Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

  • UPEK Windows Password Decryption

    On August 28th ElcomSoft announced that they had determined a method to extract Windows passwords from the registry for users of UPEK’s fingerprint readers and Protector Suite software (UPEK is now owned by AuthenTec, which is now owned by Apple). What they didn’t announce was the technical details of how they did it. Brandon Wilson and I have been working to recreate their research – and we have.

    We have not been in contact with ElcomSoft, so this is an independent re-discovery of this vulnerability. ElcomSoft has committed to not release details, which I understand – but given how likely it is that others will determine this technique, I believe that this information should be available to pen-testers and auditors so that these insecure credentials can be identified.

    Read more…

  • WordPress: Don’t trust that update

    Want to know the easiest way to hack most of the WordPress installs on a host? It’s as easy as attacking the host’s internal DNS server, then just sitting back and waiting on users to install your backdoor. If you can manage to change the IP address that “api.wordpress.org” resolves to, you’ve won the battle.

    I can’t take credit for finding this, it was pointed out on Twitter:

    tweet deleted

    Read more…

  • NeoInvoice Blind SQL Injection (CVE-2012-3477)

    NeoInvoice is a multi-tenant, open-source invoicing system that currently contains an unauthenticated blind SQL injection in signup_check.php. The input for the value field isn’t properly sanitized, and it is concatenated directly into the SQL query string:

    require_once("config.php");
    
    // Pick the table/column based on the requested field; only 'username', 'email' and 'coupon' are accepted
    if (isset($_GET['field']) && ($_GET['field'] == 'username' || $_GET['field'] == 'email')) {
        $field = $_GET['field'];
        $table = 'user';
        $taken = '0';
        $not_taken = '1';
    } else if (isset($_GET['field']) && $_GET['field'] == 'coupon') {
        $field = 'name';
        $table = 'coupon';
        $taken = '1';
        $not_taken = '0';
    } else {
        die("<div class=\"error\">Invalid Field</div>");
    }
    if (!isset($_GET['value'])) {
        die("<div class=\"error\">Invalid Value</div>");
    }
    // Intended as a character whitelist, but the leading '[' is taken by preg_replace as the pattern delimiter,
    // so the bracket expression is never applied as a character class and the value passes through unchanged
    $value = preg_replace("[^a-zA-Z0-9_.\-\*\/\+\, @]", "", $_GET['value']);
    if ($value != $_GET['value']) {
        die("<div class=\"error\">Invalid Value</div>");
    }
    
    $connect = mysql_connect(MYSQL_HOSTNAME, MYSQL_USERNAME, MYSQL_PASSWORD);
    if (!$connect) {
        die("<div class=\"error\">" . mysql_error() . "</div>");
    }
    // Untrusted $value is concatenated straight into the query: this is the injection point
    $query = "SELECT $field FROM $table WHERE $field = '$value' LIMIT 1";
    
    mysql_select_db(MYSQL_DATABASE, $connect);
    $result = mysql_query($query, $connect);
    // Only a one-bit answer (taken / not taken) is returned, which is what makes the injection blind
    if (mysql_num_rows($result)) {
        echo $taken;
    } else {
        echo $not_taken;
    }
    

    Line #29 (the $query assignment) is the key: by concatenating untrusted data into the SQL query, it makes SQL injection trivial. This vulnerability can be demonstrated with the following request:

    Read more…

  • Decrypting Spark Saved Passwords

    A friend of mine has been evaluating an open source instant messaging client called Spark, which can be linked to Active Directory for authentication. Like most IM clients, Spark allows users to save their password – and me being me, I was curious as to how it’s doing this – as storing Windows domain logins is kind of a big deal.

    So, within a few minutes I found all of the details – and none of them make me feel any better. Here are the important bits:

    Read more…

  • Yahoo’s Associated Content Hacked?

    Update: TrustedSec has a write-up:

    Earlier today a group called “D33Ds Company” released a large (17MB) dump from a Yahoo server. The dump includes information from a MySQL database, and the email addresses and passwords from over 450k users. Based on some of the emails and the naming of the tables, I suspect that the data is from Associated Content – a company that Yahoo bought in 2010, and closed in 2011 – replacing it with Yahoo Voices.

    Read more…

  • Assange, Ecuador, and the Cyberarmy

    The news that Julian Assange has asked Ecuador for political asylum is flooding twitter as his supporters do their best to attract attention to his cause, and rally everyone they can to contact Ecuador’s embassy in London to urge them to grant Assange’s request. While I’ve watched the Assange case since before the first allegations came out of Sweden – that’s not my interest here, my interest is in what Ecuador could do if they wanted to.

    Read more…

  • Snapchat: API & Security

    Update 3: In 2014 the FTC filed a complaint against Snapchat for their failure to provide the level of security they promised. The findings listed below were sent to the founders of Snapchat; that email was quoted in the FTC complaint as proof that Snapchat was aware of these issues.

    Update 2: The Snapchat API has changed to address the issues I pointed out to them – and the new API has issues as well. I’ve posted an update that covers some of these changes.

    Read more…

  • Monitor iPhone HTTP(S) Traffic with Fiddler

    For a research project I decided that I needed to monitor the traffic to and from my iPhone – both HTTP and HTTPS. Having had so much luck with Fiddler in the past, it was the first place I looked. There are a number of posts on this topic, but few that provide a clear and complete picture of what’s needed. So I wrote one.

    First, install the latest version of Fiddler, then install the iOS-compatible certificate generator. Now update the settings to decrypt HTTPS traffic:

    Read more…

  • LinkedIn: A little common sense

    The fact that LinkedIn was breached has been well covered and confirmed, but in their confirmation they said something that I personally found insulting, more than anything else:

    It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.

    So, they just recently started salting their hashes? Seriously?

    Read more…

  • Piracy is not Theft

    For many years now groups like the MPAA and RIAA have tried to convince the public that piracy (that is, copyright infringement) is theft – and many people have come to believe this, but it’s not true. In reality, copyright infringement is far more analogous to trespassing than it is to theft in its core concepts – and even more so in the digital world.

    To make it clear, I am looking at this from a largely historical perspective, looking at the origins of copyright and how it was intended to be used. This gives us a better view than the current laws that have been greatly influenced and complicated by politics and money from those that have a vested interest in maximizing copyright protections and broadening its definitions.

    Read more…