Adam Caudill

Security Engineer, Researcher, & Developer

  • PL/SQL Developer: Nonexistent Encryption

    (See here for another issue discovered during this research; Updates over HTTP & Command Execution.) PL/SQL Developer by Allround Automations has an option to store the user’s logon history with passwords – the passwords are encrypted with a proprietary algorithm. At this point, you should know how this is going to go. For those that don’t know, PL/SQL Developer is a tool for developers and database administrators to access Oracle – an essential tool in many enterprise environments.

    Read more…

  • Rance, Goodbye Friend

    If you never had the oppertunity to meet Rance, known as David Jones to some, you don’t know what a friend you missed. Today, you lost the chance to find out. He was truly something special – one of the most genuine, kind, and caring people I’ve ever met. I met him at the first security conference I ever attended – while I had always been somewhat involved with security work, I really wasn’t a member of the community, I was an outsider, and every word I said, I was painfully aware of that.

    Read more…

  • “New Atheism” & The Philosophy of Atheism

    A recent (very) public fracas between Richard Dawkins and Glenn Greenwald (both people who I respect, though for rather different reasons) left me thinking about the direction that the “New Atheism” movement is taking, and where atheism itself should be going. Religion is a difficult topic to discuss, as it evokes such passion that you often move past logic into purely emotional discussions. Some atheists, unfortunately, are just as zealous that they too lose sight of logical discourse.

    Read more…

  • 2015: Year In Review

    For the second year I am publishing a year-in-review – something I had generally avoided in the past, as the tone of these posts is typically just cynicism and negativity. Looking back at 2015, it wasn’t all positive (what year is?), but there was certainly some good, and there are great things to look forward to. In a season filled with empty marketing pitches, worthless predictions, and pointless projections – it’s important to look at the good and avoid the cynicism overload that is all too common.

    Read more…

  • Battle Fronts in the Crypto War

    or, These aren’t the droids apps you are looking for… The Chinese government has passed new anti-terror legislation, drafts of which have been criticized for months due to broad language, and the massive privacy concerns. This legislation is a critical move in the global Crypto War – effectively giving the Chinese what the FBI has been seeking for well over a decade: a CALEA-style law, that mandates providers be able to supply law enforcement with decrypted data.

    Read more…

  • on Unfair Judgement

    Recently I was leaving a store after doing some Christmas shopping, as I entered my car someone recognized me and waved – this is the story of what went through my mind in that moment, the mistakes it revealed, and the regret that went with it. For those that are here in hopes of an article on information security or development, please pardon the interruption; this is about human nature. I know the value of your time so I try to diverge from my normal topics as little as possible, but this incident was striking enough that I thought it worthy of publication.

    Read more…

  • Verizon Hum Leaking Credentials

    or, Christmas Infosec Insanity… A friend mentioned Hum by Verizon, a product that I hadn’t heard of but quickly caught my attention – both from a “here’s a privacy nightmare” perspective, and “I might actually use that” perspective. While looking at the site, I decided to take a look at the source code for the shopping page – what I saw was rather unexpected. Near the top is a large block of JSON assigned to an otherwise unused variable named phpvars – included was some validation code, a number of URLs, some HTML, and the like.

    Read more…

  • Juniper, Backdoors, and Code Reviews

    Researchers are still working to understand the impact of the Juniper incident – the details of how the VPN traffic decryption backdoor are still not fully understood. That such devastating backdoors could make it in to such a security-critical product, and remain for years undetected has shocked many (and pushed many others deeper into their cynicism). There are though, some questions that are far more important in the long run:

    Read more…

  • Dovestones Software AD Self Password Reset (CVE-2015-8267)

    Software AD Self Password Reset v3.0 by Dovestones Software contains a critical vulnerability in the password change functionality, that allows unauthenticated users to change the password of arbitrary accounts. The vendor has been working with customers to upgrade them to a fixed version. The /Reset/ChangePass function doesn’t validate that the validation questions have been answered, or validate that the account in question is enrolled. This allows an attacker to reset any account that the service account is able to reset, even if they aren’t enrolled.

    Read more…

  • Much ado about Juniper

    Since this was published, more detailed information has become available: analysis of the SSH backdoor, the VPN backdoor, and the cryptography of the VPN backdoor. If you want a more detailed understanding of what was done, please take a moment to read these pages. The news is tearing through the information security community – Juniper seems to be on the lips of everyone now, let’s take a quick look at the information available:

    Read more…