PL/SQL Developer: HTTP to Command Execution
While looking into PL/SQL Developer – a very popular tool for working with Oracle databases, to see how it encrypts passwords I noticed something interesting. When testing Windows applications, I make it a habit to have Fiddler running, to see if there is any interesting traffic – and in this case, there certainly was.
PL/SQL Developer has an update mechanism which retrieves a file containing information about available updates to PL/SQL Developer and other components; this file is retrieved via HTTP, meaning that an attacker in a privileged network position could modify this file.
Read more…Crypto Crisis: Fear over Freedom
Yesterday, President Obama spoke at SXSW on topics including the oft-discussed fight between Apple and the FBI – what he called for, while more thoughtful than some of the other comments that we have been hearing from Washington, was still tragically misinformed. He repeated the call for a compromise, and by compromise, he meant backdoors.
Here, I feel I must paraphrase one of my favorite authors to properly express the magnitude of what’s being discussed here:
Read more…PL/SQL Developer: Nonexistent Encryption
(See here for another issue discovered during this research; Updates over HTTP & Command Execution.)
PL/SQL Developer by Allround Automations has an option to store the user’s logon history with passwords – the passwords are encrypted with a proprietary algorithm. At this point, you should know how this is going to go.
For those that don’t know, PL/SQL Developer is a tool for developers and database administrators to access Oracle – an essential tool in many enterprise environments. Instead of using something that provides some actual security like DPAPI (which itself is far from perfect, as we saw with the UPEK fiasco), they opted to use a proprietary “encryption” algorithm to protect these passwords – making it trivial to recover the passwords for any attacker that can access the preferences file(s).
Read more…Rance, Goodbye Friend
If you never had the oppertunity to meet Rance, known as David Jones to some, you don’t know what a friend you missed. Today, you lost the chance to find out.
He was truly something special – one of the most genuine, kind, and caring people I’ve ever met. I met him at the first security conference I ever attended – while I had always been somewhat involved with security work, I really wasn’t a member of the community, I was an outsider, and every word I said, I was painfully aware of that. Rance knew I was an outsider, and he did everything he could to make me feel welcome – within a couple days I had been introduced to everyone, and he treated me like an old friend.
Read more…“New Atheism” & The Philosophy of Atheism
A recent (very) public fracas between Richard Dawkins and Glenn Greenwald (both people who I respect, though for rather different reasons) left me thinking about the direction that the “New Atheism” movement is taking, and where atheism itself should be going. Religion is a difficult topic to discuss, as it evokes such passion that you often move past logic into purely emotional discussions. Some atheists, unfortunately, are just as zealous that they too lose sight of logical discourse.
Read more…2015: Year In Review
For the second year I am publishing a year-in-review – something I had generally avoided in the past, as the tone of these posts is typically just cynicism and negativity. Looking back at 2015, it wasn’t all positive (what year is?), but there was certainly some good, and there are great things to look forward to.
In a season filled with empty marketing pitches, worthless predictions, and pointless projections – it’s important to look at the good and avoid the cynicism overload that is all too common. As a community, there is a great deal of good that we can do, changes that can be made, lessons taught, and minds opened – it is critical that we focus on the good we can do, not all the negative that we encounter on the way.
Read more…Battle Fronts in the Crypto War
or, These aren’t the
droidsapps you are looking for…The Chinese government has passed new anti-terror legislation, drafts of which have been criticized for months due to broad language, and the massive privacy concerns. This legislation is a critical move in the global Crypto War – effectively giving the Chinese what the FBI has been seeking for well over a decade: a CALEA-style law, that mandates providers be able to supply law enforcement with decrypted data. This means no end-to-end encryption, this means adding backdoors (even if they are called something different, they are still backdoors).
Read more…on Unfair Judgement
Recently I was leaving a store after doing some Christmas shopping, as I entered my car someone recognized me and waved – this is the story of what went through my mind in that moment, the mistakes it revealed, and the regret that went with it.
For those that are here in hopes of an article on information security or development, please pardon the interruption; this is about human nature. I know the value of your time so I try to diverge from my normal topics as little as possible, but this incident was striking enough that I thought it worthy of publication. In the days since this event, it’s bothered me deeply.
Read more…Verizon Hum Leaking Credentials
or, Christmas Infosec Insanity…
A friend mentioned Hum by Verizon, a product that I hadn’t heard of but quickly caught my attention – both from a “here’s a privacy nightmare” perspective, and “I might actually use that” perspective. While looking at the site, I decided to take a look at the source code for the shopping page – what I saw was rather unexpected.
Near the top is a large block of JSON assigned to an otherwise unused variable named
Read more…phpvars– included was some validation code, a number of URLs, some HTML, and the like. After seeing the first element,isDeveloperMode, I was sure this was worth a closer look.Juniper, Backdoors, and Code Reviews
Researchers are still working to understand the impact of the Juniper incident – the details of how the VPN traffic decryption backdoor are still not fully understood. That such devastating backdoors could make it in to such a security-critical product, and remain for years undetected has shocked many (and pushed many others deeper into their cynicism).
There are though, some questions that are far more important in the long run:
Read more…
About Me
Security researcher, engineer and software developer with more than 20 years of experience.
Work: I primarily focus on application security, usable security, secure communications, and cryptography. I build and lead strong and dynamic teams, who cover all facets of security and privacy.
Writing: I write about my research, security in general, development and software design, and leadership through my blog, essays, and various publications. I also engage in some creating writing when I can.
Photography: I am a purist fine art photographer, working primarily in black & white, and focused on sharing new perspectives of the world. Limited edition prints of my work are available on my online gallery. I also have a background in photojournalism, and volunteer in this field when I can.