Dovestones Software AD Self Password Reset (CVE-2015-8267)
Software AD Self Password Reset v3.0 by Dovestones Software contains a critical vulnerability in the password change functionality that allows unauthenticated users to change the password of arbitrary accounts.
The vendor has been working with customers to upgrade them to a fixed version.
The /Reset/ChangePass function doesn’t validate that the validation questions have been answered, or validate that the account in question is enrolled. This allows an attacker to reset any account that the service account is able to reset, even if they aren’t enrolled.
Read more…
Much ado about Juniper
Since this was published, more detailed information has become available: analysis of the SSH backdoor, the VPN backdoor, and the cryptography of the VPN backdoor. If you want a more detailed understanding of what was done, please take a moment to read these pages.
The news is tearing through the information security community – Juniper seems to be on the lips of everyone now, let’s take a quick look at the information available:
Read more…
The Manifesto
As a child, all of my time was spent reading – at the age of 8 or 9 I was staying up all night reading the likes of Dickens and Verne, at 11 or 12, I was tearing through encyclopedias, medical texts, and anything else I could get my hands on. I had a love for learning, for understanding, a desire to know everything, and an insatiable curiosity that often led me in interesting directions (in that ancient curse “may you have an interesting life” kind of way). Then one day my father came home with a large box – and my world was changed forever.
Read more…
The Door to Nowhere

Today I was walking around, exploring the local downtown area, and I noticed a door. Or more accurately, what used to be a door, and the symbolism was too perfect to ignore. It’s a door to nowhere.
A door once stood here, carefully built, thoughtfully placed, well crafted. Long ago someone decided that they didn’t want the door to exist anymore — so they filled it in. They made an attempt at reversing the decisions of the past to suit their desire at the moment — but they couldn’t.
Read more…
Responsible Disclosure Is Wrong
The debate around how, where, and when to disclose a vulnerability – and of course to whom – is nearly as old as the industry that spawned the vulnerabilities. This debate will likely continue as long as humans are writing software. Unfortunately, the debate is hampered by poor terminology.
Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details.
Read more…
Making BSides Knoxville
Two years of discussions, months of planning, weekly meetings, and thousands of dollars – BSides Knoxville 2015, the first BSides Knoxville that is, is in the books. By any metric I can think of, it was a resounding success – the feedback was great, awesome talks, good food, and a great atmosphere.
I would like to give a little insight into the event, some of what I learned from it, what went right, went wrong, and how to make something like this without going insane. Hopefully this will be useful for others thinking about running a small conference, or if you just want a behind the scenes view of what goes on.
Read more…
Crypto Front Door: Everyone Welcome!
For decades, the US Government has fought — sometimes with itself — to prevent the use of secure cryptography. During the first crypto war, they allowed strong cryptography within the US, but other countries were limited to small keys — making brute force attacks practical. But what about those pesky US citizens? They didn’t really want them to have strong crypto either — enter key escrow.
What is key escrow?
According to Wikipedia:
Read more…
On the Underhanded Crypto Contest
On August 15th of last year I asked if anybody would be interested in a contest for the best, most evil underhanded crypto techniques — the response was clear, and less than a month later I announced the creation of the contest.
Proudly announcing, the #UnderhandedCrypto Contest! See here for details / rules: https://t.co/mNV0KCVdLu
— Adam Caudill (@adamcaudill) September 3, 2014
Before I go any further, the contest simply wouldn’t have been possible without the huge effort by Taylor Hornby to help organize, coordinate and communicate. I couldn’t have asked for a better co-organizer for this event.
Read more…
The Evolution of Paranoia
That researchers from Kaspersky Lab uncovered malware that uses hard-drive firmware has now been thoroughly discussed — perhaps too much for some people. It’s not exactly Earth-shattering news either; the idea has been discussed for years, and has been publicly demonstrated. Brandon Wilson and I were even working on a proof of concept for SSD controllers to demonstrate this based on our BadUSB work.
This isn’t about that story, exactly. This is about paranoia, and how it has changed over the last few years — and even the last few months.
Read more…
Utopia Found; Utopia Lost
Sometime in the 1990s I used a 2400-baud modem and connected to the internet for the first time; I found a new world, a better world. A world where ideas and intellect set people apart, not skin color, or political affiliation, or even the pseudo-scandal of the day (which is probably just a disguise for ignorance and intolerance).
It was a time of invention, in a world where everything was new and the potential was unlimited. It was magic – not the fake Hollywood magic, but real, life changing, nothing can hold you back magic. The only real restriction was your own mind (and maybe your long-distance bill).
Read more…