HOME    ABOUT    NEWS    SERVICES    PRINCIPLES    KNOWLEDGE    CAREERS    CONTACT
XorShift128+ Backward

Douglas Goddard, Security Analyst, Independent Security Evaluators
November 29th, 2016

This article is a follow up to our previous post, Hacking the JavaScript Lottery. In that post we wrote a Python Z3 implementation which utilized symbolic execution in order to recover the state of the XorShift128Plus pseudo-random number generator (PRNG) used by most major browsers. Shortly after publishing, Chrome (specifically V8, Chrome’s JavaScript engine), updated and the SAT solver was no longer able to find valid solutions.
Understanding Password Complexity

Billy McLaughlin, Security Analyst, Independent Security Evaluators
November 21st, 2016

Any Internet user is familiar with password requirements when registering an account on a website. Websites often require users to create passwords of a certain length or complexity. “Password must contain at least one letter, number, and special character” and “Password must be at least ten characters in length” are common messages encountered on the web today. This post will define bits of entropy, show how they relate to these types of restrictions, explain how they influence password strength, and outline some recommendations for choosing strong passwords.
A Breach in the Same-Origin Policy Induced by Mirroring External Content

Jacob Thompson, Senior Security Analyst, Independent Security Evaluators
September 29th, 2016

What do Google Translate, the Internet Archive, and the free anonymization proxy Hide.me have in common? Each of these services mirrors web content on a different origin than where it originated — and this could be a threat to your privacy and security. The weakening of the same-origin proxy induced by doing this is an underappreciated attack vector against web users. Under the right conditions, a third-party malicious site could track your browsing history, steal session cookies, and capture data input to web pages that would otherwise be secure under normal conditions. Read along to understand more about the problem, the risks, and how you can protect yourself.
How to View TLS Traffic in Android’s Logs

Rick Ramgattie, Associate Security Analyst, Independent Security Evaluators
September 29th, 2016

When establishing a TLS connection, the client needs to verify that it’s communicating with a legitimate server. Certificates can be verified by comparing the domain name (DN) in the server’s certificate against the requested domain name , and verifying that the certificate’s signature hierarchy chains back to a trusted root certificate authority.
“Electric Fence: Who Let the Heap Corruption Out?”

David Petty, Junior Security Analyst
and Co-Authored with Jacob Thompson, Senior Security Analyst, Independent Security Evaluators

August 26th, 2016

Heap mismanagement has been known to be a security issue for over 15 years, but continues to produce critical vulnerabilities in even highly-regarded and robust software packages. In this post we explore four common heap management errors — freeing a pointer to something other than a block of allocated heap memory, double free, use-after-free, and out-of-bounds writes — and the ways in which modern built-in mitigation measures succeed and fail at detecting them. We then explore a useful tool, Electric Fence, showing how it can help to detect errors in the use of malloc and free in an application under assessment.
What is Sweet32?

Dan Staples, Senior Security Analyst, Independent Security Evaluators
August 25th, 2016

Sweet32 is the name of an attack released by a pair of researchers at the French National Research Institute for Computer Science (INRIA). The research findings were assigned CVE-2016–2183 and CVE-2016–6329. The attack takes advantage of design weaknesses in some ciphers. These ciphers are used in common protocols such as TLS, SSH, IPsec, and OpenVPN. While the vulnerability at the core of the research has been known by cryptographers for a long time, the feasibility of such attacks is putting new emphasis on the need for software developers and product vendors to phase out deprecated ciphers in their products. The Sweet32 attack allows an attacker to recover small portions of plaintext when encrypted with 64-bit block ciphers (such as Triple-DES and Blowfish), under certain (limited) circumstances.
ICMP: The Good, the Bad, and the Ugly

Drew Branch, Security Analyst, Independent Security Evaluators
July 19th, 2016

The Internet Control Message Protocol (ICMP) allows Internet hosts to notify each other of errors and allows diagnostics and troubleshooting for system administrators. Because ICMP can also be used by a potential adversary to perform reconnaissance against a target network, and due to historical denial-of-service bugs in broken implementations of ICMP, some network administrators block all ICMP traffic as a network hardening measure. In this blog post, we review the beliefs for why administrators are motivated to block ICMP, the reasons why this is not an effective security measure against any level of targeted attack, and side effects of blocking ICMP that break legitimate network functionality. Finally, we suggest ways to block only the parts of ICMP that allow network discovery for networks where this is a concern.
Technical Anonymity Guide

Douglas Goddard, Security Analyst, Independent Security Evaluators
July 5th, 2016

As more data is collected at different layers of our digital lives an understanding of anonymity becomes a vital skill. While operational security (OPSEC) is important in practice, the technical setup for anonymity is a prerequisite to any operation. Given the range of use cases for anonymity and the many different actors who attempt to dismantle it, this design considers an environment in which everyone is an adversary. This article should serve as a start to finish guide on setting up a laptop for anonymous usage. While it will cover OPSEC in different sections this is not meant to be an exhaustive guide on the topic.
Looking Ahead — Continuous Performance Reviews

Lisa Green, Director of People Relations, Independent Security Evaluators
June 16th, 2016

Performance reviews — many managers and business leaders cringe when they hear this phrase. Traditionally performance reviews, from a manager’s perspective, tend to be time consuming and a waste of effort. Performance reviews from an employee’s point of view tends to create self-doubt and nervousness.
Hacking the JavaScript Lottery

Douglas Goddard, Security Analyst, Independent Security Evaluators
May 17th, 2016

January 2016 boasted a Powerball jackpot of 1.5 billion dollars. This generated a lot of interest in the lottery and the Los Angeles Times released a simulator where you start with 100 dollars and play until that is gone. I had seen previous work for predicting Java’s Math.random() and thought it would be a fun project to replicate for the browser.
Onsite Social Engineering Part II

Corey LeBleu, Security Analyst, Independent Security Evaluators
May 3rd, 2016

I'd rather lie to your face.

The average corporate security training program might be useful when it comes to thwarting remote attackers, but does it adequately prepare employees for face-to-face encounters? How are these situations different from one another? Why do physical attacks often succeed when remote attacks fail?
How do I Keep My Data Secure Using Amazon S3 Encryption?

Rick Ramgattie, Security Analyst, Independent Security Evaluators
April 18th, 2016

Cloud storage services allow customers to store and retrieve files on a remote, third-party server. Cloud storage aims to be more cost effective and scalable than on-premises storage. When developers and system administrators decide to use cloud storage services, they should ask themselves how files are kept confidential, both over the Internet as they travel to cloud storage and once they are stored.
AES-NI in Action

Drew Branch, Security Analyst, Independent Security Evaluators
April 5th, 2016

The use of encryption has drastically changed over the years. A vast number of encryption ciphers have been deemed weak (e.g., RC4), while others are considered industry standard (e.g., AES-128). The use of encryption is a predominant method of securing data at rest and in transit, as well as for securing communications between clients and servers. Traditionally, encryption ciphers are selected based on the type of data secured and the performance requirements of the system or application. The security of an algorithm is not always a forefront requirement in the selection process. Can a secure algorithm, such as AES, perform at a rate or faster than an algorithm known for performance, such as RC4?
Ransomware: Healthcare Security

Geoff Gentry, Security Analyst, Independent Security Evaluators
April 1st, 2016

“All truths are easy to understand once they are discovered; the point is to discover them” – Galileo Galilei

Seems simple, right? Unfortunately, that’s not necessarily the case. At least in healthcare… For the past few months, we have seen an acceleration of ransomware attacks on healthcare facilities. From California to Maryland, these attacks have caused chaos in the infected facilities and hindered their ability to properly care for their highest value asset: the patient. These attacks will not go away; instead, these attacks will increase in number, escalate in severity, and continue to hinder patient care. In fact, the latest attack occurred right in our own backyard at MedStar, which has locations in Virginia, Maryland, and D.C. This attack actually caused MedStar to turn patients away! If that is not an indictment on the state of healthcare security and the impact it has on patient health, then I am not sure what is.
Anti-virus, a cure worse than the disease?

Billy McLaughlin, Security Analyst, Independent Security Evaluators
March 25th, 2016

This blog post will explore situations in which anti­-virus software caused more harm than good. As the anti-virus landscape changes, software vendors are eager to provide new functionality to stay ahead of the competition. Vendors have started to implement features that are designed to detect and remove threats before they are fully present on a user's system. Some are developing custom, security-­focused web browsers and web browser plugins. Others are devising methods to intercept user traffic to detect threats in transit.
Don’t DROWN in Old Protocols—Disable SSLv2

Tom Connolly, Security Analyst, Independent Security Evaluators
March 3rd, 2016

A recently discovered vulnerability with SSLv2, dubbed the “DROWN” attack, has put the final nail in the SSLv2 coffin. Despite SSLv2 being deprecated since 2011, a large number of web servers, email servers, and other SSL-enabled servers still provide support for the outdated protocol. In fact, more than 33% of all Internet-accessible sites have been shown to support SSLv2—making this a viable attack scenario.
Assessing Healthcare: Patient Data vs Patient Health Part 1

Stephen Bono, President & Principal Security Analyst, Independent Security Evaluators
February 26th, 2016

Patients are a hospital's most important asset, not their data.

We recently concluded a study, securityevaluators.com/hospitalhack, at a variety of hospitals to determine the plausible impact of cyber threats against patient health. Our conclusion: they are very plausible. Part of what fuels this weakness is a long standing and ever increasing stride to protect patient health records rather than focusing on the asset that the healthcare facility was meant to protect in the first place: the patients' health.
An Important Misconception about Two-Factor Authentication

Stephen Bono, President & Principal Security Analyst, Independent Security Evaluators
February 19th, 2016

The adoption of two-factor authentication (2FA) could not be more important. Something-you-know secrets have proven ineffective time and again, be it through password guessing or cracking, password sharing, password reuse, flaws in password resets, and even just forgetting the many passwords we now have to remember. Combining passwords (something you know) with something you have dramatically improves security and reduces the risk of an account compromise. But is the way many applications implement 2FA really true 2FA?
ffmpeg HLS+concat/subfile

Kedy Liu, Independent Security Evaluators
February 8th, 2016

A few weeks ago, programmer, Maxim Andreev, released a critical ffmpeg and libav vulnerability in his blog that affects all ffmpeg versions prior to the January patch. With a specially crafted video file, an adversary is able to perform a weaker form of server-side request forgery attacks (i.e., the attacker is only able to send requests to a server of the adversary’s choice and cannot read the response).
Onsite Social Engineering 101

Corey LeBleu, Independent Security Evaluators
January 7th, 2016

Social engineering is all about manipulation, misdirection, and, above all, opportunity. I was lucky to be mentored and introduced to social engineering and physical security assessments early in my professional career. While I recommend consulting with an experienced professional before performing this type of assessment on your own, I would like to walk you through the basics of learning this skill set.
Talent Wars: A Shift in Focus- Retention

Lisa Green, Independent Security Evaluators
December 29th, 2015

When it comes to the current state of the job market, it is an employee’s market — especially in the security industry. Finding quality security talent is a hard task for any company, no matter the size or reputation. With so many options, security professionals have their pick of who they want to work for.
Using OpenSSL to determine which Ciphers are Enabled on a Server

Billy McLaughlin, Associate Security Analyst, Independent Security Evaluators
November 2nd, 2015

When evaluating a remote target, learning more about the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) configuration can be very useful. Being able to test SSL/TLS configurations on target machines is a common requirement when performing security assessments. As such, it is important to be able to perform these tests as independent of system configuration as possible. Today, most popular Linux distributions come bundled with the openssl package, which is the only tool that is required for these purposes.
Is Apple’s watchOS 2 Update Less Secure than the Predecessor?

Drew Branch, Associate Security Analyst, Independent Security Evaluators
October 6th, 2015

If you are like me, you were ecstatic when Apple finally decided to release its version of the Apple Watch smart watch. For many, this was a long overdue added installation to Apple’s device lineup. While its delayed release proved worth the wait, soon after, Apple Watch owners, as well as the general public, received intriguing news about the recently released watchOS 2 operating system for the Apple Watch. With a vast number of new features—one being the ability to run native applications on the watch—is Apple prepared to keep the information stored on your watch secure?
Quantum Computing and Quantum Resistant Algorithms

Ersin Domangue, Independent Security Evaluators
September 8th, 2015

Recently, I gave a little talk at ISE about quantum computing; I tried to delve into the subject a little deeper than what you might receive from a popular magazine or web news outlet. Following my talk, the ISE team jumped into a deeper discussion, questioning if an algorithm that is deemed "quantum resistant" is really safe. After all, with some celebrated exceptions (think one-time pad), no cryptographic algorithm can be totally resistant to cryptanalysis—even in the conventional sense.
Advanced Package Tool: Privacy or No Privacy?

Drew Branch, Associate Security Analyst, Independent Security Evaluators
August 31st, 2015

The Debian-based Linux distribution’s package manager, Advanced Package Tool (APT), does not ensure privacy out of the box. While other UNIX package managers use SSL/TLS, APT does not—leaving your privacy in the balance. With privacy concerns rapidly growing due to new discoveries of various government spying scandals, brand new laptops installed with “bloatware,” and targeted ads embedded within social media outlets, one would think that people would be more concerned with privacy. This blog post will demonstrate how requests made via APT are sent over the network by default, and it will provide steps to enable secure communications when using APT.
Empowering Healthcare Security Executives

Geoff Gentry, Independent Security Evaluators
June 29th, 2015

Patient lives are at risk. We’re all patients. Every single one of us. We get sick, we have children, we suffer accidents. And we all rely on the most advanced medical ecosystems in the world to make us better. To heal us. But these petri dishes of innovation and efficiency could also kill us. Healthcare ecosystems, architected by bright minds and integrating groundbreaking technologies to assist in the healing process, are suffering from what makes them great: technology. Due to myriad of factors, these ecosystems have become, and will continue to be, woefully insecure and vulnerable to attacks from a plethora of adversaries, all of whom are hell bent on gaining access to their most valuable asset: their patients. The stark reality of the modern era is that a digital attack can plausibly result in physical harm.
Samsung SwiftKey Killer Exploit

Independent Security Evaluators
June 20th, 2015

During BlackHat London, a vulnerability in the SwiftKey keyboard bundled by Samsung came to light.1 There is a flaw in the way languages are updated and installed that allows an attacker to write an arbitrary file to an arbitrary location on the file system. Disclosed to Samsung in late 2014, to capitalize on the vulnerability, the attacker needs to be able to modify traffic en route to the update servers. While Samsung provided a patch early in 2015,2 as of today, that patch has not made it in to an over-the-air (OTA) update for major carriers.3
Technology in Healthcare and Patient Risk

Drew Ogle, Independent Security Evaluators
June 8th, 2015

Technology is a critical component in healthcare: we get it, we can all agree on this point. However, these same technologies...the ones meant to better patient care, to improve workflows, to reduce costs, also introduce the possibility for errors, for attacks, and for patient harm. The referenced article below provides a good example of how disaster can strike, and I'll provide a few lessons we can learn to, hopefully, do better in the future.
VENOM Vulnerability: The Newest Threat to Your System’s Cyber Health

Ersin Domangue, Independent Security Evaluators
May 21st, 2015

The security firm CrowdStrike recently revealed a vulnerability that its staff discovered in QEMU-based virtual machine (VM) products (CVE-2015-3456). These include Xen, KVM, and VirtualBox. VMWare products, Bochs and Hyper-V, are not affected. The vulnerability, which they call "VENOM" (Virtualized Environment Neglected Operations Manipulation), can lead to complete control of a host computer, as well as access to all of the VMs running on the machine. VM vendors have or will have updates, and system administrators should apply them as soon as they are available.
Cyber Security: The Gateway to Career Success

Lisa Green, Independent Security Evaluators
May 14th, 2015

A notable weakness in most organizations’ security program is a lack of trained, experienced, and available security resources; to protect their assets, organizations require talented professionals with both technical and soft skills to create, define, and implement these programs. While the need is growing, the bar is set high. To work among the elite in the field in a career that allows for expansive professional growth, consider what it takes to get there. The need for talented cyber security analysts will continue to grow, and choosing to work in the industry is not only a timely career choice that allows for professional growth, but it is also a rewarding one that allows for personal growth and directly benefits companies and their stakeholders.
Don't Believe Everything You Read: Security Bugs in Reference Materials

Jacob Thompson, Independent Security Evaluators
April 10th, 2015

In this post, we consider the impact that the explosion of new software frameworks, and the frequent need to shift between them, has on security: (1) the tendency to use technologies without fully understanding them, (2) the use of non-peer reviewed sources for assistance and documentation when solving a problem, and (3) the presence of security bugs in code examples in printed materials from respected publishers. Finally, we conclude with recommendations for developers and authors to help avoid inadvertent subtle security bugs as a result of relying on or producing faulty documentation.
Superfish and Lessons not Learned - Preloaded Malware

Mark Goldman, Independent Security Evaluators
Feb. 21st, 2015

ISE has been finding more and more suspicious bloatware on Windows operating systems in past years. Just this past week, this issue came to a head with the discovery of the Superfish malware disguised as bloatware on Lenovo machines. ISE gives its take on this topic here.
Which SSL/TLS Protocol Versions and Cipher Suites Should I Enable on My Server?

Jacob Thompson, Independent Security Evaluators
Jan. 19th, 2015

ISE customers have recently asked how they should configure the SSL/TLS libraries on their servers to avoid any known security vulnerabilities. Here are our recommendations.
Case Studies
Papers/Publications
Presentations
Blog
Contact us

Copyright 2005-2013 Independent Security Evaluators, LLC. All rights reserved.