• Understanding Password Storage

    I occasionally receive emails from people who have come across PHPCredlocker, and the question is usually the same - "Why are you storing passwords using reversible encryption?". Most emails are polite, some not so much, but they all have one thing in common: they assume that a commonly stated fact applies to all scenarios, and fail to apply the bit of simple logic that would tell them the answer - it's done that way because that's the only way the system would work.

    In this post, we'll be briefly looking at some of the ways in which you can store credentials, and which of them are appropriate to use (and when), in the context of building an application (web or otherwise).

  • Understanding the Difficulty of Assessing True Randomness

    I've had to explain, more than a few times, quite why it's so hard to assess whether a Random Number Generator (RNG) is compromised unless you have access to how the specific implementation works. Just because the data appears to be random does not necessarily mean that it is actually unpredictable.

    In this short piece of documentation, I'll be attempting to demonstrate exactly how a compromised RNG can appear to be generating random data, based on the tests that are available to us.

  • Understanding the Nigerian 411 Scam

    Originally published to Helium.net

    The 411 scam is generally known to most of the world as Advance-fee fraud, or a 419 Scam. Traditionally 419 scams originate from Nigeria, and the name refers to the section of the Nigerian criminal code under which such a crime falls. Quite when the term 411 scam became popular is unclear, but the American Dialect Society has traced the term '419 Fraud' back to 1992.

    A 419 Scam is a confidence trick intended to persuade the mark to part with money in order to reap greater rewards. The original 419 scams were sent by letter, telex and fax as a result of the Nigerian oil crisis in the 1980s. The original marks were businessmen wishing to make money from illegal deals, but this soon expanded to include Western businessmen. With the advent of wider e-mail use came a new form with which a scam could be executed, and the target audience also grew to include the population as a whole.

  • Vulnerability: Infiltrating a network via Powerline (HomePlugAV) adapters

    As I posted recently, I've been playing around with some of ON Network's PL500 HomePlugAV Adapters. Given my previous experience with Powerline adapters, as part of that tinkering I thought I'd see whether they contain (or are) a security issue.

    Unfortunately the news isn't great, as I can now get effective physical network access using the HomePlugAV adapters as my entry point. It does, of course, require some proximity to the target network, but is otherwise pretty straightforward.

    As I don't have $5,000 to spare, I did this without reading the HomePlugAV technical specification.

    Responsible Disclosure: Before publishing, I contacted the HomePlug Alliance to notify them of the issues I'd identified, but have had no response.

  • What is js.Runfore?

    So your customers have been complaining that your/their webpage is being blocked by Google as containing malware? When you check, one or more JavaScript files have been compromised and now contain this lovely code

  • Who's auditing the auditors? (it should be you)

    First published 30 September 2011 on Viryatechnologies.com

    A recently published issue with a Security Auditor has highlighted just how much potential there is for the worst to happen when information is requested by someone with a level of authority. In this particular case, the person being asked for the information had the sense to challenge the request, but it's easy to believe that many others would have simply attempted to comply.

    The Security Auditor in question was insisting that the following be provided:

    • A list of current user-names and plain-text passwords for all user accounts on all servers
    • A list of all password changes for the past six months, again in plain-text
    • A list of “every file added to the server from remote devices” in the past six months
    • The public and private keys of any SSH key pairs
    • An email sent to him every time a user changes their password, containing the plain-text password.

    It should be pretty clear to most that this presents a huge security issue, but faced with a Payment Card Industry (PCI) Auditor making the request, how many would simply assume that he “must know what he's doing”?

  • Why is Encryption not used more?

    Earlier this year I wrote this piece questioning why use of encryption was still not widespread. If more businesses and agencies adopted encryption, there'd be far less data leakage.

    Had Fisher Hargreaves Proctor employed encryption, the breach of their site would not have been so severe. Yet businesses continue to use and store unencrypted data as a matter of course. Why?

  • Why you should always consult a professional

    Originally posted at ViryaTechnologies.com.

    The web is, undoubtedly, a wonderful resource: it allows us to quickly and easily find information on almost anything. When it comes to servers and websites, however, it can be incredibly dangerous if you (or worse, the author) do not know what you/they are doing.

    I was browsing to see if there's a better way to reset a user's password from PHP than the method I usually use, and stumbled across this tutorial. Quite frankly, my chin hit the desk at the advice being offered.

    In all fairness to the person who posted the tutorial, they have attempted to mitigate some of the serious security concerns, but despite that, it's still a security nightmare. What makes it worse is the comments below indicating that some users are blindly copying and pasting the PHP and following the steps without even a basic understanding of how it works.

    In this post we'll be looking at what the tutorial suggests, and why it's a bad idea.

  • Why You Shouldn't be using SHA1 or MD5 to Store Passwords

    There are a lot of badly coded sites out there, and far too many sites still seem to be falling prey to SQL Injection vulnerabilities, resulting in a lot of high profile leaks of user data.

    I wrote quite some time ago on The Importance of Salting Stored Passwords And How To Do So Correctly, but whilst the underlying message remains correct, the techniques for doing so have been outpaced by technology.

    Although still widely used, hash algorithms such as SHA1 and MD5 are no longer sufficiently secure for storing passwords.

    In this post we'll be exploring why you shouldn't be using MD5/SHA1 and how you should be storing passwords.