Security

Still poking around the Noise Storm rabbit hole. I think I've figured out the four main packet types in this storm.

GreyNoise has been seeing crazy noise storms full of pings for years. I may have figured out what some of them are.

Pulling the whole series together to demonstrate the 1Password vault system from unlock to item decryption

Slides from my BSidesDE talk, November 9, 2018. A detailed description of how 1Password client unlocking and shared vault encryption works.

Finishing the Inside 1Password series with some miscellaneous topics

Looking at how Local Vaults are encrypted, and how that affects unlocking 1Password clients

How 1Password's shared vaults work

How the Encrypted Master Key works to unlock the Windows 1Password client

The Master Unlock Key and unlocking 1Pass on macOS

Beginning of a deep dive into how 1password works

The key to decrypt the firmware for the Secure Enclave Processor (SEP) on the iPhone 5S has been disclosed. It's actually potentially a good thing.

Slides from my BSidesROC talk, April 23, 2016. An overview of how iOS encryption works, with emphasis on passcoes and potential attacks.

A high-level summary of what we know, what we think we know, and what we know we don't know, as well as some words of caution.

A first, rough look at a new mobile app authentication service from Trail of Bits

Slides from my ShmooCon talk, January 17, 2016. A detailed overview of how Digest, NTLM, and OAuth work in the context of web and mobile applications.

Yet another uninformed, unrealistically idealistic rant about how things *ought* to be. Most readers will probably strongly disagree.

A discussion of ideas I've been kicking around about security research in general, and how current CyberUL speculation fits in.

A new service called Blind Hashing, that incorporates salts taken from petabyte-sized cloud databases, hopes to make password cracking obsolete.

Nails in the Crypt - White Paper

The Lenovo-installed SuperFish man-in-the-middle malware has me thinking again about how the CA system is still broken.

Slides from my ShmooCon talk. A short review of multiple iOS apps and how they handle server authentication, looking at both network use and on-device storage of credentials.

A bug in iOS (fixed in 8.1.1) allows a well-timed reboot to bypass the forced lockout timeout, allowing for multiple PIN attempts.

Videos of people breaking into cars, and reports of hijacked dealer equipment. Real-world example of why backdoors are bad?

MCX - a lousy substitute for proven technology

If you've enabled SMS forwarding on your iPhone, you might want to ensure that messages don't get displayed on your Mac when it's locked.

A response from Apple downplays security concerns raised over how Spotlight search works on Yosemite.

Slides from a quick NoVA Hackers talk I pulled together based on recent blog posts about Apple iOS encryption and privacy changes.

The "Apple can't decrypt devices for law enforcement" conversation continues to spawn excellent posts and explanations.

Making sense of how iOS encryption works, especially what's changed in iOS 8 and how Apple made it harder for law enforcement, can be difficult. I'll try to help.

Quick description and demo videos for activity hijacking to steal user-entered data like passwords, credit card numbers, and check images. Includes links to USENIX paper.

Quick review of BSidesLV Talk, in which they describe problems with the Mersenne Twister and other similer pseudo-random number generators.

Paypal mobile app authenticates, then kicks you out because it's not two-factor compliant. They show how to leverage this into non 2FA access.

Lots of press recently about a potentially serious malware called Svpeng. A nice case study in the use of FUD in mainstream tech press.

A consolidated list of known malware for iOS. Depending on your definition of malware.

Recent reports of users getting locked out of their iOS devices, probably due to compromise of their Apple ID password.

Mail.app's protection against loading images on suspected SPAM messages is broken when forwarding the email to a spam-reporting service.

Shared files, hidden by the obscurity of their URLs, may be revealed to third parties if the files contain a link to an external site. The remote site can find the file via the referrer header.