How a Single-Character Coding Error Led to a Major Data Leak

Paul Ballard

24 Feb 2017

If you don’t follow the tech Twitter-verse as obsessively as we do, you may not be aware that a major data breach at Cloudflare has put user passwords, messages and other information at risk all over the internet.

Cloudflare provides web security and performance services for companies like Uber and OkCupid, among many, many others. A significant chunk of web traffic flows through Cloudflare, and the data breach now known as Cloudbleed dates back to last September, according to New York magazine’s Select All blog—though Cloudflare didn’t disclose it publicly until Thursday.

While all the typical security advice applies in this situation—it’s probably a good idea to update your passwords, and enable two-factor authentication on your accounts when possible—what strikes us about the Cloudbleed debacle is how so much havoc was wreaked based on what Gizmodo describes as a simple, one-character coding error.

Apparently, the company's switch to a new HTML parser led to what's known as a buffer overrun vulnerability. Instead of staying confined to its buffer, user data from some sites leaked into another, insecure memory location. From there it could be returned under certain circumstances in response to an HTTP request, including requests made by search engine crawlers.

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” wrote Tavis Ormandy, the Google security expert who discovered the breach, in a bug report.



Java Security Updates May Not Actually Be Secure

Paul Ballard

23 Dec 2015

With Java SE reportedly installed on 850 million PCs, the “Java Update Available” popup has become a well-known nuisance.  But keeping software up to date is supposed to help protect us.  According to the FTC, Java updates might be an exception to that rule.

The key issue is that Java updates have not always removed older versions of Java when installing the newer patch.  This leaves the vulnerable versions still accessible on your PC.  Oracle has just settled charges brought by the FTC for knowingly leaving users’ PCs vulnerable; under the settlement, Oracle will warn users of the insecurity of keeping older versions and provide tools to help remove old versions from affected PCs.

“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.” —  FTC Press Release

To make matters worse, the FTC claims that Oracle has known about this issue for some time and has been intentionally deceiving customers.

In 2011, according to the FTC’s complaint, Oracle was aware of the insufficiency of its update process.



Microsoft Releases Azure Active Directory Domain Services

Paul Ballard

15 Oct 2015

Microsoft has released a public preview of its new Azure Active Directory Domain Services feature in Azure Active Directory.  This feature allows you to establish domain services on virtual networks in Azure.

Azure AD Domain Services is an entirely new concept. It’s a cloud based service which gives you a fully Windows Server Active Directory compatible set of APIs and protocols, delivered as a managed Azure service. This means as part of Azure AD you can now turn on support for all the critical directory capabilities your application and server VMs need, including Kerberos, NTLM, Group Policy and LDAP.  — Active Directory Blog

This service is targeted toward providing standard domain services for Azure-hosted VMs and applications, not desktops.  The service includes domain join and Group Policy features and works with on-premises AD via Azure AD Connect.  Using Azure AD Domain Services lets legacy application users sign in with the same credentials they use for other cloud-based services such as Office 365.

For more information on this new service and how to configure it, read the Active Directory team’s blog post.

How To

6 Things You Should Know About SQL Server 2016 Always On Encryption

Paul Ballard

28 May 2015

The upcoming SQL Server 2016 release promises many new features, including a “Stretch” feature which allows you to automatically archive older data to the cloud, enhanced in-memory OLTP functionality, and several new security enhancements.  One of the most interesting new security features is Always On Encryption.  Here are 6 things you should know about this feature.


  1. Data is encrypted at all times
    Okay, so this might seem obvious, but let’s look at what this really means.  In the diagram above you see that the data for one or more columns of a table is stored in an encrypted state.  When SQL Server acts on this data locally it acts only on the encrypted version.  It never decrypts it, so it’s encrypted in memory as well as on the wire as it transits the network (or Internet) on the way to the client.  SQL Server treats the encrypted data as if it were the raw field.  Only at the point where the data reaches the client is it decrypted for use in your applications.  This makes the encrypted data nearly impervious to man-in-the-middle attacks or file-based decryption on the server.
  2. Encryption keys are not stored on the server
    SQL Server does not hold the keys needed to decrypt the data it stores in Always On Encrypted fields.

Guest Author, How To

OAuth 2.0 Part 2 – The Four Party Diagram

Jim Blanchard

27 May 2015

Understanding the Four Party Diagram

In the last post, we made it through defining the four roles represented in the four party diagram. Now we’re going to dig into the arrows that represent information flowing between the parties.


Authorization Request

This is conceptually straightforward. The client needs to ask the resource owner for permission to access a resource. The request needs to be explicit about the type of access the client wants. For example, the client could present the resource owner with a request for read-only access to a repository of photos. How exactly does the client do this? The spec is opinionated but not demanding here. The client can communicate directly with the resource owner and still be compliant with the spec, but the preference is to use the authorization server as an intermediary. This makes sense if you think about it. The authorization server is going to need to trust the authorization grant in order to issue the access token. It sure is easier to sort that out if the authorization server is actually the party issuing the authorization grant on behalf of the resource owner.
Those Authorization Grant arrows look like they’re hiding something…

The rest of the arrows are simple in concept: a request, and a token that gives access to a resource.



Which Mobile OS Do You Trust?

Paul Ballard

23 Apr 2015

With recent revelations from the RSA Security Conference highlighting gaping security holes in iOS 8, as well as pointing out that many Android apps don’t perform proper SSL validation, one has to wonder whether mobile data is safe anywhere.

Amit Yoran, President of RSA, kicked off the company’s annual conference with a scathing commentary on the current state of security in the software industry, calling our current mindset “Living in the Dark Ages”.

We are living in the Dark Ages of security. We cling to outmoded world views and rely on tools and tactics from the past, and yet we are surprised to find ourselves living in an era of chaos and violence. We must cast off the past and enter an Age of Enlightenment by pursuing greater visibility into and understanding of our digital world. — RSA Conference Keynote

According to the Computer Emergency Response Team, 22,000 apps on Google’s Play Store, including those from Kaspersky and Webroot, don’t validate the authenticity of the certificates they use to secure communications with back-end servers.  This means that millions of users are exposed to spoofed certificates, or to certificates that have already been revoked by trusted certificate issuers.  To make matters worse, SSL certificate validation is turned ON by default by Google and has to be deliberately turned off by developers.


Keep Your Software Off Our Hardware!

Paul Ballard

20 Feb 2015

No, this isn’t a cleverly disguised double entendre; we really mean it.  Keep your software off our hardware!  The recent reports of Lenovo preloading the Superfish adware onto its laptops are only one of several recent indications that hardware suppliers may not have our best interests at heart.

Earlier this week it was announced that Lenovo had infected its own computers with an adware product called Superfish.  This software injects itself into search results provided by other providers like Google and Bing to provide additional revenue opportunities to Superfish advertisers.  Lenovo claims “The intent was to supplement the shopping experience,” but it was really to supplement income through ad sales.  This gross invasion of our privacy was made worse by the fact that the adware interfered with SSL encryption, making everything else the user did in the browser, ANY browser, insecure.  Attackers could pick off bank account numbers, SSNs, or anything else sent from infected PCs directly off the wire.

But Lenovo’s sleazy back-door attempt to sell us products we don’t want was only the most recent invasion of our hardware.  Security experts at Kaspersky also recently announced that the NSA has the ability to infect hard drive firmware to implant spyware directly onto our systems for surveillance purposes.

Developer Lifestyle

Get 2015 Started Off on the Right Foot

Paul Ballard

30 Dec 2014

Get ready to put your best foot forward with these geek tips for starting the new year right.

As 2014 draws to a close, we begin to look ahead to what lies in store for the next year.  While most New Year’s resolutions seldom see February 1st, these tech tips can be implemented so fast you won’t have time to lose your initiative.

Change your passwords

The past several months have certainly shown the havoc that can be wrought by unscrupulous jerks with access to other people’s data.  Taking the time to reset your passwords is a great start, but you should also be thinking about how you’re going to manage your security credentials for the new year.  Here are some things to consider.


New Report Cites Significant Security Vulnerabilities in Android Devices

Paul Ballard

8 Dec 2014

Security firm TrendMicro has released a new report stating that 75% of Android users are vulnerable to multiple attacks.

In its latest Quarterly Security Roundup, TrendLabs calls out several key vulnerabilities in recent Android OS releases, including the FakeID issue and Android Browser flaws.  The FakeID vulnerability was originally discovered earlier this year by BlueBox Labs and allows malicious apps to impersonate legitimate applications that are trusted by the OS.

This is a widespread vulnerability dating back to the January 2010 release of Android 2.1 and affecting all devices that are not patched for Google bug 13678484, disclosed to Google and released for patching in April 2014. All devices prior to Android 4.4 (“KitKat”) are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of the app’s data, and being able to do anything the app is allowed to do. Android 4.4 is vulnerable to Fake ID, but not specifically to the Adobe System webview plugin due to a change in the webview component (the switch from webkit to Chromium moved away from the vulnerable Adobe-centric plugin code).