Software Integrity

Archive for February 2014

 

Understanding the Apple ‘goto fail;’ vulnerability

You may have heard about the recently publicly disclosed vulnerability (http://support.apple.com/kb/HT6147) in Apple iOS. Let’s take a look at the goto fail details as well as at who is affected.

Vulnerability Details

As the code at http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c shows, there is a bug in the implementation of the SSLVerifySignedServerKeyExchange function. Although the goto fail has been […]

Posted in Code Review, Mobile Application Security


A quick post on Apple Security 55471, aka goto fail

goto… fail?

If you haven’t heard about the ironically named “goto fail” vulnerability, please read Adam Langley’s well written article. A summary of the issue is as follows:

    static OSStatus
    SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                     uint8_t *signature, UInt16 signatureLen)
    {
        …
        if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) […]

Posted in Application Security, Vulnerability Assessment


Is it time for Enterprise IT to declare defeat in the cyber security war?

How can business leaders guarantee that they won’t be the next headline security breach? How should companies even start to address software security? Watch the HP Discover Performance Weekly video featuring Cigital CTO, Dr. Gary McGraw, to find out.
Posted in Code Review, Financial Services Security, Penetration Testing, Software Security Testing


Kickstarter password Breach … #FTW?

Last Wednesday I spoke about password storage security in a WhiteBoard session. Fate has allowed a publicized password breach within a few days prior to these talks nearly without fail and, with the hack of Yahoo’s 3rd party database more than a week in the rear-view, I was a bit self-conscious. Cue the Kickstarter security […]

Posted in Data Breach, Threat Modeling


JMU distinguished lecture: Cyber war, cyber peace, stones, and glass houses

Software is in such a vulnerable state today. Most systems and networks were poorly designed and built from the start, which makes them even more difficult to defend against cyberwar, cyberespionage, and cybercrime attacks. We need to design and implement things to be more secure in the first place. Unfortunately, this is not the prevailing […]

Posted in Software Security Testing


UK National Health Service (NHS) infected – with a typo

The UK’s NHS web site (http://www.nhs.uk/), or to be precise, links embedded in it, have been infecting visitors with malware. At the end of the day, it was probably a straightforward typo in the coding of the web page. What lessons can we learn here? How could we have stopped that? Sadly, there’s not much […]

Posted in Data Breach, Healthcare Security, Web Application Security