Search the Community
Showing results for tags 'audit'.
Found 4 results
The Security audit of TrueCrypt disk-encryption software has been completed, with no evidence of any critical design vulnerabilities or deliberate backdoors in its code. TrueCrypt -- one of the world's most-used open source file encryption software used by Millions of privacy and security enthusiasts -- is being audited from past two years by a team of security researchers to assess if it could be easily exploited and cracked. Hopefully, it has cleared the second phase of the audit. TrueCrypt is a free, open-source and cross-platform encryption program available for Windows, OSX and Linux that can be used to encrypt individual folders or encrypt entire hard drive partitions including the system partition. NO NSA BACKDOORS Security Auditors and Cryptography Experts at NCC took an initiative to perform a public information security audit of TrueCrypt in response to the concerns that National Security Agency (NSA) may have tampered with it, according to a leaked classified document by Edward Snowden. TrueCrypt cleared the first phase of the audit that reviewed the blueprints of the software and given a relatively clean bill of health almost a year ago. At the first phase, auditors discovered 11 issues of medium and low severity in the software. Now, the auditors from NCC Group’s Cryptography and security audit Services have finalized and published the 21-page Open Cryptographic report related to the second phase of audit that examined TrueCrypt's implementation of random number generators and critical key algorithms, and various encryption cipher suites. FOUR VULNERABILITIES DISCOVERED The report uncovered four vulnerabilities in the latest original version of the software, but none of them could lead to a bypass of confidentiality or let hackers use deformed inputs to subvert TrueCrypt. The vulnerabilities are given below: Keyfile mixing is not cryptographically sound -- Low severity Unauthenticated ciphertext in volume headers -- Undetermined CryptAcquireContext may silently fail in unusual scenarios -- High severity AES implementation susceptible to cache timing attacks -- High severity The most critical of the four vulnerabilities involved the use of Windows API to generate random numbers used by master cryptographic key. A separate vulnerability with undetermined severity checks for the volume header decryption was susceptible to tampering. Also, a low severity flaw for a method used to mix the entropy of keyfiles was not cryptographically sound. Another high severity flaw identified refers to "several included AES implementations that may be vulnerable to cache-timing attacks." Source: thehackernews.com
*Comsenz SupeSite 7.0 CMS SQL Injection Security Vulnerabilities* Exploit Title: Comsenz SupeSite CMS SQL Injection Security Vulnerabilities Product: SupeSite CMS (Content Management System) Vendor: Comsenz Vulnerable Versions: 6.0.1UC 7.0 Tested Version: 7.0 Advisory Publication: March 14, 2015 Latest Update: March 14, 2015 Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection' [CWE-89] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend) Impact Subscore: 6.4 Exploitability Subscore: 10.0 Discover and Author: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore] *Suggestion Details:* *(1) Vendor & Product Description:* *Vendor: * Comsenz *Product & Version:* SupeSite6.0.1UC SupeSite7.0 *Vendor URL & Download:* SupeSite can be bought from here, http://www.comsenz.com/products/other/supesite http://www.comsenz.com/downloads/install/supesite#down_open *Source code:* http://www.8tiny.com/source/supesite/nav.html?index.html *Product Introduction:* "SupeSite is an independent content management (CMS) function, and integrates Web2.0 community personal portal system X-Space, has a strong aggregation of community portal systems. SupeSite station can be achieved within the forum (Discuz!), personal space (X-Space) information content aggregation. Any webmaster , are available through SupeSite, easy to build a community portal for Web2.0." "Through grade audit operations, audit managers can publish information on the station to rank classification, shield, remove the handle, which can display information on the effective control of the site's pages. When the audit information, the audit level is set to shield information, the information will no longer appear on the page aggregation site, but the user's own personal space is still displayed above. If you want to completely shield the information, use the delete function. Audit information is divided into five levels, you can page polymerization conditions, freedom of information conducted classification. The default user information released pending state audit level. Administrators can set up the site, set whether to allow the pending status of the information displayed on the site aggregation page." *(2) Vulnerability Details:* SupeSite web application has a security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Other Comsenz products vulnerabilities have been found by some other bug hunter researchers before. Comsenz has patched some of them. NVD is the U.S. government repository of standards based vulnerability management data (This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA)). It has published suggestions, advisories, solutions related to similar vulnerabilities. *(2.1)* The code programming flaw occurs at "batch.common.php" page with "name" parameter. *References:* http://tetraph.com/security/sql-injection-vulnerability/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/comsenz-supesite-70-cms-sql-injection.html http://www.inzeed.com/kaleidoscope/computer-web-security/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ https://infoswift.wordpress.com/2015/03/14/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ http://marc.info/?a=139222176300014&r=1&w=4 http://en.hackdig.com/?13972.htm -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/tetraphibious Source
Funding from the Core Infrastructure Initiative has helped the maintainers of OpenSSL, one of the Internet’s most-deployed pieces of open source software, begin to get the crypto implementation on its feet. Despite its ubiquity, OpenSSL has historically been under-funded and under-resourced, though no one outside those close to the project knew how dire the situation was until Heartbleed and other Internet-wide bugs started experts looking closely at the security of open source software. With funding from CII and other corners of the Internet, full time help has been hired to maintain the regular flow of patches and feature upgrades, and since last spring, get the code base ship-shape for a full-fledged security audit. NCC Group Cryptography Services, the security company behind the first phase of the TrueCrypt audit, Monday announced that it, in partnership with the Linux Foundation, will conduct an audit of OpenSSL, looking at key components likely to put installations at risk in the event of a critical vulnerability. “A number of folks who have contributed their free time and professional time, kept OpenSSL growing,” said Tom Ritter, principal security engineer at NCC. “A lot of those contributions were around making OpenSSL more efficient and improving speed—and security improvements. Now, being able to have people work on it fulltime in a maintenance capacity goes long way. Any project that old accumulates technical debt takes that takes time and effort to pay down. Having fulltime focus on bug maintenance is super important.” OpenSSL’s code cleanup paved the way for the audit, Ritter said. Engineers spent significant time re-reading areas of code of most concern—and fixing bugs along the way—in order to make the code more reliable, consistent and secure. Ritter said work on the audit should begin shortly, and the first set of results will be made available mid-Summer after OpenSSL has had time to review the results and patch. Ritter said the audit will be concentrated only in certain critical areas of the OpenSSL codebase, and will not be comprehensive. In scope are the TLS stacks, covering protocol flow, state transitions, and memory management. The BIOS, high-profile crypto algorithms and fuzzing of the ASN.1 and x509 parsers will also happen, Ritter said, adding that input and feedback from the current OpenSSL team also contributed to what ultimately ended up in scope for the audit. “We chose areas around OpenSSL where a flaw here might be of higher severity than other areas,” Ritter said. “The types of things we’ll be looking for are things such as protocol mishandling or state transitions, things like that, even timing attacks in crypto algorithms, or memory corruption that would yield a denial of service condition or remote code execution. Those are the types of bugs looking for. If find one of those, it has the possibility of being fairly critical.” Unlike the TrueCrypt audit where one of the stated goals was to determine whether the popular encryption software had been backdoored, that isn’t necessarily the case with OpenSSL, Ritter said. “You haven’t heard much about [backdoors] in OpenSSL,” Ritter said. “Our real goal is to find any sort of exploitable security concerns. I think that we’re focusing on it from the perspective of a security audit.” Expect Ritter and his team to spend plenty of time in front of large whiteboards for the next few months, tracing out function flows and diagram the code in order to support the manual and automated code review it will take to properly assess OpenSSL. And while the audit may not yield something as dramatic as Heartbleed, you can expect Ritter’s team to be looking in that direction. “Certainly looking at historical bugs in the platform gives us an idea of the types of flaws present still; it will be helpful,” Ritter said. “I’m not going to say we’re doing to go in expecting to find any particular bug in a particular area, but looking at historical bugs does guide us in certain areas as do a lot of the less high-profile bugs. Looking at just about any bug and seeing the underlying causes of it gives us a sense that if something similar is happening elsewhere, there could be a bug there.” Source
There's a story on Hacker News asking what the hell is going on with the Truecrypt audit. I think that's a fair question, since we have been awfully quiet lately. To everyone who donated to the project, first accept my apologies for the slow pace. I want to promise you that we're not spending your money on tropical vacations (as appealing as that would be). In this post I'd like to offer you some news, including an explanation of why this has moved slowly. For those of you who don't know what the Truecrypt audit is: in late 2013 Kenn White, myself, and a group of advisors started a project to undertake a crowdfunded audit of the Truecrypt disk encryption program. To the best of my knowledge, this is the first time anyone's tried this. The motivation for the audit is that lots of people use Truecrypt and depend on it for their security and safety -- yet the authors of the program are anonymous and somewhat mysterious to boot. Being anonymous and mysterious is not a crime, but it still seemed like a nice idea to take a look at their code. We had an amazing response, collecting upwards of $70,000 in donations from a huge and diverse group of donors. We then went ahead and retained iSEC Partners to evaluate the bootloader and other vulnerability-prone areas of Truecrypt. The initial report was published here. That initial effort was Part 1 of a two-part project. The second -- and much more challenging part -- involves a detailed look at the cryptography of Truecrypt, ranging from the symmetric encryption to the random number generator. We had some nice plans for this, and were well on our way to implementing them. (More on those in a second.) Then in late Spring of 2014, something bizarre happened. The Truecrypt developers pulled the plug on the entire product -- in their typical, mysterious way. This threw our plans for a loop. We had been planning a crowdsourced audit to be run by Thomas Ptacek and some others. However in the wake of TC pulling the plug, there were questions. Was this a good use of folks' time and resources? What about applying those resources to the new 'Truecrypt forks' that have sprung up (or are being developed?) There were a few other wrinkles as well, which Thomas talks about here -- although he takes on too much of the blame. It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We're now implementing this. A few weeks ago we signed a contract with the newly formed NCC Group's Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a which serves as a baseline for the newer forks, and it will begin shortly. However to minimize price -- and make your donations stretch farther -- we allowed the start date to be a bit flexible, which is why we don't have results yet. In our copious spare time we've also been looking manually at some portions of the code, including the Truecrypt RNG and other parts of the cryptographic implementation. This will hopefully complement the NCC/iSEC work and offer a bit more confidence in the implementation. I don't really have much more to say -- except to thank all of the donors for their contributions and their patience. This project has been a bit slower than any of us would like, but results are coming. Personally, my hope is that they'll be completely boring. Sursa: A Few Thoughts on Cryptographic Engineering: Another update on the Truecrypt audit