My previous version of Windows was 7 and after that in the last 4 years was Linux so my everyday knowledge of Windows 10 itself was pretty much none at all. I'll be linking things as I go along but everything will be listed at the bottom as well. For this report I'll be going over everything I've found to make Windows 10 more useful and get out of the way as much as possible. Everything in that list is cross-platform for Linux and Windows. For example, see the following construct which includes a few of our audit notes: /* Accumulate a potential fragment into the current context. In my last report I gave a list of useful utility software I use regularly. Unfortunately for us, there were usually mitigating circumstances that limited the exploitability of issues and could only be described as “insecure coding practice”. Findings The repeatedly found vanilla overflow Fairly early on we stumbled across a number of bad constructs related to memory allocation and reallocation. In late February 2016 we quickly audited the libotr library and several consumers of the library using manual code review. Vulnerabilities in the clients that allow compromising the system or sensitive data In libotr or libotr plugins. Vulnerabilities introduced directly in libotr plugins or libotr integration natively within a client. Vulnerabilities in the libotr library implementation. Vulnerabilities and weaknesses in the OTR protocol itself. We considered the attack surface related to: Libotr itself has a small code-base and it is approximately 7000 lines of C and C/C++ header code (we are not focussing on the Java library in our review). The protocol has gone through a few revisions after published research, most notably the papers “Secure Off-the-Record Messaging” and “Finite-State Security Analysis of OTR Version 2”. The OTR protocol was first presented in 2004 as an improvement over OpenPGP and S/MIME, supporting forward-secrecy and deniable authentication.
Libotr is a library (C, Java) used by a number of clients to speak the OTR protocol, including Adium, ChatSecure and Jitsi natively and then Irssi, Miranda, and Pidgin via plug-in. That bet was a reaction to the release of the EFF scorecard, which at the time gave Cryptocat(†) a perfect score but dinged ChatSecure, which is a libotr client, for not having an audit done. Matthew Green and I had a bet for the last year, which just ended, over libotr’s security; I bet him that nobody would find a sev:hi flaw in it all year, and, of course, won, because at this point all the low-hanging fruit in libotr has been shaken out. One of the reasons we wanted to look at libotr was due to the following thread related to the EFF Scorecard that explicitly calls it out with a bet on its security: As it’s being revised now, we’ll shift the focus of this post to look at software security outside of just a static snapshot of security bugs, based on some time reviewing libotr. … hazzah! - without sugar coating it too much, this initial scorecard was broken and quite frankly, dangerous. Shortly after, the EFF took down their scorecard and announced a new version is in the works. Since then, we followed up on other clients and libraries, and presented at the BSides Canberra conference here in Australia. In the first post we introduced the scorecard and took a look at an application called RetroShare, which after a short audit revealed a number of high-impact vulnerabilities, illustrating a number of areas of improvement needed for the scorecard. Back in February we published part one of our EFF Secure IM Scorecard review.