Writing a simple ESP8266-based sniffer
Thu, 26 Jul 2018

In this first post we discuss the packet sniffing capabilities provided by the ESP8266 SDK and demonstrate them by writing a simple packet sniffer that parses 802.11 frames and outputs them to the serial console.

Implementing a Password Strength Indicator
Fri, 22 Jun 2018

Passwords are, at present, a mostly necessary part of web applications. A lot of research has gone into how applications should deal with passwords, from the UX of password entry and creation, to the storage of passwords. This article will cover how to implement a password strength indicator that follows modern best practices.

Digital Security Strategy, Part 2: Rising Into The Clouds
Fri, 25 May 2018

In the next post of the Digital Transformation section, we discuss the common security problems that companies face as they move computing into the cloud.

Why Do I Write Vulnerable Code?
Fri, 18 May 2018

You're a software engineer or architect. Imagine your product was the victim of a data breach and received lots of press. After the smoke clears, is your team asking and answering this fundamental question?

Digital Security Strategy: Part 1
Thu, 10 May 2018

At Carve we are fortunate to have clients that span across many industries, company sizes, and technology maturity levels. This series of blog posts will discuss an increasingly common theme across our customer base, called "Digital Strategy" or "Digital Transformation", and how this affects an organization's security.

Manipulating APIs for Security Test Automation
Fri, 27 Apr 2018

REST API security assessments were driving me crazy. I decided to write a tool to help.

Should GNSS be a threat vector in your threat model?
Tue, 03 Apr 2018

GPS, also referred to by the broader term GNSS, is a fundamental technology for IoT positioning and time estimation. Developers typically regard GPS as a trusted input to the system because manipulating GPS signals is presumed to be too difficult for the casual attacker. Lab testing at Carve shows us that this isn't the case. There are easy software tools for manipulating GPS inputs to find software flaws. Time to rethink the threat model.

JWT, OAuth, and Algorithm Choices
Tue, 27 Feb 2018

Implementing systems that securely authenticate users and authorize their activities within applications can involve multiple interactions that cross trust boundaries. When applications are written in different languages and live in different environments, but still want to share data with each other, what are the options?

  • Don't start rolling your own crypto …

Meltdown and Spectre. Oh My!
Fri, 05 Jan 2018

There have been a lot of new terms floating around the internet these last few days: Meltdown, Spectre, etc. What does it all mean? In this post, I will explain the high-level pieces, which systems are affected, and what you can do to better protect yourself.

Android 7 Cellular MiTM
Tue, 24 Oct 2017

Performing security assessments of complex systems sometimes requires some technical gymnastics to "man-in-the-middle" (MITM) communications between components. MITM techniques are essential for observing and manipulating communications in ways that a developer may not have anticipated. As system defenses improve, the task of setting up a MITM environment for a system …