Tuesday, June 17, 2014

What I want from Domino's passwords

Domino's Pizza got hacked, and the hackers demand money for not publishing the stolen user credentials.

Now if I could analyze those passwords, here's what I would be interested in:


Friday, April 25, 2014

Did Twitter silently remove login verification using their Twitter app?

Updated information:

I tried to register for one-way tweeting by SMS by sending 6 messages (stop, stop, start, yes, username, password) to Twitter's UK number. That didn't work, so I repeated the process with the number listed for Finland. It worked.

Now I can tweet by SMS (who would do that anyway???), but I can finally configure login verification using the iOS/Android app.

Error report, or at least sort of:
The option Security and privacy - "Send login verification requests to my phone" is available (using PC/Windows/Chrome at twitter.com), but I do not receive any verification code from Twitter.

My phone number is correctly listed under Mobile, including the +47 country code for Norway, with (Norway) shown next to it. I have set a PIN to protect my account from spoofed SMS texts appearing to come from me.


_________________________________
Original text:

So @hmemcpy and @omervk had this little discussion on the failure of configuring Twitter login verification, and I thought "dude, that's easy", and pointed to the option of using "login verification" through Twitter's native app for iOS or Android, an option I've been using for quite some time:

Monday, February 24, 2014

Privacy at our political parties


In the final stretch of the election campaign in the autumn of 2013, I checked whether the political parties in Norway complied with the Personal Data Act (personopplysningsloven) and the requirements/recommendations issued by the Norwegian Data Protection Authority (Datatilsynet). What I found was surprising enough that I tipped off Aftenposten, who verified it themselves and, when they contacted Datatilsynet, got a clear answer that the parties were in breach of the law. Aftenposten's article is available here.

I also criticised the parties Høyre and Venstre for weak e-mail security, again through Aftenposten.

Now, 6 months later, it was time to check which parties have kept their promises and established the security they are legally required to have.

Tuesday, February 04, 2014

Sparebank 1 SMN on Facebook / Tinder

(English summary at the end)

Updated 06.02.2014: Dagbladet has written an article based on the text below.
Sparebank 1 SMN got massive media coverage yesterday, after creating 2 fake profiles on Facebook that are used on Tinder to attract new customers.

This provokes me strongly.

1) Requirements for personal profiles
Both Facebook and Tinder require that personal profiles belong to an existing person. Here the bank has blithely ignored this and created fake personal profiles.

2) Tinder: terms of use
Tinder requires that an account is based on an existing personal Facebook profile and that it is used for non-commercial purposes. Here the bank breaks the terms, since its purpose is to attract new customers via a dating service (!).

3) Privacy
The bank says that an employee working specifically with social media is responsible for these (fake) profiles. I find it natural to assume that several other employees may get full or partial access to data that emerges through their use of these services. By using these profiles, actively or passively, the bank gains access to information about unwitting people that may be regarded as sensitive personal data.

I note that director of communications Hans Tronstad says he is satisfied with the strategy so far.

Congratulations, you have received a lot of attention. During the day I will contact Datatilsynet to ask them to look more closely at the matter. I will also report the fake profiles and the breaches of the Terms of Use to Facebook & Tinder.

--
English summary:
A Norwegian bank created 2 falsified "personal" accounts on Facebook, and uses them on Tinder (dating site) to attract new potential customers. Not only is this a violation of EULAs in terms of spoofing & commercial usage, it could also be a gross violation of privacy.

I know these kinds of violations happen every day, but I never thought a Norwegian bank could do something this stupid. To top it all off, their head of information says they are very happy with their strategy so far. A bank becoming a scammer. Nice strategy. Now take a look in a mirror, and see what a scammer looks like.

(Full story: Google Translate the link above.)

Friday, January 31, 2014

OCR matching Unicode characters

[Image linked from http://babelstone.blogspot.no/2013/10/whats-new-in-unicode-70.html]

I wonder if somebody could do OCR matching of all Unicode 6.x characters against each other, with a threshold value to find characters that visually will look pretty much the same to "normal" people.

Purpose: to identify characters I could use to mock password crackers by telling them my password is ᖴᕀⅠ੨Ȝ੫ƼⅥ⑦Ȣ, but there's no way in hell you'll be able to crack it.
(No, don't ask me how I would remember how to type in my passwords.)

That's all.
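As an added example (not from the post), the Python below takes a first, cheap cut at the question above before any glyph-level OCR comparison: the Unicode Character Database already relates some lookalikes to ASCII through compatibility normalization (NFKC) and decimal digit values, and the remaining glyphs need a table, which is hand-made and constructed here. The same mapping is what a login system would have to reason about if it normalized Unicode passwords before hashing.

```python
import unicodedata

# Constructed lookalike table for glyphs that the Unicode Character Database
# does not relate to ASCII at all; filling this table systematically is the
# OCR-matching job described in the post. Entries are illustrative guesses.
GLYPH_LOOKALIKES = {
    "ᖴ": "F",  # Canadian syllabics letter drawn like a Latin F
    "Ȝ": "3",  # Latin capital yogh, resembles the digit 3
    "Ƽ": "5",  # Latin capital tone five, resembles the digit 5
    "Ȣ": "8",  # Latin capital OU, resembles the digit 8
}

def ascii_lookalike(ch):
    """Return (ascii_form, source) for one character.

    source is 'ascii' for plain ASCII, 'nfkc' when compatibility normalization
    maps the character to ASCII (Roman numeral one -> 'I', circled 7 -> '7'),
    'digit' when it carries a decimal value (Gurmukhi two -> '2'), 'table' when
    only the hand-made table knows it, and (None, None) when nothing does.
    """
    if ch.isascii():
        return ch, "ascii"
    folded = unicodedata.normalize("NFKC", ch)
    if folded.isascii():
        return folded, "nfkc"
    try:
        return str(unicodedata.digit(ch)), "digit"
    except ValueError:
        pass
    if ch in GLYPH_LOOKALIKES:
        return GLYPH_LOOKALIKES[ch], "table"
    return None, None

def analyse_password(pw):
    """Return (skeleton, detail): the ASCII string a reader would 'see', with
    '?' where no mapping exists, and per-character (char, name, form, source)."""
    detail = [(ch, unicodedata.name(ch, "UNKNOWN")) + ascii_lookalike(ch) for ch in pw]
    skeleton = "".join(form if form is not None else "?" for _, _, form, _ in detail)
    return skeleton, detail

if __name__ == "__main__":
    # The lookalike password quoted in the post above
    skeleton, detail = analyse_password("ᖴᕀⅠ੨Ȝ੫ƼⅥ⑦Ȣ")
    for ch, name, form, source in detail:
        print(f"U+{ord(ch):04X} {name:<42} -> {form!r:6} via {source}")
    print("what a reader sees:", skeleton)
```

Running it shows that only three of the ten characters are caught by NFKC, two more by their digit value, and the rest depend entirely on the constructed table, which is exactly the gap the OCR idea would fill.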


Tuesday, January 14, 2014

78K and counting!

So far, I have served out 78K+ minutes of viewing time from my YouTube account, through 19K+ views. I am really happy with that. :-)

With 88% males and 12% females watching, I can only speculate why red-headed women seem to have better (longer) passwords on average than men. 146 countries/territories have been watching, even countries far away like Turkmenistan, Afghanistan, Mongolia, Uganda and South Sudan.

While Windows is the most popular platform for viewing these videos, I'm a bit surprised to see Android in second position, well ahead of Mac, Linux & iOS. But hey, there are viewers out there using Nintendo Wii! :-)

So without further ado, here are the TOP 5 PasswordsCon Videos:


Number 5:

Advanced Password Cracking: Hashcat Techniques for the Last 20% 
Jens Steube (atom, author of Hashcat), PasswordsCon in Las Vegas, July 30-31, 2013.

Number 4:

Energy-efficient bcrypt cracking
Katja Malvoni, PasswordsCon in Bergen, December 2013


Number 3:

Passwords^12 - Exploiting a SHA-1 weakness in password cracking 
Jens Steube (atom, author of Hashcat), PasswordsCon in Oslo, December 2012.


Number 2:

Password Cracking, From "abc123" to "thereisnofatebutwhatwemake" 
Joshua Dustin and Kevin Young, PasswordsCon in Las Vegas, July 30-31, 2013.


Number 1:

Password Cracking HPC
Jeremi Gosney, PasswordsCon in Bergen, December 2012.

Congrats Jeremi! :-)

Monday, November 04, 2013

PasswordsCon Bergen - practical info

Alrighty, less than a month until PasswordsCon in Bergen, Norway!

Just some quick & practical information for those travelling from far away here:

Hotels

Most hotels in the city center will represent walking distance (15-30 minutes tops) to our venue.

Recommended hotels (preferred order, based on proximity to city center):


Radisson Blu Hotel Norge (absolute city center)
Clarion Collection Hotel No 13 (absolute city center)
Thon Hotel Bristol Bergen
Rica Travel Hotel Bergen
Grand Hotel Terminus (has one of the best Whisky bars in northern Europe)

I recommend looking them up on www.tripadvisor.com, but do check their prices directly on their home pages, as that just might give you the best price after all, without all the low-price restrictions. All these hotels are very close to each other, making it easier to go out during the evening and find your way back late at night. :-)

Depending on your arrival (Saturday or Sunday), I'll be able to show you & others around the city, including a visit to the top of 1 or more of the 7 mountains surrounding the city. Prepare for a bit colder and rainier environment than ... well... wherever. :-)


Wednesday, October 02, 2013

CFP: Passwords^13 (PasswordsCon), Bergen, Dec 2-3

PasswordsCon
December 2-3, 2013
Bergen, Norway

CALL FOR SUBMISSIONS
====================================

Per Thorsheim, with the support of FRISC (www.frisc.no), the University
of Bergen and Stricture Consulting Group, organizes PasswordsCon,
the fifth edition of a technical conference devoted solely to passwords
and related authentication methods.

Passwords are the most common authentication method on internet services
and on computers in general, regardless of their form factor (desktop,
laptop, tablet, smartphone, etc.).  Dissatisfaction with the robustness
and usability of current approaches has motivated the previous editions
of the Passwords conference, and more recently prompted the organization
of the Password Hashing Competition.

The purpose of PasswordsCon is to gather leading researchers in
passwords security and authentication methods in general, so as to best
understand the challenges posed and to address them adequately.

Details on the conference as they are ready will appear at our website:
passwordscon.org

Sunday, September 22, 2013

Seriously RapidSSLOnline....

RapidSSLOnline sends out HTML formatted emails for certificate renewal containing a direct SSL login link to your account, for easy renewal (or change/delete) of SSL certificates.

Hmm.. And I actually thought that sending out direct login links by clear-text e-mail was a bad idea....

Seriously?

Important update: my link + title initially pointed at RapidSSL.com, while the correct one is RapidSSLOnline.com. Big thx to Tom Willows for correcting me!

Wednesday, September 18, 2013

Bring CRM - and Thon Hotels


I am a member of the Thon Hotels loyalty programme, as I am with several other hotel chains. The prospect of a "free" night is tempting enough. I have regularly received my points summary by e-mail, together with various offers meant to get me to spend both points and money.

However, I was annoyed from the very first e-mail, which had the screenshot above as the introduction to every single e-mail. Points to you if you already understand why.