Thursday, May 23, 2013

Passwords^13

YES, IT'S HAPPENING!

Las Vegas. July 30-31. Same time as Blackhat, overlapping slightly with BsidesLV and a few days before Defcon, where our friends at Korelogic will be running the annual CrackMeIfYouCan competition once again.
But please, do visit passwordscon.org to learn more. Call for presentations, venue, registration, SPONSORING.... My friend & password cracking partner Jeremi Gosney of Stricture Consulting Group runs the page, and does a fantastic job of "local" organization in the US / Las Vegas.

I hope to see you there! :-)

Password Crackers Hierarchy of Needs


Why SMS 2FA Twitter, WHY?

Dear Twitter,

Congratulations on adding 2-factor authentication, or "login verification" as you have named the baby. It's way overdue imho. With me being 1) one of those criticizing you for being slow with introducing 2FA, and 2) one of those who can't get it quite yet (as Norway and all the telcos here don't exist in your settings universe quite yet), I do have some questions for you.

Sunday, May 05, 2013

FYI: Google Ads

FYI:
I'm on my own now, starting my own company, at the moment only with 1 employee: ME. :-)
I have decided to enable Google Ads to be displayed on my blog. I try to write good posts and contribute to the community, but I also have bills to pay. Thank you for understanding.

Friday, April 26, 2013

Cryptonerds PINs


I'm at Finse1222, attending the annual FRISC Winter School 2013. I did an evening talk (PDF) on Tuesday, the first part about legal issues with Bring Your Own Device & Mobile Device Management, the second part about some random thoughts on passwords & PIN codes, primarily to catch some interest from the audience of PhD students and professors, most of them within infosec/crypto at academic institutions from around the world.

Based on questions and some extra interest from Andrey Bogdanov and Sondre Rønjom, the three of us decided to do a little experiment. Here are the results. :-)

Saturday, April 06, 2013

Will 2F weaken 1F?

"Well, Per isn't exactly a rocket scientist, and I have to help him with anything from shoelaces to toilet visits, but he is a KEEN debater in Internet forums..."
Ok, so this is one of those blog posts where I have spent a long time thinking about the topic, but I haven't spent much time preparing and writing it. After my tweet here on a slow Saturday afternoon, @marshray and @adamcaudill responded, and suddenly it was time to do this blog post, asking whether the introduction of 2-factor authentication in an organization would weaken the "something you know" part at some point.

Wednesday, March 06, 2013

HOWTOFAIL: ENTERCARD

[This is bad, and this is just the beginning of this blog post...]

Update March 29, 2013: SSL config is now at grade A! Congratulations!

Remembercard (brand name) is issued by Entercard, a joint venture between Swedish Swedbank and Barclays Bank Plc. The irony of a credit card company not having a PCI-DSS compliant website is amazing. The lack of knowledge concerning users' selection of PIN codes is obvious, and the lack of proper security for e-mail based marketing is shocking.

I hope this blog post will be read, understood and acted upon properly ASAP by those in charge.



Tuesday, February 19, 2013

Step 1: Securing My E-mail


The hacking of Mat Honan scared me. A lot. While there was no "advanced hacking" involved, the attackers found data across multiple services, which when combined enabled them to gain access to one service after another through password resets.

It really made me think about my own mail accounts (I've got quite a few of them), and how they are secured. I didn't really know, so I thought I should have a look. This is part 1, with more to come; here is my summary so far. Make a guess which one I prefer:

Wednesday, February 13, 2013

Dear Dataforeningen

Dear Dataforeningen.

Today I was going to join Dataforeningen: www.dataforeningen.no, and the link "Bli medlem" (Become a member).

First observation: the link goes to an HTTP page. By typing https into the address I reach the same page, but this time the way it should be, over HTTPS.

Unfortunately it does not stop there, and what I see is bad practice. Bordering on pure sloppiness, or a web service whose operations side has been neglected for many years, is my claim.
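The two observations above (a sign-up link that points at plain HTTP, and an HTTPS version that works but is never enforced) are exactly the kind of thing a short script can check before you file a complaint. The following is an added example and not code from the original post or from Dataforeningen's site: it runs offline against constructed stand-in responses, and the host and path in it are placeholders, not the real URL.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    """Constructed stand-in for an HTTP response: status code and headers only.

    Swap the constructed instances below for a real fetch (urllib, requests)
    when running this against a live site.
    """
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; None if the header is absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def check_signup_link(link_url, http_response, https_response):
    """Return a list of findings for a sign-up/membership link.

    link_url       -- the href exactly as the site presents it
    http_response  -- response to a GET of the http:// form of the URL
    https_response -- response to a GET of the https:// form of the URL

    An empty list means: the link itself is HTTPS, plain HTTP redirects to
    HTTPS, and the HTTPS page tells browsers to stay on HTTPS via HSTS.
    """
    findings = []
    scheme = urlsplit(link_url).scheme.lower()

    if scheme == "http":
        findings.append("link points to plain HTTP")
    elif scheme != "https":
        findings.append("link has no absolute http(s) scheme: %r" % scheme)

    # Whatever the link says, the plain-HTTP URL must not serve the form itself.
    if http_response.status in REDIRECT_STATUSES:
        location = http_response.header("Location") or ""
        if not location.lower().startswith("https://"):
            findings.append("HTTP redirect does not lead to HTTPS")
    elif http_response.status == 200:
        findings.append("HTTP URL serves the page without redirecting to HTTPS")

    if https_response.status == 200:
        if https_response.header("Strict-Transport-Security") is None:
            findings.append("HTTPS page sends no Strict-Transport-Security header")
    else:
        findings.append("HTTPS URL does not serve the page (status %d)" % https_response.status)

    return findings


# Constructed scenario mirroring the post: HTTP link, both variants serve the
# form, nothing enforces HTTPS. Host and path are placeholders, not the real URL.
def findings_as_observed():
    link = "http://www.example.org/bli-medlem"
    http_resp = Response(200, {"Content-Type": "text/html"})
    https_resp = Response(200, {"Content-Type": "text/html"})
    return check_signup_link(link, http_resp, https_resp)


# Constructed scenario of the same site fixed: HTTPS link, HTTP redirects, HSTS set.
def findings_after_fix():
    link = "https://www.example.org/bli-medlem"
    http_resp = Response(301, {"Location": "https://www.example.org/bli-medlem"})
    https_resp = Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    return check_signup_link(link, http_resp, https_resp)


if __name__ == "__main__":
    for name, fn in (("as observed", findings_as_observed), ("after fix", findings_after_fix)):
        print(name + ":", fn() or ["no findings"])
```

The check deliberately looks at the HTTP URL even when the link is already HTTPS: a link can be correct while the server still happily serves the same form over plain HTTP to anyone who types the address by hand, which is the mirror image of what the post describes.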

Thursday, January 31, 2013

Dear BankID

We are probably not the world's best friends, I am painfully aware of that. The use of Java, centrally stored PKI that goes against established principles, BankID på mobil (BankID on mobile) that only works with some operators & handset models, plus various other problems... to name a few.

Still, I am cheeky enough to put forward a very simple change proposal that could make the user experience *a little* better when logging in to online banking from a PC.