Security Nirvana: blog comments
Blog author: securitynirvana (http://www.blogger.com/profile/11264687350187854173). Comments feed last updated 2023-12-12.

securitynirvana, 2013-03-29 13:38 +01:00:
I've rechecked using SSLLABS on Friday March 29, 2013, and their SSL config now receives a PCI-compliant grade A: https://www.ssllabs.com/ssltest/analyze.html?d=netbank.entercard.com

Congratulations!

securitynirvana, 2013-03-19 21:14 +01:00:
Dagensit.no has done a story based on my blog post, available here (in Norwegian):
http://www.dagensit.no/article2582871.ece

Summarized: they admit lack of QA at the external marketing company in this case, and claim that the reason for their grade F SSL config "is due to customers with older platforms".

Since things are now getting fixed, I'll say no more.

Anonymous, 2013-03-18 15:23 +01:00:
In the era where product placement is everywhere I really appreciate an honest review. Will keep an eye on your blog.

Kudos also to Mr. Fjellgard who offered the device and accepted the critique despite it not being totally favorable. It shows character, and if an improved version is developed I suggest you repeat the procedure.

securitynirvana, 2013-03-12 17:14 +01:00:
If public disclosure of already publicly available data becomes a bad thing to do... We've lost. :-(

Per-Arne Hoff (http://sqlinjectthis.no), 2013-03-11 09:21 +01:00:
You may find that over-responsible disclosure is a good thing in a tiny country with a small but highly IT-focused environment where basically every company is engaged in business with each other. $0.02. :)

securitynirvana, 2013-03-09 15:25 +01:00:
Apple has finally configured SSL support for iTunes. Of course people tested their implementation ASAP using SSLLABS. Of course this is just my assumption, but I'm pretty sure no "responsible disclosure" was done to Apple before posting this Twitter status. I have no doubt the attack surface & potential consequences against Apple are WAY higher than for Entercard, providing a better context for my choices regarding disclosure.

https://twitter.com/jameslyne/status/310385425237803008

securitynirvana, 2013-03-08 00:27 +01:00:
1. Usually I prefer to know who is behind "Anonymous". Just like in any other media, it is difficult to fight 'ghosts'. I do publish all comments unless it is pure spam, even if it is harsh criticism of what I've done.

2. You ask me why I didn't do responsible disclosure. How do you know I didn't? Well, you could be an employee of one of the companies mentioned. In that case I would have expected a formal statement from a named official, permitted to speak in such a situation, not through an anonymous comment to my blog.

You could of course also be one of those (few, I hope) who doesn't like me personally, at a general level, and you are just making assumptions about me. That's a bit harder for me to do something about, especially since you remain anonymous.

3. I didn't do this testing as part of a pentest engagement, I did this in my spare time, no pay, nothing. It's like a public written customer complaint, although I'm not a customer, and probably won't be either.

4. I am very well aware of responsible disclosure, thank you. What I am 'disclosing' is not a 0-day vulnerability. It is not a hidden vulnerability I've discovered, neither is it a design flaw. It isn't necessarily a violation of the PCI-DSS requirements either (as I stated in my blog post). Without becoming a customer (which I am not), OR doing a pentest that would require a written agreement for the tests necessary to verify it, I cannot make claims this website needs to be PCI-DSS compliant. And as you've read, I do not.

What I am pointing at (not disclosing) is a webserver with an SSL configuration that is either completely misconfigured from the very beginning, or has been completely forgotten soon after installation. I say that based on experience and gut feeling, not direct knowledge of their operational environment, capacity & knowledge.

The server supports 40-bit encryption (https://en.wikipedia.org/wiki/40-bit_encryption), which indicates one of these options:

- The server was configured before 1996 (see the 40-bit encryption article), and hasn't been updated or reconfigured since then.

OR:

- Those who designed/installed/configured the SSL certificate / policy are not the people who should do such work.

(ITIL processes, quality management etc. could be pointed at here as well, but it's late, and I'm going to sleep soon.)

5. What I AM "disclosing" is information that is publicly available, without any need to conduct any kind of illegal or, let's say, questionable testing. I am merely saying "Hey, this publicly available information isn't good, and somebody should do something about it!"

6. I did not inform Entercard before publishing my blog post, but I did inform them through public channels at the very moment I published it. And I published it during standard office hours, giving them an opportunity to read & take action if they found it necessary.

I'll end this comment by saying that I DID think thoroughly before posting this online. What I am disclosing about the SSL configuration should usually represent a few hours' work to fix for a competent technician. Add to that proper change management, testing, quality control, service level agreements for downtime etc., and I'd say 2-4 weeks to fix. Online attacks against weak ciphers (as an example) are NOT techniques commonly used to breach the confidentiality or integrity of an SSL-secured website. Client-side trojans are, making SSL encryption irrelevant in most cases.

The combination of current threats against the current configuration, the time typically needed to either reconfigure, reinstall or relocate the services, as well as several other factors led to my decision to publish. I have no doubt this blog post has reached the people in charge, but I do not expect any type of thanks, recognition or other type of reasonable feedback.

I can live with that. I just hope it gets fixed, for the protection of their customers and the company themselves.

Anonymous, 2013-03-07 23:38 +01:00:
A blog post about self-chosen PIN and phishing is interesting. Your exposure of a netbank SSL weakness is not. Being a pentester since 1998 you know very well how a responsible disclosure of a security weakness should be done. Why didn't you do that? Publishing the weakness in a blog and "hope this blog post will be read, understood and acted upon properly ASAP by those in charge" is how to fail as a pentester. For other readers: https://en.wikipedia.org/wiki/Responsible_disclosure.

securitynirvana, 2013-03-07 00:08 +01:00:
Well, I stopped expecting good security, and started assuming the worst instead, soon after I started doing pentesting full-time. That was in 1998. :-)

Anonymous, 2013-03-06 23:59 +01:00:
It seems weird to me that they can fail so completely when at least Swedbank, and Swedish banks in general, work a lot with security. Their internet banking sites all use real 2-factor authentication etc., unlike a certain other large country.

Good post though. Hopefully someone within the company will take notice.

Prohest, 2013-03-06 15:47 +01:00:
Awkward. Heads must roll...

Anonymous, 2013-02-26 09:27 +01:00:
Possibly relevant:
https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/

Anonymous, 2013-02-22 17:19 +01:00:
Hi Per, good to see some focus on email security. My two cents is however that although one can control the transfer between the server and client, unless specific transport policies are published (and tested) between the various SMTP servers, it is very difficult to gauge the security of public email providers.

That said, I'm not proposing having novices running their own servers, and in full disclosure I'm using Google Apps for my own email hosting. What I do propose, however, is a stronger focus on end-to-end encryption, in particular using RFC4880 (OpenPGP). For Thunderbird the Enigmail plugin to add GnuPG support is working rather nicely.

Maybe a post focusing on this can be a natural follow-up on email security?

securitynirvana, 2013-02-20 07:52 +01:00:
Thank you for that information, I'll update my post!

Mangix, 2013-02-20 00:59 +01:00:
A small note on the BEAST attack reported earlier on Hotmail.com

It doesn't work. After it was published, all the major browser vendors decided to fix it and break support for a few outdated SSL sites.

It's only a problem with outdated clients (Thunderbird I believe has the fix).

http://youtu.be/LBbCec4Bp10?t=15m34s

Thursby Software, 2013-02-18 23:36 +01:00:
If you're looking for FIPS 140-2 and Exchange ActiveSync, have you considered this solution -
http://www.thursby.com/PKard_Mail.html

This is Government / Military CAC / PIV strong two-factor authentication. It can work in regular enterprise (finance, healthcare, energy etc.) using .NET (dot net) cards also.

ChrisAD, 2013-02-16 15:28 +01:00:
Very good answer, Christian Torp! That's the kind of thing one likes to see!

Anonymous (R. Christian Torp), 2013-02-15 12:35 +01:00:
Hi Per, and many thanks for making us aware of this. Big thanks also to Erlend Dyrnes, of the IT security professional group in Bergen, who followed up with us yesterday, Thursday 14 February.

From when I read your blog post at around 9 o'clock yesterday, it took only a couple of hours before CustomPublish had made the necessary changes.

We did the following:
- The SSL config is now upgraded and rated B (Trustworthy) on SSLlabs.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.dataforeningen.no
We will raise this further to A as soon as possible.

- HTTPS links are now the default in all outgoing e-mails.

- The password requirements have been raised.

- Auto-login links now lead to a login page with only the username (e-mail) filled in.

- Texts are a bit more informative (password change etc.)

We will work further on the information our members and customers receive, whether they sign up for an activity, buy a checklist or maintain their own information.

I appreciate all input and hope more people will come forward with constructive suggestions.

Best regards,

R. Christian Torp
IT Director
Den Norske Dataforening
www.linkedin.com/in/rctorp

securitynirvana, 2013-02-13 12:47 +01:00:
An important point to include in the risk assessment, without doubt.

First and foremost it is a matter of principle for me. They register information from me and store it. Then I expect a minimum of security, something in line with generally recommended practice. (Pick a standard yourself...). I regard compliance with some standard or other as at least as important as the risk analysis they *may* have carried out, in which they may have concluded "Privacy? Nah, we don't need that, we have no secrets anyway."

Now on to my favourite topic: passwords.
We know that over 60% of us reuse passwords across different services. Dataforeningen gives you a password by clear-text e-mail, and then it is optional whether you want to change it or not. Bad practice right there. Given that ... 10% of the users on Dataforeningen's websites change their password, I think some of them have the same password on other services too. If Dataforeningen is compromised (because their security is lax), it can have direct consequences for their customers (= users) on other services.

As far as I know they cannot be held liable for that financially or legally. Fair enough, but the possibility of extra costs, negative publicity and perhaps customers leaving is surely not desirable either?
--
I may be throwing stones in a glass house. LinkedIn had terrible security when they were hacked last year. They have said nothing about what happened, or what they have done to fix it. Now they have passed 200 million users, and the share price is rising as never before. Negative publicity can apparently be positive publicity too. ;-)

Anonymous, 2013-02-13 12:24 +01:00:
And how do you feel about the information they manage about you? Certainly not much information, but still.

ChrisAD, 2013-02-01 07:40 +01:00:
Excellent! Big praise to Bootstrap. Many should learn from you!

Anonymous, 2013-01-31 20:54 +01:00:
Most people don't pay bills while sitting at the pub or on the bus; most use this in closed settings. For very many, it is either a partner/spouse who may be wandering around, or, as for the rest of us: if there were any looking over the shoulder going on, you might as well sign up for Åndenes Makt.

It's fine to get the choice yourself; BankID is the last party that would know whether hiding or showing is good or not.

Anonymous, 2013-01-31 20:46 +01:00:
If it's broken - don't fix it!

itinsecurity, 2013-01-31 19:43 +01:00:
Pretty much agree, Per. But I wish we had something more tangible to lean on when it comes to usability versus security in masking/entering passwords. Both LukeW and Jacob Nielsen are just guessing about this. We do know that looking over the shoulder is a problem, just ask the card companies. That means that despite its shortcomings, masking actually does serve a purpose in many situations.

The blog post you refer to mentions that some devices actually "break" password masking with the ridiculously large letters that pop up on the screen. And typing something covertly on an iPad is practically impossible in the first place. Here masking often has little effect, and things should have been solved differently. But is it then the masking, or the input method, that is wrong?

I readily make use of the option to type a visible password. But unlike many others, I am aware of whether someone is standing there watching.

Thomas Methlie, 2013-01-11 08:42 +01:00:
Yes, it seems like you can prevent screenshots with a FLAG_SECURE param set in the app. As far as I can tell it's been around since before ICS, but manufacturer implementation has not been the best.

This flag should prevent both the OS screenshot for the history task list and general screenshots.

http://developer.android.com/reference/android/view/Display.html#FLAG_SECURE

However, it doesn't prevent users from taking screenshots with the phone connected to a PC and USB debugging enabled.