Security Nirvana

Kommentar: sikring av iPad

2012-01-24T00:35:00.002+01:00

Hans Petter Nygård-Hansen har skrevet en veldig bra bloggpost med tittelen "11 tips for å jobbe sikkert på din iPad". Jeg vil så absolutt anbefale alle med iPad (eller iPhone for den saks skyld) å lese denne bloggposten. Det er vel verdt det, og den er ikke bare aktuell for de som bruker iPaden sin i jobbsammenheng.

Jeg vil bare gi noen små kommentarer og tips til de som ønsker å gjøre disse anbefalte tiltakene:

Først en kommentar til pkt 3: Krev bruk av passord for å åpne iPad-en
Noe av det som er positivt med iPad & iPhone er at de benytter AES datakryptering som standard. På godt norsk: alle programmer og informasjon på iPad-en din er rimelig godt sikret, men det avhenger allikevel av at du bruker et godt passord. Hans Petter anbefaler bruk av passord med bokstaver og tall.

En liten faktaopplysning:
Det er mulig å "knekke" en 4-sifret PIN kode på maksimalt 1 time på en iPad ved hjelp av spesiell programvare. Det har ingen betydning om du har begrenset antall forsøk eller tilsvarende, alt dette kan forbigås. Med en gang du passerer lengde 6 så begynner vi å snakke svært lang tid.

Et tips er å bruke en lang PIN kode. PIN koden 64604723 blir faktisk passordfrasen "min ipad" når du ser de små bokstavene under tallene på talltastaturet:

(Klikk for å zoome)

Uansett er det viktigste at du finner din egen metode som fungerer for deg, og som gir et-eller-annet passord på minst 6-7 tegns lengde.

--
Som jeg skrev innledningsvis så er det en utrolig god bloggpost skrevet av Hans Petter. Jeg foreslår følgende tillegg:

12. Eierskapsinformasjon på låseskjermen
Slik ser min "låseskjerm" ut:

(Klikk for å zoome)

Selvforklarende antar jeg? Enkel og grei "tyverimerking", dersom jeg glemmer den noe sted. Jeg bare skrev teksten inn i keynote, tok en "screenshot" (trykk strømknappen + hjemknappen samtidig), og satte bildet som bakgrunn på låseskjermen. Dette gjør du under Innstillinger - Lysstyrke og bakgrunn:

(Klikk for å zoome)

Klikk på bakgrunnsblidet som vist over, bla deg frem til det bildet du vil bruke, og velg deretter "Bruk på låst skjerm" som vist under:

(Klikk for å zoome)

13. Fjern tilgang til billedramme fra låseskjermen
Hvem vet - du kan ha bilder på iPad-en som ikke skal være tilgjengelig for alle. Private bilder eller bilder tatt i jobbsammenheng, spiller forsåvidt liten rolle. På låseskjermen er det som standard mulighet for å trykke på et ikon slik at iPad-en begynner å vise bilder fra billedgalleriet. Det vil du unngå, og du gjør det enkelt under Innstillinger - Kodelås, og sørger for at innstillingen står som vist under:

(Klikk for å zoome)

Helt til slutt: dersom du har koblet din iPad opp mot jobben, f.eks. ved at du har e-post, kontakter og kalender synkronisert, så kan det være at IT-avdelingen har satt restriksjoner på enkelte av de valg som her beskrevet. Er det enkelte valg du ikke kommer inn på eller får endret slik du ønsker, så kontakt IT-avdelingen. Det er ikke skrive- eller bildefeil hverken fra meg eller Hans Petter. :-)

Password Change Frequency

2012-01-22T22:06:00.001+01:00

(Picture of Cliff Stoll, linked from Berkeley website)

Professors are nice people. Seriously. They can be a challenge too, as I got to experience firsthand during my 3,5 hour lecture on password security at the NISNET winter school, 22-27 May 2011. Paranoid as I am, I even suspect two of them agreeing into a secret pact to have some fun on my behalf. ;-)

Note: I started writing this blog post in May 2011. Dropped some of my ideas, and have spent another 8 months to think, read and discuss the issues of password change frequencies. Now, at the time of publishing, I still haven't made up my mind. The "simple" question of How often should I change my passwords? isn't all that easy to answer.

First of all, I have the utmost respect for Professor Patrick Bours and Professor Christoph Busch, so no hard feelings in this blog post guys. I'll take this as a challenge, without doubt. ;-)

Here's what happened:
During my lecture, I said that in general I would recommend a password policy to require a minimum password length of 10 characters, and give users a 13 month change frequency as a reasonable tradeoff. I forgot to say that I've asked a lot of people if they would accept that, and almost everyone has considered that to be reasonable.

Somewhere else during my lecture, I showed password statistics based on data from a Windows domain, where LM as well as NTLM hashes were available. Naturally, LM hashes made things easy, so my statistics were based on having cracked 100% of the passwords.

I also said that I had successfully cracked a password of length 32 (or somewhere in that area), based on the NTLM hash and a user who had chosen a passphrase found on wikipedia with 2 digits applied to the end. A simple dictionary-hybrid attack using Cain overnight, using the popular wiki-wordlist by Sébastien Raveau recovered the password.

This is where Professor Christoph Busch raised his hand for some questions:
First question was how long time it took me to crack that length 32 password. I said "I was sleeping at the time, but maybe 8 hours?". His response got stuck in my brain:

"If your window of opportunity to crack a users password like this is - say 4 hours - why do you suggest a change frequency of 13 months, when it probably should be <4 hours?"

.... Being a password geek, waking up in the middle of the night with that question hammering your head is NOT pleasant at all. Damn you Christoph! ;-)

Now lets move to another part of the world, a long time ago during a penetration test, another guy came with some arguments regarding password change frequencies. Lets just call him "anonymous" for now, but he's yet another one of those guys that I really respect in terms of security knowledge. He simply said:

"If my password sufficiently strong in regard of length & complexity and stored with a reasonable hash algorithm, why would I ever need to change my password?"

Oh; and at his organisation at the time, they didn't do mandatory password change for anyone. EVER. In fact, he said that starting mandatory frequent password changes would be over his dead body. He's still alive (...), and now they do frequent password changes. :-) Partially based - I guess - on the fact his Windows password got cracked in minutes.

Now if you spend a couple of minutes thinking about reasons for why you should change one or more of your passwords on something that even resembles some short of frequency (days, months, years) or other reasons, you'll probably come up with quite a few:

(Corporate) policy enforces it - can't convince them into anything else
Some external experts told me/us to do so (insert name/organization/url here....:-))
I don't believe in research.
I haven't opened my eyes.
Oops. Sorry. Got a little carried away there. :-)

No, I'm not going to reveal my stance on this topic quite yet. I need to read that last paper there thoroughly. Twice.

However I would really like to hear your opinion:

How often, if ever, should we change our passwords?

I would be really happy if you reply with references to research, blog posts, articles, papers or anything else that can shed some more light on this subject. Yes, you can link to your own blogs and opinions. :-)

Passwords^12

2012-01-10T23:32:00.001+01:00

(Picture is (C) KluZz - aka my friend/colleague Jan Fredrik Leversund)

I have received many questions about the two first Passwords^XX conferences that I arranged in cooperation with professor Tor Helleseth at the university here in Bergen, Norway. The most frequent question after Passwords^11 in June 2011 is of course "when and where will the next conference be?". So here is some preliminary information from me, as well as a quest for sponsors for doing the conference somewhere in the US as well! :-)

1. FREE, as in FREE
I want the conference to be open for anyone to participate (limited seats though), and FREE to attend. At least as free as possible. No, I'm not interested in making any money of it. Attendees will eventually have to pay for food and their own drinks in the evening of course.

2. ACADEMICAL PERSPECTIVE
I want to learn something, and I sure hope the audience want the same. The best way to do it in my opinion: a mix of people from public, private and academic sectors. Public as police, military, not for profit organisations (ISC)2, ASIS, ISACA etc, private as in commercial companies or single persons, and academics (professors and perhaps PhD's... :-))

3. SPONSORSHIPS
Sure. But I won't give you time to talk during the conference, unless to solve problems without selling your own products. Food, drinks, facilities, pamphlets, parties, whatever. Bring it. What do I need sponsors for? Well, first and foremost to pay travel and accomodation for selected speakers. At Passwords^10 and Passwords^11 we had speakers that came on their own, with no commercial support backing them. Travelling halfway around the world to speak about passwords, they deserve some help getting there. Each of the two previous conferences had budgets <= USD 9000,-, so it's not that much of a big deal I think.

4. CONFERENCE CONTENT
This is, was, and will be a conference focusing on passwords and PIN codes only. Period. No biometrics, 2-factor authentication or any other solutions. Why? Because we won't get rid of passwords or pin codes any time soon. Better make the best of it - I belive a lot can still be done to improve the situation.

5. SPEAKERS
Yes, I will of course do a call for papers. That said, let me give you a few ideas on who I would like to have thee as a speaker, and why (in no particular order):

I would love to have Cormac Herley from Microsoft Research there. He can bring his co-authors as well, I think I could spend a full day without breaks listening to them presenting their published papers. If Frank Stajano has any updates for PICO, or if he has been looking more into security usability, I'd like to hear about it. Oh, and on the topic of security usability, I would like to listen to Markus Jakobsson from PayPal as well. More suggestions for speakers from the academic world is of course most welcome. Oh; and if anybody knows Bruce Schneier: Yes, I'll accept any talk on passwords from him - preferably with the phrase "security theater" somewhere in the headline.

Passware and Elcomsoft scared us all at the previous conferences. I'd like to invite them back again for updates and live demonstrations, eventually also bringing in Oxygen Software to show us forensics of smart phones. (People still get amazed when I talk about iOS forensic toolkit and what kind of information you can get access to, or the firewire attacks from Passware....). Focusing on smart phone/pad security, these guys should be able to give us a fun show to watch - and a few ideas for our next audits of corporate Activesync policies.

We would have to invite back quelrods, or James Nobis if you like. He knows his stuff on rainbowtables. Eventually also Sc00bz and Powerblade from the Freerainbowtables project to present on the latest developments there. That project continues to prove that you need to salt your passwords, period.

As for password crackers, atom would be an obvious speaker, presenting .. anything... about hashcat. In fact I would like to hear lots of stuff about it, and by bringing in Solar Designer from Openwall or some of the hard-core guys from the JtR mailing list on advanced rule creation with JtR/hashcat, we're talking serious stuff. A presentation from Bitweasil at Cryptohaze would of course be of interest as well, while Michail could eventually give us some interesting perspectives from a completely different side of our world. Not to forget we should have Matt Weir (@lakiw) talk a little about NIST SP800-63 and his PhD work. And in the second corner: Norbert Schmitz (@nidshce) from Germany, who have plans on improving the attacks as outlined by Matt in his work.

We should also look at all the statistics we've got, based on the ever-increasing number of leaks found all over the Internet. I presume Martin Bos (@purehate_) and Troy Hunt would have both statistics and opinions to share. :-)

Remembering Howard Smith from Oracle UK, and his suggestion for a panel discussion at Passwords^10 (which we did do, right there and then), if somebody knows a lawyer who can present on the legal side of downloading, cracking, distributing, PIPAL'ing and commenting on leaked passwords - I'd love that.

I would also like to see somebody talk about the usability aspects of passwords and pins. How do we assign them, side-channel transfers of username/pass/url/system name , password resets, service account management, why the annoying asterisks when I type my password (Good article at darkreading here).

Hey; Microsoft could present on "picture password" in Windows 8! (I guess they will still be using NTLM though... *doh!*), while somebody else could talk on PBKDF2, bcrypt and scrypt. Or perhaps Joan Daemen would like to update us on the status of SHA-3?

Last but not least - any chance we could try to work out some "best practices" that we - as "password experts" - can agree on, and pass on to all those who need it?

--
I guess the above would easily cover 2 full days, right? :-)

Comments are most welcome. Feel free to contact me by e-mail for personal inquiries.

Errata for Errata security

2012-01-06T11:04:00.002+01:00

Sorry about the title, best I could come up with late at night.

The blog post Passwords: uniqueness, not complexity from Robert David Graham (@ErrataRob) at Errata Security isn't bad, but it is not all that good either. Based on the recent - should I say ongoing - breach of #stratfor, Robert recommends unique passwords instead of having complex passwords. I would ask "why not both?". Let me explain...

Let us begin with the .. rumor .. that #stratfor got hacked due to lack of proper hardening and system maintenance. No, a blank password is not a bad password, it is evidence of incorrect installation and hardening, and a strong sign of weak computer security audits.

1. Long, complex, case-senstive passwords with multiple characters
That advice in the MSNBC article comes from Morgan Slain, CEO of SplashData. He actually recommend the "use a short sentence" trick, which I've been saying for quite some time already. Actually I say "use a positive sentence, something that you WANT to remember". Passwords are a mandatory pain to most of us, something that users normally doesn't want to remember. Use something that you want to remember.

Robert David Graham says "That's wrong advice", saying that passwords should be unique instead. I'd say Robert is 50% correct. Why not do both long, complex & unique?

With a password manager (LastPass, Keepass, or your selection of similar software), you can create long, complex and unique passwords. Bonus point: you don't need to remember them anymore. Not that password managers are for everyone; mom would most certainly reject the idea of downloading, installing, and learn how to use one for starters. "Give me something that I don't need to learn anything about, just make it work for me".

My password for Facebook is both long & strong! but really not that difficult to remember, right?

2. "...little to lose if hackers guess it."
Except for the embarrassment of course, which in some cases should be seen as part of overall reputation risk. "If person X uses password as his password at hacked site X, who knows how that person will handle & secure confidential data at other places?". Trust is hard to get, but easy to loose.

Another aspect is the eternal discussion of "I've got nothing to hide" (San Diego Law Review, Professor Daniel Solove examines the argument).

3. Three tiers of websites
First; I've got multiple e-mail addresses. Even if you compromised all of them, you would not be able to get access to all my accounts. There are services out there that doesn't (entirely) rely upon e-mail for account verification and passwords resets you know... Although very common of course, and an area of security where many do step into pitfalls.

Second (fact): MANY e-mail providers, including large ISPs, does not support encryption for pop3/imap/smtp communication, so no matter what your e-mail password might be, it is easily sniffed off your network. If you happen to use https to reach your e-mail it gets harder of course, but of course SSL is not broken, and we all trust every CA on the planet, right?

Third: the definition of tiers used. My primary e-mail is not accessed using webmail, I'm part of the old POP3 generation, although encrypted these days. I think the same applies to many others, if not running it off Microsoft Exchange or similar services.

Ranking e-commerce sites like Amazon etc as second on your list is .. weird. I say that from my Norwegian point of view: unless I'm acting as a complete idiot and give away my pin/password or OTP for my online bank on purpose, I WILL GET MY MONEY BACK if hacked. Heck, the technical implementation at my bank even allows me to use my username as my password. Pretty cool, huh?

The important thing you forgot with your tier definition is the sites that carry sensitive information about you as a person. Think privacy laws. At least here in Norway, my salary, my bank statements etc are "secrets", but we have 2 levels of personal information here. Top level: Race, sexual preferences, political view and memberships, religious views and a little more. Lower level: anything that can be used to identify a single citizen of Norway. IP address, phone number, you name it.

Based on those definitions, Facebook keeps more sensitive information about me than my bank. Who should have the better security? (and what does reality look like?)

--

Now this is very important for me to say: I completely agree with you @ErrataRob on your conclusion: "Your first password policy shouldn't be complexity, but uniqueness".

Using sentences you want to remember, I think one would be able to do both uniqueness, and complexity comes from length. (Password entropy calculation on anything up to length 8 is a lost case - length 8 can be rather easily broken, period).

Short comments on #STRATFOR

2012-01-02T15:35:00.000+01:00

Lots of articles popping up on the #stratfor leaks all over the web. Some good, some not that good. Just a few comments from me, until I eventually get the time to do a bigger blog post on the subject.

1. Written policies
Lots of websites has a written password policy. Many of them are just *stupid*, others are better. Very few are what I would call good policies, in terms of both usability and security. Example from the stupid side of password policies: "do not use any word from any wordlist. ever!".

2. Technical implementation
If they have a written policy, there is a rather high probability they haven't implemented it. Some "requirements" just cannot be implemented, try implementing the example above. For English you would have to block words like Pneumonoultramicroscopicsilicovolcanoconiosis from being used as whole or part of a password. More ideas on what to block? Look at wikipedia for long passwords.

3. Choice of password hash algorithm
Many sites still does plaintext storage of passwords. In many cases they are easy to discover (password sent to you be plaintext e-mail), but site owners way too often doesn't care at all. IF they do implement some sort of hash algorithm to protect your password, it will probably be something "default", like MD5 without salting. This happens because the techies installing your shiny new website doesn't think but use default configurations. Nobody told them to do otherwise, they are on a strict budget, with strict deadlines. The damage potential of leaked passwords being reused by their customers at other sites probably never struck their minds at all.

4. Change of password hash algorithm
We have seen leaks where password hashes has been found to be in different formats. This suggests a change of algorithm has occured at some point in time, but little/no action has been carried out in order to move all users passwords from old (weak?) to new (strong?) algorithm.

5. Password change frequency
Directly connected to the change of password hash algorithm, but there are many other aspects to this as well. I'll get back to this in a planned blog post later on.

Summarized:
Read the article "Don't blame users for bad passwords" by Robert Lemos at for Infoworld. Troy Hunt, myself and Cormac Herley with Microsoft research. If the hacker's can't crack your password - so what? They've got everything they need after a complete compromise such as #stratfor. I do not believe that #stratfor will be able to keep the hackers out again. Customers are bound to reuse their passwords, eventually just do a +1 update to their passwords - and so the hackers will gain access to multiple accounts again - at least.

Review: [hiddn] USB Crypto Adapter

2011-12-29T23:08:00.001+01:00

[Picture from www.hiddn.no]

A representative from High Density Devices (HDD) participated at Passwords^10, and after that I've been talking to them from time to time. Especially their marketing manager Tormod Fjellgård has been very forthcoming, and granted me the chance to do a review of 2 of their crypto adapters. This is my first review of their USB crypto adapter, and I've warned Tormod that I just might have some critical comments for them. So here we go:

The adapter comes in a small box, here's a picture of the contents:

[Sorry for blurring the PIN & PUK codes there.. Bad habit. :-)]

Here you can see the crypto adapter itself, USB cable with optional 1xUSB connector for more power, a small paper manual, primary and backup user chip card, a zeroing card and a small piece of paper with PIN, PUK and instructions.

For my testing I used my own Windows 7 x64 system, standard USB 2.0 ports, a Kingston DataTraveler G3 8GB usb stick, and a LaCie 250GB external USB2 disk. 8 files of equal size, for a total of 3GB were copied to the external device, with and without using the crypto adapter.

Now I won't do this review plastered with screenshots of performance numbers from PCmark, Atto or other benchmark tools. I'm interested in the security as well as usability of the product. Although performance is nice, security can sometimes be of preference over performance. :-)

First looks:
Military grade 90's style. Period. It's big, awkward buttons that you need to press rather hard, and certainly takes up space in any modern ultrabook bag. Simple manual, prints on smartcards clearly states their mission, PIN & PUK printed on the same small piece of paper - in the same box - part of the same shipment... Hmmm. Skeptical.

Installation:
Easy. <1 minute, and you are ready to go. Connect, insert smartcard, type PIN and #, wait a few seconds. Insert Kingston G3, and Windows says a new device has been connected, but needs formatting first. Ok, so I did a quick format, finishing in a few seconds. Hm. I would say that in order to "securely" format any device, you should always to a "slow" format. Oh well, the data that will be saved with AES encryption, according to HDD.

Usage:
I actually did try running Atto for disk benchmarking. It worked as expected without the adapter, but with the adapter the entire test crashed, and I had to reformat the G3. Not good - I wonder if it is a problem that can be recreated - say if you actually were to move a lot of small files back and forth and you end up with crash/reformat?

I also tried connecting the LaCie disk, but no luck. Windows didn't see anything, and the disk didn't spin up. Too low power from the crypto adapters USB port? (Yes, I tried with both usb cables connected to my computer for the extra power...)

Performance:

Sorry, but I have to say this... Without the adapter, I get approximately 11,5MB/second write speed, using my 8 files totalling 3GB. With the adapter, write speed is down to approximately 7.6MB/second. Not that much in this setting, but my gut feeling says that the adapter doesn't perform much better with faster devices either? In that case I'm all Truecrypt or Bitlocker, putting my trust into my own passwords.

(Security) Usability:

Where to begin...

1) I can't change the 6-digit PIN or the 16-digit PUK.

I wonder how HDD generate the PINs and PUKs? Separate & isolated environment, true random generator, no people ever get to see the printed codes etc?

2) PIN & PUK printed on the same piece of paper inside the package.

3) Backup card, zeroing card, PIN and PUK "must be kept in a secure place". Uh. Yeah, I can do that. But I still need to bring the user card, and what if I forget my PIN or lose my user card while travelling?

4) Data encryption bound to chip + PIN. Data cannot be accessed by others without them.

5) The chip cards cannot be used for anything else and sticks out - why not just leave it in there permanently? (I've seen cut off chip cards inside card readers many times before)

6) Manual isn't really end-user friendly - unless you are a G33k of course.

The manual says that HDD offers a Key Management System, delivered as a dedicated workstation. I guess that system is just a bit more expensive than the adapter itself, and not something I would purchase for personal use anyway.

Summary:

I can hardly see this USB crypto adapter as part of any standard equipment for anyone travelling around with a laptop. It's just too ... bulky.

It's a "single user" product - but why would I use this at home or at the office for myself, when I have Bitlocker, Truecrypt and other similar technologies at hand? The alternatives offer better performance, multi-factor authentication, and at least (non-certified) compliance with a bunch of standards?

I'm sorry guys. It's a nice idea doing hardware encryption combined with multi-factor authentication, but the wrapping is all wrong. To me this USB adapter is costly, slow & bulky. I can't see how this can give me any better security than other cheaper or even free alternatives available. Go back to square 1 and start over.

Oh; and for the FIPS-140 and Common Criteria / Mordac fans out there - this product is for you. ;-)

Når "anonym" har en arbeidsgiver

2011-12-04T22:10:00.000+01:00

(Screenshot tatt fra www.vg.no)

VG Nett har nylig endret sine regler for å kunne legge inn kommentarer til saker de publiserer. De tillater ikke lengre anononyme innlegg, og forsvarer dette valget gjennom plakaten som vist over. En god kollega av meg, som ønsker å forbli anonym, stilte meg et spørsmål i dag som ga meg grunnlag for å kommentere denne endringen hos VG. Det gjelder nok også en rekke andre medier, så bloggposten er ment å være generell i så måte.

Først av alt vil jeg påstå at jeg har brukt Internett såpass lenge at jeg for lengst har sluttet å tro at jeg kan være anonym på Internett. Graden av anonymitet kan alltids diskuteres, men dersom noen vil spore meg og mine aktiviteter, så lar det seg gjøre i de fleste tilfeller.

Spørsmålet jeg fikk fra min kollega var hvorvidt bedrifter flest hadde noen policy eller prinsipiell holdning til at ansatte, på jobb eller på egen fritid kommenterer saker hos VG gjennom bruk av sin Facebook profil. Den initielle tanken er jo selvfølgelig at i vårt frie og demokratiske Norge så skal ikke arbeidsgiver legge seg opp i dine private meninger eller ytringer. Ei heller skal arbeidsgiver nekte deg å gjøre dette selv i arbeidstiden, så lenge du gjør jobben din.

Min kollega kom ikke bare med sitt spørsmål, men også med et skjermbilde fra VGs nettsider. Jeg vil ikke bruke enkeltstående eksempler her, så bildet vil jeg ikke gjengi her. Hele poenget fra min kollega var at en rekke kommentarer inneholder navn og profilbilde fra Facebook, samt arbeidsgivers navn. Slike kommentarer finnes på mange saker, fra musikkanmeldelser til alvorlige straffesaker.

Nå er ikke farlige eller ulovlige ytringer på Internett noen ny oppdagelse. Har man levd noen år i vårt digitale samfunn så vet man også at ankomsten av SMS her til lands gjorde sitt til statistikken hos politiet for sjikane og trusselsaker.

Den interessante konsekvensen av VGs endring er at arbeidsgiverne blir synlige. Veldig synlige faktisk. Et kjapt søk via Google mot VG avslører mange sinte mennesker med harde utsagn, ferdig innlagt med arbeidsgivers navn klistret på. Tidsstemplingen sier sitt i forhold til hvor innlegget ble skrevet også - etter all sannsynlighet i arbeidstiden.

Nå er det ikke slik at arbeidsgivere skal stilles til ansvar for hva deres ansatte skriver på Internett. Overhodet ikke. Problemet er bare at det er det som skjer. Mer enn en gang har jeg opplevd tilfeller hvor arbeidsgivere blir kontaktet, med spørsmål om de er klar over hva ansatt X hos dem faktisk skriver. Akkurat den typen henvendelser kommer som oftest overraskende på arbeidsgiver, og kan medføre både unødvendig og overilte reaksjoner. Jeg mener at NSR nylig uttalte at de bare venter på den første oppsigelsessaken som skyldes en ansatts uvettige bruk av sosiale kanaler.

Jeg antar jo her at langt de fleste av oss har oppgitt hvor de jobber, og gjerne også hvor de har jobbet tidligere:

Når det gjelder VG, så er jeg rimelig sikker på at deres endring vekk fra anonyme kommentarer skyldes et svært enkelt fakta: økonomi. Mengden irrelevante kommentarer på Internett er overveldende. Legger man til hatefulle, rasistiske og alle andre typer truende kommentarer, så blir det enda verre. Ved å tillate anonyme kommentarer blir det et enormt arbeid å moderere dem - redaktørene må jo ta et visst ansvar for hva som publiseres på deres nettsider.

Ved å koble kommentarer mot brukerprofiler på Facebook får man frem navn, profilbilde og f.eks. arbeidsgiver tilknyttet kommentarene som legges inn. Uten tvil en bevisst handling fra VG for å nyttiggjøre seg Internettets iboende evne til å regulere seg selv - og jeg vil tro at VG håper på at dette vil redusere deres behov for å moderere innlegg. Mange vil nok holde litt tilbake på de aller verste ytringene når man tvinges til å stå frem i lyset med navn og annen informasjon om seg selv.

Til alle arbeidsgivere som har en policy rundt sosiale medier - jeg tror kampen er tapt. Dine ansatte vil ytre seg i åpne rom, og det de sier vil bli koblet mot deg og din virksomhet. Det er lite til ingenting du kan gjøre for å stanse det. Da blir mitt avsluttende spørsmål: hva gjør vi nå?

I'm not dead...

2011-11-30T23:37:00.001+01:00

As you can probably see from my Twitter feed. I'm just drowning in work as a security consultant at the moment. My head is full with blog posts that I have to get out soon... For the password stuff, which still is my primary focus here, I'm pretty close to start releasing some never seen before statistics. In close cooperation with my friend and colleague Jan Fredrik (@KluZz). Keep watching this space!

Hotel TV Infochannel Security

2011-11-14T21:26:00.001+01:00

[A rather static show at the hotel tv infochannel...]

Life as a security advisor, or just consultant if you prefer, can be very interesting. Working with a large variety of clients, tasks and situations is challenging, exactly the way I like it! To me it also includes going to other cities here in Norway, at the moment I'm at yet another hotel in Stavanger, Norway.

During the past couple of weeks I've got a renewed interested in hotel television systems. No, not that kind of activity that you may have heard of, or seen demonstrated by Major Malfunction in Las Vegas many years ago. I'm just curious about the risk analysis - if any - performed by the hotels, finding it acceptable to put their infochannel systems directly onto the Internet?

The picture on top of this blog post was taken from Comfort Hotel Stavanger on Nov 10, 2011. Obviously, this system is connected to the Internet, running Windows 7, Adobe Flash, Logmein, Smartsign Player 7 and some HP support software on an HP system. No presentation were running in the background, with HP, Adobe Flash and Windows *begging* for security updates to be installed and reboot the system in order to reboot. Please also note that there doesn't seem to be any antivirus software running, at least from the series of icons present in the lower right. Even my mother knows by now that's a stupid thing to do.

Moving forward to where I'm right now (Nov 14, 2011); at Park Inn Hotel (by Radisson) Stavanger. Came into the reception, and was pleasantly surprised to get a room almost at the top. "One of the refurbished rooms of this autumn" I was told. Excellent.

Got to my room, turned on the lights, and... WOW:

[Deluxe Philips/Otrum Retro Design 20" CRT television!]

Yeah, well, at least there's the parquet floors, as promised in the reception. Time to watch the news, turning the thing on usually gets you right to the hotel infochannel at channel #1:

Windows XP at VERY low resolution, and nagging about it. More interesting? Norman Antivirus is running, but complaining about missing updates. There's also a VNC icon there... Hm.... Oh, and a License Wizard wants to say something as well. Fabulous!

Or perhaps I should just a post a picture taken with my Samsung Galaxy S2, to summarize everything with their own words:

["The essence of a great hotel experience". Love it!]

I'm pretty sure there doesn't exist any risk analysis at these hotels whatsoever, concerning the installation, configuration and maintenance of these infochannel systems. Furthermore I fully believe that they have never even considered the reputation consequences of pr0n rolling over their infochannel, in the middle of conservative country here in Stavanger. As far as I can remember, people didn't complain after Major Malfunction displayed "pr0n wants to be free!" on all room tvs at his hotel in Vegas many years ago.
--
As we like to say here in Norway; any media coverage is good coverage?

Kjære kunde / Dear Customer

2011-11-10T20:51:00.000+01:00

This one is for @Questback, as a reply after the last couple of tweets between myself (@thorsheim), and @HopeMears, partially also @Ronnie_Ostgaard. Both have been most helpful in replying to my blog posts and tweets, and I hope this will be my last blog post regarding our "controversies". :-)

Kjære kunde,

Dette er for å informere deg om at Questback den xx.yy.zz vil gjøre en forbedring av sikkerheten for alle eksisterende avtaler. Dette brevet inneholder viktig informasjon til deg som kunde, og gir deg muligheten til å stanse denne endringen dersom den ikke er ønskelig. Merk at endringen er kostnadsfri for deg som kunde.

Questback har innført bruk av HTTPS som standard for våre undersøkelser. Dette betyr at alle undersøkelser blir utført av sluttbruker via en kryptert forbindelse, som også er standard for bruk ved sikker innlogging og elektronisk betaling på Internett.

Dette gir økt sikkerhet både for sluttbruker og for deg som kunde, da det reduserer sannsynligheten for uautorisert avlytting eller manipulering av undersøkelser. Det gir økt personvern, og vi har også indikasjoner på at dette bidrar til å øke svarprosenten i gjennomføringen av undersøkelser.

I praksis vil sluttbrukere nå få en link som begynner med HTTPS, istedenfor tidligere HTTP. Dette medfører ingen endring i brukervennlighet eller prosedyre for å gjennomføre undersøkelser på noen måte.

Dersom du skulle ha spørsmål om denne endringen så kan du ta kontakt med navn1, navn2 eller navn3. Vi ser frem til et fortsatt godt og trygt samarbeid om markedets sikreste løsning for spørreundersøkelser.

--
Dear customer,
... argh. use Google translate. It's just marketing talk in Norwegian.

-----

For @Ronnie_Ostgaard and @HopeMears at @Questback:
Thank you for your replies and follow-ups. My employer is a paying customer, at least for easyresearch. I don't get the periodically news & tips e-mails from you, so I don't know if you have put out the recommend info on turning on HTTPS (SSL encryption) in your latest info. Although a good idea, I do not believe all recipients will read, understand or implement your suggestions given there.

That's why I wrote the above for you, to make it *dead simple* to make a marketing pitch out of improving your default security for agreements already running. I hope and believe that you can easily script something that will turn on HTTPS for all existing agreements, and with the above electronic letter, you really shouldn't run into much negative feedback either.

Do this, and I promise I won't bother you anymore - until I find something else to complain about. ;-)

Adgangskort og PIN koder

2011-10-21T11:57:00.001+02:00

[PINs på Post-it. Er det noe problem?]

Denne bloggposten skrives etter veldig mange års frustrasjon med fysisk adgangskontroll. Bildet over bør være god nok forklaring på min frustrasjon, det er Post-it lapper jeg har fått utlevert sammen med ulike typer adgangskort, både magnetstripe og RFID baserte kort. Med et ønske om å bidra med "enkle sikkerhetstips i hverdagen", så har jeg noen spørsmål og tips rundt slike løsninger for adgangskontroll.

Jeg tror på forenkling av sikkerhet. Forstå meg rett; jeg vil forenkle sikkerheten, slik at det blir enklere for oss alle å overholde faktiske sikkerhetskrav. På den måten tror jeg at sikkerheten vil forbedres.

Jeg har hatt denne bloggposten i hodet i mange år, og dagens lille "æddabædda" nyhet om sikkert.no, som rapportert i Teknisk Ukeblad, fikk meg til å skrive litt. Denne nyheten om sikkert.no i seg selv fortjener gjentakelsen av noen enkle anbefalinger:

1. Still skriftlige sikkerhetskrav til leverandøren din, inkludert din rett til å foreta kontroller.
2. Kontroller at krav er oppfylt FØR løsninger settes i produksjon.
3. Kontroller selv, eller via tredjepart, at leverandøren overholder kravene jevnlig.

Uansett, tilbake til adgangskontrollen. Det jeg har opplevd utallige ganger, er blant annet følgende:

1. Adgangskort utleveres sammen med 4-sifret PIN kode på en lapp
Det gjelder både ved utlevering av vanlige adgangskort, samt besøkskort av ymse slag. I enda verre tilfeller, så er PIN kodet faktisk trykket på kortet, eller klistret på, slik dette bildet viser:

[Adgangskort fra et hotell i Norge. Her har du ALT du trenger...]

2. Jeg blir sjelden - nesten aldri - spurt om å velge PIN selv

Det kan jo forsåvidt være fornuftig, tenk på koden du får tilsendt i posten (...), til VISA kortet og de øvrige kredittkortene du har. Hadde nå bare disse resepsjonistene og vekterne delt ut tilfeldige PIN koder i lukket konvolutt eller noe slikt, men du får nok 1234, 0000 eller 2011 tildelt som din PIN kode.

3. Får jeg velge selv, så må jeg skrive ønsket kode på en lapp og gi den til adgangskontrollen
At sikkerhetspolicy i stort sett alt av selskaper og organisasjoner sier at du aldri skal oppgi ditt passord eller PIN kode til andre virker å være totalt neglisjert i enhver resepsjon og vekterfirma.

Kunne de ikke bare hatt en ekstern keypad på resepsjonsdisken?

4. På spørsmål om hvor mange forsøk jeg har før kortet sperres, så er svaret "Æhhh...."
Sannheten er at jeg aldri har opplevd noe sted som har en max begrensning på antall forsøk. Selv jeg, som feilet i matte valgfag i tredje på videregående, vet at det er 10,000 kombinasjoner å prøve. Med 5 sekunder pr PIN, mat & pissepause, så har du testet dem før det er gått 15 timer. Fin helgeaktivitet med andre ord.

På passordsiden opererer man normalt med max antall forsøk før konto blir sperret i N sekunder/minutter/timer, om ikke permanent til kontoen blir åpnet igjen manuelt. Ikke bare det, men for store nettsteder på Internett har man også for lengst innført rate limiting, dvs en eskalerende tidsforsinkelse mellom hvert feilede forsøk. Dette gir en mer fornuftig og ikke minst mer kostnadseffektiv håndtering av eksterne passordangrep, og reduserer behovet for 24x7 helpdesk som kan åpne kontoer manuelt og så videre.

5. Ved glemt PIN kode, så får jeg utlevert min kode på lapp eller muntlig
Gå direkte videre til pkt 6:

6. Kan resepsjonist/vekter se min PIN kode?
JA. Helt spesifikt har jeg utallige ganger sett at løsninger fra Securitas for fysisk adgangskontroll enten viser PIN kode på skjerm direkte, eller maskert (****). Imidlertid har lokal operatør selv mulighet til å fjerne denne maskeringen. Det er ikke meningen å "henge ut" Securitas mer enn noen andre, men nå er det engang sånn at det er de jeg har absolutt førstehåndskjennskap til. Hva har du å tilby @tabalizer? :-)

7. Tvunget/regelmessig skifte av PIN kode på adgangskort?
PIN er passord. Passord skal skiftes regelmessig. Passord skal skiftes umiddelbart etter at du har fått nytt (glemt passord), eller første gang du får tildelt en konto. Skjer tilsvarende for adgangskort? Gjett EN gang.

At man ikke vil skifte PIN regelmessig på adgangskort kan jeg ha forståelse for. Det ville gjort hverdagen enda vanskeligere for oss alle. Imidlertid sliter jeg med å se at kompenserende tiltak er på plass for å tillate oss denne luksusen, jfr punktene over, og og jeg har enda ikke sett en skriflig risikoanalyse eller aksept for avvik i adgangskontrollen i forhold til gjeldende sikkerhetspolicy.

8. "...adgangskort skal bæres synlig..."

Kravet finnes i nesten alle sikkerhetspolicyer i det vidstrakte land. Men... øh....:

[Bruker og adgangskort. Ser du likheten?]

Sannheten er at policykravet eksisterer de fleste steder, samtidig som noen med økonomisk forståelse har funnet ut at dersom man dropper store adgangskort med fargetrykk og istedenfor bruker RFID brikker, så blir kostnadene lavere. Evne til å se forbi nesetippen ser også ut til å reduseres kraftig, men det er ofte irrelevant for kvartals- og årsbudsjettet. De som er ansvarlige for valg av adgangskontrollsystemer bør blafre seg gjennom de nyeste bøkene til Kevin Mitnick før de tar flere beslutninger.

En liten utfordring til NSM, NorSIS og leverandører av adgangskontrollsystemer og resepsjons/vektertjenester her i landet:
Hører gjerne fra dere i forhold til kost/nytte og risikoanalyser foretatt, som forsvarer ett eller flere av de punkter som beskrevet over. Jeg har ikke sett noe slikt foreløpig.

Så helt til slutt, siden det er fredag og man gjerne spøker litt før man tar helg: la oss returnere til bildet av Post-it lappene på toppen av bloggposten her.

3M har lansert "Post-it Popnotes" som gratis app for iPhone og iPad, kommer også for Android og Windows Phone. Foreløpig bare i USA, men appen kommer nok hit også. Ta en kikk på beskrivelsen; du kan lage "Post-it" lapper med geotagging, og gjøre dem offentlig tilgjengelig slik at du kan få frem alle "lapper" postet innen en radius på 500 yards, altså ca 450 meter. Skal vi poste en lapp på hvert sted hvor ovenstående punkter blir observert, og se hvordan Norgeskartet blir seende ut etter en måned eller to?

Ha en riktig god helg!

More STARTTLS support!

2011-10-18T23:02:00.001+02:00


RFC 3207:


SMTP Service Extension for


Secure SMTP over Transport Layer Security

In a previous blog post entitled "STARTTLS support in Hotmail/Gmail", I requested these services to implement support for RFC 3207, in order to use automatic and transparent security at the "back side" of their services, when available. I doubt I'm the reason here, but Google now has support in place! (Hooray!)

The blog post referred to here also has a link to the survey conducted by my friend and colleague Jan Fredrik Leversund (@KluZz) and myself, regarding the use of STARTTLS across mailservers on the Internet. You can still find it here, although still only in Norwegian...

Proof #1: sending an e-mail from my work account to my Gmail account, then looking at the e-mail header of the mail received at Gmail:

Received: from Mail17.edb.com (mail17.edb.com. [212.18.128.233])

        by mx.google.com with ESMTPS id r11si2077637bkd.114.2011.10.18.12.26.22
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 18 Oct 2011 12:26:22 -0700 (PDT)

Proof #2: Replying from Gmail back to my work account:

Received: from mail-ww0-f44.google.com ([74.125.82.44])  by Mail34.edb.com
 with ESMTP/TLS/RC4-SHA; 18 Oct 2011 21:29:53 +0200

*NICE*. Thanks Google!

-------------------

Going further back in time, I've also pointed a finger at ISACA and Lyris Inc, recommending them to improve their security. I am now happy to see that ISACA and Lyris now supports the STARTTLS command through SMTP connections, which is proof of RFC 3207 support. While I was at it, I checked (ISC)2 and ASIS as well.Yup, they've got STARTTLS available as well. As a member of ISACA, (ISC2)2 and ASIS, this makes me a little bit happier. Do as you preach.

Oh... and Microsoft, with their Hotmail service? Still no support for RFC 3207. Come on guys!

-------------------

And now for Ivan Ristic at Qualys (SSLlabs); I've e-mailed you, look forward to any positive news you might have! :-)

Facebook password history...

2011-10-14T10:45:00.000+02:00

"Unfortunately you have provided an old password. Your password was last changed yesterday at 07:52. If you don't remember making this change, please click here".

First thought: WTF does Facebook tell me this????

Second thought: Good, they seem to have some password history going on. Got to test that later on, by trying to change back to my old password. I guess they don't block that quite yet.

Third thought: This is good from a usability perspective. They've got quite a few users (...), this will make it easier for them to actually change their passwords whenever they feel the need to do so, and handle it afterwards.

Fourth thought: A bruteforce attack against known logins will eventually succeed, but it may also reveal one or more previously used passwords, enabling several methods of pattern-based password analysis to improve the chances of an attacker figuring out the correct password faster and with less attempts then from a blind start.

Not good.

Any opinions?

En ROSA bloggpost!

2011-10-11T21:51:00.002+02:00

[Bilde fra WahWah brosjyre]

Jeg er gammeldags. Jeg har passert 40. Jeg har en tåpelig tendens til å ta i mot utfordringer fra jenter. Kristin er en av dem. Utfordringen kom for noen måneder siden; hun utfordret meg til å skrive et blogginnlegg om mote & skjønnhet og sånn. Jeg svarte at det var liksom ikke helt min greie, men dersom jeg gjorde det så måtte hun kvittere med en bloggpost om sikkerhet & sånn. Jeg gleder meg allerede! ;-)

Så jeg ble altså 40 år den 10 september. Stor fest, og mye morro på selve dagen. Kortversjonen oppsummeres slik, uten å nevne noen navn.. :-)

[Happy birthday to me!]

Som vanlig hadde jeg forsøkt å gi noen hint om at elektronikk alltid står på ønskelisten. Tradisjonen tro er det nok noe av det siste familien vil gi meg, de vet hvordan jeg prioriterer penger uansett. Om et rykte har spredd seg vites ei, men det dukket opp blant annet følgende i en fantastisk bunke med gaver:

[Gavekort fra WahWah]

Noen mente nok at jeg kunne ha godt av det, og sant skal sies; kvinner til stede på festen sukket mer enn en gang da de hørte de magiske ordene "Gavekort fra WahWah!". Mulig de fikk samme følelsen som jeg får når noen sier "OCZ Revodrive 3 X2" til meg altså. :-D

Første gavekort var på en "007" ansiktsbehandling. Resultatet:

[Et tryne så glatt at det var nesten litt nifst...]

Anyways; vi går fremover til dagen i dag, dvs tirsdag 11 oktober. Tid for ryggmassasje klokken 09:15. En litt roligere morgen enn normalt, og en glimrende mulighet til å stikke innom Augustins Kaffelade først:

[Kaffelade har muligens byens beste kaffe. Lite og rolig sted...]

Her kan sette seg ved vinduet, og se på folk som stresser til jobb i regnværet i Bergen:

Mens man nyter en deilig kaffe mocca:

Før man stiller til massasjetime hos Caroline hos WahWah. En utrolig hyggelig - og FLINK - dame. "Hu kjeme i frå Etne" - og når man selv kommer fra Tysvær så finner man tonen gjennom dialekten. Flirte litt av Bergensernes bruk av "ansikt", når man selv bare er vant til å si "tryne". :-)

[Caroline hos WahWah. Hyggelig og flink ung dame!]

Jeg skal tilstå at jeg har vært hos WahWah 2 ganger tidligere, også da etter å ha fått gavekort. Sovnet begge gangene, og i så måte fristet til å si at det føltes rart å betale såpass med penger for å få sove 40 minutter med litt "plinkiplonk" musikk i bakgrunnen. Sånn ble det ikke denne gangen!

Caroline ser og høres ut som den snille unge damen, men hun har avslørt både en fortid i forsvaret, guttejente holdninger og bilinteresse. Et uheldig latterutbrudd i forbindelse med "gakkgakk" uniform, og jeg er litt usikker på om et velplassert tommelpress forkortet livet med noen år der og da. Det føltes ihvertfall slik. :-)

Uansett, for å avslutte den kanskje mest meningsløse bloggposten jeg noen gang har skrevet på min egen blogg, så var Caroline så hyggelig at hun "dekorerte" litt med varme steiner og foreviget bildet av en oljesmurt & bleikfeit 40-åring på massasjebenken. God fornøyelse! :-)

[.... og de steinene der var .... VARME! :-)]

Comments on tablet/smartphone security

2011-09-28T12:54:00.001+02:00

My friends - and competitors - at www.watchcom.no - has published a report on tablet security (Warning: Norwegian!), evaluating 3 different tablets. Conclusion? iPad2 as the winner with the best out-of-the-box security features. While I do agree on the conclusion, Norwegian media has given this report a lot of coverage that I need to comment on. "Out-of-the-box" security, or default security parameters, are *rarely* to be considered "good enough" in most cases.

Watchcom did an analysis of iPad2 (iOS 4.3.5), Acer Iconia Tab A500 (Android 3.0.1) and the BlackBerry PlayBook (OS 1.0.7), looking at security features such as:

Security

Authentication
Encryption & communication
Blocking various features
Secure sync of critical applications

Administration

Administration and policy

Application security

Application security
Security extensions

Security evaluations and certifications

I think their PDF files with evaluation criteria and point scale system (1-3) should be fairly easy to understand, even when written in Norwegian.

As for my comments; I am both surprised of the media not asking any obvious and critical questions to this evaluation, as well as Watchcom seemingly not saying anything about the limitations surrounding their evaluation.

A few comments from me, that organisations should consider before making their decision & purchase:

1. iPad (iOS) security

Using the Elcomsoft iOS Forensic Toolkit, any 4-digit PIN on an iPad (or iPhone) can be bruteforced within <1 hour. Default security parameters in iOS and Microsoft Activesync requires a 4-digit PIN, while there are options available for requiring longer PINs and/or complex passwords.

While a 4-digit PIN will protect your data from the casual prying eyes (random theft/loss of your device), an organized and targeted attack will most likely succeed with a rather low cost compared to the data possibly stored on the device. I'll leave it to you to do the risk analysis including the value of your on-device stored data such as MS Exchange calendar including telephone conference numbers and codes, meeting attachments (word, excel, powerpoint, pdf files) and more.

With Apple and iOS so obviously in the lead above all else, there's no doubt they will draw even more attention to their security - or lack of it - in the very near future. From my perspective they really don't have that much of a reputation so far on discussing, disclosing and admitting security bugs and weaknesses found. Usually not a good sign to me, but I won't to the full open vs responsible vs closed disclosure discussion here.

2. Remote device management security

Remote wipe, as well as a wide range of other security features will actually require the tablet to connect to a wlan or gsm/3g connection in order to "phone home" and receive instructions such as "the device has been lost or stolen. Please wipe the entire contents of the device and set it back to its factory default".

While a GSM/3G jammer is illegal to operate here in Norway, it can still be obtained for pocket money from other countries. This will effectively block such communication, prohibiting any remote wipe command to ever reach the device. All this of course, in cases where the attacker can't simply remove the SIM card from the device of course. :-)

A simple "faraday cage" will additionally block any wlan connections, easily allowing an attacker to gain more time to successfully break the security of the device in order to gain information access. Evaluating your employees ability to actually report lost or stolen devices will be of high importance, as the timeframe needed for a successful compromise of your device could be as little as <= 1 hour. (This is something I will blog and talk about more in the near future.)

3. The gaping password hole left by Microsoft Activesync

Yes, I know I am a fanatic on passwords. I took the red pill a long time ago on this, and it keeps expanding. When you configure Activesync on your smartphone or tablet, the default configuration is to use a SSL (https) connection to a website providing Outlook Web Access (OWA). Default login here is username and password from the internal Active Directory, with password policy being whatever you have configured in your domain. Again; the default is nowhere good enough in this situation as well.

While many discussions have been raised on the security of the sync & storage of activesync data (contacts, calendar, mail), I haven't seem much talk regarding that fact of such a configuration opening up 1-factor password guessing (or pure bruteforcing) against OWA. As I have said before, like many others like me that are "excessively" interested in passwords, allowing for 1-factor access to internal systems from the Internet is generally not a good idea any longer. In fact, many security policies of large organisations disallow it.

From an attackers perspective; why waste time tracking down your CEO in order to steal or "borrow" his or hers tablet for a few hours, when finding the username and guessing the password of the CEO directly towards https://webmail.some.domain can be even faster and easier?

(Yes Watchcom, I already know that you provide solutions for VPN access and 2-factor authentication to secure this stuff. I have yet to see any evidence of acceptable usability on this :-) )

4. Android vs Android security

Watchcom has tested the Acer Iconia Tab A500 with Android 3.0.1. Fair enough.

I've got a Samsung Galaxy S II smartphone, featuring on-device hardware encryption of both internal storage as well as my inserted memory card. According to Samsung's commercial, it supports more Activesync policies than any other product on the market (or something like that). Working on verifying that, but at least it seems to be working. The same applies to the Galaxy Tab tablets, as well as other tablets now available in the stores.

I would say that Watchcom should consider updating their report ASAP with at least one or more Android based tablets from other vendors, say Samsung and the Lenovo Thinkpad, where the Thinkpad is specifically targeted at corporate business use.

As for the media: did you ask anyone to comment or question the findings from Watchcom? I'd sure as h**l appreciate it if you continue doing that every time you quote me on anything, thank you. :-)

Cryptohaze GPU Rainbow Cracker - test 1

2011-08-22T21:59:00.002+02:00

Well, not exactly my very first test, but my first blog post about Bitweasil's sweet little piece of software, which can be found at his site cryptohaze.com. First of all: it seems *FAST*. Second: MUCH needs to be done, which is the reason for this short little blog post. I'll start out with just a single request: HEX display of all found passwords, in addition to the standard display on screen. Here's what I did:

Using the hash generator at insidepro.com, I created 2 NTLM hashes, one for Passord, and one for Passor (a single space character replacement - ASCII Hex20 - for the letter d at the end there).

Passord : 72892f1b58f8708c3f07639f6c08daea
Passor : 42ae7b3af2c5c22514b89355dfa8b3be

Using GRTCrack.exe -h NTLM -s (hashvalue) GRT-NTLM-len7-fullcharset-perfect\*.grt --threads 512 --blocks 512 -m 500, my GTX580 goes to 99%. Tables are stored on a 2x1TB soft striped array on SATA, i7 cpu, 24GB memory and W7x64.

Passord is found in the second table, while Passor is found in the first table after a few seconds. Here are screenshots of the output:

GRTCrack output for Passord)

GRTCrack output for Passor )

As you can see: 2 different passwords, different hash values, but you can't trust the output in case of HEX20 padding at the end. One out of several tricks I've told some of those with an genuine interest in blocking me from cracking their passwords in "the early days". (You are not alone; Cain from www.oxid.it doesn't show any hex values either, and that's just one example.)

Chances are rather slim for finding a Windows domain controller with LM disabled and no LM hashes available. Add to that one or more users "padding" their password with one or more HEX20's at the end up to and including length 7, and charset limited within full US ASCII (or 8, with the Terabyte NTLM tableset that Bitweasil offers to ship to you for USD 500,-)... Well, not many does that.

However; I NEED to see the HEX output of the passwords as well Bitweasil! :-)
Even better: As soon as the password is found, calculate its hash value and compare it to the original input value - for added confidence in the results. Allow me to output the results to a TAB separated file (optional parameter?), making it easier to work with the results when users have used those darn ::::: colons in their passwords - for the fun of seeing me get angry. :-)

New comments for older posts

2011-08-17T14:44:00.000+02:00

Quick note to say that Erik Brännström has added an interesting comment to the "Never Trust Password Meters" blog post, while "Anonymous" (No, not those guys, but a PhD in Vein biometrics) has added comments to the "About Biometrics.." post. Both worth reading.

xkcd 936 - the discussion continues

2011-08-16T23:51:00.001+02:00

WOW. That was my immediate thought (We use wow in Norwegian as well) when I saw xkcd 936. WOW. That is pretty close to exactly what I've been trying to tell people for the last 10+ years, while researching passwords. Hat off, kudos and whatnot to Randall Munroe for this one! Now for some of the discussions in the wake of 936....

1. Password Entropy
Stop using mathematical entropy to measure the strength of passwords! You are most probably doing it wrong anyway. I'll be the first to say that I *suck* in math (WolframAlpha to the rescue!), so for starters on entropy I would suggest you to read Matt Weir's blog at reusablesec.blogspot.com, and his paper Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords (Weir, Aggarwal, Collins, Stern). NIST SP800-63 says something about password strength through resistance to online cracking, and to quote from his blog:

"Our findings were that the NIST model of password entropy does not match up with real world password usage or password cracking attacks."

Now, I could poke Matt with saying that their analysis were done towards revealed passwords in the form of leaks from sites like Rockyou etc. Having cracked almost nothing else than passwords from Microsoft Windows systems of real corporations and organisations for 10+ years, I think I've got evidence enough to say that "my" passwords are better in almost any measurement compared to the Rockyou, Hotmail lists and more. (Matt; what about applying your metrics to my data? ;-))

2. Never Trust Password Meters
This link will take you to an earlier blog post from me, and then back to the first one, based on an infographic that Mikko Hypponen made a tweet about. I hope and believe those 2 blog posts will widen your horizon in regard to password meters, password entropy and more.

3. xkcd 936 - related websites
Sure, they appeared very fast. simplestrongpasswordgenerator and passphra.se are just 2 examples that I've seen. Unfortunately they will fail in many situations, especially corporate environments. Simplestrongpasswordgenerator gave me this: widelyorderprivateestablished. Huh? Am I supposed to remember that?
Here's a good place to quote Troy Hunt and his blog post on the subject: "I'm sorry, but were you actually trying to remember your comical passwords?". Although I do not agree on everything he writes, he sure does have many good points in his blog post.

Although difficult sometimes, we should remember the difference between protecting our personal accounts, and (personal) accounts at corporations and organisations where a security breach can have a much wider impact than that of your own privacy.

4. Mixing it all
Mikko Hypponen really do impress me. Never met him, but his information, in any channel, is precise, short and informative. He also does a terrific job with his tweets, including all the retweets from others. And suddenly today, he retweeted this image from @ly_gs. Right back at the entropy calculations :-)

Melvin; We have 29 characters in our Norwegian alphabet, make your infographic with various charsets and/or languages applied. :-)

Phadej and davienthemoose followed up (among others) with some objections. Lets take a look:

Phadej posted this feedback:
We actually need more words, as entropy of the words is less than characters. Suppose there is about 50000 words (There is 301 000 main entries in OED). Than 50000^x > 94^13 => x => 5.5
So i would say that "balloons are very nice" < "@$XsBv2JMc473"
Also entropy of word like "are" is almost zero, so predictable. And xkcd strip actually kind of takes this into account. I will stick with pronounceable/memorizable passwords like pwgen kindly generates for me.

WolframAlpha says there are 600,000 words in the Oxford English Dictionary, 2nd edition. Lets take a shot at WolframAlpha: 600000^4 (4 simple words) = 129600000000000000000000 combinations. No offence, but I REALLY think we should drop this blind entropy discussion for measuring password strength.

Davienthemoose tweeted "until you use a dictionary set for cracking by word to break passphrases. Then each word becomes a char of 1".

Nice idea. After the CrackMeIfYouCan competition at this years Defcon, somebody said something like "we are now actually able to crack '4 simple word passphrases' (Can't remember exactly who, where and when, sorry!). Sure we/they can! On the other hand; being able to so is closer to blind luck, IMHO. Why? Well, back to the entropy, corporate password policies and just plain common language.

We've said password for decades, and we've tried to convert people to use 'passphrases' instead. Is widelyorderprivateestablished a good passphrase? Not in my opinion. Maybe the sentence "I live in New York, USA." (without the quotes) could be better? At least it should be easy to remember for quite a few people over there.

No, do NOT look at the contents of the password and say "Duh! DORK!". You have absolutely no idea what the password is before you actually crack it. See "Please crack my password" below.

Davienthemoose: Nice idea, and you should talk to some of the hardcore John the Ripper (JtR) guys to learn more. From my point of view: we're right back at the entropy stuff again, SP800-63, and much more. Please go back to Matt Weirs paper. :-)

I'll leave it for the evening right here, it's 23:47 and I've got to sleep. again. Just this last one, just for the fun of it:

5. Please Crack My Password
Please crack my NTLM hash: DD1E31A5C1709A9CF54893B89E24CA09
It is 4 words, and it complies with probably most (reasonable) common corporate password policies. It is very personally related to me, making it easy to remember. Good luck, you've got 14 days.
I'll donate some money to freerainbowtables.com or any other password related open-source project of your liking through PayPal, if you can crack my ... password/phrase/sentence above. I'd really appreciate an explanation on how you did it, and of course you can mock me for a LONG time afterwards.

Webmercs Password Security

2011-08-12T14:03:00.001+02:00

Vacation is over, time to take a look at the password security of another online webshop software solution. This time named Webmercs, from a Norwegian company named Data Design. I got triggered to do this blog post after visiting www.avshop.no, where I am a registered customer. Lets take a look at Webmercs...

On July 4, 2011, I released a blog post (in Norwegian) about password security in a software solution for logistics and online sales from a Norwegian company named MultiCase. Their solution sent passwords by unencrypted e-mail, and either stored passwords in plaintext or using reversible encryption. Their response came quickly, time will show if, and how they follow up.

Webmercs seems to be a hosted solution, lots of domains link to secure.webmercs.com. Running that site through ssllabs gives us unsatisfactory results: (MITM, SSL 2.0, 40-bit support etc)

(Click to view full size, or visit SSLLABS)

Now there are lots of sites which doesn't have their SSL configurations in order, although that is no excuse for Webmercs. Being a hosted solution, where their customers will completely or partially have their services running through secure.webmercs.com, it becomes more of a Single Point Of Failure.

They have a bunch of customers, which is always good to display - until something goes wrong.

----
As a small side-step before continuing, here are two opposite views on security, which I am constantly facing in my daily work:

Customers: "We trust our service provider. We have to trust our provider. We see no reason not to trust our provider. Of course our provider will be give us an acceptable security level. Our providers security is of course at an acceptable level. Our provider knows what an acceptable security level is, has implemented it, and maintains it continuously. Our provider is (solely) responsible for designing, implementing and maintaining an acceptable (best practice) level of security. We do not possess the necessary skills and experience to design such security ourselves, which is partially why we choose to buy this service from an external provider."

(Software) Providers:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

My point is simple: most (software) providers will provide an absolute minimum of security by default, leaving it all to you to decide what kind of security you want to configure. However; they will provide lots of buttons, parameters, flags and options that you may change to improve (or weaken) the default security level. Few of them will provide an additional "best practices" document, with recommendations on how you *should* configure those parameters...

As I've seen over and over and over again, default security parameters are often left right there - at default.
----

Well, that was my general complaint for the day. Let's get back to Webmercs. Here's a screenshot from an e-mail I received, after changing my password and then going through the "forgotten password" procedure at www.avshop.no, where I am a registered customer. They use Webmercs:

Even though its Norwegian, I guess you do understand what it says. (Oh, and that password is not my default one! :-))

Lots of evidence there already, showing that the Webmercs solution sends my existing password, username and all the info you need to access my account through unencrypted e-mail. If they do any kind of password encryption at Webmercs, it still is nowhere near what I would call "best practice".

I have also looked at a few other sites that are using Webmercs, and some seem to have at least somewhat better minimum password requirements configured. Obviously the choice of password policy is left to the customer to decide, and I do fear that the default from Webmercs is length 1, obviously without any type of complexity thrown in.

Do we need any more? To me I've got all the evidence of bad password practices I need. I'll uphold my recommendation on focusing on software developers & providers first for increasing password security & awareness, before bashing end-users for bad password behavior. I will of course get back to this in future blog posts as well.
--
FYI:
I have sent information to support@webmercs.no to inform them about this blog post, in accordance with their .. interesting stand on how to provide support. No online ticketing system for your support requests there, but at least they are honest about it.

Securing your passw^H^H^H^Hgp private key

2011-07-06T19:52:00.001+02:00

I saw this article today by @DSchwartzberg at Sophos about Google indexing PGP private keys, easily found if you know what to search for. It reminded me that I had to finish this old blog post which has been waiting in line for some months now. Lets get straight to the point: How do you protect your GPG/PGP private key?

I use GPG/PGP myself, both at work as well as at home, even though Bruce Schneier says in his book "Secrets & Lies": "Digital certificates provide no actual security for electronic commerce; it's a complete sham." Made me smile when I read it. Of course there are many ways to interpret that statement by itself, with perhaps an interesting view being that a digital certificate identifies an electronic identity, and not necessarily a physical person. DNA testing does that these days. Even more; identifying somebody really doesn't tell you much if they are Alice, Bob or Eve. Well, unless they already have a record, or become subjects of Ethnic Profiling of course.

We have a law here in Norway that says that I am legally bound by anything signed by my #BankID, and similar solutions. BankID is a bank-issued digital certificate, where a single commercial company - owned by various banks - keeps my private keys in their possession, and will NOT give it to me electronically!

Anyway, lets not wake up Auguste Kerckhoff from the dead.

What I am curious about - of course this blog post is about passwords - is how people go about protecting their GPG/PGP secret keys? Do people use strong passphrases? Do they ever change them? What about the password/phrase for shared secret keys, such as those belonging to various CERTs, IRTs, CSIRTs and so on? What if somebody leaves such a team - do they create a brand new key, do they just change the password (Now that's a risk!), or what?

Allow me to quote from the gnupg manual:

"Protecting your private key is the most important job you have to use GnuPG correctly. If someone obtains your private key, then all data encrypted to the private key can be decrypted and signatures can be made in your name. If you lose your private key, then you will no longer be able to decrypt documents encrypted to you in the future or in the past, and you will not be able to make signatures. Losing sole possession of your private key is catastrophic."

If you use PGP Microsoft Windows in a corporate environment, the default configuration will store your keyring, including your private key, under "My Documents". That folder will again probably be stored centrally on a server, making your keyring more easily available 24x7 to lots of other people. Oops - replace "other people" with "unauthorized people" in that last sentence there. It's your secret key, it should be kept in safe storage by you, nobody else (at least not Google's search engine :-))
--

(I'm sorry #BankID, but I want my private key!)

I'd like to hear your opinion, ideas, challenges or risk analysis on this subject. Shoot!

Passordsikkerhet fra MultiCase

2011-07-04T08:45:00.000+02:00

men hvordan er sikkerheten?

Multicase AS er et selskap som leverer et komplett forretningssystem til en lang rekke bedrifter i Norge. En av mange moduler er en løsning for netthandel. Selskapet oppgir selv en rekke referansekunder på sine nettsider, blant annet Bergans, FotoVideo og NetShop. Flere kunder er lett å identifisere via Google. Sikkerheten rundt lagring og sending av passord i løsningen til Multicase er ikke i tråd med anbefalt god praksis. I ytterste konsekvens kan det få store konsekvenser for dem selv, deres kunder, og sluttbrukerne selv.

Bakgrunn
Denne historien startet med at en venn av meg tipset meg om at han hadde glemt sitt passord på NetShop, og gjennom "glemt passord" funksjonen der fikk han tilsendt brukernavn + passord i ubeskyttet e-post. Han fortalte meg også at store deler av nettsidene deres ikke benyttet SSL etter innlogging, slik at sesjonskapring og uautorisert innsyn i hans aktiviteter hos NetShop kan være enkelt å utføre.

På skriftlig henvendelse til NetShop fikk han til svar at hans passord lå lagret kryptert (ikke hashet), men at de hadde nevnt for systemleverandøren (Multicase) at de ønsket dette endret.

Verifisering
På bakgrunn av den informasjonen jeg fikk, samt min egen erfaring med FotoVideo (som beskrevet i tidligere bloggpost), så har jeg brukt en god del tid på å vurdere hvorvidt jeg burde skrive denne bloggposten eller ikke. Jeg ønsker virkelig ikke å gi "hackerne" noen oppskrifter eller tips om hvordan de kan ødelegge enda mer enn de allerede gjør på Internett. Det ser for meg ut som om lagringen av passord i reverserbar kryptert form går igjen på tvers av deres kunder, og at utsendelse av brukernavn + passord i ukryptert passord også er en "standard" funksjon. Sistnevnte kan visstnok endres i systemoppsettet.

Det at passordet blir sendt i ukryptert e-post er i seg selv en verifisering av at passordet enten lagres i klartekst (=ubeskyttet), eller at det lagres i en kryptert form. Dersom det lagres i en kryptert form, så er applikasjonene utstyrt med det nødvendige passordet for å kunne dekryptere passordet ved behov.

Jeg har ingen informasjon om hvorvidt passord faktisk blir lagret i kryptert form, ei heller om denne krypteringen på noen måte overholder anbefalte nøkkellengder og algoritmebruk pr dags dato. Det jeg vet er at testede nettbutikker basert på deres løsning ikke stiller de krav til brukernes passord som anses som minimum ift god praksis anbefalinger.

Anbefaling

Dersom du er kunde hos f.eks. FotoVideo eller Netshop, så vil jeg anbefale deg å kontakte selskapet og si at du forventer at de endrer sitt standard systemoppsett slik at de ikke sender ut brukernavn + passord i ubeskyttet e-post. Videre kan du også oppfordre dem til å gå over til hashing av lagrede passord, og at dette gjøres i tråd med god praksis anbefalinger. Hele prosessen rundt oppsett av nye brukere, endring av brukerinformasjon, lagring, verifisering og sending av passord med mer bør gjennomgås.

Til Multicase: Merkelig nok så finner jeg ikke ordet sikkerhet brukt på noen av deres websider. Ovenstående kan ses på som et tips om å implementere sikkerhet på en enda bedre måte, og deretter bruke også det som et salgsargument for deres løsning?

One Spam To Spam Them All!

2011-07-01T11:36:00.001+02:00

This is a plain boring blog post. In fact, it's a blog post that in a perfect world would be completely unnecessary to write. In my world, this blog post is necessary in order to make Microsoft Exchange admins, as well as mailgateway/antispam operators and operations security people aware of a very simple, but highly important configuration issue in Microsoft Exchange.

I'll make this short:

A Distribution list in Microsoft Exchange is a group of users that will receive all e-mail sent to that list. In the screenshot below I've highlighted a distribution list, and added that list to the recipient list:

By double-clicking on the list, you get to see the properties of the lise, including its owner, and members of the list:

Moving on to the E-mail Addresses tab, you get to see any and all SMTP addresses that has been automatically created for that distribution list upon creation (sorry about all the blurring here, but you do understand why, right?)

Now for the "fun" part of this:
As far as I know, such lists will by default not be "protected" by default. Effectively that means a single e-mail from the Internet to this SMTP address will distribute to all members of the list. Suddenly having the all at yourdomain.com available for the CEO and the internal Pravda (info) department for internal announcements didn't seem like a good idea after all.

Spam mail is filtered in many ways, such as looking for mail of equal size and contents, sent to a large number of e-mail adresses within a certain (short) time frame. As we've read about lately about APT attacks, targeted e-mail with malicious attachments have been sent to specific individuals and/or small groups of people.

A single malicious e-mail sent to such a distribution list could very likely bypass several levels of antispam/antivirus controls, while reaching potentially every employees mailbox through Exchange and Outlook. You don't want that to happen.

So before going on vacation for the summer, please ask your Exchange admins if they have read, understood and implemented the default setting of "From authenticated users only" for all existing and new distribution lists (MSKB827616). This will effectively block such an attack. (And as I've experienced first-hand many times if you don't block it; a lot of people calling you, asking W%&T¤%&#F?!?!?! ARE YOU DOING?)

This is a quickwin. The only little problem; some distribution lists, perhaps like info at yourdomain.com, are actually there to receive e-mail from unauthenticated users on the Internet. Take that into account before you set some poor Exchange admin into clicking his way through a few thousand distribution lists. :-)

Passwords^11 - video archive

2011-06-30T00:29:00.000+02:00

Finally, the video recordings in 720p HD MP4 format are now available for direct download through http/ftp at http://ftp.ii.uib.no/pub/passwords11/.

At http://ftp.ii.uib.no/pub/finse2011/ you will find some video recordings from the NISNET winter school at Finse (Norway). They are pretty long lectures (several hours), but still worth watching, depending on your interests of course. :-)

FY! til FotoVideo!

2011-06-27T23:30:00.000+02:00

Å komme inn på FotoVideo butikken i Oslo var en drøm. Profesjonelle folk som virkelig tok seg tid til å lytte til mine behov (om enn aldri så urealistiske), og forklarte meg om smått og stort før jeg tok mine valg. En butikk som virkelig kan anbefales! Det vil si... inntil jeg oppdaget at it-sikkerhet overhodet ikke er deres fag. Faktisk såpass ille at jeg velger å påpeke det gjennom en offentlig bloggpost, i den tro at det vil føre til raskere endringer enn ellers. Slemt? Ja. Nødvendig? Etter å ha tenkt over det en god stund.. JA.

La oss begynne. Jeg var fysisk innom butikken for første gang, og kjøpte noen produkter der. I kassen ble jeg registrert som kunde, og oppga navn, adresse, telefonnummer og mailadresse. Ikke ulikt det man gjør de fleste steder i dag.

For kort tid siden var jeg innom nettsidene til FotoVideo for å bestille noen minnekort til fotoapparat før ferien. Jeg ble rimelig overrasket da jeg skulle registrere meg som kunde på nettsiden deres at mailadressen min var i bruk allerede som brukernavn, jeg hadde jo ikke registrert meg der før? Så jeg gikk gjennom "glemt passord" funksjonen, og fikk tilsendt - SURPRISE! - en e-post i klartekst (=totalt ubeskyttet) som oppga nettsidens navn (FotoVideo), mitt brukernavn (min mailadresse) og mitt mobilnr som PASSORD. Til å være såpass interessert og erfaren ift passord så kan jeg vel ikke si at jeg ble nevneverdig overrasket, men like fullt: DETTE ER UTROLIG DÅRLIG AV FOTOVIDEO!

Jeg kan overhodet ikke huske om de opplyste meg over disken at de la inn mitt mobilnr som mitt passord ved registrering av kjøp da jeg var der. Hadde de gjort det, så hadde jeg garantert protestert - og gitt de et gratis-på-stedet obligatorisk sikkerhetskurs. Det jeg frykter er at dette er "standard" rutine hos dem, og at det i så måte kan gjelde svært mange av deres kunder.

Men er det så galt da?
Ja. FotoVideo har denne fine beskrivelsen av sikkerhet på sin hjemmeside (min understreking):

(Klikk for full størrelse)

1. "All informasjon som samles inn oppbevares på en sikker og fortrolig måte."
Feil. De samler inn informasjon, men unnlot, ihvertfall i mitt tilfelle, å informere om at de brukte mitt mobilnummer som mitt passord. Dersom min mistanke stemmer, så kan det være enkelt å få tilgang til kundeopplysninger, inkl. ordrehistorikk, servicehistorikk og så videre for deres kunder. At passordet og kanskje også øvrig kundeinformasjon enten lagres kryptert eller enda verre - i klartekst - er absolutt et brudd på anbefalt praksis.

2. "Etter vår mening er dette ikke sensitive eller kritiske data som kan misbrukes på noen måte".
Jeg er uenig, og jeg tror mange andre vil være enig med meg. Hvilke varer jeg har kjøpt, til hvilken pris og på hvilket tidspunkt er i seg selv informasjon som kan misbrukes. Navn, adresse, mailadresse og mobilnummer er også informasjon som kan misbrukes. Her er noen av mine kundedata, lett sensurert (mine uthevinger i rødt):

(Klikk for full størrelse)

Det interessante her er jo muligheten for å endre leveringsadresse, samt få tilsendt varene med faktura pr. 14 dager. Denne ordningen er i praksis en kredittkjøpsordning gjennom Gothia Finans AS. Selv om ordningen tilsier at bestilte varer blir sendt til adressen som er registrert på meg i folkeregisteret, så byr ikke en postkasse på særlige problemer. Det står ingenting om bruk av rekommandert sending her, og fakturaen sendes til min registrerte e-post adresse. Sistnevnte er jo også registrert hos FotoVideo, og kan lett endres. Om ikke annet så kan utenforstående få opprettet dyre kredittkjøpsavtaler og gjennom det inkassosaker på meg gjennom denne løsningen.

Det er naivt å tro at personopplysninger, selv så uskyldige som de registrert hos FotoVideo, ikke kan misbrukes.

Til FotoVideo:
Dersom dere bruker kunders mailadresse og mobilnummer som standard brukernavn og passord, så bør dere endre den praksisen øyeblikkelig. Husk også å informere kundene om at dere gjør dette når de handler hos dere. Dere bør også vurdere å endre nettbutikk løsningen slik at brukernavn, passord og nettadresse ikke sendes ut i ukryptert e-post. Det er brudd på god praksis, og det er alt for enkelt å misbruke. Det gavner ingen dersom deres kunder blir svindlet, og dere mister kunder pga svak sikkerhet i nettløsningen deres.

Passwords^11 - Thank you all!

2011-06-16T21:18:00.000+02:00

Oh boy, that was a *lot* of fun! Yes, I know I wouldn't probably say anything else since I was more or less the sole organizer of the conference, but I've received nothing but very positive feedback. Speakers and participants; all very positive and asking for another round. Here's my own summary of the conference, with some pictures, name dropping and loads of links you can click on. :-)

First of all I will of course say a big thank you to Professor Tor Helleseth at the Selmer Center, part of the University of Bergen, as well as NISNet. Altogether they believed in me, gave me a budget for the conference, let us all use their facilities at the university as well as buying us lunch, coffee and Skillingsboller inbetween. Thank you!

Second I have to thank all the speakers who submitted speaking proposals and/or accepted my invitation to present at the conference. Without Professor Frank Stajano, Simon Josefsson, Professor Kirsi Helkala, Bendik Mjaaland, Erlend Dyrnes, Carsten Maartmann-Moe, James Nobis, Dmitry Sklyarov, and partially Markus Jakobsson & Ruj Akavipat (presented by Frank Stajano), I would have to speak about passwords just a little longer than anybody would be interested in listening. Thank you all!

Third I must say thank you to my friends in our "security think tank" (more formal name & logo to appear sometime in the future...). Great discussions on different security topics, closely and loosely related to passwords, lots of ideas for the conference! I should also include the assistance from Oleksandr Kholosha and Elisabeth Skibenes for the many practical tasks you carried out before and during the conference. Highly appreciated!

Fourth, A BIG THANK YOU to all the participants at the conference, those (few) of you who dropped by our live stream at ustream.tv, and all others who in various ways participated in making Passwords^11 happen.

Here are some pictures from the conference taken by our very own KluZz, as well as a few pictures from me while showing the city to Dmitry Sklyarov, Andy Malyshev (both with Elcomsoft), as well as Norbert Schmitz, our visiting Master student ("Guessing Passwords!") from Germany.

Just know this; I did ask KluZz to make me look young, smart and sexy, but he failed. ;-)

Now for the cool news: Our little panel discussion (not available as video, sorry) ended up with no belief in getting rid of passwords anytime soon. Based on that, Passwords^XX will most probably happen once every year for the next three or four years here in Bergen.

For those who prefer the US, there is a small chance you will see Passwords^XX happening over there as well, sometime during 2012. Currently starting discussions on that, so we'll see. Watch this blog for more news! :-)

Padding_____Haystacks

2011-06-15T20:08:00.000+02:00

@itinsecurity asked me for a blog post regarding Haystack, described as an interactive brute force search space calculator. Haystack comes from from Gibson Research Corporation (@sggrc). I did retweet, asking @purehate_, @iagox86, @lakiw, @quelrods, @CrackMeIfYouCan and @d3ad0ne_ for their opinions as well. Since we're all above average interested in passwords, why not see if we have any opinions in common? :-)

@purehate_ replied with a link to a blog post from @d3ad0ne_ called "Does password padding make your passwords more secure?", which I guess directly relates to the podcast from @sggrc and Haystack.

@quelrods (James Nobis) has also written his opinion on Haystack, as his very first blog post! (woohoo!)

There's probably no point in writing much more; I'll agree with purehate_, d3ad0ne_ and quelrods. Padding your password to lower the chances of crackers breaking it is not the best of ideas, as with probably ... oh.. a LOT of similar suggestions.

Lets talk a little psychology and security awareness instead.

I think we - as humans - are better at remembering positive things than the negative ones. Sure, there are some events way back there in your brain that won't go away anytime soon, but for most parts I think we're better at the positive things. I can still remember what color and type of clothes my wife was wearing the very first time I saw her. Black trousers, black shoes, red sweater, oval green sign with "Smash" written in white. (she worked at a clothing store at the time). Could that sentence be my password^H^H^H^Hphrase? I'd love to see somebody crack that, with no prior knowledge of either password policy restrictions or my preferred choices of passwords.

Obtaining a written password policy, as well as the various technical implementations, is "piece of cake". It's easy. It is so easy that calling it "social engineering" is.. well... an overstatement.

On the other hand, you really don't need to talk to many users before they will curse you from here to anywhere, when you ask them about password policies and password construction schemes. Try your mother, probably a good place to start.

See; there are way too many security people out there trying to teach people advanced password construction schemes in order to create - AND REMEMBER - advanced passwords. Suddenly the poor end-users must not only try to remember their password, but the construction rules instead. It just doesn't work in most cases - at least not in the scenarios I've tried out. (I have to admit this sure is something I'm going to dig deeper into, along with psychologists and other people studying human behavior etc).

That's why I've been telling my mom - and others - to write a sentence in normal language as their password. Hey, it's summertime, barbeque and margueritas, here we come! Positive sentence, shouldn't be that hard to remember.

Drop 99% of your written password policy and construction guidelines. It's pretty useless. People are just not interested. Breaks my securityheart, but not much to do about that. Tell them to use sentences. Positive ones. Deploy electrical treatment to all programmers and sysadmins who refuses to implement UTF-8 length 255 password support.

A large part of the problem is on our side. The security folks, the sysadmins, helpdesk who mess up everything, the haystacks of old and ridiculous policies stowed away in something called "QMS".

Stop blaming the end-user every time something goes kaboom. To you they keep you with a job. Don't fight them, help them!

--
And that's it from the happy-shiny-people's department today.

Password T-shirts

2011-06-10T12:42:00.000+02:00

James Nobis (@quelrods) asked me about my password related t-shirts at Passwords^11, ie if I had the designs available. Here are my own "designs" - it's just text - feel free to copy, print, use, sell as much as you like. :-) (Absolutely No Rights Reserved!)

Thanks to Jan Fredrik Leversund (@KluZz) for this one. :-)

If you don't know the meaning of this one, you're not into passwords at all.

Based on a tweet from comedian Will Ferrell. :-)

My first t-shirt attempt to poke fun at the biometrics fans...

Passord - 2 Eksempler til #DLD & Advarsel

2011-06-05T00:37:00.005+02:00

7-8 Juni arrangerer jeg for andre gang det jeg tror er verdens eneste konferanse som utelukkende handler om passord og PIN koder, kalt Passwords^11. Dette gjøres i samarbeid med Professor Tor Helleseth ved Selmer senteret, Universitetet i Bergen, og med finansiell støtte fra NISNET (Fra Norges Forskningsråd). Din første tanke etter de to første setningene er kanskje "er det mulig?". Det er det, og det er en sikkerhetskonferanse som er mer aktuell enn noensinne å arrangere. Her skal du få 2 konkrete eksempler fra min hverdag som forhåpentligvis aktualiserer konferansen også for deg.

1. Bergen Bompengeselskap (Bro- og Tunnelselskapet AS)
Jeg bor i Bergen, og kjører til jobb daglig. Det samme gjør kjæresten min, og innebærer daglige passeringer gjennom bompengeringen i Bergen. Bro- og Tunnelselskapet AS er ansvarlig selskap for bompengesystemet, og de benytter Q-Free sine løsninger. På websidene til Bro- og Tunnelskapet AS kan jeg logge inn for å se og endre mine abonnementsdetaljer, samt se alle mine passeringer de siste 6 måneder. Ja, jeg kan til og med se alle passeringene som min kjæreste har foretatt også, om ønskelig. Akkurat det kan jo naturlig nok unngås ved at hun har egen avtale, men det er en annen historie.

Bro- og Tunnelselskapet har en SKREMMENDE DÅRLIG sikkerhet tilknyttet passord i sin løsning. Det er svært enkelt for andre å oppnå uautorisert tilgang til ditt abonnement, inkludert registrere andre kjøretøy på ditt abonnement, slik at du betaler for dem. Ikke minst, som et innlegg til debatten om Datalagringsdirektivet: De kan få sett alle dine passeringer de siste 6 måneder.

Jeg har tatt skjermbilder for å illustrere tydelig hva jeg mener (du kan klikke på bildene for å full størrelse):

Standard innloggingsbilde for Bergen Bompengeselskap AS

Bildet over viser standard pålogging når man skal logge seg inn hos Bro- og Tunnelselskapet AS. Her klikker jeg på "Forgot password" (glemt passord), og får opp bildet under:

Skriv inn e-post adresse eller kundeID ved glemt passord

Jeg skriver inn min e-post adresse, alternativt kundenummer, for å få tilsendt mitt eksisterende brukernavn og passord via ukryptert e-post!

Bekreftelse etter å ha tastet inn min e-post adresse

Etter å ha skrevet inn min e-post adresse, så får jeg bekreftelsen over om at jeg får en e-post ganske straks. Og helt riktig, e-post kommer på få sekunder:

Ukryptert mail fra Bro- og Tunnelselskapet...

E-posten som kommer er ubeskyttet. Den inneholder min brukeridentitet (kundenummer), mitt passord og all annen informasjon som gjør andre i stand til å misbruke mitt abonnement, samt overvåke mine bompasseringer (samt min kjæreste). Det er ikke mulig for meg å undersøke hvor mange mennesker som ulovlig og uten spor kan plukke opp denne e-posten og misbruke informasjonen. Svært snill gjetting tilsier noen titalls personer. Minst. (Ja, passordet som vises i bildet over er faktisk det passordet jeg brukte tidligere hos Bro- og Tunnelselskapet AS...)

Alternativt skriv inn registreringnr + brikkeID

Dersom du ikke husker hverken kundenummer, passord eller din egen e-post adresse, eventuelt har fått ny eller har aldri registrert noen e-post adresse hos Bro- og Tunnelselskapet, så kan du skrive inn registreringsnummeret på bilen, samt BrikkeID. Men vent nå litt; hvor finner jeg det? Her:

Plassering av Q-Free brikke i frontvindu på bil

Eller nærmere bestemt, når jeg flytter meg nærmere med kameraet:

Q-Free BrikkeID lett synlig gjennom frontvindu på bil

Det å finne registreringsnummeret på en bil er jo ingen kunst, for å si det enkelt. Ei heller er det noe vanskelig å identifisere eieren når du har registreringsnummeret. Sist men ikke minst noterer man seg brikkeID'en, slik den er trykket klart og tydelig på brikken slik du ser på bildet over.

Dersom eieren ikke har registrert en e-post adresse, eller du kontakter selskapet på telefon, så kan du få tilsendt alle nødvendige opplysninger i et vanlig brev. En antatt enda enklere metode for enhver skurk som ønsker å utnytte de muligheter denne mangelen på sikkerhet faktisk gir.

Det er svært vanskelig for meg å tro at det er gjort noen skriftlig risikoanalyse som tilsier at denne måten å gjøre det på er innenfor akseptable grenser. Det er lite - om noe - i deres løsning som tilfredsstiller dokumentert god praksis fra anerkjente og nøytrale institusjoner på Internett, inkludert den Norske stat selv (NorSIS.no og Nettvett.no).

Bro- & Tunnelselskapet AS er eid av Hordaland Fylkeskommune (ca 27%) og Bergen Kommune (ca 24%), øvrige 49% av andre finansielle institusjoner. Jeg vil varsle både kommune og fylkeskommune om ovenstående.

Jeg kunne skrevet enda mer, men ovenstående bør være mer enn nok for å få Datatilsynet på banen. Det er fristende å tro at dette også har interesse for Stopp Datalagringsdirektivet? Et søk i Offentlig Elektronisk Postjournal på søkeordet passord avdekker flere konkrete tilfeller av samme type - og fortsatt finnes det utallige tilsvarende eksempler bare innen Norges grenser.

----

2. Selvbetjente innsjekkingsautomater på Norske flyplasser

Bildet under har jeg fått fra en venn som tok bildet på Bergen Lufthavn Flesland, høsten 2010. Det viser skjermen på en selvbetjent innsjekkingsautomat i avgangshallen som har startet på nytt, og hvor man må trykke Ctrl+Alt+Delete for å logge på. Skjermbildet i bakgrunnen har en tabell oppe til høyre med brukernavn, passord og tidligere brukte passord.

Jeg vil ikke gi her noen ideer eller utdype hvordan dette kunne blitt utnyttet, av naturlige årsaker. Det er bare å slå fast at en slik praksis, dersom den stemmer overens med skjermbildet, ikke er i tråd med regulatoriske krav til en slik løsning. Det verste er at jeg ikke vet hvem som er ansvarlige for disse innsjekkingsautomatene, men antagelig ikke Avinor selv.

Skjermbilde fra innsjekkingsautomat på Flesland, Bergen.

Sony #PSN Password Resets: Inconsistent & Inadequate?

2011-05-16T23:39:00.000+02:00

Sony's Playstation Network (PSN), has been offline for a long time. You know the reason for that by now. Following @mikkohypponen and others on Twitter, I saw that #PSN would open up again, territory by territory. I downloaded and installed the mandatory v3.61 update, eagerly awaiting some serious pwning in MW2:Black Ops again. Just had to change my password first, according to tweets and Sony themselves in a blog post. You know; for my own security. Thanks to Sony for taking care of me!

As most people I know, RTM or RTMF just doesn't stick to the top polytetrafluoroethylene coating. Try first, try a few more times, than eventually cave in and RTM. Easy.

Whoa... Wait a minute. Passwords first, MW2:Black Ops second. Lets take a look at the process for my multiple password resets using my PS3 as well as the web, and look for differences and weaknesses.

First of all: the PS3 process. Screenshots using my HTC Desire against my 100" and a Sony (!) VPL-HW15 projector.

Updated to v3.61. Request to logon to #PSN, this is what I get:

Ok, sure. If your organisation and/or your customers has been pwned: DO A COMPLETE PASSWORD RESET FOR ALL ACCOUNTS. (Sorry for the bold capital text there, but hey; it's important!). So far, so good.

Ah. Password requirements. At least length eight, numbers and letters. Ok. Lets try out the most common of them all (remember RockYou?): 123456.

Nope, that didn't work, and they do tell me which requirements my attempt didn't fulfill. GOOD! Some complexity and pattern matching rules here as well; PLEASE notice the last one: "The password must be different than your previous password". Ahhh. Password history I see, good that might be. Well: lets try the PCI DSS compatible password then: password1 (That's a single digit at the end there...)

Hrmf. Well, say whatever you want: password1 is NOT what I would consider a good password. As far as most recommendations from non-commercial organisations goes, the minimum requirement today is for a MixAlphaNumeric minimum length 8 password. Not that Password1 would be much better, but again: my own research shows that as much as 50% of users that are forced to comply with a mixalphanumeric policy will use the pattern of UPPERlowerlowerlowerlowerlowerdigitdigit (or 2 additional digits). The keyspace is considerable, while reality is not. But hey; you'll learn more about such things at Passwords^11. :-)

Just a final screenshot to show a heavily censored version of which data you could get access to using my PS3 and knowing my password. (Card number: first4 as well as last 4 digits, no security code):

Well. So far so good. Or not? Well, password1 for sure is not acceptable to me. Entering that password using my PS3 controller was more than enough, can't imagine too many people enter a length 12+ MixAlphaNumericSpecials password using their PS3 controller, even if the password gets stored locally after entering it.

So I had to do a another round or two - or three - of "lost password", just to see what that looked like. Back down to my home office and my computers. Pleasant surprise: DoNotReply@ac.playstation.net had sent me an e-mail with the subject: PlayStation(R)Network Password Change. Nice. I think that a default opt-out option should be available in online services, where the default setting will send you some kind of confirmation if/when security settings related to your account are changed in any way.

Browsing to www.playstation.com, "Sign in", "Forgot password", and voila:

Date of birth? Hm. Not too difficult to remember for most of us, and just a little bit more programming to do for an attacker to bypass. Nice. (Forgive me again for the heavy censorship, I'm sure you understand...)

Only one method for resetting my password available, but I've got to say I really hope to see more and better alternatives here in the future. "Please dial this premium number in Japan. If your callerID matches the number entered into your profile using your PS3, we'll give you a 10-digit OTP valid for 30 minutes to reset your password". Ah well, got carried away there, replacing Sony's losses over #PSN downtime.

Getting a confirmation on screen telling me that an e-mail has been sent to my e-mail address, which is also my logon id. Some comments here:

I've written about Guarding your usernames earlier. I'll stand by that, pointing my finger at Sony as well as others for not giving me any alternatives.
The way Sony has implemented this may enable easier identification of correct e-mails and birth dates. Another take, which I've seen at some sites, is to say something like "An e-mail has now been sent to your registered address, as long as the data entered are correct". Not sure about the usability vs security aspect there yet, still spending time thinking about it.

Anyway; the e-mail from DoNotReply... came within seconds, containing an https link to store.playstation.com/(something...), with a timeout value of 3 hours from the time it was sent. There are other variations around of that timeout, IF they have one at all.

For those paranoid among us: clicking the link gives me a case-sensitive CAPTCHA. Wow. Well, I did it in 3 attempts. :-) (Always a good idea to be a bit careful with capital i and so on in captchas...)

Lets see if the web interface will allow me to use a as my password. (A favorite test of mine for sure!)

Nope, didn't work. Instead I get a banner stating the password policy:

Hey! There's something wrong here! Compare this image above to the one below. Seems like Sony #PSN isn't completely consistent in their password policy, differentiating between passwords entered through the web or using the PS3s own interface? Hmmmm.... Could there be more weaknesses here? (Please continue to read below...)

There are.

See that last sentence there? "The password must be different than your previous password?". Doesn't seem to be implemented. I've changed away from password1, then back again, then away from it again. Not much sign of any password history being kept there. Could be a good thing, as I've written about in an earlier blog post entitled Why History May Be Bad For You. I really don't like to see written password policies not getting implemented to the word. It just make things harder for end users. The policy says one thing, the system apparently require something else.

My main concern with this: If Sony #PSN doesn't enforce this policy requirement, how many of their 70+ million customers will eventually type in the same previous password as they've used all along? The password that apparently has been compromised already? Any chance Sony would do a limited NDA based release of their user database, so that others could take actions to protect their own customers, like Linkedin did after the Gawker compromise? I guess not.

If you get compromised, you are compromised and you will basically remain compromised unless you change everything, including your users.

Now if you'll excuse me, I'm going to play Modern Warfare 2 : Black Ops on #PSN. I just have to delete my credit card details from my #PSN profile first.

Passwords^11 - Program & abstracts are ready!

2011-05-05T21:49:00.002+02:00

The program as well as abstracts for the academic talks at Passwords^11 are now available! I have added them to the registration blog post, or you can get them directly here: Program (pdf, 200kb), Abstracts (pdf, 172kb). I hope to see you at Passwords^11!

Dynamic Prevention of Common Passwords

2011-04-26T00:00:00.004+02:00

Remember the 370 passwords you were not allowed to use on Twitter? If not, here's the story, as told by @TechCrunch. You have probably experienced - maybe even implemented - the same kind of static blacklisting in other online services, in your corporate network or at your personal workstation. I have. Doesn't really help much in the long run, unless blocking Conficker from gaining access (List by Sophos - @gcluley) is your ultimate goal. Here I suggest another and more dynamic approach to the problem of commonly used and eventually also bad passwords.

Many years ago I made a developer create a custom password filter for Microsoft Windows, based on the passfilt.dll source code example. For obvious reasons I will not go into the specifics about when, where, why, how, what etc about that specific implementation. :-)

I've written before about being careful with disclosing your user/logon name, why your password history may be bad for you, what exactly do you/they mean by "wordlist", and even an old article entitled "Experiences with password policies" back in 2005. I could list more, but these are highly relevant for this blog post.

Here's the thing: I don't think implementing static blacklists for passwords really help. On the contrary, I think it is counterproductive as it will just be of annoyance to end-users, and will easily be circumvented. In the long run you will end up with users whispering behind your back about words NOT caught by the filter. Of course they will not tell you, as you are Mordac, the preventer of information services.

However there is another problem that may be of even greater risk than those end-users poking around with easy-to-guess passwords. Helpdesk. Yup, that's right. The people who has their performance measured by the number of support calls they can open and close in 45 seconds or less. Do you really think they are so creative they give out unique and easy-to-read length 15+ passphrases to every caller? No way buddy, no way. Most likely they will use a very limited set of "default" passwords, that change only every few years or so. If there's a bunch of new people starting at your company on Monday, they probably get the same password for starters, all of them. Sure, they will have to change it upon first logon, but with default Microsoft Windows, you can't really set a time limit for disabling the accounts if the password doesn't change in n days. That's too bad.

So here is my quick and dirty suggestion. I've given this a bit of thought, I have already attacked my own idea and have some objections, but I'd like to hear your comments first. Based on my primary experience within the corporate world filled with Windows desktops and valuable data stored on Windows servers, I'm kind of biased here (forgive me...):

Dynamic Prevention of Common Passwords

We'll implement a custom password filter (passfilt.dll) that uses a good HMAC to create a value for the new requested password by the user. This value will get stored either locally or in a centralized file/database, along with a count value. (In all honesty, as long as Microsoft continues using LANMAN and NTLM (no salting), it doesn't take much to do better....). This filter will be deployed to all domain controllers, to enable the filter for domain accounts.

Using a configuration file (no hardcoding, thx!), we'll set a threshold value N for how many simultaneous occurrences of the same password we'll accept among all accounts.

As soon as the filter receives a cleartext username + password for control, the filter will first check the bare minimums (length, complexity, similarity to username etc, if applicable), then proceed to hash the password, and check that specific hash value for number of occurences in the file/database that is dynamically updated. If there already exists N occurences of that hash value in our file/database, the password will be rejected.

The main purpose of this is to prevent a high number of accounts having the same password at the same time, with the most common passwords in corporate environments being tied to date/day/month/year and seasons. However, with such a dynamic filter in place, we'll effectively block any and all attempts to set the same (bad) password across multiple accounts, no matter the source.

In combination with a decent password policy and the removal of the LANMAN hash values, we'll have a better and wider selection of passwords in use at any given time. We'll effectively increase the time needed to successfully recover (crack) X passwords, while reducing the maximum number of accounts that can be compromised through the successful recovery of a single password (NTLM hash value).

Now, this is just some stuff I've been thinking about during easter, so be gentle with your comments. As I said earlier, I've attacked my own proposal already, and have some objections. Before I eventually expand this idea and lay out my own objections, I would really appreciate your comments. Fire away. :-)

Consolidate my posterior...

2011-04-22T19:26:00.001+02:00

While I was asleep...

As I'm sure many of you are aware of by now, Apple iOS 4.x contains a database file named consolidated.db, in which your every move (or at the very least, the movements of your device) are recorded. This, according to conspiracy buffs and privacy advocates, is done to make life easier for Gil Grissom or whoever your local CSI representative is. As a~~n international black market arms dealer~~ security professional, I've been curious about how useful the collected data really is, especially since a lot of the comments on the subject claims that the coordinates and time stamps are wildly inaccurate. So I decided to figure this out for myself, and proceeded to crank up Google Earth...

Google Earth has this neat feature that lets you import (and export) data via an XML-based file format named KML, so I've wrote a perl script that reads the consolidated.db file and outputs a KML file. The script can be found here. What you need to run the script is perl (obviously), and the DBI and DBD::SQLite modules (the database is in sqlite3 format).

Now, the procedure for extracting the consolidated.db file from backups have been described elsewhere, so I won't get into that. For this exercise, I'll just assume you've figured out that part already.

When everything is ready, simply run the script with the database file as the single argument:

perl xonsolidated.pl consolidated.db

If everything went well, there should be no output other than a new file with the .kml extension tacked onto the end of the original database file name (consolidated.db becomes consolidated.db.kml). This file can be loaded into Google Earth, and the result should be a big list of timestamps (one point and one path for each time stamp, and each pair with a different color).

If it didn't run properly... Well, happy debugging.

So, what did the Google Earth representation of my location data show me?

Well, it certainly didn't show a complete record of all my movements. In fact, before I separated each time segment into different colors, it looked a lot like a big plate of spaghetti. It seems that the location data is only dumped to the database every now and then (sometimes several times a day, sometimes as rare as every fortnight), all the data points are given same time stamp. From what I can tell, the coordinates corresponds more closely with which cell tower my cell phone was talking to than any actual phone location.

One of the more recent time stamps (see the picture up top) indicated my presence at dozens of locations with several square kilometers around my apartment, at a time that I'm quite certain I was sound asleep in my bed.

Another thing I found is that the collected can be vastly incomplete at times. Case in point; I spent a week in Angola last November, more precisely in the central district of the capital Luanda (which has surprisingly good cell phone coverage). The database contains tracking information all the way down to Frankfurt airport (in Germany), but after that, there's a 10 day gap where absolutely nothing is recorded. The next tracking dump occurs after I had been back home for several days.

So, are these data useful for anything at all?

It should be quite clear that it's not a reliable source of evidence; The data is written at way too irregular intervals, the coordinates are all over the place, and it is likely that vast chunks of data are missing (like my trip to Angola). In all likelihood, the cellular network providers already have much more accurate data on your device's movements.

So if it's not useful for auditing purposes, why does your device record these data at all? To be honest; I have no idea. Hopefully, someone who cares a lot more than me about these things, will figure it out, or Apple will decide to be a bit more open about what goes on under the hood of their devices (yeah, that's gonna happen).

Security Think Tank

2011-04-13T23:35:00.004+02:00

On Monday April 4, I did a presentation at the Scandinavian ISACA conference, held in Oslo, Norway. The title was "Board Member Security" (Link to Slideshare), and were part of the governance track. I will get back to the contents of the presentation later, first of all I would like to introduce the people behind the presentation.

I have set up a local "think tank" on security with some friends here in Bergen, Norway. Most of us have known each other for many years already, personally from school and by working together.

Erlend Dyrnes is the Security Manager of Norwegian ISP NextGenTel. (I should probably say triple-play provider or something to be more correct). A former pentester and auditor at Ernst & Young, he now has to face the consequences of his previous recommendations. With a bright mind, he manages to bring the important aspect of ROSI (Return On Security Investment) into our discussions. He also holds the CISA and CISM certifications from ISACA.

Odd-Terje Karlsen is our "Grand Old Man", and one of my work colleagues. He actually remembers the introduction of IBM PC's with MS-DOS! :-) With more years of experience from the IT industry then any other in the group, he can thoroughly draw the lines from the introduction of IBM PC's to one of the hotter topics in the business today: BYOPC (Bring Your Own PC). "Been there, done that" is natural for him to say whenever the rest of us has a new, bright and shiny new idea to discuss. Being able to benefit from earlier failures, pitfalls and success stories is of great value to us all. Oh, and he's a fan of Maltego. :-)

Alexander Hoogerhuis is our "foreign guy". Not just being a citizen form the Netherlands, as an independent consultant, he travels the world for his clients, installing and fixing networking problems (and more!) all over. He never did the final lab exam for Cisco CCIE, but the written exam as well as other certifications were a breeze. Through his work he sees a lot of challenges as well as solutions for a wealth of different enviroments, across borders and cultures. He is pretty creative on describing attack scenarios that involves social engineering in combination with exploitation of commonly known defaults and bad habits.

Lars Erik Bråtveit is our true CCIE, pentester and social engineering expert. At the time of writing this, it's just a week ago since he told me that he just won the CTF at a SANS course on pentesting in the US. Congrats! I do consider him a little paranoid, but then again.. doing social engineering and pentesting almost on a daily basis should make many people paranoid. Creativity on both the attacker as well as the defenders side of the table is of great value to our discussions.

Thomas Tjøstheim probably represent the strongest academic side of our group.With a Ph.D in computer security, he represents the analytic mind who organize lots of information very fast, if needed. He even take notes from our conversations! :-) With a passing score on the CISSP exam and working with risk analysis during work hours, he is also my nemesis in our highly informal "Pwn2Own" competition.

Per-Arne Hoff works in the public sector, just like Thomas has done for a couple of months now. With a positive attitude and perspectives from the public sector, he helps us see challenges as well as solutions from a different perspective than the rest of us. Supporting a very large organisation that needs to be open and available to anyone, he faces other challenges in his daily work that we - luckily - don't have to worry too much about on a daily basis. Oh, and he knows his firewalls, wlans, vlans, routers and switches pretty well. :-)

Thomas S. Methlie is our (secure) programmer. With a master in informatics, looking at different security aspects, he's one of those guys who usually have something really smart to say every time he speaks. He's also part of the "Thomas & Thomas" team (see above), my nemesis in our "Pwn2Own" competition. He passed his CISSP exam with ease, and practices confidentiality every day by being married to a journalist. ;-)

Oddbjørn Steffensen is also one of my colleagues. I usually refer to him as the inventor of PERL (he doesn't really like me saying that...). I think he can actually figure out the question that will give you "42" in less than 42 lines of PERL code, but that wouldn't be any fun, right? he can do mind mapping faster than you are capable of speaking, he eats any log format for breakfast and will tell you exactly who did it in minutes. And that with a complete profile, including a Google Street View of where the culprit lives by night. (If you try to hire him, I'll shoot you). Maybe I should say that he passed the CISSP exam many years ago, but didn't bother to report his CPEs. Too bad, but I'd hire him any day, no matter his price.

Jan Fredrik Leversund is another colleague, and yet another consultant in our group. Oddbjørn says that his own PERL code just works, while Jan Fredrik documents his code (!) in addition to making it work through a more structured approach. I have never ever met anyone more capable of turning down any and all suggestions that I can come up with, replacing them with either nonsense or even better ideas than what I thought of initially. I like that. :-) A programmer, risk analyst and pentester, he's a fan of Apple products and like Oddbjørn has a genuine interest in photography. He currently holds the CISSP-ISSAP certifications from (ISC)2, and needs to do a bit of paper work before officially becoming a CISA as well. He's also the mastermind behind quite a few lines of PERL code that does password analysis for me.

Yours truly? Well, you probably have an idea about me already, based on this blog and other sources. I'll leave it to somebody else to give a description of me, I'm really not objective here. :-)

Passwords^11 - REGISTER NOW!

2011-04-09T01:36:00.006+02:00

Twitter hashtag: #passwords11

We are getting ready. You can now register for participation at Passwords^11, a 2-day conference on passwords & PINs. Free for all, at the University in Bergen (Norway), on June 7-8. Limited seats available. Quite possibly the very first-ever conference *only* about passwords & PIN codes! :-)

Where?
Just like in December 2010, we'll do the conference at the Selmer Center, part of the University of Bergen. The exact address is Thormøhlensgate 55, 5008 Bergen. The building looks like this (Google street view). Walking distance from the city center (Torgalmenningen) to the Selmer Center is estimated to 21 minutes, thanks to Google. :-)

Why?
We'll record all presentations on video and make them available on the Internet for free as soon as possible after the conference. We're even planning to do live streaming of it all through ustream.tv. Cannot guarantee that will work out yet, we need to test it first. Anyway; by participating onsite you get the chance to ask questions, chit-chat, get to know new people with similar interests and probably some Übergeeky discussions over lunch and dinner.

Who?
Who should participate you may ask. Well, last year we had students (masters, PhDs), professors and post-docs from the academic side, and security professionals from the private side. It will be part academic stuff, part very applicable to you as a security professional or hard-core web/app developer. You do not have to be on level with Professor Tor Helleseth of course, but some basic knowledge is probably a good idea. Others may find it interesting too of course. :-)

Program?
Here is the program, as well as the abstracts (academics are much better at providing abstracts, I'll give'em that!)

Price, flights & accomodation?
Participation is for free. Hey, we'll even buy you lunch in the university cafeteria in the same building! Travel, accomodation, breakfast and dinner - and something you drink - is on you. Several airlines have direct routes to Bergen airport Flesland. Airport bus or taxi is approximately 20-35 minutes to the city center. Hotel standards are good in Norway, but June is also tourist season so I recommend that you book your hotel as soon as possible.

Feel free to join in for dinner on Monday, Tuesday and Wednesday evening. If you have any questions, like where to go, what to see before or after the conference, feel free to e-mail me, and I'll try to answer ASAP.

Great! Register! Register!
Register by sending an e-mail to me (per at thorsheim dot net), with the following information:

- Full name
- Title / position
- Company / Organisation (if applicable)

We will confirm your registration back to your e-mail address. No, we're not using Epsilon for mail distribution, and we will not give out any mail addresses to anyone else. Since this is a free conference, attendees may drop attending in the very last minute. Please, if you register and then find out you can't participate anyway, let me know ASAP.

Best regards,
Per Thorsheim

We also have a media partner in PenTest Magazine:

Sikkerhetsansvaret

2011-04-02T01:45:00.000+02:00

Jeg er litt overrasket over at Janne Hagen i FFI på siste FFI-FORUM skal ha påpekt at vi har "...et fragmentert statlig ansvar for IT-sikkerhet" (NSM bloggpost, 1 April 2011. Tviler på det er noen aprilspøk). Jeg regner med hun da uttaler seg om den reelle etterlevelsen av sikkerhet i det offentlige, plasseringen av ansvar bør det da ikke være noen tvil om? Styrelederen heter Harald, adm.dir heter Jens, og generalforsamlingen heter Stortinget. De har ansvaret for sikkerheten.

Tilgi meg for introduksjonen, temaet er svært viktig. Bloggposten fra Kjetil Veire i NSM er da også umulig å la være å kommentere. Plasseringen av ansvaret for sikkerhet synes å være et evig diskusjonstema.
(Definisjonen av tilstrekkelig sikkerhet... Vel, DER har vi noe å diskutere til evig tid, men det er da også en helt annen diskusjon enn plassering av ansvar.)

La oss ta utgangspunkt i børsnoterte selskaper. Styret er meg bekjent kollektivt ansvarlig for at sikkerhet blir tilstrekkelig ivaretatt i en virksomhet. De vil normalt nøye seg med å gi det daglige ansvaret for sikkerheten til administrerende direktør, og verifisere at dette blir ivaretatt gjennom enten en internkontrollfunksjon og/eller lovpålagt ekstern revisjon. Det er naturlig at man derunder bygger et organisasjonskart som også har en linje- eller virtuell organisasjon hvor noen er utpekt til ha det daglige ansvaret for å ivareta sikkerhet innen ulike områder.

Det å la en minister få øverste ansvar for sikkerheten i staten tror jeg er en dårlig ide. Det kan vel ha skjedd at både Kongen, Statsministeren og Stortinget har overkjørt hverandre i ulike saker, men at en skarve minister skal ha mulighet til å toppe dem? Neppe. Jeg har da heller ikke møtt på mange sikkerhetssjefer som har talt styret eller administrerende direktør midt i mot, om de i det hele tatt har talerett fremfor disse.

Utfordringen ligger ikke i plasseringen av ansvaret, men i mandat, budsjett og myndighet. Gjennom mandatet vet du hva du skal gjøre. Med budsjettet får du muligheten til å gjøre det. Gjennom myndigheten får du muligheten til ulike sanksjoner dersom tilstrekkelige tiltak faktisk ikke blir gjennomført innenfor definerte rammer.
Selv må jeg innrømme at jeg flere ganger har skyldt på fraværet av ett eller flere av de 3 nevnte elementer når sikkerheten blir veiet og funnet for lett.
--
Erland Løkken, direktør i Næringslivets Sikkerhetsråd, sier at "det må etableres et senter med mandat til å koordinere private og offentlige aktører for forebyggende og avgrensende tiltak".

NorSIS har ikke det mandatet, men de har allikevel et mandat som kanskje er et steg i riktig retning.

Jeg har tidligere kritisert NorSIS og Nettvett (Post- og teletilsynet) for å ha vidt sprikende anbefalinger i forhold til passord. Slik jeg ser det har de svært overlappende oppgaver, og de har også jevnlig kontakt seg imellom. Jeg tror at min bloggpost kan ha påvirket dem til å koordinere sine anbefalinger på området, slik at staten fremstår med ett sett anbefalinger i en daglig utfordring de fleste av oss må forholde seg til. La meg her få presisere at jeg har en god dialog med spesielt NorSIS, og synes at de gjør et godt og ikke minst viktig stykke arbeid.

Jeg liker forslaget fra Erland Løkken, men trengs det virkelig enda et senter for å koordinere private og offentlige aktører? Kan vi ikke redusere litt istedenfor? Om jeg ikke tar feil, så har vel dette landet uoffisiell verdensrekord i antall organisasjoner i forhold til folketall.

Som jeg påpekte i forhold til Norsis og Nettvett, så er det en stor utfordring at ulike organisasjoner ser ikke ut til å snakke sammen. De overlapper hverandre innenfor "ansvarsområder", men har vidt forskjellige anbefalinger. Jeg vil helst unngå noen monolittisk tilnærming fra staten til alle aspekter innen sikkerhet, men de ulike departementer, direktorater og tilsyn har vel rimelig klart definerte mandater og ansvarsområder? Hva om vi fikk dem til å faktisk holde seg til dem, og kreve bedre koordinering dem imellom? Der har du muligens det senteret Erland Løkken burde etterspør: et senter som skal sørge for at alle tar sikkerhetsansvar innenfor sitt eget ansvarsområde, og koordinerer tversgående regler, aktiviteter og kontroller.

Et slikt senter kaller jeg ofte for "sikkerhetsavdeling".

The end of passwords

2011-04-01T10:32:00.003+02:00

After more than 9 years of research on passwords, there is no doubt anymore: we should get rid of them. No, not by implementing any so-called alternatives such as biometrics or 2-factor token authentication. Be smart, use a blank password on your account. It's much easier, we can downsize customer support with at least 50%, it's completely free and every CFO will be ecstatic. Who would ever think that you would be so stupid to not use any passwords at all? Based on this, I will discontinue my research into passwords, as it is neither fun, interesting or useful anymore.

Oh. And happy Aprils Fools Day everyone, have a fantastic weekend, and I'll probably see many of you at #passwords11. :-)

Security Gone South

2011-03-20T18:02:00.001+01:00

I've been on vacation with my wife and our daughter for one week at Gran Canaria (Spain). The picture on the left here shows parts of the hotel we stayed at. The tour operator as well as the hotel name shall remain anonymous in this blog post, as I don't think my observations are unique for this hotel only.

Being on vacation doesn't mean leaving my interest in security & safety at home, hence this blog post.

First an interesting observation regarding the use of credit cards for payment. Almost all stores required an extra piece of identification, preferably passport, before accepting payment by card. Having my picture and name on the card was not enough. I guess the problem of skimming and stolen cards has been, or still is a big problem in Spain, as it is in many other European countries as well. Good thing to see that such a simple control seem to be in place to protect end-users.

Anyway; as soon as we arrived at the hotel and our room (or "apartment", as they like to call it), I had a look at the emergency exit information, the location of fire fighting equipment and so on. Hopefully not needed, but being prepared is usually a good idea. We were situated on the second floor, with a small balcony, and here is a picture of the door leading out to the balcony:

Notice the absence of a lock. We could not lock the sliding door, and it was just as easy to open it from the outside as it was from the inside.

Warning number 1: If you have kids who get up early in the morning, you probably want to block that door to prevent them from going out (and start climbing on the chairs for a better view...)

Warning number 2: afraid of strangers - thieves - entering the room at any given time? You have a problem. If you take a look at the top image, it is fairly easy to climb from balcony to another, at least sideways. Even worse: most of the rooms on the ground floor had the same problem - no lock on the balcony doors. That's beyond stupid, if you ask me.

Talking to another family, they said they asked in the reception about this, and were told that they had to ask the owners of that part of the hotel, as "their" part did in fact have locks on the balcony doors. No further resolution of the problem, they "surrendered" to the in-room safety box. This of course gives the obvious question: which hotel did we stay at? (Since the entire building/area had one name, and apparently one reception etc..). I'd guess any insurance company would *love* this...

But of course, if you were actually afraid of any valuables, you could deposit 10,- Euros and pay another 2,- Euros per day to use the in-room safety box (which I did). Here are the instructions, please read carefully:

(Instructions for in-room safety box. Click to enlarge)

Unfortunately I didn't take a picture of the safety box, which was located inside the wardrobe in the bedroom. A rather small box, height and width suitable for an iPad, a camera and some other stuff. The box was attached to the wardrobe, but I'm a little unsure if it was also connected to the concrete wall behind the wardrobe. My guess; a decent crowbar should do the job. (Good observation though; a 20 minute delay between every 4 attempts to enter the correct PIN is good!)

So, could I deposit the rest of our clothes, suitcases and other stuff in the reception? Yes, but without any responsibility or penalties for the hotel if lost/stolen/damaged. I guess going on vacation does involve a bit of simple risk analysis, usually ending up with "Either we go on vacation, or we don't, ok?". Damn.

Speaking of hotel reception, here's a picture I took from the reception area:

Yup, that's Facebook on a 42 inch screen. No wireless access, it was either GSM/3G (at insane prices!), or tossing Euro coins onto the computer/PS3 residing inside that cabinet you see there. Absolutely no privacy there if you wanted to check out Facebook or your company webmail (which I observed several people do..) Oh, and the PC inside were running Windows XP, and had a full keyboard as well as a card reader (CF, SD etc..) available. NOT the best place to ask for either security or privacy. :-)

It's 2011. People go on holiday, but still want Internet access wherever they go. This was supposedly a 4-star hotel. Give people what they want - and try to make it just a little secure as well. You know; safeguarding your customers just might be a good idea after all.

--
What do you know: I forgot an interesting piece of information at the end here.. Here's a bottle of water and a box of mixed fruits juice:

Both were purchased at Gran Canaria and placed in our hand luggage before entering the security control at the airport of Las Palmas, Gran Canaria. I found them when we got home and unpacked everything. Luckily water and fruit juice are not the most explosive or combustible liquids available.

Call for Papers: Passwords^11

2011-03-08T23:50:00.003+01:00

"Passwords^10 is probably the best security conference I have ever attended"

- Note on evaluation form after Passwords^10, Dec 8-9, 2010

After a fantastic conference with 38 participants (!) in December last year, we have received many many requests from participants as well as others world-wide to do another conference on passwords only. So with the same close-to-zero budget as last year, I am happy to announce our Passwords^11 : Call for Papers!

ANNOUNCEMENT & CALL FOR PAPERS : PASSWORDS^11

PASSWORDS^11 will be held at the University in Bergen (Norway), on June 7-8, 2011. The 2-day conference will be free and open for everyone to attend. Primary audience will be academics and security professionals with deep technical knowledge. Limited seats available. Passwords & PINs, nothing else.

== DATES ==
March 9 - Public CFP
April 17 - CFP submission ends
April 24 - All notifications sent to speakers (accept / reject)
Registration opens at - TBA

== ABOUT THE CONFERENCE ==
The conference will be held at the University in Bergen (uib.no), with help and participation from The Selmer Center (www.uib.no/rg/selmer) and NISNet (www.nisnet.no). We'll start tuesday at 09:00, ending wednesday 17:00. We'll sleep somewhere in the middle. Like in December, we'll probably only do a single track of talks, everybody get to attend all presentations.

== CALL FOR PAPERS ==
We are looking for relevant content within ATTACKS, DEFENCE and USABILITY towards passwords & PIN codes. Presentations will be either 1 hour (45-50 minutes + questions), or 2 hours including a break. We are especially interested in:

Protecting against online attacks, such as detecting, rate-limiting and blocking them, implementing hashing schemes such as PBKDF2, Bcrypt and PBMAC, and attacks against passwords on mobile devices. If you mention forensics or PCI-DSS somewhere in there as well, you just might be a winner.

Cool Guy Challenge:

We'd like to see a presentation on the probability & feasibility of *ever* getting rid of passwords.

Business cases, even crazy ideas suggesting that leaving passwords for something better could be a good thing to do (faster, cheaper & better). (Blizzard protects their games using 2-factor authentication, while many banks still uses usernames & passwords only....)

ATTACKS include online and offline attacks against all types of passwords and & PINs, where the purpose is to gain access to, circumvent or recover a password in some form. (Mind reading is out of scope). New & updated tools & techniques are most welcome.

DEFENCE includes ways to defend against online/offline attacks against passwords, including IDS, logging, ciphers, policies, awareness etc.

USABILITY includes user interaction designs, password policies, security awareness, password reset / recovery from a user perspective, statistics and so on.

== HOW TO SUBMIT ==
Send your suggestions to per@thorsheim.net. Submissions will be reviewed by people from the Selmer Center and me (Per Thorsheim). Submissions MUST include the following information:

1. Speaker(s) name
2. Bio (short, should include link to online profile, website, blog etc)
3. Title and short abstract of your presentation
4. List of facilities required beyond the usual equipment available
5. If you will allow materials, presentation and video to be made available online after the conference

All papers and presentations must be in English. With free participation and a very limited budget, we can't offer much more than the fun and usability of talking to other experts in this area, as well as free lunch both days.

== IMPORTANT INFORMATION FOR SUBMISSIONS ==
No product marketing will be accepted. Materials presented should be your own work. No limits to technical depth - expect well educated and highly experienced security professionals in the audience. We will do video recordings of all presentations and make them available for free after the conference, unless you disagree. (We may even consider live streaming!)

== ADDITIONAL INFORMATION ==

We will make arrangements for an official conference hotel, preferably with a price discount available. We will also try to help those who would like to see the fjords before or after the conference. Of course we'll try to gather everyone for dinner on monday evening (before we start), as well on tuesday evening. There will be plenty of sightseeing opportunities available at this time of year. If anyone would like to sponsor the conference in any way, please contact me ASAP, we're open to any suggestions you might have. We MAY be able to do limited travel reimbursements for 1-2 speakers, but only for people attending privately (not representing any commercial organisation)

Questions and comments are of course most welcome.

Best regards,
Per Thorsheim
CISA, CISM, CISSP-ISSAP

Tell me your password...

2011-03-07T23:31:00.000+01:00

And I'll tell you who you are, where you work, and what kind of work you do. Not that you would ever lie about your password of course. :-)

I saw an online article on March 4 at Computerworld Norway, entitled "Bryter seg inn i norske bedrifter" (Google translated to English). At a recent security seminar held by Norwegian ISF, a previous colleague of mine held an interesting presentation. Read the 2-page article at Computerworld first, notice some of the statements from Christian Jacobsen (now at Secode).

Although his presentation was on social engineering, he mention seeing passwords that can somewhat identify what type of organisation they originate from and things like gender balance among employees. A high percentage of men will show "men" words (hunting, fishing, sports), while with women one will see names of children, birth dates and names of spouses.

Of course I'd like to challenge Christian with "show me some proof, or at least some statistics!".

I've thought about doing word analysis related to gender, age, type of position/role/organisation etc myself, and now I see that I've got to move forward on this subject. I've got data to analyze on this, and then some.

As for the readers of this blog, if any, do you have or know about any statistics ever done on something like this? And please, no questionnaires or simple surveys but hard facts based on real data?

--
It's late. Time to sleep. Good night.

Pwnd. Again.

2011-03-03T21:49:00.000+01:00

In October 2010 I wrote the blog post Can You See My Password? I wrote that as a result of a near-successful "hack" against me, and as part of a little "competition" I'm running with friends and colleagues. Unfortunately I have to write another post, this time stating the embarrassing fact: I GOT PWND. (again).

You really should read the older blog post first, to get the rules for this little competition. Basically it is about "hacking" each other in a way not done before, in order to uphold and increase security awareness. Quite simple really.

Anyway; I went out with some good friends (...) for dinner and a beer. We eat, drink and talk about security topics of common interest. We even have a couple of projects we're working on - lets call it research for now. I brought my HTC Desire as well as my iPad. Err... make that the iPad I bought for my wife, our daughter and myself for christmas. Quite handy for doing quick notes, looking up stuff on the Internet and so on.

Flash forward to leaving the restaurant, going to a pub. I put my phone and iPad on the table, and went to the bar to get something to drink. Several friends stayed at the table, so leaving my stuff there shouldn't be risky, right? (you have probably figured out where this is going already?)

If you do this kind of competition, you are never safe. You do not have any friends. You cannot trust anyone.

So back at the table. Pick up the iPad. Slide left-to-right. Enter PIN code. WT...? several friends around the table - smiling. Pwnd. Again.

So here's my confession, with congratulations to my ... well... and Anonymous is taken... hm.... *friends*. You know who you are. Revenge will be sweet.

Oppdater din PC del 1 (Java)

2011-02-24T14:32:00.000+01:00

Ovenstående bilde er tatt fra nettbanken min, men det kunne selvfølgelig vært tatt fra en rekke andre steder også. Det er nok av sikkerhetsfolk og andre som skriver og sier dette - du kan simpelthen ikke ha unngått å lese det. Men hva betyr det i praksis? Jeg skal lage noen enkle guider med skjermbilder for å forklare hva du bjør gjøre, og jeg begynner med oppdatering av Java Runtime Environment.

På godt norsk er Java et lite program som igjen gjør at andre programmer, spill og reklame (!) kan vises på datamaskinen din og på nettsider.

Du har mest sannsynlig Java på din Windows datamaskin allerede. I de fleste nettbanker bruker man nå BankID for å logge seg på, og BankID bruker Java. Java har en logo som ser slik ut (du vil se denne mange steder når Java brukes, i ulike farger og størrelser):

Java sjekker automatisk for oppdateringer, men dette skjer ikke før du faktisk starter Java, f.eks. når du skal logge deg på nettbanken din. Java vil også se etter oppdateringer en gang pr måned, men du kan selv manuelt søke etter oppdateringer. I tillegg bør du også fjerne eldre versjoner av Java, dersom dette finnes på din maskin. Slik gjør du det (skjermbildene er basert på Windows XP, men alle bilder utenom det første skal være helt lik på Vista og Windows 7):

1. Gå via START menyen til Kontrollpanelet i Windows:

2. Finn JAVA ikonet, og dobbeltklikk på dette:

3. Du får da opp dette kontrollpanelet for Java:

4. Derfra går du inn på "Update" delen:

Her skal du klikke en gang på "Update Now" knappen.

5. Java vil nå sjekke etter oppdateringer. Dersom det er noen oppdateringer tilgjengelig, så skal du si ja til å laste den ned og installere oppdateringen. Installasjonsbildet ser slik ut:

Når Java er ferdig oppdatert så er du litt sikrere i forhold til bruk av nettbank og Internett generelt.

Imidlertid kan det også ligge gamle versjoner av Java på maskinen din, som oppdateringsprogrammet ikke fjerner automatisk. Dette kan du sjekke på følgende måte:

6. I Windows kontrollpanelet skal du dobbeltklikke på dette ikonet:

7. Du får da opp et vindu som viser installerte programmer på din Windows maskin:

Her ser du at jeg har Java(TM) 6 Update 24 installert, og du ser Java logoen (en kaffekopp...) til venstre for navnet. Dersom du har flere versjoner installert, vist gjennom flere linjer i bildet over (f.eks. kan det stå Java(TM) 6 Update 7), så klikker du på disse og deretter Avinstaller/remove knappen som vises.

Versjon 6 oppdatering 24 er den nyeste versjonen av Java, og du bør helst ikke ha noen eldre versjoner installert på maskinen din. Neste versjon av Java er planlagt å komme om kvelden den 7. juni 2011. Da er det på tide å gjenta denne prosessen - for å være sikrest mulig.

Så en liten advarsel til slutt:
Du bør ikke gjøre dette selv på maskinen du benytter på jobb, uten først å sjekke med IT-avdelingen. De bør ha en sentralisert styring av slike oppdateringer, og installasjon/fjerning av andre Java versjoner kan forårsake problemer. Så er det sagt. :-)

Far Out Dude!

2011-02-22T23:57:00.004+01:00

This is a blog post specifically for Davey Winder (@happygeek), after I read your article "The password cracking software enigma". I came across the article through @WeldPond, who retweeted a message from @L0phtCrackLLC saying "so why is exposing weak passwords and weak hashing bad again?"

You must be joking.

You are referring to Passware Kit Enterprise, any person capable of doing copy & paste from your article into their Google search bar can figure that out. You almost make it sound like this is nothing more than a commercialized "hacking" application, bashing their marketing of this as a forensic toolkit. There are others like them, but you could easily have contacted them to give them a fair opportunity to explain their product, pricing and target audience for their products. You probably didn't, and I guess you didn't inform them about your article afterwards either. At least according to Norwegian press standards, that's not a nice thing to do.

Just like you can use ANY car to drive from A to B or to kill people, you can use this software for doing good (legal forensics, exposing bad passwords), or doing bad (Cracking other peoples passwords unlawfully, with malicious intent). This really is legal software, and their latest version actually got released during Passwords^10, a 2-day conference ONLY about passwords in December 2010. We did discuss password cracking, and we also discussed the ethics on doing exactly that. You should have been there.

I'm not going to make a long list of situations where such software can be very useful, you've already mentioned law enforcement agencies. If an employee dies suddenly, and his laptop holding valuable business data is using Bitlocker FDE, we might need this. To analyze our true risk exposure, cracking our passwords is a good idea.

I am very well aware about the dangers of letting anyone purchase this software, as it may be used for illegal activity. That doesn't mean that all of us purchasing this type of software intend to do so. On the contrary in fact.

To finish off, you wrote: "But surely most enterprises have a proper password management system up and running, a system which enforces enterprise password policy and manages identity without fuss and which therefore means there is no problem in recovering ‘lost’ passwords in the first place."

Uh... No. Sorry, you're wrong. Nice assumption, but you are wrong. Ask any IT security auditor that have been working with this stuff for at least a couple of years, they should be able to confirm that BAD passwords are everywhere. Password auditing/forensic software will help to find, document and FIX such weaknesses. Just as it helps law enforcement agencies and others to do proper forensics even on data where others have tried to hide their illegal activity using seemingly strong passwords.

Let me repeat myself: I do understand your concern. Don't take it out on the vendors or those of us who actually use this type of software for good purposes. What do you know, I've even used such software to uncover ILLEGAL use of similar types of software!

About Biometrics...

2011-02-21T22:48:00.000+01:00

(ATM with vein scanner technology)

As mentioned earlier, I had the pleasure of attending the opening of the Biometrics lab at NISLAB, part of Gjøvik University College. I was invited by Professor Christoph Busch to participate in a panel discussion on biometric authentication. Now I am definitely not an expert on biometrics, but I believe I'm rather good at playing the role of being the Devils advocate. While on the train from Oslo to Gjøvik early tuesday morning (that's a 2 hour trip), I scribbled down some thoughts on Attacking Biometrics. Partially as a simple brain dump for myself, partially as a possible introduction from my side. After 10 slides I decided I had too many questions and concerns, but here are some simple questions.

Oh, and Bian Yang: you sure answered several of my questions with your presentation! :-)

Here's a simple one:

Introducing biometric authentication to my credit card, my wife suddenly can't go shopping with my card anymore.

Mr Hisao Ogata of Hitachi-Omron Terminal Solutions explained that in Japan they've used ATMs with biometric authentication for some 5 years already (see top picture). They still support authentication using chip/magstripe/pin, but with lower withdrawal limitations compared to full biometric authentication. This way a stolen card can only be used to withdraw a smaller amount, either set by the owner or the card issuer. Really elegant solution!

(Using special light, a vein scanner can see your unique blood vein patterns)

One of the things I expressed concerns about was the lack of end-to-end security, where a hardware biometric authenticator is attached typically using USB to a Microsoft Windows system inside an ATM. The operating system will be equipped with hardware drivers (most probably not digitally signed, and the application will then talk to the drivers, and the drivers talk to the hardware. With an attack towards the operating system, a concern would be that an attacker can intercept and record the biometric data being sent from the hardware to the operating system/application, and use this in a replay attack. (Hi, my name is Werner Brandes. My voice is my passport. Verify Me.)

Not the easiest attack of course, but I've seen ATMs running Windows with easily accessible Ethernet and power cables, without camera coverage. Never say never.

Thomas Bengs from PFU Imaging Solutions (part of Fujitsu) answered this one for me: they are working on removing as many steps as possible in the process of authentication, lowering the possible entry points for any hacker wanting to break, see or even manipulate the process. I can't see that happening overnight, but still a good answer to my concern.

Bian Yang mentioned the use of biometric templates, which could be used for (too me) the obvious question:

What happens if somebody can steal my biometric password, be it my fingerprint or the digital representation of either my fingerprint or vein pattern?

I've got to be honest here: I need to get this explained again. And again. I can hear what you're saying, but I can't see this being any better than resetting a password to something *completely* different than the last one. (Edit-distance metrics of password generations contributed to this concern...)

Now Mr Waldemar Grudzien of Bundesverband deutscher Banken, as well as Andreas Ewig of Deutscher Sparkassen- und Giroverband had some realistic views of this technology. Nicely summarized, they wanted this technology to be faster, more secure and cheaper than current technology for it to become widely adopted and deployed. Probably easier said than done at present time, but they were also very realistic on something else: Current losses are increasing due to fraud. Still not at a level that is "unacceptable" financially, and certainly not enough to defend the adoption of biometric authentication for ATMs yet.

Their very best statement though: This is a question about trust. If people loose their trust in current systems, banks (and others) may not have any alternatives than to migrate to new technologies that may not really be needed now.

Fear, Uncertainty and Doubt. Most certainly some of the more powerful business drivers in our society today.
(More to come in the future)

Speaking & writing schedule

2011-02-21T08:00:00.066+01:00

I am sorry for not doing any blog posts about my password research for a long time. I'll try to do something about that in the near future. I'm running my cpu's and gpu's at 100% most of the time, at least when I'm not doing analysis and charting and whatever... Anyway; here's a short update of what I've done and plan to do in the very near future.

I've talked about mobile security issues at one of my employers events here in Bergen. I spoke about GSM security at the DND "hackers Pub" on January 31st, and then about (the lack of) security in social media in front of some 350+ people at First Tuesday Bergen on February 8th. In between there, at work, I've done .. 3? 1,5 hour sessions on CISSP preparations for colleagues in and Ukraine (Hooray to video conferencing systems!).

On Tuesday 15th I had the pleasure of attending the opening of the biometrics lab at Gjøvik university college, as well as being part of a panel discussion on biometric authentication. A big THANK YOU to Professor Christoph Busch for asking me to participate (and play the role of the Devil's advocate). Not exactly "Minority report" biometrics, but very interesting to hear that most ATMs in Japan have been equipped with biometric vein authenticaiton for some 5 years now. German banks are considering the technology, while it haven't even been discussed between Norwegian banks so far. Got to get hold of one of those vein scanners to play with.... Also check out PhD student Mohammad Derawi, his work which includes a prototype app for Android that will recognize and authenticate you based on your movement/walking pattern. Cool idea, cool guy! :-)

On March 3 I will be speaking at the University of Stavanger, trying to provoke them a little on openness of a university vs the need for information protection. My title: "Does the University have something to hide?". Hint; they are situated right in the middle of our major Oil & Gas industry.

ISACA Norway Chapter is hosting this years Scandinavian conference on April 4-5. I will be speaking about security issues specifically related to organisational "Codes of Conduct" and their applicability to members of the board. This is an area I've been looking into for the last 2+ years, a long with a nice group of good friends here in Bergen. Yes, our very own little "Think Tank". Truly incredible what a diverse group of security people can come up with over dinner and a few beers. :-) Personally I'm looking forward to hear the CSO of eBay, as well as many others on the current agenda.

I would also like to give a pointer to my colleague Gleb Paharenko (Infopulse, Ukraine). He passed his CISSP exam in Moscow in December, currently waiting for endorsement approval. He's part of the Ukraine Information Security Group, organizing events to improve knowledge in this important area. I will probably bring along more links to work they're doing there in the future.

By far the coolest thing so far this year for me personally: participating and speaking at the NISNET winter school at Finse, May 22-27. Yes, NISNET provided the funding for the Passwords^10 conference, and will probably do so for yet another conference on passwords only. Joan Daemen on hash functions (he's 50% of Rijndael, maybe better known now as AES), Ed Dawson on access control, Peter Ryan on electronic voting, Patrick Bours on authentication, Katrine Franke on digital forensics and Chunming Rong on cloud computing security. And me. on passwords. For 3-4 hours. *shivers* That is NOT an audience made up of idiots, on the contrary. Can't sleep, can't eat, can't breathe... Got to prepare for this with all I've got.

Well, that was the self bragging blog post of today. Something more useful will probably appear soon. :-) Good night from Bergen, Norway.

Passwords^11?

2011-02-19T23:47:00.000+01:00

Quick and dirty:
I've talked with Professor Tor Helleseth, and he's got a budget to sponsor another password conference. IF we do it, we'll have to do it before end of June 2011, according to budgets, grants etc. I've been asked to provide some suggestions for main topics that we can include in a CFP. I would like to know your opinion.

I learned at lot about organizing a security conference. :-) If we do this again, I will make arrangements for a "official" conference hotel, preferably with a discount package. Especially for foreign participants I will also try to arrange, or at least get some reasonable info for sightseeing before or after the conference. And I PROMISE; I will provide maps with the exact location of the University building for the conference. ;-)

Anyway; the important stuff:
In order to progress from Passwords^10 (which got a 4.6/5 overall rating!), I've been thinking about the following areas, in addition to those that got covered last time:

1. "Best practice", real-life war/success stories on using various hash algorithms (This F-Secure blog post is an interesting reference: http://www.f-secure.com/weblog/archives/00002095.html)

2. Self-reset password solutions. People do forget their passwords. How do you handle that?

3. Out-of-Band password authentication : does it work? risks? SMS? Voice? Snail mail?

A few entries for my own wishlist of talks I'd like to see:
1. Using statistical analysis to improve password guessing attacks (Matt Weir? ;-))
2. Hybrid Rainbow Tables - evolution beyond length 8 (FreeRainbowTables - Quel?)
3. Howard Smith from Oracle - Ethics part two: responsible disclosure (yes, seriously!)
4. Passware : "First we'll take Firewire - then we'll take PCMCIA/Expresscard" (reference: http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars)
5. Elcomsoft : Evolution of EDPR and EPPB (naturally) - Andrey: some of the iOS backup stuff we've discussed so far. Working on a blog post + PPT on deploying iTunes/iPhone "securely" with ActiveSync in an organisation.
6. Already talked to Kirsi Helkala - her "3 simple words" was kinda cool - I'd like to see more statistics! :-)
7. KoreLogic: *anything*: I'm interested. :-)
8. PCI-DSS: passwords and encryption (covering latest version of PCI-DSS)
9: HIDDN hardware AES encryption, protected by smart cards. Would love to ask you questions on your products.
10. The ultimate John the Ripper walkthrough
11. Pass-the-Hash / Pass-the-Ticket (Kerberos) attacks - do, detect, block (?), improve. TrueSec in Sweden; you are most welcome. :-)
12. CSO of PlentyofFish or anyone else who got compromised : what happened, what to do, lessons learned?
13. The researchers who compared 2 lists of compromised services and found password reuse to be more than a myth.
14. Anyone who studies human nature behavior, patterns etc: why do we choose simple passwords? Why do we forget them? (Psychologists wanted...)

I'd like to hear your opinion. :-)

Best regards,
Per

Facebook, sikkerhet og apper

2011-02-12T13:22:00.000+01:00

Min kollega Terje Karlsen leste mitt blogginnlegg Bedre sikkerhet når du bruker Facebook, og sendte meg en kommentar på den. Etter avtale med Terje har jeg valgt å publisere hans kommentar som et eget innlegg, et innlegg som spesielt apputviklere til Facebook bør merke seg.

Hei Per!

Muligheten for å alltid kjøre HTTPS når en benytter Facebook – dersom tilgjengelig er vel og bra, men undertegnede er grunnleggende skeptisk til første versjon av all programvare og da spesielt ift sosiale medier som tilbyr bedre sikkerhet. Jeg utførte dine anbefalte endringer og fikk mail da jeg logget på med jobb-pc første gang. Navnet jeg oppga ble også registrert på profilen min:

Mange brukere benytter Facebook til spill, og det viser seg at dersom en etter å ha logget inn på Facebook velger et spill vil en få opp denne meldingen:

De fleste brukere vil da tenke at ok, jeg er på et sikkert nett så det spiller ingen rolle, og velge fortsett. Det man imidlertid IKKE får beskjed om er at Facebook da fjerner krysset for sikker nettsurfing:

Med andre ord har en fått endret sin sikkerhetsinnstilling uten å få tydelig melding om dette. Endringen vil da påvirke all bruk av Facebook, ikke bare i denne sesjonen eller på denne maskinen, og urutinerte brukere vil tro at de benytter HTTPS hver gang. Ikke bra Facebook!!!

Bedre sikkerhet når du bruker Facebook

2011-02-08T10:10:00.000+01:00

Endelig har den kommet. Muligheten for at jeg i Facebook innstillingene mine kan skru på valget for å alltid bruke Facebook via en kryptert forbindelse. En bitteliten endring med STOR effekt for ditt personvern og konto på Facebook. Dette bør du ta i bruk øyeblikkelig.

Facebook har en lang historikk hvor de gang etter gang har snevret inn vårt personvern. Dette har gjort ved å la våre opplysninger i stadig større grad være tilgjengelig for absolutt alle på Facebook, og så har det vært opp til oss som brukere å begrense denne informasjonsdelingen med fremmede.

Mange har også fått med seg debatten om mobbing blant både barn, ungdommer og voksne som for lengst også har spredd seg til sosiale medier slik som Facebook. Selv kjenner jeg flere som har vært utsatt for slikt. I tillegg skjer det også at andre stjeler tilgang til Facebook kontoer. Dette gjøres i forbindelse med mobbing, informasjons- og ID-tyveri og en lang rekke typer økonomisk kriminalitet. Tyveri av andres Facebook kontoer ble gjort ekstremt enkelt for en tid tilbake, i form av et programtillegg kalt "Firesheep". Tyveri og misbruk av andres Facebook kontoer steg kraftig på grunn av dette.

Denne nye muligheten fra Facebook er i så måte svært velkommen. Dessverre har de valgt å gjøre det slik at du selv må gå inn i oppsettet for din Facebook konto og skru på funksjonen. Heldigvis er det en engangsjobb, og går svært raskt å utføre. Her er min lille steg-for-steg guide:

1. Logg deg inn på Facebook

2. På meyen "Brukerkonto" oppe til høyre velger du "Kontoinnstillinger":

3. Neste bilde ser slik ut (klikk bildet for å se full størrelse):

Her skal du klikke deg inn på valget Kontosikkerhet.

4. Du skal da på neste bilde se blant annet dette:

Her skal du sette kryss i boksen for Surf Facebook på en sikker tilkobling (https) når mulig. Deretter klikker du på Lagre, og så er du ferdig.

Det du nå har gjort er å sørge for at alle data mellom deg og Facebook vil gå kryptert (=uleselig for andre) når dette er mulig. Stort sett vil det bety hele tiden. Det er straks blitt mye vanskeligere for andre å kunne avlytte din trafikk mot Facebook, du slipper ulovlig innsyn og reduserer risikoen for at andre klarer å stjele Facebook kontoen din.

Enkelt og greit! :-)

Jeg_VilVite!

2011-02-06T18:50:00.001+01:00

Merk: VilVite har respondert på dette blogginnlegget, se kommentarer på slutten. Stor takk til god og rask respons fra VilVite!
Søndag 6 februar var jeg på VilVite senteret i Bergen, med min datter og en av hennes venninner. Et fantastisk sted for både store og små, med leker og aktiviteter av den typen som er både morsomme og lærerike. I tillegg har de alle en flott forankring i vitenskapens verden. Så gøy at vi forlengst har anskaffet oss årskort. Men så var det dette med sikkerhet da....

VilVite senteret bruker RFID brikker som adgangskort, både for dagsbesøk og for årskort, slik vi har. Ved å bruke disse elektroniske kortene kan man registrere seg med navn og e-post adresse, og deretter registrere sin innsats på flere ulike aktiviteter. (Videoen over er fra dagens kjøring av Sentrifugalskapen, en sykkel hvor du tråkker deg rundt til bildet går i svart, eller de ansatte stopper deg. Hva gjør man ikke for sin datter?)

Jeg ble gjort oppmerksom på muligheten for registrering og uthenting av video fra Sentrifugalskapen i dag, og registrerte meg rett etter på en av de mange utplasserte terminalene deres. Enkelt og greit, e-post adresse og passord (krav: minimum 8 karakterers lengde).

Da jeg kom hjem hadde jeg fått e-post fra Vilvite, med mitt passord oppgitt i klartekst, og beskjed om at jeg kunne logge meg inn på websidene deres. Allerede litt irritert går jeg inn på www.vilvite.no, og derfra videre til minside.vilvite.no. Jahaja. Ingen bruk av SSL kryptering ved innlogging.

Enkelt oppsummert:
VilVite senteret, sammen med sine 2 utviklere, Expology og FuggiBagi Design, bryter altså to av de aller mest elementære regler for sikkerhet i Internett løsninger:

1. Bruk alltid SSL kryptering for å beskytte minimum innlogging, helst alt innhold av personlig karakter.
2. ALDRI ALDRI ALDRI lagre eller sende brukeres passord i klartekst, men implementere en enkel løsning for å resette passord dersom brukeren har glemt det.

Tålmodigheten ble ikke bedre da det ikke var noen mulighet for å slette enkeltelementer fra min profil (f.eks. dagens video), eneste alternativ jeg fant var å slette hele min profil.

Så jeg vil gjerne vite om VilVite vil endre på sin løsning, slik at den bedre ivaretar personvernet til barn og voksne som benytter deres mange muligheter?

Høyre og #DLD

2011-01-31T00:03:00.000+01:00

I anledning Nasjonal Sikkerhetsdag 2010 lanserte min arbeidsgiver en rapport om hvordan taushetsbelagt informasjon sendes ukryptert via e-post i Norge. Rapporten var utarbeidet av meg sammen med min kollega Jan Fredrik Leversund, og fikk tydelig oppmerksomhet i media. Nå er snart ett år gått, og spørsmålet kommer naturlig: Har det skjedd noe siden sist?

Svaret er JA.

Først av alt: denne bloggposten er og blir mine private meninger. Nummer 2: denne bloggposten er ikke ment å fremheve noe ståsted fra min side ift Datalagringsdirektivet. Imidlertid vil jeg bare påpeke overfor Høyre at i forhold til at de enda ikke har bestemt seg ift Datalagringsdirektivet, så kan de jo uansett rydde litt i eget hus før endelig standpunkt blir tatt?

I forbindelse med fjorårets undersøkelse så vi selvfølgelig på hvordan våre politiske partier hadde satt opp håndtering av innkommende e-post til seg selv.

Vi smilte litt når distriktsvennlige Venstre viste seg å ha outsourcet kontroll av all innkommende e-post til et firma i Danmark. Dette betød i praksis at stort sett alle i Norge som sendte e-post til Venstre ville få sin e-post sendt gjennom Sverige til Danmark, og så tilbake til korrekt mottaker i Venstre via Sverige, etter antivirus kontroll i Danmark. Jahaja. Venstre, som var så tydelig i debatten rundt den Svenske FRA-loven, sendte selv sin mail via Sverige til Danmark og tilbake? Jeg skal ikke fremsette noen påstand om forskjell mellom liv og lære, men selvfølgelig; det frister.

Uansett; i løpet av de 9 månedene som har gått nå, så har Venstre "flyttet hjem". Sender jeg e-post til Venstre i dag, så får ihvertfall ikke svenskene uten videre mulighet til å lese hva jeg skriver til dem. De andre partiene på stortinget i dag er allerede trygt forankret her hjemme i Norge. Med unntak av ett:

Høyre derimot, de har fortsatt outsourcet til utlandet. De benytter fortsatt en leverandør i Danmark, men har skiftet leverandør minst en gang siden forrige sjekk i april 2010. Nå ser det slik ut (i prioritert rekkefølge fra topp til bunn):

hoyre.no mail is handled by 10 gw1-sec.net.comendo.com
hoyre.no mail is handled by 20 gw2-sec.net.comendo.com
hoyre.no mail is handled by 30 gw3-sec.net.comendo.com

Slik jeg leser det, og oversatt til godt forståelig Norsk, så har Høyre inngått en avtale med Comendo Norge AS om at de skal håndtere e-post sikkerhet for partiet. Comendo Norge benytter imidlertid morselskapet i Danmark for å håndtere det tekniske. Dermed vil e-post sendt fra nesten hvem-som-helst i Norge til Høyre gå via Sverige til Danmark for antivirus kontroll før det returneres samme vei til korrekt mottaker i partiet her hjemme i Norge.

Nå stoler jo vi på søta bror. Ingen ville jo finne på å tro at de ville ha noen interesse av å kunne lese e-post mellom Høyre og de aller fleste personer, organisasjoner og virksomheter i Norge. Ikke et dumt ord om Høyre, dette har de selvfølgelig risikovurdert og funnet akseptabelt i forhold til alle typer risiko. Eller?

Now Recruiting: Password Mules!

2011-01-11T18:12:00.001+01:00

The above announcement originates from a web forum where users submit password hashes for cracking. Other users reply with recovered passwords. Recovering your own? well, why not. Recovering 100 million? A reasonable question would be: Where did you get those? It's about time to talk about ethics.

I frequently visit forums and websites that discuss password cracking in many forms. Many people participates in such forums either out of personal interests, research or commercial purposes. I've become increasingly aware of users posting large amounts of password hashes, asking for help to crack them without any explanation about their origins, the purpose of posting & cracking them. NOTHING. There is no information available about the user either, happily hiding behind the "anonymity" the Internet provides them with.

At the #Passwords10 conference I got challenged after my talk to do a debate on password cracking ethics by Howard Smith of Oracle:

(Howard Smith during his talk at #Passwords10)

I think my presentation, previous blog posts as well as my guest blog post for Elcomsoft entitled "Why you should crack your passwords" clearly presents my point of view.

Howard's opinion, which was pretty opposite (correct me if I'm wrong Howard), is that there is no point in doing password cracking for research purposes, since we pretty much know that passwords haven't improved much during the last 10-15 years or so. People are still using simple passwords, they are still personally related, they are still easy to crack. If we still need to do it, we shouldn't have to actually display the found passwords, as this may violate privacy and the entire point of keeping passwords secret. Compare them "automagically" to a predefined set of rules, list those accounts that doesn't comply, and enforce a new password. Howard also said that one should question the legality of cracking password hashes with unknown origins, found on anonymous blog posts and shady forums on the Internet.

It's hard to disagree.

However; we do know that the bad guys are doing this. In fact, it seems to me as if there is an increasing trend in releasing large hash-only lists onto various web forums, asking other participants - even site owners - to participate freely in cracking those password hashes.

I'm afraid those participating are effectively becoming free password mules, aiding the bad guys in increasing the value of their stolen data. These data are of course obtained through illegal hacking activity against websites, compromising parts of, or entire user databases. By stealing user names and cracking their associated passwords, they suddenly have data with a monetary value attached to it in the black market.

Now here's a dilemma (back to Howard): As ... I don't know... password security professionals? can we aid in saving both users and service providers by monitoring such forums, by downloading such lists and try to identify their origins before the bad buys start selling the valuable data - informing the service provider about what we've found (under closed/responsible disclosure?) Or is that a job for the police or other government agencies to do?

We've seen cases before where service providers have no clue about being compromised long after their data has been put out on the Internet for sale by criminals. It will happen again. And again. And again.

The Gawker compromise also showed what could be a possible first; Chris Wysopal (CTO at Veracode, Twitter: @WeldPond) pointed out in a tweet that other service providers (Linkedin and others) used the list of compromised accounts (e-mail addresses) from Gawker to disable any of their own users with the same e-mail addresses. This just in case the users had broken one of the many laws of passwords: Never use the same password across multiple services. What Linkedin and others did, he saw as a possible new best practice. I fully agree to that!

So here we are, with a discussion that has been going on "forever", and it doesn't really have an ending either: ethics. At the same time password mules are unknowingly (or wittingly?) helping criminals increase the value of their stolen data, creating even more damage to providers as well as end-users. What next?

I'll end this blog post by quoting "Barsmonster", or Michail Svarychevski as he's named in real life, when he were asked why he quit developing his GPU based tool for high-performance password cracking at his own forum:

"The complexity & danger - is due to risks to help someone to violate the laws, especially if you do this for money - you may be liable."

My definition of Password mule:

A person that willingly or unknowingly aids in cracking passwords obtained through illegal or questionable actions, and where the purpose is to increase the criminal monetary value of the data obtained.

No good security @StepStone Solutions!

2011-01-09T11:06:00.022+01:00

ERRATA:

I've received a reply to this blog post by private e-mail (Thx Pål!), and I will update it to reflect the difference between the two separate companies StepStone and StepStone Solutions. Erroneous text/links has been changed to ~~strikethrough italics~~, while new text is written in blue.

I got an e-mail just before the new year from noreply@easycruit.com, a service from StepStone StepStone Solutions. It reminded me that I hadn't changed or updated my CV in their database for 6 months. They recommended that I updated it, otherwise they would delete it in two weeks. The e-mail also gave me my current username and password - in cleartext:

(Forgive me for my censorship here :-) Click for full size. Text in Norwegian.)

Now, for those of you who have been following this blog for some time, you might have seen some references to RFC3207, an RFC specifying the use of STARTTLS for automated, opportunistic and user-transparent encryption of SMTP traffic between mail servers. With the incredible help and efforts from my friend and colleague Jan Fredrik (KluZz), we (our employer) even released a survey in April 2010 that made some headlines in Norway.

Not that this one matters much, but inspection of the mailheader showed what is still the standard for most Internet mail today, namely clear-text transmission:

(E-mail received from sending-only SMTP server with ESMTP, no SSL/TLS encryption)

To save you the lookup, the 62.209.53.0/25 is used by Stepstone, as a customer of Telecity.com.

So here I am, without forgetting my password or any other action that could somehow justify sending my complete login credentials and all necessary information required to compromise my account at Easycruit / StepStone through unencrypted e-mail.

Now, lets do the game of risk analysis first.
Of course, as a security professional, I would hope and believe that StepStone are doing their part in this area. My CV isn't that valuable, is it? At least not worth protecting like a secret, right? You can find parts of it publicly available at Linkedin.com/in/thorsheim anyway? Somebody messing it up, would that be a much of a problem? Well, as many other online things, NO, not really, just ... annoying. At least for me. On the other side: Many Human Relations departments love to say that their most important asset are their employees, so do they really want all CVs from applicants and employees to be easily accessed, copied and stolen?

How do my employer - any employer - look, when recruiting security professionals (and others), asking them to register their application through a system that is fundamentally flawed on the security side? It may be hard to set a monetary value to your public appearance, but this doesn't really help on the positive side, that's for sure.

--

Easycruit is an online recruitment tool, a product, that corporations can purchase and custom fit for their own purposes, at least as far as I can interpret their info page. I got this e-mail because my employer uses easycruit, and I've registered my CV there earlier.

~~Looking at bullet 11, data security, in their privacy policy (translation from NO to EN), they are using SSL, firewalls, monitoring and manual security procedures to safeguard my privacy.~~ Looking at their privacy policy (under "Data Security"), they seem to have copied the policy from StepStone, removed parts of it and we're left with even less details that they can be held responsible for. Unlike Stepstone, they do not list any particular person or mail address as responsible for any questions on their privacy policy.

For registration and password reset issues, I can understand the need for sending a one-time-password (OTP) in unencrypted e-mail. Not the best way, but sometimes the easiest, cheapest and only solution available. But I have changed my password, and without any reasonable sense they seemingly store it unencrypted in their systems, or at least decrypt it before sending it to me!

So dear StepStone Solutions: With this blog post I ask you to remove my profile and any associated data ASAP, including removing me from any mailing lists or other services where you have registered me. I will of course also notify you about this in accordance with your privacy policy, by calling you by phone since you don't have a specific e-mail address listed., ~~and send the same request using unencrypted e-mail to to the contact listed by you~~.

I will also notify my employer about these issues, and highly recommend them to demand a meeting with you, requesting actions and time frames for these actions to be implemented. If this cannot be done within reasonable time and free of charge to my employer, I will recommend ending any agreements they may have with you, and seek other providers of similar services - AND a better security level.

--
Addendum Monday 10, january 2011:
In the reply I got by e-mail, I also received a link to this page at StepStone: Fordi din sikkerhet teller ("Because your security matters").

Basically they are saying that from now on (unknown date, probably somewhere in 2010), you won't be able to log in if your password was less than 3 characters in length. From this point on your password must now be at least 4 characters in length, passwords will be case-sensitive, and their service now has a password strength meter for you when you change your password. (Read my earlier blog post: Never trust password meters!).

Of course I couldn't resist (today; Jan 10, 2011), so I chose to reset my password from the link provided on this web page. After typing in my correct e-mail address, I got an e-mail with a HTTPS link valid for 30 days to change my password.

They only require 4 characters (1234 is accepted), but it's labeled "insecure". They also have low-medium-strong-very strong, and my PCI-DSS compliant super-duper password Password1 gets a STRONG rating:

No wonder I say you shouldn't trust password meters.

As for the clarifications received by e-mail I'm thankful for that. Considering the additional information provided as well, I'd say my overall impression of StepStone's password security didn't change much for the better. As for StepStone Solutions.... Well, I'm looking forward to any reply you may provide.

Facebook places - ny runde med sikkerhet

2011-01-06T17:15:00.000+01:00

I går, det vil si onsdag 5. januar, ble endelig Facebook "Places" tjenesten også tilgjengelig for bruk i Norge. Personverninnstillingene relatert til denne funksjonen har vært tilgjengelig lenge, men dagens lille test (skjermbildet over) viser at ihvertfall mange av mine kontakter enda ikke har endret på dette. Det må vi få gjort noe med.

Jeg har tidligere skrevet om Facebook sikkerhet (passord) og personvern (del 1 og del 2), og ikke minst om såkalte "geolokasjonstjenester" i bloggposten "Hvor er du?". Med introduksjonen av "Places" vil jeg anbefale at du først leser bloggposten "Hvor er du?", og deretter anbefaler jeg at du gjør følgende i Facebook oppsettet ditt (klikk på bildene for full størrelse):

1. Velg "Personverninnstillinger" under menyvalget "Brukerkonto" som du har øverst til høyre i Facebook bildet. Du vil da få et bilde som ser slik ut (nedenstående er mitt eget oppsett):

2. Her velger du "Tilpass innstillinger" nederst, og får da opp en rekke ulike valg, som vist under (nok en gang; mine innstillinger, som jeg også anbefaler andre å benytte):

Merk at jeg bevisst ikke har aktivert funksjonen "Ta meg med i Folk som er her nå når jeg har sjekket inn". Denne funksjonen gjør nemlig at ikke bare vennene dine, men også andre og helt eksterne personer kan se at du har sjekket inn et sted når de er i nærheten. (Jeg har ikke sett noen definisjon på "i nærheten" enda...)

Fortsetter du nedover på listen, så får du opp disse valgene også:

Som du ser av bildet over, så har jeg satt opp Facebook profilen min slik at det stort sett bare er mine venner som kan se og evt gjøre endringer ift min profil. Funksjonen "Venner kan sjekke meg inn på steder" er den interessante i forhold til "Places" funksjonen. Når du klikker på "Endre innstillinger" (som markert over), så før du opp en dialogboks slik den du ser under:

Her er det da jeg anbefaler at dette valget settes til "Deaktivert", og deretter trykker du Ok. Da var de nødvendige endringene gjort, og du har fortsatt noenlunde kontroll over din Facebook profil. :-)

--
I en senere bloggpost skal jeg skrive litt om hvordan du kan sikre deg bedre dersom noen skulle stjele tilgangen til din Facebook konto, slik at du enklere og raskere kan få tilbake kontrollen. Her vil jeg også vise litt om hvordan du kan sjekke hvorvidt andre har vært innlogget på din Facebook profil.

Hvem stoler du på?

2010-12-16T22:24:00.000+01:00

Hvem stoler du på egentlig?
Din bedre halvdel? Dine barn? Naboen? Politiet? Banken? Kommunen? NSM?

For kort tid siden ble jeg gjort oppmerksom på en liten detalj rundt bankenes avtalevilkår for betalingskort, derav denne bloggposten. (Tusen takk til "R"!)

Jeg er kunde i 3 ulike banker i Norge. Av flere gode årsaker vil jeg ikke oppgi hvilke, og jeg gjør her en antagelse om at bruksvilkårene for betalingskort er de samme i alle banker, ihvertfall på papiret.

Denne bloggposten gjelder selvfølgelig passord (...), her i form av PIN koder. Disse skal du nemlig ikke gi til noen andre i følge avtalevilkårene. PIN koden er din personlig, punktum. Nå er det sånn at jeg stoler på min kjæreste (offisielt titulert som ektefelle eller kone), og hun har fått låne mine kort til f.eks. shopping tidligere. Så der; jeg har oppgitt at jeg bryter avtalevilkårene. Så får vi se om det skjer noe i etterkant av dette.

Jeg ble litt nysgjerrig, og laget en enkel spørreundersøkelse på nett, og spurte familie/venner/kontakter via Facebook om de kunne ta seg 2 minutter til å besvare den. Med 37 personer som har gjennomført pr 16 desember så er det ikke mye grunnlag, men her er resultatene (klikk for full størrelse):

Selv med små forskjeller så er det jo fascinerende at man stoler noe mindre på egne/partners barn enn personer utenfor nærmeste familie (spørsmål 3-4 vs spørsmål 5).

Uansett synes jeg at det er et klart og tydelig gap mellom bankenes avtalevilkår og hvordan "folk flest" gjør sin personlige risikovurdering i forhold til personlige PIN koder. Mitt spørsmål blir egentlig om dette bruddet på avtalevilkårene i seg selv er nok til reaksjoner fra banken, selv om ingen hendelse har inntruffet så langt?

Jeg hører svært gjerne din mening.

Videos and presentations now online!

2010-12-14T13:21:00.001+01:00

Presentations as well as videos from the conference are now online. You can download the presentations as well as the video files (iPad friendly h.264 HD format) from http://ftp.ii.uib.no/pub/passwords10/ , or download them through bittorrent from http://home.online.no/~putilutt/torrents/. Just remember to seed them as well after downloading. :-)

I would really like to thank the University of Bergen, especially @haakonnilsen, for providing FTP server space to these files for us. Also a big thank you to all the presenters for allowing us to record and publish the videos online after the conference. Thank you to all participants for being there, great discussions and exchanging of ideas!

Last but not least; a personal big THANK YOU to Professor Tor Helleseth for providing me with the opportunity as well as budget, advice and everything else to help Passwords^10 come true. I really hope we'll do it again. :-D

Passwords^10 : Passware scared us all

2010-12-13T23:24:00.000+01:00

Originally my plan was to do several blog posts based on what I heard, saw and learned at Passwords^10. That still is my plan of course, but the president of Passware, Dmitry Sumin, scared me. *A LOT*. So first things first; this blog post is highly necessary - and maybe time critical to some of us as well.

A short time before the conference Nataly Koukoushkina, the marketing manager of Passware told me that they would demo their newest version of Passware Kit Forensic (version 10.3) at Passwords^10. Dmitry made his presentation and demo on thursday 9th for the very first time, while they posted their press release (direct link to PDF) at their website.

Lets say you are using Microsoft Bitlocker, or perhaps Truecrypt, to do full hard disk encryption. If you EVER allow your computer to enter hibernation mode, Passware Kit Forensic can be used to extract the decryption key necessary to access your hard drive from the hiberfil.sys file. That file is basically your physical memory saved to disk when you choose to hibernate your computer. And no, the TPM chip present in some laptops (at least in corporate environments) won't help you. The extraction can be done in minutes. Even more frightening: you can't really make that hiberfil.sys go away using standard operating tools, as it is off-limits for you. To be really secure it can't just be deleted either, it has to be wiped.

Recommendation:
NEVER EVER EVER EVER allow hibernation for any computer, at least those that are more exposed to theft or other types of unauthorized physical access! Use sleep mode (keeping data in memory on low power consumption), or do a complete shutdown. WiredPig (Twitter/WiredPig) has already a writeup on this stuff, highly recommended reading. with more details to go.

Does this change my risk evaluation? Yes, it most certainly does.
Probability of computer being stolen or accessed without authorization? Probably no change.
Consequences if stolen? Much higher than before. Flip your coin: a simple criminal wanting a new laptop, or a (targeted) attack to get access to everything you and your employer have on that computer. And more.

Dmitry also showed an somewhat "old" trick; using Firewire to do live memory dumps, thus gaining access to your decryption keys (and anything else) you might have in your computers memory. A trick that most certainly gave a few "WOWs" in the audience, with people afterwards saying "I need to use superglue on my Firewire ports, as well as PCMCIA ports in order to prevent insertion of Firewire cards".

You can see all this, and more, by downloading the video recordings we've made available for free. They are currently hosted at the FTP server of the University in Bergen: http://ftp.ii.uib.no/pub/passwords10/ (Big thank you to @haakonnilsen at UiB for that!). Torrents can also be found at http://home.online.no/~putilutt/torrents/ in case you would like to help us distribute the files. :-)

Passwords^10 : 2 dager om passord & PIN koder

2010-12-02T11:40:00.002+01:00

Den 8 og 9 desember arrangeres det en 2-dagers konferanse om passord og PIN koder - og bare det! Arrangør er Per Thorsheim i samarbeid med Professor Tor Helleseth ved Selmersenteret, Universitetet i Bergen, og med Nisnet som sponsor. Per Thorsheim kan kontaktes på tlf 90 999 259 eller mail:
perkrøllalfathorsheim.net.

Konferansen er gratis, og åpen for alle, også media :-) Komplett program finnes her (PDF, 104KB, ingen javascript eller flash). Flere av presentasjonene vil inneholde mye matematikk/krypto, så er den advarselen gitt.

Formålet med konferansen er å presentere og diskutere noe som de aller fleste av oss må forholde seg til i hverdagen: passord & pin koder. Facebook, nettbank, dørene på jobben, mobiltelefonen eller den PIN koden som forsvant ut av hodet akkurat i det du kom frem til kassen etter 20 minutter i julepresang køen.

Vi har stadig flere passord, og kvaliteten på dem har ikke blitt nevneverdig bedre de siste 10-15 årene. Mange har det samme passordet i bruk på ulike tjenester, selv om dette er hverken anbefalt eller "lovlig" i henhold til en del virksomheters interne regler.

Teknologi og kunnskap om hvordan man knekker passord for å oppnå uautorisert tilgang til informasjon som er beskyttet har hatt en rivende utvikling i mange år, men kravene til passord har stort sett vært uendret i mange år. Det er også store sprik mellom hva sikkerhetseksperter anbefaler som minimum og hva som faktisk implementeres av organisasjoner og virksomheter. Gjennomsnittet tillater dessverre bruk av passord som lar seg knekke på få sekunder i mange tilfeller, og virksomheter flest virker ikke å være oppmerksom på denne trusselen i det hele tatt.

Litt om foredragene:

Howard Smith kommer fra Oracle i USA, hvor han leder deres interne team for sikkerhetstesting. Han vil snakke om menneskers valg av PIN koder. De har gjort en analyse av slike PIN koder, og ikke overraskende viser det at vi har en tendens til å velge PIN koder som er dårlige. Han stiller da spørsmål om det også bør innføres regelverk også for valg av PIN koder for å bedre sikkerheten.

Kirsi Helkala kommer fra Universitetet på Gjøvik, hvor hun er stipendiat innen informasjonssikkerhet. Hun har sett nærmere på opplæring av studenter i hvordan man lager og husker gode passord, og hvor effektiv denne opplæringen har vært over tid. Ett av funnene viser at de fleste faller tilbake til "dårlige" passord i løpet av relativt kort tid dersom ikke opplæringen repeteres eller videreføres.

Firmaet Elcomsoft ble spesielt godt kjent da en av deres forskere ble arrestert i USA i 2001, da han presenterte deres funn av svakheter i programvare fra Adobe. Saken ble bredt omtalt (mange linker på www.freesklyarov.org), og resulterte i full frifinnelse. På konferansen vil adm.dir. + en av deres forskere snakke om bruken av grafikkort til å knekke passord stadig raskere, samt vise programvare som benyttes av bl.a. politi og myndigheter for å få tilgang til krypterte iPhone/Blackberry telefoner.

Vi kan også legge til at Elcomsoft 30 November annonserte at de hadde funnet en svakhet i et spesielt tilbehør fra Canon for digitale speilrefleks kameraer. Dette tilbehøret brukes for å GPS/tidsstemple digitale bilder for bruk i juridisk sammenheng, og svakheten viser at slike bilder kan manipuleres uten å bryte den digitale "vannmerkingen" som skal sikre juridisk holdbarhet. Dette kan potensielt få konsekvenser i alle saker hvor slike bilder har blitt benyttet som bevismateriale, da det nå er bevist at man ikke kan stole på ektheten av disse bildene.

James Nobis er bedre kjent som en av utviklerne på www.freerainbowtables.com, et gratisprosjekt med stadig flere deltakere. Disse kjører hver en distribuert programvare som lager "rainbowtables", en form for data som bidrar til å knekke passord mye raskere enn tidligere. Pr desember 2010 deltar rundt 1200 maskiner i dette arbeidet, med en samlet datakraft tilsvarende en respektabel superdatamaskin. Hans presentasjon vil ta for seg prosjektets bakgrunn, status og fremtidsplaner.
(Et annet prosjekt som også lager slike rainbowtables heter A5/1, bedre kjent som krypteringen som benyttes i svært mange mobiltelefoner. Det prosjektet har dokumentert behovet for at alle GSM mobiltelefonnett bør oppgraderes umiddelbart for å tilby tilstrekkelig sikkerhet mot ulovlig avlytting.)

Firmaet Passware stiller med en helt ny versjon av sin "Passware Forensic Kit" programvare, og vil her gi den aller første demonstrasjonen av hvordan de kan hente ut krypteringsnøkler (=passord) fra en maskin som i utgangspunktet er i såkalt hvilemodus ("hibernation"), og som benytter kryptering av hele harddisken. Dette er programvare som benyttes av politi og andre myndigheter for å få tilgang til maskiner som er kryptert, og det foreligger mistanke om kriminelle formål. For å sette dette i perspektiv så ble det for kort tid siden publisert en undersøkelse som sa at over 50% av virksomheter i England ikke benyttet harddisk kryptering på sine maskiner for å sikre dataene i tilfelle tyveri. Det er ingen grunn til å tro at situasjonen er spesielt bedre i Norge. Denne programvaren viser tydelig hvordan slik programvare ikke bare må tas i bruk, men det må også gjøres riktig på første forsøk.

For å avslutte med et litt større perspektiv på verden, så kommer Professor Sigbjørn Hervik fra Universitetet i Stavanger. Han er professor i matematikk, men har sin utdannelse innen teoretisk fysikk. Han avslutter konferansen med et populærvitenskapelig foredrag om hvor universet kommer fra, hvor det er, og hvor det er på vei. Stort større perspektiv er det vanskelig å avslutte med. :-)

--

Om meg selv i denne sammenhengen:
Selv har jeg gjennom jobb og privat i over 9 år "forsket" på passord. Jeg har tidligere sagt at "jeg har brutt meg inn i det meste hos de fleste, og fått lovlig betalt for å gjøre det!". Jeg er blant de best sertifiserte innen IT- og informasjonssikkerhet i Skandinavia, og jobber til daglig innen dette området.

Nå er jeg utrolig glad og stolt over å få til en 2-dagers konferanse om passord & pin koder. I seg selv er det temmelig unikt å lage en slik konferanse, og det blir bare mer unikt når noe slikt har sitt utspring i, og arrangeres i Bergen. Faktisk kjenner jeg ikke til at det har blitt arrangert noe tilsvarende noe annet sted - noen gang.

Det jeg er aller mest glad for, er alle de foredragsholderne som kommer. Flere av dem har jeg mye kontakt med, og da jeg sendte mail med spørsmål om de ville komme, så var svarene "Ja, selvfølgelig!". Og det på deres egen regning!

Så med stor fare for at min bedre halvdel blir litt skuffet (ja, jeg er faktisk gift og har en datter på 4 år), så må jeg virkelig si at julen kommer tidlig i år for min del. Litt bursdag og nyttårsaften også, vil jeg påstå.

mvh.
Per Thorsheim
Mobil: +47 90 999 259

Why Passwords^10?

2010-11-30T00:31:00.000+01:00

I've been asked this many times: "Why would you do a 2-day conference on passwords & PIN codes?". I'm being told that passwords are lame and old-fashioned. Biometrics and 2-factor authentication are much better at providing better security. Some even refer to xkcd 538 to describe to me why password-only authentication is stupid. Allow me to explain a little...

I've been researching passwords for more than 9 years now. I've got more passwords now than I had 9 years ago. Many more, in fact. Not that I've asked for them voluntarily, but it's the only option available from most services. Some services, like my online banks (I'm using 3), uses a solution named BankID to authenticate me. It runs using Java (hooray...). Among other factors, it also uses a password for authentication. The technical password policy implementation currently allows anything as your password, as long as it is minimum 6 characters in length. Yes, that allows 123456 to be used as a password, although they do suggest to pick a stronger one to protect your financial life. I would suggest so too.

I'm using Twitter, Facebook, Google, and a WIDE variety of online services. I'm even using Microsoft Windows, but I guess there's nothing special about that. "Windows? You can get 2-factor and biometrics for Windows!". Sure. I even know some organisations who actually authenticates all their users using RSA Securid 2-factor authentication when logging on locally to Windows.

Problem number 1:
Fixed 4-digit PIN codes manually selected by their users is what you need to obtain (See xkcd 538 again), in addition to stealing that SecurID token. If the PIN isn't taped to the back of the token, that is. I've seen that before. Oh; and a PIN code is a password to me. I presume there are probably even more people in the world dependant on PIN codes in their daily life than there are people dependant on computers. Honestly; do you know anyone above age 16 that doesn't use or depend on PINs or passwords in their daily life? And when did you last change your PIN codes? Can't remember? aha. Thought so.

Problem number 2:
Of course using 2-factor like SecurID is a good idea. Usability is probably better, with less fuzz and "lost password" support calls. Well, here's a wild guess from me: I don't think all those service accounts used for monitoring, anti-malware, backup/restore, databases and similar services uses 2-factor authentication to log on. I don't even believe that shared accounts, test or demo/training accounts are equipped with SecurID tokens (I'm excluding the possibility of Skynet being present here). Unfortunately those are the accounts with the highest access levels in your Windows domain and individual systems in most cases, AND the most interesting targets for any attacker who wants full access while concealing their activities. Passwords win. Or loose. Depending on how you look at it of course.

I'm using GPG/PGP. Come get some.
I like AES. I like other algorithms as well. And your encrypted files and e-mails are protected through a private/public key system. Only you have your private key, and of course its protected by an amazing - you guessed it - PASSWORD. Without a centralized password policy for those GPG/PGP passwords, I believe many people will be using rather simple passwords to protect their private key. At least, my research shows exactly that - maybe as many as 50% will be on the absolute minimum of technical requirements implemented.

So where do you store your private key then? On your personal home area on some server somewhere in the organisation? In the cloud perhaps? Where domain admins, backup administrators, helpdesk and many others can easily find and copy the file for further offline processing and brute-force attacks? Many organisations uses shared private PGP keys for a single department or function. If one person leaves, who knows whether that person made a copy-to-go of that private key? Would you consider that to be a potential risk?

I'm using superduper hard drive encryption.
Probably with pre-boot authentication (search for "evail maid attack" on Google), or direct boot into your OS-of-choice (probably Windows), with transparent full disk encryption, perhaps coupled with a TPM chip inside your computer. The evil maid attack will capture your password. Live memory dumps will give almost instant access to decryption keys stored in memory. Use your patience, wait for a new TCP/IP level remote exploit to appear that allows you to attack and seize control of that computer with the encrypted disk and password/biometric protected screensaver.

--
...And I could go on for a long time with attacks and defences. Passwords are some of the oldest authentication methods we have to control access to some sort of resource - at least for computer systems. They were bad 5, 10, 15 and 20 years ago, and passwords created by humans are still bad. Almost no development in our password selections in 20 years, yet the techology to crack them have improved. Massively. And those bad passwords won't go away in the very near future.

At Passwords^10 we will talk about passwords and PINs because they are everywhere. They won't go away. We all use them in our daily lives. How we create them or crack them - both sides will be up for discussions at the conference. Many things can be done to improve the security passwords provide us with, while maintaining or perhaps even improving their usability for all of us.

I hope you will be able to join us at the conference. We're planning to make the presentations available very shortly after the conference, as well as video recordings of all presentations.

Revisiting password meters

2010-11-29T00:10:00.000+01:00

(Screenshot from Swedish PTS on Sunday 28, Nov 2010)

In February this year I wrote a blog post named "Never Trust Password Meters", after a tweet from @mikkohypponen at F-Secure. One of the password meter services I commented on was "testalosenord" (test your password) from the Swedish Post and Telecom Agency. I e-mailed them the same day, just to inform them about my blog post. On November 18 I received a reply.

Not that I expected any answer of course, I write about my personal opinions and I'm just happy whenever I get any feedback. It's a short reply from PTS, but they gave me a link to a page displaying statistics about the passwords tested through their online service. Oh, and they use Cracklib for testing all passwords submitted. The statistics are interesting, the screenshot on top of this blog post is taken from this page.

Yes, I know it's in Swedish. I'm here to help. :-)

Passwords shorter than 8 characters (90.27%)
No surprise really. My guess: most people will test one or more of their passwords, most probably personal passwords not used at work. Even if they do test their work passwords, very few organisations are at length 8 or higher in their password policies.

Passwords without digits (88.07%)
Well, digits doesn't have to be a requirement for making "secure" passwords. I guess this really cannot be interpreted as "bad" passwords, as we do not have any info on length, use of upper/lower and/or specials.

Passwords without UPPERCASE letters (90.56%)
To me this really indicates that passwords tested are personal passwords, not subject to a "professional" password policy, that will usually require complexity requirements (3 of 4 characters groups must be used). The typical outcome of such complexity requirements are easily illustrated by me this way:

(Click image to see full size)

Passwords without lowercase letters (86.05%)
Now this is really surprising! In a real corporate environment I would expect lowercase letteers in pretty close to ... 99.9% of all passwords or something like that. Of course, with 123456 probably being the most common passwords out there, you could blame some of the statistics on that one, but 86.05% is still surprising!

Passwords without special characters (92.25%)
In a corporate environment I would usually expect this percentage to be lower, meaning more specials in passwords. However, for personal passwords most probably not originating from corporate environments with complexity requirements turned on, this makes sense to me.

Passwords found in the PTS wordlist (16.58%)
Well, I don't know if they are using a standard Cracklib wordlist, or if PTS has edited such a list themselves. I have also questioned what we all consider to be a "wordlist" in a previous blog post named "What's a wordlist?". In any way I really can't see much usefulness in this one, at least for my purposes.

Passwords without any letters (4.65%)
Could simply be user clicking Testa! (submit), or the common 123456 password, or the slightly less common 12345 password of course. In a complexity environment I will usually expect most "complex" passwords to be on the format UllllllDD (Uppercase, multiple lowercase, 2 or 4 digits at the end).

Again; interesting statistics, but I'm afraid statistics LIE. A lot. In fact, not only should you never trust password meters, but I would suggest that you should be very skeptical of password statistics as well.

--
Oh.... Seems as if I just told you not to trust my statistics either. Well, be skeptical at least. Ask questions, like I do. For Passwords^10, I'll try to use the tedPAD in order to create a fantastic presentation with my password statistics. :-)
(If you haven't seen the 6-minute talk on tedPAD, you should do so now! It's fantastic!)

Nokas og Datalagringsdirektivet

2010-11-28T22:32:00.000+01:00

(Bildet er hentet fra promoteringen av Nokas filmen)

I Dagens Næringsliv lørdag 27. desember står at at Kripos henlegger saken på piraten som la en kopi av Nokas-filmen ut på The Pirate Bay. Datasporene etterforskerne trenger for å finne piraten er slettet. Jeg hadde bestemt meg for å ikke uttale meg høyt om datalagringsdirektivet. Jeg vil fortsatt forsøke å unngå det, men dette blogginnlegget kan nok oppfattes som et innlegg i debatten.

Versjonen av filmen som ble spredd via fildelingsnettverk viste seg å stamme fra en intern dataserver hos produksjonsselskapet Alligator, hvor en del magasinjournalister fikk tilgang til å laste ned filmen for å kunne anmelde den. Med anmeldelsen fulte en liste på under fem navn som hadde fått tilgang til filmen, samt IP-adressene som hadde lastet ned filmen fra produksjonsselskapets server.

Saken henlegges, og ut i fra artikkelen synes det å være mangelen på data som binder IP-adresser mot bruker/eier på angitte tidspunkter for nedlasting som gjør at man ikke lengre kan spore opp den eller de som initielt utførte uautorisert nedlasting, kopiering og spredning på internett. Disse dataene har blitt slettet av internett leverandørene i henhold til tidsfrister for lagring av slike opplysninger, og Advokatfirmaet Simonsen reagerer naturlig nok på dette. Advokat Rune Ljostad mener sågar at denne saken er et godt argument for forlenget lagring av slike data, uavhengig av om eventuelt datalagringsdirektivet blir innført eller ikke.

Jeg skal da altså ikke skrive noe om egne meninger ift innføring av datalagringsdirektivet. Imidlertid har jeg noen kommentarer - og spørsmål - som ikke synes belyst i artikkelen. Selvfølgelig blogger jeg i vei uten å kjenne alle saksdetaljer, og de er vel heller ikke offentlig tilgjengelig.

Sikkerhet og nedlasting av film

Produksjonsselskapet Alligator la filmen ut for nedlasting for "noen magasinjournalister". Hvor mange? Hvem? Frilansere, eller ansatte i aviser/blader? Kall meg slem og forutinntatt her, men jeg satser på at noen års erfaring gir grunnlag for kvalisert gjetning:

(1) Filmen som ble lagt ut for anmeldelse var ikke digitalt vannmerket, synlig eller usynlig
(2) Det var ingen unik identifikator (vannmerking) pr person/redaksjon som fikk filmen
(3) Serveren hadde ingen begrensninger på tidsperiode for når filmen kunne lastes ned
(4) Serveren hadde ingen begrensninger for hvilke IP-adresser som kunne laste ned filmen
(5) Det ble ikke brukt kryptering av data (inkl. brukernavn/passord) ved filoverføring
(6) Tilgang til filmen ble "annonsert" via ukryptert e-post
(7) Det ble benyttet felles brukernavn/passord for tilgang

Jeg vil tro at ovennevnte anses som irrelevant for Advokatfirmaet Simonsen. Det ville være urimelig å ikke stole 100% på anmelderne eller redaksjonene eller frilanserne eller IT-avdelingene til mediehusene eller vennene til anmelderne som vet at anmelderne har lastet nettopp denne filmen på sin private pc uten noen god sikkerhet, pent plassert i en privat stue og lett tilgjengelig for enhver venn med en USB minnepinne til kr 179,- for kopiering. Man forventer jo selvfølgelig at filmen kun blir sett av anmelderen, og det på en pc som er kryptert og avskåret fullstendig fra omverden, inkludert egen redaksjon, samboer og barn. Filmen slettes selvfølgelig på en sikker måte øyeblikkelig etter at anmelder har sett gjennom den. Hva skjedde med lukket pressevisning egentlig?

Velkommen til 2010.

Jeg spurte Georg Apenes for noen år tilbake om hvem jeg kunne egentlig stole på. Han trakk på skuldrene, og sa at det var et ubehagelig godt spørsmål. Noe å lære av i denne situasjonen kanskje?

Som sagt; jeg kjenner ikke sakens detaljer. Jeg tviler på at de er tilgjengelig, og at hverken Kripos, Advokatfirmaet Simonsen eller Alligator vil gjøre dem tilgjengelig heller. Dermed kan jeg ikke påstå at det kunne ha blitt gjort mer for å sikre tilgang til, samt distribusjon av anmelderutgaven. Jeg bare TROR at man kunne ha gjort det, og antagelig for en lavere sum enn det som nå har blitt brukt på en tapt sak og ringvirkningene av dette. Sikringstiltak som nevnt over er fullt lovlige og tilgjengelige i dag, og jeg tror personlig at de også ville bidratt mye bedre enn ethvert datalagringsvedtak til å oppklare saken.

--
Ut i fra artikkelen i Dagens Næringsliv så fremgår det ingen beskrivelse av noen sikringstiltak overhodet, ei heller er ordet tillit nevnt. Det som fascinerer meg i alle saker hvor elektroniske data/informasjon er kommet på avveie, er at det svært sjelden snakkes om alle de som har teknisk, men ikke rettslig tilgang til dataene som overføres og lagres elektronisk. Det er et tema som jeg akter å skrive mer om fremover.

Malware Authors: Show Me Your Passwords!

2010-11-15T23:38:00.002+01:00

I'm baffled. And that doesn't happen too often. In February I wrote a blog post over at Elcomsofts official blog, entitled "Why you should crack your passwords". I'm long overdue for a follow-up on that post, with another angle at the same statement. Do you remember Conficker (also known as Downadup)? I guess you do. And that's the primary reason for this blog post, and me being baffled.

At work one of my regular tasks is to coordinate joint efforts on security patch management. We've got quite a few systems to keep updated, but that would be a different story to tell. I remember the MS08-067 patch, and how we deployed it faster than anything else we had ever deployed earlier. (To those of my colleagues reading this: I'm proud of your efforts!).

As soon as Conficker went into action across the Internet, security professionals started analyzing it. The "B" version of Conficker, first discovered December 29, 2008, used a simple dictionary to conduct bruteforce authentication attempts against the default ADMIN$ share on Windows systems. This was done in order to increase the probability of successful infections and higher speed of distribution.

A nice summary of how Conficker did this can be found in the article "Downadup: Locking Itself Out" by Eric Chien at Symantec, while a more extensive list of passwords used by Conficker can be found at F-Secure's virus description of W32/Downadup.

Back to me being baffled.

I've been playing, working, researching - dreaming - about passwords for more than 9 years now. One of the things that I requested as soon as I heard Conficker/Downadup did dictionary attacks, was a complete list of all the passwords it had in its wordlist. I think I laughed for quite some time when I saw it: it was BAD. As in not good, if your purpose is to get access to accounts and shares with a low number of guesses before locking out accounts (which happened all over where Conficker gained initial entry).

So of course I did another round of password audits in order to be sure NONE of these passwords would succeed for Conficker. And I were correct, none of those passwords would give access to anything that I were responsible for at that time.

The original reason for doing this blog post was to do a follow-up from the previous blog post by me at the Elcomsoft blog. Not only should you crack your passwords in order to check compliance between your written password policy and its various technical implementations across platforms. You should also do it to measure compliance between real-life passwords and the technical and written policy as well.

This blog post were supposed to talk about the passwords found in various malware like Conficker, their authors who obviously (to me) didn't know much about statistically popular passwords or policy implementations. This blog post were supposed to give you more background info that you could use when doing your own password audits, in order to protect yourself from such automated malware attacks.

Instead, I end up with what really baffles me:
I've asked Norman, Sophos and F-Secure if they have ever compiled any lists of passwords being used by various types of malware for password guessing. NONE of them have done something like that, all I've got are links to old blog posts on Conficker. I've even googled for it several times, but no luck so far.

So in case none of my readers have made such a list, all I can say is:
Malware Authors: Show Me Your Passwords!
--
Oh, and if anyone of you decide to attend Passwords^10, please notify me upon arrival. :-)

Usikrede trådløse nettverk

2010-11-14T20:28:00.000+01:00

Til alle tilbydere av trådløse nettverk i Norge, både i kommersiell og offentlig regi, samt alle andre som har åpne trådløse nettverk for egne ansatte, gjester, naboer og hvem det ellers måtte være.

Jeg håper og tror at de fleste av dere fikk med dere lanseringen av "Firesheep", et tillegg til nettleseren Firefox som ble lansert for noen uker tilbake. Media har allerede dekket dette grundig som en nyhetssak, selv om det egentlig ikke presenteres noen nyhet. Dette tillegget gjør det ekstremt enkelt å stjele tilgang til andres Facebook kontoer, samt en rekke andre kjente steder som Twitter og Amazon.com. Teknikken er altså "gammel", dette tillegget er lansert "for å få ulike tjenesteleverandører til å tenke seg om en gang til".

...Og her kommer altså mitt ønske til dere: vær vennlig og vurder et prosjekt som har til hensikt å innføre kryptering av deres trådløse nettverk som standard. Dette for å kraftig redusere sannsynligheten for misbruk av deres trådløse nettverk, samt skjerme deres kunder fra hverandre ved bruk av deres nett.

Eksempel: sitter man på Gardermoen og bruker Avinors trådløse nettverk (valgfri leverandør), så benytter man altså et åpent trådløst nettverk. Dette gir i seg selv ingen sikkerhet overhodet, noe også Avinor selv opplyser om i sine bruksvilkår. All bruk av f.eks. Facebook, Amazon eller Twitter på dette trådløse nettverket, f.eks. via pc, iPad eller mobiltelefon, kan svært enkelt avlyttes og misbrukes av andre på samme nettverk. Faktisk kan man med dette verktøyet ta eierskap til andres kontoer på nevnte tjenester, samt en rekke andre. Dette igjen kan gi tilgang til personsensitive data (ref §POL), forretningshemmeligheter, og andre sensitive opplysninger.

Jeg skal ikke påstå at ingen leser vilkårene før de tar tjenesten i bruk, men jeg tror ikke det er mange som leser dem heller. Hvor mange som faktisk forstår konsekvensene av vilkårene er jo også relevant, men det kan jo ikke Avinor eller samarbeidspartnere holdes ansvarlig for regner jeg med.

Nå er ikke mitt ønske noe jeg har funnet på selv. Jeg vil ikke ta æren for noe som andre har kommet opp med, så jeg vil anbefale dere følgende lesning. Jeg føyer meg til rekkene som er enig i disse vurderingene, og anbefaler tiltak fra dere.

1. Is it legal to use Firesheep at Starbucks? (Computerworld)
Denne artikkelen er svært interessant, da den tar opp 2 motsetningsforhold i en juridisk kontekst: "det finnes ingen rimelig forventning til personvern i et offentlig tilgjengelig og åpent/usikkert trådløst nettverk". Dette settes opp mot "Når mennesker bruker sin konto på sosiale nettverkstjenester, så har man en forventning om at ens personvern blir ivaretatt". At sistnevnte tilgang gjøres via et åpent/usikret nettverk anses dermed som irrelevant.

2. Dear Starbucks: The skinny on how you can be a security hero (nakedsecurity)
Chester Wiesniewski i Sophos Labs skrev denne artikkelen som en anbefaling om å sikre sine løsninger til ulike leverandører av trådløst nettverk. Han fikk umiddelbart respons av teknisk karakter; nettopp at hans anbefalinger allikevel kunne forbigås gjennom mer avanserte og målrettede angrep. Han oppdaterte saken sin med å si at dette kanskje ikke var en så god ide allikevel. Jeg har selv kommunisert med ham og flere andre, og konsensus virker å være at det er bedre å gjøre noe, enn å gjøre ingenting. I så måte inneholder artikkelen alt dere måtte ha behov for å vite ift sikring av dagens løsninger.

Det er mange måter dette kan løses på, og for de store leverandørene kan det nok innebære en del arbeid. For alle bedrifter og andre mindre organisasjoner som tilbyr såkalte "gjestenett" i form av trådløse nettverk; vær oppmerksom på at dere utsetter deres gjester for unødig risiko ved å tilby slike gjestenett i ukryptert og ubeskyttet form. Sannsynligheten for at egne ansatte også benytter slike gjestenett er stor, mens de nødvendige tiltak bør ikke representere mer enn noen timers arbeid pluss et oppslag på intranett og i resepsjonen om innføring av felles tilgangspassord til det trådløse nettverket.

Når dette er sagt så bør det vel også sies at forbrukere flest har en forventning til at de sikkerhetsmekanismer som måtte eksistere i et produkt er skrudd på som standard ved kjøp. Man forventer jo at sikkerheten er godt ivaretatt de fleste steder. Allikevel selges det meste av slikt trådløst utstyr med et standard oppsett hvor de fleste sikkerhetsfunksjoner er skrudd av, og det overlates til sluttbruker å ta dem i bruk dersom dette er ønskelig.

Lykke til.

Passwords^10 : REGISTER NOW!

2010-11-08T20:35:00.002+01:00

Announcement:

Passwords^11 is coming. June 7-8. CFP is here!

We are ready. You can now register for participation at Passwords^10, a 2-day conference on Passwords & PINs. Free for all, at the University in Bergen (Norway), on December 8-9. Limited seats available.

Register now by sending an e-mail to me (per at thorsheim dot net), with the following information:
- Full name
- Title / position
- Company / Organisation (if applicable)

- Participate in joint event Yes/No (Wednesday evening Dec 8, location/program TBA, you pay for yourself)

... and any additional info that shows you are not a bot, but a human interested in Passwords & PINs are most welcome as well of course. :-)

We will confirm your registration back to your e-mail address. No, we have no intentions of using it ever after, unless you specifically ask for it. Since this is a free conference, attendees may drop attending in the very last minute. Please, if you register and then find out you can't participate anyway, let us now ASAP.

Oh.. And maybe you would like to have a look at the preliminary program? (PDF, 173KB, no embeded javascript or flash, stored at home.online.no). There you will also find additional and useful info on how to get to the conference, where to stay and so on. Usability you know.

All speakers confirmed, schedule may change, more contents to be filled in (check back later). Please contact me if you have any questions, comments or just want to say "Sorry I can't be there, maybe next year?". :-)

Best regards,
Per Thorsheim

Usikkert Norgespass

2010-11-05T12:50:00.001+01:00

Jeg har VELDIG lyst på en Samsung Galaxy Tab. I likhet med mye annen elektronikk selvfølgelig, men det kan vi ta litt nærmere jul. Ofte er det imidletid slik at man bare må gjøre noe øyeblikkelig, så også i dette tilfellet (Nei kjæresten min, jeg har ikke kjøpt denne dingsen - enda!)

Jeg besøkte Nettavisen.no i dag, og så en liten reklame som sa at jeg kunne vinne akkurat en slik Galaxy Tab dingseboms. Selvfølgelig bare ved å registrere meg. Vanligvis holder jeg meg langt unna de fleste reklamer og slike konkurranser, men her ble jeg fristet:

Så jeg klikker, og havner på nettsidene til Norgespasset.no. Setter i gang registrering, og får underveis selvfølgelig beskjed om at de skal tyte meg full av reklame i alle kanaler som gratis medlem, men til gjengjeld kan jeg jo vinne en Samsung Galaxy TAB! WOOHOO! (Utrolig hvordan sunt vett forsvinner ut på et blunk når man har satt seg et urealistisk mål: vinne i en konkurranse på nett....)

Så gjør jeg gjennom hele registreringen da, innkludert kravet om å liste opp minst ett tema som jeg er interessert i, slik at de kan "skreddersy" reklamen de vil sende meg. Mjo.. SKEPTISK.

Men så tar jo sikkerhetshalvdelen av hjernen over igjen da, og man tenker litt rasjonelt igjen etter at den forskuddterte seiersrusen begynner å gi seg. Hm... Hadde ikke disse en brukeravtale som jeg såvidt skumleste deler av? Var det ikke noe om personvern der? Joda, det var det. Betingelsene deres finner du her. Tjenesten tilhører Mediehuset Nettavisen AS og Barlind Solutions AS. Se på pkt 13 i betingelsene deres, spesielt andre paragraf:

(Klikk for full størrelse)

Så ser vi også på hvilke opplysninger de ber om at du registrerer på profilen din (mange av disse er riktignok frivillige å oppgi):

(Klikk for full størrelse)

Mye data for å skreddersy reklame rettet mot meg, og definitivt også en god porsjon personopplysninger som kan brukes til f.eks. ID-tyveri.

Vel vel. Kjære Mediehuset Nettavisen AS og Barlind Solutions AS, i henhold til betingelsene for bruk av deres tjeneste så vil jeg med dette opplyse om at jeg mistenker at andre kan ha fått tak i mitt brukernavn og/eller passord. Årsakene til dette er som følger:

1. Dere bruker min mailadresse som brukernavn.
Det skal virkelig ikke noen spesiell ekspertise til for å finne ut hvilke mailadresser jeg bruker til vanlig, og jeg er faktisk over gjennomsnittet paranoid på sikkerhet. For mer normale mennesker tror jeg det er enda enklere.

2. Dere har ingen passordpolicy eller -krav!
Passordet mitt i det jeg skriver denne teksten er tallet 1 (en). Ikke noe mer. EN ENKELT KARAKTER! Jeg har ALDRI FØR sett så dårlig passordsikkerhet i noen løsning med brukernavn/passord på Internett OVERHODET! Og jeg har da altså brukt Internett siden høsten 1992!
(Overdreven bruk av store bokstaver, fet tekst og utropstegn for å gi avsnittet et mer journalistisk sensasjonspreg, tilgi meg for det....)

3. Dere bruker HTTP og cookies for sesjonsstyring!
Nettavisen har selv skrevet om "firesheep" den 26.10.10. La gå, teknikken har jo vært kjent i noen år allerede, men firesheep gjør det elementært enkelt for de fleste å stjele andres tilganger til nettsteder der hvor disse benytter hettopp HTTP og cookies for sesjonsstyring - akkurat slik dere gjør. Kaste stein i glasshus er det jo mange som gjør, men det rekker knapt nok som noen forklaring i de fleste tilfeller.

Jeg skal ikke spekulere i hvorvidt dere har gjort noen risikoanalyse som tilsier at deres nåværende sikkerhetsnivå er tilfresstillende for dere eller ikke. Ei heller om dere har benyttet interne eller eksterne sikkerhetsressurser for å kvalitetssikre løsningen før den settes i produksjon.

Jeg vil egentlig bare melde i fra om at jeg tror mitt brukernavn og passord kan ha kommet på avveie. Jeg melder i fra på denne måten (ukryptert via Internett), så reduserer vi sannsynligheten for at sikkerhet vil komme i veien for det viktige budskap som skal formidles.

Med vennlig hilsen,
Per Thorsheim

--

PS: det finnes ingen mulighet inne på sidene deres for at jeg skal kunne slette min konto på en enkel måte. Faktisk måtte jeg søke på ordet "slett" i betingelsene deres for å finne ut hvordan jeg kan gjøre det. Enten ved å sende et fysisk brev til dere, eller gjennom en mail til norgespasset@nettavisen.no. Virkelig enkelt, det må jeg si.

PS #2: tolker jeg betingelsene deres at dersom jeg laster opp hva-som-helst til dere, og så ber om å få slettet min konto, så vil allikevel alle data om meg tidligst bli slettet om 3 år? (punkt 5, siste avsnitt, siste setning). (Håper det er greit for dere at jeg tipser Datatilsynet om den der.)

PS #3: Jeg tar det for gitt at jeg ikke vinner noen Samsung Galaxy Tab nå, selv om jeg har registrert meg. For ordens skyld sender jeg dere også en mail med beskjed om at jeg vil slettes som bruker hos dere.

PS #4: Jeg ser at dere sender brukernavn, passord og navn på tjenesten i en og samme mail, uten noen sikkerhet. Anbefaler en tidligere bloggpost fra meg på dette temaet: http://securitynirvana.blogspot.com/2010/10/how-not-to-send-account-info-by-mail.html

PS #5: Passordet dere sendte meg umiddelbart etter registrering samsvarer ikke med det jeg oppga ved registrering. Ikke er det "godt nok" heller i forhold til anbefalt god praksis.

CFP for Passwords^10 has ended

2010-11-03T23:39:00.000+01:00

(Click for full size)

Short notification; the public CFP is now closed. Speakers have been notified, we're currently working out the details for the program. Public registration opens up on monday morning 08:00 (Norway/Oslo time). Limited seats available. Free participation including lunch. Wednesday evening we'll meet for the usual fun, including a competition with prizes to be won! (A big thank you to Elcomsoft for sponsoring us with those!)

This will be *COOL*. Passwords & PINs for 2 full days. Elcomsoft. Passware. Oracle. The freerainbowtables.com project. And more!

Hey, we'll even try to make video recordings available afterwards for those unable to attend.

More to come, stay tuned. :-)