Monday, January 07, 2013

Security issues with MSXML


This is a quick & dirty blog post, partially to help a friend reach out to the world, and partially because I'm affected as well. Correction: was affected. Now removed & patched at the same time.

At my previous job one of my tasks was to manage & improve the security patch management process across all platforms, from operating systems and databases to browsers & plugins. Sometimes even down to firmware & driver updates, because of bugs and vulnerabilities. My primary focus was - no surprise - Windows installations and pretty much everything that can be installed on Windows. I did that for more than 5 years. 10-15K servers, 100-150K clients. I did well. Very well in fact, and I'm still proud of it.

Many surprises have appeared along the way; the most recent has to do with MSXML, which is what this blog post is about.

Thursday, January 03, 2013

Facebook Poke vs Snapchat - Security Comparison

Facebook Poke vs Snapchat - on security.
@adamcaudill got me started with his tweet + blog post about the lack of security in parts of Snapchat, and I just had to take a look. After hammering Snapchat for a while, I thought I could do a security comparison with Facebook Poke, Facebook's own app that does pretty much the same thing as Snapchat. If you want to see a feature comparison, take a look here at TechCrunch.

While Adam does the crypto + API stuff - the inner workings of the Snapchat app - I'm more interested in the visible password stuff. And before we start talking about financial muscle, size of organisation etc. between Facebook & Snapchat.... It doesn't take a giant to make good security. (Rather the contrary, I would say.)

Tuesday, January 01, 2013

Measuring the real value of social media

My Klout score, Jan 1, 2013. Tweeting is the main reason for my score.

I became very curious when +Hans-Petter Nygård-Hansen posted this blog post: "Slik kan du måle din innflytelse i sosiale medier" ("How you can measure your influence in social media"). So curious, in fact, that I had to check myself. Yes, I freely admit that I have an ego too. :-)

Sunday, December 30, 2012

Passwords^12 - in summary

Yeah, I'm happy with that. :-)
Passwords^12 turned out to be an amazing event - although I'm not really neutral saying so.

Sorry for taking so long to come up with a few words after the conference. First there was the biochem warfare attack from you-know-his-name, then the total exhaustion after the conference, including video editing & uploading to Youtube & our media archive. I've been sleeping a lot during the past 2 weeks. :-)

Tuesday, November 27, 2012

Press Release: Passwords^12


World's best password hackers gather in Oslo, Dec 3-5


Bergen/Oslo, 27. November 2012
The world's best password hackers gather in Oslo on December 3-5 to speak & participate at Passwords^12, a 3-day conference ONLY about passwords & PIN codes. This is the first and only conference dedicated to research in an area that affects us all on a daily basis. The conference brings together an "all-star" team of international researchers, hackers, and security professionals. The conference aims to increase security, while simultaneously keeping and improving usability aspects for everyday users.

Press release: Passwords^12 (Norwegian version, translated)

The world's best password hackers gather in Oslo, December 3-5


Bergen/Oslo, 27 November 2012
The world's best password hackers gather in Oslo on December 3-5 to take part in Passwords^12, a 3-day conference exclusively about passwords and PIN codes. This is the world's first and only conference dedicated to research in a field that affects us all on a daily basis. The conference brings together an all-star team of international researchers, hackers and security specialists. The conference has a clear goal of contributing to a more secure and simpler everyday life for us all.

Sunday, November 11, 2012

Secure access to public data

[Why censor or encrypt? It's publicly available anyway...]

Updated April 4, 2013: Gule Sider / Eniro have long since fixed SSL and updated their apps. Many thanks to them for the quick response to my contact + blog post.

This one is for you, Eivind, although I think others will find it interesting too. You asked me earlier whether I/we (www.vsc.no) had looked more closely at the security of the most popular apps. We have looked at a number of taxi apps, and the results will be presented at the DND members' meeting in Bergen on November 20. (The presentation from there will be made available afterwards.)

I installed the Gule Sider app for Android on my Samsung Galaxy SII a short while ago, and got a bit curious about it. A bit of packet sniffing, a bit of reading online and a bit of comparison against other apps, and here are some simple observations, risks and recommendations:

Friday, October 26, 2012

Analysis of the Punto.pe Leak

That extremely frustrated feeling you get when you cannot crack 50% of a moderately large leak within minutes. When rockyou.txt only nets you 6,124 plains. When 1.2 billion words + 40,000 rules results in a paltry 24,000 plains. Oh, that frustrated feeling.

And let's not forget that "you have to be freaking kidding me" feeling you get when you realize that the dump you have been working with for 26 hours actually contains plaintext passwords for 70% of the hashes -- after you've already busted your ass to crack 81% of them. A mistake easily made when you hastily extract only the hashes from a dump, without bothering to look at the rest of the data.
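The lesson in the paragraph above is to inspect the whole record before extracting hashes. The script below is an added example, not code from the original post: it parses a dump, and for each record checks whether one of the other columns already hashes to the hash column, so you know how much of the list is "cracked" before you start. It assumes colon-separated records and unsalted MD5 or SHA-1 hashes (neither is stated on the page), and the sample records are constructed for the example, not data from the Punto.pe leak.

```python
"""Added example (not from the original post): check whether a leaked dump
already carries the plaintext next to its hash before spending GPU time on it.

Assumptions (not stated on the page): colon-separated records, one per line,
and unsalted MD5 (32 hex) or SHA-1 (40 hex) hashes in the second column.
"""
import hashlib

# Constructed sample dump, format user:hash:extra_field. Two rows carry the
# plaintext in the extra column, one carries an unrelated value, one is empty.
SAMPLE_DUMP = """\
alice:5f4dcc3b5aa765d61d8327deb882cf99:password
bob:7c4a8d09ca3762af61e59520943dc26494f8941b:123456
carol:e10adc3949ba59abbe56e057f20f883e:not-the-password
dave:098f6bcd4621d373cade4e832627b4f6:
"""


def algs_for(h):
    """Pick candidate digest algorithms from the hash length alone."""
    return {32: ("md5",), 40: ("sha1",)}.get(len(h), ())


def parse_dump(text, sep=":"):
    """Yield (user, hash, other_fields) for every non-empty record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(sep)
        if len(parts) < 2:
            continue  # not a user:hash record, skip it
        yield parts[0], parts[1].strip().lower(), parts[2:]


def matching_plain(h, candidates):
    """Return the first candidate field whose digest equals h, else None."""
    for cand in candidates:
        for alg in algs_for(h):
            if hashlib.new(alg, cand.encode()).hexdigest() == h:
                return cand
    return None


def find_plaintexts(text):
    """Map hash -> plaintext for records whose own fields contain the password."""
    found = {}
    for _user, h, rest in parse_dump(text):
        plain = matching_plain(h, [f for f in rest if f])
        if plain is not None:
            found[h] = plain
    return found


def coverage(text):
    """Return (records with free plaintext, total records)."""
    total = sum(1 for _ in parse_dump(text))
    return len(find_plaintexts(text)), total


if __name__ == "__main__":
    got, total = coverage(SAMPLE_DUMP)
    print(f"{got}/{total} hashes already have their plaintext in the dump")
    for h, plain in find_plaintexts(SAMPLE_DUMP).items():
        print(f"{h}:{plain}")
```

Run it against the real dump instead of SAMPLE_DUMP before you build any wordlist; the hashes it reports can go straight into a "found" file, and the plaintexts it reports are a far better base wordlist for the remaining hashes than rockyou.txt.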

Saturday, October 20, 2012

Rosing IT Security Award finalist 2012

[Oh yeah, you can zoom in on it!]
This is my proof of being not only nominated, but also ending up as one of three finalists for the Rosing IT Security Award in 2012, presented by the Norwegian Computer Society. On Thursday Oct 18 the winner was announced at their annual conference, with Gjøvik University College (HiG) as the winner. Very few individuals have been nominated for the award since its inception in 2002, and I am incredibly proud to be one of them. I am also very happy to congratulate all the excellent people I know there: Christoph, Tone, Morten, Patrick, Kirsi, Nils and others as well. I really look forward to our continued cooperation!

Criteria for the award (translated from Norwegian):
The prize is awarded to businesses in Norway, or on special occasions to individuals. The recipient will, directly or indirectly, have contributed in a positive way to increased information security and IT security. The contribution may be through dissemination, training or awareness-raising activities, through promoting innovative thinking, or through having developed and implemented appropriate methods, standards, concepts, technologies or services that have provided great benefit, or otherwise have contributed to this.

Monday, October 01, 2012

New PGP key

I've created a new GPG key with KeyID 7861BC12. Synced to keyserver.ubuntu.com, pool.sks-keyservers.net, keyserver.pgp.com and keys.gnupg.net. It even includes a picture. You can get it here.
My old key (KeyID D0D0AEF6) has been marked as expired.