Review: [hiddn] USB Crypto Adapter

[Picture from www.hiddn.no]

A representative from High Density Devices (HDD) participated at Passwords^10, and after that I've been talking to them from time to time. Especially their marketing manager Tormod Fjellgård has been very forthcoming, and granted me the chance to do a review of 2 of their crypto adapters. This is my first review of their USB crypto adapter, and I've warned Tormod that I just might have some critical comments for them. So here we go:

Når "anonym" har en arbeidsgiver

(Screenshot tatt fra www.vg.no)

VG Nett har nylig endret sine regler for å kunne legge inn kommentarer til saker de publiserer. De tillater ikke lengre anononyme innlegg, og forsvarer dette valget gjennom plakaten som vist over. En god kollega av meg, som ønsker å forbli anonym, stilte meg et spørsmål i dag som ga meg grunnlag for å kommentere denne endringen hos VG. Det gjelder nok også en rekke andre medier, så bloggposten er ment å være generell i så måte.

I'm not dead...

As you can probably see from my Twitter feed. I'm just drowning in work as a security consultant at the moment. My head is full with blog posts that I have to get out soon... For the password stuff, which still is my primary focus here, I'm pretty close to start releasing some never seen before statistics. In close cooperation with my friend and colleague Jan Fredrik (@KluZz). Keep watching this space!

Hotel TV Infochannel Security

[A rather static show at the hotel tv infochannel...]

Life as a security advisor, or just consultant if you prefer, can be very interesting. Working with a large variety of clients, tasks and situations is challenging, exactly the way I like it! To me it also includes going to other cities here in Norway, at the moment I'm at yet another hotel in Stavanger, Norway. 

During the past couple of weeks I've got a renewed interested in hotel television systems. No, not that kind of activity that you may have heard of, or seen demonstrated by Major Malfunction in Las Vegas many years ago. I'm just curious about the risk analysis - if any - performed by the hotels, finding it acceptable to put their infochannel systems directly onto the Internet?

Kjære kunde / Dear Customer

This one is for @Questback, as a reply after the last couple of tweets between myself (@thorsheim), and @HopeMears, partially also @Ronnie_Ostgaard. Both have been most helpful in replying to my blog posts and tweets, and I hope this will be my last blog post regarding our "controversies". :-)

Adgangskort og PIN koder

[PINs på Post-it. Er det noe problem?]

Denne bloggposten skrives etter veldig mange års frustrasjon med fysisk adgangskontroll. Bildet over bør være god nok forklaring på min frustrasjon, det er Post-it lapper jeg har fått utlevert sammen med ulike typer adgangskort, både magnetstripe og RFID baserte kort. Med et ønske om å bidra med "enkle sikkerhetstips i hverdagen", så har jeg noen spørsmål og tips rundt slike løsninger for adgangskontroll.

More STARTTLS support!

RFC 3207:

SMTP Service Extension for

Secure SMTP over Transport Layer Security

In a previous blog post entitled "STARTTLS support in Hotmail/Gmail", I requested these services to implement support for RFC 3207, in order to use automatic and transparent security at the "back side" of their services, when available. I doubt I'm the reason here, but Google now has support in place! (Hooray!)

Facebook password history...

"Unfortunately you have provided an old password. Your password was last changed yesterday at 07:52. If you don't remember making this change, please click here".

First thought: WTF does Facebook tell me this????

Second thought: Good, they seem to have some password history going on. Got to test that later on, by trying to change back to my old password. I guess they don't block that quite yet.

Third thought: This is good from a usability perspective. They've got quite a few users (...), this will make it easier for them to actually change their passwords whenever they feel the need to do so, and handle it afterwards.

Fourth thought: A bruteforce attack against known logins will eventually succeed, but it may also reveal one or more previously used passwords, enabling several methods of pattern-based password analysis to improve the chances of an attacker figuring out the correct password faster and with less attempts then from a blind start.


Not good.


Any opinions?

En ROSA bloggpost!

[Bilde fra WahWah brosjyre]

Jeg er gammeldags. Jeg har passert 40. Jeg har en tåpelig tendens til å ta i mot utfordringer fra jenter. Kristin er en av dem. Utfordringen kom for noen måneder siden; hun utfordret meg til å skrive et blogginnlegg om mote & skjønnhet og sånn. Jeg svarte at det var liksom ikke helt min greie, men dersom jeg gjorde det så måtte hun kvittere med en bloggpost om sikkerhet & sånn. Jeg gleder meg allerede! ;-)

Comments on tablet/smartphone security

My friends - and competitors - at www.watchcom.no - has published a report on tablet security (Warning: Norwegian!), evaluating 3 different tablets. Conclusion? iPad2 as the winner with the best out-of-the-box security features. While I do agree on the conclusion, Norwegian media has given this report a lot of coverage that I need to comment on. "Out-of-the-box" security, or default security parameters, are *rarely* to be considered "good enough" in most cases.

Cryptohaze GPU Rainbow Cracker - test 1

Well, not exactly my very first test, but my first blog post about Bitweasil's sweet little piece of software, which can be found at his site cryptohaze.com. First of all: it seems *FAST*. Second: MUCH needs to be done, which is the reason for this short little blog post. I'll start out with just a single request: HEX display of all found passwords, in addition to the standard display on screen. Here's what I did:

New comments for older posts

Quick note to say that Erik Brännström has added an interesting comment to the "Never Trust Password Meters" blog post, while "Anonymous" (No, not those guys, but a PhD in Vein biometrics) has added comments to the "About Biometrics.." post. Both worth reading.

xkcd 936 - the discussion continues

WOW. That was my immediate thought (We use wow in Norwegian as well) when I saw xkcd 936. WOW. That is pretty close to exactly what I've been trying to tell people for the last 10+ years, while  researching passwords. Hat off, kudos and whatnot to Randall Munroe for this one! Now for some of the discussions in the wake of 936....

Webmercs Password Security

Vacation is over, time to take a look at the password security of another online webshop software solution. This time named Webmercs, from a Norwegian company named Data Design. I got triggered to do this blog post after visiting www.avshop.no, where I am a registered customer. Lets take a look at Webmercs...

Securing your passw^H^H^H^Hgp private key

I saw this article today by @DSchwartzberg at Sophos about Google indexing PGP private keys, easily found if you know what to search for. It reminded me that I had to finish this old blog post which has been waiting in line for some months now. Lets get straight to the point: How do you protect your GPG/PGP private key?

Passordsikkerhet fra MultiCase

men hvordan er sikkerheten?

Multicase AS er et selskap som leverer et komplett forretningssystem til en lang rekke bedrifter i Norge. En av mange moduler er en løsning for netthandel. Selskapet oppgir selv en rekke referansekunder på sine nettsider, blant annet Bergans, FotoVideo og NetShop. Flere kunder er lett å identifisere via Google. Sikkerheten rundt lagring og sending av passord i løsningen til Multicase er ikke i tråd med anbefalt god praksis. I ytterste konsekvens kan det få store konsekvenser for dem selv, deres kunder, og sluttbrukerne selv.

One Spam To Spam Them All!

This is a plain boring blog post. In fact, it's a blog post that in a perfect world would be completely unnecessary to write. In my world, this blog post is necessary in order to make Microsoft Exchange admins, as well as mailgateway/antispam operators and operations security people aware of a very simple, but highly important configuration issue in Microsoft Exchange.

Passwords^11 - video archive

Finally, the video recordings in 720p HD MP4 format are now available for direct download through http/ftp at http://ftp.ii.uib.no/pub/passwords11/.

At http://ftp.ii.uib.no/pub/finse2011/ you will find some video recordings from the NISNET winter school at Finse (Norway). They are pretty long lectures (several hours), but still worth watching, depending on your interests of course. :-)

FY! til FotoVideo!

Å komme inn på FotoVideo butikken i Oslo var en drøm. Profesjonelle folk som virkelig tok seg tid til å lytte til mine behov (om enn aldri så urealistiske), og forklarte meg om smått og stort før jeg tok mine valg. En butikk som virkelig kan anbefales! Det vil si... inntil jeg oppdaget at it-sikkerhet overhodet ikke er deres fag. Faktisk såpass ille at jeg velger å påpeke det gjennom en offentlig bloggpost, i den tro at det vil føre til raskere endringer enn ellers. Slemt? Ja. Nødvendig? Etter å ha tenkt over det en god stund.. JA.

Passwords^11 - Thank you all!

Oh boy, that was a *lot* of fun! Yes, I know I wouldn't probably say anything else since I was more or less the sole organizer of the conference, but I've received nothing but very positive feedback. Speakers and participants; all very positive and asking for another round. Here's my own summary of the conference, with some pictures, name dropping and loads of links you can click on. :-)

Padding_____Haystacks

@itinsecurity asked me for a blog post regarding Haystack, described as an interactive brute force search space calculator. Haystack comes from  from Gibson Research Corporation (@sggrc). I did retweet, asking @purehate_, @iagox86, @lakiw, @quelrods, @CrackMeIfYouCan and @d3ad0ne_  for their opinions as well. Since we're all above average interested in passwords, why not see if we have any opinions in common? :-)

Password T-shirts

James Nobis (@quelrods) asked me about my password related t-shirts at Passwords^11, ie if I had the designs available. Here are my own "designs" - it's just text - feel free to copy, print, use, sell as much as you like. :-) (Absolutely No Rights Reserved!)

Passord - 2 Eksempler til #DLD & Advarsel

7-8 Juni arrangerer jeg for andre gang det jeg tror er verdens eneste konferanse som utelukkende handler om passord og PIN koder, kalt Passwords^11. Dette gjøres i samarbeid med Professor Tor Helleseth ved Selmer senteret, Universitetet i Bergen, og med finansiell støtte fra NISNET (Fra Norges Forskningsråd). Din første tanke etter de to første setningene er kanskje "er det mulig?". Det er det, og det er en sikkerhetskonferanse som  er mer aktuell enn noensinne å arrangere. Her skal du få 2 konkrete eksempler fra min hverdag som forhåpentligvis aktualiserer konferansen også for deg.

Sony #PSN Password Resets: Inconsistent & Inadequate?

Sony's Playstation Network (PSN), has been offline for a long time. You know the reason for that by now. Following @mikkohypponen and others on Twitter, I saw that #PSN would open up again, territory by territory. I downloaded and installed the mandatory v3.61 update, eagerly awaiting some serious pwning in MW2:Black Ops again. Just had to change my password first, according to tweets and Sony themselves in a blog post. You know; for my own security. Thanks to Sony for taking care of me!

Passwords^11 - Program & abstracts are ready!

The program as well as abstracts for the academic talks at Passwords^11 are now available! I have added them to the registration blog post, or you can get them directly here: Program (pdf, 200kb), Abstracts (pdf, 172kb). I hope to see you at Passwords^11!

Dynamic Prevention of Common Passwords

Remember the 370 passwords you were not allowed to use on Twitter? If not, here's the story, as told by @TechCrunch. You have probably experienced - maybe even implemented - the same kind of static blacklisting in other online services, in your corporate network or at your personal workstation. I have. Doesn't really help much in the long run, unless blocking Conficker from gaining access (List by Sophos - @gcluley) is your ultimate goal. Here I suggest another and more dynamic approach to the problem of commonly used and eventually also bad passwords.

Consolidate my posterior...

While I was asleep...

As I'm sure many of you are aware of by now, Apple iOS 4.x contains a database file named consolidated.db, in which your every move (or at the very least, the movements of your device) are recorded. This, according to conspiracy buffs and privacy advocates, is done to make life easier for Gil Grissom or whoever your local CSI representative is. As an international black market arms dealer security professional, I've been curious about how useful the collected data really is, especially since a lot of the comments on the subject claims that the coordinates and time stamps are wildly inaccurate. So I decided to figure this out for myself, and proceeded to crank up Google Earth...

Security Think Tank

On Monday April 4, I did a presentation at the Scandinavian ISACA conference, held in Oslo, Norway. The title was "Board Member Security" (Link to Slideshare), and were part of the governance track. I will get back to the contents of the presentation later, first of all I would like to introduce the people behind the presentation.

Passwords^11 - REGISTER NOW!

Twitter hashtag: #passwords11

We are getting ready. You can now register for participation at Passwords^11, a 2-day conference on passwords & PINs. Free for all, at the University in Bergen (Norway), on June 7-8. Limited seats available. Quite possibly the very first-ever conference *only* about passwords & PIN codes! :-)

Sikkerhetsansvaret

Jeg er litt overrasket over at Janne Hagen i FFI på siste FFI-FORUM skal ha påpekt at vi har "...et fragmentert statlig ansvar for IT-sikkerhet" (NSM bloggpost, 1 April 2011. Tviler på det er noen aprilspøk). Jeg regner med hun da uttaler seg om den reelle etterlevelsen av sikkerhet i det offentlige, plasseringen av ansvar bør det da ikke være noen tvil om? Styrelederen heter Harald, adm.dir heter Jens, og generalforsamlingen heter Stortinget. De har ansvaret for sikkerheten.

The end of passwords

After more than 9 years of research on passwords, there is no doubt anymore: we should get rid of them. No, not by implementing any so-called alternatives such as biometrics or 2-factor token authentication. Be smart, use a blank password on your account. It's much easier, we can downsize customer support with at least 50%, it's completely free and every CFO will be ecstatic. Who would ever think that you would be so stupid to not use any passwords at all? Based on this, I will discontinue my research into passwords, as it is neither fun, interesting or useful anymore.

Security Gone South

I've been on vacation with my wife and our daughter for one week at Gran Canaria (Spain). The picture on the left here shows parts of the hotel we stayed at. The tour operator as well as the hotel name shall remain anonymous in this blog post, as I don't think my observations are unique for this hotel only.

Being on vacation doesn't mean leaving my interest in security & safety at home, hence this blog post.

Call for Papers: Passwords^11

"Passwords^10 is probably the best security conference I have ever attended"

- Note on evaluation form after Passwords^10, Dec 8-9, 2010

After a fantastic conference with 38 participants (!) in December last year, we have received many many requests from participants as well as others world-wide to do another conference on passwords only. So with the same close-to-zero budget as last year, I am happy to announce our Passwords^11 : Call for Papers!

Tell me your password...

And I'll tell you who you are, where you work, and what kind of work you do. Not that you would ever lie about your password of course. :-)

I saw an online article on March 4 at Computerworld Norway, entitled "Bryter seg inn i norske bedrifter" (Google translated to English). At a recent security seminar held by Norwegian ISF, a previous colleague of mine held an interesting presentation. Read the 2-page article at Computerworld first, notice some of the statements from Christian Jacobsen (now at Secode).

Pwnd. Again.

In October 2010 I wrote the blog post Can You See My Password? I wrote that as a result of a near-successful "hack" against me, and as part of a little "competition" I'm running with friends and colleagues. Unfortunately I have to write another post, this time stating the embarrassing fact: I GOT PWND. (again).

Oppdater din PC del 1 (Java)

Ovenstående bilde er tatt fra nettbanken min, men det kunne selvfølgelig vært tatt fra en rekke andre steder også. Det er nok av sikkerhetsfolk og andre som skriver og sier dette - du kan simpelthen ikke ha unngått å lese det. Men hva betyr det i praksis? Jeg skal lage noen enkle guider med skjermbilder for å forklare hva du bjør gjøre, og jeg begynner med oppdatering av Java Runtime Environment.

Far Out Dude!

This is a blog post specifically for Davey Winder (@happygeek), after I read your article "The password cracking software enigma". I came across the article through @WeldPond, who retweeted a message from @L0phtCrackLLC saying "so why is exposing weak passwords and weak hashing bad again?"

About Biometrics...

(ATM with vein scanner technology)

As mentioned earlier, I had the pleasure of attending the opening of the Biometrics lab at NISLAB, part of Gjøvik University College. I was invited by Professor Christoph Busch to participate in a panel discussion on biometric authentication. Now I am definitely not an expert on biometrics, but I believe I'm rather good at playing the role of being the Devils advocate. While on the train from Oslo to Gjøvik early tuesday morning (that's a 2 hour trip), I scribbled down some thoughts on Attacking Biometrics. Partially as a simple brain dump for myself, partially as a possible introduction from my side. After 10 slides I decided I had too many questions and concerns, but here are some simple questions.

Speaking & writing schedule

I am sorry for not doing any blog posts about my password research for a long time. I'll try to do something about that in the near future. I'm running my cpu's and gpu's at 100% most of the time, at least when I'm not doing analysis and charting and whatever... Anyway; here's a short update of what I've done and plan to do in the very near future.

Passwords^11?

Quick and dirty:
I've talked with Professor Tor Helleseth, and he's got a budget to sponsor another password conference. IF we do it, we'll have to do it before end of June 2011, according to budgets, grants etc. I've been asked to provide some suggestions for main topics that we can include in a CFP. I would like to know your opinion.

Facebook, sikkerhet og apper

Min kollega Terje Karlsen leste mitt blogginnlegg Bedre sikkerhet når du bruker Facebook, og sendte meg en kommentar på den. Etter avtale med Terje har jeg valgt å publisere hans kommentar som et eget innlegg, et innlegg som spesielt apputviklere til Facebook bør merke seg.

Bedre sikkerhet når du bruker Facebook

Endelig har den kommet. Muligheten for at jeg i Facebook innstillingene mine kan skru på valget for å alltid bruke Facebook via en kryptert forbindelse. En bitteliten endring med STOR effekt for ditt personvern og konto på Facebook. Dette bør du ta i bruk øyeblikkelig.

Jeg_VilVite!

Merk: VilVite har respondert på dette blogginnlegget, se kommentarer på slutten. Stor takk til god og rask respons fra VilVite!
Søndag 6 februar var jeg på VilVite senteret i Bergen, med min datter og en av hennes venninner. Et fantastisk sted for både store og små, med leker og aktiviteter av den typen som er både morsomme og lærerike. I tillegg har de alle en flott forankring i vitenskapens verden. Så gøy at vi forlengst har anskaffet oss årskort. Men så var det dette med sikkerhet da....

Høyre og #DLD

I anledning Nasjonal Sikkerhetsdag 2010 lanserte min arbeidsgiver en rapport om hvordan taushetsbelagt informasjon sendes ukryptert via e-post i Norge. Rapporten var utarbeidet av meg sammen med min kollega Jan Fredrik Leversund, og fikk tydelig oppmerksomhet i media. Nå er snart ett år gått, og spørsmålet kommer naturlig: Har det skjedd noe siden sist?

Now Recruiting: Password Mules!

The above announcement originates from a web forum where users submit password hashes for cracking. Other users reply with recovered passwords. Recovering your own? well, why not. Recovering 100 million? A reasonable question would be: Where did you get those? It's about time to talk about ethics.

No good security @StepStone Solutions!

ERRATA:

I've received a reply to this blog post by private e-mail (Thx Pål!), and I will update it to reflect the difference between the two separate companies StepStone and StepStone Solutions. Erroneous text/links has been changed to strikethrough italics, while new text is written in blue.

I got an e-mail just before the new year from noreply@easycruit.com, a service from StepStone StepStone Solutions. It reminded me that I hadn't changed or updated my CV in their database for 6 months. They recommended that I updated it, otherwise they would delete it in two weeks. The e-mail also gave me my current username and password - in cleartext:

(Forgive me for my censorship here :-) Click for full size. Text in Norwegian.)

Facebook places - ny runde med sikkerhet

I går, det vil si onsdag 5. januar, ble endelig Facebook "Places" tjenesten også tilgjengelig for bruk i Norge. Personverninnstillingene relatert til denne funksjonen har vært tilgjengelig lenge, men dagens lille test (skjermbildet over) viser at ihvertfall mange av mine kontakter enda ikke har endret på dette. Det må vi få gjort noe med.