Sunday, December 30, 2012

Passwords^12 - in summary

Yeah, I'm happy with that. :-)
Passwords^12 turned out to be an amazing event - although I'm not really neutral saying so.

Sorry for taking so long to come up with a few words after the conference. First there was the biochem warfare attack from you-know-his-name, then the total exhaustion after the conference, including video editing & uploading to YouTube & our media archive. I've been sleeping a lot during the past 2 weeks. :-)

Tuesday, November 27, 2012

Press Release: Passwords^12


World's best password hackers gather in Oslo, Dec 3-5


Bergen/Oslo, 27. November 2012
The world's best password hackers gather in Oslo on December 3-5 to speak & participate at Passwords^12, a 3-day conference ONLY about passwords & PIN codes. This is the first and only conference dedicated to research in an area that affects us all on a daily basis. The conference brings together an "all-star" team of international researchers, hackers, and security professionals. The conference aims to increase security, while simultaneously keeping and improving usability aspects for everyday users.

Press Release (Norwegian version): Passwords^12

The world's best password hackers gather in Oslo, December 3-5


Bergen/Oslo, 27 November 2012
The world's best password hackers gather in Oslo on December 3-5 to take part in Passwords^12, a 3-day conference exclusively about passwords and PIN codes. This is the world's first and only conference dedicated to research in a field that affects us all on a daily basis. The conference brings together an all-star team of international researchers, hackers and security specialists. The conference has a clear goal of contributing to a safer and simpler everyday life for us all.

Sunday, November 11, 2012

Secure access to public data

[Why censor or encrypt? It's publicly available anyway...]

Updated 4 April 2013: Gule Sider / Eniro fixed SSL and updated their apps long ago. Big thanks to them for their quick response to my contact + blog post.

This one is for you, Eivind, although I think others will find it interesting too. You asked me earlier whether I/we (www.vsc.no) had taken a closer look at the security of the most popular apps. We have looked at a number of taxi apps, and the results will be presented at the DND members' meeting in Bergen on 20 November. (The presentation will be made available afterwards.)

I installed the Gule Sider app for Android on my Samsung Galaxy SII a short while ago and got a bit curious about it. A little packet sniffing, a little reading online and a little comparison with other apps, and here are some simple observations, risks and recommendations:

Friday, October 26, 2012

Analysis of the Punto.pe Leak

That extremely frustrated feeling you get when you cannot crack 50% of a moderately large leak within minutes. When rockyou.txt only nets you 6,124 plains. When 1.2 billion words + 40,000 rules results in a paltry 24,000 plains. Oh, that frustrated feeling.

And let's not forget that "you have to be freaking kidding me" feeling you get when you realize that the dump you have been working with for 26 hours actually contains plaintext passwords for 70% of the hashes -- after you've already busted your ass to crack 81% of them. A mistake easily made when you hastily extract only the hashes from a dump, without bothering to look at the rest of the data.
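The lesson above is cheap to automate. The following is an added example, not the author's tooling: the real Punto.pe dump format and hash algorithm are not described on this page, so a colon-separated layout and a candidate set of MD5/SHA-1/SHA-256 are assumptions, and the sample dump is constructed. Before extracting hashes for a cracker, it hashes every other field on each row and reports how many of the hashes the dump already answers, leaving only the rest to crack.

```python
import hashlib
import re

# Constructed sample dump (user:hash:plaintext). Not the real Punto.pe data.
# Row "dave" has an empty password column that is a genuine plaintext (md5("")),
# row "erin" has an empty column that is not (her hash is md5("test")).
SAMPLE_DUMP = """\
# user:hash:password
alice:5f4dcc3b5aa765d61d8327deb882cf99:password
bob:e10adc3949ba59abbe56e057f20f883e:123456
carol:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8:password
dave:d41d8cd98f00b204e9800998ecf8427e:
erin:098f6bcd4621d373cade4e832627b4f6:
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hex digest lengths of the algorithms we try; an assumption for this example.
ALGOS = {32: ["md5"], 40: ["sha1"], 64: ["sha256"]}


def parse_dump(text, sep=":"):
    """Split the dump into rows of fields, skipping blanks and '#' comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(line.split(sep))
    return rows


def looks_like_hash(field):
    return len(field) in ALGOS and HEX_RE.match(field) is not None


def triage(rows):
    """Return (hashes_to_crack, recovered, algo_counts).

    A hash is 'recovered' when another field on the same row hashes to it under
    one of the candidate algorithms; recovered maps hash -> plaintext."""
    to_crack, recovered, algo_counts = [], {}, {}
    for row in rows:
        for i, field in enumerate(row):
            if not looks_like_hash(field):
                continue
            h = field.lower()
            found = None
            for j, cand in enumerate(row):
                if j == i:
                    continue
                for algo in ALGOS[len(h)]:
                    if hashlib.new(algo, cand.encode()).hexdigest() == h:
                        found = (cand, algo)
                        break
                if found:
                    break
            if found:
                recovered[h] = found[0]
                algo_counts[found[1]] = algo_counts.get(found[1], 0) + 1
            else:
                to_crack.append(h)
    return to_crack, recovered, algo_counts


def plaintext_coverage(rows):
    """Fraction of hashes the dump itself already answers."""
    to_crack, recovered, _ = triage(rows)
    total = len(to_crack) + len(recovered)
    return len(recovered) / total if total else 0.0


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    to_crack, recovered, counts = triage(rows)
    print("already in the dump:", counts, "coverage %.0f%%" % (100 * plaintext_coverage(rows)))
    print("still need cracking:", to_crack)
```

Run it on the real dump before anything else; the hashes it prints as "still need cracking" are the only ones worth feeding to hashcat or JtR, and the recovered plaintexts double as a wordlist and rule-tuning corpus for those.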

Saturday, October 20, 2012

Rosing IT Security Award finalist 2012

[Oh yeah, you can zoom in on it!]
This is my proof of being not only nominated, but also ending up as one of three finalists for the Rosing IT Security Award in 2012, presented by the Norwegian Computer Society. On Thursday, Oct 18, the winner was announced at their annual conference, with Gjøvik University College (HiG) as the winner. Very few individuals have been nominated for the award since its inception in 2002, and I am incredibly proud to be one of them. I am also very happy to congratulate all the excellent people I know there: Christoph, Tone, Morten, Patrick, Kirsi, Nils and others as well. I really look forward to our continued cooperation!

Criteria for the award (Google translated text):
The prize will be awarded to businesses in Norway, or in special occasions to individuals. The receiver will in a positive way - directly or indirectly - have contributed to increased information security and IT security. The contribution may be through dissemination, training or awareness-raising activities, by promoting innovative thinking or to have developed and implemented appropriate methods, standards, concepts, technologies or services that have provided great merits - or otherwise have contributed to this.

Monday, October 01, 2012

New PGP key

I've created a new GPG key with KeyID 7861BC12. Synced to keyserver.ubuntu.com, pool.sks-keyservers.net, keyserver.pgp.com and keys.gnupg.net. It even includes a picture. You can get it here.
My old key (KeyID D0D0AEF6) has been set to expired.

Tuesday, September 25, 2012

New round: Anonymous surveys

[Spam or genuine? Actually hard to tell...]
Dear Eurocard. I use your services. You have some excellent security solutions that I have used as "textbook examples" in several talks where usable security has been an important point. There you score high. Unfortunately you fall completely through when you (?) send out surveys like the one I received, pictured above.

Friday, September 21, 2012

Java patching in Norway

Friends don't let friends run Java.
[Java. You don't have to like it, but unfortunately you have to have it in Norway.]

Marie Moe at NorCERT is surprised when Digi.no tells her that figures from the security company Mnemonic show that 78% still haven't upgraded their Java software to the latest version. The latest version is considered secure as of today, in the sense of "no publicly known vulnerabilities as of today".

She shouldn't be surprised.

Saturday, September 15, 2012

Elcomsoft, UPEK & more


[That was one *awesome* passphrase! :-)]

Elcomsoft has announced that certain versions of the fingerprint software Protector Suite, made by UPEK (now part of Authentec), store your Windows password in a 'scrambled' format in the registry. This gives an attacker, through different entry points, easy access to a user's Windows password. I have no reason not to believe Elcomsoft's claims, but UPEK/Authentec seriously disagrees. In the middle of this I happen to have some questions, and an opinion regarding biometric software today.

Sunday, September 09, 2012

Spying on ex-employees & others using Computrace

[Hi, and welcome to 1984!]
The Norwegian Data Protection Authority (Datatilsynet) has strict guidelines on the use of tracking software & hardware that enables position tracking of people. Easily summarized: a user has to agree to being tracked (in writing), and can withdraw his/her consent at any time. The consequence of not agreeing to be tracked may of course be denial of access to the service in question, etc.

In Norway it has become pretty common that employees get to keep their laptop & smartphone when leaving a company due to downsizing. Enter the problematic world of asset tracking & inventory software hardcoded into your system BIOS.

Sunday, August 26, 2012

Windows 8 Password Security

[Retro-style static boot splash graphic in Windows 8.]
I installed Windows 8 Consumer Preview (and some earlier versions as well) into a VM so that I could have a look for changes in password security. After quite a few screenshots etc. from CP, I decided to wait for RTM, so that I wouldn't have to write an entirely new post if there were major differences. I'm happy I did that. Let's take a look at what we get with Windows 8 in terms of password security.

Monday, August 06, 2012

Preliminary speaking schedule

Just a few links to conferences/events where I will be presenting during the next couple of months:

--
I will be speaking together with my friend Erlend Dyrnes about "social & mobile (in)security" in Haugesund (Norway) on Thursday, 8 August. Co-located with a subsea conference, this security conference is primarily targeted at companies within the Norwegian/international offshore/subsea operations market. Program and more info here: http://www.uop-sikkerhet.no/?page_id=159
--
I will be speaking at a breakfast seminar held by my employer EVRY in Grenland (Porsgrunn, Norway) on Thursday, 23 August. I will be focusing on mobile security issues here as well, with some legal concerns applicable specifically to Norway to top it off.
--
On September 3-5 it is once again time for the annual ISF autumn conference (Program info in Norwegian), where I will give my full story on what happened before and after the story appeared *everywhere*
--
...And I just might also appear at my employer's annual EVRY INSIGHT conference in Tønsberg, September 19-20.
--
On September 26-27 the beautiful Hotel Alexandra in Loen will be the arena for the annual IT-forum conference. I will do a keynote there, with the conference using "BYOD - chaos or success?" as this year's headline.
--
More to come - and then there's Passwords^12 in December!

----------------

And that was the not-so-important news today. Go Curiosity!

Friday, August 03, 2012

Vacation Observations

[Panorama view from a mountain top near Puerto De Pollensa, Mallorca]

Ahh... Vacation... Those days of the year where infosec professionals get some time to glimpse into another parallel world, by some... wives... referred to as "the real world". Anyway; I like to take a look around, even when I go on vacation. Here are a few security observations made this summer.

Saturday, June 30, 2012

The Final Word on the LinkedIn Leak


As you are undoubtedly aware of by now, two weeks ago the professional networking site LinkedIn became the victim of a rather unfortunate mishap: they sprung a little leak, and 6.4 million password hashes trickled out onto the internet. And in those two short weeks, hundreds of security experts the world over, all of various backgrounds whose hats range from white to black, have been feverishly clawing their way through that list in an attempt to crack all 6.4 million passwords. However, few have made more progress in their pursuit than my associate d3ad0ne and me.

Thursday, June 28, 2012

Linkedin Password Infographic

[ Oh yeah, you can click it for *full* size! Free to use, please show credits. ] 
  
Jeremi Gosney (@jmgosney) has done a terrific job on cracking the LinkedIn hashes. In fact, he has cracked some 90% of them now. So I asked Jeremi if I could ask one of my UX colleagues to try to make an infographic, and he happily agreed. The result can be seen in all its glory in the supersize infographic above (print it if you like!)

Wednesday, May 30, 2012

Analyzing PIN codes

[ A load of PIN codes visualized ]
You can click the image above to see it full size. It is a heatmap generated by us (@KluZz and myself), and the data are 4-digit PINs extracted from a physical access control system. According to the system operators, more than 50% of the PINs are believed to be selected by the users themselves, while the remaining ones are randomly generated by the system when a new 'user' is created and physical card is issued. The complete data set includes PINs for guest visitor cards etc.
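What sits behind a heatmap like that is a 100x100 grid: row = first two digits, column = last two, each cell counting how often that PIN occurs. As an added example, not the authors' heatmap code, here is that construction in Python. The real data set is not on this page, so the PINs are constructed: a handful of over-represented human choices plus a deterministic filler sequence standing in for the system-generated PINs. The concentration metric at the end is one way to gauge the "more than 50% self-chosen" claim: with far fewer samples than 10,000, genuinely random PINs almost never repeat, so the share held by the top few values should sit near n/len(pins).

```python
from collections import Counter


def sample_pins():
    """Constructed stand-in for the access-control export: a few heavily reused
    human choices plus 300 distinct filler PINs (i*7919 mod 10000; 7919 is
    coprime with 10000, so the 300 values are distinct)."""
    chosen = {"1234": 15, "1111": 9, "0000": 7, "1984": 5, "2580": 5, "1212": 4}
    pins = [pin for pin, n in chosen.items() for _ in range(n)]
    pins += ["%04d" % ((i * 7919) % 10000) for i in range(300)]
    return pins


def is_pin(value):
    return len(value) == 4 and value.isdigit()


def pin_grid(pins):
    """100x100 heatmap cells: grid[first two digits][last two digits] = count."""
    grid = [[0] * 100 for _ in range(100)]
    for pin in pins:
        if not is_pin(pin):
            raise ValueError("not a 4-digit PIN: %r" % pin)
        grid[int(pin[:2])][int(pin[2:])] += 1
    return grid


def coarse_grid(grid, block=10):
    """Collapse the 100x100 grid into 10x10 blocks (first digit x third digit),
    which is readable as text and still shows the hot zones."""
    size = 100 // block
    out = [[0] * size for _ in range(size)]
    for r in range(100):
        for c in range(100):
            out[r // block][c // block] += grid[r][c]
    return out


def render(coarse):
    """ASCII rendering of a coarse grid, one row per leading digit."""
    return "\n".join(" ".join("%4d" % n for n in row) for row in coarse)


def top_pins(pins, n=5):
    return Counter(pins).most_common(n)


def concentration(pins, n=10):
    """Share of all PINs held by the n most common values. For random PINs with
    len(pins) << 10000 this is roughly n/len(pins); much higher means people."""
    return sum(count for _, count in top_pins(pins, n)) / len(pins)


if __name__ == "__main__":
    pins = sample_pins()
    print(render(coarse_grid(pin_grid(pins))))
    print("top:", top_pins(pins))
    print("top-6 share: %.3f (random baseline %.3f)" % (concentration(pins, 6), 6 / len(pins)))
```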

According to Norwegian privacy laws, we didn't request and didn't get any ownership information on each PIN, so they cannot be traced back to individual users.

Now you may ask why did we do this?

Monday, May 21, 2012

Live Memory Password Acquisition

[ Screenshot of Passware Kit Forensic ]
Congratulations to Passware on their newest release of Passware Kit Forensic, now at version 11.7. This new release brings "instant" decryption of Microsoft Office 2007-2010 password protected documents through memory analysis, as well as some other interesting new features. I am quoted in their press release, available here (PDF): http://www.lostpassword.com/pdf/pr-120521.pdf

Let's take a look at these new features from a threat/risk perspective:

Saturday, May 19, 2012

Note to self: Inception + Ubuntu 12.04LTS

If you want to get inception up and running on (default config) Ubuntu 12.04LTS, you should expand your dependencies installation like this (adding juju, doxygen and g++):

sudo apt-get install git cmake python3 doxygen g++ juju


Now go ahead with the rest of the installation. :-)

Thursday, May 10, 2012

Ban on skimming equipment

[Click the image for full size]
The title of this blog post + the image above should be a good indication of what this post is about. If I add the amendment to § 186 of the Penal Code, as announced in press release 151-2010 from the Ministry of Justice and Public Security on 10 December 2010, we get even closer.

Monday, May 07, 2012

Challenge received

[Picture from lego.com - I'm a Star Wars fan!]

"Accept the challenge I do, your Highness". (Yoda, Star Wars)

Kirsi Helkala gave presentations at both Passwords^10 and Passwords^11. Her work on passwords is fascinating; she is now working as an associate professor at Gjøvik University College in Norway. See her list of publications to understand what I'm talking about. She has given me a challenge - nine in fact - all being unsalted MD5s. I need help! :-)

Shame on Adecco!


Last week I was perhaps a little blunt when I posted a message on Twitter about Adecco (Norway), with a link to test results from SSLLabs. Let me say right away that @AdeccoNorge has responded, so I assume they are taking this seriously.

Saturday, May 05, 2012

Countermail - protecting your privacy?


Due to some media coverage lately, I got curious and had to take a look at the Swedish service Countermail. It seems to go far and beyond services like hushmail in order to protect your privacy, at least that's my impression from their service description. Not that I have a habit of trusting marketing talk of course, but they do have some pretty tough claims at their site.

Now I do like to look for logical errors, mistakes etc., but I am not a pentester anymore. I'll leave Backtrack and that sort of stuff to the younger generation. :-) So here are just a few simple comments on their service offerings, after playing around for an hour or so:

Monday, April 23, 2012

Note to self: Google Authenticator + oneiric

Install the Google Authenticator app on whatever device you prefer.

Then do this on Ubuntu 11.10 (oneiric):
git clone https://code.google.com/p/google-authenticator/

install the libqrencode library
install libpam0g-dev

cd google-authenticator
sudo make install

run google-authenticator
Time-based tokens: Y
Scan the QR code shown on screen with your authenticator app
Update .google-authenticator file: Y
Disallow use of the same authentication token: Y
Increase window for time-skew: N
Rate-limiting: Y

insert "auth required pam_google_authenticator.so" into your /etc/pam.d/sshd file
make sure /etc/ssh/sshd_config has ChallengeResponseAuthentication yes, otherwise sshd never asks PAM for the code
sudo restart ssh

Keep your existing ssh session open until a fresh login with the code has worked.

go.
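What the app and the PAM module agree on is RFC 6238 TOTP: HMAC-SHA1 over a 30-second counter, truncated to 6 digits. The following is an added example in Python, not code from the original post or from the google-authenticator project; it uses the RFC 6238 test key as an assumed secret, base32-encoded the way the setup tool stores it in ~/.google-authenticator, and the verifier class mirrors the two answers given above (one-time use of a token, and the default window of one step either side when you answer N to widening it).

```python
import base64
import hashlib
import hmac
import struct

# Assumed shared secret for this example: the RFC 6238 SHA-1 test key
# "12345678901234567890", base32-encoded like the ~/.google-authenticator file.
# Not a key from the original post.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP as Google Authenticator computes it:
    HOTP with counter = floor(unix_time / 30)."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check mirroring the setup answers above: accept the
    current step plus one step either side (the default skew window), and
    never accept a token for a step that has already been used."""

    def __init__(self, secret_b32, window=1, step=30):
        self.secret_b32 = secret_b32
        self.window = window
        self.step = step
        self.used_steps = set()  # steps whose token has already been accepted

    def verify(self, token, unix_time):
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter in self.used_steps:
                continue  # replay of an accepted token: "disallow reuse"
            if hmac.compare_digest(hotp(self.secret_b32, counter), token):
                self.used_steps.add(counter)
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 code is 94287082,
    # so the 6-digit code the app shows is 287082.
    print(totp(SECRET_B32, 59))
```

The reuse set is what makes a shoulder-surfed or sniffed code worthless after its first use; the real module persists that state in the ~/.google-authenticator file, which is why the setup asks whether it may update it.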

Tuesday, April 10, 2012

Passwords^12 : Call for Presentations


[Still haven't asked anyone to make a  logo...]

CALL FOR PRESENTATIONS IS NOW CLOSED.
PRACTICAL INFO HERE.


For the third year running, I am happy to once again announce a Call for Presentations for Passwords^12.

Passwords^12 will be held at the University of Oslo (Norway) on December 3-5, 2012. The 2-day conference will be free and open for anyone to attend. Please do note that our primary audience will be academics and security professionals with deep technical knowledge. This is a conference with international speakers and participants, presenting fresh ideas and innovative research in an area that affects us all.

Saturday, April 07, 2012

Improving Password Meters



I've cried and cursed over password meters earlier. Twice actually. I've been planning to do it again too, just haven't found the time yet. (Volunteers?)

Then this site appeared in my Twitter stream - HowSecureIsMyPassword.Net - and I soon got in contact with Mark (@smallhadron). A few e-mails, broken promises on my side about supplying some constructive criticism, etc., and here I am. Sorry Mark, but finally I couldn't keep these ideas in my head any longer, so here you are. I still hope and believe this can be of interest to you, as well as anyone else considering making their own password metering software. :-)

Thursday, April 05, 2012

It all started with a hash

[ Lots of clipart available. I did my own this time. ]

This is a "Thank you all!" blog post, that will also provide something useful. At least; I hope so.

Not long ago, I found myself involved in a penetration test against an episerver installation. Working with my security colleagues @jabjorkhaug and @KluZz, we got access to some password hashes and their respective salts. Unfortunately the hash and salt values didn't look like those shown in the episerver patch for JtR by Johannes Gumbel in 2008. And here our quest began.... :-)

Wednesday, March 28, 2012

Important update - Adobe Flash Player


Adobe has released a critical update that should be installed immediately, as it fixes critical security weaknesses, and it also comes with an option for automatic updating.

In plainer terms: an important update has been released for a small add-on program on your computer, and it should be installed as soon as possible. This add-on is what lets you see e.g. advertising and videos on a large number of websites, and it is used almost everywhere. This update also adds a feature that means you no longer need to think about updating it manually; it will happen automatically and without you noticing.

PS: at work, your IT department probably handles this for you automatically!

Here is the step-by-step guide to installing the update:

Friday, March 23, 2012

Note to self: Ubuntu 11.10x64 + Nvidia

Install Ubuntu 11.10 x64 with all updates
sudo apt-get install gnome-panel (Unity be gone!)
Logout and pick gnome on login
Add https://launchpad.net/~ubuntu-x-swat/+archive/x-updates to software sources
sudo apt-get update
enable Nvidia hardware driver in hardware drivers
reboot
Install Virtualbox 4.1.x (problems with the guide at virtualbox.org on adding repository)
Go cudaHashcat*, Multiforcer & John.
Restore normal room temperature.

Wednesday, March 14, 2012

BYOD - have you read the fine print?

This is an exciting blog post about the Data Protection Authority's comments on chapter 9 of the Personal Data Regulations.

At some point back in time I sat at a college together with sturdy people in green, and there I read, among other things, the Security Act and selected highlights from the Penal Code. The reading didn't stop there, and to use a well-worn expression: the devil is in the details.

Thursday, March 01, 2012

Pwnd. Again. And again.

[My colleague Jørgen, putting up his best smile after a successful PWN of me]
This short notice is to acknowledge the fact that I got Pwnd. Again. I'm experiencing that at a rate of <=2 per year. Not good, but then again; I don't think that's too bad, considering the fact I'm actually inviting people to test me. You can see my previous blog posts "Can you see my password?" and "Pwnd. Again." for more information about previous (successful) attempts, as well as competition rules. :-)

Sunday, February 12, 2012

Activesync and FIPS 140-2 part 1

Perhaps the best Dilbert/Mordac ever...?
I am not Mordac. I can admit being a bit similar to Mordac once upon time, but that is a looong time ago. I'll bet I can get somebody to confirm it, at least if I get to "talk" to them a little bit before you do. ;-)

Seriously, I've been doing some testing with Microsoft Activesync in order to find some common ground across iOS & Android for setting a "good practice" password policy level. After spending some time on this, I think Mordacs work at Apple & Google. I also think that Mordac was involved in the creation of FIPS 140-2, at least when somebody thought it would be a good idea for mobile devices.

I'll explain that later on, but first 2 simple things to remember here:
1. A default policy, no matter which product, should never be considered "secure" or "good enough".
2. I say Good Practice. "Best practice" cannot be proven legally, period. There is a legal difference here.

Monday, February 06, 2012

STARTTLS & the Police

[Kids say the darndest things...]
The FBI got "hacked" by Anonymous (NYTimes), who eavesdropped on an international telephone conference about criminal activities by Anonymous. The hack wasn't all that sophisticated (...), since they probably got access to the meeting invitation sent by e-mail (pastebin), which contained all the necessary info. Just a few tips here for those interested:

Simple Security Usability part 1


[Grabbed from Microsoft. Too lazy to make my own. Sorry.]

Try searching Google for pictures related to "security usability". You will find quite a few pictures similar to the above.

Is that really the simple - and stupid - truth? Does it always have to be like that? I'd like to fight against some misconceptions in the area of security vs usability. Here's a very simple example; improving security by simplifying usability.

Friday, February 03, 2012

Minimum Password Length POO

[Picture from fileformat.info, showing U+1F4A9]
Looking at the wonderful new character named "Pile of Poo" in Unicode 6.0 (not 6.1, as re-tweeted by many...), I think my spontaneous competition on Twitter on Jan 31 became even more fun to write about now. While I still owe you loads of opinions for/against periodic password changes, I'll drop this one as an input to the "minimum length" discussions as well.

Tuesday, January 31, 2012

How to become a money mule


Here is a fresh example of how crooks try to recruit Norwegians to act as "money mules", or pengemuldyr as we write it here at home. A money mule is a person who knowingly or unknowingly helps foreign fraudsters with illegal money transfers. This is often done by the "mule" receiving money into their own bank account and then withdrawing it in cash as soon as possible. The mule then goes to another bank, a specialised company or a private individual for that matter, and transfers the money (minus a commission for themselves) to a foreign recipient.

Tuesday, January 24, 2012

Comment: securing the iPad

Hans Petter Nygård-Hansen has written a very good blog post titled "11 tips for working securely on your iPad". I would absolutely recommend everyone with an iPad (or iPhone for that matter) to read it. It is well worth it, and it is not only relevant for those who use their iPad for work.

I just want to add some small comments and tips for those who want to implement these recommended measures:

Sunday, January 22, 2012

Password Change Frequency

(Picture of Cliff Stoll, linked from Berkeley website)
Professors are nice people. Seriously. They can be a challenge too, as I got to experience firsthand during my 3.5-hour lecture on password security at the NISNET winter school, 22-27 May 2011. Paranoid as I am, I even suspect two of them of agreeing to a secret pact to have some fun at my expense. ;-)

Note: I started writing this blog post in May 2011. Dropped some of my ideas, and have spent another 8 months to think, read and discuss the issues of password change frequencies. Now, at the time of publishing, I still haven't made up my mind. The "simple" question of How often should I change my passwords? isn't all that easy to answer.

Tuesday, January 10, 2012

Passwords^12

(Picture is (C) KluZz - aka my friend/colleague Jan Fredrik Leversund)
I have received many questions about the first two Passwords^XX conferences, which I arranged in cooperation with professor Tor Helleseth at the university here in Bergen, Norway. The most frequent question after Passwords^11 in June 2011 is of course "when and where will the next conference be?". So here is some preliminary information from me, as well as a quest for sponsors for doing the conference somewhere in the US as well! :-)

Friday, January 06, 2012

Errata for Errata security

Sorry about the title, best I could come up with late at night.

The blog post Passwords: uniqueness, not complexity from Robert David Graham (@ErrataRob) at Errata Security isn't bad, but it is not all that good either. Based on the recent - should I say ongoing - breach of #stratfor, Robert recommends unique passwords instead of having complex passwords. I would ask "why not both?". Let me explain...

Monday, January 02, 2012

Short comments on #STRATFOR

Lots of articles popping up on the #stratfor leaks all over the web. Some good, some not that good. Just a few comments from me, until I eventually get the time to do a bigger blog post on the subject.