Monday, November 04, 2013

PasswordsCon Bergen - practical info

Alrighty, less than a month until PasswordsCon in Bergen, Norway!

Just some quick & practical information for those travelling from far away here:

Hotels

Most hotels in the city center will represent walking distance (15-30 minutes tops) to our venue.

Recommended hotels (preferred order, based on proximity to city center):


Radisson Blu Hotel Norge (absolute city center)
Clarion Collection Hotel No 13 (absolute city center)
Thon Hotel Bristol Bergen
Rica Travel Hotel Bergen
Grand Hotel Terminus (has one of the best Whisky bars in northern Europe)

I recommend looking them up on ww.tripadvisor.com, but do check out their prices directly from their home pages, as that just might give you the best price after all, without all the low price restrictions. All these hotels are very close to each other, making it easier to go out during the evening and find your way back home late at night. :-)

Depending on your arrival (saturday or sunday), I'll be able to show you & others around the city, including a visit to the top of 1 or more of the 7 mountains surrounding the city. Prepare for a bit colder and rainier environment than ... well... wherever. :-)


Wednesday, October 02, 2013

CFP: Passwords^13 (PasswordsCon), Bergen, Dec 2-3

PasswordsCon
December 2-3, 2013
Bergen, Norway

CALL FOR SUBMISSIONS
====================================

Per Thorsheim, with the support of FRISC (www.frisc.no), the University
of Bergen and Stricture Consulting Group, organize PasswordsCon,
the fifth edition of a technical conference only devoted to passwords
and related authentication methods.

Passwords are the most common authentication method on internet services
and on computers in general, regardless of their form factor (desktop,
laptop, tablet, smartphone, etc.).  Dissatisfaction with the robustness
and usability of current approaches has motivated the previous editions
of the Passwords conference, and more recently prompted the organization
of the Password Hashing Competition.

The purpose of PasswordsCon is to gather leading researchers in
passwords security and authentication methods in general, so as to best
understand the challenges posed and to address them adequately.

Details on the conference as they are ready will appear at our website:
passwordscon.org

Sunday, September 22, 2013

Seriously RapidSSLOnline....

RapidSSLOnline sends out HTML formatted emails for certificate renewal containing a direct SSL login link to your account, for easy renewal (or change/delete) of SSL certificates.

Hmm.. And I actually thought that sending out direct login links by clear-text e-mail was a bad idea....

Seriously?

Important update: my link + title initially pointed at RapidSSL.com, while the correct should be RapidSSLOnline.com. Big thx to Tom Willows for correcting me!

Wednesday, September 18, 2013

Bring CRM - og Thon Hotels


Jeg er medlem i fordelsprogrammet til Thon Hotels, på linje med flere andre hotellkjeder. Mulighetene for en "gratis" overnatting er fristende nok. Regelmessig har jeg mottatt min bonusoversikt på epost, sammen med diverse tilbud for å få meg til å bruke både poeng og penger.

Jeg irriterte meg imidlertid fra første mail, som hadde ovenstående skjermbilde som innledning i hver eneste mail. Poeng til deg om du skjønner hvorfor allerede nå.

Saturday, September 14, 2013

Facebook Promoted Posts


Passwords^13 in Las Vegas was exceptionally great. I may not be totally neutral when saying so, but after the conference and putting the videos online, I wanted to try out Facebook Promoted Posts. I was deeply disappointed. Here's why.

Sunday, September 01, 2013

Quick look: PIXELPIN

A quick look at:

PixelPin says on their front page:

"Passwords are inherently flawed: they can be phished, hacked, dictionary attacked, and good ones are hard to remember. PixelPin solves all of these problems."
You really can't waive a bigger piece of red cloth in front of my eyes, so I had to take a quick look at what they have to offer. I like the idea of picture passwords, but I'm not all that happy about my observations here.

Thursday, August 22, 2013

Hvilken sikkerhet tilbyr partiene på sine nettsider?

Jeg har tidligere kritisert partiene Venstre og Høyre for dårlig e-post sikkerhet (Aftenposten). Jeg har også tidligere blogget om temaet sikring av e-post. Den svenske tjenesten Countermail som skal tilby spesielt høy sikkerhet for e-post har jeg også kikket på tidligere.

Som en oppfølger nå i valgkampen ble jeg trigget av ønskene om nye medlemmer og ikke minst penger for å bidra til valgkampen for de ulike partiene. Da jeg har jobbet i snart 20 år med informasjonssikkerhet og Internett, så tok jeg en titt på partienes nettsider for å se hvordan sikkerheten var der.

Resultatet var overraskende, og svært skuffende. Resultatet kan du lese hos Aftenposten på nett.

Svarene er som forventet, men like fullt positive: partiene akter å rydde opp. Jeg kommer til å følge dem opp på det løftet.

Sunday, August 18, 2013

Noen ting tuller man ikke med.


Noen vil kanskje ikke tro meg når jeg skriver dette, men jeg forsøker altså å tenke meg godt om før jeg twitrer, blogger, poster, ringer, mailer, liker, retweeter eller uttaler meg til media. Jeg vet utmerket godt at jeg kan være fleipete og krass i formen. Tro meg, det er tidvis veldig bevisst.

Like fullt er det en del ting man ikke tuller med. Her er en anonymisert historie om det.

Thursday, June 27, 2013

Våre Offisielle Kanaler

Denne teksten ble først publisert som en kronikk hos Computerworld Norge 26.06.2013.


Da Evernote med sine 50+ millioner brukere ble hacket i mars i år, benyttet de en ekstern partner for å varsle sine brukere via epost. Evernote ble i løpet av få timer oversvømmet med meldinger fra brukere i ulike kanaler,  med rapporter om et mulig storstilt phishing angrep. Årsak?  De hadde mottatt mail som ikke kunne spores tilbake til Evernote som avsender, alt kom fra en ukjent tredjepart. Det fantes ingen informasjon på nett hos Evernote som opplyste om at de brukte denne eksterne leverandøren.

Monday, June 17, 2013

We are here.

Dear anyone who operates websites & services online, who operate in various channels to keep in touch with your customers: PLEASE give me easy options for verifying that you are actually... you. If you dont, it is very easy for paranoid people like me to disregard almost anything appearing as "you" as phishing or malware attempts.

Thursday, June 13, 2013

New video: Configuring strong & memorable PIN codes on your iPhone


Ok, so I've reached the point where I had to make this video. There are just way too many people out there who believe a 4-digit PIN is the only "passcode" option available on their iPhone, iPod & iPad. It's not.

Using a password on a (small) mobile device can be a pain in the ass, but you can still use a "password" to unlock your device. Watch this video to see how I create and use a longer PIN code, while making it very simple to remember.

- Stronger PIN code
- Easy to enter
- Easy to remember

What else do you want? :-)

Sunday, June 09, 2013

Sikker politisk epost

Valgkampen er i gang, ingen tvil om det. Partiene og ikke minst partilederne er godt i gang med taler, ønsker, kritikk av sine opponenter og ikke minst mange lovnader med forbehold.

Nå har en "overvåkingsskandale" slått ned i USA, allerede behørig dekket av media og kommentert også her hjemme.

Her er et lite tips til programpartiene som hverken er populistisk, politisk farget eller kontroversielt: gi oss sikrere kommunikasjon ved bruk av epost i offentlig forvaltning. Det er blant de svært enkle tiltak å gjennomføre, det krever ingen gigantiske IT-prosjekter, og det er ingen alternativer å vurdere utover Ja/Nei.

Thursday, May 23, 2013

Passwords^13

YES, IT'S HAPPENING!

Las Vegas. July 30-31. Same time as Blackhat, overlapping slightly with BsidesLV and a few days before Defcon, where our friends at Korelogic will be running the annual CrackMeIfYouCan competition once again.
But please, do visit passwordscon.org to learn more. Call for presentations, venue, registration, SPONSORING.... My friend & password cracking partner Jeremi Gosney of Stricture Consulting Group runs the page, and does a fantastic job of "local" organization in the US / Las Vegas.

I hope to see you there! :-)

Password Crackers Hierarchy of Needs

[Click for full size]

Why SMS 2FA Twitter, WHY?

Dear Twitter,

Congratulations on adding 2-factor authentication, or "login verification" as you have named the baby. It's way overdue imho. With me being 1) one of those critizizing you for being slow with introducing 2FA, and 2) one of those who can't get it quite yet (As Norway and all telcos here doesn't exist in your settings universe quite yet), I do have some questions for you.

Friday, April 26, 2013

Cryptonerds PINs


I'm at Finse1222, attending the annual FRISC Winter School 2013. I did an evening talk (PDF) tuesday, first part about legal issues with Bring your Own Device & Mobile Device Management, second part about some random thoughts  on passwords & PIN codes. Primarily to catch some interest from the audience of PhD students and professors, most of them within infosec/crypto at academic institutions from around the world.

Based on questions and some extra interest from Andrey Bogdanov and Sondre Rønjom, the three of us decided to do a little experiment. Here are the results. :-)

Saturday, April 06, 2013

Will 2F weaken 1F?

"Well, Per isn't exactly a rocket scientist, and I have to help him with anything from shoelaces to toilet visits, but he is a KEEN debater in Internet forums..."
Ok, so this is one of those blog posts were I have spent a long time thinking about the topic, but I haven't spent much time preparing and writing it. After my tweet  here on a slow saturday afternoon, @marshray and @adamcaudill responded, and suddenly it was time to do this blog post, asking would the introduction of 2-factor authentication in an organization weaken the "something you know" part at some point?

Wednesday, March 06, 2013

HOWTOFAIL: ENTERCARD

[This is bad, and this is just the beginning of this blog post...]

Update March 29, 2013: SSL config is now at grade A! Congratulations!

Remembercard 
(brandname) is issued by Entercard, a joint venture between Swedish Swedbank and Barcleys Bank Plc. The irony of a credit card company not having a PCI-DSS compliant website is amazing. The lack of knowledge concerning users' selection of PIN codes is obvious, the lack of proper security for e-mail based marketing is shocking.

I hope this blog post will be read, understood and acted upon properly ASAP by those in charge.



Tuesday, February 19, 2013

Step 1: Securing My E-mail


The hacking of Mat Honan scared me. A lot. While there was no "advanced hacking" involved, the attackers found data across multiple services, which when combined enabled them to gain access to one service after another through password resets.

It really made me think about my own mail accounts (I've got quite a few of them), and how they are secured. I didn't really know, so I thought I should have a look. This is part 1. With more to come, this is my summary here. Make a guess for which one I prefer here:
[Click for full size]

Wednesday, February 13, 2013

Kjære Dataforeningen

Kjære Dataforeningen.

I dag skulle jeg melde meg inn i Dataforeningen. www.dataforeningen.no, og linken "Bli medlem".

Første observasjon: Linken går til en HTTP side. Ved å taste inn https i adressen kommer jeg til samme siden, men denne gang slik det skal være med HTTPS.

Det stopper dessverre ikke der, og det jeg ser er dårlig praksis. På grensen til ren slurv, eller en webtjeneste som er forsømt i mange år på driftssiden er min påstand.

Thursday, January 31, 2013

Kjære BankID

Vi er nok ikke verdens beste venner, jeg er smertelig klar over det. Bruken av Java, sentrallagret PKI som strider mot etablerte prinsipper, BankID på mobil som bare fungerer med noen operatører & modeller, samt diverse andre problemer... jeg nevner i fleng.

Likevel er jeg frekk nok til å komme med et veldig enkelt endringsforslag som kan gjøre brukeropplevelsen *litt* bedre ved innlogging i nettbank fra PC.

Thursday, January 24, 2013

Skryt til blogg.no

[Logo elegant kopiert rett fra blogg.no...]
Updated post - english summary at the bottom.

"Jeg er streng, men rettferdig."

Ordene sitter fortsatt spikret, over 20 år etter rekruttskolen. Fantastisk troppsjef, og jeg forsøker å leve opp til de ordene. Nå skal jeg gjøre noe jeg ikke har gjort før: jeg skal skryte av en rosablogg, nemlig blogg.no. For å være helt korrekt; jeg skal skryte av firmaet Bootstrap AS som står bak tjenesten.

De har på svært kort tid fikset det jeg anså som svært alvorlige sikkerhetssvakheter, etter at jeg sendte dem mail om det. Her er historien:

Friday, January 18, 2013

Tees. With comments.

It's Friday, and I'm kind lazy today, so I thought I would put up pictures of the T-shirts I made for myself for Passwords^12, and a short explanation for each of them. (Media archives right here, videos also available on youtube).


Monday, January 07, 2013

Security issues with MSXML


This is a quick & dirty blog post, partially to help a friend reach out to the world, and partially because I'm affected as well. Correction: was affected. Now removed & patched at the same time.

At my previous job one of my tasks was to manage & improve the security patch management process across all platforms, from operating systems and databases to browsers & plugins. Sometimes even down to firmware & driver updates, because of bugs and vulnerabilities. My primary focus was - no surprise - Windows installations and pretty much everything that can be installed on Windows. I did that for more than 5 years. 10-15K servers, 100-150K clients. I did well. Very well in fact, and I'm still proud of it.

Many surprises have appeared along the way, the most recent has to do with MSXML, which comes to light in this blog post.

Thursday, January 03, 2013

Facebook Poke vs Snapchat - Security Comparison

Facebook Poke vs Snapchat - on security.
@adamcaudill got me started with his tweet + blog post about some of the lack of security in Snapchat, and I just had to take a look. After hammering Snapchat for a while, I thought I could do a security comparison to Facebook Poke, their own app that does pretty much the same thing as Snapchat. If you want to see a feature comparison, take a look here at techcrunch.

While Adam does the crypto + API stuff - the inner workings of the Snapchat app - I'm more interested in the visible password stuff. And before we start talking about financial muscles, size of organisation etc between Facebook & Snapchat.... It doesn't take a giant to make good security. (Rather on the contrary I would say.)

Tuesday, January 01, 2013

Måling av reell verdi fra sosiale medier

Min Klout score Jan 1, 2013. Twitring er hovedårsaken til min score.

Jeg ble veldig nysgjerrig da +Hans-Petter Nygård-Hansen postet denne bloggposten: "Slik kan du måle din innflytelse i sosiale medier". Faktisk så nysgjerrig at jeg måtte sjekke meg selv. Jada, innrømmer glatt at jeg har et ego jeg også. :-)