Thursday, November 06, 2014

Dear Technology Leader,

in adaptive multi-factor authentication.

I'll be nice and not name you in this blog post quite yet, as I want to give you a chance of fixing things ASAP. I just hope & believe you'll listen, at least after the presentation from your company I listened to not long ago.

However I feel obligated to speak up against some of the claims you made in your presentation, as well as what I see from your demo website. Let's get started.

Tuesday, June 17, 2014

What I want from Domino's passwords

Domino's Pizza got hacked, hackers demand money for not publishing stolen user credentials. 

Now if I could analyze those passwords, here's what I would be interested in:


Friday, April 25, 2014

Did Twitter silently remove login verification using their Twitter app?

Updated information:

I tried to register for one-way tweeting by sms by sending 6 messages (stop, stop, start, yes, username, password) to Twitters UK number. Didn't work, repeated the process to the number listed in Finland. It worked.

Now I can tweet by SMS (Who would do that anyway???), but I can finally configure login verification by use of iOS/Android app.

Error report, or at least sort of:
The option Security and privacy - "Send login verification requests to my phone" is available (using pc/windows/Chrome at twitter.com), but I do not receive any verification code from Twitter.

My phone number is correctly listed under Mobile, including +47 country code for Norway and (Norway) listed. I have set a PIN to protect my account from SMS spoofed texts appearing to come from me.


_________________________________
Original text:

So @hmemcpy and @omervk had this little discussion on failure of configuring Twitter login verification, and I thought "dude, that's easy", and pointed to the option of using the "login verification" through Twitters native app for iOS or Android, and option I've been using for quite some time:

Monday, February 24, 2014

Personvern hos våre politiske partier


I valgkampens innspurt høsten 2013 sjekket jeg om de politiske partiene i Norge overholdt personopplysningsloven og de krav/anbefalinger som er gitt av Datatilsynet. Det jeg fant var såpass overraskende at jeg tipset Aftenposten, som selv kontrollerte, og fikk en klar tilbakemelding om lovbrudd for partiene da de henvendte seg til Datatilsynet. Saken til Aftenposten ligger tilgjengelig her.

I tillegg kritiserte jeg også partiene Høyre og Venstre for svak epost sikkerhet, også dette gjennom Aftenposten.

Nå, 6 måneder senere, var det tid for å sjekke hvilke partier som har holdt sine løfter og etablert den sikkerheten de er lovmessig pålagt å ha.

Tuesday, February 04, 2014

Sparebank 1 MSN på Facebook / Tinder

(English summary at the end)

Oppdatetert 06.02.2014: Dagbladet har laget sak basert på nedenstående.
Sparebank 1 SMN fikk massiv omtale i media i går, etter at de har opprettet 2 falske profiler på Facebook som brukes på Tinder for å tiltrekke seg nye kunder. 

Dette provoserer meg kraftig. 

1) Krav til personprofiler
Både Facebook og Tinder har som krav til personprofiler at de skal tilhøre en eksisterende person. Her har banken glatt oversett dette, og opprettet falske personprofiler.

2) Tinder: krav til bruk
Tinder stiller som krav at konto baseres på en eksisterende personlig Facebook profil, og at denne benyttes til ikke-kommersiell bruk. Her bryter banken vilkårene, da deres formål er å tiltrekke seg nye kunder via en datingtjeneste (!).

3) Personvern
Banken sier at en ansatt som jobber spesielt med sosiale medier har ansvaret for disse (falske) profilene. Jeg finner det naturlig å tro at flere andre ansatte kan få helt eller delvis innsyn i data som fremkommer gjennom deres bruk av disse tjenestene. Ved å bruke disse profilene, aktivt eller passivt, så vil banken få innsyn i opplysninger til uvitende som kan anses som sensitive personopplysninger. 

Jeg merker meg at informasjonsdirektør Hans Tronstad sier seg fornøyd med strategien så langt.

Gratulerer, dere har fått mye oppmerksomhet. Jeg vil i løpet av dagen kontakte Datatilsynet for å be dem om å se nærmere på saken. Jeg vil også rapportere de falske profilene og brudd på Terms of Use hos Facebook & Tinder.

--
English summary:
A Norwegian bank created 2 falsified "personal" accounts on Facebook, and uses them on Tinder (dating site) to attract new potential customers. Not only is this a violation of EULAs in terms of spoofing  & commercial usage, it could also be a gross violation of privacy.

I know these kind of violations happens every day, but I never thought a Norwegian bank could do something this stupid. To top it all off, their head of information says that so far they are very happy with their strategy so far. A bank becoming a scammer. Nice strategy. Now take a look in a mirror, and see what a scammer looks like.

(Full story: google translate the link above).

Friday, January 31, 2014

OCR matching Unicode characters

[Image linked from http://babelstone.blogspot.no/2013/10/whats-new-in-unicode-70.html]

I wonder if somebody could do OCR matching of all Unicode 6.x characters against each other, with a threshold value to find characters that visually will look pretty much the same to "normal" people.

Purpose: to identify characters I could use to mock password crackers by telling them my password is ᖴᕀⅠ੨Ȝ੫ƼⅥ⑦Ȣ, but there's no way in hell you'll be able to crack it.
(No, don't ask me how I would remember how to type in my passwords.)

That's all.


Tuesday, January 14, 2014

78K and counting!

So far, I have served out 78K+ minutes of viewing time from my YouTube account, through 19K+ views. I am really happy with that. :-)

With 88% males and 12% females watching, I can only speculate why red-headed women seem to have better (longer) passwords on average then men. 146 countries/territories have been watching, even from countries far away like Turkmenistan, Afghanistan, Mongolia, Uganda and South Sudan.

While Windows is the most popular platform for viewing these videos, I'm a bit surprised to see Android in second position, well ahead of Mac, Linux & iOS. But hey, there are viewers out there using Nintendo Wii! :-)

So without further ado, here are the TOP 5 PasswordsCon Videos:


Number 5:

Advanced Password Cracking: Hashcat Techniques for the Last 20% 
Jens Steube (atom, author of Hashcat), Passwordscon in Las Vegas, July 30-31, 2013.

Number 4:

Energy-efficient bcrypt cracking
Katja Malvoni, PasswordsCon in Bergen, December 2013


Number 3:

Passwords^12 - Exploiting a SHA-1 weakness in password cracking 
Jens Steube (atom, author of Hashcat), Passwordscon in Oslo, December, 2012.


Number 2:

Password Cracking, From "abc123" to "thereisnofatebutwhatwemake" 
Joshua Dustin and Kevin Young, Passwordscon in Las Vegas, July 30-31, 2013.


Number 1:

Password Cracking HPC
Jeremi Gsoney, PasswordsCon in Bergen, December 2012.

Congrats Jeremi! :-)