Security Nirvana: Personal research and opinions from Per Thorsheim (Blogger feed, last updated 2024-03-06).<br /><br />
<h2>The End of this blog - I think.</h2>
(Posted 2015-05-20)<br />
This blog is coming to an end. Although I have lots to talk and write about, time is limited and prioritized in other areas. New blog posts may appear in the future on my own company web page: https://godpraksis.no/<br /><br />
<h2>Seek Thermal XR - first impressions</h2>
(Posted 2015-02-24)<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMHaaxzzsFle-K4fJAdfoWYGx88TcErIFTMqAgg5MAw6DzmF9p9Urg23TExT6k2mrb3XEKvri8aK0lyOKF3Wh1mui9lwzgxUzDg-qdW5otsSd5EiIGmKhcMhS7p-gcdAbiaJzBbbcNWgk/s1600/2015-02-24+17.37.34.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMHaaxzzsFle-K4fJAdfoWYGx88TcErIFTMqAgg5MAw6DzmF9p9Urg23TExT6k2mrb3XEKvri8aK0lyOKF3Wh1mui9lwzgxUzDg-qdW5otsSd5EiIGmKhcMhS7p-gcdAbiaJzBbbcNWgk/s1600/2015-02-24+17.37.34.jpg" height="320" width="240" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">[ First picture using Seek Thermal XR with iPhone 6. ]</td></tr>
</tbody></table>
So I got my <a href="http://thermal.com/" target="_blank">Seek Thermal</a> XR thermal imaging camera today, through a proxy service in the US since they do not offer shipping outside US/Canada yet. <a href="https://twitter.com/thorsheim" target="_blank">I put out a tweet earlier today</a>, where I said I would unbox it and give my first impressions. Here it is.<br />
<br />
<a name='more'></a>The camera comes in a small box, easy to open like a book:<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7HS_nXkmRd5Kqi76ffQ3TsdBoIblC0MpRRpDfsmJdMdGb_rmaSgFHbl9b5dlkTJwo19IM1Cg7MR0EnWwpti4LMXte9jUQer6k-xEnnTvm_Yh0qIt2rKGq6j_d4Yoj96hEg6d9kghrep0/s1600/2015-02-24+15.10.50.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7HS_nXkmRd5Kqi76ffQ3TsdBoIblC0MpRRpDfsmJdMdGb_rmaSgFHbl9b5dlkTJwo19IM1Cg7MR0EnWwpti4LMXte9jUQer6k-xEnnTvm_Yh0qIt2rKGq6j_d4Yoj96hEg6d9kghrep0/s1600/2015-02-24+15.10.50.jpg" height="320" width="240" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">[ Box front ]</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikVbUwes6n3yOF6rpf719gWUvXfPqSB5OoRQwDpZYImzZhG1H1mQnKOF16uInYJnZaW4ELEaFh4Jp5DeqA-CSoHr6j63bljDh3mcBJX3tDsZSWjovYyO2HPA9u05VkuRxXBNPS29SCDKo/s1600/2015-02-24+16.50.40.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikVbUwes6n3yOF6rpf719gWUvXfPqSB5OoRQwDpZYImzZhG1H1mQnKOF16uInYJnZaW4ELEaFh4Jp5DeqA-CSoHr6j63bljDh3mcBJX3tDsZSWjovYyO2HPA9u05VkuRxXBNPS29SCDKo/s1600/2015-02-24+16.50.40.jpg" height="240" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">[ Box Open ]</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJs7yJPUOX9HtU0ndWLM5ti0hhM2wAYJNXLTGublA4tqBszsDkNkygyIqE80f_xJirK3xFGuA-K7xoQa28NOnRQnRsMQ9gkRdE_WrMK_4wNNrFPD2T4rcj0Dr_0gPn1t3RzKVL0dYe_v4/s1600/2015-02-24+16.51.53.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJs7yJPUOX9HtU0ndWLM5ti0hhM2wAYJNXLTGublA4tqBszsDkNkygyIqE80f_xJirK3xFGuA-K7xoQa28NOnRQnRsMQ9gkRdE_WrMK_4wNNrFPD2T4rcj0Dr_0gPn1t3RzKVL0dYe_v4/s1600/2015-02-24+16.51.53.jpg" height="320" width="240" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">[ Box backside ]</td></tr>
</tbody></table>
<br />
I didn't know (or read) if the camera came with a small carrying case, so I was happy to see that it is indeed part of the package. Because the camera is *small*:<br />
<div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGTyNDDOOqK28HLlzprzttErw3JO0uARPQXTJu6ChKtAt-wy02_KfzdDelpS27d9Fs9kUIoccJIrIaFipRiut7BWKwys9NKmgti0Ay_k4j0A3ediv7t_IKM8-SoHZdiLBKMP2oYLIFwXE/s1600/2015-02-24+16.52.47.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGTyNDDOOqK28HLlzprzttErw3JO0uARPQXTJu6ChKtAt-wy02_KfzdDelpS27d9Fs9kUIoccJIrIaFipRiut7BWKwys9NKmgti0Ay_k4j0A3ediv7t_IKM8-SoHZdiLBKMP2oYLIFwXE/s1600/2015-02-24+16.52.47.jpg" height="240" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">[ Camera and protective case for transportation ]</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPmY78b4G9IQ7BVt1TrpkMARaweeC_m3ajfYWNlDELt5Bb9iYVmZnmmSnrBsTtPbznpQmP_fJ0VWBs4d1ldZhm92P4Ddzm12bpdV4r5WR43_4OO3YknD0MvV-DZLFmcwJTIiS0rjJoUAY/s1600/2015-02-24+16.53.23.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPmY78b4G9IQ7BVt1TrpkMARaweeC_m3ajfYWNlDELt5Bb9iYVmZnmmSnrBsTtPbznpQmP_fJ0VWBs4d1ldZhm92P4Ddzm12bpdV4r5WR43_4OO3YknD0MvV-DZLFmcwJTIiS0rjJoUAY/s1600/2015-02-24+16.53.23.jpg" height="320" width="240" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">[ Smaller than I imagined, it is very light - and I have small hands... ]</td></tr>
</tbody></table>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNISfVSE1usuQ649w4_yhgqmnIb7cN3Al84UZ3AN-ehSZSCUfssS2tv0aPWjIH5fY7ofVhJdZozL6_UdCIUkZyxnqFESuAgTBJzvN4rt5VMuvwvIdm6JewAvyhfrFSOFQN6bF8Tb__l1A/s1600/2015-02-24+16.54.09.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNISfVSE1usuQ649w4_yhgqmnIb7cN3Al84UZ3AN-ehSZSCUfssS2tv0aPWjIH5fY7ofVhJdZozL6_UdCIUkZyxnqFESuAgTBJzvN4rt5VMuvwvIdm6JewAvyhfrFSOFQN6bF8Tb__l1A/s1600/2015-02-24+16.54.09.jpg" height="320" width="240" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">[ Camera nicely placed inside the small plastic case for storage ]</td></tr>
</tbody></table>
I had already downloaded the <a href="https://itunes.apple.com/us/app/seek-thermal/id920891746?mt=8" target="_blank">iOS app</a>; the latest update (1.7.0) reached the App Store just 4 days ago, which makes the app fully compatible with the XR version. Yes: the XR version. Longer range - or "zoom" if you like. I <a href="http://obtain.thermal.com/category-s/1818.htm" target="_blank">went for that version, which is 50 dollars extra</a>. I'm sure that, based on your planned use, it actually does matter which one to purchase.<br />
<br />
So after installing the app you can either start it manually, or plug in the camera and the app will start automatically. On first start the app will ask your permission to access the thermal camera, your location, pictures and the phone camera itself.<br />
<br />
Then comes the option of signing in, registering or doing it later. There is no printed "get started" guide in the box, but you cannot really go wrong either. Or? I already had an account with Seek Thermal, so I entered my username (email address) and password, but was told "bad username/password". <i><b>Damn those security people who won't tell me which one is wrong! :-)</b></i><br />
<br />
I immediately suspected the app of having a lower maximum password length than their website, so I went online, changed my password to less than 15 characters (ugh!), and tried again. No luck. I clicked to register a new account, typed in my existing username and password, and was told to follow the instructions in an email sent to me. It never came, but now I'm logged in. Oh well, just a lack of usability design and testing; you can still use the app and camera without registering and logging in.<br />
<br />
So here's my very first picture, with default color palette and all other settings:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMHaaxzzsFle-K4fJAdfoWYGx88TcErIFTMqAgg5MAw6DzmF9p9Urg23TExT6k2mrb3XEKvri8aK0lyOKF3Wh1mui9lwzgxUzDg-qdW5otsSd5EiIGmKhcMhS7p-gcdAbiaJzBbbcNWgk/s1600/2015-02-24+17.37.34.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMHaaxzzsFle-K4fJAdfoWYGx88TcErIFTMqAgg5MAw6DzmF9p9Urg23TExT6k2mrb3XEKvri8aK0lyOKF3Wh1mui9lwzgxUzDg-qdW5otsSd5EiIGmKhcMhS7p-gcdAbiaJzBbbcNWgk/s1600/2015-02-24+17.37.34.jpg" /></a></div>
<br />
Upper right corner: a small single-LED lamp pointing upwards from my desk. After being left on for hours, it's no problem holding my hand around it. My <a href="http://www.philips.com.au/c-p/BDM4065UC_75/brilliance-led-backlit-lcd-display/overview" target="_blank">Philips BDM4065</a> 40" UltraHD (4K) screen is an easy spot; on top of it a Microsoft HD USB webcam (inactive), below the monitor an Intel NUC i5 ultra-small form factor computer (running). Left side, partially hidden behind a black Creative desktop loudspeaker, is my Apple AirPort 3TB Time Capsule, acting as WiFi hotspot, cabled Gigabit switch and backup for my Mac Mini (not running, not visible). The bright lower box is a 2TB 7200rpm Western Digital drive inside a custom aluminium USB 3 case, currently running and connected to the tower box below it.<br />
<br />
Same scene, different color palettes; they make for different and more efficient ways of looking at a scene:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWK66Rj2mJzGIYytryJG-TrDdzZ4trCNjAooFvksv3Bma2seOjgcQAa4YdyxeK1DYXYlAokd47mEWNLjHt4GTKYNKfd4topCfyaDm5_QFTg36FXnoj0R_tdKceltCRZZlK1U4PaR6DbQY/s1600/2015-02-24+19.08.41.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWK66Rj2mJzGIYytryJG-TrDdzZ4trCNjAooFvksv3Bma2seOjgcQAa4YdyxeK1DYXYlAokd47mEWNLjHt4GTKYNKfd4topCfyaDm5_QFTg36FXnoj0R_tdKceltCRZZlK1U4PaR6DbQY/s1600/2015-02-24+19.08.41.jpg" height="480" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjRrbCTt18hCxNr8LymIBdVk5pgzyPdX6ZVKyqbZ_PaeFzu5Yckva2n-P2ppJfc6AUw4SLScVwruS3zdRRIn9I2fh7sfie8acDehvJjP05NVC0UapEy8vc_2Qv_aYt9du-ZKyk2n0mTZI/s1600/2015-02-24+19.09.09.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjRrbCTt18hCxNr8LymIBdVk5pgzyPdX6ZVKyqbZ_PaeFzu5Yckva2n-P2ppJfc6AUw4SLScVwruS3zdRRIn9I2fh7sfie8acDehvJjP05NVC0UapEy8vc_2Qv_aYt9du-ZKyk2n0mTZI/s1600/2015-02-24+19.09.09.jpg" height="480" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ_YlNLskPdjsYHDksdaIc3U_4HY1SpTgj26r6ukqcAhfCsHI-rAfZoAhw0tc9W-Pp7jipmNNxCKMFPPdYutfyJkXs1fwAjKMjNPvMPHh64RbwaCj5RSK3Zh14N3yn09DqZCEgIEXI_fA/s1600/2015-02-24+19.09.30.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ_YlNLskPdjsYHDksdaIc3U_4HY1SpTgj26r6ukqcAhfCsHI-rAfZoAhw0tc9W-Pp7jipmNNxCKMFPPdYutfyJkXs1fwAjKMjNPvMPHh64RbwaCj5RSK3Zh14N3yn09DqZCEgIEXI_fA/s1600/2015-02-24+19.09.30.jpg" height="480" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsQsBKGDVdpCjA2qiIEJNlt4yWFu3dVlLWtULonWFk8Rof6wiSi1QNwg48S_JeLrZNS4he4yR9VIxU6YDRHvkVcA83NQKHdC0KF6HAsUKbA2p2R15yYZu48ThScJ7xepU43OqrczzXJ-s/s1600/2015-02-24+19.09.45.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsQsBKGDVdpCjA2qiIEJNlt4yWFu3dVlLWtULonWFk8Rof6wiSi1QNwg48S_JeLrZNS4he4yR9VIxU6YDRHvkVcA83NQKHdC0KF6HAsUKbA2p2R15yYZu48ThScJ7xepU43OqrczzXJ-s/s1600/2015-02-24+19.09.45.jpg" height="480" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipgdbdwL3D5z_EsaPdR-s7qnXdui7Trt_QMZyb3AeEghmDEQxto3eMvS4wZ4S6qDxCvpeBvQvpoAKnePraUb5knS1BrQmWFnp7W4bUHWU6L56fZOGrxzK2iUGX9TKpttLvv5EOT9cOUdQ/s1600/2015-02-24+19.10.01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipgdbdwL3D5z_EsaPdR-s7qnXdui7Trt_QMZyb3AeEghmDEQxto3eMvS4wZ4S6qDxCvpeBvQvpoAKnePraUb5knS1BrQmWFnp7W4bUHWU6L56fZOGrxzK2iUGX9TKpttLvv5EOT9cOUdQ/s1600/2015-02-24+19.10.01.jpg" height="480" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivvNDSpGhPhw9KgxnCKXc2aFZKXYV-3foihFrUgXjGAFUOx8tnY40h_FY4lRgAQB5EEJipdWyI5MqSkYzYuDyL0cFxNdaVi7dl7ADBK6IBz6jM1nEL06CvZcNZ6Uk_vi1EoHzE4oyHloE/s1600/2015-02-24+19.10.17.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivvNDSpGhPhw9KgxnCKXc2aFZKXYV-3foihFrUgXjGAFUOx8tnY40h_FY4lRgAQB5EEJipdWyI5MqSkYzYuDyL0cFxNdaVi7dl7ADBK6IBz6jM1nEL06CvZcNZ6Uk_vi1EoHzE4oyHloE/s1600/2015-02-24+19.10.17.jpg" height="480" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpCNRdsAqrwAWMM940EqiApDxwqw8hFAlUZXljcX1_IzgZO1mdREFVdIyif0MWL13x9ac81Spdv1gBgjFeTbXRUl66as_kfBDHBJ1ultwBvaXaHldVnb24j7N_t1ddUDqf4miiotOgRB0/s1600/2015-02-24+19.10.32.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpCNRdsAqrwAWMM940EqiApDxwqw8hFAlUZXljcX1_IzgZO1mdREFVdIyif0MWL13x9ac81Spdv1gBgjFeTbXRUl66as_kfBDHBJ1ultwBvaXaHldVnb24j7N_t1ddUDqf4miiotOgRB0/s1600/2015-02-24+19.10.32.jpg" height="480" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhULtBx3dICAsH9hHRyt7BGUXDKnQMg9n9HYZgpdn9fj8jU7ZrF_GQu6-QPqtCr7qKJtMm6zMTgoqdukpxXDz_a1uaArvCQ3RWBu5bOEIbEq2Fh2YhWed33gRu2-sKaq8sBWDLyQNSDA9w/s1600/2015-02-24+19.10.51.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhULtBx3dICAsH9hHRyt7BGUXDKnQMg9n9HYZgpdn9fj8jU7ZrF_GQu6-QPqtCr7qKJtMm6zMTgoqdukpxXDz_a1uaArvCQ3RWBu5bOEIbEq2Fh2YhWed33gRu2-sKaq8sBWDLyQNSDA9w/s1600/2015-02-24+19.10.51.jpg" height="480" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2-mSzujEmx_9fJqns2pTPWLaxVESqXzG2rVyxz3mtRKg3ynUZvZMS4tsm2YPVCWpa7muKUUDaIwun7umyHWvGVOPzrSBxDZuHplmXXw5NDEYqsH3BraQd6Zxnz3hrx-g_l_8QP6YwLCg/s1600/2015-02-24+19.11.47.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2-mSzujEmx_9fJqns2pTPWLaxVESqXzG2rVyxz3mtRKg3ynUZvZMS4tsm2YPVCWpa7muKUUDaIwun7umyHWvGVOPzrSBxDZuHplmXXw5NDEYqsH3BraQd6Zxnz3hrx-g_l_8QP6YwLCg/s1600/2015-02-24+19.11.47.jpg" height="480" width="640" /></a></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRATcx1wIg6zhwo_KXKPW4hYMuhxk3zwxTyUbDYazJJnxTH8zbW8zirIuUwYGXFl0i1llISGFD_GTMGKSw76rEvfFRtfpgScwKYuTPMsNPjL63Mu1rhT6D2xzjV3dzUWQ6_Xc30ufIgPc/s1600/2015-02-24+19.12.15.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRATcx1wIg6zhwo_KXKPW4hYMuhxk3zwxTyUbDYazJJnxTH8zbW8zirIuUwYGXFl0i1llISGFD_GTMGKSw76rEvfFRtfpgScwKYuTPMsNPjL63Mu1rhT6D2xzjV3dzUWQ6_Xc30ufIgPc/s1600/2015-02-24+19.12.15.jpg" height="480" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">[ Displaying maximum and minimum temperature in the scene ]</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS56eEg_uRuIHLFW5MKFPYWAMiky9PvJ9BsZlYeAXunjXl6cFRUSGn673P8DH3BOFB58W-pXNF9JnmC_aRVgaIt9BDB4kNfOahu6L55bLA2xuy_Jn565OmJZ1SQhUnGCWO8yUOMc6_sY4/s1600/2015-02-24+19.12.34.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS56eEg_uRuIHLFW5MKFPYWAMiky9PvJ9BsZlYeAXunjXl6cFRUSGn673P8DH3BOFB58W-pXNF9JnmC_aRVgaIt9BDB4kNfOahu6L55bLA2xuy_Jn565OmJZ1SQhUnGCWO8yUOMc6_sY4/s1600/2015-02-24+19.12.34.jpg" height="480" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">[ Point of interest temperature ]</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLV8vH5xIiIjHDTkQO3ZIUpJpgKFwFv8uHjMjr40ROAJ-Awbgd9kGf4z8hu2CU_Yzsr4stIWTtu0cBzScgotpiQ33fODxMcazDsexmlbFTFbQTtl8QtEOsCRMLkzJfApmIOmiaiXiD7XE/s1600/2015-02-24+19.13.17.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLV8vH5xIiIjHDTkQO3ZIUpJpgKFwFv8uHjMjr40ROAJ-Awbgd9kGf4z8hu2CU_Yzsr4stIWTtu0cBzScgotpiQ33fODxMcazDsexmlbFTFbQTtl8QtEOsCRMLkzJfApmIOmiaiXiD7XE/s1600/2015-02-24+19.13.17.jpg" height="480" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">[ And this is the scene using iPhone 6 normal camera ]</td></tr>
</tbody></table>
So based on one scene, a few minutes of operation and default settings, I'm happy so far, and will definitely examine other scenarios before giving my final verdict on the Seek Thermal XR camera.</div>
<h2>Dear Technology Leader,</h2>
(Posted 2014-11-06)<br />
in adaptive multi-factor authentication.<br /><br />I'll be nice and not name you in this blog post quite yet, as I want to give you a chance of fixing things ASAP. I just hope &amp; believe you'll listen, at least after the presentation from your company I listened to not long ago.<br />
<br />
However I feel obligated to speak up against some of the claims you made in your presentation, as well as what I see from your demo website. Let's get started.<br />
<br />
<a name='more'></a><br />
<h3>
SMS Interception</h3>
<div>
I am sorry, but your claim that "only mobile carriers and the government can intercept SMS messages, and only centrally" really isn't true. Now I won't go into the details of how SMS messages actually can be intercepted; let's just say it is quite a bit easier than you seem to believe. As your primary solution depends on the use of "flash SMS", as you call it, you should at least reconsider whatever you presently tell your customers.</div>
<div>
<br /></div>
<h3>
Google:"how to hack" </h3>
<div>
Googling "how to hack" is NOT an indicator of how easy or hard it is to hack anything, nor is it an indicator of how much or little "cybercrime" there is in the world. IMHO it's a ridiculous demo made by sales representatives that should never be made in front of <b>anyone. EVER.</b></div>
<div>
<b><br /></b></div>
<h3>
<b>PIN = PASSWORD</b></h3>
<div>
Never think of a PIN as anything other than a very bad password. Claiming that passwords are not enough and then replacing them with PINs is .... ridiculous. A PIN is easy to brute-force (a 4-digit PIN has only 10,000 possibilities), easy to predict if chosen by the user, and even easier to guess if we know some basic info about the user (dates of birth, for instance).</div>
<div>
<br /></div>
<h3>
Sending username + PIN (=password) first</h3>
<div>
I argued that in some scenarios sending a username and OTP first, then the password only if the OTP is correct, could be a good way of not exposing the password to any MITM. You argued against me, claiming that you wouldn't be able to set up a binding between the session initiation from your device and the 30-second-lifetime SMS generated and sent to me from your server. Although I'm not a programmer at all, I'm pretty sure you are WAY OFF. But don't take my word for it, look at what we do with BankID in Norway; username -> OTP -> password -> you're in.</div>
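<div>
As an added example (my own illustration, not BankID's implementation and not this vendor's code) of the binding the vendor said could not be done: the server mints the SMS code the moment the username arrives, stores it against an unguessable session id together with its 30-second lifetime, and will not even look at a password until that session's code has verified. The 6-digit code format, the cap of three guesses and the in-memory user store are assumptions made for the example.</div>

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 30      # the 30-second SMS lifetime quoted in the post
MAX_OTP_ATTEMPTS = 3      # a 6-digit code only survives if guesses are capped (my choice)

# Constructed user store. A real system keeps a password hash (bcrypt, scrypt,
# Argon2) and a phone number per user; plaintext here only keeps the example short.
USERS = {"alice@example.com": "correct horse battery staple"}


def send_sms(username, otp):
    """Stand-in for the SMS gateway; the real call goes to the carrier API."""
    return None


class LoginSession:
    def __init__(self, username, otp, now):
        self.session_id = secrets.token_urlsafe(24)   # unguessable handle the client holds
        self.username = username
        self.otp = otp
        self.expires_at = now + OTP_TTL_SECONDS
        self.attempts = 0
        self.otp_verified = False


class LoginServer:
    def __init__(self, clock=time.monotonic):
        self.clock = clock        # injectable so expiry can be tested without sleeping
        self.sessions = {}

    def start(self, username):
        """Step 1: username only. Mint a code, bind it to a fresh session, send it out of band."""
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        sess = LoginSession(username, otp, self.clock())
        self.sessions[sess.session_id] = sess
        if username in USERS:
            send_sms(username, otp)
        # Unknown usernames get a session too, so step 1 does not reveal who exists.
        return sess.session_id

    def verify_otp(self, session_id, otp):
        """Step 2: the code must match the one bound to *this* session, in time, under the guess cap."""
        sess = self.sessions.get(session_id)
        if sess is None:
            return False
        if self.clock() > sess.expires_at or sess.attempts >= MAX_OTP_ATTEMPTS:
            del self.sessions[session_id]          # expired or exhausted: start over
            return False
        sess.attempts += 1
        # Constant-time compare; the USERS check comes second so timing is the same for unknown users.
        if hmac.compare_digest(sess.otp.encode(), str(otp).encode()) and sess.username in USERS:
            sess.otp_verified = True
            return True
        return False

    def verify_password(self, session_id, password):
        """Step 3: the password is only accepted on a session whose code already passed.
        The session is consumed either way, so a wrong password means starting from step 1."""
        sess = self.sessions.pop(session_id, None)
        if sess is None or not sess.otp_verified:
            return False
        expected = USERS[sess.username].encode()
        return hmac.compare_digest(expected, str(password).encode())


if __name__ == "__main__":
    server = LoginServer()
    sid = server.start("alice@example.com")
    code = server.sessions[sid].otp        # in real life this arrives by SMS
    print("otp ok:", server.verify_otp(sid, code))
    print("logged in:", server.verify_password(sid, "correct horse battery staple"))
```

<div>
The password never crosses the wire on a session whose code has not verified, which is the property the post argues for; a phisher relaying the username still has to obtain the live code within 30 seconds before the victim is ever asked for the password.</div>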
<div>
<br /></div>
<h3>
Your homepage + partner site (same server)</h3>
<div>
No HTTPS by default: the site is served over plain HTTP unless the visitor types https:// themselves.</div>
<div>
HTTPS is available, but the certificate does not list &lt;yourdomain&gt;.com or www.&lt;yourdomain&gt;.com in its name (CN/SAN). Result: browsers warn against using the site.</div>
<div>
No EV certificate. (I would recommend that for a security authentication company.)</div>
<div>
SHA-1 signed certificate, expires February 2017. Chrome announced in September 2014 that it would start flagging SHA-1 certificates valid into 2017, so this one will be marked as a problem well before it expires.</div>
<div>
SSLv2 is supported, which is insecure, period.</div>
<div>
SSLv3 is supported, but not vulnerable to POODLE. It should be disabled anyway; nothing that matters still needs it.</div>
<div>
No TLSv1.1 or TLSv1.2 support.</div>
<div>
No Forward Secrecy support at all (no ECDHE/DHE cipher suites), so anyone who records the traffic today and obtains the server key later can decrypt it.</div>
<div>
No HSTS headers.</div>
<div>
No PCI compliance (although irrelevant for your site, but an indicator of bad security).</div>
<div>
<b>SSLLabs grade F.</b></div>
<div>
<br /></div>
<h3>
SSL at your demo site</h3>
<div>
No default SSL.</div>
<div>
SSL available (Good!)</div>
<div>
SHA-1 signed certificate, expires April 2018.</div>
<div>
<div>
SSLv2 is supported, which is insecure, period.</div>
<div>
SSLv3 is supported, but not vulnerable to POODLE.</div>
<div>
No TLSv1.1 or TLSv1.2 support.</div>
<div>
No Forward Secrecy support at all.</div>
<div>
No HSTS headers.</div>
<div>
No PCI compliance (although irrelevant for your site, but an indicator of bad security).</div>
<div>
<b>SSLLabs grade F.</b></div>
</div>
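<div>
To make the checklist above repeatable, here is an added example (mine, not the vendor's site code and not the SSL Labs grader) that evaluates a scan summary against the same items: HTTPS by default, certificate name coverage, SHA-1 signature, SSLv2/SSLv3, TLS 1.2, forward secrecy and HSTS. The dictionary layout is my own; fill it from openssl s_client, sslscan, testssl.sh or the SSL Labs API. The first dictionary is constructed to mirror the findings listed above; the second shows the same site after fixing them.</div>

```python
import re

# Six months: the long-duration HSTS threshold SSL Labs rewards (assumption stated in the lead-in).
HSTS_MIN_AGE = 180 * 24 * 3600
SEVERITY_ORDER = ("critical", "high", "medium", "low")


def hostname_matches(hostname, cert_names):
    """True if a CN/SAN entry covers hostname. A wildcard covers exactly one label:
    *.example.com matches www.example.com but not example.com or a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                                   # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def offers_forward_secrecy(suite):
    """Ephemeral (EC)DH suites, in OpenSSL (ECDHE-RSA-...) or IANA (TLS_ECDHE_...) spelling."""
    return any(tok in ("ECDHE", "DHE") for tok in re.split(r"[-_]", suite.upper()))


def get_header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_tls(scan):
    """Return (severity, message) findings; an empty list means every item on the checklist passes."""
    findings = []
    host = scan["hostname"]
    if not scan["https_by_default"]:
        findings.append(("high", "served over plain HTTP by default"))
    if not hostname_matches(host, scan["cert_names"]):
        names = ", ".join(scan["cert_names"])
        findings.append(("high", f"certificate does not cover {host} (names: {names}); browsers warn"))
    if "sha1" in scan["cert_sig_alg"].lower():
        findings.append(("medium", "certificate signed with SHA-1"))
    protocols = set(scan["protocols"])
    if "SSLv2" in protocols:
        findings.append(("critical", "SSLv2 offered"))
    if "SSLv3" in protocols:
        findings.append(("high", "SSLv3 offered"))
    if "TLSv1.2" not in protocols:
        findings.append(("high", "no TLSv1.2 support"))
    if protocols & {"TLSv1.0", "TLSv1.1"}:
        findings.append(("low", "TLSv1.0/1.1 still offered (deprecated by RFC 8996)"))
    if not any(offers_forward_secrecy(s) for s in scan["cipher_suites"]):
        findings.append(("medium", "no forward secrecy: no ECDHE/DHE cipher suite offered"))
    hsts = get_header(scan["headers"], "Strict-Transport-Security")
    max_age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None:
        findings.append(("medium", "no Strict-Transport-Security header"))
    elif not max_age or int(max_age.group(1)) < HSTS_MIN_AGE:
        findings.append(("low", f"Strict-Transport-Security max-age below {HSTS_MIN_AGE} seconds"))
    return findings


def worst(findings):
    """Highest severity present, or 'clean'."""
    for level in SEVERITY_ORDER:
        if any(sev == level for sev, _ in findings):
            return level
    return "clean"


# Constructed input mirroring the findings listed in the post (not real scan output).
SCAN_AS_FOUND = {
    "hostname": "www.example.com",
    "https_by_default": False,
    "cert_names": ["mail.example.com"],
    "cert_sig_alg": "sha1WithRSAEncryption",
    "protocols": ["SSLv2", "SSLv3", "TLSv1.0"],
    "cipher_suites": ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
    "headers": {"Server": "Apache"},
}

# The same site after fixing every item on the list.
SCAN_HARDENED = {
    "hostname": "www.example.com",
    "https_by_default": True,
    "cert_names": ["example.com", "*.example.com"],
    "cert_sig_alg": "sha256WithRSAEncryption",
    "protocols": ["TLSv1.2"],
    "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}

if __name__ == "__main__":
    for label, scan in (("as found", SCAN_AS_FOUND), ("hardened", SCAN_HARDENED)):
        findings = audit_tls(scan)
        print(f"{label}: {worst(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

<div>
The severities are mine and deliberately not a letter grade; SSL Labs' grading has its own rules (SSLv2 alone is an automatic F there) and this script only tells you which items on the list are still open.</div>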
<div>
<br /></div>
<h3>
Your demo registration process</h3>
<div>
User account registration over plaintext HTTP.</div>
<div>
You send me a plaintext email, delivered without RFC 3207 STARTTLS, using an external mailing partner, containing:</div>
<div>
- username (my email address)</div>
<div>
- password (predictable 6-character pattern: 2 letters from my name + 4 digits, i.e. 10,000 candidates once the letters are known)</div>
<div>
<br /></div>
<div>
The password is permanent; there is no need or recommendation to change it.</div>
<div>
<br /></div>
<h3>
Login & cookies at your demo site</h3>
<div>
I log on with the username + password from the plaintext email, and receive a 6-letter password by standard SMS (not "flash SMS"). Everything is entered over an insecure HTTP connection. After logon I take a look at the cookies you've set on my computer: HostOnly, Session and HttpOnly. No sign of cookies marked Secure. You need to read up on session hijacking for sure.</div>
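<div>
The cookie inspection above, as an added example (not the vendor's code): a small Set-Cookie parser and an audit that reports what lets the session be hijacked. Secure on its own is not the fix when the login form itself is posted over HTTP, so the audit takes the login scheme as input too. SameSite and the __Host- prefix postdate this 2014 post; they are included because a practitioner would check them today. The cookie lines are constructed, not captured from the demo site.</div>

```python
def parse_set_cookie(line):
    """Split one Set-Cookie value into (name, value, {attribute: value or True})."""
    first, *rest = [part.strip() for part in line.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_session_cookie(set_cookie_line, login_scheme):
    """Problems that let the session be hijacked. login_scheme is the scheme the
    login form was submitted over ('http' or 'https')."""
    name, _, attrs = parse_set_cookie(set_cookie_line)
    problems = []
    # 'HostOnly' is not an attribute: it is what the browser records when no Domain is
    # given, and it is the right default. 'Session' likewise only means no Expires/Max-Age.
    # Neither is a finding on its own.
    if login_scheme != "https":
        problems.append(f"{name}: login submitted over {login_scheme}; cookie and password cross the wire in clear")
    if "secure" not in attrs:
        problems.append(f"{name}: no Secure flag, so the browser also sends it on plain http requests")
    if "httponly" not in attrs:
        problems.append(f"{name}: no HttpOnly flag, so injected script can read it")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        problems.append(f"{name}: no SameSite=Lax/Strict, so cross-site requests carry it")
    if name.startswith("__Host-") and (
        "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"
    ):
        problems.append(f"{name}: __Host- prefix requires Secure, no Domain, and Path=/")
    return problems


# Constructed cookies: the first has the shape the post describes (HostOnly, Session,
# HttpOnly, no Secure) set after an HTTP login; the second is what it should look like.
COOKIE_AS_OBSERVED = "sessionid=7f3a9c1e4b; Path=/; HttpOnly"
COOKIE_HARDENED = "__Host-sessionid=7f3a9c1e4b; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for cookie, scheme in ((COOKIE_AS_OBSERVED, "http"), (COOKIE_HARDENED, "https")):
        print(cookie)
        for problem in audit_session_cookie(cookie, scheme) or ["  ok"]:
            print("  " + problem)
```

<div>
Adding Secure to the first cookie does not fix it on its own: as long as the login form posts over HTTP, the password and whatever the server answers with are readable in transit, which is why the audit reports the scheme first and the flags second.</div>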
<div>
<br /></div>
<h3>
Privacy & cookies</h3>
<div>
No privacy policy or cookie policy available on your main, partner or demo website, as recommended (required?) in the EU, of which your country is a member. In fact the words PRIVACY or COOKIE are not mentioned anywhere on your site.</div>
<div>
<br /></div>
<h3>
SUMMARY</h3>
<div>
Well, I believe the above speaks for itself, right? Now go to work, shooting the messenger is never a good strategy, either at conferences or out on the public Internet.</div>
<div>
<br /></div>
<div>
<i>Oh, and excuse me for not registering at your partner site and check your security settings there. So far security doesn't look acceptable for me to even consider registering.</i></div>
<h2>What I want from Domino's passwords</h2>
(Posted 2014-06-17)<br />
<h3>
<a href="http://www.welivesecurity.com/2014/06/16/dominos-pizza-hacked/">Domino's Pizza got hacked</a>, hackers demand money for not publishing stolen user credentials. </h3>
<h3>
Now if I could analyze those passwords, here's what I would be interested in:</h3>
<div>
<br /></div>
<div>
<a name='more'></a><h4>
1. Site specific basewords</h4>
</div>
<div>
We've been discussing this like a million times. Scrape www.dominos.com for all words, and use that as a base for cracking passwords. But why specifically an analysis for this breach?<br />
<br />
Well, it's a "specialty" site. Narrow field of products served. It would be interesting to see how many site/service-specific words we would find at the base of users' passwords. Many other services online might have a bigger custom dictionary in use. Using site/service-specific association elements is one of the observations we've made before, but imho an area still to be researched more.</div>
<div>
<br /></div>
<h4>
2. Use of site specific colors in passwords</h4>
<div>
Based on research from <a href="https://www.researchgate.net/profile/Kirsi_Helkala">Kirsi Helkala</a> in 2012, we discovered that blue was the most dominant color word used in the &lt;=6 million unique LinkedIn passwords, as we show in this <a href="http://securitynirvana.blogspot.no/2012/06/linkedin-password-infographic.html">infographic blog post</a>.</div>
<div>
<br /></div>
<div>
It could be pure coincidence, as previous research shows that blue is the dominant color used on the Internet.</div>
<div>
<br /></div>
<div>
<b>Domino's</b> uses red and something blue-ish on a white background as their logo and website colors. I would search for color words black|white|blue|red|green|yellow|pink|orange etc. where used as base words, preferably stand-alone or combined with digits or symbols, and possibly also as part of sentences or longer words (passphrases without spaces).<br />
<br />
That's it.</div>
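<div>
As an added example of both analyses above (mine, not Pipal's code, and not run on the Domino's data): build a baseword list from a page's visible text, then count how many passwords start with a site word and how often a color word appears alone, with digits/symbols, or embedded in a longer word. The sample page and password list are constructed. Scraping a live site means replacing SITE_HTML with the fetched page; everything else stays the same.</div>

```python
import re
from collections import Counter
from html.parser import HTMLParser

COLORS = ("black", "white", "blue", "red", "green", "yellow", "pink", "orange", "purple", "brown")
STOPWORDS = {"the", "and", "for", "with", "your", "you", "our", "from", "this", "that", "are", "all"}


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def site_basewords(html, min_len=4):
    """Distinct lower-case words of at least min_len letters from the page text."""
    extractor = _TextExtractor()
    extractor.feed(html)
    words = re.findall(r"[a-z]+", " ".join(extractor.chunks).lower())
    return {w for w in words if len(w) >= min_len and w not in STOPWORDS}


def leading_word(password):
    """Leading alphabetic run, lower-cased: 'Pepperoni2014!' -> 'pepperoni'."""
    match = re.match(r"[A-Za-z]+", password)
    return match.group(0).lower() if match else ""


def site_match(word, basewords, min_len=4):
    """Longest site word the leading run starts with ('garlicbread' -> 'garlic'), or None."""
    for n in range(len(word), min_len - 1, -1):
        if word[:n] in basewords:
            return word[:n]
    return None


def analyse(passwords, basewords):
    """Counters for site-word bases and for color words, split by how the color is used."""
    site_hits = Counter()
    color_alone = Counter()      # color word alone or followed only by digits/symbols
    color_embedded = Counter()   # color word inside a longer word or phrase
    for pw in passwords:
        hit = site_match(leading_word(pw), basewords)
        if hit:
            site_hits[hit] += 1
        low = pw.lower()
        for color in COLORS:
            if color not in low:
                continue
            if re.fullmatch(rf"{color}[\d\W_]*", low):
                color_alone[color] += 1
            else:
                color_embedded[color] += 1
    return {"site_basewords": site_hits, "color_alone": color_alone, "color_embedded": color_embedded}


# Constructed sample page and password list; not data from the breach or from dominos.com.
SITE_HTML = """<html><head><title>Domino's Pizza</title><style>body{}</style></head>
<body><h1>Order pizza online</h1><p>Pepperoni, cheese, garlic bread, chicken wings.</p>
<script>var t = "tracking";</script></body></html>"""

PASSWORDS = ["Pepperoni2014!", "pizza123", "Blue", "red1!", "iloveblue",
             "Summer15", "garlicbread", "blue123", "Password1", "chicken"]

if __name__ == "__main__":
    results = analyse(PASSWORDS, site_basewords(SITE_HTML))
    for label, counter in results.items():
        print(label, dict(counter))
```

<div>
The same basewords set is what you would feed a cracker as a target-specific wordlist; running it through the usual rule sets (append digits, capitalise first letter, append a symbol) is what turns "pepperoni" into "Pepperoni2014!".</div>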
<div>
<br /></div>
<div>
Oh, and Robin @digininja: consider the above as some sort of feature requests for Pipal. ;-)</div>
<div>
<br /></div>
<div>
Oh; and I would love to see more tools developed for target specific wordlist creation, including for Maltego, Metasploit, Kali Linux and more.</div>
<div>
<br /></div>
<div>
<br /></div>
<h2>Did Twitter silently remove login verification using their Twitter app?</h2>
(Posted 2014-04-25)<br />
<h3>
<b>Updated information:</b></h3>
<span style="font-weight: normal;">I tried to register for <a href="https://support.twitter.com/articles/14226">one-way tweeting by SMS</a> by sending 6 messages (stop, stop, start, yes, username, password) to Twitter's UK number. Didn't work, so I repeated the process with the number listed for Finland. <a href="https://twitter.com/thorsheim/statuses/459675274444296192">It worked</a>.</span><br />
<span style="font-weight: normal;"><br /></span>
<span style="font-weight: normal;">Now I can tweet by SMS (Who would do that anyway???), but I can finally configure login verification by use of iOS/Android app.</span><br /><br />Error report, or at least sort of:<br />
<span style="font-weight: normal;">The option Security and privacy - "Send login verification requests to my phone" is available (using pc/windows/Chrome at twitter.com), but I do not receive any verification code from Twitter.<br /><br />My phone number is correctly listed under Mobile, including +47 country code for Norway and (Norway) listed. I have set a PIN to protect my account from SMS spoofed texts appearing to come from me.</span><br />
<span style="font-weight: normal;"><br /></span>
<span style="font-weight: normal;">_________________________________</span><br />
<b>Original text:</b><br /><br />
So <a href="https://twitter.com/hmemcpy">@hmemcpy</a> and <a href="https://twitter.com/omervk">@omervk</a> had this little <a href="http://www.twitter.com/omervk/status/459433920711639040">discussion</a> on failing to configure Twitter login verification, and I thought "dude, that's easy", and pointed to the option of using "login verification" through Twitter's native app for iOS or Android, an option I've been using for quite some time:<br />
<br />
<a name='more'></a><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJExDRQOy9WfIj1cdFh8Cw6a2J9N6LmUchXeQIQgNecD2eYDEjSxysRgsGpZftn4fQU3dFHcNRhoBSfvO_aXx61FMMgNI0H8pyEoqbqyK7cowJbMw310xmds2wH1eyQYLxT9RdRWXaRDE/s1600/01.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJExDRQOy9WfIj1cdFh8Cw6a2J9N6LmUchXeQIQgNecD2eYDEjSxysRgsGpZftn4fQU3dFHcNRhoBSfvO_aXx61FMMgNI0H8pyEoqbqyK7cowJbMw310xmds2wH1eyQYLxT9RdRWXaRDE/s1600/01.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[Screenshot from earlier configuration of my account at Twitter]</i></td></tr>
</tbody></table>
<br />
Twitter didn't have 2FA or any kind of login verification. <a href="http://arstechnica.com/security/2013/02/il0vethewhopper-doesn-cut-it-twitter-calls-for-tougher-passwords/">High profile accounts got hacked</a>. <a href="http://money.cnn.com/2013/02/21/technology/social/twitter-hacking/">I was among the many asking for 2FA or similar to become available</a> at Twitter. <br />
<br />
<a href="https://blog.twitter.com/2013/getting-started-with-login-verification">Twitter launched SMS-based login verification on 22 May 2013</a>, but with a <a href="https://support.twitter.com/articles/20170024-twitter-s-supported-mobile-carriers">restricted list</a> of countries and telcos supported. People complained, I was one of them.<br />
<br />
<a href="https://blog.twitter.com/2013/improvements-to-login-verification-photos-and-more">Twitter launched an improvement on August 6, 2013</a>, where you no longer had to use SMS as part of the process: you could just use your native Twitter client for iOS or Android. Suddenly "everyone" could have login verification, without the hassle and cost of SMS. <b>This is what I've been using, since Twitter still has no support for Norway and the telcos here for SMS-based login verification. They list them all right:</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisT5nYl7JPl8WwOHr8zz6bVzDutQjixTK_DjxRHAlaH6RDABAvmWGF3jAMO-i7b57s4U80X4xezhAFNBzuLOdbCr2UoSUrdEExgaiNhDaWFr6h1S3ZDR0JKh1h3SvMmMdncjvQAz_Cfqo/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisT5nYl7JPl8WwOHr8zz6bVzDutQjixTK_DjxRHAlaH6RDABAvmWGF3jAMO-i7b57s4U80X4xezhAFNBzuLOdbCr2UoSUrdEExgaiNhDaWFr6h1S3ZDR0JKh1h3SvMmMdncjvQAz_Cfqo/s1600/03.png" height="320" width="281" /></a></div>
<div class="" style="clear: both; text-align: left;">
<b>But the response is this:</b></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0mNcPToallG_JmgzVDlUuoMRhO10JQSjrZ_TDCKVHR5FxfOxVhasey3n_FnLZtPoX0HOsrnhFKUeGyHDhu-X944iDhW-0wkxgOiD_99TSBAII8103FcSpt4HlK8pRjtaw_A3JhqGpgu0/s1600/04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0mNcPToallG_JmgzVDlUuoMRhO10JQSjrZ_TDCKVHR5FxfOxVhasey3n_FnLZtPoX0HOsrnhFKUeGyHDhu-X944iDhW-0wkxgOiD_99TSBAII8103FcSpt4HlK8pRjtaw_A3JhqGpgu0/s1600/04.png" height="111" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<b>So YES</b>, I was really surprised when I checked my settings online at Twitter today, and saw this:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: 1em; margin-right: 1em; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM1srIpOYoPSSJjUIa2irVH7ZOqi5KOBRT2FaP_nfuLs61uAS0_96j1PpG2TwIZcIx7PylsPcxVEnUPMExbCSHB67cy53MR-RpjMIvuEvQfmwvDARF-21684ljVMypuuwZu-5IeBtrkr8/s1600/02.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM1srIpOYoPSSJjUIa2irVH7ZOqi5KOBRT2FaP_nfuLs61uAS0_96j1PpG2TwIZcIx7PylsPcxVEnUPMExbCSHB67cy53MR-RpjMIvuEvQfmwvDARF-21684ljVMypuuwZu-5IeBtrkr8/s1600/02.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[Screenshot of my Twitter account settings, April 25, 2014]</i></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>WTF?!?</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Did my friends finally manage to pwn my account, to see me suffer and humiliated in public? NO.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="text-align: center;">
<b><span style="font-size: large;">Twitter seems to have <u>silently</u> removed the use of their native app to do login verification without registering a phone. </span></b></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
At least for me, based in Norway, I'm back to trusting my password alone, as I did before August 2013. No login verification is available to me, unless their "<a href="https://support.twitter.com/entries/110250">SMS to long code in another country</a>" option works, with <a href="https://support.twitter.com/articles/14226">numbers available in the UK, Germany and Finland</a>. I tried once with the UK number; no luck.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So, out of curiosity and with a somewhat elevated body temperature right now, Twitter: </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<b><i><span style="font-size: x-large;">Seriously, WTF?!?</span></i></b></div>
<h2>Privacy at our political parties (2014-02-24)</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVuGgBqOxIDWfvCyBRHDMrNzJQCGkKcqzeMGwbKK0jl155gwDOG1DDXsk7EGJ9qK_DXsnA55HohzoyTygPwxrnA9bR7a7fDHEHphy9Pr4YBZN_2CsgNAnTpic7c0vZSMpXk4vizM3npWk/s1600/F.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVuGgBqOxIDWfvCyBRHDMrNzJQCGkKcqzeMGwbKK0jl155gwDOG1DDXsk7EGJ9qK_DXsnA55HohzoyTygPwxrnA9bR7a7fDHEHphy9Pr4YBZN_2CsgNAnTpic7c0vZSMpXk4vizM3npWk/s1600/F.png" /></a></div>
<br />
In the final stretch of the election campaign in autumn 2013, I checked whether the political parties in Norway complied with the Personal Data Act (personopplysningsloven) and the requirements and recommendations issued by the Norwegian Data Protection Authority (Datatilsynet). What I found was surprising enough that I tipped off Aftenposten, who verified it themselves and, when they approached Datatilsynet, got a clear statement that the parties were in breach of the law. <a href="http://www.aftenposten.no/nyheter/iriks/politikk/Hull-i-informasjonssikkerheten-pa-de-fleste-partiers-nettsider-7287358.html"><b>Aftenposten</b>'s story is available here</a>.<br />
<br />
In addition, I also criticised the parties <b>Høyre</b> and <b>Venstre</b> for weak email security, <a href="http://www.aftenposten.no/nyheter/iriks/Kritiserer-e-post-sikkerheten-i-Hoyre-og-Venstre-7271725.html">again through <b>Aftenposten</b></a>.<br />
<br />
Now, 6 months later, it was time to check which parties have kept their promises and established the security they are legally required to have.<br />
<br />
<a name='more'></a><br />
<h3>
Let's take the positive first:</h3>
<b>MDG</b>, <b>Venstre</b>, <b>Høyre</b> and <b>Frp</b> have established encryption to protect privacy when signing up as a member. Høyre has also moved its email service home to Norway. That is where the good news ends.<br />
<br />
<h3>
Encryption on membership sign-up web pages</h3>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6y6Sv3I36C_YUYgaWLNf0I5GHrauXs1KUBGBrV9eAcYr-1fSTQ67vulT_QwDVKXUwC7TtTG3dqrvVIL-mVkj40LT_LmFW66-FUfBdaEnFmYhePK1qqGn-Hk7MlcWUb_8-FYZ6-yIHKew/s1600/Parti_webservere.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6y6Sv3I36C_YUYgaWLNf0I5GHrauXs1KUBGBrV9eAcYr-1fSTQ67vulT_QwDVKXUwC7TtTG3dqrvVIL-mVkj40LT_LmFW66-FUfBdaEnFmYhePK1qqGn-Hk7MlcWUb_8-FYZ6-yIHKew/s1600/Parti_webservere.png" height="395" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[Click the image for full size]</i></td></tr>
</tbody></table>
<b>Arbeiderpartiet</b> has encryption, but has not changed its solution, so it still identifies itself with a certificate belonging to an external free blogging service when you want to sign up. Put simply, this can be regarded as using false identification of the most obvious kind. They also hide the encryption, making it hard for the ordinary person to check whether their privacy is actually being protected.<br />
<br />
<b>NKP</b>, <b>Rødt</b>, <b>Senterpartiet</b>, <b>Krf, Pensjonistpartiet</b> and <b>Demokratene</b> still have not established the legally required minimum for protecting sensitive personal data (here: political opinion and possibly membership).<br />
<br />
<b>Piratpartiet</b> has what I consider an acceptable way of handling sign-up (payment via bank), while <b>De Kristne</b> ask for sign-ups to be sent via unencrypted email.<br />
<br />
Although <b>Venstre</b> has established an encrypted solution (<a href="http://venstre.alreadyon.com/">venstre.alreadyon.com</a>), sign-up via their regular home page still goes unencrypted. I hope this is just a short transition period before the new solution is the only one in use.<br />
<br />
All the parties use digital certificates from various <u>foreign</u> providers to confirm their identity. Across the board, cheap or even free certificates have been adopted, insofar as trust is to be discussed. It should be said that a Norwegian provider of digital certificates is available, one that is otherwise both recommended and used for ALTINN and other services.<br />
<br />
Most surprising, however, is the setup at<b> Høyre</b>: even though they use encryption on their site<b> <a href="http://dugnad.hoyre.no/">dugnad.hoyre.no</a>, </b>the setup permits <a href="https://www.ssllabs.com/ssltest/analyze.html?d=dugnad.hoyre.no&s=46.137.75.173">unauthorised eavesdropping</a> on absolutely all communication in a relatively simple way. A configuration error that a quality check should easily have caught. It does not help matters that the page announces that all content now goes encrypted, given the configuration as of today.<br />
<br />
<h3>
Web server location</h3>
<div>
Privacy across national borders can be a challenge due to differing legislation, where Norway stands strong compared with most countries. In that light there is reason to ask why <b>SV</b> has its web server located in Germany, <b>MDG</b> is in the Netherlands, <b>Høyre</b> has chosen to use Amazon (EU), while Frp is located in Finland. Is it possible to request access to the data processing agreement these parties are supposed to have established with their providers for receiving and processing sensitive personal data?</div>
<div>
<br /></div>
<div>
The remaining parties have their web servers located in Norway, either with an external provider or under their own control. A data processing agreement is nonetheless relevant here too.</div>
<div>
<br /></div>
<h3>
Email security</h3>
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_7Jjn3BLIAjXNq-vL-_xwRcMuDQDQY2ixTyF-jrBHVroKlIkcikewBtfEmsOHPywCUAd1eg4QHkeHeH8N39_L0NRE5HQxQRVhy7Aj6QM2wctmZi9GeCDQNVPRcKvVnlFs49O9ja503FI/s1600/Parti_mailservere.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_7Jjn3BLIAjXNq-vL-_xwRcMuDQDQY2ixTyF-jrBHVroKlIkcikewBtfEmsOHPywCUAd1eg4QHkeHeH8N39_L0NRE5HQxQRVhy7Aj6QM2wctmZi9GeCDQNVPRcKvVnlFs49O9ja503FI/s1600/Parti_mailservere.png" height="268" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[Click the image for full size]</i></td></tr>
</tbody></table>
Since my checks in August 2013, the service <a href="https://starttls.info/">starttls.info</a> has been launched. This is a free service, developed and operated by<a href="http://indev.no/"> Einar Otto Stangvik</a>, on my idea and at my request. With this service you can easily check whether mail servers on the Internet offer free, user-transparent and opportunistic encryption of email. Think of it as your email being sent secured in a locked metal box, rather than as a postcard that everyone along the way can read.</div>
<div>
<br /></div>
<div>
When you want to send email to the political parties, it goes from your machine via your email provider to the party's email server, and from there to the recipient. As in August 2013, I find that <b>Venstre </b>routes its email via Google in the USA. So do <b>SV</b> and <b>MDG</b>, while <b>Krf </b>routes its email via Microsoft in England. </div>
<div>
<br /></div>
<div>
<b>The remaining parties have their email servers located in Norway.</b></div>
<div>
<br /></div>
<div>
<b>NKP</b>, <b>Rødt</b>, <b>Senterpartiet</b>, <b>Pensjonistpartiet</b>, and <b>De Kristne </b>do not support such email encryption.</div>
<div>
<br /></div>
<div>
<b>Arbeiderpartiet</b> supports email encryption, but the setup nevertheless makes full eavesdropping on all communication possible, due to configuration errors that a quality check should have caught. The same applies to <b>Piratpartiet</b>.</div>
<div>
<br /></div>
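As an added example (not the starttls.info service's own code), here is a Python check of the kind the paragraphs above describe: it parses a mail server's EHLO reply for the STARTTLS extension and judges whether the TLS that follows would actually protect mail in transit. The EHLO replies embedded in it are constructed; <code>check_mx</code> touches the network only when you call it yourself.<br />

```python
"""STARTTLS check for a mail server, in the spirit of starttls.info.

Added example for this post, not the starttls.info service's own code. The
offline part parses an EHLO reply and assesses what was observed; check_mx()
is the online part and touches the network only when called.
"""
from __future__ import annotations

import re
import smtplib
import ssl
from dataclasses import dataclass, field

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # obsolete versions
_CODE_PREFIX = re.compile(r"^\d{3}[ -]")  # "250-" / "250 " in a raw capture


@dataclass
class StarttlsReport:
    host: str
    advertised: bool = False     # EHLO listed the STARTTLS extension
    cert_verified: bool = False  # certificate chain and hostname validated
    protocol: str = ""           # e.g. "TLSv1.2", known only after a handshake
    problems: list[str] = field(default_factory=list)


def parse_ehlo_extensions(ehlo_reply: bytes) -> set[str]:
    """Return the upper-cased extension keywords of an EHLO reply.

    Accepts both the bytes smtplib.SMTP.ehlo() returns (reply codes already
    stripped) and a raw capture with "250-" prefixes. The first line is the
    server's domain and greeting, not an extension (RFC 5321, 4.1.1.1).
    """
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    keywords: set[str] = set()
    for line in lines[1:]:
        line = _CODE_PREFIX.sub("", line.strip())
        keyword = line.split(" ", 1)[0].upper()  # "SIZE 52428800" -> "SIZE"
        if keyword:
            keywords.add(keyword)
    return keywords


def assess(report: StarttlsReport) -> list[str]:
    """Fill report.problems from what was observed and return the list."""
    problems: list[str] = []
    if not report.advertised:
        problems.append("STARTTLS not offered: mail to this server is relayed in clear text")
    else:
        # Opportunistic TLS between mail servers stops passive eavesdropping only;
        # a certificate that does not validate for the host lets an active
        # attacker stand in the middle unnoticed.
        if not report.cert_verified:
            problems.append("certificate does not validate for this host: an active "
                            "attacker can present its own and read everything")
        if report.protocol in WEAK_PROTOCOLS:
            problems.append(f"{report.protocol} negotiated: obsolete protocol version")
    report.problems = problems
    return problems


def check_mx(host: str, port: int = 25, timeout: float = 10.0) -> StarttlsReport:
    """Connect to a mail server and report on its STARTTLS support (network)."""
    report = StarttlsReport(host=host)
    ctx = ssl.create_default_context()  # system trust store, hostname check
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, reply = smtp.ehlo()
        if code == 250:
            report.advertised = "STARTTLS" in parse_ehlo_extensions(reply)
        if report.advertised:
            try:
                smtp.starttls(context=ctx)
                report.cert_verified = True
                report.protocol = smtp.sock.version() or ""
            except ssl.SSLCertVerificationError:
                smtp.close()  # handshake failed; drop the half-open socket
    assess(report)
    return report


# Constructed EHLO replies, shaped like what smtplib.SMTP.ehlo() returns.
EHLO_WITH_STARTTLS = b"mx.example.no\nPIPELINING\nSIZE 52428800\nSTARTTLS\n8BITMIME"
EHLO_WITHOUT_STARTTLS = b"mx.example.no Hello client\nSIZE 10240000\n8BITMIME"
# Constructed raw capture of the same kind of reply, as seen in a telnet session.
EHLO_RAW_CAPTURE = b"250-mx.example.no\r\n250-STARTTLS\r\n250 8BITMIME\r\n"


def demo() -> list[StarttlsReport]:
    """Assess the constructed replies offline; the handshake outcome is given."""
    samples = (("good", EHLO_WITH_STARTTLS, "TLSv1.2", True),
               ("badcert", EHLO_WITH_STARTTLS, "TLSv1", False),
               ("plain", EHLO_WITHOUT_STARTTLS, "", False))
    reports = []
    for name, reply, proto, verified in samples:
        r = StarttlsReport(host=name, advertised="STARTTLS" in parse_ehlo_extensions(reply),
                           cert_verified=verified, protocol=proto)
        assess(r)
        reports.append(r)
    return reports
```

Call <code>demo()</code> for the offline samples, or <code>check_mx(host)</code> to run the same assessment against a live mail server.<br />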
<h3>
Summary</h3>
<div>
Both the weaknesses and the breaches of law pointed out here can be corrected easily and quickly by qualified personnel. In several of the cases, complying with requirements and recommended good practice requires no or only modest external investment. After 6 months I would have expected this to have been fixed long ago.</div>
<div>
<br /></div>
<div>
I really hope the parties will take this seriously, and not blame small budgets or lack of time. Several, if not all, of the parties have involved themselves heavily in the privacy debate over the past 1-2 years. I am glad of that, but really want to see them also take responsibility in their own house for their own statements.</div>
<div>
<br /></div>
<div>
<br /></div>
<h2>Sparebank 1 SMN on Facebook / Tinder (2014-02-04)</h2>
<div style="font-family: Helvetica; font-size: 12px;">
(English summary at the end)</div>
<div style="font-family: Helvetica; font-size: 12px;">
<br />
<span style="color: red;">Updated 06.02.2014: <a href="http://www.dagbladet.no/2014/02/05/nyheter/innenriks/sosiale_medier/facebook/tinder/31660480/">Dagbladet has written a story</a> based on the below.<br /></span></div>
<span style="font-family: inherit;"><b>Sparebank 1 SMN</b> got <a href="http://www.aftenposten.no/digital/Sparebank-1-SMN-kontakter-single-via-sjekkeapp-7456067.html">massive media coverage yesterday</a>, after creating 2 fake profiles on Facebook that are used on Tinder to attract new customers. </span><br />
<div style="min-height: 13.8px;">
<span style="font-family: inherit;"><br /></span></div>
<span style="font-family: inherit;"><b>This provokes me strongly. </b></span><br />
<div style="min-height: 13.8px;">
<span style="font-family: inherit;"><br /></span></div>
<span style="font-family: inherit;"><b>1) Requirements for personal profiles</b></span><br />
<span style="font-family: inherit;">Both Facebook and Tinder require that personal profiles belong to an existing person. Here the bank has blithely ignored this and created fake personal profiles.</span><br />
<div style="min-height: 13.8px;">
<span style="font-family: inherit;"><br /></span></div>
<span style="font-family: inherit;"><b>2) Tinder: terms of use</b></span><br />
<span style="font-family: inherit;">Tinder requires that an account be based on an existing personal Facebook profile, and that it be used for non-commercial purposes. Here the bank breaks the terms, since its purpose is to attract new customers via a dating service (!).</span><br />
<div style="min-height: 13.8px;">
<span style="font-family: inherit;"><br /></span></div>
<span style="font-family: inherit;"><b>3) Privacy</b></span><br />
<span style="font-family: inherit;">The bank says that an employee working specifically with social media is responsible for these (fake) profiles. I find it natural to assume that several other employees may get full or partial access to data that emerges through their use of these services. By using these profiles, actively or passively, the bank will gain access to information about unwitting people that can be regarded as sensitive personal data. </span><br />
<div style="min-height: 13.8px;">
<span style="font-family: inherit;"><br /></span></div>
<span style="font-family: inherit;">I note that head of information Hans Tronstad says he is satisfied with the strategy so far.</span><br />
<div style="min-height: 13.8px;">
<span style="font-family: inherit;"><br /></span></div>
<span style="font-family: inherit;"><b>Congratulations, you have received a lot of attention. During the day I will contact Datatilsynet (the Norwegian Data Protection Authority) to ask them to look more closely at the matter. I will also report the fake profiles and the breach of the Terms of Use to Facebook & Tinder.</b></span><br />
<span style="font-family: inherit;"><b><br /></b></span>
<span style="font-family: inherit;"><b>--</b></span><br />
<span style="font-family: inherit;"><b>English summary:</b></span><br />
<span style="font-family: inherit;">A Norwegian bank created 2 falsified "personal" accounts on Facebook, and uses them on Tinder (dating site) to attract new potential customers. Not only is this a violation of EULAs in terms of spoofing & commercial usage, it could also be a gross violation of privacy.</span><br />
<span style="font-family: inherit;"><br /></span>
I know these kinds of violations happen every day, but I never thought a Norwegian bank could do something this stupid. To top it all off, their head of information says that so far they are very happy with their strategy. A bank becoming a scammer. Nice strategy. Now take a look in a mirror, and see what a scammer looks like.<br />
<br />
(Full story: Google Translate the link above.)
<h2>OCR matching Unicode characters (2014-01-31)</h2>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.babelstone.co.uk/Blog/Images/Webdings_F06D.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://www.babelstone.co.uk/Blog/Images/Webdings_F06D.png" height="464" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[Image linked from http://babelstone.blogspot.no/2013/10/whats-new-in-unicode-70.html]</i></td></tr>
</tbody></table>
<br />
<b>I wonder</b> if somebody could do OCR matching of all Unicode 6.x characters against each other, with a threshold value to find characters that will look pretty much the same visually to "normal" people.<br />
<br />
<b>Purpose:</b> to identify characters I could use to mock password crackers by telling them my password is <span style="font-size: large;">ᖴᕀⅠ੨Ȝ੫ƼⅥ⑦Ȣ</span>, but there's no way in hell you'll be able to crack it. <br />
(No, don't ask me how I would remember how to type in my passwords.)<br />
<br />
That's all.<br />
<br />
<br />
<h2>78K and counting! (2014-01-14)</h2>
So far, I have served out 78K+ minutes of viewing time from <a href="https://www.youtube.com/user/thorsheim">my YouTube account</a>, through 19K+ views. I am really happy with that. :-)<br />
<br />
With 88% males and 12% females watching, I can only speculate why red-headed women seem to have better (longer) passwords on average than men. 146 countries/territories have been watching, even from countries far away like Turkmenistan, Afghanistan, Mongolia, Uganda and South Sudan.<br />
<br />
While Windows is the most popular platform for viewing these videos, I'm a bit surprised to see Android in second position, well ahead of Mac, Linux & iOS. But hey, there are viewers out there using Nintendo Wii! :-)<br />
<br />
<h3>
So without further ado, here are the <b>TOP 5 PasswordsCon Videos:</b></h3>
<br />
<h3>
<b>Number 5:</b></h3>
<b><a href="https://www.youtube.com/watch?v=9l6COVMer8M">Advanced Password Cracking: Hashcat Techniques for the Last 20% </a></b><br />
Jens Steube (atom, author of Hashcat), PasswordsCon in Las Vegas, July 30-31, 2013.<br />
<b style="text-align: center;"><br /></b>
<h3>
<b style="text-align: center;">Number 4:</b></h3>
<b><a href="http://www.youtube.com/watch?v=SJztbiunuLo">Energy-efficient bcrypt cracking</a></b><br />
Katja Malvoni, PasswordsCon in Bergen, December 2013<br />
<br />
<br />
<h3>
<b>Number 3:</b></h3>
<a href="https://www.youtube.com/watch?v=7YebpMoK9VQ"><b>Passwords^12 - Exploiting a SHA-1 weakness in password cracking </b></a><br />
Jens Steube (atom, author of Hashcat), PasswordsCon in Oslo, December 2012.<br />
<br />
<br />
<h3>
<b>Number 2:</b></h3>
<a href="https://www.youtube.com/watch?v=DLpSKmT5BUs"><b>Password Cracking, From "abc123" to "thereisnofatebutwhatwemake" </b></a><br />
Joshua Dustin and Kevin Young, PasswordsCon in Las Vegas, July 30-31, 2013.<br />
<br />
<br />
<h3>
<b>Number 1:</b></h3>
<b><a href="https://www.youtube.com/watch?v=3axK5P8xw-E">Password Cracking HPC</a></b><br />
Jeremi Gosney, PasswordsCon in Bergen, December 2012.<br />
<b><br /></b>
<b>Congrats Jeremi! :-)</b>
<h2>PasswordsCon Bergen - practical info (2013-11-04)</h2>
<h3>
Alrighty, less than a month until PasswordsCon in Bergen, Norway!</h3>
Just some quick & practical information for those travelling here from far away:<br />
<br />
<h3>
Hotels</h3>
Most hotels in the city center are within walking distance (15-30 minutes tops) of our venue.<br />
<h4>
Recommended hotels (preferred order, based on proximity to city center):</h4>
<br />
<a href="http://www.radissonblu.com/hotelnorge-bergen">Radisson Blu Hotel Norge</a> (absolute city center)<br /><a href="https://www.nordicchoicehotels.no/clarion-collection/clarion-collection-hotel-no-13/">Clarion Collection Hotel No 13</a> (absolute city center)<br />
<a href="http://www.thonhotels.com/hotels/countrys/norway/bergen/thon-hotel-bristol-bergen/">Thon Hotel Bristol Bergen</a><br />
<a href="https://www.rica-hotels.com/hotels/bergen/rica-hotel-bergen/">Rica Travel Hotel Bergen</a><br /><a href="http://www.grandterminus.no/en/">Grand Hotel Terminus</a> (has one of the best whisky bars in northern Europe)<br />
<br />I recommend looking them up on www.tripadvisor.com, but do check out their prices directly on their home pages, as that just might give you the best price after all, without all the low-price restrictions. All these hotels are very close to each other, making it easier to go out during the evening and find your way back late at night. :-)<br />
<br />
Depending on your arrival (Saturday or Sunday), I'll be able to show you & others around the city, including a visit to the top of 1 or more of the 7 mountains surrounding the city. Prepare for a bit colder and rainier environment than ... well... wherever. :-)<br />
<br />
<br />
<h2>CFP: Passwords^13 (PasswordsCon), Bergen, Dec 2-3 (2013-10-02)</h2>
<div class="moz-text-plain" graphical-quote="true" lang="x-western" style="font-family: -moz-fixed; font-size: 14px;" wrap="true">
<pre wrap=""><b>PasswordsCon
December 2-3, 2013
Bergen, Norway</b>
CALL FOR SUBMISSIONS
====================================
Per Thorsheim, with the support of FRISC (<a class="moz-txt-link-abbreviated" href="http://www.frisc.no/">www.frisc.no</a>), the University
of Bergen and Stricture Consulting Group, organize PasswordsCon,
the fifth edition of a technical conference only devoted to passwords
and related authentication methods.
Passwords are the most common authentication method on internet services
and on computers in general, regardless of their form factor (desktop,
laptop, tablet, smartphone, etc.). Dissatisfaction with the robustness
and usability of current approaches has motivated the previous editions
of the Passwords conference, and more recently prompted the organization
of the Password Hashing Competition.
The purpose of PasswordsCon is to gather leading researchers in
passwords security and authentication methods in general, so as to best
understand the challenges posed and to address them adequately.
Details on the conference as they are ready will appear at our website:
passwordscon.org
<a name='more'></a>
<b>== TOPICS ==</b>
PasswordsCon asks for submissions on topics including, but not limited to:
- Password hashing functions
* New algorithms & constructions
* Cryptanalytic attacks on classical security notions
* Hardness circumvention attacks
* Formal definitions and proofs
* Implementation on users' platforms
* APIs
- Attacking password hashes
* CPU/GPU coding
* Online/offline password guessing and cracking
* Distributed attacks
* Ruleset generation & optimization
* Hardware implementation (ASIC, FPGA)
* Password profiling of people (patterns, habits)
- Passwords security and usability
* Empirical studies
* Strength metrics
* Mobility issues
* Policies
* Password management software
<b>== SUBMISSION INSTRUCTIONS ==</b>
To submit to PasswordsCon, fill the submission form below,
and email it to <a class="moz-txt-link-abbreviated" href="mailto:cfp@passwordscon.org">cfp@passwordscon.org</a>
Submissions mainly consist of a description of the presentation
proposal and of information on the speaker. We do NOT require the
submission of a formal original paper.
<b>== DATES ==</b>
October 2 - Public CFP
October 30 - Submission deadline
November 1 - Notification to speakers
December 2-3 - PasswordsCon conference
<b>== REVIEW PANEL ==</b>
Submissions will be evaluated by a panel of experts including
- Per Thorsheim (chair)
- Jean-Philippe Aumasson
- Jeremi Gosney
-------------------------------
<b>Submission form
PasswordsCon
December 2-3, 2013
Bergen, Norway
SUBMISSION FORM</b>
====================================
Please fill out this form completely and email to <a class="moz-txt-link-abbreviated" href="mailto:cfp@passwordscon.org">cfp@passwordscon.org</a>
If you wish to submit several presentations, please fill different forms
for different submissions.
<b>== SPEAKER ==</b>
- Name or handle:
- Primary email:
- Primary mobile number:
If you are accepted we can publish your social media information on
the speaker page. If you want your information made public so that
attendees can contact you or follow your work, please list it here.
- URL:
- Twitter handle:
- Facebook page:
- IRC nickname & network:
- Bio (Professional history, achievements, bragging points. Let people
know who you are, and why you're qualified to speak on this topic.):
<b>== PRESENTATION ==</b>
- Title:
- Abstract (max 200 chars):
- Details (max 1000 chars):
- Is there a demonstration? (Y/N)
- Are you releasing a new tool? (Y/N)
- How much time does your presentation require? (15, 30, or 60 minutes)
- Has this presentation been given in any other venue or conference?
(Y/N) Y (not yet, in a week, private conference)
- We will provide one LCD projector, a microphone, and an internet
connection. Will your presentation require any additional equipment?
(Y/N, explain.)
- Any special requests for your presentation?
<b>== TERMS AND CONDITIONS ==</b>
By submitting you agree to the Terms and Conditions below. Please read
and accept these terms by inserting your name in the appropriate area,
otherwise your application will be considered incomplete and returned to
you.
1) I warrant that the above work has not been previously published
elsewhere, or if it has, that I have obtained permission for its
publication, and that I will promptly supply the PasswordsCon committee
with wording for crediting the original publication and copyright owner.
2) If I am selected for presentation, I hereby give PasswordsCon
permission to duplicate, record and redistribute this presentation;
including, but not limited to, the conference proceedings, video, audio,
handout(s) to the conference attendees for educational, on-line and
all other purposes.
3) I will include a detailed bibliography as either a separate document
or included within the presentation of all resources cited and/or used
in my presentation.
4) I will complete my presentation within the time allocated to me - not
running over the time allocation.
5) I understand that PasswordsCon will provide 1 LCD projector feed, 1
microphone, and internet connectivity. I understand that I am
responsible for providing all other necessary equipment, including
laptops (with VGA output), to complete my presentation.
6) I understand that I will be responsible for my own hotel and travel
expenses.
I, XXXXXXXXXXXXXXXX, have read the Terms and Conditions and agree to the
terms as detailed.
<b>Website: passwordscon.org</b>
</pre>
</div>
<h2>Seriously RapidSSLOnline.... (2013-09-22)</h2>
<a href="http://www.rapidsslonline.com/">RapidSSLOnline</a> sends out HTML-formatted emails for certificate renewal containing a direct SSL login link to your account, for easy renewal (or change/delete) of SSL certificates.<br />
<br />
Hmm.. And I actually thought that sending out direct login links by clear-text e-mail was a bad idea....<br />
<br />
<b>Seriously?</b><br />
<b><br /></b>
<b><span style="color: red;"><i>Important update: my link + title initially pointed at RapidSSL.com, while the correct one is RapidSSLOnline.com. Big thx to <a href="http://twitter.com/tomwillows">Tom Willows</a> for correcting me!</i></span></b><br />
<br />
<a name='more'></a><b><br />Here's the email received, slightly censored to protect the innocent:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9IVCzZCMyZ_LOLjG6IUUKcbrd43mP93GDqGW5GeDAj5sSUK-Wsns991IT59RnVhKcU3Lwl3GcENr8G-bjONhFD4jHvgRWuAGoQSn42qGPcU_abr1fRBGtfDVwLp-8FUm8GVvWTulaFAw/s1600/RapidSSL_mail.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9IVCzZCMyZ_LOLjG6IUUKcbrd43mP93GDqGW5GeDAj5sSUK-Wsns991IT59RnVhKcU3Lwl3GcENr8G-bjONhFD4jHvgRWuAGoQSn42qGPcU_abr1fRBGtfDVwLp-8FUm8GVvWTulaFAw/s640/RapidSSL_mail.png" width="361" /></a></div>
<b><br /></b>
<b>Clicking the "Renew & Save" button takes you - or anyone who can get access to the email in transit or at rest - directly to this page (again heavily censored):</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoapL0r9gegG36gwzdSjIPfBotVgOWDORxFUchbLMFyJERyPcONkKITdlOzd7PPzqfq_DfYeKUJiLsZfXZqRSaL7eHgKCE2gKRkqTpz6VBJWfaStnszoTcsk9oHfblgqVPGMixNVtmzMQ/s1600/Webpage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoapL0r9gegG36gwzdSjIPfBotVgOWDORxFUchbLMFyJERyPcONkKITdlOzd7PPzqfq_DfYeKUJiLsZfXZqRSaL7eHgKCE2gKRkqTpz6VBJWfaStnszoTcsk9oHfblgqVPGMixNVtmzMQ/s320/Webpage.png" width="316" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Dear RapidSSLOnline:</b></div>
You are in the business of Internet security. I really do expect better than this. Running your entire shop off Amazon cloud servers (web + mail) doesn't help my lack of confidence in your current security practices. (Sorry Amazon).<br />
<br />
Bring CRM - and Thon Hotels (published 2013-09-18)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji8i5BBS4L0DbHP9-aetHXynt-zqUwo5iApPcYbEPQTW7BwbqJsnxpRgH-PQD1nzOK2gngAfMhvM0YaEf__IjstQmj4jnY6K67l8uBFgt1UtDN4uF_K4-7Ya2y2lodYUG47XSnR4Qlvqo/s1600/For_00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji8i5BBS4L0DbHP9-aetHXynt-zqUwo5iApPcYbEPQTW7BwbqJsnxpRgH-PQD1nzOK2gngAfMhvM0YaEf__IjstQmj4jnY6K67l8uBFgt1UtDN4uF_K4-7Ya2y2lodYUG47XSnR4Qlvqo/s1600/For_00.png" /></a></div>
<br />
I am a member of the Thon Hotels loyalty programme, as I am with several other hotel chains. The prospect of a "free" night's stay is tempting enough. I have regularly received my bonus point statement by e-mail, along with various offers to get me to spend both points and money.<br />
<br />
However, I was annoyed from the very first e-mail, each of which opened with the screenshot above. Points to you if you already understand why.<br />
<br />
<a name='more'></a><h2>
Background</h2>
<div>
You <b>must</b> not send usernames, passwords and addresses for various Internet services by e-mail, period. I write <b>must</b> because <b>should</b> is too weak. The risk of information being compromised and of various laws being broken is simply too great.</div>
<div>
<br /></div>
<div>
The picture above carries the text <b>"Direkte innlogging til Din Side her"</b> ("Direct login to Your Page here"). When I clicked the link I landed straight on "my page" at Thon Hotels, where I could see my points balance, make bookings, see an overview of previous hotel stays and so on. </div>
<div>
<b><br /></b></div>
<div>
<b>In plain terms: </b>Thon Hotels regularly sent out the username, password and login web address to every single member of their loyalty programme. I assume that is quite a lot of people.</div>
<div>
<br /></div>
<h2>
Risk?</h2>
<div>
So what? Someone can see my points balance? Get themselves a free night in central Oslo with fake ID in my name? Big deal, right?</div>
<div>
<br /></div>
<div>
<b>A few words about PRIVACY</b>. </div>
<div>
Some people may be staying at a different hotel than the one they told their employer, partner or ex-husband about. Perhaps they have good reasons for serving up that little white lie - and no need to play prim moral police about it, thank you. </div>
<div>
<br /></div>
<div>
An overview of where and when you or others have stayed the night <i><b>can</b></i> have serious consequences if it becomes known to the wrong people, even if you have done nothing wrong.</div>
<div>
<br /></div>
<h2>
Responsible Disclosure</h2>
<div>
I have previously blogged that <a href="http://securitynirvana.blogspot.no/2013/08/noen-ting-tuller-man-ikke-med.html">some things you do not mess with</a>. The risk described above is reason enough for me not to ring the first sensationalist journalist I can find and ask for the front page. I want to do <b>responsible disclosure</b> to the right organisation/person, to get them, if possible, to change to established <b>Good Practice</b>. In that respect I like to look for root causes - rather than getting a security hole patched, I am more interested in getting policy &amp; procedures changed, and preferably making someone aware of the imagined and real security challenges they face.</div>
<div>
<br /></div>
<div>
So of course I looked a little closer.</div>
<div>
<br /></div>
<div>
The URL hiding behind the "Direkte innlogging" link looked roughly like this <i><span style="color: red;">(slightly altered, to be on the safe side)</span></i>:<br />https://secure.bringcrm.no/MHVU/lt/Ranbow/nt/1157/mh.html?re=http%3A%2F%2Fwww.thonhotels.no%2F%3Flogin%3DmYGpgWEqmpytrI%252bDICsk8s9xtvwrl%252fGm2DtI%253d</div>
<div>
<br /></div>
<div>
Aha. So Thon Hotels runs its loyalty programme through <a href="http://www.bring.no/hele-bring/produkter-og-tjenester/kundedialog-og-crm/crm-og-kundedialog#lojalitetsprogram">Bring CRM</a>. Nothing wrong with that, and I immediately assumed that the missing security was the default in the solutions from Bring CRM, and not Thon Hotels' doing alone. <i>(I could launch into a long debate here about auditing/reviewing suppliers' services before signing a contract or going into production, but let's skip that root cause for now....)</i></div>
<div>
<br /></div>
<div>
Better to go directly to Bring in any case. Contacting Thon Hotels could easily create problems, and just become a delaying link on the way to those with technical responsibility, namely Bring. A tiny <b>apology</b> to Thon Hotels; legally speaking this is your responsibility to keep under control. I just skipped past you to make things happen a little faster. I ask for your understanding on that...</div>
<div>
<br /></div>
<div>
<b>PS: if anyone (@sprakradet) has an official Norwegian term for "Responsible Disclosure", let me know ASAP.</b></div>
<div>
<br /></div>
<h3>
Long story - short version</h3>
<div>
I contacted <i>someone</i>. Someone I have known for a long time, and who was positioned such that I could deliver my message without coming across as a random person "who just wants to complain". </div>
<div>
<br /></div>
<div>
I made first contact on 22 March 2013. I followed up twice, and was told that my views had been passed on. Then it went quiet - and I went on summer holiday. I considered following up again when August came and the working days were back. Never got that far.</div>
<div>
<br /></div>
<h2>
Then suddenly...</h2>
<div>
Tuesday 17 September 2013. A new bonus statement e-mail from Thon Hotels. A <b>tiny</b> change of text:<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEnf7fpBmgPNtUx-kaG-O9mG2XoaReUoYUr3LGDTGQm5tfwRbgxa0HnTsj6F0qkBt3itvkSVNrZ-Xt64PaLcsS1dzMarS7dnOJpMQTBAxWeoR3Tq5jo7XJJaB-4yLhNE6inal2kG5o3T4/s1600/Etter_00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEnf7fpBmgPNtUx-kaG-O9mG2XoaReUoYUr3LGDTGQm5tfwRbgxa0HnTsj6F0qkBt3itvkSVNrZ-Xt64PaLcsS1dzMarS7dnOJpMQTBAxWeoR3Tq5jo7XJJaB-4yLhNE6inal2kG5o3T4/s1600/Etter_00.png" /></a></div>
<div>
<br /></div>
<div>
The word <b>Direkte</b> (Direct) has been removed. Well, look at that. Barely noticeable. Then I look at the URL in the link, and find this: <a href="http://www.thonhotels.no/logg-inn/">http://www.thonhotels.no/logg-inn/</a><br /><br />No more direct login. Exactly what I pointed out on 22 March, and recommended that they remove, or alternatively redesign to preserve some usability.</div>
<div>
<br /></div>
<div>
<b>Bonus</b>, and a sign that some well thought-through work has been done: the earlier direct login links no longer work.</div>
<div>
<br /></div>
<div>
I have not received any feedback, neither from <i>someone</i> nor from Bring CRM. It makes no difference to me; I <b>think</b> I have made the Thon Hotels / Bring service a little more secure, and given the Norwegian Data Protection Authority (Datatilsynet) one less case to handle. They clearly have enough to do these days anyway.</div>
<div>
<br /></div>
<div>
So to all of you who will be annoyed that direct login is now gone: <b>Sorry.</b> I hope Bring CRM, in dialogue with its customers and preferably a bit of external expertise (...), can come up with alternatives that satisfy privacy legislation and good practice in both security and usability.</div>
<div>
----</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<i>As of 17.09.2013, secure.bringcrm.no gets grade <a href="https://www.ssllabs.com/ssltest/analyze.html?d=secure.bringcrm.no"><b>A</b> at SSLLABS</a>. <br />This is very good, and better than the first time I tested it. :-) </i></div>
<br />
Facebook Promoted Posts (published 2013-09-14)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibzH4b5jhJuH6hxCmn0bqL60UsoLURfLIfWdBj5gBf8DqYrpTKISFEDhEhDhWdNB3FunZcUTlPOkHKUhNn0yT2MUH7vP0Wa8OZsabCaRpmofzcizvVx5X-BTadz13Wj_TC8mCKaTADGZ8/s1600/Header.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibzH4b5jhJuH6hxCmn0bqL60UsoLURfLIfWdBj5gBf8DqYrpTKISFEDhEhDhWdNB3FunZcUTlPOkHKUhNn0yT2MUH7vP0Wa8OZsabCaRpmofzcizvVx5X-BTadz13Wj_TC8mCKaTADGZ8/s1600/Header.png" /></a></div>
<br />
<b>Passwords^13 in Las Vegas was exceptionally great. </b>I may not be totally neutral when saying so, but after the conference and putting the <a href="http://www.youtube.com/playlist?list=PLdIqs92nsIzTphHrDlIucuMP2vatvd4UL">videos online</a>, I wanted to try out <a href="https://www.facebook.com/help/promote">Facebook Promoted Posts</a>. I was deeply disappointed. Here's why.<br />
<br />
<a name='more'></a><h2>
Background</h2>
<br />
First of all, I'm one of the millions running Chrome + Adblock. I don't mind seeing some ads here and there, sometimes I even click on them. I'm just annoyed by all the damned popups, moving objects, music etc. that pretty much kill my experience of whatever content I was looking for in the first place. I could really use a "Dislike" button on every ad I see.<br />
<br />
I also know that tons of people run <a href="http://www.fbpurity.com/">Facebook Purity</a> to clean up the user experience of Facebook, removing ads and other annoyances for you.<br />
<br />
<h2>
Expectations?</h2>
<div>
None. Just curiosity, and the willingness to spend some dollars to prove to myself it's useless for my purposes, or at least doesn't provide the value for money I would expect.</div>
<div>
<br /></div>
<h2>
Let's go!</h2>
<div class="separator" style="clear: both; text-align: left;">
These are screenshots from my public (company) Facebook page, plus links to videos. There were 2 posts I wanted to promote for my little experiment. The first one was the talk by Dominique Bongard (Reversity on Twitter), founder &amp; CEO of <a href="http://www.0xcite.ch/">0XCITE</a> in Switzerland. <a href="http://www.youtube.com/watch?v=fdphoc3XUF8">He did a presentation</a> that reporters and anyone into security &amp; privacy should take an interest in. After putting the video up on Youtube, I announced its availability on <a href="https://twitter.com/thorsheim/status/370127398253387776">Twitter</a>, <a href="https://plus.google.com/113848325212589987956/posts/9umfx9HjbkQ">Google+</a>, Linkedin and Facebook. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/fdphoc3XUF8?feature=player_embedded' frameborder='0'></iframe></div>
<div style="text-align: center;">
<i>Dominique Bongard at Passwords^13, Las Vegas, July 31, 2013.</i></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The same thing with Rick Redman (Minga) from Korelogic. He's the founder and primary organizer of the <a href="http://contest.korelogic.com/">CrackMeIfYouCan</a> competition at Defcon. His talk on <a href="http://www.youtube.com/watch?v=5i_Im6JntPQ">why your corporate password policy sucks</a> is worth watching if you haven't done so already.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://img.youtube.com/vi/5i_Im6JntPQ/0.jpg" height="266" width="320"><param name="movie" value="http://youtube.googleapis.com/v/5i_Im6JntPQ&source=uds" /><param name="bgcolor" value="#FFFFFF" /><param name="allowFullScreen" value="true" /><embed width="320" height="266" src="http://youtube.googleapis.com/v/5i_Im6JntPQ&source=uds" type="application/x-shockwave-flash" allowfullscreen="true"></embed></object></div>
<div style="text-align: center;">
<i>Rick Redman at Passwords^13, Las Vegas, July 31, 2013.</i></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After my *massive* and almost unlimited budget of USD 70,- was spent in less than 48 hours, with USD 50,- for promoting Dominique and USD 20,- for Rick, these were my results:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglWdwNZEm678XBW8Yq4Q6ns9eAVmeItAqgJTjjsKUGjudyxXdCRO5XtK_pKyn3jo9B3H0BLETl_8BLBW4qhxzBI4TcgANbl_k3SQy5MWF4ikIwPmorw3g7HyN-seZVL1otW9v19IEoI2s/s1600/Closing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglWdwNZEm678XBW8Yq4Q6ns9eAVmeItAqgJTjjsKUGjudyxXdCRO5XtK_pKyn3jo9B3H0BLETl_8BLBW4qhxzBI4TcgANbl_k3SQy5MWF4ikIwPmorw3g7HyN-seZVL1otW9v19IEoI2s/s1600/Closing.png" /></a><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The numbers are "Total Reach" and "Paid Reach". As you can see, I have to pay for pretty much anyone to have them "like" or even watch anything I post online. :-)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h2>
The details</h2>
<div class="separator" style="clear: both; text-align: left;">
Sweet. For USD 70,- I've reached 39,000 people! WOW! Now that I cannot do on the street in 48 hours!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoctoUpGv5UFHJAIlcsxEJp_kyuFtniyafPDaibYGCh62EvWQV6BGsezSRk4CEcFleLuW1OcVrB09pNp3uHsaDvgYpnJOAV1mZUjMKVjwONg8OI0-hQRU0GubFPp2LlBu1POm7u6Bayck/s1600/01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoctoUpGv5UFHJAIlcsxEJp_kyuFtniyafPDaibYGCh62EvWQV6BGsezSRk4CEcFleLuW1OcVrB09pNp3uHsaDvgYpnJOAV1mZUjMKVjwONg8OI0-hQRU0GubFPp2LlBu1POm7u6Bayck/s320/01.png" width="222" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But take a look at the details here; how many "got involved":</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid5gvx3CbLiz9VbG8DGTeDbtlXQj-WEQRuTB1SfjGqeEALIg_eEx3SYeOl-aXTeSzkPzhCXs62xuXH7NAO6ZTuHaGV9tGmnZkTqqVqoiuJKar_yz9-xWVgYlq1bm7Eozka5dsCAyV2ifo/s1600/02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid5gvx3CbLiz9VbG8DGTeDbtlXQj-WEQRuTB1SfjGqeEALIg_eEx3SYeOl-aXTeSzkPzhCXs62xuXH7NAO6ZTuHaGV9tGmnZkTqqVqoiuJKar_yz9-xWVgYlq1bm7Eozka5dsCAyV2ifo/s320/02.png" width="171" /></a></div>
<br />
Now this might just be me, but seeing the numbers above, AND the Analytics numbers available to me on Youtube.... Meh. Nowhere near what I would expect. Perhaps it's just me believing that people above age 20 in France and the countries close to it would take an interest in this topic?<br />
<br />
Moving on to the results for the USD 20,- investment for Rick Redman's talk, numbers are just as disappointing.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTxb1UkTEN74ce5juM8XQgp4c79AZENT-KhyXQVrZ5wi6K2K0ZsoRPEi82eK0M7FTIVVjfhg1AQJPJYgoUtQKIsLLxf9ssqo1Uy0SLy3eZjxnjh1lGByftRKhayk44nErFgpZTsmPl73I/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTxb1UkTEN74ce5juM8XQgp4c79AZENT-KhyXQVrZ5wi6K2K0ZsoRPEi82eK0M7FTIVVjfhg1AQJPJYgoUtQKIsLLxf9ssqo1Uy0SLy3eZjxnjh1lGByftRKhayk44nErFgpZTsmPl73I/s320/03.png" width="263" /></a></div>
<br />
<div>
<h2>
My first, and probably last conclusion on FB Promoted Posts</h2>
</div>
<div>
<b>Crap</b>. Period. What annoys me the most is that I do not get any additional info on <b>who are all these people I have 'reached'? </b>Did they actually see the promoted posts? Did the post display in their newsfeed, the upper right corner, or where? How many people in each country? Age statistics? Occupation? Interests?</div>
<div>
<br /></div>
<div>
Nothing.</div>
<div>
<br /></div>
<div>
<b>For those who clicked, liked, commented & watched: Thank you.</b><br />
<br />
With a budget of USD 70,- I'm pretty sure I could get more involvement by spending an hour or 3 running around in my local city center, asking people to click & like.</div>
<div>
<br /></div>
<div>
Mission failed - as pretty much expected. Sorry Dominique & Rick. :-)</div>
Quick look: PIXELPIN (published 2013-09-01)<div class="separator" style="clear: both; text-align: center;">
A quick look at:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://pixelpin.co.uk/"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXbUz6N1Ne9AGPAyKzaI9h4Xv10LIPdFphLW1V8d4Nha2-8iyeQin8fFJwNK9DNtTTYNYC4qyWLSAy2Xp-6ecnlfBFdAK2zvuRnzP9r0Zh1HVsbbiAvUuZU9otzMzctozEaldz3UqPWM8/s1600/Header.png" /></a></div>
<h2>
PixelPin says on their front page:</h2>
<div style="text-align: center;">
<i style="text-align: center;"><b><span style="font-size: large;">"Passwords are inherently flawed: they can be phished, hacked, dictionary attacked, and good ones are hard to remember. PixelPin solves all of these problems."</span></b></i></div>
You really can't wave a bigger piece of red cloth in front of my eyes, so I had to take a quick look at what they have to offer. I like the idea of picture passwords, but I'm not all that happy about my observations here.<br />
<br />
<a name='more'></a><h3>
<i>Background info</i></h3>
<br />
I have previously given <a href="http://securitynirvana.blogspot.no/2012/08/windows-8-password-security.html">my opinion on Windows 8 Picture Password</a>. Along with <a href="http://adamcaudill.com/">Adam Caudill</a>, as well as Russian company <a href="http://passcape.com/">Passcape</a>, <a href="http://arstechnica.com/author/dan-goodin/">Dan Goodin</a> at arstechnica <a href="http://arstechnica.com/security/2012/10/experts-windows-8-features-make-account-passwords-easier-to-steal/">ran a story on our joint findings & opinions</a>. Although Microsoft has some good info on the <a href="http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx?Redirected=true">math & magic</a> behind it, this isn't really about that. After reading about (or trying out) Windows 8 Picture Password and how it works (Circle, Line, Dot), take a look at the <a href="http://www.youtube.com/watch?v=tzdRWshtTK4">PixelPin introduction video</a> on Youtube before you continue reading.<br />
<br />
<br />
<h3>
Getting started</h3>
<div>
<br /></div>
So I headed over to their website, and <a href="https://login.pixelpin.co.uk/">clicked to sign up</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCfJpOZsKCOBSHsxqlqzq9HdY_3OE1k5Fz3M3FSX1oRAAYwGw2fRCpWrAcHN4_uIqxABeoVYXiWMzx0OSNaTLASlpFVJBYfPQw10EPh_dU4CJLaEDRORXcsAfDr_HHdWh1fezlvaTOvOs/s1600/Signup.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCfJpOZsKCOBSHsxqlqzq9HdY_3OE1k5Fz3M3FSX1oRAAYwGw2fRCpWrAcHN4_uIqxABeoVYXiWMzx0OSNaTLASlpFVJBYfPQw10EPh_dU4CJLaEDRORXcsAfDr_HHdWh1fezlvaTOvOs/s320/Signup.png" width="233" /></a></div>
Clean, simple, and already at this page we learn that all accounts use their e-mail address as the username to sign in. Guessing user-selected usernames is usually harder, so already here we may have a way to verify which accounts exist. More on that later. Since they are using SSL (thank god!), I put them through the mandatory <a href="https://www.ssllabs.com/">SSLLABS</a> test:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivslPC1wxmbIxn33-FfyrF4qeXGAm8tt6poYY2MRK2dZPkir8oa9e8TOtbfTpxXTY8_1Esd6YOZ-8zTd8rjPWGQqDoUct8c4VylczH5fftx7gd-V_n_FI9HyHSUtcRp9xgPDRopbSDFV8/s1600/Pic_04_SSLLABS_login.pixelpin.co.uk.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="" border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivslPC1wxmbIxn33-FfyrF4qeXGAm8tt6poYY2MRK2dZPkir8oa9e8TOtbfTpxXTY8_1Esd6YOZ-8zTd8rjPWGQqDoUct8c4VylczH5fftx7gd-V_n_FI9HyHSUtcRp9xgPDRopbSDFV8/s320/Pic_04_SSLLABS_login.pixelpin.co.uk.png" title="[ Yes, you can magnify this A LOT by clicking! ]" width="140" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[ Please magnify me by clicking! ]</i></td></tr>
</tbody></table>
<br />
Grade B, <a href="https://www.pcisecuritystandards.org/">not PCI compliant</a>. Oh well, why would we care if they are not running bank-level security? They just want to protect ... eh.... all your accounts, right? (<a href="http://securitynirvana.blogspot.no/2010/02/criticism-of-pci-password-requirements.html">PCI-DSS has quite a mess on passwords as well</a>...)<br />
<br />
Well, moving on with my registration. Compared to Microsoft, PixelPin asks for 4 picture points (dots), while Microsoft asks for 3, but offers a choice of using a circle, line or dot. PixelPin looks at the order of your selected dots (I think Microsoft does that too), while Microsoft also looks at start/end points as well as left/right circles.<br />
<br />
So I'm asked to select a picture to be used for my picture authentication. Some people may recognize this particular picture from the penthouse at Palms Place, overlooking the strip (just change your focus for a second). Here I will click 4 points of interest (...), and I have to remember the order I did it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjibPs37AsdEeQClfAxcWGnh-dLjIsPlotyWJL976RFpwNRc26To-giQpxnI7ncPneaAH090SnC2WTypEUGcS2Qabb6Orr_KkUruTgxwnizgMpGRphIMnvxN9vJB7VFEVJ35__RejkhzJY/s1600/Pic_00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjibPs37AsdEeQClfAxcWGnh-dLjIsPlotyWJL976RFpwNRc26To-giQpxnI7ncPneaAH090SnC2WTypEUGcS2Qabb6Orr_KkUruTgxwnizgMpGRphIMnvxN9vJB7VFEVJ35__RejkhzJY/s640/Pic_00.png" width="640" /></a></div>
<br />
<br />
And done! <b>Or?</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuYVUIFuK_imEzsduJTke3lC0uZKA9fFv4W_FEpjh3d600mTedquef23qu63Q5ZriV7j-H7il6cQTC4PJEUFbBoSSiOTXwIWo0zwW0-qsuA998lOztNQj8CAhM7A_L6E0Y2yWSjR1XxlI/s1600/Pic_01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuYVUIFuK_imEzsduJTke3lC0uZKA9fFv4W_FEpjh3d600mTedquef23qu63Q5ZriV7j-H7il6cQTC4PJEUFbBoSSiOTXwIWo0zwW0-qsuA998lOztNQj8CAhM7A_L6E0Y2yWSjR1XxlI/s320/Pic_01.png" width="233" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>AHEM. </b>Eh.... Let's rewind to the top, and quote PixelPin once again:</div>
<blockquote class="tr_bq">
<i style="text-align: center;"><b><span style="font-size: large;">"Passwords are inherently flawed: they can be phished, hacked, dictionary attacked, and good ones are hard to remember."</span></b></i></blockquote>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let me see if I'm getting this right.... PixelPin is asking, NO, forcing me to make my own challenge/response question/answer, to be used as my backup in case I forget the 4 points of interest I just selected? My oh my, as if I would ever.... Err... No, wait, there were more than 4 points of interest in that picture, right? </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Well, let's make something then:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPKRY_D2bytXTPKddjm0_QdOMtEtXP3NhzU4fJfwmekDwaF52DoTIrkSOGEf-gHWqiNIRPPMe6SIXRxxl7LSc93bt8fo1C72CIW8hug18t49swmKG4p7xLePfIHqZOvGH4ZHqINkT3ErA/s1600/Pic_02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPKRY_D2bytXTPKddjm0_QdOMtEtXP3NhzU4fJfwmekDwaF52DoTIrkSOGEf-gHWqiNIRPPMe6SIXRxxl7LSc93bt8fo1C72CIW8hug18t49swmKG4p7xLePfIHqZOvGH4ZHqINkT3ErA/s320/Pic_02.png" width="233" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Ah. Restrictions you have! Is that for memorability, readability to your helpdesk (for manual resets), or what? And why not display those restrictions *before* I enter my question & answer?</div>
<br />
Seconds after signing up, I got this email asking me to verify my email address:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgswF1gfCtmubNd4eACDziSvO8HGBtvN-tmYH9hn-GvGVVgw8ytI1hGAEzUJ2Y4PctPCtzmce-BbND_XRBg3MwsuL8gPMpUErKIqzZTnIUjRFrmKi-go15B30sCr2uTIbVy9PH7HNkZ5Ck/s1600/Pic_03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgswF1gfCtmubNd4eACDziSvO8HGBtvN-tmYH9hn-GvGVVgw8ytI1hGAEzUJ2Y4PctPCtzmce-BbND_XRBg3MwsuL8gPMpUErKIqzZTnIUjRFrmKi-go15B30sCr2uTIbVy9PH7HNkZ5Ck/s640/Pic_03.png" width="640" /></a></div>
<br />
...Sent to me using <b>Google's mail services</b>. "PixelPin will not send you sales messages <b>or pass your details onto third-parties.</b>" Argh. Sorry, couldn't resist highlighting that. Probably because PixelPin doesn't say anywhere on their website that they use Google, how they use it, and for what purpose. I don't have a problem with Google, but I do have a problem with sites &amp; services that don't tell me anywhere on their site how they will communicate with me before I sign up.<br /><br /><b>Oh; </b>and that URL, although using https, does contain some data that caught my attention as well. I didn't dig into the details though - a pentest, IT audit or usability review most certainly should.<br />
<br />
<h3>
Moving along....</h3>
<div>
<br /></div>
So I'm all set up, account verified, and let's go back to that login screen:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoOEwjTlLe2F8USOUHCLL69hPbunXO-1eD8cIoBSTfsAW7fCm88A-ATsvUKkqoAA0mhNEZWQxu7LvJk3ZVMrVVwfzlv7pVId5ZfKhlVdrWuF3fhBELptEVv5buye6TyZnjWMUcAHAKawM/s1600/Pic_05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoOEwjTlLe2F8USOUHCLL69hPbunXO-1eD8cIoBSTfsAW7fCm88A-ATsvUKkqoAA0mhNEZWQxu7LvJk3ZVMrVVwfzlv7pVId5ZfKhlVdrWuF3fhBELptEVv5buye6TyZnjWMUcAHAKawM/s320/Pic_05.png" width="233" /></a></div>
<br />
Well, well, well: my standard e-mail address doesn't exist (<b>Unknown user name</b>), because I accidentally used a different address than the one I signed up with. Hm. So now I can probably verify the existence of large numbers of accounts by brute-forcing my way through this interface and reading off the response. That's a bad thing guys, and it should be fixed. <b>This should be basic knowledge!</b><br />
<br />
Let's try out the "forgot my points of interest" feature then:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWQHtXq0ORx0Xiu-NYt8GLDCZYoPNlhjgPv31TRgKu5ht5KRLzfjPUbFcBf0ADnpnL3cofryj2get9tQEb2DTnaR_HXWL9k10qXKcYrzCAaH6CUz4-2tyK3KchG3TcRYzRY1UjqZET9XY/s1600/Pic_07_rate_limiting_picpoints_rst_after_magic_question.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWQHtXq0ORx0Xiu-NYt8GLDCZYoPNlhjgPv31TRgKu5ht5KRLzfjPUbFcBf0ADnpnL3cofryj2get9tQEb2DTnaR_HXWL9k10qXKcYrzCAaH6CUz4-2tyK3KchG3TcRYzRY1UjqZET9XY/s320/Pic_07_rate_limiting_picpoints_rst_after_magic_question.png" width="233" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Ah. An account lockout policy. 3 incorrect, and account is disabled for 2 hours. So how is your rate limiting configuration here? Any attempts/sec per IP + attempts/sec per username configuration? Any options for me, either as a single user, or a massive online service provider to tweak these settings ourselves? Hm. Maybe I should read your <a href="https://login.pixelpin.co.uk/Developer/Index.aspx">developer docs</a>...</div>
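The two observations above (the login form answering "Unknown user name", and the 3-strikes / 2-hour lockout) can be put side by side in code. The example below is constructed for this post and is not PixelPin's code: a leaky login handler whose error text reveals whether an account exists, next to a hardened one that returns one generic error, applies the 3-failure / 2-hour per-username lockout the page observed, and adds a per-IP throttle. The per-IP limit (20 attempts per 60 seconds), the sample account, the picture points and the IP addresses are all assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import deque

# The 3-attempt / 2-hour lockout is what the post observed at PixelPin.
# The per-IP window and limit are assumed values for this example.
LOCKOUT_THRESHOLD = 3
LOCKOUT_SECONDS = 2 * 60 * 60
IP_WINDOW_SECONDS = 60
IP_MAX_ATTEMPTS = 20
GENERIC_ERROR = "Invalid e-mail address or picture points."
THROTTLED_ERROR = "Too many attempts, try again later."


def canonical_points(points):
    """Serialize the ordered (x, y) picture points; the order is part of the secret."""
    return ";".join(f"{x},{y}" for x, y in points)


def derive(secret, salt):
    """Slow, salted hash of the secret (PBKDF2 as a stand-in for a proper KDF)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)


class FakeClock:
    """Controllable clock so lockout expiry can be shown without waiting two hours."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}        # email -> (salt, derived secret)
        self.failures = {}     # email -> (failure count, locked_until timestamp)
        self.ip_attempts = {}  # ip -> deque of attempt timestamps
        # Dummy credential so an unknown address costs the same work as a known one.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = derive("dummy", self._dummy_salt)

    def register(self, email, points):
        salt = os.urandom(16)
        self.users[email.lower()] = (salt, derive(canonical_points(points), salt))

    def _check_secret(self, email, points):
        salt, stored = self.users.get(email, (self._dummy_salt, self._dummy_hash))
        match = hmac.compare_digest(derive(canonical_points(points), salt), stored)
        return match and email in self.users

    def login_leaky(self, email, points):
        """Leaky variant: the error text tells the caller whether the account exists."""
        email = email.lower()
        if email not in self.users:
            return {"ok": False, "error": "Unknown user name"}
        if not self._check_secret(email, points):
            return {"ok": False, "error": "Wrong picture points"}
        return {"ok": True, "error": ""}

    def _ip_limited(self, ip):
        now = self.clock()
        q = self.ip_attempts.setdefault(ip, deque())
        while q and now - q[0] > IP_WINDOW_SECONDS:
            q.popleft()
        if len(q) >= IP_MAX_ATTEMPTS:
            return True
        q.append(now)
        return False

    def _locked(self, email):
        _, until = self.failures.get(email, (0, 0.0))
        return self.clock() < until

    def _record_failure(self, email):
        count, until = self.failures.get(email, (0, 0.0))
        if self.clock() < until:
            return  # already locked; keep the existing lock
        count += 1
        if count >= LOCKOUT_THRESHOLD:
            self.failures[email] = (0, self.clock() + LOCKOUT_SECONDS)
        else:
            self.failures[email] = (count, until)

    def login(self, email, points, ip):
        """Hardened variant: one generic error, per-IP throttle, per-username lockout."""
        email = email.lower()
        if self._ip_limited(ip):
            return {"ok": False, "error": THROTTLED_ERROR}
        # Always verify the secret, so unknown, wrong and locked all take the same path.
        ok = self._check_secret(email, points)
        if self._locked(email) or not ok:
            self._record_failure(email)
            return {"ok": False, "error": GENERIC_ERROR}
        self.failures.pop(email, None)
        return {"ok": True, "error": ""}
```

Note that the hardened handler still lets a single IP lock a known account by design; the per-IP throttle limits how many accounts one source can do that to per minute, which is the trade-off the post asks PixelPin about.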
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I could have written a lot more here, and I would love to hear your opinion on the recent findings of <a href="http://www.public.asu.edu/~zzhao30/">Ziming Zhao</a> (homepage), <a href="https://www.usenix.org/conference/usenixsecurity13/security-picture-gesture-authentication">as presented at Usenix Security '13</a> (video + pdf). Personally I like the idea of picture passwords because of the simplicity it offers to end users who are tired of passwords & PINs, who hate bringing their SecurID tokens everywhere, and are not techies enough to use Google Authenticator.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
What I don't like is usability solutions or improvements that claim to be security improvements.<b> Increasing usability while maintaining or even increasing security is hard. </b>So far I only see an improvement of usability, which is why I've deleted my test account with PixelPin until security is improved. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>I'm all up for discussing my concerns though.</b> We'll do that over a beer or two when I'm in London next time <a href="http://pixelpin.co.uk/2013/08/08/passwords-con-13/">Luke Briner</a>, right? :-)</div>
tag:blogger.com,1999:blog-8400370148915075091.post-3229464931267599242013-08-22T17:34:00.002+02:002013-08-23T08:12:47.604+02:00<br />What security do the parties offer on their websites?<br /><b>I have previously <a href="http://www.aftenposten.no/nyheter/iriks/Kritiserer-e-post-sikkerheten-i-Hoyre-og-Venstre-7271725.html">criticized the parties Venstre and Høyre for poor e-mail security</a></b> (Aftenposten). I have also blogged before about the topic of <a href="http://securitynirvana.blogspot.no/2013/02/step-1-securing-my-e-mail.html">securing e-mail</a>. The Swedish service <a href="http://countermail.com/">Countermail</a>, which claims to offer especially high security for e-mail, is <a href="http://securitynirvana.blogspot.no/2012/05/countermail-protecting-your-privacy.html">something I have also looked at before</a>.<br />
<br />
As a follow-up now during the election campaign, I was triggered by the requests for new members and, not least, money to contribute to the election campaigns of the various parties. Since I have worked for almost 20 years with information security and the Internet, I took a look at the parties' websites to see what the security was like there.<br />
<br />
The result was surprising, and very disappointing. <b><a href="http://www.aftenposten.no/nyheter/iriks/politikk/Hull-i-informasjonssikkerheten-pa-de-fleste-partiers-nettsider-7287358.html">You can read the result at Aftenposten online</a>.</b><br />
<b><br /></b>
The answers are as expected, but nevertheless positive: the parties intend to clean up. I will follow up on that promise.<br />tag:blogger.com,1999:blog-8400370148915075091.post-44030718291544622042013-08-18T22:11:00.001+02:002013-08-18T22:11:23.680+02:00<br />Some things you don't joke about.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_YCjoojW4YXk4VThlyjIdpxfMjcHUn9oQm8nlAsoeac9dhJOuqmoyWxoWqk0ljJeReUlqqYgaMg0iP3BhRJ_lMEHc4CCL-6odJEWAcaQ8VBik1PvEjxCQKUHRo6PlPJzNt2IeymjHKIk/s1600/Noen_ting_header.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="34" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_YCjoojW4YXk4VThlyjIdpxfMjcHUn9oQm8nlAsoeac9dhJOuqmoyWxoWqk0ljJeReUlqqYgaMg0iP3BhRJ_lMEHc4CCL-6odJEWAcaQ8VBik1PvEjxCQKUHRo6PlPJzNt2IeymjHKIk/s320/Noen_ting_header.png" width="320" /></a></div>
<br />
Some may not believe me when I write this, but I actually try to think carefully before I tweet, blog, post, call, e-mail, like, retweet or make statements to the media. I know very well that I can be flippant and harsh in tone. Believe me, at times that is very deliberate.<br />
<br />
Nevertheless, there are some things you don't joke about. Here is an anonymized story about that.<br />
<br />
<a name='more'></a><br /><br />
Over time I receive many tips about things that are poorly secured online. A while back I got a tip of the usual kind: an online store that evidently sends and stores passwords in <b>cleartext. </b>In plain terms: as insecure as it can possibly be made. Naturally not in line with any form of recommended good practice.<br />
<br />
There are very many of those, also here in Norway. Not just online stores, but all kinds of sites where you register with a username and password. (<b>I am working hard to get something done about them, just so that is said.)</b><br />
<b><br /></b>
Normally I don't raise an eyebrow at such a tip, but in this case it was a specialized online store, primarily aimed at public-sector personnel who are often seen in some kind of uniform. Two minutes of browsing the site, and I also see that they ask to be sent a photographed/scanned ID card by e-mail (unencrypted!) in order to sell certain products. This is because they want to keep control of who is buying, and only sell to selected customer groups.<br />
<br />
<b><u>Point 1 (to end users):</u></b><br />
You do not send a copy of government-issued ID (passport, driver's licence) by e-mail, nor ID cards from public agencies via ordinary e-mail. It is bad enough that passports are sent by ordinary mail, but sending a copy of such documents over unencrypted e-mail on the Internet is a really bad idea.<br />
<br />
<b><u>Point 2 (to online stores and web services in general):</u></b><br />
If you have a reasonably legitimate need to identify customers before sale/shipment, then <b>do not ask to be sent a copy of valid ID over unencrypted e-mail!</b><br />
<b><br /></b>
<b>Stating the obvious?</b> Yes. The online store in question can be assumed to hold the following information about its customers, digitally stored in unprotected form:<br />
<br />
<ul>
<li>Name, e-mail and other contact information</li>
<li>Image copy of valid ID card</li>
<li>Customers' passwords in cleartext (=unprotected)</li>
</ul>
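The third item on that list is the one a site can fix in an afternoon: store a password verifier, not the password. As an added example (my code, not the store's), here is the cleartext record the post criticizes next to a migration to PBKDF2-HMAC-SHA256 from the Python standard library; the sample record and the iteration count are assumptions.

```python
"""Replace cleartext password storage with a salted, iterated verifier.

Added example, not the online store's code. PBKDF2-HMAC-SHA256 comes from
the standard library; ITERATIONS is an assumed value, raise it as far as
your login latency budget allows.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000

# Constructed record of the kind the post describes: the password itself, stored as-is.
CLEARTEXT_RECORD = {"username": "kari", "password": "Sommer2013"}


def make_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported verifier format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate(record: dict) -> dict:
    """Turn a cleartext record into one that holds only a verifier.

    The cleartext password is not carried over; after this step the site can
    check a login but cannot e-mail or display the password to anyone.
    """
    return {"username": record["username"], "verifier": make_verifier(record["password"])}


if __name__ == "__main__":
    migrated = migrate(CLEARTEXT_RECORD)
    print(migrated)
    print(check_password(migrated["verifier"], "Sommer2013"))   # True
    print(check_password(migrated["verifier"], "sommer2013"))   # False
```

The salt is stored beside the digest in the same string, so each verifier is self-describing and the iteration count can be raised later for new records without breaking old ones. A site that "sends passwords in cleartext" at registration or in password-reminder mails cannot do so once it only holds verifiers, which is the point.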
<div>
Given the customer group the online store targets, the risk of reuse of username/password across services, and a number of other factors, there is reason to regard their customer data as especially attractive to organized criminal interests. This can have direct consequences for life & health (as opposed to some credit card details going astray), and is <b>not something you joke about.</b></div>
<div>
<b><br /></b></div>
<div>
<b>I am glad to be able to say that someone has been notified, and measures have been, or will be, put in place ASAP.</b></div>
tag:blogger.com,1999:blog-8400370148915075091.post-32357097647423133292013-06-27T09:48:00.000+02:002013-06-27T10:52:24.524+02:00<br />Our Official Channels<br /><i><a href="http://www.idg.no/computerworld/article273912.ece">This text was first published as an op-ed at Computerworld Norge on 26.06.2013.</a></i><br />
<br />
<br />
When Evernote, with its 50+ million users, was hacked in March this year, they used an external partner to notify their users by e-mail. Within a few hours Evernote was flooded with messages from users in various channels, reporting a possible large-scale phishing attack. The reason? They had received mail that could not be traced back to Evernote as the sender; everything came from an unknown third party. There was no information online at Evernote stating that they used this external provider.<br />
<br />
<a name='more'></a><br />
<b><a href="https://www.gjensidige.no/privat/bank/personvern-og-sikkerhet/offisielle-kanaler">Gjensidige</a></b><b> and <a href="https://www.skandiabanken.no/Oss/offisielle-kanaler/">Skandiabanken</a> </b>sit at the top of the search results at Google when I search for <b>official channels online</b>. Unfortunately, sadly few have a consolidated and clear overview of which channels they operate in online. Many have a lot to learn from these two leading examples, and the two deserve praise.<br />
<br />
<b> I hope and believe</b> that most organizations and companies have a reasonably clear communication strategy, but I sorely miss seeing cooperation between the web manager, the marketing people and, not least, the security officer. It is important to secure your official channels against hacker attacks, and it is equally important to inform people about which channels you use, and for what purposes. A few points of contact for manual verification against the organization are not to be sneezed at either, and do include a telephone number. The Internet is not always to be trusted.<br />
<br />
<b> Easily accessible information</b> about which online channels an organization uses is a valuable resource for me and many others. Daily we are flooded with e-mails containing links, popup messages with surveys on websites, and competitions of every conceivable kind. Call me a bit paranoid. I want to check whether the survey that pops up from my bank actually comes from them before I spill details about my personal finances. When the survey sits on a server in the USA with inadequate privacy protection, and I find no information on the bank's pages that this service is located in the USA... Well, then they get no answer from me.<br />
<br />
<b> I won't ask for much.</b> A single web page with information, similar to the leading examples I have already mentioned. For you it is a few hours of work; for your customers it makes the Internet a little safer. Best of all, people like me will more easily be able to inform you, FREE OF CHARGE, about possible attacks against you and your customers. I suppose that is called a win-win situation?<br />
<br />
<b> I await with anticipation.</b><br />tag:blogger.com,1999:blog-8400370148915075091.post-59342360809052359072013-06-17T16:09:00.003+02:002013-06-17T16:09:40.984+02:00<br />We are here.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyBFIJuavPPhfQ4SvPhSfL8Bte8LQW5Hu_lS738oSWDBRuA7DQrUnxhjhSX2R7wsI1KuJ4yuvR0zXtG6wXZFcbK5nXGCVzjM0UcYA-3QqMDiuSrvnK8-tx8PNUTxSE5KJ7g2s_mxXMQuc/s1600/we-are-here.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyBFIJuavPPhfQ4SvPhSfL8Bte8LQW5Hu_lS738oSWDBRuA7DQrUnxhjhSX2R7wsI1KuJ4yuvR0zXtG6wXZFcbK5nXGCVzjM0UcYA-3QqMDiuSrvnK8-tx8PNUTxSE5KJ7g2s_mxXMQuc/s200/we-are-here.png" width="186" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Dear anyone who operates websites & services online</b>, and who operates in various channels to keep in touch with your customers: <b>PLEASE</b> give me easy options for verifying that you are actually... <b>you.</b> If you don't, it is very easy for paranoid people like me to disregard almost anything appearing as "you" as a phishing or malware attempt.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<a name='more'></a><h3>
Background</h3>
<br />
<div class="separator" style="clear: both; text-align: left;">
I went online to one of my banks today, to do some of the tasks we have to do periodically. As soon as the webpage appeared on screen, I also got a popup asking me if I wanted to do a quick customer survey in order to help the bank improve their website. Anonymously of course (...), but still with a chance of winning NOK 500,- (USD 100,-). Woohoo!<br /><br /><b>But first; security.</b> After all, you probably care more about the security part than about seeing me win NOK 500,-, right? :-)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h3>
<b>Risk-loving me, I clicked "Yes".</b></h3>
<div class="separator" style="clear: both; text-align: left;">
<i> (Running Chrome in a disposable VM is usually a good idea)</i>.</div>
<div class="separator" style="clear: both; text-align: left;">
Mind you; I don't like popups at all - I always get suspicious about them - are they legit, or the product of some fancy-schmancy malware-phishing trickery?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I have chosen to drop the name of the bank in question, and focus on the general root cause instead for this blog post. Here's the first screenshot I made:<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaex9LaWSqc3yAorMHXYSJdfqax8Ay116AcT933nhD0-PUDIez5dS9fS9gkUlpZt9uFcIwzPuzmVX3Mpo1rfG4QPyqVO89y6cWd9Fi_eSrnstLKOxFwQqxbMAID1H5C2dtP877U3yQwdE/s1600/survey_picture.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaex9LaWSqc3yAorMHXYSJdfqax8Ay116AcT933nhD0-PUDIez5dS9fS9gkUlpZt9uFcIwzPuzmVX3Mpo1rfG4QPyqVO89y6cWd9Fi_eSrnstLKOxFwQqxbMAID1H5C2dtP877U3yQwdE/s400/survey_picture.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[click for full size]</i></td></tr>
</tbody></table>
<div class="" style="clear: both; text-align: left;">
Hm. It seems as if this is powered by <a href="http://www.surveymonkey.com/">SurveyMonkey</a> (top left), but the URL doesn't indicate that. Oh, and no HTTPS, so everything is sent in the clear. At the bottom there are URLs to <a href="http://customercarewords.com/">Customercarewords</a>, who run this survey in cooperation with <a href="http://netliferesearch.com/">Netliferesearch</a>.</div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<h3>
We Are Here.</h3>
<div class="" style="clear: both; text-align: left;">
I wondered if the bank had any information on their webpage confirming their use of Customercarewords or Netliferesearch, for the purpose of running surveys or anything else. <b>NO SUCH LUCK, </b>their own search engine as well as Google show ZERO results connecting the bank to these services. <b>Crap.</b></div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
<i>In their defence, you <b>really</b> need to look hard to find websites that will tell you which channels they operate in, especially their use of third-party services to communicate with their customers.</i></div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<blockquote class="tr_bq" style="text-align: center;">
<b><span style="font-size: large;">"Could you please set up and maintain a webpage where you list third-parties you are using, and for what purposes?"</span></b></blockquote>
<br />
<h3>
I WANT HTTPS</h3>
<div class="" style="clear: both; text-align: left;">
It's simple: I prefer secured connections before I respond to surveys & other services that "guarantee" me privacy & anonymity, so I added https to that URL above.</div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
<b>BOOO! </b>The layout suddenly changed, and something is very wrong with that SSL certificate. The links to Customercarewords and Netliferesearch at the bottom of the page are also gone:</div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGaO2w-uHCCWuwpQbN_vP65P3MF0p_e-iMO0mZAnUF-c9mRPA_KDxjajYVVQFdxzLwHzAvbKvbUbtXA_zwAkMxgpp0VOAIh04fWGWpKL8c7NW5_CSNqE4CPUA2licc2fL1n-WqX5l1D2I/s1600/2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGaO2w-uHCCWuwpQbN_vP65P3MF0p_e-iMO0mZAnUF-c9mRPA_KDxjajYVVQFdxzLwHzAvbKvbUbtXA_zwAkMxgpp0VOAIh04fWGWpKL8c7NW5_CSNqE4CPUA2licc2fL1n-WqX5l1D2I/s400/2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[click for full size]</i></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Closer look, part 1:</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDoMxMQEqq9LlnctwcT9pbWohqp-Dbr3ouVP1LF91J-m3QPCt9JTbvaoVo_XUbc16_BP2AmOLDJS0iLuVC3Ew12XeFALj5CCVSS9z3H2kX4e_3n031LafdKU7BxrYx1VEkutFUH_rHf6Y/s1600/3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDoMxMQEqq9LlnctwcT9pbWohqp-Dbr3ouVP1LF91J-m3QPCt9JTbvaoVo_XUbc16_BP2AmOLDJS0iLuVC3Ew12XeFALj5CCVSS9z3H2kX4e_3n031LafdKU7BxrYx1VEkutFUH_rHf6Y/s320/3.png" width="256" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[Certificate name does not match site name. Surprise, surprise!]</i></td></tr>
</tbody></table>
<br />In fact the certificate has been issued for <b><a href="https://pagodabox.com/">*.pagodabox.com</a></b>, which is something quite different:<div>
<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdqXcncfm1TP6fCcN8UgDtEYvykBlsnxw0HGF7YLTtdMhLXL9UEk9zlAyKQZOeX9rqK3pikq0uHDzA9ZlQwGLstX0gdlUbn_mTBINBJCd3HJ0vJf-xOjKIBWifN4zmybLK-0VvRd1_As0/s1600/4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdqXcncfm1TP6fCcN8UgDtEYvykBlsnxw0HGF7YLTtdMhLXL9UEk9zlAyKQZOeX9rqK3pikq0uHDzA9ZlQwGLstX0gdlUbn_mTBINBJCd3HJ0vJf-xOjKIBWifN4zmybLK-0VvRd1_As0/s320/4.png" width="257" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[click for full size]</i></td></tr>
</tbody></table>
<br />
<b>Closer look, part 2:</b><br />
So this stinks of hosted services, with mix-ups of IP addresses, DNS names, SSL certificates and what-not. Just to go one step further, I ran *.pagodabox.com through <a href="https://www.ssllabs.com/">SSL Labs</a>, with a grade B result:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2qRbqj6fua0n_JqEn3vasiATNwNB-T5mFHbFEghVzatYSjgsgBQ2F9eCvD4laxbk3sneF0kcqJx49Zz-UzB8O3YNPehlFfJi3TY8cYIWwkAoWdpYr3Pm3qm5mwRmzdR8C1FWrmVtdVRg/s1600/55_ssllabs.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2qRbqj6fua0n_JqEn3vasiATNwNB-T5mFHbFEghVzatYSjgsgBQ2F9eCvD4laxbk3sneF0kcqJx49Zz-UzB8O3YNPehlFfJi3TY8cYIWwkAoWdpYr3Pm3qm5mwRmzdR8C1FWrmVtdVRg/s320/55_ssllabs.png" width="102" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[Click to view a veerrrrryyyyy long image :-)]</i></td></tr>
</tbody></table>
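The browser warning in the screenshots comes from exactly one rule: the name in the certificate must cover the host in the address bar, and a wildcard like *.pagodabox.com covers only one label. As an added example (my code, not the bank's, the survey vendor's or pagodabox's), the check below implements that rule over a certificate dictionary shaped like Python's <code>ssl.SSLSocket.getpeercert()</code> output; the certificate contents and hostnames are constructed.

```python
"""Does a certificate's name cover the host you connected to?

Added example. Matching follows the RFC 6125 rule: a wildcard is accepted
only as the whole leftmost label, covers exactly one label, and must leave
at least two fixed labels. The sample certificate below is constructed to
look like the *.pagodabox.com case in the post.
"""


def _label_matches(pattern: str, label: str) -> bool:
    """One DNS label: a bare '*' covers any label, otherwise compare case-insensitively."""
    if pattern == "*":
        return True
    return pattern.lower() == label.lower()


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if the DNS name from the certificate covers `hostname`."""
    cert_labels = cert_name.split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard covers one label, so the label counts must agree
    if "*" in cert_name:
        if cert_labels[0] != "*" or any("*" in lab for lab in cert_labels[1:]):
            return False  # only a bare, leftmost '*' is a valid wildcard
        if len(cert_labels) < 3:
            return False  # refuse '*.com'-style names
    return all(_label_matches(p, lab) for p, lab in zip(cert_labels, host_labels))


def cert_covers_host(cert: dict, hostname: str) -> bool:
    """`cert` is shaped like ssl.SSLSocket.getpeercert(): DNS subjectAltName entries
    are authoritative; the subject commonName is consulted only when there are none."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        dns_names = [value for rdn in cert.get("subject", ())
                     for key, value in rdn if key == "commonName"]
    return any(name_matches(name, hostname) for name in dns_names)


# Constructed certificate dictionary for the situation in the post.
PAGODABOX_STYLE_CERT = {
    "subject": ((("commonName", "*.pagodabox.com"),),),
    "subjectAltName": (("DNS", "*.pagodabox.com"), ("DNS", "pagodabox.com")),
}

if __name__ == "__main__":
    # The survey host name is constructed; any name outside pagodabox.com fails the same way.
    print(cert_covers_host(PAGODABOX_STYLE_CERT, "survey.example-bank.no"))  # False
    print(cert_covers_host(PAGODABOX_STYLE_CERT, "app.pagodabox.com"))       # True
```

When a hosted vendor serves your survey from a shared platform, the platform's wildcard certificate is the one the browser sees, and it will never cover a name under your own domain. That is the mismatch the screenshot shows, and the fix is on the vendor's side: a certificate issued for the name the customer is actually sent to.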
<br />
<h3>
Anyway, to end by quoting myself from above:</h3>
<br /><br />
<blockquote class="tr_bq" style="text-align: center;">
<b><span style="font-size: large;">"Could you please set up and maintain a webpage where you list third-parties you are using, and for what purposes?"</span></b></blockquote>
<div>
<br /></div>
It would be very helpful to aid in the protection of your customers, instead of adding to the global problem of Fear, Uncertainty & Doubt, which again leads to more and more successful phishing attempts.<br />
<br />
--<br />
<br />
And here are 2 wonderful examples in Norway, showing exactly what I would recommend anyone to do:<br /><a href="https://www.skandiabanken.no/Oss/offisielle-kanaler/">Skandiabanken</a><br />
<a href="https://www.gjensidige.no/privat/bank/personvern-og-sikkerhet/offisielle-kanaler">Gjensidige</a></div>
Bergen, Norway<br />tag:blogger.com,1999:blog-8400370148915075091.post-13943721361549740612013-06-13T13:39:00.002+02:002013-06-13T13:39:22.205+02:00<br />New video: Configuring strong & memorable PIN codes on your iPhone<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/Gf7JBGdwzkc?feature=player_embedded' frameborder='0'></iframe></div>
<br />
Ok, so I've reached the point where I had to make this video. There are just way too many people out there who believe a 4-digit PIN is the only "passcode" option available on their iPhone, iPod & iPad. It's not.<br /><br />Using a password on a (small) mobile device can be a pain in the ass, but you can still use a "password" to unlock your device. Watch this video to see how I create and use a longer PIN code, while making it very simple to remember.<br />
<br />
- Stronger PIN code<br />
- Easy to enter<br />
- Easy to remember<br />
<br />
What else do you want? :-)<br />tag:blogger.com,1999:blog-8400370148915075091.post-9923509185186256632013-06-09T17:00:00.002+02:002013-06-09T17:00:48.447+02:00<br />Secure political e-mail<br />The election campaign is underway, no doubt about it. The parties, and not least the party leaders, are well into speeches, wishes, criticism of their opponents and, not least, many promises with reservations.<br />
<br />
Now a "surveillance scandal" has hit the USA, <a href="http://www.vg.no/nyheter/utenriks/artikkel.php?artid=10117032">already</a> <a href="http://www.vg.no/nyheter/utenriks/artikkel.php?artid=10117130">duly</a> <a href="http://www.dagensit.no/article2626808.ece">covered</a> <a href="http://www.dagbladet.no/2013/06/07/nyheter/overvakning/nsa/27589711/">by</a> <a href="http://www.aftenposten.no/nyheter/uriks/USA-i-gang-med-jakt-pa-de-som-lekket-dokumentene-til-overvakingsskandalen-7224711.html">the media</a> and <a href="http://www.aftenposten.no/nyheter/uriks/IT-eksperter-tror-ikke-pa-Google-og-Facebook-dementier-om-massiv-overvaking-7223582.html#.UbSMJfnIbqc">commented on</a> <a href="http://www.hardware.no/artikler/kommentar-kan-ikke-vike-fordi-politikerne-ikke-forstar-hva-en-ip-adresse-er/134219">here at home as well</a>.<br />
<br />
Here is a small tip for the parties working on their programmes, one that is neither populist, politically coloured nor controversial: give us more secure communication when e-mail is used in public administration. It is among the very simple measures to implement, it requires no gigantic IT projects, and there are no alternatives to consider beyond Yes/No.<br />
<br />
<a name='more'></a><br />
<h3>
Background</h3>
In spring 2010 my former employer and I showed how <b><a href="http://www.dagensit.no/article1881581.ece">the Office of the Prime Minister uses false ID</a> </b><i>(headline: Dagensit.no). </i><a href="http://www.dagensit.no/article1883066.ece">We got a response too</a>, from the Norwegian Courts Administration (Domstoladministrasjonen) in Trondheim.<br />
<br />
<a href="http://www.nettavisen.no/it/article2458476.ece">Many politicians spoke out when the Swedish FRA law came into force</a>; suddenly the Swedes could, with the law in hand, intercept most Internet traffic from Norway to other countries. <a href="http://ikt-norge.no/">IKT-Norge</a> was among those on the barricades, warning against and protesting this surveillance.<br />
<br />
<h3>
Status June 2013</h3>
When I now do a quick check to see what has happened since last time, the answer is "sadly little". <b>All e-mail to the parties Venstre and Høyre is sent out of the country.</b> Via Sweden and the FRA law.<br />
<br />
<b>Høyre</b> uses a filtering service in Denmark to make sure they don't get too much junk mail or viruses. <b>The consequence</b> is that all e-mail is sent via Sweden to Denmark for checking, and back again for storage & reading.<br />
<br />
<b>Venstre</b> uses Google's e-mail service. That is, the party that has been very prominent in the privacy debate. A touch of irony should be allowed here. <b>The consequence </b>is that all e-mail to the party Venstre is sent out of the country, and is stored there on a permanent basis. <i>Not quite sure about the regional policy angle here, by the way.</i><br />
<br />
<h3>
Recommendation</h3>
<b>Public administration should have its Internet services located in Norway.</b> Call it regional policy, prioritization, national self-esteem or protection of our society, identity or privacy; it's all the same to me.<br />
<br />
By implementing a minimal change that is 100% standardized on the Internet, with no alternatives to consider, we can make an important improvement for privacy. <b>E-mail will no longer be sent as open postcards on the Internet, but as a sealed envelope with superglue and a padlock</b>. A small change that makes a big difference.<br />
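The post does not name the standardized mechanism; my reading of "sealed envelope" for mail between servers is STARTTLS for SMTP (RFC 3207), and that reading is an assumption. As an added example (my code, not the author's or DIFI's), here is how to tell from a server's EHLO reply whether it offers TLS for incoming mail, with a pure parser you can run offline on the constructed replies below and a live probe built on the standard library's <code>smtplib</code> for real MX hosts.

```python
"""Does a mail server offer STARTTLS to senders?

Added example. The assumption is that the "standardized change" in the post
is SMTP STARTTLS (RFC 3207). The EHLO replies below are constructed; the
live probe needs network access and is not exercised by the offline demo.
"""
import smtplib


def parse_ehlo(reply: str) -> set:
    """Return the set of extension keywords advertised in a multi-line EHLO reply.

    The first 250 line carries the server's hostname and greeting, not an
    extension, so it is skipped; every later '250-' or '250 ' line names one.
    """
    keywords = set()
    seen_greeting = False
    for line in reply.splitlines():
        if len(line) < 4 or line[:3] != "250":
            continue  # not a 250 reply line (banner, other codes, blank)
        if not seen_greeting:
            seen_greeting = True
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword:
            keywords.add(keyword)
    return keywords


def offers_starttls(reply: str) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


def probe_starttls(host: str, timeout: float = 10.0) -> bool:
    """Live check against an MX host on port 25 (network required).

    smtplib.SMTP.has_extn() reads the same EHLO keywords parse_ehlo() parses.
    """
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        smtp.ehlo("probe.example")  # hostname used in the greeting; an assumed placeholder
        return smtp.has_extn("starttls")


# Constructed EHLO replies: one server offering STARTTLS, one that does not.
GOOD_EHLO = (
    "250-mx.example.no Hello probe.example\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
BAD_EHLO = (
    "250-mx.example.no Hello probe.example\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    print(parse_ehlo(GOOD_EHLO), offers_starttls(GOOD_EHLO))  # ..., True
    print(parse_ehlo(BAD_EHLO), offers_starttls(BAD_EHLO))    # ..., False
```

Two caveats a practitioner will want. First, STARTTLS is opportunistic: the sending server decides whether to insist on it, and an on-path party that can edit the EHLO reply can make the extension disappear, which is what MTA-STS and DANE exist to prevent. Second, the check above answers only whether the envelope can be sealed; where the mail is then stored is the separate question the post's MX check (the "Case attachments" section) addresses.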
--<br />
<br />
<b><a href="http://www.difi.no/">DIFI</a></b> has looked at our recommendation, after our report in spring 2010. So far the proposal has ended up on the "not prioritized" list, and after reading all the available documentation in the case I am afraid they have misunderstood. There, a simple little measure has been made difficult beyond recognition, and thus been deprioritized.<br />
<br />
<b>Rumour has it that DIFI may be interested in doing a new assessment, and here the political parties have an opportunity to take on a cause that is cheap, feasible, already standardized and without controversy of any kind. </b>You're welcome, my pleasure. I will more than gladly contribute if needed.<br />
--<br />
<br />
<h3>
<b>To IKT-Norge:</b></h3>
Great that you are on the barricades, both for privacy and against Swedish surveillance. Just for the record: you <i style="font-weight: bold;">know</i> that you use Google's e-mail service, right? Do you see any irony in this?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJQFSfL9mhFbcxk8gFuS2L7o0708TVbvL6YihX5EKW5ZIx8UU9HHhDP4Y_Tsep2GNIIsfDqp3NRFdjA5l2IDb6pOz2_FHjmRce1XApa9eO61xowuy4gQSTDZCbUfphSm94R5UGNYAjKlo/s1600/IKT-Norge.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJQFSfL9mhFbcxk8gFuS2L7o0708TVbvL6YihX5EKW5ZIx8UU9HHhDP4Y_Tsep2GNIIsfDqp3NRFdjA5l2IDb6pOz2_FHjmRce1XApa9eO61xowuy4gQSTDZCbUfphSm94R5UGNYAjKlo/s1600/IKT-Norge.png" /></a></div>
<br />
<h3>
Case attachments</h3>
<div>
A check on 9 June shows that e-mail to <b>Venstre</b> and <b>Høyre</b> leaves the country. FRP, Arbeiderpartiet, SV, SP, KRF and Rødt stay within the country's borders.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4Uusb-yb1DYqigJnQgBMWI3BaAMpLlZHnBTvIpBw8VeI0ZAjL7pR5GSbGCFp9Iy1isEV6XQbMK9PVrAmPsbutVG-SbqkNc_32NytMz-nHwCVrJSZ8uwqCbs5L2r0u5Sgi6752Fr6LCP0/s1600/Venstre_og_Hoyre.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4Uusb-yb1DYqigJnQgBMWI3BaAMpLlZHnBTvIpBw8VeI0ZAjL7pR5GSbGCFp9Iy1isEV6XQbMK9PVrAmPsbutVG-SbqkNc_32NytMz-nHwCVrJSZ8uwqCbs5L2r0u5Sgi6752Fr6LCP0/s1600/Venstre_og_Hoyre.png" /></a></div>
<br />
<div>
<br /></div>
<div>
<br /></div>
tag:blogger.com,1999:blog-8400370148915075091.post-83776835957015131402013-05-23T23:23:00.003+02:002013-05-23T23:26:13.082+02:00<br />Passwords^13<div class="separator" style="clear: both; text-align: center;">
</div>
<h2 style="text-align: center;">
YES, IT'S HAPPENING!</h2>
<div>
<b>Las Vegas. July 30-31.</b> Same time as <a href="http://blackhat.com/">Blackhat</a>, overlapping slightly with <a href="http://bsideslv.com/">BsidesLV</a> and a few days before <a href="http://defcon.org/">Defcon</a>, where our friends at <a href="http://korelogic.com/">Korelogic</a> will be running the annual CrackMeIfYouCan competition once again.</div>
<div>
<b>But please</b>, <b>do visit <a href="http://passwordscon.org/">passwordscon.org</a> to learn more. Call for presentations, venue, registration, SPONSORING....</b> My friend & password cracking partner <a href="https://twitter.com/jmgosney">Jeremi Gosney</a> of <a href="http://stricture-group.com/">Stricture Consulting Group</a> runs the page, and does a fantastic job of "local" organization in the US / Las Vegas.<br />
<br />
I hope to see you there! :-)</div>
tag:blogger.com,1999:blog-8400370148915075091.post-24814928156733127772013-05-23T14:32:00.002+02:002013-05-23T14:32:36.269+02:00<br />Password Crackers Hierarchy of Needs<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFO73Y629ysziuSJK774gWsM2zCVe_Cxsoa61BuGLl2hBQircrUk9V9-xFuIpKKm1RnWRROKZDli_lwPpWLNK-dXVzi9G7d-B8nlNgOvN944WhB723s2LxXy2MF1GicYTMU0405FqSea4/s1600/Password_crackers_hierarchy_of_needs.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="444" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFO73Y629ysziuSJK774gWsM2zCVe_Cxsoa61BuGLl2hBQircrUk9V9-xFuIpKKm1RnWRROKZDli_lwPpWLNK-dXVzi9G7d-B8nlNgOvN944WhB723s2LxXy2MF1GicYTMU0405FqSea4/s640/Password_crackers_hierarchy_of_needs.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>[Click for full size]</i></td></tr>
</tbody></table>
<br />tag:blogger.com,1999:blog-8400370148915075091.post-31981248560778852582013-05-23T11:57:00.000+02:002013-05-23T11:59:51.125+02:00<br />Why SMS 2FA Twitter, WHY?<h3>
Dear Twitter,</h3>
Congratulations on adding 2-factor authentication, or "<a href="https://blog.twitter.com/2013/getting-started-login-verification">login verification</a>" as you have named the baby. <a href="http://money.cnn.com/2013/02/21/technology/social/twitter-hacking/index.html">It's</a> <a href="http://arstechnica.com/security/2013/04/hacked-ap-twitter-feed-rocks-market-after-sending-false-news-flash/">way</a> <a href="http://money.cnn.com/2013/05/17/technology/security/hacking-financial-times/index.html">overdue</a> imho. With me being 1) one of those criticizing you for being slow with introducing 2FA, and 2) one of those who can't get it quite yet (as Norway and all the telcos here don't exist in your settings universe quite yet), I do have some questions for you.<br />
<br />
<a name='more'></a>Essentially my questions are already summarized elegantly by <a href="https://twitter.com/thepacketrat/">Sean Gallagher</a> at <a href="http://arstechnica.com/security/2013/05/twitter-launches-two-factor-authentication-too-late-to-save-the-onion/">arstechnica in this article</a>.<br />
<br />
<i>My short list, with comments:</i><br />
<br />
<h3>
Why no one-time device/app type authentication/authorization?</h3>
This would be more user friendly, and similar to Google, Dropbox & Facebook, it would aid in standardizing both security & user experience across multiple services. Now you introduce something "new" in terms of security to your users.<br />
<br />
<h3>
Usability, Usability & Security Usability (where did they go?)</h3>
I'm afraid using SMS *every* time at logon will make lots of users stay away from using it, or stay permanently logged in. Neither of those options is preferable if you ask me.<br />
<br />
<h3>
Protecting shared corporate accounts</h3>
<div>
@AP got hacked. Many others as well, but <a href="http://arstechnica.com/security/2013/04/hacked-ap-twitter-feed-rocks-market-after-sending-false-news-flash/">@AP really rocked the world</a>, at least for 7 minutes. You know, just as many of us paranoids do, that high-value, high-profile & high-target corporate accounts are shared between multiple users & employees. <b>Wild guess: their passwords suck, and never get changed. </b>By deploying an SMS solution like you've done now, protecting such accounts using your SMS 2FA will be <b>hard</b> to do in real life. </div>
<div>
<br /></div>
<div>
Guess what; <b>end users want better security</b> <b>as long as it doesn't affect current usability.</b></div>
<br />
<h3>
Access to Twitter suddenly depends on SMS</h3>
<div>
As I wrote at the top, I'm in Norway. Norway isn't listed as a country yet in your settings, neither are any of the telcos here, so I can't enable login verification quite yet. If I lose my phone running a standardized TOTP authentication app, it's my problem. If my telco cannot deliver your SMS in seconds, I won't log in. Then I won't use your service, and post to Facebook, G+ and Instagram instead. I guess you don't want that to happen?</div>
<div>
<br /></div>
<h3>
So please, get me some more options</h3>
<div>
<b>I'm a Twitter addict.</b> I want better security, but preferably not at a great cost/loss of usability. From what it looks like now, even before I've been able to configure login verification, I'm skeptical. I cheered when Dropbox introduced <a href="http://tools.ietf.org/html/rfc6238">RFC6238</a> (TOTP) support, I enjoyed using my existing Google Authenticator app to handle it, I laughed when I discovered <a href="http://www.pcworld.com/article/2036252/how-to-set-up-two-factor-authentication-for-facebook-google-microsoft-and-more.html">how to configure Facebook 2FA support into Authenticator</a>, and of course I've got my SSH servers in there as well.</div>
<div>
<br /></div>
<div>
<a href="http://money.cnn.com/2013/02/21/technology/social/twitter-hacking/index.html">I'm sorry for lashing out at you earlier</a>, if this SMS solution is what we get. It could be done better, and the solutions were already available out there.</div>
<div>
<br /></div>
<div>
<i>Hoping for the best,</i></div>
<div>
Per Thorsheim</div>
<div>
<br /></div>
securitynirvana http://www.blogger.com/profile/11264687350187854173 noreply@blogger.com 0
tag:blogger.com,1999:blog-8400370148915075091.post-8308449650986057614 2013-04-26T00:01:00.000+02:00 2013-04-26T10:43:25.110+02:00
Cryptonerds PINs
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr7CXralV66IloZ8DfA5KrvTV-THI9-GnPiTSHAFlSwKg63RsbZQTt3BuFuE1ixcST30kSJpp2N9ZY6LDC-kOEseAzoaBCH38DEEGC93tdbbHtkFHnfR4_8KLXRtfTgwaaGM6J9h0mMkU/s1600/Header.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="119" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr7CXralV66IloZ8DfA5KrvTV-THI9-GnPiTSHAFlSwKg63RsbZQTt3BuFuE1ixcST30kSJpp2N9ZY6LDC-kOEseAzoaBCH38DEEGC93tdbbHtkFHnfR4_8KLXRtfTgwaaGM6J9h0mMkU/s400/Header.png" width="400" /></a></div>
<br />
I'm at <a href="http://www.finse1222.no/en">Finse1222</a>, attending the annual <a href="http://www.frisc.no/arrangementer/finse-winter-school-2013/">FRISC Winter School 2013</a>. I did an <a href="http://www.frisc.no/wp-content/uploads/2013/02/finse2013-thorsheim.pdf">evening talk</a> (PDF) on Tuesday, the first part about legal issues with Bring Your Own Device & Mobile Device Management, the second part about some random thoughts on passwords & PIN codes, primarily to catch some interest from the audience of PhD students and professors, most of them within infosec/crypto at academic institutions from around the world.<br />
<br />
Based on questions and some extra interest from <a href="http://www.dtu.dk/English/Service/Phonebook.aspx?lg=showcommon&id=78945&type=publications">Andrey Bogdanov</a> and <a href="http://www.informatik.uni-trier.de/~ley/pers/hd/r/R=oslash=njom:Sondre.html">Sondre Rønjom</a>, the three of us decided to do a little experiment. Here are the results. :-)<br />
<br />
<a name='more'></a><b>First of all</b>, look at page 8 (PIN heatmaps) from my Tuesday evening talk (link above). I gave a short description of that slide, referring to the findings of <a href="http://www.cl.cam.ac.uk/~jcb82/">Joseph Bonneau</a> et al., University of Cambridge. I highlighted the lower left block, the vertical line of years (19xx) and the 0000-1111-2222....9999 line.<br />
<br />
Then take a look at the <a href="https://dl.dropboxusercontent.com/u/3308274/Finse/Frisc_Finse_2013_PINs_for_cryptonerds.pdf">slides we presented yesterday</a> (PDF, Dropbox). The initial cover page, then our request for the audience (26 people) to write down the following:<br />
<br />
<ol>
<li><b>One</b> 4-digit PIN that you think you will easily remember on Friday afternoon</li>
<li><b>One</b> RANDOM 4-digit PIN</li>
<li><b>One</b> 7-digit PIN that you think you will easily remember on Friday afternoon</li>
</ol>
<div>
Questions on Tuesday evening from Andrey & Sondre were specific to the obvious "block patterns" in the heatmaps from Bonneau. Even though I didn't provide an explanation for those, they are observed and explained in the post over at <a href="http://www.datagenetics.com/blog/september32012/">Datagenetics</a>, which I refer to later in our presentation.</div>
<div>
<br /></div>
<div>
I discussed with Andrey & Sondre in advance, and we ended up asking for the 3 PIN codes listed above. Andrey was curious about the possible differences between memorable & "random" 4-digit PINs, while I wanted the 7-digit PIN for other reasons:</div>
<div>
<br /></div>
<h3>
Association elements of passwords & PINs:</h3>
<div>
<b>Back in 2010</b>, at Passwords^10 in Bergen, we had Howard Smith, "chief hacking officer" at Oracle (UK), talking about user-selected PIN codes. You can see a <a href="http://www.youtube.com/watch?v=tS0PXWEiiYU">recording of his talk on Youtube here</a>. In the talk he discusses PIN codes longer than 4 digits, mentioning things like memorability and the association elements used to remember longer PINs.</div>
<div>
<br /></div>
<div>
Now the association element part is what triggered my interest in asking for a 7-digit PIN. Back in 2012 I was invited to be co-author on the paper "Cracking Associative Passwords" from <a href="http://www.nordrekalstad.com/kirsi">Associate Professor Kirsi Helkala</a>. She presented that paper at Passwords^12; the <a href="http://passwords12.at.ifi.uio.no/">video recording & PDF</a> are online through our media archive.<br />
<br />
Perhaps the most interesting finding from her research was the use of color words as an associative element, which <a href="http://stricture-group.com/">Jeremi Gosney</a> helped me verify, and <a href="http://no.linkedin.com/pub/tom-kristian-t%C3%B8rrissen/44/91a/b50">Tom K. Tørrissen</a> visualized using <a href="http://securitynirvana.blogspot.no/2012/06/linkedin-password-infographic.html">infographics</a>. Pretty cool finding imho.</div>
<div>
<br /></div>
<div>
So I've had discussions with friends on PIN codes that would be easy to remember. In general, 4, 6 and 8 digit PINs can easily be associated with birthdates, Christmas and similar date constructions. For Norwegians all mobile and landline telephone numbers are 8 digits. 11 digits could be our Social Security Numbers (SSN), which most people remember since it is used as our username for several public services.</div>
<div>
<br /></div>
<div>
The obvious question came to mind: "What kind of PIN codes would users select if we ask for 5, 7, 9 or 10 digits?". More of a psychological experiment than a real-world scenario, I thought it could be interesting to use this opportunity to give it a shot. So we did. In order not to completely overwhelm the poor crypto researchers with advanced memory tasks, we settled on asking for 3 PINs, with a memorable 7-digit PIN as the longest one.</div>
<div>
<br /></div>
<h3>
Findings from our little experiment - part 1</h3>
<div>
<b>Andrey Bogdanov</b> made the following statistics, based on the collected data:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLa2n4I4WTAiIg9raw7wMU5Xs_1zHE9ifl3fWXW0_Mt6tuqIbiC578sRULS-SXjUA_2J6VGGoZWXjr-hHns0v5f1cOPLKfWXa-ikkvjCybY5h665wXqcbIobJVxcemWICNVcSq7hyphenhyphenJ0so/s1600/4-digit-memorable-distribution.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLa2n4I4WTAiIg9raw7wMU5Xs_1zHE9ifl3fWXW0_Mt6tuqIbiC578sRULS-SXjUA_2J6VGGoZWXjr-hHns0v5f1cOPLKfWXa-ikkvjCybY5h665wXqcbIobJVxcemWICNVcSq7hyphenhyphenJ0so/s1600/4-digit-memorable-distribution.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>1, 2 & 7 seem especially easy to remember, while 6 is not.</i></td></tr>
</tbody></table>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_kFIJTEPsgEGnpcMRmZ_4LK_wyExAieI4ET5MU2F3BD38NSMWQ5tNJwYsiosR071Uj2WELoYmGSDPSO55-fWpv_ycic-iWQvr2r63F4Vy1uVIKIi6A_SGv9bhuoHZzI3pePiuqRbRaUY/s1600/4-digit-random-distribution.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_kFIJTEPsgEGnpcMRmZ_4LK_wyExAieI4ET5MU2F3BD38NSMWQ5tNJwYsiosR071Uj2WELoYmGSDPSO55-fWpv_ycic-iWQvr2r63F4Vy1uVIKIi6A_SGv9bhuoHZzI3pePiuqRbRaUY/s1600/4-digit-random-distribution.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>3 & 9 are very 'random' digits, while 0 isn't considered a random number by crypto researchers?</i></td></tr>
</tbody></table>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgamNW80wv48WBcJrouAdfEcqIBxDr5z0U5-K1bl4xGH3fbwJC5S4NBMKqwCV611w20iyaGUTo5av3qQWpHp_UnuFmShOdW68dC2sdH7hDu_QDXiu8HJydEifwIGCDo8Ra_UTu7ZregphE/s1600/7-digit-memorable-distribution.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgamNW80wv48WBcJrouAdfEcqIBxDr5z0U5-K1bl4xGH3fbwJC5S4NBMKqwCV611w20iyaGUTo5av3qQWpHp_UnuFmShOdW68dC2sdH7hDu_QDXiu8HJydEifwIGCDo8Ra_UTu7ZregphE/s1600/7-digit-memorable-distribution.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Just like the 4-digit memorable PINs, digits 1 & 2 seem easy to remember, while 6 is not.</i></td></tr>
</tbody></table>
<div>
<br /></div>
<h4>
Heatmapping</h4>
<div>
Using a custom built tool by my friend <a href="http://no.linkedin.com/in/kluzz">Jan Fredrik Leversund</a> (<a href="https://twitter.com/kluzz">@kluzz</a>), I ran the collected data to create heatmaps similar to those created by Joseph Bonneau et al. as well. Maybe not that useful with only 26 participants, but the difference between memorable 4-digit PINs and "random" 4-digit PINs is interesting. The heatmaps have the first digits on the horizontal axis, and the last (two) digits on the vertical axis, just like Bonneau et al. did in their papers & presentations.</div>
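<div>
To make the two analyses in this post concrete (the per-digit bar charts in part 1 and the Bonneau-style heatmap grid described just above), here is an added example, not Jan Fredrik's tool or any code from the post: it counts digit frequencies, builds the leading-digits-versus-last-two-digits grid sparsely so the same function works for 7-digit PINs, and labels the structural patterns the post points to (repeated digits, 19xx/20xx years, DDMM/MMDD dates and digit runs). The twelve PINs are constructed sample input, not the 26 collected at Finse, and reading the dense lower-left block of the heatmap as date-like PINs is this example's assumption.</div>

```python
from collections import Counter

# Constructed sample of 4-digit PINs standing in for the collected data set (not on the page).
SAMPLE_PINS = ["1234", "1984", "2013", "1111", "0710", "2402",
               "7777", "1357", "3968", "1212", "4269", "0000"]


def digit_frequencies(pins):
    """How often each digit 0-9 occurs across all PINs: the bar charts in 'part 1'."""
    counts = Counter()
    for pin in pins:
        counts.update(pin)
    return {str(d): counts[str(d)] for d in range(10)}


def heatmap(pins, tail=2):
    """Bonneau-style grid: leading digits on one axis, the last `tail` digits on the other.
    Stored sparsely as {(head, tail): count}, so a 7-digit grid (100000 x 100 cells) costs nothing."""
    cells = Counter()
    for pin in pins:
        if not pin.isdigit() or len(pin) <= tail:
            raise ValueError(f"not a PIN longer than {tail} digits: {pin!r}")
        cells[(int(pin[:-tail]), int(pin[-tail:]))] += 1
    return cells


def classify(pin):
    """Structural patterns the post highlights in the heatmaps. 'date' (DDMM or MMDD with
    both halves in range) is the assumed explanation of the dense lower-left block."""
    labels = []
    if len(set(pin)) == 1:
        labels.append("repeated")          # 0000, 1111, ... 9999: the diagonal line
    if len(pin) == 4 and pin[:2] in ("19", "20"):
        labels.append("year")              # the vertical line of 19xx (and 20xx) years
    if len(pin) == 4:
        a, b = int(pin[:2]), int(pin[2:])
        if (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31):
            labels.append("date")
    digits = [int(c) for c in pin]
    if {y - x for x, y in zip(digits, digits[1:])} in ({1}, {-1}):
        labels.append("sequence")          # 1234 / 4321 style runs
    return labels or ["none"]


def pattern_summary(pins):
    """How many PINs carry each label; a quick measure of how 'user-chosen' a sample looks."""
    summary = Counter()
    for pin in pins:
        summary.update(classify(pin))
    return dict(summary)


def hottest_cells(pins, n=3, tail=2):
    """The n most-populated heatmap cells, i.e. the PINs a blocklist should cover first."""
    return heatmap(pins, tail).most_common(n)


if __name__ == "__main__":
    print("digit frequencies:", digit_frequencies(SAMPLE_PINS))
    print("patterns:", pattern_summary(SAMPLE_PINS))
    print("7-digit cell:", heatmap(["1234567"], tail=2))
```

<div>
With the real 26-PIN sets, the memorable and "random" lists would be passed through <code>pattern_summary</code> and <code>heatmap</code> separately; the drop in "date" and "year" labels between the two lists is the numeric counterpart of the emptied lower-left block in the second heatmap.</div>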
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhisG3Gw3-x33zF_J2UFWNbG1Kt6WC1jZLvZGNvTm5Ty4Xcy_i3-BqdvkCPjd53HF75VFvfxZwuPohtmBrfRmmNmNdHIIhb-tjdPFdxIl7X8f14xShc2kVwRIwkr9Y17j7d-d8LjHDKrM4/s1600/4-digit-memorable.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhisG3Gw3-x33zF_J2UFWNbG1Kt6WC1jZLvZGNvTm5Ty4Xcy_i3-BqdvkCPjd53HF75VFvfxZwuPohtmBrfRmmNmNdHIIhb-tjdPFdxIl7X8f14xShc2kVwRIwkr9Y17j7d-d8LjHDKrM4/s320/4-digit-memorable.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Heatmapping 26 4-digit user-selected memorable PIN codes.</i></td></tr>
</tbody></table>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinx2swCll2iHeaTrmW7g2y9R9ucT5Is5GwMHPDsMNpuuULhHTWvRAzydlUn6fCIPjWZhy9SwNJC08m6HITcpPDMlImVtY9bgkDPfX6showfT_7F-ZN26htX2XX4hBmo0x9LOPKNAeJ368/s1600/4-digit-random.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinx2swCll2iHeaTrmW7g2y9R9ucT5Is5GwMHPDsMNpuuULhHTWvRAzydlUn6fCIPjWZhy9SwNJC08m6HITcpPDMlImVtY9bgkDPfX6showfT_7F-ZN26htX2XX4hBmo0x9LOPKNAeJ368/s320/4-digit-random.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Heatmapping 26 4-digit user-selected random PIN codes. No doubt people fled the lower-left block of PINs!</i></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXDk3N2afz8khqSbncAPQKEWgCmF3e-mw6kQXXR6-7VpuEfI7ckCTJhjLZ92LkLwK7sP76elwxk-fe4NrtNcsubFrxyc1UNbVBkAvY023IzBXCRa21cGg-HUP4s7Z4ffMJfiTjiI9pVOc/s1600/7-digit-memorable.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXDk3N2afz8khqSbncAPQKEWgCmF3e-mw6kQXXR6-7VpuEfI7ckCTJhjLZ92LkLwK7sP76elwxk-fe4NrtNcsubFrxyc1UNbVBkAvY023IzBXCRa21cGg-HUP4s7Z4ffMJfiTjiI9pVOc/s320/7-digit-memorable.png" width="319" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Heatmapping 26 7-digit user-selected memorable PIN codes.</i></td></tr>
</tbody></table>
<div>
Personally, I am very curious about the distribution observed for the 7-digit PINs. One user told me he just padded a 4-digit PIN; I have yet to ask the other participants whether they can remember theirs, and how they constructed their 7-digit PINs. Tomorrow morning, Friday, I'll ask people if they can remember their selected PINs, and I will update this blog post then. Source data may also be made available, but I will also try to repeat this exercise with other audiences, perhaps also expand it to include 5, 9 and 10-digit PINs.</div>
<div>
<br /></div>
<div>
Psychology is fun.</div>
<div>
<br /></div>
<div>
--</div>
<div>
A big thank you to Andrey Bogdanov, Sondre Rønjom, Joseph Bonneau (and colleagues at Cambridge), Kirsi Helkala, Jan Fredrik Leversund, Datagenetics, Daniel Amitay, Matt Weir, Jeremi Gosney, Tom Tørrissen and probably others I can't remember right now for inspiration, tools, help & visualizations. </div>
<div>
<br /></div>
<div>
I would really love to expand this simple experiment into something bigger and more scientifically rigorous.</div>
<div>
<br /></div>
securitynirvana http://www.blogger.com/profile/11264687350187854173 noreply@blogger.com 0