Monday, July 04, 2011

Password security from MultiCase

but what about the security?
Multicase AS is a company that delivers a complete business system to a long list of companies in Norway. One of its many modules is an e-commerce solution. The company itself lists a number of reference customers on its website, including Bergans, FotoVideo and NetShop. Several more customers are easy to identify via Google. The security around storing and sending passwords in Multicase's solution is not in line with recommended good practice. In the worst case this could have serious consequences for the company itself, its customers, and the end users.

Friday, July 01, 2011

One Spam To Spam Them All!

This is a plain boring blog post. In fact, it's a blog post that in a perfect world would be completely unnecessary to write. In my world, this blog post is necessary in order to make Microsoft Exchange admins, as well as mail gateway/anti-spam operators and operations security people, aware of a very simple but highly important configuration issue in Microsoft Exchange.

Thursday, June 30, 2011

Passwords^11 - video archive

Finally, the video recordings in 720p HD MP4 format are now available for direct download through http/ftp at http://ftp.ii.uib.no/pub/passwords11/.

At http://ftp.ii.uib.no/pub/finse2011/ you will find some video recordings from the NISNET winter school at Finse (Norway). They are pretty long lectures (several hours), but still worth watching, depending on your interests of course. :-)

Monday, June 27, 2011

Shame on you, FotoVideo!

Walking into the FotoVideo store in Oslo was a dream. Professional people who really took the time to listen to my needs (however unrealistic they were), and who explained things big and small to me before I made my choices. A store that can truly be recommended! That is... until I discovered that IT security is not their trade at all. In fact, it's bad enough that I choose to point it out in a public blog post, in the belief that it will lead to faster changes than it otherwise would. Mean? Yes. Necessary? After having thought about it for a good while... YES.

Thursday, June 16, 2011

Passwords^11 - Thank you all!

Oh boy, that was a *lot* of fun! Yes, I know I probably wouldn't say anything else, since I was more or less the sole organizer of the conference, but I've received nothing but very positive feedback. Speakers and participants; all very positive and asking for another round. Here's my own summary of the conference, with some pictures, name dropping and loads of links you can click on. :-)

Wednesday, June 15, 2011

Padding_____Haystacks

@itinsecurity asked me for a blog post regarding Haystack, described as an interactive brute force search space calculator. Haystack comes from Gibson Research Corporation (@sggrc). I did retweet, asking @purehate_, @iagox86, @lakiw, @quelrods, @CrackMeIfYouCan and @d3ad0ne_ for their opinions as well. Since we're all more than averagely interested in passwords, why not see if we have any opinions in common? :-)

Friday, June 10, 2011

Password T-shirts

James Nobis (@quelrods) asked me about my password related t-shirts at Passwords^11, i.e. whether I had the designs available. Here are my own "designs" - it's just text - feel free to copy, print, use, sell as much as you like. :-) (Absolutely No Rights Reserved!)

Sunday, June 05, 2011

Passwords - 2 Examples for #DLD & a Warning

On 7-8 June I am organizing, for the second time, what I believe is the world's only conference dealing exclusively with passwords and PIN codes, called Passwords^11. This is done in cooperation with Professor Tor Helleseth at the Selmer Center, University of Bergen, and with financial support from NISNET (from the Research Council of Norway). Your first thought after those two sentences may be "is that even possible?". It is, and it is a security conference that is more relevant than ever to organize. Here you will get 2 concrete examples from my everyday life that hopefully make the conference relevant for you as well.

Monday, May 16, 2011

Sony #PSN Password Resets: Inconsistent & Inadequate?

Sony's Playstation Network (PSN), has been offline for a long time. You know the reason for that by now. Following @mikkohypponen and others on Twitter, I saw that #PSN would open up again, territory by territory. I downloaded and installed the mandatory v3.61 update, eagerly awaiting some serious pwning in MW2:Black Ops again. Just had to change my password first, according to tweets and Sony themselves in a blog post. You know; for my own security. Thanks to Sony for taking care of me!

Thursday, May 05, 2011

Passwords^11 - Program & abstracts are ready!

The program as well as abstracts for the academic talks at Passwords^11 are now available! I have added them to the registration blog post, or you can get them directly here: Program (pdf, 200kb), Abstracts (pdf, 172kb). I hope to see you at Passwords^11!