Thursday, June 27, 2013

Our Official Channels

This text was first published as an op-ed at Computerworld Norge on 26.06.2013.


When Evernote, with its 50+ million users, was hacked in March this year, they used an external partner to notify their users by e-mail. Within a few hours Evernote was flooded with messages from users in various channels, reporting a possible large-scale phishing attack. The reason? They had received mail that could not be traced back to Evernote as the sender; everything came from an unknown third party. There was no information online at Evernote stating that they used this external provider.

Monday, June 17, 2013

We are here.

Dear anyone who operates websites & services online and uses various channels to keep in touch with your customers: PLEASE give me easy options for verifying that you are actually... you. If you don't, it is very easy for paranoid people like me to disregard almost anything appearing as "you" as phishing or malware attempts.

Thursday, June 13, 2013

New video: Configuring strong & memorable PIN codes on your iPhone


Ok, so I've reached the point where I had to make this video. There are just way too many people out there who believe a 4-digit PIN is the only "passcode" option available on their iPhone, iPod & iPad. It's not.

Using a password on a (small) mobile device can be a pain in the ass, but you can still use a "password" to unlock your device. Watch this video to see how I create and use a longer PIN code, while making it very simple to remember.

- Stronger PIN code
- Easy to enter
- Easy to remember

What else do you want? :-)

Sunday, June 09, 2013

Secure political e-mail

The election campaign is under way, no doubt about that. The parties, and not least the party leaders, are well into their speeches, wishes, criticism of their opponents and, not least, many promises with reservations.

Now a "surveillance scandal" has struck in the USA, already thoroughly covered by the media and commented on here at home as well.

Here is a small tip for the parties writing their platforms, one that is neither populist, politically coloured nor controversial: give us more secure communication when e-mail is used in public administration. It is among the very simple measures to implement, it requires no gigantic IT projects, and there are no alternatives to consider beyond Yes/No.

Thursday, May 23, 2013

Passwords^13

YES, IT'S HAPPENING!

Las Vegas. July 30-31. Same time as Blackhat, overlapping slightly with BsidesLV and a few days before Defcon, where our friends at Korelogic will be running the annual CrackMeIfYouCan competition once again.
But please, do visit passwordscon.org to learn more. Call for presentations, venue, registration, SPONSORING.... My friend & password cracking partner Jeremi Gosney of Stricture Consulting Group runs the page, and does a fantastic job of "local" organization in the US / Las Vegas.

I hope to see you there! :-)

Password Crackers Hierarchy of Needs


Why SMS 2FA Twitter, WHY?

Dear Twitter,

Congratulations on adding 2-factor authentication, or "login verification" as you have named the baby. It's way overdue imho. With me being 1) one of those criticizing you for being slow with introducing 2FA, and 2) one of those who can't get it quite yet (as Norway and all telcos here don't exist in your settings universe quite yet), I do have some questions for you.

Friday, April 26, 2013

Cryptonerds PINs


I'm at Finse1222, attending the annual FRISC Winter School 2013. I did an evening talk (PDF) on Tuesday, the first part about legal issues with Bring Your Own Device & Mobile Device Management, the second part about some random thoughts on passwords & PIN codes. Primarily to catch some interest from the audience of PhD students and professors, most of them within infosec/crypto at academic institutions from around the world.

Based on questions and some extra interest from Andrey Bogdanov and Sondre Rønjom, the three of us decided to do a little experiment. Here are the results. :-)

Saturday, April 06, 2013

Will 2F weaken 1F?

"Well, Per isn't exactly a rocket scientist, and I have to help him with anything from shoelaces to toilet visits, but he is a KEEN debater in Internet forums..."
Ok, so this is one of those blog posts where I have spent a long time thinking about the topic, but I haven't spent much time preparing and writing it. After my tweet here on a slow Saturday afternoon, @marshray and @adamcaudill responded, and suddenly it was time to do this blog post, asking: would the introduction of 2-factor authentication in an organization weaken the "something you know" part at some point?

Wednesday, March 06, 2013

HOWTOFAIL: ENTERCARD

[This is bad, and this is just the beginning of this blog post...]

Update March 29, 2013: SSL config is now at grade A! Congratulations!

Remembercard (brand name) is issued by Entercard, a joint venture between Swedish Swedbank and Barclays Bank Plc. The irony of a credit card company not having a PCI-DSS compliant website is amazing. The lack of knowledge concerning users' selection of PIN codes is obvious, and the lack of proper security for e-mail based marketing is shocking.

I hope this blog post will be read, understood and acted upon properly ASAP by those in charge.