Sunday, May 05, 2013

FYI: Google Ads

FYI:
I'm on my own now, starting my own company, at the moment only with 1 employee: ME. :-)
I have decided to enable Google Ads to be displayed on my blog. I try to write good posts and contribute to the community, but I also have bills to pay. Thank you for understanding.

Friday, April 26, 2013

Cryptonerds PINs

I'm at Finse1222, attending the annual FRISC Winter School 2013. I did an evening talk (PDF) on Tuesday, the first part about legal issues with Bring Your Own Device & Mobile Device Management, the second part about some random thoughts on passwords & PIN codes. Primarily to catch some interest from the audience of PhD students and professors, most of them within infosec/crypto at academic institutions from around the world.

Based on questions and some extra interest from Andrey Bogdanov and Sondre Rønjom, the three of us decided to do a little experiment. Here are the results. :-)

Saturday, April 06, 2013

Will 2F weaken 1F?

"Well, Per isn't exactly a rocket scientist, and I have to help him with anything from shoelaces to toilet visits, but he is a KEEN debater in Internet forums..."
Ok, so this is one of those blog posts where I have spent a long time thinking about the topic, but I haven't spent much time preparing and writing it. After my tweet here on a slow Saturday afternoon, @marshray and @adamcaudill responded, and suddenly it was time to do this blog post, asking: would the introduction of 2-factor authentication in an organization weaken the "something you know" part at some point?

Wednesday, March 06, 2013

HOWTOFAIL: ENTERCARD

[This is bad, and this is just the beginning of this blog post...]

Update March 29, 2013: SSL config is now at grade A! Congratulations!

Remembercard (brand name) is issued by Entercard, a joint venture between Swedish Swedbank and Barclays Bank Plc. The irony of a credit card company not having a PCI-DSS compliant website is amazing. The lack of knowledge concerning users' selection of PIN codes is obvious, and the lack of proper security for e-mail based marketing is shocking.

I hope this blog post will be read, understood and acted upon properly ASAP by those in charge.

Tuesday, February 19, 2013

Step 1: Securing My E-mail

The hacking of Mat Honan scared me. A lot. While there was no "advanced hacking" involved, the attackers found data across multiple services, which when combined enabled them to gain access to one service after another through password resets.

It really made me think about my own mail accounts (I've got quite a few of them), and how they are secured. I didn't really know, so I thought I should have a look. This is part 1, with more to come; here is my summary so far. Make a guess which one I prefer:

Wednesday, February 13, 2013

Dear Dataforeningen

Dear Dataforeningen.

Today I was going to become a member of Dataforeningen: www.dataforeningen.no, and the "Bli medlem" ("Become a member") link.

First observation: the link goes to an HTTP page. By typing https into the address I arrive at the same page, but this time the way it should be, over HTTPS.

Unfortunately it doesn't stop there, and what I see is poor practice. Bordering on pure sloppiness, or a web service that has been neglected on the operations side for many years, is my claim.

Thursday, January 31, 2013

Dear BankID

We are probably not the best of friends, I am painfully aware of that. The use of Java, centrally stored PKI that conflicts with established principles, BankID on mobile that only works with some operators & models, plus various other problems... to name a few.

Still, I am cheeky enough to come with a very simple change proposal that could make the user experience *slightly* better when logging into online banking from a PC.

Thursday, January 24, 2013

Praise for blogg.no

[Logo elegantly copied straight from blogg.no...]
Updated post - English summary at the bottom.

"I am strict, but fair."

Those words still stick, more than 20 years after basic training. A fantastic platoon commander, and I try to live up to those words. Now I am going to do something I have never done before: I am going to praise a "pink blog", namely blogg.no. To be completely correct: I am going to praise the company Bootstrap AS that is behind the service.

In a very short time they have fixed what I considered to be very serious security weaknesses, after I sent them an e-mail about it. Here is the story:

Friday, January 18, 2013

Tees. With comments.

It's Friday, and I'm kind of lazy today, so I thought I would put up pictures of the T-shirts I made for myself for Passwords^12, and a short explanation for each of them. (Media archives right here, videos also available on YouTube).

Monday, January 07, 2013

Security issues with MSXML

This is a quick & dirty blog post, partially to help a friend reach out to the world, and partially because I'm affected as well. Correction: was affected. Now removed & patched at the same time.

At my previous job one of my tasks was to manage & improve the security patch management process across all platforms, from operating systems and databases to browsers & plugins. Sometimes even down to firmware & driver updates, because of bugs and vulnerabilities. My primary focus was - no surprise - Windows installations and pretty much everything that can be installed on Windows. I did that for more than 5 years. 10-15K servers, 100-150K clients. I did well. Very well in fact, and I'm still proud of it.

Many surprises have appeared along the way, the most recent of which has to do with MSXML, which comes to light in this blog post.