Podcasts about Per Thorsheim

  • 13 podcasts
  • 16 episodes
  • 34 min average duration
  • Infrequent episodes
  • Latest episode: Oct 18, 2022


Latest podcast episodes about Per Thorsheim

The Imposter Syndrome Network Podcast
Per Thorsheim

Oct 18, 2022 (31:51, transcription available)


Hello and welcome to the Imposter Syndrome Network Podcast, where everyone belongs, especially if you think you don't. Today's guest is Per Thorsheim, founder of PasswordCon and CISO at BankID BankAxept AS. Today, we'll discover what a CISO does, and learn about Per's journey, beginning with his first employment as a service hacker and the critical lesson he learned on his first day at work. He explains to us why he feels so passionate about passwords and why we'll never see them go away. We talk about what to do when hacking into a Fortune 500 company, the importance of being wrong, and the best way to tell your parents that you tore their computer apart.

"Please disagree with me because I like to disagree with other people as well. And I don't disagree with people because they're wrong, but because I want to understand if you just came up with your answer or if you have actually thought it through. I just want to learn what's your reasoning behind the statement."

If you want to keep the talk going, join our LinkedIn group. Send us a message, we would love to hear from you. Chris Grundemann, Zoe Rose.

Links:
  • LinkedIn
  • Twitter
  • https://passwordscon.org/
  • https://starttls.info/
  • https://www.rfc-editor.org/rfc/rfc3207

Thanks for being an imposter - a part of the Imposter Syndrome Network (ISN)! We'd love it if you connected with us at the links below:
  • The ISN LinkedIn group (community): https://www.linkedin.com/groups/14098596/
  • The ISN on Twitter: https://twitter.com/ImposterNetwork
  • Zoë on Twitter: https://twitter.com/RoseSecOps
  • Chris on Twitter: https://twitter.com/ChrisGrundemann

Make it a great day.

Nasjonal sikkerhetsmyndighet (NSM)
NSM Podcast 152 - Are we heading towards a passwordless future?

May 12, 2022 (22:20)


A podcast from Nasjonal sikkerhetsmyndighet (the Norwegian National Security Authority). On World Password Day recently came the news that Apple, Google and Microsoft are joining forces to make everyday life password-free! What does this mean? To find out more, Roar Thon has invited someone whose interest in passwords is well above average: Per Thorsheim. Unfortunately, Roar has had some problems with his microphone, so his audio track is not perfect. We nevertheless hope it is possible to listen to this week's episode. In the studio: Roar Thon, Per Thorsheim.

We Talk Cyber
Digital Identities - You Are Leaving Footprints Everywhere

Oct 13, 2020 (39:29)


We have talked in the previous episodes about how 100% security doesn't exist. But what about traceability? How do you know what digital footprint you have out there? Can you manage, protect and "truly" delete all or even a part of it? Once you are online, your existence and your data are out there. You are a target, even when you don't believe so, and your data is valuable, even when you don't care about it. In this episode, Per Thorsheim and I talk about the myths around digital identities and footprints, what challenges we face, and how we can manage, protect and take care of our digital identities better, amidst a chaos and huge web of footprints that we don't even know exist.

Teknologi. Av og for mennesker
#58 BankID, trust and fraud

Sep 1, 2020 (54:34)


Secure digital ID is absolutely essential for developing good digital services. BankID is the most widespread solution, and one most of us have a relationship with. Over 4 million Norwegians use BankID across public and private services. As we move more and more online, the temptations for criminals grow as well. In this episode we talk about trust, criminal activity and politics. How can we secure trust in digital IDs? This week's guests are Per Thorsheim, CSO of Nordic Choice Hotels, and Tom Staavi, director of communications at Finans Norge. The host is Christian Brosstad, Atea Norge.

Waterhouse
#8 A chat with Per Thorsheim about the security of using SMS in services such as contact tracing

Jun 12, 2020 (40:22)


SMS is probably the only messaging service we can be sure everyone has, and which does not require the user to let an app send notifications. That is partly because in practice it is as old as the way we use mobile phones today, and it is included in every mobile subscription. That is also why SMS is often both recommended and used, but is SMS always a good fit, beyond the fact that it makes people easy to reach? I had a chat with Per Thorsheim about the security of using SMS in services such as contact tracing. In addition to the work he has done on security in SMS, among other things, he is an internationally recognised password expert.

ScaleUp
Ep. #05 - Per Thorsheim on IT security

Mar 23, 2020 (37:16)


We have invited Per Thorsheim to get answers to these questions: Is security deprioritised in Bergen? How is security taken care of when innovative solutions are developed in larger companies? How can smaller startups make sure they take care of the security of their digital solutions when it is expensive to hire their own people in this area? Per Thorsheim is head of IT security at Choice Hotels in the Nordics, and has 22 years of experience in the security field, including at PwC, TietoEVRY and his own consulting companies. Produced by Mainstream for Guilty.

Säkerhetspodcasten
Säkerhetspodcasten #148 - Per Thorsheim

Apr 8, 2019 (14:24)


Today's episode is an interview with Per Thorsheim, recorded by Robin von Post on the fourteenth of March 2019.

E24-podden
One click is enough: Why IT security is so difficult

Mar 27, 2019 (30:49)


Hydro is the latest in a series of large companies hit by major cyber attacks, but many attacks we never hear about. Can large and small companies actually avoid such attacks, or do they simply have to prepare for what to do the day it happens? This week's guests are Per Thorsheim, security director at Nordic Choice, and Leif Sundsbø, head of Cyber Security at Cisco Norge. The producer is Magne Antonsen and the host is Marius Lorentzen.

MediaPuls - Din puls på digitale og sosiale medier.
Episode 272 - Summer special: Security tips from security expert Per Thorsheim

Jul 18, 2018 (28:27)


Per Thorsheim is a security expert, password expert, course instructor and speaker, and founder of the world's largest password conference, PasswordCon. He has a background from EVRY, has worked in recent years in his own company, God Praksis.no, and is now in place at Petter Stordalen's hotel chain, Nordic Choice Hotels. When new cyber threats appear, the media often turn to Per Thorsheim, and not only the Norwegian media. A few years ago Per discovered that LinkedIn had been hacked, and Thorsheim was then a sought-after interviewee for a number of international media outlets. Per is particularly concerned with passwords, and among other things argues that IT managers should stop nagging their employees to change their passwords all the time. Hans-Petter and Per talk about everything from backup and passwords to trust and paranoia. You will get an answer to what ransomware is, and why Bitcoin is a popular currency among cybercriminals. In addition, you get some useful tips on how to set up a password strategy you can live with.

MediaPuls - Din puls på digitale og sosiale medier.
Episode 173 - Summer chat with security expert Per Thorsheim

Jul 30, 2017 (29:07)


Marius and Hans-Petter are on summer holiday, but MediaPuls does not take a summer break for that reason. Every week through the summer we have a new guest visiting, and this time it is IT security expert Per Thorsheim who visits our internet studio. Per Thorsheim is a security expert, password expert, course instructor and speaker, and founder of the world's largest password conference, PasswordCon. He has a background from EVRY, has worked in recent years in his own company, God Praksis.no, and is now in place at Petter Stordalen's hotel chain, Nordic Choice Hotels. When new cyber threats appear, the media often turn to Per Thorsheim, and not only the Norwegian media. A few years ago Per discovered that LinkedIn had been hacked, and Thorsheim was then a sought-after interviewee for a number of international media outlets. Per is particularly concerned with passwords, and among other things argues that IT managers should stop nagging their employees to change their passwords all the time. Hans-Petter and Per talk about everything from backup and passwords to trust and paranoia. You will get an answer to what ransomware is, and why Bitcoin is a popular currency among cybercriminals. In addition, you get some useful tips on how to set up a password strategy you can live with.

Thanks for listening to MediaPuls! If you have suggestions for topics and stories we should cover in MediaPuls, you can submit them via our open show outline at http://bit.ly/MediaInnspill. Alternatively, send us an email to either hpnhansen (a) gmail dott com, or marius (a) heltdigital dott no. You will find Hans-Petter and Marius at http://HansPetter.info and http://Helt.Digital. We would greatly appreciate it if you would subscribe to and rate us on iTunes. All episodes are published as they come out, with links to everything we have talked about, at http://Mediapuls.no.

Inside Out Security
Password Expert Per Thorsheim on Biometrics and Keystroke Dynamics

Dec 12, 2016 (21:43)


Based in Norway, Per Thorsheim is an independent security adviser for governments as well as organizations worldwide. He is also the founder of PasswordsCon.org, an annual conference that's all about passwords, PIN codes, and authentication. Launched in 2010, the conference invites security professionals & academic researchers to better understand and improve security. In part one of our discussion with Per, we examined two well-known forms of authentication – passwords and hardware. In this segment, he talks about a lesser known form: biometrics and the use of keystroke dynamics to identify individuals.

Per explains, "Keystroke dynamics, researchers have been looking at this for many, many years. It's still an evolving piece of science. But it's being used in real life scenarios with banks. I know at least there's one online training company in the US that's already using keystroke dynamics to verify if the correct person is doing the online exam. What they do is measure how you type on a keyboard. And they measure the time between every single keystroke, when you are writing in a password or a given sentence. And they also look for how long you keep a button pressed and a few other parameters."

What's even more surprising is that it is possible to identify one's gender using keystroke dynamics. Per says, "With 7, 8, 9 keystrokes, they would have a certainty in the area of 70% or more…and the more you type, if you go up to 10, 11, 12, 15 characters, they would have even more data to figure out if you were male or female."

Those who don't want to be profiled by their typing gait can try Per Thorsheim's and another infosec expert Paul Moore's Keyboard Privacy extension.

Transcript

Cindy Ng: Let's talk a bit about biometrics because that's really interesting. Keystroke dynamics and it refers to your typing gait: how often you pause, how fast you type. With just a few characters, if you type seven to nine characters, you can build a profile of a person. I'm wondering if you can talk a little bit about if you're able to tell someone's gender, are you also taking into account their location? How can you tell whether or not they're typing with one or two hands, their gender, their age? These are soft metrics, but really important and...

Per Thorsheim: Keystroke dynamics... There have been researchers looking into this for many, many years already. But still, it's really a modeling piece of science. But it is also being used today in real-life scenarios with banks. I know that there is at least one online training company in the U.S. who is already using keystroke dynamics, to verify if the correct person is actually doing the online exam as an example. What they do is they measure how you type on your keyboard and they measure the time between every single keystroke when you're writing in a password or a given sentence. They also look out for how long you keep each button depressed and a few other parameters. Now, this sounds weird, I know. But I learned from researchers in France, they have been collecting this kind of data from a lot of men and women, and talk about men and women being different in many different areas. But I had never guessed. I would have never believed until they told me that men and women in general type differently on a keyboard, using normal standard 10 finger touch type on a keyboard. They said that as soon as you have entered seven, eight, nine characters onto a keyboard, we can with a pretty good probability tell you if it is a man or a woman typing on the keyboard. That is again assuming typing normally with 10 fingers touch type on a keyboard.

Cindy Ng: What is the accuracy rate of the gender identification?

Per Thorsheim: The accuracy that they talked about is they would say that with seven, eight, nine keystrokes, they would have a certainty on this in the area of 70% or more. So, of course, it's not that good, but it's improving. And the more you type, if you go up to 10, 12, 15 characters, they would have even more data to figure out whether you're a male or female. But that's just figuring out male or female. It doesn't identify you as a unique human being on planet earth. Because in that setting, this technology is nowhere near good enough. There are lots of people that would actually type just like you on a keyboard, in the world.

Cindy Ng: What's the probability of you typing in the same way as other people in our population?

Per Thorsheim: If you have an iPhone and you're using Touch ID with your iPhone or maybe an iPad today, the fingerprint reader that is being used by Apple today, they usually say that those devices have what we call a false acceptance rate or false rejection rate of 1 in 50,000. Meaning that 1 in 50,000 attempts, where you try to identify to your own phone will fail even if you're using the correct finger. The other way around, 1 in 50,000 people, it means that one person among 50,001 will have a fingerprint that will be accepted as you. But it's not you getting in. So false acceptance rate, 1 to 50,000. With the keystroke dynamics, the last time I heard was 1 in 100. So they're saying that if you're in a room with 200 people, there will be 1, maybe even 2 people in there that would be able to type on the keyboard almost the same way as you do. Then they would be able to be identified as being Cindy, but it's not. It's them typing on a keyboard.

Cindy Ng: What's the potential abuse when we're using keystroke dynamics?

Per Thorsheim: The frustration is from the privacy perspective of this. A very simple example that I have been using, which is maybe chauvinistic as well as being male is, say that you go to an online store and you want to purchase a vacuum cleaner and you have never been there before. You don't have an account, nothing. In the search field, you type in vacuum cleaner. Based on that and nothing else, you have already given them so many keystrokes that they can identify whether you are male or female. So if you are male, or when they assume you are male based on how you type, they will give you the 3000 watts, black, shiny, Porsche model vacuum cleaner which is big and makes a lot of noise and it can run by itself. If they identify you as being female, maybe they think that you prefer the low noise, nice colored, red colored vacuum cleaner that doesn't take up a lot of space when it's not being used. That's a very simple example. But from a privacy perspective, this can be used for tracking you across multiple route source. They can identify you as a returning customer. They can also use it to check if you are, say, allowing your kids or your husband or your girlfriend to log in to your accounts. They can be able to use that for fraud detection to say that this is the wrong person logging in. That can be a good feature to have. It can also be abused in ways that will affect your privacy or your right to privacy.

Cindy Ng: All the different types of authentication: passwords, hardware, biometrics. It all culminates in behavioral profiling, which is a hallmark worry for many. You and another security expert, Paul Moore, created Keyboard Privacy. It's supposed to disrupt your keystroke tracking gait from 82% to 3%. I read this in an article. Can you tell us a little bit more about Keyboard Privacy?

Per Thorsheim: We learned about this keystroke dynamics being used with several banks here in Norway, where I live. We learned about this because we received information from people who told us that, "Did you actually know the banks are using keystroke dynamics?" We said, "No." We didn't know that. But we figured out that it is being used. We looked at the source code of web pages where we log in and we saw that they're actually using keystroke dynamics. They are using keystroke dynamics as a sort of fraud prevention. They want to make sure that the correct person is logging into their own account and not somebody else. That's a good purpose. What we reacted to was the fact that they didn't tell us, that they had suddenly started to build these biometric profiles, the keystroke dynamics profile of every single user that is using online banking here in Norway. Also, a couple of banks in the UK as well are doing this. So we had an evening, me and Paul, and we were talking to each other and like privacy counsels, blah blah blah, security usability, blah blah blah. But they just wanna say, just for the fun of it. How can we break this? How can we prevent them from being able to recognize if it is me or Paul or anybody else logging into my accounts? Say, we would like to do that, prevent app tracking to be able to identify us as being male or female. So we looked at the code and we realized, well, they are looking at a very low number of parameters, two, three, four, different parameters. One of them being the amount of time between each key press and another parameter being, how long will you keep each key depressed on your keyboard? The plug-in that Paul created based on my idea was that the plug-in for Google Chrome will take all your keystrokes from your keyboard. And before they enter any form on that page you're visiting, we will put in a random time delay between each keystroke, and that random time delay will be anything from zero milliseconds to 50 milliseconds. To the human eye, even if you type really fast, that delay is so small that you won't be able to notice on screen. But for anyone using keystroke dynamics, this will completely destroy their capability of building a profile on how you type, and it will also destroy their ability to detect whether it is you or anyone else logging into a specific account.

Cindy Ng: There is a warning before you install it. It says it can read and change all your data on websites you visit. I was wondering if you can expand on that warning. Do you store the data that you're changing?

Per Thorsheim: For those who are interested in programming and can read code, you can read the code for this plug-in and it's pretty simple and short code. The only thing we do is to insert this random time delay between different websites. We also have an option to turn it off for specific websites. If you use that option, of course, that information will be stored locally on your computer. Say that for bank X or website Y, we have stored information on your computer saying that the plug-in shouldn't be used for this website. You want to be yourself, so to speak. The thing is that with these plug-ins is that since the plug-in is receiving whatever you type on your keyboard and does something to that data before putting it into a website, it wouldn't be fully possible for us, just like anybody else developing plug-ins, to record everything you type on your keyboard, and as an example, send it off to us or to your favorite three-letter agency country in the world.

Cindy Ng: With your password conference, that's really interesting. It's the one and only conference on passwords. Tell us a little bit more about that.

Per Thorsheim: I'm the founder of and running PasswordsCon, which is the world's first and as far as I know only conference in the world which is only about passwords and digital authentication. It's a conference that I started in 2010, with support from the University of Bergen in Norway where I live. So it's two and a half days with geeky people from all over the world, academics and security professionals and password hackers if you like, that are discussing how to break passwords, how to secure them, how to transmit them, how to store them, how not to store them of course, all kinds of science and real world experience into handling passwords from every imaginable perspective. I can tell you this, I know. You don't have to say this. I know that it sounds very nerdy and a lot of people do ask me like, why this insane interest in passwords. But I can also tell you that I think that almost everyone that has ever participated for the first time at this conference, when I ask them afterward the obvious question, "What did you think of the conference?" I think that almost everyone has responded by saying that, "Wow! I had never thought that such a topic like passwords, which I consider to be such an insignificant and very small part of my everyday life and security, can actually be expounded into so many topics like statistics, cryptography, linguistics, math, psychology, colors, adherence, sounds, and everything." So people have been really, really fascinated when they have participated in this conference. Also, lots of people have gained new ideas from research and also for taking back to their own organizations to implement.

Cindy Ng: I think what people are saying now is that security and technology, it's becoming so seamless. That it's kind of almost like a utility, where you just plug and play, which has its own problems with the Mirai botnet attack.

Per Thorsheim: Yeah.

Cindy Ng: With the default password problems. So I would equate passwords with electricity and as a huge important utility for people to understand, to synthesize, to work together, to figure it out. We often tend to innovate and create as fast as possible without security and privacy from the start. So it's a great thing for everyone. So I applaud you for doing that.

Per Thorsheim: Yeah. Thank you. I am concerned about the internet of things as we say and the Mirai botnet really showed us. It really gave us not one, several lessons on security or insecurity of internet of things and all kinds of connected devices. It's interesting to see that the major attack vector who was that there were security cameras, DVRs, all kinds of equipment that was collected to the internet and they were running with default usernames and passwords and they were available online. So just by doing an internet-wide scan, you will find hundreds of thousands of such devices are collected and you can easily break into and use them for illegal purposes. Which we saw with the Mirai botnet.

Cindy Ng: Often times people set the password as default, thinking that the user will go back and change it. But that's not the case. It's also a good segue to hear from a password expert, a security adviser. What are your password secrets, that you can...?

Per Thorsheim: I will draw a line between whether you are tech savvy and using computers. Or if you're like my own mother, who doesn't take an interest at all. I have to draw a line there. First of all, if you're like my own mother and you're not really interested in learning how to use computers and most technology, you're just one of those that you just want it to work. The best advice I can give you is to write down your passwords on a piece of paper or in a small notebook and keep it in your kitchen drawer or somewhere at home, where it is reasonably safe. In that, you will put down the passwords or the pass phrases that you use for different sites and services on the internet. Most of those passwords, you don't have to remember them. You don't need to use them every day. An important part is that... And I'm sorry to say this. But you have to try to use unique passwords for different services that you're using online. Because we know that bad guys, as soon as they're able to get access to your password and you're using them from one site to one service, they will try very quickly to use the same username and password across other services to gain access to more accounts, more money, more information, more data that they can use and abuse about you, sell to spammers and the like online. So write down and use unique passwords. That's advice for my mother. If you're tech savvy, if you have used and are using computers, I highly recommend using a piece of software called a Password Manager. There are many out there, some of them are not as good either from security or usability perspectives. But there are some that are really good for both. Some of them are even free and I highly recommend using them. They will generate passwords for you. They will remember them for you. They will automatically input them into the username and password fields and help you log in. And the only password you really have to remember is the master password for your password manager. That's the one password you can never forget.

Cindy Ng: What if your password manager has a breach? Do you have another layer of security just in case that happens?

Per Thorsheim: There are different password managers for that. Some of them will store your data in a cloud service like LastPass. While other password managers like 1Password will only store your data locally. So the only way it can be breached would be if somebody got access to your physical computer or phone. If that happens, you have a more serious problem than just a password manager and there could be accounts stored in there. The cloud services and the password managers that are used in cloud services, they are also encrypting all your data locally. Then the encrypted data are being transferred to the cloud service. So if the cloud service and the password manager service is being compromised, the attackers will only get access to encrypted data, and they don't have access to the keys stored on your computer or on your phone to be able to unlock those data. So those are actually very safe to use.

Cindy Ng: It sounds like the hidden message too is doing a risk analysis on yourself. Guide us…

Per Thorsheim: Yeah.

Cindy Ng: What are your recommendations for that?

Per Thorsheim: The risk analysis is from an incredibly simple perspective, I'm asking people to write down all this stuff. Who do you think your enemies are? And in most cases the national security agency of the U.S. or the FSB and D of Russia, they're not your enemies. They have no interest in your life or your data whatsoever. If you're just a normal citizen, just like most of us are. If you're a five-star general in the army, or if you're working in the intelligence service of some country asking something, then obviously other nation states have an interest in getting access to your data and whatever you do and find out, and then the risk perspective is very different. But in most cases, the biggest risk for you as a normal citizen in most countries will be yourself losing your passwords, or random computer viruses that are not targeted on you, will get access to your Facebook account or your bank account and steal your money. So the risk analysis is simple. Do the list of who are your enemies and also try to look at for each of these different enemies that you might have, what are the possibility of them actually being able to get access to your data, your usernames, and passwords? If you have them on paper at home, they would have to come to wherever you live and break into your house. The probability of that happening is close to none. Nobody would be interested in going to Norway and breaking into my apartment, as an example.

Cindy Ng: Who or what would be the enemy of an organization or business?

Per Thorsheim: First of all I would say competitors of course. Competitors could be interested in trying to gain access to sensitive information that you have about new and upcoming products being researched and developed currently in your company. You also have to think about the opportunistic hacker, that just wants to make money in some way or another. It could be by giving you a crypt log or a virus that will encrypt the data files that you have on your computer. They don't care about what kind of data gets encrypted and then the bad guys will say, "Hey. This is ransomware," as we call it. "So you have to pay us a certain amount of money for us to give you the password needed to be able to decrypt your files again." That's a very realistic threat to organizations and companies today, that you need to look into as well. So competitors and random bad guys, just trying to make some quick money. Those are I would say the most important threats to an organization today.

Cindy Ng: Thank you so much, Per.

Inside Out Security
Password expert Per Thorsheim On Life After Two Factor Authentication

Dec 2, 2016 (15:30)


Based in Norway, Per Thorsheim is an independent security adviser for organizations and government. He is also the founder of PasswordsCon.org, a conference that's all about passwords, PIN codes, and authentication. Launched in 2010, the conference is a gathering of security professionals and academic researchers from around the world who meet to better understand and improve security. In part one of our conversation, Per explains why, despite the risks, we continue to use passwords, the difference between two-factor authentication and two-step verification, and the pros and cons of using OAuth. Naturally the issue of privacy comes up when we discuss connected accounts with OAuth, so we also made time to cover Privacy by Design as well as the upcoming EU General Data Protection Regulation (GDPR).

Transcript

Cindy Ng: Recently, I had the pleasure to speak with an independent security advisor, Per Thorsheim, on all things passwords. Based in Norway, he is the founder of PasswordsCon, the world's first and only conference about passwords. It's a gathering of security professionals and academic researchers from all around the world where they discuss ways to improve security worldwide. Thank you, Per. Let's get started. So, a very important question: lots of security experts have warned us of the dangers of passwords, but why are we continuing to use them?

Per Thorsheim: Well, it's cheap to use from a business perspective. There are many cases where we don't have a business situation where, you know, there's no point in using anything else than passwords. They are available in every single system we use, and if you want something else, it's going to be more expensive. And who's going to pay for that?

Cindy Ng: A lot of people are using password managers to manage all our different accounts for all our different sites. And there's also two-factor authentication, which can be tiresome. You suggested that there's life after two-factor authentication. Can you tell us a little bit more about that?

Per Thorsheim: Yeah, you know, we have National Security Awareness Month here in Norway, just like in the US, in all of October. And a very important message that we have been bringing out in all possible channels over the past month is to use two-factor authentication. And basically what that is, is that in addition to having a username and password, you would have a code that you need to enter that you will get from a key, from a text message or something similar. Maybe you have a couple of codes written down on a piece of paper that you have to type in, in addition to your password. That's two-factor authentication. Now, what I mean about life after two-factor authentication is that every step that we add into the process of authenticating, you know, how to figure out that you are the correct person logging into our system, takes time. And by adding a second factor, it will take you, in most cases, a little bit extra time to be able to log in. For some people, that's okay. For some people, it's a disruption. It's annoying, and what I've been thinking about, you know, by saying, "life after two-factor authentication," is, "What happens today when, in my case, I have, like, 400 accounts on different services all over the internet and at home and at different, you know, banks and insurance companies and so on? What happens today that I'm actually using two-factor authentication with all of those accounts?" I'm just imagining to myself that that's going to be very annoying. It's going to take a lot of time. Every time I have to log in to any kind of service, I have to type in my username, I have to type in my password or passphrase, and then I also have to look at my phone to receive a text message or find, you know, that dumb piece of hardware dongle that I forgot at home, probably, and type in a code from that one as well.

So from a usability perspective, I'm a little bit concerned, maybe even a little worried about what the world is going to be in a couple of years when all the services that I'm using today are either offering or even requiring me to use two-factor authentication. Now, from a security perspective, adding this kind of two-factor authentication is a good thing. It increases security in such a way that in some cases, even if I told you my password for my Facebook account, as an example, well, I have two-factor authentication. You won't be able to log in, because as soon as you type in my username and password, I will be receiving a code via SMS from Facebook on my phone, which you don't have access to. Now, without that code, you will not be able to log in to my account. The security perspective of this is really good, which is why we recommend it. From the usability side, I'm a little bit concerned about the future.

Cindy Ng: What's the difference between two-factor authentication and two-step verification, in terms of increasing usability?

Per Thorsheim: The two-step verification process is what I consider to be a good trade-off between good security and good usability. With two-step verification, which is what Facebook and Twitter and Google do in most cases, you will do the initial setup process of your account and an initial setup of your two-factor authentication procedure, like, once, to log in, using the Facebook app on your phone, on your iPad. Maybe you're using the browser on your computer. And you do this authentication with username, password, and entering the additional code once per device or per app that you're using, or maybe for each and every single web browser on different computers that you may be using. And as soon as you've done that, Facebook will remember the different browsers and apps you have used, and then, you know, they are already pre-approved.

So then next time you log in, you only type in your username and password, which reduces complexity and time for you. But still they remember your browser, so they see that, "Oh, yep, that's Per logging in from a browser that he has already used before, so we know that this browser probably belongs to Per. And as long as the username and password are correct, he gets access to his Facebook account." With the two-factor authentication process, I would have to enter that additional code every single time I log on, and that's the difference between two-step verification and two-factor authentication.

Cindy Ng: What if I decide to delete my cookies?

Per Thorsheim: Well, then it's all gone. Then you have to do the setup process again, and this is applicable to when you're using your web browser. But if you are using the official Facebook app for iOS or for Android, as an example, these features are built into the application. In that setting, it's not just a standard cookie. There's a little bit different security built into the app. But, of course, you can do this on the app as well to basically delete your cookie.

Cindy Ng: You would essentially have to do a risk analysis on yourself to figure out what the trade-off is in that regard.

Per Thorsheim: Yeah, absolutely. You know, when I go traveling abroad, I go to many different countries, and some of them may be, well, should I say, a little less democratic and a little more hostile, perhaps, than others. So I do my personal risk analysis on wherever I go: do I need a strong PIN code? Do I need a strong password? Should I be using two-factor authentication? And this is a risk analysis, and it's also a trade-off for the usability. I'm just like, I guess, everybody. I want security to be good, but I'm not willing to sacrifice too much of the usability in order to keep up good security, because then I will probably stop using the service if I'm forced to be compliant with all kinds of security requirements all the time, when there's, you know, from my perspective, no point in doing so.

Cindy Ng: Let's also talk about other security options, such as OAuth. Tell us a little bit more about the pros and cons of using that as an option to log in.

Per Thorsheim: Well, it solves many problems, especially in terms of usability. I can go to an online store here in Norway, and I'll want to purchase myself a new computer, or maybe I would like to order tickets to the movie theater to go with somebody to watch a movie, as an example. And instead of having to sign up for an account, I can use what we call a social login, where they are using OAuth in the background, and you basically sign up using your Facebook account. Now, from a usability perspective, this is very easy to do. The privacy concern about this is the fact that Facebook will be getting access to information like you went to the movie theater, and they will maybe be able to find out which movie you actually went to see and how many tickets you've purchased. I don't know. Maybe they can. And the movie theater, they will also get information from Facebook about me, who I am, my age, my gender, maybe some other pieces of information as well. And in my opinion, the movie theater shouldn't be asking me, you know, who I am or anything. You know, I want to see a movie. I'm not going to make any trouble for them, and I'm going to pay for the tickets, and that's it. There are lots of privacy concerns about this, at least from my perspective. And I am a little bit concerned that most people, they don't really realize how much information they actually give away about themselves when they are using this kind of authentication to all kinds of services around.

Cindy Ng: You're really speaking to data minimization, which is part of the "Privacy by Design" guideposts, to collect what you really need, not collect every single thing. When you go see the movies, they don't need to know every single friend that you have on Facebook, for instance.

Per Thorsheim: Yeah, and, of course, from science modeling perspectives, I can see that they actually have an interest in knowing this about you. But, you know, the movie theater, they don't give me a discount when I provide lots of personal information about myself, compared to those who just purchase a ticket and pay in cash. And they remain completely anonymous, so to speak, for the movie theater, while I'm paying the same price, but at the same time I also give them information about my age, address and phone number, email address, gender, a lot of pieces of information as well. In one way, I would say that, well, if they would give me a discount, maybe I would be interested in giving away more personal information about myself. It's going to be interesting when the GDPR actually comes into law. I still do have my concerns about GDPR. I mean, it's an EU law, so that will be implemented in different countries in the EU and also in Norway. I mean, we are actually not a member of the European Union, but still the GDPR will be put into our laws and regulations as well. And the most important aspect of GDPR, in my opinion, is that if you are a service provider of any type, and you suffer a data breach of personally identifiable information about, you know, users, especially if that information is sensitive - that is, regarding sexuality, health, criminal records, political activity, religious activity, membership in worker unions, as an example - the GDPR says that the company or organization in question can get a fine of up to 4% of their total global yearly revenue.

And, you know, you look at the numbers of Apple and Microsoft and Google, of how much revenue they make in a full year, and then, you know, 4% of that amount is going to be the maximum fine for one single data breach. That's a lot of money. Today, data breach laws here in Norway, as an example, will give you a fine so small that anybody can pay it without any problems at all. So this is a game-changing regulation that is coming into law for the European Union. How it will be interpreted in courts, and how big those fines will actually be, that is going to be very interesting to see, starting somewhere in 2018.

Cindy Ng: Yeah, it'll be a challenge to see how they can enforce it when US companies do business in Norway or any of the EU countries.

Per Thorsheim: Well, absolutely. I mean, there have been attempts to set up agreements between the European Union and the US, as an example, for cloud services from Google, from Apple, from Microsoft and so on, that will regulate how US companies are to handle data about European citizens and also whether the US government can get access to that data or not. And these are, as far as I know, still ongoing discussions, of course, but there are also laws and regulations and agreements already in place on this. That applies, again, to how US companies are handling data about European citizens stored on computers in Europe.

Cindy Ng: Let's talk about hardware. What do you think about things like the YubiKey and the RSA tokens? How effective is having hardware in...

Per Thorsheim: Well, from the risk analysis perspective, it's a good thing. If I give you an app that you will use on your phone that will provide you with codes that you need to log in, somebody would either have to steal your phone. They could eventually trick you, talk you into giving them the code from your app by, you know, calling you and saying, "Hey, this is from Microsoft Support in India, and we are calling to make you aware that you have some problems with your account. We need to verify your account by having you read out the present token number that you have on your phone at the moment." But, in general, from a risk analysis perspective, having a hardware token is a good thing, security-wise. And it's much better than using just an app or receiving a text message by SMS, because an app is a piece of software that may have vulnerabilities, and SMS messages are also being sent, essentially, in the clear. And we know from assessing vulnerabilities in the worldwide user networks that they can be intercepted, and they can also be sent through hostile servers, where an adversary can read them in plain text and then get access to your account. If you have a handheld device, maybe with a, you know, small screen and doesn't have any connectivity at all, it just generates a new code every 30 seconds or 1 minute or 5 minutes, like RSA SecurID. It's much harder for an attacker to get access to those codes. They would either have to trick you, or they would have to steal comments in that physical token from you.

Cindy Ng: It's interesting how social engineering can happen with hardware that's supposed to protect us too.

NRKbeta
#14 Security in the media industry

NRKbeta

Play Episode Listen Later Mar 30, 2016 17:34


We talk with Per Thorsheim about security both in the media industry and in the public sector. How sure are you that you will remain anonymous if you tip off NRK, the EOS Committee or KRIPOS? Producer and host: Marius Arnesen

Salongen
30.09.2015 Salongen - Anja Skybakmoen

Salongen

Play Episode Listen Later Sep 30, 2015 66:02


Anja Skybakmoen watched Alle Elsker Mary every weekend for ten years. Provoked Per Sandberg so much that he walked out of a Dagbladet debate. Was pushed into the business by her rocker brother Jonas. Password expert Per Thorsheim drops by. Jørgen thinks about Per Olaf Lundteigen, who has been to Lesvos.

Säkerhetspodcasten
Interview episode #8 - Per Thorsheim

Säkerhetspodcasten

Play Episode Listen Later Feb 27, 2014 32:45


This is the eighth interview episode of Säkerhetspodcasten, in which Johan, Peter and Mattias interview Per Thorsheim, founder of Passwordscon.

DirekteTV
Dataprat #97

DirekteTV

Play Episode Listen Later Dec 3, 2012 62:30


Contents: 01:00 Launch of Spillbits.no, 10:41 Summary of Spillexpo 2012, 32:37 A bit about the Wii U and games, 39:15 The Passord12 conference, a chat with Per Thorsheim, 57:10 Petition for a free and open internet. Participants: Einar Holten and Jan Espen Pedersen. Guest: Per Thorsheim (@thorsheim), security adviser. Aired live: 3 December 2012, 21:30-22:30