Blog
CSN Follow-Up: Another CAPTCHA Problem Hidden In Plain Sight
This is a follow-up to the previous post Brute-Forcing Borrowers' PINs at the Swedish Board of Student Finance (CSN), where I describe some vulnerabilities discovered in August 2020 and the response from CSN. It seems I missed another problem with the CAPTCHA, though. And it was right in front of my eyes…
Brute-Forcing Borrowers' PINs at the Swedish Board of Student Finance (CSN)
The Swedish Board of Student Finance CSN is the government agency that manages Swedish student finance, i.e. grants and loans for studies. They also manage driving licence loans and home equipment loans. (Source)
This is the story of how I found two security vulnerabilities in their login functionality and reported them to CSN.
PKI Is Hard - How Yubico Trusted OpenSSL And Got It Wrong
This is the story of how I discovered that Yubico used an invalid certificate chain in their Personal Identity Verification (PIV) attestation feature on the YubiKey 4.3 and YubiKey NEO, which could only be fixed by a new hardware release. The impact for users and organizations is that the certificate chain will be deemed invalid by tools that verify the chain properly, such as OpenSSL version 1.1.0 and later. Yubico has published a custom Python script that can be used to verify their attestation certificate chains.
Many Common Mobile Authenticator Apps Accept QR Codes for Modes They Don't Support
You probably use an "authenticator app" such as Google Authenticator to enable two-step verification (sometimes called two-factor authentication, 2FA, or multi-factor authentication, MFA) for an online account. The method is called the Time-Based One-Time Password Algorithm (TOTP) and is standardized in RFC 6238. In October 2017, when I evaluated HashiCorp Vault for generating and storing TOTP secrets for a system at work, I realized that the Android and iOS versions of Google Authenticator differed a lot in which modes they support.
Solution to 35C3 Junior CTF Challenge "Entrance"
TL;DR: This post has a lot of details. Skip to the Summary if you know the challenge and are here just for the solution.
Between Christmas and New Year's I attended the 35th Chaos Communication Congress (CCC), 35C3, in Leipzig, Germany, together with the Malmö-based Xil hackerspace. It was my third congress (in a row).
Since 2012 there has been a Capture The Flag (CTF) competition at congress.
New Static Blog Using Hugo
Inspired by Hackeriet's blog, where Alexander Kjäll used to post CTF write-ups, I've decided to create a personal one for myself. The focus will be on IT security.
Hackeriet’s blog is powered by Jekyll which is a static site generator written in Ruby. See their post Creating a fast blog for how they set up their blog.
I have decided to try another static site generator called Hugo, which is written in Go.