Profile

Per Thorsheim
714 followers | 1,172,496 views

Stream

Per Thorsheim

So my friend Asbjørn Reglund Thorsen finally posted his blog post about the Target="_blank" vulnerability. Others have written about it before, but Asbjørn also made a short video to better explain it visually. Very simply explained: a web link on any page that is set to open up in a new window (tab), and the new window has partial access to the window it was opened from. This has some very interesting and scary consequences, especially for phishing credentials, as is shown in this blog post.


https://www.reglund.com/target-_blank-write-up-with-demo/

This vulnerability has been blogged about by several other excellent bloggers, but I would like you to see how potential dangerous this vulnerability is with a demo video. A lot of pages has this problem and I guess this vulnerability...
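The post describes the opened tab's partial access to the window that opened it. The following Node.js script is an added example, not code from the post or from the linked write-up: it audits server-rendered HTML for `target="_blank"` anchors that lack `rel="noopener"` (or `rel="noreferrer"`, which implies it) and rewrites them, which is the fix browsers honour. The HTML sample is constructed here; the regular expressions assume plain anchor tags rather than arbitrary HTML.

```javascript
// Added example, not part of the original post or the linked write-up.
// A page opened via <a target="_blank"> receives a window.opener reference
// to the page that opened it; rel="noopener" (or rel="noreferrer", which
// implies it) makes the browser hand the new page a null opener instead.
// These helpers find unprotected links in server-rendered HTML and fix them.

// Regular-expression based: adequate for plain anchor tags, not a full
// HTML parser (attribute values containing '>' would need a real parser).
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const TARGET_BLANK_RE = /\btarget\s*=\s*["']?_blank["']?/i;
const REL_RE = /\brel\s*=\s*["']([^"']*)["']/i;
const HREF_RE = /\bhref\s*=\s*["']([^"']*)["']/i;

// Splits an anchor's rel attribute into lower-cased tokens ([] if absent).
function relTokens(attrs) {
  const m = attrs.match(REL_RE);
  return m ? m[1].toLowerCase().split(/\s+/).filter(Boolean) : [];
}

// Returns the hrefs of every target="_blank" anchor whose rel attribute
// contains neither "noopener" nor "noreferrer".
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = m[1];
    if (!TARGET_BLANK_RE.test(attrs)) continue;
    const rel = relTokens(attrs);
    if (rel.includes('noopener') || rel.includes('noreferrer')) continue;
    const href = attrs.match(HREF_RE);
    unsafe.push(href ? href[1] : '(no href)');
  }
  return unsafe;
}

// Rewrites each target="_blank" anchor so its rel attribute contains both
// noopener and noreferrer, keeping any rel tokens already present.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrs) => {
    if (!TARGET_BLANK_RE.test(attrs)) return tag;
    const tokens = relTokens(attrs);
    for (const t of ['noopener', 'noreferrer']) {
      if (!tokens.includes(t)) tokens.push(t);
    }
    const rel = `rel="${tokens.join(' ')}"`;
    const existing = attrs.match(REL_RE);
    const newAttrs = existing ? attrs.replace(existing[0], rel) : `${attrs} ${rel}`;
    return `<a${newAttrs}>`;
  });
}

// Constructed sample page: one unprotected link, one with an unrelated rel,
// one already protected, and one ordinary same-tab link.
const SAMPLE_HTML = [
  '<p>Read <a href="https://example.com/post" target="_blank">the write-up</a>,',
  'or <a href="https://example.org/" target="_blank" rel="nofollow">this one</a>,',
  'or <a href="https://example.net/" target="_blank" rel="noopener">a safe one</a>,',
  'or <a href="/local">stay here</a>.</p>',
].join('\n');

// Runs the audit, applies the fix, and re-audits the result.
function demo() {
  const before = findUnsafeBlankLinks(SAMPLE_HTML);
  const fixed = hardenBlankLinks(SAMPLE_HTML);
  const after = findUnsafeBlankLinks(fixed);
  console.log('unsafe before:', before);
  console.log('unsafe after :', after);
  console.log(fixed);
  return { before, fixed, after };
}

demo();
```

Running it lists the two unprotected hrefs first and an empty list after hardening; the rewrite is idempotent, so it can run on every render without duplicating rel tokens. Modern browsers also default to noopener for `target="_blank"`, but older ones and pages that must support them still need the explicit attribute.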

Per Thorsheim

I have posted links to all relevant media from our #passwords16 track at BSides Las Vegas to Peerlyst, as well as our official passwordscon.org website. Not complete quite yet and missing the individual video recordings, but they should be online within a week or so. Hopefully.

https://www.peerlyst.com/posts/media-archive-from-passwordscon-at-bsides-las-vegas-per-thorsheim-1
Our #passwords16 track was held at BSides Las Vegas, Tuscany Hotel & Casino, August 3-4, 2016. You can see our track schedule here. Media archives: Video recordings are in their final post-production stages before being uploaded to the offi

Per Thorsheim

I am very happy to announce that I will be speaking at the SANS European Security Awareness Summit to be held 11 November in London. #SecAwareSummit

Program and other details will be published on the link below, where you can also register for the event.

https://www.sans.org/event/euro-sec-awareness-summit-2016
Learn the skills needed to build a high-impact security awareness programme with a one day summit and MGT433, a two day SANS training course. Click for more

Per Thorsheim

I have provided some comments for this article, as well as some sound advice at the end.

http://www.csoonline.com/article/3101378/security/salted-hash-phishing-study-reveals-frightening-password-habits.html#tk.twt_cso
Passwords are a problem, and yet they're the primary means of authentication used when at work or at home. Recently, Salted Hash examined 126,357 passwords for accounts compromised during Phishing attacks in 2016. What we discovered was both sad and frustrating.

Per Thorsheim

Big thanks to Dagens Næringsliv, who check the background material for their stories and write a notch more than the NTB-style wire reports that flood the press from time to time.

http://www.dn.no/tekno/2016/07/28/1344/Itsikkerhet/fant-hull-i-betrodd-sikkerhetstjeneste
Business news. Norway's leading business news service.

Per Thorsheim

I am delighted to see that the story of NIST draft SP800-63B which deprecates SMS for two-factor authentication is now going viral.

I am even more happy to say that one of the authors will be presenting the draft at our #passwords16 track @ BSides Las Vegas next week.

Learn more about +Jim Fenton and schedule your attendance right now!

https://bsideslv2016.sched.org/event/7YO6/toward-better-password-requirements

Per Thorsheim

You thought those pictures on iCloud were deleted for good, huh? Not so I'm afraid. New post from me +Peerlyst:

https://www.peerlyst.com/posts/icloud-pictures-doesn-t-get-deleted-per-thorsheim-1

cc +Elcomsoft
(Disclosure: I've known Elcomsoft for years, had them as speakers at my conference https://passwordscon.org/, contributed ideas to their products and have licenses for their software. No paid work or other commercial arrangements.) Today Elcomsoft has

Per Thorsheim

I am very proud to have people from the following organisations as members of our Passwords 2016 academic program committee in December:

University of Cambridge, UK
Heriot-Watt University, Scotland
Ruhr-University Bochum, Germany
Bauhaus-University Weimar, Germany
ETH Zurich, Switzerland
University of Bergen, Norway
NIST, USA
United States Naval Academy, USA
University of Trento, Italy
Microsoft Research / IEEE, USA
Stanford University / EFF, USA
Florida Institute of Technology, USA
Carnegie Mellon University, USA
Carleton University, Canada
Berkeley, University of California, USA
University College London, UK

For more information, including our CFP, please visit https://passwords2016.rub.de/
The 11th International Conference on Passwords (PASSWORDS2016), 5 - 7 December 2016 in Bochum, Germany.

Per Thorsheim

I have given some comments to Dagens Næringsliv about this story, which could potentially affect a great many car owners here in Norway as well, myself included.

http://www.dn.no/tekno/2016/08/12/1748/Volkswagen/hevder-de-kan-pne-100-millioner-volkswagenbiler
Business news. Norway's leading business news service.
Jim Lian
Four different keys?!? Holy s*#t!

Per Thorsheim

LIVESTREAMS from almost all @BSidesLV tracks will be available at
https://youtube.com/c/bsideslvorg/

#passwords16 
Recordings of Security BSides Las Vegas sessions, selected sessions of sister conferences and other Information Security related educational materials.

Per Thorsheim

"Which one comes first, Password or OTP?"
Short security tip on Peerlyst from me ahead of #passwords16 +BSidesLV

https://www.peerlyst.com/posts/which-one-comes-first-password-or-otp-per-thorsheim-1

Per Thorsheim

I tweeted my goodbyes to LastPass today, after LastPass+LogMeIn+Citrix was announced. Here's a short post to explain my point of view.

https://godpraksis.no/2016/07/lastday-for-lastpass/
Let me explain that tweet. When LastPass merged with LogMeIn in October 2015, I said I would continue to use LastPass. While I never liked LogMeIn (or other similar “firewall friendly” services), I stayed with LastPass. Price didn't increase, product remained the same.
Work
Occupation
Security.
Skills
Passwords
Story
Tagline
Security Professional. Password Researcher.
Introduction
I live and work in Bergen, Norway. Occupation: Security.

I currently hold the CISA and CISM certifications from ISACA, and the CISSP-ISSAP certifications from ISC(2).

More details can be found on my Linkedin profile here: http://www.linkedin.com/in/thorsheim
Bragging rights
1 of 3 finalists for the annual Rosing IT security award in Norway, 2012. Received the commander's coin from the chief of the Norwegian cyber defence forces in spring 2014.
Basic Information
Gender
Male
Relationship
Single
Per Thorsheim's +1's are the things they like, agree with, or want to recommend.
WiFi Track
market.android.com

A WiFi Survey / Wardriving App.

Break Weak Password Hashes
www.indiegogo.com

Instantly check if a hash is from a list of trillions of passwords. Works with unsalted hashes: LM, NTLM, MD5, SHA1, etc.

I worry quite a bit about paranoia...
mollerhaug.blogspot.com

One of my former bosses once said (freely translated from English): "I worry quite a bit about paranoia. Most often I am worried about a

ISF Norge
market.android.com

The ISF-app gives you a complete overview over the autumn conference – directly to your smartphone! Download the app to review the updated p

Phishing without a webpage - researcher reveals how a link *itself* can ...
nakedsecurity.sophos.com

Can you phish without a phishing page? Research by a student at the University of Oslo in Norway finds that, with the help of a trusty URI,

- A gift package for the authorities - Computerworld
www.idg.no

Is Skype still trustworthy? No, says Eivind Jonassen. He thinks you should drop the program. - Just speculation and rumours, counters Per Thor

The Final Word on the LinkedIn Leak
securitynirvana.blogspot.com

As you are undoubtedly aware of by now, two weeks ago the professional networking site LinkedIn became the victim of a rather unfortunate mi

Hackers can demand ransom for your family photos
tv2.no

A computer virus that takes over the files on your computer and makes them unreadable is rampaging across the net.

GO LauncherEX Norwegian langua
market.android.com

GO Launcher Dev Team A language plug-in for GO LauncherEX. This pack is for GO LauncherEX Norwegian language support. Install it and change

- Feel free to write your password on a note - Computerworld
www.idg.no

Password expert Per Thorsheim thinks a password is safer on a note than in an insecure app.

Password apps don't make the grade - Computerworld
www.idg.no

They keep your passwords in order, but are badly encrypted - several lack encryption entirely.

- We hate passwords - Computerworld
www.idg.no

Google security chief Úlfar Erlingsson thinks the competitors are his biggest security threat. The reason: customers hate passwords.

Cryptohaze Blog: GPU Rainbow Tables 1.22 out - with WebTables fixes!
blog.cryptohaze.com

GPU Rainbow Tables 1.22 out - with WebTables fixes! Sorry for the delay. My random number generator code was acting up and needed revision.