Federated login relies on target site to be secure

I attended an interesting talk last week that was based on a paper from MSR. It was interesting to hear that, in this day when federated logins that let you use your Facebook, Google or Live credentials to log in to some third-party site are very convenient, a lot of these third-party…


Phishing Test

Every time I hear of somebody falling for a phishing attempt it puzzles me, since I find it so obvious when I see one. So yesterday I did the Phishing and Spam IQ test. Some of the questions were quite hard, since you don’t know if you have ordered such a service as the one mentioned…


Getting the logged on windows user in your apache server

I was recently involved in a discussion where a company was developing an intranet site using Apache and PHP on a Windows server. All clients were Windows, and they wanted to know who was connecting to the intranet site (only accessible inside the company firewall). They also wanted an SSO (single sign-on) experience for the users….



```php
<?php
// This is a copy taken 2008-08-21 from http://siphon9.net/loune/f/ntlm.php.txt to make sure the code is not lost.
// For more information see:
// http://blogs.msdn.com/cellfish/archive/2008/08/26/getting-the-logged-on-windows-user-in-your-apache-server.aspx
// NTLM specs http://davenport.sourceforge.net/ntlm.html

$headers = apache_request_headers();
if (!isset($headers['Authorization'])) {
    // No credentials yet: ask the browser to start the NTLM handshake.
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: NTLM');
    exit;
}

$auth = $headers['Authorization'];
if (substr($auth, 0, 5) == 'NTLM ') {
    // Strip the scheme and base64-decode the NTLMSSP message.
    $msg = base64_decode(substr($auth, 5));
    if (substr($msg,…
```
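The snippet above is cut off just as it starts to look at the decoded message, so here is the rest of the handshake written out as an added example (my own, in Python rather than the page's PHP; it is not Loune's code and not the blog's). The first request is answered with a bare `WWW-Authenticate: NTLM`, the client's Type 1 message is answered with a Type 2 challenge, and the domain and user name are read out of the security buffers of the client's Type 3 message, following the layout in the davenport document the comment points to. The builders `build_type1` and `build_type3`, the names CONTOSO, alice and WS01, and the all-zero LM/NTLM responses are constructed test input, not captured traffic; cp850 is assumed as the OEM code page for non-Unicode names.

```python
"""Server side of the HTTP NTLM handshake, reduced to what an intranet
"who is connecting" handler needs. Wire format per
http://davenport.sourceforge.net/ntlm.html. Nothing here checks the
LM/NTLM responses in the Type 3 message, so the identity returned is the
client's claim, not a verified login (see the note below the code)."""
import base64
import os
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200


def _secbuf(msg, offset):
    """Read a security buffer (u16 length, u16 allocated, u32 offset) at `offset`
    and return the bytes it points to, refusing pointers outside the message."""
    length, _alloc, start = struct.unpack_from("<HHI", msg, offset)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]


def encode_header(msg):
    """Raw NTLMSSP message -> 'NTLM <base64>' as carried in HTTP headers."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def decode_header(value):
    """'NTLM <base64>' -> raw message bytes, after checking the NTLMSSP signature."""
    scheme, _, token = value.partition(" ")
    if scheme != "NTLM" or not token:
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    return msg


def message_type(msg):
    """Type field at offset 8: 1 = Negotiate, 2 = Challenge, 3 = Authenticate."""
    return struct.unpack_from("<I", msg, 8)[0]


def build_type2(challenge=None):
    """Minimal 32-byte Type 2 message: empty target name, Unicode+NTLM flags,
    8-byte server challenge (random unless one is supplied for testing)."""
    challenge = challenge or os.urandom(8)
    if len(challenge) != 8:
        raise ValueError("challenge must be 8 bytes")
    return (SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, 32)  # target name: empty, points just past the fixed part
            + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
            + challenge)


def parse_type3(msg):
    """Type 3 message: security buffers at 12 (LM), 20 (NTLM), 28 (domain),
    36 (user), 44 (workstation); flags at 60 when the message is long enough."""
    if message_type(msg) != 3 or len(msg) < 52:
        raise ValueError("not a Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else NEGOTIATE_UNICODE
    # Names are UTF-16LE if Unicode was negotiated, else the OEM code page (cp850 assumed).
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp850"
    return {"domain": _secbuf(msg, 28).decode(enc),
            "user": _secbuf(msg, 36).decode(enc),
            "workstation": _secbuf(msg, 44).decode(enc),
            "ntlm_response": _secbuf(msg, 20)}  # carried along, never verified here


def handle_request(authorization, challenge=None):
    """One request's worth of the handshake: returns (status, header, identity)."""
    if authorization is None:
        return 401, "WWW-Authenticate: NTLM", None
    msg = decode_header(authorization)
    kind = message_type(msg)
    if kind == 1:
        return 401, "WWW-Authenticate: " + encode_header(build_type2(challenge)), None
    if kind == 3:
        who = parse_type3(msg)
        return 200, None, who["domain"] + "\\" + who["user"]
    raise ValueError("unexpected NTLM message type %d" % kind)


# --- constructed client messages so this runs offline (not captured traffic) ---

def build_type1():
    """Minimal 16-byte Type 1 message carrying only the negotiation flags."""
    return SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)


def build_type3(domain, user, workstation):
    """Type 3 message with UTF-16LE names and dummy all-zero LM/NTLM responses:
    exactly the kind of forged message a server that does not verify them accepts."""
    lm = ntlm = b"\x00" * 24
    blobs = [lm, ntlm] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    pos, bufs, data = 64, b"", b""  # 64 = fixed part up to and including the flags field
    for blob in blobs:  # LM, NTLM, domain, user, workstation, (empty) session key
        bufs += struct.pack("<HHI", len(blob), len(blob), pos)
        data += blob
        pos += len(blob)
    return SIGNATURE + struct.pack("<I", 3) + bufs + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM) + data


if __name__ == "__main__":
    print(handle_request(None))
    print(handle_request(encode_header(build_type1())))
    print(handle_request(encode_header(build_type3("CONTOSO", "alice", "WS01"))))
```

The caveat a PHP script like the one above cannot get around: nothing in this exchange validates the NTLM response, and the script has no way to, because only the client's machine or a domain controller holds the secret that produced it. The name `parse_type3` returns is therefore whatever the client put into the message; `build_type3` shows how little effort that takes. That is fine for the "who is connecting" convenience the post describes on an internal network, but it is not authentication. If the site has to trust the identity, the Type 3 response has to be checked against the domain, which on Windows Apache meant handing the exchange to an SSPI module such as mod_auth_sspi rather than decoding it in PHP.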


Using CSS to fetch user browser history

If you know what you’re looking for in the user’s browser history there is a pretty simple way to check whether the user has visited a certain site recently or not. Basically you can create an invisible iframe with the link(s) you want to check and then use JavaScript to query the appearance of…