NFC and QR Code Risks

Packetstorm recently posted an interesting whitepaper discussing the security implications of NFC. Not especially long, but it does bring up some good points worth considering.  Personally I have little use for NFC and keep it turned off as a general practice. 

Another technology that deserves similar treatment is QR codes, which GRC has an interesting podcast about here:

Happy Hacking,


Locking Down Facebook

For those who use Facebook and care about their security and personal information, ensuring your account is locked down (and stays locked down in the face of the numerous changes Facebook makes over time) is of paramount importance. Kaspersky (via ThreatPost) put together a handy video detailing the steps needed to adjust the Facebook settings appropriately for the most secure account you can have.


Trackback URL to Kaspersky's original post:
Happy Hacking,


Life Hacks

While browsing around the Al Gore-created series of tubes, I came across this nice collection of life hacks.  While I didn't come up with these hacks (nor do I endorse all of them), I figured they deserved some airtime.
Happy Hacking,


Dynamic Passwords

There will be times when, like it or not, you will not be able to use a passphrase. A service might require you to follow "complexity requirements" in your password, or you might be limited to a certain number of characters. So, if you can't use a passphrase, what is your next most secure option?

Traditional security rules state that a password should be at least 8 characters long, with at least one capital letter, one lowercase letter, one number, and one special character. It is also recommended practice that each service, website, or application you use have a separate password. Sounds great, but is this really a practical solution? Unless you have an exceptional memory, remembering all those unique passwords is going to be extremely difficult, and chances are you will either forget them or write them down. Sure, you could use one complex password for everything (as many people do, unfortunately), but what if one of your services gets compromised? Once the attacker recovers that password, they can log into every other service you use with it. So, what is the best compromise?

Enter dynamic passwords. Put simply, a dynamic password is one you derive by applying a fixed algorithm to the name of the site or service, so that each site ends up with a different password. All you need to remember is the algorithm; if you forget a password, you run the same algorithm again and arrive at the same result. This keeps passwords easy to reconstruct and, if the algorithm is not trivially obvious, makes the scheme harder for an attacker to work out from a single recovered password. This is best explained by example:

Let's start with a very basic password, such as "Q". Now, let's throw in some dynamic variables at the end of the password, such as the first and last character of the service or website you're using, represented by X and Y. The password would then look like "QXY". Applying this to a website is easy. For example, if you're creating a password for Amazon, X would be "a" and Y would be "n". Thus the password for Amazon would be "Qan". Using the same algorithm, the password for Walmart would be "Qwt".

But let's not stop there - obviously a three-character password isn't going to last for long. We could add other variables, such as the length of the first word of the service name, zero-padded to two digits (represented by LL), as well as static characters, like "3!". Now the password is "QXYLL3!"; for Newegg, whose first word is "New", it would be "Qng033!". To top it off, you could add a shift cipher at the end that takes the first character of the website/service, capitalizes it, and moves it forward two letters in the alphabet, wrapping around at the end (thus 'a' becomes 'C', 'b' becomes 'D', and 'y' wraps to 'A').

Thus, our final algorithm would look like "QXYLL3!(+2)", and would generate the following passwords:
GovernmentSecurity.org:  Qgy103!I
Yahoo.com:               Qyo053!A
Paypal.com:              Qpl033!R

This is just a sample algorithm, but it satisfies the complexity rules of most websites, is unique to each site, and is easy to reconstruct from memory. Experiment with your own algorithm, combining various features and other tricks to obscure it; the possible variations are endless. Be clear about the limitation, though: every character except the static ones ("Q" and "3!") and the rule itself is derived from the site's name, which is public. An attacker who obtains two or three of your passwords in plaintext (from a breach dump or cracked hashes) and lines them up against the site names can usually work out the rule by inspection, with no statistical analysis needed, and then generate your password for any other site you use. A more involved algorithm raises that bar, but only as long as none of your passwords leak, so treat this as the fallback for sites that reject a passphrase rather than as your default.
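To make the "QXYLL3!(+2)" scheme concrete, here is an added example in Python (not code from the original post) that generates the password for a site and, to illustrate the caveat above, recovers the static parts from one leaked password once the layout is known. It assumes the service name is supplied as its component words with the TLD dropped (for example ["Pay", "pal"] for Paypal.com), because splitting a compound name into words is a judgment the post leaves to the reader; the example site list is constructed from the post's own examples.

```python
"""Site-specific password generator for the "QXYLL3!(+2)" scheme.

Added example, not the original post's code. The service name is passed as
its component words without the TLD, e.g. ["Pay", "pal"] for Paypal.com.
"""
from typing import Optional, Sequence, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def shift_letter(ch: str, shift: int) -> str:
    """Move a letter forward `shift` places (wrapping z -> a) and capitalize it."""
    idx = ALPHABET.index(ch.lower())
    return ALPHABET[(idx + shift) % len(ALPHABET)].upper()


def dynamic_password(words: Sequence[str],
                     static_prefix: str = "Q",
                     static_suffix: str = "3!",
                     shift: int = 2) -> str:
    """Build the password for a service from its name words.

    Layout: <prefix><X><Y><LL><suffix><shift(X)>
      X  = first character of the service name (lowercase)
      Y  = last character of the service name (lowercase)
      LL = length of the first word, zero-padded to two digits
    """
    if not words or not all(words):
        raise ValueError("service name must contain at least one non-empty word")
    name = "".join(words)
    x = name[0].lower()
    y = name[-1].lower()
    ll = f"{len(words[0]):02d}"
    return f"{static_prefix}{x}{y}{ll}{static_suffix}{shift_letter(x, shift)}"


def recover_static_parts(words: Sequence[str], leaked: str,
                         shift: int = 2) -> Optional[Tuple[str, str]]:
    """Attacker's view: given one leaked password and the site name, strip the
    site-derived characters and return (static_prefix, static_suffix).

    This assumes the attacker has already guessed the layout (as they could
    from a couple of leaks lined up against site names); it shows that the
    only truly secret material is the static prefix and suffix.
    """
    name = "".join(words)
    marker = name[0].lower() + name[-1].lower() + f"{len(words[0]):02d}"
    pos = leaked.find(marker)
    if pos < 0 or not leaked or leaked[-1] != shift_letter(name[0], shift):
        return None  # layout guess does not fit this password
    return leaked[:pos], leaked[pos + len(marker):-1]


# Constructed from the post's examples; word splits are the user's judgment.
EXAMPLES = {
    "GovernmentSecurity.org": ["Government", "Security"],
    "Yahoo.com": ["Yahoo"],
    "Paypal.com": ["Pay", "pal"],
    "Newegg.com": ["New", "egg"],
}


def passwords_for_examples() -> dict:
    """Generate the password for every site in EXAMPLES."""
    return {site: dynamic_password(words) for site, words in EXAMPLES.items()}


if __name__ == "__main__":
    for site, pw in passwords_for_examples().items():
        print(f"{site:24s} {pw}")
    # One leak plus the known layout is enough to recover the static parts.
    print(recover_static_parts(["Yahoo"], "Qyo053!A"))
```

Note that `recover_static_parts` needs nothing but the leaked string and the public site name; once the prefix and suffix are known, `dynamic_password` produces the password for every other site, which is exactly the failure mode the caveat above describes.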

Happy Hacking.