Why an 8-Character Password is Not Enough

Take a common password, 8 characters in length, composed of 1 word, 1 number and 1 punctuation mark.

The Attack

Using a script (a program that automatically performs tasks in place of a human), the attacker guesses every possible 8-character combination. This will take about 3 days.

This is a brute force attack – very little elegance, just plain old grinding it out.

The More Sophisticated Attack

In a dictionary attack the attacker again runs a script, but instead of guessing blindly it tries lists of words first, starting with the words most commonly used in passwords.

See yours in here?

The Defence

Choose 3 obscure words and string them into a sentence, separated by punctuation and numbers.
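As an added example (not from the original post), a keyspace calculator that ties the two figures on this page together: at the 25 billion guesses per second quoted in the series announcement below, exhausting every 8-character printable-ASCII password takes about 3 days, the "one word + digit + punctuation" pattern falls in a fraction of a second once a wordlist is tried first, and the three-obscure-words defence grows the search by orders of magnitude. The 10,000- and 100,000-word list sizes and the 42 separator characters are assumptions.

```python
import math

# Guess rate quoted in the series announcement on this page.
GUESSES_PER_SECOND = 25_000_000_000
PRINTABLE_ASCII = 95          # 52 letters, 10 digits, 32 punctuation marks, 1 space
DIGITS, PUNCTUATION = 10, 32
SECONDS_PER_DAY = 86_400


def brute_force_keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Candidates a blind brute-force attack must cover for one fixed length."""
    return alphabet ** length


def word_pattern_keyspace(wordlist: int, digits: int = DIGITS, punct: int = PUNCTUATION) -> int:
    """Candidates for the 'one word + one digit + one punctuation mark' pattern when the
    attacker tries a wordlist first (the page's dictionary attack). wordlist size is assumed."""
    return wordlist * digits * punct


def passphrase_keyspace(words: int, wordlist: int, separators: int = DIGITS + PUNCTUATION) -> int:
    """Candidates for N wordlist words joined by N-1 separators (the page's defence).
    Even an attacker who knows the scheme must try every word and separator choice."""
    return wordlist ** words * separators ** (words - 1)


def days_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / rate / SECONDS_PER_DAY


def compare() -> dict:
    """Keyspace and exhaustion time for each scheme; wordlist sizes are assumptions."""
    schemes = {
        "8 chars, blind brute force": brute_force_keyspace(8),
        "word+digit+punct, 10k common words": word_pattern_keyspace(10_000),
        "3 obscure words, 100k wordlist": passphrase_keyspace(3, 100_000),
    }
    return {name: (ks, math.log2(ks), days_to_exhaust(ks)) for name, ks in schemes.items()}


if __name__ == "__main__":
    for name, (ks, bits, days) in compare().items():
        print(f"{name:38s} {bits:5.1f} bits  {days:12.3g} days")
```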

***

This post has been brought to you by Nuix and KeriBlog. Meet Nuix here.

 

 

Never Call when This Happens

Kind of clever, eh: a real-sounding URL, “Support for Apple”, and a toll-free number, how nice for someone else to foot the bill.

The Attack

Pop-up window appears > you call the number > whoever answers is skilled with words > you’re tricked (social engineered) into doing something stupid, like providing a password or downloading a malicious file.

The Defence

Never call. Legitimate support never works this way.

***

See also: You’ll never win a contest via text

 

 

Defeat New Car Tech by Using a Wire & Wedge

I was locked out of my car at the airport a few weeks ago, and had to call for help.

A gentleman showed up with these primitive tools, and as I watched I realized how ironic it is that all the electronic this and automatic that can be defeated with a wire and a rubber wedge.

How it works:

1 – jam the wedge between the door’s window jamb and frame, creating a gap
2 – slide the wire through the gap
3 – use the J-hook on the end of the wire to unlock the door

Sorry for the grainy photos, it was like:

Guy – woah wait, are you filming this?
Me – no no, they’re just photos, it’s okay.

 

 

Don’t Customize your Car’s Home Screen

For the past couple months, I’ve been trying to upload images into the infotainment home screen of whatever car I have each week.

I’ve now tried 5 different manufacturers, formatting the USB 3 different ways, using JPEGs/BMPs, and each time I keep failing.

I can’t get any of the five to accept them. Strangest thing. So my reasoning is: if it doesn’t work, there’s a problem, so don’t.

Because here is the possible attack:

The Attack

Download image from the internet to USB > there are flaws in the code that parses JPEGs/BMPs that could be used to execute arbitrary code on the device > leading to you running bad stuff (malware, viruses, etc.)
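As an added example (not from the post), the developer-side counterpart to this attack for the BMP case: a header validator that treats every size field in the file as untrusted and rejects an image whose declared dimensions exceed the pixel data actually present, which is the kind of inconsistency a careless decoder turns into an out-of-bounds read or write. The 32,768-pixel dimension cap and the constructed sample files are assumptions.

```python
import struct

FILE_HEADER = struct.Struct("<2sIHHI")       # 'BM', file size, 2 reserved, pixel-data offset
INFO_HEADER = struct.Struct("<IiiHHIIiiII")  # 40-byte BITMAPINFOHEADER
MAX_DIMENSION = 1 << 15                      # sanity cap on width/|height| (assumption)
ALLOWED_BPP = {1, 4, 8, 16, 24, 32}


def parse_bmp_header(data: bytes) -> tuple:
    """Validate a BMP header before trusting anything in it; returns (width, height, bpp).
    Raises ValueError instead of letting inconsistent sizes drive memory accesses."""
    if len(data) < FILE_HEADER.size + INFO_HEADER.size:
        raise ValueError("truncated header")
    magic, _file_size, _, _, off_bits = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        raise ValueError("bad magic")
    (hdr_size, width, height, planes, bpp, compression,
     _, _, _, _, _) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)
    if hdr_size != INFO_HEADER.size or planes != 1 or compression != 0:
        raise ValueError("unsupported header variant")
    if bpp not in ALLOWED_BPP:
        raise ValueError(f"bad bits per pixel: {bpp}")
    # A negative height means top-down rows and is legal; width must be positive.
    if not (0 < width <= MAX_DIMENSION and 0 < abs(height) <= MAX_DIMENSION):
        raise ValueError("dimensions out of range")
    if not (FILE_HEADER.size + INFO_HEADER.size <= off_bits <= len(data)):
        raise ValueError("pixel offset outside file")
    stride = ((width * bpp + 31) // 32) * 4  # each row is padded to a 4-byte boundary
    if off_bits + stride * abs(height) > len(data):
        raise ValueError("declared dimensions exceed the pixel data actually present")
    return width, height, bpp


def make_bmp(width: int, height: int, bpp: int = 24, claim_height: int = None) -> bytes:
    """Constructed sample: BMP with zeroed pixels; claim_height forges the header's row count."""
    stride = ((width * bpp + 31) // 32) * 4
    pixels = bytes(stride * height)
    off = FILE_HEADER.size + INFO_HEADER.size
    declared = height if claim_height is None else claim_height
    info = INFO_HEADER.pack(INFO_HEADER.size, width, declared, 1, bpp, 0,
                            len(pixels), 2835, 2835, 0, 0)
    return FILE_HEADER.pack(b"BM", off + len(pixels), 0, 0, off) + info + pixels


GOOD_BMP = make_bmp(2, 2)                          # honest 2x2 24-bit image
FORGED_BMP = make_bmp(2, 2, claim_height=20_000)   # header claims rows the file lacks
```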

The Defence

Just don’t. Everything doesn’t need to be customized.

To be clear: I highly doubt this niche attack will happen to you, and if it does, it’s probably because you’re a target and likely have bigger things to worry about.

But it’s not always going to be this way. In the near future, we’ll be adding apps to our cars the same way we now do to our phones. Good habits start now.

Photo I’m trying to load is from the post: Got stuck in some PVC pipe yesterday here

***

Blog tag = auto security

 

 

Introducing the Nuix & KeriBlog Security Series

Announcing the launch of an all-new security series here on KeriBlog, brought to you by Nuix and KeriBlog.com.

I’m especially excited to get Nuix’s input on the posts, because I am no expert, and the type of topics we’ll talk about is baby stuff for them.

Who is Nuix?

Found in 45 countries around the world, Nuix specializes in threat intelligence, and works with some of the world’s leading enterprises and regulatory agencies, law enforcement and anti-corruption bodies, federal government departments, and advisory firms.

They’re a technology company that enables people to make fact-based decisions by analyzing and extracting knowledge from unstructured data.

Think of it like an “Anomaly Machine” – upload any type of file (logs, emails, documents), and it will hoover up the text and help you find patterns among thousands+ of files.

We’ll make it so you don’t recoil in horror seeing this:

About the Security Series

We’ve designed an 8-part series to teach you how to stay safe online. Our first topic is passwords. Did you know that, with the help of a tool, I can make 25 billion password guesses per second? Billion.

Upcoming topics: 

  1. Passwords
  2. So You Clicked on a Bad link
  3. Malware, Viruses, Trojans and more
  4. What is a Pentest and why you need one
  5. XSS is not your friend
  6. Let’s go Phishing
  7. The MITM Attack
  8. Securing a WordPress site

And they’re going to attack me. Neat, eh.

I’ll be the guinea pig, and they’ll attempt (and probably succeed in) breaching my social media accounts, blog, and email to show you how easy it is to be compromised.

Remember the golden rule of online security:
it’s only as good as YOU make it.

Small business owners – a responsibility comes with accepting credit cards and customers’ personal information; conduct your business security accordingly.

***