Debunking Cybersecurity Myths

Cybersecurity expert Eva Galperin -- @evacide -- helps debunk some common myths about cybersecurity.

☑️​ Is the government watching you through your computer camera?

☑️​ Does Google read all your Gmail?

☑️​ Does a strong password protect you from hackers?

☑️​ Will encryption keep my data safe?

☑️​ Are all hackers bad people?

Eva answers all these questions and much more using clear language that's easy to understand.

Eva Galperin is the Director of Cybersecurity at the Electronic Frontier Foundation -- @eff

Rather read than listen? A helpful transcript is available.

wired.com/video/watch/expert-d

#infosec #cybersecurity #BeCyberSmart #moreThanAPassword #infosectraining #diceware #encryption #passwords #passwordmanagers #publicwifi #vpn #eff #electronicfrontierfoundation

Last updated 1 year ago

And the answer to the poll is . . . 1882!

Yup, it’s true. Asking someone to disclose their “mother’s maiden name” as a security technique was first publicly described in 1882.

That’s the year Sacramento, CA banker — Frank Miller — published his book titled "Telegraphic Code: To Insure Privacy and Secrecy In The Transmission Of Telegrams."

This was the same book which described the first concept and implementation of the One-Time Pad.

Frank and his fellow banker buddies conducted high finance over the Internet of their day, the Telegraph, which was considered by many to be completely insecure; about as private as sending a postcard.

How did you transfer loads of your employer’s money securely over an insecure means of communication?

You used a telegraphic code book and combined it with other layers of security. Big $$$$s were involved, and no one wanted — then or now — to be the one who screwed up a transaction.

So “mother’s maiden name” became one of the layers of security used in money transfers.

As they said on Battlestar Galactica: “All this has happened before, and all this will happen again.”

Interesting how things seem to repeat over and over.

Thanks to everyone who voted in the Poll!

#infosec #cybersecurity #mothersmaidenname #infosectraining #onetimepad

Last updated 1 year ago

Mother’s Maiden Name?

This was one of the most common security questions. Thankfully we don’t encounter these as often as we used to.

But for at least two decades, during online account setup, sites frequently asked us to enter our mother’s maiden name as a way of identifying ourselves.

Take a guess!

When do you think asking for this tidbit of personal info (as a security technique) was first publicly described?

#infosec #cybersecurity #mothersmaidenname #infosectraining

Last updated 1 year ago

You clicked on what?

Check out this piece of conference swag.

An infosec vendor gave out these T-shirts at a conference last year.

Initially this shirt made me laugh, but just wondering if we should try not to make fun of “the stoopid users” so much.

Are "people" really the weakest link in the cybersecurity chain?

Lance Spitzner prefers the phrase:

"People are the primary attack vector."

This subtle change in messaging reframes the conversation, and moves the blame away from the user.

He encourages all of us to stop *blaming* others and figure out how to *enable* instead.

"After all, how many operating systems do you know of that self-report when they've been hacked?"

Just wondering if there are other ways to shift the convo when we engage with ordinary consumers / end users without talking down or making them feel “less than” for their lack of technical skillz?

Cybersecurity savvy *isn't* evenly distributed in the general public. Lots of folks are living below the cybersecurity poverty line, and don't even know it.

Lance Spitzner is a board member of the National Cybersecurity Alliance.

#infosec #cybersecurity #BeCyberSmart #infosectraining

Last updated 1 year ago

null - Open Security Community · @null0x00
150 followers · 273 posts · Server ioc.exchange

RT @nullDelhi
And the HUMLA on Advanced sqli injection begins...

@null0x00

#null0x00 #NullDelhi #SQLi #workshop #community #infosec #infosectraining

Last updated 1 year ago

John Gordon ⚡️ · @Bluedonkey
267 followers · 826 posts · Server mastodon.social

Time for me to watch the annual cyber-security video - which seems to be 2 months early since I didn’t start at the company until the end of March. Maybe it takes people 2 months to get around to watching it so they notify early? (Also got the DMV registration for the today, and that isn’t due until mid-April!)

#taycan #infosectraining

Last updated 2 years ago

Dan Staples · @dismantl
160 followers · 294 posts · Server infosec.exchange

Which infosec training should I spend my money on next?

#infosec #redteam #malware #pentesting #infosectraining

Last updated 2 years ago

Which Password Manager Is Better?
Standalone or Built-In?

Tavis Ormandy Sounds Off

Should ordinary folks use a separate, standalone Password Manager, or the Password Manager built into their browser?

Tavis Ormandy is an Information Security Engineer from England currently employed by Google as a member of their Project Zero team.

After discussing various technical problems with password managers, and after downplaying the need for "nuance," Tavis says:

"If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.

I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI (user interface) from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use."

Tavis also recommends writing down and securely storing passwords.

Thinking about what would work best for most people, where do you think this advice lands?

Good idea, bad idea, or somewhere in between?

lock.cmpxchg8b.com/passmgrs.ht

#infosec #cybersecurity #BeCyberSmart #moreThanAPassword #infosectraining #passwords #passwordmanagers

Last updated 2 years ago

Debunking Cybersecurity Myths

Cybersecurity expert Eva Galperin -- @evacide -- helps debunk (and confirm!) some common myths about cybersecurity.

☑️​ Is the government watching you through your computer camera?

☑️​ Does Google read all your Gmail?

☑️​ Does a strong password protect you from hackers?

☑️​ Will encryption keep my data safe?

☑️​ Are all hackers bad people?

Eva answers all these questions and much more using clear language that's easy to understand.

Eva Galperin is the Director of Cybersecurity at the Electronic Frontier Foundation -- @eff

A helpful transcript is available.

wired.com/video/watch/expert-d

:boost_ok:​ Feel free to share (boost) this post with all those who follow you by clicking the cycled-arrow icon below.

:mastodon: ​Here on Mastodon, boosting doesn’t elevate a post through any algorithmic shenanigans. Everyone who follows you gets to see the post (“toot”) without the platform interfering.

#electronicfrontierfoundation #infosec #cybersecurity #BeCyberSmart #moreThanAPassword #infosectraining #diceware #encryption #passwords #passwordmanagers #publicwifi #vpn #eff

Last updated 2 years ago

And the answer to the poll is . . . 1882!

Yup, it’s true. Asking someone to disclose their “mother’s maiden name” as a security technique was first publicly described in 1882.

That’s the year Sacramento, CA banker — Frank Miller — published his book titled "Telegraphic Code: To Insure Privacy and Secrecy In The Transmission Of Telegrams."

This was the same book which described the first concept and implementation of the One-Time Pad.

Frank and his fellow banker buddies conducted high finance over the Internet of their day, the Telegraph, which was considered by many to be completely insecure; about as private as sending a postcard.

How did you transfer loads of your employer’s money securely over an insecure means of communication?

You used a telegraphic code book and combined it with other layers of security. Big $$$$s were involved, and no one wanted — then or now — to be the one who screwed up a transaction.

So “mother’s maiden name” became one of the layers of security used in money transfers.

As they said on Battlestar Galactica: “All this has happened before, and all this will happen again.”

Interesting how things seem to repeat over and over.

#infosec #cybersecurity #mothersmaidenname #infosectraining #onetimepad

Last updated 2 years ago

Mother’s Maiden Name?

This was one of the most common security questions. Thankfully we don’t encounter these as often as we used to.

But for at least two decades, during online account setup, sites frequently asked us to enter our mother’s maiden name as a way of identifying ourselves.

Take a guess!

When do you think asking for this tidbit of personal info (as a security technique) was first publicly described?

:boost_ok:​ Feel free to share (boost) this post with all those who follow you by clicking the cycled-arrow icon below.

:mastodon: ​Here on Mastodon, boosting doesn’t elevate a post through any algorithmic shenanigans. Everyone who follows you gets to see the post (“toot”) without the platform interfering.

#infosec #cybersecurity #mothersmaidenname #infosectraining

Last updated 2 years ago

“Catching” People Doing The Right Thing

What if we put some effort into incentivizing security behaviors in an overt way?

In some situations, could the work of infosec leadership be more about reinforcing positive behavior than correcting behavior that falls short?

Is that even possible to do in a way that doesn’t seem like intrusive surveillance, or feels creepy?

Some years ago business writers explored the concept of incentivizing behaviors through “catching” employees doing the right thing.

One writer suggested:
☑️​ Brainstorming the behaviors the organization wants to see more of.
☑️​ Writing the specific behaviors down on pieces of paper.
☑️​ Putting them all into a bowl or hat.
☑️​ Pulling one behavior out of the bowl/hat once each day.

During the day, business managers would look for employees doing the “right thing,” and make a point of calling out their good behavior.

Is there some way to do this with typical consumers that would move the needle in the right direction?

Perhaps at the point of signing in to a website, we could celebrate with users their strong password, or their use of MFA to log in, or . . . any other security behavior we want to encourage?

Is it possible to do this in a way that doesn’t feel like they’re being watched too closely?

This article from Harvard Business Review details putting these concepts to work at a large bank using stickers, and a Canadian law enforcement organization issuing “positive tickets.”

hbr.org/2012/10/catch-people-i

Just sitting here wondering if there’s a way to incorporate this into helping ordinary consumers become more safe online.

Have you noticed anything along these lines that worked well? Or that failed?

:boost_ok:​ Feel free to share (boost) this post with all those who follow you by clicking the cycled-arrow icon below.

:mastodon: ​Here on Mastodon, boosting doesn’t elevate a post through any algorithmic shenanigans. Everyone who follows you gets to see the post (“toot”) without the platform interfering.

#infosec #cybersecurity #BeCyberSmart #infosectraining

Last updated 2 years ago

Get a red-hot poker and open up my eyes, it's so boring!

Negative Employee Perceptions of Cybersecurity Training

Why do employees often not engage with cybersecurity training material? How do their current beliefs influence their receptivity for future training?

Australian researchers conducted in-depth interviews with 20 employees to understand their thinking about corporate information security training.

The results from our friends “down under” suggest that employee perceptions of infosec training programs relate to:

➡️​ Their previously held beliefs about cybersecurity threats,
➡️​ The content and delivery of the training program,
➡️​ The behavior of others around them, and
➡️​ Features of their organization.

What do you think we could add to infosec training to make it more fun, engaging, and interesting?

Have you tried anything recently that was unusual or especially effective?

PS — This is a great opportunity to "toot" your own horn, which is appropriate since we're on Mastodon, right?

sciencedirect.com/science/arti

#infosec #australia #cybersecurity #infosectraining

Last updated 2 years ago

Rick Valenzuela :donor: · @rv
175 followers · 108 posts · Server infosec.exchange

I don't want to post content from birdsite here, but this is cool, and probably interesting for a lot here. 

Dirk-jan Mollema is holding trainings on Azure AD and hybrid AD security. It's in-person and I think NL only, but there's a poll on his Twitter so maybe other options later.

twitter.com/_dirkjan/status/15

#azuread #azurehybrid #activedirectory #infosectraining

Last updated 2 years ago

unregistered436 · @unregistered436
126 followers · 28 posts · Server infosec.exchange

@CackalackyCon is a conference held in . The first one was in 2019, and had approximately 400 attendees, but unfortunately the pandemic put a damper on 2020 and 2021. CackalackyCon is BACK in May! It's a true old school "hacker" con without sponsors (donations are cool though) that runs Friday evening through Sunday evening. There's a single track of talks, a Lockpick Village (by Oak City Locksport), CTF, contests, likely a workshop, and plenty of shenanigans. Please consider submitting, and I hope to see you there! (local RDU venue to be announced soon). docs.google.com/forms/d/1KmoAf Talks from 2019 can be found here youtube.com/@CackalackyCon/vid

#oldschool #hacker #rdu #hacking #infosec #infosectraining

Last updated 2 years ago