From 2690cf1a9d13f1412a0cffa4fb84e9257652f1ce Mon Sep 17 00:00:00 2001 From: Declan Chidlow Date: Wed, 28 Feb 2024 16:04:06 +0800 Subject: [PATCH] Release cybersecurity article --- .../documents/Cybersecurity_Superstition.md | 60 +++++++++++-------- .../export/Cybersecurity_Superstition.html | 54 +++++++++-------- blog/feed/export/feed.rss | 60 +++++++++++-------- config/pages/blog/blog.md | 8 +++ docs/blog.html | 5 ++ docs/blog/Cybersecurity_Superstition.html | 54 +++++++++-------- docs/blog/feed.rss | 60 +++++++++++-------- 7 files changed, 181 insertions(+), 120 deletions(-) diff --git a/blog/feed/documents/Cybersecurity_Superstition.md b/blog/feed/documents/Cybersecurity_Superstition.md index a3bb2bea..67e6a2a1 100644 --- a/blog/feed/documents/Cybersecurity_Superstition.md +++ b/blog/feed/documents/Cybersecurity_Superstition.md @@ -1,46 +1,48 @@ Cybersecurity Superstition| Vale.Rocks - - + + - +
- Review + Essay

Cybersecurity Superstition

    -
  • -
  • 926 words
  • -
  • 3 minute read
  • +
  • +
  • 1586 words
  • +
  • 5 minute read
-People are scared of being hacked, and when they think of being hacked, they picture a man in a blacked out room wearing a hoodie, surrounded by monitors cascading Matrix style green Unicode characters. Bonus points if the 'hacker' is wearing a Guy Fawkes mask. In reality, this is just about the least accurate depiction you can conjure, but it's how the media depicts hackers. +Fear of hacking often conjures up images of a solitary figure cloaked in darkness, sporting a hoodie, and surrounded by monitors cascading Matrix style green code. Bonus points if the 'hacker' is wearing a Guy Fawkes mask. However, this depiction couldn't be further from the truth. Most of the hackers I know either wear thigh high pink socks or are balding and middle aged. -This is just one of many misconceptions that have been around for years and continue to perpetuate. I often find myself explaining these to people, but I've had enough. This article aims to educate on some of the common misconceptions when it comes to cybersecurity, so I don't have to. +Such misconceptions about hackers and cybersecurity in general have persisted for years, fuelled by sensationalism and misinformation. As someone frequently tasked with debunking cybersecurity fallacies, I've decided enough is enough. This article seeks to debunk common myths surrounding cybersecurity and, with any luck, also frees me from the perpetual cycle of explanation. ## Passwords -We generally calculate the strength of passwords using something called entropy. Entropy refers to how unpredictable something is - in this case, a password. We measure entropy in bits. The more bits of entropy a password has, the more guesses are needed to get it right. +Almost everyone uses passwords. They're the simplest solution for restricting access to something, and they do their job well. Unfortunately, years of bad advice has left people creating passwords that are confusing and insecure. I want to clear this up and identify some best practices. 
+ +Something to understand is that we generally calculate the strength of passwords using something called entropy. Entropy refers to how unpredictable something is - in this case, a password. We measure entropy in bits. The more bits of entropy a password has, the more guesses are needed to get it right. A short password is easy to guess, but as you might imagine, it becomes harder to guess the longer it becomes. The act of guessing passwords through this guess work is called bruteforcing. Bruteforcing is when someone tries _lots_ of different passwords in rapid succession to find the one that works. A bit like when you get locked out of your phone and try lots of different variations in an attempt to rediscover your password. -Most people know not to use names or common phrases in their passwords [(although apparently not enough)](https://blog.mozilla.org/en/privacy-security/privacy-security-tips/your-childs-name-makes-a-horrible-password). Through years of conditioning, we've taught people that they should construct confusing passwords, substituting letters for numbers and forcing in random characters as they please. The embedded XKCD comic outlines the issue. +Most people know not to use names or common phrases in their passwords. Through years of conditioning, we've taught people that they should construct confusing passwords, substituting letters for numbers and forcing in random characters as they please. The embedded XKCD comic outlines the issue.
XKCD comic strip comparing password strength and memorability, showing a complicated password and a simple passphrase, highlighting the entropy and guessability of each, and a stick figure finding the passphrase easier to remember.
Relevant XKCD comic.
-These confusing special chracter infused passwords don't improve security; they harm it. They are hard for humans and easy for computers - the worst of both worlds. I previously mentioned entropy and how we can use it to calculate the strength of a password. Well, it isn't a perfect measure. +These confusing special character infused passwords don't improve security; they harm it. They are hard for humans and easy for computers - the worst of both worlds. I previously mentioned entropy and how we can use it to calculate the strength of a password. Well, it isn't a perfect measure. While bruteforcing may have started by simply crawling through a list of predefined common passwords, they later moved on to using complex algorithms. zxcvbn is a very useful tool that takes these algorithms into account to give an accurate idea of what more modern bruteforcing attacks are capable of. 
@@ -48,23 +50,33 @@ Bitwarder is a free and open source password manager and [supplies a free tool t You should quickly come to realise that passphrases are much more effective than passwords, both in terms of difficulty for computers to crack and ability for humans to memorise. -Many people get this far and then make a fatal mistake. They reuse their passwords across multiple sites or store them insecurely. In the modern age, you should be using a password manager. Something like [Bitwarden](https://bitwarden.com) or [Proton Pass](https://proton.me/pass) allows you to generate secure passwords, store them, and auto fill them on the login page. It's easy to use and provides much needed security. +Many people get this far and then make a fatal mistake. They reuse their passwords across multiple sites or store them insecurely. In the modern age, you should be using a password manager. Something like [Bitwarden](https://bitwarden.com) or [Proton Pass](https://proton.me/pass) allows you to generate secure passwords, store them, and auto fill them on the login page. It's easy to use and provides much needed security. If you take one thing out of this article, make it this. ### Periodic Password Changes While I'm on the topic of passwords, I need to do a brief rant on mandatory password updates. Many organisations require that users periodically change their passwords. This is a terrible idea. [Even Microsoft is against it](https://learn.microsoft.com/en-gb/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903). -It prevents users from memorising their passwords, and prompts them to create simpler, easier-to-remember passwords. It also results in security fatigue, where users become indifferent or careless about security measures in general, which undermines security measures. +It prevents users from memorising their passwords, and prompts them to create simpler, easier to remember passwords. 
It also results in security fatigue, where users become indifferent or careless about security measures in general, which undermines security measures. Moreover, it also introduces unnecessary risk when users are forced to change their passwords, potentially leading to weaker passwords being chosen and opens up opportunities for phishing attacks. -There really is no point in implementing it, especially in the modern age. It does far more harm than good. +There really is no point in implementing these forced changes, especially in the modern age. It does far more harm than good. + +## Multifactor Authentication + +Some people think that a secure password is enough and that it'll ensure their security, but passwords should only ever be used alongside another form of authentication. We call this Multifactor Authentication (MFA). Passwords aren't perfect, and shouldn't be the only point of access. It's a single point of failure that can do undue and preventable damage. + +Timed One Time Passwords (TOTP) are excellent and are one of the best options. The user receives a unique and temporary code that they can use. It's easy for the user and extremely secure. + +Unfortunately, one of the most common MFA solutions is SMS based authentication. It's hugely insecure, and most advisories urge against its usage. Exploitation of the system is all too common, and I have an upcoming article discussing the inherent issues with SMS as a whole. + +Another good option is hardware authentication, such as a Yubikey. This works as you might expect a car or house key to function. You plug it in your computer and it authenticates you. Unfortunately, this also introduces issues of its own. One of these issues is the potential for loss or theft of the physical device. The effect is more or less the same as what would happen should keys of any other nature be lost or stolen. 
## Social Engineering -The fact that focus is often on concepts such as making secure passwords, encryption, and obscurity is detrimental to awareness the real threat. Social engineering. Is it easier to put to together a simple attack that exploits human error, then it is to sink time into finding an exploit in well written software. +The fact that focus is often on concepts such as making secure passwords, encryption, and obscurity is detrimental to awareness of the real threat. Social engineering. It is far easier for a malicious actor to put together a simple attack that exploits human nature than it is to sink time into finding software vulnerabilities to exploit. -I think the best example I can give is this scene from the 1995 film Hackers. The movie as a whole has aged and definately has its flaws, but I think this perfectly encapsulates the how social engineering works. +I think the best example I can give is this scene from the 1995 film Hackers. The movie as a whole has aged and definitely has its flaws, but I think this perfectly encapsulates how social engineering works. 
@@ -72,25 +84,25 @@ Just like that, Johnny Lee Miller's character has access to the TV network. Some The scene highlights all the hallmarks of a good social engineering attack. A convincing story, a sense of urgency, and an overwhelming of the victim. They all come together to help the hacker achieve what they want without the need for any messy script writing. -Social engineering is the most common vector of attack, not traditional 'hacking' as the media might portray. Remain wary on the net, and treat everything with scepticism. +Social engineering is the most common vector of attack, not traditional 'hacking' as the media might portray. While it's important to have at least a basic security setup, that shouldn't be your sole focus. Educate yourself on common social engineering tactics, notably phishing attacks, and maintain a vigilant stance online. Approach all interactions with a healthy dose of scepticism. ## Antiviruses -Something I despise and am long overdue to talk about is the fearmongering of antivirus companies. In the modern age, the average consumer does not need to install an antivirus on their device. +Something I despise and am long overdue to talk about is the fearmongering of antivirus companies. In the modern age, the average consumer does not need to go out of their way to install an antivirus on their device. Despite this, companies will use scare tactics to extort money out of users who know no better. -Companies will use scare tactics to extort money out of users, but it is not needed. Phones are sandboxed, and any application installed from an app store has likely been checked by the store holders. Apple is particularly stringent about this. +Most laptops and desktop computers run Windows, which is a malware mess. That said, I still don't recommend going out of your way to install an antivirus, as the Microsoft Defender, which is directly integrated into Windows, is remarkably capable. 
Just open it up and check that it's working at full capacity, and ensure you use Windows Update regularly to keep the definitions at the latest versions. -It doesn't mean it's impossible for other attacks to occur. You should remain on the lookout for phishing attacks, but it's next to impossible to install malware on your phone. +Unlike computers, phones operate in a closed ecosystem. Apps are screened for malicious content before being added to app stores. That makes it hard to install malware in the first place. Apps are also usually sandboxed, which stops them from interacting with the system at large and prevents anything that may be malicious from doing any real damage. -Devices running Windows are a different story. Windows is a malware mess. That said, I still don't recommend going out of your way to install an antivirus, as the one built into Windows is remarkably capable. Just open it up and check that it's working at full capacity, and ensure you use Windows Update regularly to keep the definitions at the latest versions. +This doesn't mean it's impossible for phones to be hacked, but it does mean that it's a lot harder for it to happen unless you do things outside the norm. It's still possible to encounter malware on phones, but an antivirus really isn't necessary and will likely do more harm than good. -What is worth doing, is using an advertisement blocker. I'd recommend [uBlock Origin](https://ublockorigin.com) which is open source and supported on most of the major browsers. Adblockers don't just block ads; they also block a lot of phishing material and malware links. Even America's FBI [recommend using an adblocker](https://www.ic3.gov/Media/Y2022/PSA221221). +While it's not worth going out of your way to install an antivirus, it is worth installing an ad blocker. I'd recommend [uBlock Origin](https://ublockorigin.com), which is free, open source, and supported on most of the major browsers. 
Adblockers don't just block ads; they also block a lot of phishing material and malware links. Even America's FBI [recommend using an adblocker](https://www.ic3.gov/Media/Y2022/PSA221221). ## VPNs In the same vein as antiviruses, many Virtual Private Networks (VPNs) employ the same scare tactics and fearmongering regarding issues that haven't been relevant for years. -Honestly, I can't say much that hasn't been covered by Tom Scott's excellent video ["This Video Is Sponsored By ███ VPN"](https://www.youtube.com/watch?v=WVDQEoe6ZWY). +Honestly, there isn't much I can say that wouldn't be covered better by simply watching Tom Scott's excellent video, ["This Video Is Sponsored By ███ VPN"](https://www.youtube.com/watch?v=WVDQEoe6ZWY). --- diff --git a/blog/feed/export/Cybersecurity_Superstition.html b/blog/feed/export/Cybersecurity_Superstition.html index 8800076a..23eda467 100644 --- a/blog/feed/export/Cybersecurity_Superstition.html +++ b/blog/feed/export/Cybersecurity_Superstition.html @@ -57,61 +57,67 @@ Cybersecurity Superstition| Vale.Rocks - - + + - +
- Review + Essay

Cybersecurity Superstition

    -
  • -
  • 926 words
  • -
  • 3 minute read
  • +
  • +
  • 1586 words
  • +
  • 5 minute read
-

People are scared of being hacked, and when they think of being hacked, they picture a man in a blacked out room wearing a hoodie, surrounded by monitors cascading Matrix style green Unicode characters. Bonus points if the 'hacker' is wearing a Guy Fawkes mask. In reality, this is just about the least accurate depiction you can conjure, but it's how the media depicts hackers.

-

This is just one of many misconceptions that have been around for years and continue to perpetuate. I often find myself explaining these to people, but I've had enough. This article aims to educate on some of the common misconceptions when it comes to cybersecurity, so I don't have to.

+

Fear of hacking often conjures up images of a solitary figure cloaked in darkness, sporting a hoodie, and surrounded by monitors cascading Matrix style green code. Bonus points if the 'hacker' is wearing a Guy Fawkes mask. However, this depiction couldn't be further from the truth. Most of the hackers I know either wear thigh high pink socks or are balding and middle aged.

+

Such misconceptions about hackers and cybersecurity in general have persisted for years, fuelled by sensationalism and misinformation. As someone frequently tasked with debunking cybersecurity fallacies, I've decided enough is enough. This article seeks to debunk common myths surrounding cybersecurity and, with any luck, also frees me from the perpetual cycle of explanation.

Passwords

-

We generally calculate the strength of passwords using something called entropy. Entropy refers to how unpredictable something is - in this case, a password. We measure entropy in bits. The more bits of entropy a password has, the more guesses are needed to get it right.

+

Almost everyone uses passwords. They're the simplest solution for restricting access to something, and they do their job well. Unfortunately, years of bad advice has left people creating passwords that are confusing and insecure. I want to clear this up and identify some best practices.

+

Something to understand is that we generally calculate the strength of passwords using something called entropy. Entropy refers to how unpredictable something is - in this case, a password. We measure entropy in bits. The more bits of entropy a password has, the more guesses are needed to get it right.

A short password is easy to guess, but as you might imagine, it becomes harder to guess the longer it becomes. The act of guessing passwords through this guess work is called bruteforcing.

Bruteforcing is when someone tries lots of different passwords in rapid succession to find the one that works. A bit like when you get locked out of your phone and try lots of different variations in an attempt to rediscover your password.

-

Most people know not to use names or common phrases in their passwords (although apparently not enough). Through years of conditioning, we've taught people that they should construct confusing passwords, substituting letters for numbers and forcing in random characters as they please. The embedded XKCD comic outlines the issue.

+

Most people know not to use names or common phrases in their passwords. Through years of conditioning, we've taught people that they should construct confusing passwords, substituting letters for numbers and forcing in random characters as they please. The embedded XKCD comic outlines the issue.

XKCD comic strip comparing password strength and memorability, showing a complicated password and a simple passphrase, highlighting the entropy and guessability of each, and a stick figure finding the passphrase easier to remember.
Relevant XKCD comic.
-

These confusing special chracter infused passwords don't improve security; they harm it. They are hard for humans and easy for computers - the worst of both worlds. I previously mentioned entropy and how we can use it to calculate the strength of a password. Well, it isn't a perfect measure.

+

These confusing special character infused passwords don't improve security; they harm it. They are hard for humans and easy for computers - the worst of both worlds. I previously mentioned entropy and how we can use it to calculate the strength of a password. Well, it isn't a perfect measure.

While bruteforcing may have started by simply crawling through a list of predefined common passwords, they later moved on to using complex algorithms. zxcvbn is a very useful tool that takes these algorithms into account to give an accurate idea of what more modern bruteforcing attacks are capable of.

Bitwarder is a free and open source password manager and supplies a free tool to check the strength of a password against zxcvbn. It's worth giving it a go with a range of different passwords, just to see what is actually strong.

You should quickly come to realise that passphrases are much more effective than passwords, both in terms of difficulty for computers to crack and ability for humans to memorise.

-

Many people get this far and then make a fatal mistake. They reuse their passwords across multiple sites or store them insecurely. In the modern age, you should be using a password manager. Something like Bitwarden or Proton Pass allows you to generate secure passwords, store them, and auto fill them on the login page. It's easy to use and provides much needed security.

+

Many people get this far and then make a fatal mistake. They reuse their passwords across multiple sites or store them insecurely. In the modern age, you should be using a password manager. Something like Bitwarden or Proton Pass allows you to generate secure passwords, store them, and auto fill them on the login page. It's easy to use and provides much needed security. If you take one thing out of this article, make it this.

Periodic Password Changes

While I'm on the topic of passwords, I need to do a brief rant on mandatory password updates. Many organisations require that users periodically change their passwords. This is a terrible idea. Even Microsoft is against it.

-

It prevents users from memorising their passwords, and prompts them to create simpler, easier-to-remember passwords. It also results in security fatigue, where users become indifferent or careless about security measures in general, which undermines security measures.

+

It prevents users from memorising their passwords, and prompts them to create simpler, easier to remember passwords. It also results in security fatigue, where users become indifferent or careless about security measures in general, which undermines security measures.

Moreover, it also introduces unnecessary risk when users are forced to change their passwords, potentially leading to weaker passwords being chosen and opens up opportunities for phishing attacks.

-

There really is no point in implementing it, especially in the modern age. It does far more harm than good.

+

There really is no point in implementing these forced changes, especially in the modern age. It does far more harm than good.

+

Multifactor Authentication

+

Some people think that a secure password is enough and that it'll ensure their security, but passwords should only ever be used alongside another form of authentication. We call this Multifactor Authentication (MFA). Passwords aren't perfect, and shouldn't be the only point of access. It's a single point of failure that can do undue and preventable damage.

+

Timed One Time Passwords (TOTP) are excellent and are one of the best options. The user receives a unique and temporary code that they can use. It's easy for the user and extremely secure.

+

Unfortunately, one of the most common MFA solutions is SMS based authentication. It's hugely insecure, and most advisories urge against its usage. Exploitation of the system is all too common, and I have an upcoming article discussing the inherent issues with SMS as a whole.

+

Another good option is hardware authentication, such as a Yubikey. This works as you might expect a car or house key to function. You plug it in your computer and it authenticates you. Unfortunately, this also introduces issues of its own. One of these issues is the potential for loss or theft of the physical device. The effect is more or less the same as what would happen should keys of any other nature be lost or stolen.

Social Engineering

-

The fact that focus is often on concepts such as making secure passwords, encryption, and obscurity is detrimental to awareness the real threat. Social engineering. Is it easier to put to together a simple attack that exploits human error, then it is to sink time into finding an exploit in well written software.

-

I think the best example I can give is this scene from the 1995 film Hackers. The movie as a whole has aged and definately has its flaws, but I think this perfectly encapsulates the how social engineering works.

+

The fact that focus is often on concepts such as making secure passwords, encryption, and obscurity is detrimental to awareness of the real threat. Social engineering. It is far easier for a malicious actor to put together a simple attack that exploits human nature than it is to sink time into finding software vulnerabilities to exploit.

+

I think the best example I can give is this scene from the 1995 film Hackers. The movie as a whole has aged and definitely has its flaws, but I think this perfectly encapsulates how social engineering works.

Just like that, Johnny Lee Miller's character has access to the TV network. Something akin to this is the greatest and most common threat.

The scene highlights all the hallmarks of a good social engineering attack. A convincing story, a sense of urgency, and an overwhelming of the victim. They all come together to help the hacker achieve what they want without the need for any messy script writing.

-

Social engineering is the most common vector of attack, not traditional 'hacking' as the media might portray. Remain wary on the net, and treat everything with scepticism.

+

Social engineering is the most common vector of attack, not traditional 'hacking' as the media might portray. While it's important to have at least a basic security setup, that shouldn't be your sole focus. Educate yourself on common social engineering tactics, notably phishing attacks, and maintain a vigilant stance online. Approach all interactions with a healthy dose of scepticism.

Antiviruses

-

Something I despise and am long overdue to talk about is the fearmongering of antivirus companies. In the modern age, the average consumer does not need to install an antivirus on their device.

-

Companies will use scare tactics to extort money out of users, but it is not needed. Phones are sandboxed, and any application installed from an app store has likely been checked by the store holders. Apple is particularly stringent about this.

-

It doesn't mean it's impossible for other attacks to occur. You should remain on the lookout for phishing attacks, but it's next to impossible to install malware on your phone.

-

Devices running Windows are a different story. Windows is a malware mess. That said, I still don't recommend going out of your way to install an antivirus, as the one built into Windows is remarkably capable. Just open it up and check that it's working at full capacity, and ensure you use Windows Update regularly to keep the definitions at the latest versions.

-

What is worth doing, is using an advertisement blocker. I'd recommend uBlock Origin which is open source and supported on most of the major browsers. Adblockers don't just block ads; they also block a lot of phishing material and malware links. Even America's FBI recommend using an adblocker.

+

Something I despise and am long overdue to talk about is the fearmongering of antivirus companies. In the modern age, the average consumer does not need to go out of their way to install an antivirus on their device. Despite this, companies will use scare tactics to extort money out of users who know no better.

+

Most laptops and desktop computers run Windows, which is a malware mess. That said, I still don't recommend going out of your way to install an antivirus, as the Microsoft Defender, which is directly integrated into Windows, is remarkably capable. Just open it up and check that it's working at full capacity, and ensure you use Windows Update regularly to keep the definitions at the latest versions.

+

Unlike computers, phones operate in a closed ecosystem. Apps are screened for malicious content before being added to app stores. That makes it hard to install malware in the first place. Apps are also usually sandboxed, which stops them from interacting with the system at large and prevents anything that may be malicious from doing any real damage.

+

This doesn't mean it's impossible for phones to be hacked, but it does mean that it's a lot harder for it to happen unless you do things outside the norm. It's still possible to encounter malware on phones, but an antivirus really isn't necessary and will likely do more harm than good.

+

While it's not worth going out of your way to install an antivirus, it is worth installing an ad blocker. I'd recommend uBlock Origin, which is free, open source, and supported on most of the major browsers. Adblockers don't just block ads; they also block a lot of phishing material and malware links. Even America's FBI recommend using an adblocker.

VPNs

In the same vein as antiviruses, many Virtual Private Networks (VPNs) employ the same scare tactics and fearmongering regarding issues that haven't been relevant for years.

-

Honestly, I can't say much that hasn't been covered by Tom Scott's excellent video "This Video Is Sponsored By ███ VPN".

+

Honestly, there isn't much I can say that wouldn't be covered better by simply watching Tom Scott's excellent video, "This Video Is Sponsored By ███ VPN".


Cybersecurity is important, and it's worth putting in the time to stay safe. It takes more effort to do damage control than it does to simply stay protected in the first place. If you have any suggestions on additions that I could implement in this article, then I'd love to hear them in the comments below.

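Review bot: In the added Multifactor Authentication paragraph, 'Timed One Time Passwords (TOTP)' should read 'Time-based One-Time Passwords', and 'The user receives a unique and temporary code that they can use' describes TOTP as a delivered code, which is exactly the model of the SMS option the next paragraph warns against; a TOTP code is computed on the user's own device from a shared secret and the current time, and saying so is what makes the contrast with SMS land. The unchanged context line 'Bitwarder is a free and open source password manager' still misspells Bitwarden while the paragraphs around it were edited; since this file and feed.rss are exports, correct it in blog/feed/documents/Cybersecurity_Superstition.md and regenerate rather than patching the HTML. The hardware key paragraph names loss or theft as the downside but not the standard mitigation, registering a second key as a backup, which is worth one sentence. Smaller wording points in the added lines: 'years of bad advice has left' should be 'have left'; 'as the Microsoft Defender' should drop 'the'; 'Yubikey' is written 'YubiKey'; 'plug it in your computer' should be 'plug it into your computer'; and 'most advisories urge against its usage' probably means 'most security guidance advises against it'.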
diff --git a/blog/feed/export/feed.rss b/blog/feed/export/feed.rss index 38856eea..ada5ed90 100644 --- a/blog/feed/export/feed.rss +++ b/blog/feed/export/feed.rss @@ -477,46 +477,48 @@ Are there any specific settings you change, or parts of this post that you think ]]>Cybersecurity_Superstition.md Cybersecurity Superstition| Vale.Rocks - - + + - +
- Review + Essay

Cybersecurity Superstition

    -
  • -
  • 926 words
  • -
  • 3 minute read
  • +
  • +
  • 1586 words
  • +
  • 5 minute read
-People are scared of being hacked, and when they think of being hacked, they picture a man in a blacked out room wearing a hoodie, surrounded by monitors cascading Matrix style green Unicode characters. Bonus points if the 'hacker' is wearing a Guy Fawkes mask. In reality, this is just about the least accurate depiction you can conjure, but it's how the media depicts hackers. +Fear of hacking often conjures up images of a solitary figure cloaked in darkness, sporting a hoodie, and surrounded by monitors cascading Matrix style green code. Bonus points if the 'hacker' is wearing a Guy Fawkes mask. However, this depiction couldn't be further from the truth. Most of the hackers I know either wear thigh high pink socks or are balding and middle aged. -This is just one of many misconceptions that have been around for years and continue to perpetuate. I often find myself explaining these to people, but I've had enough. This article aims to educate on some of the common misconceptions when it comes to cybersecurity, so I don't have to. +Such misconceptions about hackers and cybersecurity in general have persisted for years, fuelled by sensationalism and misinformation. As someone frequently tasked with debunking cybersecurity fallacies, I've decided enough is enough. This article seeks to debunk common myths surrounding cybersecurity and, with any luck, also frees me from the perpetual cycle of explanation. ## Passwords -We generally calculate the strength of passwords using something called entropy. Entropy refers to how unpredictable something is - in this case, a password. We measure entropy in bits. The more bits of entropy a password has, the more guesses are needed to get it right. +Almost everyone uses passwords. They're the simplest solution for restricting access to something, and they do their job well. Unfortunately, years of bad advice has left people creating passwords that are confusing and insecure. I want to clear this up and identify some best practices. 
+ +Something to understand is that we generally calculate the strength of passwords using something called entropy. Entropy refers to how unpredictable something is - in this case, a password. We measure entropy in bits. The more bits of entropy a password has, the more guesses are needed to get it right. A short password is easy to guess, but as you might imagine, it becomes harder to guess the longer it becomes. The act of guessing passwords through this guess work is called bruteforcing. Bruteforcing is when someone tries _lots_ of different passwords in rapid succession to find the one that works. A bit like when you get locked out of your phone and try lots of different variations in an attempt to rediscover your password. -Most people know not to use names or common phrases in their passwords [(although apparently not enough)](https://blog.mozilla.org/en/privacy-security/privacy-security-tips/your-childs-name-makes-a-horrible-password). Through years of conditioning, we've taught people that they should construct confusing passwords, substituting letters for numbers and forcing in random characters as they please. The embedded XKCD comic outlines the issue. +Most people know not to use names or common phrases in their passwords. Through years of conditioning, we've taught people that they should construct confusing passwords, substituting letters for numbers and forcing in random characters as they please. The embedded XKCD comic outlines the issue.
XKCD comic strip comparing password strength and memorability, showing a complicated password and a simple passphrase, highlighting the entropy and guessability of each, and a stick figure finding the passphrase easier to remember.
Relevant XKCD comic.
-These confusing special chracter infused passwords don't improve security; they harm it. They are hard for humans and easy for computers - the worst of both worlds. I previously mentioned entropy and how we can use it to calculate the strength of a password. Well, it isn't a perfect measure. +These confusing special character infused passwords don't improve security; they harm it. They are hard for humans and easy for computers - the worst of both worlds. I previously mentioned entropy and how we can use it to calculate the strength of a password. Well, it isn't a perfect measure. While bruteforcing may have started by simply crawling through a list of predefined common passwords, they later moved on to using complex algorithms. zxcvbn is a very useful tool that takes these algorithms into account to give an accurate idea of what more modern bruteforcing attacks are capable of. 
@@ -524,23 +526,33 @@ Bitwarder is a free and open source password manager and [supplies a free tool t You should quickly come to realise that passphrases are much more effective than passwords, both in terms of difficulty for computers to crack and ability for humans to memorise. -Many people get this far and then make a fatal mistake. They reuse their passwords across multiple sites or store them insecurely. In the modern age, you should be using a password manager. Something like [Bitwarden](https://bitwarden.com) or [Proton Pass](https://proton.me/pass) allows you to generate secure passwords, store them, and auto fill them on the login page. It's easy to use and provides much needed security. +Many people get this far and then make a fatal mistake. They reuse their passwords across multiple sites or store them insecurely. In the modern age, you should be using a password manager. Something like [Bitwarden](https://bitwarden.com) or [Proton Pass](https://proton.me/pass) allows you to generate secure passwords, store them, and auto fill them on the login page. It's easy to use and provides much needed security. If you take one thing out of this article, make it this. ### Periodic Password Changes While I'm on the topic of passwords, I need to do a brief rant on mandatory password updates. Many organisations require that users periodically change their passwords. This is a terrible idea. [Even Microsoft is against it](https://learn.microsoft.com/en-gb/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903). -It prevents users from memorising their passwords, and prompts them to create simpler, easier-to-remember passwords. It also results in security fatigue, where users become indifferent or careless about security measures in general, which undermines security measures. +It prevents users from memorising their passwords, and prompts them to create simpler, easier to remember passwords. 
It also results in security fatigue, where users become indifferent or careless about security measures in general, which undermines security measures. Moreover, it also introduces unnecessary risk when users are forced to change their passwords, potentially leading to weaker passwords being chosen and opens up opportunities for phishing attacks. -There really is no point in implementing it, especially in the modern age. It does far more harm than good. +There really is no point in implementing these forced changes, especially in the modern age. It does far more harm than good. + +## Multifactor Authentication + +Some people think that a secure password is enough and that it'll ensure their security, but passwords should only ever be used alongside another form of authentication. We call this Multifactor Authentication (MFA). Passwords aren't perfect, and shouldn't be the only point of access. It's a single point of failure that can do undue and preventable damage. + +Timed One Time Passwords (TOTP) are excellent and are one of the best options. The user receives a unique and temporary code that they can use. It's easy for the user and extremely secure. + +Unfortunately, one of the most common MFA solutions is SMS based authentication. It's hugely insecure, and most advisories urge against its usage. Exploitation of the system is all too common, and I have an upcoming article discussing the inherent issues with SMS as a whole. + +Another good option is hardware authentication, such as a Yubikey. This works as you might expect a car or house key to function. You plug it in your computer and it authenticates you. Unfortunately, this also introduces issues of its own. One of these issues is the potential for loss or theft of the physical device. The effect is more or less the same as what would happen should keys of any other nature be lost or stolen. 
## Social Engineering -The fact that focus is often on concepts such as making secure passwords, encryption, and obscurity is detrimental to awareness the real threat. Social engineering. Is it easier to put to together a simple attack that exploits human error, then it is to sink time into finding an exploit in well written software. +The fact that focus is often on concepts such as making secure passwords, encryption, and obscurity is detrimental to awareness of the real threat. Social engineering. It is far easier for a malicious actor to put together a simple attack that exploits human nature than it is to sink time into finding software vulnerabilities to exploit. -I think the best example I can give is this scene from the 1995 film Hackers. The movie as a whole has aged and definately has its flaws, but I think this perfectly encapsulates the how social engineering works. +I think the best example I can give is this scene from the 1995 film Hackers. The movie as a whole has aged and definitely has its flaws, but I think this perfectly encapsulates how social engineering works. 
@@ -548,25 +560,25 @@ Just like that, Johnny Lee Miller's character has access to the TV network. Some The scene highlights all the hallmarks of a good social engineering attack. A convincing story, a sense of urgency, and an overwhelming of the victim. They all come together to help the hacker achieve what they want without the need for any messy script writing. -Social engineering is the most common vector of attack, not traditional 'hacking' as the media might portray. Remain wary on the net, and treat everything with scepticism. +Social engineering is the most common vector of attack, not traditional 'hacking' as the media might portray. While it's important to have at least a basic security setup, that shouldn't be your sole focus. Educate yourself on common social engineering tactics, notably phishing attacks, and maintain a vigilant stance online. Approach all interactions with a healthy dose of scepticism. ## Antiviruses -Something I despise and am long overdue to talk about is the fearmongering of antivirus companies. In the modern age, the average consumer does not need to install an antivirus on their device. +Something I despise and am long overdue to talk about is the fearmongering of antivirus companies. In the modern age, the average consumer does not need to go out of their way to install an antivirus on their device. Despite this, companies will use scare tactics to extort money out of users who know no better. -Companies will use scare tactics to extort money out of users, but it is not needed. Phones are sandboxed, and any application installed from an app store has likely been checked by the store holders. Apple is particularly stringent about this. +Most laptops and desktop computers run Windows, which is a malware mess. That said, I still don't recommend going out of your way to install an antivirus, as the Microsoft Defender, which is directly integrated into Windows, is remarkably capable. 
Just open it up and check that it's working at full capacity, and ensure you use Windows Update regularly to keep the definitions at the latest versions. -It doesn't mean it's impossible for other attacks to occur. You should remain on the lookout for phishing attacks, but it's next to impossible to install malware on your phone. +Unlike computers, phones operate in a closed ecosystem. Apps are screened for malicious content before being added to app stores. That makes it hard to install malware in the first place. Apps are also usually sandboxed, which stops them from interacting with the system at large and prevents anything that may be malicious from doing any real damage. -Devices running Windows are a different story. Windows is a malware mess. That said, I still don't recommend going out of your way to install an antivirus, as the one built into Windows is remarkably capable. Just open it up and check that it's working at full capacity, and ensure you use Windows Update regularly to keep the definitions at the latest versions. +This doesn't mean it's impossible for phones to be hacked, but it does mean that it's a lot harder for it to happen unless you do things outside the norm. It's still possible to encounter malware on phones, but an antivirus really isn't necessary and will likely do more harm than good. -What is worth doing, is using an advertisement blocker. I'd recommend [uBlock Origin](https://ublockorigin.com) which is open source and supported on most of the major browsers. Adblockers don't just block ads; they also block a lot of phishing material and malware links. Even America's FBI [recommend using an adblocker](https://www.ic3.gov/Media/Y2022/PSA221221). +While it's not worth going out of your way to install an antivirus, it is worth installing an ad blocker. I'd recommend [uBlock Origin](https://ublockorigin.com), which is free, open source, and supported on most of the major browsers. 
Adblockers don't just block ads; they also block a lot of phishing material and malware links. Even America's FBI [recommend using an adblocker](https://www.ic3.gov/Media/Y2022/PSA221221). ## VPNs In the same vein as antiviruses, many Virtual Private Networks (VPNs) employ the same scare tactics and fearmongering regarding issues that haven't been relevant for years. -Honestly, I can't say much that hasn't been covered by Tom Scott's excellent video ["This Video Is Sponsored By ███ VPN"](https://www.youtube.com/watch?v=WVDQEoe6ZWY). +Honestly, there isn't much I can say that wouldn't be covered better by simply watching Tom Scott's excellent video, ["This Video Is Sponsored By ███ VPN"](https://www.youtube.com/watch?v=WVDQEoe6ZWY). --- diff --git a/config/pages/blog/blog.md b/config/pages/blog/blog.md index 3d9fab8a..508cf7ee 100755 --- a/config/pages/blog/blog.md +++ b/config/pages/blog/blog.md @@ -89,6 +89,14 @@ input#blogsearch {
+ +
+ +Essay +### [Cybersecurity Superstition](/blog/Cybersecurity_Superstition) + | 1586 words | 5 minute read +
+
Review diff --git a/docs/blog.html b/docs/blog.html index c89c57a1..183fe11a 100644 --- a/docs/blog.html +++ b/docs/blog.html @@ -130,6 +130,11 @@

+

Essay

+

Cybersecurity Superstition

+

| 1586 words | 5 minute read

+
+

Review

I Hate My Nokia

| 926 words | 3 minute read

diff --git a/docs/blog/Cybersecurity_Superstition.html b/docs/blog/Cybersecurity_Superstition.html index 8800076a..23eda467 100644 --- a/docs/blog/Cybersecurity_Superstition.html +++ b/docs/blog/Cybersecurity_Superstition.html @@ -57,61 +57,67 @@ Cybersecurity Superstition| Vale.Rocks - - + + - +
- Review + Essay

Cybersecurity Superstition

    -
  • -
  • 926 words
  • -
  • 3 minute read
  • +
  • +
  • 1586 words
  • +
  • 5 minute read
-

People are scared of being hacked, and when they think of being hacked, they picture a man in a blacked out room wearing a hoodie, surrounded by monitors cascading Matrix style green Unicode characters. Bonus points if the 'hacker' is wearing a Guy Fawkes mask. In reality, this is just about the least accurate depiction you can conjure, but it's how the media depicts hackers.

-

This is just one of many misconceptions that have been around for years and continue to perpetuate. I often find myself explaining these to people, but I've had enough. This article aims to educate on some of the common misconceptions when it comes to cybersecurity, so I don't have to.

+

Fear of hacking often conjures up images of a solitary figure cloaked in darkness, sporting a hoodie, and surrounded by monitors cascading Matrix style green code. Bonus points if the 'hacker' is wearing a Guy Fawkes mask. However, this depiction couldn't be further from the truth. Most of the hackers I know either wear thigh high pink socks or are balding and middle aged.

+

Such misconceptions about hackers and cybersecurity in general have persisted for years, fuelled by sensationalism and misinformation. As someone frequently tasked with debunking cybersecurity fallacies, I've decided enough is enough. This article seeks to debunk common myths surrounding cybersecurity and, with any luck, also frees me from the perpetual cycle of explanation.

Passwords

-

We generally calculate the strength of passwords using something called entropy. Entropy refers to how unpredictable something is - in this case, a password. We measure entropy in bits. The more bits of entropy a password has, the more guesses are needed to get it right.

+

Almost everyone uses passwords. They're the simplest solution for restricting access to something, and they do their job well. Unfortunately, years of bad advice has left people creating passwords that are confusing and insecure. I want to clear this up and identify some best practices.

+

Something to understand is that we generally calculate the strength of passwords using something called entropy. Entropy refers to how unpredictable something is - in this case, a password. We measure entropy in bits. The more bits of entropy a password has, the more guesses are needed to get it right.

A short password is easy to guess, but as you might imagine, it becomes harder to guess the longer it becomes. The act of guessing passwords through this guess work is called bruteforcing.

Bruteforcing is when someone tries lots of different passwords in rapid succession to find the one that works. A bit like when you get locked out of your phone and try lots of different variations in an attempt to rediscover your password.

-

Most people know not to use names or common phrases in their passwords (although apparently not enough). Through years of conditioning, we've taught people that they should construct confusing passwords, substituting letters for numbers and forcing in random characters as they please. The embedded XKCD comic outlines the issue.

+

Most people know not to use names or common phrases in their passwords. Through years of conditioning, we've taught people that they should construct confusing passwords, substituting letters for numbers and forcing in random characters as they please. The embedded XKCD comic outlines the issue.

XKCD comic strip comparing password strength and memorability, showing a complicated password and a simple passphrase, highlighting the entropy and guessability of each, and a stick figure finding the passphrase easier to remember.
Relevant XKCD comic.
-

These confusing special chracter infused passwords don't improve security; they harm it. They are hard for humans and easy for computers - the worst of both worlds. I previously mentioned entropy and how we can use it to calculate the strength of a password. Well, it isn't a perfect measure.

+

These confusing special character infused passwords don't improve security; they harm it. They are hard for humans and easy for computers - the worst of both worlds. I previously mentioned entropy and how we can use it to calculate the strength of a password. Well, it isn't a perfect measure.

While bruteforcing may have started by simply crawling through a list of predefined common passwords, they later moved on to using complex algorithms. zxcvbn is a very useful tool that takes these algorithms into account to give an accurate idea of what more modern bruteforcing attacks are capable of.

Bitwarder is a free and open source password manager and supplies a free tool to check the strength of a password against zxcvbn. It's worth giving it a go with a range of different passwords, just to see what is actually strong.

You should quickly come to realise that passphrases are much more effective than passwords, both in terms of difficulty for computers to crack and ability for humans to memorise.

-

Many people get this far and then make a fatal mistake. They reuse their passwords across multiple sites or store them insecurely. In the modern age, you should be using a password manager. Something like Bitwarden or Proton Pass allows you to generate secure passwords, store them, and auto fill them on the login page. It's easy to use and provides much needed security.

+

Many people get this far and then make a fatal mistake. They reuse their passwords across multiple sites or store them insecurely. In the modern age, you should be using a password manager. Something like Bitwarden or Proton Pass allows you to generate secure passwords, store them, and auto fill them on the login page. It's easy to use and provides much needed security. If you take one thing out of this article, make it this.

Periodic Password Changes

While I'm on the topic of passwords, I need to do a brief rant on mandatory password updates. Many organisations require that users periodically change their passwords. This is a terrible idea. Even Microsoft is against it.

-

It prevents users from memorising their passwords, and prompts them to create simpler, easier-to-remember passwords. It also results in security fatigue, where users become indifferent or careless about security measures in general, which undermines security measures.

+

It prevents users from memorising their passwords, and prompts them to create simpler, easier to remember passwords. It also results in security fatigue, where users become indifferent or careless about security measures in general, which undermines security measures.

Moreover, it also introduces unnecessary risk when users are forced to change their passwords, potentially leading to weaker passwords being chosen and opens up opportunities for phishing attacks.

-

There really is no point in implementing it, especially in the modern age. It does far more harm than good.

+

There really is no point in implementing these forced changes, especially in the modern age. It does far more harm than good.

+

Multifactor Authentication

+

Some people think that a secure password is enough and that it'll ensure their security, but passwords should only ever be used alongside another form of authentication. We call this Multifactor Authentication (MFA). Passwords aren't perfect, and shouldn't be the only point of access. It's a single point of failure that can do undue and preventable damage.

+

Timed One Time Passwords (TOTP) are excellent and are one of the best options. The user receives a unique and temporary code that they can use. It's easy for the user and extremely secure.

+

Unfortunately, one of the most common MFA solutions is SMS based authentication. It's hugely insecure, and most advisories urge against its usage. Exploitation of the system is all too common, and I have an upcoming article discussing the inherent issues with SMS as a whole.

+

Another good option is hardware authentication, such as a Yubikey. This works as you might expect a car or house key to function. You plug it in your computer and it authenticates you. Unfortunately, this also introduces issues of its own. One of these issues is the potential for loss or theft of the physical device. The effect is more or less the same as what would happen should keys of any other nature be lost or stolen.

Social Engineering

-

The fact that focus is often on concepts such as making secure passwords, encryption, and obscurity is detrimental to awareness the real threat. Social engineering. Is it easier to put to together a simple attack that exploits human error, then it is to sink time into finding an exploit in well written software.

-

I think the best example I can give is this scene from the 1995 film Hackers. The movie as a whole has aged and definately has its flaws, but I think this perfectly encapsulates the how social engineering works.

+

The fact that focus is often on concepts such as making secure passwords, encryption, and obscurity is detrimental to awareness of the real threat. Social engineering. It is far easier for a malicious actor to put together a simple attack that exploits human nature than it is to sink time into finding software vulnerabilities to exploit.

+

I think the best example I can give is this scene from the 1995 film Hackers. The movie as a whole has aged and definitely has its flaws, but I think this perfectly encapsulates how social engineering works.

Just like that, Johnny Lee Miller's character has access to the TV network. Something akin to this is the greatest and most common threat.

The scene highlights all the hallmarks of a good social engineering attack. A convincing story, a sense of urgency, and an overwhelming of the victim. They all come together to help the hacker achieve what they want without the need for any messy script writing.

-

Social engineering is the most common vector of attack, not traditional 'hacking' as the media might portray. Remain wary on the net, and treat everything with scepticism.

+

Social engineering is the most common vector of attack, not traditional 'hacking' as the media might portray. While it's important to have at least a basic security setup, that shouldn't be your sole focus. Educate yourself on common social engineering tactics, notably phishing attacks, and maintain a vigilant stance online. Approach all interactions with a healthy dose of scepticism.

Antiviruses

-

Something I despise and am long overdue to talk about is the fearmongering of antivirus companies. In the modern age, the average consumer does not need to install an antivirus on their device.

-

Companies will use scare tactics to extort money out of users, but it is not needed. Phones are sandboxed, and any application installed from an app store has likely been checked by the store holders. Apple is particularly stringent about this.

-

It doesn't mean it's impossible for other attacks to occur. You should remain on the lookout for phishing attacks, but it's next to impossible to install malware on your phone.

-

Devices running Windows are a different story. Windows is a malware mess. That said, I still don't recommend going out of your way to install an antivirus, as the one built into Windows is remarkably capable. Just open it up and check that it's working at full capacity, and ensure you use Windows Update regularly to keep the definitions at the latest versions.

-

What is worth doing, is using an advertisement blocker. I'd recommend uBlock Origin which is open source and supported on most of the major browsers. Adblockers don't just block ads; they also block a lot of phishing material and malware links. Even America's FBI recommend using an adblocker.

+

Something I despise and am long overdue to talk about is the fearmongering of antivirus companies. In the modern age, the average consumer does not need to go out of their way to install an antivirus on their device. Despite this, companies will use scare tactics to extort money out of users who know no better.

+

Most laptops and desktop computers run Windows, which is a malware mess. That said, I still don't recommend going out of your way to install an antivirus, as the Microsoft Defender, which is directly integrated into Windows, is remarkably capable. Just open it up and check that it's working at full capacity, and ensure you use Windows Update regularly to keep the definitions at the latest versions.

+

Unlike computers, phones operate in a closed ecosystem. Apps are screened for malicious content before being added to app stores. That makes it hard to install malware in the first place. Apps are also usually sandboxed, which stops them from interacting with the system at large and prevents anything that may be malicious from doing any real damage.

+

This doesn't mean it's impossible for phones to be hacked, but it does mean that it's a lot harder for it to happen unless you do things outside the norm. It's still possible to encounter malware on phones, but an antivirus really isn't necessary and will likely do more harm than good.

+

While it's not worth going out of your way to install an antivirus, it is worth installing an ad blocker. I'd recommend uBlock Origin, which is free, open source, and supported on most of the major browsers. Adblockers don't just block ads; they also block a lot of phishing material and malware links. Even America's FBI recommend using an adblocker.

VPNs

In the same vein as antiviruses, many Virtual Private Networks (VPNs) employ the same scare tactics and fearmongering regarding issues that haven't been relevant for years.

-

Honestly, I can't say much that hasn't been covered by Tom Scott's excellent video "This Video Is Sponsored By ███ VPN".

+

Honestly, there isn't much I can say that wouldn't be covered better by simply watching Tom Scott's excellent video, "This Video Is Sponsored By ███ VPN".


Cybersecurity is important, and it's worth putting in the time to stay safe. It takes more effort to do damage control than it does to simply stay protected in the first place. If you have any suggestions on additions that I could implement in this article, then I'd love to hear them in the comments below.

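Review bot: docs/blog/Cybersecurity_Superstition.html repeats the article text of the markdown source word for word, so the same wording defects are present in this copy and need the same fix: the unchanged context line "Bitwarder is a free and open source password manager" misspells Bitwarden, the added "Timed One Time Passwords (TOTP)" should read "Time-based One-Time Password" (the RFC 6238 name), and "as the Microsoft Defender" should drop the article. If this file is produced by the site build, regenerate it after correcting the .md rather than editing both by hand; if it is hand-maintained, say so in the commit message, because the two copies will otherwise drift apart on the next edit.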
diff --git a/docs/blog/feed.rss b/docs/blog/feed.rss index 38856eea..ada5ed90 100644 --- a/docs/blog/feed.rss +++ b/docs/blog/feed.rss @@ -477,46 +477,48 @@ Are there any specific settings you change, or parts of this post that you think ]]>Cybersecurity_Superstition.md Cybersecurity Superstition| Vale.Rocks - - + + - +
- Review + Essay

Cybersecurity Superstition

    -
  • -
  • 926 words
  • -
  • 3 minute read
  • +
  • +
  • 1586 words
  • +
  • 5 minute read
-People are scared of being hacked, and when they think of being hacked, they picture a man in a blacked out room wearing a hoodie, surrounded by monitors cascading Matrix style green Unicode characters. Bonus points if the 'hacker' is wearing a Guy Fawkes mask. In reality, this is just about the least accurate depiction you can conjure, but it's how the media depicts hackers. +Fear of hacking often conjures up images of a solitary figure cloaked in darkness, sporting a hoodie, and surrounded by monitors cascading Matrix style green code. Bonus points if the 'hacker' is wearing a Guy Fawkes mask. However, this depiction couldn't be further from the truth. Most of the hackers I know either wear thigh high pink socks or are balding and middle aged. -This is just one of many misconceptions that have been around for years and continue to perpetuate. I often find myself explaining these to people, but I've had enough. This article aims to educate on some of the common misconceptions when it comes to cybersecurity, so I don't have to. +Such misconceptions about hackers and cybersecurity in general have persisted for years, fuelled by sensationalism and misinformation. As someone frequently tasked with debunking cybersecurity fallacies, I've decided enough is enough. This article seeks to debunk common myths surrounding cybersecurity and, with any luck, also frees me from the perpetual cycle of explanation. ## Passwords -We generally calculate the strength of passwords using something called entropy. Entropy refers to how unpredictable something is - in this case, a password. We measure entropy in bits. The more bits of entropy a password has, the more guesses are needed to get it right. +Almost everyone uses passwords. They're the simplest solution for restricting access to something, and they do their job well. Unfortunately, years of bad advice has left people creating passwords that are confusing and insecure. I want to clear this up and identify some best practices. 
+ +Something to understand is that we generally calculate the strength of passwords using something called entropy. Entropy refers to how unpredictable something is - in this case, a password. We measure entropy in bits. The more bits of entropy a password has, the more guesses are needed to get it right. A short password is easy to guess, but as you might imagine, it becomes harder to guess the longer it becomes. The act of guessing passwords through this guess work is called bruteforcing. Bruteforcing is when someone tries _lots_ of different passwords in rapid succession to find the one that works. A bit like when you get locked out of your phone and try lots of different variations in an attempt to rediscover your password. -Most people know not to use names or common phrases in their passwords [(although apparently not enough)](https://blog.mozilla.org/en/privacy-security/privacy-security-tips/your-childs-name-makes-a-horrible-password). Through years of conditioning, we've taught people that they should construct confusing passwords, substituting letters for numbers and forcing in random characters as they please. The embedded XKCD comic outlines the issue. +Most people know not to use names or common phrases in their passwords. Through years of conditioning, we've taught people that they should construct confusing passwords, substituting letters for numbers and forcing in random characters as they please. The embedded XKCD comic outlines the issue.
XKCD comic strip comparing password strength and memorability, showing a complicated password and a simple passphrase, highlighting the entropy and guessability of each, and a stick figure finding the passphrase easier to remember.
Relevant XKCD comic.
-These confusing special chracter infused passwords don't improve security; they harm it. They are hard for humans and easy for computers - the worst of both worlds. I previously mentioned entropy and how we can use it to calculate the strength of a password. Well, it isn't a perfect measure. +These confusing special character infused passwords don't improve security; they harm it. They are hard for humans and easy for computers - the worst of both worlds. I previously mentioned entropy and how we can use it to calculate the strength of a password. Well, it isn't a perfect measure. While bruteforcing may have started by simply crawling through a list of predefined common passwords, they later moved on to using complex algorithms. zxcvbn is a very useful tool that takes these algorithms into account to give an accurate idea of what more modern bruteforcing attacks are capable of. 
@@ -524,23 +526,33 @@ Bitwarder is a free and open source password manager and [supplies a free tool t You should quickly come to realise that passphrases are much more effective than passwords, both in terms of difficulty for computers to crack and ability for humans to memorise. -Many people get this far and then make a fatal mistake. They reuse their passwords across multiple sites or store them insecurely. In the modern age, you should be using a password manager. Something like [Bitwarden](https://bitwarden.com) or [Proton Pass](https://proton.me/pass) allows you to generate secure passwords, store them, and auto fill them on the login page. It's easy to use and provides much needed security. +Many people get this far and then make a fatal mistake. They reuse their passwords across multiple sites or store them insecurely. In the modern age, you should be using a password manager. Something like [Bitwarden](https://bitwarden.com) or [Proton Pass](https://proton.me/pass) allows you to generate secure passwords, store them, and auto fill them on the login page. It's easy to use and provides much needed security. If you take one thing out of this article, make it this. ### Periodic Password Changes While I'm on the topic of passwords, I need to do a brief rant on mandatory password updates. Many organisations require that users periodically change their passwords. This is a terrible idea. [Even Microsoft is against it](https://learn.microsoft.com/en-gb/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903). -It prevents users from memorising their passwords, and prompts them to create simpler, easier-to-remember passwords. It also results in security fatigue, where users become indifferent or careless about security measures in general, which undermines security measures. +It prevents users from memorising their passwords, and prompts them to create simpler, easier to remember passwords. 
It also results in security fatigue, where users become indifferent or careless about security measures in general, which undermines security measures. Moreover, it also introduces unnecessary risk when users are forced to change their passwords, potentially leading to weaker passwords being chosen and opens up opportunities for phishing attacks. -There really is no point in implementing it, especially in the modern age. It does far more harm than good. +There really is no point in implementing these forced changes, especially in the modern age. It does far more harm than good. + +## Multifactor Authentication + +Some people think that a secure password is enough and that it'll ensure their security, but passwords should only ever be used alongside another form of authentication. We call this Multifactor Authentication (MFA). Passwords aren't perfect, and shouldn't be the only point of access. It's a single point of failure that can do undue and preventable damage. + +Timed One Time Passwords (TOTP) are excellent and are one of the best options. The user receives a unique and temporary code that they can use. It's easy for the user and extremely secure. + +Unfortunately, one of the most common MFA solutions is SMS based authentication. It's hugely insecure, and most advisories urge against its usage. Exploitation of the system is all too common, and I have an upcoming article discussing the inherent issues with SMS as a whole. + +Another good option is hardware authentication, such as a Yubikey. This works as you might expect a car or house key to function. You plug it in your computer and it authenticates you. Unfortunately, this also introduces issues of its own. One of these issues is the potential for loss or theft of the physical device. The effect is more or less the same as what would happen should keys of any other nature be lost or stolen. 
## Social Engineering -The fact that focus is often on concepts such as making secure passwords, encryption, and obscurity is detrimental to awareness the real threat. Social engineering. Is it easier to put to together a simple attack that exploits human error, then it is to sink time into finding an exploit in well written software. +The fact that focus is often on concepts such as making secure passwords, encryption, and obscurity is detrimental to awareness of the real threat. Social engineering. It is far easier for a malicious actor to put together a simple attack that exploits human nature than it is to sink time into finding software vulnerabilities to exploit. -I think the best example I can give is this scene from the 1995 film Hackers. The movie as a whole has aged and definately has its flaws, but I think this perfectly encapsulates the how social engineering works. +I think the best example I can give is this scene from the 1995 film Hackers. The movie as a whole has aged and definitely has its flaws, but I think this perfectly encapsulates how social engineering works. 
@@ -548,25 +560,25 @@ Just like that, Johnny Lee Miller's character has access to the TV network. Some The scene highlights all the hallmarks of a good social engineering attack. A convincing story, a sense of urgency, and an overwhelming of the victim. They all come together to help the hacker achieve what they want without the need for any messy script writing. -Social engineering is the most common vector of attack, not traditional 'hacking' as the media might portray. Remain wary on the net, and treat everything with scepticism. +Social engineering is the most common vector of attack, not traditional 'hacking' as the media might portray. While it's important to have at least a basic security setup, that shouldn't be your sole focus. Educate yourself on common social engineering tactics, notably phishing attacks, and maintain a vigilant stance online. Approach all interactions with a healthy dose of scepticism. ## Antiviruses -Something I despise and am long overdue to talk about is the fearmongering of antivirus companies. In the modern age, the average consumer does not need to install an antivirus on their device. +Something I despise and am long overdue to talk about is the fearmongering of antivirus companies. In the modern age, the average consumer does not need to go out of their way to install an antivirus on their device. Despite this, companies will use scare tactics to extort money out of users who know no better. -Companies will use scare tactics to extort money out of users, but it is not needed. Phones are sandboxed, and any application installed from an app store has likely been checked by the store holders. Apple is particularly stringent about this. +Most laptops and desktop computers run Windows, which is a malware mess. That said, I still don't recommend going out of your way to install an antivirus, as the Microsoft Defender, which is directly integrated into Windows, is remarkably capable. 
Just open it up and check that it's working at full capacity, and ensure you use Windows Update regularly to keep the definitions at the latest versions. -It doesn't mean it's impossible for other attacks to occur. You should remain on the lookout for phishing attacks, but it's next to impossible to install malware on your phone. +Unlike computers, phones operate in a closed ecosystem. Apps are screened for malicious content before being added to app stores. That makes it hard to install malware in the first place. Apps are also usually sandboxed, which stops them from interacting with the system at large and prevents anything that may be malicious from doing any real damage. -Devices running Windows are a different story. Windows is a malware mess. That said, I still don't recommend going out of your way to install an antivirus, as the one built into Windows is remarkably capable. Just open it up and check that it's working at full capacity, and ensure you use Windows Update regularly to keep the definitions at the latest versions. +This doesn't mean it's impossible for phones to be hacked, but it does mean that it's a lot harder for it to happen unless you do things outside the norm. It's still possible to encounter malware on phones, but an antivirus really isn't necessary and will likely do more harm than good. -What is worth doing, is using an advertisement blocker. I'd recommend [uBlock Origin](https://ublockorigin.com) which is open source and supported on most of the major browsers. Adblockers don't just block ads; they also block a lot of phishing material and malware links. Even America's FBI [recommend using an adblocker](https://www.ic3.gov/Media/Y2022/PSA221221). +While it's not worth going out of your way to install an antivirus, it is worth installing an ad blocker. I'd recommend [uBlock Origin](https://ublockorigin.com), which is free, open source, and supported on most of the major browsers. 
Adblockers don't just block ads; they also block a lot of phishing material and malware links. Even America's FBI [recommend using an adblocker](https://www.ic3.gov/Media/Y2022/PSA221221). ## VPNs In the same vein as antiviruses, many Virtual Private Networks (VPNs) employ the same scare tactics and fearmongering regarding issues that haven't been relevant for years. -Honestly, I can't say much that hasn't been covered by Tom Scott's excellent video ["This Video Is Sponsored By ███ VPN"](https://www.youtube.com/watch?v=WVDQEoe6ZWY). +Honestly, there isn't much I can say that wouldn't be covered better by simply watching Tom Scott's excellent video, ["This Video Is Sponsored By ███ VPN"](https://www.youtube.com/watch?v=WVDQEoe6ZWY). ---
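Review bot: the bruteforcing paragraph in the first hunk defines the term twice ("The act of guessing passwords through this guess work is called bruteforcing. Bruteforcing is when someone tries _lots_ of different passwords"); fold it into one sentence, and fix the dangling pronoun in "they later moved on to using complex algorithms", whose subject is the singular "bruteforcing" (say "attackers" or "cracking tools"). In the same paragraph, zxcvbn is a strength estimator that models dictionary words, keyboard walks and letter-for-number substitutions rather than a bruteforcing tool, so "takes these algorithms into account" would read more accurately as "models the same patterns cracking tools exploit". The hunk also drops the Mozilla link about children's names, which was the only citation behind "Most people know not to use names or common phrases"; keep a source if the claim stays. The hunk header context still reads "Bitwarder" where the later paragraph links Bitwarden.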
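Review bot: the MFA section in the second hunk calls the standard "Timed One Time Passwords"; the RFC 6238 name is Time-based One-Time Password, and the brand spelling is YubiKey. "Extremely secure" overstates TOTP: a code typed into a lookalike login page can be relayed by the attacker inside its validity window, which is exactly why hardware keys speaking FIDO2/WebAuthn rank above TOTP in current guidance, and that phishing resistance is the strongest point the hardware paragraph could make (it currently only says "You plug it in your computer and it authenticates you"). For the loss-or-theft issue the paragraph raises, note the usual mitigation: register a second key or keep the service's recovery codes offline. "Most advisories urge against" SMS would be stronger with a citation such as NIST SP 800-63B, which lists SMS and voice as restricted authenticators. Minor, in the periodic-changes paragraph: "potentially leading to weaker passwords being chosen and opens up opportunities" needs "opening up" to agree.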
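Review bot: "as the Microsoft Defender, which is directly integrated into Windows" in the antivirus paragraph of the last hunk has a stray article; "as Microsoft Defender, which is built into Windows". The phone paragraph says store screening "makes it hard to install malware in the first place", which holds only for store installs; since the section later concedes "unless you do things outside the norm", say what that means: sideloaded apps, developer or enterprise profiles and unofficial stores bypass the screening. The rewrite also drops the removed text's reminder that phishing still works on a phone even when malware does not, which is worth keeping given the social engineering section directly above. "Social engineering is the most common vector of attack" is stated as fact without a source; cite a breach report or soften to "one of the most common".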