1- PGP
PGP is a Form of Minimalism
As a protocol, PGP is surprising simple. Here is what happens if you want to use it to securely send a message to someone:
-
You get from them a PGP identity (public key). How you do that is entirely up to you.
-
Your PGP program uses that identity to perform a single public key encryption of a message key.
-
Then the message key is used to encrypt the message which is added to the encrypted message key to make the encrypted message.
-
Your correspondent does the opposite operations to get the message.
If you want to sign your message then you:
-
Hash the message.
-
Do a public key signature operation on the hash and attach the result to the message.
-
Your correspondent checks the signature from your PGP identity, which they have acquired somehow.
The simple key handling is where the minimalism comes from. It is why PGP can be used in so many non-email contexts.
As a contrast, consider the Signal Protocol for instant messaging. I will not attempt to describe Signal in any detail as I would get parts of it wrong. It would also make for a pointlessly long article. There is a high level description of the Signal protocol here. None of the following comments are intended to be critical, they are intended to give an idea of the level of complexity of the protocol in total:
-
Signal has at least 2 systems for creating forward secrecy. Each system requires a system to deal with loss of synchronization.
-
A Signal session requires the storage and maintenance of a lot of state information.
-
Signal normally uses a server based “prekey” system to deal with the case where a client is offline and thus is unable to negotiate.
-
Signal achieves partial deniability with a triple Diffie-Hellman key exchange. OpenPGP achieves complete deniability by not signing the message in the first place.
-
Supporting the Signal protocol in practice requires a separate system to store and protect past messages1). Since this is at odds with forward secrecy such a system will end up with a system to delete old messages.
The Signal Protocol is built on ideas from the Off the Record (OTR) protocol. Interestingly enough, OTR was intended to improve PGP by adding extra functionality. Signal adds functionality on top of the OTR functionality. So Signal could be considered the result of an attempt to improve something by making it more complex.
I believe that reliability and security are best achieved with simple systems. OpenPGP is a standard that describes such a system.
2- Very long passwords that are actually a sentence
It could be bad if you just came up with it and forget it, and people think it’s bad if it only has lowercase and no numbers or punctuation. But a 5-6 word sentence could be quite secure, especially if it’s a bit weird. “Lemons make a delicious snack in my house.”
3- Writing passwords down.
I tell all my old relatives to write their passwords down in a little notebook. As long as there isn’t someone there regularly I don’t trust, it is much better than using same password and if their physical security at their house is compromised, there are bigger concerns than a notebook of banking passwords.
We write down all the passwords to our most secure systems – but then we rip them in half and put them in 2 separate safes.
Did I say passwords? I meant encryption keys.
4- Changing default ports for certain services like dbs
Most of the gangs out there use tools that don’t do a full search, so they go through the default port list
5- MFA in general.
Takes 60 seconds to set up, and an additional 5s each time you use it, but can save you hours if not days of manual recovery efforts with support to regain access to a compromised account. Yet people don’t like the idea.
If you are using TOTP for your MFA, you can even put it right in the browser with a plug-in. I use this approach for work. It’s very convenient.
If you use a password manager that supports TOTP and auto type (e.g. KeePassXC) then you don’t even need to mess with it once you have it set up.
6- Oauth for 3rd party apps.
Those “sign into our app with your (Google, Microsoft, etc) account” things. As long as you trust the ID provider and the app, it’s usually secure. More so, considering it prevents password reuse, and you aren’t exposed if any of those 3rd party apps have a breach.
7- Two-step verification.
Yes it’s annoying to need two devices every time you want to log into your most precious accounts, but trust me, I’d rather take the extra 10 seconds to authorize a login than go through the hell of having my account breached.
8-Biometric Authentication.
The argument is that ‘you can’t change your face/finger’ but it is actually more secure than other ‘magic link’ providers.
Let me be clear, there are some providers that are still iffy on security. But there are also some that have device native authentication (you need the device to auth), they don’t store passwords or password hashes, and only has public keys.
One example of this is https://passage.id/ which is about as secure as you can get.
9- Zoom.
Yes, they had a bunch of issues at the start, but they fixed them. I would much rather work with a company that had security assessments and fixed the problems rather than a company which has never been assessed.
10- Unplugging the ethernet cable.
11- Browser password managers?
Rant moment: reasons cybersecurity fails
<Rant>
People don’t see value of putting effort in cybersecurity because they don’t see any material gains from it. The best thing they can see is nothing bad happening.
No news isn’t good enough of a good news. This is enough to mostly ignore all cybersecurity advice altogether.
This is similar to people not taking care of themselves health-wise, because the best things they can see is not getting sick.
</Rant>
source: r/cybersecurity
Source: r/cybersecurity
- Как защитить свой домашний WI-FIby Nikita Artemov (Security on Medium) on July 3, 2022 at 1:55 pm
Настраиваем безопасный домашний роутерContinue reading on Medium »
- Как защитить свой домашний WI-FIby Nikita Artemov (Cybersecurity on Medium) on July 3, 2022 at 1:55 pm
Настраиваем безопасный домашний роутерContinue reading on Medium »
- 4 Powerful Hacks You Need Against Ransomware Attackby Zubia Taufeeq (Cybersecurity on Medium) on July 3, 2022 at 1:42 pm
You log in to your computer just like you do every day. But to your surprise, the device is locked & you’re unable to boot up. A message…Continue reading on Medium »
- What is cybersecurity?by SaaS Security (Cybersecurity on Medium) on July 3, 2022 at 1:14 pm
Cybersecurity is the practice of protecting electronic systems, networks, and data from unauthorized access or damage. It includes both…Continue reading on Medium »
- $100M Harmony Bridge Hack — Incident Analysisby PlagueDoctor (Cybersecurity on Medium) on July 3, 2022 at 12:43 pm
On 23rd June 2022, Harmony’s Horizon bridge was exploited accounting for the loss of almost $97M. In this article, we’ll analyze the cause…Continue reading on Medium »
- India recorded 50,035 cases of cybercrime in 2020, an 11.8by ASHISH TANWAR (Cybersecurity on Medium) on July 3, 2022 at 11:55 am
With the proliferation of internet users in India, the instances of cybercrimes are also rising at a mammoth rate. Government push towards…Continue reading on Medium »
- PhD or MBA - which one would help the most to become a CISO?by /u/nocheckout21 (cybersecurity) on July 3, 2022 at 11:22 am
I am a IAM Manager for a bank in the UK and have a MSc in Information Security. My long term goal (next 10 years) is to eventually become a CISO. I do know I need to get exposure to more areas of Cyber/Info Security which I will work on, however, from an educational point, which one from MBA or PhD would help the most when it comes to CISO positions? Ps. I do know that a MBA or PhD is not required to become a CISO however I enjoy education and would like to take one of them on but just wanting to make the right decision. submitted by /u/nocheckout21 [link] [comments]
- How to find Bugs without Linux !!by Milanjain (Cybersecurity on Medium) on July 3, 2022 at 11:13 am
Hii all i have back with new article which helps beginner a lot .Lot of my friends facing issue to install linux .and if they able to…Continue reading on Medium »
- In Research, “Do what interests you the most” and “Stay curious”by Prof Bill Buchanan OBE (Cybersecurity on Medium) on July 3, 2022 at 11:08 am
I do a few interviews, and a common question that I get asked is the advice I would give to my younger self. My typical answer is “to…Continue reading on ASecuritySite: When Bob Met Alice »
- What happened in May?by MiaScreates (Cybersecurity on Medium) on July 3, 2022 at 10:54 am
CC: Trap Posted Born Dead.Continue reading on Medium »
- Learning should be fun... Right?!by /u/johnnyfatwods (cybersecurity) on July 3, 2022 at 10:50 am
So, i recently started a new job working in Cyber Intelligence. The company have their own internal training which all staff do (not just cyber) as a mandatory thing. There was a brief bit about botnets where they used a video made by Network Chuck (YouTube him if you've never heard) who iam familiar with and makes learning fun. I just wondered if you know anyone else out there who is so enthusiastic and passionate about a topic that it rubs off onto those learning? Most content out there is pretty dull (Especially IT related) and the way they present it could be so much better. If you know of any tutors online who make the effort to create stuff thats interesting and doesn't make you fall asleep please share! Cheers submitted by /u/johnnyfatwods [link] [comments]
- 7 Essential Tips to Avoid Getting Hacked Online — by Jonse Teopizby Jonse Teopiz, RN (Cybersecurity on Medium) on July 3, 2022 at 10:43 am
Be Safe From Hackers and Cyber AttacksContinue reading on New Writers Welcome »
- Malware Attacks on IoT Devicesby Annanya Pandey (Cybersecurity on Medium) on July 3, 2022 at 10:38 am
Internet of Things is a vast and ever-growing field referring to the interconnectivity of devices via the internet. They work on sensors…Continue reading on Medium »
- 5 Essential Network Security Monitoring Tools (2022)by Mahamkhurram (Security on Medium) on July 3, 2022 at 10:11 am
Are you also petrified of losing your network or system’s data to an extensive range of attack vectors? Today, the exploitation of…Continue reading on Medium »
- Attending a (cute?) Hacker conference— Kawaiicon 2022by Andre Camillo (Security on Medium) on July 3, 2022 at 9:16 am
com·mu·nity [kəˈmjuːnɪti]Continue reading on Medium »
- Penetration Test — Pass the Hash 實作by Charge (Security on Medium) on July 3, 2022 at 9:13 am
Pass the Hash PoCContinue reading on Medium »
- How many assets do you need?by Alexander Lyadov (Security on Medium) on July 3, 2022 at 9:01 am
Does a person need a lot of wealth, assets, or things? It depends on who is going to manage them. You can’t just “have” a car and leave it…Continue reading on Medium »
- Ransomware Attacks and Payments Soar in 2021by /u/my070901my (cybersecurity) on July 3, 2022 at 6:47 am
submitted by /u/my070901my [link] [comments]
- Cyberattack Shuts Down Unemployment Services Across USby /u/my070901my (cybersecurity) on July 3, 2022 at 6:41 am
submitted by /u/my070901my [link] [comments]
- Moving from detection centric driven to response centric driven Security Operation Centerby Richard de Vries (Security on Medium) on July 3, 2022 at 6:03 am
Most SOCs are primarily focused on detection and less on response. Although you could argue this is good, I will say this is bad.Continue reading on Tales from a Security Professional »
- AstraLocker 2.0 ransomware isn't going to give you your files backby /u/techietraveller84 (cybersecurity) on July 3, 2022 at 5:52 am
submitted by /u/techietraveller84 [link] [comments]
- How did a rental startup I’d never heard of leak my home address?by /u/wewewawa (cybersecurity) on July 3, 2022 at 2:02 am
submitted by /u/wewewawa [link] [comments]
- Basics of Web Application Testing — Cookies and Sessionsby Julian Runnels (Security on Medium) on July 3, 2022 at 12:51 am
Reviewing cookie functionality, attacks and protections for web penetration testing.Continue reading on Medium »
- Security-oriented features coming to Chrome on iOSby Tech House (Security on Medium) on July 3, 2022 at 12:42 am
With the addition of many new security features, Google is significantly enhancing the security of its Chrome browser on Apple’s mobile…Continue reading on Medium »
- Kaspersky Reveals a Backdoor Targeting Organizations Around the Worldby /u/kugkug (cybersecurity) on July 3, 2022 at 12:11 am
submitted by /u/kugkug [link] [comments]
- Investigating DLL injection with Volatilityby /u/Altiverses (cybersecurity) on July 2, 2022 at 10:39 pm
Hi there, hope this is the correct sub for these kind of questions 🙂 I have a memory dump of a process that I know for a fact had a DLL injected into it. I do not know the functionality of that DLL (basic static analysis doesn't give much). What I do know is that it is mapped into the process's memory via LoadLibrary (so a path to the DLL is given and it is not byte-fed). My goal is to find as much information on that DLL from the process's memory dump alone. How would you go about analyzing this? submitted by /u/Altiverses [link] [comments]
- your strugglesby /u/SecShark (cybersecurity) on July 2, 2022 at 9:58 pm
Hello All, I would like to know what struggles are you facing as someone: 1. Who is trying to learn cyber security for the first time 2. Who is trying to break into cyber security. 3. Who is already working in cyber security domain. If possible try to give 3 things that you are personally struggling with, otherwise 1 is also sufficient for the answer. You replies would mean a lot to me. Thanks in advance. submitted by /u/SecShark [link] [comments]
- Salary Question - Canadaby /u/Associate_Simple (cybersecurity) on July 2, 2022 at 9:38 pm
What is the salary range for a cyber security analyst (focus on threat hunting). Job is asking for 10+ year in IT, 5+ years in sec ops. Any idea? submitted by /u/Associate_Simple [link] [comments]
- Thoughts on Unifi IDS/IPS System, false positive rate?by /u/Pommes254 (cybersecurity) on July 2, 2022 at 8:47 pm
What are your experiences on firewall based IPS Systems, specially from Unifi? Have you ever had false positive alerts? How much would you be worried if you get alerts from it within the local network, but everything else (including ondevice based security) seems fine? submitted by /u/Pommes254 [link] [comments]
- Command Injectionby Litesh Ghute (Security on Medium) on July 2, 2022 at 8:37 pm
If you wanna know, how a vulnerable lambda function can be leveraged to perform a privileged operation? Then, you are at the right place!Continue reading on Medium »
- Raspberry Robin worm in hundreds of Windows networks, spread via malicious USB drivesby /u/tweedge (cybersecurity) on July 2, 2022 at 8:35 pm
submitted by /u/tweedge [link] [comments]
- How do you deobsufucate power shell scripts?by /u/Fortune_Technical (cybersecurity) on July 2, 2022 at 8:13 pm
Do you use online tools or write your own custom script depending on the obfuscation method? submitted by /u/Fortune_Technical [link] [comments]
- MITRE MAD Worth it?by /u/B_Macklin_FB_eye (cybersecurity) on July 2, 2022 at 7:14 pm
Just curious if anyone has tried the MITRE ATT&CK Defender program. I'm not so much interested in the certs, but more if the curriculum is any good. Looking to expand my knowledge of CTI and my company is also working towards integrating the ATT&CK framework into our IR processes. submitted by /u/B_Macklin_FB_eye [link] [comments]
- Managing IT security at home: hard but not impossibleby Bisma Farrukh (Security on Medium) on July 2, 2022 at 6:24 pm
Managing IT security at home is difficult, but not impossible. Here are a few tips to keep your computer safe from hackers and foot…Continue reading on Medium »
- what is more secure open source or closed source software?by /u/Djackson_ (cybersecurity) on July 2, 2022 at 6:06 pm
I was asked this question during an interview for a soc analyst position and was curious if there is a "correct" answer to the question. Honestly seemed like a question to pick your brain to make sure you know the difference and gauge your thinking process behind the answer. But please let me know if there is actually a right answer. submitted by /u/Djackson_ [link] [comments]
- Rogue HackerOne employee steals bug reports to sell on the sideby /u/f50ci31y (cybersecurity) on July 2, 2022 at 4:11 pm
submitted by /u/f50ci31y [link] [comments]
- Data loss prevention - where to start?by /u/ChozzaGeorge (cybersecurity) on July 2, 2022 at 2:45 pm
Does anyone have any recommendations for capturing requirements for different departments for DLP? Planning to implement using Microsoft DLP tools and working through a data register to capture what data types each department manages. The next step is to define and start testing some policies but wondering where to start. Ideally we are going to start simple based around sensitive data and gradually roll out from there - does anyone have any recommendations? What types of policies have you focused on initially? Did you start with a pilot group and gather feedback? Did you use questionnaires to capture department requirements / labelling info? Thanks submitted by /u/ChozzaGeorge [link] [comments]
- Reverse Engineering how WAFs Like Cloudflare Identify Bots — IPMby /u/dgaff (cybersecurity) on July 2, 2022 at 2:18 pm
submitted by /u/dgaff [link] [comments]
- Threat Stack Vulnerability Checksby /u/dr_pardee (cybersecurity) on July 2, 2022 at 1:20 pm
We use Threat Stack for our organization's server vulnerability scanning. We recently noticed that our Threat Stack server page would show 'No' Notices but when manually checking the hosts, there were security updates not applied. We contacted Threat Stack about this issue and Threat Stack said there's an issue with how Threat Stack is parsing the ALAS Amazon RSS feed, a fix is coming next week. However, we checked some Ubuntu hosts and the Ubuntu hosts also had security updates but showed 'No' Notices on the Threat Stack server page. We are wondering if this is all somehow only pertinent to our Account or is this a widespread problem and others using Threat Stack are having this issue but are potentially unaware. Thanks submitted by /u/dr_pardee [link] [comments]
- why are jobs not being filled?by /u/Serious-Summer9378 (cybersecurity) on July 2, 2022 at 12:37 pm
submitted by /u/Serious-Summer9378 [link] [comments]
- Cyber Threat Intelligenceby /u/RicTheRuler7 (cybersecurity) on July 2, 2022 at 3:32 am
I've been a Security Analyst for over 4 years and the company I am at currently has a Cyber Threat Intelligence team that I am interested in joining. My current role is on the IR team but I'd like to transition away from that. Unfortunately, the CTI team rarely has openings but I did some that a few other companies have CTI teams. Does anybody have any insight on what CTI analysts/engineers do on a daily basis? And is there anything I can do, study, or learn to make myself a more attractive candidate for a CTI position? submitted by /u/RicTheRuler7 [link] [comments]
- Next step in securing a cybersecurity job?by /u/wander_lust909 (cybersecurity) on July 2, 2022 at 3:08 am
I completed my certifications in COMP TIA security+ and Cisco CCNA recently. What should I study next to improve my chances of getting an entry level cybersecurity analyst job?. I'm currently working as Network Technician in the field. submitted by /u/wander_lust909 [link] [comments]
- How do you disconnect?by /u/Wentz_ylvania (cybersecurity) on July 2, 2022 at 12:11 am
With a holiday weekend for us in the US fast approaching, what do you folks do to take a break? I know that not all of us can fully shut down our workstations, but stepping away is important for overall mental health. I, myself, will be taking a lengthy road trip to get away from all of the stress. submitted by /u/Wentz_ylvania [link] [comments]
- A lot of job postings mention the candidate should know the NIST framework. What course or certification or anything can I get to be able to put NIST on my resume?by /u/gettinjiggywitgIT-hi (cybersecurity) on July 1, 2022 at 5:53 pm
I know there’s the documents I can read but then what do I say on my resume? (Already in a cybersecurity analyst role for 2+ years, and have my security+) submitted by /u/gettinjiggywitgIT-hi [link] [comments]
- Jenkins discloses dozens of zero-day bugs in multiple pluginsby /u/tweedge (cybersecurity) on July 1, 2022 at 1:47 pm
submitted by /u/tweedge [link] [comments]
- Mentorship Monday - Post All Career, Education and Job questions here!by /u/AutoModerator (cybersecurity) on June 27, 2022 at 12:00 am
This is the weekly thread for career and education questions and advice. There are no stupid questions; so, what do you want to know about certs/degrees, job requirements, and any other general cybersecurity career questions? Ask away! Interested in what other people are asking, or think your question has been asked before? Have a look through prior weeks of content - though we're working on making this more easily searchable for the future. submitted by /u/AutoModerator [link] [comments]