CyberSecurity – What are some things that get a bad rap, but are actually quite secure?


Cybersecurity is an important issue for everyone, from individuals to large organizations. There are many things that get a bad rap when it comes to cybersecurity, but that doesn’t mean they’re not secure. For example, PGP (Pretty Good Privacy) is a method of encrypting emails that is considered to be very secure. However, it can be difficult to set up and use. Another example is using very long passwords that are actually a sentence. This may seem like a security risk, but it’s actually more secure than a shorter password because it’s more difficult for hackers to guess. Additionally, changing the default port for certain services like databases can help to prevent hacking. Unplugging the ethernet cable may also seem like a security risk, but it’s actually one of the most effective ways to prevent data breaches. Finally, browser password managers are often considered to be insecure, but they’re actually quite secure if used properly. Cybersecurity is an important issue, and there are many things that can be done to help prevent hacking and data breaches.

There are a lot of CyberSecurity myths out there. People think that X, Y, and Z are the most secure way to do things when in reality, they are the least secure. The biggest myth is that PGP is unbreakable. PGP has been broken many times and is not a reliable form of CyberSecurity. Another myth is that very long passwords are secure. The problem with very long passwords is that they are difficult to remember and often get written down somewhere. If a hacker gets ahold of your password, they can easily access your account. The best way to prevent CyberSecurity breaches is to use MFA, OAuth, and two-step verification whenever possible. These methods make it much more difficult for hackers to gain access to your accounts. While they may not be foolproof, they are the best CyberSecurity measure available.

1- PGP

PGP is a Form of Minimalism

As a protocol, PGP is surprisingly simple. Here is what happens if you want to use it to securely send a message to someone:

  1. You get from them a PGP identity (public key). How you do that is entirely up to you.
  2. Your PGP program uses that identity to perform a single public key encryption of a message key.
  3. Then the message key is used to encrypt the message which is added to the encrypted message key to make the encrypted message.
  4. Your correspondent does the opposite operations to get the message.

If you want to sign your message then you:

  1. Hash the message.
  2. Do a public key signature operation on the hash and attach the result to the message.
  3. Your correspondent checks the signature from your PGP identity, which they have acquired somehow.

The simple key handling is where the minimalism comes from. It is why PGP can be used in so many non-email contexts.

As a contrast, consider the Signal Protocol for instant messaging. I will not attempt to describe Signal in any detail as I would get parts of it wrong. It would also make for a pointlessly long article. There is a high level description of the Signal protocol here. None of the following comments are intended to be critical, they are intended to give an idea of the level of complexity of the protocol in total:

  • Signal has at least 2 systems for creating forward secrecy. Each system requires a system to deal with loss of synchronization.
  • A Signal session requires the storage and maintenance of a lot of state information.
  • Signal normally uses a server based “prekey” system to deal with the case where a client is offline and thus is unable to negotiate.
  • Signal achieves partial deniability with a triple Diffie-Hellman key exchange. OpenPGP achieves complete deniability by not signing the message in the first place.
  • Supporting the Signal protocol in practice requires a separate system to store and protect past messages. Since this is at odds with forward secrecy such a system will end up with a system to delete old messages.

The Signal Protocol is built on ideas from the Off the Record (OTR) protocol. Interestingly enough, OTR was intended to improve PGP by adding extra functionality. Signal adds functionality on top of the OTR functionality. So Signal could be considered the result of an attempt to improve something by making it more complex.

I believe that reliability and security are best achieved with simple systems. OpenPGP is a standard that describes such a system.
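The message layout described above (a single public-key operation on a fresh message key, the message key encrypting the body, an optional signature over a hash) as an added, runnable walk-through. This is not code from the original post or from any OpenPGP implementation: the "RSA" is textbook RSA on tiny constructed primes with no padding, the symmetric cipher is a SHA-256 counter keystream standing in for AES, and packet framing and integrity protection are left out. It exists only to show where each step of the flow sits.

```python
"""Added example: the OpenPGP message structure from the text, built from
standard-library primitives only. Toy RSA (20-bit primes, no padding) and a
SHA-256 keystream are constructed stand-ins, not real OpenPGP algorithms."""
import hashlib
import secrets

# ---- toy RSA key pair: (n, e) is public, (n, d) is private ----------------
def make_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # modular inverse, Python 3.8+
    return (n, e), (n, d)

# ---- toy symmetric cipher: SHA-256 counter keystream XORed over the data --
def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def sym_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

# ---- steps 2-3: wrap a fresh message key with the recipient's public key --
KEY_BYTES = 4   # toy session key size so the integer stays below the modulus

def pgp_encrypt(plaintext: bytes, recipient_pub) -> bytes:
    n, e = recipient_pub
    session_key = secrets.token_bytes(KEY_BYTES)              # new per message
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # the one PK op
    # encrypted message = [encrypted session key] || [symmetric ciphertext]
    return wrapped.to_bytes(8, "big") + sym_crypt(session_key, plaintext)

# ---- step 4: the recipient undoes both layers in reverse order ------------
def pgp_decrypt(blob: bytes, recipient_priv) -> bytes:
    n, d = recipient_priv
    wrapped = int.from_bytes(blob[:8], "big")
    session_key = pow(wrapped, d, n).to_bytes(KEY_BYTES, "big")
    return sym_crypt(session_key, blob[8:])

# ---- optional signature: hash, then one private-key operation on the hash -
def _hash_as_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def pgp_sign(message: bytes, signer_priv) -> int:
    n, d = signer_priv
    return pow(_hash_as_int(message, n), d, n)

def pgp_verify(message: bytes, signature: int, signer_pub) -> bool:
    n, e = signer_pub
    return pow(signature, e, n) == _hash_as_int(message, n)

def demo() -> bool:
    # Two parties, two toy key pairs; the primes are constructed examples.
    alice_pub, alice_priv = make_keypair(999983, 1000003)
    bob_pub, bob_priv = make_keypair(1000003, 1000033)
    msg = b"meet at the usual place"
    blob = pgp_encrypt(msg, bob_pub)            # Alice -> Bob, encrypted
    sig = pgp_sign(msg, alice_priv)             # Alice chooses to sign
    recovered = pgp_decrypt(blob, bob_priv)
    # Deniability point from the text: skip pgp_sign and nothing in the
    # message ties it to Alice's identity; there is no signature to verify.
    return (recovered == msg
            and pgp_verify(recovered, sig, alice_pub)
            and not pgp_verify(recovered + b"!", sig, alice_pub))

if __name__ == "__main__":
    print("round trip and signature ok:", demo())
```

The only state either side keeps is the other party's public key, which is the "simple key handling" the text contrasts with Signal's per-session ratchet state.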

2- Very long passwords that are actually a sentence

It could be bad if you just came up with it and forget it, and people think it’s bad if it only has lowercase and no numbers or punctuation. But a 5-6 word sentence could be quite secure, especially if it’s a bit weird. “Lemons make a delicious snack in my house.”

3- Writing passwords down.

I tell all my old relatives to write their passwords down in a little notebook. As long as there isn’t someone there regularly I don’t trust, it is much better than using the same password, and if their physical security at their house is compromised, there are bigger concerns than a notebook of banking passwords.

We write down all the passwords to our most secure systems – but then we rip them in half and put them in 2 separate safes.

Did I say passwords? I meant encryption keys.
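Splitting a written-down key between two safes, as an added example that is not part of the original thread. Tearing the paper in half leaves each safe holding a literal half of the key, so whoever opens one safe has halved the remaining search. XOR secret splitting, shown here as the stronger alternative (my choice, not something the thread proposes), gives each safe a share that is independent of the key: one share alone is indistinguishable from random bytes. A short checksum on each paper share catches a transcription error when the key is reassembled.

```python
"""Added example: two ways to put one key into two safes. The key, shares
and checksum format are all constructed for illustration."""
import hashlib
import secrets

def tear_in_half(key_hex: str):
    """The thread's method: two literal halves of the hex-encoded key."""
    mid = len(key_hex) // 2
    return key_hex[:mid], key_hex[mid:]

def bits_left_after_one_torn_half(key_hex: str) -> int:
    """Search space (in bits) remaining to someone holding the first half."""
    _, other_half = tear_in_half(key_hex)
    return 4 * len(other_half)          # one hex digit is four bits

def xor_split(key: bytes):
    """Share A is uniform random; share B = key XOR A. Both are required."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b

def xor_join(share_a: bytes, share_b: bytes) -> bytes:
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def bits_left_after_one_xor_share(key: bytes) -> int:
    """One XOR share leaks nothing: the full key length still remains."""
    return 8 * len(key)

def to_paper(share: bytes) -> str:
    """Hex plus a 4-hex-digit SHA-256 checksum for the written copy."""
    return share.hex() + "-" + hashlib.sha256(share).hexdigest()[:4]

def from_paper(text: str) -> bytes:
    """Reverse of to_paper; refuses a share that was copied incorrectly."""
    hex_part, _, check = text.strip().partition("-")
    share = bytes.fromhex(hex_part)
    if hashlib.sha256(share).hexdigest()[:4] != check:
        raise ValueError("checksum mismatch: share was transcribed wrongly")
    return share

def demo():
    key = secrets.token_bytes(32)                          # constructed 256-bit key
    torn_bits = bits_left_after_one_torn_half(key.hex())   # 128 bits left
    a, b = xor_split(key)
    paper_a, paper_b = to_paper(a), to_paper(b)            # one sheet per safe
    rebuilt = xor_join(from_paper(paper_a), from_paper(paper_b))
    return torn_bits, bits_left_after_one_xor_share(key), rebuilt == key

if __name__ == "__main__":
    print(demo())   # (128, 256, True)
```

The same idea extends to more than two safes with a threshold scheme such as Shamir's secret sharing, which the XOR version does not provide (every XOR share is needed, so losing one safe loses the key).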

4- Changing default ports for certain services like dbs

Most of the gangs out there use tools that don’t do a full search, so they go through the default port list.
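What moving a service off its default port buys a defender, as an added example that is not from the original thread: the scripted sweeps described above stop at the default-port list, so after the move, any outside source that does reach the new port has either run a full range scan or already knows where the service is, and is worth a closer look. The log format, the addresses and the move from PostgreSQL's 5432 to 5433 are all constructed for this example.

```python
"""Added example: separate opportunistic default-port sweeps from targeted
hits on a relocated service. Log lines and ports are constructed."""
from collections import defaultdict

DEFAULT_PORT = 5432          # where default-port scanners look
ACTUAL_PORT = 5433           # where the service now listens (assumed)
ALLOWED_CLIENTS = {"192.0.2.9"}   # assumed app servers allowed to reach the DB

# Constructed firewall log in a simple 'src= dst_port= action=' layout,
# not any real vendor's format.
SAMPLE_LOG = """\
2024-07-20T10:00:01 src=203.0.113.5 dst_port=5432 action=drop
2024-07-20T10:00:02 src=203.0.113.5 dst_port=3306 action=drop
2024-07-20T10:00:03 src=203.0.113.5 dst_port=1433 action=drop
2024-07-20T10:01:10 src=198.51.100.7 dst_port=5432 action=drop
2024-07-20T10:02:00 src=192.0.2.9 dst_port=5433 action=accept
2024-07-20T10:02:01 src=192.0.2.9 dst_port=5433 action=accept
2024-07-20T10:03:00 src=198.51.100.44 dst_port=5433 action=drop
2024-07-20T10:03:00 src=198.51.100.44 dst_port=5434 action=drop
2024-07-20T10:03:00 src=198.51.100.44 dst_port=5435 action=drop
"""

def parse(line: str) -> dict:
    """One log line -> dict with ts, src, dst_port (int), action."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = ts
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def classify(log_text: str) -> dict:
    """Group attempts per source and label what each source tells us."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            ports_by_src[rec["src"]].add(rec["dst_port"])
    verdicts = {}
    for src, ports in ports_by_src.items():
        if src in ALLOWED_CLIENTS:
            verdicts[src] = "expected"
        elif ACTUAL_PORT in ports:
            # Only a full-range scan or prior knowledge finds the moved port.
            verdicts[src] = "targeted: hit non-default port"
        elif DEFAULT_PORT in ports:
            verdicts[src] = "opportunistic: default-port list only"
        else:
            verdicts[src] = "unrelated"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

The move is noise reduction, not access control: the service still needs its firewall rule and authentication, and the "targeted" bucket is the one to alert on.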


5- MFA in general.

Takes 60 seconds to set up, and an additional 5s each time you use it, but can save you hours if not days of manual recovery efforts with support to regain access to a compromised account. Yet people don’t like the idea.

If you are using TOTP for your MFA, you can even put it right in the browser with a plug-in. I use this approach for work. It’s very convenient.

If you use a password manager that supports TOTP and auto type (e.g. KeePassXC) then you don’t even need to mess with it once you have it set up.

6- Oauth for 3rd party apps.

Those “sign into our app with your (Google, Microsoft, etc) account” things. As long as you trust the ID provider and the app, it’s usually secure. More so, considering it prevents password reuse, and you aren’t exposed if any of those 3rd party apps have a breach.
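The "sign in with your Google/Microsoft account" exchange as an added, self-contained simulation that is not code from the thread or from any provider: the OAuth 2.0 authorization code grant with PKCE (RFC 7636), showing the property the paragraph relies on. The password is typed at, and checked by, the identity provider only; the third-party app ends up holding a single-use code and then a token, never a password, so a breach of the app exposes no reusable credential. The provider and app are in-memory objects, and `notes-app` with its redirect URI is an assumed client registration.

```python
"""Added example: OAuth 2.0 authorization code flow with PKCE, both sides
simulated in memory. Client registration, users and URIs are constructed."""
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class IdentityProvider:
    """The only party that ever holds (a hash of) the user's password."""
    def __init__(self):
        self.users = {}                                        # user -> (salt, hash)
        self.clients = {"notes-app": "https://notes.example/cb"}   # assumed registration
        self.pending = {}                                      # code -> (client, user, challenge)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def authorize(self, client_id, redirect_uri, code_challenge, user, password) -> str:
        """The provider's login page: check the user, hand back a one-time code."""
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or redirect URI")
        if user not in self.users:
            raise PermissionError("bad credentials")
        salt, expected = self.users[user]
        if not hmac.compare_digest(self._hash(password, salt), expected):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(32)
        self.pending[code] = (client_id, user, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Back-channel exchange: the code is single use and PKCE-bound."""
        entry = self.pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("unknown, replayed or foreign code")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, entry[2]):
            raise PermissionError("PKCE verifier does not match challenge")
        return {"sub": entry[1], "access_token": secrets.token_urlsafe(32)}

class ThirdPartyApp:
    """Never sees a password: only a code, then a token."""
    client_id = "notes-app"
    redirect_uri = "https://notes.example/cb"

    def __init__(self, idp: IdentityProvider):
        self.idp = idp
        self.sessions = {}                                     # state -> verifier

    def start_login(self):
        verifier = b64url(secrets.token_bytes(32))
        challenge = b64url(hashlib.sha256(verifier.encode()).digest())
        state = secrets.token_urlsafe(16)                      # CSRF binding
        self.sessions[state] = verifier
        return state, challenge

    def finish_login(self, state: str, code: str) -> dict:
        verifier = self.sessions.pop(state)                    # unknown state -> KeyError
        return self.idp.token(self.client_id, code, verifier)

def run_flow(user: str, password: str) -> str:
    """Whole exchange; returns the identity the app learned from the token."""
    idp = IdentityProvider()
    idp.register_user(user, password)
    app = ThirdPartyApp(idp)
    state, challenge = app.start_login()
    # Browser redirect to the provider: the password is typed there, not in the app.
    code = idp.authorize(app.client_id, app.redirect_uri, challenge, user, password)
    # Redirect back carrying code + state; the app redeems the code on the back channel.
    return app.finish_login(state, code)["sub"]

if __name__ == "__main__":
    print(run_flow("alice", "correct horse battery staple"))
```

The two trust conditions in the paragraph map onto the code directly: trusting the provider means trusting `IdentityProvider.users` and its login page, and trusting the app means trusting what it does with `access_token`, which is all a breach of the app can leak.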

7- Two-step verification.

Yes it’s annoying to need two devices every time you want to log into your most precious accounts, but trust me, I’d rather take the extra 10 seconds to authorize a login than go through the hell of having my account breached.

8- Biometric Authentication.

The argument is that ‘you can’t change your face/finger’ but it is actually more secure than other ‘magic link’ providers.

Let me be clear, there are some providers that are still iffy on security. But there are also some that have device native authentication (you need the device to auth), they don’t store passwords or password hashes, and only hold public keys.

One example of this is which is about as secure as you can get.

9- Zoom.

Yes, they had a bunch of issues at the start, but they fixed them. I would much rather work with a company that had security assessments and fixed the problems rather than a company which has never been assessed.

10- Unplugging the ethernet cable.

11- Browser password managers?

Rant moment: reasons cybersecurity fails



People don’t see value of putting effort in cybersecurity because they don’t see any material gains from it. The best thing they can see is nothing bad happening.

No news isn’t good enough as good news. That alone is enough for most people to ignore cybersecurity advice altogether.

This is similar to people not taking care of themselves health-wise, because the best outcome they can see is not getting sick.


Why do cyber attackers commonly use social engineering attacks?

Hackers commonly use social engineering attacks because they can be very effective. By using social engineering, hackers can take advantage of people’s trusting nature and willingness to help others. They can also exploit the fact that people are often not well-informed about security and privacy issues. For example, a hacker might pose as a customer service representative and ask for someone’s password. Or, they might send an email that looks like it is from a trusted source, such as a bank or government agency, and ask the recipient to click on a link or download an attachment. If the person falls for the deception, the hacker can gain access to their accounts or infect their computer with malware. That is why it is important to be aware of these types of attacks and know how to protect yourself.

Cyber attackers commonly use social engineering attacks for a number of reasons. First, hacking into a person’s or organization’s computer systems is becoming increasingly difficult as security measures become more sophisticated. Second, even if a hacker is able to gain access to a system, they are likely to be discovered and caught before they can do any significant damage. Third, social engineering attacks allow hackers to bypass security measures and obtain sensitive information without being detected. Finally, social media platforms have made it easier for cyber attackers to obtain personal information about their targets and to carry out attacks. As a result, social engineering attacks are an attractive option for many cyber attackers.

To conclude:

Cybersecurity is often thought of as a complex and technical field, but there are actually many simple things that everyone can do to help stay safe online. For example, one way to protect your online communications is to use PGP encryption. This type of encryption is incredibly difficult for even the most skilled hacker to break, but it’s also easy to use. Another way to improve your cybersecurity is to use very long passwords that are actually a sentence. This may seem daunting, but using a phrase as your password makes it much harder for hackers to guess. Additionally, changing the default ports for certain services can help prevent unauthorized access. And finally, unplugging the ethernet cable when you’re not using it is a great way to physically block hackers from accessing your device. By following these simple tips, you can dramatically improve your cybersecurity and protect your privacy.

Source: r/cybersecurity
