CyberSecurity – What are some things that get a bad rap, but are actually quite secure?




Cybersecurity matters to everyone, from individuals to large organizations, and several practices have a worse reputation than they deserve. PGP (Pretty Good Privacy), for example, is a method of encrypting and signing email whose cryptography has held up well; the difficulty is in setting it up and handling keys. Very long passwords that are actually a sentence may look lazy, but a multi-word passphrase is far harder to guess than a short password padded with symbols. Changing the default port of a service such as a database will not stop a targeted attacker, but it does take the host off the list that mass scanners work through. Unplugging the ethernet cable sounds crude, yet disconnecting a machine is one of the most effective ways to stop a breach in progress. Finally, browser password managers are often dismissed as insecure, but they are a reasonable choice as long as the device and browser profile they live in are protected. The list below collects these and a few others from the thread.

There is a flip side too: some habits are trusted more than they deserve. PGP is often treated as unbreakable, but its historical weak points have been key management and mail-client integration rather than the cryptography, so a message is only as safe as the tooling and habits around it. A long password that is reused everywhere, or stuck on a note next to the screen, is not secure either, however many characters it has. For accounts, the most reliable protection is to layer defences: a second factor (MFA or two-step verification) and delegated sign-in through a provider you trust (OAuth) on top of a unique password. None of these is foolproof, but together they make a stolen credential far less useful to an attacker.

1- PGP

PGP is a Form of Minimalism

As a protocol, PGP is surprisingly simple. Here is what happens if you want to use it to securely send a message to someone:

  1. You get from them a PGP identity (public key). How you do that is entirely up to you.
  2. Your PGP program uses that identity to perform a single public key encryption of a message key.
  3. Then the message key is used to encrypt the message which is added to the encrypted message key to make the encrypted message.
  4. Your correspondent does the opposite operations to get the message.

If you want to sign your message then you:

  1. Hash the message.
  2. Do a public key signature operation on the hash and attach the result to the message.
  3. Your correspondent checks the signature from your PGP identity, which they have acquired somehow.

The simple key handling is where the minimalism comes from. It is why PGP can be used in so many non-email contexts.
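The four-step exchange and the optional signature described above, as an added example that is not part of the original article and is not OpenPGP's actual packet format or algorithm set: Go standard library only, RSA-OAEP to wrap a fresh per-message key, AES-GCM for the message, and RSA-PSS over a SHA-256 hash for the signature (OpenPGP's own formats, key types and signature structure differ; these primitives are stand-ins). The shape is what matters: one public-key operation per recipient, everything else symmetric, and signing a separate step you can leave out.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Encrypted is the "encrypted message" of step 3: wrapped message key plus message ciphertext.
type Encrypted struct {
	WrappedKey []byte // fresh message key, encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // message encrypted under the message key
}

// Encrypt is steps 2 and 3: one public-key operation on a random message key, then symmetric encryption.
func Encrypt(recipient *rsa.PublicKey, message []byte) (*Encrypted, error) {
	buf := make([]byte, 32+12) // 256-bit message key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	msgKey, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msgKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(msgKey)
	if err != nil {
		return nil, err
	}
	return &Encrypted{wrapped, nonce, gcm.Seal(nil, nonce, message, nil)}, nil
}

// Decrypt is step 4: unwrap the message key with the private key, then open and integrity-check the message.
func Decrypt(priv *rsa.PrivateKey, e *Encrypted) ([]byte, error) {
	msgKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(msgKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sign is signing steps 1 and 2: hash the message, sign the hash. Skip it and nothing ties the message to you.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is signing step 3, with the sender's public key however it was obtained.
func Verify(sender *rsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil) == nil
}

// RoundTrip runs the exchange between two fresh identities; returns the recovered text and whether the signature verified.
func RoundTrip(message []byte) ([]byte, bool, error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048) // sender
	if err != nil {
		return nil, false, err
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048) // recipient
	if err != nil {
		return nil, false, err
	}
	sig, err := Sign(alice, message)
	if err != nil {
		return nil, false, err
	}
	enc, err := Encrypt(&bob.PublicKey, message)
	if err != nil {
		return nil, false, err
	}
	recovered, err := Decrypt(bob, enc)
	if err != nil {
		return nil, false, err
	}
	return recovered, Verify(&alice.PublicKey, recovered, sig), nil
}

func main() {
	got, ok, err := RoundTrip([]byte("constructed sample message"))
	fmt.Printf("recovered=%q signatureValid=%v err=%v\n", got, ok, err)
}
```

Note that `Encrypt` never sees a private key and `Verify` never sees one either: the only state either side keeps is its own key pair and whatever public keys it has collected, which is the minimalism the article is pointing at.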

As a contrast, consider the Signal Protocol for instant messaging. I will not attempt to describe Signal in any detail as I would get parts of it wrong. It would also make for a pointlessly long article. There is a high level description of the Signal protocol here. None of the following comments are intended to be critical, they are intended to give an idea of the level of complexity of the protocol in total:

  • Signal has at least 2 systems for creating forward secrecy. Each system requires a system to deal with loss of synchronization.
  • A Signal session requires the storage and maintenance of a lot of state information.
  • Signal normally uses a server based “prekey” system to deal with the case where a client is offline and thus is unable to negotiate.
  • Signal achieves partial deniability with a triple Diffie-Hellman key exchange. OpenPGP achieves complete deniability by not signing the message in the first place.
  • Supporting the Signal protocol in practice requires a separate system to store and protect past messages. Since this is at odds with forward secrecy such a system will end up with a system to delete old messages.

The Signal Protocol is built on ideas from the Off the Record (OTR) protocol. Interestingly enough, OTR was intended to improve PGP by adding extra functionality. Signal adds functionality on top of the OTR functionality. So Signal could be considered the result of an attempt to improve something by making it more complex.

I believe that reliability and security are best achieved with simple systems. OpenPGP is a standard that describes such a system.


2- Very long passwords that are actually a sentence

It could be bad if you just came up with it and forget it, and people think it’s bad if it only has lowercase and no numbers or punctuation. But a 5-6 word sentence could be quite secure, especially if it’s a bit weird. “Lemons make a delicious snack in my house.”

3- Writing passwords down.

I tell all my old relatives to write their passwords down in a little notebook. As long as there isn't someone there regularly whom I don't trust, it is much better than using the same password everywhere, and if the physical security of their house is compromised, there are bigger concerns than a notebook of banking passwords.

We write down all the passwords to our most secure systems – but then we rip them in half and put them in 2 separate safes.

Did I say passwords? I meant encryption keys.

4- Changing default ports for certain services like databases

Most of the gangs out there use tools that don't do a full search, so they go through the default port list.

5- MFA in general.

Takes 60 seconds to set up, and an additional 5s each time you use it, but can save you hours if not days of manual recovery efforts with support to regain access to a compromised account. Yet people don’t like the idea.

If you are using TOTP for your MFA, you can even put it right in the browser with a plug-in. I use this approach for work. It’s very convenient.

If you use a password manager that supports TOTP and auto type (e.g. KeePassXC) then you don’t even need to mess with it once you have it set up.
6- OAuth for 3rd party apps.

Those “sign into our app with your (Google, Microsoft, etc) account” things. As long as you trust the ID provider and the app, it’s usually secure. More so, considering it prevents password reuse, and you aren’t exposed if any of those 3rd party apps have a breach.
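What "secure as long as you trust the provider and the app" rests on, for a public client using the authorization-code flow, as an added example that is not from the comment above and not any provider's SDK: the client binds the authorization code to itself with PKCE (RFC 7636, S256 method) and a random `state` value, and the authorization server only releases tokens when the presented `code_verifier` hashes to the `code_challenge` it stored with the code. The endpoints and `client_id` are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// randomToken returns n random bytes as unpadded base64url, which is within the
// code_verifier alphabet of RFC 7636. 32 bytes gives 43 characters, the RFC minimum.
func randomToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Challenge is the S256 transform: BASE64URL(SHA256(ASCII(code_verifier))).
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeURL is the request the client sends the user to the IdP with. Only the
// challenge travels; the verifier stays on the client until the token exchange.
func AuthorizeURL(authzEndpoint, clientID, redirectURI, state, verifier string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid email")
	q.Set("state", state)
	q.Set("code_challenge", Challenge(verifier))
	q.Set("code_challenge_method", "S256")
	return authzEndpoint + "?" + q.Encode()
}

// CallbackStateOK is the client's check on the redirect back: the state must match
// what this browser session started with, or the code belongs to someone else's flow.
func CallbackStateOK(expected, got string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

// TokenRequestOK is the authorization server's side at the token endpoint: the
// verifier presented with the code must hash to the challenge stored with it, so
// a code intercepted in transit is useless without the verifier the client kept.
func TokenRequestOK(storedChallenge, presentedVerifier string) bool {
	return subtle.ConstantTimeCompare([]byte(Challenge(presentedVerifier)), []byte(storedChallenge)) == 1
}

func main() {
	// Hypothetical endpoints and client_id, constructed for the demo.
	verifier, err := randomToken(32)
	if err != nil {
		panic(err)
	}
	state, err := randomToken(16)
	if err != nil {
		panic(err)
	}
	fmt.Println(AuthorizeURL("https://idp.example/authorize", "demo-client", "https://app.example/cb", state, verifier))
	// ... the user authenticates at the IdP and is redirected back with ?code=...&state=...
	stored := Challenge(verifier) // what the IdP saved alongside the code it issued
	fmt.Println("state ok:", CallbackStateOK(state, state), "verifier ok:", TokenRequestOK(stored, verifier))
}
```

The property the comment relies on falls out of this: the app never sees the user's provider password, and a breach of the app yields at most tokens scoped to that app, which the provider can revoke.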

7- Two-step verification.

Yes it’s annoying to need two devices every time you want to log into your most precious accounts, but trust me, I’d rather take the extra 10 seconds to authorize a login than go through the hell of having my account breached.

8- Biometric Authentication.

The argument is that ‘you can’t change your face/finger’ but it is actually more secure than other ‘magic link’ providers.

Let me be clear, there are some providers that are still iffy on security. But there are also some that have device-native authentication (you need the device to authenticate); they don't store passwords or password hashes, only public keys.

One example of this is https://passage.id/ which is about as secure as you can get.

9- Zoom.

Yes, they had a bunch of issues at the start, but they fixed them. I would much rather work with a company that had security assessments and fixed the problems rather than a company which has never been assessed.

10- Unplugging the ethernet cable.

11- Browser password managers?

Rant moment: reasons cybersecurity fails

<Rant>

People don’t see value of putting effort in cybersecurity because they don’t see any material gains from it. The best thing they can see is nothing bad happening.

No news isn't good enough as good news. This is enough reason for most people to ignore all cybersecurity advice altogether.


This is similar to people not taking care of themselves health-wise, because the best thing they can see is not getting sick.

</Rant>

Why do cyber attackers commonly use social engineering attacks?

Hackers commonly use social engineering attacks because they can be very effective. By using social engineering, hackers can take advantage of people’s trusting nature and willingness to help others. They can also exploit the fact that people are often not well-informed about security and privacy issues. For example, a hacker might pose as a customer service representative and ask for someone’s password. Or, they might send an email that looks like it is from a trusted source, such as a bank or government agency, and ask the recipient to click on a link or download an attachment. If the person falls for the deception, the hacker can gain access to their accounts or infect their computer with malware. That is why it is important to be aware of these types of attacks and know how to protect yourself.

Cyber attackers rely on social engineering for several reasons. First, breaking into systems by purely technical means has become harder and more expensive as patching, endpoint protection and network monitoring have matured. Second, a technical intrusion leaves artifacts that defenders can detect, whereas a user who hands over a credential or approves a login prompt looks like legitimate activity. Third, social engineering lets an attacker step around those controls entirely and obtain sensitive information or access without exploiting a single vulnerability. Finally, social media makes it easy to research a target's employer, colleagues and habits, which is exactly what a convincing pretext needs. Together these make social engineering the cheapest reliable entry point for many attackers.

To conclude:

Cybersecurity is often thought of as a complex and technical field, but a handful of simple habits carry most of the benefit. PGP encryption protects the content of your communications with cryptography that has held up for decades; the effort goes into key handling, not into the maths. Very long passwords that are actually a sentence are easier to remember and much harder to guess than short ones. Changing the default ports of exposed services cuts down automated scanning noise, though it is obscurity rather than a control and belongs alongside authentication and patching, not instead of them. And unplugging the ethernet cable when a machine does not need to be online is the simplest way to put it out of an attacker's reach. Add a second factor to your important accounts and you have closed off most of the routes a casual attacker will try.

source: r/cybersecurity


Source: r/cybersecurity

  • Phish Automation
    by /u/topper70 (cybersecurity) on February 1, 2023 at 6:17 pm

    Phish is love, phish is life. Currently looking for any kind of automation for user-reported phish emails; just general ideas, experience, or ways you might do it currently? Just implemented a new 5-strikes rule in our policy, so naturally our entire user base just reports every email as phish, which requires an analyst to do a minimal analysis and close. Trying to get away from this to reduce alert fatigue, and automate the task so we can spend time on real threats, not validating spam.

  • Trying to automate matching vulnerability info with remediation info
    by /u/Actual_Telephone_594 (cybersecurity) on February 1, 2023 at 6:06 pm

    I am using my SIEM's built-in vulnerability scanning to identify vulns in my environment. I know there are better tools, but this is what has been made available to me. It works well enough at identifying vulnerabilities, but it lacks the basic remediation information or references in the reports (or the web interface, for that matter) that's part of dedicated products like Nessus. Not a show stopper, but with the size of our environment I have around a thousand lines to go out and manually search for the information then manually write the information in. I want to set it up so that I can generate a CSV file that I can use to automatically generate tickets for a list of vulns. I've tried using the NVD API to drop information into Excel but it only pulls 2k lines. I'm not much of a programmer, but I've dabbled enough to know I'm probably going about this all wrong. I've tinkered with Python a bit so I know the general concepts of pulling data from an API, but I'm not sure what the best approach would be to taking the data I currently have in a CSV, using that to query an API, and generate an output back into CSV or something similar. I'd appreciate some direction in how I can pull remediation information for a list of ~1000 vulnerabilities.

  • Recovering after a Mental Health Blowup
    by /u/comingbackfromaltf4 (cybersecurity) on February 1, 2023 at 5:52 pm

    So, about a year-ish back I had a mental breakdown and quit my incredibly rare and good contract job. As a guy with only certs and some work experience this was an enormous fuckup. So far this is one of my greatest regrets, hence posting this on a throwaway. In the time since then, I tried to go back to university and finish my computer science degree but I had to drop out as I'm unable to afford the tuition. I've also spent a significant amount of time studying for the OSCP although the two attempts I've had were not successful. Given that, I am trying to go about returning to a SOC position like how I originally got started in cybersecurity. Does anyone have any advice about tackling this situation? I've got an Associate of ISC2 under my belt and a uni certificate program in cyber. I was thinking that obtaining another cert would be beneficial in showing that I am still proficient and interested in the field. I'd like to hear some opinions. Thanks

  • K-12 schools in Tucson, Nantucket respond to cyberattacks
    by /u/yogibear2190 (cybersecurity) on February 1, 2023 at 5:23 pm

    Schools in Tucson, Arizona, and Nantucket, Massachusetts, are dealing with cyberattacks as U.S. schools continue to face a barrage of threats in the first weeks of 2023. https://therecord.media/k-12-schools-ransomware-tucson-nantucket/

  • Researcher drops Lexmark RCE zero-day rather than sell vuln ‘for peanuts’ - Printer exploit chain could be weaponized to fully compromise more than 100 models
    by /u/speckz (cybersecurity) on February 1, 2023 at 5:21 pm

  • http CONNECT request importance
    by /u/shut_up_Meg_gig (cybersecurity) on February 1, 2023 at 4:59 pm

    From a SOC perspective, are HTTP CONNECT requests relevant for incident investigation? My understanding is that CONNECT "only" establishes a tunnel, then if any other requests were made (GET/POST) then it is "almost" like the user wouldn't make the connection in the first place. So we know that the connection was established, but if CONNECT is the only request that occurred, then for example no malicious file could have been downloaded from a given website, or credentials were not leaked. Ekhm, change my mind I guess? Cheers

  • Brit says sorry after waving around nonce patent and leaning on sites to cough up
    by /u/julian88888888 (cybersecurity) on February 1, 2023 at 4:48 pm

  • Threat intelligence IOC enrichments?
    by /u/Few-Calligrapher2797 (cybersecurity) on February 1, 2023 at 4:42 pm

    Working on a threat intelligence platform, what are some creative ways you could enrich IOCs? Already got the basics down (VirusTotal, domain search, etc.); what else is there?

  • Best resources to learn email security/analyzing MTA logs.
    by /u/RawOystersOnIce (cybersecurity) on February 1, 2023 at 4:38 pm

    I'm looking for the best free or paid resources to increase my skill in analyzing MTA logs and general email security. I prefer if the resource is a video series I could follow along to. I don't care if it is free or if I have to pay for it. Thank you.

  • Your Company's Bossware Could Get You in Legal Trouble
    by /u/KolideKenny (cybersecurity) on February 1, 2023 at 4:07 pm

  • Cybersecurity Educational TV Series for the General Population?
    by /u/frenchfry_wildcat (cybersecurity) on February 1, 2023 at 4:04 pm

    I was thinking - is anyone aware of an educational TV series or something tailored for people who don't work in security or IT? If not, any idea why? Too boring? Science has tons of these shows - Bill Nye, space shows from Neil Tyson, etc. Wouldn't something like that for security be helpful in improving the knowledge level of the average citizen? Cybersecurity impacts everyone and many don't even know what's going on beyond tech support scams.

  • Access control and capability lists
    by /u/sounaz962 (cybersecurity) on February 1, 2023 at 3:54 pm

    Hello, how different are the two? And what do their respective matrices look like? Thank you!

  • Do you make sense of this email?
    by /u/jonbristow (cybersecurity) on February 1, 2023 at 3:49 pm

    I work in cybersec and one of my staff reported this email: Staff (@mycompany.com) sends an email to a client (@client.com and client@hotmail.com). Staff gets an email back from postmaster@outlook.com to staff@hotmail.com (which doesn't exist) that says: "Delivery has failed to these recipients or groups: wongxiansheng724@gmail.com The email address you entered couldn't be found..." The gmail address is nowhere in the chain. I checked the logs and we didn't send an email to that gmail account. Checked the raw response and it's like this: "... VE1PR10MB3438.EURPRD10.PROD.OUTLOOK.COM ([fe80::d827:8ebb:92a1:cd59%6]) with Microsoft SMTP Server id ; Wed, 1 Feb 2023 15:23:08 +0000 From: CLIENT client@hotmail.com To: "wongxiansheng724@gmail.com" wongxiansheng724@gmail.com Subject: FW: Statement Thread-Topic: Statement Thread-Index: A..." Did the client automatically forward our email to the gmail account? But why did we get CC'd back? I feel like this client has a compromised mail server? Can't make sense of why we got a mail back from a random account?

  • Bypassing Administrative Control on Enterprise-Managed Chromebooks With SH1MMER Exploit
    by /u/Significant_Brick116 (cybersecurity) on February 1, 2023 at 3:43 pm

    A new exploit, SH1MMER, has been developed that can unenroll enterprise- or school-managed Chromebooks from administrative control. This exploit takes advantage of a modified Return Merchandise Authorization shim image to create a recovery media for the Chromebook and write it to a USB stick. By booting the Chromebook in developer mode with the drive image and plugging the USB stick containing the image into the device, an altered recovery menu is displayed that enables users to completely unenroll the machine. Additionally, the SH1MMER menu can be used to re-enroll the device, enable USB boot, open a bash shell, and even allow root-level access to the ChromeOS operating system. We have reached out to Google for comment and will update this post accordingly. #cybersecurity #TechNews #Google

  • Reviewing IBM Security software and services
    by /u/Kevinflynn00 (cybersecurity) on February 1, 2023 at 3:37 pm

    Being tasked with reviewing IBM security products (software and services). The company I work for is a mostly single-cloud MSP and proserv company, so our direct involvement with client environments is generally on a single cloud. Any interaction with other clouds or on-prem is often handed to other teams. My main question revolves around that: given that context, are IBM security products and services even relevant here? From a purely functionality and performance standpoint, are they a class leader in any way? What about when pricing is concerned? Put another way: why would I use IBM for anything security related compared to any of the market leaders that are newer and/or more cloud experienced?

  • Using LSA Secrets to gain a possible foothold in the Cloud
    by /u/Traditional-Couple-2 (cybersecurity) on February 1, 2023 at 2:23 pm

  • Ideas for how to improve our image
    by /u/MayaIngenue (cybersecurity) on February 1, 2023 at 1:21 pm

    I often worry that, at least for me and my company, those of us in cybersecurity sometimes get viewed as intimidating and unapproachable, and I understand why, because for the most part the only communication I make with many of my coworkers is when they may have done something wrong. I am, for all intents and purposes, the network cop. I brought this to the attention of my manager and her boss and now I've been tasked with brainstorming ways to make us be seen in a more positive light. I mean, I got nothin'. I have enough things to do with my nose to the grindstone all day as it is. Is there something that maybe you do in your organization to better improve the image of your cybersecurity personnel?

  • Identity Protection Services
    by /u/license_to_kill_007 (cybersecurity) on February 1, 2023 at 1:11 pm

    When end users reach out asking about which identity protection service is most recommended, which one do you tell them? I really liked ID Watchdog, but it seems there's others more highly regarded. Also, does your org offer ID theft protection services as a benefit?

  • Roadmap for Information Security Auditor and Cyber Risk Consultant
    by /u/Fun_Fee_2259 (cybersecurity) on February 1, 2023 at 1:06 pm

    Hello everyone, can anyone be kind and share the roadmap, or where I should look for the roadmap, for both Information Security Auditor and Cyber Risk Consultant? Like what certifications to pursue step by step, what jobs to switch to after one, and so on. It would be much appreciated. Thank you in advance.

  • O365 Safe Link - false sense of security?
    by /u/Its_Riccardo (cybersecurity) on February 1, 2023 at 11:34 am

    All, I have been asked to determine whether the Safe Link feature in O365 would be a valuable feature to enable. While I am all for this kind of pre-delivery check, one of my concerns would be that it makes it harder to check if URLs in mails are indeed referring to legit sender domains, because of the safelink.outlook URL that shows now when you hover over links. Not sure what the false positive/negative rate would be. But I can imagine that there would be plenty of questionable (phishing) websites that would not be picked up by Microsoft, but would be identifiable if you looked at the "original" URL. What are your thoughts here?

  • Advice regarding phishing simulation
    by /u/deamondiamond (cybersecurity) on February 1, 2023 at 10:52 am

    I have a 10+ year career in IT, recently joined a company working within cyber security, and I'm trying to impress to climb the ranks and looking for advice. The environment that I need to run a phishing campaign on is Google Workspace. I have set up GoPhish, but the problem I have is that Google detects the link as phishing and blocks the page from being accessed; if trying to access the website directly, Google Safe Browsing blocks it. (Have tried tinyurl, for example.) I'm told a paid option or changes such as migrating to O365 etc. for the customer are out of the question, and ideas like sharing a Google form or document and tracking who's opened it aren't satisfactory. Any advice on what I may be able to implement? Thank you.

  • As a CISO, what do you do when switching companies?
    by /u/Username-Foobar (cybersecurity) on February 1, 2023 at 9:11 am

    In the first days and weeks after joining a new company, what do you do and focus on first?

  • Assembly for Reverse Engineering
    by /u/SherilWebs (cybersecurity) on January 31, 2023 at 9:52 pm

    Hi guys! I was thinking about learning assembly for reverse engineering. Which materials (books/repos) would you recommend? All suggestions are appreciated!

  • Boss told me I'm too dumb to get into cybersecurity and to not waste my time
    by /u/Lucky-Mixture-4787 (cybersecurity) on January 31, 2023 at 7:17 pm

    I have been working in construction (AV, surveillance, networking) on/off with this guy for a couple of years. We mostly just pull cables or hang TVs. I recently started getting enrolled in WGU's cybersecurity program. I am 27 and feel like it is time to get into something more "brain" oriented. I can't use my body forever and don't intend to. I have always viewed myself as a smart person but I did poorly in college because of severe depression. I attempted suicide twice in college and was on a mixture of medications throughout it. I eventually underwent transcranial magnetic stimulation and it made my depression go into remission. Anyway, my boss told me that I'm too dumb to get into cybersecurity and nobody would hire me. He said it's too competitive because everybody wants to get into it. He said that if I was meant to do something with my brain, I'd have done it by now. He said my depression was just an excuse (he doesn't know my full story with it). He also said that if I was so smart, my last IT service tech job would've taken me out of the field and put me into a remote desk position. He said I'm going to be competing with people who are actually smart and they're going to look at my resume and waste my time and never call me back. I told him that I don't have anything on my resume and that's why I can't get a spot. He said that it doesn't matter, and there are guys who walk into jobs and flex their intelligence, and get offered to move up into roles solely on the intelligence that they convey to others. He said I'm just not built for anything other than construction and to not waste my time and money, and to stay in a field where the competition is low and people are retarded so I can stick out. It was harsh but he is entitled to his opinion. I don't like to be surrounded by people who put me down so I'm considering not working with him anymore.
    The guy has never seen me do anything other than hammer a nail into a wall so I'm not entirely sure why he felt that way. But he did make me feel like cybersecurity is a job that is SO super competitive that I won't be able to even get an entry level spot with my degree at WGU. Even with AV/IT experience. He made it seem like I'm going to get my degree, and it's just going to sit there collecting dust, until I give up and go back into construction for the rest of my life. What the hell do I make of this, and is there anyone who has graduated WGU here? Also how competitive is an entry level spot, really? Edit: Although I am not replying, I am reading all of your comments and I actually started crying during it. Thanks to everyone for sharing your stories and offering advice. I think there are a lot of commonalities between my rant and what others have gone through. Thank you all for these small shreds of humanity that make a big impact.

  • Cybercrime groups offer six-figure salaries, bonuses, paid time off to attract talent on dark web
    by /u/rotbettow (cybersecurity) on January 31, 2023 at 9:42 am

  • Mentorship Monday - Post All Career, Education and Job questions here!
    by /u/AutoModerator (cybersecurity) on January 30, 2023 at 12:00 am

    This is the weekly thread for career and education questions and advice. There are no stupid questions; so, what do you want to know about certs/degrees, job requirements, and any other general cybersecurity career questions? Ask away! Interested in what other people are asking, or think your question has been asked before? Have a look through prior weeks of content - though we're working on making this more easily searchable for the future.
