CyberSecurity – What are some things that get a bad rap, but are actually quite secure?

cybersecurity

Cybersecurity and what it means to the food safety professional | Food  Safety News

1- PGP

PGP is a Form of Minimalism

As a protocol, PGP is surprising simple. Here is what happens if you want to use it to securely send a message to someone:

  1. You get from them a PGP identity (public key). How you do that is entirely up to you.
  2. Your PGP program uses that identity to perform a single public key encryption of a message key.
  3. Then the message key is used to encrypt the message which is added to the encrypted message key to make the encrypted message.
  4. Your correspondent does the opposite operations to get the message.

If you want to sign your message then you:

  1. Hash the message.
  2. Do a public key signature operation on the hash and attach the result to the message.
  3. Your correspondent checks the signature from your PGP identity, which they have acquired somehow.

The simple key handling is where the minimalism comes from. It is why PGP can be used in so many non-email contexts.

2022 AWS Cloud Practitioner Exam Preparation

As a contrast, consider the Signal Protocol for instant messaging. I will not attempt to describe Signal in any detail as I would get parts of it wrong. It would also make for a pointlessly long article. There is a high level description of the Signal protocol here. None of the following comments are intended to be critical, they are intended to give an idea of the level of complexity of the protocol in total:

  • Signal has at least 2 systems for creating forward secrecy. Each system requires a system to deal with loss of synchronization.
  • A Signal session requires the storage and maintenance of a lot of state information.
  • Signal normally uses a server based “prekey” system to deal with the case where a client is offline and thus is unable to negotiate.
  • Signal achieves partial deniability with a triple Diffie-Hellman key exchange. OpenPGP achieves complete deniability by not signing the message in the first place.
  • Supporting the Signal protocol in practice requires a separate system to store and protect past messages1). Since this is at odds with forward secrecy such a system will end up with a system to delete old messages.

The Signal Protocol is built on ideas from the Off the Record (OTR) protocol. Interestingly enough, OTR was intended to improve PGP by adding extra functionality. Signal adds functionality on top of the OTR functionality. So Signal could be considered the result of an attempt to improve something by making it more complex.

I believe that reliability and security are best achieved with simple systems. OpenPGP is a standard that describes such a system.

2- Very long passwords that are actually a sentence

It could be bad if you just came up with it and forget it, and people think it’s bad if it only has lowercase and no numbers or punctuation. But a 5-6 word sentence could be quite secure, especially if it’s a bit weird. “Lemons make a delicious snack in my house.”

3- Writing passwords down.

I tell all my old relatives to write their passwords down in a little notebook. As long as there isn’t someone there regularly I don’t trust, it is much better than using same password and if their physical security at their house is compromised, there are bigger concerns than a notebook of banking passwords.

We write down all the passwords to our most secure systems – but then we rip them in half and put them in 2 separate safes.

Did I say passwords? I meant encryption keys.

4- Changing default ports for certain services like dbs

Most of the gangs out there use tools that don’t do a full search, so they go through the default port list


Save 65% on select product(s) with promo code 65ZDS44X on Amazon.com

5- MFA in general.

Takes 60 seconds to set up, and an additional 5s each time you use it, but can save you hours if not days of manual recovery efforts with support to regain access to a compromised account. Yet people don’t like the idea.


If you are using TOTP for your MFA, you can even put it right in the browser with a plug-in. I use this approach for work. It’s very convenient.

If you use a password manager that supports TOTP and auto type (e.g. KeePassXC) then you don’t even need to mess with it once you have it set up.

6- Oauth for 3rd party apps.

Those “sign into our app with your (Google, Microsoft, etc) account” things. As long as you trust the ID provider and the app, it’s usually secure. More so, considering it prevents password reuse, and you aren’t exposed if any of those 3rd party apps have a breach.

7- Two-step verification.

Yes it’s annoying to need two devices every time you want to log into your most precious accounts, but trust me, I’d rather take the extra 10 seconds to authorize a login than go through the hell of having my account breached.

8-Biometric Authentication.

The argument is that ‘you can’t change your face/finger’ but it is actually more secure than other ‘magic link’ providers.

Let me be clear, there are some providers that are still iffy on security. But there are also some that have device native authentication (you need the device to auth), they don’t store passwords or password hashes, and only has public keys.

One example of this is https://passage.id/ which is about as secure as you can get.

9- Zoom.

Yes, they had a bunch of issues at the start, but they fixed them. I would much rather work with a company that had security assessments and fixed the problems rather than a company which has never been assessed.


Build the skills that'll drive your salary into six figures

10- Unplugging the ethernet cable.

11- Browser password managers?

Rant moment: reasons cybersecurity fails

<Rant>

People don’t see value of putting effort in cybersecurity because they don’t see any material gains from it. The best thing they can see is nothing bad happening.

No news isn’t good enough of a good news. This is enough to mostly ignore all cybersecurity advice altogether.

This is similar to people not taking care of themselves health-wise, because the best things they can see is not getting sick.

</Rant>

source: r/cybersecurity

Source: r/cybersecurity

error: Content is protected !!