Isolation Con 2
The Many Hats Club return with Isolation Con 2, raising funds for Child's Play, and I manage to talk about OPSEC (Overly Presenting Some Erroneous Content) there!
Cyberz 4 Gud
Stu Peck and The Many Hats Club, along with The Beer Farmers, and a fair few others in the cyber security industry, have really made my heart melt during lockdown. Putting on these online conferences and other things has been a way for us to get together, network and do some good during this difficult time.
Last year’s Isolation Con raised over £10,000 for Médecins Sans Frontières and gave us a chance to get together, chat and to hear some great talks, in a socially distanced manner, of course. These conferences have really helped, alongside my MSc studies, broaden my knowledge and see what other cyber security opportunities there might be out there.
This year’s conference raised money for the awesome Child’s Play charity. To quote the charity, “Child’s Play Charity delivers therapeutic games and technology directly to paediatric hospitals to improve patients’ lives through the power of play”. I think it’s a fantastic cause to support. The Many Hats Club managed to raise just over $10,000 for them which was an amazing achievement. Well done to everyone involved, and of course, the lovely sponsors.
There were so many great talks on the day and I’m hoping to catch up on the ones I missed while prepping for my talk once the videos get released. I also managed to DJ for the after party which was awesome!
I also agreed that if we hit $14,000 then I’d eat a whole jar of Marmite - yuk! Or was it yuk? I’d spent the whole week prior mentioning how much I loved Marmite, which I guess is what the talk was about…
The Talk: OPSEC (Overly Presenting Some Erroneous Content)
I’ll be honest, a lot of this talk was me coming from a place of common sense (well, my common sense; others might say I’m an idiot :D). I see a lot of “advice” online about cyber which basically works but, in my humble opinion, is a bit flawed. The “advice” I’m talking about tends to be the likes of “NEVER use x”, “ALWAYS do y”, “This is ALWAYS a SERIOUS threat”. Now I’m sorry in advance if me, a lowly developer with an interest in cybersecurity, upsets anyone, and perhaps I’ve missed something very obvious in why this advice is given. I also appreciate it’s blanket advice designed to get one point across. The problem is that life is nuanced, so our responses should be too. Otherwise people will switch off anyway. We should say what we mean in an effective manner.
A great example of this is around OPSEC: Operational Security. We learnt from my previous talk at BeerCon2 that OPSEC is a way of keeping military operational plans secret. Some people also use the term in the civilian world (having never served, that’s the only exposure I’ve had to it). In the civilian world it often points towards personal privacy, and this is sometimes where things get a bit strange.
I read somewhere to never reveal your date of birth because it could be used with other information to steal your money from your bank. Now it seems a good bit of general advice around privacy, and if followed, it certainly doesn’t hurt. But if this were such a huge threat to EVERYONE, with hackers poised to instantly steal your money the moment they know your DoB, why don’t celebrities whose DoBs are widely known get all of their money stolen every day? I worked with someone 10 years ago who had all of their money stolen from their bank account and they never revealed their DoB once. It’s almost like there’s more than meets the eye. I would say that using something which monitors loans, bank account creation etc. made with your details is a much better thing to educate people on than just hiding away your date of birth.
But that’s one controversial example… you may be on board, you may not, so the focus of my talk was other examples of this “advice”. NEVER sharing anything real about you on social media EVER.
Close, but no cigar
So why don’t we share any personal details of ourselves ever online?
SECURITY QUESTIONS AND PASSWORDS!
Well done! 50 points to you! The premise of this advice is that by revealing little known facts about yourself, hackers can guess your passwords and secret security questions. You know the secret security questions like “What’s your favourite football team / pet / home city / maiden name?”, and password leaks such as RockYou showed that people use their favourite football team or other personal information in their passwords too.
So if these things are used in security questions to gain access to your bank, we shouldn’t post them on social media, right? And furthermore, common security thinking right now is that everyone MUST be stopped from doing this, yeah?
WRONG!
Well, kinda… ideally I would like to see banks and other places that use security question authentication yeeted to the sun, and yeeted hard. It’s a terrible premise that only you will know your place of birth (social media), only you know your mother’s maiden name (birth certificates via Ancestry, anyone?), only you know your first pet’s name (potentially everyone you ever went to first school with, even loose acquaintances), so why do we do it?
One of my professors at Edinburgh Napier, Dr Peter Cruickshank, calls things like this security theatre: things that make us feel better and more secure but actually aren’t secure at all. You go through the rigmarole of a worse user experience in the hope that you’re actually benefiting from security, but actually it makes nothing better and worsens your experience.
So sadly some security thespians clearly like the theatre of security questions and will keep using them. Bummer. So I guess we’re screwed and we should stop sharing our lives then?
WRONG!
Imagine you somehow miraculously manage to keep all of your details well under wraps, and you’re the most security and privacy conscious person known to the planet. Well, there is one hugely insidious and unstoppable threat that may be overlooked - YOUR FAMILY!
I love my mum dearly. But her social media is my OPSEC fail! I think you can find out my favourite toy when I was a kid, how much I weighed at birth, all the things. And I never want her to stop doing it! This is why using security questions is so flawed: often you are not the only person who knows this information.
Yeah we get it. So what about the erroneous content part?!
Security questions aren’t going away any time soon. Now, we can try to hide information, but security by obscurity hardly ever works in the long term. We also don’t have to be truly honest with people. This is where I start my talk. Just make up things on social media. “I have a cat”, “I have a dog”, “My mother’s maiden name is Floopsy”. Overly Presenting Some Erroneous Content - OPSEC (ironically an erroneous expansion of the acronym)! We do it for sock accounts, so why not for ourselves? We could keep notes of everything to keep it believable!
Let’s do another: I love Marmite! As an aside, I do NOT love Marmite, I hate it! But in the run up to the talk I said I loved it loads all across my social media. I started the talk by eating a jar of it to make this erroneous tale stick. It was revolting. I downed half a bottle of red wine immediately after to get the taste out of my mouth - it certainly made the talk much more… interesting (apologies).
So I hope this tale shows the biggest flaw with Overly Presenting Some Erroneous Content. You may end up in a situation where you lie about your allergies to protect yourself from poisoning, even though this threat is next to non-existent. Instead, someone sees you love something you’re allergic to and makes it for you. You then die! A bit reductio ad absurdum, but I hope it gets the point across.
Really hammering home why this is not a great idea: now imagine how difficult and convoluted it is to remember all the lies you’ve told about yourself to protect yourself?! What if you meet someone online and you want to be friends offline? Won’t they find it weird that the connections they’ve made are essentially with someone who doesn’t exist?! It’s not really sustainable if you want to actually forge real connections with people online. You know, the social part of social media.
OK. So everyone knows our security questions again?!
So security questions aren’t going away soon, no matter how flawed they are. Keeping up a barrage of false facts online is very time consuming, prone to error, and a family member or friend could give everything away anyway. Also, if you hit a certain level of public notoriety, people will just start learning things about you anyway…
So instead of making things up, be as honest as you want to be on social media. Lie if you want, say things honestly if you want, I’m not your parent. But what I would urge you to do is not answer your security questions with any shred of accuracy. Make sure every answer you give to a security question is different for each company that asks it. But hang on… how do you keep track of these? Let’s take a detour into the world of passwords!
Don’t base passwords on things about you either
So, we know from the RockYou password breach and many other breaches that people tend to use favourite football teams or facts related to them as passwords. Since 2016, NIST and NCSC have championed the advice that the best passwords are a collection of random words, called a passphrase. Personally I don’t agree with the advice. While I agree that longer passwords are better, I believe it would have been better to spend the money they put into introducing the concept of passphrases on introducing the concept of password managers instead.
I love password managers. I have one on my phone, one on my laptop. I use KeePassX and Droidpass, so all the passwords are offline, and I manually transfer the passwords from one device to the other to keep them in sync. This works for me, but I’m sure it is too tedious for many. There are plenty of solutions that allow passwords to be shared across devices, though. Sean Wright has been advocating the use of Bitwarden and I’m looking forward to checking it out, tbh. Thanks to password managers, I don’t know any of my passwords except for my laptop login (which is the only place where I think the NCSC / NIST advice becomes handy), and because every password is unique and long, I know that if one gets breached it’s only one I need to change, and nothing I share on social media will compromise them.
OK but how can password managers help with security questions?
Well, let’s think about what a security question answer is… it’s essentially a passphrase. So why don’t we generate them randomly and store them in our password manager too?
One thing to bear in mind… if your bank asks what your favourite pet was called and you reply “£434mkdmfgsdl!!?”, don’t be surprised if the person on the phone waves you through even though every character is wrong. We have known since at least 2017 that scammers use social engineering tactics to get access to bank accounts. So although training exists to prevent passwords being given away, it would be human nature to assume it’s a computer error and allow access to the account on seeing that.
So how do we round this square peg? Well… RANDOM PLACES AND NAMES, OF COURSE!!!!
Use random name generators, random place generators, random school name generators, and make up your life for your security questions! Bonus points: get a few random results and then cobble them together to make truly unique ones!
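As an added example (my own illustration, not code from the talk), here is a small Python generator for the approach above: it builds pronounceable, phone-friendly fake names, places and schools from word lists, checks that an answer could be read aloud to a call handler, and produces one fresh answer per question per site ready to paste into a password manager’s notes. The word lists are constructed sample data; a real setup would use much longer lists, and `answer_bits` shows why list size matters.

```python
import math
import secrets

# Constructed sample word lists (made up for this example; a real generator
# would use lists of thousands of names and places for more entropy).
FIRST_NAMES = ["Arlo", "Bexley", "Corrin", "Dasha", "Elowen", "Fintan", "Greer", "Hollis"]
SURNAMES = ["Ashdown", "Brackley", "Carswell", "Dunmore", "Ellery", "Fairbank"]
PLACE_WORDS = ["Oak", "Mill", "Fen", "Cross", "Hollow", "Ridge", "Bridge", "Wold"]
SCHOOL_SUFFIXES = ["Primary", "Academy", "High School"]

def random_person() -> str:
    """Fictitious but plausible name (mother's maiden name, first pet, ...)."""
    return f"{secrets.choice(FIRST_NAMES)} {secrets.choice(SURNAMES)}"

def random_place() -> str:
    """Cobble two fragments together so the result matches no real town."""
    return secrets.choice(PLACE_WORDS) + secrets.choice(PLACE_WORDS).lower()

def random_school() -> str:
    """Made-up first school, built from a made-up place."""
    return f"{random_place()} {secrets.choice(SCHOOL_SUFFIXES)}"

GENERATORS = {"person": random_person, "place": random_place, "school": random_school}

# Size of the answer space for each kind with these (tiny) lists.
ANSWER_SPACE = {
    "person": len(FIRST_NAMES) * len(SURNAMES),
    "place": len(PLACE_WORDS) ** 2,
    "school": len(PLACE_WORDS) ** 2 * len(SCHOOL_SUFFIXES),
}

def answer_bits(kind: str) -> float:
    """Bits of entropy an answer of this kind carries; tiny lists give tiny numbers."""
    return math.log2(ANSWER_SPACE[kind])

def is_speakable(answer: str) -> bool:
    """True if a call-centre agent could read the answer back without trouble:
    only letters and spaces, so '£434mkdmfgsdl!!?' is rejected."""
    return answer != "" and all(c.isalpha() or c == " " for c in answer)

def entries_for_site(site: str, questions: list) -> list:
    """One fresh, speakable answer per (question, kind) pair for one site only;
    each dict is what you would paste into the password manager's notes."""
    out = []
    for question, kind in questions:
        answer = GENERATORS[kind]()
        assert is_speakable(answer)
        out.append({"site": site, "question": question, "answer": answer})
    return out
```

Run `entries_for_site` once per company so the same question never gets the same answer twice.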
Conclusion
So there we have it. You don’t need to make up stuff on social media if you don’t want to. Just make it up when typing in your security questions and store it in your password manager instead!
So why would you still want to make up details? Well, there are a lot of creepy people on the internet, and this is what I left my talk on. People may be able to work out your location using OSINT skills. I myself had a very harmless but unexpected encounter with someone who met me in the middle of the South Downs based on my posting my runs and where they thought I might be. Although I wasn’t that fazed by this, a woman feeling vulnerable might well have been. If I don’t want people to know my whereabouts but still want to post about runs etc., I normally delay the posts by varying time intervals so that I can’t be traced. Just one thing to bear in mind.
Thanks peeps - hope those that tuned in enjoyed the talk. I’ll post the video when it appears.