{"id":140427191,"date":"2021-04-26T15:51:00","date_gmt":"2021-04-26T15:51:00","guid":{"rendered":"https:\/\/danconn.dev\/blog\/2021\/04\/26\/isolation-con-2\/"},"modified":"2024-07-28T21:15:59","modified_gmt":"2024-07-28T21:15:59","slug":"isolation-con-2","status":"publish","type":"post","link":"https:\/\/danconn.dev\/blog\/2021\/04\/26\/isolation-con-2\/","title":{"rendered":"Isolation Con 2"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">The Many Hats Club return with Isolation Con 2, raising funds for Child&#8217;s Play, and I manage to talk about OPSEC (Overly Presenting Some Erroneous Content) there!<\/h2>\n\n\n\n<h1 class=\"wp-block-heading\">Cyberz 4 Gud<\/h1>\n\n\n\n<p>Stu Peck and The Many Hats Club, along with The Beer Farmers, and a fair few others in the cyber security industry, have really made my heart melt during lockdown. Putting on these online conferences and other things has been a way for us to get together, network and do some good during this difficult time. <\/p>\n\n\n\n<p>Last year\u2019s Isolation Con raised over \u00a310,000 for M\u00e9decins Sans Fronti\u00e8res and gave us a chance to get together, chat and hear some great talks, in a socially distanced manner, of course. These conferences have really helped, alongside my MSc studies, to broaden my knowledge and see what other cyber security opportunities there might be out there. <\/p>\n\n\n\n<p>This year\u2019s conference raised money for the awesome Child\u2019s Play charity. To quote the charity, \u201cChild\u2019s Play Charity delivers therapeutic games and technology directly to paediatric hospitals to improve patients\u2019 lives through the power of play\u201d. I think it\u2019s a fantastic cause to support. The Many Hats Club managed to raise just over $10,000 for them, which was an amazing achievement. Well done to everyone involved, and of course, the lovely sponsors. 
<br><br>There were so many great talks on the day and I\u2019m hoping to catch up on the ones I missed out on while prepping for my talk, once the videos get released. I also managed to DJ for the after party, which was awesome!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"809\" src=\"https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-07-57-30_0b2fce7a16bf2b728d6ffa28c8d60efb-1024x809.jpg\" alt=\"\" class=\"wp-image-147072332\" style=\"width:328px;height:auto\" srcset=\"https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-07-57-30_0b2fce7a16bf2b728d6ffa28c8d60efb-1024x809.jpg 1024w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-07-57-30_0b2fce7a16bf2b728d6ffa28c8d60efb-300x237.jpg 300w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-07-57-30_0b2fce7a16bf2b728d6ffa28c8d60efb-768x607.jpg 768w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-07-57-30_0b2fce7a16bf2b728d6ffa28c8d60efb.jpg 1080w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I also agreed that if we hit $14,000 then I\u2019d eat a whole jar of Marmite &#8211; yuk! Or was it yuk? I\u2019d spent the whole week prior mentioning how much I loved Marmite, which I guess is what the talk was about\u2026\u2026<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">The Talk: OPSEC (Overly Presenting Some Erroneous Content)<\/h1>\n\n\n\n<p>I\u2019ll be honest, a lot of this talk was me coming from a place of common sense (well, my common sense, others might say I\u2019m an idiot :D). I see a lot of \u201cadvice\u201d online about cyber security which basically works but, in my humble opinion, is a bit flawed. 
The \u201cadvice\u201d I\u2019m talking about tends to be the likes of \u201cNEVER use x\u201d, \u201cALWAYS do y\u201d, \u201cThis is ALWAYS a SERIOUS threat\u201d. Now I\u2019m sorry in advance if I, a lowly developer with an interest in cybersecurity, upset anyone, and if I\u2019ve actually missed something very obvious about why this advice is given. I also appreciate it\u2019s blanket advice designed to get one point across. The problem is that life is nuanced, so our responses should be too. Otherwise people will just switch off. We should say what we mean in an effective manner.<\/p>\n\n\n\n<p>A great example of this is around OPSEC: Operational Security. We learnt from my previous talk at <a href=\"https:\/\/danconn.substack.com\/p\/beercon-2\">BeerCon2<\/a> that OPSEC is a way of keeping military operational plans secret. Some people also use it in the civilian world (having never served, that\u2019s the only exposure I\u2019ve had to it). In the civilian world it often points towards personal privacy, and this is sometimes where things get a bit strange. <\/p>\n\n\n\n<p>I read somewhere to never reveal your date of birth because it could be used with other information to steal your money from your bank. Now it seems a good bit of general advice around privacy, and if followed, it certainly doesn\u2019t hurt. But if this was such a huge threat to EVERYONE, with hackers poised to instantly steal your money the moment they know your DoB, why don\u2019t celebrities, whose DoBs are widely known, get all of their money stolen every day? I worked with someone 10 years ago who had all of their money stolen from their bank account, and they had never revealed their DoB once. It\u2019s almost like there\u2019s more to it than meets the eye. 
I would probably say that educating people about services that monitor for loans, bank accounts and the like being opened with their details is far more useful than telling them to hide their date of birth.<\/p>\n\n\n\n<p>But that\u2019s one controversial example\u2026 you may be on board, you may not, so the focus of my talk was other examples of this \u201cadvice\u201d: NEVER sharing anything real about yourself on social media, EVER. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Close, but no cigar<\/h2>\n\n\n\n<p>So why don\u2019t we ever share any personal details about ourselves online? <\/p>\n\n\n\n<p><strong>SECURITY QUESTIONS AND PASSWORDS!<\/strong><\/p>\n\n\n\n<p>Well done! 50 points to you! The premise of this advice is that by revealing little-known facts about yourself, you let hackers guess your passwords and your secret security questions. You know the secret security questions: \u201cWhat\u2019s your favourite football team \/ pet \/ home city \/ maiden name?\u201d. And password leaks such as <a href=\"https:\/\/github.com\/josuamarcelc\/common-password-list\/tree\/main\/rockyou.txt\">RockYou<\/a> showed that people use their favourite football team and other personal information in their passwords too.<br><br>So if these things are used in security questions to gain access to your bank, we shouldn\u2019t post them on social media, right? And furthermore, common security thinking right now is that everyone MUST be stopped from doing this, yeah? <\/p>\n\n\n\n<p>WRONG!<\/p>\n\n\n\n<p>Well, kinda\u2026\u2026 ideally I would like to see banks and other places that use security question authentication yeeted to the sun, and yeeted hard. It\u2019s a terrible premise that only you will know your place of birth (social media), that only you know your mother\u2019s maiden name (birth certificates via Ancestry, anyone?), that only you know your first pet\u2019s name (when potentially everyone you went to first school with, however loosely acquainted, knows it too), so why do we do it? 
<\/p>\n\n\n\n<p>One of my professors at Edinburgh Napier, <a href=\"https:\/\/www.napier.ac.uk\/people\/peter-cruickshank\">Dr Peter Cruickshank<\/a>, calls things like this security theatre: things that make us feel better and more secure but actually aren\u2019t secure at all. You go through the rigmarole of a worse user experience in the hope that you\u2019re actually benefiting from security, but in fact nothing gets better, and your experience gets worse. <\/p>\n\n\n\n<p>So sadly some security thespians clearly like the theatre of security questions and will keep using them. Bummer. So I guess we\u2019re screwed then, and we should stop sharing our lives? <\/p>\n\n\n\n<p>WRONG!<\/p>\n\n\n\n<p>Imagine you somehow miraculously manage to keep all of your details well under wraps, and you\u2019re the most security and privacy conscious person on the planet. Well, there is one hugely insidious and unstoppable threat that may be overlooked &#8211; YOUR FAMILY!<\/p>\n\n\n\n<p>I love my mum dearly. But her social media is my OPSEC fail! I think you can find out my favourite toy when I was a kid, how much I weighed at birth, all the things. And I never want her to stop doing it! This is why using security questions is so flawed: often you are not the only person who knows this information. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Yeah we get it. So what about the erroneous content part?!<\/h2>\n\n\n\n<p>Security questions aren\u2019t going away any time soon. Now, we can try to hide information, but obscurity hardly ever works in the long term. We also don\u2019t have to be truly honest with people, and this is where I start my talk. Just make up things on social media: \u201cI have a cat\u201d, \u201cI have a dog\u201d, \u201cMy mother\u2019s maiden name is Floopsy\u201d. Overly Presenting Some Erroneous Content &#8211; OPSEC (ironically, an erroneous expansion of the acronym)! We do it for sock accounts, so why not ourselves! 
We could keep notes of everything to keep it believable!<br> <br>Let\u2019s do another: I love Marmite! &#8211; aside I do NOT love Marmite, I hate it! But in the run up to the talk I said I loved it loads all across my social media. I started the talk by eating a jar of it to make this erroneous tale stick true. It was revolting. I downed half a bottle of red wine immediately after to get the taste out of my mouth &#8211; it certainly made the talk much more\u2026. interesting (apologies). <\/p>\n\n\n\n<figure class=\"wp-block-gallery aligncenter has-nested-images columns-default wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image aligncenter size-medium\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"90\" data-id=\"147072334\" src=\"https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-15-57-31-61_0b2fce7a16bf2b728d6ffa28c8d60efb-300x90.jpg\" alt=\"\" class=\"wp-image-147072334\" srcset=\"https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-15-57-31-61_0b2fce7a16bf2b728d6ffa28c8d60efb-300x90.jpg 300w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-15-57-31-61_0b2fce7a16bf2b728d6ffa28c8d60efb-1024x307.jpg 1024w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-15-57-31-61_0b2fce7a16bf2b728d6ffa28c8d60efb-768x230.jpg 768w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-15-57-31-61_0b2fce7a16bf2b728d6ffa28c8d60efb.jpg 1080w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-medium\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"174\" data-id=\"147072335\" src=\"https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-03-31-82_0b2fce7a16bf2b728d6ffa28c8d60efb-300x174.jpg\" alt=\"\" class=\"wp-image-147072335\" 
srcset=\"https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-03-31-82_0b2fce7a16bf2b728d6ffa28c8d60efb-300x174.jpg 300w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-03-31-82_0b2fce7a16bf2b728d6ffa28c8d60efb-1024x594.jpg 1024w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-03-31-82_0b2fce7a16bf2b728d6ffa28c8d60efb-768x445.jpg 768w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-03-31-82_0b2fce7a16bf2b728d6ffa28c8d60efb.jpg 1080w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-medium\"><img loading=\"lazy\" decoding=\"async\" width=\"220\" height=\"300\" data-id=\"147072336\" src=\"https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-03-57-32_0b2fce7a16bf2b728d6ffa28c8d60efb-220x300.jpg\" alt=\"\" class=\"wp-image-147072336\" srcset=\"https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-03-57-32_0b2fce7a16bf2b728d6ffa28c8d60efb-220x300.jpg 220w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-03-57-32_0b2fce7a16bf2b728d6ffa28c8d60efb-751x1024.jpg 751w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-03-57-32_0b2fce7a16bf2b728d6ffa28c8d60efb-768x1047.jpg 768w, https:\/\/danconn.dev\/blog\/wp-content\/uploads\/2021\/04\/Screenshot_2024-01-08-16-03-57-32_0b2fce7a16bf2b728d6ffa28c8d60efb.jpg 1080w\" sizes=\"auto, (max-width: 220px) 100vw, 220px\" \/><\/figure>\n<\/figure>\n\n\n\n<p>So I hope this tale shows the biggest flaw with Overly Presenting Some Erroneous Content. You may end up in a situation where you lie about your allergies, to protect yourself from poisoning, even though this threat is next to non-existent. Instead, someone sees you love something you\u2019re allergic to and makes it for you. You then die! 
A bit reductio ad absurdum, but I hope it gets the point across. <\/p>\n\n\n\n<p>To really hammer home why this is not a great idea, now imagine how difficult and convoluted it is to remember all the lies you\u2019ve told about yourself to protect yourself?! What if you meet someone online and you want to be friends offline? Won\u2019t they find it weird that the connections they\u2019ve made are essentially with someone who doesn\u2019t exist?! It\u2019s not really sustainable if you want to actually forge real connections with people online. You know, the social part of social media.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">OK. So everyone knows our security questions again?!<\/h2>\n\n\n\n<p>So security questions aren\u2019t going away soon, no matter how flawed they are. Keeping up a barrage of false facts online is very time consuming, prone to error, and a family member or friend could give everything away anyway. Also, if you hit a certain level of public notoriety, people will just start learning things about you regardless\u2026..<\/p>\n\n\n\n<p>So instead of making things up, be as honest as you want to be on social media. Lie if you want, say things honestly if you want, I\u2019m not your parent. But what I would urge you to do is never answer your security questions with any shred of accuracy. Make sure every answer you give to a security question is different for each company that asks it. But hang on\u2026\u2026 how do you keep track of these? Let\u2019s take a detour into the world of passwords!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Don\u2019t base passwords on things about you either<\/h2>\n\n\n\n<p>So, we know from the RockYou password breach and many other breaches that people tend to use favourite football teams or other facts about themselves as passwords. 
In fact, since 2016 NIST and the <a href=\"https:\/\/www.nist.gov\/special-publication-800-63\">NCSC<\/a> have championed the idea that the best passwords are a collection of random words, a passphrase. Personally I don\u2019t agree with the advice. While I agree that longer passwords are better, I believe they would have done better to spend the money they put into introducing the concept of passphrases on introducing the concept of password managers instead. <br><br>I love password managers. I have one on my phone and one on my laptop. I use KeePassX and Droidpass, so all the passwords are offline, and I manually transfer the passwords from one device to the other to keep them in sync. This works for me, but I\u2019m sure it\u2019s too tedious for many. There are plenty of solutions that allow passwords to be shared across devices, though. <a href=\"https:\/\/blog.sean-wright.com\">Sean Wright<\/a> has been advocating the use of <a href=\"https:\/\/bitwarden.com\">Bitwarden<\/a> and I\u2019m looking forward to checking it out tbh. Thanks to password managers, I don\u2019t know any of my passwords except my laptop login (which is the only place where I think the NCSC \/ NIST advice becomes handy), and I know that because every password is unique and long, if one gets breached then it\u2019s only that one I need to change, and nothing I share on social media will compromise them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">OK but how can password managers help with security questions?<\/h2>\n\n\n\n<p>Well, let\u2019s think about what a security question is\u2026.. it\u2019s essentially a passphrase. So why don\u2019t we generate the answers randomly and store them in our password manager too?<\/p>\n\n\n\n<p>One thing to bear in mind\u2026\u2026 If your bank is wondering what your favourite pet was called and you reply \u00a3434mkdmfgsdl!!? 
well, don\u2019t be surprised if the person on the other end of the phone doesn\u2019t actually pull you up when every character is wrong. In fact we have known since <a href=\"https:\/\/www.csoonline.com\/article\/561177\/social-engineering-scam-targets-indian-call-center.html\">at least 2017 that scammers use social engineering tactics to get access to bank<\/a> accounts. So although training exists to prevent passwords being given away, it would be human nature for an agent who sees that to think it\u2019s a computer error and allow access to the account.<br><br>So how do we round this square peg? Well\u2026\u2026. RANDOM PLACES AND NAMES OF COURSE!!!!<br>Use <a href=\"https:\/\/www.randomlists.com\/random-names\">random name<\/a> generators, <a href=\"https:\/\/hiveword.com\/location-name-generator\">random place<\/a> generators and random <a href=\"https:\/\/www.fantasynamegenerators.com\/school-names.php\">school name<\/a> generators, and make up your life for your security questions! Bonus points &#8211; get a few random results and then cobble them together to make truly unique ones!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>So there we have it. You don\u2019t need to make up stuff on social media if you don\u2019t want to. Just make it up when typing in your security questions and store it in your password manager instead! <\/p>\n\n\n\n<p>So why would you still want to make up details? Well, there are a lot of creepy people on the internet, and this is what I left my talk on. People may be able to work out your location using OSINT skills. I myself had a very harmless but unexpected encounter with someone who met me in the middle of the South Downs based on my posting of my runs and where they thought I might be. Although I wasn\u2019t that fazed by this, a woman feeling vulnerable might well have been. 
If I don\u2019t want people to know my whereabouts, but still want to post about runs etc., then I normally delay these by varying time intervals to ensure that I can\u2019t be traced. Just one thing to bear in mind.<br><br>Thanks peeps &#8211; hope those who tuned in enjoyed the talk. I\u2019ll post the video when it appears. <br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Many Hats Club return with Isolation Con 2, raising funds for Child&#8217;s Play, and I manage to talk about OPSEC (Overly Presenting Some Erroneous Content) there!<\/p>\n","protected":false},"author":2,"featured_media":147072334,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55],"tags":[155,152,153,151,154],"class_list":["post-140427191","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-talks","tag-i-hate-marmite","tag-isolation-con-2","tag-online-safety","tag-opsec","tag-persec"],"_links":{"self":[{"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/posts\/140427191","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/comments?post=140427191"}],"version-history":[{"count":2,"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/posts\/140427191\/revisions"}],"predecessor-version":[{"id":147072337,"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/posts\/140427191\/revisions\/147072337"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/media\/147072334"}],"wp:attachment":[{"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/media?parent=140427191"}],"wp:term":[{"taxonomy":"category","embeddab
le":true,"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/categories?post=140427191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/danconn.dev\/blog\/wp-json\/wp\/v2\/tags?post=140427191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}