“The Hacker on Rachael Ray”


My dad’s an electrician. I’m a software security person. We know very little about the technical doings of the other.

Still… sometimes one of us tries to talk technical to the other.

Yesterday we were sitting around and Dad says there was a “hacker on Rachael Ray or Good Morning America.” He’s had time off from work lately (medical) and watches dangerous amounts of daytime TV.

The haxxor was touting a book, allowing me to find out it was Kevin Mitnick.

This is what my dad took away from his appearance…

1. “There’s some new thing… you’ve got your username, password, and this new thing. It’s an app with a value that changes every 10 seconds! It makes you unhackable.”

I pegged that as two-factor authentication, using Google Authenticator or Authy instead of just texts.

But touting 2FA as the be-all and end-all of app sec is really misleading. The very first app I was ever paid to audit had implemented 2FA half-assed. You could do client-side manipulation and bypass it altogether.
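Here is what that kind of half-assed 2FA typically looks like next to a version that actually enforces the second factor. This is an added example written for this post, not code from the audited app or from anything Mitnick describes; the user store, the `mfa_passed` request field and the session-dict shape are constructed stand-ins. The TOTP routine is a minimal RFC 6238 implementation (SHA-1, six digits, 30-second step) so the whole thing runs offline.

```python
import hashlib
import hmac
import struct

# Minimal RFC 6238 TOTP: SHA-1, 6 digits, 30-second step. Written for this
# example; use a maintained library (e.g. pyotp) in real code.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # Accept one step of clock drift either side; constant-time compare.
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False


# Constructed user store (hypothetical). The secret is the RFC 6238 test key.
USERS = {
    "alice": {"password": b"correct horse", "totp_secret": b"12345678901234567890"},
}


def vulnerable_login(username: str, password: str, request: dict) -> bool:
    """BAD: the client reports whether the second factor was satisfied.

    The page's JavaScript checks the code and then posts mfa_passed=true;
    the server believes it. Anyone with the password can post that field
    themselves (or rewrite the form in a proxy) and skip 2FA entirely.
    """
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(password.encode(), user["password"]):
        return False
    if request.get("mfa_passed") == "true":  # attacker-controlled input
        return True
    return verify_totp(user["totp_secret"], request.get("code", ""), request["now"])


# Hardened: the server keeps the login state machine. The password step only
# records a pending user; nothing the client sends can set "user" directly.
def hardened_login(username: str, password: str, session: dict) -> bool:
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(password.encode(), user["password"]):
        return False
    session.clear()
    session["pending_user"] = username  # password accepted, NOT logged in yet
    return True


def hardened_mfa(session: dict, code: str, now: int) -> bool:
    username = session.get("pending_user")
    if username is None:  # no password step in this session: refuse
        return False
    if not verify_totp(USERS[username]["totp_secret"], code, now):
        return False
    session.clear()
    session["user"] = username  # only this server-side path grants login
    return True


def is_authenticated(session: dict) -> bool:
    return "user" in session


if __name__ == "__main__":
    # Attacker knows alice's password but not her authenticator.
    print("bypass on vulnerable app:",
          vulnerable_login("alice", "correct horse", {"mfa_passed": "true", "now": 59}))
    s = {}
    hardened_login("alice", "correct horse", s)
    print("hardened, forged flag ignored:", is_authenticated(s))
    print("hardened, real code:", hardened_mfa(s, totp(USERS["alice"]["totp_secret"], 59), 59))
```

The check that matters during an audit is whether the authenticated state can be reached from the password step without the server itself having verified the code. If any request parameter, cookie value or hidden form field flips that state, the second factor is decoration.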

2. “A hacker can get your mother’s maiden name and Social Security number in twenty seconds online. He said that’s just really easy to do.”

Maybe if the person has been affected by a breach that got dumped. See Troy Hunt’s Have I Been Pwned website.

And, I get it, nowadays that’s most Americans. But it’s not like some government database is being accessed by these mythical haxxorz.

3. “You have to put tape over your webcam. Hackers can watch you any time, even if your computer is off.”

OK, I know the NSA-related lore and saw the Snowden movie. The average malicious operator needs a RAT on your computer to do this, though. An undetectable one if the target is running Kaspersky. And if you’re running Kaspersky you won’t be a real easy target.

So who are you that resources like that are going into compromising you?

The ‘even if your computer is off’ legend never made sense to me. Maybe fake sleep mode and run the webcam, somehow don’t make the little green light go on. But if there’s no battery or power source to the device? Come on.

I’ve never read any of Kevin’s stuff but this is what it seems like to me – Mitnick is to infosec as Michael Lewis is to investment banking.

Investment bankers don’t go to Michael Lewis for technical knowledge. Maybe for some history on stuff that happened in their field.

I get trying to scare the average person into buying your book and supposedly learning how to protect themselves. But I don’t respect or appreciate it.