The $10 opportunity cost of shake-change-out-of-pockets hax

Behold! The most effective security awareness campaign since the last leaked celeb nudes.

I have to admit, I enjoy a good troll defacement. I always have, and I'm sure it's a character flaw of mine. The more elaborate and mysterious, the better. Spending $20 to clone a phone number and jack everything isn't quite that, but it's a great example.

At least 100 years ago, all of the old curmudgeons maintained a defacement blog. Attrition and a couple of others ran the ones I remember most vividly, because back in the bad good ol' days someone had to pay the bandwidth bill for hosting meme content.

Recently I received some pushback on my usual hard-authentication and credential-wallet bit/rant, which I give to everyone upon request. The usual goes: hey, here's your hardware token; if you're an open-source zealot, use KeePass; use 1Password if they're phone-primary or need an enterprise team that isn't beholden to a single all-in vendor cloud.

There's something for everyone in this pwning today, so I thought I would reiterate my order of operations for staying reasonably safe on the internet, at least until someone snatches your unsecured phone out of your hands.

  • Use strong auth. If no one can get your YubiKey or Titan key, they can't hoover down your entire digital footprint: your emails for the last decade, every shared office asset, and every text you ever sent, like today.
  • If hardware auth is too annoying or impractical for some reason, install the push-auth app for whichever cloud you like: Google, Microsoft, Amazon. They all have nation-state-resistant (probably) push authentication apps you could be using right now.
  • If the price of lunch is too much to pay for a standalone token and a multi-billion-dollar cloud security program is too restrictive, you can use the secure chipset that's likely already built into your phone and keep one-time-password seeds in a credential wallet. I usually just direct people to 1Password, which has the distinction of being the least lame for the longest period of time, my informal key metric for vendor excellence. If they want to fight about KeePass or LastPass or Dashlane, awesome, use that one. If you want to run Cisco's or IBM's or something, awesome. Do it, and use randomly generated complex passwords.

SS7 has been basically open-source telemetry and unencrypted comms since the '90s to anyone who's cared. If you've just gotta use SMS for authentication, have it roll over to something that supports strong platform auth, like Google Voice, at least until they smother the service in the night sometime for being unprofitable, as they tend to do. I try not to get into people's phone choices because it's usually a mess, so I aim for the lesser ask that they install an app or two when they're not on an issued and managed asset.

If you’re not familiar with defacement and other gremlin-style internet activity, there’s an unlimited amount to look at.
