Article Details
Scrape Timestamp (UTC): 2025-11-24 20:05:42.150
Source: https://www.theregister.com/2025/11/24/hacklore_launch/
Original Article Text
Ex-CISA officials, CISOs dispel 'hacklore,' spread cybersecurity truths

Don't believe everything you read.

Afraid of connecting to public Wi-Fi? Terrified to turn your Bluetooth on? You may be falling for "hacklore," tall tales about cybersecurity that distract you from real dangers. Dozens of chief security officers and ex-CISA officials have launched an effort and website to dispel these myths and show you how not to get hacked for real.

Hacklore combines hacking and folklore, and Hacklore.org "exists to separate myth from reality," instead providing useful tips about how to protect data and devices. Think: install patches, keep software up to date, use strong passwords and passkeys, and turn on multi-factor authentication, as opposed to avoiding public Wi-Fi and never scanning QR codes. Both of the latter made the list of outdated advice that security leaders want to retire. Those 86 security leaders include former CISA director Jen Easterly; ex-CISA senior advisor, former Yahoo CISO, and first-ever Democratic National Committee chief security officer Bob Lord; Microsoft Deputy CISO Geoff Belknap; ex-Uber CISO Joe Sullivan; Google Chrome VP Parisa Tabriz; and many, many others.

Lord spearheaded the effort, and he told The Register that a few factors shaped the timing of Hacklore.

"Some CISO friends routinely send me antique advice because they know it's a pet peeve, and a few weeks ago one of them shared an article that finally pushed me to start the site," Lord said. "More importantly, I've noticed growing support for retiring obsolete guidance altogether. And with the usual surge of bad cybersecurity advice that appears ahead of Cyber Monday and the holiday travel season, I set a deadline of today to counter it with guidance rooted in how the most common compromises actually occur."
Other pieces of outdated advice that the signatories want to see buried and gone include "don't charge devices from public USB ports" (they note that there are no in-the-wild "juice jacking" cases) and "turn off Bluetooth and near-field communication" (unless you're a high-value target such as a politician or government official, corporate exec, human rights defender, or journalist, wireless exploits are extremely rare). Additionally, clearing or deleting cookies isn't going to "meaningfully" improve security or stop trackers, and there's zero evidence that regularly changing passwords makes you safer. In fact, it often leads to weaker passwords and password reuse.

"This kind of advice is well-intentioned but misleading," the security leaders wrote. Instead, organizations should require phishing-resistant MFA, work on eliminating passwords altogether, and "build systems that don't fail catastrophically when people make mistakes - especially when they are victimized by malicious actors," they write.

Also recommended: develop clear, simple ways for employees to report suspicious digital activity, and acknowledge any reports quickly. Don't blame the employee, they add. If someone's mistake harms the company, the system is at fault and should have been designed to be resilient from the start, the letter said.

And perhaps unsurprisingly, since Lord helped lead CISA's Secure by Design software effort under Easterly's leadership, the group also has a message for software manufacturers: build secure-by-design software, and publish roadmaps showing how they will achieve the goal of shipping software without flaws. They also implore providers to use modern encryption protocols to protect network traffic, run bug bounty programs to incentivize security researchers, and commit to publishing "complete, accurate, and timely" CVE records for all software vulnerabilities.
"We urge communicators and decision-makers to stop promoting 'hacklore' - catchy but inaccurate advice - and instead share guidance that meaningfully reduces harm," they wrote.
Daily Brief Summary
A coalition of 86 cybersecurity leaders, including former CISA officials, launched Hacklore.org to combat outdated cybersecurity myths and promote effective security practices.
The initiative aims to replace "hacklore" with actionable advice, emphasizing patch installations, software updates, strong passwords, and multi-factor authentication.
Outdated advice, such as avoiding public Wi-Fi and frequent password changes, is deemed misleading and often counterproductive.
The site encourages organizations to adopt phishing-resistant MFA and develop systems resilient to human error, reducing the impact of employee mistakes.
The initiative calls for software manufacturers to build secure-by-design products and maintain transparency in vulnerability disclosures.
Security leaders urge a shift from catchy but inaccurate advice to guidance that genuinely mitigates cybersecurity risks.
The effort seeks to align cybersecurity practices with actual threat landscapes, particularly ahead of high-risk periods like Cyber Monday and holiday travel.