Full Report
Don't believe everything you read. Afraid of connecting to public Wi-Fi? Terrified to turn your Bluetooth on? You may be falling for "hacklore," tall tales about cybersecurity that distract you from real dangers. Dozens of chief security officers and ex-CISA officials have launched an effort and website to dispel these myths and show you how not to get hacked for real.…
Analysis Summary
# Main Topic
The emergence of "hacklore"—outdated or myth-based cybersecurity advice—and a coordinated effort by dozens of security leaders (including ex-CISA officials and CISOs) to dispel these myths and promote actionable, evidence-based security guidance through the website Hacklore.org.
## Key Points
- **Core Goal:** To separate cybersecurity myth from reality and replace misleading advice with practices that address how most modern compromises actually occur.
- **Timing:** The launch was timed to counter the surge of bad advice often seen before major shopping/travel events (e.g., Cyber Monday/holiday travel season).
- **Myth Debunking:** The effort specifically targets advice such as:
  - Avoiding public Wi-Fi.
  - Never scanning QR codes.
  - Not charging devices from public USB ports ("juice jacking" is noted as having no in-the-wild cases).
  - Turning off Bluetooth/NFC (unless the user is a high-value target).
  - Regularly changing passwords (noted as potentially leading to weaker passwords and password reuse).
  - Deleting cookies (noted as providing no meaningful security improvement or tracking prevention).
## Threat Actors
- No specific malicious threat actors or TTPs are mentioned, as the focus is on *defender* guidance rather than an active campaign.
- The primary "actors" discussed are the 86 security leaders spearheading the effort (e.g., Jen Easterly, Bob Lord, Geoff Belknap, Parisa Tabriz).
## TTPs
- N/A (The focus is on countering incorrect TTP advice, not reporting observed attacker TTPs).
## Affected Systems
- No specific systems are named; the guidance applies to consumer and enterprise devices generally, focusing on user behavior and organizational resilience rather than particular technology targets.
## Mitigations
The security leaders recommend focusing on mitigations rooted in reducing actual risks:
- Install software patches.
- Keep software up to date.
- Use strong passwords and passkeys.
- Enable Multi-Factor Authentication (MFA).
- **For organizations:** Build systems resilient to human error ("don't fail catastrophically").
- **For organizations:** Develop clear, simple reporting mechanisms for suspicious activity, and acknowledge reports without blaming the employee.
- **For software manufacturers:** Build secure-by-design software.
- **For software manufacturers:** Publish roadmaps showing progress toward secure software delivery.
- **For software manufacturers:** Use modern encryption protocols for network traffic.
- **For software manufacturers:** Commit to publishing complete, accurate, and timely CVE records.
## Conclusion
The threat landscape is characterized by outdated defensive advice overshadowing real risks. The immediate assessment is that organizations and individuals must pivot from folklore-based security practices (like avoiding public Wi-Fi entirely) to verifiable, high-impact measures such as patching, MFA, modern authentication, and systemic resilience. The push also emphasizes vendor responsibility in shipping secure software.