Debunking FUD

Introduction

FUD stands for “Fear, Uncertainty, and Doubt,” and refers to fearmongering disguised as helpful advice. In this article, I aim to provide examples and reinforce how you can detect and debunk FUD. I will be focusing on a recent Forbes article that highlights NSA advice, more than five years old, on reducing breaches and cyber incursions on your mobile phone. ZDNet published a very similar article a month after Forbes.

In essence, what constitutes FUD and what doesn’t is highly situational and personal, depending heavily on the cybersecurity experts’ threat model or threat landscape.

Detecting FUD

Very few things are universally applicable. If the threat landscape or situation is not specified, one should carefully analyze whether it is FUD. The following essential hygiene items are a comprehensive list of generic, universally applicable advice that everyone should follow, regardless of the threat landscape or situation.

  • Keep all devices up to date
  • Use long (16 characters or longer is best) passwords everywhere, unique per site
  • Use MFA wherever it is offered
  • Be careful what you install on your devices
  • Be very careful about what links you click on and what attachments you open

Most people will also want to:

  • Lock their device with a PIN or a password
  • Maintain physical control over their devices, more for asset protection than security concerns. Most people can’t easily afford to replace a device if it is lost

Anything outside of that list that doesn’t specify the target audience or the specific situation is likely FUD.

Threat landscape and risk appetite

Let’s dive into the concept of threat landscape. This term captures the idea that a white, middle-aged male working as a middle manager in some nondescript company faces very few threats compared to an intelligence officer, a journalist investigating a repressive regime, or even just his female coworker. Who you are, your skin color, your gender, and your position in society all significantly impact what your threat landscape looks like.

Your threat landscape matters because security is all about striking a balance between security and convenience. With today’s technology, it is not possible to be secure without giving up some convenience. For example, it would be much more convenient not to have to enter a password or authenticate into your bank account, but allowing just anyone to access your bank account is a big problem. Therefore, you must sacrifice some convenience to ensure the security of your bank account.

Now, the balancing act is just how much convenience I need to give up to feel secure enough. This balancing act is where the threat landscape comes into play.

As I stated above, if you are an intelligence officer, such as an NSA field officer, you will have a vastly different threat landscape from the average person. The same applies to a journalist investigating an organization like the NSA, or to you if a state-sponsored intelligence agency is investigating you. People in these groups will have to tip the scale significantly more towards the security end, while the average person can safely tip the scale closer to the convenience end.

This is why accepting advice from the NSA, although it sounds good in theory, might be overkill for the average person.

Risk appetite also needs to be considered. Some people are more risk-averse than others. What is risky can be a very personal decision.

Specific advice

Every time you see someone talk about a threat or risk, make sure you understand specifically under what conditions this is a risk or threat. Using all available information, you need to decide if this is a risk or a threat under your threat landscape and if it exceeds your risk appetite. Never just assume someone else’s risk analysis.

I want to reiterate that I am speaking to general folks going about their daily lives. If your work has security policies, you should obviously follow those to the letter. If you are handling sensitive documents or visiting sensitive locations, follow the instructions regarding those documents and locations. If audio surveillance is a part of your risk registry or threat landscape, you are not what I would consider the general public.

Here are some specific myths that I will be busting.

A VPN makes you secure.

I busted this myth in the original article, but it bears repeating. Using a personal VPN does very little to make you secure, especially if the vendor isn’t reputable. There are valid use cases, but they have little to do with security for the general public. The biggest use case for VPNs is to allow employees secure access to the office network, and that has everything to do with securing the office and nothing to do with securing the employee.

In other words, the purpose of a VPN is to tunnel you into a specific network so that the connection is secure. If all you are doing is accessing a publicly available website, that connection is already secure, and a VPN will add nothing.

Public Wi-Fi

For 99.999999% of people and cases, public Wi-Fi poses zero dangers. There are no documented cases of any kind of breach simply by using public Wi-Fi. There might be some extreme corner cases that NSA operatives need to be concerned with, but the average public does not need to worry about those. There might be a one or two percent chance of privacy issues, but that’s the worst-case scenario.

Unknown removable media

Use your common sense here. One rule of thumb I sometimes teach is: If this were a sandwich, would you eat it? If you found a sandwich next to the removable media, would you eat it? If not, then why are you touching the removable media?

If you wouldn’t take food from a person, don’t take removable media from them. If you trust them to feed you, removable media from them is probably safe.

Rebooting your device

Their argument that rebooting your phone doesn’t harm it is very weak, to say the least. Sure, it is often a good idea to reboot all computing devices periodically, and your phone is a computing device. Still, it does nothing to enhance security for the vast majority of people. I’m sure conspiracy theorists could come up with many grand theories on why the NSA wants you to reboot your device frequently, and I doubt any of them would be about enhancing your security; however, I won’t entertain those here.

Disable Bluetooth

This will help your battery last longer, but the likelihood of it impacting your security one way or another is almost nonexistent.

The worst-case scenario I’ve heard of is pranksters connecting to Bluetooth speakers to mess with you.

Audio Surveillance

The jury is still out on whether the NSA, other intelligence agencies, or anyone else is performing mass audio surveillance (aka eavesdropping). I find it very curious, though, that the NSA is focusing on advice on how to stop audio surveillance.

I’ll let you decide whether to be worried about audio surveillance based on your threat landscape and risk appetite. I can tell you that this threat isn’t even on my radar, let alone in my threat model.

Conclusion

My conclusion is that the 2020 NSA infographic, referenced in Forbes and ZDNet articles in the fall of 2024, was intended for NSA employees rather than the general public. I find it hard to believe that the NSA doesn’t understand threat modeling and thinks this is helpful advice for the general public.
