In cybersecurity, there is a phenomenon we rarely talk about, but that almost everyone has encountered. It’s called hacklore.

The term comes from a combination of hacking and folklore. It describes security advice that has been repeated so many times that it is perceived as truth, even though it does not necessarily reflect what the threat landscape actually looks like today.

The Hacklore.org project has collected many such examples and is trying to clear up old security myths. Their point is not that the advice is always wrong, but that much of it is exaggerated, outdated or simply misunderstood.

Many of these tips originated 10–20 years ago. The technology was different. The networks were different. The attacks were different. Yet the advice lives on in security courses, internal IT guidelines, media articles, onboarding presentations and LinkedIn posts with "warnings".

The result is that we often spend a lot of time on scenarios that almost never occur, while the most common attacks receive less attention.

 


 

Classic examples of hacklore

Most people have heard this advice:

  • Do not use public Wi‑Fi because hackers can steal your passwords.
    (Mobile providers have used this as an argument for why people should buy and use more mobile data.) This was a more genuine risk in the past. Today, almost all services use HTTPS, and browsers and apps will warn you if something is wrong. The risk still exists, but it is far smaller than many people think.
  • Do not charge your phone using a public USB port, as an attacker could steal everything on your phone.
    So-called juice jacking is technically possible, but very rare in practice. Modern phones also ask for permission before any data transfer takes place. The risk is therefore low, but it is still a simple precaution to use your own charger or a regular power outlet.
  • Turn off Bluetooth when you’re not using it.
    Bluetooth vulnerabilities have existed, but modern implementations are significantly more secure than before. For most users, this is now a relatively low risk.
  • You need to change your password frequently.
    This is a good example of advice that has actually been abandoned by many security authorities. Frequent password changes often result in weaker passwords and reuse. Today, long, unique passwords and MFA are recommended instead.

 


 

These are recommendations that still appear in many security programs. The problem is not that the attacks are impossible. The problem is that they are often not very realistic in practice. They are often theoretical attacks that work if "all the planets are aligned and it’s meatballs for dinner, etc." It takes an awful lot to exploit them. Modern technology has changed a lot since these attacks were more realistic:

  • HTTPS (encrypted traffic) is used almost everywhere
  • operating systems are more secure
  • apps run in a sandbox
  • browsers have better security mechanisms

Thus, many of the classic scenarios are far less relevant than they once were.

 


 

What attackers actually do

In practice, most attacks are much simpler. Attackers rarely use complicated technical methods if they can achieve the same result in an easier way. On assignments for customers, we rarely see advanced attacks on public networks. What we do see again and again is phishing, password reuse, and lack of MFA.

 

Typical entry points we see again and again are:

  • phishing
  • stolen or reused passwords
  • missing MFA
  • vulnerable software
  • misconfigured services


For an attacker, it is almost always easier to:

  • send a convincing phishing email
  • trick someone into logging in to a fake site
  • use leaked passwords


than to carry out advanced attacks against random users on an airport network.

 


 

When security advice becomes noise

Another problem with hacklore is that it creates security noise.

Users are often given long lists of rules:
  • do not use this network
  • do not charge your phone here
  • do not click there
  • do not install this

When the list gets long enough, it becomes difficult to know what actually matters. The result is often that users ignore the advice altogether.

 

Measures that actually have an effect

If the goal is to reduce risk, there are some measures that have a much greater effect than most others.

For most users, these are among the most important:

  • use long passwords and store them in a password manager
  • use strong and unique passwords or passkeys. Length is more important than complexity. "Jegerutroliggladikattenemine" is a much better password than "kj%#|€12".
  • enable MFA wherever possible
  • keep software and apps up to date
  • be aware of phishing, vishing, and other forms of social engineering


These are measures that directly address the most common attack methods.
It may not be as dramatic as stories about hackers on airport Wi-Fi, but this is where most attacks actually happen.
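
The length-versus-complexity point above can be checked with a rough search-space estimate. This is an added example, not part of the original article: it compares the two sample passwords under an exhaustive character search and, for the passphrase, under a word-guessing attacker. The 10,000-word list size is an assumption, and because the passphrase is a grammatical sentence rather than randomly chosen words, the word-based figure is an upper bound.

```python
import math
import string

# Character pools a brute-force attacker would have to include in the charset.
POOLS = [
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
]

LONG_PASSPHRASE = "Jegerutroliggladikattenemine"  # sample from the article
SHORT_COMPLEX = "kj%#|€12"                        # sample from the article
ASSUMED_WORDLIST_SIZE = 10_000                    # assumption, not from the article


def charset_size(password: str) -> int:
    """Size of the smallest union of pools covering every character used."""
    size = 0
    leftovers = set(password)
    for pool in POOLS:
        if leftovers & pool:
            size += len(pool)
            leftovers -= pool
    # Characters outside the ASCII pools (such as the euro sign) add one each.
    return size + len(leftovers)


def brute_force_bits(password: str) -> float:
    """log2 of the search space for an exhaustive character-by-character search."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(word_count: int, wordlist_size: int) -> float:
    """log2 of the search space when the attacker guesses whole words instead."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    print(f"short, complex (chars): {brute_force_bits(SHORT_COMPLEX):6.1f} bits")
    print(f"long passphrase (chars): {brute_force_bits(LONG_PASSPHRASE):6.1f} bits")
    # The passphrase is seven Norwegian words written without spaces.
    print(f"long passphrase (words): {wordlist_bits(7, ASSUMED_WORDLIST_SIZE):6.1f} bits")
```

Even under the word-guessing model the passphrase comes out well ahead of the eight-character password. Neither estimate applies once a password has been leaked or reused, which is why the list above also calls for unique passwords and MFA.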

 


 

A little less folklore

The point isn’t that old security advice is always wrong. The point is that cybersecurity is constantly changing. Advice that was good many years ago isn’t necessarily just as relevant today.

Perhaps the most important question we should ask ourselves more often is:
Which security measures actually reduce risk the most right now?

Maybe we should spend a little less time on hacklore and a bit more time on the attacks that actually happen.