May 4, 2019 3 min read

Informed Advice

Post discussing why giving security advice is not always as clear cut as a yes or no answer.

Informed Advice

Let me start this post off with sharing the poll which I put on Twitter:

Now let me be clear, my intention was not to gauge the security of wireless peripherals such as keyboards and mice, that is content for an entirely different topic (as well as the fact this is not my area of expertise). The goal of this poll was to gauge how we as an industry re-act to when a question is posed as to what is secure and what factors we take into play (and hence my request for a larger sample size). Most, if not all, security decisions around what represents a security risk and what doesn't is not black and white.

Security Risk

Risk is defined as a situation which involves exposing someone or something to danger. In context of a security risk this, this would involve exposing a victim to a situation where they are exposed to some sort of security related danger (where a bad guy can successful exploit their situation).

Now taking it back to the poll which I created. If I working in a crowded office, in a busy city, then certainly a wireless keyboard and mouse could pose a security risk. But what if I was working from home, out in the remote country side? Personally I do, and I think I would have bigger issues to worry about if I had a situation where an attacker is in the position to be able to exploit wireless devices.

Also, my question was vague for a reason, what type of wireless is being used? If Bluetooth the risk is usually only present when pairing the device (the connection is otherwise encrypted). What if the vendor encrypts the channel between the device and dongle?

Another factor is the threat model. What type of target are you, and who your threat actors are going to be? As an ordinary citizen I think that most would not have sophisticated threat actors after them. However a CEO of a large corporation could be a lucrative target, so their chances of someone trying to exploit them would be a lot higher than an ordinary citizen.

A final factor is the human factor in determining what is a risk, or an acceptable risk. We all have our own tolerance levels. What I might deem to be an acceptable risk, someone else might not. Personally I hate wires and love the fact that wireless devices do away with this, combined with the fact that I do live in a relative remote location I deem the risk to be minimal, if at all.

Other Observations

One encouraging thing I noticed about the poll, was the debate. It was great to see people from the community getting involved and sharing their ideas and knowledge on the matter. I'm by no means an expert on the matter, so I actually did learn a thing or two. It was actually a civilized debate on Twitter!

Conclusion

This whole idea came about the use of password books. I used to be firmly against the use of password books. I thought that they were a horrible idea and no-one should use them. And then I started seeing people post about them on Twitter and it made me realise I was wrong. Password books are OK to use in the right situations (remember security risk). If the book is kept at home, then it's fine (you would have bigger issues to worry about if someone got hold of it). If you are travelling, it would pose a significant risk.

While giving security advice, it is important to realise that your situation will most likely not be the same as others. So taking their situation into account needs to happen in order for the appropriate advice to be given.

Sean Wright
Sean Wright
Experienced application security engineer with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS and supply chain related subjects.
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Sean Wright.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.