Every day it seems like there’s a new breach, a password to reset, or vulnerability. The trouble with a lot of security news is that while a lot of it is important, there are also garbage stories that are big on scares and lacking in information. Let’s break down what’s worth paying attention to, and what you can ignore when you see it.
Much of this boils down to where you get your security news in general, and how much of it you’d like to read. If you’re an enthusiast or security professional, you probably have blogs and names you follow and trust. If you’re a layperson however, even a scary headline about a “vulnerability” disclosed by “security researchers” can seem like a reason to turn off your PC or call your internet provider to ask how you can protect yourself.
Don’t worry — a lot of security news, especially on general news sites, is generally recycled information from older publications, shallow reports without much detail, and in general not very informative. That’s not to say you shouldn’t sit up and pay attention sometimes, though, if the issue is serious enough. Here’s what you should look out for.
Security News that Everyone Should Pay Attention To
There are some types of news that everyone should sit up and take notice of. Usually this is because the news is actionable, as in you can do something to protect yourself and your data. Here are a couple of things you should always look into when you see people talking about them, or read a headline about them:
- Hacks and security breaches that require action, like password changes or stolen credit card information. Regardless of your level of tech-savvy, these are the headlines that should make you read deeper. If you see that a service you use or retailer you shop with has been hacked, you should learn as much as you can about it. If it’s a service you haven’t used in ages, change the password or close the account. Don’t rely on the retailer or web site to email you or contact you with more information — they may say they will, but never follow up on it, and at the end of the day, it’s still your responsibility to protect yourself. Make sure you change those passwords and monitor your credit reports and statements.
- Reports of identity theft at places you shop. This one’s a little more sinister. Whether you find out that the staff at a restaurant you used to frequent have been charged with stealing credit card numbers, or set up your own free credit monitoring system. Hacks may be ubiquitous, but when it hits home, you should pay just as much (possibly more) attention.
- Broad trends and security news from trusted, consumer-focused experts. Even laypeople should take a little time to explore how security tools work, which ones are generally recommended (and are well regarded) and which are more likely to cause more problems than they solve. Everyone should also learn, in general, how to protect their security and privacy online. This one’s tougher to pin down because who trust is an issue, but the bottom line is that any security researcher or professional whose background you can study and whose job it is to pay attention to the industry and distill it for consumers in an understandable way is a good source. Then, once you’ve found one source like that, find a few more, and read multiple opinions. You’ll do best here by sticking to technology-focused sites, as opposed to sites with huge names that seem to cover everything, like local news and weather. Consumer tech sites like PCMag, Cnet, and others with dedicated security editors are a good start.
The bottom line here is that the bare minimum everyone should pay attention to are the things that can directly affect you. Read up on the basics, and how to protect yourself from the threats that are already out there, and when something new turns up that you have some control over, or some way to protect yourself against, make sure you take notice.
You should still be sceptical of course. The same rules apply here as to anything else on the internet. Read more than one source, and don’t read too much into what any individual, company, or research group says. In many cases, a single researcher or “security team” will heavily publicize their own specific vulnerability or something they discovered as something way worse than it is, or even pimp a specific tool because that’s how they make money and get attention in the security community. That’s how the industry works — money and prestige go where the big, banner, scary threats and vulnerabilities are. That means you should take a lot of security news with a grain of salt, but still an open mind. Verify what you read with other good sources.
Security News that Enthusiasts Should Pay Attention To
If you’re an enthusiast, budding researcher, or you’re interested in security news and want to learn more than what you’ll hear on the occasional podcast or read on multipurpose consumer technology sites, then you’ll want to dig deeper. If that sounds like you, here are some things you should pay attention to:
- All of the above. Make no mistake, you shouldn’t slack on the basics just because you want to learn more, or you think you’re more than a layperson. You should, just as you would expect anyone else, change those passwords once a site you visit has been hacked, check your credit and finances to make sure someone’s not stealing your identity, and practice good internet hygiene.
- Specific industry trends and widely-encompassing issues like Heartbleed and Shellshock. Whether you’re an enthusiast or you’re just interested in learning more than what you’ll hear at a lot of news sites, following specific news about big security issues that aren’t actionable at a consumer level will reveal a lot. Vulnerabilities like Heartbleed, Shellshock, and the more recent StageFright aren’t exactly anything the average consumer can do anything about, so for many there’s no need to scare them about something they can’t protect themselves from (or there’s little evidence is being exploited in the wild.) Experts don’t want to live under that cosy blanket, so it’s worth reading up on their causes, scale, and how the industry reacts. You learn a lot about security (and real world business practices) that way, which can take a lot of the wind out of the hype sails in those bombastic headlines elsewhere on the web. It’s incredibly informative to learn how vulnerabilities work, where the vulnerability is really rooted, how difficult it is to fix, and what has to be done to resolve it.
- Independent security findings and publications from trustworthy threat response experts. A lot of things fall into this category, but this is the line where everyday tech consumers generally don’t cross. On one side is the world where you generally focus on using your technology to communicate, work, and play, and on the other is where you read and keep up with security news. This side of the line is where you subscribe to updates from The US Computer Emergency Readiness Team (US-CERT) but also understand that they’re fairly conservative in scope, and bookmark sites like ThreatPost and Dark Reading for more. You pay attention to antivirus test results from AV Comparatives and AV Test, and you trust the opinions of people like Bruce Schneier and Brian Krebs, and turn to them for thoughts when you hear about a scary new “vulnerability.” You listen to podcasts like Security Now every week.
If you’re reading Lifehacker, it’s a semi-safe bet that you fall into at least some of the above. You may prefer to only sit up and take notice when something important comes along, but you also like being an educated, informed user of your technology. Take or leave parts of both groups as you see fit — the only thing that will happen is you’re a more educated, informed user as a result.
Security News that’s Safe for Everyone to Ignore
In general, if it’s actual security news, you shouldn’t ignore it. However, the problem is that a lot of sites package old vulnerabilities, long-patched issues, and super-old hacks as security “news” in order to get your clicks and your views. For example, this CNBC piece we mentioned earlier is just awful. It regurgitated an ancient, long-patched exploit by a security “research firm” that’s well known for over-the-top reports in an article that’s almost completely devoid of any useful information whatsoever.
This piece, while at least more current, also addresses a vulnerability that’s already patched, never exploited, and affects a tiny subset of devices (incidentally, using information from the same research firm.) Those are the kinds of reports you have to take with a grain of salt: Where the “exploit” or “vulnerability” is so vague and obscure that it affects no one, is a proof of concept, isn’t in the wild, requires some insane level of access or direct contact, or is more or less preliminary research from a security firm trying to make a name for itself.
This isn’t always the fault of the researchers, either — like with science, often security reporting is a rush to get alarming, shareable headlines. That means sometimes today’s promising research into an attack vector can be tomorrow’s plastered headline that claims all phones everywhere are vulnerable to an exploit….and in small print buried in the article that it was patched three years ago, only affects devices with certain versions of certain software, and oh, it also requires physical access for weeks to crack.
Long story short, your BS sensor is your best friend. If you see a story widely reported but never followed up on, if you read about a vulnerability but there’s only one expert talking about it in every article you find, or the vulnerability is being publicized by a specific company with their own products to sell, get your salt shaker ready. Corroborate what you read, look for what you can do to address the issue (or if it’s already been addressed), and when in doubt, find sources you can trust, like some of the ones we linked above. In no time at all you’ll be able to separate the security wheat from the scaremongering chaff.