Dex — the security & hacking glossary
Plain-language definitions of the cybersecurity, cryptography, and hacking terms you keep running into — the acronym soup decoded, and a reference of well-known APT groups with their common aliases. Written by the team building Secretus.
Core concepts
The foundational ideas the rest of security builds on.
- Attack surface
- The total set of points where an attacker could try to enter or extract data from a system. Reducing it — fewer servers, less stored data, shorter retention — is one of the most reliable defenses.
- Defense in depth
- Layering multiple independent controls so that no single failure is catastrophic. If one layer is bypassed, another still stands.
- End-to-end encryption— E2EE
- Encryption where only the communicating endpoints hold the keys, so no server, network provider, or platform in between can read the content. Data is encrypted before it leaves the sender's device and decrypted only after it reaches the recipient's.In Secretus: Every Secretus secret is encrypted in the sender's browser and decrypted in the recipient's; our servers never receive plaintext or decryption keys.
- Ephemeral
- Existing only briefly, then gone. An ephemeral message or key is designed to disappear after use rather than persist — the opposite of email and chat, which retain everything by default.
- Forward secrecy— PFS — perfect forward secrecy
- A property where compromising a long-term key does not expose past sessions, because each session uses fresh, ephemeral keys that are discarded afterward. Recording today's traffic and stealing the key tomorrow still doesn't decrypt it.
- Key exchange— key agreement
- The process by which two parties who have never met establish a shared secret key over an untrusted channel, without ever transmitting the key itself. The security of an encrypted channel usually hinges here.
- Metadata
- Data about data: who talked to whom, when, how often, and how big the message was — even when the content itself is encrypted. Metadata frequently reveals more than people expect.
- Plaintext / Ciphertext
- Plaintext is the readable original data; ciphertext is its encrypted, scrambled form. Encryption turns plaintext into ciphertext with a key; decryption reverses it with the matching key.
- Threat model
- An explicit statement of who you're defending against, what they can do, and what you're protecting. Good security starts here — 'encrypted' is meaningless until you say against whom.
- Zero-knowledge architecture
- A system design in which the service provider cannot read the data it stores or transmits, because it never holds the keys. Often used loosely; the meaningful version is a precise statement of what the servers do and don't see.In Secretus: For Secretus this means one thing specifically: servers do not receive plaintext secrets or decryption keys.
Cryptography
The maths that turns readable data into protected data.
- AES— Advanced Encryption Standard
- The dominant symmetric cipher, standardized by NIST in 2001. AES-256 (256-bit key) is the common high-security choice; the GCM mode adds authentication so tampering is detected. Considered secure against classical and, for the key sizes used, quantum brute force.In Secretus: Async secrets are protected with browser-side AES-256-GCM.
- Asymmetric encryption— public-key cryptography
- A scheme with a keypair: a public key that anyone can use to encrypt (or verify), and a private key that only the owner uses to decrypt (or sign). Solves the key-distribution problem symmetric crypto has.
- Diffie-Hellman— DH / ECDH
- The original public key-exchange method (1976): two parties derive a shared secret over a public channel. ECDH is the elliptic-curve variant — faster and smaller. Its security rests on the discrete-logarithm problem, which Shor's algorithm would break.
- Double Ratchet
- An algorithm (popularized by Signal) that combines a symmetric-key ratchet with a Diffie-Hellman ratchet, giving forward secrecy and post-compromise recovery across an ongoing conversation.
- Hash function
- A one-way function that maps any input to a fixed-size fingerprint (digest). Good hashes (e.g. SHA-256) make it infeasible to reverse the input or find two inputs with the same digest. Used for integrity, signatures, and password storage.
- HKDF— HMAC-based key derivation
- A standard function that turns raw shared-secret material into one or more cryptographically strong keys of the right size and separation. Common as the final step after a key exchange.
- HMAC
- A keyed hash used to prove a message is authentic and untampered: only someone with the shared key can produce a valid tag. Distinct from encryption — it protects integrity, not confidentiality.
- Hybrid key agreement
- Combining a classical key exchange (like ECDH) with a post-quantum one (like ML-KEM), feeding both into a key-derivation function. An attacker must break both to recover the session key — hedging against either scheme being weakened.
- ML-KEM— Kyber, FIPS 203
- Module-Lattice Key-Encapsulation Mechanism — a post-quantum key-exchange scheme standardized by NIST in 2024 (formerly CRYSTALS-Kyber). Its security rests on lattice problems for which no efficient quantum algorithm is known. ML-KEM-768 is the mid-strength parameter set.In Secretus: Maximum Security mode adds ML-KEM-768 hybrid post-quantum key agreement to protect against harvest-now-decrypt-later risk.
- Nonce / IV— initialization vector
- A number used once per encryption to ensure that encrypting the same plaintext twice yields different ciphertext. Reusing a nonce with the same key can catastrophically break modes like AES-GCM.
- Post-compromise security— PCS, self-healing
- The property that a conversation can recover secrecy after a key compromise, once fresh key material is exchanged. A general goal of ratcheting protocols; strong claims about it require careful analysis or audit.
- Ratchet— symmetric ratchet
- A construction that derives a fresh key for every message and then discards the material needed to recompute past keys, so a later compromise can't decrypt earlier messages. A core idea behind modern secure messaging.In Secretus: Maximum Security uses a per-direction symmetric ratchet so each message gets its own key.
- RSA
- A classic public-key algorithm (1977) based on the difficulty of factoring large numbers. Still widely deployed, but vulnerable to a large enough quantum computer running Shor's algorithm — which is why the industry is migrating key exchange to post-quantum schemes.
- Salt
- Random data added to a password before hashing so that identical passwords produce different hashes, defeating precomputed 'rainbow table' attacks. Stored alongside the hash.
- Shamir's Secret Sharing— SSS, k-of-n
- A 1979 scheme (by Adi Shamir) that splits a secret into n shares so that any k reconstruct it, while k−1 shares reveal mathematically nothing. Used to remove single points of failure for high-value keys.In Secretus: Team Split runs Shamir's Secret Sharing k-of-n, creating and reconstructing shares client-side, with share material living in URL fragments rather than server storage.
- Signal Protocol
- The widely respected messaging-security protocol used by Signal, WhatsApp and others, combining X3DH key agreement with the Double Ratchet algorithm. Often referenced as the benchmark for end-to-end encrypted messaging.
- Symmetric encryption
- Encryption that uses the same key to encrypt and decrypt. Fast and used for bulk data, but both sides must somehow share the key securely first.
- X3DH— Extended Triple Diffie-Hellman
- A key-agreement protocol that lets two parties establish a shared secret and authenticate each other using published prekey bundles — even if one party is offline when the other initiates.
Attacks & threats
How adversaries actually get in — and get your secrets.
- Brute force
- Systematically trying every possible key or password until one works. Made infeasible by sufficient key length and slow, salted password hashing.
- Credential stuffing
- Automatically trying username/password pairs leaked from one breach against many other sites, exploiting password reuse. Cheap, scalable, and defeated mainly by unique passwords plus MFA.
- Harvest now, decrypt later— HNDL, store-now-decrypt-later
- Recording encrypted traffic today to decrypt it in the future once quantum computers can break the key exchange. No decryption is needed now — only storage and patience. A live threat for anything with a long secrecy lifetime.In Secretus: Maximum Security adds ML-KEM-768 hybrid post-quantum protection specifically against harvest-now-decrypt-later risk.
- Man-in-the-middle— MITM, on-path attack
- An attacker secretly positioned between two parties, relaying and possibly altering traffic while each side believes it's talking directly to the other. End-to-end encryption with authentication is the defense.
- Phishing
- Tricking a person into revealing credentials or running malware, usually via a fake email, message, or login page that impersonates a trusted party. Still the single most common initial-access technique.
- Privilege escalation— PrivEsc, LPE
- Turning limited access into higher access — from a normal user to administrator/root, or from one account into another's. Often the step between initial foothold and full compromise.
- Ransomware
- Malware that encrypts a victim's files (and increasingly exfiltrates them first) then demands payment for the key. 'Double extortion' adds the threat of leaking the stolen data publicly.
- Replay attack
- Capturing a valid message or token and re-sending it later to impersonate the original sender or repeat an action. Defended with nonces, timestamps, and sequence numbers.
- Side-channel attack
- Extracting secrets from a system's physical behavior — timing, power draw, electromagnetic emissions, cache effects — rather than breaking the algorithm itself.
- Social engineering
- Manipulating people rather than technology — pretexting, urgency, authority, help-desk impersonation — to obtain access or secrets. The human layer is often the softest target.
- Spear phishing
- Targeted phishing tailored to a specific person or organization using researched details (names, projects, vendors) to appear legitimate. Whaling is spear phishing aimed at executives.
- Supply chain attack
- Compromising a trusted upstream dependency — a software library, build system, or vendor — to reach that supplier's many downstream customers at once. SolarWinds and XZ Utils are canonical examples.
- Watering hole
- Compromising a website the intended victims are known to visit, so the malware is delivered to them indirectly through a site they already trust.
- Zero-day— 0-day
- A vulnerability unknown to the vendor (and thus unpatched) at the time it's exploited — defenders have had 'zero days' to fix it. Highly valuable to attackers precisely because no patch exists.
Abbreviations
The acronym soup, decoded.
- APT— Advanced Persistent Threat
- A well-resourced, stealthy adversary — usually state-linked — that gains long-term access to a target and pursues strategic goals (espionage, sabotage) over months or years rather than a quick smash-and-grab.
- C2— C&C, command and control
- The infrastructure an attacker uses to communicate with and control compromised machines — issuing commands and receiving stolen data. Detecting C2 traffic is a core defensive goal.
- CVE— Common Vulnerabilities and Exposures
- A public catalog assigning each disclosed vulnerability a unique identifier (e.g. CVE-2024-3094), so everyone refers to the same flaw unambiguously.
- CVSS— Common Vulnerability Scoring System
- A standard 0–10 severity score for vulnerabilities, factoring in how easily and how severely a flaw can be exploited. Helps teams prioritize patching.
- DDoS— Distributed Denial of Service
- Overwhelming a service with traffic from many sources so legitimate users can't reach it. About availability, not data theft — though sometimes used as a smokescreen.
- EDR— Endpoint Detection and Response
- Software on endpoints (laptops, servers) that monitors behavior to detect, investigate, and respond to threats that slip past prevention. XDR extends this across more data sources.
- IAM— Identity and Access Management
- The discipline and tooling for controlling who can access what — identities, roles, permissions, and their lifecycle. SSO and MFA live here.
- IOC— Indicator of Compromise
- A forensic artifact suggesting a breach — a malicious file hash, IP address, domain, or registry key — shared so others can detect the same intrusion.
- MFA / 2FA— multi-factor / two-factor authentication
- Requiring more than just a password — something you have (a code, security key) or are (biometric) — so a stolen password alone isn't enough. TOTP apps and hardware keys are common second factors.In Secretus: Secretus accounts support TOTP-based multi-factor authentication.
- OSINT— Open-Source Intelligence
- Intelligence gathered from publicly available sources — social media, public records, leaked databases, code repos. The reconnaissance backbone of both attackers and defenders.
- PII— Personally Identifiable Information
- Data that identifies a specific person — name, email, ID number, address. Its handling is governed by laws like GDPR, and it's a prime target in breaches.
- RAT— Remote Access Trojan
- Malware giving an attacker covert remote control of an infected machine — keystrokes, files, camera, microphone — typically communicating back to C2 infrastructure.
- RCE— Remote Code Execution
- A vulnerability that lets an attacker run arbitrary code on a target over the network — one of the most severe classes, since it typically means full control.
- SIEM— Security Information and Event Management
- A platform that aggregates and correlates logs and events across an organization to detect, alert on, and investigate security incidents.
- SOC— Security Operations Center
- The team (and facility) that monitors, detects, and responds to security events around the clock. Not to be confused with SOC 2, an auditing standard for service organizations.
- SQLi— SQL Injection
- Injecting malicious SQL through unsanitized input to read, alter, or destroy a database. A decades-old class still causing breaches; parameterized queries are the fix.
- TTP— Tactics, Techniques and Procedures
- The characteristic behavior of a threat actor — how they operate at each stage — catalogued in frameworks like MITRE ATT&CK. Harder for attackers to change than a mere IP or hash.
- WAF— Web Application Firewall
- A filter in front of a web app that inspects HTTP traffic to block common attacks like SQLi and XSS before they reach the application.
- XSS— Cross-Site Scripting
- A web flaw where an attacker injects malicious script into a page other users view, running in their browser session to steal data or tokens. Mitigated by output encoding and Content-Security-Policy.
APT groups
Well-known state-linked and organised threat actors, with their common aliases.
- APT1— Comment Crew, PLA Unit 61398
- A Chinese group whose large-scale intellectual-property theft was detailed in a landmark 2013 Mandiant report that publicly tied the activity to a specific military unit — a turning point in threat attribution.
- APT10— Stone Panda, MenuPass
- A Chinese espionage group known for 'Cloud Hopper' — compromising managed service providers to reach their clients downstream, a supply-chain approach to mass espionage.
- APT28— Fancy Bear, Sofacy, Sednit
- A long-running espionage group widely attributed by Western governments to Russian military intelligence (GRU). Known for targeting governments, militaries, and political organizations, including high-profile election-related intrusions.
- APT29— Cozy Bear, Midnight Blizzard, The Dukes
- A stealthy espionage group widely attributed to Russia's SVR foreign-intelligence service. Associated with the SolarWinds supply-chain compromise and sustained, patient intrusions into government and tech targets.
- Charming Kitten— APT35, Mint Sandstorm, Phosphorus
- A group attributed to Iran, focused on espionage against journalists, academics, activists, and government targets, frequently using elaborate social-engineering and fake personas.
- Equation Group
- A highly sophisticated actor widely linked in public reporting to the U.S. NSA, known for advanced implants and firmware-level persistence. Some of its tools later leaked publicly, fueling other attacks.
- Kimsuky— Velvet Chollima, APT43
- A North Korea-attributed group specializing in intelligence collection against think tanks, foreign-policy experts, and researchers, largely through spear phishing and credential theft.
- Lazarus Group— APT38, Hidden Cobra
- A group attributed to North Korea, notable for blending espionage with financially motivated operations — bank heists, cryptocurrency theft, and the 2017 WannaCry ransomware outbreak.
- OceanLotus— APT32
- A group attributed to Vietnamese interests, targeting foreign companies, dissidents, and governments across Southeast Asia, often via tailored phishing and watering-hole attacks.
- Sandworm— Voodoo Bear, APT44
- A destructive group attributed to Russian military intelligence, linked to attacks on Ukraine's power grid and the NotPetya wiper (2017), one of the costliest cyberattacks in history.
- Turla— Snake, Venomous Bear
- A technically advanced espionage group attributed to Russia, known for novel techniques including satellite-based command-and-control and long-term intrusions into government and diplomatic targets.
- Wizard Spider
- A financially motivated cybercrime group behind the TrickBot malware and Ryuk/Conti ransomware operations, responsible for widespread extortion against enterprises and healthcare providers.
Put the theory to work
Share a password or file with end-to-end encrypted, one-time links — free, no account needed.
