I had a chain going about internet security and I thank everybody for the time and effort they put into responding - some good insights were gained.
Update on my interaction with Norton! I spent 4 hours on a chat line yesterday to try to get basic info about my accounts, renewable dates, costs etc. Extremely frustrating experience.
So in the other chain some responders recommended a company named ESET. I looked at their website and it does look pretty good and seems to be cost effective. With all the issues we have experienced or heard about with scamming, hacking, ID theft etc - I felt like it would be responsible to stay with a US based company. Here is the data on ESET:
Headquarters:
Bratislava, Slovakia
Founders:
Miroslav Trnka,
Rudolf Hrubý,
Peter Paško
Founded: September 17, 1992,
Czechoslovakia
With all the turmoil today, hacking, scamming etc - is this a wise, safe thing to do? Not trying to start a political discussion - just want to understand the risks!
Thanks for your insights.
Exec summary : About as safe as anything else. If you are Windows user, just stick with Defender. It's as good as anything else out there and doesn't cost extra.
You brought up the term 'risk'. That's the critical term in any discussion like this. In terms of risk, there are two possibilities. The risk of compromise by the software by a third party and the risk of the software itself being malicious.
In the case of the first risk, the software is likely no more or less risky than any other software package out there.
And in the case of the latter, you have to look at the cost analysis for the government or whoever is pushing it. And not in terms of what the company is making off of sales. Exploits cost money and time both to develop and deploy. Triggering and using an exploit carries the risk that the exploit will be exposed and then patched/corrected.
So the equation for whoever holds that exploit becomes one of risk vs. reward. If a software package with as wide a distribution as ESET is malicious whoever did so will want an equivalent payout worth the cost of 'burning' their advantage.
Odds are they aren't going to want to risk burning that that over users like us
Here's two real world scenarios that may help dial-in what might be considered when a nation state threat actor would consider burning access/exploit to that level:
You may have heard something a few years about about the Solarwinds hack. An external-to-the-company threat actor <cough china cough> compromised the Solarwinds software. Solarwinds has a huge install base within larger environments. Multiple thousands of companies use it. So the bad guys had access to literally thousands of corporate and government systems for months. They chose to only use their access against (if I remember correctly) only against ~200 or so though. Now, they were big targets - major technology firms, govt agencies like the DOJ, etc. I heard they even got access to Microsoft source code.
Against lesser targets they simply disabled the exploit and moved on. Against the primary targets, they went ahead and installed a second exploit and used /that/ to start stealing data and not the original vector. All that to minimize the risk of their first exploit getting popped.
The second scenario is still theoretical. As part of their plundering of Ukraine, Russia stole a lot of Ukrainian tractors. John Deere tractors. The kind that need to phone home on a regular basis. At the request of the Ukrainian government John Deere went in and completely disabled all the stolen tractors.
That's not the scenario. The scenario is all of the things that we get manufactured in China. For example, our solar panels. Thanks to the real world example with John Deere the discussion (finally) is "what will China be able to screw with if we ever go to war with them".
Now, if there is such a backdoor or exploit, China is not going to trigger it early. That will allow us to correct, patch, and otherwise reduce the impact. They are going to wait to pull the trigger for when it will have the maximum impact.
So, all that above distills down to the big players aren't going to come after us, as small time single computer users.
The ones we need to be more worried about are the crime gangs. The ones that are in it for a short term fast buck. And sure, while they may use some weakness in a software package to try and get into your system, they are more likely to use shotgun style attacks like sending a malicious email to millions of people or trying to re-use your password that you used on compromised site "whatever.com"* against other common websites you might have used.
Some of the best pieces of low hanging fruit to lower your risk are things like:
- Strong passwords. Dallas123 isn't cutting it. They don't have to necessarily be gibberish like S_q34D#$@. A good tactic is to take two to four words and string them together for a long password. Tossing in the occasional punctuation, capital letter, or number doesn't hurt.
This link explains it well and has made it into I think every password policy slidedeck - and for a good reason
https://xkcd.com/936/
- Don't reuse passwords on multiple sites
- Do not reuse those personal identifier question answers - you know. What is your mother's maiden name, what was your favorite restaurant in high school, etc. Use a different set of nonsense answers on each site.
- Use a password manager to keep it all straight. Or, if you have to, write them down in a notebook. Whatever you do, do not leave them on your system in an excel or text file called passwords.xls or passwd.txt. (Yes, I know that it's been drilled into our heads to never write down passwords, but again the game is risk management and it's lower there than password reuse or password.txt files)
- Keep an eye on your browser's password manager. They will give you at least some indication if the website has been compromised and therefore your password on that site might be exposed.
- While it's getting harder to distinguish them, still watch out for wack links or files in emails sent to you.
- No really, nobody legitimate will ever ask for your password, your credit card, or anything like that over the phone.
- Also, if there is any kind of pressure being exerted (you're computer is being attacked NOW, click here to clean it / You owe on taxes, if you don't submit payment in the next 3 days the cops are coming for you / etc / etc) it's very likely a scam.
- Back up your files. Figure out how much data you are willing to lose and set your strategy accordingly. f you need real-time protection (ie daily or sooner backups) a cloud based solution that keeps them backed up in real time for a monthly fee. But at the very least have an external drive that you plug in periodically and copy everything over... and then unplug it until it's time to back up the files again
- Keep your anti-virus software up to date. It almost doesn't matter which AV package you use, as they all are minimally effective nowdays but it's better than nothing and you can keep some of the older stuff from getting in. If you are using Windows, just use Windows Defender and save a few bucks. It's as good as anything else and has the advantage of being free as well as not being bloatcode.
(It's not that AV is ineffective in of itself. It's just that how it works traditionally is flawed. The bad guys keep banks of computers each with a copy of different AV packages on it. They will tweak their code until none of the AV packages detect it)
- Opt-in and use additional authentication (aka MFA) methods like text message verification wherever you can. Better if you can use something like Google or Microsoft Authenticator to generate your 2nd authenticator (that string of extra digits that websites ask for), but using text message is better than nothing.
- Contact your phone provider to put a lock or pin number on your account. With everyone moving to text message based MFA, the bad guys have gotten good at bribing, tricking, or flat out commiting violence against phone company agents in order to move your phone number to a new phone - one the bad guys control and therefore all the text messages now go to that. Here's a good article
https://www.experian.com/blogs/ask-experian/how-to-protect-yourself-from-sim-swapping/
- Lock/freeze your credit reports so that new credit lines can't be opened.
https://www.usa.gov/credit-freeze
- File your tax returns as soon as you can to reduce the window that the bad guys have to file a false tax return in your name.
* If you use the same password on multiple sites, there is a good chance that one of them has had it's password database compromised and that password is on an easily accessible list out there. The bad guys can simply take your email address, that exposed password, and try it against thousands of common sites to see what else they can get access to. The site
https://haveibeenpwned.com/ is a good (and legit) site to see where your email address might have compromised passwords associated with it.
