Opinion POTWR 2019 Vol 6: Internet Security Basics

Status
Not open for further replies.
Installing one will force you to uninstall the other. Too many cooks in the kitchen.

Maybe that should change? Or have one solution where competing interests (tech companies or governments) share development and oversight?
 
Not sure how that could work. Even one antivirus can cripple your computer trying to run legit software where you cannot even do anything because it's consuming all your CPU/RAM etc. resources. I ran into a problem where I suspect my antivirus was uploading a gigantic file even though I set it not to upload those "anonymous" files where it severely increased the time it took to download a normal work related file. Talking normal download time: 1.5 hrs vs. screwy download time: 5-6 hrs.
 
Not sure how that could work.

Sorry, if your answer explained why then it went over my head. For all I know though it couldn't. But my thinking is that everyone's gonna wanna keep their side safe so at least one party has an interest in pointing out anything they deem malicious.
 
I believe anti-virus increases the attack surface.

It can, maybe I should have been more clear about running a good one.

If you're doing any sketchy stuff on the web at all such as downloading questionable content or going to less than reputable websites you absolutely need something, all it takes is one bad download to fuck your world up. I recommend Avast. Commercial version of Trend Micro is also good. Some things like Norton and Symantec are like malware themselves as with their resource hogging and upgrade fees but even those are probably better than nothing, depending on how you're using the internet.

FWIW that's a rule I don't follow myself, because an ounce of prevention is worth a pound of cure -- I basically only use my PC to go to sites like stack overflow or YouTube and only download from places like GitHub so I take a calculated risk and use no AV.



I hate Windows Defender with a passion, we are forced to use it at work and it is such a major resource hog it's constantly hogging all my disk I/O. They should rename it Malware Service Executable and be done with it. It's not surprising it's vulnerable to some RCE bug given how zealously it reads files.

That said, it's one thing for a team of elite hackers (employed by Google) to find these vulnerabilities, it's another for them to be found and implemented in a meaningful way by some bad actor.


Article was behind a paywall but NK cobbled together some spyware designed to look like an antivirus program and that got on the S. Korean network on a computer left unattended but connected to the internet for a year? Lol, bureaucracy at its finest.


Yeah, definitely don't use Symantec. But overall for the majority of users it's better to have anti-virus than not. Remember when anti-virus screws up it's a big enough deal to make the news. When someone without anti-virus screws up and downloads the wrong thing and fucks up their life for a bit it doesn't make the news because that's way more common so that's what most people should be more concerned about imo.
 
In many years of using internet and antivirus software, the worst I had detected was potentially visiting some phishing/malware website and antivirus blocked my visit attempt or some worm detection before I got the router. I'm not even sure if my antivirus is so good or my disabling javascript and not clicking suspect email links or attachments is what's to be credited. When I used floppy disk at university and home, I did detect a virus on it once. It probably got infected via university computer that was probably infected. Because of this, I am reluctant to plug in someone else's flashdrive into my computer.

I heard of someone having random excerpts of various Word docs emailed to people in his email address book. I had spam email from spoofed or fake email sender addresses from my email contacts with suspect links.
 
What are your guys' thoughts on: https://haveibeenpwned.com/ ?

Is it worth it for people to use that, or should they just change up their shit if they are concerned enough that they would check that site in the first place?

LOL.

Hits on that site: AntiPublic Combo List, Collection#1, ExploitIn, Rivermedia, SpecialK, Verifications and Myspace.

Worried? Meh.

Because the DoD had their Human Resources Command hacked not once but TWICE.
 
Could anti-virus software police each other? For example, instead of relying on one program you have three of them. Among the outside attacks they'd keep the others in check.
They tend to fight each other and degrade performance.
 
@laz0001 What is stopping people from making off-site backups of their data, say, external hard drive?
 
@Cubo de Sangre Also, ever tried to add new hardware to a machine with multiple anti-virus programs running?

What are your guys' thoughts on: https://haveibeenpwned.com/ ?

Obviously it's a security risk to do what everybody does there, which is enter both usernames and passwords they have used, to check if they have been compromised. But on the other hand the site is very high-profile and the man behind it is very publicly forthcoming, and if he was lying or being sneaky, it would already have been exposed.

Is it worth it for people to use that, or should they just change up their shit if they are concerned enough that they would check that site in the first place?
Your best bet if you suspect anyone may have your info is to change all your passwords immediately.
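
On the concern about typing passwords into the site: its Pwned Passwords range API accepts only the first five hex characters of the password's SHA-1 hash, and the match is done on the client. The sketch below is an added example, not part of any post in this thread; `fake_range_server` and the `BREACHED` data are constructed stand-ins so it runs offline.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password and split it into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

# Constructed sample data: passwords and counts are made up for this example.
BREACHED = {"password123": 251682, "hunter2": 17043}

def fake_range_server(prefix):
    """Local stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    It only ever sees the 5-character prefix and answers with every
    'SUFFIX:COUNT' line it knows that shares that prefix.
    """
    lines = []
    for pw, count in BREACHED.items():
        p, suffix = split_hash(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)

def pwned_count(password, query=fake_range_server):
    """Return how many times the password appears, without sending it."""
    prefix, suffix = split_hash(password)
    body = query(prefix)  # the prefix is the only value that leaves the machine
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:  # comparison happens locally
            return int(count)
    return 0

if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple"):
        print(repr(pw), "seen", pwned_count(pw), "times")
```
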
 
@laz0001 What is stopping people from making off-site backups of their data, say, external hard drive?

For what purpose? Just backup? For personal use, it's fine. It's more of a 'habit' thing, you've got to make sure the backup actually takes place, but also - check it occasionally.

For enterprise - you'd want something a bit more robust.
 
My point is that I have seen it claimed repeatedly that if you are the victim of the encryption scam, the situation is hopeless. Sure, a massive enterprise may find offline backup impracticable, but one also expects them to have better security. For small businesses and individuals, it shouldn't be an issue to take a bit of time now and then to protect your important data from being taken hostage.
 
I feel I should add to the above that even so-called experts being interviewed about this issue never for 1 second talk about backing up your data, let alone using an external hard drive for offline backups. They seem content to let people believe they have no other options when it's an easy solution that practically anyone can use. The only way it makes any sense is if these guys make money off of people who get fucked by these shitstains.
 
Question for @King of Fists:
"4. Never enter any passwords while on an unsecured WiFi network. Also never use an unsecured WiFi network unless a last resort."

Please elaborate. E.g. if you're in a cafe where they have their wifi password posted on the wall, or just give it to anyone who asks for that matter, is that more or less secure than, say, airport wifi?
 

So basically an unsecured network is one where the router uses no encryption on the traffic going back and forth from individual devices to the router. So on an unsecured network like at the airport you can use a network sniffer to easily see the traffic going back and forth from other devices to the router, and none of it is encrypted.

Comparatively, the coffee shop has much better security because even though you know the password, the data going back and forth between your device and the router is using some sort of encryption, likely WPA2. So anyone watching that traffic can't inspect it.

Some caveats: if someone with a network sniffer knows the password of the network, they could still potentially decrypt your traffic but it is a LOT harder than via an unsecured network.

Also, there is transport layer security to consider -- your data to and from a website served entirely over https is secure even on an unsecured network (unless there is malicious code running a proxy server on the router AND they get your client device to accept their certificate AND the web site you're hitting doesn't block it either -- all together very unlikely). The problem is many websites only use https for login and then drop back to insecure http for all other pages, so all your authentication tokens would be vulnerable on an unsecured network, and there are ways to get into your accounts using those.
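
A site owner can check for the "https for login, http afterwards" pattern described in the post above by auditing the headers of the login response. This is an added example, not part of the thread; the header sets and the `shop.example` host are constructed for illustration.

```python
def parse_set_cookie(value):
    """Return (cookie_name, set of lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs

def audit_response(headers):
    """Audit (name, value) header pairs from a response served over https."""
    findings = []
    names = {n.lower() for n, _ in headers}
    # Without HSTS the browser will happily follow later http:// links.
    if "strict-transport-security" not in names:
        findings.append("no HSTS header: later requests may go over http")
    for name, value in headers:
        name = name.lower()
        if name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            # A cookie without Secure is also attached to plain-http requests,
            # where anyone on an unencrypted network can read it.
            if "secure" not in attrs:
                findings.append(f"cookie {cookie!r} lacks Secure flag")
        elif name == "location" and value.lower().startswith("http://"):
            findings.append(f"redirect downgrades to {value}")
    return findings

# Constructed sample headers, not captured from any real site.
WEAK_LOGIN = [
    ("Set-Cookie", "session=c0ffee; Path=/; HttpOnly"),
    ("Location", "http://shop.example/account"),
]
HARDENED_LOGIN = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=c0ffee; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Location", "https://shop.example/account"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_response(hdrs) or "ok")
```
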
 