• What really is the risk?

    Author
    Topic
    #2404421

    In a recent episode of the Security Now! podcast, Steve Gibson brought up a question that’s been bobbing around in my mind for several years. Despite the name of the podcast, on this episode he offered a more sedate perspective on the issue of zero-day vulnerabilities than we might be used to getting from cybersecurity mavens:

    Thanks to a great deal of effort being made by mainstream software publishers, aided by a massive, distributed, and growing community of security researchers, and even with some inadvertent help from the bad guys, today’s devices, even though we absolutely positively know they still contain known and unknown vulnerabilities, are more than secure enough for nearly everyone to use without worry. Only those very few who are likely to be targeted by nation-state actors have any real reason for concern.

    So, yeah. We’ll talk about zero-day vulnerabilities. We’ll point them out. We do need to keep them under control. But by no means should anybody inconvenience themselves, for example, updating their iPhone from 14 point whatever the last one was, or the very first 15 to 15.0.2 today, because there was a problem that was known being found exploited in the wild. It has to have been the case that that was being used by somebody in very tightly targeted attacks. And that’s just not going to affect most of us.

    [emphasis added]

    If we follow the news relating to cyber-attacks, a pattern quickly becomes evident–these attacks appear to focus largely on two categories of target from two distinct types of perpetrator. On the one hand, large organizations (government agencies, institutions, businesses) tend to be preyed upon by ransomware campaigns from private criminal gangs; and on the other hand,  high-profile individuals (high-ranking government officials, political figures, dissidents) are more prone to drawing attention from state actors for espionage/surveillance purposes.

    Apparently not included in either of these threat categories are run-of-the-mill private individuals. And if you think about it, there is sense to this madness: organizations with a lot of money and people with a lot of power offer the prospect of much  bigger “returns” for the effort expended in handling these, uh, “customers.” It’s worth it in such cases to create those “specially crafted websites” that Microsoft patch descriptions so often speak of, and the sophisticated APT campaigns that go into luring this kind of clientele.

    This does not mean that we can just proceed in happy-go-lucky fashion with no security or precautions whatever, but it does make me wonder if we, as individual end users, haven’t been led to worry excessively that we might not be running the latest version of Windows with every single available patch installed and multiple layers of security wrapped around our home PCs for good measure.

    So the question I’d like to ask is: does anybody have good data to share on the level of risk that ordinary private users face from the vulnerabilities that are typically addressed on Patch Tuesday? To borrow a term that has come into general use in the last 22 months or so, is there a good handle on the “infection rate” from these vulnerabilities?

    Note that I’m not talking about the cheap, lazy phishing attempts that we can spot in our inbox a mile away, but about the sophisticated kinds of vulnerabilities that Windows patches are meant to address.

     

    • This topic was modified 5 months, 3 weeks ago by Cybertooth.
    8 users thanked author for this post.
    Viewing 6 reply threads
    Author
    Replies
    • #2404427

      It’s the modern world, I’m afraid. Fear is the key. Fear of crime, fear of being left behind by the latest trends, fear of disease and death. If you really want to control a population, make them fearful

      I live in what was once, and in some ways still is, a sleepy little village on a sleepy little island. There was no fear when I first arrived. Now, everyone keeps a dog, and has security alarms, and bars at the windows, and neighbood watches. The statistical threat of crime hasn’t increased signifcantly, but the fear of crime has

      And, as everyone gets suckered into buying new tech – computers, laptops, tablets, smart phones, every few months – their fear increases. Fear of being hacked, fear of losing personal information, fear of being held to ransom, fear of being scammed. I’m afraid that the media is significantly to blame for all of this. They stoke the fear levels to gain viewers or readers or subscribers

      Personally, as soon as I read about an exploit that involves escalation of privileges because the bad guy already has access to your machine (either physically or virtually), I switch off. If they’re already there, then you’re pretty much jiggered anyway. Otherwise, keep your AV up to date, practise safe online habits, stay firmly away from “social media”, and you’ll probably be ok…

      7 users thanked author for this post.
      • #2404428

        Thanks, I was just about to write the same, you saved me a lot of typing !

        “it does make me wonder if we, as individual end users, haven’t been led to worry excessively”

        I think we have been led to worry excessively. An indigent, elderly friend of mine is still on Vista and had no effective anti-virus the last time I met him. I installed a suitable AV for him and ran a full scan. His computer had no significant issues after running essentially unprotected for years.

        He only uses it to go to news sites, write a few emails and similar innocent activities.

        Windows 10 Home 21H2, Acer Aspire TC-1660 desktop, non-techie

        6 users thanked author for this post.
    • #2404448

      If I had a tech fear, it would be fear of not having a fresh drive image in my library of drive images.  I don’t have that fear because my oldest drive image is no more than a week old, and my data is copied to three different places on my network daily as well as OneDrive throughout the day.

      I concur with Steve Gibson’s assessment, the vast majority of us are not targets.  Microsoft Defender and Malwarebytes Premium (and never clicking on links in email) give me a satisfactory level of protection and comfort.

      That same level of preparedness keeps me immune from the fear of Windows Updates and Microsoft’s FUD associated with stepping outside their box and/or not staying within the lines.  For example, every time I sign on in Windows 11 I get a notification that I have a “Microsoft account problem”.  It’s actually Microsoft that has a “Microsoft account problem”, because I’m not using a Microsoft account to sign on.

      If I break it, I can fix it.  If Microsoft breaks it, I can fix it.  In the extremely unlikely event that I was hit with a ransomware attack, I can fix that, too.

      Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
      We all have our own reasons for doing the things that we do. We don't all have to do the same things.

      4 users thanked author for this post.
    • #2404450

      There is seldom a good reason for most everyday users to update immediately. However, I think it is important for most everyday users to let Windows Update do its thing when it wants. The vast majority of everyday users have little clue about security. They open any email and attachments. They click on links without a thought to where they are really going. They fall for the simplest of scams and phishing ploys. They don’t do backups. I can’t give you hard statistics but I can tell you I’ve spent a lot of time talking to friends and family about good practices.

      --Joe

      4 users thanked author for this post.
    • #2404464

      I’m a Home user but I still use the third party 0day  micro patcher  0patch Pro.   For me they do an excellent job.  I can’t speak for enterprise users.

      1 user thanked author for this post.
    • #2404470

      I agree with Cybertooth’s comment at the start of this thread entirely. Small-time users like me are unlikely targets.

      The main preoccupation for one of us should be being infected with malware when browsing Websites, so I am all for adding some protective applications, such uBlock Origin, Privacy Badger, an ad blocker, and a few others of this kind, plus a decent antivirus, using a defensive browser setup, observing good browsing hygiene practices — and, preferably, staying well away from Facebook, TikTok, etc. etc. And only opening emails that come from trusted sources or have an obvious legitimate purpose when examined in the review panel — and trashing the rest, while never using URL links in the emails I decide to open without first hovering the cursor over them, etc. I believe that doing all this does make one’s computing safer whether one is using Windows, or Macs, or Linux PCs.

      To me, the one worry is about installing patches and upgrades of the OS. As a rule I wait for them to “mature”, giving them enough time for problems to surface with people complaining about them. Once I have not heard or read anything bad about the update, I would install. If it is a 0-day bug out in the wild, in a matter of days, if it is something else, of a few weeks.

      On the other hand, businesses, including small ones except, perhaps, tiny ones with just one or two persons in the staff, the owner and one or two others (e.g., the son, brother, spouse of owner or close friend), working there — but definitely government organizations and public utilities (water, sewer, electricity, natural gas, etc.), as well as big Cloud depositories of, besides whatever of one is kept in there, one’s personal identifiable information: Those must be seriously protected against ransomware, big data breaches and other things that make for the regular cybercrime scandal of the week.

      I do not recommend using a little known super-safe browser, as such are often not welcome, or work well, in some sites one needs to access. For those sites, using Chrome of FireFox are good bets, as they are accepted pretty much anywhere these days.

      Am I worried about using Chrome? No, I live a busy life and have not much time for worrying, so I prefer to worry about something else, something more interesting and, if possible, more worthwhile. So far, I have not have had, after using Chrome to access some selected sites for several years, any targeted ads, massive spam, been a victim of phishing attempts, etc. to report.

      Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

      1 user thanked author for this post.
      • #2404510

        **  begin-quote

        that come from trusted sources or have an obvious legitimate purpose when examined in the review panel -- and trashing the rest.
        ** end-quote
        
        And this is a splendid way to get infected, viewing in the review window. One should only examine in a sanbox or in a DMZ.
        [] 🌹 #нетвойнесУкраиной 🌹 #不与乌克兰开战 🌹 []
    • #2404484

      Small-time users like me are unlikely targets.

      In your case I think this time you are wrong.
      As I understand you are remote working with some government agencies (NASA).. so you are a target for hacking becoming a tunnel to agencies servers..

      2 users thanked author for this post.
      • #2404491

        Alex wrote:

        As I understand you are remote working with some government agencies (NASA).. so you are a target for hacking becoming a tunnel to agencies servers..

        I do not use my own home computer for anything related to my work with NASA, but a NASA-loaned one that I only use for NASA business and to send encrypted email only while connected to a NASA Center, to trusted parties, same for receiving emails at that Center (which has to pass some incoming server security filters before reaching me). The email sending and receiving servers are NASA’s and the email client is Outlook, provided by NASA. I only browse Websites with a NASA-approved and provided browser, when this is directly relevant to my work at NASA and, as much as possible, at sites that belong to NASA, or are approved by NASA. I use this computer from home with a point-to-point VPN connection (using an application provided by NASA) directly from the NASA-loaner computer at home (or from wherever else, following the usual safety protocols) to the NASA entry server. The computer is scanned in real time with a government-approved AV. I only participate in teleconferences while connected as already explained to a NASA Center network using an application provided by NASA.

        I do take several annual courses, each with a final exam, about IT security, the handling of sensitive data, etc.

        I believe all of the above is the case when people work remotely or on site (as applicable) for government agencies.

        And no, nothing is absolutely invulnerable to cyber attacks, but I have reason to believe that with the above measures, the chances of my providing a vector for such an attack are acceptably small.

        Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

        1 user thanked author for this post.
        • #2404494

          I suppose that you don’t use a direct ISDN/Fiber.. network connection from home to NASA bypassing your Internet ISP ? If not your PC can be targeted as a entry point to NASA servers if some (foreign) hacker will be interested in NASA’s data. Once hacked they will use your trusted VPN connection to access servers.

          https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/

        • #2404501

          Alex: “[…] Once hacked they will use your trusted VPN connection to access servers.

          If something like that were to happen, it would be because NASA IT security procedures are insufficient — and, please, notice that I am NOT stating that they are.

          It will have nothing to do with me personally. In the case of anyone working remotely while using the NASA-approved VPN connection, doing this will pose an equal risk to the government.

          To repeat: noting is invulnerable. But I cannot discuss this in any further detail, because that certainly would violate the security protocols I am expected to follow.

          Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

        • #2404543

          The one real danger is hackers breaking into the NASA servers. This has happened to big organizations, public and private, and had nothing to do with the use of VPN by offsite workers.

          To subvert a secure VPN connection as the one I have described, would be necessary to hack the ISP and from there, somehow, spoof the receiving VPN server to look like it’s me calling — and also to know my login credentials.

          So let us not discuss events that are improbable in practice, even if they are possible in principle. For example, until more than a century ago it was considered as possible, but most improbable, that the Moon was made of green cheese, and this was the reason why this issue was never discussed seriously by astronomers — and something that was finally put to rest when in the late 1960s, the Apollo astronauts brought back pictures and samples of fairly ordinary rocks and found no cheese at all up there.

          Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

      • #2404511

        Alex is right!

        [] 🌹 #нетвойнесУкраиной 🌹 #不与乌克兰开战 🌹 []
        • #2404535

          Actually, Fred, Alex might be right, but so what? There is no point in arguing against the idea that any given protection against malware, hackers, etc. is not full proof, because that is a truism. But it is also true reasonable measures do make the odds better, and that is the best one can do about anything undesirable. And what NASA, for example, is doing to protect itself against malicious cyberspace actors is, in my opinion, fairly good, even if inevitably imperfect.

          I don’t make a habit of worrying about things that I cannot improve, change, or avoid.

          So, you know what? I believe that there are better things to do than to continue a discussion about bad things that, potentially, perhaps, might happen some day, if someone nasty is also enterprising, clever, competent and lucky enough to make it happen, but who knows if or when?

          Sorry, Alex.

          Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

          1 user thanked author for this post.
    • #2404517

      The only time I update WinX is when I buy a new computer. And only then because I am forced, as Windows comes with the computer. (My weakness for not actually making the move to Linux or MacOS instead of threatening to.)

      If you have read my previous posts you know that I ran a Lenovo Flex 3 (WinX 1511) for 4.5 years with ZERO updates. I blocked all windows updates.

      I replaced the Lenovo Flex 3 with a Lenovo Flex 5 (WinX 19.something) more than a year ago. First program I installed was Windows Update Blocker (WUB). I haven’t installed a single update on the new machine since I purchased it.

      Zero problems with either machine (unless they were caused by MS strong-arming an update, caused by a lapse in my defenses due to my mistake. Rollback works – thank MS)

      I do run an antivirus. No worries.

      You don’t need the updates, feature updates, etc. You just don’t. You can do updates if you like, but don’t put me down for not going along with the mindless, scared masses. No offense – just sayin’…

      I know this isn’t a set of statistics, and I’m only one example. But my experience is an example. And a good one so far.

      Be careful out there. Apparently it is too hard to know who all the bad guys are – but I know one BIG one that lives in Washington state. They still get my telemetry, but so far I’ve been able to keep their trouble-making updates off my computer. If you have something that works, you have VERY little to worry about.

      Relax. Don’t Worry. Be Happy.

      RamRod.

      1 user thanked author for this post.
      • #2404544

        RamRod wrote: “You can do updates if you like, but don’t put me down for not going along with the mindless, scared masses. No offense – just sayin’…

        No offense? To people you are calling “the mindless, scared masses”?

        But never mind that … Because, yes, there seem to be a lot of sturm und drang going on, more than usual anyway, and is not just about patching. Maybe that’s the reaction of people that are still self-isolating and getting cranky and stressed and depressed … Whatever the reason, some of us have been trying to cheer them up here with music, science fiction, cartoons, stories about aliens zipping around in flying saucers and carving some honking big, if fancy, crop circles in farmer’s valuable ripening corn, even some actual science, but nothing really seems to be working for them right now.

        Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

    Viewing 6 reply threads
    Reply To: Reply #2404510 in What really is the risk?

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Cancel