
What if My Security Software Vendor Gets Hacked?

What do you think about the possibility of security/privacy compromise ensuing from the use of security software? What if my anti-virus, VPN, or security extension (e.g. https everywhere) software or software vendor gets hacked?

This concern has me waffling over whether to use the https everywhere extension (which, by the way, is also available for the Opera and Vivaldi browsers, which you didn’t mention in your video on the subject).

Similar concern with password management software…

Those are good and important concerns.

In fact, we need to apply that thinking to every bit of software installed on your machine, as well as every online service you use.


Not limited to security software

While understanding the risks of your security software is important, it’s equally important to realize that this concern applies to any and all software you might choose to install on your computer.

These days, almost all software has an online component, even if it’s just to check for updates. Should that online component be hacked, it could be used to download malicious software onto your machine, which can then do anything. While it might be obvious that hacked security software would be a bad thing, in reality, any software vendor that gets hacked runs the risk of causing damage in the form of malware being installed on the machines of all current users.

So, absolutely be aware of your “anti-virus, VPN, or security extension” vendor, but be just as concerned about the software not necessarily related to security as well.

Not limited to software

The same thinking is important to consider when selecting online services. You mention VPNs specifically – again, where security is an obvious part of the mix – but actually, the concerns are just as valid for any and all online services you might consider using, including your ISP.

Should an online service be compromised, anything you do with the service is at risk. Your private information, as well as any data you store there, could be made public. In an extreme case – say an ISP getting hacked – you could find yourself directed to malicious sites, or downloading malicious software, without realizing it.

Taken to the extreme

As I said, it’s a concern for every single service you use, and every single bit of software you install on your machine, right down to the operating system.

Should Microsoft (or Apple, or your favorite Linux distribution) ever be hacked, absolute chaos could result.

It’s all about trust

Life is not without risk, and one of the ways we manage risk is to make sure we do business only with entities we trust. That’s not to say we necessarily agree with their actions, but that their actions are transparent in such a way that we can trust them to do what they say they will, and do it with an appropriate level of security in mind.

Intent

We begin by trusting that the services and software we use don’t have malicious intent. We’re assuming they’re not out to “get” us; they’re not explicitly out to exploit, harm, or otherwise take advantage of us.

To be clear, not everyone agrees on who does or does not have malicious intent. There are plenty of people who seriously distrust Microsoft, for example. As a result, they may seek out alternatives they find more trustworthy than Windows and other Microsoft software.

The bottom line is, we each need to believe the entity we’re dealing with is at least trying to do the right thing.1

Protection

Protection from malicious software is one thing; what about protection from legal attempts to access our data?

For example, even without being hacked, how easily will your ISP expose your information to local authorities? The same holds true for VPN services; they are, in a sense, acting as a kind of proxy ISP (moving the location of your eventual direct internet access to one of their servers instead of your ISP’s network directly).

This kind of protection is exceptionally complex, as laws and legal realities vary from one place to another, and companies may not always be in a position to defend themselves, or you, in areas outside of your location.

Qualifications

We also trust the services and software we use to know what they’re doing, particularly when it comes to security. We assume they understand the security ramifications of their tools, and have taken appropriate and sufficient measures to ensure our privacy, safety, and security.

This is difficult to judge objectively. For obvious reasons,2 software vendors and online service providers don’t specify their full range of security measures publicly. We need to decide how much we’re willing to trust them with our information and activities based on reputation and track record.

Track record

One way to evaluate whether or not a vendor is worthy of our trust is to review their history. Specifically, we can research:

  • Have there been issues in the past?
  • How were those issues handled?

I might claim the second is more important than the first. There’s no such thing as bug-free software, and there’s no such thing as perfect security. In the face of security-related issues, how did the vendor respond? Was it with quick transparency, or ponderous obfuscation? Did it become apparent that their systems had been designed with security in mind, or was it clear they’d made some boneheaded decisions leading to eventual compromise?

Who do you trust?

It’s unrealistic for every computer user to have a detailed understanding of the security issues and risks associated with all the different kinds of software and services, online or off. As a result, it all comes down to trusted referrals and reputation.

For example, I trust Microsoft’s intent and qualifications. Admittedly, I have a small window others might not have3 into how Microsoft operates on which to base my opinions. But, I’m also in a position for others to choose to trust my thoughts on the matter. Or not, as the case may be.4

Perhaps more objectively, I trust the EFF – the suppliers of https everywhere. My trust is based on my understanding of the organization’s goals, their history, and their online reputation. Will they have perfect software developers? Of course not – there’s no such thing. But I do trust them to understand the security ramifications of their efforts – perhaps better than most – and to take appropriate steps to ensure that what they provide is solid and secure. I also trust them to react appropriately should an issue ever become apparent.

Those are the same qualifications I apply to any software or service I use. It’s one reason I haven’t yet endorsed a specific VPN – I don’t have enough of a track record with any of them to feel my opinion is worth anything. If pressed to make a decision, I’d defer to other resources I do trust – like the EFF, in this case – for their recommendations.

Sleeping well at night

As you can see, there are a lot of issues to be considered once we start down this path – so many we could lose all hope!

For most people, things aren’t nearly as bleak as this picture might suggest. Most major vendors are reputable and trustworthy, and will do what they can, within the limits of technology and the scope of the law, to keep their services safe and secure from hackers and other types of intrusions.

As long as you focus on getting reputable software from reputable sources, and on maintaining your own security hygiene, it’s not something the average computer user needs to lose sleep over.


Footnotes & references

1: For the record, I do believe that Microsoft continues to try to do the right thing – missteps and all.

2: Just in case it’s not obvious: by publicly detailing security measures, hackers can analyze the information and understand specific weaknesses and omissions they can then target.

3: A small and slowly closing window. As time moves on, my experiences of over 15 years ago are less and less relevant to what Microsoft may or may not be today.

4: I’ve been called a “Microsoft shill” more than once.

15 comments on “What if My Security Software Vendor Gets Hacked?”

  1. It’s not just the security software vendors. Recently (this month) the FDIC sent me a letter stating that “an agency employee copied sensitive FDIC information to an unencrypted portable storage device.” This had to do with a bank I once belonged to going bankrupt. The whole enchilada, names, addresses, pwds, acct #’s, SS#’s were stolen by this employee… TEN MONTHS AGO!… and the FDIC admits to knowing about it 3 days after it happened. But it’s OK because, “The FDIC has obtained a written statement from the former employee attesting that the former employee did not disseminate or compromise any of the information.” Well, don’t I feel reassured. The FDIC has offered 2 years of protection via something called Identity Force, to whom I will have to disclose all my private, personal information. I am hesitant to take advantage of a security service recommended by a federal agency who could not protect my identity in the first place. And what guarantees that the security service will not itself be hacked? I have already had two calls this month from fraud departments. If you are interested I would be happy to confidentially share the FDIC letter, which has more detail, and my written response. A sage once wrote in my yearbook, “Love many, trust few, learn how to paddle your own canoe.” I’m paddling like crazy but there are leaks everywhere and I don’t know which way to turn.

    • When I go to Amazon.com and look at specific items, and then exactly what I looked at appears on a Google search, am I supposed to trust Amazon?
      AND it is not just Amazon, either.

      What if you were researching health info? Would you want that to appear on Google?

      Running CCleaner will remove that info. I run it regularly.

      • That’s simply because CCleaner clears cookies. Do know that the ads only appear to you, and not to others searching Google. Stay tuned because a good article on that is coming up this week. Leo explains it very clearly.

        • The information is not necessarily stored in cookies. I frequently clear my cookies/cache/history, yet still get ads showing my most recent product search. These appear on a lot of different sites that have rotating ads.

          Also, they are not limited to Amazon. There are many retailers that do the same thing. For example, I went to Payless looking for clogs. For about a week I was getting ads from Overstock offering clogs. Most of the others I have experienced were limited to their own ads, though.

          Although there is data sharing, I seriously doubt it is due to hacking or some security breach.

        • Let’s get beyond the regular cookies. There are many other methods that can be used to track searches or links you click on. As a bothersome example, let’s say you search for a medical condition and click on one of the links provided by Google search. Your selection can be (and often is) shared with the linked web site’s affiliates, partners, and advertisers. Between Google and the site you clicked on, it is possible to grab your IP address, location and other information and pass it along. At the very least, the receivers of this information use it for collecting statistics. This type of active tracking can produce ads on your system that bypass regular cookies. The fact is that the collection of “technologies” built into a web page is as powerful as any full-fledged programming language, and they can do anything.

          • Not if someone does not use Google or any other search engine. Nor is it limited to Amazon.com. I experience this with other retailers where I go directly to their site without using any search engine.

            As I’ve read elsewhere, many of the larger web retailers have their own tracking mechanism that does not use regular cookies. This was developed a few years ago and is becoming a standard trend in individualized target marketing.

  2. “Sleeping Well at night” is my motto, or at least I try. Let’s take LastPass for example. I use it everywhere to take care of my passwords except for everything with regard to my financial institutions, even PayPal, or purchases made online with my credit cards. Anyhow, for the latter, I rarely use my credit card to pay online; I prefer to do it through PayPal if the provider I am buying from offers this service. And most usually do. It’s not that I don’t trust LastPass, but for the security reasons evoked in this article, I wouldn’t be following my motto if I let LastPass be in control of my passwords when my money is at stake. That has always been my big concern. What if LastPass gets hacked one day? Imagine the worldwide panic if something like that were to happen…

    Same thing goes for Microsoft. I know they do have good intentions and are less likely to get hacked, but it’s the policy that they have adopted since the creation of Windows 10 that gets me really aggravated. It’s like more and more they are going beyond the pale, starting with the way they are handling their updates up to the restrictions one has in creating a local account. That was just to name a few…

  3. About 1-1/2 years ago, I received a telephone call. The caller said he was a customer service contractor for Iolo, and that there was a problem with System Mechanic which would potentially compromise system security. Of course, I immediately hung up. He called back right away, and I told him I didn’t use System Mechanic. He then told me I had purchased 2 licenses and gave me the date of purchase. He was correct, so I let him proceed. He wanted to look at my system over the internet to determine if my system was affected, and he proceeded to give me instructions to allow remote viewing. I wasn’t paying enough attention, so he actually got me to allow remote control. Of course, when I saw a window open and a search of my hard drive begin, I shut the computer down. The caller was irate and proceeded to cuss me out. He really liked to speculate on my mother’s activities. Later, I tried restarting the computer, which proceeded to access the internet, and activity in the window resumed. I shut down again, and disconnected my router. A search revealed no info downloaded, so I cleaned up the computer and used my backups to be sure. (Hear that, Leo?)

    To me, it seems that the only likely way the caller could have known my telephone number, number of licenses and date of purchase was that Iolo had been hacked.

  4. The concerns about financial loss from “hacking” seem overblown. Assuming you monitor your accounts regularly (at least weekly) it is likely you would not lose any money even if someone hacked into your bank account. Although there would be a fair amount of inconvenience to you, most likely the bank would have to eat it. In my experiences as a consumer attorney, most people who have lost money through computer fraud of some sort, voluntarily send the money to a scammer (and don’t lose the money because an unauthorized person used their login credentials).

    One of the posters said it is better to pay online with your bank account (through PayPal) rather than credit cards. I don’t agree; the protections for unauthorized credit charges are better. While no bank account of mine has ever been hacked, I have had several credit card numbers stolen and misused over the years, and in each case the credit card company made good.

    • I totally agree. I’ve had a few cases where my credit card was fraudulently charged (never through online shopping, for which I use my credit card as frequently as for in-store purchases) and counterfeit checks were cashed using my bank account number. In all cases, it only took one short phone call to work it out in my favor.

    • Agreed. I know of several situations where a person’s Paypal account was hacked – usually a result of easy passwords.
