Let's talk about security

Hey guys,

I am not sure if this has been discussed yet.
But I was wondering if there are any discussions about privacy with security.
I think there should be another page on privacytools about this.

For instance, I use Bitdefender as security on all my devices and use Malwarebytes for malware.
I use more software to do scans to keep my PC safe…

Any ideas about this yet?

Bitdefender, like many other antivirus products, is terrible for privacy. Just take a look through their privacy policy yourself, and you’ll see exactly what I’m talking about.
Security and privacy go hand in hand. For example, if you want a secure messaging platform, use Riot or Signal. If an option is private, then it will have good security. I feel pretty good about saying that, since for an option to remain private it has to be able to stop people from eating your data.

Great day to start the topic :slight_smile:
https://arstechnica.com/information-technology/2020/08/snapdragon-chip-flaws-put-1-billion-android-phones-at-risk-of-data-theft/

The latest version(s) of Windows 10 are very secure out of the box, and in my opinion, there is no need to use any additional 3rd party tools. Just be careful and follow security guidelines and best practices (e.g. for phishing attacks, pirated software, password management, software updates, etc.).
The same applies to other systems (Linux, OS X…). Don’t think it is more secure and stop caring about the above-mentioned things.

What worries me the most is SaaS security. I’ve seen many companies offering SaaS for really important things, for businesses (project management, inventory management, CRM, ERP, cloud storage…) with security measures so low, I wouldn’t even recommend them to my competitor. When I see things such as: “Password must have at least 8 characters, 1 capital letter, 1 symbol, 1 number”, I don’t even want to test it / use the trial version. Many of them don’t have 2FA, an option to limit the IP range for logins, device control, etc. And all of them try to convince users they care about security.

Hey,

Great Question

Classic antivirus protection can only provide limited protection these days. Because of the many rights that software has on the machine, it can become a high risk (vulnerability, privacy, etc.). The human firewall is still a very important point!

Endpoint security is becoming more and more important. I would recommend using an Intrusion Detection System (Snort etc.). Think about securing the whole network, use a sniffer to analyze the traffic!

Greetings

I am not familiar with sniffers. I know what it is… but I don’t know which to trust and how to use it.

Pffft… ya… see. I was afraid of that.
I am planning to patch my DNS… it’s on my planning list.
For now I use Mullvad.

I think the best network sniffer is Wireshark

Are you using the VPN for privacy? Check out this GitHub Gist page for why you shouldn’t do that. (In my opinion you should also not host your own VPN on an outsourced cheap server.) Don’t rely on a VPN for privacy!

Yeah, great idea.

No, I’m not using it for privacy… I’m using it for an extra layer of security.

Just a little note here:

Information security is a vast topic. You need to consider technology, humans, and processes. You also need to consider measures to identify your assets, detect malicious activity, respond to attacks, prevent attacks, and recover from attacks.

In the best case, you have your custom mix of security controls.

For instance, a firewall with a strict rule set may prevent some attacks when you continuously improve its rule set. However, a firewall can’t detect all malicious activity. For this, you need an intrusion detection system (IDS). However, an IDS is based on signatures (similar to anti-malware software), so you need to continuously update its signatures. Then, there are honeypots that can detect previously-unknown attacks, but you need to derive new attack signatures from malicious activity that you recorded. This knowledge from honeypots allows you to react to attacks. Moreover, you need current backups and recovery tests to successfully recover from attacks that couldn’t be prevented or detected.
Deploying some technology without a plan adds some security, but it is basically like replacing the lock cylinder of your front door while you leave all windows open.

Besides technology, you as a human need to be aware of new attacks and your security controls. Keep in mind that social engineering (manipulating humans by exploiting their human characteristics) works perfectly without any technology. SE isn’t only phishing.

Finally, there are processes. Things need to be updated, revised, documented. Furthermore, you need to behave in certain ways to ensure that your security controls are used effectively.

Hopefully, you see that single products like Bitwarden vs. LastPass don’t matter. You need to look at a much higher level.


Hello (sorry for my English!),

my security set is:

  • Linux (in my case Debian) as OS. Linux is much more secure than Windows, which is malware itself.
  • Firefox with some privacy plugins: uBlock, Privacy Badger, Cookie AutoDelete, HTTPS Everywhere
  • Mullvad: I’ve been using Proton but in the last month it gave me some issues, so I switched to Mullvad, which is one of the best in terms of performance and privacy: it’s in the 14 eyes but I don’t worry about it because Sweden is one of the most privacy-friendly countries and, anyway, they have a strict no-log policy. 14 eyes still matter, but you have to consider a service country by country, and think that, in case of serious crimes, even Switzerland has an agreement with CIA, NSA and so on… So, 14 eyes matter, yes and no. In addition, VPNs, at least in Sweden, are not regarded as an electronic communications network nor an electronic communications service.
  • Even if Linux doesn’t suffer viruses like Windows, once a month I make an offline scan with Kaspersky Rescue Disk and/or Antivirus Live CD to be sure it’s ok; even if Linux doesn’t run a Windows virus, I could infect my friends sending dangerous files, so a scan is always welcome!
  • I don’t keep passwords in browser memory and keep it clean from cache, cookies etc…
  • I use alternative search engines. Google is 10% of my searches.
  • I stay away from HTTP sites, surfing only HTTPS
  • Additionally, I run Signal on PC too. Unfortunately most of my contacts use only WhatsApp, so Signal is only for 5-6 friends.

About Windows users, I can say Bitdefender is an excellent choice, and Malwarebytes is good too. I don’t know if Bitdefender still considers Malwarebytes as a second antivirus (in some cases I had to uninstall Malwarebytes in order to use Bitdefender, but it was some time ago).
Excluding Linux as OS, you can act like I do for the rest: search engines, clean browsers (I suggest Firefox: Chrome is Google poison!) and, if you are paranoid like me :laughing: you can occasionally run an offline scan from a live USB using, for example, Kaspersky Rescue Disk. Offline scans are more effective than an installed AV, but you cannot scan like this every day! Live AVs from USB are useful most of all when your PC is severely infected (e.g. ransomware) and you cannot use it anymore.

I hope this helps!

Just adding some thoughts:

“Security” isn’t a property. You can’t compare “the security” without defining a threat model and context. For instance, a Debian 6 installation providing an outdated web server on the internet is much more insecure than a current Windows Server 2019 installation.

Besides, there isn’t “a single Linux,” as you know. Some distributions like Debian and Ubuntu heavily rely on backporting, while others like Arch try to provide the newest packages as fast as possible. This basically means that newer security features aren’t available.

Moreover, “the security” also depends on the users and organization. If users fall for social engineering (often the first step of a successful attack), even a technically secure system/process can instantly become insecure.

Keep in mind that Linux-specific malware exists; however, for several reasons, Linux malware isn’t so common. Infamous examples of Linux malware are Mirai and HiddenWasp. Besides, some state actors also use Linux malware like Drovorub.

Apart from this, Android is basically Linux. Just search for “Android malware” that frequently surfaces on app stores (e.g., 1, 2, 3).

Yes, I know those things: I mean that in general Linux is better than Windows if we talk about security: not perfect, of course, but undoubtedly better. I’ve been using several Linux distros (now Debian is my definitive one) as my only OS for about 11 years and I never had a problem, or at least not the serious problems I had when I used Windows. If I had to choose where to use Tor, for example, I’d choose Linux. Same for a VM. I can see ransomware, PUPs and other scams infecting my friends’ PCs, despite the (useless) AV they have. Linux is a VERY different story. At least for me. Sometimes I scan my Linux offline but I never detected anything. I repeat: nothing is perfect, but we can say, talking about security, between Linux and Windows there’s no comparison. But this is my experience, perhaps other people use Windows and never had a problem. In conclusion, we all know that the best defense is located between the screen and the keyboard! :grin:

I read the article on GitHub: interesting, but in my opinion it’s too alarmist and doesn’t add anything new compared to what I already knew.
I use Mullvad too; before it I used ProtonVPN, and after a while I found they are among the ones suggested by Privacytools. I’m not going to say they are perfect (neither is Fort Knox), but you have to admit that there are more reliable and less reliable VPN services. I stay away from free ones but also from the ones you can find on every security and IT webzine as obsessive popups or banners all the time. This is just merchandising. On the other side, Mullvad is different: it is less known and you can’t find any advertising about it. Moreover, on Mullvad’s website you can find very honest claims, for example about WebRTC: they say you have to set your browser to prevent a leak on that side. They don’t say “we’re perfect”. In addition, they had an independent audit, they are open source… They explain very well all the details you need: from technology, to privacy policy, to Swedish laws. 5 € /month are not enough to pay a coffee for their lawyers? Remember that a service doesn’t have 10, 20 or 30 people using it! There are a lot of people! And 10 years of history are not a joke! OK, it’s not a silver bullet, but what is a silver bullet? Many of us trust Signal, for example… is it perfect? No, but it’s one of the best IM apps we can use! We use a firewall… Is it perfect? No, but we use it anyway… We use DuckDuckGo or Searx or Startpage… Are we sure they do what they say? Not completely, but we are sure they are much better than Google in terms of privacy. Same thing for dnscrypt, Tor and other tools. If these tools were perfect, police and agencies wouldn’t ever be able to arrest terrorists, drug dealers, pedophiles and so on…
We have to try to use all the tools we can in the right way. We all know EVERYTHING is under the Big Eye. Does it mean that everything is a scam just because the NSA can uncover and de-anonymize anyone no matter what they do?
I think a VPN, a GOOD VPN, can be a good deal. You don’t have to trust it as if it was a religion! But, to be honest: the article says that also the most reliable VPN services keep logs. Are you sure? If we don’t know if they don’t keep logs, you are not sure they keep logs. But there are VPN services, as I said above, that are less reliable than others: free VPNs and overhyped ones are at the top of the black book.
OK, that’s all! And now, VPN haters… shoot me! :rofl: :rofl: :rofl:
