Are SSWP secured_List of known technology threats

The purpose of this thread is:

To Build a list of the known technology threats to user’s online security and or privacy.

While doing this the thread comes with 3 wishes:

(1) Omit all vendor X versus vendor Y posts.
Example: vendor x forces it’s users to accept secret phone homes and vendor Y doesn’t.
(2) Post the rationale for WHY (in your opinion) the threat IS a threat. An example would be valuable.
Let’s keep this at a level one rung up from tools versus tool. No Fear, uncertainly, and Doubt (FUD) or wild unproven accusations.
(3) Avoid the political / government policy / legal/ issues
These broader issues are already actively covered in this forum and are outside the scope of this thread.


Here is the list as it currenly stands I invite all readers to add to the list as no claim is made that it is complete. The rationale or an example that explains why it is a technical risk would be very valuable.

List of known technology threats (incomplete!)

These should be major threats and not just irritating GUI options or “bugs” or other vendor support issues. Here is a starter list. No claim that these are the best first items or as stated that it is complete list is intended.

1) DNS poisoning.

Rationale: where we are tricked via a false DNS translation to thinking that the valid site we request a connection to is translated to send us to a fake site designed for collection of private information such as account numbers, passwords etc. This can led to theft of funds or id or both.

2) Free SW that purports to offer security benefits.

Rationale: the SW in fact contains adware or hard code etc that collects and reports private information found on our PC’s back to the vendors. This can lead to loss of control of our own systems and providing data to vendors to use free of charge in their marketing ventures. Information collected this way could be sold to 4th parties without our knowledge.
Freeware is an absolutely good thing, and it enables people who may not have the means to acquire the best tools available to secure themselves at the very least reasonably. However, be aware that developers, good intentioned or otherwise, need money just like us, and they will use whatever means are most efficient for them and bring in the most revenue. They are normal people, and, like other normal people, there will always be the good and the bad ones

3) Licensed or paid SW that seem to provide the user with the ability to turn off auto updating and / or sharing our technical settings

This is commonly called “Phoning home” and has been done without permission even when user has opted out (and not just updating)
Rationale: BUT in fact continues to feed this information back to the vendor without the user’s knowledge. This practise is very deceptive and reports private information found on our PC’s back to the vendors. This can lead to loss of control of our own systems and providing data to vendors to use free of charge in their marketing ventures. Information collected this way could be sold to 4th parties without our knowledge.


4) Rogue code in the SW products

Rationale: SW is created by people, thus the code they produce is only as good or as secure as they make it. There have been cases reported of at a minimum a joke message coming out which can undermine user confidence and raises concerns about what else may be lurking in this product. At worst the rogue code may be planted by a programmer with devious or criminal intent. So this could steal information critical to our www security including passwords to our on line purchasing accounts or banking.

5) Piggy-back Software

Piggy-back software is a separate application that is installed either by choice or silently along with the original installation of the program you intended to install. These separate applications range from relatively harmless add-ons that provide extra functionality, toolbars that also add functionality but also may serve a more devious purpose such as spying on browsing and sending that information back to the servers of that application and/or third parties, and all the way up the malicious chain to trojans used to remotely take over a PC.

When faced with a situation where you can obviously see an extra application being installed or asking to be, it is imperative that you not only pour over the EULA included with the original application, but also take a quick look around Google and get as much information as you can. It takes minutes to prevent problems, it can take hours to fix them. You may not be able to use the most rock solid protection out there due to conflicts, money, or some other reason, but there is absolutely no excuse to not attempt to do the best you can do with the tools you are able to use.

Freeware is an absolutely good thing, and it enables people who may not have the means to acquire the best tools available to secure themselves at the very least reasonably. However, be aware that developers, good intentioned or otherwise, need money just like us, and they will use whatever means are most efficient for them and bring in the most revenue. They are normal people, and, like other normal people, there will always be the good and the bad ones.

6) Voice Print Technology

Voice print privacy policy is a service coming soon for some banks

It is on topic since the bank installs the programs and employs the algoritim(s) it is no different IMHO than using a web based AV service. The location of the server we use for these SSW doesn't matter. We the client would be using the SSW product and taking the risks inherent in it.

 

Further data on the DNS Poisoning threat can be found at

https://www.wilderssecurity.com/showthread.php?t=217152

 

For further data on voice print technology google search the following text

voiceprintsystem

 

Hello thread readers:

Here is my 7th threat, I can post it since I know these exist. No I'm not going to name names, just ensure these tools are fully tested independently before laying out your $.

7) Untested or Buggy Code in Security Software

This one is a bad one. We read the features of a FW or an AV/ASW or HIPS and believe we have the security adverstised/listed/described. But guess what, the feature is not working or is not fully functional. So we have vapour functions inside our products. We the client are using the SSW product and taking unknown risks inherent in it. It is bad enough dealing with known risks let alone unknown because we thought we had protection. A false sense of security is a real threat!

 

Here is the 8th threat, probably should have been the 1st!

https://www.wilderssecurity.com/showpost.php?p=172473&postcount=1

 

There is a special edition of :

http://www.sciam.com/sciammag/?contents=2008-sep

The Future of Privacy

 

Hello Thread posters/readers:

Sometime in September I will move to part 3 of my series on the security/lack of security of Security Software Products.

Not many additional threats have been added other than my own add ons, so if that continues to be the case, the third and final thread on this (for me) will deal with solutions or possible remedies for the listed threats.

So if you have a missing technical threat please post it now! Thanks.