Why consumer security products are bad
With LastPass’s implosion and private equity firms buying up the tech sector, what’s to be done?
LastPass, McAfee, Twitter, Optus, WhatsApp, Uber, Shein–you may be familiar with some of these companies, many of which are now trying to shed the ignominy of rather self-inflicted poor reputations. Most recently, LastPass experienced a data breach that, its executive leadership has now admitted, led to the exfiltration of users’ encrypted password files. More egregious than that, LastPass offers no remedy or advice to those affected users. How could a tech company of LastPass’s size get away with such obvious negligence? Private equity. In 2019, LogMeIn, parent company of LastPass, agreed to sell itself to two private equity firms to the tune of $4.3 billion. Understandably, there was concern among tech insiders and LastPass users that the sale would change LastPass’s business model; generally, private equity firms exist solely to purchase assets and maximize the value of those assets for a later sale. In LogMeIn’s case, this was very much the trajectory.
Francisco Partners and Elliott Management were the two private equity firms which bought LogMeIn in 2019. Shortly thereafter, in 2020, LastPass announced it was raising prices. If users wanted access to their LastPass-managed passwords on more than one device, they’d have to pony up another $36 a year. This killed the free option previously offered by LastPass, which represented a significant portion of the company’s user base. Of course, this is expected behavior during a private equity takeover–raise prices, increase shareholder value. The downside, predictably, is that the increased costs you pay are not reinvested in the company. In fact, one could imagine that LastPass took resources away from its security teams in the wake of its sale to private equity interests. That would neatly explain why the platform was hacked multiple times in 2022 alone.
As we covered previously, the password vaults that were stolen during these data breaches were and hopefully are still encrypted. But that doesn’t matter in the context of LastPass. Would you trust a company that didn’t follow basic security protocols to use the strongest available encryption for your data? Given the priorities of LogMeIn’s buyers, it seems far-fetched to believe that those password vaults won’t at some point be decrypted by the very same enterprising hackers who stole them. Handing a safe and a set of lockpicking tools to a master lockpicker doesn’t mean you won’t lose everything just because he doesn’t have the combination.
This trend is a worrying one: the companies who promise to secure your data, monitor your credit, protect your identity, and keep your devices safe are increasingly selling out to the highest bidder, throwing security out the window, and exposing you to risks never before seen. We’ve entered into an age of consumer security chaos. Companies like McAfee preload their obnoxious, resource-intensive, and often ineffectual software onto millions of computers each year. For the record, McAfee, despite being an alleged security-focused company, has not been immune to such security breaches. In 2017, McAfee’s own network sent out malware that directed customers of its ClickProtect software to download a malware-infested Word document.
In 2019, popular VPN service provider NordVPN revealed it had been hacked, although the scale and severity of this particular breach were much less significant than in other high-profile incidents over the last several years. Despite the lower profile of NordVPN’s breach, the incident demonstrated a means by which a cloud service provider (CSP) could be compromised on a larger scale.
As threats have evolved, consumer security products, such as McAfee’s antivirus platform and other consumer-oriented security services, have not kept up. Zero-day threats, or threats which are known to bad actors before they’re known to software and hardware vendors, are often blind spots for these consumer-focused security solutions. In Q4 2021, 66% of malware attacks exploited zero-day vulnerabilities. These so-called zero-day vulnerabilities by definition can’t be detected by signature-based antimalware engines, because definitions (signatures) for them don’t exist until after the vulnerabilities have been exploited. Therefore, security products use heuristics and machine learning models to detect such exploits as quickly as possible. While software teams are patching code and releasing antivirus signature updates, these heuristically-driven antimalware engines can, in theory, protect critical systems from zero-day attacks.
In practice, however, 80 zero-day vulnerabilities were exploited in 2021–the highest number since monitoring of zero-days began. It must be noted that the majority of zero-day attacks originate from state-sponsored hacking groups, with the remainder largely from financially-motivated hackers. Zero-days are not trivial and are rarely carried out by lone actors. Consequently, the targets of zero-day attacks are usually governments, large corporations, or other valuable assets, rather than individual people. However, individuals are still affected by zero-days: in 2020, Citrix saw remote access vulnerability attacks increase by an astonishing 2066%.
As threats grow ever more sophisticated, protecting yourself from them requires a more sophisticated defense. Installing antivirus software just isn’t enough anymore, in spite of what big antivirus vendors like McAfee, Norton, Kaspersky, and Avast would have you believe. These companies spend hundreds of millions of dollars per year, combined, to convince you that you need their ‘ultimate security’ package, which could cost you hundreds of dollars per year, at dubious benefit to your actual security. Security researchers increasingly think that antivirus software is redundant and unnecessary, considering that modern threats have shifted away from software viruses to ransomware, phishing, and complex social engineering attacks. Naturally, the companies who make antivirus software are incensed at the notion that you don’t need them anymore. To make up for this inevitable loss in revenue, security software vendors have taken to including mostly-worthless features like VPNs, identity theft monitoring, and other baubles as “value adds” in their security software. To their credit, it has been effective, as the average computer user doesn’t know why they don’t need these things, and fear-based marketing has always been a powerful tool in the tech space.
The bottom line for customers, both individuals and businesses, is that their security solution must involve a multi-pronged approach: an antimalware service (e.g., Windows Defender), an effective ransomware protection and remediation strategy (e.g., offsite data backups), a password manager that is audited and has been shown to be secure (e.g., BitWarden), logical network segregation (e.g., isolating less secure devices onto their own networks), and device patching (e.g., keeping all of your software and firmware up to date). Don’t go it alone–Geek Housecalls and Geeks for Business are here to help you navigate the ever-changing security landscape.