11

For a normal computer user following these practices:

  1. Have an up-to-date anti-virus with a firewall installed (Norton).
  2. Do not install cracked software.
  3. Do not open suspicious links or download software from unknown sources.
  4. Do not install unknown add-ons to browsers.
  5. Windows updates are installed whenever available.
  6. Do not even have a torrent client or similar applications installed.

Extra details:

I open a lot of PDF files and I always knew that PDF files can be infected and cause harm. But I never took this seriously and I never had a dedicated tool to scan them. Not sure if the Anti-Virus I use (Norton) does this job or not.

Q1. What's the probability of having my PC being hacked to steal my documents or private information?

Q2. Are there extra measures to take or tools to install that I am missing?

Henning Klevjer
  • In Adobe Reader go to `Edit/Preferences...`, switch to the `JavaScript` tab and disable JavaScript; you will never miss it... – martinstoeckli Oct 18 '12 at 10:35
  • I'm not sure this question is a good fit for the site; "what is the possibility..." requires that the answer is fundamentally a guess based on partial evidence. Your focus _seems_ to be "What are the most important controls for the PDF file attack vector?" Is that true? – MCW Oct 18 '12 at 10:43
  • @MarkC.Wallace Not true. The PDF thing was just extra detail to help in answering... it is not the main issue here. –  Oct 18 '12 at 10:45
  • OK - then can we rephrase the question in a way that doesn't require the answer to be a prediction about the future? Is there a way to ask the question so that an objective third party could tell whether an answer was successful? – MCW Oct 18 '12 at 10:47
  • My English skills are limited as you can see. I would appreciate it if you do it for me. –  Oct 18 '12 at 10:48
  • IMHO, your English skills are better than many of the native speakers with whom I work. That said, I believe this question is a bad fit for SE. The FAQ recommends avoiding any question about which a book can be written, and there are already many books written to answer your question. IMHO, none of them suffice. Having said that I still provided the best answer I could. – MCW Oct 18 '12 at 12:05
  • Since this basically asks for a probability based on partial evidence, I'd say it's a better fit for stats.SE ... :) – TC1 Oct 18 '12 at 15:30
  • Uninstalling Java, Adobe Reader, and Adobe Flash alone will protect you from 95% of Windows viruses. – Gaff Oct 18 '12 at 19:44
  • @ROFLwTIME do you have a reference to support what you just said? I find it hard to believe.. –  Oct 18 '12 at 19:47
  • @HaLaBi http://www.theregister.co.uk/2011/09/28/window_malware_infection_exposed/ – Gaff Oct 18 '12 at 20:21

6 Answers

10

If you properly follow the recommendations and standards that you've mentioned here, you should be reasonably safe, as long as you also keep your software up to date. It's arguably more important to install updates for PDF readers, Adobe Flash, Microsoft Office, etc. than the OS updates, because those are where most day-to-day attacks are focused.

A few other suggestions:

  • Use a sandbox for read-only stuff, like opening PDFs. That way, even if a document is malicious, the chances of your machine getting compromised are significantly reduced. Sandboxie is nice.
  • Send any suspicious PDFs through VirusTotal. It has some specific exploit detection tools that it runs on PDF documents, which are very good at catching suspicious documents even if the exploit vector is not yet known to AV vendors.
  • Don't ever assume that your AV will catch malware. Studies over the last 5 years or so tend to show that each AV software package catches around 30% of malware. Aggregate tools like VirusTotal have better results, but it's obviously infeasible to run every file you download through it. Keeping your AV up to date helps, but technology is not a panacea.
  • Protect any sensitive documents with TrueCrypt. It won't prevent malware from stealing files from a mounted volume, nor is the password screen invulnerable to keyloggers, but it does reduce your chances of having important stuff stolen as long as you don't open the volume whilst infected.
  • Make regular backups. Getting owned is, sadly, a fact of life. If your machine gets infected, the only way to be sure is to nuke it from orbit and start over. Even worse, ransomware might corrupt your documents and demand a large fee in order to recover them. The cost (time and money) of implementing backups is far less than the cost of recovery when you lose all of your data.
Polynomial
  • I use BitLocker in Windows 7 to encrypt the important files, I guess this is enough and I do not need to use TrueCrypt... correct? –  Oct 18 '12 at 14:45
  • Maybe. Malware is more likely to target BitLocker because it's on every machine, and TC has more proven security against some more exotic attacks. You're better off speaking to Thomas Pornin (our resident cryptographer) about the ins and outs of various disk encryption systems. – Polynomial Oct 18 '12 at 15:33
  • I disagree with you Polynomial, TrueCrypt is open source software, which makes it easier for hackers to know the vulnerabilities. Not sure of this but this is common sense. –  Oct 18 '12 at 17:17
  • That's a backwards argument. Open source software does *not* make it any more or less secure, and this has been repeatedly proven. In some cases you get a slight *benefit*, because it's been looked at by thousands of people. TC has been vetted by a large number of professional cryptographers, including Bruce Schneier. It's had a lot more analysis than BitLocker. – Polynomial Oct 18 '12 at 18:38
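The asker mentions never having had a dedicated tool to check PDFs before opening them, and Polynomial's answer points to the PDF-specific exploit checks that VirusTotal runs. The script below is an added example of the first, cheapest layer of such a check (the kind of keyword triage tools like pdfid do); it is not code from the thread, and the two embedded PDFs are constructed samples, not real malware.

```python
import re
import sys

# Name tokens that commonly mark active content in a PDF: script, auto-run
# actions, launch actions, embedded files, rich media and XFA forms.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/XFA")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated /J#61vaScript reads as /JavaScript."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Count risky names and note constructs that can hide them from a plain grep."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    body = normalise_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # A name ends at whitespace or a delimiter, so /JS does not match /JSX.
        pat = re.escape(name.encode()) + rb"(?=[\s/\[\]<>(){}%]|$)"
        n = len(re.findall(pat, body))
        if n:
            counts[name] = n
    # Compressed object streams (/ObjStm) can carry the keywords above invisibly,
    # so their presence alone keeps a file on the "inspect further" list.
    objstm = len(re.findall(rb"/ObjStm\b", body))
    return {"keywords": counts, "object_streams": objstm,
            "suspicious": bool(counts) or objstm > 0}

# Constructed samples (not real malware): one with an auto-run, hex-escaped
# JavaScript action, one with no active content at all.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"3 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\);) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
CLEAN_PDF = (b"%PDF-1.4\n"
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(triage_pdf(data))
```

A clean verdict here only means no keyword was found in plain sight; a file with compressed object streams still needs a full parser or a service like VirusTotal, which is why the script reports them separately.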
1

The possibility of you being a victim of a targeted hacking attack is low. The possibility that your computer might get infected with malware like spyware, spam bots and similar is medium. I recommend using Microsoft EMET and setting it up to protect applications (PDF reader, web browser, Word) which work with documents from outside sources (PDFs, web pages, Word documents, ...). The second thing you can do is use AppLocker, included in Windows. Set it up with default policies. This will prevent your operating system from executing executables (applications) that are not in folders that require administrative privileges to write to (Windows, Program Files, ...). AppLocker allows you to do whitelisting of executables. You could also run your web browser and PDF reader in a sandbox (Sandboxie software) for isolation.

Matrix
1

It sounds like you're relatively safe, but of course, the only way to be 100% protected is not to connect to the internet. There are two considerations, really:

1) Drive-by malware attacks, people hoping to infect as many people as possible. Unfortunately, this is not necessarily restricted to suspicious links. It's not unheard of for legitimate sites to be compromised and used to spread malware. Similarly, advertisements can redirect to pages designed to exploit vulnerabilities (sometimes in the browser, but more often in some plugin such as Java, Adobe Reader, Flash, etc) to execute code on your machine.

2) Hackers targeting you, specifically. This is preeeeeeetty unlikely, unless you stand out as a higher-up employee of a company, which increases your value as a target slightly. Targeted attacks are becoming more common, and if you run a company, it's possible that people will attempt to use public information (think LinkedIn profiles, company registries, etc) to socially engineer you into opening that dangerous PDF, or visiting that exploit-laden website.

To sum up, it's not just dodgy third-party browser add-ons, naughty sites and cracked software that will get you. Remember to keep your legitimate browser plugins etc patched up, or better yet, disable them if you're not using them. Disable JavaScript if you're not using it. NoScript is a pretty great extension for Firefox, and there are similar ones for other browsers. It allows you to whitelist sites that require JavaScript, and you can block everything else. Disable the Java plugin if you're not using it. Adobe Reader is the most commonly targeted PDF reader, so consider doing your reading in another PDF reader.

OtisBoxcar
  • There is no such thing as 100% safety. A dedicated hacker can break into your house and infect your non-internet-connected computer - which would be an extreme case of category #2. – emory Oct 18 '12 at 11:13
  • Too true! You are of course correct, I should have said 100% protected from internet borne threats. – OtisBoxcar Oct 18 '12 at 11:22
  • @OtisBoxcar Even then, that's open to interpretation. What if your smartphone gets owned remotely (sadly relatively easy to do these days) and you later plug it into your machine via USB to charge or copy files? It's internet-borne-by-proxy. – Polynomial Oct 18 '12 at 19:34
1

Answer to Q2 first: you missed a critical point in your list, and that is keeping your PDF reader, Java client software, and Flash player up to date. Keeping your OS up to date is important, but keeping these up to date is just as important, as a great deal of malware targets vulnerabilities in those packages.

As for the possibility, it's impossible to quantify as it depends on your habits and some of the security settings on your computer. Someone who uses unencrypted, free access points, has poor passwords, and whose users are all administrators is more likely to get hacked than someone who browses behind a decent ADSL firewall, has good passwords, and uses a non-administrator account.

GdD
1

The most important countermeasure that is omitted is "Do not run with administrative privilege". There are a host of other countermeasures; NIST has a published set, CIS has one, and I think the SANS top 20 are probably a critical set - but I'd also consult OWASP. I'd also add to those recommendations that you install a router with a firewall. As @polynomial stated, you also need to keep all the software on your machine up to date: Java, Adobe, Flash, QuickTime, etc. Secunia has a nice tool that assists with that.

You might check VERIS for the most common attack vectors for similar threat profiles, but working from memory, the most likely attacks are

  1. Phishing: There is no effective detection; modern adversaries can craft a message that will fool even an expert. You state that you don't open suspicious links, but I believe Moxie Marlinspike has shown that humans cannot identify suspicious vs non-suspicious links.
  2. Browser vulnerabilities: Attackers suborn websites and you can be infected merely by visiting the website.

In both of those cases there is no effective prevention - the attackers are able to craft attacks that are able to fool even an expert. Your only hope is to interrupt their attack sequence and stop the attack from completing. And that means running without admin privilege.

MCW
0

Sounds like you are pretty well covered. But this is what I can think of: Q1. What's the possibility of having my PC being hacked to steal my documents or private information? A: Depends on whether you installed a legitimate version of the operating system or not. Looking at the list of software, you are a Windows user. Windows versions prior to 2008 R2 are insecure in the sense that they allow drivers (read rootkits/bootkits) to be installed and executed before all your security software programs run to protect you. They are planning to change this with Windows 8. Even if you did install a legitimate OS, given the current security scenario (Hackers' 'Zero-Day' Exploits Stay Secret For Ten Months On Average: http://it.slashdot.org/story/12/10/17/0434200/hackers-zero-day-exploits-stay-secret-for-ten-months-on-average) you might not be safe. Adobe is the bane of all these holes.

Q2. Are there extra measures to take or tools to install that I am missing? A: Most of the tools are already listed by many here - Microsoft EMET, Sandboxie, TrueCrypt, AppLocker, etc. - but then again software is exploited easily. A recent event: 'Pinkie Pie' Wins $60K for Uncovering Google Chrome Exploit (http://www.pcmag.com/article2/0,2817,2410846,00.asp). Other than that, you do pretty much everything that is needed. Not trying to be anti-Norton, but you might want to change it to something better.

Metahuman