Slashdot Mirror


The Insecurity of Security Software

H316 writes "BusinessWeek is reporting that, despite a number of software products meant to safeguard Windows PCs from harm, a rising number of them endanger their hosts because of poor design and flaws. From the article: 'A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft products.'"

9 of 264 comments

  1. windows by Anonymous Coward · · Score: 5, Informative

    Windows seems to be responsible for that 40 million credit card breach:

    posted originally at groklaw:

    All of the marketing hype in the world cannot make Micro$oft a better system
    http://finance.messages.yahoo.com/bbs?action=m&board=1600684464&tid=cald&sid=1600684464&mid=274625
    A Tucson Arizona credit card processor has been implicated in a security breach
    which resulted in fraudulent charges and the exposure of 40 MM accounts.
    CardSystems Solutions has helpfully posted a Computer Operator job listing. This
    makes it clear that the system breached was running M$ OS.
    www.cardsystems.com/careers/ComputerOperator_0410.pdf
    A separate database developer job posting has a VBScript experience requirement,
    leading to the presumption that VBScripts were at the heart of the card
    processor's data management.
    A quality assurance job posting required experience in Windows NT and Windows
    2000. Using these obsolete systems was part of the innovative "security
    through obscurity" policy on the part of the card processors.
    http://toolbar.netcraft.com/netblock?q=UU-63-83-95,63.83.95.0,63.83.95.255
    3330975
    www.cardsystems.com
    CardSystems Solutions, Inc., 6390 East Broadway, Tucson, 85710, United
    States April 1997
    Microsoft-IIS/5.0 Windows 2000

    Mastercard is running Apache on Solaris
    http://toolbar.netcraft.com/site_report?url=http://mastercard.com
    Mastercard International
    2200 MasterCard Blvd OFallon MO US 63366
    Solaris 8 Apache/1.3.27 Unix mod_ssl/2.8.12 OpenSSL/0.9.7
    mod_perl/1.27 29-Jul-2003

    Was Mastercard to blame running a decent OS
    Or was CardSystems to blame for running Micro$oft crapware.

    1. Re:windows by Saeed+al-Sahaf · · Score: 4, Informative
      True about CardSystems Solutions being a Windows house, though I suspect it's not web site VBScript that is at the root, if anything VB6 or some .NET crap.

      As to MasterCard running Apache on Solaris, what makes you think their web server has much at all to do with back-end credit card processing?

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    2. Re:windows by Anonymous Coward · · Score: 2, Informative

      Ah, now that's not the whole picture.

      Looking through Cardsystems job section, they clearly advertise for non-MS expertise; UNIX scripting, Oracle and a bunch of other stuff besides. From the job descriptions of other jobs, it's clear that they run systems on NT and VMS servers, which - sorry to disappoint you here - is pretty standard for credit card processing. It's not security through obscurity at all, it's security through not having the latest Swiss cheese OS.

      It's also important to point out that they make PoS and client kit for transactions, which again, tends to make a lot of use of NT embedded editions. Now, how they fit into the whole 40 million credit card breach is really all speculation, isn't it? Was it their website? Was it their software? Hardware? Maybe someone socially engineered their details out of them? Happened to crack the Mastercard validation mechanism using their account? Who knows...

  2. Doesn't surprise me... by Emetophobe · · Score: 2, Informative

    I've used McAfee Antivirus for several years now. The current version I'm using relies heavily on Internet Explorer functionality to work, which is a pretty stupid design. I haven't had a virus warning in years, and McAfee and Norton are resource hogs, I don't see much point in using them anymore. I'm seriously thinking about dropping McAfee once my subscription expires and trying something else.

  3. AVG Free - infinitely better than norton, et al by abandonment · · Score: 3, Informative

    We've been running AVG for the past 3 years and it is a perfect solution for people looking to actually have a virus protection system that works.

    www.grisoft.com

    It will find a LOT of viruses/trojans etc that the 'big' software won't and is completely free for personal use (including updates, no subscriptions etc).

    AVG is one of the 3 main applications (along with ZoneAlarm & Firefox) that get put down on any machine that I'm called in 'to fix' - which happens on a weekly basis...average people think that because their computer came with Norton or McAfee that they should use it, but these programs do nothing but give a false sense of security, take up significant processor & memory resources and are basically useless in actually finding or preventing viruses etc from getting onto their machines.

  4. Re:it wasn't supposed to be like this! by Anonymous Coward · · Score: 3, Informative

    I wonder, has anyone ever investigated, researched, done any benchmarks about how many/what percentage of CPU cycles are allocated just for virus checking (and other security checks)?

    Realtime virus scans are triggered whenever an application is launched. It literally runs the application in a virtualized sandbox for a designated number of cycles while scanning the memory for heuristic patterns of virus behavior. After the designated time the checker gives up and no longer analyzes the running application.

    I will let you imagine the implications of this approach regarding security.

    But because this happens so infrequently the performance impact is negligible.

    The only way to see if a virus is running in memory is to scan the memory. The only way to do this safely to kill it is to run it in a virtual sandbox. If everyone's computers ran dog slow they'd just turn off virus scanning. This is a compromise, but be sure to keep in mind what is compromised. It only keeps out the amateurs!

  5. Consumers are still the problem by DigitalCrackPipe · · Score: 2, Informative

    Until consumers stop buying broken products just because marketing hypes it up... we'll continue to have this problem. For some reason, big business loves to buy big names even when the product is severely insufficient for the task. No, I'm not talking about OS choice (that's usually a bit more complicated), I'm talking about hardware/software that comes from a big vendor and doesn't perform as advertised. The more the inferior products are subsidized, the more big corporations are encouraged to sell them.

  6. Re:Simple, use the windows firewall and MS antivir by Master+of+Transhuman · · Score: 2, Informative


    Ahem - they BOUGHT their software from a third party.

    And yes, they WILL be charging for their full security package. Maybe not the antispyware one alone, though.

    Read this from back in January of this year (if the plans have changed, I didn't hear of it):

    Microsoft Readies 'A1' Security Subscription Service
    By Mary Jo Foley
    January 4, 2005

    Publicly, Microsoft continues to be cagey about packaging and pricing plans for its anti-spyware and anti-virus solutions. But privately, Microsoft has begun informing partners of its plans for a security subscription service code-named "A1," according to developers who requested anonymity.

    Microsoft bought anti-virus vendor GeCAD in the summer of 2003, and anti-spyware maker Giant Company Software last month. As to how it plans to deliver these technologies, Microsoft has declined to give specifics. How, when and if it will repackage GeCAD's technology remains uncertain. Ditto for Giant's--although according to the Windows enthusiast site Neowin, Microsoft is expected to field its first anti-spyware beta based on Giant's technology this week. Neowin said the anti-spyware beta is code-named "Atlanta."

    Microsoft officials have said the company is planning to make some form of its anti-spyware product available as a free tool. But that isn't the ultimate plan, partner sources said.

    Microsoft is currently expecting to field its A1 anti-spyware/anti-virus bundle in the form of a renewable subscription service, the same way a number of other security vendors do, sources said. The service will allow users to keep current on the code needed to combat ever-changing viruses, worms, spybots and the like.

    Some elements of A1 are likely to be built directly into future versions of Windows, according to partners. Specifically, some of the security management functionality, such as the security health-validation technology that Microsoft officials discussed last year, would likely be bundled into Windows itself, partners said.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  7. Re:"Security software" is an oxymoron by Foolhardy · · Score: 2, Informative
    Yes, Windows 2000 and XP CAN be brought dead to the metal in certain circumstances NOT involving hardware failure. I've seen it.
    A condition not caused by bad hardware or bad third party drivers or an admin user trying to kill it on purpose? How? You left out all the details.
    IE (a fucking WEB BROWSER) and its integration into the OS is just one example.
    The only thing that IE is integrated into is the shell environment. It has no integration with the security system or the kernel or anything else. IE is implemented by a set of user mode libraries hosted by processes that host the shell, like iexplore.exe or explorer.exe. The shell normally runs in the security context of the currently logged-on user.

    If a shell process is made to run malicious code through a vulnerability (even from a hole in IE) or user negligence, it has exactly the same rights as the current user. If the user is running a web browser as an administrator to browse untrusted sites, then that's just user stupidity. It has nothing to do with the OS's design.

    IE's integration into the Windows shell is just like KHTML's integration into KDE's shell or WebCore's integration into OSX's shell. They're each a set of standard libraries for rendering HTML for various UI components.

    Yes, the defaults for setting up a normal user account are poor. Defaults != OS design.
    Yes, there is a lot of software that needs excessive privileges to run properly. This is not the fault of the OS, but of developers who can't be bothered to write good software. The most that could be blamed on the OS design is that the security model is too complex, but even then, the errors are almost always things that would be illegal on UNIX too, like writing to the same directory that the program binaries are installed in.
    Besides, the OP's point was that Windows was ORIGINALLY not multiuser or secure and the DESIGN flaws from that are STILL present in the current versions, regardless of their current multiuser and memory protection capabilities.
    Windows NT has always had a secure, multiuser design. (unlike UNIX where security was taped on as an afterthought) Your only example about IE integration has little to do with OS security, and hardly distinguishes Windows since KDE and OSX do the same thing.

    Bring up some of the other supposedly myriad design flaws in Windows NT based OSes.