Slashdot Mirror


The Insecurity of Security Software

H316 writes "BusinessWeek is reporting that, despite a number of software products meant to safeguard Windows PCs from harm, a rising number of them endanger their hosts because of poor design and flaws. From the article: 'A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft products.'"

49 of 264 comments

  1. Insecure by MarkRose · · Score: 5, Funny

    Security software is insecure? Maybe it's just having a bad day and needs a hug. *hugs security software*

    --
    Be relentless!
    1. Re:Insecure by kfg · · Score: 3, Funny

      Why don't you just hug MS Windows instead?

      It's not good enough, it's not smart enough, and gosh darn it, people hate it.

      KFG

    2. Re:Insecure by Reaperducer · · Score: 3, Insightful

      It's official. The cure for Windows is worse than the disease.

      Sounds like a Soviet Russia joke waiting to happen.

      Imagine telling someone you don't run Norton/McAfee/etc. because it's not secure. Now you have to switch to Linux/OS X for both a more secure operating system, and more secure applications.

      --
      -- I'm old enough to have lived through six different meanings of the word "hacker."
    3. Re:Insecure by Master+of+Transhuman · · Score: 5, Funny


      Let's put it this way:

      Windows is the Paris Hilton of operating systems.

      It looks good, but it's wide open all the time.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:Insecure by stoicio · · Score: 2, Funny

      There's an open Hilton in Paris...??
      Do they take air miles?

  2. it wasn't supposed to be like this! by yagu · · Score: 4, Interesting

    Yeah, don't know if this has changed, but on one of my machines my "virus" protection software absolutely needed Internet Explorer, and would override my default browser setting to use IE for any of its "transactions"... Considering the history and track record of IE and my long ago decision to eschew any use of IE, this was upsetting to say the least. I cancelled my subscription, sent a letter, and re-upped with a different vendor. To this day, I've never gone back to check to see if this vendor has "fixed" their approach, though I never got any response to my letter. (I choose not to name names, it isn't necessarily about "them"... I find this to be a somewhat absurd universe that an entire industry has grown up around an OS stillborn in the context of capable security (not perfect, just capable!)) Heavy sigh...

    Not to worry, though, maybe an industry will spring up around the security software industry... providing us with meta-security software...! (even heavier sigh.)

    Aside: (but related), I wonder, has anyone ever investigated, researched, done any benchmarks about how many/what percentage of CPU cycles are allocated just for virus checking (and other security checks)?

    1. Re:it wasn't supposed to be like this! by RickPartin · · Score: 2, Funny

      Oh god what is really scary is that I can imagine a slick salesman selling someone Antivirus-Antivirus software. It makes sense if you are a layman.

      What happens if your antivirus software is attacked? If it goes down you are vulnerable. Here is a $20 program to protect it.

      Goodbye, I'm off to get rich.

    2. Re:it wasn't supposed to be like this! by 64nDh1 · · Score: 5, Insightful
      In my experience Norton Antivirus ignores default browsers and uses Internet Explorer when you ask it to take you to the instructions for manual virus removal.

      Norton Antivirus, despite regular updates by LiveUpdate, does not give full scans in that it does not find certain very frikkin' major trojans on any Windows system. The Shinwow virus that still resides on my XP system is a case in point, as is the Java byte exploit which allowed another user on the system to accidentally have it put there by some scurrilous website.

      On Mac Norton Antivirus lost a lot of respect, and a lot of Mac users will just tell you that AV is for suckers anyway, but Norton pissed off people when their existing disk utilities (Speed Disk, Disk Doctor I think) which handled drive optimization were not Panther compatible. Certain people (those running the 10.2 Norton on Panther 10.3) lost complete functionality on their hard drives ("churning" is how I saw it described) requiring formatting with (AFAIK) no chance of file recovery. Same goes with using Norton 9 on Tiger - don't.

      When using Norton Antivirus year on year the 'upgrades' mean that your boot time, and logon times increase. See my first point that this does not mean that you are more protected as at least one older known trojan is still undetected by a full system scan.

      If you enable Program Launch Monitoring then Norton will tell you about absolutely every little thing that accesses the internet. This is a good thing, but from what I can see, they've taken out the damn option to "Don't show me this bullshit again, of course Firefox is going online!" and it keeps happening.

      Just earlier today, I let Norton integrate itself into my Dad's mail client, Outlook Express, then I got 5 warnings that NORTON was being called by another program, and accessing the internet. This isn't even the veil of a false sense of protection. I increasingly think this junk is being coded by morons. Compared to each other, EZ Armour, eTrust Antivirus whatever it's called runs a scan faster, finds more, and I trust it more. It's not any worse to boot speeds. And while 'the devil you know is better than the devil you don't' I'm looking to return to some sort of honeymoon period so that you don't feel cheated and abused for spending on a program which you need due to stupid security holes and ignorant malicious script kiddies.

      My antivirus experience is getting so bad, and so resource intensive, that I have taken to schooling every member of my family who uses the computer and who will listen, and I am showing them how everything can be done as promptly on SuSE 9.1 Pro in KDE with Firefox and KMail. This switch has nothing to do with Windows frustrations, which are relatively minor; this is just to do with lugubrious boot times and all those lost proc cycles.

    3. Re:it wasn't supposed to be like this! by SilverspurG · · Score: 2, Interesting
      Not to worry, though, maybe an industry will spring up around the security software industry... providing us with meta-security software...! (even heavier sigh.)
      Sounds like the insurance industry. Next thing you know, you'll be receiving $500 fines for not subscribing to at least one security software scam.
      --
      fast as fast can be. you'll never catch me.
    4. Re:it wasn't supposed to be like this! by Tony-A · · Score: 2, Insightful

      Oh god what is really scary is that I can imagine a slick salesman selling someone Antivirus-Antivirus software. It makes sense if you are a layman.

      In a sense (pun intended) it's already happening. Not only is the virus called "anti" sold, it often even comes pre-installed.

      Have you ever heard of a patched roof being sounder than the original?

    5. Re:it wasn't supposed to be like this! by Anonymous Coward · · Score: 3, Informative

      I wonder, has anyone ever investigated, researched, done any benchmarks about how many/what percentage of CPU cycles are allocated just for virus checking (and other security checks)?

      Realtime virus scans are triggered whenever an application is launched. It literally runs the application in a virtualized sandbox for a designated number of cycles while scanning the memory for heuristic patterns of virus behavior. After the designated time the checker gives up and no longer analyzes the running application.

      I will let you imagine the implications of this approach regarding security.

      But because this happens so infrequently the performance impact is negligible.

      The only way to see if a virus is running in memory is to scan the memory. The only way to do this safely, to kill it, is to run it in a virtual sandbox. If everyone's computers ran dog slow they'd just turn off virus scanning. This is a compromise, but be sure to keep in mind what is compromised. It only keeps out the amateurs!

    6. Re:it wasn't supposed to be like this! by jp10558 · · Score: 2, Interesting

      Well, what I do that seems to work is use NOD32 with only on demand scanning, and use drive images to keep everything going well. But that might be beyond most non techies.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    7. Re:it wasn't supposed to be like this! by Spoing · · Score: 2, Funny
      Have you ever heard of a patched roof being sounder than the original?

      Great phrase. I'll have to keep it in mind.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  3. McAfee and Symantec are out there to make money. by CyricZ · · Score: 2, Insightful

    Companies like McAfee and Symantec are out there to make money. Their first and foremost goal is financial profit. Only then do they concern themselves with providing secure security software. It's plainly obvious that profit comes before quality when dealing with PC security software companies.

    --
    Cyric Zndovzny at your service.
  4. Meta-patches by moz25 · · Score: 3, Insightful

    Next thing you know, not only the OS and the programs that mitigate/stop the harm which patches protect against need patches, but also the program that does the patching.

    On the plus side, the patch cycle is probably a lot shorter with the security products and automated patching is less of an issue than with the OS itself, which is much more complicated and requires a ton more testing.

  5. Chocolate Sprinkles by Bimo_Dude · · Score: 3, Interesting
    I can't remember where I read it, but it goes something like this:

    "If you put chocolate sprinkles on shit, all you have is shit with sprinkles on top."

    The point being, the software that runs on top of any OS can only be as secure as the OS itself.

    --
    "Teleporting Rodents with D-Cell Battery Displacement" theory -- IgnoramusMaximus (692000)
  6. Verisign by tehshen · · Score: 4, Insightful

    "Software is software," says Ken Silva, chief security officer for VeriSign. "I wouldn't classify it as a failure on the part of the security industry. Hackers are just getting a little smarter."

    If hackers (crackers?) are getting smarter, and the security industry isn't catching up with them, then I'd say it's definitely the industry's fault.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
  7. windows by Anonymous Coward · · Score: 5, Informative

    Windows seems to be responsible for that 40 million credit card breach:

    posted originally at groklaw:

    All of the marketing hype in the world cannot make Micro$oft a better system
    http://finance.messages.yahoo.com/bbs?action=m&board=1600684464&tid=cald&sid=1600684464&mid=274625
    A Tucson, Arizona credit card processor has been implicated in a security breach
    which resulted in fraudulent charges and the exposure of 40 MM accounts.
    CardSystems Solutions has helpfully posted a Computer Operator job listing. This
    makes it clear that the system breached was running M$ OS.
    www.cardsystems.com/careers/ComputerOperator_0410.pdf
    A separate database developer job posting has a VBScript experience requirement,
    leading to the presumption that VBScripts were at the heart of the card
    processor's data management.
    A quality assurance job posting required experience in Windows NT and Windows
    2000. Using these obsolete systems was part of the innovative "security
    through obscurity" policy on the part of the card processor.
    http://toolbar.netcraft.com/netblock?q=UU-63-83-95,63.83.95.0,63.83.95.255
    3330975
    www.cardsystems.com
    CardSystems Solutions, Inc., 6390 East Broadway, Tucson, 85710, United
    States April 1997
    Microsoft-IIS/5.0 Windows 2000

    Mastercard is running Apache on Solaris
    http://toolbar.netcraft.com/site_report?url=http://mastercard.com
    Mastercard International
    2200 MasterCard Blvd OFallon MO US 63366
    Solaris 8 Apache/1.3.27 Unix mod_ssl/2.8.12 OpenSSL/0.9.7
    mod_perl/1.27 29-Jul-2003

    Was Mastercard to blame, running a decent OS,
    or was CardSystems to blame for running Micro$oft crapware?

    1. Re:windows by Saeed+al-Sahaf · · Score: 4, Informative
      True about CardSystems Solutions being a Windows house, though I suspect it's not web site VBScript that is at the root, if anything VB6 or some .NET crap.

      As to MasterCard running Apache on Solaris, what makes you think their web server has much at all to do with back-end credit card processing?

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    2. Re:windows by Anonymous Coward · · Score: 2, Informative

      Ah, now that's not the whole picture.

      Looking through Cardsystems' job section, they clearly advertise for non-MS expertise; UNIX scripting, Oracle and a bunch of other stuff besides. From the job descriptions of other jobs, it's clear that they run systems on NT and VMS servers, which - sorry to disappoint you here - is pretty standard for credit card processing. It's not security through obscurity at all, it's security through not having the latest Swiss cheese OS.

      It's also important to point out that they make PoS and client kit for transactions, which again, tends to make a lot of use of NT embedded editions. Now, how they fit into the whole 40 million credit card breach is really all speculation isn't it. Was it their website? Was it their software? Hardware? Maybe someone socially engineered their details out of them? Happened to crack the Mastercard validation mechanism using their account? Who knows...

  8. And this report is funded by whom? by Psionicist · · Score: 3, Interesting

    Anyone here actually trust Yankee Group anymore? Remember this? http://linux.slashdot.org/article.pl?sid=05/04/05/007214&tid=163&tid=187&tid=109&tid=98&tid=106 Well, it turned out that the study was funded by a Windows house: http://filtered.typepad.com/markjones/2004/04/about_face_on_y.html "The survey was funded and carried out by Sunbelt Software, a vendor of Windows utilities, which publicised the survey through a mailing list called W2Knews, which bills itself as 'The world's first and largest e-zine designed for NT/2000 System Admins and Power Users'."

    So who funded this report?

  9. "Security software" is an oxymoron by Anonymous Coward · · Score: 4, Funny
    You get security by having a secure design. If you need to kludge on some software to take the existing non-secure design and patch it up, that proves that the resulting system is also not going to be secure.

    Linux is somewhat ahead in this in that protected memory is part of its "DNA", unlike Windows which ultimately comes from the culture of DOS, which has no protected memory and is not multi-user.

    But still, Linux is only just a little bit better. We need to move to real secure designs such as:

  10. Re:McAfee and Symantec are out there to make money by Raul654 · · Score: 4, Insightful

    I'm reminded of the Chris Rock sketch where he talks about doctors finding cures for diseases. He asks when was the last time you heard about doctors finding a cure for a disease. It's been a long time. Why? Because there isn't any money in the cure.

    --
    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
  11. For secure applications, don't use a PC. by CyricZ · · Score: 4, Interesting

    It's painfully obvious that for any applications requiring real security, you just plain shouldn't use a PC. I got ragged on a lot by my coworkers, but I always recommended an OpenVMS (on Alpha or real VAX) solution. Funnily enough, that stopped after their PC based solutions running Windows 2003 Server were cracked on a weekly basis. And that was on one of our smaller, less known websites. Our major web sites, which we run off of our OpenVMS cluster, remain completely secure.

    Indeed, VMS offers the best combination of security through security and security through obscurity. The system itself is inherently rock-solid, stable and secure. Combined with the fact that most script kiddie crackers, and even some of the more seasoned pros, lack basic VMS knowledge, you're looking at very reliable systems from a security standpoint. The chance of becoming the victim of crackery is very minor.

    --
    Cyric Zndovzny at your service.
  12. Just moves the goalposts of 'Trust' by Anonymous Coward · · Score: 4, Insightful

    Instead of fixing the underlying problem most 'security software' (at least at the desktop users end of things) is a patch which restricts, inhibits or breaks some 'weak' feature of the code beneath it. Adding further layers of complexity only increases the chances of creating further holes with the added danger that users feel protected and hence don't pay attention to simple day to day good security practices.

    As time goes by I am becoming fascinated by the whole 'security software industry'. It doesn't take a leap of tin foil hat conspiracy theory to get to wonder whether large companies with a vested interest in there being malware in the environment, and who admittedly employ virus writers, might not be playing with an entirely straight bat when it comes to ethics. I wonder if someday soon we will see 'proof' of this in some form when it becomes apparent that a 'security' company had a priori knowledge (i.e. they wrote it) of a nasty virus which then went on to cause a lot of damage out there. Holes in their software come as no surprise. In fact when you use a security product you are handing over huge amounts of trust to the writers. Do I trust Symantec et al.? No way, for one I haven't seen their source.

    1. Re:Just moves the goalposts of 'Trust' by slavemowgli · · Score: 4, Insightful

      Here's some food for thought with regard to anti-virus companies possibly being responsible for (some) viri.

      If you look at the computer viri there were in the last 20 or 25 years, there are of course many trends, but one in particular stands out: there has been a huge shift from destructive to non-destructive viri. Remember things like Michelangelo, Stoned and so on? Many of these were actually doing damage - they'd delete your harddisk on certain dates, or overwrite files on access, or other such things.

      However, things have changed: these days, at least 99% of all viri, worms, trojans and other malware seem to be content to simply reproduce as much as possible instead of carrying an actually destructive payload. Some might be used to send spam, perform (distributed) DoS attacks and the like and thus cause economic damage, true; but the individual users' boxes are typically unaffected (except for slowdowns and similar things).

      Why did this happen? One might argue that the reason is simply that virus writers don't want to bite off the hand that distributes them anymore, or that dead zombies are useless for launching attacks against third parties. But it could also conceivably be an indication that it's different people who write viri these days, with different motivations, different limits, and different morals. And the idea that (some) anti-virus companies are secretly helping out with the creation of new malware doesn't seem so far-fetched anymore when you take into account that with a non-destructive worm, it's much easier to convince yourself that you're not doing *real* damage - especially if there's also the prospect of making money, which probably already has weakened your morals.

      --
      quidquid latine dictum sit altum videtur.
  13. Walk through Best Buy by suitepotato · · Score: 3, Insightful

    See how many anti-spyware, anti-virus, anti-malware apps there are on sale there, with names you've likely never ever heard of. People who cannot even write semi-reliable shareware are now writing these things, and people like gullible fools are buying them.

    On the other side, you have companies like Symantec and McAfee whose best written and supported products have been known to totally hose business PCs at the drop of a hat. Secure? I don't trust them to run correctly, never mind actually do what they were installed for.

    None of this is very new, most of it seems obvious, and it is truly sad that so many will read this and think it a groundbreaking notice instead of the afterthought by the IT world which it is. The horses are out of the barn, and now people are realizing that they got out because they tried using screen doors to hold them in, and they will predictably go look for spline and a tool to put more screening in.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  14. More products... by Anonymous Coward · · Score: 2, Funny

    Well, the answer here is simple. We need more security products to secure the security products that are securing Windows!

  15. Re:For secure applications, don't use a PC. by A+beautiful+mind · · Score: 3, Insightful

    "Combined with the fact that most script kiddie crackers, and even some of the more seasoned pros, lack basic VMS knowledge, you're looking at very reliable systems from a security standpoint."

    Security by obscurity, security nonetheless. But, as some wise man once said something like this: you can increase a system's security right down to unusability. Security only makes sense when you gain from using it. Personally I do not see the point of using VMS as a webserver, when you could run it for example on OpenBSD, which would probably decrease security a bit, but improve your productivity a lot. I'm sorry, the DCL-hating person speaks from me. ;)

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  16. This is surprising? by Debiant · · Score: 4, Interesting

    I've avoided anti-virus programs far as I can recall. I use them, but I don't like to run them in real time or pay too much for them.

    Basic problem with them is that they're just more complex code above already complex code, that tries to fix the problems that are mainly caused by that complexity in the first place.

    Result is a much slower computer that the anti-virus software inadvertently affects like a virus would.
    Stopping programs, and causing something to not work correctly.

    All virus programs are basically parasites, anti-virus programs are just bigger parasites far as I'm concerned.
    They have their place, but they should be simple, free and not be the answer for security. When they are not, they're themselves a risk.

    --
    Nobody knows the trouble I've seen, nobody knows has the trouble seen me, even I sometimes wonder why I write these line
  17. I find it supremely ironic by saskboy · · Score: 2, Insightful

    The irony is almost delicious: after using my computer for years without any antivirus program installed on it and not having a single infection, I managed to get my first virus through a website and a Java flaw after installing AVG antivirus.

    Now Zone Alarm, Black Ice Defender, Symantec, and more have found serious flaws in their security products that actually make them VECTORS for infection by executing the viruses they are designed to detect and safely remove or block. It doesn't make me feel bad at all for using a naked computer all those years, as I may have had fewer unpatched/unknown vectors for infection than if I was running something like Zone Alarm all the time [although to be fair to them, the Windows hole count is far from over].

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  18. Non-Security by Saeed+al-Sahaf · · Score: 2, Interesting
    also the fault of the users who become overly confident that nothing can harm their computers

    But it is the security firms that promote this idea that if you run their software, your box is "bullet proof". The truth is that these companies are mercenary, and would say just about anything to get people to buy the latest version and then subscribe to updates. I'm not a tinfoil hat type, but there are some who have said such companies have no interest at all in reduction of threats, because it results in lower sales.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  19. Simple, use the windows firewall and MS antivirus by Glamdrlng · · Score: 4, Interesting

    I'm sure it's just a coincidence that the Yankee Group, who are not exactly known for their impartiality, have released a report saying that 3rd party security apps (read that, AV, firewall, and spyware blockers) are insecure just as Microsoft gets ready to take their spyware software out of beta and unveil their antivirus software. Riiiight.

    --
    Yes, my only tool is a hammer. And you're starting to look like a nail.
  20. Doesn't surprise me... by Emetophobe · · Score: 2, Informative

    I've used McAfee Antivirus for several years now. The current version I'm using relies heavily on Internet Explorer functionality to work, which is a pretty stupid design. I haven't had a virus warning in years, and McAfee and Norton are resource hogs, so I don't see much point in using them anymore. I'm seriously thinking about dropping McAfee once my subscription expires and trying something else.

  21. Aside on an aside by 93+Escort+Wagon · · Score: 2, Interesting

    "Aside: (but related), I wonder, has anyone ever investigated, researched, done any benchmarks about how many/what percentage of CPU cycles are allocated just for virus checking (and other security checks)?"

    On a related note - aren't some of those cpu-cycle-eating virus scan options rather redundant? (Serious question) if you've enabled on-the-fly virus scanning of reads/writes from/to the disk, aren't the other options - incoming email scans, for instance - unnecessary? I guess I'm wondering which "added protections" are driven by marketing rather than actual need.

    --
    #DeleteChrome
  22. This is very true by DigitlDud · · Score: 2, Interesting

    When Microsoft turned on the automated bug reporting in XP the biggest reported cause of crashes was video drivers. But second to that was security software. Virus scanners and the like. Security software has a tendency to dig deep into the system and then crash. Virus scanners will install low-level file system filters to intercept activity, and then have a buffer overflow, bringing the whole system down with it.

    Of course, since this was found out, Microsoft has been holding security software conferences and getting vendors to fix their shit. And Longhorn tries to more actively fix the problem by sandboxing kernel file system filters among other things.

  23. Re:"Security software" is an oxymoron by Couldn'tCareLess · · Score: 3, Funny
    ...but come on man. It's 2006...
    What?! Shit, shit, shit! Last night was heavier than I thought...

  24. AVG Free - infinitely better than norton, et al by abandonment · · Score: 3, Informative

    We've been running AVG for the past 3 years and it is a perfect solution for people looking to actually have a virus protection system that works.

    www.grisoft.com

    It will find a LOT of viruses/trojans etc that the 'big' software won't and is completely free for personal use (including updates, no subscriptions etc).

    AVG is one of the 3 main applications (along with ZoneAlarm & Firefox) that get put down on any machine that I'm called in 'to fix' - which happens on a weekly basis... average people think that because their computer came with Norton or McAfee that they should use it, but these programs do nothing but give a false sense of security, take up significant processor & memory resources and are basically useless in actually finding or preventing viruses etc. from getting onto their machines.

    1. Re:AVG Free - infinitely better than norton, et al by Spoing · · Score: 2, Insightful

      Virus detection software isn't security. It's a patch for faulty or insecure system design. That's why it's not needed on very many systems these days.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    2. Re:AVG Free - infinitely better than norton, et al by Krimszon · · Score: 2, Insightful

      Basically useless?

      I run McAfee, and of course I don't know how it's programmed, and I agree it uses a lot of memory and sometimes a lot of CPU as well, but useless? No, I wouldn't agree. I've been virus-free for at least 4 years, and the firewall notifies me at least once every 2 days that some computer is trying to access my computer. Are you saying I do have viruses and that the notifications are false positives?

  25. Update on My Client's Trojan Problems by Master+of+Transhuman · · Score: 4, Interesting


    I loaded a thirty-day trial version of TDS-3 on her machine and found there were only a couple trojans left.

    One of them was that goddamn crap that names a file "t?skmgr.exe" - so that you can't delete it from the XP Recovery Console because stupid Microsoft won't let the RC delete command run wildcards (for "security" reasons, right?), and you can't SEE it in Explorer because it looks just like taskmgr.exe, so you can only tell which one it is by looking at where they appear in the file listing. Then they make it a hidden, system and read-only file and of course it's in use by a process, so Windows won't let you touch it.

    Bart's PE and Knoppix couldn't help me with this one.

    Acting on a tip from the Net, I loaded Winfile, the old Windows NT file manager, and managed to rename it, move it to another directory, so it couldn't be run, and after rebooting into safe mode, I could delete it.

    The other trojan was the one that originally was driving me nuts. I forget how I finally got rid of that one.

    There was still at least one spyware somewhere, so I loaded HijackThis on and got rid of some more crap.

    And finally I found a "Security Agent" from "CastleCops" which was actually a trojan. The service was running but the rest of it had already been cleaned, so I disabled the service.

    Plus I went into the Registry and clobbered everything I could find that wasn't a known user, Microsoft or Dell installed program. I think I cleaned out a lot of spyware keys that even all the other antispyware programs didn't find.

    Then I checked the client's account status and found she was running as Administrator, so I switched her to limited. That caused TDS-3 to stop working under her account (apparently it needs not only Admin status to install, but to run, no surprise given what it does). I got confused by XP's stupid "tri-mod flag" technique of labeling all file folders faux "read-only" into thinking somehow the disk was screwed, but I finally determined that was not the case. So she's back to running as Administrator until I can tell her to create a new account (because I don't know what's been installed by her as Administrator so I don't think it's safe to just change her back to limited - something other than TDS-3 might break) and move her desktop icons over to the new profile.

    She seems to be clean now - no system error messages, no popups, and the system seems stable.

    It only took me another eight hours - mostly because I don't have a Bart's PE and Knoppix that's REALLY loaded with anti-trojan, AV, spyware and other tools. That's my next project - buff up my bootable tools so I can access ANY file ANYWHERE and kill it.

    If I get my hands on the asshole who wrote that "PurityScan" adware trojan, I'm gonna nail his knees to the floor with railroad spikes - so he stays put while I really do some damage to him.

    Somebody needs to start scanning Web sites where this crap comes from, report the assholes to the law, and get the lot thrown in jail. NONE of this stuff came in through email because my client uses Web mail exclusively. That means it came from Web sites. So why not set up a Web scanner that visits suspicious Web sites, downloads this crap into a sandbox, logs everything as evidence, then publishes it as a blacklist - a "reverse honeypot"?

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    1. Re:Update on My Client's Trojan Problems by Foolhardy · · Score: 2, Interesting

      For deleting/moving files that are in use, take a look at the PendingFileRenameOperations value under the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager key. This value is a multi-string set of pairs of filenames: the first in each pair is the source file and the second is the destination. If the destination is blank, the source file is deleted. The session manager does this very early in the boot process, before any other user-mode processes have started. The file paths are native NT, not Win32, so there are no wildcards and you'll have to prefix the paths with \??\ if you want to use drive letters.
      For example, set the first two strings to \??\C:\WINDOWS\system32\t?skmgr.exe and blank to delete t?skmgr.exe on next reboot.
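      The mechanism described in the reply above, as an added PowerShell example that is not part of the original thread. It queues a delete-on-reboot entry in PendingFileRenameOperations and lists whatever is already queued, which is also worth reading during a cleanup, since anything that can write HKLM can use the same value to rename or delete files before any scanner starts. Assumptions: it is run from an Administrator PowerShell session; the target path is a placeholder for the file you actually want gone; the function names are the example's own.

```powershell
# Added example: queue a file deletion through PendingFileRenameOperations.
# Not code from the thread. Run as Administrator; the target path below is a
# placeholder. The value is REG_MULTI_SZ holding (source, destination) pairs;
# an empty destination means "delete". Paths are native NT paths, so drive
# letters need the \??\ prefix and no wildcards are expanded.

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Name = 'PendingFileRenameOperations'

function Get-PendingFileOps {
    # Decode the queued pairs so you can see what will happen at next boot.
    $raw = @((Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name)
    if ($raw.Count -eq 0) { return }
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $dst = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] } else { '' }
        [pscustomobject]@{
            Source      = $raw[$i]
            Destination = $dst
            Action      = if ([string]::IsNullOrEmpty($dst)) { 'Delete' } else { 'Rename' }
        }
    }
}

function ConvertTo-NtPath([string]$Win32Path) {
    # \??\C:\dir\file is the native form of C:\dir\file; leave native paths alone.
    if ($Win32Path.StartsWith('\??\')) { return $Win32Path }
    if ($Win32Path -notmatch '^[A-Za-z]:\\') {
        throw "Expected an absolute drive-letter path, got: $Win32Path"
    }
    return '\??\' + $Win32Path
}

function Add-DeleteOnReboot([string]$Path) {
    # Append (source, "") so Session Manager deletes the file early in boot,
    # before the process holding it open has a chance to start.
    $existing = @((Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name |
                  Where-Object { $_ -ne $null })
    $updated = $existing + @((ConvertTo-NtPath $Path), '')
    # The value must stay REG_MULTI_SZ; force the type rather than writing a string.
    Set-ItemProperty -Path $Key -Name $Name -Value ([string[]]$updated) -Type MultiString
}

# Placeholder target (hypothetical file name, not a real sample):
Add-DeleteOnReboot 'C:\WINDOWS\system32\EXAMPLE-unwanted.exe'
Get-PendingFileOps | Format-Table -AutoSize
```

      Two caveats a practitioner would want: appending rather than overwriting matters because Windows Installer and MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) may already have entries queued, and deleting a file this way does nothing about the service or Run key that launched it, so remove the launcher first or the binary may simply be re-dropped.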

  26. Consumers are still the problem by DigitalCrackPipe · · Score: 2, Informative

    Until consumers stop buying broken products just because marketing hypes it up... we'll continue to have this problem. For some reason, big business loves to buy big names even when the product is severely insufficient for the task. No, I'm not talking about OS choice (that's usually a bit more complicated), I'm talking about hardware/software that comes from a big vendor and doesn't perform as advertised. The more the inferior products are subsidized, the more big corporations are encouraged to sell them.

  27. Re:Simple, use the windows firewall and MS antivir by Master+of+Transhuman · · Score: 2, Informative


    Ahem - they BOUGHT their software from a third party.

    And yes, they WILL be charging for their full security package. Maybe not the antispyware one alone, though.

    Read this from back in January of this year (if the plans have changed, I didn't hear of it):

    Microsoft Readies 'A1' Security Subscription Service
    By Mary Jo Foley
    January 4, 2005

    Publicly, Microsoft continues to be cagey about packaging and pricing plans for its anti-spyware and anti-virus solutions. But privately, Microsoft has begun informing partners of its plans for a security subscription service code-named "A1," according to developers who requested anonymity.

    Microsoft bought anti-virus vendor GeCAD in the summer of 2003, and anti-spyware maker Giant Company Software last month. As to how it plans to deliver these technologies, Microsoft has declined to give specifics. How, when and if it will repackage GeCAD's technology remains uncertain. Ditto for Giant's--although according to the Windows enthusiast site Neowin, Microsoft is expected to field its first anti-spyware beta based on Giant's technology this week. Neowin said the anti-spyware beta is code-named "Atlanta."

    Microsoft officials have said the company is planning to make some form of its anti-spyware product available as a free tool. But that isn't the ultimate plan, partner sources said.

    Microsoft is currently expecting to field its A1 anti-spyware/anti-virus bundle in the form of a renewable subscription service, the same way a number of other security vendors do, sources said. The service will allow users to keep current on the code needed to combat ever-changing viruses, worms, spybots and the like.

    Some elements of A1 are likely to be built directly into future versions of Windows, according to partners. Specifically, some of the security management functionality, such as the security health-validation technology that Microsoft officials discussed last year, would likely be bundled into Windows itself, partners said.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  28. No profit motive by Create+an+Account · · Score: 2, Insightful

    I disagree. Remember the browser wars? By the time enough people were objecting to the bundling of IE with Windows, it was too late. The consequence? Browser monoculture.

    When MS bundles AV software with the OS, it is too easy for Joe Sixpack to adopt that as his AV solution. Then it's MS de facto standards for Windows, Office, and computer security. Even harder to get people to switch.

    When MS offers another "secure computing" initiative that 'natively' integrates with MS AV, adoption is immediate and almost total across the Windows install base. The fact that the "secure computing" initiative contains strong IP protection, and maybe hardware integration, and maybe transparent usage reporting is never made clear to the average end user.

    Never assume that an attempt to increase market share/integration/adoption by MS does not have a profit motive. There are few altruists working on Redmond Campus.

  29. Re:"Security software" is an oxymoron by Foolhardy · · Score: 2, Informative
    Yes, Windows 2000 and XP CAN be brought dead to the metal in certain circumstances NOT involving hardware failure. I've seen it.
    A condition not caused by bad hardware or bad third party drivers or an admin user trying to kill it on purpose? How? You left out all the details.
    IE (a fucking WEB BROWSER) and its integration into the OS is just one example.
    The only thing that IE is integrated into is the shell environment. It has no integration with the security system or the kernel or anything else. IE is implemented by a set of user mode libraries hosted by processes that host the shell, like iexplore.exe or explorer.exe. The shell normally runs in the security context of the currently logged-on user.

    If a shell process is made to run malicious code through a vulnerability (even from a hole in IE) or user negligence, it has exactly the same rights as the current user. If the user is running a web browser as an administrator to browse untrusted sites, then that's just user stupidity. It has nothing to do with the OS's design.

    IE's integration into the Windows shell is just like KHTML's integration into KDE's shell or WebCore's integration into OSX's shell. They're each a set of standard libraries for rendering HTML for various UI components.

    Yes, the defaults for setting up a normal user account are poor. Defaults != OS design.
    Yes, there is a lot of software that needs excessive privileges to run properly. This is not the fault of the OS, but of developers who can't be bothered to write good software. The most that could be blamed on the OS design is that the security model is too complex, but even then, the errors are almost always things that would be illegal on UNIX too, like writing to the same directory that the program binaries are installed in.
    Besides, the OP's point was that Windows was ORIGINALLY not multiuser or secure and the DESIGN flaws from that are STILL present in the current versions, regardless of their current multiuser and memory protection capabilities.
    Windows NT has always had a secure, multiuser design. (unlike UNIX where security was taped on as an afterthought) Your only example about IE integration has little to do with OS security, and hardly distinguishes Windows since KDE and OSX do the same thing.

    Bring up some of the other supposedly myriad design flaws in Windows NT based OSes.
  30. Complex systems have more potential attack vectors by Spoing · · Score: 2, Insightful
    That's much of the reason for my sig.

    Why is this such a mystery?

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  31. Re:Norton by anubi · · Score: 2, Interesting
    I have noted this paradigm since I loaded my first antiviral products for Win95.

    My system slowed to a crawl. I do a lot of CAD design, and the responsiveness of my system is very important to me, as I do a lot of independent work and I am working on my own time, not paid by the hour like a lot of corporate stuff.

    So, I nixed the constant scanning, as well as the routes viruses routinely come in ( javascript, Microsoft Outlook, unverified but suspected plug-ins such as RealPlayer, etc. ). Yes, I still run ZoneLabs firewall which lets me know if some site I hit upon is likely to be hostile by the relentless torrent of port connection attempts some unleash on me. Or if I hit upon business sites which require me to enable JavaScript or use some proprietary technology for them, I regard them with the same distrust they might regard me with if I asked them to leave the till of their cash register open, don a blindfold, and trust me not to rummage through their cash. I am fully aware they are asking me to open channels which are used as viral conduits into my machine.

    I do like to run integrity monitors from time to time to see if any of my core files have changed, as I still run old DOS/WIN95 installations, and it is simple enough to lock down a few core files and processes, as WIN95 was coded in a day where acceptance of new technology was highly dependent upon understanding of how it worked.

    All of my debugging tools (SoftICE, WDASM, IDA ) work great with the old code - if I have any rough edges with anything, it's easy enough to open up and fix. That's something I flat can not do with today's technologies, whose security lies in keeping people like me ignorant of the inner workings of critical computational infrastructures so that someone else can produce code I can neither alter nor verify the true intents of. My own take is the latter code is made mostly for corporations who settle disputes with negotiators and litigation, not a debugger.

    If people only knew how their stuff worked, we would not need antivirals.

    But then, IP protection would not be possible either.

    As a people, we must decide which is more important to our survival - seeing to it our needs are met by fully comprehending how our stuff works, or seeing to it that others have a right to keep the rest of ignorant, and trust them to "do the right thing".

    We are heading down a slippery slope these days.

    You think the DOS attacks against servers are bad? Just wait for the next wave of viruses which are not designed to snoop, but to alter the machine just enough so its hyper-security software detects the hiccup and uses its full authority to deny obeyance to its own legal rightful owners...

    I see the day coming when some huge corporation gets locked out of its own database by some trivial little data manipulator function over some expiring authorization code embedded by some little no-name contractor several years ago... The database is locked. Strong hardware security locks prevent bypass. The contractor died. How do you handle a problem like this through legal means? Sue God to have Him resurrect the dead programmer so he can reauthorize the code?

    Or, as one old wise man told me, "Trust, but verify".

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  32. I feel vindicated by Moraelin · · Score: 2, Interesting

    As I've been saying before, it's not just that they're insecure too, it's that it's a pain even when working as intended. In fact, it's often worse not just than Windows's being vulnerable, but actually worse than being virused.

    They're slow for a start. At work we've tried copying the same large directory full of many small source files to a file server, once with Norton Antivirus running on the workstation and once without. Without it takes tens of seconds. With it, it takes slightly over 40 minutes.

    And we're talking pretty good workstations. I hate to think of the poor bugger running it at home on some Cyrix 300+ box. (Yes, there are quite a few of those still in use.) I believe being virused and spywared six ways to sunday wouldn't slow their machine as much.

    But wait, it goes downhill from there.

    At one point I wanted to install Windows 2000 on a new machine. As fate would have it, I didn't have a firewall on a CD, and didn't know yet about the IPSec filtering built into Windows itself. (Yeah, noob.) So I decide to make a sacrificial install, let it get virused (took 10 seconds flat) while I download a firewall, then format and reinstall.

    But then I get curious, and after blocking the ports, I try to play with the virus. The saddest part? Installing Norton didn't even recognize it. The almost as sad part? It slowed down the machine more than the virus did.

    And then it goes even more downhill, e.g., McAffee. Ooer. Now that was a festering piece of crap.

    1. Probably the "least" of problems: the ActiveX updater requires IE to run, but it's too stupid to actually launch IE. It launches whatever default browser is currently configured, e.g., Mozilla or Opera, and then can't update. So basically if you installed Mozilla or Opera on someone's computer to protect them from IE exploits, they won't be able to update McAffee. Stupid.

    2. At one point, after an update, I ended up with _two_ versions of it running at the same time. Presumably because the original installation was on the "D:" drive, while the stupid updater installed the new version to the default directory on "C:". So then I had both running at the same time (and slowing down the machine accordingly.)

    It's just sad, folks. You know that a piece of software is written by retarded monkeys when it can't even remember a simple setting like the install directory.

    3. Their "privacy" part, and the fashionable rushing to proclaim _any_ cookies as "spyware", basically made it impossible to use any web site that requires login.

    4. When uninstalling it, point 2 struck again. It only uninstalled one of the versions, and left the other running. With no obvious uninstaller entry, or any other recourse than to manually edit the registry and manually delete files. (Did I mention "coded by clueless monkeys" yet?)

    And so on.

    And then there's the occasional over-reacting oddball, like G-Data, which (among other nuissances) quarantined all versions of MIRC I had downloaded or installed, for no reason than IRC being in their opinion a security risk. Not a discovered vulnerability in it, not a virus, just an opinion that IRC is bad. Right. So does that mean they'll quarantine IE and Outlook Express soon too, or? Disable the TCP/IP stack because that's where viruses come from? Or?

    Or, G-Data again, which still can't keep their code and data segments separated, so it won't run with the NX (no execute) bit protection in XP. Riiight. So a security product can't deal with the Windows security option that prevents buffer overflow attacks. I'm impressed.

    I dunno, it's an industry that I find outright sad. Now I can understand a corporate intranet blog site, or something else that doesn't really matter, being coded by cheap monkeys off the street and designed by marketroids purely for buzzwords' sake. ("Oooh, let's _pretend_ we save them from spyware too.") But from an industry whose self-proclaimed goal is to make Windows secure, they have no excuse for doing such a half-arsed job.

    --
    A polar bear is a cartesian bear after a coordinate transform.