Slashdot Mirror


The Insecurity of Security Software

H316 writes "BusinessWeek is reporting that, despite a number of software products meant to safeguard Windows PCs from harm, a rising number of them endanger their hosts because of poor design and flaws. From the article: 'A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft products.'"

15 of 264 comments

  1. Insecure by MarkRose · · Score: 5, Funny

    Security software is insecure? Maybe it's just having a bad day and needs a hug. *hugs security software*

    --
    Be relentless!
    1. Re:Insecure by Master of Transhuman · · Score: 5, Funny


      Let's put it this way:

      Windows is the Paris Hilton of operating systems.

      It looks good, but it's wide open all the time.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  2. it wasn't supposed to be like this! by yagu · · Score: 4, Interesting

    Yeah, don't know if this has changed, but on one of my machines my "virus" protection software absolutely needed Internet Explorer, and would override my default browser setting to use IE for any of its "transactions"... Considering the history and track record of IE and my long ago decision to eschew any use of IE this was upsetting to say the least. I cancelled my subscription, sent a letter, and re-upped with a different vendor. To this day, I've never gone back to check to see if this vendor has "fixed" their approach, though I never got any response to my letter. (I choose not to name names, it isn't necessarily about "them"...) I find this to be a somewhat absurd universe that an entire industry has grown up around an OS stillborn in the context of capable security (not perfect, just capable!) Heavy sigh...

    Not to worry, though, maybe an industry will spring up around the security software industry... providing us with meta-security software...! (even heavier sigh.)

    Aside: (but related), I wonder, has anyone ever investigated, researched, done any benchmarks about how many/what percentage of CPU cycles are allocated just for virus checking (and other security checks)?

    1. Re:it wasn't supposed to be like this! by 64nDh1 · · Score: 5, Insightful
      In my experience Norton Antivirus ignores default browsers and uses Internet Explorer when you ask it to take you to the instructions for manual virus removal.

      Norton Antivirus, despite regular updates by LiveUpdate, does not give full scans in that it does not find certain very frikkin' major trojans on any Windows system. The Shinwow virus that still resides on my XP system is a case in point, as is the Java byte exploit which allowed another user on the system to accidentally have it put there by some scurrilous website.

      On Mac Norton Antivirus lost a lot of respect, and a lot of Mac users will just tell you that AV is for suckers anyway, but Norton pissed off people when their existing disk utilities (Speed Disk, Disk Doctor I think) which handled drive optimization was not Panther compatible. Certain people (those running the 10.2 Norton on Panther 10.3) lost complete functionality on their hard drives ("churning" is how I saw it described) requiring formatting with (AFAIK) no chance of file recovery. Same goes with using Norton 9 on Tiger - don't.

      When using Norton Antivirus year on year the 'upgrades' mean that your boot time, and logon times increase. See my first point that this does not mean that you are more protected as at least one older known trojan is still undetected by a full system scan.

      If you enable Program Launch Monitoring then Norton will tell you about absolutely every little thing that accesses the internet. This is a good thing, but from what I can see, they've taken out the damn option to "Don't show me this bullshit again, of course Firefox is going online!" and it keeps happening.

      Just earlier today, I let Norton integrate itself into my Dad's mail client, Outlook Express, then I got 5 warnings that NORTON was being called by another program, and accessing the internet. This isn't even the veil of a false sense of protection. I increasingly think this junk is being coded by morons. Compared to each other, EZ Armour, eTrust Antivirus whatever it's called runs a scan faster, finds more, and I trust it more. It's not any worse to boot speeds. And while 'the devil you know is better than the devil you don't' I'm looking to return to some sort of honeymoon period so that you don't feel cheated and abused for spending on a program which you need due to stupid security holes and ignorant malicious script kiddies.

      My antivirus experience is getting so bad, and so resource intensive, that I have taken to schooling every member of my family who use the computer and who will listen, and I am showing them how everything can be done as promptly on SuSE 9.1 Pro in KDE with Firefox and KMail. This switch is nothing to do with Windows frustrations which are relatively minor, this is just to do with lugubrious boot times and all those lost proc cycles.

  3. Verisign by tehshen · · Score: 4, Insightful

    "Software is software," says Ken Silva, chief security officer for VeriSign. "I wouldn't classify it as a failure on the part of the security industry. Hackers are just getting a little smarter."

    If hackers (crackers?) are getting smarter, and the security industry isn't catching up with them, then I'd say it's definitely the industry's fault.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
  4. windows by Anonymous Coward · · Score: 5, Informative

    Windows seems to be responsible for that 40 million credit card breach:

    posted originally at groklaw:

    All of the marketing hype in the world cannot make Micro$oft a better system
    http://finance.messages.yahoo.com/bbs?action=m&board=1600684464&tid=cald&sid=1600684464&mid=274625
    A Tucson Arizona credit card processor has been implicated in a security breach
    which resulted in fraudulent charges and the exposure of 40 MM accounts.
    CardSystems Solutions has helpfully posted a Computer Operator job listing. This
    makes it clear that the system breached was running M$ OS.
    www.cardsystems.com/careers/ComputerOperator_0410.pdf
    A separate database developer job posting has a VBScript experience requirement,
    leading to the presumption that VBScripts were at the heart of the card
    processors data management.
    A quality assurance job posting required experience in Windows NT and Windows
    2000. Using these obsolete systems was part of the innovative "security
    through obscurity" policy of the part of the card processors.
    http://toolbar.netcraft.com/netblock?q=UU-63-83-95,63.83.95.0,63.83.95.255
    3330975
    www.cardsystems.com
    CardSystems Solutions, Inc., 6390 East Broadway, Tucson, 85710, United
    States April 1997
    Microsoft-IIS/5.0 Windows 2000

    Mastercard is running Apache on Solaris
    http://toolbar.netcraft.com/site_report?url=http://mastercard.com
    Mastercard International
    2200 MasterCard Blvd OFallon MO US 63366
    Solaris 8 Apache/1.3.27 Unix mod_ssl/2.8.12 OpenSSL/0.9.7
    mod_perl/1.27 29-Jul-2003

    Was Mastercard to blame running a decent OS
    Or was CardSystems to blame for running Micro$oft crapware.

    1. Re:windows by Saeed al-Sahaf · · Score: 4, Informative
      True about CardSystems Solutions being a Windows house, though I suspect it's not web site VBScript that is at the root, if anything VB6 or some .NET crap.

      As to MasterCard running Apache on Solaris, what makes you think their web server has much at all to do with back-end credit card processing?

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  5. "Security software" is an oxymoron by Anonymous Coward · · Score: 4, Funny
    You get security by having a secure design. If you need to kludge on some software to take the existing non-secure design and patch it up, that proves that the resulting system is also not going to be secure.

    Linux is somewhat ahead in this in that protected memory is part of its "DNA", unlike Windows which ultimately comes from the culture of DOS, which has no protected memory and is not multi-user.

    But still, Linux is only just a little bit better. We need to move to real secure designs such as:

  6. Re:McAfee and Symantec are out there to make money by Raul654 · · Score: 4, Insightful

    I'm reminded of the Chris Rock sketch where he talks about doctors finding cures for diseases. He asks when was the last time you heard about doctors finding a cure for a disease. It's been a long time. Why? Because there isn't any money in the cure.

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
  7. For secure applications, don't use a PC. by CyricZ · · Score: 4, Interesting

    It's painfully obvious that for any applications requiring real security, you just plain shouldn't use a PC. I got ragged on a lot by my coworkers, but I always recommended an OpenVMS (on Alpha or real VAX) solution. Funnily enough, that stopped after their PC based solutions running Windows 2003 Server were cracked on a weekly basis. And that was on one of our smaller, less known websites. Our major web sites, which we run off of our OpenVMS cluster, remain completely secure.

    Indeed, VMS offers the best combination of security through security and security through obscurity. The system itself is inherently rock-solid, stable and secure. Combined with the fact that most script kiddie crackers, and even some of the more seasoned pros, lack basic VMS knowledge, you're looking at very reliable systems from a security standpoint. The chance of becoming the victim of crackery is very minor.

    --
    Cyric Zndovzny at your service.
  8. Just moves the goalposts of 'Trust' by Anonymous Coward · · Score: 4, Insightful

    Instead of fixing the underlying problem most 'security software' (at least at the desktop users end of things) is a patch which restricts, inhibits or breaks some 'weak' feature of the code beneath it. Adding further layers of complexity only increases the chances of creating further holes with the added danger that users feel protected and hence don't pay attention to simple day to day good security practices.

    As time goes by I am becoming fascinated by the whole 'security software industry'. It doesn't take a leap of tin foil hat conspiracy theory to get to wonder whether large companies with a vested interest in there being malware in the environment, and who admittedly employ virus writers, might not be playing with an entirely straight bat when it comes to ethics. I wonder if someday soon we will see 'proof' of this in some form when it becomes apparent that a 'security' company had a priori knowledge (ie they wrote it) of a nasty virus which then went on to cause a lot of damage out there. Holes in their software come as no surprise. In fact when you use a security product you are handing over huge amounts of trust to the writers. Do I trust Symantec et al? No way, for one I haven't seen their source.

    1. Re:Just moves the goalposts of 'Trust' by slavemowgli · · Score: 4, Insightful

      Here's some food for thought with regard to anti-virus companies possibly being responsible for (some) viri.

      If you look at the computer viri there were in the last 20 or 25 years, there's of course many trends, but one in particular stands out: there has been a huge shift from destructive to non-destructive viri. Remember things like Michelangelo, Stoned and so on? Many of these were actually doing damage - they'd delete your harddisk on certain dates, or overwrite files on access, or other such things.

      However, things have changed: these days, at least 99% of all viri, worms, trojans and other malware seem to be content to simply reproduce as much as possible instead of carrying an actually destructive payload. Some might be used to send spam, perform (distributed) DoS attacks and the like and thus cause economic damage, true; but the individual users' boxes are typically unaffected (except for slowdowns and similar things).

      Why did this happen? One might argue that the reason is simply that virus writers don't want to bite off the hand that distributes them anymore, or that dead zombies are useless for launching attacks against third parties. But it could also conceivably be an indication that it's different people who write viri these days, with different motivations, different limits, and different morals. And the idea that (some) anti-virus companies are secretly helping out with the creation of new malware doesn't seem so far-fetched anymore when you take into account that with a non-destructive worm, it's much easier to convince yourself that you're not doing *real* damage - especially if there's also the prospect of making money, which probably already has weakened your morals.

      --
      quidquid latine dictum sit altum videtur.
  9. This is surprising? by Debiant · · Score: 4, Interesting

    I've avoided anti-virus programs far as I can recall. I use them, but I don't like to run them in real time or pay too much for them.

    Basic problem with them is that they're just more complex code above already complex code, that tries to fix the problems that are mainly caused by that complexity in the first place.

    Result is much slower computer that the anti-virus software inadvertently affects like a virus would.
    Stopping programs, and causing something to not work correctly.

    All virus programs are basically parasites, anti-virus programs are just bigger parasites far as I'm concerned.
    They have their place, but they should be simple, free and not be the answer for security. When they are not, they're themselves a risk.

    --
    Nobody knows the trouble I've seen, nobody knows has the trouble seen me, even I sometimes wonder why I write these line
  10. Simple, use the windows firewall and MS antivirus by Glamdrlng · · Score: 4, Interesting

    I'm sure it's just a coincidence that the Yankee Group, who are not exactly known for their impartiality, have released a report saying that 3rd party security apps (read that, AV, firewall, and spyware blockers) are insecure just as Microsoft gets ready to take their spyware software out of beta and unveil their antivirus software. Riiiight.

    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
  11. Update on My Client's Trojan Problems by Master of Transhuman · · Score: 4, Interesting


    I loaded a thirty-day trial version of TDS-3 on her machine and found there were only a couple trojans left.

    One of them was that goddamn crap that names a file "t?skmgr.exe" - so that you can't delete it from the XP Recovery Console because stupid Microsoft won't let the RC delete command run wildcards (for "security" reasons, right?), and you can't SEE it in Explorer because it looks just like taskmgr.exe, so you can only tell which one it is by looking at where they appear in the file listing. Then they make it a hidden, system and read-only file and of course it's in use by a process, so Windows won't let you touch it.

    Bart's PE and Knoppix couldn't help me with this one.

    Acting on a tip from the Net, I loaded Winfile, the old Windows NT file manager, and managed to rename it, move it to another directory, so it couldn't be run, and after rebooting into safe mode, I could delete it.

    The other trojan was the one that originally was driving me nuts. I forget how I finally got rid of that one.

    There was still at least one spyware somewhere, so I loaded HijackThis on and got rid of some more crap.

    And finally I found a "Security Agent" from "CastleCops" which was actually a trojan. The service was running but the rest of it had already been cleaned, so I disabled the service.

    Plus I went into the Registry and clobbered everything I could find that wasn't a known user, Microsoft or Dell installed program. I think I cleaned out a lot of spyware keys that even all the other antispyware programs didn't find.

    Then I checked the client's account status and found she was running as Administrator, so I switched her to limited. That caused TDS-3 to stop working under her account (apparently it needs not only Admin status to install, but to run, no surprise given what it does). I got confused by XP's stupid "tri-mod flag" technique of labeling all file folders faux "read-only" into thinking somehow the disk was screwed, but I finally determined that was not the case. So she's back to running as Administrator until I can tell her to create a new account (because I don't know what's been installed by her as Administrator so I don't think it's safe to just change her back to limited - something other than TDS-3 might break) and move her desktop icons over to the new profile.

    She seems to be clean now - no system error messages, no popups, and the system seems stable.

    It only took me another eight hours - mostly because I don't have a Bart's PE and Knoppix that's REALLY loaded with anti-trojan, AV, spyware and other tools. That's my next project - buff up my bootable tools so I can access ANY file ANYWHERE and kill it.

    I get my hands on the asshole wrote that "PurityScan" adware trojan, I'm gonna nail his knees to the floor with railroad spikes - so he stays put while I really do some damage to him.

    Somebody needs to start scanning Web sites where this crap comes from, report the assholes to the law, and get the lot thrown in jail. NONE of this stuff came in through email because my client uses Web mail exclusively. That means it came from Web sites. So why not set up a Web scanner that visits suspicious Web sites, downloads this crap into a sandbox, logs everything as evidence, then publishes it as a blacklist - a "reverse honeypot"?

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
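
A defender-side check for the look-alike filename trick described in the comment above, as an added example that is not part of the original thread. It assumes the "?" in "t?skmgr.exe" stands for a non-ASCII character that renders like "a"; the function names, the protected-name list and the confusables subset are constructed for illustration.

```python
import unicodedata

# Names to protect: taskmgr.exe is the one named in the comment above,
# the other two are constructed additions for illustration.
PROTECTED = {"taskmgr.exe", "svchost.exe", "explorer.exe"}

# Small constructed subset of look-alike characters (not the full Unicode
# confusables table): Cyrillic and Greek letters that render like Latin ones.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i",
    "\u03b1": "a", "\u03bf": "o",
}

def skeleton(name):
    """Reduce a filename to the ASCII string a person would read it as."""
    out = []
    # NFKD folds full-width letters and splits accented letters into
    # base letter + combining mark.
    for ch in unicodedata.normalize("NFKD", name.lower()):
        cat = unicodedata.category(ch)
        # Drop combining marks, format characters (zero-width, bidi
        # overrides), control characters and spaces: none of them change
        # what the name looks like in a file listing.
        if cat in ("Mn", "Cf", "Cc", "Zs"):
            continue
        out.append(CONFUSABLE.get(ch, ch))
    return "".join(out)

def find_lookalikes(names):
    """Return (raw_name, imitated_name) for names that read as a protected
    name but are not that name once compared character by character."""
    hits = []
    for name in names:
        skel = skeleton(name)
        if skel in PROTECTED and name.lower() != skel:
            hits.append((name, skel))
    return hits

# Constructed directory listing: two genuine names, two impostors.
SAMPLE = [
    "taskmgr.exe",
    "t\u0430skmgr.exe",      # Cyrillic 'а' in place of Latin 'a'
    "Taskmgr.exe",           # only case differs: the same file on NTFS
    "taskmgr\u200b.exe",     # zero-width space before the extension
    "notepad.exe",
]

if __name__ == "__main__":
    for raw, imitated in find_lookalikes(SAMPLE):
        print(f"{raw!r} imitates {imitated}")
```

Printing names with `repr`, as the last line does, shows the escaped code points, so the impostor is distinguishable even where the file listing renders both names identically.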