Thursday, 26 February 2015

Vulnerable security software

Last week the Superfish debacle became news and PC manufacturer Lenovo was slammed for pre-installing adware on new laptops.

Since then I've had people ask me about how dangerous this stuff actually is and whether or not security software that works in similar ways poses similar threats.

I think that the main issue here is that there is a balance to be found between providing security and exposing the system to extra threats. Core to this is the question:
Are programmers of security tools any more able to write secure code than programmers who work on software that is unrelated to security tasks?
When 'security' makes things worse

This is a true story.

A local shop used to have a security guard who stood by the door. He monitored who entered the shop and who left – and with what. So hopefully he could hinder armed robbers from entering the store and prevent shoplifters laden with stolen goods from leaving it.

This seems like a no-brainer. Even if he’s not a very perceptive guard, and catches only a fraction of the threats to the business, surely he’s better than nothing?

Well, in this case he wasn't better than nothing because he was stealing from the shop! He himself presented a threat to the business. Not only that but he had greater access to the shop’s goods than an ordinary customer.

Even if the security guard was not intentionally malicious he could be completely incompetent. Criminals who know this could target the store assured that they would be able to commit crimes without sanction. His very presence poses a threat because the bad guys know that they can distract him easily while they shoplift. 

Let’s apply that idea to security software. Maybe we have an anti-virus program that monitors SSL connections and detects a percentage of incoming threats that were downloaded from an HTTPS website. This seems sensible – at least it will catch some of the threats, if not all.

Buggy software

But what if the way that software works is a bit broken? What if it exposes an extra jugular for an attacker to aim for? This is the incompetent security guard. Criminals who know about the business’ vulnerability (the broken security measures – software or human) can target it.

In the cases of Superfish and Privdog it seems that the way these products work provides an opportunity for bad guys to pretty much undermine the assurances provided by websites using SSL. On one hand these tools may provide useful functionality (although that’s a matter of opinion) but on the other they have introduced a new and serious vulnerability into the system.

I don’t think anyone is currently accusing security firms of having malicious intent in the way that they have developed anti-malware software. The issue is more about competence.

All software contains bugs, including vulnerabilities that have an impact on security. Security holes in software that works closest to the operating system, at a low level, are potentially far more serious than problems with applications that run at a high level with limited privileges.

As Joxean Koret notes in his research [PDF], “the general aim of an Antivirus is to offer a better level of protection than what the underlying operating system offers alone. And they often fail miserably… Any software that you install makes you a bit more vulnerable. AV engines are not exceptions. Just the opposite… If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer can do… Your attack surface dramatically increases.”

If security software is not created with extra care they actually pose a threat to their users due to the nature of what they do and how they integrate with the operating system. Joxean’s work suggests that some who write security software are not actually any more skilled in writing secure code than those who write software unrelated to security.

Check your system

Is any software disabling your SSL connections? Find out here.