Not so safe: Security software can put computers at risk

omidomi

Level 71
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
Is the antivirus program running on your computer really making your computers safer to use, say, for online banking? Is the parental control software you bought to keep your child off inappropriate sites transparent for the overall safety of your computer?

Probably not. New research from Concordia University in Montreal shows security software might actually make online computing less safe.

For the study, Mohammad Mannan, assistant professor in the Concordia Institute for Information Systems Engineering (CIISE), and PhD student Xavier de Carné de Carnavalet examined 14 commonly used software programs that claim to make computers safer by protecting data, blocking out viruses or shielding users from questionable content on the Internet.

Time and again, the researchers found that these programs were doing more harm than good.

"Out of the products we analyzed, we found that all of them lower the level of security normally provided by current browsers, and often bring serious security vulnerabilities," says de Carnavalet, who was surprised by how widespread the problem has become.

"While a couple of fishy ad-related products were known to behave badly in the same set-up, it's stunning to observe that products intended to bring security and safety to users can fail as badly."

At the root of the problem is how security applications act as gatekeepers, filtering dangerous or unwanted elements by inspecting secure web pages before they reach the browser.

Normally, browsers themselves have to check the certificate delivered by a website, and verify that it has been issued by a proper entity, called a Certification Authority (CA).

But security products make the computer "think" that they are themselves a fully entitled CA, thus allowing them to fool browsers into trusting any certificate issued by the products.

This research has important implications not only for everyday computer users, but also for the companies producing the software programs themselves.

"We reported our findings to the respective vendors so they can fix their products," says Mannan. "Not all of them have responded yet, but we hope to bring their attention to these issues."

"We also hope that our work will bring more awareness among users when choosing a security suite or software to protect their children's online activities," says de Carnavalet, who cautions that internet users should not view these security products as a panacea.

"We encourage consumers to keep their browser, operating system and other applications up-to-date, so that they benefit from the latest security patches," he says.

"Parental control apps exist that do not interfere with secure content, but merely block websites by their domain name, which is probably effective enough."

This research was supported in part by an NSERC Discovery Grant, a Vanier Canada Graduate Scholarship and the Office of the Privacy Commissioner of Canada's Contributions Program. These findings were originally presented at the Network and Distributed System Security Symposium 2016.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I even went to the source, they aren't posting it out of respect for the companies I'm sure.
I doubt WD does ToniBalas.
PeAcE
 

juhful

Level 13
Verified
Well-known
Jun 22, 2013
634
A nice read, but without knowing which products they're talking about this is kind of useless as we all know there are a bunch of junk security products out there so this is no real revelation. Thanks for sharing though!
 
R

Rod McCarthy

I noticed the name Mohammad, and wondered hmm....Motive? Maybe security products stop hackers, who happen to be Muslim hackers and he is offering his support, for "The Cause"....Now everyone please stop using internet security products....

LOL I know it's just me being paranoid.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
They state "14 commonly used" so you would think that some of the top AV's are in that mix.
That's why i am so curious over this list.
@Rod McCarthy
This guys a asst professor at a recognized College and a PHD I doubt he's part of the Muslim jihad. lol
 

jackuars

Level 28
Verified
Top Poster
Well-known
Jul 2, 2014
1,717
I noticed the name Mohammad, and wondered hmm....Motive? Maybe security products stop hackers, who happen to be Muslim hackers and he is offering his support, for "The Cause"....Now everyone please stop using internet security products....

LOL I know it's just me being paranoid.

Although a good read, I hope people don't take it seriously. But this ain't the right way to comment about it.
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
You can find the PDF document by following back through the source(s).

Here's the original post: New research: security software can put computers at risk

And see end of article for PDF file,

http://users.encs.concordia.ca/~mmannan/publications/ssl-interception-ndss2016.pdf

@_CyberGhosT_ @tonibalas @juhful and others.

----

@Rod McCarthy I think security software that intercepts/modifies with the browser's own security is a risk, as seen previously with vendors who have modified their "Secure Browsers" based on Chromium/Chrome. ;)
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Your a god Huracan :) lol
Nice find brother.
QUOTE:
TABLE V.
LIST OF PRODUCTS TESTED.
HIGHLIGHTED
ENTRIES ARE
PRODUCTS THAT MAY INSTALL A ROOT CERTIFICATE AND PROXY
TLS CONNECTIONS;
WE ANALYZED ALL SUCH PRODUCTS. END QUOTE
List1.png

List2.png

Source: http://users.encs.concordia.ca/~mmannan/publications/ssl-interception-ndss2016.pdf
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
But security products make the computer "think" that they are themselves a fully entitled CA, thus allowing them to fool browsers into trusting any certificate issued by the products.
so the problem boils down to whether you trust the security product or not. If you don't trust it, why are you using it?
Anywhays, they will put themselves out of business pretty quick if they feed you malware, no?
Sounds to me like someone is just looking to make a headline, and waste grant money while having fun.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Shamu26, they are not saying that theres any kind of injections going on, they are talking about how the internet protection portion of these apps handles
certificates and proxy tls. did you read the whole thing ?
By replacing the original certificate, they may "by accident" allow malicious sites to load thus putting the user at risk.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Shamu26, they are not saying that theres any kind of injections going on, they are talking about how the internet protection portion of these apps handles
certificates and proxy tls. did you read the whole thing ?
By replacing the original certificate, they may "by accident" allow malicious sites to load thus putting the user at risk.
I admittedly have little understanding of the technology involved with scanning encrypted connections (all I know is when my AV complains about a broken certificate chain, or chrome can't solve an https address). But I know how university research works, so I am a little skeptical when I see a screaming headline.
 
  • Like
Reactions: Der.Reisende

Morvotron

Level 7
Verified
Mar 24, 2015
307
It is known that security software make harm you sometimes, but i totally ignored the fact that it does most of the time. I've seen malware, that is not enabled because it was never ran, go on because of the antivirus engine scanning it. As a matter of fact, antivirus may become an actual problem because of people thinking theirselves as invulnerable. This is a problem regular users have been facing for a long time, and they get to criticize the product for being an unsafe option, when the main problem of the big chain are them. Antivirus and security solutions usually work better for those who understand them and understand the internet (both good and ugly parts). But sadly, they're still a must. Despite their actual low detection rate compared to the thousand of malware samples out there, they're needed to offer any kind of protection. Low security is still better than no security at all.
 
D

Deleted member 178

I wonder if Windows Defender causes the same problems as other security vendors.

WD is built-in, works at kernel level, so has no-side effects unlike other security products.

What makes a 3rd party less safe than WD (i talk about OS weakening , not detection of whatever):

- Surface attacks: some security softs are badly coded or possess exploitable flaws used by malwares to disable it and then infect the OS.
- Hooks: some security products needs deep access to the OS core, they hook the kernel to be able to protect; by this they weaken the kernel and expose it to attacks if the product fail to protect. Win8 added Patchguard for x64 system to ensure not every softs could hook the kernel; by this some security products were abandoned because the devs were unable to bypass Patchguard and ensure the same level of security as they used to offer (Defensewall is the best example, strongest softs ever , totally abandoned since the dev can't product a reliable x64 version)
- Disable some safety features of the OS: some softs before forced the users to disable UAC to do their job...total crap. UAC should never been disabled.


now on top of that , you add the user factor, some softs gives false sense of security by:


- Default settings: all softs are installed with default setting (for obvious compatibility reason) , however , i don't see any of them launching a wizard to customize the setup for better protection... (most security softs bypasses are made upon default settings).
- Asking user consent via cryptic alerts : most HIPS/BB are the main culprits with their "process xxx try to access COM xxxx " most users will allow (and may get infected) or block (and may cripple their system)
- Weak/stolen certificates: as the article mentioned, some certificates are easy to obtain by malware-writers, best example is comodo , almost anybody can sign their softs (or malware) by buying a comodo certificate (main source of income for Comodo); it happened before, when a malware used a stolen comodo certificate.
- Complex features barely understood and often misused by the user: no need explanations, for example sandboxes shouldn't allow an easy way to automatically recover the files inside it , what is the point of sandboxing if the user can choose to recover the files right away...
- Bad detections/False positives: some AVs will detect legit and clean programs known by the user as malware , so what will happen if the same program later is really infected? i guess you know the answer...
- false advertisement: security = big business = big money = greed; we all know the brand with a black & white bearlike animal :p claiming 100% protection against malwares...really ? not saying some softs claiming to do this or that but without giving technical infos about "the how" , they all hid behind the well-known gimmick "if we tell you , malwares writers will use this infos to bypass us"...


There is dozen of other examples.
 
H

hjlbx

The researchers are talking about an old, known issue whereby some security soft vendors install a root certificate to intercept and monitor SSL\TLS.

Same as Lenovo SuperFish and COMODO PrivDog.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
WD is built-in, works at kernel level, so has no-side effects unlike other security products.

What makes a 3rd party less safe than WD (i talk about OS weakening , not detection of whatever):

- Surface attacks: some security softs are badly coded or possess exploitable flaws used by malwares to disable it and then infect the OS.
- Hooks: some security products needs deep access to the OS core, they hook the kernel to be able to protect; by this they weaken the kernel and expose it to attacks if the product fail to protect. Win8 added Patchguard for x64 system to ensure not every softs could hook the kernel; by this some security products were abandoned because the devs were unable to bypass Patchguard and ensure the same level of security as they used to offer (Defensewall is the best example, strongest softs ever , totally abandoned since the dev can't product a reliable x64 version)
- Disable some safety features of the OS: some softs before forced the users to disable UAC to do their job...total crap. UAC should never been disabled.


now on top of that , you add the user factor, some softs gives false sense of security by:


- Default settings: all softs are installed with default setting (for obvious compatibility reason) , however , i don't see any of them launching a wizard to customize the setup for better protection... (most security softs bypasses are made upon default settings).
- Asking user consent via cryptic alerts : most HIPS/BB are the main culprits with their "process xxx try to access COM xxxx " most users will allow (and may get infected) or block (and may cripple their system)
- Weak/stolen certificates: as the article mentioned, some certificates are easy to obtain by malware-writers, best example is comodo , almost anybody can sign their softs (or malware) by buying a comodo certificate (main source of income for Comodo); it happened before, when a malware used a stolen comodo certificate.
- Complex features barely understood and often misused by the user: no need explanations, for example sandboxes shouldn't allow an easy way to automatically recover the files inside it , what is the point of sandboxing if the user can choose to recover the files right away...
- Bad detections/False positives: some AVs will detect legit and clean programs known by the user as malware , so what will happen if the same program later is really infected? i guess you know the answer...
- false advertisement: security = big business = big money = greed; we all know the brand with a black & white bearlike animal :p claiming 100% protection against malwares...really ? not saying some softs claiming to do this or that but without giving technical infos about "the how" , they all hid behind the well-known gimmick "if we tell you , malwares writers will use this infos to bypass us"...


There is dozen of other examples.
@Umbra, would you say that webroot security anywhere is relatively free from the problems of surface attacks and hooks, since it is so small and so web-based?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top