When you can't trust your security vendor


[Blog post] The watchmen also need to be watched.

We've been told "you must use an antivirus" for decades now, but what if it's not really such great advice?

Of course it’s a good idea to have all the protection you can. People will send you potentially devastating, nasty binaries via email.

Furthermore, the internet is an extremely hostile environment. You can be as careful as you like, but there will be a day when a site you visit is compromised and will try to plant malware on your device.

In that context, yes, you really do need anti-malware.

But what you don’t need is anti-malware that itself comes with security issues.

Not just insignificant problems either, but gaping holes that allow remote code execution and which could reveal all user passwords to attackers, as Google Project Zero researcher Tavis Ormandy found in Trend Micro’s product.

Making matters much worse, Ormandy found it very easy to identify the vulnerabilities in the software.

But Trend Micro isn’t alone.

Kaspersky, AVAST and ESET provide recent examples of security vendors making users vulnerable to man-in-the-middle attacks.

And in September last year, FireEye and Kaspersky were caught selling products with zero-day exploits. 

The findings from all these cases show that antivirus and security product vendors often make the same basic mistakes other developers do.

Security products have gone from being afterthoughts that are installed post infection to must-have items for organisations.

They often dictate if other functions and features in a business IT scenario can be implemented, and occupy a highly privileged position with full access to systems and data.

For example, a few years ago, one large organisation that shall remain unnamed decided to implement instant messaging across its corporate network to cut down on emails and staff playing phone tag with one another.

A business case was written, an instant messaging server and clients were selected, but well over a month afterwards, nothing had happened. Why?

Because the IT department had earlier signed a two-year deal for a business-wide deployment of an antivirus product. That particular software could not scan files shared via instant messaging, and that was that: back to email and phone calls for staff.

Improve testing

Antivirus and other security products are tested for efficacy by independent organisations such as Virus Bulletin, AV Comparatives and AV-Test.

They do a great job of evaluating how well each product handles evolving threats, and should be any IT manager’s first port of call when it comes to picking a security solution.

However, as the recent work by Ormandy et al. shows, the independent testing labs need to start extending their briefs and further test the security of the security products themselves.

This would be difficult, since security vendors would be required to lift the veil on the largely proprietary code in their products for auditing.

Until that happens, users are stuck between a rock and a hard place: they know they need antivirus and security products, but they don't know which they can trust.

That’s not an acceptable situation, and it needs to change fast.

Juha Saarinen
Juha Saarinen has been covering the technology sector since the mid-1990s for publications around the world. He has been writing for iTnews since 2010 and also contributes to the New Zealand Herald, the Guardian and Wired's Threat Level section. He is based in Auckland, New Zealand.
Read more from this blog: SigInt
