Not So Safe: Security Software Can Put Computers at Risk

[Batu69]

Is the antivirus program running on your computer really making your computers safer to use, say, for online banking? Is the parental control software you bought to keep your child off inappropriate sites transparent for the overall safety of your computer?

Probably not. New research from Concordia University in Montreal shows security software might actually make online computing less safe.

For the study, Mohammad Mannan, assistant professor in the Concordia Institute for Information Systems Engineering (CIISE), and PhD student Xavier de Carné de Carnavalet examined 14 commonly used software programs that claim to make computers safer by protecting data, blocking out viruses or shielding users from questionable content on the Internet.

 

Time and again, the researchers found that these programs were doing more harm than good.

"Out of the products we analyzed, we found that all of them lower the level of security normally provided by current browsers, and often bring serious security vulnerabilities," says de Carnavalet, who was surprised by how widespread the problem has become.

 

"While a couple of fishy ad-related products were known to behave badly in the same set-up, it's stunning to observe that products intended to bring security and safety to users can fail as badly."

 

At the root of the problem is how security applications act as gatekeepers, filtering dangerous or unwanted elements by inspecting secure web pages before they reach the browser.

 

Normally, browsers themselves have to check the certificate delivered by a website, and verify that it has been issued by a proper entity, called a Certification Authority (CA).

But security products make the computer "think" that they are themselves a fully entitled CA, thus allowing them to fool browsers into trusting any certificate issued by the products.

 

This research has important implications not only for everyday computer users, but also for the companies producing the software programs themselves.

"We reported our findings to the respective vendors so they can fix their products," says Mannan. "Not all of them have responded yet, but we hope to bring their attention to these issues."

 

"We also hope that our work will bring more awareness among users when choosing a security suite or software to protect their children's online activities," says de Carnavalet, who cautions that internet users should not view these security products as a panacea.

 

"We encourage consumers to keep their browser, operating system and other applications up-to-date, so that they benefit from the latest security patches," he says.

"Parental control apps exist that do not interfere with secure content, but merely block websites by their domain name, which is probably effective enough."

 

This research was supported in part by an NSERC Discovery Grant, a Vanier Canada Graduate Scholarship and the Office of the Privacy Commissioner of Canada's Contributions Program. These findings were originally presented at the Network and Distributed System Security Symposium 2016.

 

Article source

[Vjcobra]

Amazing finding, perhaps the safest place is the most dangerous place to be.

Regards and thanks.

VjCobra(68)

[straycat19]

6 hours ago, Batu69 said:

Is the antivirus program running on your computer really making your computers safer to use, say, for online banking? Is the parental control software you bought to keep your child off inappropriate sites transparent for the overall safety of your computer?

 

People get a false sense of security when they install security programs on their systems.  They think they become invulnerable internet gods.  Some users even use hacked security software because they are too cheap to buy it.  How fucking dumb is that?!?!  For years, those of us with a security background have been trying to tell users that there is one thing the software will not protect them from and that is a 'dumb user' who does things they have been told over and over not to do, like opening email attachments, installing 'free' games, installing software that is referenced in a popup, etc.  Think of security software like seat belts and airbags, they are designed to protect you but people are still killed when the devices are present.  You could say there are two things in this life that are guaranteed, death and malware, both if you do something wrong or live long enough.

[vibranium]

1 hour ago, straycat19 said:

there is one thing the software will not protect them from and that is a 'dumb user' who does things they have been told over and over not to do, like opening email attachments, installing 'free' games, installing software that is referenced in a popup, etc.

 

Yeah, I've lost a few friends who kept on screwing around with their computers and when they fell to pieces because of some virus expect me to mop up all their crap. Get away from me!

 

 

[Jordan]

The best protection is the user himself.

But the self-protection can be aquired only by relatively long experience.

[Sylence]

Okay all of that comes down to this, Internet security programs don't let browsers check for website certificates. but does it mean the Internet security programs fail in doing this job? NO! 

they couldn't prove they failed in doing this. just by choosing some lucrative titles like "security software suits put your computers at risk" or some bullshit try to attract readers

 

there wasn't any need for a professor or PhD students to find out this information. by just one click you can easily see that Kaspersky-root-certificate is responsible for websites loading in your browser, if you're using KIS. 

 

why people think they're the first ones when they find a piece of information ! they think those security firms didn't think this through before adding this feature to their software?

[Holmes]

I agree with you saeed_dc your first sentence is right the answer is NO.  No matter if its security software or any software for that matter its going to have vulnerabilities thats what updates are for and the university notified the product vendors involved making the whole article pointless click bait.