Is no one to be believed?
Thursday, June 29, 2017
"Our product is secure", "Our product’s source code has passed security testing and contains no vulnerabilities", "Our product contains open source code and is being worked on by experts around the world; they will detect any errors"— we hear and read such assurances all the time. Can users trust them? Here’s just one, but very illustrative, example:
Using the fuzzing method, security expert Guido Vranken discovered four important security vulnerabilities in OpenVPN. Interestingly, they were not found during two recently completed audits of OpenVPN code. This invites the assumption that source code audits are not always the best way to find bugs.
It’s funny that the vulnerabilities were discovered through fuzzing—an automated software testing of inputs to search for those causing a program to operate incorrectly. That is to say, a manual code analysis should have eliminated the situations that were detected—and thus, it's quite possible that other vulnerabilities were missed.
This example leads us to the sad conclusion that even if we use a product that has won a huge variety of awards in the field of information security, we cannot be confident in its quality. However, any testing is better than no testing.
Why did that fact disappoint Doctor Web? Before obtaining an electronic signature, a file has to go through compatibility tests, code quality tests, and tests that demonstrate bookmarks are absent. The presence of a signature suggests that a file is legitimate and that anti-virus protection should skip over it.
Several quotes:
The following are excluded from scanning: programs classified as reliable, reliable* and signed programs that by default are included in the application filter’s list of allowed applications.
By default ... files signed by certain suppliers are considered to be trusted.
* - original text
And those anti-virus software programs that don’t take files “at their word” will be outsiders in scan speed tests. Do you get the message?
Criminals also know about the trust users have in signatures—and sign their "creations" with a certificate:
The encoder used a forged Microsoft electronic signature (e-signature technology is used to show users that a program has been developed by a reputable author and guarantees that the software is legitimate—it can be allowed on a computer without verification).
This is about the encoder epidemic that began in Ukraine and spread all over the world.
Naturally, the centers issuing digital certificates have to react:
To protect our customers, we […] made updates to our signature definition packages. These updates were automatically delivered to all Microsoft free anti-malware products, including Windows Defender Anti-virus and Microsoft Security Essentials. You can download the latest version of these files manually at the Malware Protection Center.
But how many users automatically install updates?
#security #technologies #vulnerability #cybercrime #cyber-crime #Trojan #encryption_ransomware #ransomware #remote_access #digital_signatureThe Anti-virus Times recommends
Only paranoiacs survive. The realities of the modern digital world are such that you cannot believe anyone—promises of compliance with security requirements, program signatures, and guarantees that tests have been passed. Of course, you have to have some trust, but do not trust absolutely.
And how should an anti-virus react—should it trust signed applications so as to accelerate scanning or scan everything to protect against signature counterfeiting?
Note: We deliberately don't tell you how Dr.Web works so that our opinion won’t influence yours.
 
        
![Shared 0 times [Twitter]](http://st.drweb.com/static/new-www/social/no_radius/twitter.png) 
                
Tell us what you think
To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.
Comments
Неуёмный Обыватель
04:16:39 2018-07-22
vasvet
10:28:32 2018-07-04