1. (In)Security in Security Products
Who do you turn to when your security product becomes a
gateway for attackers?
2. About the report
• Security products are present in most systems and can theoretically
become a “high pay-off” target for hackers, after the OS, browsers etc.
• At iViZ we wanted to study how secure security products are
• iViZ used databases such as the Common Vulnerabilities and Exposures (CVE),
Common Platform Enumeration (CPE) and National Vulnerability Database
(NVD) for the analysis
www.ivizsecurity.com 2
3. How are security vendors doing in terms of
protecting their own products?
According to our “(In)Security in Security Products” report,
• More recently, hackers have claimed to be in possession of the source
code for Symantec's pcAnywhere tool and Norton AntiVirus.
4. Vulnerabilities in Security Products
• Man in the Middle (MITM) vulnerability in Symantec Backup Exec 12.1
• Remote code execution via buffer overflow vulnerabilities in Symantec
Veritas Enterprise Administrator products
• Encryption bypass of major disk encryption software including Microsoft
BitLocker, TrueCrypt and McAfee SafeBoot Device
• Remote code execution vulnerabilities in various anti-virus products
including AVG, F-Secure, Sophos and ClamAV
For Details: http://www.ivizsecurity.com/security-advisory1.html
8. Vulnerabilities by Security Companies
[Figure: bar chart "Vulnerabilities by Vendors". Vendors shown: ClamAV, Kaspersky Lab, Cisco, Trend Micro, Symantec, McAfee, ISS, Checkpoint, CA. Axis: number of vulnerabilities, 0 to 1200.]
9. Vulnerabilities in Security Products
[Figure 6: bar chart "Vulnerabilities in Security Products". Products shown: F-Secure Anti-virus, Cisco PIX Firewall, Sophos Anti-virus, Cisco Adaptive Security Appliance, Kaspersky Anti-virus, ClamAV Anti-virus, Trend Micro Officescan, AVG AntiVirus, Norton Personal Firewall, Norton AntiVirus, Checkpoint Firewall-1, Symantec Norton Internet Security, McAfee Anti Virus. Axis: number of vulnerabilities, 0 to 80.]
Figure 6: Shows the number of vulnerabilities found in some of the major
security products existing today. The X axis displays the number of
vulnerabilities and the Y axis displays some of the major security products.
Total vulnerabilities against each security product are calculated by
considering all the versions of the products and their individual
vulnerabilities discovered over the past years.
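The counting described in the Figure 6 caption (all versions of a product and their individual vulnerabilities) can be sketched as follows. This is an added example, not iViZ's code: it assumes NVD-style records keyed by CPE 2.3 names and assumes a CVE listed against several versions counts once per product, which the slides do not state. Vendor, product and CVE ids are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of NVD records: a CVE id and the CPE 2.3
# names it affects. Vendor, product and CVE ids are placeholders, not real data.
RECORDS = [
    ("CVE-0000-0001", ["cpe:2.3:a:examplevendor:antivirus:1.0:*:*:*:*:*:*:*",
                       "cpe:2.3:a:examplevendor:antivirus:1.1:*:*:*:*:*:*:*"]),
    ("CVE-0000-0002", ["cpe:2.3:a:examplevendor:antivirus:1.1:*:*:*:*:*:*:*",
                       "cpe:2.3:a:examplevendor:firewall:2.0:*:*:*:*:*:*:*"]),
    ("CVE-0000-0003", ["cpe:2.3:a:othervendor:scan\\:engine:3.2:*:*:*:*:*:*:*"]),
]

def parse_cpe(name):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    fields = re.split(r"(?<!\\):", name)  # a ':' escaped as '\:' stays in its field
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 name: {name!r}")
    return fields[3], fields[4], fields[5]

def tally(records, by_vendor=False):
    """Count distinct CVEs per product (or per vendor) across all versions."""
    seen = defaultdict(set)
    for cve_id, cpes in records:
        for name in cpes:
            vendor, product, _version = parse_cpe(name)
            key = vendor if by_vendor else (vendor, product)
            seen[key].add(cve_id)  # a set, so one CVE counts once per key
    return {key: len(ids) for key, ids in seen.items()}

def naive_tally(records):
    """Per-product count that adds one for every affected version listed."""
    counts = defaultdict(int)
    for _cve_id, cpes in records:
        for name in cpes:
            vendor, product, _version = parse_cpe(name)
            counts[(vendor, product)] += 1
    return dict(counts)

if __name__ == "__main__":
    for key, n in sorted(tally(RECORDS).items()):
        print(key, n, "naive:", naive_tally(RECORDS)[key])
```

On the sample, the per-version sum overstates the antivirus product, and the vendor total is smaller than the sum of its product totals because one CVE affects two products.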
11. Conclusion
The two largest threats to security product vendors/developers are:
• The Black 0-Day Market
• Cyber Warfare
Vulnerabilities are as common in security products as they are in
non-security products. As per the Global Risk 2012 report, the cost of each
cyber crime is 5.9 million USD and likely to grow. There is no foolproof
solution to mitigate Cyber Warfare attacks, but we can take suitable
measures to ensure security itself is more secure in the future.
12. Some thoughts..
• Security companies do not necessarily produce secure software
• Security products can themselves serve as a door for a hacker
• Security products are “High Pay-off” targets since they are present in most
systems
• APT and cyber-warfare make “Security Products” the next choice
13. • Are you sure your web application is secure?
• Check out our Cloud based Penetration Testing solution with “Zero False
Positive Guarantee” : www.ivizsecurity.com
Bikash Barai
CEO, Co-founder of iViZ
Blog: http://bikashbarai.blogspot.in
Linkedin: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1
Thank you