When your security software leaves you to the wolves

Summary: If a security product fails, lives can be destroyed.

Okay, I am pissed. I rarely write pure "I am pissed" columns, but this time it's necessary. The objects of my ire are D-Link and a company called Bsecure, which, apparently, is anything but.

First, some back-story. Like most of us, I'm not only responsible for managing my own computers, I'm also the neighborhood's "go to guy" when anything computerish needs doing. It's not a role I take on by choice, but at least the neighbors no longer complain when I play my stereo at dain bramagingly loud levels.

There's an elderly couple in the neighborhood I quite like. They have two computers, send email, and browse the Web.

The woman has a better understanding of tech; her husband tends to get a little lost. He's still confused about the difference between email and Web pages, tends to open any attachment that seems interesting, and browses any old Web page that catches his attention.

He is a malware magnet.

Now, I've gone over his computer in the past, and it's not like he surfs porn. It's just that he goes to lots and lots of sites, has a lot of not-entirely-careful friends, and gets lots of junk in his mail.

Basic antivirus wouldn't necessarily protect him. He worries me. I felt he needed more security. I wanted him to have Web site surfing protection and, effectively, parental controls.

So, with the consent of his wife, I spent about a hundred bucks to get them a D-Link router designed to work with D-Link's SecureSpot, a service which costs an additional $60 per year. My nice neighbors are on a fixed income (plus they feed me home-cooked meals from time to time), so I decided to pony up the cash for the router and service and buy them some added protection.

SecureSpot, which is actually run by a company called Bsecure Technologies, has a number of interesting features. It links directly with the router, as well as with light clients running on the PCs. It provides antivirus protection, time-of-access restrictions, and -- most important of all -- the ability to dynamically block my friend from blundering into malicious sites.

The Bsecure service constantly updates the router, telling it about new sites and IP addresses that are dangerous. Then, when my hapless friend tries to go to a nasty site, it blocks him from doing so.

At least it did.

I bought them the service in December, 2009 and paid $60 for a year, with an automatic renewal option. I don't have time to go to their house constantly. I figured this option -- especially since it was sold by D-Link and tightly integrated with their router -- would be a great way to keep my friends safe.

I haven't checked on their machines since November, but didn't think much of it. I assumed I'd be charged, or at least notified, when the next $60 payment would come due. Since I hadn't heard anything, I didn't worry.

Then I got a call last week. My friend's computer had started to go haywire. It actually started bothering him a few months ago, but he knows I work a lot of hours and didn't want to bother me. But by now, it had reached the level where he couldn't actually use the machine.

So I took a look. The Bsecure antivirus component didn't report any errors. But the symptoms he was describing indicated real problems. I downloaded Trend Micro's HouseCall program and ran that. And that's when I started to get upset.

Trend found the following malware on his machine:

  • TROJ_FAKEAV.FIZ: Payload carrier
  • TROJ_DROPPR.SMH: This is a rootkit trojan
  • JS_REDIRECT.SMA: Hosted JavaScript, uses Windows Scripting Host
  • TROJ_DROPPER.TSX: Payload carrier
  • TROJ_FRAUD.AL: Very high risk, sends and receives information, arrives as email attachment
  • TROJ_Generic.ADV: Not sure
  • TROJ_PIDIEF.SMZB: Damaging

As you can see, nasty stuff. I then ran Microsoft Security Essentials, which confirmed that my friend had a computer filled with very, very malicious things indeed. He had a rootkit, along with a command and control virus, one that likes to send information back and forth.

I immediately told my friends to stop using the machine and visit their banks to make sure their finances hadn't been compromised. I've told them they now need to check their bank balances via phone or in person at least once a week, and keep a very close eye on them. They've also asked their banks to suspend online banking access completely.

At first, I thought my friend had somehow managed to power his way through the SecureSpot protections. He's a force of nature. Even though he doesn't fully understand computer technology, he's occasionally asked me about things like the Registry and Add/Remove Programs, so I figured anything was possible.

When I last looked in on my friends' computers back around Thanksgiving, they were fine. Their security software was doing its job, and everything seemed quiet.

To a degree, the infection was my friend's fault. I'd repeatedly told him not to open attachments, and at least one trojan I found on his machine only transmits via attachments, so I knew he hadn't listened.

Even so, the antivirus program and Bsecure should have caught it. After all, he undoubtedly disregarded my advice all through the year, and he'd been safe up until recently.

But he wasn't safe anymore. Do you want to know why? Do you want to know why I'm so pissed and why I'm writing this now?

I'll tell you why.

They just shut off his service. He's been unprotected since December -- and they didn't bother to tell any of us.

Apparently, D-Link and Bsecure have decided to "end-of-life" the SecureSpot program. Rather than billing me in December for another year, they just canceled my account. And then they stopped protecting my friends' machines.

D-Link and Bsecure never notified me of this. I had the registered email address for the service, and yes, I checked all my layers of spam filters, just to be sure. They never notified my friends of this (I checked their filters as well). D-Link and Bsecure didn't even pop up a message on their machines.

D-Link and Bsecure just simply stopped doing their job -- but left the little icons on the machines unchanged, so it looked like the same protection was in force that had always been in force.

It's as if you hired security guards to protect your house and instead discovered they'd dressed and placed mannequins outside your front door without telling you.

In fact, it was quite deceiving, even to an experienced geek like me. When I first looked at my buddy's machine, I saw the errors, but didn't think his AV program had stopped working. In fact, I went into the settings of the AV program, and there was nothing there to indicate it had simply stopped functioning.

One issue is that this particular suite of protection tools doesn't indicate the last date when virus definitions had been updated. It's designed to run in the background without much user involvement, so that detail isn't presented.

Bottom line: there was absolutely no way -- without going to the D-Link site itself -- to know that D-Link and Bsecure had abandoned my friends to the wolves.

The level of irresponsibility this demonstrates is staggering.

These are seniors on a fixed income. If their computers were penetrated, and if financial information had been exfiltrated, their lives would have been ruined.

Over the years, I've talked to senior executives at various security companies and discovered two types of people. The first type is the executive for whom security is life. Everything about the security of their customers is important and meaningful, and worthy of attention.

But there's a second type of security executive. This is the person who just got a gig. Maybe they were in marketing or PR in some other job, or maybe they were a friend of a friend. In any case, this type of executive doesn't take security seriously, doesn't really understand why people get upset when their software fails to protect, and really wishes everyone would just lighten up a bit.

This type of security executive has no business in this game. While I haven't yet spoken to D-Link executives about this transgression, I suspect I'll find people who just wish I'd lighten up.

Now, normally, I really like D-Link products, I own many of them, and I've recommended them. But I have to think that no one who lived and breathed paranoid security would ever have let a security product "end-of-life" without making absolutely, totally sure customers were aware and protected.

Security companies have an extra responsibility over the regular software company. If the guys who make Angry Birds fail at their job, people will be less entertained for a few minutes.

But if a security product fails, lives can be destroyed.

D-Link and Bsecure failed. Thankfully, my friends' financial information appears secure, but that's through no thanks to the companies we paid to protect them.

So what lessons can we take away from all this? First is the drum I've been beating all these years. You need to be constantly vigilant. I know it takes extra time, but it's necessary to keep safe.

Next is a question of trust. Choose your security partners very, very carefully. If you don't know them or haven't used their products, keep a constant eye on them.

Third, use layered security. Don't use a security suite from just one vendor. If you have malicious site blocking from one vendor, use antivirus from another. I know these tools don't play well with each other, but if one vendor gives up, there's at least a chance that the other will still do something of the job.

And -- finally -- before you go out and buy a security solution from either D-Link or Bsecure, think long and hard about the story you just read.

Be safe out there!


About

In addition to hosting the ZDNet Government and ZDNet DIY-IT blogs, CBS Interactive's Distinguished Lecturer David Gewirtz is an author, U.S. policy advisor and computer scientist. He is featured in The History Channel special The President's Book of Secrets, is one of America's foremost cyber-security experts, and is a top expert on savi...
