The Danger of Free Proprietary Software
If you Google “free software” right now, you’ll get two definitions: free, open-source software (FOSS) and freeware. The two are dangerously different.
FOSS is a community endeavor for better software, but it can lack some of the refinement that the financial resources behind proprietary software bring. For a lot of enterprise environments and MSPs, FOSS probably won’t be ideal (compliance headaches, support, etc.). Freeware has no real barrier to entry and no real oversight. Not all freeware is bad, but you have to tread carefully.
With the AVG and Avast plugin story in the news lately, it’s hard to trust even the bigger freemium software distributors. Data theft is just the tip of the iceberg though. Freeware has had PUAs (Potentially Unwanted Applications) embedded to make money, and some of it includes spyware and other malware. You have the Internet of Things, which has no real updates or transparency. There is also the threat of cryptojacking, which has made its way into websites and applications.
Data Theft
The AVG and Avast plugin issue came to a head over data theft. Both companies betrayed their customers’ trust to make a quick buck by harvesting and reselling browsing data. This is nothing new, but it is especially worrying when it comes from a freemium security product. What else is doing this?
The answer is probably a disgusting number of software suites. Many free software suites have to make money, and data harvesting is one of the cheapest, easiest, lowest impact methods to do that. What separates this data theft from spyware? Basic semantics.
PUPs and PUAs
Aside from harvesting data, you also run the risk of extra pieces being bundled in, in the form of Potentially Unwanted Programs (PUPs) and Potentially Unwanted Applications (PUAs). They are the same thing under two names; different security suites just use different terms.
A lot of sites with free downloads repackage an application to include trash like the ask.com toolbar or similar. The repackager is paid either per offer shown or per successful install. These potentially unwanted installs can lead to security issues. Sometimes it pays to just spend a few dollars on a solution which only includes what it needs.
The Internet of Things
The Internet of Things (IoT) is a perfect example of these issues in one package. The IoT can be viewed as selling a device which includes free software. It can also be viewed as a huge security risk and privacy risk.
If the device isn’t profitable, neither is the proprietary software. And once the software doesn’t make money, well… it’s gone and dead. Your expensive smart device is now a really expensive paperweight. Some of them can’t even work as dumb devices once the vendor’s servers go offline. The Internet of Things is no stranger to being a security concern for you and your business.
Cryptojacking
Cryptojacking describes a website or an application taking over a computer to mine cryptocurrency for a threat actor. Any application that bundles a cryptominer is effectively the same thing. Again, the only difference is whether permission was buried in an unreadable blob of legalese and forgiveness is asked for if they actually get caught.
Some free software products or sites package in cryptocurrency mining software which can create instability and serves as a general security issue. This type of violation can also affect productivity as this proprietary software often impacts the machine’s performance. As the gains from cryptocurrency get more and more promising, this type of monetization scheme will only get more and more common.
Why It Happens
FOSS has an ideal behind it, to create free, open-source software and to make sure that the software stays free. This comes at the cost of not being beholden to the market and potentially lacking features or the impetus to push ahead. ClamAV is free, but it doesn’t really win any awards for efficiency.
Proprietary software follows a philosophy more in line with making money. Software is given away for free either to build a reputation or to serve as a loss leader. If a company isn’t big, why are they giving you the software for free? Treat it with the same suspicion you apply to a phishing email.
Some small companies may give it away for free because they want to (like Nirsoft), but many do it to work towards a goal. What is the end goal? If you don’t know, then why are you using it?
Stopping the Security Concerns
Make sure antivirus and other security tools are deployed across any site you manage. Use Group Policy in domain environments to lock down installations and control the environment. The harder it is for a user to install an application, the harder it will be for a user to accidentally install malware. Block the download sites that distribute repackaged installers.
We use Kaseya in conjunction with OpenDNS and Huntress for response. Kaseya’s RMM portion, VSA, can alert on program installation. For tightly controlled environments, this is ideal. For more lax environments, this can be overkill and more noise than it’s worth.
OpenDNS assists by blocking common spam and phishing sites which use legitimate programs as a way to slip in adware and similar. You won’t have stopped AVG or Avast this way, but you stop some of the more sinister pieces of software. Huntress can help with response to the more questionable types as well.
Ultimately, the only way to really stay on top of this for your client is to perform regular audits. Collect installed-software data from the site and comb over it for anything out of place: unknown publishers, per-user installs that sidestep your deployment controls, and names that match known bundleware. The sooner you see something out of place, the sooner you can act on it before the site is compromised.
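As an added example of what that audit pass can look like (this is not code from the original post, nor from Kaseya, OpenDNS or Huntress), the following PowerShell script inventories installed software from the registry Uninstall keys on a Windows endpoint and flags anything that is not from an allowlisted publisher, was installed per-user (which bypasses machine-wide install restrictions), or has a display name matching common bundleware terms. The publisher allowlist and the suspicious-name list are constructed placeholders; replace them with what your client actually standardises on.

```powershell
# Added example (not from the original post): inventory installed software from the
# registry "Uninstall" keys and flag anything that is not expected on this client's build.

# Constructed allowlist for illustration; substitute your client's standard vendors.
$AllowedPublishers = @(
    'Microsoft Corporation',
    'Adobe Systems Incorporated',
    'Google LLC'
)

# Display-name fragments that commonly indicate bundled toolbars, adware, or miners.
# Constructed list for illustration only.
$SuspiciousNames = @('toolbar', 'search protect', 'coupon', 'miner', 'optimizer')

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs
)

function Get-InstalledSoftware {
    foreach ($Key in $UninstallKeys) {
        Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                [PSCustomObject]@{
                    Name        = $_.DisplayName
                    Publisher   = if ($_.Publisher) { $_.Publisher } else { '<none>' }
                    Version     = $_.DisplayVersion
                    InstallDate = $_.InstallDate
                    # HKCU entries were installed without admin rights, so they slip
                    # past GPO-based installation controls and deserve a closer look.
                    Scope       = if ($Key -like 'HKCU:*') { 'User' } else { 'Machine' }
                }
            }
    }
}

function Find-UnexpectedSoftware {
    param([array]$Inventory)
    $Inventory | Where-Object {
        $NameLower = $_.Name.ToLower()
        ($AllowedPublishers -notcontains $_.Publisher) -or
        ($_.Scope -eq 'User') -or
        ($SuspiciousNames | Where-Object { $NameLower -like "*$_*" })
    }
}

$Inventory  = @(Get-InstalledSoftware)
$Unexpected = @(Find-UnexpectedSoftware -Inventory $Inventory)

"$($Inventory.Count) installed entries, $($Unexpected.Count) flagged for review on $env:COMPUTERNAME"
$Unexpected | Sort-Object Scope, Publisher, Name |
    Format-Table Name, Publisher, Version, Scope, InstallDate -AutoSize

# Keep a dated copy so consecutive audits can be diffed for new arrivals.
$Unexpected | Export-Csv -Path "$env:TEMP\software-audit-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it under the RMM agent on a schedule and diff the exported CSV against the previous run; a new entry from an unlisted publisher, or anything at all in the User scope, is what you want a ticket for. Anything the user legitimately needs goes onto the allowlist rather than being ignored.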
Adding Value
Security audits take a lot of work, but there are plenty of ways to automate parts of the process. This can be an easy upsell to the client. How much does your time cost and how much does the service cost? How much does it save them compared to paying you to audit by hand? Done right, you charge a retainer to review the audit data each month, and the client gets assurance that a bad installation will be caught early. The bill is the same each month, and you get money each month.
This is also a chance to either sell a commercial product which might have volume licensing for cheaper than list price, or to sell a support contract for open source software (think Nagios). Which is the best fit depends on your strengths, what you do with your company, and what your client does. If you sell a commercial antivirus, what about response and similar? Software is software, make it a package and make it more profitable if you can. It can also be worth outsourcing SOC services with a minimum guarantee.
The same applies to open source software you sell a support contract for. Having a technical point of contact at the site can be worth a good amount. You are the IT professional, you should be the professional onsite. You control the environment and make sure the customer doesn’t get taken for a ride or waste time. This is a win-win for both parties.
Stopping Dangerous Free Proprietary Software
While free, open-source software isn’t right for everyone and doesn’t fit most businesses, it also tends to be more honest than freeware. Know which one is right for your client and show your value as their IT concierge. With all of the different attacks from data theft to cryptojacking, you have to protect your clients from their tools and from themselves.
Use monitoring solutions and response tools to prevent and contain bad proprietary software. Use GPO and similar administrative tricks to minimize unintended and unsupervised installations where possible. Control which devices are in the environment and segment the network so a bad install on one device can’t spread to the rest (a flat network lets it). If you play your cards right, this becomes a value add and a new upsell rather than an inconvenience. The magic is in adding value: the more value you add for the client, the more you add for yourself in the longevity of the contract.
by Sage Driskell