Risk
10/20/2010
08:01 PM
50%
50%

Schwartz On Security: Can Apple Minimalism Stop Botnets?

Why applying Steve Jobs' iPhone "walled garden" model to limit what PCs can do makes sense for combating cybercriminals.

The botnets are winning. Despite a recent string of news stories about the Feds and law enforcement agencies abroad busting botnet operators, the number of people plying a profitable trade as botnet herders pales in comparison to people under indictment or banged up.

Every arrest, of course, is a step in the right direction. But Symantec provides a reality check: there are at least 156 Zeus command and control servers currently in operation, and there may be 100 or more different cybercrime gangs currently at work. That counts just the ones using variants of the Zeus financial malware, which is designed for one purpose: to use any and all available techniques to lift sensitive information and bank account details from people's PCs.

Today's attackers know that once their code is in the wild, antivirus software developers will write a signature to block it, greatly decreasing its ability to spread. So attackers aim for quantity over longevity, launching spam malware or massive phishing campaigns. For example, a recent Zeus financial malware attack aimed at LinkedIn users at its peak comprised 25% of all global spam email, which (for the record) already constitutes 90% of all email. Who's safe against that, especially if it's a zero-day attack? Perhaps no one.

Indeed, according to a new report from NSS Labs, an independent research lab, "cybercriminals have between a 10% to 45% chance of getting past your AV with web malware," with the variation depending on the product a consumer chooses. Also depending on the product, "cybercriminals have between 25% to 97% chance of compromising your machine using exploits." Who likes those odds?

Furthermore, what happens if attackers continue to gain the edge? Will we see more scorched-earth PCs, bank accounts and increasing amounts of -- already intolerably high -- identity theft?

Maybe the secret is to abandon the current approach to anything-goes PC applications. Mike Dausin, manager of advanced security intelligence for HP TippingPoint DVLabs, recently predicted that PC "app stores" would soon begin appearing, at least for consumers. "One thing we expect will happen in the near future is that PC users will start to move toward a smartphone-type model, where the average PC will only be able to download and install an application from an app store," he said. "Smartphone manufacturers have done a great job, and you'll see it trickle down."

The smartphone heavyweight, of course, is arguably Apple, which earlier this week was punished by investors for not shipping enough of its products to the hungry masses. But what would taking a page from the Steve Jobs handbook and applying it to PC security look like? Could it be made, in Jobs speak, to "just work"?

"What makes Steve's methodology different from everyone else's is that he always believed the most important decisions you make are not the things you do -- but the things that you decide not to do. He's a minimalist." So said John Sculley, the former CEO of Apple, in a recent interview with the Cult of Mac's Leander Kahney about what makes Steve Jobs tick.

Could this minimalism -- making PCs not do things, as opposed to letting them do everything by default -- be applied to PC security, perhaps in the form of a Windows 7 App Store? Because the walled-garden approach seems to be working well for millions of iPhone and iPad users, and the 300,000 related applications they can download and install? To gain an edge in the botnet war of attrition, perhaps it's time to rally around making PC applications do less, not more.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-0598
Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

CVE-2015-0607
Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0657
Published: 2015-03-05
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCur69192.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.