Risk
10/20/2010
08:01 PM
Connect Directly
RSS
E-Mail
50%
50%

Schwartz On Security: Can Apple Minimalism Stop Botnets?

Why applying Steve Jobs' iPhone "walled garden" model to limit what PCs can do makes sense for combating cybercriminals.

The botnets are winning. Despite a recent string of news stories about the Feds and law enforcement agencies abroad busting botnet operators, the number of people plying a profitable trade as botnet herders pales in comparison to people under indictment or banged up.

Every arrest, of course, is a step in the right direction. But Symantec provides a reality check: there are at least 156 Zeus command and control servers currently in operation, and there may be 100 or more different cybercrime gangs currently at work. That counts just the ones using variants of the Zeus financial malware, which is designed for one purpose: to use any and all available techniques to lift sensitive information and bank account details from people's PCs.

Today's attackers know that once their code is in the wild, antivirus software developers will write a signature to block it, greatly decreasing its ability to spread. So attackers aim for quantity over longevity, launching spam malware or massive phishing campaigns. For example, a recent Zeus financial malware attack aimed at LinkedIn users at its peak comprised 25% of all global spam email, which (for the record) already constitutes 90% of all email. Who's safe against that, especially if it's a zero-day attack? Perhaps no one.

Indeed, according to a new report from NSS Labs, an independent research lab, "cybercriminals have between a 10% to 45% chance of getting past your AV with web malware," with the variation depending on the product a consumer chooses. Also depending on the product, "cybercriminals have between 25% to 97% chance of compromising your machine using exploits." Who likes those odds?

Furthermore, what happens if attackers continue to gain the edge? Will we see more scorched-earth PCs, bank accounts and increasing amounts of -- already intolerably high -- identity theft?

Maybe the secret is to abandon the current approach to anything-goes PC applications. Mike Dausin, manager of advanced security intelligence for HP TippingPoint DVLabs, recently predicted that PC "app stores" would soon begin appearing, at least for consumers. "One thing we expect will happen in the near future is that PC users will start to move toward a smartphone-type model, where the average PC will only be able to download and install an application from an app store," he said. "Smartphone manufacturers have done a great job, and you'll see it trickle down."

The smartphone heavyweight, of course, is arguably Apple, which earlier this week was punished by investors for not shipping enough of its products to the hungry masses. But what would taking a page from the Steve Jobs handbook and applying it to PC security look like? Could it be made, in Jobs speak, to "just work"?

"What makes Steve's methodology different from everyone else's is that he always believed the most important decisions you make are not the things you do -- but the things that you decide not to do. He's a minimalist." So said John Sculley, the former CEO of Apple, in a recent interview with the Cult of Mac's Leander Kahney about what makes Steve Jobs tick.

Could this minimalism -- making PCs not do things, as opposed to letting them do everything by default -- be applied to PC security, perhaps in the form of a Windows 7 App Store? Because the walled-garden approach seems to be working well for millions of iPhone and iPad users, and the 300,000 related applications they can download and install? To gain an edge in the botnet war of attrition, perhaps it's time to rally around making PC applications do less, not more.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

CVE-2014-2966
Published: 2014-07-26
The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly perform Unicode transformations, which allows remote attackers to bypass intended text restrictions via crafted characters, as demonstrated by bypassing an XSS protection mechanism.

CVE-2014-3071
Published: 2014-07-26
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.