Risk
10/20/2010
08:01 PM
50%
50%

Schwartz On Security: Can Apple Minimalism Stop Botnets?

Why applying Steve Jobs' iPhone "walled garden" model to limit what PCs can do makes sense for combating cybercriminals.

The botnets are winning. Despite a recent string of news stories about the Feds and law enforcement agencies abroad busting botnet operators, the number of people plying a profitable trade as botnet herders pales in comparison to people under indictment or banged up.

Every arrest, of course, is a step in the right direction. But Symantec provides a reality check: there are at least 156 Zeus command and control servers currently in operation, and there may be 100 or more different cybercrime gangs currently at work. That counts just the ones using variants of the Zeus financial malware, which is designed for one purpose: to use any and all available techniques to lift sensitive information and bank account details from people's PCs.

Today's attackers know that once their code is in the wild, antivirus software developers will write a signature to block it, greatly decreasing its ability to spread. So attackers aim for quantity over longevity, launching spam malware or massive phishing campaigns. For example, a recent Zeus financial malware attack aimed at LinkedIn users at its peak comprised 25% of all global spam email, which (for the record) already constitutes 90% of all email. Who's safe against that, especially if it's a zero-day attack? Perhaps no one.

Indeed, according to a new report from NSS Labs, an independent research lab, "cybercriminals have between a 10% to 45% chance of getting past your AV with web malware," with the variation depending on the product a consumer chooses. Also depending on the product, "cybercriminals have between 25% to 97% chance of compromising your machine using exploits." Who likes those odds?

Furthermore, what happens if attackers continue to gain the edge? Will we see more scorched-earth PCs, bank accounts and increasing amounts of -- already intolerably high -- identity theft?

Maybe the secret is to abandon the current approach to anything-goes PC applications. Mike Dausin, manager of advanced security intelligence for HP TippingPoint DVLabs, recently predicted that PC "app stores" would soon begin appearing, at least for consumers. "One thing we expect will happen in the near future is that PC users will start to move toward a smartphone-type model, where the average PC will only be able to download and install an application from an app store," he said. "Smartphone manufacturers have done a great job, and you'll see it trickle down."

The smartphone heavyweight, of course, is arguably Apple, which earlier this week was punished by investors for not shipping enough of its products to the hungry masses. But what would taking a page from the Steve Jobs handbook and applying it to PC security look like? Could it be made, in Jobs speak, to "just work"?

"What makes Steve's methodology different from everyone else's is that he always believed the most important decisions you make are not the things you do -- but the things that you decide not to do. He's a minimalist." So said John Sculley, the former CEO of Apple, in a recent interview with the Cult of Mac's Leander Kahney about what makes Steve Jobs tick.

Could this minimalism -- making PCs not do things, as opposed to letting them do everything by default -- be applied to PC security, perhaps in the form of a Windows 7 App Store? Because the walled-garden approach seems to be working well for millions of iPhone and iPad users, and the 300,000 related applications they can download and install? To gain an edge in the botnet war of attrition, perhaps it's time to rally around making PC applications do less, not more.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.