Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/20/2010
08:01 PM
50%
50%

Schwartz On Security: Can Apple Minimalism Stop Botnets?

Why applying Steve Jobs' iPhone "walled garden" model to limit what PCs can do makes sense for combating cybercriminals.

The botnets are winning. Despite a recent string of news stories about the Feds and law enforcement agencies abroad busting botnet operators, the number of people plying a profitable trade as botnet herders pales in comparison to people under indictment or banged up.

Every arrest, of course, is a step in the right direction. But Symantec provides a reality check: there are at least 156 Zeus command and control servers currently in operation, and there may be 100 or more different cybercrime gangs currently at work. That counts just the ones using variants of the Zeus financial malware, which is designed for one purpose: to use any and all available techniques to lift sensitive information and bank account details from people's PCs.

Today's attackers know that once their code is in the wild, antivirus software developers will write a signature to block it, greatly decreasing its ability to spread. So attackers aim for quantity over longevity, launching spam malware or massive phishing campaigns. For example, a recent Zeus financial malware attack aimed at LinkedIn users at its peak comprised 25% of all global spam email, which (for the record) already constitutes 90% of all email. Who's safe against that, especially if it's a zero-day attack? Perhaps no one.

Indeed, according to a new report from NSS Labs, an independent research lab, "cybercriminals have between a 10% to 45% chance of getting past your AV with web malware," with the variation depending on the product a consumer chooses. Also depending on the product, "cybercriminals have between 25% to 97% chance of compromising your machine using exploits." Who likes those odds?

Furthermore, what happens if attackers continue to gain the edge? Will we see more scorched-earth PCs, bank accounts and increasing amounts of -- already intolerably high -- identity theft?

Maybe the secret is to abandon the current approach to anything-goes PC applications. Mike Dausin, manager of advanced security intelligence for HP TippingPoint DVLabs, recently predicted that PC "app stores" would soon begin appearing, at least for consumers. "One thing we expect will happen in the near future is that PC users will start to move toward a smartphone-type model, where the average PC will only be able to download and install an application from an app store," he said. "Smartphone manufacturers have done a great job, and you'll see it trickle down."

The smartphone heavyweight, of course, is arguably Apple, which earlier this week was punished by investors for not shipping enough of its products to the hungry masses. But what would taking a page from the Steve Jobs handbook and applying it to PC security look like? Could it be made, in Jobs speak, to "just work"?

"What makes Steve's methodology different from everyone else's is that he always believed the most important decisions you make are not the things you do -- but the things that you decide not to do. He's a minimalist." So said John Sculley, the former CEO of Apple, in a recent interview with the Cult of Mac's Leander Kahney about what makes Steve Jobs tick.

Could this minimalism -- making PCs not do things, as opposed to letting them do everything by default -- be applied to PC security, perhaps in the form of a Windows 7 App Store? Because the walled-garden approach seems to be working well for millions of iPhone and iPad users, and the 300,000 related applications they can download and install? To gain an edge in the botnet war of attrition, perhaps it's time to rally around making PC applications do less, not more.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15073
PUBLISHED: 2019-11-20
An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15072
PUBLISHED: 2019-11-20
The login feature in "/cgi-bin/portal" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15071
PUBLISHED: 2019-11-20
The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail syste...
CVE-2019-6176
PUBLISHED: 2019-11-20
A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service.
CVE-2019-6184
PUBLISHED: 2019-11-20
A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation.