
Risk

10/20/2010
08:01 PM

Schwartz On Security: Can Apple Minimalism Stop Botnets?

Why applying Steve Jobs' iPhone "walled garden" model to limit what PCs can do makes sense for combating cybercriminals.

The botnets are winning. Despite a recent string of news stories about the Feds and law enforcement agencies abroad busting botnet operators, the number of botnet herders under indictment or banged up pales in comparison to the number still plying a profitable trade.

Every arrest, of course, is a step in the right direction. But Symantec provides a reality check: there are at least 156 Zeus command and control servers currently in operation, and there may be 100 or more different cybercrime gangs currently at work. That counts just the ones using variants of the Zeus financial malware, which is designed for one purpose: to use any and all available techniques to lift sensitive information and bank account details from people's PCs.

Today's attackers know that once their code is in the wild, antivirus software developers will write a signature to block it, greatly decreasing its ability to spread. So attackers aim for quantity over longevity, launching malware-laden spam or massive phishing campaigns. For example, a recent Zeus financial malware attack aimed at LinkedIn users at its peak comprised 25% of all global spam email, which (for the record) already constitutes 90% of all email. Who's safe against that, especially if it's a zero-day attack? Perhaps no one.

Indeed, according to a new report from NSS Labs, an independent research lab, "cybercriminals have between a 10% to 45% chance of getting past your AV with web malware," with the variation depending on the product a consumer chooses. Also depending on the product, "cybercriminals have between 25% to 97% chance of compromising your machine using exploits." Who likes those odds?

Furthermore, what happens if attackers continue to gain the edge? Will we see more scorched-earth PCs and bank accounts, and still more of the already intolerably high levels of identity theft?

Maybe the secret is to abandon the current approach to anything-goes PC applications. Mike Dausin, manager of advanced security intelligence for HP TippingPoint DVLabs, recently predicted that PC "app stores" would soon begin appearing, at least for consumers. "One thing we expect will happen in the near future is that PC users will start to move toward a smartphone-type model, where the average PC will only be able to download and install an application from an app store," he said. "Smartphone manufacturers have done a great job, and you'll see it trickle down."

The smartphone heavyweight, of course, is arguably Apple, which earlier this week was punished by investors for not shipping enough of its products to the hungry masses. But what would taking a page from the Steve Jobs handbook and applying it to PC security look like? Could it be made, in Jobs speak, to "just work"?

"What makes Steve's methodology different from everyone else's is that he always believed the most important decisions you make are not the things you do -- but the things that you decide not to do. He's a minimalist." So said John Sculley, the former CEO of Apple, in a recent interview with the Cult of Mac's Leander Kahney about what makes Steve Jobs tick.

Could this minimalism -- making PCs not do things, as opposed to letting them do everything by default -- be applied to PC security, perhaps in the form of a Windows 7 App Store? After all, the walled-garden approach seems to be working well for millions of iPhone and iPad users and the 300,000 related applications they can download and install. To gain an edge in the botnet war of attrition, perhaps it's time to rally around making PC applications do less, not more.
