Are Computer Security Folks Missing the Biggest Dangers?
Possibly, argue some of the people interviewed by the New York Times. Attacks against operating systems are decreasing in favor of attacks against vulnerable application programs and against websites.
This is no surprise. Computer security, indeed most security, follows a “catch-up” model: assess what is going on and defend against it. As defenses improve, attackers naturally move on to different targets.
I used to work for a company that manufactured physical security products, primarily anti-theft and access control software and hardware (I was in the access control support and training function). It was accepted within the company that security could not keep persons from stealing; it could only keep them from stealing from you.
When you buy a better lock, the bad guys will just go down the street till they find a house with a weaker lock.
From the article (the excerpt is heavily edited to cut to the definitions and cut out the illustrations and explanations; follow the link to the article for the whole thing):
. . . on the rise are quiet attacks on desktop programs, such as Microsoft’s Office, Adobe’s Flash Player and Acrobat programs, Java applications, and Apple’s QuickTime program. Attacks on these programs currently account for about 10 percent of attack volume, up from zero three or four years ago. And they are likely to be far more successful, since more than 90 percent of corporate computers are using old, unsecure versions of these programs, according to Qualys.
(and) a “staggering” 60 percent of attack activity was now directed at trying to hack Web sites, often by targeting “SQL injection” and “Cross-Site Scripting” flaws in open-source and custom-built Web applications, which currently account for more than 80 percent of the new vulnerabilities being discovered.
The article goes on to point out that highly visible attacks such as Conficker, the purpose of which is still unknown, get much more publicity than, say, SQL injection attacks against website databases.
No, I don’t seriously believe that. But it could make for a great conversation at the Geek Bar and Grill.
Aside: I like the way they refer to “flaws in open source . . .,” as if implying that “closed-source” has no flaws . . . .