Are Computer Security Folks Missing the Biggest Dangers?
Possibly, argue some persons interviewed by the New York Times. Attacks against operating systems are decreasing in favor of attacks against vulnerable programs and against websites.
This is no surprise. Computer security–indeed, most security–follows a “catch-up” model: assess what’s going on and defend against it. As defenses improve, attackers naturally move on to different targets.
I used to work for a company that manufactured physical security products, primarily anti-theft and access control software and hardware (I was in the access control support and training function). It was accepted within the company that security could not keep persons from stealing; it could only keep them from stealing from you.
When you buy a better lock, the bad guys will just go down the street till they find a house with a weaker lock.
From the article (the excerpt is heavily edited to cut to the definitions and cut out the illustrations and explanations; follow the link to the article for the whole thing):
- (snip)
- (and) a “staggering” 60 percent of attack activity was now directed at trying to hack Web sites, often by targeting “SQL injection” and “Cross-Site Scripting” flaws in open-source and custom-built Web applications, which currently account for more than 80 percent of the new vulnerabilities being discovered.
The article goes on to point out that highly visible attacks such as Conficker, the purpose of which is still unknown, get much more publicity than, say, SQL injections into website databases.
This leads the conspiracy theorist in me to wonder whether Conficker may actually be a rabbit, designed to attract attention away from other, less obvious stuff.
No, I don’t seriously believe that. But it could make for a great conversation at the Geek Bar and Grill.
Aside: I like the way they refer to “flaws in open source . . .,” as if implying that “closed-source” has no flaws . . . .