Shifting the attack surface
I’m not a pessimist. In fact, I’m a hopeful guy. But the latest news about vulnerabilities in Apple’s OS X and iOS makes me reconsider the trust I place in the systems I’ve taken for granted. If we all do this, we can take the steps to protect our organization’s most valuable technical assets.

According to a technical report released by Indiana University, Bloomington, Apple’s OS X and iOS suffer from security holes that can compromise a user’s passwords and personally identifiable information (PII). The report, created in collaboration with Peking University and Georgia Tech, details not one but four flaws in Apple’s operating systems (actually, there’s a fifth flaw, but I’ll get to that in a minute).

  • The first weakness is a password-stealing vulnerability that allows malicious apps to grab login credentials from other apps. This flaw is so nefarious that it even allows a criminal’s app to lie in wait, ready to pounce once a targeted application is installed at a later date.
  • The second vulnerability allows a malicious app to break into a legitimate application’s so-called container -- a barrier created by the OS and intended to separate apps for improved safety.
  • A third flaw makes it easy for an attacker to take over a legitimate application’s port and steal data intended for it.
  • The fourth weakness lets a malicious app hijack automatic functions in normal applications and steal authentication tokens and other information.
  • The fifth flaw (not detailed in the report) is not about the OS but about Apple’s approval process for apps. To prove the viability of the malicious code, the researchers submitted proof-of-concept apps, and they were approved. Clearly, the vetting process for the app store needs improvement.

Some might see this as an invitation to bash Apple. Frankly, that’s foolish. Apple’s not alone. Every OS has security flaws. Just about every app will have flaws. Every device -- computer, server, mobile phone, tablet, and router -- has, or will have, flaws. The same will be true for Internet of Things appliances. In 10 years, your “smart” laundry machine could get infected and bleach your delicates. And Apple certainly isn’t the first to publish malicious apps in its store, as a quick Google search shows.

The problem isn’t with Apple. Nor with Microsoft, [insert favorite Linux distribution], or the app store reviewers. The problem is that we rely on a wide variety of human-built, taken-for-granted solutions to go about our lives. And this heterogeneous approach is governed by one of the immutable laws of computing: the patch-and-pray cycle. The cycle starts with researchers who discover flaws and inform companies. The companies verify and fix, then release the patch. At about the same time, a news story breaks about the flaw, and users are encouraged to update. But fixes can often take a long time to reach the market (this series of exploits dates back to October of 2014), or users never get around to patching.

Now take this model and multiply it across ten vendors. Or twenty. Or a hundred. That diverse, heterogeneous environment is the surface area we expose to attack every time we go online. This game of patch-and-pray is never-ending. Take a look at the US CERT CVE database, and you’ll see that basically every software package has been updated in the past year, and odds are that patches aren’t universally applied.

What's the answer?

So how do we protect ourselves in a multi-device, multi-network, multi-app world? When going online, the answer becomes pretty clear: the attack surface needs to be minimized or, ideally, shifted to someone who is prepared to deal with it.

The concept of a virtualized browser -- where all web code renders in a secure container on a provider’s servers -- is starting to take hold. We’ve been at it for several years, and recently others have entered the market. With the browser running on a remote server, any potentially malicious code is contained in a disposable environment. And importantly, all native interfaces between the browser and the local system are stubbed out. That means no web-based attack can access any system resources on the local device, and an exploit on the local system can’t reach the data in the cloud. It’s what we call “perfect insulation.”

Isolating web code is only one part of the online security equation. If a user types credentials into a login form, they’re susceptible to local interception. If a user downloads data to a local device, that download may itself be a data leak incident. It’s for these reasons that we built a framework for managing identity, access, and data policies as a wrapper around the virtual browser. We considered the security issue holistically and developed this capability to minimize the overall risk of the Web.

The truth is the security of devices, networks, and user behavior will always be outpaced by the rate of flaws and criminal opportunism. If we’re going to get serious about securing our networks, passwords, and sensitive data, we need to accept these facts. Once we do, we will start thinking creatively about how to minimize our exposure. Or shift the management of that exposure to someone more prepared to deal with it.

I’m optimistic that we can.

Scott Petry - Scott is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007.