Trust No One (Device)

In the age of the advanced persistent threat (APT) – a euphemism for China, the NSA, cybercrime Mafia groups or your bogeyman of choice – security pros are telling enterprise customers to “Assume you’re already compromised.” I’m in that camp too, as you may have gathered from my “Restricted Zones Redux” post, in which I recommend enterprises practice defense in depth. The question is not IF your adversaries have a foothold on your employee’s devices (and therefore in your network) but “HOW FAR have they gone and HOW LONG have they been inside?”

This shift in thinking has come within the last three years for so many that it now seems almost quaint to ask whether security pros are being too paranoid, echoing the X-Files “Trust no one” theme. But unlike alien abductions, the myriads of PC, Mac and mobile device compromises are 100% undeniable. In fact, the first of my “laws of malware” (which I published for Gartner in 2007 and again with very minor changes in 2012) reads: “Malware will eventually attack every IT environment, including endpoint security components. Smartphones, tablets, personal computers, and other sophisticated operating environments will attract malware interest in proportion to their installed base or value. Infrastructure [devices] will not be immune…” 

How Many?

“Ok Dan,” you might ask, “but how many computers are infected?”
I have to say that, although I’ve researched malware off and on for more than 8 years, I don’t know. Even during the periods when I worked on this pretty intensively at Gartner, I still didn’t really know. Prevalence estimates have always varied, you see, and always will. The estimates come from potentially biased sources (anti-malware vendors!), and even the well-intentioned ones are subject to sampling bias (the systems they looked at) and definitional inconsistencies (is malware just a bad cookie, or does it have to be full-on spyware?).
The following are my very preliminary current estimates, subject to update as I collect more data. Conservatively, on the order of 5% of Windows PCs are infected with something. Perhaps 1% of Android devices are infected. Macs succumb to something in between those 1% and 5% rates of infection. On IOS and BlackBerry, however, infections are still negligible. Maybe I’m wrong to be so conservative. Maybe the sky is falling and “32% of all devices are infected” as one study claims. But I don’t think so.
This blog entry is getting a bit long – it’s not a rigorous study 🙂 But here are a few recent data points that appear credible.
  • My “5% of Windows PCs” estimate comes from Eugene Kaspersky’s blog post “One in 20 is the Sad Truth.” Mr. Kaspersky doesn’t seem to exaggerate, and I’ve seen much higher estimates.
  • The 1% of Android devices infected comes from the Kindsight Security Labs Malware Report – Q2 2013. I like them as a source because they embed security analytics in carrier networks to monitor device behavior. They’re not trying to sell you anti-malware software of dubious deployability and cost/benefit advantage on the Android platform. Kindsight also confirmed my impression that infections of non-jailbroken IOS devices and BlackBerry devices are still rare.
  • The Mac estimate comes from Sophos Labs, which surveyed 100,000 Macs running its security software. Sophos reported that 20% of Macs carried Windows malware (Typhoid Marys that they are) and 2.7% were actually infected with Mac OS X malware. Symantec’s Internet Security Threat Report 2013 (also recommended reading) notes a similar 2.5% statistic for Macs.

Large populations of tens of millions of devices magnify seemingly paltry statistics; 2.5% or even just 1% still represents a lot of devices and a credible threat against your device. Mac owners once thought they were safe; they should think so no longer. The Mac lost its virginity to malware in a big way at the hands of the Flashback Trojan starting in 2011. This malware spread through browser plug-ins (Java, Flash and others), which have been a major infection vector on Windows as well. Microsoft, for all its faults, has at least become proficient at patch management. Apple, Google and desktop Linux vendors, not so much. Apple IOS on iPhones and iPads remains a walled garden where the Safari browser admits no plug-ins and only App Store-vetted apps paying the Apple tax can be installed. That’s one reason IOS enjoys relative immunity – so far.

In general, the older the OS, the higher the rate of infection, and rates are also higher in consumer and small business environments. Rates also vary geographically. Android anti-malware vendor Lookout, which also estimated that approximately 1% of Android devices are infected overall, noted: “The likelihood that new Lookout users will encounter malware or spyware is heavily dependent on their geography and behavior, varying from 0.20 percent in Japan to 0.40 percent in the US and as high as 34.7 percent in Russia.” My recommendation: Don’t unlock your Android device, enabling it to install apps without prompting. Be very careful which app stores and download sites you use.

Even in enterprise environments, infection rates are dangerously high. A representative from FireEye, a vendor that deploys advanced malware detection gateways at network access points, gave me the following assessment about 6 months ago: “On average, we find 220 advanced malware files per week in customer environments. 98.5% of all customers had at least 10 per week.”

Attack Vectors

“Ok Dan,” you might ask, “maybe I can’t be sure about the Mac, but can’t I trust my iPhone?”
Sort of, but here’s the thing. Even though IOS is a pretty well locked down walled garden and doesn’t get a lot of malware, it has other attack vectors. In general, the devices you use can be attacked in one of the following ways:
  • Application- or content-based malware that attacks the OS as soon as web pages, email messages, or other content are rendered
  • Network-based malware that attacks over TCP/IP, wifi subnet, Bluetooth or other interfaces
  • User-dependent malware (also called social engineering, such as phishing)
  • Attacks that take advantage of physical access to a device 

Most of the malware that Kaspersky, Sophos and others find comes from the attack vectors in the first three bullets. Either the user downloaded or opened a Trojan horse attachment – instantly conveying to it his or her privileges on the computer – or the malware directly attacked in a so-called “drive-by” exploit. Phishing and social engineering are pervasive. No matter what device you use, you can get tricked into taking action on a web site (or while reading an email) and cause a breach of security. Even though IOS (and to a lesser extent Android and Windows 8) makes it harder for a Trojan horse exploit to persist permanently in the OS, while it’s running the exploit can still steal your data or trick you into revealing secrets. Even on the most secure device, humans will be humans.

But what if you don’t make user-dependent errors? How would an iPhone or some other locked down device get physically compromised? I used to think my iPhone was safe. After all, I had one get wet last summer and the touch input was damaged. Because I couldn’t enter my passcode reliably through the damage, IOS locked me out forever after multiple failed entries. This led me to a false sense of confidence that only a security pro can feel when his device is ruined that way 🙂 Briefly, I forgot the common wisdom we learn in security: If your device falls into the hands of the enemy (whether she’s an evil maid, a customs official or a thief’s fence with hacking skills), all bets are off.

But I soon learned that various tools are out there to crack IOS if a device is lost or stolen, or the user just wants to recover a password. Using a direct connection to the device, such tools can bypass the account lockout enforced on the touch interface and crack the 4-digit PIN. One “legitimate” tool sold to law enforcement customers is Micro Systemation’s XRY, described in a Forbes article here. A number of other tools are sold on cybercrime markets or developed for classified government programs. And while you can hope that XRY or other tools don’t work against your latest version of IOS or Apple’s latest patch, there’s always another hack. You can add another line of defense against physical attack yourself by configuring your IOS passcode to be long, alphanumeric and very painful to enter – but don’t assume even that 100% guarantees the physical security of the device.

Once you lose physical control of a device – even for just a few minutes – all bets are off. In that regard, check out the following post on “Direct Memory Access Rootkits.”
