Two recent stories described the expanding use of software flaws/bugs as weapons.
On July 13th, Nicole Perlroth and David Sanger wrote Nations Buying as Hackers Sell Flaws in Computer Code in the New York Times. They describe a marketplace where hackers sell the details of software bugs (the polite word is "vulnerability") to assorted governments for prices as high as $160,000.
The best flaws are referred to as "zero day" which means that no one else knows about them. Thus, everyone using the buggy vulnerable software is a potential victim. Some hackers collect "royalty fees" for every month their flaw remains un-discovered.
In the old days ("a few years ago" according to the article) hackers would sell or give away information about flaws they discovered to the companies that produced the software. Now, it's big business. Except in China, where hackers "regularly hand over the information to the government."
It's probably hard to know just how much money a bug can fetch on the open market. But Jeremiah Grossman, founder and CTO of WhiteHat Security wonders "As 0-days go for 6 to 7 figures, imagine the temptation for rogue developers to surreptitiously implant bugs in the software supply chain."
Are the people searchng for sofware flaws the best of the best? Not necessarily, according to a cyber warrior interviewed by Roger Grimes in InfoWorld (see In his own words: Confessions of a cyber warrior July 9, 2013).
Grimes describes the person as "a longtime friend working as a cyber warrior under contract to the U.S. government". When his friend first got his cyber warrior job, he was given a list of software to hack. Quoting the warrior
I would hack the software and create buffer overflow exploits. I was pretty good at this. There wasn't a piece of software I couldn't break. It's not hard. Most of the software written in the world has a bug every three to five lines of code. It isn't like you have to be a supergenius to find bugs.
The two articles overlap when Grimes asks his friend about their access to software flaws. Here's an excerpt:
Grimes: How many exploits does your unit have access to?
Cyber warrior: Literally tens of thousands -- it's more than that. We have tens of thousands of ready-to-use bugs in single applications, single operating systems.
Grimes: Is most of it zero-days?
Cyber warrior: It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.
How can we defend ourselves from an entity stockpiling exploitable software flaws?
One approach is to use simple and/or unpopular software. This applies both to the operating system and applications.
Simple software has less code and therefore is less likely to be buggy. The official term for this is a lower attack surface. Unpopular software is less likely to attract attention.
A big reason there are so few viruses on Macintosh computers is that fewer people use them. Linux may or may not be a better mousetrap compared to OS X and Windows, but here to, the fact that almost no one runs client side Linux is a huge part of what makes it relatively secure.
Windows users have a target painted on their back because there are so many of them. Plus, the operating system has a long history of not defending itself very well.
Regardless of the operating system we use, all computer users need to be especially careful opening files people send them.
Most articles touching on this subject would warn to be wary of files sent by strangers. That's actually bad advice, as it assumes you can reliably tell who sent you a file. Bad assumption. And, it assumes that if a good person sent you a file, the file must be good too. Another bad assumption.
A Windows user sent a PDF file, is safer opening it with the Sumatra PDF viewer as opposed to the Adobe Reader. Sumatra is both simpler and relatively unpopular. It also benefits from being the work of a single person. Teams of programmers are as likley to produce great software as a team of painters is likely to produce a great painting.
It is safer to open .doc and .docx files with Wordpad (simpler) or Libre Office (less popular) than it is to open them with Word.
It is safer to open images with a third party image viewer such as IrfanView (again the work of a single person) rather than the default viewers that are part of Windows (Paint or Windows Photo Viewer).
As a Windows user, when I'm sent a file, I open the viewing app inside a Sandboxie sandbox.Sandboxie (again produced by a single person) places a virtual sandbox around a running application that walls it off from the rest of the system. A malicious application can still see everything on your computer, but it is prevented from making any changes. If you have the technical skill for this (it really isn't hard) I highly recommend it (see my 2011 blog on using Sandboxie).
THE NEXT GENERATION
No matter what, however, Windows will always be dangerous. Like OS X and Linux, it was designed long ago when the world was very different. Newer operating systems, whose design is more in tune with the way the world is now, are safer.
Three years ago, Farhad Manjoo wrote about this in Slate, describing how Android, iOS and Chrome OS protected users from malware. His conclusion: "from now on I'm doing my online banking on the iPad."
In 2010 he was right. Now, however, my vote for the safest available computing environment goes to a Chromebook (or Chromebox).
Since you can't install software on a Chrome OS device, infecting the system is close to impossible. Plus, it was specifically designed to defend itself from attack in ways older operating systems were not.
That said, Chrome OS does allow for the installation of web apps. But in guest mode, all web apps are disabled. As a bonus, guest mode is also treated like incognito mode, no records of your actions are kept on the computer. Free privacy along with the security.
That Chromebooks are unpopular is just the icing on the cake. Your not buying one makes mine safer. Thanks.