October 25, 2006

Computerworld Attacked By Sharks

When I was a kid, I was afraid of sharks. I'll admit it: I saw Jaws in 3D (I think it was the third one) back in the eighties and for years going to the beach would make me think about people being swallowed whole - I'd go to the shore and start fixating on the sadistic creatures lurking just below the surface and how they could attack at any time. Whew, scary.

To a kid (at least to this kid), shark attack was both common and likely. From my perspective it wasn't a far-fetched train of thought - in fact, it makes perfect sense in light of what I knew: sharks were publicly observed attacking people, people tended to fear them, and they certainly look vicious enough. In other words, there was a confluence of evidence: anecdotal evidence (i.e. JAWS, the occasional attack on a beach-goer) supported shark attack, rational examination of the shark's body (i.e. they're built for a-killin') supported shark attack, and "social proof" supported it (everybody else was afraid, so shouldn't I be too?). Given all that evidence, it's a perfectly rational conclusion that shark attacks are common.

Of course, they're not really common. We know that because somebody counted up the number of shark attacks per year and published the results. As it turns out, shark attacks are pretty uncommon. Gee, who knew? Sharks look mean, right? There are stories of people getting attacked, right? Everybody's scared, right? But none of these things make something likely - they're just happenstance.

So how does that relate to security? This morning, I came across an interesting take on the future of malware in the Martin McKeay Computerworld weblog. If you haven't seen it, take a minute to check it out. I took away the following:

- Phone-borne malware is on the rise and will continue to increase over time
- IM-borne malware is on the rise because of the increased popularity of MMORPGs
- Zero-day exploits are on the rise because of increased professionalism of attackers and motivation by profit

Now, I only have time to pick on one of these things, so I'll choose the first one. Every time somebody tells me about phone-borne malware, I say "What phone malware?", to which they invariably reply by relating tons of anecdotes about how prevalent phone-borne malware is in Asia and Europe. They describe how popular phones are for micro-payments over there (and, correspondingly, how attractive they are to thieves). They tell me about SMiShing, Trojans, Bluetooth worms - all things that have been observed in the wild. In short, they give me tons of anecdotal evidence - stories about sad users weeping over their broken phones and of legions of disaffected Asian youth carrying around phones rife with malware.

But I've learned my lesson about anecdotal evidence: because anecdotes can be the same as folklore, and because they are not always representative of the norm, I tend to disregard them. To see why, consider your typical urban legend. It's always a story about "a guy my friend knew" or "a friend of a friend", right? Urban legends are true-seeming anecdotes that appear possible (even probable) on the surface but are pure confabulation underneath. So anecdotes, without scrutiny, may not even be true. And even if true, there's the broader question of how useful the anecdote is for making a generalization: how representative of the norm is it? As with shark attacks, too many things could be going on to rely on it without further investigation. It certainly seems reasonable that there would be phone-borne malware, and I have heard about it happening. But just because something seems a certain way doesn't necessarily mean that it is.

Fortunately for us, there are numbers we can look to to help determine how true (or untrue) the phone-borne malware thing is. Take, for example, the estimates from SANS released earlier this month: according to them, we're looking at an estimated 100,000 infections in 2007. 100,000? This from the folks saying it is (or will be) a problem... Now, this isn't 100,000 infections today, mind you - this is a forecast for 2007 (after it ramps up from where it is today).

So let's put that number in perspective. Depending on whose estimates we use, anywhere from 50 to 70 percent of all PCs are infected with some kind of malware, right? Now, I happen to think those published numbers are astronomically high, so to be ultra-conservative let's cut them by a factor of ten and assume 5% of all machines are infected. As of 1996, one estimate put the number of PCs in the world at 234,200,000 (trust me, the number is much higher a decade later). And 5% of that number is 11,710,000. So based on the number of PCs in 1996 (ridiculously conservative) and one tenth of the published percentage of infected machines (way too conservative), the forecast 100,000 phone-borne infections amount to 0.8 percent of total infections. Of course, the real percentage will be much, much, much lower than that - factor in 10 years of PC growth and use the "real" percentages for malware infections, and you're talking about thousandths of a percent.

But maybe comparing it to PCs isn't useful. Maybe phone malware is its own thing that needs to be analyzed separately. So let's look at that 100,000 figure in light of the total cell phone population. In 2005, for example, there were 120 million new cellular phones sold (or thereabouts), right? Let's assume (ridiculously) that this is the total number of vulnerable cell phones in the world (which it clearly isn't, but let's give the pro-cellphone-malware people a break and use this crazy low number). 100,000 is 0.08 percent of that total. By that reckoning, one phone in 1,250 will become infected. Expand the count to include phones sold in 2004 (150 million) and 2006 (estimated to be 780 million according to Gartner), and you're talking about 0.009 percent: one phone in just over 10,000.

To put that in perspective, it's roughly the same chance of someone being hit by a Delta II launch vehicle as it re-enters the atmosphere and falls to earth or that someone has of experiencing significant vision loss as a result of LASIK surgery. In other words, it happens - but it's not damned likely.

Posted by Ed at October 25, 2006 10:56 AM
Comments

as bad as anecdotes can be, statistics can be pretty bad too...

the way you've framed it i could analogously show that the chances of catching the flu are exceptionally low based on the probability of a mammal catching the flu...

let's start with some additional facts... one is most mobile malware today can only run on a very small percentage of the cellphones out there specifically the so-called 'smartphone'... advances in malware coding are not likely to change this as most cellphones in existence are just cellphones rather than little computers that can make phone calls...

if you don't have a vulnerable phone then your chances of getting cellphone malware is 0... if you do have a vulnerable cellphone then your chances of getting cellphone malware is much higher than 0 and potentially much higher than the figure you're quoting, depending on population density of vulnerable devices in your area and your own sociability and travel habits (since bluetooth worms have an epidemiology roughly equivalent to that of an airborne biological virus)...

smartphones aren't nearly as popular in north america as they are in europe or asia so even if one does have a vulnerable phone one is at much less risk in north america than one would be in europe or asia... additionally, if one doesn't go to places where there are lots of people (like stadiums, airports, etc) then one is also less likely to come in range of an infected device and therefore at less risk...

peter lind questioned the reality of the mobile malware threat as well back in july (http://spiresecurity.typepad.com/spire_security_viewpoint/2006/07/mikko_hypponen_.html), just as an additional datapoint (well many additional datapoints if you consider the month's worth of comments the post generated)...

i think it's clear that mobile malware is a real threat *in some places*, but probably not comparable to what we've grown accustomed to with windows malware...

Posted by: kurt wismer at October 25, 2006 12:30 PM

Kurt,

Valid criticism; you're totally right about everything you say - smartphones are the only susceptible platform and I agree that the likelihood of this being an issue is related to the density of smartphone use (i.e. higher in Europe/Asia).

I bring this up not because I think that we shouldn't study phone-borne malware (I think we should), but only because people hear about phone-borne malware and start to panic - which I think is excessive... Like, in the case of yesterday's article or the SANS report, I don't think it's a "top trend in information security." (A trend certainly, but I don't think a "top trend.")

Statistically, I'm more likely to be impacted by a targeted phish or by identity theft than by phone-borne malware. This distracts (in my opinion) the "easily captivated by the trade press" crowd from the more common stuff... Like, I'd rather the security guy that sets budget for my bank read an article that says "identity theft a top trend for 2007" and budget in extra fraud-protection vs. reading the phone-malware thing and buying AV for employees' cellphones...

-E

Posted by: Ed at October 25, 2006 01:20 PM

fair enough, we're both just looking to maintain a proper perspective on things... i think the fact that only a small percentage of phones are vulnerable communicates the low risk aspect of it... the article calling it a top trend certainly did seem to indicate otherwise, but i suspect it was written by security pundits *for* security pundits and that it really means it's one of the top 10 interesting things to keep an eye on in the coming year...

Posted by: kurt wismer at October 25, 2006 06:36 PM

wow that's most interesting!!!!

Posted by: stephanie at March 7, 2007 04:45 PM