The Google Chromebook (that is the first Chromium OS powered devices) was presented few days ago (and is ready to reach our shelves for the half of June), but only yesterday I accidentally came across an interesting article (which I had already reported in yesterday’s post) which led me to several thoughts concerning the future of endpoint security, or better, how endpoint protection technologies will adapt themselves to the rapidly mutating landscape, which is shifting from an endpoint-centric to a cloud-centric model. My personal confessions of a dangerous mind derive from Google’s assertion that: Chromebooks have many layers of security built in so there is no anti-virus software to buy and maintain. Moreover, the fact that data reside mainly on the cloud moves the data protection requirements towards the cloud rather than on the endpoint. If this is true many security giants (such as
Intel McAfee, Symantec, Trend Micro, etc.) focalized on endpoint would seriously have to worry about.
The core of the Chromium OS is represented by the Chrome web browser. Through a Web Interface, and most of all thanks to HTML5, Open Web Platform APIs and Google Chrome Extensions, the users will be able to access virtually any kind of applications from the cloud.
What does it mean from a security perspective? The Security Overview document describing the Security Mechanisms adopted by the Chromium OS is clear: the operating system has been designed from the ground up with security in mind, security as an iterative process focused on for the life of the operating system. As a matter of fact, since the OS is browser-centric, the security design efforts have been concentrated on this aspect starting from the foundation, that is the Operating Systems. Several of the weapons adopted by Chromium OS include:
- OS Hardening through techniques of Process sandboxing (at OS and browser level), toolchain hardening, Kernel hardening and configuration paring, Additional file system restrictions (Read-only root partition, tmpfs-based /tmp, user home directories without executables, privileged executables, or device nodes;
- Modular browser with sandboxes for media and HTML parsers;
- Protection for Phishing, XSS and other Web vulnerabilities;
- Secure autoupdate protecting itself from attacks by mean of Signed updates downloaded over SSL, checking of Version numbers of updates and verification of the integrity of each update on subsequent boot, by man of Verified Boot process;
That said, is really true that Chromium OS will be the death knell for antivirus?
Before answering this 10 million Dollars question (rigorously Monopoly Dollars) there is a due premise that must necessarily be done: classifying an endpoint protection technology as Antivirus is maybe a little bit reductive and anachronistic. The new generations of threats (the so called blended threats or APTs) make use of several combination of attack vectors ranging from malicious phishing web sites to 0-day OS or application vulnerabilities. This has implied in the last two/three years that the concept of multi-layered protection has found fertile ground in the endpoints as well (as previously done in the network with UTM/XTM technologies) since the new threats are not simple malware but complex combinations of attack vectors which need different layers of protections. A simple antivirus does not exist anymore in a corporate context, but has been substituted by a set of protection technologies combining Anti-Malware, Personal Firewall, Host Intrusion Prevention, Encryption, Data Leackage Prevention, Compliance.
With this premise in mind there are some points for which, in my opinion, endpoint protection technologies will be still needed (at least for version 1.0);
- Some Critical voices stress the fact that Google will provide an SDK dedicated to write native applications. Although Google has probably done everything to secure those apps with their double sandbox design, in theory will be possibility to install malicious code or simply bugged code, unaware vector of vulnerabilities in the system (or in the cloud).
- There is also another important point: the security overview document identifies two possible kinds of adversaries: opportunistic adversaries and dedicated adversaries. The first kind just tries to compromise an individual user’s machine and/or data, the second kind may target a user or an enterprise specifically for attack. According to Google version 1.0 will be focuses on dangers posed by opportunistic adversaries. This means that, at least for the first version, the Chromium OS will not offer countermeasures targeted to mitigate network-level attacks.
So what are the conclusions? Maybe the death knell for Antivirus technologies (or would be better to say endpoint protection technologies) is still far, rather I believe more realistically that endpoint security technologies will have to be redefined (or better tailored) to better fit the new scenario in which the endpoints act as web-centric gates for the cloud. Maybe antivirus will be no more necessary, but security efforts on the endpoints will have to be directed to protect this new role from OS and web application vulnerabilities (see authentication tokens in clear), malicious web sites, phishing, data loss/leakage (even if the Chromium OS already offers some native features in this direction), and, last but not least, compliance issues (for an enterprise usage). How this will be achieved? Simple, by mean of cloud based security services…
- Google Chromebooks: How Will They Impact the Antivirus Industry? (webpronews.com)
The title of this post is not a subset of the famous Peter Weir’s Movie “The Year Of Living Dangerously“, featuring Mel Gibson and Sigourney Weaver, but rather refers to the dangerous months which the Android is living, from the second half of 2010 to this first half of 2011, which saw a dramatic increase in Android Malware.
I enjoyed in summarizing in a single picture the mobile malware which affected Google Mobile OS from August 2010 to the present day. As shown the results are not encouraging and seems to confirm, in a qualitative form, the 400% increase in mobile malware (in six months) recently stated by Juniper Networks: un the second half of 2011 we assisted mainly to variants of the first Trojan. In the first half of 2011 the landscape has become much more complicated with mobile malware tailored “for different needs”.
So far the threats are can be divided essentially into two categories:
- Malware capable of stealing data, sending them to a remote C&C, which in a mobile platform may have worst consequences since it may send remote data to a C&C Server);
- Malware capable of sending SMS to premium rate numbers without the user permission (and awareness).
In many cases the malware was downloaded by parallel markets (most of all from China and Russia), with often the pornography acting like a decoy for the unfortunates, hence showing the risks connected with sideloading, that is the practice to enable installation of applications downloaded from external markets.
Two examples were particularly meaningful: the example of Geinimi, which showed all the features of a Botnet. And the example of DroidDream which bypassed all the security control of Android Market and infected something between 50.000 and 200.000 users according to Symantec and were remotely removed by Google, thus prefiguring a new security model which remotely manages the security functions of endpoint (and everything suggests that this trend will soon spread to more traditional endpoints: just today I stumbled upon this really interesting article).
By the way… Just today, three German security researchers discovered a serious flaw on the ClientLogin Authentication Protocol affecting almost all the Android powered devices… Ok it is not a malware, but the security concerns for the Google Mobile Operating System are more relevant than ever…
- 400 Percent Increase In Android Malware; Mobile Security Threats At Record High (techcrunch.com)
- If The Droid Gets The (China’s) Flu (paulsparrows.wordpress.com)
- Chronicles Of The Android (paulsparrows.wordpress.com)