Attacks by viruses, trojans and other malware have often been considered a Microsoft problem. Whilst Microsoft may have initially been slow to realise the significance and impact of malware, it was with Windows XP Service Pack 2 and Microsoft’s Trustworthy Computing initiative, led by a former FBI agent, that the company started to get on top of the challenge.
Despite what the anti-Redmond crowd have blogged over the years, however, hackers didn’t target Microsoft products exclusively because they were insecure, or because the people involved had some ideological death-wish on the company. No – they did it because Microsoft was the most used end-point device environment in the world. Bill Gates’ “Windows Everywhere” ambition, once realised, made it the most obvious of all targets.
When times change, however, they don’t necessarily follow the script. In the personal computer era, the debate was about whether Linux (and more recently, MacOS) would gain a foothold on the corporate desktop. While we might not be seeing the demise of the PC, we are in the midst of a major fragmentation of the market towards ‘smart’ devices, powered by a variety of operating systems.
Which means, simply, that Windows isn’t the only target anymore. Android, iOS/MacOS and Windows devices all exist in sufficient quantities to make it worth a punt for any hacker to look for weaknesses and exploit them. Equally, threats are starting to appear that target more than one platform at once.
According to the May Symantec Intelligence report, for example, over 30 families of Android threats now exist, up from 11 at the same point last year. And in April, the Flashback virus (which first appeared in 2011) infected over 600,000 Macs. Malware tools such as the Neloweg bot are starting to appear which target browsers rather than operating systems, meaning that they can execute wherever the browser can run.
It’s not about whether one platform or another is more secure – attackers are remarkably innovative when it comes to finding holes in any platform, and devious in how they use social engineering (that is, fooling end-users) to reveal information or allow access. The fact is that, if a platform has sufficient footprint, it becomes worth the while of the hacker to try to exploit it.
Meanwhile, however, many of the people we speak to remain ignorant or blithely unconcerned, still hanging onto the idea that malicious software only exists for Windows computers. The bad guys are not so blasé – the question is, when will people wake up to the fact that all end-point devices are a potential target? Or what kind of major incident will it take to drag IT security into the post-PC world?