KEY POINTS:
There's a popular belief that when it comes to internet security, Apple products keep you safer than those from Microsoft. But according to a recently released report on known vulnerabilities of the past six months, Apple tops the list.
Even more surprising, since security is often touted as a strength of open source software, three open source web tools also make the top 10 of the report, which IBM published last month.
But appearance on the list, compiled by Big Blue's martial-sounding X-Force threat analysis service, can be deceptive. The rankings reveal more about the popularity of particular products than they do about those products' inherent security, says X-Force director Kris Lamb, who was in the country last month to put the wind up customers.
What the list also says is that web browser and server software, rather than operating systems, have become the focus of malicious intent.
X-Force's 250 analysts, who became part of IBM in 2006 when it paid US$1.3 billion ($1.9 billion) for 12-year-old company Internet Security Systems, documented 3534 vulnerabilities in the first six months of this year. More than half targeted web applications.
"We keep an eye on the bad guys," says Lamb, adding that the baddies have gone way beyond being a mere nuisance.
"A lot of what you can see is criminal organisations or affiliated individuals looking to make money - looking to either steal data that is worth money or to actually do identity theft that they can translate into money or financial account transaction fraud."
Eastern Europe seems to be the home of many of the perpetrators, although that can be hard to prove.
"Where they're hosting their attack is rarely in the country where the attack originates," Lamb says.
"A lot of it is difficult to trace because much of the activity is distributed, and might involve people who don't know each other. Some of those people might be in one part of the world, some might be in another part of the world."
State-sponsored internet attacks are also taking place, Lamb says, but tend to be more sophisticated and harder to measure.
Also hard to measure is how much cybercriminals are costing, both in terms of money pocketed and damage done. "When you combine everything, the number is absolutely staggering, I'm sure of that."
Lined up against the bad guys is the internet security industry which, according to Lamb, can be divided in two. On the one hand are anti-virus software vendors and, on the other, vulnerability research organisations such as X-Force, which have a more "holistic" approach to security.
X-Force analyses known threats and devises measures to protect against them. It doesn't do so on an entirely reactive basis - it also entraps and incubates threats before they find a target.
Threats come in many forms. Some target particular organisations; some are launched in bulk, on the basis that a tiny proportion will find a target; some are email-based; and others exploit website or web browser vulnerabilities.
As the bad guys get badder, the computer industry is circling the wagons. Lamb says the degree of co-operation between hardware and software vendors and security companies has increased in the past five years.
Evidence was seen at the Black Hat computer security conference in Las Vegas a month ago, where Microsoft said it would work with the security industry to limit its products' exposure to attack.
Called MAPP (Microsoft Active Protections Programme), the move will see Microsoft give security firms access to software patches before it releases them to customers, so they can provide fixes for any vulnerabilities.
This is intended to break what's become a predictable cycle of exploits being launched the moment Microsoft sends out software updates, which it does on the second Tuesday of each month ("patch Tuesday", as it's come to be known, with the following day sometimes referred to as "exploit Wednesday").
It might be tempting to see that as an admission of Microsoft's security failings. But to Lamb it's an acknowledgement of what the computer industry is up against.
"Microsoft understands the value of co-operating with the security industry and the security industry obviously understands the value of collaborating with Microsoft or another large vendor like that. It's happening because it's in the best interests of all involved."
Are the good guys getting on top of the bad guys? Lamb thinks consolidation of the industry - of which IBM's acquisition of Internet Security Systems is an example - has helped.
For the net to close tighter on cybercriminals, though, there has to be wider adoption of security measures which, in turn, means they need to be more cost-effective and easier to use.
Anthony Doesburg is an Auckland technology journalist