Many administrators, IT directors, and CSOs are tired of the constant system patch battle and constant security software updates. The Google Chrome OS offers them hope for a safer computing experience but whether it can actually offer this safety is a very difficult question.
The Trend Micro 2010 Future Threat Report discusses how cybercriminals currently take advantage of the fact that the desktop market is mostly dominated by Windows. For attackers focusing on Microsoft platforms, there are simply enough machines available for them to make sufficient money. This is purely economy of scale.
As other operating systems continue to increase in popularity and gain desktop market share, it is not surprising that we also see an increasing number of attacks aimed at them. However, with Google Chrome, the OS is very small and open source, and the data and applications are stored in the cloud. This means there should be fewer bugs, as there are fewer lines of code. As it is smaller, it is also not so powerful, so locally installed multipurpose malware could perhaps become a thing of the past.
However, cybercriminals are very adept and agile—their attacks are sophisticated and they regularly alter their focus to misuse the latest technological trends.
Based on this, it is possible that certain attack scenarios could still work, such as:
Manipulating the connection to the cloud. If a cybercriminal were to fiddle around with the OS code just a little bit to change the DNS records, a user might first visit an underground site, which then automatically redirects to his/her Web application page. This might reveal all the user’s data if the communication channel cannot be locked down. It is possible to rely on a combination of IPv6, encryption, and certificates, but this is still a possible attack vector.
Attacking the cloud itself. If cloud-based applications and cloud-driven OSs become mainstream, a 99.99% availability is absolutely critical. A computer that is unable to reach the information and application host is useless. Attackers could potentially use standard botnets (as we will certainly see bot-infected computers on standard multipurpose OSs for the next 10 years) to overload the cloud infrastructure of the host. Or an attacker might “ask” for the payment of a small “donation” to ensure that the cloud host, being overwhelmed with requests, could deliver the service again.
These would certainly provide a lucrative business for cybercriminals. In fact, these types of attack are already taking place, albeit on a small scale, but if one business driver (infect desktop computers with malware to misuse them) loses importance or profitability (not enough targets to reach anymore) then another business model will replace it.
Cloud vendor data breaches. The theft of valuable items (credit card information, social security numbers, login credentials) in the cloud (they can no longer be grabbed from victims’ computers) is a major concern and consideration for any business or home user. The question is whether any cloud vendor could reasonably ensure that unauthorized access is not possible—that a hacker will never be able to copy millions of user records, login credentials, online banking information, billing information, transaction records, and the like.