On Mac Security, April 2009

I’ve read many of the “botnet debunking” reports on the web, usually from the die-hard “Macs are totally secure” crowd. (I used to be a member, but am no longer.)

The “debunk” always includes the line “the only place you can get this trojan is from illegal downloads of iWork ’09 or Photoshop CS4…[and] it’s hard to feel sorry for those who download illegal software.”

Ummm…. I can agree with the latter contention, but -so what?- Is that somehow the equivalent of “it’s not spreading because it’s illegal?” I don’t feel sorry for the folks who have it, because 1) they usually don’t know they have it, so it’s no problem for them, and 2) it’s ME I feel sorry for. Me and all the other internet users whose use of the internet is crippled by whatever those botnets are doing.

You know, if people wouldn’t drink and drive, there wouldn’t be so many deaths due to drunk drivers. So, what? Having said that, can we now ignore the problem? Let’s not argue about who set the fire as we watch the house burn down.

And vis-à-vis this: “the only place you can get this trojan is from illegal downloads of iWork ’09 or Photoshop CS4…” Talk about wishful thinking! At first it was “the only place you can get this trojan is from illegal downloads of iWork ’09…” and then Photoshop CS4 was added. Do you -really- think that the crooks (and make no mistake, this is a money-making enterprise run by seriously bad people – the days of mostly ‘script kiddies’ are long over) will say “oops: we’ve been discovered. I guess we’ll give up now”?

Of course not: they are going to find more and more delivery mechanisms.

In fact, I personally know of one that doesn’t involve either of those two programs (a fake Flash updater).

Further, last month at CanSecWest, a Mac was hacked in 4 seconds by merely loading a malicious web page. Nothing illegal; nothing downloaded; nothing installed by the user – just visit the page.

And the die-hard “Macs are totally secure” crowd said… (can you guess?) “Well, you need to watch what pages you visit. If you had not visited that page, there would be no infection.”

Oh good grief: talk about being in denial! Look: if you simply disconnect your Mac from the internet it will be safe. Well, almost. You’d also need to lock it in a vault, rip out the power supply and put it in a block of concrete…

I’ve been sitting in front of Apple-branded computers for almost 32 years now, full-time, making my living with them, and for most of that time, Macs -were- virtually totally secure.

Things have changed.

Based on my own experience this is where things are today:

Macs were immune for a long time because of the way that memory stacks and CPU registers worked on the Motorola CPUs, vis-a-vis the state of the art in hacking at the time. That’s the actual basis of the “Macs are secure” position… and it was true.

Then the OSen and the CPU changed. Unix is largely more secure than Windows, but less secure than the old Macs… and the long-asserted “Macs are only more secure because the market is smaller” rap began to actually show some validity, instead of ignorance.

Firewalls and NAT became more common, so the black-hats quickly adapted to using psychological engineering. (Want someone’s password? Call them up and ask them. 9 times out of 10, if you say you’re with the IT department, they’ll just tell you.) Most folks try to be helpful and are generally trusting.

And because they are that, and curious, not to mention motivated by self-interest, the next evolution was to “phishing” – faking an institution you trust.

Now it’s gotten even more sophisticated, including DNS hacks and even “drive-by” hacks (such as the CanSecWest one.)

Are Macs totally secure? No.
Are they more secure than Windows XP? Yes.
Are they more secure than Vista? Probably not.

What’s the bottom line?

Simple: the biggest security loophole is the person at the keyboard.

But does saying that mean the problem of botnets (et al) has gone away? No.

Does saying “don’t download illegal copies” fix the infections? No. (Although that’s very wise advice, as is “don’t install or open things whose provenance you can’t confirm.”)

Does “don’t visit infected sites” fix the problem? No.

Honestly: I think that many of the “debunkers” are actually in denial.

We’ve reached a stage where the bad guys are using techniques that are platform-independent, so being on a Mac is rapidly becoming irrelevant.

These days the Mac is becoming a more desirable target… and not the least of the reasons for that are all the deniers who proudly proclaim that they refuse to install virus protection… and therefore will (obviously) never know -if- they’ve been hacked, while their machines happily pump out spam or run DoS attacks.

Am I screaming that the sky is falling? No: those of us on Macs are relatively more safe than other platforms. Not “safe” – just “more safe.”

If you think you’re completely safe from everything just because you’re on a Macintosh, you’re a fool.

And furthermore, IMHO, the sky IS darkening.

Don’t say I didn’t warn you.