Some days it seems the entire world is waiting with bated breath for the eventual fall from grace of the long-vaunted Macintosh security. From industry publications to the mainstream press, even the slightest Mac security hiccup spurs an onslaught of articles, debates, and even the occasional cable news headline. Some stories declare us invulnerable to attacks, while others give the impression that by the time you jump up from your armchair and rush to your Mac, it will already be infected and funneling your life’s savings and family photos to Nigerian spammers. For us Mac users it can be difficult to discern the lines between truth, hype, and outright fantasy.
As someone who spends most of his time reading, writing, and speaking about security, there are five things I tend to look for in Mac security news to cut to the heart of the story. After all the hype in recent days over the “Mac botnet,” I thought it was time to share some of my tricks.
Is the Story Based on a Vendor Press Release?

Many security vendors provide the computing community an invaluable service by releasing vulnerability and exploit information uncovered by their research and incident response teams. While this information is incredibly helpful in learning about and evaluating new security threats, it also comes with a dark side: vendor marketing departments often see these discoveries as a great way to scare people into buying their products.
They issue press releases to draw as much attention to problems as possible, hoping they will bring more users to their products (since they can always, of course, protect against the new risk). These releases would fade into the ether if it weren’t for a press hungry for readers. Everyone loves a good scare story, and it becomes the digital media equivalent of “if it bleeds, it leads.”
When I read any story involving some new kind of security threat, the first thing I look for is the source of the story. If I see nothing but quotes from a single security vendor, or a straight reprint of a press release (an all-too-common practice), my skepticism meter starts to peg. (For the record, I don’t consider the vendors malicious or deceptive, but when you truly believe in your product it comes with a certain bias.)
Is the Story Really New?

Security stories often percolate for months, or even years, in the industry press before breaking out into more mainstream publications. Even within the industry press, we sometimes see a small group of incidents constantly repurposed in new articles, typically with a healthy dose of additional hyperbole.
The Mac botnet story that flooded the press last week is a classic example of an old story experiencing an unjustified rebirth. The malicious software initially appeared back in January 2009, hidden inside pirated versions of iWork ’09 and Adobe Photoshop CS4.
The story was revived as additional information came to light, but it was unfortunately misinterpreted by many as some new kind of attack. The infected machines were observed being used as a botnet, which is interesting behavior, but nothing in the story described a new way of becoming infected or any additional risk to users who had never installed the pirated software. A quick Google search will usually reveal the root of the story, and help determine whether you face a new risk.
Is the Security Issue Really New?

It’s not uncommon to see a string of security stories that are all essentially about the same root problem. This happens regularly even in the security industry; once a new vulnerability or exploit becomes public there’s a never-ending string of variants as different bad guys try to circumvent our security defenses. But these variants are typically different colors on the same body, and don’t indicate any increased risk over the original.
For example, some Mac malware hides itself as a fake video player on adult Web sites, and we saw a few new versions appear last year. This social engineering trick – hiding malware inside an innocuous-looking application aimed at prurient interests – has been around nearly as long as people have been looking at digital pictures of other people who aren’t wearing clothes. When I read stories that seem to spin old news, or describe a variant of a well-known problem, I start looking at them more skeptically.
I’m generally unimpressed by any story that involves tricking a user into manually installing malicious software. On occasion we see a particularly creative deception, and I might be concerned if the malicious software was hiding in a mainstream application, but getting someone to install something evil on their system is a fault with the human brain, not their operating system of choice.
What’s the Mechanism of Action?

With any security risk there has to be some sort of mechanism of action. Sometimes it’s a new vulnerability in an operating system or software, other times it’s a new method of attack. If the news story doesn’t offer any details on the mechanism of action, I start hunting down sources to determine what’s really going on. Once I do identify the mechanism, I can usually determine the level of risk.
For example, as we discussed above, I tend to be less concerned about software that requires manual installation, unless it’s hidden itself in an extremely common source that affects a large portion of the community. (Yes, you could argue hiding malware in an adult video player hits a large portion of the community, but that’s not something we talk about in polite publications). If I see something that works only under a limited set of uncommon circumstances, the risk is usually low.
However, when I see something that allows an attacker to take over your system via an email message, by getting you to view a malicious Web page, or via a network attack on a common port or other common service, I become more concerned.
First ask yourself how it works (what’s the mechanism of attack?), then how bad it is (what does it damage, or allow the attacker to do?), and then who it affects (any Mac user, or just those running some obscure software?). Admittedly, you need a bit of knowledge to make these interpretations, but you don’t generally have to be a security expert to figure out many of the basics.
Going back to our Mac botnet story, it was mentioned, though rarely emphasized, in every article that the malicious software hid itself only inside pirated versions of iWork ’09 and Photoshop CS4. Unless you downloaded those illegally, or grabbed a (possibly illegal) copy from a friend, you were safe. End of story.
Does the Story Defend Mac Security Based Solely on History?

We Mac users have it pretty good. We face only the smallest fraction of the security risk endured by our Windows brethren. But just because we live in a nicer neighborhood doesn’t mean we are immune to risks. For many years Mac OS X did have an inherent security advantage over Windows, but to those who understand the technologies within the operating systems, those days are long past.
The latest version of Windows (Vista, not that most people use it) is demonstrably more resistant to exploitation than the latest version of Mac OS X, 10.5 Leopard. Leopard lacks a complete implementation of the anti-exploitation technologies that shipped in Vista, notably full address space layout randomization and non-executable memory protection, and, judging by the volume of Apple security updates (a rough proxy, but the best public one), it experiences about as many vulnerabilities.
When I see articles that defend Mac OS X based on the lack of Mac-specific malicious software, and not on current technical capabilities, cybercrime dynamics, or attack methods, I tend to be dubious.
Mac OS X’s Unix core was a powerful security defense for many years, especially the requirement to enter a password before installing most kinds of software, but modern attack methods circumvent that protection: an exploit delivered through a Web page or document runs with the privileges of the logged-in user, no installation prompt required, and that is enough to read and send off the documents, photos, and saved passwords in that user’s account. On the upside, Apple started adding some of these anti-exploitation technologies to Mac OS X in Leopard (albeit incompletely), and if they finish the implementation, and continue to add new security features, the odds are we will never face the same security risks as Windows users.
You Can Do It

The need for computer security long ago passed from a minor annoyance to something that could affect our personal and financial safety. Just as disasters, crime, and tales of tragedy tend to dominate the news, stories of information security failures never fail to grab the headlines. When it’s a story with the potential to smear a media darling like Apple, you can bet the article will be right up there next to the latest celebrity embarrassment. But with a little consideration of these five tips, you can evaluate the reality level of any given security story.