Is your Mac really secure?

At the recent CanSecWest security conference, Apple’s Safari browser, running on a fully patched OS X 10.6.6 system, was broken into with an attack that took around five seconds to compromise the machine, as part of the "pwn2own" competition. Five seconds.

Security experts are starting to shift their talks from “PC users need to be especially careful” to “Mac users need to be especially careful”, and not just because they’ve got security software to sell. I’ve had that discussion with any number of security software vendors, some of whom don’t even have a Mac OS security suite — yet.

So, is your Mac under any kind of imminent threat? Is all your precious data likely to be wiped out by a rogue virus? Are criminals located somewhere in a shady Eastern European country going to coat their Ferraris in finest Beluga Caviar, all paid for with your credit cards?

To quell your panicked heart and answer those questions in order: Probably, Unlikely and No. A topic like this does deserve a little more explanation than four words, however. I’ll go in reverse order.

No: Eastern European criminals are unlikely to coat their (well, yours, technically — you will have paid for it) Ferraris in Beluga Caviar. It’d do terrible things to the delicate flavour. Of the caviar, that is; I’ve never attempted to eat a Ferrari, but suspect that your dentist would disapprove. Cybercriminals would like your money very much, however; it’s a huge multi-billion dollar industry.

Unlikely: Destructive viruses haven’t been the flavour of the month for some time now. Many years ago, I worked as an overworked phone support operative for a now defunct computer company (think cows, rather than think different), and had to deal with people whose systems had been comprehensively hosed by viruses that overwrote the operating systems, rewriting and reflashing BIOSes and the like. Nasty, terminal stuff written up largely by nasty, immature minds. These days, the virus/malware threat is all about money.

Having said that, there are still sectors of the community that love nothing more than the Mac vs PC war that I personally find quite tiresome. If an exploit became widely known and open enough for the script kiddie level of hacker to insert something nasty in it just to stuff up Mac systems, would they do it? I have this horrible feeling that they might.

Probably: As to the imminent threat question, the answer is actually no. I somewhat lied there — but in the security field, there are a lot of liars. Your Mac isn’t under any kind of imminent threat.

But before you breathe a big sigh of relief, that’s got little to do with anything particular Apple’s done to lock your Mac down, and far more to do with my choice of words. Your Mac isn’t under imminent — that is, an impending, clear and present — threat.

The threats are very much here, right now, and spreading. Whether it’s annoyance at Mac/Apple arrogance (as has been suggested to me by a few security types) or the rising numbers of Macs (and affiliated iOS platforms) out there for the bad guys to target, there have been a number of identified flaws and attacks targeting Mac users specifically. To throw up the most recent example, the OSX/MusMinim-A trojan targets Macs specifically. There have been cases of popular Mac apps being distributed with a little extra — such as a trojan — added in at no extra cost. Even iOS has had its share of malware, although that’s been restricted to the jailbroken community to date.

Ah, I hear you say, but Apple assures me that my Mac is safe! Take a look at Apple's page about OS X security — that states categorically that Mac OS X doesn’t get viruses!

OK, I cheated a little there too, but then so does Apple. The exact quote is “Mac OS X doesn’t get PC viruses.”

That is true. Don’t run any PC applications on your Mac, and how could it possibly be false?

It’s just as true as saying that my sandwich press doesn’t get PC viruses. In fact, I’m happy to say that my sandwich press got a 100 percent proof security rating against all PC viruses, something it’s had for many years now. Its ability to toast sandwiches is second to none, although I might need a little more application space for spreadsheets. Also, it runs undeniably hot.

Getting back on track, I’m still going to say that Apple’s cheating a bit with its security page, for two reasons. First, as the pwn2own experience shows, no system is truly flawless. Admittedly, that five-second figure is a little deceptive in itself. The attack itself took, according to this Ars Technica article, three researchers and two weeks to write. The five-second figure is just the runtime of the exploit. Still, if one were of an illicit disposition and knew there were millions (or billions) of dollars to be gained, two weeks’ worth of researcher salary would seem like something of a bargain for access to the world’s Macs.

The second reason Apple’s cheating with its security page? Read down the page, and you’re hit with headlines. “Defence against viruses and other malware”, “Always on the alert”, “Don’t go phishing”, “Surf safely” and the like. It gives you a warm, fuzzy and above all secure feeling.

But then at the bottom is this admission: “The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.”

It’s a slight cheat, to be sure, and probably there more for complex legal reasons than anything else. Still, if you thought that the Mac was absolutely, undeniably, irrefutably uncrackable, it would appear that not even Apple agrees with you.

So, what’s to be done? Are we all doomed? To borrow a line from the great Kent Brockman, is it time for Mac users to crack each other’s heads open and feast on the goo inside?

No. Again, I suspect the taste would be terrible. More seriously, the threat to Apple’s system is an ongoing one, and the rising popularity of the platform made it an inevitability that the security folks — both on the good and bad side of the fence — would start examining the Mac in more detail. An AV/Malware scanner seems like a sensible idea to me, and there are a number of vendors offering up free security applications for Mac users.


Above and beyond that, most of the presentations I see still seem to focus on the socially engineered side of malware and scams, with fake web pages and code you’re asked to run yourself. If you’re not a big fan of illicitly downloading software (and you shouldn’t be), these are the current and most likely threats you’ll hit, simply because a lot of them either rely on software they’ll ask you to install yourself (few AV packages can completely protect against this kind of thing), or because they’re web-based, designed to deceive everyone equally (i.e. crack open your skull and feast on the goo inside) and therefore platform agnostic.

You could be running on a PC, a Mac or a Linux system and it wouldn’t matter. The moment you’ve entered your credit card details to donate to what you thought was a Japanese quake disaster fund relief effort (to choose what will sadly but undoubtedly be a popular target for the phishers), they’ve got you. A little careful thinking, especially when it comes to your private details and anything at all to do with your money, will go a long, long way to defeating this kind of criminal activity.

Using your brain, and not just relying on your Mac’s operating system brain, may be the best defence you’ve got.


