http://www.macbytes.com/images/bytessig.gif (http://www.macbytes.com)

Category: News and Press Releases
Link: Mac community must wake up to security (http://www.macbytes.com/link.php?sid=20050909100243)

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

obligatory quote from Holy Grail:
Black Knight: [with various limbs chopped off] "I'm INVINCIBLE!"
King Arthur: [clearly the victor] "You're a loony."

Let's just hope it never gets that bad.

Some one really said that Ms has leapfrogged Apple in security ?

I agree that many mac users feel that they are simply immune to the security threats that are out there today. And to some degree, its true.

but, I have a question, (1) is it even worth purchasing some sort of antivirus software for a Mac (even though there are no current viruses) in the hope that it may help in the future?

(2) what all do current mac users do to ensure that they are secure and not (that is what other precautions do you take?

--thanks...

I believe the communities' response is appropriate considering the lack of trouble we generally have with these sorts of things... when and if it happens that a new piece of code is on the loose that can automatically install and eat your Mac, then I'll worry. Not before then...

but, I have a question, (1) is it even worth purchasing some sort of antivirus software for a Mac (even though there are no current viruses) in the hope that it may help in the future? Consider that while you may not see any problems with an infected file you download, it's quite easy for you to send that file to a PC user.

If Norton Anitivirus worked under OS X as well as it did under OS 8-9, it wouldn't be a problem to keep it loaded, up-to-date, and running in the background.

But now it's no longer the best use of CPU cycles, and it is a subscription based product. :(

I agree that many mac users feel that they are simply immune to the security threats that are out there today. And to some degree, its true.

but, I have a question, (1) is it even worth purchasing some sort of antivirus software for a Mac (even though there are no current viruses) in the hope that it may help in the future?

(2) what all do current mac users do to ensure that they are secure and not (that is what other precautions do you take?

--thanks...

I do nothing, I don't suggest my customers do anything special.

Mac OS X comes out of the box (off the DVD) quite secure. No services are turned on that can be compromised directly by a remote attacker.

If a user were to download, install and run a piece of malware, that software doesn't have access to anything but that user's files. It can't systemically infect/affect the system or other user's files; even if the host account is an administrator. The program could not even last across log-ins or reboots since to add itself to startup items requires authentication.

The most plausible scenario involves a unix program/process that is simply a zombie for trying to infect Windows systems or sends out spam. Still, getting such a program to install and run across logins or reboots would require some participation by the user.

There is no such thing as an impenetrable fortress, I have no delusions that the Mac can't be hacked; I just don't see any fundamental security flaws that would allow something as innocuous as a JPEG image on a web site to take over a system to track your every move, steal your personal information and become a zombie system for spammers.

Imagine that, people who work for security companies see security issues coming for the Mac.
In other news, insurance adjusters feel that my house could possibly catch on fire.

This article is all about someone pointing out the obvious to users. And then someone wrote an article about it. Hurah.

In other news, insurance adjusters feel that my house could possibly catch on fire.

That's a much better analogy then the one I was trying to come up with.. :)

I do nothing

Same here. Well, almost. I turn on the built-in firewall, and I have my Mac behind a NAT'd router (more for convenience than security). Also I think before typing my admin password into an authentication box. And that's about all... I'm (nearly) invincible!

If a user were to download, install and run a piece of malware, that software doesn't have access to anything but that user's files. It can't systemically infect/affect the system or other user's files; even if the host account is an administrator. The program could not even last across log-ins or reboots since to add itself to startup items requires authentication.

The most plausible scenario involves a unix program/process that is simply a zombie for trying to infect Windows systems or sends out spam. Still, getting such a program to install and run across logins or reboots would require some participation by the user.

Assuming an installer is used, everything you said couldn't happen in that post, actually could. Even if you did a drag and drop install with malware, all it has to do is ask for authentication on first run (like many legit apps do), and then your security situation is bust.

Actually trojans of this type would work just as well under a unix environment as a windows one. The only hoop they have to jump through is granting admin rights. However, once that sudo window pops up, I guarantee that very few people (with the notable exception of ebow above) actually look at the details as to what application they are granting admin rights when they do an install. Plus, once the password is entered, it is trivial to script a chmod 666 during the process (fixing permissions may catch the suid bit though) if there is a server to be run, or if systemwide access is needed.

And yes, the program can add itself to OSX's root (or user, if admin rights aren't requested) cron jobs calling a trivial script every 5 minutes that checks if it is running, and if not then execute. Crontabs last through reboots, just as they are designed.

Trojans suck, because there is no real security from them except for the users themselves. You can use all the ACLs you want, but one well placed social-engineering statement blows it all out of the water. I think trojans are going to be the real vulnerabilities in OSX for a while. Safe computing practice is to know what you are putting on your computer and do not give admin rights out like candy.

Jim

Trojans suck, because there is no real security from them except for the users themselves. You can use all the ACLs you want, but one well placed social-engineering statement blows it all out of the water. I think trojans are going to be the real vulnerabilities in OSX for a while. Safe computing practice is to know what you are putting on your computer and do not give admin rights out like candy.


It would be nice if the OS could force installers to "declare" what they're going to do when they request your password, and then run the installers in an isolated sandbox-type environment until the OS can verify that the software is doing what it said it would do. Once that was (somehow) confirmed the execution or results would be moved from the sandbox and applied to the regular computing environment. I think I've read about something along these lines, but it's been a while, and I am by no means an OS coder, so I couldn't say for certain if it's feasible.

It would be nice if the OS could force installers to "declare" what they're going to do when they request your password, and then run the installers in an isolated sandbox-type environment until the OS can verify that the software is doing what it said it would do. Once that was (somehow) confirmed the execution or results would be moved from the sandbox and applied to the regular computing environment. I think I've read about something along these lines, but it's been a while, and I am by no means an OS coder, so I couldn't say for certain if it's feasible.
I think that parts of Trusted Computing were said to be a hardware solution to this problem, with little overhead. There's just a large potential for abuse by OS vendors. Sandboxing would be interesting, and there are ways to do it on a BSD system (does OSX support jails?), but the overhead would be tremendous to a regular desktop user. Plus integration would pretty much go the way of the dodo if you sandbox every program while it is running.

Yeah, and sandboxing during install isn't necessarily going to help much. A program can install itself anywhere, and would reasonably expect to have access to certain configuration items or schedulers. Malware can act like a regular program on install and get past the sandbox, then it unleashes itself during runtime, and sandboxing every program just isn't sane on a desktop.

Jim

I will get antivirus software when (NOT IF!) there is a Mac virus that isn't blocked by a prompt security update. Even if I HAD virus software I'd need to download the new definitions anyway... may as well wait until then to download the software too.

Meanwhile, my security measures:

1. Non-obvious passwords, and not the same online as for my Mac.

2. Non-admin account for my guests to use.

3. OS X firewall on.

4. Don't download software unless a lot of people have gone first--and only from a trusted central location that tells me so--like versiontracker.com.

5. Software Update.

6. Keep one eye on Mac news so I'll know when the first virus arrives.

7. Never connect my Windows PC to the Internet.

Really, only #6 requires any effort, and only #4 requires any special habits.

Consider that while you may not see any problems with an infected file you download, it's quite easy for you to send that file to a PC user.

I for one have considered this, and I've come to the conclusion that it would be the PC user's problem. Having made a poor choice in their computer purchase, it must be up to the PC user to take the necessary precautions.

Further, Mac users protecting PC users would allow PC users to continue blindly purchasing PCs, therefore allowing more viruses to be developed for that insecure platform. If computers are to continue to evolve, then we should allow natural selection to weed out the PC.

Imagine that, people who work for security companies see security issues coming for the Mac.
In other news, insurance adjusters feel that my house could possibly catch on fire.

Well said, those people are just trying to increase purchases of their software because only the most paranoid (for the most part) Mac users buy it. :rolleyes:

I don't do anything, not even put up a firewall, and my Macs have been perfectly fine from 1996 up till now. I might be pressing my luck, I dunno, but I've never needed a firewall or antivirus software on my Macs. My PCs on the other hand - ugh. Just clean install WinXP and hook it up to the net and spyware/adware/virii has invaded within 20 minutes. It's craziness.

Still, getting such a program to install and run across logins or reboots would require some participation by the user.

Not necessarily because a malicious attacker can look for undisclosed vulnerabilities (or more easily, disclosed vulnerabilities in un-patched systems) in programmes which allow an escalation of privileges i.e. it offers a way to become a super-user programmatically. Casting a quick eye over any Apple security update reveals these are quite common, especially for local access. Not to mention stuff like brute force password crackers - and how many people do not follow Nagromme's #1 bit of advice?

All you have to do is to get the user to execute something malicious, no password needed.

I just don't see any fundamental security flaws that would allow something as innocuous as a JPEG image on a web site to take over a system.

This was certainly possible up to 10.3.5 (although technically through a PNG (http://www.kb.cert.org/vuls/id/388984) image not a JPEG).

"By introducing a malformed PNG image to a vulnerable application (i.e. Safari), a remote attacker could cause the application to crash or potentially execute arbitrary code with the privileges of the current user."

The attacker is now local and has their choice of code to execute without the user clicking a thing. See above.

If the same vulnerability is present in Mail, then you have your transmission vector. If not, no worries, they can just mail a link to dodgy page (or pages) to everyone in your address book - something that can be achieved in two or three lines of most scripting languages.

The only limit is the popularity of the vulnerable applications.

All you have to do is to get the user to execute something malicious, no password needed.

The only limit is the popularity of the vulnerable applications.
In theory this is possible. In reality, the likelyhood of accomplishing this and not getting caught isn't very high. ;)

Well said, those people are just trying to increase purchases of their software because only the most paranoid (for the most part) Mac users buy it. :rolleyes:

Or switchers who are so used to having to have virus software they can't contemplate computer usage without it.

Or switchers who are so used to having to have virus software they can't contemplate computer usage without it.

Haha yeah :p It's like the use of antivirus software has been written into their DNA permanently or something...

(1) is it even worth purchasing some sort of antivirus software for a Mac

No. I have owned and administered several hundred Macs over the past two decades from before the Mac128K was originally officially released. I have never had a virus, worm, trojan, etc on any of those machines. I do not waste money on "anti-virus" software.

(2) what all do current mac users do to ensure that they are secure and not (that is what other precautions do you take?

A little care goes a long ways. Don't download and run software from dubious sources. Don't be the first, the penguin on the edge of the iceberg. Let others test things and then if no problem is found and you find the producer to be trustworthy then use the software.

Consider that while you may not see any problems with an infected file you download, it's quite easy for you to send that file to a PC user.Got any examples of the types of files Mac users might download that could infect PCs that run Windows?

If a user were to download, install and run a piece of malware, that software doesn't have access to anything but that user's files. It can't systemically infect/affect the system or other user's files; even if the host account is an administrator.That's simply not true. All any user needs to do is run a one-line command from a Terminal shell (guess which one? ;)) and it'll be partially destructive unless enough file permissions have been secured. To believe and claim otherwise is propagating a myth of a false sense of security when in reality a demonstrable vulnerability does exist (even if it's unexploited).

Too much software is installed with world-writable files/directories by default, which non-admin users can delete. And an admin user can take out a good chunk of /Library (for instance), which would be severely crippling on most systems. The amount of effort it would take to sufficiently protect against that, and sustain that protection (which running Repair Disk Permissions will partly undo), exposes shortcomings in the several-decade-old UNIX security model. For example, it was never designed to scale to filesystems with +100Ks of files on them. While ACLs may help to some extent they're still too high-maintenance, especially for non-technical users.

AlmostThere wrote:

All you have to do is to get the user to execute something malicious, no password needed.

And cwtnospam responded:

In theory this is possible. In reality, the likelyhood of accomplishing this and not getting caught isn't very high.

It's ridiculously easy to deploy a trojan without getting caught, even without enough "social engineering payload" to propagate and wreak havoc. I tend to agree with jim's observation:

I think trojans are going to be the real vulnerabilities in OSX for a while.

... and how many people do not follow Nagromme's #1 bit of advice?The majority of untechnically-inclined mainstream computer users (for lack of a better term)? Generally, if security measures aren't somehow enforced, many people choose to ignore them or simply don't even know about them. And all of us here know how easy it still is for someone to innocently and naively hook a Windows PC to the net with insufficient protection to keep it from being infected and/or hijacked. Etc. etc.

All security for all operating systems must start and end with the user. If the user is knowledgeable and vigilant, then most security products are unnecessary. If he is not, then no amount of add-ons will protect him.

I use Windows PC's at work all the time and part-time (for gaming) at home. I have not invested much in security products, but I do have a set of policies that I make certain to follow:

The networks (home and work) are behind hardware firewalls. The home LAN is behind a Linksys router with NAT turned on and all but one inbound port (SSH) blocked. The corporte LAN has its own firewall, administered by the IT department.
I keep the PC's updated with the latest system patches from Microsoft.
I keep my applications (especially internet-using ones) up to date with the latest patches from their respective vendors.
I only install software that I purchase or download from well-known sites. This is almost always the publisher's own site or a genuine not-pirated CD.
I do not trade "warez".
I do share my disk volumes over the LAN, but with some restrictions. At home, all volumes are exported as read-only (if I need to put a file on another computer, I log-in locally to that computer and use the network to fetch it from the file's source computer, which also exports its volumes as read-only.) At work, I use our network's domain-level security so that only my personal account can mount one of my volumes read-write - other domain users are read-only, and guest-access is blocked.
I disable auto-installation in all programs, including web browsers, games, and the OS itself. I will let apps notify me when updates are available, but I must always give approval before download or installation. When stuff has certificates (like Windows udpates), I review them to make sure the files come from where they are supposed to be coming from.
I never run a program e-mailed to me. Never. Even if the message is expected and comes from someone I know, I won't trust it. If I want someone to give me a program (which happens very very infrequently), I'll have him put it on a known web server and send me a URL to it, or (even better) snail-mail me a CD or load it into a flash drive I always carry with me.
I don't use known-insecure programs (like Outlook)
I configure my e-mail program (Thunderbird) to disable plugins, Java and JavaScript. Remote images are blocked.

I employ these security procedures on all of my networked computers - Windows PC's, Linux PC's and Macs alike. I work from non-administrative accounts on Linux and Mac OS. (Unfortunately, this isn't really possible on Windows.) Note that none of these require the purchase of any special software and none require the overhead of background software.

I do keep a virus scanner (provided by my employer) running on the Windows PC's just in case something should slip by my procedures. (The scanner updates itself every day at 1:00am and scans the local hard drives every day at 2:00am.) To date, I have gotten exactly one virus over the entire time I've had computers attached to the internet (which is as long as the internet has existed.) And this virus arrived via Microsoft's own Office Update server.

I also run AdAware and SpyBot S&D to scan for spyware on the PC's. I run these scans infrequently, but they have never found anything more intrusive than tracking cookies in my web browsers. (Which I make no attempt to block - I don't consider cookies a serious threat.)

I run the Microsoft software firewall on my Windows XP boxes, but I do not normally run software firewalls on any other computers, preferring to rely on the LAN's hardware firewall. I do keep a copy of Zone Alarm installed, but disabled on Windows laptops - I enable it when travelling in case other networks don't have proper firewalls in place.

If Macs should someday come under attack to the degree that PC's are, I don't think I will have very much to worry about. The fact that my procedures have kept virusses and other malware off of my Windows PC's for over a decade, and have only failed once in that time span tells me that they should work just fine for the rest of my computers, including the Macs. If the threat becomes great enough, I will start using a virus scanner (again, just in case something slips through), but not until then.

"I put apple a few years behind Microsoft in understanding how to manage security for the users. I put Microsoft a number of years behind the Unix community because the first systems that got hurt -- ten or fifteen years ago -- were Unix systems. Microsoft had to fix the security because it had such a bad reputation and to its credit, the company has really turned it around, " said Borrie.
That made me laugh.

OS X is more secure than Windows. It is not an issue of the number of virus directed at the platform, it is it Unix base and common sense construction. As I read a while ago, Windows is now just a big mesh of code from the last 20 years, and fixing anything or making any revolutionary security changes would require a substantial reconstruction of the OS. But Redmond won't me doing anything like that anytime soon...

As I read a while ago, Windows is now just a big mesh of code from the last 20 years, and fixing anything or making any revolutionary security changes would require a substantial reconstruction of the OS. But Redmond won't me doing anything like that anytime soon...

I believe the official term is "Windows is a polished turd".

All security for all operating systems must start and end with the user. If the user is knowledgeable and vigilant, then most security products are unnecessary. If he is not, then no amount of add-ons will protect him.Generally, security products are still too complex and intimidating for inexperienced and uneducated users although some have reasonable enough default configurations to be effective, especially low-end hardware firewalls. Even technically savvy users get frustrated and make mistakes trying to properly configure obscure software. And there's always risk of being lured into a false sense of security.

I don't know if it's fair to say users are always the weakest link in the security chain but anyone with an irresponsible attitude about security becomes a more open target. Of course even responsible users have been and can still be successfully attacked.

I have not invested much in security products, but I do have a set of policies that I make certain to follow:Hey, that looks like my list. :)

I also run AdAware and SpyBot S&D to scan for spyware on the PC's. I run these scans infrequently, but they have never found anything more intrusive than tracking cookies in my web browsers. (Which I make no attempt to block - I don't consider cookies a serious threat.)I use the equivalent of Safari's "Only from sites you navigate to" with the PithHelmet plugin. I may occasionally block cookies from a few obvious ad tracking sites but I've never felt it's been worth my time and effort to manage them more diligently. I don't see myself as being irresponsible with cookie security since I'm doing it with awareness. :)

If Macs should someday come under attack to the degree that PC's are, I don't think I will have very much to worry about. [...] If the threat becomes great enough, I will start using a virus scanner (again, just in case something slips through), but not until then.That's how I feel about it, too. And anyone who frequents sites with Apple/Mac-related news is pretty much assured of hearing about any significant attacks (including possible defenses) even before immunization becomes generally available. Like that Opener "malware", which also happens to support the "user is the weakest link" hypothesis.

God help anyone (myself included) who's sincerely trying to understand what it really means and takes for them personally to be a responsible netizen on today's internet, filled with malicious behavior, sloppy security, ad-hoc policies and regulations, and the general lack of accountability. Still, my temporary moments of bleakness are always overshadowed with optimism. :)