Yep. And running Anti-Virus software that can't do anything good is a prime example in my mind of a false sense of security. If you expect your anti-virus software to catch anything, then you're fooling yourself at this point.

jW
Viruses/trojans still aren't the only kind of malware. I suggest that anyone who thinks that such is the case (or doesn't know the difference) should have a good read here.

The bottom line is that, anti-malware software or not, the most important thing to protect is your sensitive information (by keeping it backed up and having it encrypted when accessible via a network). If you do that, the security of either Windows or OS X is not differentiable enough to be a deciding factor.

Other than what I've said, there is no way you can know how secure the operating system you are using is unless you have personal knowledge about the exploits being developed and how those exploits can be used together. So, please do trust it to us developers to have more insight than the average user has on these issues.
 
So, please do trust it to us developers to have more insight than the average user has on these issues.
Just because someone is a developer doesn't automatically make them an authority on security issues. There are plenty of novice developers who don't even know how to code properly. I don't trust any individual, developer or not, until they've proven that they know what they're talking about. That comes from a history of their statements being proven accurate, having been verified by a number of reliable sources.
 
LOL, I am a developer with a background in system security as well. :rolleyes: I agree with GGJ on this one.
 
If you're referring to me, I very clearly said, "there are no viruses that exist in the wild that can run on Mac OS X, and there never has been." That statement is 100% factual.

No one has said there has never been an OSX worm or trojan. As I also said, "The handful of trojans that exist can easily be prevented by exercising common sense." That applies to the trojan that you mentioned.

Yes. Read the link in post #5.


You've been claiming this for a while.

Can you PROVE that none exist? Can YOU PROVE YOUR STATEMENT?

Hey, I'm curious, what is your profession? What credentials allow you to make this statement?

God, I love it when people with no serious security backgrounds make such bold, unfounded statements with no proof.

I don't really mean to make this personal, however, with no proof, your statements come down to your personal credentials.
 
You've been claiming this for a while.
Can you PROVE that none exist? Can YOU PROVE YOUR STATEMENT?
You can disprove my statement quite simply by naming one virus that exists in the wild that has ever infected even one Mac OS X system, anywhere in the world. Name one. Until you can do that, my statement stands as accurate. Just one.
 
Just because someone is a developer doesn't automatically make them an authority on security issues.
That's true, but they are at least more knowledgeable about how the operating system works than the average user.

There are plenty of novice developers who don't even know how to code properly.
Tell me about it. I have worked with plenty of them. I know that a high GPA often doesn't even translate into a person who should be hired as a developer. Even some without the proper education are actually skilled. It's highly individual. Most people either have it or they don't (education or not).

I don't trust any individual, developer or not, until they've proven that they know what they're talking about.
Except that I don't have to prove anything to you (please see, poisoning the well: phishing for superfluous information). All that matters is that a given claim can be verified and that it has been verified, not that everyone can verify a given claim.

That comes from a history of their statements being proven accurate, having been verified by a number of reliable sources.
Well, first you have to have the tools and knowledge to verify a given statement. Not all people can verify all given claims and there are justifiable reasons for why this is the case. Yet whenever I give some examples you seem to shrug them off as if logic does not compute.
 
Not all people can verify all given claims...
But some can verify claims, if given supporting evidence to evaluate. The claims that you made referring to hackers and malware developers, if that's what you're referring to, are unsubstantiated because you provided no evidence of any kind for anyone to evaluate. Making a statement that isn't supported by factual evidence or corroborated by other reliable sources leaves that statement unverified. If you care to post any evidence to support a claim, then those in the forum who do possess the knowledge and experience necessary can evaluate such evidence. If you fail to post such evidence, your statement remains opinion or conjecture, until proven otherwise.
 
So you're suggesting that no viruses will be developed for Mac OS X until its market share exceeds that of Windows? Or do you have a "magic market share percentage" number in mind, at which point viruses will appear? :rolleyes:

Game theory states that the magic number is a market share of 16%.

Individuals that reached this result cite pwn2own to show Macs are as easily exploitable as Windows but fail to realize that pwn2own exploits don't achieve system level access, achieving system level access is more difficult in Macs compared to Windows Vista/7 or properly configured Windows XP, many Windows XP users run as superuser so exploitation to system level is not required, and system level access is required for the install of more dangerous payloads such as rootkits.

Also, as you mentioned earlier, the install base of OS X is around 100 million or more and growing. Install base is more important than market share % because a botnet containing 1% of the OS X install base would include 1 million computers; this is more than enough to be profitable.

It is also possible that the global market share of OS X will start to go down as cheaper hardware that does not run OS X becomes more affordable in poorer nations despite Mac market share increasing in developed nations. Which measure of market share matters: Global, NA, Europe, Asia?
 
Game theory states that the magic number is a market share of 16%.

Individuals that reached this result cite pwn2own to show Macs are as easily exploitable as Windows but fail to realize that pwn2own exploits don't achieve system level access, achieving system level access is more difficult in Macs compared to Windows Vista/7 or properly configured Windows XP, many Windows XP users run as superuser so exploitation to system level is not required, and system level access is required for the install of more dangerous payloads such as rootkits.

Also, as you mentioned earlier, the install base of OS X is around 100 million or more and growing. Install base is more important than market share % because a botnet containing 1% of the OS X install base would include 1 million computers; this is more than enough to be profitable.

It is also possible that the global market share of OS X will start to go down as cheaper hardware that does not run OS X becomes more affordable in poorer nations despite Mac market share increasing in developed nations. Which measure of market share matters: Global, NA, Europe, Asia?


Interesting points :)

I would like to point out a few things. One thing to remember is that years ago, every fool and his uncle wanted his malware to spread as widely as possible. When I first started dealing with viruses while working at a public school district in 1990, that's how it was.

Today, the best malware designers do NOT want widespread distribution. Widespread distribution means that you could gain the attention of the security community and your malware could be countered in mere days. Because people make money with malware, especially identity theft (banks info, even online game info), the very best of the worst often employ targeted attacks or spear phishing. So instead of those attacks being countered in a few days, they can go uncovered for months or longer.

Mac OS X is a VERY secure operating system. I love it, I trust it. However, I see holes in it that could be exploited. I sometimes see holes that ARE exploited or exploitable. The holes are not always Apple's fault. Sometimes they are Adobe's fault, or Oracle.

Last, there is a lot of money to be made in security for Windows products. There is almost no money to be made in Mac OS X security. That means that we don't have the "watch dogs" that Windows has. Apple is a horrible company for being up front and honest with its customers but without the 3rd party security companies, sadly they are all we have and that is not good.


Just my observations and opinions. I am a Senior Network Security Analyst at AT&T. Before this, I worked at IBM supporting GM and a few banks so from time to time I come across interesting things.
 
Interesting points :)

I would like to point out a few things...

Widespread distribution is still the goal of most malware. Botnets.

Describe a targeted attack? Targeted attacks on Mac users can be prevented with user knowledge.

The holes being exploited in Mac OS X only provide user level access. Keyloggers that bypass userspace security mechanisms to log protected passwords need system level access.

Apple is security conscious. Open source foundation. TrustedBSD MAC framework. UNIX compliant. Webkit2 (soon). No examples of malware in the wild achieving privilege escalation via exploitation throughout the history of OS X.
 
Widespread distribution is still the goal of most malware. Botnets.

Describe a targeted attack? Targeted attacks on Mac users can be prevented with user knowledge.

The holes being exploited in Mac OS X only provide user level access. Keyloggers that bypass userspace security mechanisms to log protected passwords need system level access.

Apple is security conscious. Open source foundation. TrustedBSD MAC framework. UNIX compliant. Webkit2 (soon). No examples of malware in the wild achieving privilege escalation via exploitation throughout the history of OS X.


Targeted attacks cannot always be avoided with user knowledge. That is very false.

Apple works very hard at security. They are very good at it. They tend to build security into their products from the start. That is all great. They would be the first company in history to be 100%. If you truly think that they are perfect then there is no point continuing this conversation.. stop reading here.

Another person making that claim. A claim that you cannot prove. You cannot prove that there has never been a privilege escalation in the wild. You can only prove that there have been no widely publicized malware releases. A lot of the best malware writers do NOT create malware for wide scale distribution.

Think about it, would you rather create a botnet or steal bank account login information? Creating a botnet will get attention very quickly. In short order it might only work well from places with high degrees of privacy, like China. How do you make money with a botnet? Spam? DDoS attacks? You have to maintain C&C of the botnet, update it, find customers, etc.

On the other hand, selective targeting with exploits could earn you hundreds of thousands in the form of credit card or banking information. And the fewer people that you use it, the less likely the Anti-malware people will catch on. Just a few months ago, someone obtained the banking login credentials from a company and made off with hundreds of thousands of dollars (And the company didn't get it back).
 
Sorry, Penn, but I don't think that statement can be supported. Apple has placed ease of use above security. It essentially makes protection on user accounts worthless when you can just restart the computer with the operating system disk and get an account back if you've forgotten the password. I think Apple should give the user the option of whether they want to enable this option. In reality, most users don't forget their login password and it just enables someone else an easy way to get into your account.
 
Sorry, Penn, but I don't think that statement can be supported. Apple has placed ease of use above security. It essentially makes protection on user accounts worthless when you can just restart the computer with the operating system disk and get an account back if you've forgotten the password. I think Apple should give the user the option of whether they want to enable this option. In reality, most users don't forget their login password and it just enables someone else an easy way to get into your account.

I won't disagree with anything that you have said.

There is always a trade off with ease of use vs security. There are a number of things that Apple should do. Since Apple controls the software and hardware, there should be a full disk encryption option built in. Time Machine backups should be encrypted by default. Apple is not perfect but I do think that they try hard.

Mac OS X is an operating system targeted at consumers. There are commercial operating systems that are far more secure... but not many of us want to use those :)

I would guess that Lion will be better :)
 
Please, do tell us which operating systems are more secure.

I'm sure that you can find some using Google. :)

You often can't run "standard, out of the box" operating systems in secure government environments.

Also remember, a secure operating system enforces strict security by default.

Those OSs have features that are very painful for casual users
 
I'm sure that you can find some using Google. :)

You often can't run "standard, out of the box" operating systems in secure government environments.

Now you are in my lane... I know what I can find (and what I know), my question to you was to back up your comment. Please post them up.

BTW, you will be happy to know that we do, in fact, use out of the box operating systems in the government. There are policies run against them and they are patched up but there is nothing overly different about the OS, they just leverage on the features that already exist in the same OS that you can buy at a store. Stop making things up.
 
You cannot prove that there has never been a privilege escalation in the wild. You can only prove that there have been no widely publicized malware releases.
First, it's important to stick with correct terminology and to quote people accurately and completely when making and refuting claims. No one has said there has never been a privilege escalation in the wild. Re-read munkery's post:
No examples of malware in the wild achieving privilege escalation via exploitation throughout the history of OS X.
A privilege escalation can be achieved by a trojan that a user installs, entering their admin password to escalate privileges, but these are not widespread, because the users have control over whether it spreads or not. As soon as word gets out about a trojan, news media and forums publish information about it, users are alerted and users thwart the threat by adjusting their behavior. A privilege escalation has not been achieved in Mac OS X via virus, which spreads and infects without the user's permission or knowledge.

Are you really naive enough to believe that a Mac OS X virus could exist in the wild without it becoming widely publicized? Perhaps you don't understand the definition of "in the wild", which is clearly defined in the Mac Virus/Malware Info that you see posted in most virus threads:
According to noted computer virus expert Paul Ducklin, in order for a virus to be considered in the wild, "it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users." This definition excludes "proof of concept" code that is used in a testing situation under strictly controlled conditions, and which poses zero threat to average computer users.
With that definition in mind, there is no way that a malware developer can restrict the spread of a virus released into the wild, to keep it from attracting media attention. If a virus is released in the wild, it will spread to enough users that someone will post about it in a forum, or contact AppleCare to get tech support, or tell another user about it, and the word will be out. You couldn't possibly prevent that from happening.
There are commercial operating systems that are far more secure...
Name one. Don't pass it off to Google. Name one.
 
GGJ, once you demonstrate that you actually understand the differences between hardware/software based vulnerabilities for manipulation of functionality of a given system, and show us that you understand how operating systems work (since you apparently know) and what is responsible for exploits in those systems then I will take the comments of what you have said about OS X being generally safe without the need for the user to make it safer seriously instead of just as a "I like Macs" opinion as it falls into currently.

As far as the rest of what you said, repeating a false statement doesn't make it true. Some people cannot verify certain claims because there are justifiable reasons for that being the case: The only thing that matters is that a claim is verifiable and that the claim has been verified. Allowing X to evaluate a given claim if X doesn't need to evaluate it or there is a reason why X should not be evaluating it is merely counterproductive. Furthermore, requiring a source can implicitly be taken to mean that "all X must be able to verify claim C", but the fact remains that not all X CAN verify C, even if they had the same information in regards to the claim at their disposal; furthermore, the inability to evaluate C by some X has no effect on its truth value. This means that providing the information to those Xs which are not in a position to verify C is pointless. In addition to this, it leads to one of two paths: I. Appeal to authority with the further possibility of circular reasoning (as in the example cited); II. Poisoning the well: Phishing for superfluous information with the further possibility of ad hominem and various irrelevant generalizations. If you need to be able to verify C and have the ability to verify C and there is no reason why you should be prohibited from verifying C then you may very well be able to verify C. Regardless of our personal opinion on the matter, the entire argument stated is logically sound.
 
I will take the comments of what you have said about OS X being generally safe without the need for the user to make it safer
Please quote where I said that. If you're going to ascribe a statement to me, do it accurately. Quote, please.
The only thing that matters is that a claim is verifiable and that the claim has been verified.
Prove where your claim about hackers and malware developers has been verified by anyone other than yourself. Until you can demonstrate that, your claim has not been verified.
 
Targeted attacks cannot always be avoided with user knowledge. That is very false.

Provide an example?

You cannot prove that there has never been a privilege escalation in the wild. You can only prove that there have been no widely publicized malware releases. A lot of the best malware writers do NOT create malware for wide scale distribution.

In science, you never prove a hypothesis. What you do is support it with evidence. With enough support the hypothesis becomes a theory. Theories are treated as fact until discredited with an example that shows the theory is incorrect.

Provide a concrete documented example as to why my statements are incorrect?

Think about it, would you rather create a botnet or steal bank account login information?

One of the goals of botnets is to steal credit card information among other things by installing rootkits, such as keyloggers, that bypass user space security mechanisms to be able to log protected passwords.

It essentially makes protection on user accounts worthless when you can just restart the computer with the operating system disk and get an account back if you've forgotten the password.

You can password protect using the OS disk to recover passwords. You can encrypt your data to prevent data exposure in case that password protection is bypassed. This is not set up by default because most users don't need that level of protection. This is a factor that relates to user knowledge.
 
These threads are incredible.

GGJstudios posts the same info all the time and people still do not listen and even have the cheek to ask him to prove what he is backing up regarding viruses in the wild.

It's not his job to prove there isn't. How in the hell do you find something that isn't there? haha
 
These threads are incredible.

GGJstudios posts the same info all the time and people still do not listen and even have the cheek to ask him to prove what he is backing up regarding viruses in the wild.

It's not his job to prove there isn't. How in the hell do you find something that isn't there? haha



Here's my personal and simple philosophy on publicly posting.

Penn Jennings is my real name. I have publicly posted where I work and my profession. I stand behind any and everything that I post. If I can't prove something or back it up, if something is not simple to prove or common knowledge, I don't post it or I post it as my opinion. I have posted my profession because it makes a difference how much you should value my opinion. The medical opinion of a hairdresser is probably not as valuable as a nurse or doctor.

Because these forums are searched by Internet search engines, I'm putting my personal and professional reputation on the line with every post. My name is pretty rare, there is no hiding for me if I post a lot of ********.

I expect a certain degree of responsible posting in public forums. It is hard to respect people that post things that they know that they can't prove, using a crazy user name like Ninja-Chick-752 (or equally anonymous) and without having any real credentials, training or education in the area that they are posting. And let's be honest, any name that starts with "monky" or the like does inspire confidence.

If YOU are going to post a statement of fact, YOU need to be able to back it up somehow. If you can't back it up you need to post it as an opinion unless you are using your personal credentials to back it up.

GGJstudios does post the same thing everywhere and he's been posting it for over a year that I've seen. I can't prove that he is right or wrong. The problem is that HE CAN'T PROVE his own statements. He doesn't even try to back them up. He cannot prove his own statement and he doesn't state who he is or what he does. This is the type of behavior that adds to the "Internet Information Noise"

In all fairness to GGJstudios, I've seen a lot of his posts over the last year, I almost always agree with his statements. I think he's probably a smart guy. I'm not even saying that the content of his statements is wrong. If he can't prove it though, and he can't. He needs to state that this is opinion or state his personal credentials to back it up.

Network Security has been my profession at AT&T and IBM for over 10 years. I do this stuff all day, every day for a living. I'm simply asking him to back up his statements that he puts forth as facts. How is that wrong? I would do the same.
 
Network Security has been my profession at AT&T and IBM for over 10 years. I do this stuff all day, every day for a living. I'm simply asking him to back up his statements that he puts forth as facts. How is that wrong? I would do the same.

and I am asking for you to back yours...

You can read me your resume all day and it won't mean squat to me. I want you to back the comments you have made. GGJ's comments are backed as all you have to do is a quick search to see that there are no active viruses in the wild.

Guess what, I have 17+ years in the industry and I still support what GGJ is posting.
 
I have publicly posted where I work and my profession.
Just because someone chooses to reveal their personal information on a public internet forum doesn't ensure that they know what they're talking about. Even one's profession isn't a guarantee, as I've met more people than I can count over the years who were doctors or chefs or sales people or IT professionals who weren't very good at their jobs. Stating my name and profession or computer experience doesn't make my statements any more or less accurate.
I have posted my profession because it makes a difference how much you should value my opinion.
I haven't stated mine, because I'm not asking anyone to rely on my opinion. I'm not posting opinion; I'm posting facts, which stand on their own and don't need my personal or professional reputation to give them credibility. I have no intention or desire to make this discussion personal, comparing resumes. If I did, there might be some embarrassed people.

As I place a high value on my personal privacy, the only thing I choose to reveal (because I've already revealed it in other posts) is that I wrote my first assembler language program about 40 years ago and spent many, many years maintaining, debugging, optimizing and enhancing mainframe operating systems, long before personal computers were invented. My professional and technical development has progressed continuously from that point forward. One thing I can absolutely guarantee: I don't know it all. I don't pretend to know it all. But I know what I know.
And let's be honest, any name that starts with "monky" or the like does inspire confidence.
The fact that you would let the choice of a forum member name influence your opinion of their posts tells a lot about you. Many intentionally choose names that will protect their personal identities. Not everyone is foolish enough to put all their personal data on Facebook.
GGJstudios does post the same thing everywhere and he's been posting it for over a year that I've seen. I can't prove that he is right or wrong. The problem is that HE CAN'T PROVE his own statements.
As has been stated before, you can't prove a negative. Instead, you disprove it by proving the positive that contradicts it. Yes, I've been posting the same thing for almost 3 years and I have invited anyone to disprove my statements by posting the name of a single Mac OS X virus in the wild. Not a single person has, out of over 200,000 views of these virus threads over the years. Not one. You can't prove the absence of a Mac OS X virus. You can prove the presence of one. In all the world, in all the media, in all the forums, in all the IT department and coffee shop and workplace discussions, not one person anywhere has ever named ONE Mac OS X virus that exists in the wild, because there ARE none. If there were, someone, somewhere would have revealed it by now.
 