2/17/2006

We’ve Joined The Big Leagues!

Uncle Andrew
Filed under: @ 8:52 am

The first wild-caught Mac OS X trojan was identified this week.

It’s a lame, seemingly useless trojan that must be actively installed by the user by entering their password into an install window, whose only purpose in life is to self-propagate via iChat, and only harms your computer because it’s so poorly written that it accidentally corrupts the applications it hooks to, but hey, it’s our first. Give it a little time to mature, whydontcha.

And this certainly isn’t the only security breach for OS X. Hell it isn’t the only one this week. In addition to the attack against the University of Arizona Journalism Department Mac network, there’s the recent incident at ShmooCon. Macs are getting hacked all the time, through a combination of persistence, ingenuity and bad practices on the part of uninformed users. And yes, security vulnerabilities in the OS itself.

Look, there’s only one kind of person out there who really, truly believes that OS X is invulnerable to attack: complete, soaking-wet n00bs that have fallen for the idea foisted upon them by the industry that a computer is just another household appliance, like a toaster. The kind of person who has no idea what drives the processes that make their computer work, and has no interest in learning. In short, the kind of person who, up to a few scant years ago, would have been summarily labeled a Mac user.

But ever since the rollout of Windows 95, PC users have been able to join their Mac brethren in an ever-expanding cone of ignorance regarding the inner workings of their machines. Making the personal computer easier to use has, by default, made it easier to fail to understand. Which makes individual computers and the computer technosphere as a whole more vulnerable to attack by those who do understand.

I’m no computer security expert. I am, at the very best, an inspired computer security amateur. I run firewall, NIDS, antivirus and anti-spyware software on my home network; I can fire up the Activity Monitor (Mac) or Task Manager (Windows) and look at what applications and processes are running; I can take suspicious-looking processes and look up their names on the Web; I can kill processes that seem to be causing me problems from a terminal window if need be; and I regularly scour the more popular tech Web sites for news of viruses, trojans and sploits that may affect myself and my employer. I consider this to be the minimum that someone in my position—home Web and game servers, sensitive work-related documents, two housemates who, in the words of one of them, are “like an old Amish man trying to work a cotton candy machine” when it comes to computer skills—should be expected to handle. If you can’t safely operate the equipment, find something else to do with your time.
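The process check described above (look at what is running, pick out names you do not recognise, look them up before killing anything) becomes repeatable if you keep a baseline of process names from a day the machine was known to be clean and diff the live list against it. The script below is an added example, not code from the original post; it uses only POSIX ps, sed, sort and awk, so it runs on both the Mac and Linux boxes mentioned, and the baseline and snapshot names inside demo_unknown_processes are constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example: report running process names that are not in a known-good
# baseline. Save a baseline once on a clean system, then run this regularly.
# The file name check_processes.sh used in the comments is an assumption.

# Print the command names of all running processes, one per line, sorted and
# de-duplicated. `ps -A -o comm=` is POSIX; on macOS comm may be a full path,
# so the directory part is stripped.
snapshot_processes() {
    ps -A -o comm= | sed 's#.*/##' | sort -u
}

# unknown_processes BASELINE_FILE  (snapshot on stdin, one name per line)
# Prints each name from stdin that does not appear in BASELINE_FILE, in the
# order first seen, without repeats. Names are compared exactly, so a
# renamed or look-alike binary still shows up as unknown.
unknown_processes() {
    awk -v b="$1" '
        FILENAME == b { known[$0] = 1; next }   # first pass: load baseline
        !($0 in known) && !seen[$0]++          # second pass: report new names
    ' "$1" -
}

# Constructed sample (not a real capture): a baseline of four names and a
# snapshot containing two names that are not in it, one of them twice.
demo_unknown_processes() {
    tmp="${TMPDIR:-/tmp}/baseline.$$"
    printf 'launchd\nsshd\nFinder\nSafari\n' > "$tmp"
    printf 'launchd\nsshd\nSafari\nunknownd\nhelper_x\nunknownd\n' \
        | unknown_processes "$tmp"
    rm -f "$tmp"
}

# Usage: sh check_processes.sh BASELINE_FILE
# Create the baseline first with:  sh -c '. ./check_processes.sh; snapshot_processes' > baseline.txt
# With no argument nothing runs, so the functions can be sourced.
if [ -n "${1:-}" ]; then
    snapshot_processes | unknown_processes "$1"
fi
```

A name that appears in the output is exactly the kind of thing the post suggests looking up on the Web before reaching for kill; an empty output on a machine whose baseline is current is the cheap "nothing new is running" check.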

But I know more than a few people who could sail through my firewall like Gouda through a goose, steal my files, poison my wells, rape my horses and leave me nothing but a quivering husk of my former virtual self.

That having been said, I don’t think I’m going out on a limb here when I say that the only person more susceptible to exploitation by technological black hats than an uninformed computer user is an uninformed Windows user. A clueless Mac user is protected by a mixture of elevated security (permissions-based Unix operating system) and obscurity (ten percent market share, give or take). By comparison, a clueless Windows user is like a plump sparrow chirping away in the middle of a suburban lawn, with only a long-expired OEM copy of Norton Antivirus to shield him/her from neighborhood cats. As for a clueless Linux user—well, first of all, such a beast is much thinner on the ground than either of the previous two, due to the relatively complex nature of installation, configuration and upkeep of Linux distros. (Yes, yes, I know, many wonderful distros out there, commercially-available CD installers, tech support and everything, yes indeed, good for you, mazel tov. Until I see HP Pavilions with Ubuntu preloaded available at my local Best Buy, I maintain that Linux will remain chiefly the domain of wireheads.) Secondly, the same overall Unix-based structural security that helps to protect OS X works to the benefit of Linux users as well.

The point I’m trying to make is that, while no operating system is immune to security threats, *nix operating systems are largely exempted from the kind of widely-distributed, largely automated attacks that flood the ether(net) around us. A Mac is susceptible to memory attacks, to ARP and DNS poisoning, to shell attacks, to application-specific buffer overflow security holes. A Mac network can be firewalked as easily as a PC network, and polymorphic shell code can be executed as easily on a network device hosting a bunch of Macs as on any other computer. PPTP tunnels can be intercepted and their contents decrypted, WEP and WPA wireless networks can be hacked and their traffic analyzed.

But an appreciable percentage of the attacks that can be conveniently leveraged against *nix systems have to do with infiltrating networks and intercepting useful information. Even the overhyped ShmooCon incident seems to have been more about cracking some passwords and taking over the computer via legitimate channels, rather than an exploitable security vulnerability in the OS itself. Not like visiting the wrong Web site via Internet Explorer on a Windows machine and having persistent windows advertising cut-rate Segways—or infinitely worse, a keystroke logger—installed on your computer via ActiveX. Or hooking your trusty Windows 2000 box to your new cable modem and having it pwn3d inside four minutes. Or watching wave upon wave of IIS-specific buffer-overflow attacks crash against the shores of my httpd access log.

Like sex since the 80’s, there’s no such thing as a safe computer, only safer. Bearing this in mind, I’m glad my primary platform of choice is safer than the mainstream alternative.

UPDATE: I spoke too soon: Apple’s Web browser just came up vulnerable to a serious-ass exploit. Oops. 😳 Criminy, Apple!

2 Responses to “We’ve Joined The Big Leagues!”

  1. Joe Says:

    I find one fault with your assessment of the safety of a nix-based OS. While it is true that far fewer nix machines are on people’s desktops the same is not true of the server world. The internet runs on nix machines. Nix machines are so important to the internet that Microsoft had to create a down-market version of Windows Server to compete against free nix OS’s for the basic web hosting market. What’s more, on any network where there is a server, the likelihood is that any data worth stealing is located on that server. So while the number of nix machines is relatively small, their value as targets is often quite high. As a result, running a nix-based OS doesn’t in itself move the target off your chest.

  2. Uncle Andrew Says:

    No, you’re right, but those X machines that are targeted are primarily targeted intentionally and with forethought by seasoned hackers, not as part of some sort of widely cast script-kiddie net. I’m not talking about machines that are known or assumed to contain valuable data, and are therefore points of interest for people willing to put in the effort to hack them. But (not all but) many of the easily-concocted, automated attacks that can be levelled against Windows users simply cannot be used against the Unix operating system. So the home user ends up in a doubly fortuitous situation, where his/her computer is neither as easy to infiltrate as a Windows box nor of sufficient potential value to make it worth the effort to attack in a more meaningful way.


All portions of this site are © Andrew Lenzer, all rights reserved, unless otherwise noted.