Security Through Normalcy
NETWORK Security Podcast #144 (mckeay.net), though generally upbeat on the Mac, included a heavy dose of the “security through obscurity” argument — that the Mac doesn’t have the huge malware problem suffered by Windows users because the Mac has small market share. Choice quotes:
“One of the things we’re trying to counteract is the false sense of security that many [Mac] people have because their platform has not attracted the attention of malware authors. We believe that that false sense of security will end up harming these users, and the users of this platform, more when security threats do arise.” —Dino Dai Zovi
“There has been this assumption that Mac’s been more secure, and even when I first— very early on when I first started getting involved with Macs, I kind-of fell into that, until I started doing the research and digging into the operating system. It seems to me there are a lot of cracks here, particularly compared to what Microsoft’s been focusing on. What would you say [Dino] are some of the main areas that Apple probably needs to work on to improve? That’s part one of the question, and part two is: Do you think that they have enough time to do that before more bad stuff starts hitting?” —Rich Mogull
“So right now, there really aren’t many viruses or online threats to speak of. However, as OS X and Macs gain more market share — as I personally hope they do, because I like them — they will inevitably attract more attention from the cyber criminals. And my concern is that Apple isn’t doing enough to counteract that shift when it does occur.” —Dai Zovi
“Apple still has an opportunity to get ahead if they finish a lot of these anti-exploitation techniques. It doesn’t even need to be as good as Windows, and it doesn’t even need to be as good as Vista or Windows 7, because of the market-share issue ...” —Mogull
“If OS X is not secure enough, [malware authors] can just port a lot of this [malware] infrastructure, and invest it into attacking Macs, and then you’ll get the situation we have on Windows now.” —Dai Zovi
Yup, the experts agree: If not for its minority market share, the Mac would be suffering the same malware agony as Windows. And all the malware authors have to do is switch their attention to the Mac, and that’s exactly what will happen to it — or maybe worse, since it’s more vulnerable than Windows!
But pay careful attention to some other parts of this podcast, and you just might see reason to wonder if the above-illustrated argument really holds up. Reasons to suspect that hackers can’t do to other operating systems what they did to Windows, just by wanting to.
“I usually refer to this as the safety-vs.-security argument. And the best metaphor is leaving your front door unlocked. Depending on where you live— Leaving your front door unlocked is always insecure; someone could always enter your house just by turning the doorknob. However, depending on where you live, this may or may not be safe. At the present time, Mac OS X users are quite safe. There’s very little malware that is targeting them.” —Dai Zovi
Imagine two neighborhoods. One of them is just a normal neighborhood: streets, houses, a couple shopping strips. Nothing special about it.
The other neighborhood is a bizarre jumble of maze-like paths, alleys, and crumbling old buildings, many of them connected together by kludgy, patchwork tunnels. In fact, the whole neighborhood was force-built on top of a pre-existing neighborhood, which itself was force-built over a still older one. And that one was deliberately designed to resemble neighborhood schemes that were outdated then. And very little attempt has been made over the years to rip out and rebuild any significant portions of it.
This jumble neighborhood is very difficult, sometime impossible to successfully patrol. It has a much beefier police presence than the normal neighborhood, including cumbersome, sometimes draconian access gates. Most of the houses have bars over their windows, and nobody leaves their doors unlocked. Still, crime is a much bigger problem in this neighborhood than in the normal neighborhood. Why is that? Do the criminals not want to attack the normal neighborhood? Would they not like the things they could take there, or the mayhem they could cause there? No. They aren’t a problem there because the normal structure of the neighborhood just doesn’t give them much opportunity to engage in crime and keep doing it without being stopped.
Dai Zovi continues:
“And while there is some [Mac] malware, this malware is usually social engineering style, where they try and induce the user into installing a rogue application, and once they install this application, it installs a backdoor in their system, giving the attacker access.”
Recently, a botnet of maybe a few thousand Macs was discovered. At first glance, it seems to confirm exactly what Dai Zovi and Mogull are saying: that as the Mac is getting more popular, malware is starting to move in. But take a closer look and what do you find? It seems that these particular Mac users became infected by downloading pirated copies of popular apps like Photoshop off of file sharing systems like BitTorrent. Exactly as described by Dai Zovi immediately above. So what it actually shows is (1) that malware authors do attack Macs when they can, and (2) that they have success only with the people who not only leave their doors unlocked, but invite well-dressed strangers in for tea. Guess what? There’s no way to protect those people from their own foolish actions. Whatever great security features Microsoft may have implemented, that Apple hasn’t, they aren’t going to stop a Trojan-loaded app downloaded by a naïve user. Dai Zovi came very close to admitting this when he said:
“The big problem is that a lot of the exploit mitigation defenses that other operating systems have — such as what’s called Address Space Layout Randomization, and Non-Executable Memory — Apple has partial implementations of these, and one of the things I show in the book, and I showed in these presentations, is that these partial implementations are actually very trivial to bypass. And their inclusion is almost more of a marketing point than an actual, technical barrier to attack.”
Yeah, it is a marketing point. How do you protect users against naïvely downloading malware directly on to their computer and commanding the OS to execute it? You can’t! Nobody can.
So what do you do about that? Two answers: 1. Warn people against acquiring Photoshop that way, and 2. Recommend that they use a normal OS.
It doesn’t have to be OS X. It could be Linux, for example. (Has Linux experienced the Windows malware nightmare? No, not at all. Did they avoid it via “obscurity?” Hardly! Linux has been very popular in IT departments for about as long as OS X has existed.)
“I’m a huge fan of Macs. I just really hope Apple starts paying more attention to these things, so down the road I don’t have to worry about security like I used to when I was on Windows.” —Mogull
Rich, I think the only thing you really need to worry about is that Microsoft will pull a rabbit out of a hat and find a way to keep everyone locked into their legacy systems forever. And I, for one, am not too worried about that.
If Windows as we’ve known it for the past twenty years ever fades into the sunset — either by being massively overhauled by Microsoft (essentially replacing it with a thoroughly modern OS), or by being beaten out of the market by OS X, Linux, or something else — then the era of rampant malware will simply come to an end. It won’t migrate to OS X. It can’t.
Update 2010.05.02 — Another way of putting it: To be effective, a virus (biological or computer) must be able to multiply faster than it is being removed. For a computer virus, that means that if information about how to easily and completely remove the virus spreads faster than the virus itself, then no significant epidemic can occur.
Update 2010.10.30 — It’s been almost a year and a half since Dai Zovi and Mogull made the above-quoted comments. The Mac is more popular than it’s ever been... Where’s the malware outbreak? I’m not seeing it.
Update 2011.01.20 — Apple’s latest numbers just came out, and they’re better than ever on practically every front. Still no malware outbreak.
Update 2011.05.05 — Ed Bott on ZDNet:
“Why malware for Macs is on its way”
“Oh, the rationalizations people come up with to explain away what they don’t want to hear.”
What about the rationalizations they come up with to explain what they don’t want to know? It’s been months since you wrote this, and I’ve never bought any anti-virus software for any of my Apple hardware. And I’m constantly using the internet. And nothing bad’s happened. So am I, like, magically immune, or what? Ed?
Update 2012.04.05 — OK, just heard that maybe 600,000 Macs are infected with something called the “Flashback trojan.” Big point for Dai Zovi, Mogull, and Bott. But it’s a trojan, not a virus, meaning that to get infected, you have to download a suspect executable (app) and intentionally launch it. And I’m not seeing any word that this thing is hard to detect or hard to remove.
Update 2012.04.10 — According to Mogull, Flashback doesn’t need you to intentionally run an app, just visit a website that is rigged to install Flashback on your Mac. But, also according to Mogull:
- You’re immune from infection if you have Apple’s latest Java update on your Mac (available through the Software Update feature in your Mac’s dock), or if you have Java turned off.
- The presence of Flashback can be easily detected without any special security software.
- Flashback can be easily removed (Mogull links to step-by-step instructions) without any special security software.
Update 2012.04.18 — A new Mac trojan has been discovered; this one spreads via an infected Microsoft Word file. Since I don’t have Microsoft Word on my Mac, I am apparently immune.
Update 2016.03.07 — First-ever, in-the-wild, Mac ransomware has appeared, but reached no more than about 6,500 Macs before Apple informed OS X to block the infected app. Even before then, it couldn’t touch you if you didn’t use a now-obsolete version of the BitTorrent client “Transmission” (which I had never heard of until now). No word that anyone actually got their data scrambled.
Update 2017.02.09 — Mac hit with another malware that depends entirely on Microsoft Word’s macro feature. Again, since I don’t have Word on my Mac, I am totally immune.
Update 2017.02.28 — ESET anti-virus for Mac found to have a vulnerability that potentially can grant root access to malware. Since I have never installed ESET (or any other anti-virus software) on my Mac, I am fully immune.
Update 2017.05.05 — “Snake” malware, which originated on Windows, now appears on Mac, disguised as an Adobe Flash installer. Wouldn’t you know it — I don’t used Flash. So I’m immune.
See also:
Malware Isn’t About Total Control
&
Security Through Normalcy
&
Security Through Obscurity Redux — The Best of Both Worlds
&
Basic Reproduction Number