Thursday, January 31, 2013

The Mac Security Myth

You know that feeling you get when someone declares something so boldly that you know is absolutely wrong? It's that moment when you process what they said and an internal struggle begins over whether or not to correct them. With kids it's easy; you correct them. With adults it's harder, because there's that whole pride and sensitivities thing involved. In that moment a feeling begins which blends sympathy, "oh man, they have no idea what they are talking about," with the driving need to show your knowledge. Your brain calls for instruction on how to respond: smile or correct. I was recently on the receiving end of this when I pronounced a medical condition of mine to a friend who is a doctor. He's decided that smiling at people when they are wrong doesn't help them, and so he proceeded to correct my terminology.

And so in honor of standing up for what is true, Mac users, I have bad news.

The cringe moment I described above is triggered for me when I hear people say something like, "I don't have to worry about cyber threats because I use a Mac and Macs are secure." As someone who has been practicing cyber defense and threat analysis for over a decade, I can't help but cry a little inside when I hear that. Another common one comes when someone who uses a Microsoft Windows based system complains to their Apple-wielding friend about an infection. Their Apple buddy retorts with something like, "You should switch to a Mac so you can't get infected. There aren't any viruses for Macs."

<insert cringe/pucker face here>

While this misconception is perpetuated among uninformed Apple fans, Apple themselves have done an incredible injustice to their consumers by stoking these false assumptions through their marketing campaigns and their reluctance to discuss the subject in public. I recall a commercial that ran for a while within the "I'm a Mac, and I'm a PC" series where the PC becomes infected and the Mac says something like "I don't have to worry about that." Sorry, that's wrong. Let me burst your bubble with some hard facts:

Apple Malware Exists in Spades

Security research firm and services provider SOPHOS revealed in their report, "Security Threats in 2013," that they detected on average 4,900 Mac based malware infections per month last year. Ironically, the majority of these are types of fake anti-virus software. So people who don't think they need to secure their Mac because there are no viruses are being duped into installing fake AV. In 2012 the Flashback malware, which uniquely targeted Macs, gained public notoriety and is expected to have infected more than 700,000 Macs worldwide. With numbers like that, one can hardly claim that so-called viruses are only a PC problem. Perhaps it's a matter of defining what the word "is" is, as former president Bill Clinton became notorious for saying.

4,900 Mac malware detections per month in 2012 by one security firm alone!!

Coincidentally, this week Apple released an update to their iOS (version 6.1) which fixed 27 significant vulnerabilities in their mobile operating system, 20 of which can be leveraged by an attacker to execute code remotely on your Apple device. Considering that iOS 6.0 was released in September 2012, your precious Apple device has been sitting there vulnerable for over three months. Has anyone been taking advantage of these vulnerabilities on your device? If you believe there's no security problem, then you probably don't have detection and prevention software like AntiVirus or AntiMalware installed, and so you simply don't know if you are a victim or not. Ignorance is bliss, right?

Ever heard of jail-breaking your iPhone? That is malware at its finest. Yes, it's a root level exploit which takes control of the entire system and changes core functions (including security mechanisms), allowing users to run and integrate features otherwise prevented. That's hacking.

Apple is Slow to Patch Vulnerabilities

More bad news. The weakness exploited by the Flashback malware was reported 9 months before massive outbreaks became public knowledge. Microsoft released patches in mid-February 2012, while massive outbreaks spread among Mac users through March, and Apple finally released an update in late April. That is horrendous.

One of the fixes released this week by Apple addresses a vulnerability announced in 2011, while another removes fraudulent Google certificates issued in December by the TURKTRUST root certificate authority. Certificates are used by your browser to validate that it has connected to the correct servers when you browse the Internet. This prevents someone from putting up a fake website (or any other website) without your browser knowing it and warning or stopping you. However, if someone can send your browser a fake certificate issued through a root certificate authority like TURKTRUST, one that matches their fake website, then when you browse on over to the fake site (say to check your Gmail or Google Plus or any other Google service), you'll land on that fake site and enter your data, trusting it is in the hands it should be. Iran used this tactic in 2012 to identify all political dissidents in the country who were using Gmail to communicate with outsiders via the Internet. In the case of the TURKTRUST mishap, Google issued a warning the same day and Microsoft issued fixes that week. Apple took over a month!
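The mis-issued-certificate problem described above, as a toy model added here (not code from the original post): a minimal chain validator with a trust store and a block list, showing why a certificate signed under a trusted root passes and how a vendor update that distrusts the rogue certificate stops it. The certificate records, the issuer names "Rogue Intermediate" and "Legit Root", the keys, and the HMAC stand-in for CA signatures are all constructed for illustration, not real X.509 data or the actual TURKTRUST certificates.

```python
import hashlib
import hmac
from fnmatch import fnmatch
# Constructed issuer keys; HMAC stands in for a real CA signature (a browser
# would hold only the public half, this toy verifier holds the key itself).
ISSUER_KEYS = {"TURKTRUST Root": b"constructed-turktrust-key",
               "Rogue Intermediate": b"constructed-rogue-key",
               "Legit Root": b"constructed-legit-root-key"}

def _sign(issuer, body):
    msg = repr(sorted(body.items())).encode()
    return hmac.new(ISSUER_KEYS[issuer], msg, hashlib.sha256).hexdigest()

def make_cert(subject, issuer, is_ca=False):
    body = {"subject": subject, "issuer": issuer, "ca": is_ca}
    return {**body, "sig": _sign(issuer, body)}

def _sig_ok(c):
    body = {k: v for k, v in c.items() if k != "sig"}
    return hmac.compare_digest(c["sig"], _sign(c["issuer"], body))

def validate(host, chain, trusted_roots, blocked=frozenset()):
    """chain = [leaf, intermediate, ...]; its last issuer must be a trusted root."""
    if not fnmatch(host, chain[0]["subject"]):
        return False, "name mismatch"
    for i, c in enumerate(chain):
        if c["subject"] in blocked:
            return False, "blocked: " + c["subject"]
        if not _sig_ok(c):
            return False, "bad signature on " + c["subject"]
        if i > 0 and not c["ca"]:
            return False, c["subject"] + " is not a CA"
        if i + 1 < len(chain) and chain[i + 1]["subject"] != c["issuer"]:
            return False, "broken chain at " + c["subject"]
    if chain[-1]["issuer"] not in trusted_roots:
        return False, "untrusted root " + chain[-1]["issuer"]
    return True, "ok"

# Constructed scenario: a CA certificate wrongly issued under a root every
# client trusts, then used to sign a certificate for *.google.com.
ROOTS = {"TURKTRUST Root", "Legit Root"}
rogue_ca = make_cert("Rogue Intermediate", "TURKTRUST Root", is_ca=True)
fake_google = make_cert("*.google.com", "Rogue Intermediate")
real_google = make_cert("*.google.com", "Legit Root")

def before_fix():  # what a client saw before the vendor update: accepted
    return validate("mail.google.com", [fake_google, rogue_ca], ROOTS)

def after_fix():  # the update distrusts the mis-issued CA; legit cert still works
    blocked = {"Rogue Intermediate"}
    return (validate("mail.google.com", [fake_google, rogue_ca], ROOTS, blocked),
            validate("mail.google.com", [real_google], ROOTS, blocked))
```

Until the client's trust store is updated, nothing in the chain check distinguishes the rogue leaf from a real one, which is exactly why the patch delay matters.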

This shows a significant risk imposed on Apple users by their slow-to-patch response. Even still, because Apple has perpetuated this myth that they are inherently secure, users may not even worry about installing updates and patches, leaving them exposed for even longer periods of time.

Ok, so I've hopefully broken two false assumptions so far: yes, there is Mac malware, and yes, your Mac does have security weaknesses. You might be asking yourself, but is it more secure than Windows? That's not an easy question to answer, but I'll try.

False Sense of Security

Apple has long benefited from what we in industry call security through obscurity. That means they are secure because they are insignificant. They are insignificant (in number of users) and so they aren't targeted. It's like saying that in a group of 50 people you are safe because there are plenty of other targets around you. It has nothing to do with your actual state of personal security. There is some truth to that. While the modern adversary can be quite sophisticated, they are also in many ways like us. They need a strong return on investment and focus on the path of least resistance. Their target surface has some common attributes. The vast majority of computers in the world run a Microsoft operating system. If an adversary can create one new form of malware that affects 99% of their target victims, then that's where they are going to focus their effort. Even better, if they can find a flaw in an application used by both platforms (say JAVA), then they cover everyone. Still, they focus on Windows because the majority of computers out there are Windows based. This approach to security works as long as you remain background noise. The moment you become an object of interest, it's game over. Creating Mac-targeting malware is also a trivial task. I've heard some people claim that it's easy for hackers to create Windows malware because Windows is so full of "holes" but Mac malware is hard to create. That's simply nonsense. More and more we in the researcher community are seeing simultaneous releases of new malware that affects multiple platforms: Windows and OS X.

The tide is already changing. Apple's popularity, thanks to their cool looks and "i" line of products (iMac, iPhone, iPods, and iPads), is drawing more users away from Microsoft, thus reducing the shadow they've hidden behind for all these years. They are becoming a larger target for the adversary. SOPHOS reports that among companies surveyed, 52% plan on issuing more Macs to employees in 2013. The move away from Apple's proprietary hardware into the Intel common hardware market also means virtualizing Intel based software no longer requires trading performance for style. Now you can get both. Now you can run Windows on your Mac without much performance difference. This means the Mac is becoming more popular, and actually viable for most users, including the enterprise. The most sophisticated malware out there starts in the government and enterprise world, then moves public. As enterprises adopt Apple, the adversary will shift their attention and develop new capabilities unique to that platform, which will make their way to the public very quickly. This isn't a prediction, it's happening.

This trend is proving itself as multiple reports showed significant increases in unique Mac malware released in 2012. As the pendulum swings, so does the adversaries' attention. Fortunately for iOS users, the Android open app development environment is still too tempting to leave, so I think the adversary will stay there for a while. But that's not the case for OS X.

Without repeating too much of what I wrote in a previous article, the primary flaw in cybersecurity is you. Adversaries know this, and so they use tactics which exploit you, or mostly your inherent trust in the Internet and your own computing device. Their primary paths of entry into your computer are your email inbox and your web browser. Again, as I previously documented in a past article, Safari (Apple's web browser) has significant security gaps just as IE does. Also, as mentioned before, the primary method of exploiting a computer via the browser is to use a vulnerability in a third-party application like JAVA. Since both Windows and OS X use a third-party provider (Adobe) to supply them JAVA, they are both vulnerable to weaknesses in JAVA.

Yes, OS X does include some features to prevent administrative functions from automatically executing (this was their primary claim to security for a long time), but so does Windows as of version 7. Because most malware requires the ability to make system level changes to persist, this prevention mechanism can be effective (when the malware doesn't evade it by using an application which already has hooks into administrative level tasks). It used to be that Windows users were by default system administrators, making it easier for malware to establish a foothold. Windows 7 changed this and added the security feature of monitoring all running processes and warning you whenever one attempts an administrative function. Apple was also early to incorporate network access controls into their platforms, but Microsoft's inclusion of the Windows firewall has met this capability as well. They are competitors after all.

Since the primary threat vectors are the same, and the target is the same (you), and the primary defense is the same, what then is left? Patching and application control. It's about ensuring your system and applications are not vulnerable, and monitoring those applications for abuse or malicious behavior. Those two areas are strengths of Microsoft, and significant weaknesses of Apple. Again, because Windows is so widely used, the number of available applications far exceeds those available for OS X. This means, by nature, there are more possible points of vulnerability to control. Security through obscurity.

You can't exploit what isn't vulnerable, and patches fix vulnerabilities. I hear people moan and groan all the time about the weekly patches from Microsoft. The IT world lovingly refers to this weekly event as "Patch Tuesday." However, if a critical flaw is discovered in Windows or an associated application, at least we know we only have to worry until Tuesday. Apple is notoriously slow at releasing security updates, sometimes taking several months. They have no defined or regular patch cycle. Updates are released as Apple gets around to it. Microsoft was forced into this rapid pace of releasing updates through user pressure. No such pressure exists for Apple, because a) use is still really low and b) they perpetuate the idea that Macs are inherently safe. Being a minority in a market means you are shielded by the majority. It's that simple. Microsoft takes the brunt because they are the biggest and have more users.

Then there's application control, which is mostly administered through AntiVirus or AntiMalware products in the public market. Windows users are well accustomed to needing and using AV, and the AV market is mature in terms of effective products. If you believe you don't have a malware problem, then you probably aren't running any sort of AntiMalware software on your Mac. This means you have no way to stop malware from running, or of knowing if it exists, except through the native Apple permissions control feature. This feature warns you and prompts for an administrator password when system changes are being made (or an application is attempting to make them). If you are relying on this, then you are assuming the malware hasn't bypassed that mechanism and that you know, every time you enter your password, exactly what that application is doing in the background. You have no idea if that file you opened contains malware... all you know is you needed to enter your password to open it.

Secret Society

Apple is very secretive and closed. As a fond user of the Apple TV and iPad, I'm often frustrated by their policies, which control content and apps so strictly. For example, I can't stream my Amazon cloud content through my Apple TV because Apple won't let Amazon develop an app without promising a certain level of revenue sharing. Same goes for the Amazon Kindle app; you can no longer buy books directly through the app. They are also very quiet on releasing new products and product updates. They develop in secret and closely control what is allowed on their products. I thought Microsoft was sued over this a few years ago... oh yeah, they were. This secretive approach permeates everything they do... including security.

Maintaining their image of a secure platform is mission critical for Apple.

However, they are noticeably absent in the world of threat information exchanges and cybersecurity conferences. In 2012 I attended the annual Black Hat conference in Las Vegas, where security researchers (good guys and bad guys) come together to present new ideas and findings. Microsoft was there in a big way, talking about security and reaching out to the researcher community to promote an open dialog. Apple was absent. This is a common scene at every security conference I've been to over the past 12 years. Wherever cybersecurity is being discussed, Microsoft is there and Apple is a no show. They simply don't talk about security in public. This makes them even more prone to weaknesses and exploitation. In the world of intelligence sharing, there is a balance between divulging information which can aid or expose the adversary and divulging information to aid the defenders. Apple doesn't participate in this exchange very well. Once an adversary's tools are exposed, the game's up: everyone defends. Apple, however, suppresses notifications, which means the adversary (as in the case of Flashback) has a long time to wreak havoc on their targets. Once Apple is forced into the public light (as with Flashback), they suddenly respond.

This lack of visibility also means no accountability. If Microsoft knows about a vulnerability, and the public knows, then all users (government, commercial and consumer) put on the pressure. If no one knows about an Apple flaw, then there's no pressure. If Apple is made aware, but the public isn't, then there is no accountability. Works well for them, not so well for us.


For these reasons (slow patching, false claims of security, real threats, and detachment), I believe Apple products are less secure than their Microsoft counterparts. More specifically, I believe Apple users are at greater risk than are Microsoft users.

The key is of course practicing smart Internet use. Don't panic and switch back. Don't dump that investment. But do get yourself a quality AntiVirus or AntiMalware solution for that Mac, check for updates regularly, and be careful with web browsing and email.

Just please, for the love of Pete, don't go buy a Mac simply because you think it's more secure. You won't be.
