[ISN] For Mac Users, the End of Innocence

From: InfoSec News (isnat_private)
Date: Tue May 01 2001 - 16:35:25 PDT

    By Alex Salkever
    May 1, 2001
    OS X's heavy reliance on Unix makes Macs tempting potential targets
    for hackers and viruses. It's a threat Apple must do more to head off.

    Time was, malicious hackers ignored Macintosh users. The MacHeads were
    few in number, and breaking into their machines was generally a
    thankless endeavor. Macs didn't run at all like ubiquitous Windows or
    Unix machines, and they were far less useful in hacking exploits. No
    one launched distributed-denial-of-service (DDOS) attacks that bury
    Web servers under avalanches of spurious queries off the backs of
    hacked Macs.
    So, where security was concerned, Apple users enjoyed a free ride.
    Same with virus attacks. Mac users avoided the carnage of the I Love
    You virus in May, 2000. Nor did they have to worry about nasty
    Trojan-horse attacks, such as the SubSeven variety that could give
    hackers remote control of a computer. Mac users lived in a digital
    Garden of Eden, a simpler place free of serpents.
    But with the coming of OS X, Steve Jobs has led Mac users out of that
    land of innocence. The software heart of Apple's newest operating
    system is a derivative of the basic Unix OS developed long ago at AT&T
    Labs. As such, it's more similar to the operating software that powers
    Sun Microsystems workstations, IBM mainframes, and VA Linux servers
    than it is to previous Mac operating systems. And here's the danger:
    Cybercrooks, who love to hack these types of machines, could easily
    develop a taste for Apples. Thanks to OS X, Macs have become easier to
    penetrate with standard hacking tools -- and also more useful for
    launching extended and potentially damaging hack attacks.
    To be sure, hackers have yet to bite into OS X. As yet, no one has
    spotted any alarming spikes in vulnerabilities reported to the
    federally funded CERT Response Center, which flags computer-security
    threats, and by private security groups. And since few big companies
    use Macs to run their enterprise networks, the guts of most remain
    That said, OS X is so new and, so far, so little used that it's simply
    too early to say that the hackers just aren't interested. While there
    is not much glory for the hacker who brings down the network of a
    four-person design shop, the fact remains that Macs could now be
    hijacked to participate in DDOS attacks or break into connections on
    other Unix machines. Moreover, Mac users could well end up being
    vulnerable to viruses. Finally, media companies still use lots of Macs
    for everything from design to advertising. Combine all this with Unix,
    and that could prove an irresistible temptation to malicious hackers,
    who just love to mess with the press. (Witness the numerous hacks of
    The New York Times' Web site.)
    That means Apple users now have to consider all the security issues
    that come with operating in a Unix world. Too bad Apple hasn't figured
    this out yet. Steve Jobs proudly boasts Apple will soon be the largest
    seller of Unix-based operating systems in the world due to the
    expected widespread adoption of OS X. But the company has yet to take
    basic steps to set up the kinds of monitoring-and-reporting systems
    needed to ensure continued security for Mac users. "OS X has the
    potential of being one of the biggest security liabilities on the
    Internet," says Preston Norvell, a network-security expert and member
    of the professional group Macsecurity.org.
    To be fair, OS X is probably more secure than the previous Mac
    operating systems that remained hack-free due to isolation rather than
    secure software design. Apple chose to build OS X atop a relatively
    secure Unix platform called Free BSD (Berkeley System Distribution).
    And the company has done some good things to protect its users. For
    example, it's the first consumer OS with a firewall built right into
    the software core. Plus, Apple has shipped OS X with many of the Unix
    functions that can be security risks switched off. "Apple's done a
    decent job of out-of-the-box security in OS X for a first go-round,"
    Norvell says.
    But the nature of threats facing Unix machines is far more dynamic
    than those that confronted Mac OS users in the past. On an almost
    daily basis, warnings about new Unix vulnerabilities emerge from CERT
    and various security firms. These alarms generally elicit a prompt
    reply from software vendors. But thus far, Apple has shown little
    inclination to build a systematic response-and-evaluation effort to
    ensure that OS X users know what they need to worry about.
    For starters, there's no security destination for OS X users on
    Apple's Web site. Nor does Apple operate a security mailing list to
    notify users of potential weaknesses and patches they could apply to
    lock down their systems. Microsoft, Sun, and Red Hat all maintain
    security mailing lists and security destinations.
    Apple also has failed to provide a way for programmers or others to
    notify the company of new security flaws. "There is currently no known
    e-mail address, or drop box of any sort, to notify Apple of a
    potential or confirmed security problem in any of their products,"
    Norvell says. That isolates the best source of information about new
    security leaks: Apple's customers.
    Furthermore, Apple hasn't shown any indication that it has assigned
    dedicated staff to tackle security issues and writing patches. A key
    component of security for any serious OS is a team of experienced code
    writers that can quickly evaluate threats, assess the damage
    potential, and inform customers. Such a dedicated response team is
    particularly crucial with Unix products.
    Here's why: Due to the underlying similarity of all Unix systems, a
    vulnerability in one type of Unix system can often be used to compromise
    another. That means security engineers must scramble to ensure that
    Unix problems announced on one platform won't prove hazardous to
    others. This is the way the CERT notification system has worked until
    now, and it has depended on software vendors investigating reports in
    a timely manner. That's tough to do without a dedicated security

    "STEP UP."

    "In any situation where a security hole is found that affects general
    Unix services, it is relatively likely that it will affect OS X," says
    Adam Engst, editor of the popular Mac newsletter Tidbits. "The problem
    is that Apple has to step up to the plate and take the lead in
    informing users about the security issues."
    Apple claims it's committed to the security of its users. The company
    refused to comment specifically for this article but did release a
    statement: "Apple is very conservative in setting up secure solutions
    for our customers by default. In addition, we actively participate
    with industry advisories, such as CERT, to quickly provide our
    customers solutions to any emerging security issues as they arise."
    But according to Norvell, Engst, and others, Apple has been slow to
    respond to CERT advisories, often taking months to patch big holes.
    And Apple has so far failed to respond to the first CERT advisory,
    released on Apr. 10, that could affect OS X -- a warning about a flaw
    in the Free BSD software platform that was used to develop the
    operating system.
    That's symptomatic of a largely secretive Apple culture, which is
    still coming to grips with its shift into the far more transparent
    Unix world. This head-in-the-sand approach seems to be coming from the
    top down. "At the OS X launch, when I asked Steve Jobs about security
    issues, he gave me the total hand wave," recalls one concerned Apple
    software developer.
    Apple may well hire dedicated security engineers in short order,
    setting up e-mail bulletins and building an easy-to-use security site
    -- just as Bill Gates has done. And Mac users might also find a
    treatise on how to secure new OS X machines tucked into their product
    literature. But neither of those developments has happened yet. Until
    they do, Steve Jobs is leading what could be millions of new users out
    of the garden and into a den of possible serpents.
    ISN is hosted by SecurityFocus.com