Slashdot Mirror


Do Macs Have an Edge Against APTs?

itwbennett writes "Macs aren't being hit with advanced persistent threat (APT) attacks, but that doesn't mean they're invulnerable, say researchers at iSec Partners. Speaking at the Black Hat conference in Las Vegas Wednesday, iSec founder Alex Stamos and his team of researchers took a look at the typical stages of an APT attack — and compared how the Mac would do versus Windows 7. Their conclusion: Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it's a whole different story. 'They're pretty good for [protecting from] remote exploitation,' Stamos said. '[But] once you install OS X server you're toast.'"

22 of 210 comments

  1. Here We Go Again ... by WrongSizeGlass · · Score: 2, Insightful

    Wash. Rinse. Repeat.

    Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly. Windows, including Windows 7, is still more prevalent and more vulnerable.

    How many times are we going to get the same stories? If the user is willing to do anything the app or website tells them to, well, you can't protect them.

    1. Re:Here We Go Again ... by EreIamJH · · Score: 3, Insightful

      Wash. Rinse. Repeat. Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly.

      I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago - there was plenty of malware for Amigas and Ataris, even though their numbers were measured in thousands rather than millions.

    2. Re:Here We Go Again ... by Jerry · · Score: 2, Interesting

      Apparently you've never read about James Plamondon and his "Technical Evangelists". The Comes-3096.pdf is a collection of his training manuals and describes "The Slog", and a real jewel you'll love called "The Stacked Panel". Then, I suppose, you've forgotten about the stuffed ISO committees, or the scam which gave expensive laptops to journalists in exchange for favorable stories about Vista?

      When his "work" was revealed in the Comes vs. Microsoft trial Plamondon did a mea culpa, and now decries the tactics he used to help Microsoft establish market dominance. Too little, too late.

      --

      Running with Linux for over 20 years!

    3. Re:Here We Go Again ... by Jerry · · Score: 2, Insightful

      Two points:

      1) That old saw about Microsoft being vulnerable because of its market share is hogwash. There were over 3 million viruses and Trojans released last year. Were it a simple matter of market share percentages then about 12% of those would be Linux viruses and another 10-15% would be Mac viruses. But, they are not. Well over 99% of them are Windows viruses. Only 19% of Internet web servers are running Windows but they are the source of essentially all malware.

      2) Blaming Windows users for security holes that Microsoft keeps secret from them is worse than obscene. It's fanboyism to the extreme.

      That 4,300,000 Windows zombie bot farm discovered last year wasn't all Windows because they were hard to break into, and the handful of command & control computers weren't Linux and Mac because they are easy to break into.

      --

      Running with Linux for over 20 years!

    4. Re:Here We Go Again ... by Gadget_Guy · · Score: 3, Insightful

      Do you have any evidence to suggest that Microsoft is behind this story in some way? Any at all?

      Apparently you've never read about James Plamondon and his "Technical Evangelists".

      So the answer is no then.

      Surely attempting to demean a study and its researchers by alluding to bad things done by a completely separate group of individuals (without any evidence linking the two) is exactly the kind of behaviour (of Plamondon) that you are decrying. The fact that Microsoft had technical evangelists does not mean that the opposition's products are without criticism, nor that such criticism will be sponsored by Microsoft. I have yet to see any indication that Robert McMillan or iSec Partners are shills for any company.

    5. Re:Here We Go Again ... by jc42 · · Score: 3, Insightful

      The article seems unlikely to be MS propaganda. Note that the writer quotes that one investigator (Rob Lee) as saying that he's never seen a compromised Mac, and he advises his clients to replace their compromised MS-Windows machines with Macs to prevent re-infection. Would a MS-paid writer be likely to put such suggestions in their article?

      This does bring up a curious aspect of the "logic" behind all the claims that poor little MS is being picked on because it's so popular. If this were true, you'd think that a sensible person would simply refuse to buy anything with a MS logo. True, if you buy a Mac or Ubuntu or whatever rather than Windows, your machine might be attacked sometime in the remote future. But, since we "know" that no commercial systems are totally secure, it would make sense to choose a system that might be attacked in the far future over one that you know will be attacked repeatedly on the first day and probably compromised in the near future. You don't need to know the technical reason for this; you just need to be sensible enough to trade likely near-future failures for possible far-future failures.

      So I'm puzzled about who might be behind all this "MS is only attacked because it's so popular" propaganda. I wouldn't think MS's marketers would be so stupid as to tell everyone such a good reason to avoid their brand. I wouldn't think a Windows fanboy would say this either, because it would amount to admitting that they intentionally bought a machine because it was highly likely to be compromised. But there doesn't seem to be any good reason for other vendors to make this suggestion, either, since it amounts to saying that their security isn't any better than Microsoft's. So who is really behind this bizarre bit of logic? Who profits from it?

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    6. Re:Here We Go Again ... by artor3 · · Score: 4, Insightful

      While I agree with your conclusion (that Windows is a less safe OS than Linux), your first point is completely illogical. The number of viruses released in a given year can be a function of market share without being a 1:1 function of market share. Criminals will always target the OS with the largest number of technically unsavvy users. Why double your efforts to increase your pool of potential victims by only ~10%?

      Until a non-Windows OS is installed on a plurality of machines, Windows will be the primary target and have the most hackers going after it. The Pwn2Own contests have shown that Macs are plenty vulnerable when people are willing to put in the effort to go after them.

    7. Re:Here We Go Again ... by thegarbz · · Score: 2, Interesting

      I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago - there was plenty of malware for Amigas and Ataris, even though their numbers were measured in thousands rather than millions.

      So you reason that malware writers would do something because 20 years ago in a very different environment for different reasons people did something? The comparison is absurd.

      Firstly, 20 years ago malware looked different and had completely different goals. The vast majority of them were written for comical / destructive purposes, not to make money. These days malware is a business and the ultimate goal is not to have malware which affects the user experience but rather is invisible to the user while exploiting system resources for profit (botnets). Some are still destructive, such as the malware which encrypts portions of your hard disk and demands a ransom, and others just exist to serve you ads. One thing in common is profit, and that wasn't the game 20 years ago.

      Secondly, 20 years ago malware travelled differently. The vast majority of it spread via physical media and relied on people moving it from one machine to the other. The majority of malware today spreads via infection over the network, whether automated or via social engineering.

      Thirdly, and critical to your understanding of why OSX isn't a target, modeling of virus spread has shown that only a small percentage of possible targets need to be immune to stop a spreading virus in its tracks, not 100% as you may think. If by chance your carefully written virus manages to infect one of the only 10.9% of total users who run OSX, there is a very good chance it won't spread further, as the computer may be isolated from others by a horde of Windows machines preventing the spread of malware. Why risk that when 85% of the remaining users run Windows and, thanks to Microsoft's brilliant backwards compatibility, you can exploit holes in nearly all of the target market at the same time?

      It is simply uneconomical for the modern malware author to target OSX. If you think otherwise I'm sure you'll eat your words if OSX becomes even remotely popular among the general internet population.

      Oh and Safari users were smarter than IE users a few days ago and thus don't fall for social engineering attacks, remember ;-)

    8. Re:Here We Go Again ... by Daniel+Dvorkin · · Score: 4, Insightful

      I think russotto wasn't calling TFA Microsoft propaganda, but rather calling WrongSizeGlass' "Macs are only secure because they're less popular" comment Microsoft propaganda. Which it is, of course. Any argument that relies on security-through-obscurity is wrong, no matter how you try to dress it up. WrongSizeGlass and the zillion other posters who repeat this tired canard may not realize they're propagandizing for Microsoft, but that's what they're doing, sure enough. They should at least demand payment for their services.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    9. Re:Here We Go Again ... by CharlyFoxtrot · · Score: 4, Interesting

      Until a non-Windows OS is installed on a plurality of machines, Windows will be the primary target and have the most hackers going after it. The Pwn2Own contests have shown that Macs are plenty vulnerable when people are willing to put in the effort to go after them.

      The guy who won all those Pwn2Own contests says that OSX Lion's security is now better than Windows 7.

      --
      If all else fails, immortality can always be assured by spectacular error.
    10. Re:Here We Go Again ... by 1729 · · Score: 5, Insightful

      OSX is not a target because there are very few people running OSX who have access to the systems with information that dedicated, skilled attackers want to get to.

      That's simply not true. For example, OS X is very popular among scientists and engineers at many of the national labs.

    11. Re:Here We Go Again ... by Divebus · · Score: 2

      Hmmm...

      1) Hacker sets up server with a big trap door
      2) Hacker takes the machine he wants to win and drives the browser through the big trap door
      3) Hacker willingly executes the instructions he set up in the big trap door
      4) Hacker wins a new MacBook Pro

      That doesn't sound like a random attack in the wild to me. Compare that to MS servers sitting in a room somewhere minding their own business with absolutely no human interaction. They get hacked if you just wait long enough.

      "Click Here to See the Dancing Monkeys" is self inflicted "hacking".

      --

      Most of the stuff on /. won't survive first contact with facts.
    12. Re:Here We Go Again ... by benjymouse · · Score: 2

      Try a contest where the first person to break *any* system gets $10.000 or $15.000. Then you have pwn2own. And then you'll see that the attackers attack the system they believe most vulnerable first. Or they risk someone else doing it. What would you rather have, a MB Pro + $5000 or a HP/Dell + $15.000?

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  2. Article is crap by topham · · Score: 4, Insightful

    "For example, Mac's Keychain software is vulnerable to what's known as a brute-force attack, he said."

    Idiot alert, article is crap.

    1. Re:Article is crap by gumbi+west · · Score: 4, Informative

      The NSA's guide to securing Apples talks about how to make the keychain reasonably secure here. Notably, they do not recommend turning it off or using third party software.

    2. Re:Article is crap by dgatwood · · Score: 2

      Idiot alert, article is crap.

      Agreed. If they're talking about an authentication model in the context of mDNS, that's prima facie evidence that they don't know the first thing about Mac OS X... or mDNS. mDNS is:

      • Not authenticated at all; it's a multicast service advertisement protocol. The service has security, not the advertisement.
      • On Windows, too.
      • And on most Linux distros.

      And they seem to think Kerberos is insecure. Kerberos is, of course:

      • An open, published standard.
      • On Windows, too.
      • And on Linux.

      And the rest of their comments seemed to be about the ability to brute force passwords locally. Yeah. No kidding. You can do this... yup, you guessed it:

      • On Windows, too.
      • And on Linux.

      As far as I can tell, there's basically nothing but pure FUD here, with no real information to back up the rather sweeping generalizations. As they say in Apple developer circles, specifics and Radar number or GTFO.

      Besides, access to any machine on a network is generally access to the data flowing across it and the files stored on it. It doesn't really matter how secure the keychain is if half the corporate networks in the world are sending confidential email around in cleartext, sending passwords to web servers in cleartext, etc., and if all the user's email is stored in an unencrypted mail spool file on the hard drive. In the grand scheme of security problems, if you're worried about somebody brute forcing a keychain password, you're either trolling for article views or you've grossly overestimated the security of most corporate infrastructure.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Article is crap by gumbi+west · · Score: 3, Informative

      Yep, that one is copyright Apple. Here is NSA's guide to hardening OS X. It does not recommend turning off keychain (though there are several other items it does recommend turning off).

  3. Sysadmin decides. by mjwx · · Score: 4, Insightful

    Windows server looked after by a good sysadmin == secure.
    Mac server looked after by bad sysadmin == insecure.

    As always, it's up to the people running it. Is any OS inherently secure? No, definitely not when there is a complete idiot looking after it.

    --
    Calling someone a "hater" only means you cannot rationally rebut their argument.
    1. Re:Sysadmin decides. by Anubis350 · · Score: 2

      I'd argue that my car isn't secure, but I'm still going to make sure I lock the door when I park it. There's a difference between perfect, adequate, and "please break into my stuff". In everything.

      --
      "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
    2. Re:Sysadmin decides. by samkass · · Score: 2

      Most of the core MacOS X systems are not closed source. You can download most of them here. It's true that a lot of the GUI is closed source, but if you're talking about a remote exploit, you're probably hitting a lot of open source packages.

      --
      E pluribus unum
  4. once you install OS X server you're toast by Culture20 · · Score: 3, Funny

    Good News! Apple is taking steps to make that impossible!

  5. So does Windows by benjymouse · · Score: 2

    And Mac OS X explicitly warns you if you are about to open an application downloaded from the Internet. This means that getting someone to run your code requires tricking them (through social engineering) into knowingly launching an application that they've never launched before, as opposed to tricking them into running your code by making it look like a JPEG file of Lindsay Lohan naked or whatever. Maybe Windows 7 does the same thing (I'm not sure), but that was at least historically a big problem on Windows.

    In Windows, files downloaded from the internet have their origin written in an alternate data stream. If you execute such a file you get a warning (like in OS X), but then even if you choose to run the executable, it will run with low integrity. Low integrity is part of UAC and sandboxes the process so that by default it has only read access as the current user. Write access is completely blocked, save a few safe cache locations. This is a major obstacle for anyone wanting to use a trojan to install malware. He cannot even infect the local user, bar some sandbox escape vulnerability or some more clever social engineering.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
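The alternate data stream benjymouse refers to is the `Zone.Identifier` stream (the "Mark of the Web") that Windows attaches to downloaded files. The script below is an added example, not part of the thread, showing how a defender can audit a folder for that mark: it lists which files still carry the stream, which zone they came from, and which have no mark at all (either never downloaded by a MotW-aware program or later stripped with `Unblock-File`). The default folder path and the file-extension list are assumptions chosen for the example; the `Get-Item -Stream` and `Get-Content -Stream` cmdlet parameters are standard Windows PowerShell. The script only reads the stream; it does not model the warning prompt or the process integrity behaviour described in the post.

```powershell
# Added example: inventory the "Mark of the Web" (Zone.Identifier alternate data
# stream) on files in a folder. The folder path is an assumed parameter;
# point it at the directory you want to audit.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# URL Security Zone ids as they appear in the [ZoneTransfer] section of the stream.
$zoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$File)

    # Get-Item -Stream * lists every data stream on an NTFS file; ':$DATA' is
    # the main content, anything else is an alternate data stream.
    $streams = Get-Item -LiteralPath $File -Stream * -ErrorAction SilentlyContinue
    if (-not ($streams | Where-Object Stream -eq 'Zone.Identifier')) {
        return [pscustomobject]@{
            File = $File; ZoneId = $null; Zone = 'none (no mark)'
            ReferrerUrl = $null; HostUrl = $null
        }
    }

    # The stream is a small INI-style text block, for example:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://example.test/
    #   HostUrl=https://example.test/tool.exe
    $text = Get-Content -LiteralPath $File -Stream Zone.Identifier -Raw
    $fields = @{}
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $id = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }

    [pscustomobject]@{
        File        = $File
        ZoneId      = $id
        Zone        = if ($null -ne $id -and $zoneNames.ContainsKey($id)) { $zoneNames[$id] } else { 'unknown' }
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
    }
}

# Audit the file types that Windows will actually execute or unpack. Files with
# no mark are worth a second look: the origin warning the post describes only
# fires when the stream is present.
Get-ChildItem -LiteralPath $Path -File -Recurse -Include *.exe,*.dll,*.msi,*.ps1,*.js,*.vbs,*.zip |
    ForEach-Object { Get-MarkOfTheWeb -File $_.FullName } |
    Sort-Object ZoneId -Descending |
    Format-Table File, ZoneId, Zone, HostUrl -AutoSize
```

Save it as a `.ps1` file and run it as `.\Get-MarkOfTheWeb.ps1 -Path 'C:\Users\alice\Downloads'` (the path is an example). `ZoneId=3` is the Internet zone, which is the value that triggers the "this file came from another computer" warning; the stream is only preserved on NTFS volumes, so files copied to FAT-formatted removable media lose it.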