For Mac Users, the End of Innocence
By Alex Salkever
Time was, malicious hackers ignored Macintosh users. The MacHeads were few in number, and breaking into their machines was generally a thankless endeavor. Macs didn't run at all like ubiquitous Windows or Unix machines, and they were far less useful in hacking exploits. No one launched distributed-denial-of-service (DDOS) attacks that bury Web servers under avalanches of spurious queries off the backs of hacked Macs.
So, where security was concerned, Apple users enjoyed a free ride. Same with virus attacks. Mac users avoided the carnage of the I Love You virus in May, 2000. Nor did they have to worry about nasty Trojan-horse attacks, such as the SubSeven variety that could give hackers remote control of a computer. Mac users lived in a digital Garden of Eden, a simpler place free of serpents.
But with the coming of OS X, Steve Jobs has led Mac users out of that land of innocence. The software heart of Apple's newest operating system is a derivative of the basic Unix OS developed long ago at AT&T Labs. As such, it's more similar to the operating software that powers Sun Microsystems workstations, IBM mainframes, and VA Linux servers than it is to previous Mac operating systems. And here's the danger: Cybercrooks, who love to hack these types of machines, could easily develop a taste for Apples. Thanks to OS X, Macs have become easier to penetrate with standard hacking tools -- and also more useful for launching extended and potentially damaging hack attacks.
To be sure, hackers have yet to bite into OS X. As yet, no one has spotted any alarming spikes in vulnerabilities reported to the federally funded CERT Response Center, which flags computer-security threats, and by private security groups. And since few big companies use Macs to run their enterprise networks, the guts of most remain safe.
That said, OS X is so new and, so far, so little used that it's simply too early to say that the hackers just aren't interested. While there is not much glory for the hacker who brings down the network of a four-person design shop, the fact remains that Macs could now be hijacked to participate in DDOS attacks or break into connections on other Unix machines. Moreover, Mac users could well end up being vulnerable to viruses. Finally, media companies still use lots of Macs for everything from design to advertising. Combine all this with Unix, and that could prove an irresistible temptation to malicious hackers, who just love to mess with the press. (Witness the numerous hacks of The New York Times' Web site.)
That means Apple users now have to consider all the security issues that come with operating in a Unix world. Too bad Apple hasn't figured this out yet. Steve Jobs proudly boasts Apple will soon be the largest seller of Unix-based operating systems in the world due to the expected widespread adoption of OS X. But the company has yet to take basic steps to set up the kinds of monitoring-and-reporting systems needed to ensure continued security for Mac users. "OS X has the potential of being one of the biggest security liabilities on the Internet," says Preston Norvell, a network-security expert and member of the professional group Macsecurity.org.
To be fair, OS X is probably more secure than the previous Mac operating systems that remained hack-free due to isolation rather than secure software design. Apple chose to build OS X atop a relatively secure Unix platform called Free BSD (Berkeley System Distribution). And the company has done some good things to protect its users. For example, it's the first consumer OS with a firewall built right into the software core. Plus, Apple has shipped OS X with many of the Unix functions that can be security risks switched off. "Apple's done a decent job of out-of-the-box security in OS X for a first go-round," Norvell says.
But the nature of threats facing Unix machines is far more dynamic than those that confronted Mac OS users in the past. On an almost daily basis, warnings about new Unix vulnerabilities emerge from CERT and various security firms. These alarms generally elicit a prompt reply from software vendors. But thus far, Apple has shown little inclination to build a systematic response-and-evaluation effort to ensure that OS X users know what they need to worry about.
NOWHERE TO TURN.
For starters, there's no security destination for OS X users on Apple's Web site. Nor does Apple operate a security mailing list to notify users of potential weaknesses and patches they could apply to lock down their systems. Microsoft, Sun, and Red Hat all maintain security mailing lists and security destinations.
Apple also has failed to provide a way for programmers or others to notify the company of new security flaws. "There is currently no known e-mail address, or drop box of any sort, to notify Apple of a potential or confirmed security problem in any of their products," Norvell says. That isolates the best source of information about new security leaks: Apple's customers.
Furthermore, Apple hasn't shown any indication that it has assigned dedicated staff to tackle security issues and writing patches. A key component of security for any serious OS is a team of experienced code writers that can quickly evaluate threats, assess the damage potential, and inform customers. Such a dedicated response team is particularly crucial with Unix products.
Here's why: Due to the underlying similarity of all Unix systems, a vulnerability in one type of Unix system can often be to compromise another. That means security engineers must scramble to ensure that Unix problems announced on one platform won't prove hazardous to others. This is the way the CERT notification system has worked until now, and it has depended on software vendors investigating reports in a timely manner. That's tough to do without a dedicated security staff.
"In any situation where a security hole is found that affects general Unix services, it is relatively likely that it will affect OS X," says Adam Engst, editor of the popular Mac newsletter Tidbits. "The problem is that Apple has to step up to the plate and take the lead in informing users about the security issues."
Apple claims it's committed to the security of its users. The company refused to comment specifically for this article but did release a statement: "Apple is very conservative in setting up secure solutions for our customers by default. In addition, we actively participate with industry advisories, such as CERT, to quickly provide our customers solutions to any emerging security issues as they arise."
But according to Norvell, Engst, and others, Apple has been slow to respond to CERT advisories, often taking months to patch big holes. And Apple has so far failed to respond to the first CERT advisory, released on Apr. 10, that could affect OS X -- a warning about a flaw in the Free BSD software platform that was used to develop the operating system.
WAVING AWAY CONCERNS.
That's symptomatic of a largely secretive Apple culture, which is still coming to grips with its shift into the far more transparent Unix world. This head-in-the-sand approach seems to be coming from the top down. "At the OS X launch, when I asked Steve Jobs about security issues, he gave me the total hand wave," recalls one concerned Apple software developer.
Apple may well hire dedicated security engineers in short order, setting up e-mail bulletins and building an easy-to-use security site -- just as Bill Gates has done. And Mac users might also find a treatise on how to secure new OS X machines tucked into their product literature. But neither of those developments has happened yet. Until they do, Steve Jobs is leading what could be millions of new users out of the garden and into a den of possible serpents.
Salkever covers computer security issues twice a month in his Security Net column, only on BW Online
Edited by Douglas Harbrecht