Mac botnet: Who's at fault?

Summary:At least 600,000 Macs were infected by the Flashback Trojan. Did Apple fail to protect its users? Or were users defeated by their own misguided fantasies of invulnerability?

Ryan Naraine

Ryan Naraine

Apple's fault

or

Users' fault

Christopher Dawson

Christopher Dawson

Best Argument: Apple's fault

The moderator has delivered a final verdict.

Opening Statements

Unforgivable

Ryan Naraine: To really understand Apple’s negligence on security, we have to go back to 2006 and that famous “Mac vs PC” commercial http://www.youtube.com/watch?v=GQb_Q8WRL_g   where PC is sneezing from a virus infection and Mac passes him a tissue while smugly dismissing security as a legitimate threat to Mac OS X.

This perpetuates a false sense of security among the Mac faithful. Mac OS X users have the mindset that security is not important and this complacency leads to long delays in patching dangerous security flaws and responding to in-the-wild attacks.

This iBotnet (more than 685,000 infected Mac machines) is entirely Apple’s fault.  The Java patch (CVE-2012-0507)  was issued for Windows on February 14, 2012. This same vulnerability affected Mac OS  X but Apple didn't provide a fix until April 3, 2012.

Apple left its users exposed for 49 days, providing a large window of opportunity for malware writers to build a botnet.  Unforgivable.

Naive users

Christopher Dawson: It's easy to blame Apple for the widespread infection of Macs with the Flashback Trojan. Actually, most would argue that Apple should be more proactive in anti-malware development; to date, this has taken a backseat to user experience. However, that lack of focus on security is as much (or more) the fault of naive users who blithely go on buying shiny new Macs and iOS devices, smug in their apparent invulnerability to rogue software as it is Apple’s.

Why has Windows evolved into a remarkably secure environment? Because the market first demanded and paid for powerful third-party software and then demanded native anti-malware solutions, again speaking with their wallets, by purchasing (ironically) Macs or running Linux. How many Mac users run antivirus tools on their machines even if only to prevent spreading Windows infections? Not many (says the debater writing this on his Mac running both Avast and ClamXav).

The Rebuttal

  • Great Debate Moderator

    Thanks for joining us

    Ryan and Chris will post their closing arguments tomorrow and I will declare a winner on Thursday. Between now and then, don't forget to cast your vote and jump into the discussion below to post your thoughts on this topic.

    Posted by Jason Hiner

  • Great Debate Moderator

    Is it Apple's fault and will the bad publicity cause Apple to change?

    Is the threat from the Flashback Trojan ultimately Apple's fault and do you think it will cause Apple to change? Why or why not?

    Posted by Jason Hiner

    Change will be gradual, and sloooow

    Apple has done very well with the security-by-PR approach. Look at MacBook and iPad sales. When your security message is driven by the marketing department, legitimate issues will be buried in favor of selling more computers. I do expect Apple to change their thinking because they really have little choice. However, this change will be slow and gradual. The Mac platform is much more security today than it was two years ago with the addition of anti-exploit mitigations like ASLR (Address Space Layout Randomization) but these changes came years after they were already implemented in other operating systems. Gatekeeper is coming as a new anti-malware feature that works behind the scenes to let Mac users either allow or deny application downloads based on where they come from. The creation of Gatekeeper is a not-so-subtle admission from Apple that malware on the Mac is real.

    Ryan Naraine

    I am for Apple's fault

    Users must demand better

    Ultimately, it remains the fault of users who have not demanded with their pocketbooks, with their awareness, or with their business that Apple change its practices. Hopefully, this marks the beginning of a shift both at Apple and among users who expect better from the company.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Is this the tipping point?

    As the Mac has been hit with various malware attacks in recent years, the tech industry has repeatedly pointed to it as proof that Macs are vulnerable. However, it has had little change on the behavior of Mac users or the overall perception that using a Mac is generally safer than using a PC. Why will the Flashback Trojan be a tipping point in changing those perceptions?

    Posted by Jason Hiner

    I don't expect much a change

    That question assumes there will be a tipping point in user behavior or perception. I don't see it. Apple was slow to respond to this issue and even when they did, their advisory was hidden and they were not upfront about a lot of stuff. I think some users are aware (AV vendors said sales spiked during the attack) so it's clear that something happened. But I think we'll go back to the old situation where Apple fools its users into false sense of security.

    Ryan Naraine

    I am for Apple's fault

    It's the New iPad

    The sheer volume of infected users, as well as mass media attention and user outcry make this attack different. More importantly though, it follows on the heels (at least in terms of media attention) of the New iPad, which raised Apple's profile to new heights.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Mac anti-malware software

    Many of the Mac anti-malware solutions have been as bad (if not worse) than Windows solutions about bogging down the system and causing as many problems as they prevent. What software do you recommend that won't be more trouble than it's worth?

    Posted by Jason Hiner

    Where are you hearing that?

    I don't agree that Mac anti-malware solutions are unusable. Where are you hearing that? In fact, I think Mac users should get used to the reality that AV software is necessary today to handle mass-malware attacks like Flashblock. In addition, Mac users should ignore Apple???s security-by-PR and consider a defense-in-depth approach to staying security. There are some nifty utilities and tricks that can help. I like Little Snitch, a tool that informs you whenever a program attempts to establish an outgoing Internet connection. You can then choose to allow or deny this connection. If you use Firefox, then make sure you use the NoScript add-on. Invest in a password manager to manage the mess of creating strong, unique passwords for multiple online accounts. Some additional OS hardening techniques: Create a non-admin account for everyday activities like web browsing or e-mail; Uninstall the standalone Flash Player; Use a password manager and turn off connectivity services when not in use, or when not required (AirPort, BlueTooth, etc).

    Ryan Naraine

    I am for Apple's fault

    Several options...

    ClamXav (http://www.clamxav.com/) is a reasonable solution based on the ClamAV software that protects more *nix operating systems. ClamAV is open source, actively developed, and reasonably unobtrusive. That unobtrusiveness comes at the price of requiring more user management to regularly scan and deal with any threats. Avast also has relatively lightweight software and a free version for the Mac. Additionally, relying on webmail solutions like Gmail or Yahoo Mail, which apply sophisticated anti-malware, anti-spam, and anti-phishing technologies to incoming mail, can limit exposure to malware. Finally, using a simple gateway device (like Untangle, which can be had in both free, DIY versions and as paid services and appliances) can provide a high degree of protection for both home and small business networks (full disclosure, I'm writing a book on Untangle).

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Security tips for Mac users

    Beyond just installing protective software, can you reiterate some of the best tips you would share with Mac users for protecting themselves against attackers?

    Posted by Jason Hiner

    Common sense please

    I've listed some OS hardening advice in my previous answers. Some more: Download files only from known and trusted websites; Use FileVault 2 to encrypt everything on your Mac; Control access to your Mac by locking your screen after a period of inactivity; Securely delete outdated sensitive files with the Secure Empty Trash command. More importantly, use common sense when browsing the web. If you are prolific on social networks like Facebook and Twitter, get into the habit of distrusting links, even from people within your own network. A compromised 'friend' can do bad things on Facebook. If it looks too good to be true, it probably is.

    Ryan Naraine

    I am for Apple's fault

    It starts with awesome passwords

    1) Use awesome passwords and protect them carefully 2) Be careful of the apps you install, both from Apple's Mac store and on iOS (or Chrome's store, or the Android Market, or wherever else); freebies are great, but aren't always kosher in terms of how they track, use, and mine data from your phone 3) Install third-party anti-virus, even if just the open source ClamAV (it's an inherent part of most Linux distributions, available as ClamWin for Windows, and available as ClamXav for Mac) 4) Use webmail to send and receive email 5) Patch your OS the minute new software updates become available 6) Use browsers (like Chrome) that warn you of potentially malicious sites and software

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    How can Mac users protect themselves?

    If Apple doesn't change its tune and start releasing patches more quickly then what steps should Mac users take to protect themselves from potential malware threats?

    Posted by Jason Hiner

    Some basic recommendations...

    I have a few strong recommendations: Stop surfing the web with Safari, it's just not safe. Download and use Google Chrome to take advantage of the browser sandbox and to get patches in a timely manner. Use the KB SSL Enforcer add-on for Chrome to encrypt browser connections. Uninstall Java. Apply patches to third party desktop software as soon as they appear, especially from Adobe Reader or Office for Mac because these are common targets in advanced targeted attacks.

    Ryan Naraine

    I am for Apple's fault

    Two choices

    As Windows users did in years past, they have two choices: 1) Begin using third-party tools 2) Look to other hardware and software vendors. One of the reasons behind Apple's success was Microsoft's early failures in terms of security. It would be a sad day to see Apple be referred to as the "new Microsoft". Users across all platforms must ensure the security of their cloud services, beware of app permissions, and be totally conscious of passwords and identity issues.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Why did Apple delay?

    In terms of the Flashback Trojan itself, what's the deal with Apple delaying the security patch? Is there a reasonable explanation?

    Posted by Jason Hiner

    Nobody knows

    No one knows why Apple has to ship Java for Mac independently. I have asked repeatedly why Apple won???t allow Oracle Sun to ship a Java for Mac issue directly but, as usual, the response from Apple has been complete silence. But it's not only Java. WebKit fixes for Safari are always months late, compared to the same fixes on Mozilla Firefox or Google Chrome. PHP fixes are always late. There are numerous open-source components that get patched but these fixes get to Mac OS X much, much later. We don???t know if there's a technical reason for this and Apple???s secretive approach (they never answer questions) means we are in the dark.

    Ryan Naraine

    I am for Apple's fault

    It wasn't yet a PR issue

    How many users knew about Flashback until the past month when it made headlines everywhere? It wasn't until Flashback exploded all over the media and tech press that Apple suddenly had a fix. Did users hold off purchasing Apple products until a patch was issued? Of course not! They continued buying Apple hardware in droves, secure in the illusion that they were immune to malware. The only reasonable explanation is that Apple ignores security concerns until they become a PR issue. Users then need to make security a PR issue for Apple. They need to make it an issue that affects Apple's bottom line. Only then will Apple take security seriously.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    What can Apple learn?

    What, if anything, can Apple learn from Microsoft and/or the Linux community about designing and maintaining a secure operating system?

    Posted by Jason Hiner

    Copy everything from Microsoft

    Apple can learn a lot from Microsoft. In fact, I'd say Apple should simply copy Microsoft's playbook word-for-word when it comes to security response. Apple needs a SDL (security development lifecycle) process to make sure developers build security into every stage of the software development process. Apple should copy Microsoft's security advisories program so that users are properly educated when there is legitimate security threat. If Mac users have to wait a long time for a patch, Apple should be providing temporary mitigations. How about a scheduled Patch Day? This will help IT administrators prepare for patch deployment instead of being surprised by ad-hoc Mac OS X updates. When it comes to security response, Apple is stuck in the 1990s.

    Ryan Naraine

    I am for Apple's fault

    Security needs to stop taking a backseat to user experience

    Utter ease of use and dead-simple usage can't lull users into flagrant disregard for security. As Microsoft has learned, third-party tools are no substitute for integrated security measures and, particularly in Apple's case, when users pay a significant premium for Apple hardware and software, security needs to be part of the package. This has always been a core of Apple's value prop: Buy an Apple and get a complete end-to-end solution. That solution can't ignore security.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Is it one of the worst security threats of 2012 so far?

    Would you characterize the Flashback Trojan as one of the most dangerous security threats of 2012? If so, why? And, if not, then what are some of other most dangerous threats to users so far in 2012?

    Posted by Jason Hiner

    Could have been nastier

    Like I just said, this has the potential to be really dangerous because the malware can update itself via the trojan-downloader component. The known variants are doing click fraud but, in an age when botnets are rented out to cyber-crime groups, it???s not a stretch to imagine that Flashback could have been used for more nefarious purposes. In terms of the total threat landscape, it???s not the worst thing we???ve seen. Some of the more virulent mass-malware attacks, especially on Windows, steal banking credentials and hijack data to perform identity theft. We are seeing signs of sophisticated targeted attacks with nation-state involvement. Global businesses are under constant surveillance in APT attacks. Those things are much more dangerous than the Flashback variants we saw. However, on Mac OS X, this had the potential to be quite nasty.

    Ryan Naraine

    I am for Apple's fault

    Users are their own worst threat

    No, I would call it one of the highest profile. I would even call it the threat that disillusioned a user base. However, I would call the biggest security threat of 2012 computer users themselves. As more and more of us move our digital lives to the cloud, that password of "12345" that worked just fine on a lone machine in our basement is no longer the least bit adequate. Users who continue to ignore the need for anti-malware, don't patch their operating systems, etc., put everyone at risk. We may be moving more and more to the cloud, but the portals to the cloud we use need to be secure, as do the services we use every day.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Mac security, overall

    Overall, what do you consider the most dangerous security problem about the Mac platform?

    Posted by Jason Hiner

    Apple's tardy patching

    There are quite a few but, in my mind, the most dangerous is Apple???s intransigence. The company is always tardy on supplying patches for known security problems. Java for Mac is just one example but, if you monitor Apple???s patch release process, you???ll find they are constantly late with fixes, especially for open-source components. WebKit and Safari are a constant security nightmare. Then we have the whole veil of secrecy thing. Apple simply ignores all media queries about security problems. Whenever there is a legitimate threat, users get zero communication from Apple. There are no pre-patch advisories with mitigations for users. They don???t provide data to security vendors to help keep the ecosystem secure. When there???s an outbreak, Mac users have to rely on third-party guidance instead of getting help from Apple. As a Mac user myself, it???s really frustrating.

    Ryan Naraine

    I am for Apple's fault

    Identity theft, compromised accounts, and rogue apps

    This relates perhaps even more to iOS than than to OS X (which, we're seeing, are beginning to converge). iPads are replacing consumer PCs for more end users, and Macs (especially the Air as the original ultrabook) are booming in popularity. Similarly, the iPhone remains the smartphone to beat. All of these are designed to operate in the cloud, where we do our banking, connect to corporate networks, and manage virtually all aspects of our lives. Even the games we play in the form of those free, addictive apps are sending data and enabling all sorts of financial transactions, meaning that users are trusting precious passwords and vital data to iOS more than most other platforms. For the sake of convenience, users often forget the importance of security.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Vulnerability of Macs versus Windows and Linux?

    If we step back and look at the Mac platform compared to Windows and Linux (for example, Ubuntu), how much more or less likely are Macs to end up being infected with spyware and malware?

    Posted by Jason Hiner

    Market share tipping point has arrived

    It comes down to market share, attacker motivation and user mentality. If market share is high enough, cyber-criminals are motivated to invest in attacks. Flashback, in my mind, is confirmation that the Mac market share tipping point is there to validate mass-malware attacks. Malware authors have dabbled in Mac OS X attacks in the past with DNS changers, scareware (fake anti-virus) attacks and the usual phishing lures but if you put everything together, you can see we???re entering a new phase. The fact that Apple users have been brainwashed to ignore security threats means that vulnerable desktop applications will remain unpatched and there will always be a large pool of victims waiting to be infected.

    Ryan Naraine

    I am for Apple's fault

    Growing ubiquity = bigger target

    OS X continues to be relatively secure, both because it still trails far behind Windows in market share and because as a *nix-based OS, it has the potential to be tightened up in pretty extraordinary ways (even if Apple hasn't done that as well as it should have to date). Linux enjoys tight security both from an OS perspective as well as from an obscurity perspective (at least on the desktop), but its growing ubiquity in the datacenter and the growing importance of the cloud services it powers will make it a target in the months and years to come. One could argue that security should be the primary concern of all OS distributors; whether or not that will be borne out remains to be seen.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    How bad is the Flashback Trojan?

    Before we dive into the blame game, let's start with a basic security question: How bad is the Flashback Trojan and is it worth all of the fuss that's being made?

    Posted by Jason Hiner

    Reality hits home

    It's bad. Very bad. More than half a million Macs in a for-profit botnet owned by cyber-criminals. In terms of market share numbers (percentage of Mac users infected), this is the Mac version of Conficker/Windows. It's the first in-the-wild malware attack on Mac OS X with such a large number of victims and is further confirmation that the growth in Mac market share is providing a major incentive to attackers. Flashback is particularly nasty because it was spreading via drive-by downloads -- no user interaction, no extra clicks, no admin password required. Surfed to a rigged or hacked website, and the malware gets installed automatically. The known variants were used for click-fraud but it could have been even more dangerous because of the trojan-downloader component that allowed the attackers to install additional malware onto the infected machines. Flashback isn???t hype in any way. It???s a real dangerous -- and eye-opening -- issue.

    Ryan Naraine

    I am for Apple's fault

    It's a big wakeup call

    This is probably a question better answered from a technical perspective by my colleague on the other side of the debate. From my perspective, however, it's a matter of principle. Several hundred thousand infected Macs are enough to create one heck of a botnet. More importantly, though, Flashback represents the end of an era in which Mac users could count themselves relatively immune to viruses. It's important to remember that this "immunity" was largely a result of small market share, making OS X an unworthy target for malware distributors, not because of the inherent security of the operating system. Flashback is a big deal because it's a wakeup call to users

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Mic check

    Are both of my debaters online and ready?

    Posted by Jason Hiner

    One two, one two...

    Check check.

    Ryan Naraine

    I am for Apple's fault

    Ready to rumble

    ...for the truth and justice...

    Christopher Dawson

    I am for Users' fault

Closing Statements

Apple needed this reality check

Ryan Naraine

A decade ago, in response to a string of debilitating network worm attacks, Microsoft implemented “Trustworthy Computing,” a major initiative aimed at making the world’s most widely used operating system more resilient to malicious hacker attacks.  It worked. The security posture of the Windows operating system has improved and Microsoft’s security response process is now the standard that others -- like Adobe -- are copying.

Now it’s Apple’s turn.  The company must use the Flashback attack as a reality check and reject the security-by-PR approach that tricked its user base into complacency. Apple needs to take the security game seriously.  We are no longer in 2006 when Macs were deemed safe from attacks and cute commercials could be used to sell an operating system.  Flashback is the first major Mac botnet but you can bet there will be more.  Apple cannot afford to ignore the lesson of Flashback.

 

 

Users have the power

Christopher Dawson

There are many reasons that we use and love our Macs so passionately. First and foremost is a nearly flawless user experience. Apple has, without a doubt, set the bar for great software integrated seamlessly with hardware that is at once elegant, artful, and totally usable.

None of that, however, is worth a hill of beans if using Apple products means exposure to malware that the  company ignores without a media frenzy. Of even greater concern, though, is a user base blissfully unaware of security issues without said media frenzy. Sure, we should be able to expect our OS vendor of choice to proactively address security issues. But if we don't back up those expectations with our pocketbooks, Apple will never take the same leadership role in security that they have in hardware and software design (or, for that matter, that Microsoft did when users began to walk away).

 

It's squarely on Apple's shoulders

Jason Hiner

What I really liked about this debate is that it got past all of the hype and scare tactics that always surround big security incidents and tried to get at the real threats and provide users with some actionable tips for dealing with current and future security threats on Macs. Chris was right on the mark about the fact that users who own Apple products have had a false sense of complacency for too long and they need to demand better security practices from Apple, and move to other products if security is important to them and Apple doesn't deliver any meaningful improvements in its security practices.

Ultimately, we have to place the onus for the Flashback Trojan squarely on Apple's shoulders. The company dragged its feet for almost two months in getting out a security patch, and once it did, it released it quietly in the background without alerting users. These are not the practices of a company that is serious about running a highly secure platform that is accountable to its users. That's why Ryan clearly wins this one.

Topics: Great Debate

About

Jason Hiner is Editor in Chief of TechRepublic and Long Form Editor of ZDNet. He writes about the people, products, and ideas changing how we live and work in the 21st century. He's co-author of the upcoming book, Follow the Geeks (bit.ly/ftgeeks).

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.