Apple's malware challenge: Usability as its security world changes

Apple's security reality is changing right before our eyes and the company's response will be telling. The toughest challenge will be shutting down hackers while keeping its trademark usability intact.

Steve Jobs & Co. is known for creating devices that can spur gadget lust with just a mere rumor. Apple customers for years have taken the view---inspired by the company's commercials---that its software is safer. If you have a Mac there's no need for anti-virus software. You're secure.

The reality is Apple enjoyed security by obscurity. Its market share wasn't worth the attention from hackers. Now Apple is worth the attention. Where's the glory in taking out a smaller computing player when you can take out the big dog---Microsoft?

As a result of Apple's lack of hacker interest, the company could talk about being more secure even as it tended to rewrite QuickTime and plug security holes every time it launched a new product or generated buzz. While you were playing with your latest greatest Apple software release the company would patch vulnerabilities.

Here's Apple's chain of events over the last month:

  • Mac Defender malware attacks Apple users.
  • Apple remains mostly silent and tries to thread the customer service needle.
  • Apple then announces a fix and says a future update will put Mac Defender to bed.
  • Evildoers launch a new renamed version just a few hours later. The new malware is renamed (predictable) and split into two parts, a downloader that delivers a payload similar to Mac Defender (not so predictable).

Does any of this sound familiar? It should. Microsoft went through this same learning process with its security procedures. Microsoft had to button down its security operations and today is able to fend off a lot of attacks.

Ed Bott nailed the importance of these malware attacks against Apple when he said:

Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots. Peter James, an Intego spokesperson, told me his company’s analysts were “impressed by the quality of the original version.” The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.

If Apple plans to play Whack-a-Mole with these guys, they’re in for months of misery. Just ask any Windows security expert who was around in 2003 and 2004 when Microsoft was learning a similar painful lesson. If each reaction from Apple takes two or three weeks, the bad guys will make a small fortune and Mac users can count on significant pain and anguish.

Microsoft eventually got security religion, but there was a cost---usability. Vista's most hated feature was UAC (user account control). Bott later noted that UAC was enough to drive any level-headed person to PC rage.

In a nutshell, Microsoft added a key security feature---and drove its users nuts. Apple naturally capitalized on Microsoft's UAC flub.

This usability vs. security line is one Microsoft has been walking for years. If you use all three of the top Web browsers regularly---IE 9, Google Chrome and Mozilla's Firefox---you notice pretty quickly that IE 9 has more prompts and security features that can be annoying. I don't doubt that IE 9 is the most secure browser around, but there are times I feel like I'm taking medicine that has a nasty taste to it.

It's not like Apple hasn't paid any attention to security. The biggest issue is that Apple seems to be underestimating what it is up against. Apple is just supposed to work. Security sometimes requires some inconvenience to users. If you build security in from the ground up, usability can suffer.

Apple's trade-off between security and UI will be its biggest challenge in the years ahead. If I were to guess, Apple's Mac malware issues are just the warm-up act for bigger things.

  • Why not target Apple's iOS, which is a dominant mobile OS?
  • Why not target iTunes and all of those credit card accounts on file?
  • Why not go for the glory of bringing Apple down?

In other words, Apple may have to spend some time talking security frameworks. That's quite a sea change. If Apple can integrate hardware, software and more security into a package where the consumer doesn't notice then it will have pulled off a great feat.

Final thought: One natural reaction to talking Apple security is to bring up Google's Android. Android will be just as big of a hacker target and Google will have to respond to the same challenges as Apple. Ironically, Microsoft's Windows Phone 7 will have a free pass for a while. Why? Security by obscurity. Microsoft in mobile just isn't big enough to matter.

Talkback

146 comments
      • RE: Apple's malware challenge: Usability as its security world changes

        So, I guess the malware on Apple computers is the most usable and easy to ... get (and use?).
        nomorebs
    • Larry, at last somebody sees the real issue here

      I have posted repeatedly that the real target is not a few Mac users stupid enough to grant permission to malware for it to install. This happens all too frequently with Windows too. Also, Mac OS X has a UAC-like feature. The MacDefender could not install without getting an admin password, just like Windows. Further, the "security through obscurity" theme is not only trite but incorrect. This exploit takes no advantage of the obscurity of OS X to attack its vulnerabilities. It uses the same method used by Windows exploits in the wild now: social engineering.

      But you did point out what I have been saying for over two weeks. All of the smart phone and tablet platforms are the real gold mine for hackers. Android may top this list, but RIM and iOS may not be far behind. There are a lot more people using these than OS X and these folks are a lot more naive and susceptible to social engineering exploits (read here kids, teens and adolescents).

      As an example, think of all the "smart" people that have rooted their smart phone. The entire internet appliance market is up for grabs by these thieves. It's time to educate everyone about the real dangers that exist for EVERY platform.
      jacarter3
      • Security through obscurity is not limited to...

        @jacarter3: "This exploit takes no advantage of the obscurity of OS X to attack its vulnerabilities. It uses the same method used by Windows exploits in the wild now: social engineering."

        ...exploiting vulnerabilities. What it is related to is whether a particular platform's market share is sufficient to warrant the attention of malware authors.
        ye
      • RE: Apple's malware challenge: Usability as its security world changes

        @jacarter3 RIM is about as secure as is practical. It is the only smartphone OS that has emphasized security from its first concept.
        hayneiii@...
      • I think you misunderstand security through obscurity

        @jacarter3
        In reference to this: "It uses the same method used by Windows exploits in the wild now: social engineering"

        Agreed, but the "obscurity" is in reference to those writing the malware - They can't see the OS X machines for all the Windows machines in the forest in terms of ROI.

        Yes they could have just as easily snagged an OS X user as easily as a Windows user (Mac Defender proved this) but that would require the writers of this to constantly work on 2 versions of their malware, 1 for Windows, 1 for OSX.

        It's the same reason why many software companies don't write versions of their software for Macs - Is it really worth the time, effort, and cost when just the Windows version targets 90% of the market? OS X is just as "obscured" to them as it is to a malware writer.
        Will Pharaoh
      • RE: Apple's malware challenge: Usability as its security world changes

        @jacarter3
        Mac Defender has already been updated to install without prompting for the admin password, by installing to the applications folder.
        bwat47@...
      • RE: Apple's malware challenge: Usability as its security world changes

        @jacarter3

        I think you have trouble reading. He noted in the article both the historic and continued vulnerability of Windows and OTHER OSes as well. Additionally, I'm not convinced that it was all obscurity that protected Apple, but your logic is intrinsically flawed. That a common social engineering attack required merely a graphical layout change to look like a Mac interface SUPPORTS the argument that the only thing protecting Apple was obscurity.
        tkejlboom
      • OS X has weaker defences than Windows

        @ jacarter3

        On Windows, IE9's SmartScreen would have effectively stopped malware like Mac Defender, which uses a very basic social engineering tactic. Apple have got a lot of catching up to do to close the security gap with Windows/IE.
        WilErz
      • RE: Apple's malware challenge: Usability as its security world changes

        @jacarter3 Actually, those poisoned images that launch the attack exploit libjpeg. Which is a part of OSX. Sorry, but you're wrong.
        snoop0x7b
      • Exploiting vulnerabilities

        @jacarter3:
        Question: which OS X vulnerability is this so-called virus exploiting?
        Answer: None. This is not an OS exploit but rather a much simpler and much more effective social one. The trojan is nothing more than a cheap, easy to create app that one way or another convinces the user to install it, at which point it specifically asks the user to give it their credit card number. At worst it could steal enough data from that one document to clean out somebody's available credit, at best, a smart user would generate a one-time-use-only card number that would steal only the original 'requested' amount and no more (at least one bank currently offers this capability.)

        The point is that this is not a virus by any definition and is only barely a trojan in that it uses one app to download another one which, for now, does nothing more than make an annoyance of itself for those who are aware of its purpose. The only vulnerability here is the user.
        Vulpinemac
      • UAC is much more than just a password prompt too

        @ jacarter3

        Another point is that UAC is far more than just a password prompt. It shows who digitally signed the software trying to run with elevated privileges and runs on a separate desktop -- the latter of which a fake prompt from a browser can't do. In order to fake a UAC prompt on a separate desktop, the malware would already have to be installed/running locally -- i.e. the machine would already have to be infected.

        UAC can be made even stronger by enabling the setting to require the SAS (Secure Attention Sequence), Ctrl+Alt+Delete. In order to fake a UAC prompt with the SAS, the malware would have to have already installed a kernel-mode device driver (which requires running local code with admin privileges), which would mean the machine was already fully compromised, so there would be no need to fake a prompt anyway.

        Granted some naive users will still respond to fake prompts (and respond to emails asking for their passwords, etc.), but Windows makes it very difficult for malware authors to trick experienced users.
        WilErz
      • RE: Apple's malware challenge: Usability as its security world changes

        @jacarter3 Thank you... although, I do believe that OSx has less instances of malware because it is a less desirable target to malware developers. Just my opinion, but either way I agree that an OS is software... will always have users as the weakest link!!!
        apetti
    • RE: Apple's malware challenge: Usability as its security world changes

      @Larry Dignan



      Mac Defender is a "scareware" scam. If a user receives an email from a stranger telling them to download and install an unknown application from an unknown source, they only have themselves to blame if they go ahead and download and install that bad application.

      What if that same user fell for another scam? What if they received an email from a "Nigerian prince" asking to send them money? Is Apple also responsible to reimburse that user for lost money, simply because the request came to them in an email on their Mac computer?

      There is now a version that doesn't require a password to install, but this doesn't really change things. There is still no excuse for a user to purposely install and run it on their own computer.

      Since the default setting in Safari is to NOT open downloaded files automatically, it still would not install or run without the user's determined involvement.

      Not only THAT, but if a user did change the default settings to allow downloaded files to open automatically, it is limited to only "safe" files (videos, pictures, PDF, text, and archives). But downloaded applications and installers WON'T run automatically.

      A user still needs to purposely run any downloaded application themselves.

      If a user does make the mistake of downloading and installing one of these scareware applications, it's just as easy to uninstall it by dragging the application to the trash and deleting it.

      Mac Defender is a scam (NOT a virus), and there is no "protection" for a user's stupidity... and Apple is certainly NOT responsible for a user's ignorance.

      Larry, you as a Windows user might think that the "sky is falling" for Mac users, but nothing is further from the truth. Mac OS X has ALWAYS been free of viruses... as opposed to Windows which has hundreds of thousands of viruses and new ones coming each day.

      It's quite obvious that articles written by Windows users about Mac Defender are not aimed at Mac users (who already know that the sky is NOT falling) but is instead aimed at your Windows-using readers.

      By trying to paint Macs as being in the same virus-prone league as Windows PCs, it seems your goal is to placate Windows users (and yourself) by distracting them from the real, unjustifiable problems caused by Windows' terrible security.

      Like a magician, you get your Windows user audience to look at this diversion (trying to make them believe that Mac OS X is just as bad as Windows) so that they don't focus on how totally inadequate Windows security is.
      anonymous
      • Nope....you definitely don't know what you are...

        @Harvey Lubin ... talking about... MS Windows has some of the highest security measures for an OS. As usual, the user overrides them to install, run, or whatever with his or her system. OS X has the very same problem, user override execution. NO OS can protect the user from this (unless the user does not have admin rights at all, which our system at the university does). Here at the university, our open area computers available to the public never get malware, viruses, trojans or the like. WHY? They cannot override the security of execution/install software prohibited.

        The comments you make almost look like a rabid, disturbed Mac supporter. Or, maybe so?
        dtroyerSMU
      • RE: Apple's malware challenge: Usability as its security world changes

        @Harvey Lubin

        "Like a magician, you get your Windows user audience to look at this diversion (trying to make them believe that Mac OS X is just as bad as Windows) so that they don't focus on how totally inadequate Windows security is."


        You may have been able to make this claim in 2005, but not 2011. Most security professionals seem to believe that Windows 7 is more secure than OS X. Everyone knows that XP had horrible security but to bash Windows security in general in 2011 is incorrect. Come back to the present.

        BBeck
        B.Beck
      • RE: Apple's malware challenge: Usability as its security world changes

        @Harvey Lubin - delusional viewpoints like this are the cause of the problem in the first place. You cannot completely guard against users being socially engineered into installing malware (unless you have a locked down environment that doesn't allow installing software full stop), so you need realtime antivirus tools to spot suspicious behaviour and known malware before it executes.

        Windows users by and large ensure they have this, often via free, unintrusive third party software like Windows Defender, Avast or AVG. Mac users by and large do not. It's a situation that obviously leaves Mac users wide open to this sort of malware, and it's only going to increase in popularity in tandem with that of the Mac platform.

        But feel free to keep your head in the sand over there in HappyMacLand.
        Psdie
      • RE: Apple's malware challenge: Usability as its security world changes

        @Harvey Lubin

        please run for President!
        androo85
      • RE: Apple's malware challenge: Usability as its security world changes

        Finally we are seeing some attacks or attention given by hackers to the MAC system! Android also? I'm happy Microsoft has lost pretty much market share so hackers can go and bother also MAC users. They were always proud and showing off that they wouldn't get any antivirus since it was ridiculous to have one on the MAC systems.

        I'm happy to see that finally Hackers are attacking MAC and ANDROID or other OS. So they can give some very little rest to Microsoft that has been attacked for many many years. Everyone should get his turn. Other OSes get ready to protect yourself. LoL
        dr_paddo