Mac botnet: Who's at fault?

Moderated by Jason Hiner | April 16, 2012 -- 07:00 GMT (00:00 PDT)

Summary: At least 600,000 Macs were infected by the Flashback Trojan. Did Apple fail to protect its users? Or were users defeated by their own misguided fantasies of invulnerability?

Ryan Naraine

Apple's fault

or

Users' fault

Christopher Dawson

Best Argument: Apple's fault

The Rebuttal

  • Great Debate Moderator

    Thanks for joining us

    Ryan and Chris will post their closing arguments tomorrow and I will declare a winner on Thursday. Between now and then, don't forget to cast your vote and jump into the discussion below to post your thoughts on this topic.

    Posted by Jason Hiner

  • Great Debate Moderator

    Is it Apple's fault and will the bad publicity cause Apple to change?

    Is the threat from the Flashback Trojan ultimately Apple's fault and do you think it will cause Apple to change? Why or why not?

    Posted by Jason Hiner

    Change will be gradual, and sloooow

    Apple has done very well with the security-by-PR approach. Look at MacBook and iPad sales. When your security message is driven by the marketing department, legitimate issues will be buried in favor of selling more computers. I do expect Apple to change their thinking because they really have little choice. However, this change will be slow and gradual. The Mac platform is much more secure today than it was two years ago with the addition of anti-exploit mitigations like ASLR (Address Space Layout Randomization), but these changes came years after they were already implemented in other operating systems. Gatekeeper is coming as a new anti-malware feature that works behind the scenes to let Mac users either allow or deny application downloads based on where they come from. The creation of Gatekeeper is a not-so-subtle admission from Apple that malware on the Mac is real.

    Ryan Naraine

    I am for Apple's fault

    Users must demand better

    Ultimately, it remains the fault of users who have not demanded with their pocketbooks, with their awareness, or with their business that Apple change its practices. Hopefully, this marks the beginning of a shift both at Apple and among users who expect better from the company.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Is this the tipping point?

    As the Mac has been hit with various malware attacks in recent years, the tech industry has repeatedly pointed to it as proof that Macs are vulnerable. However, it has had little effect on the behavior of Mac users or the overall perception that using a Mac is generally safer than using a PC. Why will the Flashback Trojan be a tipping point in changing those perceptions?

    Posted by Jason Hiner

    I don't expect much of a change

    That question assumes there will be a tipping point in user behavior or perception. I don't see it. Apple was slow to respond to this issue and even when they did, their advisory was hidden and they were not upfront about a lot of stuff. I think some users are aware (AV vendors said sales spiked during the attack) so it's clear that something happened. But I think we'll go back to the old situation where Apple fools its users into a false sense of security.

    Ryan Naraine

    I am for Apple's fault

    It's the New iPad

    The sheer volume of infected users, as well as mass media attention and user outcry make this attack different. More importantly though, it follows on the heels (at least in terms of media attention) of the New iPad, which raised Apple's profile to new heights.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Mac anti-malware software

    Many of the Mac anti-malware solutions have been as bad as (if not worse than) Windows solutions about bogging down the system and causing as many problems as they prevent. What software do you recommend that won't be more trouble than it's worth?

    Posted by Jason Hiner

    Where are you hearing that?

    I don't agree that Mac anti-malware solutions are unusable. Where are you hearing that? In fact, I think Mac users should get used to the reality that AV software is necessary today to handle mass-malware attacks like Flashback. In addition, Mac users should ignore Apple's security-by-PR and consider a defense-in-depth approach to staying secure. There are some nifty utilities and tricks that can help. I like Little Snitch, a tool that informs you whenever a program attempts to establish an outgoing Internet connection. You can then choose to allow or deny this connection. If you use Firefox, then make sure you use the NoScript add-on. Invest in a password manager to manage the mess of creating strong, unique passwords for multiple online accounts. Some additional OS hardening techniques: Create a non-admin account for everyday activities like web browsing or e-mail; Uninstall the standalone Flash Player; Use a password manager and turn off connectivity services when not in use, or when not required (AirPort, Bluetooth, etc).

    Ryan Naraine

    I am for Apple's fault

    Several options...

    ClamXav (http://www.clamxav.com/) is a reasonable solution based on the ClamAV software that protects more *nix operating systems. ClamAV is open source, actively developed, and reasonably unobtrusive. That unobtrusiveness comes at the price of requiring more user management to regularly scan and deal with any threats. Avast also has relatively lightweight software and a free version for the Mac. Additionally, relying on webmail solutions like Gmail or Yahoo Mail, which apply sophisticated anti-malware, anti-spam, and anti-phishing technologies to incoming mail, can limit exposure to malware. Finally, using a simple gateway device (like Untangle, which can be had in both free, DIY versions and as paid services and appliances) can provide a high degree of protection for both home and small business networks (full disclosure, I'm writing a book on Untangle).

    Christopher Dawson

    I am for Users' fault
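Ryan's defense-in-depth answer above describes the Little Snitch model: a program attempts an outgoing connection, the user is informed and chooses to allow or deny it. What follows is an added example written for this page, not code from Little Snitch or from either debater, that models such a per-application egress policy in Python: first-match rules keyed on process, destination host and port, a default of "ask" (prompt) for anything unmatched, and a way to turn the user's answer into a persistent rule. The rule syntax, the process names, the hosts and the connection attempts are all constructed assumptions, not captured traffic.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: a small per-application outbound-connection policy
# engine in the spirit of the allow/deny prompting the debate attributes to
# Little Snitch. None of this is Little Snitch's code; the rule syntax and
# every name below are assumptions made for illustration.


@dataclass(frozen=True)
class Rule:
    process: str            # executable name, or "*" for any process
    host: str               # exact host, "*.domain" suffix wildcard, or "*"
    port: Optional[int]     # None means any port
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Connection:
    process: str
    host: str
    port: int


def host_matches(pattern: str, host: str) -> bool:
    """Match a destination host against a rule pattern.

    "*.example.com" matches example.com and any subdomain but not
    "notexample.com": the comparison is against the ".example.com" suffix,
    so a lookalike domain cannot ride on an allow rule."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        bare = pattern[2:]
        return host == bare or host.endswith("." + bare)
    return host == pattern


def rule_matches(rule: Rule, conn: Connection) -> bool:
    return (rule.process in ("*", conn.process)
            and host_matches(rule.host, conn.host)
            and (rule.port is None or rule.port == conn.port))


def evaluate(rules: List[Rule], conn: Connection) -> str:
    """First matching rule wins. Anything unmatched returns "ask": the
    connection is held and the user is prompted, which is the behaviour
    the text describes (the tool informs you, you allow or deny)."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action
    return "ask"


def remember_decision(rules: List[Rule], conn: Connection, action: str) -> List[Rule]:
    """Turn the user's answer to a prompt into a persistent rule scoped to
    exactly this process, host and port, so the same question is not asked
    again and the decision does not silently widen to other destinations."""
    if action not in ("allow", "deny"):
        raise ValueError("action must be 'allow' or 'deny'")
    return rules + [Rule(conn.process, conn.host, conn.port, action)]


def triage(rules: List[Rule], attempts: List[Connection]) -> dict:
    """Run a batch of observed connection attempts through the policy and
    group them by outcome; the "ask" bucket is what the user would see."""
    out = {"allow": [], "deny": [], "ask": []}
    for conn in attempts:
        out[evaluate(rules, conn)].append(conn)
    return out


# Constructed policy: browsers and Mail may talk to the web and to one mail
# host; every other outbound connection must be confirmed by the user.
BASE_RULES = [
    Rule("Safari", "*", 443, "allow"),
    Rule("Safari", "*", 80, "allow"),
    Rule("Google Chrome", "*", 443, "allow"),
    Rule("Google Chrome", "*", 80, "allow"),
    Rule("Mail", "*.mail.example", 993, "allow"),
    Rule("*", "*", 25, "deny"),          # no process may send raw SMTP
]

# Constructed connection attempts, not captured traffic. The last three are
# the kind of thing a prompt surfaces: a lookalike of the allowed mail host,
# and an unknown helper process (placeholder name) talking out over HTTP.
SAMPLE_ATTEMPTS = [
    Connection("Safari", "www.example", 443),
    Connection("Mail", "imap.mail.example", 993),
    Connection("Mail", "imap.notmail.example", 993),
    Connection("com.placeholder.updater", "203.0.113.10", 80),
    Connection("com.placeholder.updater", "203.0.113.10", 25),
]

if __name__ == "__main__":
    result = triage(BASE_RULES, SAMPLE_ATTEMPTS)
    for outcome, conns in result.items():
        for c in conns:
            print(f"{outcome:5s} {c.process} -> {c.host}:{c.port}")
```

Two design choices carry the security value: the default outcome is "ask" rather than "allow", so a process the policy has never seen cannot phone home quietly, and a saved decision is scoped to the exact process, host and port that prompted it, so answering one prompt never opens the door to other destinations. The suffix match in `host_matches` is the edge case worth testing: `*.mail.example` must not match `imap.notmail.example`.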

  • Great Debate Moderator

    Security tips for Mac users

    Beyond just installing protective software, can you reiterate some of the best tips you would share with Mac users for protecting themselves against attackers?

    Posted by Jason Hiner

    Common sense please

    I've listed some OS hardening advice in my previous answers. Some more: Download files only from known and trusted websites; Use FileVault 2 to encrypt everything on your Mac; Control access to your Mac by locking your screen after a period of inactivity; Securely delete outdated sensitive files with the Secure Empty Trash command. More importantly, use common sense when browsing the web. If you are prolific on social networks like Facebook and Twitter, get into the habit of distrusting links, even from people within your own network. A compromised 'friend' can do bad things on Facebook. If it looks too good to be true, it probably is.

    Ryan Naraine

    I am for Apple's fault

    It starts with awesome passwords

    1) Use awesome passwords and protect them carefully.
    2) Be careful of the apps you install, both from Apple's Mac store and on iOS (or Chrome's store, or the Android Market, or wherever else); freebies are great, but aren't always kosher in terms of how they track, use, and mine data from your phone.
    3) Install third-party anti-virus, even if just the open source ClamAV (it's an inherent part of most Linux distributions, available as ClamWin for Windows, and available as ClamXav for Mac).
    4) Use webmail to send and receive email.
    5) Patch your OS the minute new software updates become available.
    6) Use browsers (like Chrome) that warn you of potentially malicious sites and software.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    How can Mac users protect themselves?

    If Apple doesn't change its tune and start releasing patches more quickly then what steps should Mac users take to protect themselves from potential malware threats?

    Posted by Jason Hiner

    Some basic recommendations...

    I have a few strong recommendations: Stop surfing the web with Safari; it's just not safe. Download and use Google Chrome to take advantage of the browser sandbox and to get patches in a timely manner. Use the KB SSL Enforcer add-on for Chrome to encrypt browser connections. Uninstall Java. Apply patches to third-party desktop software as soon as they appear, especially for Adobe Reader or Office for Mac, because these are common targets in advanced targeted attacks.

    Ryan Naraine

    I am for Apple's fault

    Two choices

    As Windows users did in years past, Mac users have two choices: 1) Begin using third-party tools 2) Look to other hardware and software vendors. One of the reasons behind Apple's success was Microsoft's early failures in terms of security. It would be a sad day to see Apple be referred to as the "new Microsoft". Users across all platforms must ensure the security of their cloud services, beware of app permissions, and be totally conscious of passwords and identity issues.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Why did Apple delay?

    In terms of the Flashback Trojan itself, what's the deal with Apple delaying the security patch? Is there a reasonable explanation?

    Posted by Jason Hiner

    Nobody knows

    No one knows why Apple has to ship Java for Mac independently. I have asked repeatedly why Apple won't allow Oracle/Sun to ship a Java for Mac fix directly but, as usual, the response from Apple has been complete silence. But it's not only Java. WebKit fixes for Safari are always months late, compared to the same fixes on Mozilla Firefox or Google Chrome. PHP fixes are always late. There are numerous open-source components that get patched but these fixes get to Mac OS X much, much later. We don't know if there's a technical reason for this and Apple's secretive approach (they never answer questions) means we are in the dark.

    Ryan Naraine

    I am for Apple's fault

    It wasn't yet a PR issue

    How many users knew about Flashback until the past month when it made headlines everywhere? It wasn't until Flashback exploded all over the media and tech press that Apple suddenly had a fix. Did users hold off purchasing Apple products until a patch was issued? Of course not! They continued buying Apple hardware in droves, secure in the illusion that they were immune to malware. The only reasonable explanation is that Apple ignores security concerns until they become a PR issue. Users then need to make security a PR issue for Apple. They need to make it an issue that affects Apple's bottom line. Only then will Apple take security seriously.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    What can Apple learn?

    What, if anything, can Apple learn from Microsoft and/or the Linux community about designing and maintaining a secure operating system?

    Posted by Jason Hiner

    Copy everything from Microsoft

    Apple can learn a lot from Microsoft. In fact, I'd say Apple should simply copy Microsoft's playbook word-for-word when it comes to security response. Apple needs an SDL (security development lifecycle) process to make sure developers build security into every stage of the software development process. Apple should copy Microsoft's security advisories program so that users are properly educated when there is a legitimate security threat. If Mac users have to wait a long time for a patch, Apple should be providing temporary mitigations. How about a scheduled Patch Day? This will help IT administrators prepare for patch deployment instead of being surprised by ad-hoc Mac OS X updates. When it comes to security response, Apple is stuck in the 1990s.

    Ryan Naraine

    I am for Apple's fault

    Security needs to stop taking a backseat to user experience

    Utter ease of use and dead-simple usage can't lull users into flagrant disregard for security. As Microsoft has learned, third-party tools are no substitute for integrated security measures and, particularly in Apple's case, when users pay a significant premium for Apple hardware and software, security needs to be part of the package. This has always been a core of Apple's value prop: Buy an Apple and get a complete end-to-end solution. That solution can't ignore security.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Is it one of the worst security threats of 2012 so far?

    Would you characterize the Flashback Trojan as one of the most dangerous security threats of 2012? If so, why? And, if not, then what are some of the other most dangerous threats to users so far in 2012?

    Posted by Jason Hiner

    Could have been nastier

    Like I just said, this has the potential to be really dangerous because the malware can update itself via the trojan-downloader component. The known variants are doing click fraud but, in an age when botnets are rented out to cyber-crime groups, it's not a stretch to imagine that Flashback could have been used for more nefarious purposes. In terms of the total threat landscape, it's not the worst thing we've seen. Some of the more virulent mass-malware attacks, especially on Windows, steal banking credentials and hijack data to perform identity theft. We are seeing signs of sophisticated targeted attacks with nation-state involvement. Global businesses are under constant surveillance in APT attacks. Those things are much more dangerous than the Flashback variants we saw. However, on Mac OS X, this had the potential to be quite nasty.

    Ryan Naraine

    I am for Apple's fault

    Users are their own worst threat

    No, I would call it one of the highest profile. I would even call it the threat that disillusioned a user base. However, I would call the biggest security threat of 2012 computer users themselves. As more and more of us move our digital lives to the cloud, that password of "12345" that worked just fine on a lone machine in our basement is no longer the least bit adequate. Users who continue to ignore the need for anti-malware, don't patch their operating systems, etc., put everyone at risk. We may be moving more and more to the cloud, but the portals to the cloud we use need to be secure, as do the services we use every day.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Mac security, overall

    Overall, what do you consider the most dangerous security problem about the Mac platform?

    Posted by Jason Hiner

    Apple's tardy patching

    There are quite a few but, in my mind, the most dangerous is Apple's intransigence. The company is always tardy on supplying patches for known security problems. Java for Mac is just one example but, if you monitor Apple's patch release process, you'll find they are constantly late with fixes, especially for open-source components. WebKit and Safari are a constant security nightmare. Then we have the whole veil of secrecy thing. Apple simply ignores all media queries about security problems. Whenever there is a legitimate threat, users get zero communication from Apple. There are no pre-patch advisories with mitigations for users. They don't provide data to security vendors to help keep the ecosystem secure. When there's an outbreak, Mac users have to rely on third-party guidance instead of getting help from Apple. As a Mac user myself, it's really frustrating.

    Ryan Naraine

    I am for Apple's fault

    Identity theft, compromised accounts, and rogue apps

    This relates perhaps even more to iOS than to OS X (which, we're seeing, are beginning to converge). iPads are replacing consumer PCs for more end users, and Macs (especially the Air as the original ultrabook) are booming in popularity. Similarly, the iPhone remains the smartphone to beat. All of these are designed to operate in the cloud, where we do our banking, connect to corporate networks, and manage virtually all aspects of our lives. Even the games we play in the form of those free, addictive apps are sending data and enabling all sorts of financial transactions, meaning that users are trusting precious passwords and vital data to iOS more than most other platforms. For the sake of convenience, users often forget the importance of security.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Vulnerability of Macs versus Windows and Linux?

    If we step back and look at the Mac platform compared to Windows and Linux (for example, Ubuntu), how much more or less likely are Macs to end up being infected with spyware and malware?

    Posted by Jason Hiner

    Market share tipping point has arrived

    It comes down to market share, attacker motivation and user mentality. If market share is high enough, cyber-criminals are motivated to invest in attacks. Flashback, in my mind, is confirmation that the Mac market share tipping point is there to validate mass-malware attacks. Malware authors have dabbled in Mac OS X attacks in the past with DNS changers, scareware (fake anti-virus) attacks and the usual phishing lures but if you put everything together, you can see we're entering a new phase. The fact that Apple users have been brainwashed to ignore security threats means that vulnerable desktop applications will remain unpatched and there will always be a large pool of victims waiting to be infected.

    Ryan Naraine

    I am for Apple's fault

    Growing ubiquity = bigger target

    OS X continues to be relatively secure, both because it still trails far behind Windows in market share and because as a *nix-based OS, it has the potential to be tightened up in pretty extraordinary ways (even if Apple hasn't done that as well as it should have to date). Linux enjoys tight security both from an OS perspective as well as from an obscurity perspective (at least on the desktop), but its growing ubiquity in the datacenter and the growing importance of the cloud services it powers will make it a target in the months and years to come. One could argue that security should be the primary concern of all OS distributors; whether or not that will be borne out remains to be seen.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    How bad is the Flashback Trojan?

    Before we dive into the blame game, let's start with a basic security question: How bad is the Flashback Trojan and is it worth all of the fuss that's being made?

    Posted by Jason Hiner

    Reality hits home

    It's bad. Very bad. More than half a million Macs in a for-profit botnet owned by cyber-criminals. In terms of market share numbers (percentage of Mac users infected), this is the Mac version of Conficker/Windows. It's the first in-the-wild malware attack on Mac OS X with such a large number of victims and is further confirmation that the growth in Mac market share is providing a major incentive to attackers. Flashback is particularly nasty because it was spreading via drive-by downloads -- no user interaction, no extra clicks, no admin password required. Surf to a rigged or hacked website, and the malware gets installed automatically. The known variants were used for click-fraud but it could have been even more dangerous because of the trojan-downloader component that allowed the attackers to install additional malware onto the infected machines. Flashback isn't hype in any way. It's a really dangerous -- and eye-opening -- issue.

    Ryan Naraine

    I am for Apple's fault

    It's a big wakeup call

    This is probably a question better answered from a technical perspective by my colleague on the other side of the debate. From my perspective, however, it's a matter of principle. Several hundred thousand infected Macs are enough to create one heck of a botnet. More importantly, though, Flashback represents the end of an era in which Mac users could count themselves relatively immune to viruses. It's important to remember that this "immunity" was largely a result of small market share, making OS X an unworthy target for malware distributors, not because of the inherent security of the operating system. Flashback is a big deal because it's a wakeup call to users.

    Christopher Dawson

    I am for Users' fault

  • Great Debate Moderator

    Mic check

    Are both of my debaters online and ready?

    Posted by Jason Hiner

    One two, one two...

    Check check.

    Ryan Naraine

    I am for Apple's fault

    Ready to rumble

    ...for the truth and justice...

    Christopher Dawson

    I am for Users' fault

Talkback

127 comments
  • Not mutually exclusive?

    "Did Apple fail to protect its users? Or were users defeated by their own misguided fantasies of invulnerability?"

    Probably a bit of both. Although I'd hold Apple more accountable.
    CobraA1
    Vote: I'm Undecided
    • Although . . .

      Although the real fault actually lies with the one who wrote the botnet to begin with. Let's not forget the real criminal in all this. Apple and users can take actions to protect themselves, but ultimately we really need to work on tracking these people down and shutting down their operations. Otherwise, they'll just keep coming back for more.
      CobraA1
      Vote: I'm Undecided
      • True ...

        As long as there is greed in the world, people will continue to look for ways to beat their neighbor out of what is rightfully theirs!
        M Wagner
        Vote: I'm for Apple's fault
      • 49 day delay is Apple's shame, but obviously only *twice* clueless people

        ... could get infected:
        1) they had to believe that Flash does not update itself -- even though it does, and does it quite visibly;
        2) they had to believe that Flash update should be on some weird non-Adobe site.

        Otherwise, getting this trojan would be impossible.
        DDERSSS
        Vote: I'm Undecided
      • DeRSSS still spreading dangerous misinformation

        Flashback would infect macs even if the user did not do something stupid. Regular sites were infected by the drive-by exploit which would infect any visiting macs.
        honeymonster
        Vote: I'm for Apple's fault
      • Honeymonster still spreading dangerous misinformation

        @honeymonster: no regular websites ever hosted this infection. This particular botnet software used Trojan tactics that would bait people into going to some link with "Flash update" (hence the name).

        You could never get infected visiting any regular site (ZDNet, CNN, et cetera).
        DDERSSS
        Vote: I'm Undecided
      • .nu services

        Most of the servers that flashback reports back to are .nu domains. The companies who host these web sites should police their services for terms of services violations. Go after the criminals, not the victims.
        BradMacPro
        Vote: I'm Undecided
      • You can blame cyber crims....

        ...but with Apple now encouraging (almost to the point of REQUIRING) users to log into iCloud for everything across the whole range of Apple devices, I would be targeting Macs too as getting access to an Apple ID would gain me access to information on that person's iPhone, iPad, and all iOS devices without even hacking into any of those idevices.
        Apple has put ALL their users' data in one huge basket and that is a very dangerous trend.
        This is before you even argue about the merits of Apple's security measures in their OSes. Or the fact that Apple has sold their users a false sense of security thus the users lower their guard. Couple that to the fact Apple is the SLOWEST to offer security updates and you can bet that Apple users will be targeted by crims because Apple set up the ideal environment and infrastructure for hackers.
        Crims are opportunistic. You can blame crims but Apple is largely to blame for setting up the opportunity.
        No organisation, not even Apple's billions, has enough resources to shut down cyber crime significantly. The money is better spent in improving security and educating users.
        warboat
        Vote: I'm for Apple's fault
      • @warboat

        "...but with Apple now encouraging (almost to the point of REQUIRING) users to log into icloud for everything across the whole range of Apple devices, I would be targeting Macs too as getting access to an Apple ID would gain me access to information on that person's iPhone, iPad, and all iOS devices without even hacking into any of those idevices.
        Apple has put ALL their user's data in one huge basket and that is a very dangerous trend."

        First, just because you use a Mac does not mean you have to use iCloud, but of course I am sure you actually know that. Second, isn't Google putting all the customer information into one place in the same way that Apple is? Do you have an issue with Google doing this, or is it like so many other statements you have against Apple: it's only an issue because it's Apple and not somebody else?
        non-biased
        Vote: I'm Undecided
    • Enough Blame to go Around. Twice!

      Count me as a vote for both Apple and users sharing the blame. Apple is a victim of its own success, plying the vision that Macintosh is easy to set up, easy to learn, easy to use, and easy to own. Well, with mechanical devices such as cars, furnaces, and especially computers, ownership includes an element of informed maintenance.

      The users who are drawn to Macintosh tend to be non-technical people, and a huge element of that attraction is the belief that you can use Macintosh and own it, problem free, without needing any technical smarts. And so, these people willingly and enthusiastically buy into the Macintosh Mystique.

      And so, you end up with a huge Macintosh user base that enshrines beliefs such as Macs don't get viruses (or other malware), and which have no understanding of file and directory fragmentation, the prospect of hardware failures (e.g., bad blocks on a disk), the high failure rate of today's SSDs, or even things such as a tested and proven data backup/recovery strategy.

      It could be said that in some ways, Apple and its users deserve each other: Those who so want you to believe in heaven, and those who are so willing to believe there is one.

      FWIW, I was a rabid MacZealot for over a decade. I still have several Macs, but my main computer by a wide margin is a Windows XP PC. I don't think Macs are crap. I believe Apple has created a solid niche for a certain type of computer user. But I also believe that even that kind of user is best served to have a moderate level of knowledge and understanding about the machine they operate, and how to maintain it properly.
      SteveMak
      Vote: I'm Undecided