Mac users 'must wise up to social engineering'

It's not just PC users who can be victims of their own stupidity when it comes to Internet security

It's not just PC users who can be victims of their own stupidity when it comes to Internet security

Ignorance is bliss, as the saying goes, but users of Apple's OS X platform could pay a hefty price if they continue to live in denial, industry observers have warned.

The biggest security vulnerability could lie in the fact that OS X users aren't "trained" to monitor and identify social engineering tactics that have been used against Windows-based users for years.

Over the past week, two pieces of malware targeting OS X have been found in the wild. One arrives over an instant messenger application and requires a user to decompress and open a malicious file while the second exploits an old vulnerability in Mac's Bluetooth software, which was patched in June 2005.

Mark Borrie, IT security manager at New Zealand's University of Otago, said although he hasn't experienced any infections, he's concerned at the ease in which social engineering can be used against the Mac community.

Borrie manages a total of 12,000 desktops, including nearly 5,000 Macs.

"These viruses rely on user action. That is where the vulnerability lies — the person behind the keyboard. Mac users have been immune from mass mailer viruses," said Borrie.

Senior security researcher at software security specialists Suresec, Neil Archibald, who has been credited with discovering several security vulnerabilities in Apple's increasingly popular platform, told ZDNet UK sister site ZDNet Australia that Mac users are not immune from malware that requires user interaction — such as the Leap-A Trojan discovered last week.

"I would hope that most people would be aware that there is nothing protecting them from file-based infection on their system. However... it would seem most people think they have an invisible bubble protecting them from harm," said Archibald.

Archibald said that samples of OS X malware have been circulating on the Internet for some time and he is surprised that Leap-A did not take advantage of any unpatched vulnerabilities.

"The methods used by this malware (resource fork infection and method swizzling) have both been published by numerous sources... A local privilege escalation vulnerability, however, would have been quite useful for the malware to escalate privileges on the compromised host, without requiring user interaction. There are an abundance of local vulnerabilities in Mac OS X... it's very surprising that this malware did not use any," said Archibald.

Over the past year, the Mac community has been advised to pay more attention on security but the warnings seem to fall on deaf ears.

In September 2005, Borrie said: "On the security side of things I reckon the Mac community has yet to wake up to security. They think they are immune and typically have this idea that they can do whatever they want on their Macintosh and run what they like... If I can get our Mac users up to speed and say 'you are not immune' — so when [the malware] hits, hopefully we will be pretty safe".

At the time, he was accused of scaremongering by Mac users but Borrie hopes that the recent malware attacks will help send home his message of education and vigilance. "There were a lot of people saying 'it is a load of rubbish' and 'he doesn't know what he is talking about' but that is exactly the kind of attitude that I was worried about. Maybe [the malware authors] have done us a favour."

Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.