Monday, May 23, 2011

the mac malware phenomenon

i posted something to twitter earlier (which was already too big to actually fit in a normal tweet) but i think there's more to be said.

those who downplay the mac threat landscape by comparing it to the pc are missing the point. the mac will never be the pc, it'll never follow the same path or be in exactly the same place, but the mac community was sold false hope and many of them are either unaware or in denial about the fact that they were lied to.

one of the most crippling thing about mac security awareness is the pc comparison. people can't look past the fact that things aren't as bad for the mac. does that really matter? crime in your neighborhood likely isn't as bad as crime in a ghetto (unless you happen to be unfortunate enough to be living in a ghetto), does that mean it's safe to leave the door to your house or car unlocked? no.

stop thinking about the comparison, stop thinking about the pc entirely. imagine there are no pc's. think about the things that have happened in the mac landscape over the past several years and what they mean to the various subsets of the mac user population.

there are users who believe macs are immune to viruses. that was proven technically false five years ago (i wrote about it here). the viruses that have been produced may have never reached epidemic proportions, but epidemics are a poor yardstick for measuring risk. car crashes aren't exactly an epidemic, but you should still fasten your seatbelt.

there are users who believe macs are inherently secure because of their *nix lineage. this, in spite of the fact that the initial academic investigation of the concept of computer viruses involved successful experiments in a professionally administered unix environment. also in spite of the fact that rootkits originally come from the *nix family of platforms. also in spite of the fact that a security researcher renowned for successfully attacking the platform on multiple occasions has explicitly contradicted the notion that macs are especially secure.

there are those who believe that for something to be a real threat it has to activate by itself without user intervention, that something that requires the user's help is only an issue for dumb users. this despite the obvious success of social engineering attacks like phishing that are already platform agnostic.

there are users who believe macs aren't really a target of criminals yet. they believe that the criminals have bigger fish to go after so the mac isn't worth the effort. they believe criminals have to make an either/or decision about which platform to attack. these beliefs are in stark contrast to a nearly 4 year old reality of professional cybercriminals attacking the mac platform - specifically the zlob gang taking their already successful windows trojan and porting the important functionality over to the mac (which i mentioned here and here). the more recent example of java based malware is an indication that the cybercriminals are trying to take the either/or question out of the equation entirely.

and then there are those wonderful users who are actually security aware but somehow believe the rest of the mac user community is largely like them so the efforts to raise awareness of security issues are pointless and alarmist. this is even though it's plain to see that security aware people are a minority in any population. and as far as the mac user population goes, apple's marketing was quite clearly designed to appeal to people based on style, image, and simplicity, and told users that security was something they didn't have to worry about. to imagine such a population is somehow better at dealing with security issues than the average person seems more than unjustifiably optimistic.

macs can be attacked, they have been attacked, their attackers are enjoying increasingly numerous successes, and not enough mac users know it. it's a growing threat and there has yet to be a compelling argument put forward that it won't continue to grow. knowledge is the first prerequisite for people to be able to protect themselves. stop pretending everyone knows what you know or are smart enough to make the threat a non-issue, there's just too much variety amongst humans for that to be true.