August 11, 2010

Hacking the Apple, when where how... and whether we care why?

One of the things that has been pretty much standard in infosec is that the risks earnt (costs incurred!) from owning a Mac have been dramatically lower. I do it, and save, and so do a lot of my peers & friends. I don't collect stats, but here's a comment from Dan Geer from 2005:

Amongst the cognoscenti, you can see this: at security conferences of all sorts you’ll find perhaps 30% of the assembled laptops are Mac OS X, and of the remaining Intel boxes, perhaps 50% (or 35% overall) are Linux variants. In other words, while security conferences are bad places to use a password in the clear monoculture on the back of the envelope over a wireless channel, there is approximately zero chance of cascade failure amongst the participants.

I recommend it on the blog front page as the number 1 security tip of all:

#1 buy a mac.

Why this is the case is of course a really interesting question. Is it because Macs are inherently more secure, in themselves? The answer seems to be No, not in themselves. We've seen enough evidence to suggest, at an anecdotal level, that when put into a fair fight, the Macs don't do any better than the competition. (Sometimes they do worse, and the competition ensures those results are broadcast widely :)

However it is still the case that the while the security in the Macs aren't great, the result for the user is better -- the costs resulting from breaches, installs, virus slow-downs, etc, remain lower [1]. Which would imply the threats are lower, recalling the old mantra of:

Business model ⇒ threat model ⇒ security model

Now, why is the threat (model) lower? It isn't because the attackers are fans. They generally want money, and money is neutral.

One theory that might explain it is the notion of monoculture.

This idea was captured a while back by Dan Geer and friends in a paper that claimed that the notion of Microsoft's dominance threated the national security of the USA. It certainly threatened someone, as Dan lost his job the day the paper was released [2].

In brief, monoculture argues that when one platform gains an ascendency to dominate the market, then we enter a situation of particular vulnerability to that platform. It becomes efficient for all economically-motivated attackers to concentrate their efforts on that one dominant platform and ignore the rest.

In a sense, this is an application of the Religion v. Darwin argument to computer security. Darwin argued that diversity was good for the species as a whole, because singular threats would wipe out singular species. The monoculture critique can also be seen as analogous to Capitalism v. Communism, where the former advances through creative destruction, and the latter stagnates through despotic ignorance.

A lot of us (including me) looked at the monoculture argument and thought it ... simplistic and hopeful. Yet, the idea hangs on ... so the question shifts for us slower skeptics to how to prove it [3]?

Apple is quietly wrestling with a security conundrum. How the company handles it could dictate the pace at which cybercriminals accelerate attacks on iPhones and iPads.

Apple is hustling to issue a patch for a milestone security flaw that makes it possible to remotely hack - or jailbreak - iOS, the operating system for iPhones, iPads and iPod Touch.

Apple's new problem is perhaps early signs of good evidence that the theory is good. Here we have Apple struggling with hacks on its mobile platform (iPads, iPods, iPhones) and facing a threat which it seemingly hasn't faced on the Macs [4].

The differentiating factor -- other than the tech stuff -- is that Apple is leading in the mobile market.

IPhones, in particular, have become a pop culture icon in the U.S., and now the iPad has grabbed the spotlight. "The more popular these devices become, the more likely they are to get the attention of attackers," says Joshua Talbot, intelligence manager at Symantec Security Response.

Not dominating like Microsoft used to enjoy, but presenting enough of a nose above the pulpit to get a shot taken. Meanwhile, Macs remain stubbornly stuck at a reported 5% of market share in the computer field, regardless of the security advice [5]. And nothing much happens to them.

If market leadership continues to accrue to Apple in the iP* mobile sector, as the market expect it does, and if security woes continue as well, I'd count that as good evidence [6].

[1] #1 security tip remains good: buy a Mac, not because of the security but because of the threats. Smart users don't care so much why, they just want to benefit this year, this decade, while they can.

[2] Perhaps because Dan lost his job, he gets fuller attention. The full cite would be like: Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman, Bruce Schneier, "CyberInsecurity: The Cost of Monopoly How the Dominance of Microsoft's Products Poses a Risk to Security." Preserved by the inestimable, a forerunner of the now infamous

[3] Proof in the sense of scientific method is not possible, because we can't run the experiment. This is economics, not science, we can't run the experiment like real scientists. What we have to do is perhaps psuedo-scientific-method; we predict, we wait, and we observe.

[4] On the other hand, maybe the party is about to end for Macs. News just in:

Security vendor M86 Security says it's discovered that a U.K.-based bank has suffered almost $900,000 (675,000 Euros) in fraudulent bank-funds transfers due to the ZeuS Trojan malware that has been targeting the institution.

Bradley Anstis, vice president of technology strategy at M86 Security, said the security firm uncovered the situation in late July while tracking how one ZeuS botnet had been specifically going after the U.K.-based bank and its customers. The botnet included a few hundred thousand PCs and even about 3,000 Apple Macs, and managed to steal funds from about 3,000 customer accounts through unauthorized transfers equivalent to roughly $892,755.


[4] I don't believe the 5% market share claim ... I harbour a suspicion that this is some very cunning PR trick in under-reporting by Apple, so as to fly below the radar. If so, I think it's well past its sell-by date since Apple reached the same market cap as Microsoft...

[5] What is curious is that I'll bet most of Wall Street, and practically all of government, notwithstanding the "national security" argument, continue to keep clear of Macs. For those of us who know the trick, this is good. It is good for our security nation if the governments do not invest in Macs, and keep the monoculture effect positive. Perverse, but who am I to argue with the wisdom in cyber-security circles?

Posted by iang at August 11, 2010 09:30 AM | TrackBack

I don't think this is quite the whole story....

I agree that, all other things being equal, there would be a bigger risk when using a system with larger market share and higher profile, both from the point of view of potential prestige gained (hacker) of potential gains (criminal).

But I don't really agree that other things are anywhere near equal. Historically windows has long had a woeful lack of security in the kernel, and since the NT redesign has addressed this to some extent at the kernel level, the design priorities of the layers above fail completely to capitalise on it.

Unix and unix based plaforms (and I include reimplementations of the basic unix architecture such as Linux and MacOS/BSD in that category) have evolved with a security paragigm developed by the people that had to use it, not by people planning to sell it. It is possible to do day to day work without requiring administrator access, and certainly without ever executing foreign code that requires privileged access and with no knowledge of the details of what it is doing.

With windows this is not the case. To attempt to work as a non-administrator means being frequently inconvenienced and bombarded with popup demands to entry an administrator password without any clear explanation as to why it is needed, either to get a software package to install or some automatic update to complete.

The only choice is to enter the password and hope, or to decline and wonder what is now not going to work properly as a result. And even if you accept the need to forgo the applications you need in the name of security, there is still the problem of a system configured by default to go off and execute, automatically and sometimes with administrator privilege, programs that happen to be residing on removeable media, received from Internet or scripts embedded in spreadsheets or other objects the opening of which is not normally thought of as running an executable.

The bottom line is that security in windows is a bit like the Posix subsystem. It is there so that a box can be ticked, but if you actually try to use it you have to be willing to forgo most of the functionality of the system.

A very clear indicator of what is wrong with Windows security is the existence of the almost mandatory anti-virus products. It is like having so little confidence in the locks on your front door that you pay someone to call in at regular intervals to check for for signs of intruders. Serious Unix administrators know it isn't enough to just keep throwing them out. If an intruder does get in, the only safe thing to do is pull pull the house down and rebuild from scratch.

Sure, popularity and market share increases the profile and
attractiveness of a system to an intruder. And hence increases the security threat. But an attacker has to balance that against the robustness of the defenses, and hence likelihood of finding an exploit, and once found, the proportion of systems attacked that are likely to be vulnerable.

So I would list as examples of other factors that would be significant in determining the security threat to users of a particular operating system to include the soundness of the security architecture, the attractiveness of likely users (is it used in financial industries, defense, etc) and also the likely sophistication of the average user/administrator. I am sure there are more.

Posted by: Regards, DigbyT at August 11, 2010 08:24 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.