Macs: Not Necessarily Secure
The CanSec Conference has a reputation as one of the best information security conferences anywhere, and apparently the recent one that was held in British Columbia was no exception. One of the most interesting events at this conference was a hacking event in which white hat attacker contestants launched attacks against a variety of machines running different operating systems—Windows, Linux, Unix, and others. Interestingly, a Macintosh running Leopard OS X 10.5.2 was the first to be broken into. I know a lot of Mac fanatics who probably will not believe the news about what happened—many of them believe that Macs are very secure out-of-the-box and that vulnerabilities that are discovered in these boxes are almost always minor ones. In the past, some of my job responsibilities included issuing security alerts; more than a few times Mac users who received them bristled at the notion that any serious security vulnerability could be present in this operating system.
I have no ax to grind concerning Macs. I would, in fact, if anything call myself a Mac enthusiast. Most of the computers that I personally own are Macs, and I have converted my wife, my father, my children and several close friends over to Macs because, frankly, Macs are in my estimation the easiest type of computer for home users to operate day in and day out. Macs do not, for example, seem to get infected by viruses, worms or Trojans nearly as frequently as do Windows systems. Additionally, Macs do not have a Registry or anything resembling this massive, confusing repository of system and application parameters in Windows systems. At the same time, however, even the most avid Mac enthusiast needs to be acutely aware that Macs are becoming a more and more frequent target of attacks. Just look the recent growth in the number of Web postings on this topic and the greater emphasis Mac hacking has been receiving at information security conferences. The black hat community is now openly interested in attacking Macs; only a few years ago, the opposite was true. Remember, too, that MacOS 10 is actually a variant of Berkeley Unix, an operating system that has been frequently and proficiently attacked for several decades now.
Out-of-the-box Macs (like many other operating systems) are not bad when it comes to security. Some amount of effort must be expended to make this operating system adequately secure. But securing an operating system is only the beginning of achieving suitable levels of security. Vulnerabilities in Web browsers and other applications can be exploited just as readily as operating system vulnerabilities, as nicely shown by the fact that the break-in into the Mac at the recent CanSec Conference was through exploiting a vulnerability in Safari. So believing that Macs are sufficiently secure to withstand attacks without having to change certain configuration settings, turn off services, and install patches is sheer idiocy.
Which particular operating system is most secure is more a matter of religious debate than anything else. At the same time, however, CanSecWest’s hacking contest produced a clear winner—Ubuntu (a version of Linux)—which was the only operating system that withstood all attacks against it. Hopefully, all these events will help serve as a gigantic wake-up call to the Mac user community—Macs, like any other operating system, need to have their security tightened if they are going to be able to withstand today’s highly sophisticated and numerous attacks.