Security Experts:

Don't Panic Over the Latest Mac Malware Story

Mac OS might not be as attractive to attackers as you might think.

William Safire, the late pugilistic pundit and language maven for the New York Times, had as much fun with the English language as a person could have. His On Language column anchored the weekend New York Times Magazine for 30 years, and his bi-weekly observations on the Washington political scene were legend. He wrote with great wit and style. One of my favorite musings of his was his last posting, “How to Read a Column.” In it, he instructs readers how to read “between the lines” of opinion and editorial pieces. Among other advice, he exhorted savvy readers to 1) look for insights halfway down the column, rather than in the headline or lede; 2) question motives by asking yourself “who benefits from the story?” and 3) watch out for too-cute writing that tries too hard to be unpredictable or deliberately controversial.

I mention Safire because I suspect he would be amused to read about the recent wave of attacks on the Mac, or perhaps I should say, the current wave of predictions about attacks on the Mac. Longtime Microsoft columnist Ed Bott made national news on May 2nd, when he asserted categorically that “serious malware is coming soon to a Mac near you.” As evidence, Ed pointed to a video made by a Danish IT security company named the CSIS eCrime Unit, a company I have never heard of. That video describes a “crimeware” program that can build Mac-compatible Trojan-horse programs for capturing keystrokes and passwords. To lure victims into installing the Trojan, visitors to poisoned websites are shown native-looking dialogs that try to scare them into downloading fake security software. Ed has since followed up his initial column with four more posts on the same subject. The most recent one describes a large increase in customers who are complaining about malware in Apple support forums. All of these posts are meant to persuade readers that, indeed, the Mac is becoming just like Windows: malware-laden and dangerous.

As with most stories Mac-related, the malware-is-finally-coming story attracted a lot of press. It made the rounds on Techmeme, started a huge flame war on Slashdot, and set Twitter afire. As a former analyst and full-time professional pundit, whenever I see a meme like this one racing around The Interwebs, my ears perk up. And in a manner that Bill Safire would likely approve of, in my perked-up state I ask four questions:

• Who benefits from the story?

• Why should we care?

• If we do care, what do we do about it?

• What else should we be thinking about?

First, let’s start with the question of who benefits. As mentioned above, Ed Bott incited the most recent round of Mac malware stories. No doubt, the increased page-views for his recent columns and attention from readers benefits him and his publisher. But speaking as a fellow writer and geek, his motives clearly flow from a desire to alert consumers and enterprises about a trend he feels is important to discuss, and not from a desire to make news for its own sake.

The second beneficiaries of Mac scareware stories are the incumbent security vendors that sell anti-virus products. These companies are predisposed to predicting things that validate their business models. As early as 2005, companies ranging from Symantec, McAfee and Trend Micro to Kaspersky and Sophos have all erroneously predicted the rise of Mac malware. Conveniently, these firms also sell subscription medicine that makes these future ailments go away. John Gruber, author of the popular Mac-centric blog Daring Fireball, assembled some of the choicest predictions in a post called “Wolf!”, which I recommend you read as entertainment. The security firms may yet be proved right, but to date they have been flat wrong — wrong enough to be called scaremongers. (Which I did, in print, five years ago.)

An important — but unstated — beneficiary of this latest apocalyptic Mac prediction is a cadre of IT professionals who seem to derive a perverse pleasure from the prospect of seeing Mac customers deal with the same daily security annoyances they have been putting up with for years. The Germans have a word for this, schadenfreude, which means “taking delight in the suffering of others.” Note to readers: whenever you see or hear an author voicing contempt for customers by calling them arrogant, smug, complacent, oblivious, shiny-shiny obsessed members of a cabal, “living in a false paradise,” or “fanboys” (with or without the i-for-y substitution), take a whiff of the air nearby. You’ll sniff the sickly sweet smell of schadenfreude wafting in from the general vicinity of the speaker. The condescension doesn’t persuade customers to take security any more seriously, but it probably makes the speaker feel better, right?

Now that we’ve established who benefits from Mac malware predictions — security companies and a certain type of IT professional — the second question is, do we care about the prediction that “serious” malware is coming to Macs? Only a little. It is true that Macs aren’t dusted with some sort of magic unicorn Unix-y pixie powder that makes them less vulnerable to security flaws than Windows. But it is equally true that the Mac remains a less risky platform than Windows because of the fewer strains of malware written for OS X. By “fewer” I mean 99% fewer: a hundred malware samples versus 50 million. The Mac also has a much less evolved malware supply chain. By “less evolved” I mean “nonexistent,” this one example notwithstanding.

The business of malware, in the Windows world, is a lot like the fast food industry, with results almost as toxic. Crime syndicates sell dozens of exploit kits, readily available for purchase or rental on underground forums. It’s a super-sized supply chain operation with raw materials manufacturers (who turn exploits into weapons), assemblers (who make the exploit kits), distributors (forums), franchisees (who run botnets) and customers (victims).

It has taken the Windows malware supply chain twenty years to evolve to its current level of stratification and sophistication. It stands to reason that this supply chain won’t be replicated overnight for the Mac. Charlie Miller, a noted security researcher with serious OS X and iOS creds, calls the Mac “safer, but less secure… Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.” Could that change? Yes, although crime syndicates have a larger “addressable market” in at least one mobile operating system, and are much more likely to seek to replicate their business models there first. (More on that in a minute.) In the meantime, the Mac was a relatively low-risk computing platform last month, and will continue to be one next month, too.

Third, let’s assume we do care about this, perhaps a bit more than previous predictions of Mac malware epidemics. What do we do about it? As with malware on Windows, remedies include both technical fixes and policy recommendations. If you are a home or small business Mac customer, you should take sensible technical precautions. For example, you should reduce the likelihood that the most popular target for attackers — the browser — will be compromised, by turning off default settings that OS X foolishly ships with. Switch off the Java plugin and turn off the setting that causes Safari to open “safe” files after downloading, such as less-safe-than-they-used-to-be PDF files. Use a Flash blocker such as ClickToFlash to prevent another potential point of compromise. Turn on your Mac’s application firewall. If you are highly security-conscious, you may also want to encrypt your home directory using FileVault, protect access to your computer’s firmware with a password, use a password wallet such as 1Password, or consider using an outbound firewall such as Little Snitch. Whether you feel you need a Mac anti-virus program is a judgment call; personally, I feel that it is still overkill. If you work in a large enterprise that uses Apple Remote Desktop or a cross-platform desktop management tool, your admins can implement these technical precautions in an automated way.
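As an added illustration (this script is not part of the original article and is not Apple's tooling), here is the form those browser and firewall precautions take when an admin scripts them for distribution with Apple Remote Desktop, with an audit mode that reports which settings are still at their shipped defaults. It assumes a Mac OS X system with the `defaults` utility and `/usr/libexec/ApplicationFirewall/socketfilterfw`; the Safari preference keys `AutoOpenSafeDownloads` and `WebKitJavaEnabled` are assumed to be the keys behind the two Safari settings named above and should be verified against the Safari version you run. FileVault and the firmware password were GUI-only settings on the OS X releases being discussed, so the script leaves them out. Set `DRY_RUN=1` to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example: apply and audit the browser/firewall precautions described above.
# Assumes Mac OS X with the `defaults` utility and socketfilterfw at the path below.
# The Safari preference keys are assumed to match the settings named in the text;
# verify them against your Safari version before rolling this out.
# DRY_RUN=1 prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-0}"
SFW="${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Execute a command, or print it when DRY_RUN is set.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

# Print a boolean preference as 1/0, or "unset" when the key has never been
# written (an unset key means Safari is still using its shipped default).
pref_bool() {
  val=$(defaults read "$1" "$2" 2>/dev/null) || { echo unset; return 0; }
  case "$val" in
    1|true|YES) echo 1 ;;
    0|false|NO) echo 0 ;;
    *) echo "$val" ;;
  esac
}

# check_pref DOMAIN KEY WANT SHIPPED_DEFAULT DESCRIPTION
# Returns 0 when the effective value equals WANT, 1 otherwise.
check_pref() {
  have=$(pref_bool "$1" "$2")
  [ "$have" = unset ] && have=$4
  if [ "$have" = "$3" ]; then
    printf 'OK    %s\n' "$5"
    return 0
  fi
  printf 'FAIL  %s (%s %s = %s, want %s)\n' "$5" "$1" "$2" "$have" "$3"
  return 1
}

harden_browser() {
  # Stop Safari from launching "safe" downloads automatically; this is the
  # behaviour fake-AV installers rely on to get their first dialog in front
  # of the user without a deliberate double-click.
  run defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
  # Disable the Java plug-in in Safari.
  run defaults write com.apple.Safari WebKitJavaEnabled -bool false
}

harden_firewall() {
  run sudo "$SFW" --setglobalstate on
}

# Report current state; the return value is the number of failed checks.
audit() {
  failures=0
  check_pref com.apple.Safari AutoOpenSafeDownloads 0 1 \
    "Safari does not auto-open downloaded files" || failures=$((failures + 1))
  check_pref com.apple.Safari WebKitJavaEnabled 0 1 \
    "Java plug-in disabled in Safari" || failures=$((failures + 1))
  fw=$("$SFW" --getglobalstate 2>/dev/null || echo "socketfilterfw unavailable")
  case "$fw" in
    *"is enabled"*) echo "OK    application firewall is on" ;;
    *) echo "FAIL  application firewall: $fw"; failures=$((failures + 1)) ;;
  esac
  return "$failures"
}

case "${1:-}" in
  harden) harden_browser; harden_firewall ;;
  audit)  audit ;;
  *)      echo "usage: $0 harden|audit" ;;
esac
```

Run it as `sh harden-mac.sh audit` on a fleet first to see how many machines still auto-open downloads, then push `harden` once you have confirmed the keys against your Safari build. The audit treats a never-written key as the shipped default rather than as "passing", which is the mistake most quick compliance scripts make.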

From the policy perspective, this current round of Mac malware predictions gives employers a good excuse to reinforce existing policies about social engineering and fake-antivirus scams. Bott’s recent posts describe how many Mac customers apparently fell for the fake anti-virus scam that led them to unwittingly download the Mac Defender Trojan horse. Fake AV is not a uniquely Mac problem; just the other day, for example, a family member using a Windows laptop nearly fell for a similar scam. And in 2006, a Harvard study called “Why Phishing Works” showed that the best phishing websites fooled 90% of participants. Both of these examples show that susceptibility to trickery is a platform-independent problem.

Companies should take the opportunity to train and test employees about spotting scams wherever they are encountered: on Windows, on a Mac, or on a mobile device. They should also reiterate and enforce policies about how software is officially distributed and installed for each platform IT supports, such as through an in-house software distribution service or an online app store.

Lastly, as we consider what the current debate about Mac security means, we need to ask: what else are we missing that we should be thinking about? Let’s assume for sake of argument that the Mac security landscape is a little more dangerous today than it was yesterday. Let’s assume also that this discussion gives consumers and corporate security teams the excuse they need to reinforce existing controls and policies. So, what’s next? Here are the two things I am thinking about:

The desktop Mac OS might not be attractive to attackers as you might think.

Security researcher (and friend) Adam O’Donnell released an influential presentation in 2008 that used game theory to predict that malware on Macs would increase dramatically once Apple’s PC market share reached 5-10%. Essentially, he argued that the larger desktop OS share would provide a critical mass of targets for attackers to exploit. Ed Bott cites this study as an explanation for the malware wave he is predicting. Adam’s presentation makes a good point, but it didn’t consider the Mac in the context of the larger computing market. By focusing on PC operating systems only, he excludes from the analysis the fastest growing segment of computing: Post-PC devices such as smartphones and tablets. According to Apple, the Mac installed base is approximately 50 million users. But according to Gartner, the number of Android handsets sold in 2010 alone exceeded 67 million units, giving it an installed base that is larger, and growing much faster, than the Mac base. If large numbers of eyeballs are indeed the lure that causes criminals to write malware for a given operating system, surely Android is a more tempting target than Mac OS. Judging from the recent stories about Android malware such as DroidDream, it appears that attackers agree.

Over time, the Mac App Store will increase customer security.

I predict that the increase in perceived risks to Mac customers will give Apple the excuse it needs to increase its control over the Mac software ecosystem, by moving ISVs to the Mac App Store. It is no accident that the theme of the upcoming Lion desktop operating system is “Back to the Mac”: taking concepts that Apple employed successfully with the mobile version of OS X (iOS) and back-porting them to the desktop OS. One of those features is the introduction of the Mac App Store, an Apple-controlled storefront for selling and distributing applications. As with the iPhone/iPad App Store, Apple screens and signs all apps sold through the Mac App Store. This provides buyers some assurance that their apps are from known points of origin and that they don’t contain malware, such as the Mac Defender Trojan horse. I predict that once the two 500-pound-gorilla ISVs — Microsoft and Adobe — distribute apps through the Mac App Store, Apple will announce that this will be the only mainstream way to install applications on Macs. Apple will do this because the Mac App Store makes it easier to discover and buy applications, and because it makes them money. But as a side effect, cutting down the number of ways that foreign code can be installed should, over time, vastly reduce the (already low) risk Mac customers face from malware.

Neither of these two considerations will change the relative levels of risk Mac customers face in the near term. Although the Mac Defender Trojan horse gives customers more things to worry about, the Mac remains the safest mainstream desktop operating system, albeit one that is increasing in importance relative to Windows but declining in importance relative to Android and iOS. It’s no time to be complacent (there’s that word again), but also: no need to panic. The one thing we can predict with absolute assurance is that Mac malware stories will keep making the rounds, and that I’ll have plenty to write about in the years ahead.

Andrew Jaquith is CTO at SilverSky. Prior to his current role, he served as a senior analyst with Forrester Research where he led team coverage for data, endpoint and mobile security topics. Prior to joining Forrester, he was program manager in Yankee Group's enabling technologies enterprise group, with coverage of client security, digital identity, and web application security. Before joining Yankee Group, he co-founded @stake, a security consulting pioneer, which Symantec acquired in 2004. Before @stake, he held project manager and business analyst positions at Cambridge Technology Partners and FedEx. He is the co-developer of the Apache JSPWiki open source wiki software package, and the author of the 2007 Addison-Wesley Professional book "Security Metrics: Replacing Fear, Uncertainty and Doubt." Andrew holds a B.A. in Economics and Political Science from Yale University.