Insecurity
by Robert Mohns - January 2, 2008 / 9:59am
iMarc is a little unusual in its Mac-PC distribution. More than half of our design team use Windows, while more than half of our developer team use Macs. Overall, we are almost exactly split: eight Windows users, eight Mac users, and Will, who recently went Ubuntu.
Security is of general interest, but in particular, I think the Mac is becoming a more insecure platform ... not so much inherently, but because it's finally becoming interesting to organized internet crime.
BBC News has published an interesting article about the business of "cyber crime": "Boom times for hi-tech criminals."
Let's start with a key excerpt from the BBC article:
"2007 was a fairly interesting year," said Joe Telafici, vice president of operations for McAfee's Avert Labs, "cyber crime continued to fuel most of the security attacks we saw."
It was a year, he said, which saw the effective extinction of young hackers who wrote viruses and other malicious programs for fun.
Now, he said, Windows malware was all about money.
Some attacks, such as phishing runs, were clearly about stealing cash from victims either from a credit card or bank account.
But, he said, many others that looked more innocuous were done with money in mind. For instance, he said, trojans placed in banner ads that try to hijack a home PC were all about getting hold of resources that can be rented out for a fee to spammers or other net-based criminals.
"There's a real eco-system built around this," he said.
Paul Henry, vice president of technology evangelism at Secure Computing said the tool of choice for many hi-tech criminals was the botnet - a collection of hijacked home PCs.
Ars Technica has just published a summary of Mac OS X market share, discussing both absolute numbers and trends.
As of November 2007, the Mac had reached 7.3% market share. Remember, we're coming from just 4% two years ago. That's nothing to sneeze at.
Now, let's tie these two articles together and do a little New Year's forecasting: as the Mac market share grows, Macs will begin to become relevant to the botnet market. There are enough out there to be interesting, and the POSIX-compliant BSD (Unix) layer provides some nice tools for crackers once they're in.
In fact, it's already happening. In October, a Mac-specific trojan horse masquerading as a video plug-in for Safari/Firefox was sighted in the wild and took over lots of Macs. Admittedly, we joked about it because it was pretending to give you access to free pornography, and it was pretty primitive in its effects, but as a proof of concept, it does its job nicely. The writing is on the wall.
Of course, market share alone isn't everything. Ten years ago, Linux distributions were the target of choice for early botnets. Linux was vastly outnumbered by Windows on the net, but Linux distributions were insecure by default and very easy to exploit. After a few years, all the major distributions got the message and new (and updated) Linux distros were secured by default. It worked -- crackers turned their attention to the next easiest system to exploit, Windows.
Back Orifice had its day, followed by worms such as Code Red and Nimda, which spread themselves with startling effectiveness. (Nimda is said to have become the most widespread worm ever in just 22 minutes.) In January 2007, Storm Worm appeared, and by September, it had created a botnet of ten million Windows PCs. Big business, indeed.
Well, the Mac is next. There are enough Macs on the net to be interesting; they make a nice platform for internet-connected processes and distributed computing; and Apple is slow to respond to security vulnerabilities, making it a ripe target for attacks in the period between discovery and patching.
I am frustrated, at times, by the constant stream of tiny Windows security updates from Microsoft, but the fact is, that stream of rapid patches helps keep modern versions of Windows secure. Apple's approach of occasional monolithic updates is easier for users, but leaves much longer gaps between the discovery of security vulnerabilities and their resolution. To date, Apple has been reasonably responsive in quickly patching actual exploits (which are of far more concern than vulnerabilities, which are usually theoretical), but I fear that Apple's model of slow response and no public acknowledgement of issues while they're working on them is going to leave the Mac platform vulnerable.
We've seen Apple improve its security response times over the past year, but there is still progress to be made. Ultimately, however, responsibility for good security lies in the hands of end users -- you and me. Keep your firewall up; install security updates; don't install software from unknown sources (especially if it promises you free pornography, folks!); don't open email attachments from strangers.
In the Windows world, you can -- contrary to popular belief -- stay virus and worm free without antivirus software (if you start with a clean install of Windows XP Service Pack 2 or later), but it requires diligence and care. I believe that Mac users must adopt a similar mindset. Mac OS 9 was virtually immune to attack because the core OS was so unfriendly to networking, while Mac OS X has been too insignificant to be of interest to professional cyber criminals. This has changed.
Mac OS X is now interesting to organized internet crime. We, as users, must adopt good security practices. Mac OS X provides a fairly secure base, but it's not perfect, and it's up to us to maintain our Macs' integrity.
3 Comments
@patrick: That XXX Steve Jobs interview didn't seem to work.
@all: TAKE A SURVEY, WIN A FREE XBOX 360!!