Ignorance is bliss, as the saying goes, but users of Apple’s OS X platform could pay a hefty price if they continue to live in denial, industry observers have warned. The biggest security vulnerability could lie in the fact that OS X users aren’t “trained” to monitor and identify social engineering tactics that have been used against Windows-based users for years. Mark Borrie, IT security manager at New Zealand’s University of Otago, said although he hasn’t experienced any infections, he’s concerned at the ease with which social engineering can be used against the Mac community.
Pretty ironic that the biggest fault Windows has been accused of, said to be at the basis of its vulnerabilities, goes for Mac users as well: running as admin by default.
Not 100% the same of course, but the door is open to social engineering as always.
it may ‘run’ as admin, but you have to put your password in, if you didn’t run as admin, you’d have to put in admin (or root, or whatever), then your password, not quite sure what the difference would be to be honest.
Pretty ironic that the biggest fault Windows has been accused of, said to be at the basis of its vulnerabilities, goes for Mac users as well: running as admin by default.
Not restricted to Mac. Look on almost any mainstream linux forum, and you’ll find posts from people complaining that they can’t login to Gnome/KDE/whatever as root. To my way of thinking, if you can’t figure out how to configure your system to permit root logins, then you have no business running under root.
Mac will become more and more susceptible to problems like this, as will *nix. As each platform increases in popularity, the technical aptitude threshold for the common user base goes down; that sounds elitist, but I don’t mean it that way. It’s just a fact, if you look at any OS other than Windows, you’ll find that the early adopters were more technically oriented than the average user, but over time, whether you want to use the Mac Mini or Ubuntu as an example, the bar is lowered and more and more people are willing to try the alternatives.
Similarly, just as happened in Windows with users defaulting to admin for convenience’s sake, naive users will simply become accustomed to frequent popup windows asking for the admin password and may stop thinking about it.
I think that’s something that all of the OS designers need to think carefully about. Don’t know what the solution is, maybe it’s time to have different shades of admin separation. There’s a difference between configuring a hardware device, and installing new system libraries, for instance. I dunno.
The biggest question, why even log into root when there is a perfectly good sudo sitting there if you need to use root for a small period of time.
Ultimately, even Kevin Mitnick pointed out, the biggest vulnerability is the individual who sits at the computer; either via deceptive links via mail, social engineering over the phone or instant messaging or just downright cluelessness when it comes to being a little wise over things sent – I mean, let’s be honest, who the f*ck sends an executable over email? More correctly, *WHY* would a software company send updates over email, to an email address that YOU as an individual never gave to the company in the first place!
For me, I strip off all attachments, if you can’t copy and paste the document in the email or upload the picture to a hosting service like photobucket, it’s obviously not important.
Mac OS X userland apps don’t run as root. It has something similar to sudo built in, which prompts for your password, so no worries. 🙂
– Simon
“Mac OS X userland apps don’t run as root. It has something similar to sudo built in, which prompts for your password, so no worries. :-)”
Really.
So what happens instead is the malware authors make their program emulate the look of the sudo password dialog, use that to capture the password by simulating a run of some common already installed program and voila, it’s all set to run programs as root.
So what happens instead is the malware authors make their program emulate the look of the sudo password dialog,
Little Snitch ( http://www.obdev.at/products/littlesnitch/index.html )
“Little Snitch tells you when a program tries to send info to the internet so you can see what’s going on in the background.”
If malware has the root password, then it can install software, kernel modules, and do pretty much anything that it wants to do.
In this case application firewalls like Zone Alarm on Windows, and Little Snitch on MacOS will be of little help. This is because malware with root privileges can easily (for some definition of easily) hide its communication in ways that cannot be detected by application firewalls.
For an example of a proof of concept of this on Linux read the paper on Passive Covert Channels on Linux at Joanna Rutkowska’s website ( http://invisiblethings.org/papers.html ).
For those of you who are too lazy or don’t have time to read this stuff, it describes an attack where data is sent over the internet by piggybacking on packets produced by trusted applications.
This type of attack is possible on every OS on current hardware.
Wake me when the real news comes in.
How is it that Windows users are trained to watch out for social engineering tactics? LOL most of them don’t even realize their machine is infected.
If you weren’t already at the highest score, I would give you another plus vote.
Out of all my friends that use Windows (almost all) I’d have to say at most, 1 or 2 know to look out for “social engineering tactics”. Your average Windows user is nowhere close to being trained to watch out for social engineering. All of the viruses they get through AIM are from just clicking a link that another buddy “sent” them – even if it is clearly labeled as something like “download.php” instead of some jpg image.
I do have to agree though, with more Mac users coming on board, people are going to unfortunately have to start watching what they’re downloading more and more. Other than that though… this article was pretty much garbage IMO.
…when you receive strange email messages… Also keeping pop-ups disabled, use a firewall (preferably something in front of your own computer/firewall), blah blah blah.
Article = FUD
“…when you receive strange email messages… Also keeping pop-ups disabled, use a firewall (preferably something in front of your own computer/firewall), blah blah blah.
Article = FUD”
common sense? chances are half the people out there have never even heard of a firewall.
My family has had a computer around since the Mac LCIII, so a bit over a decade, my mom still doesn’t know how to copy and paste.
this is the kind of people running computers out there. there is no such thing as common sense.
although i admit none of those people will probably ever read the article, author probably knows that too, so probably is just shit-stirring
Edited 2006-02-21 23:42
common sense? chances are half the people out there have never even heard of a firewall.
My family has had a computer around since the Mac LCIII, so a bit over a decade, my mom still doesn’t know how to copy and paste.
this is the kind of people running computers out there. there is no such thing as common sense.
Yes there is. Did your mom ever tell you not to accept candy from strangers, to lock the door or to not let people in unless you know who they are and what they want ?
Translates perfectly to “don’t download stuff if you don’t know it’s from a trustworthy source”, “choose a good password” and “never let a program do anything unless you already know exactly what it is going to do beforehand and you trust it”
Now go tell your mom : “Don’t accept candy from strangers on the internet!” 😉
Of course, the evidence of how well trained Windows users are against social engineering attacks lies in the fact that these types of viruses and malware never spread among Windows users anymore. Wait, did you say we just recently had an outbreak like this? Right, nevermind then.
This won’t go over well with the elitist!
Just kidding 😉