
Inside OSX Security: Keeping Your Mac Safe in an Unsafe World

June 9, 2007
By John C. Welch
Courtesy of InformationWeek


A Mac expert takes you through the threats, holes, and exploits surrounding Mac OS X, and offers some tips and tactics for protection


Security and Mac OS X is never an easy topic to write about. There's so much emotion, advocacy, and arguing going on that getting to the heart of the matter can sometimes seem impossible. However, once you sort past those issues, the state of security on Mac OS X isn't terribly complicated, nor bad at all. It's not perfect, but it's not the final world in Quake, with pitfalls and monsters behind every corner.

Even with the recent QuickTime Java vulnerability discovered by Dino Dai Zovi at the CanSecWest contest, the Mac isn't suddenly a kitten in a shark tank, waiting to be devoured. There always have been, and always shall be, vulnerabilities in this or any other operating system and platform. It's a fact of life, and one that Mac users, in particular, should approach with more of a sense of equanimity and awareness.

When we're talking about the state of security on Mac OS X, it's useful to use the kinds of threats we hear about or have heard about in the past as a guide to help us focus our discussion. I'll do the same here, moving from the more "human-based" issues to the more "human-excluded" issues. I'm also going to, in the interests of clarity and space, stay out of larger security issues like firewalls, NAC, etc. This article is focusing on Mac OS X and the Mac user as much as possible.

1: Phishing And Social Engineering
Mac users are exactly as vulnerable to phishing and social engineering attacks as users of any other platform. If you voluntarily give out personal data, passwords, user IDs, etc., there's nothing an operating system can do to protect you from the results of those actions. Browsers and e-mail clients are starting to try to incorporate various antiphishing measures, but at the end of the day, this isn't something that can be solved via a purely technical solution. If you give out the keys to the kingdom, as it were, you will have some rather severe barbarian problems.

The best way to deal with these problems is awareness and avoidance.

Be aware of the people and entities that would have a legitimate reason to get various kinds of information from you. In the case of passwords, there's no IT department that is even vaguely competent that needs your password to run any kind of test, upgrade, or what have you. Unless you are the sole possessor of the root/directory administrator password, there's no reason for IT or anyone else to need "your" password.

On the networks I run, I can do anything I need without needing a user password. If I need a user to log in as themselves, then I have them do that. I don't know, nor do I wish to know, anyone's password but the ones I have to know to do my job. It's a bad idea on every level to know other people's passwords unless you have a hard, unavoidable reason to do so. I've yet to run into one.

If you give someone your login credentials, especially if they're admin-level access credentials, then there's little the operating system can do to stop them, as they'll not be "hacking" into the box at all. They'll be signing on as a legitimate user: You.

At that point, the operating system is going to let them do whatever those credentials allow for, because that's how it's supposed to work. Even worse, any action they take will look like you took it, because it's happening under your credentials.

The same thing goes for phishing. If you click on a link and give someone at random your credit card numbers, Social Security, tax ID, or government ID number, there's nothing the operating system can do to stop them from using that information in a way you don't like. Remember: No operating system in the world can stop someone determined to do something silly.

The solution here is simple: Don't do that. Don't enter financial or personal data because "eBay" says your account is messed up, or someone is waiting for payment on something you didn't bid on.

I get tons of those a week, and I just delete them. If you don't have an Amazon account, then how can your Amazon account be messed up? What you can do is, where possible, report phishing attempts to the organization that the phisher is attempting to spoof. For example, eBay's contact point for such things is spoof@ebay.com; Amazon's contact is https://www.amazon.com/gp/help/contact-us/report-phishing.html. Both sites have excellent help topics on phishing via the "help" URLs on their respective Web sites to help you learn more about their respective policies. Any organization you do business with should be able to provide you with the same information.

As far as other social engineering, again, some basic common sense works. If "Bob" in IT needs your user ID and password, first, make sure there actually is a "Bob" in IT. Then contact your security person or liaison and make sure that kind of thing is correct behavior.

If your security people don't know that this is happening, they can't do much about it. If all of this seems fairly obvious, well, it is. Not getting phished or engineered is actually easier because you have less to do to avoid it: don't provide the information. Also note there isn't an antivirus or anti-anything around that is able to stop you from giving personal information to people who shouldn't have it.

