Apple Security

For a long time, Apple has not been significantly affected by malicious code. There has not been an I Love You, Code Red, or a Zeus affecting the Apple ecosystem that I can recall. This lack of a malicious code epidemic has led many to assume that Macs are more secure than PCs. While I am an Apple fan and a Mac user, I think this attitude is a case of mistaking causation for correlation. While there appears to be a negative correlation between Macs and malicious code compromises, I don't think the cause is a function of the superior programming and security of the OS X or iOS operating systems.

Next time you're bored and looking for something to do, head over to your local Apple store and start asking questions about the Mac and OS X. Start asking about the usability of the system and ease your way into some technical questions. Once you are in the throes of the Mac lovefest, ask the Genius helping you about the security of the Mac. Chances are that the Genius will tell you that security is not a problem with the Mac and that it is inherently more secure than the PC. Wait for the smugness to set in and then tell the Genius that the Mac is not more secure than the PC, it is just more ignored. Ask him about the Pwn2Own competitions and he says.

Ask an INFOSEC professional what they think about Security Through Obscurity and you are likely to get a response that includes a deep breath and rolling eyes before they tell you that Security Through Obscurity is not a security strategy, and I partially agree. By itself, Security Through Obscurity is not a reliable means of securing information. However, a robust security strategy is composed of many layers, and obscurity is a valid layer in that defense strategy. Apple has proven this over the last twenty-five or so years as the bad guys have focused their attention on the PC world.

The PC world has garnered most of the attention over the last twenty-five years because it has been the most popular operating system by far. And, over the past twenty-five years the world of hacking has evolved from a community of hobbyists exploiting systems for bragging rights to a community of organized criminals exploiting systems to make a profit. The bad guys are now businessmen looking to make their operations as efficient as possible to maximize their profits.

If you can spend 40 hours developing exploit code for a new software vulnerability affecting 85% of the computers on the Internet running Windows or spend that same 40 hours to exploit the 10% running OS X or iOS, which option makes more business sense? [3] It seems like a no-brainer to me. Given this operating system distribution, it seems that Apple can continue to rely on Security Through Obscurity for a little while longer. However, that might not be the case for long if they keep up their recent growth trends. [1] [2]

I think the development that could most significantly impact Apple's ability to rely on obscurity as a valid layer of defense is the popularity of iOS and its mobile devices and services such as the iPhone, iPad, and iCloud. As they become more popular and widespread and touch more financial transactions, the bad guys will start paying more attention. Apple's share of the mobile market will just draw more attention from the bad guys.

Apple users should consider themselves warned: your days of being ignored are dwindling. Start thinking about how to protect yourselves and your data. Future blog posts will have some concrete recommendations.


REFERENCES

[1] “Apple Results Strong; Record iPhone, iPad Sales,” National Public Radio, 19-Jul-2011. [Online]. Available: http://www.npr.org/2011/07/19/138523187/apple-results-strong-record-iphone-ipad-sales. [Accessed: 22-Jul-2011].

[2] JR Smith, “Hackers Set Sights on Apple,” AVG Blogs | JR Smith, 12-Jul-2011. [Online]. Available: http://jrsmith.blog.avg.com/2011/07/hackers-set-sights-on-apple.html. [Accessed: 20-Jul-2011].

[3] “Usage share of operating systems,” Wikipedia, 19-Jul-2011. [Online]. Available: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems. [Accessed: 22-Jul-2011].