Friday, March 20, 2009

Mac First to Get Hacked: The Risk of Being Popular

When I was working as a network defender for the USAFE NOSC back at Ramstein Air Base, Germany, I attended a Hack & Defend training course. In the class, we learned how to hack and defend computer networks, learned how to properly protect a PC, and got a chance to play with all the cool tools hackers have at their fingertips. I got to take control of another user's computer and flip the screen upside-down, enable key logging and watch all of their keystrokes, and even activate his webcam. It's an amazing world and it has always been interesting to me.

The teacher was a huge Mac fanboy though. He touted his Macbook and Mac Mini all around the globe wherever he trained at. I'll never forget the analogy he used to promote his favorite consumer electronics company. He said that choosing between a Mac and PC was like choosing tires. He hated people who gave the argument that the reason Windows machines have more security flaws was because it was more commonly used. He said PCs are like cheap tires that are guaranteed to fail a few months down the road. Or, there are Macs which are like more expensive tires that will last longer and work better. He stated that being popular or more commonly used has absolutely nothing to do with it.

I'll admit that I ate it up at first. It made sense. You're paying more for the quality of machine, right? The hardware is well-made and the software is more complex. But does that mean it's more secure?

I quickly learned that the instructor was wrong. As Apple's products became more popular, they became a greater target. Hacking into a Windows environment doesn't make headlines anymore. Now, it's all about hacking into Macs, iPods, and iPhones. Google "hack iPhone" and you get 9,720,000 results. "Hack Zune" barely even gets one million hits at 989,000.

Which leads me to the Pwn2Own 2009 security competition held at the CanSecWest conference in Vancouver, Canada this week. It provides us with a great clue on why some systems are more vulnerable than others.

On day 1, Safari, Internet Explorer 8, and Firefox were all exploited. This proves that all of the major browsers are vulnerable. Opera was not included in the running "based on market share". Opera has captured only a fraction of the worldwide personal computer browser market despite its prevalence in the mobile market. Camino was also not included because... well... have you even heard of it before? Google's Chrome, however, was in the competition, but escaped unscathed. Why? No, not because it is a superior browser, but rather the top hackers hadn't taught themselves the program yet. And why should they? As of February 2009, Chrome has a 1.15% usage share. There's no point. If Pwn2Own offered $1 million for a Chrome bug, you know that the competitors would be all over that. They go where the money is; there is no depth to their shallowness. The hackers will attempt to crack all of the left-overs on day 2, which includes the mobile devices and Chrome.

But let me get back to the all holy Apple. Safari was the first browser to fall in this year's event. It only took 10 seconds, it's the second consecutive year to be the first browser to fail, and it was compromised twice by two different players with different exploit techniques! You cannot argue the quality of the software anymore.

Caught red-handed eating a donut at my desk! Using my Vista
Ultimate laptop. Lurve it. But, is that a G5 you spy behind me?

So what makes Safari and OS X so vulnerable? According to hacker and winner of this year's tournament, Charlie Miller, "Apple's products are really friendly to users, and Safari is designed to handle anything, including all kinds of file formats. With a lot of functionality comes the increased chance of bugs. The more complex software is, the less secure it is." Read that bold part again. It is exactly what I've been thinking these past few years. I mean, this was a fully patched MacBook and web browser and the guy cracked it faster than you can peel a potato. Miller also added that what makes Safari an even more attractive target is the fact that it runs on Mac OS X, which he states lacks several security features that Windows Vista and Windows 7 do have, such as address space randomization. A PC running Vista and Safari would be harder to hack than a Mac running Leopard and Safari. Microsoft, why are you not jumping all over this free advertising!?

You cannot argue that Apple has not gotten more popular in the last five years. With popularity comes great vulnerability and the Pwn2Own contest is the best example of this. People have been writing malicious malware and exploiting zero-day weaknesses in Windows for years now because that's where the money was. That money is now being shared with Apple as the company continues to grow and as it retains that reputation it once had.


The real question you should be asking yourself is, do I want to spend $2,800 on an insecure laptop or $500 on an insecure laptop? Alright, alright... so you're really paying for functionality, but I think I've made my point from a security stance. Windows has gotten this terrible reputation lately and I just want to prove that it's not all that bad. I've never once had a virus, blue screen, or any other major problem with my Vista laptop. In a lot of ways I think it is too secure. Win7 improves on this a little. My XP machine at home has also gone uninfected since 2002, which is after I learned how to properly protect my PC. That all being said, I've never had a problem with my Mac at work either. I love it. I've been playing around with Final Cut Pro and I must say that it's a really nice video editor. If someone offered me a free MacBook Pro or a free PC laptop with similar specs, I'd definitely go for the MCP. Have I proven that I'm not too biased yet?

How about we just stick to Ubuntu and call it a day?

Why do you use Mac/PC? What do you like and dislike? What web browser do you use?
at

9 comments:

  1. Charlie3/20/2009 10:37 AM

    I use a MacBook only because I longed for something different at home vs. what I used at work.

    I really liked this write-up Cam. No you didn't sound biased, and you did a good job at citing many resources for your points.

    I have always agreed that there is no one system that is 100% secure. Each OS has it's flaws, if they didn't the manufacturers wouldn't be releasing security patches or hotfixes.

    The most secure OS is that which does not connect to any other computer or network, and is turned off 24/7.

    So I use a Mac, my wife uses a Mac (iMac), and my kids both have Ubuntu running. I use Firefox with NoScript and a few other security plugins. Also have a program on my mac called Little Snitch.

    Oh and you should read this page every so often. It really shows that nobody is safe. http://www.securityfocus.com/vulnerabilities

    Cheers

    ReplyDelete
  2. Charlie3/20/2009 10:39 AM

    Oh yah, and don't forget this....

    http://www.youtube.com/watch?v=Uau0aIbrzkQ

    :P

    ReplyDelete
  3. Cam-Fu3/20/2009 10:55 AM

    I also run Firefox with NoScript. For security purposes, I also use Web of Trust and AdBlock Plus. It's the safest way to surf on a major browser. The safest browser is the one no one is using.

    lol @ Bill. Man, he was so young then.

    While we are sharing links, I don't know if you've ever visited Bruce Schneier's blog which is linked in my "Other Blogs I Read" section. He is the master netsec guru.

    ReplyDelete
  4. Charlie3/20/2009 10:58 AM

    Yeah I have read his blog. I actually have it in my GReader and it's because of you having it on your sidebar.

    Cheers

    ReplyDelete
  5. Joel Mayward3/20/2009 11:52 AM

    I love my Mac. I won't pretend like it's unhackable or anything, but every time I use my wife's PC laptop, I get frustrated now. It's definitely more about functionality for me. And I got mine for $700, so it was totally worth it.

    And the reason there are so many more hits for "hack iPhone" than "hack Zune" is because no one owns a Zune. :)

    ReplyDelete
  6. Cam-Fu3/20/2009 11:57 AM

    I love my Mac, too. It really does come down to user preference. PCs and Macs can do all of the same things, but Macs have more proprietary software (and hardware). If you are a gamer, obviously you would lean more towards PC. If you are a film editor, obviously you would lean more towards Mac.

    And the whole Zune thing exactly proves my point about popularity. That hacking instructor I had was really smart, but he was completely off about this. Unfortunately, he's not the only person I've come across that is like this.

    Do you use Safari to surf?

    ReplyDelete
  7. Joel Mayward3/20/2009 8:50 PM

    Cam, I do use Safari. The irony of this is that Safari suddenly started to freeze up today after I left a comment on your post. I am not making this up. This current comment was written on my wife's laptop. Pretty sure I'm gonna have to take my Mac to the Apple store if it doesn't work in the morning.

    ReplyDelete
  8. Cam-Fu3/20/2009 9:56 PM

    Well, that's because I wrote a script that initiates a Safari exploit when people click on my comments section. j/k! Sorry to hear about that. Have you tried downloading Firefox and seeing if you have the same problem? Let me know if I can be of any help.

    ReplyDelete
  9. Charlie3/20/2009 10:00 PM

    OMG, Safari hack inside of blogger. Hilarious.

    ReplyDelete