
A Smug Mac User Gets Pwned

November 1, 2007

I got an email today from the Wisconsin Road Runner Abuse and Security unit informing me that my home computer was sending “mass quantities” of spam email, that they’d received complaints from other service providers, and that if I didn’t reinstall my operating system or have my computer professionally serviced they would – without further notice – disconnect my internet service.

So I’m thinking to myself, hey, I’m a Mac user. Both my laptop and my web server are running Mac OS X. There isn’t any malicious botnet-style malware for us… is there? Then I start to think maybe the email itself is a scam. So I call the number in the message.

Turns out it’s for reals. I talk to a security guy and he confirms: spam email has been coming from my connection. I say I think that’s pretty unlikely because I’m a (smug) Mac user. He agrees that it would in fact be odd. Then he asks me the million dollar question: do I have a wireless network at home?

Doh! Picture me slapping myself on the forehead. Why, yes, yes I do have a wireless network at home, Mr. Security Man. And I just bet my Windows using neighbors have been helping themselves to it. And I bet it is they who are infected with spam-spewing botnet garbage. I tell the guy I’ll secure my WiFi and get back to him tomorrow to make sure everything is cool.

Five minutes later I’m remoting into my wireless router and restricting the WiFi by MAC address, excluding all wireless devices but my laptop and the Wii. Bang. Problem solved within one hour of receiving the email.

Yeah, yeah. I had my WiFi unsecured and wide open. I forget why I did that, but I’m sure part of the decision-making process was me reflecting that nobody could use my WiFi to do malicious things to my computers. I neglected to think about other things that might occur. Let this be a lesson to all smug Mac users: just because your computer is secure, it doesn’t mean you can ignore security issues altogether.
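A check that follows from the story above, added here as an example and not part of the original post: list the devices the router or the Mac has actually seen on the LAN (the DHCP lease table and the ARP cache) and compare them with the MACs the owner recognises. The lease lines and `arp -a` lines below are constructed samples and every address in them is made up; the dnsmasq lease-file layout (`expiry mac ip hostname client-id`) and the macOS `arp -a` line layout are the only real conventions relied on. Two details the post glosses over are handled: macOS prints ARP entries with unpadded octets (`0:c:29:...`), so addresses are normalised before comparison, and a device with a static IP never appears in the lease file, so the ARP cache is checked as well.

```python
"""Audit the devices seen on a home LAN against a MAC allow-list.

Added example, not code from the original post.  All MAC addresses,
hostnames and sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# dnsmasq lease line: <expiry> <mac> <ip> <hostname> <client-id>
LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>[0-9A-Fa-f:-]+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)"
)
# macOS `arp -a` line: "? (192.168.1.23) at 0:c:29:11:22:33 on en1 ifscope [ethernet]"
ARP_RE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(?P<mac>[0-9A-Fa-f:]+)\s+on\s+(?P<iface>\S+)"
)

# Devices the owner recognises (constructed, hypothetical addresses).
ALLOWED = {
    "00:18:39:aa:bb:cc": "router",
    "00:1f:5b:aa:bb:01": "laptop",
    "00:17:ab:cc:dd:02": "wii",
}

# Constructed sample of a dnsmasq lease file.
SAMPLE_LEASES = """\
1193961600 00:1f:5b:aa:bb:01 192.168.1.10 scotts-macbook 01:00:1f:5b:aa:bb:01
1193961700 00:17:ab:cc:dd:02 192.168.1.11 Wii *
1193961800 00:0c:29:11:22:33 192.168.1.23 DESKTOP-PC 01:00:0c:29:11:22:33
1193961900 00:16:ea:44:55:66 192.168.1.24 * *
"""

# Constructed sample of `arp -a` output on the Mac (note the unpadded octets).
SAMPLE_ARP = """\
? (192.168.1.1) at 0:18:39:aa:bb:cc on en1 ifscope [ethernet]
? (192.168.1.23) at 0:c:29:11:22:33 on en1 ifscope [ethernet]
? (192.168.1.30) at 0:13:ce:77:88:99 on en1 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]
"""


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    name: str
    source: str  # "dhcp" or "arp"


def normalize_mac(mac: str) -> str:
    """Canonical form: lower-case, colon-separated, zero-padded octets."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.zfill(2) for o in octets)


def is_unicast(mac: str) -> bool:
    """Broadcast/multicast addresses have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 0


def parse_dnsmasq_leases(text: str) -> list[Device]:
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m is None:
            continue
        name = "" if m["name"] == "*" else m["name"]
        devices.append(Device(normalize_mac(m["mac"]), m["ip"], name, "dhcp"))
    return devices


def parse_arp_a(text: str) -> list[Device]:
    devices = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m is None:  # also skips "(incomplete)" entries
            continue
        mac = normalize_mac(m["mac"])
        if is_unicast(mac):  # drop the broadcast entry
            devices.append(Device(mac, m["ip"], "", "arp"))
    return devices


def unknown_devices(devices: list[Device], allowed: dict[str, str]) -> dict[str, list[Device]]:
    """Every sighting of a MAC that is not on the allow-list, grouped by MAC."""
    unknown: dict[str, list[Device]] = {}
    for d in devices:
        if d.mac not in allowed:
            unknown.setdefault(d.mac, []).append(d)
    return unknown


def report(leases: str, arp: str, allowed: dict[str, str]) -> list[str]:
    """One line per unknown MAC, listing where it was seen."""
    seen = parse_dnsmasq_leases(leases) + parse_arp_a(arp)
    lines = []
    for mac, sightings in sorted(unknown_devices(seen, allowed).items()):
        where = ", ".join(f"{s.ip} {s.name or '-'} [{s.source}]" for s in sightings)
        lines.append(f"UNKNOWN {mac}: {where}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LEASES, SAMPLE_ARP, ALLOWED):
        print(line)
```

Run against the samples this reports three strangers: one seen by both DHCP and ARP, one DHCP-only with no hostname, and one ARP-only, which is the static-IP case a lease table alone would miss. The allow-list is the same list one would load into the router's MAC filter; keep in mind that MAC addresses are trivially spoofed, so a match is evidence of who was on the network, not proof of who was kept off it.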



  1. Just read an announcement about a new Mac Trojan yesterday. They detailed how it infected, but never actually said what it did. Slackers.


  2. What it does is screw with your DNS, making it so that when you type an address into your browser it surreptitiously redirects you to a different site. But one has to remember that this trojan isn’t the same kind of malware that has plagued Windows users for years. It requires you to a) go to an evil web site, b) download something when prompted, and c) enter your password to install it. It lies to you about what it is, but it requires a significant amount of participation from the user. Plus it doesn’t self-replicate in any way.

    I could send an email out to all the Mac users I know advising them to open Terminal and type rm -rf and enter their password, and it probably would amount to the same kind of risk.


  3. Tsk. Tsk. Must remember to secure one’s wireless connection 😉

    What has always amazed me is how easily non-technical Windows users get themselves infected. I’ve never had a PC of mine get infected. But I’m a technical guy. I know not to click the first result that comes up in a Google search without first looking at the URL and thinking about where that link just might take me. Same thing with emails, new programs, careful typing of addresses, etc.

    But I have seen so many users get their stuff trashed within days of purchasing and hooking it up to the Internet.


  4. Reminds me of that 2004 study which indicated new PC buyers had approximately 20 minutes to get the thing fully patched and protected once they plugged it in. Problem was, it took longer than 20 minutes to do all the protecting! Were it not for the inclusion of SP 2 on subsequent PCs, the Windows world would soon have reached a point of singularity where all computers were infected with everything prior to their even being built.


  5. I don’t have my AP restricted by MAC address, but I do have a strong WPA2 password on it.

    I have Win XP on this machine and as far as I know I don’t have any infection.

    -A


  6. Network security man just shakes his head back and forth….I preach this stuff practically every day…..maybe I should do more of it on my blog, but I don’t really talk about what I do for a living on my blog…..

    When people went to Best Buy or Circuit City and bought those routers (nowadays if you run thru the wizard it usually configures security for you) early on, they just didn’t know about SSID broadcast or any of the various available wireless security modes and their encryption strengths….and routers have been around long before Geek Squad or Firedog assistance…..so people usually trusted the wizards out of the box…..

    The router companies have gotten better at it….Linksys (Cisco) I think is the best (especially since Cisco took over)…..

    Part of my job in computer security is to scan for open access points around my job, but there have been times where I’ve lived where I wanted to see just how good a job folks were doing where I’ve lived and it’s shocking…..you can tell those that are in the “biz” by how they’ve named their routers, and those that have simply pulled the routers off the shelf because they are still at the default router names…..that was awhile ago…haven’t done a scan since I’ve moved….

    At one time I thought about doing a router education seminar in my old apt complex because I knew there were a lot of them….but…alas…just got too busy….


  7. Oh, I know plenty about how it works. It doesn’t have a default name, I’m port forwarding http and ssh to my web server… no, my problem is that all I was thinking about security-wise was my own machines. Mistake.


  8. Gotcha Scott…incidentally, here’s a link with a screenshot on what Patrick was referring to in his initial comment…

    http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html


  9. Yeah, I read all about it. I just have a hard time seeing this as some kind of exploit that one can blame Apple’s software for. I mean I could make a web site purportedly to distribute my fabulous new freeware game, but instead when folks authenticate to install IncredibleFun.dmg it actually deletes their home directory. What kind of software “fix” can prevent that? None that I know of. It’s a piece of malware that doesn’t rely on any “vulnerability” or “exploit” in the user’s software.


  10. […] your Mac makes you immune? November 5th, 2007 — thoughtfulconservative Learn the lesson Scott Feldstein learned. So I’m thinking to myself, hey, I’m a Mac user. Both my laptop and my web server are running […]


  11. So…the lesson here is that the security issue had absolutely nothing to do with your Macs. In fact, the reason you were able to pinpoint your wireless network and your neighbor’s virus-infected PC was because both you and your ISP knew that it was highly unlikely that it was your Mac causing the problem.

    I know this was a technically complex post, but too many people will get the wrong impression that Macs are just as vulnerable as PCs when nothing could be further from the truth.


  12. I agree. There’s a lot going on here and it would be a disservice if the reader were to walk away thinking it’s a wash, that the Mac OS is just as vulnerable to malicious intent as Windows is. It definitely isn’t.


  13. My favorite security moment is when someone in a small office plugs the local side of their new unauthorized firewall/router/wireless access point into their office’s jack, thereby polluting the entire network with a new DHCP server pointing nowhere. And they complain about all those nasty security precautions and computer lock-downs and constantly changing passwords! Who’s getting paid to think that what can go wrong, will?


  14. […] posted on this from Scott Feldstein earlier with the moral of “…just because your computer is secure, it doesn’t mean you […]


  15. …it would be a disservice if the reader were to walk away thinking it’s a wash, that the Mac OS is just as vulnerable to malicious intent as Windows is. It definitely isn’t.

    And it would be an equal disservice to leave a reader thinking their Mac is secure, just because it’s a Mac.

    From Network World: Apple Patches 41 Bugs in Monster Day of Fixes.

    A separate firewall is always in order for a home Internet connection, no matter how secure you think your Mac or PC is.


  16. But none of those 41 bugs were actual malware/virus exploits in the wild. Therefore, they posed a theoretical –not actual–risk to Leopard users. And actually, most of them probably had nothing to do with security at all, just stability or unusual behavior of the software.

    I stand by my earlier comment: too many people see headlines like that and conclude that it’s a wash, that things are equally perilous on either side of the platform divide. This isn’t true. Not by a long-shot.


  17. …41 fixes, 15 of which could be considered critical by virtue of Apple’s designating them capable of “arbitrary code execution,” its terminology for an attack that could result in a compromised Mac. The more than two dozen remaining patches fixed flaws that could crash the system or applications, poison the Mac’s DNS cache, allow malicious Web sites to conduct drive-by downloads, or let hackers steal information or look at files on the hard drive. [emphasis mine]

    Those sure look like security fixes to me. Most of Microsoft’s monthly patches are theoretical as well. But it doesn’t make them any less important. I guarantee you that if Mac was used on 90% of the world’s desktops many of those theoretical holes would have been exploited.

    You’re right, the security difference between a Mac and PC is in no way a wash. But I think it’s foolish to simply rely on a Mac’s alleged “security” as the only barrier between your system and the wild open Internet.


  18. As I said, David, most of them were not security related.

    I guarantee you that if Mac was used on 90% of the world’s desktops

    And I guarantee you that if the Mac had 90% marketshare, it would not have the number, frequency or severity of security problems that Windows has had over the last 5-10 years. It would certainly have more than it has today, but it would absolutely not become an equivalent scenario.

    I think this is an important point, because it implies (wrongly) that Windows’ security issues are simply an artifact of its popularity rather than bad design choices.

    It is a fact that Apple makes their OS software more secure by design than Microsoft historically has.

    Nothing is perfect, of course. And Apple does have security patches, past, present and future. But it doesn’t change the fact that they have designed their software in a more secure fashion, and even if they had Windows’ marketshare they would not inherit Microsoft’s terrible track record on security.

    But we’re not disagreeing on much, I don’t think. You think it’s foolish to put a naked Mac on the net, I think it’s perfectly fine, especially for non-critical systems. I’ve had Macs naked on my home network–no firewall on the machine or on the router, no anti-virus software or other protection–for years. 24/7 for literally years. Know how many security issues I’ve had? I mean even a little teeny tiny popup or other malware annoyance? Of course you know the answer is zero. And more to the point, I think that my experience is by no means unique among Mac users. In fact, I think it’s very, very typical. So typical in fact that I don’t think I’ve ever even met a Mac user during that time who has had an issue like that. Not one.

    So is it “foolish” to leave one’s Mac unprotected by firewalls and anti-virus software? Some say so. Security software makers surely do. I say it’s fine–until such time as some serious problems are actually found in the wild.


  19. But we’re not disagreeing on much, I don’t think.

    True, but now you’re getting a little smug 😉

    As someone who works in the world of networking and network security, I can assure you that the primary reason your Macs have never been hacked while naked out on the net has everything to do with luck, and nothing to do with the Mac being some impenetrable force.

    The Mac is, first and foremost, an end-user operating system designed for comfort and play – not a security appliance. Just Google “hacked macs” and you will find that when given a little bit of time and some financial incentive, a skilled hacker can gain root access.

    I’m not defending Windows. But if I was to take your logic of never having one of my Windows machines hacked in the roughly 15 years I have been connecting them to universities, BBS’s, and the Internet, I might be naively convinced of their “security” as well. But knowing what I know, I maintain that it’s a risky thing to do.

    I live in a safe neighborhood. I could well leave my front door unlocked every day and probably never be burglarized. But a) how would I know if someone came in and just snooped around without stealing anything? and b) what good did my “safe” neighborhood feeling do for me after someone ripped me off?

    Same deal with the Mac.


  20. everything to do with luck, and nothing to do with the Mac being some impenetrable force.

    I think the truth is in the middle of these two extremes. It isn’t mere luck, nor is the Mac “impenetrable.” (And I never claimed it was.)

    if I was to take your logic of never having one of my Windows machines hacked

    No, my logic isn’t merely that I myself have escaped problems–it’s that we all have. And that’s a far more powerful statement. If you could say that neither you nor anyone you’ve ever met has had a Windows security issue, I bet my bottom dollar that you’d be saying the same thing I’m saying: box security isn’t a big issue, and certainly not one that ma and pa need to spend time and money on.

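Comment 2 above describes the Mac trojan's payload as a change to the machine's DNS settings rather than any self-propagating exploit. The check a practitioner wants for that class of malware is a comparison of the resolvers actually configured against the ones expected, flagging anything that points off the home LAN. The block below is an added example, not code from the post or its comments; the resolv.conf text and every address in it are constructed (the tampered sample uses RFC 5737 documentation addresses), and the expected resolver and LAN prefix are assumptions. It parses the plain resolv.conf format; on Mac OS X the authoritative list comes from `scutil --dns`, so in practice one would feed this the nameserver lines from that output as well.

```python
"""Flag resolver settings that differ from what the owner expects.

Added example, not code from the post or its comments.  The resolv.conf
samples, the LAN prefix and every address in them are constructed.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
EXPECTED_RESOLVERS = {"192.168.1.1"}          # assumed: the router, nothing else

# Constructed: how the file should look on this network.
CLEAN_RESOLV = """\
domain home
nameserver 192.168.1.1
"""

# Constructed: what a DNS-changer would leave behind (RFC 5737 test addresses).
TAMPERED_RESOLV = """\
domain home
nameserver 203.0.113.5
nameserver 203.0.113.6
"""


def parse_nameservers(text: str) -> list[str]:
    """Return the nameserver addresses in file order, ignoring comments and junk."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not an IP address; a resolver line it is not
    return servers


def audit_resolvers(text: str, expected: set[str] = EXPECTED_RESOLVERS,
                    lan: ipaddress.IPv4Network = LAN) -> dict:
    """Compare configured resolvers with the expected set.

    'unexpected' is anything not on the list; 'off_lan' narrows that to
    servers outside the home subnet, the DNS-changer signature.  An empty
    resolver list is also not 'ok': a machine with no resolver configured
    has had its settings touched too.
    """
    servers = parse_nameservers(text)
    unexpected = [s for s in servers if s not in expected]
    off_lan = [s for s in unexpected if ipaddress.ip_address(s) not in lan]
    return {
        "servers": servers,
        "unexpected": unexpected,
        "off_lan": off_lan,
        "ok": bool(servers) and not unexpected,
    }


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_RESOLV), ("tampered", TAMPERED_RESOLV)):
        print(label, audit_resolvers(text))
```

Deliberately, the check does not rely on `ipaddress.is_private`, which in Python also returns True for the RFC 5737 documentation ranges; membership in the owner's own subnet is the question being asked, so that is what is tested.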

