Just Because I'm Paranoid Doesn't Mean My Mac Is Secure

It is hard to imagine a consumer in this economy having to press a salesperson to sell a particular product to her. It is even harder to imagine a sales rep successfully talking said consumer out of the purchase. Yet that is what happened at the Pentagon City Apple (Nasdaq: AAPL) Store in Arlington, Va., late one Sunday afternoon in May.

I was buying a fully loaded Mac to replace the 4-year-old Mac I had at home. Along with Microsoft (Nasdaq: MSFT) Office for the Mac, I also wanted to buy a standard security antivirus and firewall application compatible with Mac OS X. The sales associate's response? Not necessary. I was sufficiently chastened by the US$2,000-plus tab I had racked up that afternoon to let it go.

The next day I rethought my decision: Years of writing about online security had made me paranoid. I ran out Monday morning to buy the software at a nearby Best Buy (NYSE: BBY).

Still, there's doubt in my mind about the wisdom of that last-minute purchase. Did I waste my money?

Pros and Cons

Here are the long-standing, widely accepted reasons why that may be the case:

First, despite a growing number of breaches, Macs on average are still less targeted by virus writers than Windows systems. Windows still dominates the vast majority of desktops on this planet -- a fact that hasn't escaped profit-conscious virus writers.

Second, the breaches that do target Macs are largely based on social engineering tricks designed to entice users to download a piece of malware. Mac users, so the theory goes, are savvier than the average PC user and are not inclined to fall for such tactics. (For the record, I don't consider myself savvier than the average PC user, but I am, as noted above, paranoid about living safely online.)

Yet the arguments for buying security software for a Mac are equally compelling: As Macs grow in numbers, virus writers will begin to target them more aggressively. Also, just because most of the malware thus far has required some sort of human intervention to be activated, there's no guarantee that will always be the case. Malware is becoming increasingly sophisticated each year.

Indeed, the computing/Internet environment is in a constant state of flux. Truisms -- and exaggerated stereotypes, such as the savvier-than-thou Mac user -- must therefore change as well. So, I'll concede that six months ago, a Mac user might have been "safe" without security software. However, that is not necessarily the case today.

Current Status

The supposedly superior wits of Mac users are no match for the professionally packaged human engineering tactics that virus writers are using these days, Don DeBolt, director of threat research for CA, told MacNewsWorld.

"They have become very good at tricking you into installing malware," he said.

For example, when the Zlob's OSX DNSChanger (also known as "RSPlug") struck last year, CA discovered two OS X backdoor trojans capable of infecting Macintosh users' machines, CA's Methusela Cebrian Ferrer wrote in a blog post.

One did a very good job masquerading as a fix for "Video ActiveX Object Error," arriving as a disk image file (.dmg) which, when downloaded, automatically mounts and displays a pop-up message to start the installation process.

"Definitely, I would buy packaged security software for the Mac," CA's DeBolt concluded. That said, he does still think Macs are safer machines.

"The Mac OS provides a nice separation of duties between the system administrator and user privileges. Users typically have a lower-level account status," he explained, "while in Windows the average user is running as an administrator and has more power."

Safe vs. Secure

Users should not assume that Macs are safer, cautioned Michael Sutton, VP of security research with Zscaler.

"It is a myth that Macs are perceived to be safer -- and I say that as a Mac user," he told MacNewsWorld.

"Users need to distinguish between 'safer' and 'secure,'" he suggested.

"Windows is a more secure environment -- Microsoft has invested a lot more money in the security. Yet a Mac is a safer computer because it is less likely to be target of an attack," he noted.

Apple is behind the curve in investing and upgrading its security features, said Sutton, simply because it has never been forced to do so by market demand as Microsoft was in the early 2000s.

"But as [Apple's] market share changes, that reality will change as well," Sutton predicted.

Furthermore, Apple doesn't have a good track record for security even with respect to the measures it does take, he maintained. "It has a poor record in the timeliness of its patch updates."

He cited the practice of jailbreaking iPhones to illustrate his point: "The way to jailbreak an iPhone is to take advantage of a vulnerability in the OS. The first jailbreak that occurred with the iPhone was someone who was able to exploit a known vulnerability."

Users can probably get by without a security package, said Sutton, but at $30 or $50 a pop for the bare minimum, why take the chance?

Still, Sutton acknowledged that he personally doesn't use security software; he feels he can avoid the socially engineered malware that comes his way.

The fact that a lot of Mac users go naked is not worrisome to Rohyt Belani, CEO of Intrepidus Group. "Even though Apple's market share has been increasing over the past few years, PCs are still dominant," he told MacNewsWorld. "If I were a bad guy I would focus my attention on writing malware for PCs -- especially since Windows still dominates the corporate sector."

Macs are based on Unix, which is a more solid networking stack, Belani explained. As for Mac users, he believes they do tend to be more experienced: "Usually, they are people who have gone through a few Windows machines and given up on them in frustration."

Given these reasons, "it is probably a little premature to have users spend extra money to add security controls to the Mac," said Belani.

Heterogeneous Viruses, Environment

Not surprisingly, though, the majority of security experts contacted for this article favor Mac users implementing security software.

"The belief that the Mac OS is secure from hacker penetration concerns me greatly," said Rob Fitzgerald, president the Lorenzi Group, a computer forensics company.

This persistent, ill-conceived idea only creates new opportunities for hackers, fraudsters and thieves to walk away with millions of dollars completely undetected, he told MacNewsWorld.

"The Apple platform has become a very popular accessory to the tech-savvy and tech-idiot alike," said Fitzgerald, and not protecting the Mac OS opens up the Mac machine -- and any other machine with which the user connects -- to potentially devastating Trojans, viruses and spyware.

Also, the growing number of threats in the wild can target both environments, Andy Hayter, anti-malcode program manager for ICSA Labs, told MacNewsWorld.

Although the number of Mac-specific malware incidents is limited, one of the greatest vectors in a heterogeneous computing environment is the possibility of storing a Windows malware sample in a file that is shared with a Mac, he said.

"This can happen with a .jpg or pdf, for instance," Hayter noted. "That is why it is important to use a product that not only protects a Mac, but also looks at Windows-based files."

The heterogeneous nature of computing today is an important security consideration, echoed John Dasher, director of product marketing for PGP Corporation.

"Like it or not, most enterprises are heterogeneous regardless of the particular OS standard they have adopted," Dasher told MacNewsWorld. "In fact, studies have shown that over 80 percent of all enterprises have some level of Mac presence. The legal and regulatory environments which require corporations to protect customer and employee data do not care what operating system is in use -- only that it is secure."

As users exercise greater influence over corporations in terms of which technology they are using, he concluded, "Mac security will occupy an increasing level of mindshare."

"Anyone using a computer should be paranoid about security, regardless of what operating system they are using," Andrew Storms, director of security operations for nCircle, told MacNewsWorld.

"For example, the recent Adobe (Nasdaq: ADBE) security flaws affected Windows, Mac and Linux, and recent Microsoft Office bugs needed to be patched on Windows and Mac. No user can afford to be lulled into a false sense of security because they believe that one OS is always more secure than another," he argued.

"The deeper problem is that conversations around operating system security in the press tend to be extremely polarized and devolve into these Jihad-like conflicts," Storms observed. "Mac users on one side butt heads with PC users on the other -- and then both are flanked by virulent comments from the Linux community."