Gallery

Mac hacks, BBC attacks and backing hackers

Posted on 18 Jun 2009 at 11:20

Davey Winder exposes the 100% secure mac myth, questions the BBC's botnet morality, and considers hiring hackers.

I'm not an enthusiast for OS or platform wars, and just hated it when I wrote for an Amiga magazine and got bombarded with letters (in those pre-email days) from Atari fans nagging about my wrong choice of computer. Regrettably, this same juvenile "my dad's bigger than your dad" mentality still lives, wearing an Apple logo in one corner and a Microsoft logo in the other. I'd have to confess to something of a love affair with both brands: although my main work machines are Windows-based PCs, I have a Mac to satisfy my more artistic talents, not forgetting my iTouch.

However, if one thing really riles me it's hearing the more loud-mouthed and less intelligent Mac enthusiasts propagating the "Macs are 100% secure" myth. No doubt the average Mac user is at less risk than the average PC user due to their different OSes, but that's far from implying 100% security. The only 100% secure computer is one that's still in the box it came in. IT security expert Sophos took a poll last year to try to lay this myth to rest, asking people whether they expected Macs to be targeted by the bad guys in coming years, and the results showed a whopping 93% believed Mac users will face increasingly serious threats, compared to 79% the previous year. The same poll concluded that half of us didn't think the threat level would remain less than for Windows users, though.

Sure enough, recently came news that around 20,000 Mac users had downloaded an infected pirate version of iWork 09, which carries a nasty little trojan - the download installs peacefully enough, along with an iWorkService.pkg package that turns into a STARTUP item with READ, WRITE and EXECUTE permissions for ROOT, then it lets the bad guys know that it's installed and ready to rob. Mac users need to show far more common sense ("safe hex" if you like) by steering clear of the link-clicking, Warez-seeking Windows mob, and they shouldn't underestimate how important a wake-up call this incident was - especially in light of events that took place at a recent gathering of hackers.

A brand-new MacBook with the latest OS and running a fully patched Safari web browser fell to a hacker's exploit in less than ten seconds at the recent PWN2OWN competition during the CanSecWest security conference. This annual event offers a big cash prize to the first hacker who can gain remote control of the machine in question, and was won for the second year running by one Charlie Miller. Last year, it took Miller two minutes to pull off this feat, but this year he reckons it was somewhere between five and ten seconds. Time isn't really the issue here, though, as the hack was achieved via a pre-prepared malicious link that exploited a previously unrevealed vulnerability to inject malicious code from a remote website. The mere fact that the Mac is vulnerable to such web-based link-clicking exploits at all should drive home the message to take security more seriously.

Just to keep the playing field level, shortly after Safari was so easily slain, so too was Microsoft's latest Internet Explorer 8. Ironically enough, this happened just a few hours before the official IE8 launch when all the Internet Explorer big guns were due to give a keynote speech stating that IE8 was the only browser that provides "built-in protection from cross-site scripting and out-of-the-box protection against clickjacking". In that same keynote speech Microsoft's Dean Hachamovitch insisted that IE8 has been engineered to better withstand evolving hacker attack methods, but obviously nobody had told Nils - the hacker who used a similar malicious link to that of Miller to take down the new browser at the PWN2OWN comp.