Apple Doesn’t Understand This “Secure” Thing

For years, people have loved Apples and Macs because of their relative security when compared to the likes of Microsoft, who are the target of tens of thousands of viruses, worms, trojans, and other types of malicious programming.

A large part of this has been because of the prevalence of Microsoft Windows, and the fact that Macs make up a tiny little percentage of the home or office computer realm.  However, ever since Apple released the iPhone, it would seem as if they have taken a step out into the world of the unknown, venturing into new territories where no one has gone before.

The problem is, many people have already been in these territories for many years, and Apple obviously has not been paying attention.  It’s like they never considered the thought that once they started venturing outside of the obscure marketshare into the eye of the general public, they too would become targeted by script kiddies, spammers, and all-around evildoers.

The fact of the matter is, Apple, Macs, iThings, and everything else they are doing IS being targeted more now than ever before, and unfortunately, Apple is sitting around wondering why instead of doing anything about it.

Take, for example, this new TechCrunch article explaining a simple way for spammers to harvest all the email addresses of MobileMe users.

From the article:

Apple knows about the problem but insists it isn’t an issue because no one has complained publicly. An Apple representative said to one of our readers: “We’ve never had a complaint from a customer about people spamming them because of their iDisk public folder name. There is no way to remove your account name from the iDisk folders. I’m very sorry.”

Um…ok.  So if I use MobileMe, I can expect a lot of spam.  Maybe they think I’ll get used to it.

TechCrunch goes as far as suggesting that Apple is falling apart at the seams.  They suggest failures with customer service and security exploits as warning signs.  The sad part is, Apple seems to either not care about fixing things, or just not get it, both of which are starting to come off as being arrogant.

Look at the recent ‘patching’ Apple did with the widely-publicized DNS spoofing vulnerability last month.  While every other vendor quickly tackled the problem, Apple released a patch that fixed only their server products, leaving their entire desktop user base still vulnerable.  It took them two more weeks, but on August 15 they finally patched it for everyone.

The nature of being secure, in my opinion, relies upon being open, recognizing vulnerabilities, and taking them head-on.  That’s why there is such a large, active community of security-aware researchers, vendors, and system administrators out there.  Apple seems to be shying away from all of this, perhaps out of naivity, perhaps out of conceit.

Whatever the case, I sincerely hope they come to their senses before it is too late.

About Will Chatham

Will Chatham is an Information Security Analyst, OSCP, Ethical Hacker, and Penetration Tester at a federal data center in Asheville, NC. Since Netscape 2.0, he has worked in a wide array of environments including non-profit, corporate, small business, and government. His varied background, from developer to search engine optimizer to security professional, has helped him build a wide range of skills that help those with whom he works and teaches.
Bookmark the permalink.

7 Comments

  1. There is no too late. Just look at Microsoft. People, companies and all kinds of other in between entities can and do go on and on and.. nobody creates enough racket to fix things. It’s very difficult for even a large group of individuals to force change in companies that have a strong power base.

    Your article is very strong yet large organizations only respond to a direct threat, meaning that they have to have something significant to lose. That kind of threat is difficult to muster. These groups want to get “into the zone” of making money/power and once they do, it’s really tough to make significant change. It’s like the knight in Monty Python screaming about how it’s just a flesh wound and how you should come back so he can bite your kneecaps off. These groups really go that far into denial.

  2. I think you are right – about the only thing that might make them take notice would be when sales figures start declining. That doesn’t seem too far out of the realm of possibility, given recent events, but only time will tell.

  3. Dude, Mac users hear the same “security through obscurity” bull shite every year. There are always a bunch of so-called security experts promising that “this will be the year” Apple loses it’s reputation for security.

    You know, previous versions of the Mac OS had even less market share than OS X and they all had viruses. Do you really think that there aren’t some Apple Haters sitting at home right now that haven’t tried to inflict some damage on those “smug, arrogant” Mac users? You think anyone is really going to buy that argument, as much as Apple is hated? Anyway, I’ll add you to the list of fear mongers.

    2003

    “The truth is that the Mac OS is just as vulnerable as Microsoft Windows.”—Lance Ulanoff, Security, IT Hub.

    2004

    “Windows is more secure than you think, and Mac OS X is worse than you ever imagined.”—Matthew Broersma, Techworld.

    2005

    “The naming of Apple’s Mac OS X to the list of latest warning from security experts to users that Apple’s operating system is not immune to threats.”—Robert Lemos, Security Focus

    “Attacks on Apple’s OS X operating system, thought by many who use the Mac to be virtually immune from hackers, are on the rise, according to a report from Symantec, an anti-virus software vendor.”—Wired.

    2006

    “Several security researchers have predicted that 2006 will be the year Mac OS X loses its image as a “safe” operating system.”—Matthew Broersma, Techworld.

    “Anti-virus software firm McAfee has identified Mac OS X as a growing target for malware attacks.”—John Leyden, The Register.

    2007

    “There will be a significant rise in virus attacks on both the Mac and open-source platforms, according to renowned security expert, Eugene Kaspersky.”—Barry Collins, PC Pro.

    “After years of relative safety in obscurity, the Apple Mac is becoming an increasingly tempting target for malicious computer hackers, according to a new report published this week.”—Kevin Allison, Financial Times.

    The reality is that the era of serene isolation is ending, partly because of technical changes that increase a Mac’s vulnerability to infected documents-and even programs—originally created on a PC.”—James Fallow, The Atlantic.

    2008

    “With Apple’s market share now around 8.5 percent and growing quickly, with sales of almost 2.5 million last quarter these Mac newbies are a tempting target for profit-minded cybercriminals.”—Dwight Silverman, Chron.com.

    “Macintosh computers have been gaining market share and catching the interest of hackers, according to Zero Day Initiative (ZDI) security vulnerability analyst Cameron Hotchkies.”—Glenn Chapman, Yahoo.

    The fact of the matter is, Apple, Macs, iThings, and everything else they are doing IS being targeted more now than ever before, and unfortunately, Apple is sitting around wondering why instead of doing anything about it.—Will Chatham, Geekamongus.

  4. I think you misunderstood my point. My point was simply that Apple had been slow to react to recent security problems, which is unfortunate for those of us with Apple products. My conjectures about the reasoning behind this were that Apple is either naive or arrogant, which i backed up by the quotes and articles I linked to. I hope I am wrong, as I want to see Apple succeed in grabbing more marketshare, not unravel after making bad decisions. Where this “fearmongering” thing came from, I’m not sure…

  5. Do you actually think spammers check your address first before sending? It’s far quicker to just have their spambots enumerate through their dictionary of usernames and send them to username@me.com and other hosts, then to validate them first.

    I don’t think this is really an issue at all.

  6. Actually, a list of valid email addresses is quite valuable to spammers. When a mail server detects a bunch of attempts to send mail to usernames that do not exist, it can easily (and automatically) block such requests. Knowing all of the valid email addresses allows spammers to avoid being blacklisted by a mail server, plus it takes much less time and effort for them to send the mail.

  7. Gustav & Will> I’m getting deja vu as the arguments you are making to each other have been very well explored in the comment section of the TechCrunch post referred to earlier.

    I’m with Will – knowing valid email addresses is valuable to spammers – this is reflected in the premium’s charged by malicious individuals when selling them

Leave a Reply