Thursday, May 26, 2011

Apple standard procedures won't work with security

from cnet.com

On May 24, Apple posted a support forum entry on how to avoid or remove the MacDefender malware that's been plaguing an unknown number of users since early May. And I'm glad they did. But the support forum is way overdue, and Apple's standard method of responding to user issues--ignore them until they won't go away and then issue a response when the outcry gets too loud--simply won't fly where user security is at stake.
Mac users are a juicy, unprotected target for hackers, phishers, and scammers, and Apple needs to drop the impenetrable fortress act and help them raise the drawbridge.
[Image: Mac Defender installer (Credit: Sophos Security)]

MacDefender and its malicious software variants have been landing on Macs since at least May 2, when Intego and Sophos first reported on a massive SEO poisoning scheme that had Windows and Mac users alike clicking on malicious links and becoming infected with a Trojan program.
My colleague Ed Bott's attempts to bring the MacDefender issue to light were a fascinating saga all their own. Bott faced massive backlash from Apple users who insisted there was no malware problem--or if there was, it paled in comparison with the security nightmare that is Windows (their words, not mine). Fanboys accused him of inventing the whole tale. And John Gruber of Daring Fireball denounced the MacDefender concerns and said Bott was "crying wolf."
Nevertheless, the problem persisted, and the support calls increased. And then a source inside Apple support told Bott that Apple had issued new instructions for support reps to follow when handling MacDefender cases. Those instructions? Don't help them.
The full text of the instructions is here. Support reps were told not to tell customers infected with MacDefender how to force quit Safari, remove items from the start-up process, or how to force quit the Mac Defender process--and not to refer those customers to forums where they might actually find help. Support reps were also instructed to dodge "general" questions that might lead to resolutions if they knew the customer was calling about MacDefender. Why? Because the customer (the victim of this malware, to be clear) was trying to ask "obvious questions to skirt our policy."
So, when Apple--more than three weeks after this malicious software appeared in the wild--got around to posting a support forum on how to remove or avoid MacDefender, it was also nearly a week after Google reportedly killed a lot of the poison links that were infecting people in the first place, a week after CNET and others posted instructions on how to remove MacDefender, and at least one support memo too late to demonstrate a serious commitment to customer security.
As both Mac defenders (if you will) and critics alike point out, this behavior is Apple's standard operating procedure for dealing with problems of imperfection. MacBook discoloration and whining? Deny or ignore for weeks, then eventually fix the problem. Cracks in MacBooks? Never happened. Defective display reports on iMacs that cropped up in 2007? Ignore for years and continue to ship problem displays until 2010, when you say they've been fixed. The "raster shift" problem with eMacs? Ignore, deny, and quietly fix case-by-case. iPhone 4 death grip issues? Tell everyone they're holding the phone wrong, then eventually hold a press conference and offer free bumpers.
From the perspective of, say, John Gruber at Daring Fireball, this approach represents a commitment to decisive action that leaves the customer hanging for a brief, uncomfortable period, then ultimately results in a satisfactory outcome. From my perspective, it represents a commitment first and foremost to not admitting fault, canny observation of which way the media winds are blowing, and action only after outcry has reached a sufficiently intolerable din.
But whatever the reasoning behind this silence-then-solution pattern, it won't work as a response to security issues. Phishing attacks, Trojans, even viruses are not hardware problems that can be fixed in future revs or by the helpful Genius Bar--and by all accounts, these attacks are becoming ever more common and there's every reason to believe Macs will be increasingly a target, according to Sophos researchers.
And why shouldn't they be? After all, Mac users are uniquely trained not to be security aware, thanks to all those years of being told that Macs don't get viruses. When it comes to falling for phishing attacks and cheerfully installing malware (after all, what Mac user should be afraid to install software? Macs don't get viruses!), Mac users are like sheep ready to be led to the slaughter. And today's phishermen are sharpening their hooks.
This is not an attack on the security of the operating system--any OS is hackable, for one thing, and phishing attacks rely less on zero-day vulnerabilities and more on the complacency of an unsuspecting victim. Mac users? Pretty unsuspecting. Heck, when a friend of mine told me, two weeks ago, about a storm of porn pop-ups plaguing his Mac, I said, "it sounds like a virus, but it can't be. It's your Mac!"
If Apple's future response to security issues is to take weeks to respond, instruct support reps to obfuscate or refuse to help customers, or continue to act like an unsinkable Titanic of security, they'll only put users more at risk. Hackers will happily take advantage of any delays in response.
In fact, while researchers believe the initial MacDefender Trojan was, perhaps, a proof of concept, by May 25 it had evolved into a variant that, according to this article, didn't need an administrator password to install itself, bypassed system folders, and installed itself in your user account folder. That's a much more dangerous piece of software than it was when it started, and a pretty scary precedent.
Let's hope the next Trojan to come along doesn't get such a helpful window of opportunity. No one is immune from attack, not even Mac users. And Apple needs to take care of its customers (who include me!) without its own support reps having to act like anonymous whistleblowers to get the word out. Security is a whole new game on the Mac--time to think different.
-------------------------------------
That last line says it all for me. Mac users need to learn about security before it's too late, not stick their heads in the sand.

8 comments:

  1. Apple's "fix" has already been circumvented.

    www.slashgear.com/macdefender-malware-renamed-macguard-bypasses-apple-fix-26154467/
  2. Er, no. Apple hasn't actually released the fix yet.

    Either way, this is a pretty hypocritical argument.
  3. I agree. Mac users DO need to learn about security--specifically how to avoid being suckered into installing trojans.

    While this new variant doesn't request an admin password, neither does it just download in the background and begin running by itself. Even a user with Admin privileges is presented with an installer window that they have to confirm. People must be taught to understand the potential risk of allowing this.

    Ultimately there is only so much that any company can do to protect users from their own stupidity (without hobbling the computer for other useful purposes).
  4. Why not use a software firewall like this:
    http://www.protemac.com/netmine/
    In my opinion it's easier.
  5. The thing is, most Mac users don't think they need the protection. Maybe this blog should be called "Arrogant Mac-User Haters" :P
  6. And now it's fixed...
  7. Um, not completely it's not. The "fix" is only for newer versions of the OS. Plus it could still allow someone to install known malicious software.

    http://www.zdnet.com/blog/hardware/apples-mac-defender-update-allows-users-to-run-known-malware/13099

    I expect the malware creation kit made especially for Mac OS will churn out a few more variants before it's done.
  8. Because, unlike viruses and worms, trojans don't exploit a software weakness (but rather user gullibility), there really is nothing for Apple to "fix", and never was. Sure, Apple can play whack-a-mole in an attempt to keep up with each new trojan. Daily automatic black-list updates will help, but ultimately users must learn to take responsibility for the software they install.

    If owners of older Macs choose to rely on software to protect themselves from their own stupidity, there are plenty of *legitimate* options available (both commercial and free) to anyone willing to do the research. Once and for all, it is not Apple's responsibility!!

    If people continue to hold Apple accountable, then realize that the end game is that only Apple-approved software will be allowed on Macs. I'm sure the haters will find nothing to complain about with that scenario. Ha!