Call them the hack attacks that weren't. Late last week and into this week, the sometimes Mac-ignorant media piled on the news that there appeared to be some malicious software circulating that targeted Apple's (AAPL) Macintosh computers.
Even Matt Drudge got into the game, with headlines on his heavily trafficked Drudge Report Web site that screamed: "Two Viruses Target Apple's Macintosh."
One piece of malicious software was dubbed Leap-A. It masqueraded as JPEG images of screen shots of the next version of Mac OS X. An unsuspecting Mac user might download the files by clicking on a link, either via iChat or the Web. The worm replicates by sending itself to other Mac users via the iChat buddy list. No one seems to know exactly how many people have been affected, and there have been no reports of actual damage (see BW Online, 2/21/06, "Macs, Safe No More?").
GHOST IN THE SHELL. The other one, known as OSX.Inqtana.A, was designed to spread through a vulnerability in Bluetooth wireless technology that was patched by Apple eight months ago.
A third vulnerability -- this one a potential chink in the armor, rather than a piece of naughty software -- was disclosed early this week. Apple's Safari Web browser has a feature that lets you open downloaded files that are considered safe as soon as the download is complete. It's a rather innocuous feature designed to speed things along as you get files from the Web, with no waiting to open a PDF or text file.
Where it could become a problem is if the file you're downloading contains a shell script -- that is, a series of commands designed to be executed in the Mac OS X terminal window. (For those unfamiliar with the jargon, the terminal window is where those computer owners versed in Unix commands can interact with the machine by typing into a box that's analogous to the old DOS interface some Windows users still swear by.) Typically, Safari doesn't consider shell scripts to be "safe" and by default doesn't run them automatically upon download. But this vulnerability allows malicious programmers to fool Safari into treating a shell-script file as safe, and thus running it.
LEVEL CLEARANCE. Depending on your level of access, the Mac's terminal can be a pretty powerful tool. A user who is signed in with administrative privileges has a lot of control, but not enough to do any real damage if he or she were so inclined. On the other hand, a user with root access -- the highest level -- is essentially a god on that computer, and with a little knowledge and malicious intent can cripple a machine. Apple generally discourages the use of root accounts, and disables the ability to create them by default.
Administrative accounts on the Mac can do most of the housekeeping tasks a root user would normally do on Unix-based systems, without fear of the damage that could be done by an uninvited root-access user. But that doesn't mean a shell script sneaking in under administrative auspices can't make a mess. It could, for example, contain commands to delete files accessible at the administrative level. And if it happens to sneak onto the machine of that rare individual with root access, the damage could be far worse.
Your best bet in avoiding this vulnerability is to turn off Safari's preference for "Open 'safe' files after downloading," and wait until Apple issues a security update. Either that, or use Mozilla's Firefox browser, which is available at www.mozilla.com. (It's my browser of choice on both the Mac and Windows machines.) With Mozilla, any file you download will simply sit inert on your desktop until you decide to open it. With the number of dubious downloads on the rise, knowing whether or not the file came from a reliable source always helps.
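For readers comfortable in the terminal, here is one way to look over a download folder before opening anything in it. This is an added example, not part of the original column and not Apple's or Safari's own logic: it flags files whose names claim an image or document type but whose contents begin with a script interpreter line or carry the executable bit. The extension list, function names and output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag downloads whose name claims a "safe" document or
# image type but whose content or permissions say "program".
# SAFE_EXTS is an assumed list for illustration, not Safari's own.
SAFE_EXTS="jpg jpeg gif png pdf txt mov"

# Succeeds when the file's extension (case-insensitive) is in SAFE_EXTS.
has_safe_extension() {
    name=$(basename "$1")
    case "$name" in
        *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
        *)   return 1 ;;
    esac
    for safe in $SAFE_EXTS; do
        [ "$ext" = "$safe" ] && return 0
    done
    return 1
}

# Succeeds when the first two bytes are "#!", the marker of a script.
starts_with_shebang() {
    [ "$(head -c 2 "$1" 2>/dev/null | tr -d '\000')" = "#!" ]
}

# Prints one line per suspicious regular file found in the directory.
audit_downloads() {
    dir=${1:-"$HOME/Downloads"}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        has_safe_extension "$f" || continue
        if starts_with_shebang "$f"; then
            printf 'SCRIPT-CONTENT %s\n' "$f"
        elif [ -x "$f" ]; then
            printf 'EXECUTABLE-BIT %s\n' "$f"
        fi
    done
}
```

Save it to a file, source it, and run `audit_downloads` with a folder path (it defaults to the Downloads folder in your home directory); a clean folder produces no output.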
BRAIN DRAIN. Collectively, these two pieces of malicious software -- if you can even call them that -- posed practically zero threat to Mac users, and the third vulnerability caused no reported damage. But they did serve to renew the discussion about how secure the Mac actually is -- and among Mac loyalists, it's a rather rancorous debate. One side is defiant in its absolute faith in Mac security, the other far more skeptical and pragmatic.
But I'm coming to the conclusion that your choice of computer operating system is almost irrelevant to the debate over information security. Sure, Windows has more holes than the U.S. border with Mexico. But the biggest security vulnerability is quickly turning out to be the human brain.
Two of these three security issues involved at least some action on the part of the computer's user -- clicking through to see the pictures of the new OS X or downloading a deceptive file containing a malicious shell script.
FALSE PRETENSES. In both cases, scammers make sure the bait looks legitimate, thus taking advantage of a phenomenon security specialists call "social engineering."
If someone shows up at your door and says he's a police officer while flashing a badge, you might be inclined to believe him and let him in, only to be robbed blind at gunpoint. And if you get an e-mail claiming to be from your bank, your first instinct may be to believe it and click the link inside it.
Computer criminals eager to go after bank accounts, credit-card numbers, and other personal information for financial gain are quickly learning that they need not necessarily break into a computer to get it. Instead, it's proving disturbingly easy, using various degrees of subterfuge, to convince computer users on Macs and Windows PCs alike to give their info away, through "phishing."
PHISHING PHRENZY. Phishing attacks typically come in the form of e-mail messages that direct the recipient to a phony Web site that looks just like that of a bank or other financial institution. Once there, the victim is asked to provide account numbers and other sensitive information under the guise of account maintenance or some other flimsy reason. Such attacks are on the rise. I see a few phishing e-mails pop up in my various accounts every day.
The Anti-Phishing Working Group, a coalition of companies that includes eBay (EBAY), McAfee (MFE), Symantec (SYMC), Adobe (ADBE), and EarthLink (ELNK), pegged the number of phishing Web sites at 7,197 at the end of 2005, up from 1,707 at the end of 2004. That tells me that, so far, phishing is working, and it isn't necessarily limited to those using Windows. The best guards against a threat like that are knowledge and vigilance.
Hesseldahl is a writer for BusinessWeek Online in New York