Archive for the ‘Apple’ Category
Best and Worst Things about Apple
OK, so if you haven’t seen it, check out Silicon.com’s 10 Best Things about Apple and their 10 Worst Things about Apple. What I found particularly interesting about this is that (for the most part), these points exactly correlated with my own assessment as a Mac-owner.
One minor point that I would make is to point out that “security” should probably be represented somewhere on both lists. In my opinion, it should be on the best list because of the fact that Apple does have a track record of reduced malware (and you can’t argue with success) but also on the worst list for a few reasons:
- It takes them longer to publish security fixes than any other OS vendor
- The disingenuous marketing (i.e. the Vista “shades” commercial)
- Encouraging users to not take security seriously on OS X
Anyway, I found it interesting that security wasn’t represented on either list – especially since there’s so much buzz about it in the press (and in the marketing) nowadays…
Apple “Vista Dude” Replaces Agent Smith as My Personal Hero
You know what’s a great affectation? An ear piece… Seriously. I’ve always liked them. I guess it’s because it’s the stereotypical “man in black” thing – like a black suit (I have one of those) or some dark sunglasses (have them too). All sorts of interesting characters sport the ear piece, which makes sense because they’re both chic and a mark of authority. Will Smith and Tommy Lee Jones had them in Men in Black (cool and chic) whereas Agent Smith from The Matrix had one (mark of authority). Anyway, joining these ranks is Apple’s new “Vista Dude” (pictured right.) Now, you’ve probably already seen the ad, but in case you didn’t, here’s the brief rundown – the “I’m a PC” guy has Vista installed and now he’s gained a “security dude” that asks him “Cancel or Allow” whenever he says or does anything. Hilarious.
There’s also an accompanying tagline from Apple: “114,000 Viruses? Not on a Mac. Mac OS X was designed for high security, so it isn’t plagued by constant attacks from viruses and malware like PC’s. Likewise, it isn’t plagued by never-ending security dialog boxes like those in Vista. So you can safely go about your work – or fun – without interruption.” Here it is so you can see I’m not lying:

Now, before I start in on this… remember that I’m a Mac user. Actually, I’m using my iBook to type this post. I’m also not one to arbitrarily make the claim that Vista is a secure platform. (Well, OK – some press folks did report me as saying that, but what I actually said had a bunch of qualifiers that didn’t make it into the story.) Anyway, my point is the same one I’ve made all along (remember, as a Mac user); specifically, that Apple’s current line of advertising (entertaining though it is) is problematic to Mac users in the long term. Why do I say that? Let’s break it down:
1) The subtext is untrue. Apple says “Mac was designed for high security…” (implied subtext is that Vista and other OS’es were not.) Aside from it arguably not being a fair representation of Microsoft’s approach to Vista, the statement is meaningless. I mean, it has an implied logic that doesn’t hold up under scrutiny. For example, “it’s designed to be secure, therefore it doesn’t have malware” is crap. How about “the Titanic was designed for seaworthiness, ergo it didn’t really sink?” Same logic – does it make sense there? No. Trying to make the case that users should take a vendor at their word based on a statement of their intent at the time of development is ludicrous.
2) Asking the user. Sometimes you have to ask the user for a decision. For security decisions, you’re more likely to have to ask the user for input. My Mac asks me to make security decisions all the time – like whether I should enter my root password when I’m installing new software.
3) It does down the earpiece. Respect the earpiece. I won’t see it defamed in this way.
4) (and now the real reason this tweaks me…) Security is more than malware. Some of us Mac users happen to think that the current dearth of Mac malware has more to do with percentage of population and user base rather than inherent features of the Mac. If that’s true, defining the Mac as being “secure” because it has less malware short-circuits Apple’s position in the long term. Why? Because if they hope to become the dominant platform, they will have malware too. If they get us to buy-in that lack of malware equals security, aren’t we going to view them in the same light that we view MSFT today? Not a good idea…
Anyway, I love these commercials. But I also want Mac to succeed. And they’re not helping themselves in that regard.
Month of Apple Bugs… Does it Matter?
So, you’ve probably noticed that the month of Apple bugs is going on even as we speak… Much like the month of browser bugs, the month of kernel bugs, and the month of Oracle bugs (which kinda petered out), the plan is to post a full month’s worth of bugs impacting Apple at a rate of one per day.
Now I saw that this Apple bug thing was going on and I didn’t write about it ’cause I figured “ho-hum”… and then came the wall of controversy. Thomas Ptacek weighed in early, saying that there’s no reason for a “bug a day” release schedule.
HD Moore to Dark Reading:
OS X still virus and adware free (according to some)
On the Security Protocols blog I came across an interesting entry today; specifically, they pointed out a Blog entry criticizing the recently-hyped “iAdware” (F-Secure’s designation) detailed by F-Secure earlier in the week. To quote from the entry:
# F-Secure bear the ultimate responsibility because through their staggering pompousness and ineptitude they totally misrepresented the issue.
# F-Secure were playing ’stir the pot’. It’s one thing for Kevin Finisterre to publish his POC; it’s quite another for a security company to pick it up and run it – especially in the reprehensible way they did.
# When it comes to Unix in general and OS X in particular, the boobs at Fucking Insecure don’t know jack shit. And Mister Bill still has time to cancel his cheque.
This “iAdware” thing has received quite a reaction from the press at-large. Sophos via ZDNet has come down on the “it’s not an issue” side of the equation and InMascatine has said that it doesn’t count as malware. Once again, another OS X proof-of-concept has been received, cataloged, and passed on by the Mac community. Apparently, Apple’s marketing is winning the day – according to consensus, there is no malware for the Mac.
Yes Mr. O’Brien, you are holding up five fingers…
Cloud of Smug Centered over Apple HQ
Did you ever see that South Park episode where everyone was so self-satisfied from driving hybrid cars that a gigantic cloud of Smug formed over South Park and threatened to cause the end of the world? People were going around saying things like “I prefer to be part of the solution rather than part of the problem” and holding themselves up on a pedestal because they’re so great. Something about that scenario reminds me of Apple’s recent marketing. Here’s what I mean.
Back in the day, when Apple went live with their new message about how they’re better than everybody else because they don’t have the same quantity of malware, I thought it was only a matter of time before they got slammed. However, they didn’t get slammed. In fact, I don’t know what the bad-guys are doing, but not only has this message not caused Apple any pain, but it has actually been so successful that they have expanded it to further emphasize their contention that there is no malware for the Mac. This time, the PC dude is wearing a trench coat and trying not to be recognized because of all the spyware while the Mac guy is just relaxed and at peace. Apparently, Mac’s don’t get malware, and they don’t get spyware. Behold the power of marketing.
Not only do they not get malware now, but Infoworld has taken it a step further in their recent longwinded diatribe about why the Mac has superior security and can’t get spyware/worms (apparently, the architecture of the Mac is so superior that malware just “can’t happen under OS X”.) Not that these arguments have any technical merit: I won’t go into all the reasons why this kind of thing is specious again, since I’ve done it so many times in the past… but, trust me, there is absolutely no technical reason why malware won’t run on a Mac. It will, I guarantee it. No matter what the bloggers over at Infoworld tell you, all general purpose PC’s can get malware. It’s just plain logic.
Look, computing platforms are built to allow the user to manipulate the environment, right? And if a user can do it, a user’s agent can do it. And since there is no way to know user intent programmatically, if a user’s software agent can do it, malware can do it. For example, if a user can install software that gets launched at boot and uses system resources, then spyware can install software that gets launched at boot and uses system resources. If a user can reformat the disc, malware can reformat the disc. But buy in to Apple’s message, and it seems like there’s something magical about Mac that defies this – somehow once software is undesirable to the user, it can no longer be installed on the system. Bull. Sooner or later, people buying Macs based on these flawed assumptions marketed by Apple will get a wake-up call, and I think it sucks that Apple’s capitalizing on these false claims in the meantime.
McAfee Warning about Mac Malware
Interestingly, McAfee has decided to warn us all about the probability of malware appearing for OS X in the near future. McAfee has apparently put out a whitepaper called “The New Apple of Malware’s Eye.” The Register implies that McAfee’s whitepaper is pretty much a hollow justification for their new VirusScan product for Mac on Intel, but there’s actually some good data about the growth of Mac vulnerabilities in the paper. Anyway, it’s 6 pages, so it’s minimal time invested, and it’s a very interesting read.
The Gigantic “Bull’s Eye” on Apple’s Forehead
You know that sweet little icon that Apple (the company) paints on their products? You know the one I mean; it’s a (usually glowing) picture of a stylized apple (the fruit) with a tiny bite taken out of it. Well, what if I told you that Apple (the company) was going to replace that icon on all its products with a gigantic friggin bulls-eye that says “hack me, pencil-neck” right in the center of it? Ok, they’re not really doing this; at least not literally. What they *are* doing, however, that’s likely to generate almost as much attention from the malware community is proclaiming themselves to be completely virus free. Oh, I’m quite serious – check out the advertisement; it’s a scraggly looking “I’m a Mac” guy in jeans wiping the nose of the “I’m a PC” guy in a suit. The “I’m a Mac” guy goes on to say how there are so many viruses for the PC, but none on the Mac.
Now, I don’t know about you but I haven’t seen this kind of hubris since Oracle’s “unbreakable” campaign. Remember that? I do. I remember that at one point in time, most researchers ignored Oracle and pretty much left it alone… Then Oracle stepped up on the soapbox shouting “we’re unbreakable”, only to find themselves getting the kind of scrutiny from hackers usually reserved for new flavors of Mountain Dew.
The Mac press has apparently “bought in” to the hubristic message and has decided to run with it. For example, The Mac Observer (in the article “Cutting Through the OS X Security Rhetoric”) whitewashes Apple’s recent security problems (or, in Mac Observer parlance, the “misinformation being spread by the media”) by attempting to “debunk” the recent press that has painted Apple unfavorably. Now, I love my Mac as much as the next guy, but I’m not going to accept a statement like “…it’s obvious that Mac OS X is currently a more secure and stable operating system than Windows XP…” without questioning why it’s obvious. What data is being used to back up that assertion, because it’s not obvious to me?
And, as we know, much of the user community has already bought in in absence of evidence. Check out the comments from the Mac Observer article:
Apple I think responds far more quickly than Microsoft especially if they find something that is dangerous. But they’re not going to drop everything for the knit picking that Sans and others say may be or could be type scenarios. .. [For the record, Apple responds consistently slower than Microsoft, even if the issue is more dangerous. Plus, most of us in the security community tend to view 0-day remotely exploitable bugs with a certain amount of gravity (i.e. not "knit-picking")].
A good reason for Apple’s “slow” response time is because of how insignificant the threats are. You can’t really expect them to pile in a million technician hours to fix a flaw that is basically theoretical or has only been seen in action once in the wild. [it's true, 0-day remote code execution is hardly worth a developer's time]
BootCamp, RebootCamp, and Virtual Security
Along with a bunch of other folks, I’ve been following the numerous discussions about Apple’s Bootcamp with a bit of interest; “dual booting” isn’t a particularly new technology for most of us, but it’s interesting nevertheless. Today, I came across a post on Peter O’Kelly’s Reality Check that made the topic even more interesting – a technology called “Parallels” that allows a Mac user to run a virtual Windows image. Ok, ok – virtual machines aren’t new technology either – but all these discussions about maximizing the flexibility of the new Apple hardware open up interesting possibilities for Mac users. Which leads me to something… Notice this language in the article that Pete references (emphasis mine):
Most people comment that an Intel Mac runs Windows faster than any PC they’ve ever owned. And if the Windows side ever gets bogged down with viruses and spyware, you can flip into Mac OS X and keep right on being productive.
While this isn’t really the point of the article, the obvious subtext is that virtualization technology increases the overall security of the platform. This is a view I hear more and more commonly; for example, Security Focus has an article that came out yesterday about the security advantages of virtualization:
Mike Danseglio, a Microsoft program manager in the company’s security group, recently had this to say at a security conference: “When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit.” So it’s come to that. Everyone reading this knew it all along, but there it is in black and white – if a Windows machine gets infected, wipe it and start again from a baseline install. Virtualization, however, makes that easy, affordable, and quick.
I think it behooves us to question the assumptions here – is it a given that virtualization will bring with it a corresponding increase in platform security? I used to think so, but now I’m not so sure… but we’ll get to that in a minute. Let’s start by looking at how some of the products out there enumerate the perceived security benefits.
- VMware says, “Users protect their PCs against adware, spyware and other malware while browsing the Internet with Firefox in a virtual machine… isolation capabilities to prevent malware downloaded in the browser from propagating to the normal desktop.” Point 1: applications are “isolated” from the host operating system.
- IBM says, “The partitioning-capable server is designed so that one partition is isolated from software running in other partitions, including protection against software defects and even deliberate software attempts to break the partition barriers.” Point 2: applications are “isolated” from each other.
- Sun says, “N1 Grid Containers are shielded from the outside world and the tenants of a container are assured that no other users of a container on the same system can “see” what they are doing, or derive or compromise information. Additionally, an administrator, such as the traditional ‘root’ user, inside of a container only has authority over his own container, so if the container is illegally accessed, the container isolates the intruder inside the boundary.” Point 3: users are “isolated” from inappropriate resources.
Hmm… Sounds to me like the hubbub is about isolation; in other words, the claim is that virtualization improves security because applications and users can now be grouped in any number of ways at the application level. Hearing no argument, if this type of isolation is the primary goal, what does that mean for us from a security perspective? Let’s look at it from the top down – can we make the broader statement that “isolation” in other contexts is always a security benefit? Is it true that segregation in and of itself has a clear security benefit in all cases? Some would argue with me on this, but I happen to think the answer is “no”… I think segregation improves security only to the extent that it is manageable… period. Without management, segregation adds nothing to security (best case) or even detracts from security (worst case).
By analogy, take isolation technology at the network layer. For a long time, a bunch of people thought that buying and deploying firewall technology (thereby isolating portions of their network) would solve a ton of security issues; but we learned over the course of events that it wasn’t the isolation itself that brought the benefit, but the broader context of how that isolation is used and maintained. In other words, a firewall won’t do anything unless you deploy it in an intelligent way. It’s fairly accepted nowadays that firewalls (while a useful tool in most cases) can also decrease security depending on how they are used and deployed.
It seems to me that virtualization is the same thing: use it intelligently as an isolation tool and you increase security – use it without thinking through how it will fit in your current world and you decrease security. Create a well-thought-out and manageable set of virtual images/apps/whatever along with a well-defined plan for how to maintain them and you probably will (as VMware, IBM and Sun claim) create an environment in which security thrives. However, create yet another unmanageable mess (e.g. unmaintained VM images, unpatched “disposable” guest OS’s, etc.) and the only thing you’ve done is increased complexity, increased administrator workload, and built new “virtual” pathways to your assets. I guess the moral of the story is the same one I’ve made countless times: management first, technology second.
Thus endeth the rant.
Apple – they’re killing me
Today, I came across a post on Illuminata called “Apple, Enemy of Reason” discussing the Apple “Boot Camp” technology. Briefly, BootCamp allows OS X to run XP applications on Macs with Intel hardware. Most of the pro-Apple sites that I read tend to view this as a positive development… I’m just ticked cause I have a PowerPC Mac so I’m left in the wake.
Apple Easter-Egg Courtesy of Illuminata
OK, long story short – I just figured out that Illuminata (one of my two most favorite analyst firms) has a real bona-fide weblog called “Illuminata perspectives”. I had been subscribing to the “new articles” feed over there, but the blog is way cooler. Anyway, courtesy of them, check out the nifty Easter-egg in OS X.