For starters, let me just say that I personally have three Mac systems and three Windows systems I interact with on a regular basis.  I’m writing this blog post from a Macbook Pro.  However, there is a wide and growing misconception about the security of Mac systems vs. the security of Windows systems.  I just came across the following post in PC Magazine’s Security Watch blog, and there is a lot of good information in there; specifically the following quote which I want to share:

In the abstract, Macs are every bit as vulnerable as Windows systems, perhaps more so. But in the real world Mac malware is so rare that it actually makes news. Hundreds of Windows trojans like OpinionSpy come out every day. Mac users are generally “irresponsible” about such things, but for now they can afford to be.

My neighbor mentioned the other day that she got a Mac and loved it because (a) it was easier to use, and (b) it was more secure. Point (a) can be argued both ways, some things are easier to do on Windows and some are easier on Mac… but point (b) is something that troubles me.  The lack of publicized vulnerabilities and attacks does not mean more security.  Joe User wasn’t concerned about the advanced persistent threat before Google released information about the Aurora attacks.

The bottom line I try to keep telling people: there are more vulnerabilities written for Windows because that is where the market share is; the attackers are going after the largest market out there.  As the market dries up they will focus their efforts on OSX, and when that happens, beware.  Mac users, don’t be too comfortable.  Get an anti-malware product. Turn on your firewall. Turn on FileVault. Disable automatic logon. Don’t make yourself the easy target when the bad guys turn their attention to Macs.

As many have noticed, Apple has released their new lineup of laptops, software, OSes, and iPhones. As I watched live coverage of the keynotes on Monday (thanks Gizmodo) – a few things caught my attention when they were speaking about the new iPhone 3G S.
The first thing that caught my eye was the mention of “hardware encryption.” Now, simply mentioning that a device supports hardware encryption can mean a lot of things, and Apple isn’t very clear about what they mean by this. Trying to do some further research didn’t help much either as I only ended up being further confused with all the different mentions of this “hardware encryption.” The official word from Apple is…

iPhone 3G S offers highly secure hardware encryption that enables instantaneous remote wipe. You can even encrypt your iTunes backups.

…according to that, it would sound like the remote wipe is dependent on the hardware encryption, which makes me believe that instead of actually wiping the data (as in a format), it would simply delete the private key – therefore making the data inaccessible. (Since iTunes stores a backup of all your iPhone data at every sync, securing this also seems important.)  This also assumes it’s using a strong form of encryption. I’ve also read in other posts…

…hardware encryption for Exchange users…

…as the listed feature. Does this mean it’s only available through Exchange, and at what level is it being used? Is it only securing your email? We know the iTunes songs and videos are already being encrypted on the device. Is this the same form of encryption they’re talking about?  We’ve asked an insider at Apple to help us out with some of these questions and are still awaiting a response.

All of this brings up major questions about the REAL security behind all these marketing terms. How much do companies actually care about security, and how much do they actually do to help protect their users? Is everything just a marketing ploy these days?

Users were upset about the lack of security in our last model of product X. Let’s add minor revisions and throw some good marketing verbiage in the features list and hope that fixes everything.

Is this how security is being treated? Apple isn’t the only company being vague about these types of issues; it rolls all across the board. They just happen to be the ones asking for the most attention at his current point in time.  Stay tuned as I hope to find and relay some answers to many of these questions as more details are revealed.

I really like my mac. It usually is pretty secure. However, Apple just patched their copy of BIND yesterday. I just got the software update request today. This is almost a month since Kaminsky’s coordinated release of the DNS patch. I wonder why Apple was the recalcitrant one that waited so long? Could it be because the exploit was finally in the wild and was on longer just proof of concept? Could it be that the patch was more critical on servers rather than desktops, and desktops are Apple’s mainstay?

Whatever the reason for Apple’s late release, it has made me think about Apple’s security practices. As far as I know, Apple doesn’t have a “patch Tuesday”, and the DNS patch release coincided with Microsoft’s patch Tuesday. Perhaps Apple is moving in that direction, and their patches just happen to come at the end of the month? Will this affect Apple’s security? Probably not, unless you have a release as huge as the DNS flaw. Because vulnerabilities that affect Microsoft don’t necessarily affect Apple, so there is no issue with the delay between Microsoft’s release and Apple’s.

Apple has known about this flaw for as long as everyone else has, and since they run BIND, they’ve even had the patch, so their delay in patching their systems is a little concerning. What else have they delayed so long on that we don’t know about?