I always loved Apple commercials for the Mac; it was always fun to see the new jab they would take at Microsoft. I specifically got a chuckle out of the claims that the Mac is super secure and Windows is plagued with security issues.
In reality, though, Mac OS has more vulnerabilities on a month-to-month basis than Microsoft Windows. I brought this up in a previous post, Apple Joins the Army, and referenced an article with the exact statistics. If I remember correctly, the average number of monthly vulnerabilities on the Mac platform was five times higher than on Microsoft Windows.
I was reading this article today about Marc Maiffret, an ex-hacker who turned professional. Featured in People Magazine’s 30 People under 30, he is definitely someone to listen to. I immediately thought of Kevin Mitnick, but that’s another story. Marc is a co-founder of eEye Digital Security and now works as Chief Security Architect at FireEye.
He goes on to mention that he believes Microsoft does a better job auditing their code than Apple. I would take this further: many Mac users do not take security seriously, and many do not run any third-party security products. Until recently, many security vendors did not create products for Mac OS. Apple commercials would lead you to believe the Mac is super secure and not vulnerable to hackers, viruses, and other forms of malicious software.
Apple has two things in their favor regarding security. First, Mac OS is based on Unix and inherits a lot of security developed over many years. The second reason, which I think is more significant, is that no one used to care about hacking Mac OS outside of academic reasons. As of December 2009, Microsoft Windows had over 92% market share compared to Mac OS at just over 5%. Hacks built for the Windows OS can reach a larger user base and yield an exponentially higher ROI to hackers.
Although I am a big fan of Firefox (albeit far from perfect), Microsoft made impressive improvements to the security of Internet Explorer. Ever since Bill Gates released his Trustworthy Computing memo in January 2002, Microsoft has shown significant attention to security.
Famous Apple security expert Charlie Miller is preparing to announce 20+ new Zero Day security holes in Mac OS X at CanSecWest. Charlie says, “OS X has a large attack surface consisting of open source components, closed source third-party components and closed source Apple components; bugs in any of these types of components can lead to remote compromise.” He further explains, “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.” As I have been saying for years, Apple users are currently safer only because hackers see a larger ROI (return on investment) attacking Microsoft Windows-based machines.
I have been noticing Apple Mac users requesting and installing third-party anti-virus protection software more frequently than in previous years. More key players in the anti-virus industry are releasing their flagship security products for Mac OS. When Mac OS becomes a key target for hackers, the damage caused will be quite significant, because most Apple users do not install third-party security software and the general mindset is that Mac OS is secure from hackers and exploits.
Another recent large-scale breach has been identified: the University of North Carolina at Chapel Hill notified around 163,000 women of a potential compromise that may result in the leak of personal information as well as their Social Security numbers. This potential leak is due to a hacker breaching a system containing this data.
Although the breached server at the UNC School of Medicine contained information on 236,000 women, only 163,000 of the records contained Social Security information. Matt Mauro, chairman of the university’s Department of Radiology, said the breach was originally discovered in July but the intrusion may have taken place as long as two years ago. Mauro said “We think we found some viruses that date back to 2007”.
The server has been offline since July, when the breach was detected, and the sites sending information to UNC have temporarily stopped. Forensic teams required time to piece together the extent of the damage and the potentially leaked information, which is the main reason given for the delayed announcement. They do not believe the information was downloaded or modified in any way at this point.
The Federal Aviation Administration (FAA) recently fell victim to another malicious hacker attack. This time two servers were compromised, resulting in the exposure of personal data for 45,000 employees and retirees. The second server contained encrypted medical records, which are believed to be safe.
FAA spokespersons confirm this attack did not reach Air Traffic Control systems.
“These government systems should be the best in the world and apparently they are able to be compromised,” said Waters, an FAA contracts attorney.