
Cybercrooks Focus on iOS

Written by Kim Davis
8/15/2012

Apple's relative success in the mobile market is attracting the attention of the cybercriminal underworld. Each reported breach leaves a little more blood in the water.

Personally, I've long been convinced that Apple's vaunted invulnerability when it comes to malware has been primarily a function of its limited penetration of the personal computer market (historically barely 10 percent, but climbing a little this year). Only secondarily is it an effect of supposedly "baked in" security features.

Hackers may be tenacious, but they're not stupid. With all that low-hanging Windows fruit out there, why bother engineering smart new ways to attack the Mac OS? Indeed, Apple's recent security embarrassments have sprung from high profile "white hat" attacks rather than for-profit criminal exploits.

That may be about to change, precisely because of the relative success of the iPhone, and especially the iPad. A share of the tablet market in excess of 60 percent is bound to grab the bad guys' attention. The signs have been around for almost a year. The enterprise security vendor Imperva publishes a monthly "Hack Intelligence" report. The October 2011 edition, which tracked discussions in hacker forums, reported a startling growth in discussion of iPhone exploits.

Ironically, one problem facing iOS devices seems to spring directly from the assumption that Apple has security well covered. Developers working on apps for the iPhone and iPad have been lulled into passivity by Apple's reputation for looking after security at a deeper level than apps and add-ons. Informed audiences, however, are starting to raise their eyebrows.

At the Black Hat hacker conference last month, delegates were disappointed by an "underwhelming" speech from Apple's platform security manager. Meanwhile, at the same conference, Jonathan Zdziarski, an iOS forensics expert, was describing methods to hack an iPhone, both with and without physical access: "Give me two minutes with somebody's phone and I can dump the entire file system from it."

Enterprises should be paying attention to these developments, slow and nebulous though they may be. If iPhones are vulnerable to malicious exploits, including attacks via apps, it makes sense to believe that the same is true of iPads.

With iPad uptake continuing to accelerate within the enterprise this summer (a prediction I made, and which was greeted by general disbelief, last year), security managers should take little comfort in Apple's reputation for invulnerability.

— Kim Davis, Community Editor, Internet Evolution

Kim Davis
Thinkernetter
Friday August 17, 2012 1:00:29 PM

I don't quote authority to prove I'm right, but just to show that my thinking is in the mainstream.

Security expert Bruce Schneier credits the Mac's small market share: "If you're looking for the masses of naive users, Windows is where to go," he says.  Adam O'Donnell, director of emerging technologies at Cloudmark, agrees. He's applied game theory to the question and concluded that producing Mac malware won't be economically viable until the Mac's market share hits 16 percent (it's now under 9 percent). O'Donnell says, "There is no economic benefit to investing the time in compromising a Mac when you can compromise 10 to 20 times more systems for the same level of effort by going after PCs."

MacWorld

That's from a few years ago, but it's really the history I'm talking about.  Times have changed.

Kim Davis
Thinkernetter
Friday August 17, 2012 12:56:08 PM

Mitch, the vulnerability of Windows is - or has been - self-perpetuating.  Most hackers do not devise their own exploits: they copy what others have done.  What others have done is hack Windows.

This is not to say Mac OS isn't more secure than Windows.

Mitch Wagner
Thinkernetter
Thursday August 16, 2012 11:22:27 PM

@robjvargas - Yes, and in that case Apple was, in fact, the security hole that got the whole mess started. 

I'm not arguing that Apple is more secure. But MacOS is. 

stotheco
IQ Crew
Thursday August 16, 2012 10:30:41 PM

I think it was just a matter of time before hackers turned their attention to something else. Something 'shinier', like Apple's iOS. A couple of months ago, around April (if my memory serves me right), the Flashback Trojan affected over 600,000 Macs. It was obvious that Apple was unprepared for an attack of such magnitude. With all that attention on Apple and their OS, it was only logical that hackers would look towards the iOS next.

robjvargas
IQ Crew
Thursday August 16, 2012 10:27:31 PM

Mitch, I agree that it's not as simple as market share.  On the other hand, I think it's still a major factor.

You should read Mat Honan's description of what happened to him.  He actually was contacted by a hacker who was involved in the deletion of his Google account, and the wiping of all three of his Apple devices, an iPhone, iPad, and Macbook, all tied together through his iCloud account.  As he says:

[T]heir ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

So thinking of hackerdom in economic terms isn't adequate. What economic benefit did they gain from wiping his devices?  In fact, as Mat Honan says:

By wiping my MacBook and deleting my Google account, they now not only had the ability to control my account, but were able to prevent me from regaining access. And crazily, in ways that I don't and never will understand, those deletions were just collateral damage. My MacBook data — including those irreplaceable pictures of my family, of my child's first year and relatives who have now passed from this life — weren't the target. Nor were the eight years of messages in my Gmail account. The target was always Twitter. My MacBook data was torched simply to prevent me from getting back in.

Collateral damage.  They didn't gain a direct economic benefit.  They simply wanted a popular Twitter feed.

We've got tons of postings and comments around here about "The Cloud" and Cloud-based services.  It's entirely possible that "iOS vs Windows vs ChromeOS" is not even the question we should be asking.  Maybe iOS *has* been more secure all these years.  Maybe it was lucky from a security perspective simply because of its small footprint.

Or maybe the REAL question is: is the digital infrastructure really ready for a cloud-connected and cloud-dependent market?

Mitch Wagner
Thinkernetter
Thursday August 16, 2012 5:11:07 PM

While there is a grave moral difference between hacking and legitimate application writing, the economics are the same.

Hackers don't care where the loot comes from. Neither do legitimate developers. They go where the money is. 

And most legitimate app developers aren't writing their own binary code; they're using off-the-shelf development tools. Which are far more commonplace on Windows than on the Mac.

If the rarity of attacks on Macs were a simple matter of market share, then we should see a similar scarcity of Mac apps. Which we do not. Something else is causing the disproportionate representation.

Kim Davis
Thinkernetter
Thursday August 16, 2012 5:09:07 PM

Another way of looking at it, Mitch: as a writer, I care somewhat who I write for. If I was a bank robber, I wouldn't care which bank I stole from. There's a conceptual asymmetry there.

Kim Davis
Thinkernetter
Thursday August 16, 2012 5:07:18 PM

You're right, Rob.  The Honan hack might not be relevant to iOS security, but it does reveal a sadly haphazard approach to security in general.

Kim Davis
Thinkernetter
Thursday August 16, 2012 5:06:07 PM

There's a difference between specializing in writing apps for an OS and specializing in stealing from a certain OS.  Hackers don't care where the loot comes from.  What's more, most cybercrooks aren't devising their own exploits; they're grabbing or buying tools already available.  This has tended to perpetuate the vulnerability of Windows.

robjvargas
IQ Crew
Thursday August 16, 2012 1:30:58 AM

The recent Epic Hack of Wired correspondent Mat Honan should point out just how weak Apple's security posture really is.  I mean, last four of the credit card number to reset passwords that permit wiping devices?  For real?

That number is on virtually every receipt, virtual as well as physical, where the card has ever been used, and many of those same receipts have your name on them as well.

Apple thought this was secure?  Let's not ignore, either, that Apple has so far (as I have seen) refused to even acknowledge the security failure, even though it cancelled over-the-phone password resets.

Now isn't the time to say that Apple's security is dismal.  But it's facing a challenge, and there is very real reason to doubt that they are ready for it.
