The Official Blog of the Duke Chronicle Development Team.

Macs Can't Get Spam: The Dangers of a False Sense of Security

I recently had the pleasure of graduating from Duke University. At one of my graduation ceremonies, I ran into the parent of a friend who asked me what I was doing after graduation. This parent was no tech fanatic, so I summarized my cloud and virtualization automation gig at Microsoft by saying I worked on a product that allowed operating systems to run other operating systems as applications, so one could run Linux on their Windows machine, Windows on their Mac machine, etc. Of course, this is only a tiny sliver of the true description and value of virtualization to computer systems, but to a parent who probably had never even heard of Boot Camp or VMware, let alone hypervisors or virtual machines, it seemed like an acceptable summary.

Of course, the parent said how cool that was and how proud they were of me, the same thing all parents say to their children’s friends. But what was really interesting was what she said next. “I could actually really use that software,” she said. “I run a business on Windows machines and I just get so much spam! I’d love to switch to Macs without having to buy new computers for my business.” I kind of just scratched my head for a second. I tried to explain to her the fallacy of her argument – that email is a completely separate module from a computer operating system, and no matter what OS she used, spammers could still send email to her email address. Sure, a different email client might filter the spam out better or automatically delete it, but that has nothing to do with the operating system. There are a variety of clients for Mac, Windows, and the browser that do a good job of filtering spam. My comments seemed to go in one ear and out the other. “But Macs are a closed system. They can’t get viruses or malware or spam,” she said. You can’t make this stuff up…

Now before I go on, I’d like to note that Macs definitely have their uses. For one, their hardware is great. They’re built on top of Unix, so they have a great terminal which makes development easy. They work great as general-purpose computers. And they look pretty. But Macs are not a safe haven when it comes to security, and the fact that Apple advertises them as such actually makes Mac users even less secure because they have a false sense of security. Because of this false sense of security, many Mac users click on questionable links on the internet, install sketchy programs, and don’t install antivirus software. Apple has always stated things to this effect, such as this snippet from their website:

“with virtually no effort on your part, OS X defends against viruses and other malicious applications, or malware”

Literally making users believe they have to put zero effort or thought into defending themselves on a Mac! If this were the case, would security vendor ESET have found that Mac users lost more money on average than PC owners did in phishing attacks? Would the recent Flashback Trojan have infected 1% of all Macs in the world – a larger percent infection than the “most dangerous malware to attack Windows-based computers” ever, Conficker? Would Mac vulnerabilities in WebKit, Samba, DNS, MDNS, Apache, and Java have gone unpatched by Apple for many months after all other platforms had fixed the same vulnerabilities in their software? Despite all this, another ESET survey found that more than 50% of computer users thought of PCs as very or extremely vulnerable, whereas only 20% of computer users thought of Macs that way. If there’s one thing Apple does better than making computers, it’s marketing!

Until recently, Windows usage was much greater than Mac usage, and for this reason virus makers always targeted Windows PCs in their attacks, because they simply had more users to exploit. Macs were more secure than PCs, not due to the operating system’s security, but due to the lack of interest by malicious parties. Today, however, Mac market share has grown enough that malicious parties are starting to target the platform. PC users know they must be mindful of what they click on and download to their computer, because they have had to be mindful in the past, while Mac users have been lulled into the naive belief that they are safe. The problem is even worse considering that social engineering attacks like phishing scams work in the browser, so they are cross-platform, and they are almost impossible for OS protection software to prevent due to their social nature. For example, if someone emails you saying they are Facebook and they need your password emailed to them to confirm you are who you say you are because someone recently tried to hack into your account, is anything built into the computer operating system going to delete this email or warn you it’s fishy? Nope. Maybe, and only maybe, an email client will. But social engineering attacks happen in so many ways that the only way to truly defend against all of them is to recognize that the Internet is a dangerous place, and to take things with a grain of salt before you click on or install them. The best defense one can have in the world of ubiquitous Internet isn’t something on the computer, but something in the brain.

Think of it this way – if you were wearing an impenetrable suit of armor from head to toe, why not run into the middle of a battlefield? The problem is, if that armor isn’t as safe as its maker says, you’d actually be putting yourself in way more danger than even someone wearing no armor, because you are willing to put yourself into much more dangerous situations with no thought of the consequences, whereas the defenseless person knows not to do that. Where this metaphor isn’t completely sound is that, in sword fighting, it is a no-brainer to all of us that you should take precautions no matter what defenses you’re wearing. But this isn’t the case in computer security. Staying away from an enemy with a sword is a much more straightforward “instinct” than the lessons people need to learn about defending themselves on the Internet, where malicious attacks are disguised or socially engineered. That’s the problem with Mac security. It is good, just as Windows security is good, just as Linux security is good. But Mac security is nowhere near as good as its marketing presents, and it never will be, because no amount of secure software can replace the basic understanding that one must be alert to danger on the Internet at all times.

So next time you log on to your computer, regardless of what OS you use, or how secure you think it is, make sure to proceed with caution.