GCN Tech Blog

By GCN Staff


Apple security: Myth or magic?

Recently, I had to do some work on a remote Linux server. Usually, in such cases, I get command-line access to the box through a Secure Shell session, using the free PuTTY client for Microsoft Windows.

At the time, however, someone had a MacBook notebook nearby, so I decided to use that machine instead. The nice thing about the newer Macs is that, underneath the snazzy OS X user interface, they are built on the Darwin base operating system, which is a Unix OS based on the Portable Operating System Interface (POSIX), a set of standards that specify how an implementation of Unix should operate. I could use the built-in SSH on this Mac.

Ultimately, I was foiled by the security features of the Mac. I found that SSH attempted to log me in as the account owner of the Mac itself, rather than letting me supply my own log-in name and associated password. In effect, I couldn't log on as anyone except the owner of the Mac account, at least by default. Because I didn't have an account on that Mac and my friend with the Mac didn't have an account on my Linux box, I couldn't log in.

Sure, this was a roadblock for me, but I appreciated how the SSH was tied directly into the OS on the Mac. This could prevent someone else from possibly using this Mac as a launching point for other malicious activities. The Windows/PuTTY combo offered no such checks. (Windows' own Telnet client, which is a less secure version of SSH, does not supply the local log-in name to the destination.)

While a small example, it nonetheless shows one way that Macs may be more locked down by default, security-wise, than Microsoft Windows.

Are Macs inherently more secure than Windows? We hear this claim both from Apple and from Mac enthusiasts. But is it true?

"We like to think of OS X, both the client and the server, as being, by default, a very secure OS," Apple senior worldwide product manager Eric Zelenka told us in a recent interview. "By default" seems to be the operative phrase here.

Zelenka pointed to Mac's strict control of user permissions as an example of such security, which I had learned about first-hand in my aborted SSH sessions. Macs have a fine-grained set of permissions that determine which applications a user can run and which files and directories they can see.

Macs do not, by default, have a root account. A root account is the account you would use to make whatever changes you want on a computer. In contrast, all Windows accounts are root accounts by default. Of course, an administrator can easily configure a Windows computer to limit which actions a user can execute on a computer. But Macs come like that out of the box. They follow the old Unix tradition of restricting users to their own workspaces, and keeping them — and any serendipitously planted programs operating within their accounts — away from the sensitive parts of the OS.

"The system’s default configuration is one of the most important security features provided by Mac OS X," noted an OS X 10.3 security configuration guide posted by the National Security Agency. "The root account comes disabled in Mac OS X. Second, network services are all initially disabled. Third, the initial logging setup is consistent with good security practice."

Another advantage that Zelenka pointed out was that the underlying OS, Darwin, is open source. In theory, that means more developers are combing through the source code and looking for incorrectly written code, which is a major source of vulnerabilities.

"It is not a closed-source environment where only Apple knows how the inner-workings of the OS and only Apple can improve it — it is available for the entire world to see," Zelenka said. Moreover, many of the programs and the utilities included within the OS package (such as SSH) also come from the open source community. They have been battle-hardened within the many Unix, Linux and Berkeley Software Distribution deployments out there.

Apple's security guide for OS X 10.5 mentions a number of other advanced security features designed to discourage unintended malicious activity, including sandboxing of applications within controlled environments, the use of mandatory access controls and the Keychain service to manage credentials.

But mitigating factors must also be considered. As Laura DiDio, principal at analysis firm Information Technology Intelligence Corp., pointed out, Macs have not been used as much as Microsoft Windows. Macs have attracted the attention of neither the malicious hackers nor the more noble-minded security researchers, both of whom wish to make a name for themselves by finding new vulnerabilities in popular software products.

In other words, the reason that we don't see as many vulnerabilities in Macs as in Microsoft Windows is that less attention is being paid to them, not because they are inherently more secure.

This may change as Macs grow more popular. In fact, we are already starting to see this in play. At the upcoming Black Hat D.C. conference, at least one researcher will take aim at Macs. Italian security expert Vincenzo Iozzo promises to show how to have a Mac program execute entirely within the memory space of another program, thereby thwarting any efforts to detect the program through process tracing.

So only as Macs inch more and more into the enterprise will their mettle be truly tested.

Posted by Joab Jackson on Jan 30, 2009 at 9:39 AM


Reader Comments

Sun, Nov 22, 2009 houston computer repair http://www.24hrsnetwork.com/

I agree... the default setting should be to require a username. To increase the amount of work required for an application bug to be exploited, heap memory is made to be non-executable and memory addresses are randomized... contact us if you need help to repair your computer.

Sat, Apr 25, 2009 Elvedin Trnjanin

The other security issue with OS X is that it does not have the security features that other modern operating systems have. To increase the amount of work required for an application bug to be exploited, heap memory is made to be non-executable and memory addresses are randomized. These are two of the many things that Linux, BSD, and even Windows do. OS X either does not do these things, or it does them poorly. While it may be easy to find an exploitable bug in an application, memory randomization and those other tricks make it significantly more time consuming to successfully exploit. This would either (hypothetically) give you more time to patch a security issue or give you more evidence to find an application that someone or something is attempting to compromise. With OS X, once the exploitable bug is found, the exploit can be run successfully without any work on the part of the attacker. Allegedly, the 10.6 update will address these issues.

Sat, Feb 28, 2009 Site Submit http://sitesubmit.ezedir.com/

Thanks for the info, great work... appreciate Hugh mano

Sun, Feb 1, 2009

I agree the default setting should be to require a username. However, SSH is like any safety util: if you don't know how to use it... RTFM first. You're thinking the Microsoft way, "everyone else uses it so it has to be "safe"", "nobody has ever hacked my windows". And finally, your assumptions precede your requirements. How do you even know if you're connected to the right host, never mind the correct username? Ever tried, as a new user, to find out what the actual fingerprint for the current host is?
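
On the fingerprint question raised in the comment above, here is an added example (not part of the original post or its comments) that computes the `SHA256:` fingerprint of an OpenSSH public key line, the same form `ssh-keygen -lf` prints, and compares it with a value obtained out of band. The sample keys are constructed in the code, and the helper names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey_line(seed: bytes) -> str:
    """Build a CONSTRUCTED ssh-ed25519 public key line (not a real host key)."""
    fake_key = hashlib.sha256(seed).digest()  # 32 bytes standing in for a key
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(fake_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample-host"


def fingerprint(pubkey_line: str) -> str:
    """Return the SHA256 fingerprint of '<type> <base64-blob> [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64_blob = fields[0], fields[1]
    blob = base64.b64decode(b64_blob, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with its own type string; it must agree with the text.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type in blob does not match the line")
    # Fingerprint = unpadded base64 of SHA-256 over the raw key blob.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(presented_line: str, trusted_fingerprint: str) -> bool:
    """Check a presented host key against a fingerprint obtained out of band."""
    return hmac.compare_digest(fingerprint(presented_line), trusted_fingerprint)


if __name__ == "__main__":
    server_key = make_sample_pubkey_line(b"constructed-server")
    trusted = fingerprint(server_key)  # what the admin would read to you
    print(trusted, host_key_matches(server_key, trusted))
    impostor = make_sample_pubkey_line(b"constructed-impostor")
    print(host_key_matches(impostor, trusted))
```

The trusted fingerprint has to come from the server's administrator or console, not from the same network connection that is being verified.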

Sat, Jan 31, 2009

Any ssh client lets you choose the account you want to get into. Simply do "ssh someuser@someserver". Mac always has a root account (so does Linux). That's the account the operating system itself is running under. Whether a user gets access to that is another issue. Please don't confuse your ability to not do something with security. Judging security of an OS requires understanding the OS itself.
