I’m often exasperated by blinkered mindsets in the Mac community, of the security-related kind that Randy highlighted in a recent blog. You might have picked up a certain irritation in some of my blogs around the end of last month relating to Snow Leopard and malware detection, too. So it was refreshing to come across a light in tone but very much to-the-point piece by Adam Banks in Mac User.
The bit that originally caught my attention was a reference to a Mac keyboard hack described by K. Chen of the Georgia Institute of Technology at this year’s Black Hat: the paper describes a proof-of-concept attack on Macs using the firmware update mechanism for the Apple Aluminum Keyboard. (It’s an interesting paper, but the content is both less dramatic than some have implied and wider-reaching: lots of peripherals and other hardware have updateable firmware – not just PCs and routers, but stuff you might not have thought about such as audiovisual equipment. I’d worry about this a lot more if there weren’t mitigating factors such as the sheer diversity of brands within product classes and the fact that physical access is usually a sine qua non for this kind of attack so far. Even the keyboard attack isn’t specific to Apple, but to USB keyboards in general. There’s some interesting comment on all this at Slashdot and at Intego, by the way.)
[Though no-one seems to have noticed that Trojanized keyboards for Macs are, not unlike Win32/Induc.A, a new spin on an old concept. The "Welcome Datacomp" message, often mistaken for a virus symptom in pre-OS X days, was actually caused by a third-party keyboard for Mac. A quantity of these keyboards were released with a Trojanized ROM.]
Still, it’s unusual to read about security matters that geeky in a Mac consumer magazine, so I read on. (Ken Bechtel, if you’re reading this, put your coffee down.)
Adam wonders "What’s going to be the next cyber-security threat? Biscuits?" Well, he could be right there. Biscuits (or cookies, if you must) are, according to the Daily Telegraph, responsible for a wide range of injuries to humans including scalding, chipped teeth, choking, and assaults by hungry pets. Strangely, the article doesn’t mention the damage that can be done by an over-dunked Morning Coffee biscuit to an adjacent keyboard. Not a pretty sight.
But I’ve strayed from the point: what was Adam’s point about security that appealed to me so much? Well, there was a whole barrage of points about Gary McKinnon, Sony rootkits, and attacks on social networking. But the one that really grabbed me was the one about a suggestion by London’s comic-relief-in-political-residence, Boris Johnson, that the Pentagon should employ McKinnon as a consultant. I’ve often wondered, sometimes publicly, why people who don’t have much experience of IT security are so apt to assume that getting caught is proof of hacking competence that eclipses the knowledge of security professionals. But Adam puts it much more succinctly and wittily.
"Employing McKinnon as a security consultant would be like catching a six-year-old nicking sweets and enrolling him in Hendon Police College."
I’m not sure that McKinnon deserves the years in prison that are hanging over his head. But I’m pretty sure the US security services have lots of IT security expertise. They’re probably not responsible for the slack systems administration that allowed McKinnon access to all areas.
[Tip of the hat to Gadi Evron for pointing out the aggressive biscuits article!]
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET