Social engineers don’t care about your OS: and nor should you

Security companies in general and, unfortunately, anti-malware companies in particular, are often accused of ‘hyping’ threats because of a perceived self-interest. However, in the main, legitimate vendors and researchers like those at ESET typically try to resist overhyping or playing up threats where possible, in favor of more balanced discussion that can help customers take the sensible precautions needed to protect themselves.

So, then, there is something of a dilemma when faced with threats that are certainly not as widespread, but that are relevant to a population that is largely (if not entirely) unaware of the threat’s existence. Do we want to go the route of avoiding talking about the issue, and risk being accused of understating the issues to the market? Or do we try to find a way to talk about the problem that reflects the accurate risk level to the community, despite the peril of being perceived to be building market share by hyping lower impact threats? This, for instance, is the quandary we face when we try to talk about threats that affect Apple’s Mac OSX platform. When we see the current discussion in the media, we feel obligated to make some comment and answer our customers' questions, but we certainly don't want to be involved in spreading hype or misinformation.

On the one hand, we know that OSX malware does exist – and I’ll talk about that in a moment – but on the other, we have a two-fold problem of a lack of awareness regarding internet security within the user community, combined with a lower level of threat volume compared to other platforms.

When epidemiologists start to see new strains of influenza breaking out in populations of animals such as swine, birds or bats they always have the concern that this could lead to the infection crossing the species barrier in to human (or other species) populations. In fact, as pathologist Steven Riedel states “Many infectious diseases are known to cross species barriers, and generally many of these infections occur because humans come into contact with an organism that is already capable of causing human infection” (Riedel, 2006) While at a certain point direct comparisons with biological epidemiology break down when speaking about computer related malware, there is a salient point here.

The main justification for using an Anti-malware product on non Windows systems (e.g. Macs or GNU/Linux systems), at least in a business scenario, has long been to prevent the spread of Windows malware via that platform to Windows systems on the same network. The main argument against using anti-malware is based on a related presumption: that 'Only Windows systems get PC viruses’. Of course, other systems won't get PC viruses, because there’s a big architectural difference between Unix like systems and Windows systems that precludes the possibility – but that's like saying that cars don’t get in airline accidents. This is where an analogy might actually take flight (sorry!) – there are many more cars in the world than there are aircraft, and there are aguably more security measures taken over aircraft safety than there are for cars – and yet, nobody would deny that there are threats and risks applicable to both modes of transport, or claim that the threats to aircraft are overhyped because cars have the most accidents (leave aside that the media typically do disproportionately report aircraft accidents – because their frequency is so much lower).

If you have been involved in computer security (and particularly the antimalware branch of that world) for any length of time, you will have come across the typical arguments about Windows vs. Mac  vs, GNU/Linux (or whatever your favoured OS flavour here) security, which more often than not are informed by platform loyalty or antipathy, vs. a deep understanding of behavioral and technical issues that determine the true security “surface” of a platform (and perhaps a mistaken belief that the security issues relevant to Windows ME and earlier still apply to NT-derived Windows versions like Windows 7).

There is a saying that ‘security is only as strong as its weakest link’. In almost every case, regardless of platform, the weakest link is the interface between the chair and the keyboard. So let us look at security from that point of view, and try to decouple the issue from specifics about platform:

  1. Most systems can be configured in ways that make them more, or less, secure.  And, since security can be usually reduced or overridden by user action – malware authors often rely on tricking the user into accepting/installing malicious software, as it’s much easier than trying to attack vulnerabilities in the system or applications (which can often be quickly patched when discovered). For instance, fake anti-virus scam attacks are entirely predicated on such social engineering. It’s not really about what OS you use – some of the threats will be common across all platforms, (there is also, in fact, a steady trickle of application-specific malware that doesn’t care much about hardware) while others are unique to the ‘platform’.
     
  2. Viruses are now a tiny subset of the sorts of malware we see in the 21st century, and the idea that viruses (that is, self-replicating pieces of code) are the ‘main problem’ relating to system compromise by malicious software is very much “last century” thinking. In principle, any system that can run computer software can run self-replicating computer software – there’s no magic to a virus. However, most modern malware does not replicate by itself – it has a different purpose: malware designed to disrupt or destroy systems has largely been replaced by malware intended to commit financial or identity theft related crimes.
     
  3. It doesn’t matter how silly you think it is, but people are very frequently manipulated into entering their admin credentials to install malware and bypass security, and this is totally independent of the system. People do it because they are used to the requirement to enter an admin password to install a legitimate piece of software (or even to change the time on the system).  Malware authors know that if they trick you into believing you need to install software, you will do the very thing required to bypass system security.   If you feel secure in your status as an advanced user with superior knowledge of every file on your system, you are not the majority, and you, lucky you, are not the target of the social engineer. Your immunity is probably due to years of expertise on a system and maybe a technical background, and is not a general rule for the wider population.
     
  4. "I’ve never been infected so I don’t have a problem.”  How do you know? This assumption is related to the 20th century thinking about viruses being nasty programs that delete things, pop up funny messages on your screen and blow smoke out of your monitor.  In an era where much well designed malware is designed to be invisible to the user, this is no longer valid logic. 

Business customers recognize the importance of comprehensive security (and often have mandatory compliance initiatives) as well as ensuring that their non-Windows user population do not distribute files which are carriers for Windows threats.  Also, and we believe equally importantly, we know that security is defensive in nature.  The time to deploy security is BEFORE you have a problem, not afterwards

So, to sum it up, we never want to be the ones hyping threats, but we recognize that there’s a need for good information and that all our customers deserve the ability to be able to catch the threats that they might otherwise fall prey to through clever social engineering, or just bad luck.

Finally, because the ultimate vector for most malware is not the system, it’s the user, we’ve taken the added step of bundling in online security training (a quick and easy program for typical users) into our ESET Cybersecurity product for Mac. This will help users to configure their networks and systems for effective security, and to recognize the common ploys malware authors use in social engineering attacks.

The recent MacDefender malware outbreak on OSX is a good example of this:  if you didn’t accept the software’s invitation to install itself to “remove” the nonexistent viruses you were told you had, it could do no harm to the system.  If you were running ESET Cybersecurity, you would have had the extra protection in place to block the attack (removing any doubt about whether to install or not – not an easy choice for less technically advanced users). If you had taken the training you would have recognized MacDefender for the rather primitive social engineering attack it was (and before any Windows users get smug, this is an attack that has been very common on that platform for some years with fake products like Antivirus XP 20xx http://www.microsoft.com/security/pc-security/antivirus-rogue.aspx).

You may believe that anti-malware software is something only a Windows user needs, and in some contexts, you may be correct. “Do I need anti-virus” is not a question with a simple one-size-fits-all answer, but I’m sure most people would agree that education is a good thing and that defensive Security software combined with training equates to a safer online environment for all of us.

As Dan Clark noted in his recent post, Apple has issued a support document on how to avoid or remove MacDefender that can be found here: http://support.apple.com/kb/HT4650

Riedel, S (2006) “Crossing the species barrier: the threat of an avian influenza pandemic” (Online) Available from: http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1325277/

 

Author Andrew Lee, ESET

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

20 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.