Apple security: Myth or magic?

 

Connecting state and local government leaders

Apple enthusiasts insist that Macs are inherently more secure than Windows. But is that true?

Recently, I had to do some work on a remote Linux server. Usually, in such cases, I get command-line access to the box through a Secure Shell session, using the free Putty client for Microsoft Windows.

At the time however, someone had a Macbook notebook nearby, so I decided to use that machine instead. The nice thing about the newer Macs is, that, underneath the snazzy OS X user interface, they are built on the Darwin base operating system, which is a Unix OS based on the Portable Operating System Interface (POSIX), a set of standards that specify how an implementation of UNIX should operate. I could use the built-in SSH on this Mac.

Ultimately, I was foiled by the security features of the Mac. I found that SSH attempted to log me in as the account owner of the Mac itself, rather than letting me to supply my own log-in name and associated password. In effect, I couldn't log on as anyone except the owner of the Mac account, at least by default. Because I didn't have an account on that Mac and my friend with the Mac didn't have an account on my Linux box, I couldn't log in.

Sure, this was a roadblock for me, but I appreciated how the SSH was tied directly into the OS on the Mac. This could prevent someone else from possibly using this Mac as a launching point for other malicious activities. The Windows/Putty combo offered no such checks. (Windows' own Telnet client, which is a less secure version of SSH, does not supply the local log-in name to the destination).

While a small example, it nonetheless shows one way that Macs may in be more locked down by default, security-wise, than Microsoft Windows.

Are Macs inherently more secure than Windows? We hear this claim both from Apple and from Mac enthusiasts. But is it true?

"We like to think of OS X, both the client and the server, as being, by default, a very secure OS," Apple senior worldwide product manager Eric Zelenka told us in a recent interview. "By default" seems to be the operative phrase here.

Zelenka pointed to Mac's strict control of user permissions as an example of such security, which I had learned about first-hand in my aborted SSH sessions. Macs have a fine-grained set of permissions that determine which applications a user can run and which files and directories they can see.

Macs do not, by default, have a root account. A root account is the account you would use to make whatever changes you want on a computer. In contrast, all Windows accounts are root accounts by default. Of course, an administrator can easily configure a Windows computer to limit which actions a user can execute on computer. But Macs come like that out of the box. They follow the old Unix tradition of restricting users to their own workspaces, and keeping them — and any serendipitously planted programs operating within their accounts —- away from the sensitive parts of the OS.

"The system’s default configuration is one of the most important security features provided by Mac OS X," noted a OS X 10.3 security configuration guide posted by the National Security Agency. "The root account comes disabled in Mac OS X. Second, network services are all initially disabled. Third, the initial logging setup is consistent with good security practice."

Another advantage that Zelenka pointed out was how that underlying OS, Darwin, was open source. In theory that means more developers are combing through the source code and looking for incorrectly written code, which is a major source of vulnerabilities.

"It is not a closed-source environment where only Apple knows how the inner-workings of the OS and only Apple can improve it — it is available for the entire world to see," Zelenka said. Moreover, many of the programs and the utilities included within the OS package (such as SSH) also come from the open source community. They have been battle-hardened within the many Unix, Linux and Berkeley Software Distribution deployments out there.

Apple's security guide for OS X 10.5, mentions a number of other advanced security features designed to discourage unintended malicious activity, including sandboxing of applications within controlled environments, the use of mandatory access controls and the Keychain service to manage credentials.

But mitigating factors must also be considered as well. As Laura DiDio, principal at analysis firm Information Technology Intelligence Corp., pointed out, Macs have not been used as much as Microsoft Windows. Macs have not attracted the attention of neither the malicious hackers nor the more noble-minded security researchers, both of whom wish to make a name for themselves by finding new vulnerabilities in popular software products.

In other words, the reason that we don't see as many vulnerabilities in Macs as in Microsoft Windows is that less attention is being paid to them, not because they are inherently more secure.

This may change as Macs grow more popular. In fact, we are already starting to see this in play. In the upcoming Black Hat D.C. conference, at least one researcher will take aim at Macs. Italian security expert Vincenzo Iozzo promises to show how to have a Mac program execute entirely within the memory space of another program, thereby thwarting any efforts to detect the program through process tracing.

So only as Macs inch more and more into the enterprise will their mettle be truly tested.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.