Rich at Securosis (@securityninja on Twitter) made an interesting post yesterday about the fact that, in referring to Mac security, the possibility of a threat doesn’t equate to there being a probability of it. While we can argue the toss about who in the security industry does or doesn’t have a clue about basic probability theory*, the point made is nonetheless worth examining.
There’s definitely something in the fact that, as yet, the Mac OS has not been a great target for malware. This, as most people with any sense will acknowledge, is not due to the fact that Macs are automagically non-virusable, but rather due to the lower market penetration they currently hold, making them a somewhat lower priority for exploitation. Although there are signs that this is changing, particularly with the porting of the Zlob Trojan to Mac, up to this point I agree with Rich: the risk is relatively low AS FAR AS GETTING INFECTED with something is concerned.
Where I have a problem with his post is that, in pointing out one logical fallacy, he makes another: that of confusing correlation and causation. The fact that you use a Mac may protect (to whatever limited extent) against certain types of threats, but that does not mean that you are not equally exposed to other threats – in fact, precisely because of your false sense of security, you may be even more so. Phishing, for instance, is completely platform-agnostic – having a Mac won’t protect you – because the thing being infected is the USER, not the SYSTEM. There’s nothing to stop you getting caught out and putting your banking credentials onto a fraudulent website (unless of course you have some security suite that might warn you of the fact… oh, that’s right, you don’t need that on a Mac). To be fair, the fact that security against malware isn’t really all about getting an Anti-Virus program on your system is also something that should be emphasised more often, and that’s something that probably is the fault of the industry.
Similarly, many have been predicting the rise of malware for mobile phones, with all sorts of dire prophecies of doom. However, as Mikko Hypponen (@mikkohypponen on Twitter) points out, at the moment the prevalence of mobile malware is falling because most phone OS vendors are tightly controlling the applications that go on their platforms. He goes on to point out something that should be blindingly obvious (even to the most devoted of Mac fanbois), but sadly isn’t: once you get past having the user involved in the infection cycle and start finding a way to exploit the OS itself (or an application running on it) – by discovering and exploiting vulnerabilities – the game changes.
I’ll leave you with a lovely image that demonstrates my general feeling about life, the universe and everything – http://twitpic.com/snklj/full – if there’s one thing I’ve learnt in my years in the Anti-malware industry, it’s that ‘There will be Malware’. And that’s more than just a possibility.
*For a great (and very funny/bitter) introduction to statistics and probability I recommend John A. Paulos’ excellent book “Innumeracy: Mathematical Illiteracy and its Consequences”.
Andrew Lee CISSP