Apr 06

There’s a lot of great information out on the Intertubes about Mac security and computer security in general. This is my take on the state of Mac security for the typical home or business user.

Back in the good old days of OS 9, computer viruses and worms were actually out and about in Macland. Passing around a floppy disk was a typical way to get a virus that infected the Microsoft Office suite or installed a viral extension into the system folder.

It was an annoying and problematical situation that users avoided by running a security package. Graphic artists in particular would be susceptible to virus problems because of the rapid file-sharing habits in their workflow. It wouldn’t be uncommon to get a macro-virus lurking in a Word document that was passed from a PC user via email.

Since the advent of OS X, there has yet to be a virus or worm in the wild that has become successful in propagating itself. Unlike in the Windows world, there has yet to be a known exploit that can be transmitted via a network without a user’s action behind the infection. Translation: Windows PCs have been known to catch exploits simply by being on a network with other infected PCs. That includes the Internet as well as local networks in offices or homes.

Does that make you feel safer? It should; then again, maybe not. Just because OS X has a stellar record among users does not mean that OS X is secure. There are many subtle insights about security in computing, one of which is this: the failure to observe an exploit or intrusion does not mean that an intrusion has not occurred. In other words, we only know about the unsuccessful attacks that have been discovered, not the ones that are not found out.

It’s also been shown repeatedly that OS X has holes that can be exploited via web pages crafted to exploit Safari vulnerabilities. There are also other ongoing security issues with Apple software as well as third party applications. Is this a problem for you personally? So far, it doesn’t seem to be a problem insofar as the security community can figure out, or at least no one has admitted to being hacked by a criminal endeavor via a Safari insecurity.

The known exploits to date on OS X have depended on user interaction. For example, the iWork suite was injected with a Trojan exploit (a means of remotely controlling a computer) and put on BitTorrent sites for people seeking to gain commercial software for free. There have also been cases of Trojans masquerading as music files on these same sites. The Safari vulnerabilities depend on a user surfing to a particular site crafted to exploit security holes within the program that grant access to the OS.

It may be that Safari and OS X are less secure than Windows Vista at this point due to some advanced security elements in Vista. Despite all this, Apple computers running OS X have no known exploits occurring at the moment. It would be safe to say that the vast majority of OS X users do not use anti-virus, firewall or security techniques beyond those provided by the default settings of an OS X installation. Compare that to a Windows world where any rational user would always insist on having anti-virus/anti-exploit software loaded on their systems before surfing.

With a 15% market share you would think that attacks on the platform would be substantially greater regardless of arguments about total user base. So far, that doesn’t seem to be happening. Users continue to use OS X without having their data stolen.

A prudent person would take some precautions regardless of perceived safety of any computing platform. Just like in your home or office, security preparations should be like an onion, in layers, so that ultimately any attacker simply has to foil too many schemes and so is repelled.

Here are some suggestions. Number one on the list: don’t keep your Very Important Passwords on a list taped to your monitor. In fact, a good way to keep your passwords is in an encrypted file of some type. I use ‘KeePassX’, a cross-platform freeware application that uses security encryption based on quantum foam or some other ungodly unhackable mathematics. You can also create an encrypted disk image using Disk Utility and keep a text file in it with your passwords.

There are also websites where you can keep your sites and passwords in a protected format. Google on ‘password storage website’ for some ideas.

You might also use a locally encrypted storage area on your PC or Mac to keep your QuickBooks or Quicken data. After all, what criminals are after are your Social Security numbers, your credit card numbers, and banking information. It’s all about the money. Your pictures of Aunt Jane, or your download of Wuthering Heights simply aren’t going to gain the same types of interest as something that has $ signs attached. If you protect those types of data from real world exploits, then you’ll find that the online world will also be excluded.

Should you use anti-virus, firewall, and anti-exploit software on a Mac? Personally, I vote with the vast majority and don’t think it is particularly useful at the moment. I caveat that statement with the observation that if one’s personal workstation is stolen and the data on it is unencrypted, then your entire personal story is probably laid out for whoever gets the machine.

So, think encryption. Don’t go to nasty third-party sites where they offer to give you the latest copy of iWork or other disreputable software. Consider creating an administration user, and another login user that you use to do day-to-day work. Use Firefox instead of Safari. It’s probably not hugely safer but it will check an online database of known exploit websites and tell you in big bright letters ‘Do You Want to Get Out of Here Now???’. That’s a good thing.

And if some window pops up unexpectedly asking for your password to proceed, say firmly ‘No’, and figure out where that window came from before proceeding.

The Great Oz has spoken.
