Apple Mac users read in dismay this week that their beloved and seemingly impregnable machines are just as susceptible to trojan attacks as Windows systems. The MacDefender trojan presents itself as a genuine warning message that lulls unsuspecting Mac owners into believing that their machine is compromised and that by installing Mac Defender normal service will be resumed.
This comes at a time when the volume of phone calls I receive from people claiming to represent a company that’s detected an infection on my PC is on the rise. Two in one night this week — a new record!
Both these attacks attack the same weakness — the person that’s placed themself between the keyboard and chair. The phone calls are not well targeted. They know that the majority of the people they call will have a PC and that it’s highly likely to be PC. The MacDefender does specifically target Macs and shows that with popularity comes tall poppy syndrome. There are now sufficient mac users out there for scammers to bother writing an application that targets them specifically.
This brings me to an admission. I was taken in by a fake site recently. I work for the government and my department has an intranet called OnePortal. Unthinkingly I googled the name rather than using my bookmarks — a natural instinct for a Chrome user but if you do that the top link takes you to OnePortal.net.
This website is a pretty basic copy of the genuine article but with the site being largely static, it’s pretty easy to rip off the code and some images. I should have spotted that the news was months out of date (but isn’t that often the way with intranets?) and that it didn’t greet me by name. I REALLY should have been suspicious when it wanted me to download an active-x control but so many intranets do feature media from various sources that I went ahead and clicked the ‘I’m a dumbass’ button at which point I was hit with ads for various products, not all of which were legal.
Being in the position I am in, I have local admin rights on my machine and so I was very, very lucky that this website did nothing more than fill my screen with ads. A full scan revealed no adware and there were no rogue processes running and no ill effects since. All the same, it reminded me that a) nobody should have local admin rights and b) even people who should know better make mistakes from time to time.
This last story also highlights that anyone can be a target. Whilst the spoof phone calls rely on the popularity of Windows and the MacDefender exists because of the growing popularity of Apple OSX, the cloning of OnePortal is evidence that some people are prepared to fish in relatively meager waters.
The good news from this? The fact that attacks on users are so popular suggests that the computers themselves are pretty damn secure. Microsoft and Apple are quick to patch security holes as and when they are discovered and the majority of major viruses these days infect a system via a trojan… i.e. they require somebody to be fooled into letting them in.
So where now? We can’t patch humanity and so people will continue to be fooled into installing rogue software. Maybe not. Look at Apple to see a reliable method of massively increasing your system security. If you want to install software (apps) on an iPhone the only way to do this is through the Apple App Store. Apple carefully vet all applications before making them available. The iPhone, iPad and iPod are, as far as I can tell, trojan-proof.
Of course, if you head down this route you lose some of the control and freedoms you have enjoyed up to this point. Whilst Apple do use their powers for good (i.e. ensuring that apps don’t contain trojans or viruses) they can also use them for evil, such as in the case of the Podcaster app which was refused entry for being too similar to its own iTunes. By disallowing you access to software that is potentially better, Apple are stifling innovation and being anti-competitive. Apple don’t have to bother giving you a better music player when they can block any serious competition.
The Podcaster example is from way back in 2008 so things may well have changed since then, but the principle stands.
And this leads me to my final question: Would you rather a world where somebody else had a say in what you can and can’t do with your computer? Would you be happy to relinquish freedom in return for security? It is, I suppose a question that can be leveled at many other aspects of life but it’s likely that in the not too distant future you will have to choose.