Silicon Shecky

Infosec Practitioner

Connect

Apple, how secure are you?

By Leave a Comment

We all know that Mac fanatics claim how secure Mac OSX is. Is it really that secure though?

The last couple of months have not bee kind to OSX. The Mac operating system has seen its first round of widespread malware. Apple has been busy playing whack-a-mole trying to stop it. The Mac fanbois have been denying it. Apple is still more secure they claim. If this is true, then how did Apple top the Stack of Shame this week?

The reality of the situation is that Apple is entering uncharted territory for OSX. Not only does it have enough percentage of the market to make it a more viable target for the underground Internet, but it doesn’t have a true plan in dealing with such issues. This was shown by Apple’s response to the MacDefender malware. The denials, the bad press, and finally a solution that keeps getting circumvented. Yes, overall the amount of people infected might be small beans, but it is a larger outbreak than ever before, plus it shows that it can be done.

The next question comes in with these 26 vulnerabilities, how quickly will they be patched? That is the key to preventing exploitation of said holes. Is Apple ready to do monthly patches, weekly patches, out of band patches? How will they respond to all of this?

No Operation system is 100% secure. There is too much code, too many different vectors to attack from, and there is always the end user who is the biggest threat to security. Apple response to the OSX security issues should enlighten us to the iOS plans for security issues. No, there aren’t many now, but there will be.

Androids Biggest Weakness

By Leave a Comment

I have an Android phone, and I enjoy it. I don’t care for the iPhone. That being said, Apple has one huge advantage over Android.

The Android Smartphones are popular. The work well (for the most part), and are reliable (again for the most part). The open development community for apps has produced some great free applications, that you would have to pay for on iOS. There is a drawback to Android though, and it is something that by all rights should be more of a strength.

When you look into the world and history of Operating Systems, you see a bloody trail over security. Which OS is more secure, which one addresses security problems the fastest, etc. The Open Source community has always claimed that because more people can look at the code, patches can come out faster, and in the Desktop arena this definitely seems to be true. In the world of Smart Phones though, this “advantage” is lost.

The problem is not directly Android or Google, or the Open Source community. The problem is in Manufacturers, and even more so on the carriers. There is a process for patches and updates. Google writes an update, tests, sends to the manufacturer who tests, approves and then sends to the carrier. Android is so customizable, and on so many different manufacturer’s phones that this process has to happen for each model, each customized OS, and each carrier.

Now we are getting into a situation with this long protracted system of updates. Holes being found in the systems are there for months, possibly years before a patch gets pushed out. In this age of phone upgrades every 18 months, of more mobile applications for smart phones, more people banking and shopping off smart phones, and the upcoming Near Field Communications, updates for security need to happen a lot faster. The risk of more and more identity theft is growing, and the slowness of the pipeline is maddening.

Now add on that every manufacturer has been customizing the Android OS to try and differentiate itself from the others. How many more security issues can this raise. How many of the mods are creating security holes (we won’t go into other issues these mods cause)?

Yes, Apple has to go through the same sort of pipeline, but Apple has only piece of hardware (with different chips for GSM or CDMA) and just the carriers to deal with. Its a much shorter pipeline, and Apple can cut a carrier off from future iPhone releases if it wants to. Android needs to come up with something similar soon, especially with all the malware that has been coming out for the platform already.

Patch Tuesday is here

By Leave a Comment

With all the hacks going on out on the net today, patching your machines is more critical than ever.

Microsoft is releasing 16 Patches, 9 of which Microsoft deems critical. Patches include Windows, Office, and .Net, and all attempt to address RCE attacks.

Oracle has also released a major patch for Java in the past few days which addresses a number of security vulnerabilities. Adobe has patches out recently for Flash, Apple is playing whack-a-mole with malware, and basically there is a lot of patching to do.

Don’t forget though, with all these patches, to test them before deploying them. It doesn’t happen very often, but some patches can break your software.