The Macalope Weekly: Insecurity complex

Time to push the panic button again as Apple products get hacked at the annual contest seemingly named by 8th graders, CanSecWest Pwn2Own! Aren’t hackers adorable?!

(Answer: no, they are not.)

iPHONE HACKED! (Others also hacked. See page D13.)

Media critic that he is, the Macalope has some complaints about how the results of Pwn2Own were reported. It was easy to miss it in the headlines, but IE 8 and Firefox, both running on Windows 7, were also hacked. Which puts Safari in, well, pretty lousy company. Apple topped most of the reports probably because people are so used to thinking of Windows as being insecure that it’s not news anymore. Kudos to Google Chrome for being the only browser to remain unhacked at the end of the contest.

The Macalope’s pretty tired of what has become the de rigueur and breathless inclusion of “was hacked within seconds!”—as if these guys had never seen an iPhone or IE 8 before and figured out how to hack it that fast. The winners actually spent two weeks coming up with the iPhone attack.

The time interval is really only interesting in terms of the contest. In the real world, what matters is whether the attack succeeds, not how long it takes to pull off. If someone steals your social security number, it doesn’t matter whether it took them 15 minutes or 20 seconds.

At the end of the day, what the hackers were able to access are the system-wide features we already know to be exposed: SMS, contacts, email, pictures and iTunes (the winner chose SMS, making off with the entire database). The iPhone proved more secure than any of the desktop platforms that were hacked because the attacker, even with code running on the device, was still unable to get out of the sandbox, yet the iPhone hack topped the news. Personally, the Macalope found it interesting that the IE 8 hack overcame ASLR, one of the Windows security features Microsoft was so loudly clapped on the back for adding.

The Macalope’s sure this isn’t the case with everyone, but he thinks anyone hacking into his SMS database is going to be pretty disappointed. There are three texts from friends that read “WHERE ARE WE MEETING?” and a couple of pictures of his naked antlers he sent to his wife. That’s it.

OK, maybe there’s a black market value for the pictures, but probably not much. And, um, if anyone does ever see them on the Internet, the Macalope would just like to point out it was really cold when he took them.

She’s a witch! Burn her!

Don’t think the iPhone’s deadly insecurity has gone unnoticed. A survey of security professionals — who undoubtedly all use nothing but Google Chrome at the workplace and not IE 8 (cough) — tagged the iPhone as the most insecure mobile device.

The iPhone is the highest-risk smartphone to carry into the workplace, a study of security professionals found on Thursday. Of those asked by nCircle, 57 percent said Apple’s phone is the worst mobile device threat, followed in a distant second by Android at 39 percent.

Wait, Android gets a better rating?

The statements come despite Android lacking hardware encryption and having features that, while powerful, lend themselves more to security risks. As apps don’t always need to be signed and can expose features such as the file system, Android devices can theoretically have all their data compromised in software and be used to carry off data of their own.

And isn’t that revealing about our very serious security professionals?

You know what might be a slightly worse workplace risk than the iPhone? Security “specialists” who make decisions based on their personal biases rather than actual threats.

Don’t shoot the messenger, no matter how obnoxious he is

The Macalope has long suggested Apple could do a lot better in the security sphere. In the horny one’s anecdotal experience, the single biggest thing that’s driven former Windows users from their abusive relationship with Microsoft and into the waiting arms of Apple is wanting to not have to reinstall the operating system every six days after your fourteen layers of spyware protection failed. The Macalope would hate to see Apple lose that advantage. Someone in the comments will surely say it’s the magic of Unix and not the magic of small market share that makes Apple products less likely to get attacked but, well, you’re wrong.

Far be it from the Macalope to suggest that Apple base its development decisions on his level of entertainment, but he’s so bored with this security stuff he could bang his antlers against a rock. He wishes the company could wave a magic wand and make it go away, but they can’t. As Pwn2Own winner Charlie Miller suggests, Apple (and the other companies) need to take a more comprehensive approach to security than just patching holes.

The security mafia (“That’s a nice operating system you got there. It’d be a shame if something were to happen to it.”) tends to give Microsoft more of a pass because Microsoft is more open about its problems and how it pretends, uh, plans to deal with them. Apple, as we know it, is simply never going to be that open. The only way for Apple to protect its advantage and make this a non-issue is to look at security holistically (the iPhone sandbox environment is actually a good start). The Trojans may have found Cassandra annoying, but that horse was even more annoying.

[Not enough Macalope for you? The horned one was also a guest on this week's Macworld Podcast.]
