Do Macs Need Antivirus Software? More Answers to this Persistent Question

A few days ago we trained our blog's spotlight covered the Stuxnet Worm and the incredible piece of reporting done at Wired to bring this story the attention it deserves.

Since the Wired article, there has been just tons of coverage about how the worm came to be, about the threats to equipment like the Siemens controllers in the article, and what the real threats are from these types of attacks.

One of the best ones was in an ITWorld piece this week, "Does the Mac have an edge against state-sponsored hacking?"

This isn't just about state-sponsored hacking but about the question generally of: Does a Mac Need Antivirus Software?

This question is posed indirectly in the outsanding research document Macs in the Age of the APT [Advanced Persistent Threat] done by iSEC Partners.

There's a second question-within-the-question though: Does the Apple computer need antivirus software?

Let's start with a quote from the ITWorld article,

When hackers broke into Google's computer network nearly two years ago, their first step was to take over Microsoft Windows machines running in the company's China offices. Would Google have been better off had those workers been running the Mac?

"Not necessarily, according to researchers at iSec Partners, a security consultancy that is part of NCC Group.

"Speaking at the Black Hat conference in Las Vegas Wednesday, iSec founder Alex Stamos and his team of researchers took a look at the typical stages of the type of intrusion that hit Google -- called an advanced persistent threat (APT) attack -- and compared how the Mac would do versus Windows 7.

...and as you might expect this is where things get interesting.

It's commonplace in the Mac community to believe--even recklessly--that Apple OSX is immune to viruses and other malware.

Malarky. If it has a CPU, it can get a virus. Full stop.

Right now there are still fewer--far fewer--threats for the Mac. No question.

Some pundits claim this is because there are fewer Macs than PCs; others will claim this is because the Mac is so much more secure, it's all but impervious to attacks technologically.

While that may--and I want to emphasize may--be true, that doesn't mean the Mac really is impervious technologically. It's not. It's just that the bad guys haven't publicly put the attention onto the Mac that they have onto Windows.

Further, the Mac is no more immune at all than a Windows 7 PC against a social engineering attack where the user is tricked into installing malicious software.

Again quoting the ITWorld piece on the iSEC research,

Their conclusion: Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it's a whole different story.

"'They're pretty good for [protecting from] remote exploitation,' Stamos said. '[But] once you install OS X server you're toast.'

"The problem is that many of Apple's server protocols -- mDNS, Apple Remote Desktop, the Mac Kerberos authentication, for example -- use weak authentication models that give the attackers ways of getting access to parts of the network that should be blocked.

"'Every password-based authentication mechanism in OS X has problems,'[Editor's Note: Emphasis mine.] Stamos said.

Interestingly, Stamos echoes the same key point we like to make about security: Security isn't just about protecting against technological attacks. It's also about protecting against social engineering attacks, too.

'Most people get malware because they intentionally install it,' he said. 'At an institution of thousands of employees, you have to assume that one of them going to get tricked.'

And, it isn't even so much a question of getting tricked. It's also a question of accidental installations, too.

Who hasn't been typing away when suddenly you get some popup message from your OS or your web browser as you're typing in something else and you accidentally hit [space] or [enter] to the popup message as you're going?

"Oh crap. Did I just hit [OK] to something? What was that message?"

It happens.

And this, regardless of threats from government- or crime syndicate-funded viruses and crackers, is why the Mac--just like its PC brethren--does need antivirus software.

The ITWorld piece goes on to say how the attacks are much more commonplace than you might think. And there's research to back this up.

McAfee released a report saying that it had uncovered evidence of a sophisticated hacking operation that had broken into systems at more than 70 companies over the past five years.

"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion," wrote Dmitri Alperovitch, McAfee's vice president of threat research in a blog post.

Here's the thing, too. A lot of these companies are very sophisticated companies. Just take Google for example.

Most anyone would be hard pressed to come up with a more technologically adept company. Yet, they got hit with an APT attack.

The point being, if a highly sophisticated company can get hit, doesn't it stand to reason that you can, too? Even if you do run OS X?

As the iSEC researchers said so well in their pdf,

Bottom Line: Run your Macs as little islands on a hostile network.

Huh. I think that's great advice for PC users, too.