Network Computingwww.networkcomputing.com

Inside OS X Security

Posted by John C. Welch
June 09, 2007

Tags: John C. Welch, OS X, OS X Server, QuickTime Java hole, malware, phishing, security, social engineering, Access Control, Access and Physical Security, Administration, Advanced IP Services, Anti-spam, Antivirus, Asset Management, Authentication, Backup & Recovery, Backup and Redundant Systems, Business News, Business and Finance, Client/Server Protection, Computers, Corporate Data Security, Corporate Training, Data Center Access, Data Encryption Software, Data Networking & Management, Data Protection, Data Security, Desktop PCs, Disaster Recovery Planning, E-discovery, Emerging Security Specifications, Firewalls, Green Computing, Hardware and Infrastructure, IT Trends and Practices, Infrastructure, Internet Security Software, Intrusion Detection and Prevention, LAN Access, Mac, Management Strategy, Network Security, Operating System Security, Other, Physical Security, Power Backup and Conditioning, Regulatory and Legal, Remote Management, Restricted Web Sites, Secure Remote Access, Security Collaboration, Security Policies and Management, Security and Privacy, Servers, Servers & Storage, Software, Software Security Patching, Software and Hardware Vulnerabilities, Software and Web Development, Systems Management and Monitoring, Threats and Attacks, Trojan Protection, VPN Servers, VPN Client Software and Hardware

Channel: Other, Networking & Mgmt, Servers & Storage, Data Protection, Green Computing, E-discovery

Security and Mac OS X is never an easy topic to write about. There's so much emotion, advocacy, and arguing going on that getting to the heart of the matter can sometimes seem impossible. However, once you sort past those issues, the state of security on Mac OS X isn't terribly complicated, nor bad at all. It's not perfect, but it's not the final world in Quake, with pitfalls and monsters behind every corner.

Even with the recent QuickTime Java vulnerability discovered by Dino Dai Zovi at the CanSecWest contest, the Mac isn't suddenly a kitten in a shark tank, waiting to be devoured. There always have been, and always shall be, vulnerabilities in this, or any other operating system and platform. It's a fact of life, and one that Mac users in particular, should approach with more of a sense of equanimity and awareness.

When we're talking about the state of security on Mac OS X, it's useful to use the kinds of threats we hear about or have heard about in the past as a guide to help us focus our discussion. I'll do the same here, moving from the more "human-based" issues to the more "human-excluded" issues. I'm also going to, in the interests of clarity and space, stay out of larger security issues like firewalls, NAC, etc. This article is focusing on Mac OS X and the Mac user as much as possible.

Mac users are exactly as vulnerable to phishing and social engineering attacks as any other platform. If you voluntarily give out personal data, passwords, user ids, etc., there's nothing an operating system can do to protect you from the results of those actions. Browsers and e-mail clients are starting to try to incorporate various antiphishing measures, but at the end of the day, this isn't something that can be solved via a purely technical solution. If you give out the keys to the kingdom, as it were, you will have some rather severe barbarian problems.

Related Reading

More data-protection Insights