The idea that Macs, or any other computer, are immune to viruses, malware or other forms of malicious code is interesting but completely wrong. There is no such thing as a secure computer that talks to the internet, exchanges data with a device or is operated by a human being.

In reading an article in the Houston Chronicle recently, I felt I needed to again address some of the misconceptions the author and some of the readers like to make, misconceptions that I have heard over and over again from many sources. (See bottom of page.)

One reader stated, “Security means you minimize the amount of code the ‘other’ people can cause to execute.” Not true. This is not security; this is an exploit vector. The only way to ensure that only valid code will ever run on a computer is to turn it off or to use something called Application White-Listing.

Simply put, security means protecting assets from risks. IT security means protecting employees’ private data, company assets (intellectual property) and customer data from losses, whether accidental or malicious, based on risks.

The same reader stated, “When a virus comes into your computer it has the same permissions to run code as you do.” Partially true: some viruses do this, but many others do not. Instead, the malware will execute code that takes advantage of bugs in code (a buffer overflow, for example) or design flaws that allow the attacker to elevate privileges and run their attack as “admin”, or to execute at the System or root level of the operating system; in other words, full control.

What the majority of people fail to understand is that a large and growing share of attacks are all about bypassing security and elevating privileges in order to execute malicious code and take control of the asset. You do not need administrator-level rights to get hacked. The attacker will use exploits that allow them to infiltrate the system and execute their code as admin. All you need do is open a web page or a malicious e-mail and the attacker will take care of the rest.

The only way a computer can be mostly immune to Malware is if that system is hardened by a combination of System Hardening policies, Patching Cycles, Anti-Virus, Firewalls and Application White-Listing. What you may or may not notice is that here I just described a layered defensive posture or Defense in Depth.

Full disk encryption would also be an effective layer of defense against data loss, but it is not relevant to preventing malware and is also not relevant to the issues addressed in the article.

A system operating as I just described has many hurdles in place that have to be broken or bypassed in order to successfully exploit that system.

System Hardening Policies are a combination of company policies and standards, or best practices for the individual, that reduce system vulnerabilities by configuring, disabling and tuning specific services as needed and disabling the unused or irrelevant services. A service that is disabled cannot be exploited. This tactic, while good, is not enough.

Patching Cycles are also important. Most people and vendors tend to focus only on patching the operating system. This is OK, but the majority of active exploits today take advantage of vulnerabilities in applications like web browsers, Adobe products and thousands of other applications. There are free personal-use services like Secunia that will tell you about the patch status of all your applications and your operating system. Secunia is one of the most trusted names in IT Security and they have free products for the individual. While patching is important and it will close many holes, patching alone is still not good enough by itself.

(Link at end of document)
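The check that a patch-status tool performs is simple to state: compare what is installed against the version in which each vendor fixed a flaw. The following is an added example, not code from the article or from Secunia; the inventory and the advisory feed are constructed, and a real tool would pull both from the operating system and from vendor advisories. It also shows the classic mistake of comparing version strings as text.

```python
# Constructed inventory of installed applications (name -> version). Not real products.
INSTALLED = {
    "WebBrowser":  "24.0.1",
    "PdfReader":   "10.1.3",
    "MediaPlayer": "11.5",
    "Archiver":    "5.20",
}

# Constructed advisory feed: the first version that contains the fix for each flaw.
ADVISORIES = [
    {"product": "PdfReader",   "fixed_in": "10.1.4", "severity": "critical"},
    {"product": "WebBrowser",  "fixed_in": "24.0.0", "severity": "high"},
    {"product": "MediaPlayer", "fixed_in": "11.10",  "severity": "medium"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """'11.10' -> (11, 10). Compare numerically: as text, '11.10' sorts BEFORE '11.5',
    which would wrongly report an up-to-date install as vulnerable (or vice versa)."""
    return tuple(int(part) for part in version.split("."))


def unpatched(installed=INSTALLED, advisories=ADVISORIES) -> list:
    """Installed applications older than the version that fixed a known flaw,
    most severe first."""
    findings = []
    for advisory in advisories:
        current = installed.get(advisory["product"])
        if current is None:
            continue  # not installed: nothing to patch
        if parse_version(current) < parse_version(advisory["fixed_in"]):
            findings.append({
                "product": advisory["product"],
                "installed": current,
                "fixed_in": advisory["fixed_in"],
                "severity": advisory["severity"],
            })
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def uncovered(installed=INSTALLED, advisories=ADVISORIES) -> list:
    """Installed software with no advisory data at all. That is an unknown,
    not a clean bill of health, and should be listed rather than ignored."""
    covered = {a["product"] for a in advisories}
    return sorted(name for name in installed if name not in covered)


if __name__ == "__main__":
    for f in unpatched():
        print(f"{f['severity']:8} {f['product']}: {f['installed']} -> patch to {f['fixed_in']}")
    print("no advisory data:", ", ".join(uncovered()))
```

Run as a script it lists PdfReader and MediaPlayer as needing patches (WebBrowser is already past its fix version) and flags Archiver as having no data, which is the state most application patching tools leave you in for software they do not track.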

Anti-Virus protection is, in my opinion, becoming antiquated and obsolete, and is no longer adequate as the only line of defense. The reason it is becoming outdated is the basis of the technology itself: it is a signature-based protection scheme and can only protect your computer against the things that are already known. With about 50,000 new pieces of malware being created every day, fighting only the knowns is a strategy doomed to fail. No matter what vendor or product you choose, there is not one single product out there that will detect more than 60% of the current malware. Many of the products have additional zero-day protection features, and those add value, but they are still largely ineffective against a lot of attacks these days. However, the knowns are still bad and annoying, so protecting against those still has value for now.

Firewalls are another important step in protecting against an attack. One of the key elements of an attack is the ability to communicate with a target system. With a firewall, an attacker cannot see nor communicate with a system that is behind it. That is, of course, unless that system has already been compromised and can initiate an outgoing connection inviting the attacker in through the firewall. Firewalls render the systems behind them invisible to the rest of the world. Add this to your strategy and you have another effective layer of defense.
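Both halves of that paragraph, the hiding and the exception, come down to connection tracking. The toy packet filter below is an added example (not from the article, and not how any real firewall product is written) that models a default-deny NAT firewall: unsolicited inbound packets are dropped, replies to flows the inside host opened are allowed, and a compromised host that opens a connection outward therefore lets the attacker's traffic back in as "replies". An optional egress port list, my addition, shows what restricting outbound connections buys you. All addresses and packets are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = arrives from the internet, "out" = sent by the inside host


class StatefulFirewall:
    """Default-deny inbound, allow outbound, allow inbound replies to flows the
    inside host opened (connection tracking, as a NAT router does).
    egress_ports, when given, restricts which destination ports the inside
    host may open at all."""

    def __init__(self, egress_ports=None):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)
        self.egress_ports = egress_ports
        self.log = []

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if self.egress_ports is not None and pkt.dport not in self.egress_ports:
                return self._verdict(pkt, "DROP", "egress port not permitted")
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return self._verdict(pkt, "ALLOW", "outbound, flow recorded")
        # Inbound: only allowed if it is the reverse of a flow we have seen leave.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return self._verdict(pkt, "ALLOW", "reply to established flow")
        return self._verdict(pkt, "DROP", "unsolicited inbound")

    def _verdict(self, pkt, verdict, reason):
        self.log.append((verdict, reason, pkt))
        return verdict


# Constructed addresses (documentation ranges), not real hosts.
INSIDE, WEBSITE, ATTACKER = "192.168.1.10", "198.51.100.7", "203.0.113.5"


def scenario(egress_ports=None) -> dict:
    """Four situations from the text, returning the firewall's verdict for each."""
    fw = StatefulFirewall(egress_ports)
    r = {}
    # 1. Attacker probes the inside host directly: no state exists, so it is dropped.
    r["probe"] = fw.filter(Packet(ATTACKER, 40000, INSIDE, 22, "in"))
    # 2. Inside host browses a website: outbound allowed, and the reply is let back in.
    fw.filter(Packet(INSIDE, 50001, WEBSITE, 443, "out"))
    r["web_reply"] = fw.filter(Packet(WEBSITE, 443, INSIDE, 50001, "in"))
    # 3. Attacker tries to piggy-back on that flow from a different address: dropped.
    r["spoofed_reply"] = fw.filter(Packet(ATTACKER, 443, INSIDE, 50001, "in"))
    # 4. Host is already compromised and beacons outward: the firewall records the
    #    flow, so whatever the attacker sends back now arrives as an allowed reply.
    fw.filter(Packet(INSIDE, 50002, ATTACKER, 4444, "out"))
    r["beacon_reply"] = fw.filter(Packet(ATTACKER, 4444, INSIDE, 50002, "in"))
    return r


if __name__ == "__main__":
    print("permissive egress:", scenario())
    print("egress limited to 80/443:", scenario(egress_ports={80, 443}))
```

With permissive egress, case 4 is allowed, which is exactly the exception in the text. Limiting egress ports blocks that particular beacon, but a compromised host can just as easily call out on 443, so egress restrictions raise the bar rather than remove it; logging and reviewing outbound connections is what actually reveals the compromised host.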

With Application White-Listing, no unauthorized programs or files can be executed, regardless of the user’s admin level. Essentially, no files can be modified by any process that is not approved by an administrator after a proper change control process. The only files that can be modified are user data files in defined locations, and the user has no rights to alter the protective function afforded by Application White-Listing.
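The difference between the anti-virus layer and the whitelisting layer is the default: a signature scanner blocks what it recognizes and runs everything else, a whitelist runs what an administrator approved and blocks everything else. The following added example (mine, not the article's, and not any vendor's product) puts the two side by side on the same set of constructed "executables", and also shows why the checklist later in the article insists on wiping the machine before installing whitelisting: a baseline taken from a machine that is already infected approves the malware along with everything else.

```python
import hashlib

# Constructed stand-ins for executables on disk: labels only, not real binaries.
PROGRAMS = {
    "editor.exe":     b"MZ legit text editor build 1.0",
    "browser.exe":    b"MZ legit web browser build 24.0",
    "dropper_v1.exe": b"MZ malicious dropper, variant 1",
    "dropper_v2.exe": b"MZ malicious dropper, variant 2 (repacked, so a new hash)",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SignatureScanner:
    """Deny-list control: blocks only what it already has a signature for.
    Real products also use heuristics; this models the signature core only."""

    def __init__(self, known_bad_hashes):
        self.known_bad = set(known_bad_hashes)

    def allows(self, data: bytes) -> bool:
        return sha256(data) not in self.known_bad


class ApplicationWhitelist:
    """Allow-list control: runs only what an administrator approved."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)

    def allows(self, data: bytes) -> bool:
        return sha256(data) in self.approved


def verdicts(control, programs: dict) -> dict:
    return {name: ("RUN" if control.allows(data) else "BLOCK")
            for name, data in programs.items()}


def compare_controls() -> dict:
    # The vendor has a signature for variant 1 only; variant 2 is one of the
    # day's new unknowns.
    av = SignatureScanner([sha256(PROGRAMS["dropper_v1.exe"])])

    # Whitelist baselined on a freshly installed system: only the legitimate
    # programs were present when the administrator approved the image.
    clean_image = {n: d for n, d in PROGRAMS.items() if not n.startswith("dropper")}
    wl_clean = ApplicationWhitelist(sha256(d) for d in clean_image.values())

    # Whitelist baselined on a machine that had already been used (and infected):
    # the administrator approved whatever was on disk, malware included.
    wl_dirty = ApplicationWhitelist(sha256(d) for d in PROGRAMS.values())

    return {
        "signature_av":                 verdicts(av, PROGRAMS),
        "whitelist_from_clean_install": verdicts(wl_clean, PROGRAMS),
        "whitelist_from_used_machine":  verdicts(wl_dirty, PROGRAMS),
    }


if __name__ == "__main__":
    for control, result in compare_controls().items():
        print(control)
        for name, verdict in result.items():
            print(f"  {verdict:5} {name}")
```

The scanner stops variant 1 and waves variant 2 through; the clean-baseline whitelist stops both without ever having heard of them; the dirty-baseline whitelist runs variant 2 forever, because trusting it once made it part of the approved set.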

The problem is not the operating system, it is the user. Computer users do not understand security. Computer users do not understand malware, rootkits or drive-by downloads. Security is a complicated, dynamic and rapidly evolving beast. The user community doesn’t have the desire or the time to learn what I know.

Computer users simply want to do what they want and they want it to work, the end.

There is no such thing as a secure web browser. As long as humans use browsers, they are vulnerable.

The biggest risk right now, today, is something called drive-by downloads. Take the web page in my example from The
The typical person will think they are looking at one web page.


On the web page hosting the Chronicle article, viewers are actually looking at content generated by or linked to 14 different websites. Of those sites, they appear to have content control of only one.

The web page has content from Google, Google Analytics, Twitter, Rubicon Project, Technorati, biographers, FeedBurner, Yield Manager, Yahoo, Overture, areola, taco de & If any one of these sites was compromised, then the reader was very likely being hacked and would never know it.
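You can count those third parties yourself for any page by looking at where its scripts, frames, images and stylesheets are loaded from; every host on the list is inside the page's trust boundary. The following is an added example, not the author's tooling and not a real page: it parses a constructed HTML document with Python's standard library and reports the third-party sites it pulls content from. The "registrable site" helper is a deliberate simplification (last two labels of the host name); a production audit would use the public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that causes the browser to fetch (and sometimes execute) content.
LOADING_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "embed": "src",
    "source": "src", "object": "data", "link": "href",
}


class ContentOriginCollector(HTMLParser):
    """Collects every URL the page instructs the browser to load."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        d = dict(attrs)
        # Only <link rel="stylesheet"> loads content; canonical/alternate links do not.
        if tag == "link" and "stylesheet" not in (d.get("rel") or "").lower():
            return
        if d.get(attr):
            self.urls.append(d[attr])


def registrable_site(host: str) -> str:
    """Simplification: last two labels ('cdn.news-site.example' -> 'news-site.example')."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_sites(html: str, page_url: str) -> list:
    """Sorted list of sites, other than the page's own, whose content the page loads."""
    first_party = registrable_site(urlparse(page_url).netloc)
    collector = ContentOriginCollector()
    collector.feed(html)
    sites = set()
    for url in collector.urls:
        host = urlparse(url).netloc
        if not host:
            continue  # relative URL: served by the page's own site
        site = registrable_site(host)
        if site != first_party:
            sites.add(site)
    return sorted(sites)


# Constructed page. Every hostname here is invented for the example.
SAMPLE_PAGE_URL = "https://www.news-site.example/story/123"
SAMPLE_PAGE = """
<html><head>
  <link rel="stylesheet" href="https://fonts.webfonts.example/serif.css">
  <link rel="canonical" href="https://www.news-site.example/story/123">
  <script src="/js/app.js"></script>
  <script src="https://www.google-analytics.example/analytics.js"></script>
</head><body>
  <img src="https://cdn.news-site.example/photo.jpg">
  <iframe src="https://ads.adnetwork.example/slot?id=7"></iframe>
  <script src="https://platform.social.example/widgets.js"></script>
  <img src="//pixel.tracker.example/p.gif" width="1" height="1">
</body></html>
"""


def audit_sample() -> list:
    return third_party_sites(SAMPLE_PAGE, SAMPLE_PAGE_URL)


if __name__ == "__main__":
    sites = audit_sample()
    print(f"{len(sites)} third-party sites can put content on this page:")
    for s in sites:
        print("  ", s)
```

On the constructed page the first-party CDN and the relative script are correctly ignored, and five outside sites remain. The analytics script and the social widget are the ones to worry about most: a script tag runs with the full privileges of the page, so a compromise of either of those sites is a compromise of every reader.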

Any one of these websites is constantly under attack through known vulnerabilities. For example, our company sees about 300 million attempts per day against our web-facing domain. We spend a lot of money, time and effort with a wide variety of tools and service providers to prevent, detect and eradicate these attacks. So do a lot of other companies out there. But it is expensive, labor intensive and requires well-trained professionals to maintain.

There are a huge number of companies out there that don’t have the resources, don’t care or are even complicit with the bad actors out there, and they number in the millions.

The attackers are using the same enterprise-class security tools I mentioned earlier, the ones we use, to test their malware and validate that it is not detected. The malware is able to defeat and disable most security products, escalate privileges on a system and be completely invisible to an experienced computer operator or IT support staff.

To catch today’s threats takes a suite of tools, years of hands-on experience and continuous learning just to tread water.

Today’s attackers do not want to be detected or noticed. The attackers are no longer the pimply teenager looking to impress some girl.

Today’s attackers are highly educated, well trained and financially motivated. These attackers are operating in what we term an Advanced Persistent Threat. The attackers want access to your computers, your data, and your company. They want to sell what they find and they want the access to never stop. Many of these attackers are criminals, some are organized crime, and many are either agents of foreign governments or sell what they find to criminal organizations or foreign governments. These people are now part of one of the most profitable criminal enterprises on earth. For the last four years, they have been making more money than the illegal drug trade.

Part of my job is to find the new, unknown malware and attacks that are not being detected. I see this stuff every single day, I live it, I breathe it and, well you get the picture.

Any individual that is saying that the Mac OS or any operating system is invulnerable or malware proof is irresponsible, misleading and a flat out lie. Anyone who tells you this is an idiot and has no business telling anyone what to buy or what to do with a computer.

You may think that to call these people idiots is harsh; I completely disagree. This is my business and how I pay my bills. I am an expert and I know for a fact that the Mac OS is even more vulnerable than the Windows platforms, the exact opposite of what they have stated in their commercials on TV. Someone at the FCC should jump all over Apple for that lie to consumers. I also believe they bear some liability there because they are selling systems with a lie. But that is a totally different article.

The simple fact is that all computers that are used by human beings are at risk. The good news is that there are steps you can take. You don’t have to spend half a lifetime learning IT Technology like I have either.

Here are some things you can do to minimize your exposure and risk.

Use complex passwords, preferably passphrases that are 16 or more characters long and contain special characters mixed with numbers. Most passwords can be broken in a matter of minutes with readily available tools, for FREE. An example of a complex password would be:
%!# 1 L0v3 [email protected]
Always run a current anti-virus product. That will protect you from the known.
Always use a physical firewall with Network Address Translation (NAT); that will hide your system from the internet.
Use a more secure browser like Firefox or PaleMoon with the NoScript plugin.
Use a web validation tool like Web of Trust (WoT) or McAfee’s Site Advisor to filter out malicious web search results. There is a SiteAdvisor version that is free. Save yourself the trouble of clicking on what are known bad links.
Always patch everything. OS bugs are nowhere near the top now; applications like every browser, Adobe products, etc. are being exploited far more than operating systems. But once the attackers get a valid exploit to work, they are in, and then they attack in force with a whole suite of attacks; it is all automated and it is lightning fast.
Try the Secunia tool to check your system for vulnerabilities. Patch at least monthly; weekly would be ideal.
Also, use an application firewall for your systems that will prevent unauthorized modification to your computer. This will not stop malware from getting onto your system, but it will stop it from modifying the files on your system. Broken malware is ineffective malware.
Then, if you are savvy enough, look at getting an Application White-Listing tool for your computer. Wipe your system completely and make the whitelisting application the first thing you install after the operating system. Never install Application White-Listing on a system that has been used to browse the internet even once. If you end up trusting a piece of malware, then you are owned.
The best defense is defense in depth. An attacker can breach one or two defenses but will have a very tough time penetrating 5 or more layers.
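The password advice in the checklist (16 or more characters, numbers and special characters mixed in) can be put into numbers. The following is an added example, not the author's, that estimates the search space an attacker faces from a password's length and the character classes it uses, checks a candidate against the article's rule, and converts the search space into an expected brute-force time at an assumed guessing rate. The sample passwords are constructed for the example. The model is a brute-force bound: a passphrase built from common dictionary words is weaker than this estimate, because attackers guess words, not characters, so length and unpredictability both matter.

```python
import math
import string

CHARACTER_CLASSES = {
    "lower":  string.ascii_lowercase,    # 26
    "upper":  string.ascii_uppercase,    # 26
    "digit":  string.digits,             # 10
    "symbol": string.punctuation + " ",  # 33 (space counts as a special character)
}


def classes_used(pw: str) -> set:
    return {name for name, chars in CHARACTER_CLASSES.items() if any(c in chars for c in pw)}


def alphabet_size(pw: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes present."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(pw))


def keyspace_bits(pw: str) -> float:
    """log2 of the number of candidates of this length over this alphabet."""
    return len(pw) * math.log2(alphabet_size(pw))


def meets_article_policy(pw: str) -> bool:
    """The checklist's rule: 16+ characters with numbers and special characters."""
    used = classes_used(pw)
    return len(pw) >= 16 and "digit" in used and "symbol" in used


def brute_force_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password by exhausting half the keyspace.
    The rate is an ASSUMPTION (an offline attack against a fast, unsalted hash);
    a slow, salted password hash on the server side lowers it by orders of magnitude."""
    expected_guesses = 2 ** keyspace_bits(pw) / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


# Constructed samples: a dictionary word, a "complex" short password, and a
# 17-character phrase that satisfies the article's rule.
SAMPLES = ["password", "P@ssw0rd", "1 L0v3 my 2 c@ts!"]


def report(samples=SAMPLES) -> dict:
    return {
        pw: {
            "length": len(pw),
            "alphabet": alphabet_size(pw),
            "bits": round(keyspace_bits(pw), 1),
            "policy_ok": meets_article_policy(pw),
            "years_to_crack": brute_force_years(pw),
        }
        for pw in samples
    }


if __name__ == "__main__":
    for pw, r in report().items():
        print(f"{pw!r:22} len={r['length']:2} alphabet={r['alphabet']:2} "
              f"bits={r['bits']:6} policy_ok={r['policy_ok']!s:5} "
              f"years={r['years_to_crack']:.3g}")
```

Adding symbols to an 8-character password raises it from about 38 to about 53 bits, which at the assumed rate is still seconds of work; the 17-character phrase is over 110 bits, which is why the checklist leads with length rather than with symbols.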

My goal here is not to slam the Apple OS but rather the misinformation that is so prevalent about the OS. What we all have to remember is that the internet is really a 60’s-era technology that was never designed with security in mind. Security for the internet is an afterthought, many decades late.