Macs have generally been considered more secure than PCs running the Windows OS. However, that's no longer the case. We've rounded up the six biggest security threats to Macs and looked at how they can be overcome.
Security flaw No. 4: Naïve use of Back to My Mac
Mac OS X includes one special service that sounds alarming at first glance and can be a real security hole in unmanaged environments. Back to My Mac, a remote access system built into Mac OS X 10.5, requires both a MobileMe account (formerly .Mac) from Apple and administrator privileges. Back to My Mac operates like GoToMyPC, which is familiar to Windows administrators, although it's less insistent about working around intentional blockades.
While Apple uses IPv6 tunnels, IPsec encryption, and Kerberos tickets to secure connections, starting up such a connection from anywhere on the Internet requires just the password to someone's MobileMe account. With that password, all computers with Back to My Mac enabled can have their files examined or screens remotely controlled.
In a managed enterprise, security experts don't believe that Back to My Mac creates any real risk, despite its feature set. "No enterprise is going to allow something like Back to My Mac unless it's running through a VPN tunnel," Mogull says, at which point it would conform to the enterprise's policy. If users are running Back to My Mac on their own, "it would mean that [IT] royally screwed up" the firewall, he adds.
Matasano Chargen's Ptacek says that Back to My Mac will eventually fall under the category of services that businesses ban their employees from using in the office. "Enterprise users are not allowed to use Gmail or Yahoo mail," he notes, and Back to My Mac should be treated the same.
Confirm that Back to My Mac won't work in your environment. Establish a policy that bans its use.
Security flaw No. 5: Complacency over malware
The recent appearance of a kit that lets malicious parties install Trojan horses in legitimate software to, in turn, obtain root access to a Mac seems to run counter to the widely held view that Macs are immune from many of the exploits that once plagued Windows (and that Vista has ameliorated).
But that Trojan horse doesn't pass the smell test: Like a few other 'concept attacks', the exploit requires that someone download and install software, although no password is required for the malware to run. (The exploit relies on the escalated privileges available for the Apple Remote Desktop agent, or ARDAgent, even when it's turned off. An AppleScript command sent to the agent is handed off as a root-level shell command.) A survey of security experts and the buzz among the Mac enterprise management community show that this threat is a nonstarter.