We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
 
74,881 News Articles

The six biggest Mac security flaws

Why IT should be worried about Mac security

Generally Macs have been considered more secure than PCs using the Windows OS. However, it's not the case anymore. We've rounded up the six biggest security threats to Macs and looked at how they can be overcome

Security flaw No. 4: Naïve use of Back to My Mac

Mac OS X includes one special service that sounds alarming at first glance and can be a real security hole in unmanaged environments. Back to My Mac, a remote access system built into Mac OS X 10.5, requires both a MobileMe account (formerly .Mac) from Apple and administrator privileges. Back to My Mac operates like the GoToMyPC familiar to Windows administrators, although it's less insistent about working around intentional blockades.

While Apple uses IPv6 tunnels, IPsec encryption, and Kerberos tickets to secure connections, starting up such a connection from anywhere on the Internet requires just the password to someone's MobileMe account. With that password, all computers with Back to My Mac enabled can have their files examined or screens remotely controlled.

In a managed enterprise, security experts don't believe that Back to My Mac creates any real risk, despite its feature set. "No enterprise is going to allow something like Back to My Mac unless it's running through a VPN tunnel," Mogull says, at which point it would conform to the enterprise's policy. If users are running Back to My Mac on their own, "it would mean that [IT] royally screwed up" the firewall, he adds.

Matasano Chargen's Ptacek says that Back to My Mac will eventually fall under the category of services that businesses ban their employees from using in the office. "Enterprise users are not allowed to use Gmail or Yahoo mail," he notes, and Back to My Mac should be treated the same.

Solution

Confirm that Back to My Mac won't work in your environment. Establish a policy that bans its use.

Security flaw No. 5: Complacency over malware

The recent appearance of a kit that lets malicious parties install Trojan horses in legitimate software to, in turn, obtain root access to a Mac seems to run counter to the widely held view that Macs are immune from many of the exploits that once plagued Windows (and that Vista has ameliorated).

But that Trojan horse doesn't meet the smell test: Like a few other 'concept attacks', the exploit requires that someone download and install software, although no password is required for the malware to run. (The exploit relies on the escalated privileges available for the Apple Remote Desktop agent, or ARDAgent, even when it's turned off. An AppleScript command can be sent to the agent, which is handed off as a root-level shell command.) A survey of security experts and the buzz among the Mac enterprise management community shows that this threat is a nonstarter.

NEXT PAGE: The solution to complacency over malware

  1. Why IT should be worried about Mac security
  2. Serious third-party security flaws are slow to be fixed
  3. The solution to slow to be fixed third party security flaws
  4. Why naïve use of Back to My Mac is a problem
  5. The solution to complacency over malware
  6. Why naïve use of Back to My Mac is a problem


IDG UK Sites

LG G3 release date, price, specs and new features 2014

IDG UK Sites

iPhone 5s review: why the iPhone 5s is still the best phone you can buy in 2014

IDG UK Sites

PCs vs consoles: PCs still pwn when it comes to gaming (and everything else)

IDG UK Sites

NAB 2014: Affordable 4K cameras, boundary-pushing plug-ins & drone domination