As I have said in previous threads regarding Apple, I think the toughest challenge that Apple will face will be changing their culture from one that was all-controlling (in effect security through obscurity) to one that embraces openness... whether they can do it, time will tell.
Apple is sitting on top of the tech world. The company has set the standard for smartphones and tablets, tech’s biggest growth markets, and the company’s Mac sales in the U.S. are growing faster than the industry average. So what could derail the most valuable company in the world? Forget rivals like Microsoft and Google: Apple’s biggest threat may come from hackers.
By Antone Gonsalves, June 18, 2012 06:00 AM
These cyber-criminals are upending Apple’s carefully cultivated perception that the Mac is more secure than Windows PCs. Hackers smashed that notion in April when 650,000 Macs were infected by the Flashback Trojan.
Worse for Apple, the company itself took public blame for the largest Mac infection ever. Hackers penetrated the Mac’s defenses exploiting a flaw in Java that Oracle had patched six weeks before Apple released a fix for its customers. The delay gave the bad guys time to compromise hundreds of thousands of Macs.
What Apple Risks
If Apple continues to stumble on security, it risks losing a key pillar of its leadership in consumer technology. A string of major malware infections on the Mac would shake people’s perception of Apple security and foster suspicion about security vulnerabilities on the iPhone and iPad, which account for the largest portion of the company’s revenue. Customers might then start looking more closely at Microsoft and soon realize the truth – Windows is more secure than the Mac.
For years, Microsoft has worked closely with the security industry in bolstering the defenses in its operating system. Experts say the company is now the best in the industry at informing customers about vulnerabilities and patches for its products. Starting with the release of Windows 8, expected in the third quarter, Microsoft plans to include anti-virus software.
In comparison, a lack of attacks has allowed Apple to pretty much ignore security issues. Changes so far are rudimentary, such as patching Java in Mac OS X on the same day that Oracle, which owns the application platform, releases fixes. Apple did that for the first time this past week and hasn’t explained why it took so long to begin that practice.
Backpedaling in Marketing
Beyond tackling the obvious technical issues, Apple is also softening its marketing messages around security. Graham Cluley, senior technology consultant at Sophos, points out that the company recently tempered its security claims on the “Why you’ll love a Mac” Web page. Apple used to say the Mac “isn’t susceptible to the thousands of viruses plaguing Windows-based computers” and that the Mac would protect against malware “with virtually no effort” from users.
Apple no longer makes those claims. Instead, it highlights the Mac OS X’s “built-in defenses,” such as sandboxing. That technique, which has always been in the Mac, restricts the OS services an application can access. While sandboxing is helpful, it is a long way from being bulletproof.
Following Microsoft’s Lead
Despite the perceptions, Mac OS X was never more secure than Windows. Hackers ignored Apple’s OS because its market share was so small. Now that Apple has grabbed about 10% of the U.S. computer market, OS X is increasingly being targeted.
That means Apple now has no choice but to take a lesson from Microsoft and start working more closely with the security industry. The secretive approach Apple takes to product development won’t serve it well in securing the Mac, iPhone and iPad.
While Flashback should have been a wake-up call for Apple, “it seems like they might be leaning on the snooze button still when it comes to open disclosure or providing enough disclosure,” said Paul Henry, a security and forensic analyst from IT security firm Lumension.
An example? In releasing its Java patches this week, Apple fixed only 11 of the 14 vulnerabilities - with no explanation of why it skipped three.
Openness about its products is not in Apple’s DNA. The company’s tight-lipped stance has served it well over the years, of course, helping to build excitement among fans for new products. Secrecy about security, however, could have a very different result.
I have seen a few articles regarding new security issues at Apple recently, so that is a positive step. Here is an interesting one I read the other day...
4 Signs That Apple's Sharpening Its Security Game
Apple is quietly making some subtle, incremental security moves in the face of new threats to its products.
By Kelly Jackson Higgins, Dark Reading, Jun 28, 2012 07:19 PM
Subtle but significant signals over the past few months from Apple indicate that the company has been doubling down on its security efforts prior to and after the Flashback Trojan attack that infected hundreds of thousands of Macintosh machines worldwide.
Apple’s security efforts appear to uncharacteristically acknowledge that the Mac isn’t immune to today’s threats, such as giving Safari the ability to detect and disable outdated versions of the Adobe Flash plug-in, and changing its "Why you'll love a Mac" marketing material on the Mac website from “It doesn’t get viruses” to “It’s built to be safe.” Apple also reportedly plans to institute automatic updates to its upcoming OS X Mountain Lion operating system so that patching isn’t left up to users anymore.
Charlie Miller, a security researcher who has found several Apple vulnerabilities, says Apple's software is actually relatively secure; the company just doesn’t broadcast what it does security-wise. “I don’t believe they’ve found security religion, but at the same time, I think [Apple software] is pretty secure,” says Miller. “They march to a different drum: they secure stuff and don’t make a big deal out of it.”
Miller says Apple has been improving its security for some time now. “When they added ASLR [Address Space Layout Randomization] for iOS, they didn’t even tell anybody,” Miller says.
While Apple's shroud of secrecy in security and with the press -- Apple did not respond to media inquiries for this article -- isn't likely to change any time soon, recent events hint that it's shoring up its security in the face of new threats and even venturing out into the public eye. A member of Apple's security team is scheduled to give a briefing on iOS security next month at Black Hat USA in Las Vegas. Apple's manager of its platform security team Dallas De Atley's talk will be a first for Apple, which in 2008 at the eleventh hour canceled a session at Black Hat with three of its security engineers, called "Meet the Apple Security Experts."
Meanwhile, the Flashback Trojan is considered a wake-up call for Mac users' naive assumptions of immunity to malware. The botnet of some 600,000 Macs, most of which were in the U.S., sent a chill across the Mac community, and critics say it's time Apple stepped up and dispelled Mac user misconceptions about threats.
And here are four noteworthy security moves by Apple -- post-Flashback -- that appear to subtly do just that:
1. Safari browser now disables unpatched Adobe Flash plug-ins.
Adobe Flash Player is a popular attack vector, mainly because users don’t bother updating their plug-ins. Adobe, which offers automatic Flash updates now for Windows, is working on the same thing for Mac users.
Adobe’s Brad Arkin, senior director of security for products and services, early last month announced that Apple and Adobe had worked together to help prevent attacks against Flash Player with a new feature in Apple’s Safari 5.1.7 that disables older versions of Flash Player, and sends users to Adobe’s Flash Player Download page for an update.
The Mac version of Adobe’s Flash Player background updater is still in beta, so Arkin pointed to Apple’s move to help push users to update in the meantime. “Remember: The single most important thing we can do to protect ourselves from the bad guys is to stay up-to-date. A thank you to the security team at Apple for working with us to help protect our mutual customers!” Arkin said in a post about the vendors working together.
Rodrigo Branco, director of vulnerability and malware research at Qualys, says disabling Flash is definitely an option for Mac users now: “Flash by itself was always a problem ... now with updates for Safari, you can just disable Flash from the browser. You don’t need to patch it, you can disable it,” says Branco, who welcomed the new Safari feature.
The Flash feature comes on the heels of Apple halting Java plug-ins from automatically launching with Safari. Java, too, is a big fat target for attackers, and Apple’s adoption of these third-party, cross-platform apps has opened it up for vulnerabilities and, as with Flashback, attacks.
2. Macs “don’t get viruses” claim is no longer on the Mac website.
Sometime in June, Apple made some key edits to its “Why you’ll love a Mac” Web page.
Apple edited its original wording from “It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part” to a more tempered: “It’s built to be safe. Built-in defenses in OS X keep you safe from unknowingly downloading malicious software on your Mac” and “Safety. Built right in,” which describes how OS X’s sandboxing works.
Graham Cluley, senior technology consultant at Sophos, discovered the edits on the site a couple of weeks ago and says it shows that Apple is becoming “bolder” in acknowledging that Mac OS X malware is a reality. “Mac malware is a reality these days, with regular users finding their computers are becoming infected. The problem may not be as significant as Windows malware, but it exists,” Cluley said in his post. “And there's no longer an emphasis on Apple customers having to ‘do nothing’ to keep their Macs malware-free.”
But Apple still doesn’t recommend that Macs run antivirus software. Nor do some key security experts, for that matter. Miller says you should only get AV for Mac if you’re “totally paranoid.” He says it doesn’t add up: “AV costs money, user resources, and can cause problems. On the other hand, it can protect you. But right now, there’s not that much of a threat [out there] for OS X [besides Flashback] and some others,” he says.
“The equation lands on the side of ‘you don’t need it yet,’” he says.
3. Apple helped derail the Flashback botnet.
Apple was criticized for being part of the problem with Flashback after taking two months to fix the reported Java flaw that the attack ultimately exploited.
“That was one of those situations where companies make their own version of something and part of that planning has to be to have a response team that’s going to patch your version when vulns are found,” says Chris Wysopal, CTO at Veracode. “It took them eight weeks to release their fix to Java ... that shows security was not baked into the process.”
The patch for the flaw and the Flashback Removal Tool were released in May by Apple after Flashback, for OS X Lion and Mac OS X v10.6. Apple also issued an update for OS X Lion that killed Flashback in systems with no Java installed on them.
Apple joined the ranks of Microsoft by taking part in the takedown of the botnet, a tactic Microsoft has aggressively adopted over the past few years. Apple revealed that it was working with ISPs to dismantle Flashback’s command and control network: “In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network,” Apple said in its advisory.
4. OS X Mountain Lion to get automatic updates.
It’s the next logical step: Apple plans to provide automatic updates for OS X Mountain Lion, according to Mac developer forums and industry reports. Apple also has touched on the release of its Gatekeeper technology, which will let users opt to run on their machine only apps from the Mac App Store that were authorized by Apple.
Still, any new security Apple offers will be incremental and careful not to disrupt its famed end-user experience. “At the end of the day, Apple is known for its focus on the end-user experience, which dictates the approach they take to every aspect of development,” says Marcus Carey, security researcher at Rapid7. “People should not expect Apple products to be the most secure options available, because that’s not their goal. Apple doesn’t want to create insecure products for sure, but their focus is on making magical, shiny things that their consumer base loves.”
But that may not matter. “I believe that consumers and organizations don’t typically buy Apple products because they are secure anyway -- they buy them because they are cool,” Carey says.