ars aranea. the web, the way we make it.
Social engineering comes to the Mac
Posted: Feb 17, 2006, under Security. Updated: Aug 18, 2006.

So apparently there’s been some ruckus these days regarding what has been dubbed «the first trojan for Mac OS X». It’s called Leap-A, it spreads over iChat (a popular instant messenger for the Mac) and the antivirus companies have already compiled info sheets for it.

Update Feb 20: See also OSX/Inqtana.A, which spreads over Bluetooth and requires a system without the latest security updates and a user who accepts the transfer prompt.

I fully expect that by now there are at least some articles and a few thousand comments all over the Web saying: “See? It wasn’t so secure after all!” There are going to be heated debates and perhaps a small wave of FUD spreading around for a while. BSD systems and, of course, Linux will also come up.

The general message will probably be one that has been circulated for quite some time now, although only as speculation thus far: that once the operating systems praised as secure, such as Linux and the Mac, start becoming popular, their security will also decrease. In other words, their perceived security is only a side effect of not being popular enough to deserve the attention of the bad guys. There’s some truth to that, as with any good piece of FUD, except there are also examples that prove it wrong. Take Apache (the world leader among Web servers) vs. IIS (not the world leader). The security status of these two products is quite the inverse of their popularity.

So what’s with this trojan? Simple: it’s good old social engineering, which is used as the main drive for the trojan’s propagation. Yes, once the trojan program executes on the victim’s machine it will take steps to ensure its own wellbeing, as well as send itself to all the victim’s contacts. But how it gets executed in the first place is not due to a security flaw in iChat or Mac OS X. It doesn’t execute automatically as soon as the user receives it. It needs to trick the user into running it themselves. Anybody or anything that can do that can do anything, no matter how secure the target machine itself is. And there isn’t going to be any shortage of methods to exploit the users’ lack of expertise in the computer world any time soon.

On a decently secure desktop OS, one thing left for the bad guys to try is social engineering. If Windows usage ever goes down (or Windows becomes secure — it might happen!), the next targets (Mac, Linux) will experience a lot of social engineering attacks. So far that hasn’t worked because the Linux user pool, for example, used to be quite a bit more computer savvy than the average bear. This had to do with the large amount of effort and perseverance required of anybody who wanted to use Linux. Any Linux user was automatically above average in terms of computer knowledge. So give a Linux user a script over email and ask him to run it and he’d laugh in your face. I’m afraid that’s not true for the Mac. But it doesn’t matter much, since it will definitely stop being universally true for Linux too, as more “ordinary” people start using it. It’s just a matter of time.

Social engineering will never go away. As long as people have to use complex systems that they can’t possibly understand completely, someone will be able to exploit their greed, or lust, or stupidity, or momentary lapse of attention, or whatever, to make them do something wrong, and exploit that however they see fit. This happens more and more with the increasing role of technology in our lives. Most people want to be trusting of the others around them, and they love hearing and spreading rumors. If they hear something juicy which they can’t verify readily, they’ll take the “try first, think later” approach. Think of all the silly tricks people have tried with their cars for “radar protection”. People who hang CDs from their rear view mirror will readily run a Bash script received over email, as long as they think they’ll get to see Jun Natsukawa naked. They may be quite knowledgeable or smart people in general or in their own domains of expertise, but they’re going to lower their guard sometime. We can’t be paranoid all the time. And the beauty of it is that you don’t even have to be a total amateur to get bitten in the fanny. Experts can quite easily pork it too. Don’t shake your heads. If you’re a Linux user, would you think twice about double-clicking on a file called

Steps can be taken to tighten security even for such cases. In particular, any application used for human-to-human communication should never be allowed to create local files that can be mistaken for executable files, neither by the user nor by the machine. But it’s just one possible social engineering scenario. Human imagination is endless and quite perverse. Social engineering will never go away. Like a chain, security is only as strong as its weakest link, and I’m afraid that the weakest link will always be the users.
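One way a messaging client could apply the recommendation above when it saves a received file, as an added example that is not part of the original post: clear every execute bit on the saved file and flag content that is really a script or a Mach-O binary but carries a document-style name. The sample files are constructed in a temporary directory, and the magic-number list is an assumption, illustrative rather than exhaustive.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mach-O magic numbers (32/64-bit, both byte orders). Assumption: this list is
# illustrative; a real client would use a fuller content-type check.
MACHO_MAGIC = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
}
# Extensions a user reads as "just a document" and would double-click.
DOCUMENT_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}


def looks_executable(head: bytes) -> bool:
    """True if the first bytes mark a script (shebang) or a Mach-O binary."""
    return head.startswith(b"#!") or head[:4] in MACHO_MAGIC


def quarantine_received_file(path: Path) -> dict:
    """Make a file saved from a chat session unmistakable for an executable:
    drop all execute bits and report a name/content mismatch."""
    with open(path, "rb") as f:
        head = f.read(4)
    mode = os.stat(path).st_mode
    had_exec = bool(mode & 0o111)
    # Clear user/group/other execute bits regardless of what arrived.
    os.chmod(path, mode & ~(stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    disguised = path.suffix.lower() in DOCUMENT_SUFFIXES and looks_executable(head)
    return {
        "exec_bits_cleared": had_exec,
        "now_executable": bool(os.stat(path).st_mode & 0o111),
        "disguised_executable": disguised,
    }


def demo() -> dict:
    """Constructed sample: a shell script delivered as 'holiday.jpg' with the
    execute bit set, next to a file that really starts like a JPEG."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        disguised = Path(tmp) / "holiday.jpg"
        disguised.write_bytes(b"#!/bin/sh\necho hello\n")
        disguised.chmod(0o755)
        genuine = Path(tmp) / "cat.jpg"
        genuine.write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        for p in (disguised, genuine):
            results[p.name] = quarantine_received_file(p)
    return results
```

Flagging the mismatch lets the client warn the user or refuse to open the file with a handler other than the one its extension implies.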
Copyright ©2005–2008 Zuavra