Understanding the Threat

"Understanding the threat" is the subject of a large portion of the rest of this book ”understanding it, and understanding how you can mitigate or respond to it. We'll cover a large number of known threats, including both current ones (so that you can fix them right away), and threats of historical significance (so that you can better grasp where typical vulnerabilities lie). Understanding the threat, however, isn't simply understanding a particular problem that exists with a particular piece of software, or understanding a particular vulnerability in a subsystem of Mac OS X.

Understanding the threat involves realizing that it's not about specific problems and specific security holes; it's about the fact that you now live in a world where your computer isn't limited to just "doing what you tell it." Your Mac OS X computer is running dozens if not hundreds of programs simultaneously , from the moment it starts up until the moment it shuts down. A flaw in any one of those can allow someone else to start making it do what he tells it, as well as what it's apparently doing for you. Apple could fix every current threat discussed in this book, and the threat would remain because there are malicious people, who do malicious things. So long as you use a sophisticated system in which portions are capable of acting without your permission, there will be assorted security vulnerabilities that you will need to address, and responsibility that you will need to assume. In a sense, yes, this means that you and your choices are a part of the threat that must be understood . This is true in more ways than one. We, as users, are often our own worst enemies when it comes to security: Our desire for more features and more conveniences from our software and computers is often in direct opposition to what will keep our computers secure. Unless we're willing to live with an entirely Spartan and uninteresting computing environment (and even this would never completely solve the problem), the best we can do is understand where we introduce weaknesses by the systems and features we choose, and how we can responsibly minimize the threats we introduce.

Briefly, threats to the ongoing usefulness of your system and software can be broken down into a few major classifications, each of which provides a number of different avenues for malicious intent. These classifications are discussed in a number of contexts and in considerably greater detail in the remainder of this book.

• Theft of your data . Malicious network encroachments, poorly designed software, poorly conceived algorithms, simple program bugs , or the actual physical theft of hardware from your system, as well as a number of other avenues of attack, can all allow unintended access to your information. Theft of data is one of the attacks that's most discussed, and possibly most feared and/or romanticized, but it actually accounts for only a small percentage of security breaches. It's definitely the most damaging , whether it involves corporate espionage or the theft of your credit card number, and putting the pieces back together after you've had your patent stolen or your credit destroyed is not going to be fun.

• Theft of your resources . It's quite simple for an unauthorized individual to slip one more process onto a multitasking machine in such a way that the additional load is never noticed. This type of attack is often accompanied by theft of data. The recent Nimda and Sircam network viruses that have caused uncounted millions of dollars of damage have been resource thieves , designed with the clever feature that they're never written to disk on the compromised machine ”they invade the computer's memory and begin running, and leave no physical trace of their presence, and the load they place on the machine is insignificant as well. These viruses have the goal of stealing the resources of your machine and using them to attack other remote machines ”a pattern that is typical in theft-of-resource attacks. Although the loss in terms of actual resources on your system might be minimal, if someone's used your machine to attack someone else, and it's tracked back to you, you can bet that you will be spending a considerable time with some law-enforcement officers trying to explain and prove your lack of involvement. If the offense is serious enough ”say someone's used your system to send threatening email ”you'll find that the men with nice suits and dark glasses were not issued senses of humor.

• Denial of access to machine resources . Lacking any way to do anything more interesting, many cracker-wannabees engage in the cracking equivalent of smashing your mailbox ”repeatedly. Because of the inherently networked and collaborative nature of Unix, it's almost impossible to completely defend against denial-of-service attacks. They can be effected simply by repeated connections to open services, and if you want remote access to those services, there's no way for your machine to authenticate valid users without accepting all connections, and then disconnecting the invalid ones. Occasionally a denial-of-service attack can lead to something more serious than the consumption of resources, but usually the danger is largely a significant inconvenience rather than an avenue to allow theft-of-resource or theft-of-data attacks. Still, consumption of resources can be bad enough, if it's targeted at the right (wrong) places: The mid-2002 attacks on the root name servers that nearly crippled the entire Internet were denial-of-service attacks, just directed at a very important service.

Because of the enormous complexity of modern operating systems such as OS X, the problems that enable each of these types of attacks upon your system's security interact with each other and compound in an unpleasant fashion that is often difficult to predict except in hindsight. For example, there are instances where two aspects of the operating system use the network to communicate with each other. A denial-of-service attack on one of them might tie it up to such an extent that an intruder could masquerade as that service and speak to the other, claiming to be a part of your OS, and thereby acquiring sufficient data or access from the second service to be able to hijack your system to attack some third party. Because of these types of interactions, it's insufficient to consider only one aspect of your system's security. The vast majority of malicious individuals who will try to compromise your system are not particularly bright; they're just amazingly numerous . There are, however, some quite smart minds out there with too much time on their hands, and nothing more exciting to do than to exercise their creativity trying to find the errors in your operating system, your software, and what you've done to protect it.

In many senses, computer security is a frame of mind ”one that takes a conscious effort to attain and maintain. It involves deciding to do the right thing, regardless of whether it's the most convenient thing. If you want to go about it professionally, it often means looking for the worst possible combination of circumstances, and planning for the worst possible outcomes . This often results in security professionals being thought of as wildly pessimistic and sometimes draconian in their outlook, but you can be certain that if you can think of something that can be done to damage your system, someone else can think of it as well. The worst thing that can possibly happen probably won't happen every day, but not planning for it is a sure way to not be prepared for it if it does.