[unisog] AV for MACS - Additional Info as requested
Jim.Dillon at cusys.edu
Mon Dec 6 19:55:13 GMT 2004
Seems there's interest in the details of the honeypot test I mentioned. I don't have study info, just a clip from a cohort, and I located the following news reference:
It appears to have been a Mitnick-managed test, set up particularly to test for automated hacks. I don't know what to make of that. Did they ignore manual attacks?
If anyone is willing to do the specific research, I'd be interested, but it isn't high on my priority list. In the meantime, just knowing that something/anything can be trying to break in that often is enough to support the theme of multilayered defense.
The most interesting thing to me is the difference between unpatched and upgraded/firewalled XP. There would seem to be a clear proclivity to attack that which was most likely to yield a good result - duh, we'd expect that, but this is the first time I've seen it asserted in data. I personally expected Macs to be way down the list, given simple volume/exposure stats, perhaps 20% or less. It was alarming to me to see so many Mac "attacks" referenced, as I know many around my institution are too comfortable that their Mac will protect them. I'm not an irrational Mac bigot (I used to be - back during the Amiga/Mac wars some technical eons ago; I still have that Amiga...), but I find it disturbing that anyone would take less care with one than they would with a PC. I have no reason to believe a Mac browser wouldn't be as susceptible to Internet weaknesses, or its email to email weaknesses, as any other modern OS, so it seems it should receive similar security/AV rigor.
From: Marty Hoag [mailto:marty.hoag at ndsu.nodak.edu]
Sent: Monday, December 06, 2004 11:00 AM
To: Jim Dillon
Subject: Re: [unisog] AV for MACS
I certainly agree that all systems need to be protected.
Were the OS X attacks "OS X specific"? In other words, someone might construe an attempt to open port 445 on a box as an "attack", but that may not really be a fruitful path for exploiting an OS X computer, so I was curious how they count attacks (it may just be my ignorance of the honeypot configs, etc.).
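As an added illustration of the counting question Marty raises (this is example code written for this page, not code from the thread, the honeypot study, or any unisog member), the script below separates raw connection attempts from probes that actually target a service the honeypot host exposes. Everything in it is constructed: the log lines, the host names, and the per-host port profiles are hypothetical, chosen only to show how a port-445 probe against a Mac gets counted as noise while the same probe against an unpatched XP box counts as relevant.

```python
import re
from collections import Counter

# Constructed honeypot connection log (not real data):
# "timestamp src_ip dst_host dst_port", one event per line.
SAMPLE_LOG = """\
2004-12-06T10:01:02Z 10.0.0.5 osx-honeypot 445
2004-12-06T10:01:03Z 10.0.0.5 xp-unpatched 445
2004-12-06T10:02:10Z 10.0.0.9 osx-honeypot 22
2004-12-06T10:02:11Z 10.0.0.9 osx-honeypot 135
2004-12-06T10:03:00Z 10.0.0.7 xp-firewalled 445
2004-12-06T10:04:30Z 10.0.0.7 osx-honeypot 548
2004-12-06T10:05:00Z 10.0.0.3 xp-unpatched 135
"""

# Hypothetical host profiles: the ports on which each honeypot host
# actually has a listener. A probe to any other port cannot reach a
# service on that host, so it is counted separately as "noise".
HOST_PROFILES = {
    "osx-honeypot": {22, 548, 631},        # ssh, AFP, IPP
    "xp-unpatched": {135, 139, 445},       # RPC, NetBIOS, SMB
    "xp-firewalled": set(),                # firewall drops everything
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Parse one constructed log line into a dict; raise on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    ts, src, host, port = m.groups()
    return {"ts": ts, "src": src, "host": host, "port": int(port)}


def classify(event, profiles):
    """'relevant' if the probed port has a listener on that host, else 'noise'."""
    if event["host"] not in profiles:
        return "unknown-host"
    return "relevant" if event["port"] in profiles[event["host"]] else "noise"


def count_attacks(log_text, profiles=HOST_PROFILES):
    """Return {host: {"raw": n, "relevant": n, "noise": n, ...}}.

    "raw" is what a naive honeypot report would call the attack count;
    "relevant" is the subset that could plausibly affect that host.
    """
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        c = counts.setdefault(ev["host"], Counter())
        c["raw"] += 1
        c[classify(ev, profiles)] += 1
    return {host: dict(c) for host, c in counts.items()}


if __name__ == "__main__":
    for host, c in sorted(count_attacks(SAMPLE_LOG).items()):
        print("%-14s raw=%d relevant=%d noise=%d"
              % (host, c["raw"], c.get("relevant", 0), c.get("noise", 0)))
```

On the constructed log, the Mac host shows four raw hits but only two that touch a service it runs; the firewalled XP host shows one raw hit and nothing relevant. Whether a real honeypot study counted "raw" or "relevant" is exactly the question the thread leaves open.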