Dirty Mac Brigade

I woke up this morning to discover my Twitter box was filled with identical messages, all touting the same software package. Someone had worked out how to spam Twitter in a very effective way: through social engineering. Instead of hacking the system or the API, the company behind the spam had offered people a substantial discount on its software if they cut-and-pasted a message about it into their feed.

My hat is off to MacHeist for its ingenuity, but I won’t be buying its products, ever. There are two reasons for that: firstly I do not buy anything from spammers, ever, and I encourage you to follow me in this; and secondly because MacHeist only sells Mac software.

If you’re a PC user like me, you will be sick of Mac-owners telling you that their computers are safe from viruses and trojans, and yours aren’t. That may or may not be true—recent evidence suggests the latter—but what this Twitter exploit proves is that while OS X may be secure, Mac users aren’t. All it took was a modest bribe and they were happy to compromise their online identity and turn themselves into spam-vectors.

I’ve just unfollowed 5% of my Twitter list. Given that most estimates put Macintosh/OSX at just 10% of the total computer base, that means that in a 12-hour period 50% of the Mac users in my immediate circle were happy to take a bribe to tarnish their online reputation. And MacHeist didn’t pay them, it just gave them a discount on a product. Ultimately, they paid MacHeist to let them spam for it.

In other words the majority of Mac users, smug behind the perceived impermeability of their shiny machines, are clueless about internet security and best practice. In hacking, social engineering has always been the best way to break into a machine. The weakest point in most computers’ security is the user. If your computer is secure, all that means is that the chances of you becoming the target for scammers and opportunists are much higher. But if you believe your set-up is safe, that lowers your defences and increases your chances of getting pwned. You, not your machine.

Be alert. There’s a war on, and the battlefield is your silicon.

Sometimes a little known vulnerability can be a valuable thing.

11 Thoughts.

  1. I saw a few of them and didn’t really notice that much, mainly because I skim most of my Twitter posts and partly because I’m not even running Windows, let alone using a Mac. Anything to do with software tends to go right past me.

    Being a smug Linux weenie I tend to find both Mac and Windows fans confusing. I don’t understand why people want to use computers that don’t cause physical pain once in a while. Generally when you’re not expecting it.

    Anyway back to the coding, and trying to write… again with the pain.

  2. Dear Mr Wallis,

    The vulnerability used by Charlie Miller, the winner of the CanSecWest Pwn2Own competition to which you link, did not infect a mac with a virus. Currently there are no mac viruses. The exploit in question requires the active participation on the end user’s part in order to work.

    Of course, I am telling you this just because I am a smug asshole, right? To hell with facts?

    • You’re right, there are no Mac viruses if you take the strict definition of ‘virus’. There are, however, quite a lot of Mac Trojans, malware, spyware, keyloggers, &c &c. To say “There are no Mac viruses” and make it sound as if that means Mac-users don’t need to think about computer security is to bury your head in the sand and encourage others to do the same.

      Yes, Charlie Miller’s exploit “requires the active participation on the end user’s part”. How long did it take him to get that end-user’s participation, during a computer-security contest? Two minutes.

      Two. Minutes.

      Macs may be secure. Mac users clearly aren’t. Which is the point I was making.

  3. - A year ago is not quite “recent”. I believe that exploit was patched soon after.

    - *No* user is safe, regardless of OS. Even us Mac users (well, those of us with half a brain) know this.

    - MacHeist is not a developer, and does not have their own products. It is, essentially, a promotional portal for other developers’ apps.

    - I don’t really see how pasting a PR message *into one’s own Twitter feed* is analogous to giving up a password or compromising one’s security. (I do agree that it tarnishes the users’ rep, but were any of them anything other than normal punters to start with?)

    Surprised to see such vitriol from you, Mr Wallis.

    • You’re right, a year ago is a long time in computer security. In fact I linked to the wrong story: I meant to link to this one, about Charlie Miller pwning a fully-patched copy of Leopard on a Macbook Air at this year’s Pwn2Own. Same guy, same OS, different exploit, a year later. You can understand my mistake.

      At no point did I claim MacHeist was a developer.

      If you are willing to become a spam vector, you either don’t understand computer security or you do understand it but don’t care. Either way, you are part of the problem. 50% of the Mac users in my sphere of ambient intimacy just showed me that they lacked clue, including people whose job involves advising others on good blogging practice.

      And you’re “surprised to see such vitriol from me”? You don’t know the first thing about me, do you? I’m the guy whose last company motto, printed on our letterheads and business cards, was “Life is too short to do business with fuckwits”.

  4. Perhaps I should have said “such a lack of even-handedness” ;)

    You didn’t claim MH was a developer, but you did say you “wouldn’t buy its products”. I was unsure if you realised they were only a middleman. Knowing how they work, I doubt the individual app devs had any say in the Twitter promotion. (Though also knowing how MH works, they probably shouldn’t have been surprised.)

    Good blogging practice, lacking a clue and, yes, fuckwittery are all certainly concerns. But I still don’t really see how it equates to bad security — it’s not like these people were somehow fooled into the retweet (I suppose you could argue that’s worse, but it still doesn’t mean they’d give up their passwords). *I* wouldn’t do it, but that’s more to do with my own principles than an awareness of social engineering.

    (And just in case you’re wondering, as your last para made me think — this isn’t a case of “the Macheads invading”, by the way. I’ve been a regular reader for some time.)

  5. I only noticed two MacHeist Twitters among my list. Either you have a greater number of Mac users on yours or those on mine are more discerning. :)

    I’ve never taken up any of the MacHeist offers because it seemed that the deep discounts still didn’t make most of the software useful to me and if I went directly to the developer of the one or two programs I might actually want and use, I’d pay about the same.

    When I saw your tweet regarding this I thought that, perhaps, the MacHeist people had made use of the Twitter vulnerability that allows any random web page to post to your Twitter account if you have logged into the Twitter web page and not logged out. It seems this is not the case, but is another avenue of Twitter spam that users of the service should be aware of. See http://bit.ly/lvjPx.

  6. including people whose job involves advising others on good blogging practice.

    Of course, if you hadn’t leapt on the “unfollow and rant” button, you might have learnt a little more about the situation.

    But clearly some years of pre-existing relationship aren’t enough to give people even a moment’s benefit of the doubt.

    Heigh-ho.

  7. I am a member of the Mac Cult, but my fellow cultists annoy the crap out of me. The MacHeist is even more annoying. For me, I use what I like, and feel life is too short to tell others what they should use.

  8. James,

    Hummmm…

    There are some who succumbed that I simply refuse to believe you de-Twitted (or whatever the kids are calling it these days…)

    :-)

  9. My apologies for selling out a few moments of your attention for free extra software for me, James. I’ve purchased from MacHeist before, and I generally believe they give good value for money. I don’t have a problem sharing that with the many Mac users I know. A few even thanked me for pointing them toward the sale. Unfortunately, you’re correct that a tweet is a blunt instrument for accomplishing that.

    I don’t have Twitter set to tell me who stops following me, as I don’t much care. Still, I’m sure you’ll understand that I never meant to offend.
