|
|
http://www.forbes.com/home/technology/2007/12/20/apple-army-hackers-tech-security-cx_ag_1221army.html
By Andy Greenberg
Forbes.com
12.21.07
Given Apple's marketing toward the young and the trendy, you wouldn't
expect the U.S. Army to be much of a customer. Lieutenant Colonel C.J.
Wallington is hoping hackers won't expect it either.
Wallington, a division chief in the Army's office of enterprise
information systems, says the military is quietly working to integrate
Macintosh computers into its systems to make them harder to hack. That's
because fewer attacks have been designed to infiltrate Mac computers,
and adding more Macs to the military's computer mix makes it tougher to
destabilize a group of military computers with a single attack,
Wallington says.
This past year was a particularly tough one for military cybersecurity.
Cyberspies infiltrated a Pentagon computer system in June and stole
unknown quantities of e-mail data, according to a September report by
the Financial Times. Later in September, industry sources told
Forbes.com that major military contractors, including Boeing, Lockheed
Martin, Northrop Grumman and Raytheon had also been hacked.
The Army's push to use Macs to help protect its computing corps got its
start in August 2005, when General Steve Boutelle, the Army's chief
information officer, gave a speech calling for more diversity in the
Army's computer vendors. He argued the approach would both increase
competition among military contractors and strengthen its IT defenses.
Apple computers still satisfy only a tiny portion of the military's
voracious demand for computers. By Wallington's estimate, around 20,000
of the Army's 700,000 or so desktops and servers are Apple-made. He
estimates that about a thousand Macs enter the Army's ranks during each
of its bi-annual hardware buying periods.
Military procurement has long been driven by cost and availability of
additional software--two measures where Macintosh computers have
typically come up short against Windows-based PCs. Then there have been
subtle but important barriers: For instance, Macintosh computers have
long been incompatible with a security keycard-reading system known as
Common Access Cards system, or CAC, which is heavily used by the
military.
The Army's Apple program, created after Boutelle's 2005 address, is
working to change that. As early as February 2008, the Army is planning
to introduce software, developed by Arlington, Texas-based Thursby
Software, that will also enable Mac desktops and laptops to use CAC
systems--a change that should make it easier to get Macs into the
service.
Though Apple machines are still pricier than their Windows counterparts,
the added security they offer might be worth the cost, says Wallington.
He points out that Apple's X Serve servers, which are gradually becoming
more commonplace in Army data centers, are proving their mettle. "Those
are some of the most attacked computers there are. But the attacks used
against them are designed for Windows-based machines, so they shrug them
off," he says.
Apple, which declined to comment, has long argued its hardware is less
hackable than comparable PCs. Jonathan Broskey, a former Apple employee
who now heads the Army's Apple program, argues that the Unix core at the
center of the Mac OS operating system makes it easier to lock down a Mac
than a Windows platform.
And Apple's smaller market share has long meant that it didn't attract
cybercriminals hoping to wreck the most havoc possible. "If you look at
the numbers, you see that malicious software for Macs is very limited,"
he says. "We used to sell Apples by saying they don't get viruses."
Of course, cyberspooks may be honing their Mac-attacking skills, too. An
end-of-year report by Finnish software security company F-Secure
highlights the growing number of hackers targeting Apple systems with
malicious software, some of which could allow cybercriminals to steal
security passwords. In the past two years, until this October, F-Secure
found only a small handful of malicious programs targeting Macs. In the
past two months, the company has found more than a hundred specimens of
Mac-targeted malicious code.
Charlie Miller, a software researcher with Independent Security
Evaluators, worries that the Army's diversification plan isn't enough to
thwart the bad guys. He sees a two-platform system as a "weakest link"
scenario, in which a determined cyber-intruder will seek out the more
vulnerable of the two targets. "In the story of the three little pigs,
did diversifying their defenses help? Not for the pig in the straw
house," he says.
The marketing pitch that Apples are inherently more secure than PCs is
also largely a myth, contends Miller, who gained notoriety for remotely
hacking the iPhone last August. He points to data gathered by software
security firm Secunia, which showed that Apple had to patch nearly five
times as many security flaws in its software over the past year as
Microsoft had to patch in Windows. Apple's Quicktime player alone, he
says, was patched 34 times. "I love my Macs, but in terms of security,
they're behind the curve, compared to Windows," Miller warns.
But the Army's Jonathan Broskey stands by his claims of Apple's
security: He says the high number of patches to Apple software is a good
sign--evidence of the large community of developers actively working to
tighten Unix programs and eliminate bugs. Nonetheless, like any
responsible IT department, he says the Army's Apple program will closely
monitor security updates to Mac-specific programs. "The Army's no
different from any corporation," he says.
Still, relative to corporate cybersecurity, Lieutenant Colonel
Wallington points out, the stakes are much higher. A leaked deployment
order, for instance, might reveal the path of a supply truck and the
points where it could be sabotaged, he says.
"This is information that affects the lives of soldiers and the
civilians we're trying protect," Broskey adds. "It has to be
safeguarded."
__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/