It’s long been legend that Macs are harder to hack than other computers. Not only are they said to be more secure, but fewer people use them, so hackers have less incentive to break in.
Cybersecurity company Crowdstrike is happy to bust that myth. At the RSA Conference on Thursday, CEO George Kurtz and CTO Dmitri Alperovitch detailed hacking techniques they’ve seen used to do a host of bad things on Apple-built computers.
Attackers can trick Mac users into downloading malicious software and then get deep access into the computer, the Crowdstrike executives said. They also have tools to loot the system’s keychain for more passwords and build backdoors into the machines, allowing hackers to have repeated access.
“They have interesting tradecraft on Macs,” Alperovitch said of the hackers.
The Crowdstrike presentation comes in the wake of a flaw that could have let hackers listen in on unwitting iPhone users, as well as a flaw in the keychain, which stores the passwords of apps connected to a Mac. Taken together, these flaws mean Mac users should take steps to keep their computers secure instead of relying on Apple’s reputation for security to keep them safe.
Apple didn’t immediately respond to a request for comment.
Kurtz and Alperovitch recommended keeping Apple’s Gatekeeper feature enabled, to help make sure software comes from a valid source. They also suggested disabling macros, a feature in some Microsoft products, if you’re using them on your Mac. What’s more, the pair recommended users disable a feature in Apple’s Safari web browser that automatically opens some files, which might end up being malware.
The pair also said they had found a vulnerability in macOS that they had reported to Apple. Alperovitch said that Apple is building a patch for the flaw right now and that it would likely be included in an upcoming macOS software update.
Attackers also rely on baiting users into clicking on malicious links and following prompts that eventually lead to malware. That, of course, isn’t a Mac-specific issue. Crowdstrike found malicious software that required users to click through two prompts to give permission. They did.
“Users click on just about anything,” Alperovitch said.