Thursday, December 17, 2009

Unencrypted Drone Data: More Fun With The NSA

Dateline 2009-12-17.


How did it get there? No US military computer hacking evident!

REVELATION: Data stream was captured out of the air by the Iraqi insurgents!

PROBLEM: Data streaming to and from US military drones is UNENCRYPTED!

Massive DUH Factor!

Video data only? What if the control code for US drones is now in the hands of insurgents, if not the Taliban and Al Qaeda? IOW what if they can not only watch exactly what any US drone is seeing anywhere in Iraq, Afghanistan or Pakistan, but they also know exactly how to control the drones. Fun for them. Big black eye for the USA, specifically the NSA, the so-called National "Security" Agency.

Hey NSA! Just give away my country! Go on. Hand it over! Who needs Benedict Arnold when the US federal government is being run by a bunch of BLITHERING IDIOTS.

Odd how a security novice like me knows better than to allow unencrypted military data. The mind boggles. Seriously. Could we do worse?

Great to have you protecting our home NSA. Such a good NSA. Sit NSA! Sit! Roll over. Play dead. Cute little NSA! You get a treat. I have a great big bone for you.

For more NSA FAILS, enjoy articles published here: FAIL and FAIL and FAIL and FAIL and FAIL again.

And I thought the Bush League Era was over. Tsk tsk on me.



We're living in the Realm of the Surreal.
Our Mission
The NSA/CSS core missions are to protect U.S. national security systems and to produce foreign signals intelligence information.

Saturday, November 21, 2009

The SANS Institute sez: NSA Helping to Harden Operating Systems

I'm kind of surprised to read this blurb from the latest edition of the SANS NewsBites newsletter (Vol. 11 Num 92):
--NSA Helping to Harden Operating Systems

(November 7, 18 & 19, 2009)

In testimony before the Senate Subcommittee on Terrorism and Homeland Security, National Security Agency (NSA) information assurance director Richard Schaeffer said that his agency helped Microsoft harden Windows 7 and that it is also helping Apple, Sun Microsystems, and Red Hat with similar endeavors. The NSA's involvement in the development process has led to speculation that backdoors will be built into the software to allow communications monitoring and interception. The NSA refutes those claims and says it is helping develop security guidelines and checklists. Schaeffer also said that agencies can protect their systems against 80 percent of known cyber attacks by following three steps: implementing best security practices, configuring networks properly, and monitoring networks effectively.

[Editor's Note (Pescatore): Ah, conspiracy theories. NSA and other government agencies have been involved in developing "gold" configuration definitions for standard software and network hardware products for a long time, along with the IT industry. Hardening in this case means better configuration and minimization of unneeded services.]

You can subscribe to the SANS newsletters HERE.

My concern about this news:

If the NSA is so good at hardening operating system security, and good at protecting their systems from 80% of known cyber attacks, how come the US federal government computer system has been PWNed by China and other countries every year since 1998, including 2009?

Read THIS list from the Center for Strategic & International Studies and have a heart attack. Included on the list are:

February 2009 - US Federal Aviation Administration hacked.

March 2009 - US federal computer containing plans for the new presidential helicopter hacked.

April 2009 - The revelation that the US power grid had been hacked.

May 2009 - US Homeland Security Information Network hacked.

So where was the NSA during all this? And the NSA has what skills to offer Microsoft, Apple, Sun and Red Hat? Just asking.

More likely the NSA is supplying their experiences in security FAILure, such as sharing what hacking methods were successful against federal computers during their watch. Just saying.

You know I'm itching to point out that switching to a proven secure operating system is always helpful. For example, why are the feds still using Windows?! It boggles my mind. Windows is dead last on the list of secure operating systems. The top 3 are still:

- OpenBSD
- FreeBSD
- Mac OS X (which incorporates BSD Unix)

But I'm just some layman guy with a few science degrees and some decades of computer experience who rants about the ridiculous state of computer security in my country.


Monday, September 21, 2009

Security Concerns After Installing Snow Leopard

We all hopefully know that, at this time, Mac OS X is the safest commercial GUI OS on the planet. But in the spirit of perfection, here are some problems I found with the default installation of Snow Leopard. Some of them are very bad. Some are merely worrisome.

1) The firewall is OFF. So TURN IT ON!!! You can do this in the Security preferences.
--> I'm very annoyed with Apple on this blunder. Firewall protection is fundamental these days. A good scolding is in order. I have no doubt the professional security experts will do the job for me.

2) Automatic login is ON. So TURN IT OFF!!! You can do this in the Accounts preferences.
--> Again, Me = very annoyed. Again this is fundamental. Scold scold scold. You'd think no one at Apple had ever studied the security hell known as Windows. Both firewall protection and login protection were lacking in Windows for years, leading to major hacking and cracking.

3) In Accounts preferences, under the 'Guest Account', the checkbox "Allow guests to connect to shared folder" is ON. If you have no interest in guests doing anything on your Mac, turn this off.
--> If you are on a LAN with other people and want to allow sharing, leaving this on is important. But if you are on your own at home, it's safer IMHO to just leave this off until such time as you want to use it. Mobile laptop users most likely want this off by default until such time as they return to their LAN. I would have much preferred Apple left this off by default after installation.

4) In the Accounts preferences, Login Options, "Display login window as:" is set to "List of Users". I suggest you change this to "Name and Password".
--> Family computer users should ignore me on this one. At home, who cares. But if your computer is going out into the wild, I like the added security of forcing any would-be hackers to have to guess at BOTH your username AND password. Why give them a break and give away usernames?

5) In the Security preferences, General tab, "Require a password to unlock each System Preferences Pane" is turned OFF. I like this checked ON.
--> This is one of those fiddly things that maximize security but can also be annoying. Turning it on means that no rogue software running on your Mac can play around with your system preferences. As soon as it did you'd see boxes popping up requesting your administrator password. Theoretically this could happen with one of the current Trojan horses for Mac OS X. So to play it safe, check it on. But it's not a major deal. On the other hand, it's not exactly paranoia either.

6) This one is for MacBooks and iMacs only: In the Security preferences, General tab, at the bottom of the window are the setup switches for your infrared remote. The remote can be used to access Front Row, among other things. After installation it is important that you 'Pair' your specific remote with your Mac. Otherwise, as it says in settings, "This computer will work with any available remote." That's BAD. Therefore, hit the "Pair" button and go through the process.
--> This is a very good chore to follow immediately after your Snow Leopard installation. If you are extra paranoid about having a remote, or you lost your remote, you can always check ON "Disable remote control infrared receiver."

7) Software Update preferences are set to "Download updates automatically". Please turn this OFF.
--> Allowing your computer to automatically download anything is BAD. It has already been proven that it is possible to hijack a server address, have it fake being an update server, then have it spew at you malware downloads. No, it has never happened to Macs. But it can. Therefore, only YOU should approve ANYTHING that is downloaded. No auto-downloads EVER. OK?

8) Safari preferences, in the General tab, "Open 'safe' files after download" is checked ON. Please turn this OFF and leave it off forever.
--> Much as it is nice to have .zip and .dmg files open up for us immediately after they download, get out of the habit. This is another really BAD IDEA in all cases. It is as bad as auto-downloads. Instead, you personally want to open anything you have downloaded.

Imagine this: Some malware was somehow downloaded to your computer, via Safari, and automatically opens up its downloaded file. There it is in front of you in a window and you think everything is OK and run the application that was inside. You may have just infected yourself with the malware. Therefore, making sure that only you open anything you personally download is important as part of a deliberate process of verifying that you are not installing a Trojan or other malware. And remember to always verify a file or application is 100% legitimate before you download it or open it.

Once we get into the habit of clickity-click on every little thing, we can get ourselves into trouble. Some people say that going through all these extra steps of caring about exactly what you are doing can become drudgery and you end up doing clickity-click anyway. Nope! That never happens with me. Instead what I found is that I got into the habit of being careful. That is the entire point, and making that point a habit is very good for all of us.

There is some other minor stuff of concern in Snow Leopard, but I need a break. You can breathe now and/or break into joyful LaUGhTeR at all these extraneous security precautionary maniaism stuff things. It's OK. I'll just go cry quietly into my hanky. I can take it. (;_;)

Windows users have to be incredibly meticulous about all this security rigmarole. Every little nook and cranny of Windows can be a security hole. We Mac OS X users get to relax, mostly, about security regimens. At the moment, the worst we can do is download and install a Trojan and get our Mac zombied. That's all! ;-) If we think about being careful, no Trojans can get us.

Nonetheless, I'm attempting to show other Mac users how to be as safe as possible. Therefore, all of the above list applies if you are security conscious. I use myself as a guinea pig to see what it takes to be stealthed and defended to the MAX, and to see if I can stand it. The answer is yes, I can stand it. But I wouldn't wish it on my granny!

Check this out: I have Little Snitch popping up asking if this app can go do that on the Internet. I have the mess known as 'JavaScript' turned OFF by default in my web browser. I only turn it on for trusted websites. My browser is set to never accept cookies from third party sites. That stops Tracker Cookies. I read up on the latest security problems and updates via Apple, Intego, Secunia and SANS, among others. That means I've always got the latest versions of Flash, Shockwave, AIR and Adobe Reader installed in order to avoid Adobe security vulnerabilities. The same goes for Firefox, QuickTime, iTunes, etc. I have Intego VirusBarrier installed, kept up-to-date with malware signatures and always running. I also have both ClamXav and iAntiVirus freeware installed (mostly for testing). And there's more! (0_0)

That's just me playing with Mac security for my interest and yours. You could ignore all this stuff, except the advice about Trojan horses!!!, and be happy as can be. You've got a Mac.

But there are ways to be SAFER. That's why I write this blog. Put it to use as you will. Hopefully you won't actually need any of this stuff. But maybe you will...

Share and Enjoy!
Glad to be of service!
Nothing ever goes wrong at
Cirus Cybernetics Corpororpororpor*@%


Saturday, August 29, 2009

The Anti-Mac Security FUD-Fest Is Fun For All! Rah! Rah! Rah!

Man, I am getting a lot of traction out of that moronic article at CNET, not worth reading HERE. For me, it really is fascinating to sit down and contemplate what is actually going on in computer security right now. Here are some of the elements:

I) 7ista, aka Vista Service Pack 7, is now inciting cacophonous riots of anger because its security is still terrible. A net acquaintance posted these URLs over at MacDailyNews:

Cybercrime Rises and Vista 7 is Already Open to Hijackers

Vista 7: Broken Apart Before Arrival

Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again

Researchers show how to take control of Windows 7

That last article is about how to 'PWN' 7ista. Not good. Google provides a few hundred thousand similar complaints.

II) Meanwhile, the Anti-Mac Security FUD-Fest continues apace, thanks to our usual line-up of hacker pals. Mac OS X is already the best GUI OS for computer security, in part thanks to integrating the two best CLI OSes, OpenBSD and FreeBSD. The result: Mac OS X progresses forward to become BETTER than the BEST! That's good. Thank you Dr. Charlie Miller and friends.

III) So of course we get dumbass articles about how nasty bad and laughable Mac OS X security is, right? (o_0)

It's a strategy with many purposes, perpetrated by many sources. Figuring out the motivations behind the deceit is quite intriguing. Laughing at it all is fun! It lowers your blood pressure. Live longer and laugh at the clowns.

Here is yet-another post I made, this time at, regarding the FUD-Fest and Microsoft. It sort of encapsulates it all:
Microsoft have put in place some modern methods of deterring hackers and crackers. They had to. They had the motivation. Their operating system is a bloated catastrophe of spaghetti code that is well beyond their comprehension. They can't fix it. They've made many attempts over the last 15 years and consistently failed. They gave up. Vista is the proof. 7ista is icing on the proof.

Should Apple add in these modern security measures? Damned right!

But is it a BFD? Will Mac OS X roll over and DIE? Will THE BIG ONE virus hit Mac OS X and make us all go running home sobbing to mummy? Of course not!

Apple's attention to security has been increasing exponentially over the last two years. This month's security updates were the most in Apple's history. But as is typical with humans, the house has to be on fire before you pour water on it and fix the cause. Mac OS X does not have a faulty electrical system that will burn the house down. Apple know that. We know that. So what's the motivation? Planning ahead takes extra prodding. Prod Apple and they respond eventually.

This is one reason I actually praise the Anti-Mac FUD-fest we've enjoyed since Symantec incited it exactly four years ago. It has hurt no one. It has inspired Apple. We benefitted.

We the customers know we already had an incredibly secure operating system. It's based on the two most secure operating systems in existence bar none: OpenBSD and FreeBSD. So why not make it EVEN BETTER?!

Let's go MaNIaCaL!
Go Apple Go!
Add steel bar reinforcement to the castle walls!
Add boiling oil cauldrons!
Put alligators in the moat!
Install the rotating knives!
Hire some Cenobites!

Conclusion: We win any which way you look at it. If users of the less secure operating systems can't deal with it, oh so sad for them.

As long as we keep our eye on the ball, which is keeping our computers as safe as possible, our progress toward better than best will continue. :-)
Rah! Rah! Rah!
Go! Apple! Go!
Yayyyyyyy APPLE!

Amusing, eh? Behind all the 'FEEL BAD DAMMIT!' garbage is not just a silver lining. The clouds are bogus, a theatre prop. Knock them over and there is the golden sun shining on all us Mac users.

OK, sober up! Enough euphoria! We have 21 Trojans to avoid. There continue to be security flaws in Apple stuff that deserve our attention. ClamAV still needs to further catch up with Mac malware. Mac OS X is not perfect, never will be. Be attentive.

For my next article I intend (for whatever that's worth) to provide another monthly summary of Mac OS X security patches. Bring your caffeine.



If you haven't read the news, check this out:

Snow Leopard has built-in Trojan horse MALWARE DETECTION! Its database is auto-updating! Right now it only has two Trojan signatures, yawn. But expect improvement. And no, Apple didn't stick in someone else's anti-malware engine, least of all Symantec's (gag! gag! puke!! puke!!).

Snow Leopard installs just fine over TIGER! I thought this had to be bogus, but I've read it from several sources now and they weren't just quoting each other. It's a fact that even Apple verified. So if you don't have Leopard already, get the $29 (or $24 at some stores!) Snow Leopard disk and go to it! Well, when you're ready. There are some application incompatibilities.

Snow Leopard is FAST! That's faster than Leopard! Bless you Apple.

Snow Leopard is SMALLER! Saving at least 5 Gigabytes of space on your Mac appears to be normal. Ever heard of that? Try that move Microsoft.

-> But of course note that Snow Leopard is for INTEL MACS ONLY.

More on Snow Leopard in a couple weeks once I've ripped it apart, with my CLAWS.

Thursday, August 27, 2009

A Primer on Trojan Horses and Their Aliases

There actually is a standard naming system for malware. But very few anti-malware developers care. Therefore, we end up with a bunch of names for exactly the same malware. The CNET POS article mentioned previously, not worth reading HERE, demonstrates the problem. Here are some translations. I list the standard name first, then the extraneous names after:

The Trojan.OSX.RSPlug series is aka "DNSChanger" and "Jahlav" and "Puter".

Trojan.OSX.Lamzev is aka "Malez"

Trojan.OSX.PokerStealer is aka "Corpref"

The Trojan.OSX.iServices series is the fourth current Trojan type for Mac OS X. I'm unaware of any aliases so far.

Scan backward through my previous posts for coverage on each of these Trojans.

Count with me!

As of today:
  • The RSPlug series has variants A through P. That equals 16 variants. (When I checked last week there were 13 variants, so some mean old crackers have been very busy).
  • The Lamzev Trojan has no variants. Add 1.
  • The iServices series has variants A through C. That equals 3 variants. (The C variant is recent).
  • The PokerStealer Trojan has no variants. Add 1.

Count them all together and what do we got?

The number 21!
That's 21 Trojans!


I am using the iAntiVirus Threat Database maintained by PC Tools as my source. Their list of Mac malware has flaws, but at least they have one. Who else bothers? Certainly not Intego! (Ahem! hint! hint!)

Just for comparison: I was hanging out at the ClamXav forum yesterday and someone pointed out that as of June there were 574,043 malware signatures in ClamAV. Let's see... take away 21... that's somewhere around 574,022 Windows malware in the wild. A little more math and that comes to 1 Mac OS X malware for every 27,334 Windows malware. Wait! Wait! What was that?!

1 : 27,334!

So who was the dope who thought up that 'security by obscurity' myth?
I don't think so.

Quickie: My POV on the "invulnerability" lie

The POS CNET article I noted in my previous post, not worth reading HERE, perpetrated the two most popular Anti-Mac Security FUD lies. Of course the author perpetrated the usual 'security by obscurity' lie that was proven ridiculous years ago. Go backward in my posts for my QED proof. Then there's the other one, upon which I commented:
My favorite LIE in the article:

"Most Mac users seem to take pride in their supposed invulnerability...."

Never have I ever heard or read any Mac user ever say that Mac OS X was 'invulnerable'. This is pure invention. The motivation behind inventing this lie is up to you to interpret. But I should add that it is a very popular lie.
Just laugh.

CNET hits an all time low: Anti-Mac Security FUD

I just read:

Snow Leopard could level security playing field

My response was:
This is the most shameful article I've ever read at CNET. I've been studying and writing about Mac security since 2005. All I can say is:

Elinor: YOU'RE FIRED ! ! !

For those interested in reality:

The anti-Mac security FUD-fest was started in August 2005 by Symantec. They were attempting to sell their worst-in-class anti-malware program Norton Anti-virus to Mac users who were smart enough not to buy it. MacAfee then joined in the FUD, but reversed course when their CEO pronounced that the best way to secure your computer was to Get A Mac.

After that point most FUD has come from hackers who have done their best to whip up a frenzy surrounding flaws they found in Mac related software, such as QuickTime, WebKit and Safari. But it is fair to say that they helped track down and patch several flaws in Mac OS X as well.

Meanwhile, the only malware that has shown up for Mac are Trojan horses, currently 4 types of 17 varieties. Trojans require user failure, not computer failure, in order to be installed and do damage.

In spite of the FUD-fest, the hype-mongers have been effective in forcing Apple to get serious about security, which previously they were not. So folks like myself actually thank Dr. Charlie Miller and friends for their help making Mac OS X even more secure than it already was. I have Charlie's book and I look forward to his continued useful work, and even his FUD foisting.

It's worth noting that only highly ignorant people still tell the tale known as 'security by obscurity'. It is easily disproven by anyone who can perform math, i.e. any 4th grader.

If you'd like to read Mac security facts and suitably laugh at the FUD, you might find my personal commentary and coverage of interest:

:-Derek Currie

Thursday, August 6, 2009

Security Update 2009-003 & Mac OS X 10.5.8 Update Released

Look Apple, I'm trying to enjoy the summer. So what's with the almost daily Apple software security updates? Enough already! - Actually, I'm not complaining. The faster the bug fixes for Leopard the better.

You can read about the 18 security patches in Security Update 2009-003 & 10.5.8 HERE. Several of the security patches are for Mac OS X 10.4.11 as well as 10.5.7. Therefore, if you're using Tiger, be sure to check for and install the update.

Primer on how-to-update:

1) Repair your boot volume's permissions via Disk Utility.

2) Verify your boot disk via Disk Utility. If you have disk problems, boot from another volume or your Mac OS X installation DVD/CD and perform the repair.

3) After both steps 1 & 2 are completed, install the update.

4) After the update and associated reboots have been completed, repair your boot volume's permissions again.

Note that are even more fanatical and suggest that all of the above be done after booting into Safe Mode. They also recommend NOT installing system updates via Software Update. Instead they recommend DIY downloading and installing of Apple's provided 'combo' updates.

I've been a member at MacFixIt for several years. If there is one consistent thing I've learned from hanging out over there, it's that those people who run into problems after installing updates most likely did NOT follow steps 1 - 4. Even Apple are known to leave behind messed up permissions after update installations. Making sure your boot volume is in good repair before any installation is obvious. Repairing permissions is of course not a panacea for fixing your Mac. But it never hurts, and it is very important before and after any major update. I will not entertain any arguments to the contrary. So there.

Techy stuff:

What's in Security Update 2009-003? No surprise: Lots of bad memory management repairs! Let's count them together:

I) bzip2 has been updated to version 1.0.5 to stop out-of-bounds memory access dangers.

II) Improved ColorSync profile validation to prevent the ramifications of a heap buffer overflow.

III) Improved bounds checking of Canon RAW images to prevent the ramifications of a stack buffer overflow.

IV) OpenEXR has been updated to version 1.6.1 to prevent the ramifications of a heap buffer overflow.

V) Improved memory initialization and validation of OpenEXR images to prevent the ramifications of an uninitialized memory access flaw.

VI) Improved bounds checking of OpenEXR images to prevent the ramifications of multiple integer overflow flaws.

VII) Improved bounds checking of EXIF metadata to prevent the ramifications of a buffer overflow in ImageIO.

VIII) Improved validation of PNG images in order to prevent the ramifications of an uninitialized pointer flaw.

IX) Improved handling of fcntl system calls in order to prevent system privilege escalation and arbitrary code execution caused by overwriting kernel memory.

X) Improved validation of AppleTalk response packets in order to prevent a buffer overflow flaw in the kernel.

XI) PCRE has been updated to version 7.6 in order to prevent the ramifications of a buffer overflow flaw in the PCRE library used by XQuery.

Of the 18 security patches, that's 11 memory management patches. This proves once again that memory management remains the primary bane of contemporary coding. This is one of my favorite rants, if you haven't previously noticed.
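To make the "improved bounds checking" wording in those patch notes concrete, here is an added illustration that is NOT Apple's code and not taken from any of the patched libraries: a constructed parser for a tiny EXIF-style tag record ([2-byte tag][4-byte length][value]) where the length comes from the untrusted file. It shows why the obvious `offset + length <= buffer_size` check is wrong (the sum can wrap) and the overflow-safe form that replaces it, plus zeroing the output so a failed parse never leaves uninitialized fields behind. The record layout, tag value and status codes are my own assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (assumption for this example, not a real
 * EXIF/TIFF encoding): [2-byte big-endian tag][4-byte big-endian length][value]. */
#define HDR_LEN 6

enum parse_status { TAG_OK = 0, TAG_TRUNCATED = 1, TAG_BAD_LEN = 2, TAG_TOO_LONG = 3 };

struct tag_record {
    uint16_t tag;
    uint32_t len;
    uint8_t  value[16];   /* fixed-size destination: the copy must be capped here */
};

/* The naive check. off + len is computed in size_t and can wrap around to a
 * small number when len is huge, so a hostile length passes the test. */
bool naive_in_bounds(size_t off, size_t len, size_t buflen) {
    return off + len <= buflen;
}

/* The overflow-safe check: never form a sum that can wrap. */
bool safe_in_bounds(size_t off, size_t len, size_t buflen) {
    if (off > buflen) return false;
    return len <= buflen - off;
}

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one record at 'off' inside buf[0..buflen). Every length used for
 * indexing or copying is validated against the real buffer size first. */
int parse_tag(const uint8_t *buf, size_t buflen, size_t off, struct tag_record *out) {
    memset(out, 0, sizeof *out);          /* defined contents even on failure */
    if (!safe_in_bounds(off, HDR_LEN, buflen)) return TAG_TRUNCATED;
    out->tag = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    out->len = read_be32(buf + off + 2);
    /* off + HDR_LEN cannot wrap here: the check above proved it <= buflen. */
    if (!safe_in_bounds(off + HDR_LEN, out->len, buflen)) return TAG_BAD_LEN;
    if (out->len > sizeof out->value) return TAG_TOO_LONG;   /* cap the copy */
    memcpy(out->value, buf + off + HDR_LEN, out->len);
    return TAG_OK;
}

/* Constructed sample inputs. 0x0110 is used here simply as an example tag id. */
static const uint8_t GOOD_BLOB[]    = {0x01, 0x10, 0x00, 0x00, 0x00, 0x05, 'C', 'a', 'n', 'o', 'n'};
static const uint8_t HOSTILE_BLOB[] = {0x01, 0x10, 0xFF, 0xFF, 0xFF, 0xFF, 'X'};

/* Returns 1 if the well-formed record parses and its fields are correct. */
int demo_parse_good(void) {
    struct tag_record r;
    if (parse_tag(GOOD_BLOB, sizeof GOOD_BLOB, 0, &r) != TAG_OK) return 0;
    return r.tag == 0x0110 && r.len == 5 && memcmp(r.value, "Canon", 5) == 0;
}

/* Returns the status for a record whose length field claims 4 GiB. */
int demo_parse_hostile(void) {
    struct tag_record r;
    return parse_tag(HOSTILE_BLOB, sizeof HOSTILE_BLOB, 0, &r);
}

/* Returns the status when the buffer ends inside the header. */
int demo_parse_truncated(void) {
    struct tag_record r;
    return parse_tag(GOOD_BLOB, 5, 0, &r);
}

int main(void) {
    size_t huge = SIZE_MAX - 2;   /* 4 + huge wraps to 1 */
    printf("naive check accepts wrapped length: %d\n", naive_in_bounds(4, huge, 100));
    printf("safe  check accepts wrapped length: %d\n", safe_in_bounds(4, huge, 100));
    printf("good record: %d, hostile record: %d, truncated: %d\n",
           demo_parse_good(), demo_parse_hostile(), demo_parse_truncated());
    return 0;
}
```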

The remaining 7 patches repair certificate warnings, JavaScript handling, Multi-Touch access, inetd-based launchd services, format string handling by the Login Window, MobileMe credentials deletion, and file descriptor sharing.

OK. Attention Apple: It's August. Go on vacation please so I can have one too. Thank you. Over and out.


Wednesday, August 5, 2009

GarageBand v5.1: Tracking Cookie Security Patch

Apple is now offering an update via 'Software Update' to GarageBand version 5.1, available for users of Mac OS X 10.5.7. You can read about the included security patch HERE.

To quote Apple:

Impact: A user's web activity may be tracked by third parties and advertisers.

Description: When GarageBand is opened, Safari's preferences are changed to always accept cookies. The default preference is to accept cookies only for the sites being visited. The altered setting may allow third parties and advertisers to track a user's web activity. This update addresses the issue by not changing the preference setting. Users who have run previous versions of GarageBand should confirm that their Safari preferences are set as desired.

What's going on:

GarageBand is allowing what are called 'Tracking Cookies' to be accepted by Safari. This type of cookie is used for marketing purposes to watch your individual behavior on the net. IOW you are under surveillance. This is essentially the same as having a chip implanted in your brain that collects data on your interests. It triggers off advertisements that 'fit your interests' as you visit further web pages. I personally find this form of marketing to be invasive and disrespectful. I never allow it.

If you think you've been messed over by this bug in GarageBand, here is what I suggest:

1) Update to GarageBand v5.1.

2) Just to be safe, make a backup of Safari's 'Cookies.plist' file. You will find it here:


3) As Apple suggests, go into Safari's Preferences and hit the 'Security' tab. Change the 'Accept cookies' setting to "Only from sites I visit". This stops any 3rd party cookies from being dumped into your browser, killing off any chance of being infected with Tracking Cookies.

4) Click the "Show Cookies" button. It is just below the settings in #2.

5) Either painstakingly go through your cookies and 'Remove' those you don't want, or simply hit the 'Remove All' button. This makes certain that all Tracking Cookies have been deleted along with all your other cookies.

There are of course complications after tossing your cookies. The most common result is not being able to automatically log in to sites where you have an account or membership. If you haven't kept track of all your IDs and passwords then you're hosed and will have to create new accounts. My solution is to keep a personal list of my net IDs and passwords in a text file stored on the encrypted .DMG volume that loads when I log into my user account. I also keep my IDs and passwords encrypted inside the application 1Password, which is a shareware super form of keychain. I've mentioned it here on the blog several times.

In the worst case scenario where you MUST have something that was stored in your cookies, you can always swap back in your backed up Cookies.plist file from step #2 above.

Tracking Cookies aren't actually malware, and having a few buried in your cookie pile won't kill you. Nonetheless, they are a form of spyware. They are also IMHO of no benefit to anyone but marketing companies.

Saturday, August 1, 2009

Adobe Releases Security Patched Reader and Acrobat v9.1.3

As promised, on Friday, July 31, Adobe released security patched versions of Acrobat and Adobe Reader. The links in the previous article about the subject should get you started, but I've provided them again below.

NOTE: verify that you are downloading and installing versions 9.1.3 of Reader and Acrobat and not an earlier version. The download page for the Acrobat 9.1.3 update is clear regarding versions. However, the Acrobat Reader page is NOT. Therefore, after you download and install "the latest version" of Reader, go under the Help menu to "Check for Updates...". Otherwise you may have only installed an earlier version of Reader without the new security patches.

Those patch download links again:

1) Adobe Flash Player v10.0.32.18. There is a special patch for version 9 users to v9.0.246.0.

2) Adobe Air v1.5.2.

3) Adobe Reader v9.1.3.

4) Acrobat v9.1.3.

Glad to be of service!

iPhone OS v3.0.1 Patches The SMS Security Hole

Friday, July 31, Apple released iPhone OS version 3.0.1 ahead of schedule to patch the SMS security hole revealed Thursday at Black Hat USA 2009. According to the Associated Press, iPhone users must connect their iPhones to their computer in order to be alerted about the update, download and install it.

It is important to install this update ASAP. You can read Apple's description of the SMS security problem and patch HERE. Credit for discovery of the SMS problem was given to Charlie Miller and Collin Mulliner.

The AP report that Google have patched the SMS problem in their Android OS. Meanwhile, Microsoft are "investigating the vulnerability" in their Windows Mobile OS. There are no announcements at regarding the SMS problem at this time.

Thursday, July 30, 2009

Critical Adobe Security Patches Arrive, Again

I just gotta rant for a couple paragraphs:

The most disappointing thing I learned this week is that Adobe knew about this current crop of security holes last December, 2008. So why are we only learning about it now and only getting patches now. Didn't I say Adobe sucks?

And isn't it amusing that Adobe patched up one slew of security holes last month, and waited on this slew of further security holes. What do they do over at their offices? Argue about whether to patch? How to patch? When to patch? How long can they delay it without people saying 'Adobe sucks"? I know they have a messed up work culture over there. Get with it dummies!

The Patches:

1) Adobe Flash Player v10.0.32.18. There is a special patch for version 9 users to v9.0.246.0.

2) Adobe Air v1.5.2

3) Adobe Reader v9.1.3 - Theoretically available Friday, July 31

4) Acrobat v9.1.3 - Theoretically available Friday, July 31

NOTE: Verify which version you have downloaded. Adobe often don't mark what specific version you are downloading. Instead they may tell you that you are downloading "the latest version" when in fact you are NOT. You need to DIY update whatever you downloaded to the actual 'latest version'. Adobe provide no warning whatsoever. Adobe know about this problem and maybe will stop this practice in the future.

As I say ad nauseam: We're still in the Stone Age of Computing, and in the future they will pity us for the clunky junky stuff we had to put up with. (o_0)

Wednesday, July 29, 2009

Black Hat Nails iPhone SMS Security Hole

I don't follow iPhone security, but this one is major. It is also coming out of Black Hat USA 2009. So if you have an iPhone, you'd better read this! Or you may become INFECTED!

Short version: SMS stands for Short Message Service. Thanks to a security hole in the iPhone OS, your iPhone can get pwned via a malevolent SMS message. To quote Forbes Magazine:
If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.
Why Thursday? At 11:15 AM, Las Vegas, NV time, our pal Dr. Charlie Miller along with cybersecurity expert Collin Mulliner give their talk "Fuzzing The Phone In Your Phone". To quote Dr. Miller from his website Security Evaluators (you owe me for all this publicity Charlie!):
In this talk they will show how to find vulnerabilities in smart phones. Not in the browser or mail client or any software you could find on a desktop, but rather in the phone specific software. They will present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices. This method does not use the carrier and so is free (and invisible to the carrier). They’ll show how to use the Sulley fuzzing framework to generate fuzzed SMS messages for the smart phones as well as ways to monitor the software under stress. Finally, they will present the results of this fuzzing and discuss their impact on smart phones and cellular security.
As you can see, the SMS security hole is NOT just on the iPhone.

Apparently Dr. Miller notified Apple about this hole over a month ago. One website said Apple knew about the hole 6 months ago. Apple is a slow poke. Ars Technica reported July 3rd that Apple are working on a patch for this problem. At the moment there is no patch from Apple or any announcement regarding this problem. Theoretically the patch will be in iPhone OS X v3.1. World of Apple reports that yesterday, July 28, Beta 3 of iPhone OS X v3.1 was distributed for testing. They believe the release will be in mid-August. Oops. That's a couple weeks away. Time for suspense!

Some further reading pleasure can be found at MacFixIt, PCWorld and InfoWorld.

My suggested interim workaround (keeping in mind that I don't have an iPhone): Turn OFF incoming SMS on your iPhone. Or just leave your phone off, like that's an option.

Here is a discussion on how to stop SMS on the iPhone:


Note that turning off SMS previews is NOT effective. You want to stop the messages from getting to your phone entirely. (You have permission to hit me if I am incorrect on this point).

Oh BTW: Dino Dai Zovi gave his talk "Macsploitation with Metasploit" today at 10:00 AM Las Vegas time and his talk "Advanced Mac OS X Rootkits" at 11:15 AM Las Vegas time. When I learn of any important ramifications, I'll post. There is an audio interview with Dino Dai Zovi at that reviews his interest and experience in Metasploit and Mac Rootkits.

Saturday, July 25, 2009

July's Round of Critical Adobe Vulnerabilities: New, Fresh, Dangerous

For those of you who took earlier advice from Intego or myself and killed off ADOBE READER, good work, because Adobe have released yet-another CRITICAL SECURITY ADVISORY! But this time it also includes FLASH as well as Acrobat. You knew it had to happen. Tsk tsk Adobe.

Here is where you can read all about it. I'm not going to quote the advisory. Just know that it was written by someone who is Windows-centric and it provides NO HELP for Mac users. Brilliant! Typical! ... As they say in Britain.

So I came up with my own stopgap probably sort of solution if you insist upon keeping Adobe Reader, Acrobat and the Flash Plug-in on your system. I originally posted this over at Please note that the preference setting names in Acrobat can be slightly different from the names I provide here for Adobe Reader. Otherwise, the setting changes are identical:
WHAT TO DO, my best guesstimation:

Since the information Adobe provided is Windows-centric and a total FAIL for Mac users, seeing as Mac OS X has no such thing as .dll files, here is what I guesstimate is required to stop this vulnerability:

1) In Adobe Reader Preferences, go to "Multimedia Trust (Legacy)" and UNCHECK "Allow Multimedia Operations". That should kill running any Flash crap in PDF files.

2) In the Preferences, go to "Trust Manager" and UNCHECK "Allow opening of non-PDF file attachments with external applications". That should prevent any embedded Flash crap from running anywhere else on your computer as well.

3) In the Preferences, go to "JavaScript" and UNCHECK "Enable Acrobat JavaScript". That will disable a PDF from even being able to call the Flash plug-in for embedded Flash crap. (Considering the sewer of malware code that JavaScript has become, thank you Microsoft, I'd leave JavaScript off FOREVER if you want to seriously be safe).

*** Or to be extra special safe: Delete BOTH Adobe Reader AND their Flash plug-in from your computer. :-)

AND! Delete these folders, if you've got them:

/Applications/Utilities/Adobe Utilities/Adobe Updater5
/Applications/Utilities/Adobe Utilities/Adobe Updater6

AND AND! To be extra special safe, do a Get Info on the Adobe Utilities folder, noted above, and LOCK IT! This will prevent any installers from replacing the nasty Adobe Updater folders and the auto-installation garbage they contain, preventing Adobe from reinstalling Adobe Reader or Flash.

RIP Adobe insecure buggy crapware. :-P

NOTE: If you use other Adobe software, be sure to DIY check for updates on Adobe's website regularly. Adobe has some great software! But they also make some crap insecure software. Protect yourself. :-D
Alternatives: Use Apple's Preview to open, view and create PDF files. To play Flash files that are not stuck in web pages, I use MPEG Streamclip. For web page embedded Flash files, you're hosed. Sorry. Write hate mail to Adobe.

(If you really need to view web page embedded Flash files, try using FireFox running with the latest version of the DownloadHelper extension and download them onto your computer. I love it. Extra crunchy. Also be sure to use the NoScript extension for added safety from bad JavaScript. And be super duper safe by adding on the McAfee SiteAdvisor extension. And to have almost god-like security be sure to add in ...).

Mac Attacks @ Black Hat USA 2009


It's time for the second Black Hat Technical Security Conference of the year, this one being held in Las Vegas, NV. Where else! I wonder how much money casinos will lose to participants after hours.

The conference runs July 25 through July 30. I'll be keeping an eye on Mac related revelry. Here are a couple announced Mac security events, researched and presented of course by two of our greatest Mac hackers, Dino Dai Zovi and Dr. Charlie Miller. My anti-heroes. *sw00n*

Advanced Mac OS X Rootkits

The Mac OS X kernel (xnu) is a hybrid BSD and Mach kernel. While Unix-oriented rootkit techniques are pretty well known, Mach-based rootkit techniques have not been as thoroughly publicly explored. This presentation will cover a variety of rootkit techniques for both user-space and kernel-space rootkits using unique and poorly understood or documented Mac OS X and Mach features.

Macsploitation with Metasploit

While Metasploit has had a number of Mac exploits for several years, the exploit payloads available have done little more than give a remote shell. These payloads are significantly simpler than the DLL-injection based payloads for Windows-based targets like the Meterpreter and VNC Inject payloads. This talk will cover the development and use of the fancier Metasploit Mac payloads developed by Dino Dai Zovi (the presenter) and Charlie Miller, including bundle injection, iSight photo capture, and Macterpreter.
Here is Dino's bio from the site:
Dino Dai Zovi
Endgame Systems

Dino Dai Zovi has been working in information security for over 9 years with experience in red teaming, penetration testing, and software security assessments at Sandia National Laboratories, @stake, and Matasano Security. Mr. Dai Zovi is also a regular speaker at information security conferences including presentations of his research on MacOS X security, hardware virtualization assisted rootkits using Intel VT-x, 802.11 wireless client security, and offensive security techniques at BlackHat USA, Microsoft BlueHat, CanSecWest, the USENIX Workshop on Offensive Technology, and DEFCON. He is a co-author of "The Mac Hacker's Handbook" (Wiley 2008) and "The Art of Software Security Testing" (Addison-Wesley Professional 2006). He is perhaps best known in the information security and Mac communities for discovering the vulnerability and writing the exploit to win the first PWN2OWN contest at CanSecWest 2007.
Also featured is a talk by Kostya Kortchinsky on how to use breakout vulnerabilities in VMware virtualization software for Mac to hack into the host machine. And that's bad. Kostya works in France and is infamous for being first to exploit announced Microsoft vulnerabilities.

Some other somewhat Mac relevant subjects that will be presented:
  • BitTorrent Hacks - Michael Brooks and David Aslanian
  • Reversing and Exploiting an Apple® Firmware Update [for an Apple aluminum keyboard] - K. Chen
And of course an array of new PHP and SQL vulnerability hacks. What, no Microsoft exploits? There's no fooling you! Of course there are! And let's not forget exploitation of ye olde Intel® BIOS, Oracle, parking meters, iPhones, routers, and the US federal government. Included is an in depth discussion of the Windows worm of the year, Conficker. The favorite subject this year appears to be rootkits. The Pwnie Awards will be announced July 29th. There's fun for everyone.

Monday, July 6, 2009

Quickie Reviews of ClamXav, iAntiVirus and MacScan

Recently, I've been testing the free anti-malware options for Mac. At the moment, none of them are perfect. But there is progress! Below are posts I made this week over at the sites regarding iAntiVirus, ClamXav and MacScan:

I) MacScan Is Unreliable:
I've tested MacScan several times over the course of several versions. The results are consistently flaky. It is impossible to get it to detect items reliably. Instead you have to run it over and over and over and over to get the thing to pick up everything.

For some purposes, like detecting the full raft of 'legal' Mac Spyware and Tracking Cookies, this is the only show in town. But OMG does it suck. IMHO MacScan requires an entire rewrite in order to get a rating better than one star. The developers have done some nice things like providing some sort-of working removal tools for current Trojans. So they aren't evil. They're just lousy programmers.
II) iAntiVirus Is Basic, Not Perfect, Mostly Works:
Keep in mind that this thing is FREE:

Despite some outright dishonest flame reviews of iAntiVirus here at VT, it actually does work, mostly. I let it loose on a folder full of Trojans a friend shared with me and it successfully found MOST of them:

Trojan.OSX.RSPlug.C, D & F
Trojan.OSX.iServices.A & B

1) It did NOT find Trojan.OSX.RSPlug.E, of which I had a number of copies in my folder-full-of-Trojans. That is upsetting.
2) It also uses wrong names for the iServices Trojans. But sadly, despite a clear naming convention for malware, hardly anyone bothers, which is of course pathetic.
3) The app only gives you two choices when it finds malware: Either remove the malware or nothing. There is no sophistication to this app whatsoever.

Maybe the 'Pro' version is way better. I don't know. The PC Tools website certainly 'claims' iAntiVirus detects all the current Mac malware. Judging from the free version, it only finds some Mac malware. Maybe I'll test the Pro version some time.

In the meantime, I own Intego VirusBarrier, which frankly is the ONLY anti-malware app for Macs I can recommend. It works great, detects everything, is updated daily, is entirely reliable, is never a CPU hog, and has all the bells and whistles you could want.

If you want to stick with free stuff, the best idea is to use BOTH iAntiVirus AND ClamXav. Between the two of them you're probably just fine. This is thanks to the fact that the excellent author of ClamXav went out of his way to convince the ClamAV project to accept contemporary Mac malware sample definitions. *Applause*
Addendum: I should note that iAntiVirus also fails to detect RSPlug.I and .L.

III) ClamXav: Progress! But Still Waiting For Full Mac Malware Detection:
Recently, ClamXav developer Mark Allen went out of his way to convince the ClamAV project to accept contemporary Mac malware samples for definition integration. *Applause*

However, my testing today shows only partial progress from the ClamAV project.

MY TEST: A friend provided me with a large collection of recent Mac Trojan horses including all the iServices and RSPlug malware. There were 18 samples in all. I used them as my testing ground.

RESULTS: ClamXav, via the latest engine and definitions of ClamAV, found 10 of them and successfully put them into my quarantine folder.

As my control, I used Intego VirusBarrier, latest version with current definitions. It found all but one of the malware. (The undetected malware was a .pkg with the payload inside a .bom file).

What ClamXav, via ClamAV, didn't detect:
DMG files containing:

I'm testing iAntiVirus (runs on Mac OS X Leopard only). But it too is unable to detect RSPlug.E [as well as .I and .L].


1) ClamXav is the best of the free anti-malware application options. But the ClamAV database of current Mac malware is still not completely up to date. However, it is far better than it was a couple months ago thanks to Mark Allen's work.

2) Even with the combination of ClamXav and iAntiVirus, it is still possible to have a current Mac Trojan sneak by. But then again, Intego VirusBarrier missed one as well, possibly due to the way the Trojan was packaged.

A high quality paid anti-malware application remains the best way to go for professional use. But for casual use, ClamXav is the best, despite remaining ClamAV deficiencies. I would combine it with iAntiVirus as well if you are running Mac OS X Leopard.

Wednesday, June 24, 2009

Adobe Shockwave Player v11.5.0.600 & Apple vs. Java Insecurity

In its recent attempt to get serious about application security, last week Adobe released Shockwave Player v11.5.0.600 for Mac. Oddly, they released the Windows version a week later. I say oddly because Mac versions of Adobe software are almost always late. It's amusing to see a swap for a change. Now if only Adobe would release the many-years-delayed 64-bit versions of their applications. Hint hint Adobe.

MacWorld messed up today (6/24) and reported that the Adobe security bulletin about the Windows version of Shockwave Player had anything to do with the Mac version. So I posted a reply comment, which you'll find below. After I posted my comment I visited the Adobe site to find any news about the Mac version. There isn't any. I did however learn that Shockwave Player is compatible with Mac OS X Tiger. That's good to know. I dug around in the installer package and found nothing there as well. If you find anything relevant to Mac security improvements in Shockwave Player v11.5.0.600, please leave a comment.

Here is my comment to MacWorld regarding Adobe Shockwave Player. It is also relevant to Apple's slow poke response to Java security problems:

A couple points:

1) The Adobe Security Bulletin (it's not a blog) is specific to the Windows version ONLY, which apparently was just finished and released. The Mac version of Adobe Shockwave Player v11.5.0.600 was released a week ago on June 16th. Adobe didn't post a security bulletin for the Mac version. And that means what?!

2) bousozoku sez: "Adobe seems to be the only company slower than Apple at taking care of security concerns."

Adobe's attention to security went into deep decline until this past month.

In the meantime, Apple have been improving their attention to security exponentially over the last couple years. It appears to be in response to both the moronic anti-Apple security FUD-fest instigated by Symantec in August 2005, and the White Hat focus on Apple security bugs and vulnerabilities. As is typical with Apple, drag them through the press and they respond.

Where Apple recently fell on their face was with regards to a slew of vulnerabilities in the mess known as Java. Apple were over 6 months behind in Java patches. Sadly, Apple's incredibly slow response to Java updates is consistent. Never has Apple had a serious Java team. Of course one reason is that Apple has to do ALL the work to provide Mac OS X Java updates. Sun provides nothing.

Meanwhile, despite Microsoft's outright hatred of all things Java, to the extent that they were found guilty in court of attempting to destroy Java via their J++ monstrosity, Sun Microsystems write and provide all Windows Java updates. Microsoft never has to lift a finger. That is the single sole reason Windows gets Java updates before Mac OS X. Hey thanks Sun. Sorry you're dead.

Friday, May 29, 2009

Microsoft Senior Security Architect Said WHAT?!

Someone needs a good spanking and a time out for bad behavior. He's considered to be a professional computer security expert, (so it's not me!).

This afternoon I was checking out the Intego Mac Security Blog and read about interviews ZDNet Australia had done with security specialists regarding the question "Do Mac Users Need Antivirus Software?" (They got the software category wrong as usual. It's anti-malware, not 'anti-virus'. I'll go down in history as the curmudgeon who chanted this fact to the grave, and nobody cared. Poor me). So I clicked over to ZDNet OZ, read their article and watched the video, found HERE.

In the video, note the fellow in the white shirt with a British accent. That's Greg Singh from RSA. As Intego point out, Singh is incorrect to say Mac users will have to get used to the degradation in performance caused by anti-malware applications. He could be talking specifically about Symantec's Norton Antivirus for Mac, in which case no one could argue with him. He also insinuates that Apple have said Mac OS X is not susceptible to 'viruses'. Oops, I think he got his Apples mixed up. He must have meant Apple Corps, the folks who make Beatles CDs. Yeah, I'd agree that Beatles recordings are not susceptible to viruses. **snicker**

Then there's the guy in the black t-shirt and hat reading "ULTIMATE-DEFENCE". That's Rocky Heckman from Microsoft. He has the title of "Microsoft Senior Security Architect". I was freaked at what was coming out of his mouth. First he thinks BSD is something new to Mac OS X Tiger. He was born yesterday. Then he says that because BSD is part of Mac OS X, hackers are now realizing they can write 'viruses' for it, "and there have been a couple out there." He's from the Bizarro World. There are no viruses for Mac OS X. There are only Trojans, and he knows the difference. I wrote a ripping comment about Mr. Heckman over at the ZDNet OZ site. See below.

Then there's an Australian fellow in a white striped shirt with a big pad and marker hanging around his neck. I don't know his name, sorry. His odd statement, if you listen carefully, is that anti-malware products for Mac OS X are 'immature'. Based on what information? Based on ignorance. Very strange.

OK, so where were all these incorrect people when they were interviewed? The AusCERT 2009 IT Security Conference. The mind boggles.

Here is the concerned comment I wrote to ZDNet Australia regarding the statements of Mr. Heckman from Microsoft:
Microsoft Senior Security Architect Said WHAT?!

"Microsoft senior security architect Rocky Heckman said AV became necessary when Apple in 2001 decided to underpin OS X Tiger with the BSD operating system because it made Macs an easier platform to write malicious code for."

Why did anyone ask Mr. Heckman his opinion? We certainly have no reason to care. Windows is the single LEAST secure operating system, commercial or Open Source, available on the planet.

Why Heckman's opinion is lunatic:

1) Apple didn't decide to underpin Tiger with BSD. NeXT decided to underpin NeXTStep with BSD decades ago! Mac OS X inherited it when Apple decided to make NeXTStep/OpenStep the foundation for Rhapsody, which was then developed into Mac OS X.

2) The three most secure operating systems on the planet have been repeatedly proven to be:
A) OpenBSD
B) FreeBSD
C) Mac OS X
Mac OS X incorporates elements of both OpenBSD and FreeBSD into its core OS called Darwin OS. So what Mr. Heckman is talking about is incomprehensible. He is either a blithering idiot or is pulling a FUD manoeuvre by telling the opposite of the truth in order to fool the public that black is white, war is peace, hate is love, the usual doublespeak routine from the book '1984'. Shame on Mr. Heckman.

This has to be one of the most dishonest statements from a Microsoft executive of all time. It's running neck-and-neck with Bill Gates' moronic statement that Mac OS X is exploited everyday, when in fact it is HIS operating system that is exploited every day.

Or maybe there's lead in the water over at Redmond. (o_0)

Tuesday, May 26, 2009

Hope For ClamAV For Mac

As you recall from our last episode, ClamAV was essentially worthless for detecting and removing the current 11 malware for Mac OS X. However, hope appeared last week thanks to the persistence of Mark Allan, the developer of the ClamXav GUI application, and myself.

I wrote a series of posts over at the ClamXav Forum last week that revved up some interest in sorting out the problem with ClamAV. I found out that a number of people, including Mark Allan himself, had submitted MOSX malware to the ClamAV project, using the official protocol, and had been entirely ignored. From my experience, there are a number of plain old dickheads over at the ClamAV project who resist any improvement in MOSX support. You have to wonder what goes on in some people's heads.

However, Mark Allan and I chatted about the situation and he was inspired to try once again to contact someone sane over at the ClamAV group. And he SUCCEEDED. I could not be more pleased.

Mark is now working with the ClamAV project to provide them with Mac OS X malware. The resulting malware definitions will then be integrated into ClamAV. If this relationship works out, and Mark is able to continue his freely given dedication to Mac OS X security, we should soon see and continue to see ClamAV as a free useful tool for Mac OS X users.

You can read about and download ClamXav, Mark Allan's free Mac OS X GUI version of ClamAV, HERE. Donations are welcome. You can join in on the ClamXav Forum discussions THERE.

Thursday, May 21, 2009

Java is DANGER! Apple is SLOW POKE!

One of my favorite jabs at the anti-Mac security FUD mongers is to point out that their FUD attack party, ongoing since it was started by Symantec way back in August 2005, has happily prodded Apple to get serious about Mac OS X security updates. I then extend them a hearty handshake and gleefully, maniacally, laugh.

However, Mac security mavens point out that Apple is still a slow poke. Damned right! There are a couple short articles over at Intego about an ongoing security hole in the current implementation of Java in Mac OS X:
-> Apple Hasn’t Updated Java to Protect Mac Users from Critical Vulnerabilities
-> Intego Security Memo: Java Vulnerability

To defenders of the faith, such as myself, this is annoying. First off, we get to be poked by the FUD mongers with the 'see, I told you' routine. Second off, I am so sick of the corrosion that has happened to the great and shiny image in the sky of Java being this ultra-safe, can't break into your computer, can't hurt you, technology. Yeah, and Sun is now no more. Justice is served. But we're stuck with the mess as a web standard.
*rolling eyes*

Twitter Spamrat Attacks -> Nuisance

Last night I became aware that someone has, dare I say, 'hacked' Twitter such that logged in users are instantaneously befriended/followed by scum spammers. For all I know, this is deliberate by the Twitter folks or there is some other nebulous explanation. What I do know is that it is a BLOODY NUISANCE!

Thankfully it is easy to block the spamrats as they show up in your followers list. But then you have to scour through your followers list at least every day to kick them out. So far it is also easy to spot them by checking out their page. It will be full of moronic spam tweets. If by chance you've been vacant enough to choose to follow them and your tweet collection turns into a pile of blithering idiotic ads for rubbish, again it is easy to kick them.

I hope Twitter get a handle on this, if indeed it isn't some sort of sell-out collaboration, because it is soooo boring having to sort through your lists and play Spot-The-Loony. Bloody! Bloody I say!

Sunday, May 17, 2009

Current List of Mac OS X Active Malware

This evening I was busy over at the ClamXav forum. In response to a suggestion there, I provided a current list of Mac OS X active malware. I decided to cross-post the list here as well:

Below is a list of all the Mac OS X active malware I am aware of. I've been attempting to keep up to date on this subject since 2005. I have a blog where I share all my knowledge of Mac security:

As far as I am able to ascertain, the only active Mac OS X malware ClamAV is able to detect is Trojan.OSX.RSPlug.A (aka DNSChanger.A). In a previous thread I have asked for help trying to determine if any further Mac OS X malware are detected.

Note that there is only one official standard name for each of the 11 malware. This is what I use to name each family. However, anti-malware providers call them anything they choose. This is why I provide alternative names. There are four families of Trojans listed below with various strains/versions/variants designated by "A" through however many exist for the family. In the case of RSPlug I list A through G specifically because the PCTools site lists that many. Most other sites list only A through F.

If anyone knows of further names for these malware, or of any further ACTIVE malware (please not inert or proof-of-concept malware) please let me know at my blog.

The current list of active Mac OS X malware as of 2009-05-17:

I) Trojan.OSX.RSPlug family, aka DNSChanger or Jahlav.
01) Trojan.OSX.RSPlug.A
02) Trojan.OSX.RSPlug.B
03) Trojan.OSX.RSPlug.C
04) Trojan.OSX.RSPlug.D
05) Trojan.OSX.RSPlug.E
06) Trojan.OSX.RSPlug.F
07) Trojan.OSX.RSPlug.G

II) Trojan.OSX.Lamzev family, aka Malez.
08) Trojan.OSX.Lamzev.A

III) Trojan.OSX.PokerStealer family, aka Corpref.
09) Trojan.OSX.PokerStealer.A

IV) Trojan.OSX.iServices family.
10) Trojan.OSX.iServices.A
11) Trojan.OSX.iServices.B

Sources of these malware:

The RSPlug family are all offered by websites that tell you that you must install their file or program in order to access specific media they are offering. Originally these Trojans showed up on porn sites where you were told to download a video codec in order to view their videos. These days the websites could be telling you anything. The basic idea is to use 'Social Engineering' to fool you into installing their Trojan. The most recent of these Trojans can potentially zombie your computer and use it in a botnet.

Lamzev is a hacker tool used to create backdoor access into a computer. The only way to 'catch' it is if a hacker has physical access to your computer and hand-installs it. Note that there are plenty of other hacker tools around, but this is the only one listed as a Trojan because of the potential damage it can do to a victim computer.

PokerStealer originally called itself "PokerGame". You download it, install it and are infected. The original version put up a bogus warning message that a corrupt preference file had been detected and that your administrative password was required to repair it. It then sends your ID, password and IP address to crackers who can then access your computer via SSH and do whatever they like with it. Theoretically this Trojan can be named anything.

iServices showed up earlier this year in pirated programs, buried inside their installer. The original A and B variants were buried in pirated versions of iWork '09 and Photoshop CS4. You install the pirated program and get infected. There are reports that the installers actually fail to install the listed program and only install the Trojan. In any case, iServices zombies your computer and makes it part of a botnet. This Trojan formed the first officially verified Mac botnet back in February. It apparently consists of thousands of computers. It has so far been used in a DDOS attack. Note that once a Mac is zombied, the 'bot wrangler' or cracker-in-charge can do anything they like with the computer. This particular zombie botnet is so far being used for money making ventures over the Internet.

If/when further Mac OS X active malware is discovered I'll list it in my blog.

Friday, May 15, 2009

Proof Of Concept Trojan.OSX.Tored.A & Related Rants

Last month an eMail distributed proof of concept (aka nonfunctional) malware program was discovered for Mac OS X. A couple different companies claim they 'discovered' it. It is being labeled as a 'worm' because it is able to replicate itself after infection. It does not qualify as a virus because it does not damage the host computer. However, it is actually a Trojan horse because it requires user error in order to be installed. Its worm behavior is therefore secondary and cannot be used in its name. Sorry. (;_;)

Rant: I'm a biologist who became addicted to Mac technology and works as a professional Mac technologist. So how come I, without a computer science degree, am able to distinguish a Trojan horse from a worm while professional computer security companies can't? I am thoroughly baffled. Was there perhaps one person who made the initial error and everyone followed along like good little sheep? Likely. It became evident eight years ago in the USA that sheep are the 'in' thing to be. Shameful. End of rant.

The best reports I found on Tored.A are over at Intego, F-Secure and CA. The lamest report is at Sophos, not worth linking.

An interesting short article about Tored.A was posted over at the HowStuffWorks blog. I wrote a reply to the article and tossed in some of my usual educational chatter. Here is a repost for your pleasure:

Here are some useful facts:

1) Symantec started the Anti-Mac security FUD campaign back in August 2005. In the intervening three and a half years Mac OS X has failed to be deluged in malware. There was no doom and gloom. The sky did not fall. Symantec continues to make the single worst anti-malware app for Mac. Figures.

2) There is a standard naming system for malware. This is how it works: First comes the type of malware. Tored-A is a Trojan horse. It is NOT a 'worm' until AFTER it has been installed by a computer user, which is of secondary importance. Therefore, the first part of its standard name is 'Trojan'. Second comes the name of the operating system on which it runs. In this case it is 'OSX'. Third comes that identifying 'name' of the malware. The discoverer in this case chose 'Tored'. Why is up to them. Last comes the 'strain' or version of the malware. The first discovered version is called A. Next is B, etc. Take note that despite this long published standard, anti-malware companies usually don't care. That's why there are often many names for exactly the same malware, resulting in needless chaos and confusion.

3) There never was any such thing as 'security by obscurity' for Mac OS X. The fact is that Mac OS X is incredibly harder to hack than Windows. That is why there are only Trojan Horses for Mac OS X. They require user error in order to break into a Mac. There are no viruses, worms or illegal spyware/adware for Mac OS X for that reason.
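The naming convention in point 2 above and the list of 11 active malware from the May 17 post, turned into a small checker (an added example, not code from the original post or any anti-malware vendor): it parses Type.OS.Family.Variant names, maps the vendor aliases the blog mentions (DNSChanger, Jahlav, Malez, Corpref) onto the standard family names, and reports which active malware a scanner's report leaves uncovered. The scanner report below is constructed to mirror the iAntiVirus results described earlier; the alias table and the regex forms for vendor names are assumptions.

```python
"""Checker for the standard Mac malware naming convention
(Type.OS.Family.Variant).  Added example, not the blog's own code."""
import re
from collections import defaultdict

# Standard form described in the post, e.g. Trojan.OSX.RSPlug.A
STANDARD_RE = re.compile(
    r"^(?P<type>Trojan|Worm|Virus)\.(?P<os>OSX)\."
    r"(?P<family>[A-Za-z0-9]+)\.(?P<variant>[A-Z]+)$"
)
# Looser form for vendor reports (assumption): type and OS may be missing
LOOSE_RE = re.compile(
    r"^(?:(?:Trojan|Worm|Virus)\.)?(?:(?:OSX|MacOSX)\.)?"
    r"(?P<family>[A-Za-z0-9]+)\.(?P<variant>[A-Z]+)$"
)

# Vendor aliases given on this page, mapped to the standard family name
FAMILY_ALIASES = {
    "rsplug": "RSPlug", "dnschanger": "RSPlug", "jahlav": "RSPlug",
    "lamzev": "Lamzev", "malez": "Lamzev",
    "pokerstealer": "PokerStealer", "corpref": "PokerStealer",
    "iservices": "iServices",
}

# The 11 active Mac OS X malware listed in the post dated 2009-05-17
ACTIVE_2009_05_17 = [
    "Trojan.OSX.RSPlug.A", "Trojan.OSX.RSPlug.B", "Trojan.OSX.RSPlug.C",
    "Trojan.OSX.RSPlug.D", "Trojan.OSX.RSPlug.E", "Trojan.OSX.RSPlug.F",
    "Trojan.OSX.RSPlug.G",
    "Trojan.OSX.Lamzev.A",
    "Trojan.OSX.PokerStealer.A",
    "Trojan.OSX.iServices.A", "Trojan.OSX.iServices.B",
]

# Constructed scanner report: detects RSPlug C, D and F plus both iServices
# variants, misses RSPlug E, and uses a vendor alias for one family
SCANNER_REPORT = [
    "OSX.DNSChanger.C", "OSX.DNSChanger.D", "OSX.DNSChanger.F",
    "Trojan.OSX.iServices.A", "Trojan.OSX.iServices.B",
]


def parse_standard(name):
    """Split a standard name into its four parts; reject anything else."""
    m = STANDARD_RE.match(name)
    if not m:
        raise ValueError(f"not a standard malware name: {name!r}")
    return m.groupdict()


def is_standard(name):
    return STANDARD_RE.match(name) is not None


def normalize(vendor_name, malware_type="Trojan"):
    """Rewrite a vendor's name (alias family, missing type or OS) into the
    standard form.  Unknown families are an error rather than a guess."""
    m = LOOSE_RE.match(vendor_name)
    if not m:
        raise ValueError(f"unrecognised vendor name: {vendor_name!r}")
    family = FAMILY_ALIASES.get(m.group("family").lower())
    if family is None:
        raise ValueError(f"unknown family in {vendor_name!r}")
    return f"{malware_type}.OSX.{family}.{m.group('variant')}"


def group_by_family(names):
    """Map family -> sorted list of variant letters, as in the post's list."""
    families = defaultdict(list)
    for name in names:
        parts = parse_standard(name)
        families[parts["family"]].append(parts["variant"])
    return {family: sorted(v) for family, v in families.items()}


def detection_gaps(active, reported):
    """Active malware (standard names) that the scanner report does not
    cover, after normalising the vendor's names."""
    detected = {normalize(r) for r in reported}
    return [name for name in active if name not in detected]


if __name__ == "__main__":
    for family, variants in group_by_family(ACTIVE_2009_05_17).items():
        print(f"{family}: {', '.join(variants)}")
    print("not covered by scanner report:")
    for name in detection_gaps(ACTIVE_2009_05_17, SCANNER_REPORT):
        print("  " + name)
```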

Responding to the article:
"Many accounts say that the MacOS is naturally more secure than Windows."

Accounts have nothing to do with it. Mac OS X = UNIX = consistently proven to be the safest operating system commercially available. Its rivals are the Open Source operating systems FreeBSD and OpenBSD, both of which are integrated into Apple's CLI version of UNIX called 'Darwin OS', the basis of Mac OS X. That being said, UNIX / Mac OS X is NOT perfect. Security flaws are frequently being patched. Never at any time was there any myth that Mac OS X was not 'mortal'. If you want hacker heroes, applaud Dr. Charlie Miller and Dino Dai Zovi, the most revered of those who have proven how to break into a Mac (with user error required). They wrote a book about it called "The Mac Hacker's Handbook" published March 2009.

The least secure Apple software is NOT Mac OS X. It is in fact QuickTime, which Apple write and provide for both Windows and Mac OS X.

Windows was never designed to be secure until Vista. And even then Microsoft significantly failed. Theoretically Windows 7, which is mainly a paid service pack for Vista, may repair this problem, but it has not been proven at this time.

The future: Watch for the Mac malware coming out of Red China. Few people know that China formally declared a "Technology War" against the USA several years ago. China has been successfully cracking into US federal computers since 1998 when they formed The Red Hacker Alliance. Note that this was the year China was provided "Most Favored Nation Status" by the US government. Despite being caught red-handed cracking government computers all over the planet, the USA still maintains this favored status. Conclusion: We are out of our minds. Enjoy the results.

Wednesday, May 13, 2009

May 12: Massive Mac Update Day

Macintosh updates on the second Tuesday of the month?!
Déjà vu man. Is Apple syncing updates with Microsoft? Is this to make Enterprise IT folks happy? I strongly suspect so.

I prefer the ASAP approach. Waiting around for the second-Tuesday-of-the-month is a dim idea from my POV. Hmph. What happens in the Microsoft world is that hackers get geared up for THE DAY and pounce on all the announced security holes via new malware. This works very well because only a small percentage of people update their Microsoft software on THE DAY. This allows hackers a window of opportunity to get into user machines while the getting is good. Alternatively, the ASAP approach provides no expectation time for hackers. It also gets security patches out in the field immediately rather than waiting around for potentially weeks, during which time each security hole sits out there ripe for the hacking.

Therefore, I hope this second-Tuesday-of-the-month security update is merely coincidence. Sorry Enterprise IT folks! Having THE DAY each month for security patches may be convenient, but it is BAD security protocol. Security wins in this business.

Rules for System Update Preparation:

1) You know what I'm going to say: Make A Backup! Expect updates to go wrong. They often do.

2) Repair your boot system! It is amazing how many system updates go bad simply because the boot system was corrupt. What else would you expect? Boot from your system installation disk and run the repairs inside Disk Utility.

3) Repair your boot system permissions! Despite the myths, bad file permissions are also a prominent reason why system updates go bad. Again, what else would you expect? Note: You also need to repair your permissions AFTER the update. Adobe always leave behind a mess. Even Apple make slip ups! Apple left behind bad permission settings after Leopard Server Update 10.5.6! Expect it to happen. Use Disk Utility.

4) Don't forget to update! Keeping up with system updates is very important! Check this out:
An example of how few computer users actually apply updates: The Microsoft Windows security hole exploited by the Conficker worm was patched way back in October, 2008. And yet, the Conficker worm zombied an estimated 15 MILLION+ Windows boxes after Microsoft provided the patch. Incredible.

The Update List:

Your Mac's System Update app will tell you what updates are necessary for your particular setup. The list of updates from 5/12 is long. All the links below are for each update's general description and download page. Each page has a further link to its detailed information page. If you would like to go directly to the security improvements list for each update, please go HERE.

Safari v3.2.3 for Windows, 19.69 MB

Safari v3.2.3 for Tiger, 26.29 MB

Safari v3.2.3 for Leopard, 40 MB

Safari v4.0 Public Beta Security Update for Tiger, Leopard, Windows XP and Windows Vista

Security Update 2009-002 for Tiger PPC, 75 MB

Security Update 2009-002 for Tiger Intel, 165 MB

Security Update 2009-002 for Tiger Server PPC, 130 MB

Security Update 2009-002 for Tiger and Leopard Server, Universal, 203 MB

Mac OS X Combo Update 10.5.7 Leopard, including 2009-002, 729 MB

Mac OS X Server Combo Update 10.5.7 Leopard, including 2009-002, 951 MB

Mac OS X Update 10.5.7 Leopard, including 2009-002, 442 MB

Mac OS X Server Update 10.5.7 Leopard, including 2009-002, 452 MB

Coming up will be my summary and analysis of the security improvements provided by these updates.

Wednesday, April 29, 2009

Dump Adobe Reader? Yeah, why not.

I never like articles with a title ending in a question mark. You know what you're going to get: no answer to the question. Therefore, they are typically filler. Yawn on that. So here is my question and answer title. Let's get to the point right off the bat: Adobe Reader is a security risk.

The chatter on the net this past week has come to the conclusion that the long line of security holes in Adobe Reader over the past two years is enough already. Dump the thing. It's like my conclusion from decades past that Windows, among its many disappointments, is too much of a security risk to use professionally. That any business or any government uses it greatly concerns me. But it's not Microsoft bashing day. It's Adobe bashing day. If you don't need Adobe Reader, don't use it. Thankfully, Mac OS X users have Apple's Preview application, which has not got the JavaScript vulnerabilities of Adobe Reader. So use Preview instead. It's not totally immune to infected PDF files, but it's much safer than Adobe Reader.

OK, it's not like anyone's Mac got pwned by using Adobe Reader. There is no malware targeting Macs that I know of that weasels its way in via holes in Adobe Reader. So really there is no major alarm going off telling us to kick Adobe Reader off the bus for having cooties. But considering that Mac OS X is the safest professional operating system on the planet (not that I'm dissing Linux mind you), avoiding Adobe Reader at this time is a very good idea.

Personally, I've been a fan of PDF since Adobe Acrobat version 3. It's brilliant and has only become better over time. Thank you Adobe, and especially thank you for making it an open standard. Its integration into the core of Mac OS X is incredible. However, Adobe allowed in some poor code, including support for the catastrophe oddly known as JavaScript. I'll skip my usual lecture on how it got its misnomer and how it was ruined as a standard by Microsoft. Simply know that it is a security holey mess. Apple has gotten burned by JavaScript in QuickTime since 2006. The same JavaScript insecurities are equally plaguing Adobe Reader. Apple got control of their JavaScript problems. Adobe are still playing catch up.

Me, I'll still continue to use Acrobat. I'll still keep Reader around for when I absolutely need it. And there are indeed times when I require Reader. But I'm also going to keep an eye on the latest Reader problems and continue to update it (manually!) when updates are offered.

Monday, April 27, 2009

Multiple Symantec Software Vulnerabilities Found

This isn't so much a useful article as a thumb in the eye of my least favorite anti-Mac security FUD monger, Symantec. Have an *evil laugh* along with me if you like:

Digging around at the F-Secure site tonight I happened upon this article from a few days back:

Symantec Brightmail Gateway Control Center Multiple Vulnerabilities

Some vulnerabilities have been reported in Symantec Brightmail Gateway, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to bypass certain security restrictions.

Detailed Description

1) Certain unspecified input passed to the Control Center is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) An error when processing unspecified console functions can be exploited by a Control Center user to gain administrative privileges.

The vulnerabilities are reported in versions prior to 8.0.1.
The vulnerabilities were discovered by Secunia.

They were NOT discovered by Symantec.

So next time Symantec strike one of their Overlords Of Security poses, just laugh at them.