Wednesday, April 29, 2009

Dump Adobe Reader? Yeah, why not.

--
Intro:
I never like articles with a title ending in a question mark. You know what you're going to get: no answer to the question. Therefore, they are typically filler. Yawn on that. So here is my question and answer title. Let's get to the point right off the bat: Adobe Reader is a security risk.

The chatter on the net this past week has come to the conclusion that the long line of security holes in Adobe Reader over the past two years is enough already. Dump the thing. It's like my conclusion from decades past that Windows, among its many disappointments, is too much of a security risk to use professionally. That any business or any government uses it greatly concerns me. But it's not Microsoft bashing day. It's Adobe bashing day. If you don't need Adobe Reader, don't use it. Thankfully, Mac OS X users have Apple's Preview application, which has not got the JavaScript vulnerabilities of Adobe Reader. So use Preview instead. It's not totally immune to infected PDF files, but it's much safer than Adobe Reader.

OK, it's not like anyone's Mac got pwned by using Adobe Reader. There is no malware targeting Macs that I know of that weasels its way in via holes in Adobe Reader. So really there is no major alarm going off telling us to kick Adobe Reader off the bus for having cooties. But considering that Mac OS X is the safest professional operating system on the planet (not that I'm dissing Linux mind you), avoiding Adobe Reader at this time is a very good idea.

Personally, I've been a fan of PDF since Adobe Acrobat version 3. It's brilliant and has only become better over time. Thank you Adobe, and especially thank you for making it an open standard. Its integration into the core of Mac OS X is incredible. However, Adobe allowed in some poor code, including support for the catastrophe oddly known as JavaScript. I'll skip my usual lecture on how it got its misnomer and how it was ruined as a standard by Microsoft. Simply know that it is a security holey mess. Apple has gotten burned by JavaScript in QuickTime since 2006. The same JavaScript insecurities are equally plaguing Adobe Reader. Apple got control of their JavaScript problems. Adobe are still playing catch up.

Me, I'll still continue to use Acrobat. I'll still keep Reader around for when I absolutely need it. And there are indeed times when I require Reader. But I'm also going to keep an eye on the latest Reader problems and continue to update it (manually!) when updates are offered.
--

Monday, April 27, 2009

Multiple Symantec Software Vulnerabilities Found

--
This isn't so much a useful article as a thumb in the eye of my least favorite anti-Mac security FUD monger, Symantec. Have an *evil laugh* along with me if you like:

Digging around at the F-Secure site tonight I happened up on this article from a few days back:

Symantec Brightmail Gateway Control Center Multiple Vulnerabilities

Summary

Some vulnerabilities have been reported in Symantec Brightmail Gateway, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to bypass certain security restrictions.

Detailed Description

Some vulnerabilities have been reported in Symantec Brightmail Gateway, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to bypass certain security restrictions.

1) Certain unspecified input passed to the Control Center is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) An error when processing unspecified console functions can be exploited by a Control Center user to gain administrative privileges.

The vulnerabilities are reported in versions prior to 8.0.1.
The vulnerabilities were discovered by Secunia.

They were NOT discovered by Symantec.

So next time Symantec strike one of their Overlords Of Security poses, just laugh at them.

;-D
--

Saturday, April 18, 2009

The First Reported Mac BOTNET

--
Let me first share news from SANS Institute, then provide a brief perspective on the situation.

Below is a quote from SANS NewsBites Volume 1, Number 30, released last night. (I added some bolding for emphasis). You can sign up for the SANS newsletters HERE.
--Trojan in Pirated Mac Software Helped Create First Mac Botnet
(April 15, 2009)

Malware embedded in pirated versions of Apple's iWork and Adobe Photoshop CS4 for Mac that were available over a peer-to-peer network in January is responsible for what appears to be the first known Mac botnet. The zombie network attempted to launch a distributed denial-of-service (DDoS) attack against an unidentified website. The malware had spread to several thousand computers before it was identified.

http://www.cbc.ca/technology/story/2009/04/15/ibotnet-trojan.html

http://blogs.zdnet.com/security/?p=3157

[Editor's Note (Honan, Schultz): Looks like the Mac platform is an increasingly fruitful target for cyber criminals. ]
Indeed it has. "Several Thousand Computers." This is incredibly sad, but also inevitable.

While all the FUD mongers have a sadism party at our expense, (and they will), keep in mind that NONE of the current Mac malware is able in penetrate any Mac unless the user (often called the 'luser') deliberately installs a Trojan horse on their computer. This happens specifically because the user has been conned by what is called Social Engineering, or in this case, the luser is using pirating software that has had the Trojan carefully placed in the installer to go along for the ride. What do you call it when a dirty deed is done to someone pulling a dirty deed? How about 'Dishonor Among Thieves'. It is more like poetic justice, parasite chewing on parasite.

Anyway, Mac Botnets have arrived. What is done with them will be of interest. Typically these days they are used for money making schemes. Go read all the news about the Windows Conficker worm scare of April 1st and beyond. Once created via infection, a botnet can pull off just about anything you can do over the Internet except in mass numbers at one time.

OK! You're a luser and maybe you did something that could have gotten you infected. Now what?

What NOT to use:

ClamAV. Worthless for Macs. I've covered this disappointment several times.

MacScan. The botnet Trojans are out of its league. It's clunky unreliable software anyway.

Symantec Norton Whatever. I consistently get reports that Norton Anti-Virus continues to be one of the single most buggy and CPU hogging applications you can buy for Macintosh. Symantec also invented the anti-Mac security FUD campaign back in 2005. Save your money and your patience. Avoid. Run away. Just my opinion.

Freeware:

iAntiVirus from PC Tools. It can detect and remove all current Mac malware. You don't have to pay for the application unless you are a business or are running a large network. The paid version offers technical support. Note that it only runs on Leopard. I use it and find it to be very simple and unobtrusive.

Shareware / Commercial-ware:

Sophos Anti-Virus. It is designed for companies and networks of computers.

Intego VirusBarrier. I find them to be the best-in-class for single users. I'm disappointed at their disorganization as a company. But the program is top notch. Just be prepared to shell out money year after year. Bleh. Nonetheless, I own it, use it and like it.

I used to use Virex X, now called McAfee Virus Scan. But it got clunky. Many people downright hate it. I don't know why. These days it is designed for companies and networks, not single users. I would have shoveled McAfee into the grave along side Symantec for having FUDed the Mac. But oddly, their CEO ended up stating that the single best way to escape computer malware was to "buy a Mac." So they can't be entirely stupid over there.

There is other stuff around, but it makes me yawn. You can get a listing of it all at the download sites by searching for 'virus'.

DEFENSE!

If you are in charge of a home computer shared by others, or you are an IT manager, stop the luser users from installing Trojans by giving them Mac OS X accounts that Do Not Allow Program Installation! If a user wants a program installed, let them ask you to do it for them in YOUR account. Then give them access to the program.

But of course this means that YOU, the boss of the machines, have to be careful too. Always verify that what you install has specifically been tested somewhere. I always use the download sites like VersionTracker or MacUpdate. There are many others. Be sure that either the site itself has tested that version of the program and given it an OK, or that a lot of users have tested it and OKed it. Buy commercial-ware directly from the company, and make certain they are entirely, unquestionably reputable. Adobe.com = reliable. Jake's Super Deluxe Fly-By-Nite Site.com ≠ reliable. You get the idea.

And just to tick off the FUD mongers:

A) There is no such thing as a 'virus' for Mac OS X.
B) There is no such thing as a 'worm' for Mac OS X.
C) There is no such thing as illicit 'spyware' for Mac OS X. All Mac spyware is sold legally for the purpose of surveillance of network machines.
D) There is no such thing as 'security by obscurity' for Mac OS X. If you know how to do math, you can prove this for yourself. Go backwards in my blog if you want to read the gravestone I wrote for this mythological absurdity form of FUD.
E) As a Mac user you must keep computer security in mind. Follow the basic rules:
  1. Make regular backups. This is the #1 Rule Of Computing.
  2. Learn how to use your router's firewall and use it.
  3. Learn how to use Mac OS X's built-in firewall and use it.
  4. Always use password protected accounts. Make very sure your password is strong, obscure, unintuitive and plain old nasty. Be sure you remember it. Don't give anyone else access to it.
I've gone into greater detail about add-on measures in previous posts. The list above covers the essential basics.

And of course, don't ever pirate software. Now it's extra dangerous. If that gets you excited, welcome to the botnet.

:-Derek
--

Wednesday, April 15, 2009

Attack of the Black Hats 2009

--
Intego's Mac Security Blog pointed out that the Black Hat Europe 2009 security conference starts tomorrow, April 16th. Two of my most un-favorite Mac crackers will be presenting a paper entitled "Fun and Games with Mac OS X and iPhone Payloads". The point of their presentation will be introduce "advanced payloads which help to avoid detection, avoid forensics, and avoid countermeasures used by the operating system for both Mac OS X and iPhone."

White Hats are hackers who try to keep the computer world in order. Black Hats are hackers who try to put the computer world into disorder. The entire point of the Black Hat movement is beyond my comprehension. My opinion is that it is all a matter of human personality. Some centered people relish being helpful to others. Some lost people relish hurting other people. Obviously this is a simplistic description, but I find it to be entirely parallel to the humane versus troll warz on the Internet. The point of trolling is sadomasochistic induction of suffering in others. IOW trolls are mentally deranged. I can't help but think of Black Hats in the same black light. They will never gain my respect, and they like it that way.

But then there is my Angst Theory: Creativity is proportional to angst. When angst is introduced into any living system, the typical reaction is creativity if only to maintain survival or to reach a new steady state. Obviously, too much angst = breakdown of the system. But there are those who believe that contained and defined units of angst are good for a system and keeps it in a state of evolution. Stagnation leads to devolution, aka status quo. For me this explains the revolution imperative in all teenage kids. Teens aren't just trying to establish their own authority and territory. They are in their limited way, with their limited perspective, trying to topple the stagnant and irrational status quo in favor of a system they believe to be more contemporary and sane. This is one reason I enjoy championing creative obnoxiousness in kids and why I believe the entire anti-ADD, ADHD movement is, in and of itself, an illness of our culture. Diversity rules in any natural system. Drugging kids to smash them into status quo molds, conforming them to the spirit of the old age, is demented.

Those who know me can attest to the fact that I am not at all like the persona I typically portray on the Internet. Why do I deliberately induce angst in my readers? I am a change agent. That is part of my personal manifesto within my culture. I am very deliberate about it and know I am doing my job when I upset people whom I believe require upsetting. I also have a fearless rational mind. If I believe my purpose is just, I'll induce angst into anyone. I have no sense of class system or authority. Instead I am what I call a positive anarchist. To put it simply: I believe in maximum choice and maximum responsibility for the consequences of one's choices.

Having now blethered at you my personal POV, perhaps you can understand how I analyze Black Hat hackers. Are they inducing angst into the status quo? That could be excellent! Are they taking responsibility for the consequences? To know that you would have to know each individual involved, and I certainly don't. I can only read the stuff they publish and analyze their words from my personal inner world POV.

Here is my quick analysis of the abstract Dr. Charlie Miller and Vincenzo Iozzo provide for their 'Fun and Games...' paper:
Mac OS X continues to spread among users...
Obviously the word 'spread' was carefully chosen to infer Mac OS X is equivalent to a spreading disease. It has no positive connotations in this context. Sadly, there is no indication of what OS Charlie and Vincenzo would prefer. They're out of their minds if it's Windows, that's all I know. I like to assume they are Linux freaks. There is some basis to this assumption: Linux is rarely bashed, as far as I am aware, at Black Hat tribal rituals. The fact that Linus Torvalds is himself a rebel and that Linux is Open Source freeware tends to lend credibility to the tribals. Or the two of them may simply be UNIX freaks, which explains why they bother with Mac OS X, which is UNIX to the core.
... with this increased market share comes more scrutinization of the security of the operating system.
That has been the history, and I like it.
The topics of vulnerability analysis and exploit techniques have been discussed at length. However, most of these findings stop once a shell has been achieved. This paper introduces advanced payloads which help to avoid detection...
IOW, Charlie and Vincenzo are going to be particularly vicious dickheads this time around. No more water-boarding for them. It's time for flaying and evisceration. I always did enjoy reading Clive Barker, so this could get interesting. But I believe the point here is to make the victim, Mac OS X, suffer for its failings. This is IMHO irresponsible and therefore stupid. It is little kids playing with blasting caps. Charlie and Vincenzo might get their hands blown off or lose an eye. Darn. Worse yet, Mac OS X security might be damaged.

Or will it? If Charlie and Vincenzo are skilled, their coding scalpels will reveal security tumors in Mac OS X that require removal and replacement. Apple will of course respond and Mac OS X could end up more secure. From my positive POV, that is the goal. But from a Black Hat's point of view, what is the point? Self-aggrandizement? Some other form of psychopathic mental orgasm? Again, you have to know the people to know their personal problems.

If you'd like some insight into Charlie Miller, have a read of his recent book "The Mac Hacker's Handbook", written with Dino Dai Zoni, ISBN 978-0-470-39536-3. One of these days I'll be posting a review. He publishes articles at the Independent Security Evaluators website. You can also hear him speak in the Black Hat Briefings podcasts via iTunes. I am willing to bet he also plays the persona game, acting the angst inducing change agent while being a nice guy behind the scene. But you figure him out for yourself.
--

Derek's Minor Intego Adventure

--
Intego VirusBarrier remains my favorite Mac anti-malware application. Yeah, like many of it's competitors, it's named incorrectly, (should be 'MalwareBarrier'). And yeah, they don't publish a list of their malware definitions, but I still... WHAT? No malware list?!

So I contacted Intego and had an email chat with a nice fellow at their Support Team. My question: Where is your malware list? Their reply:
We do not provide a list of every virus that VirusBarrier X5 protects against. If you have a question about a particular virus threat, please let us know and we will be more than happy to answer the question for you. You can also find information on our security blog about new threats:

The Mac Security Blog
This is actually a very good blog. However, it does not cover all Mac malware. So I persisted in my conversation with Intego. It turns out that there is a disconnect between their blog and their news releases; Therefore, you have to keep track of both:
Intego Press Releases
I found it is indeed possible to scavenge together a list of Mac OS X malware detected by VirusBarrier. I was also pleased to find the list is complete.

(The possible exception is Trojan.OSX.RSPlug.G, which for all I know is mythological. Only PCTools' iAntiVirus program notes it having been found in the wild. Or, on the other hand, Intego may include the G variant with the F variant. It's hard to tell thanks to the industry's insistent lack of conformity to malware description and naming standards).

So why doesn't Intego provide a simple list of detected malware with descriptions of each malware family and variant, like you know, everyone else does? I call it disorganization, which is a shame since they easily have the most organized and best written anti-malware program for Mac.

Until Intego get better organized, I suggest keeping track of the Mac OS X Threat List provided at the PCTools iAntiVirus site page. It contains a lot of baloney proof-of-concept, inert and ancient Mac OS (not X) malware. Otherwise I find it very useful. Yes, it has the same old problem of not adhering to malware naming standards resulting in the same old comprehension chaos. And yeah, this list has some incomprehensible duplication of malware, like DNSChanger and RSPlug being listed separately when in fact they are the same thing. *rolling eyes* But so far, it's the most complete, literate and up-to-date list I have found:
iAntiVirus Threat List
[I continue to ask: Why do I have to write this blog? Why isn't there a nice, up-to-date, simple, complete, sane, standards compliant site dedicated to Mac OS X malware? Until one appears, I'll continue trying to fill the void.]
--