Friday, September 9, 2011

Apple Security Update 2011-005:
DigiNotar Certificates Revocation

--
This Apple Security Update is for Mac OS X 10.6 Snow Leopard and 10.7 Lion. I believe at this point we can forget about further 10.5 Leopard updates. But emergencies do happen.

Here is where you can read all about it:



What's it all about? It's about the CRISIS of fraudulent SSL security certificates issued by DigiNotar in the Netherlands, as well as by other certificate authorities.

This will NOT be the last of the security certificate revocations. Expect another from Apple in short order. The full extent of this CRISIS is still unknown and has most certainly not been stopped or contained. This may end up being the biggest Internet security crisis of the year.

Read more about it in my detailed article to follow.
--

Tuesday, August 30, 2011

ZeoBIT MacKeeper Crapware
Marketing Moron Attack

--
Yesterday I got hit with my first ZeoBIT MacKeeper bomber page while searching on Google. I call it a 'bomber' page because it uses JavaScript (the sworn enemy of web security) to force a popup page into your web browser, despite your popup settings. When the nasty page appeared and blared its rhetoric at me, I thought I must have found a new version of MAC Defender. But no, this is a legal Mac software suite being foisted at you via offensive marketing moron methods.


The nasty ZeoBIT MacKeeper popup page attempted to tell me that the Google result page I had open was considered potentially dangerous. Right. Therefore, I used Google again to find out what this crapware really was. I was pleased to discover that my net colleague Thomas Reed had created an excellent write-up about this crapware last week. Thomas and I work together in a Mac malware discussion group on the net. Enjoy:





I also found an article about MacKeeper provided by Daniel Feeney:


To quote one comment from Daniel's initial review of MacKeeper:

Mostly what they do is take existing features of your operating system and put it in one place, and make you pay for the privilege. Add in their aggressive marketing, the fact it uses Wine (classic half-assed windows developers trying to cash in on gullible Mac users), and the reports of horrible system performance after installing this crap, and well, do you really want to deal with it?
Needless to say:
I suggest that NO ONE install MacKeeper or believe a word ZeoBIT spews at you via their marketing moron attack methods.


[Marketing Moron: Any human who uses abusive or disrespectful methods of selling or promoting a product or service. Antonym: Marketing Maven. Use in a sentence: 'The decay of modern business practices is morbidly illustrated by the unprecedented increase of marketing morons, self-destructive brigands who treat customers with contempt.']
--

Monday, August 22, 2011

China Shows Their Cyber Warfare Cards,
Oops

--
The hilarity.

Red China has been hacking into USA computers, as part of what has been a declared cyber war, since 1998, the year they were provided 'Most Favored Nation' status. In 2007 the US feds finally couldn't hide this fact any longer after they found their Windows computers exposed to the Internet had been invaded with bots that were feeding every available bit of data back to Red China.

So I am laughing away at this bizarro news report via Neowin.net:






Well DUH! (0_o)

The source article at ThePochTimes.com is here:




There is no big revelation here except for people with their heads buried in the sand. Also, I'm not so sure China made a booboo here. I think they just don't care. China knows perfectly well that thoughtful people of the USA know that China has been hacking us since 1998. China knows that we uncovered their internal memo, circa 2007, formally declaring cyber war against the USA. We know the Chinese government financially backed the Red Hacker Alliance. Officially China says 'no', but who cares? They lie. We know they lie. They know we know they lie... (>_<)

'Here world, check out our cyber war hackware. Enjoy yourselves. HaHaHa.'

The ACTUAL issue here is what the H E L L the US feds are going to do about it?!

AND:
What are YOU going to do about it?
Buy more cheap crap from China?
Feed the Chinese military machine?
Help herald in the next Chinese empire?

I'm not, if I can help it.

And good luck to me with that endeavor! The USA is firmly latched onto the teat of cheap labor from China. The US Vice President was just over there making all nice to the commy dictators in order to persuade them to keep propping up the US debt despite recent Tea Party boobery.

What is an informed public to do when our US Corporate Oligarchy prevent the rule of the sane?
--

Tuesday, August 9, 2011

Adobe CRITICAL Security Updates for August!

Adobe released another slew of 'Critical' security updates today. Here's the lineup:

- Adobe Shockwave Player - Update to v11.6.1.629. (Be careful which version you install, either 32-bit or 64-bit, to match the bit mode being used by your web browsers. If one version fails, uninstall it and try the other). Numerous memory corruption (buffer overflow) vulnerabilities.

- Adobe Flash Media Server - Update to v4.0.3 or v3.5.7. Memory corruption (buffer overflow) vulnerability.

- Adobe AIR - Update to version v2.7.1. (Apparently required as part of the Adobe Flash Player update).

- Adobe Flash Player - Update to v10.3.186.5. Numerous memory corruption (buffer overflow) vulnerabilities and a cross-site information disclosure vulnerability.

- Adobe Photoshop CS5 - Update via CS5/CS5.1 Standard Multiplugin Update. Malicious GIF file vulnerability.

- Adobe RoboHelp / RoboHelp Server - RoboHelp v9.0.1.262 users are NOT vulnerable. Earlier RoboHelp 9 users update via APSB11-23_1.zip. RoboHelp 8 users update via APSB11-23_2.zip. Cross-site scripting attack vulnerability.

You can access links to all the security announcements and update files here:

Adobe Product Security Incident Response Team (PSIRT) Blog

--

Friday, August 5, 2011

New: Trojan.OSX.BASH/QHost.WB.A,
Posing as FlashPlayer.pkg Installer (heehee!)

--
F-Secure has posted news about a new Trojan horse for Mac OS X. It is currently being called "BASH/QHost.WB". Using the standard malware naming system, the official name should be Trojan.OSX.BASH/QHost.WB.A. So far I am unaware of why it is being given a 3-part name. Most likely there will be the usual proliferation of other names across the anti-malware community before a final name is established.

F-Secure's report is well documented and worth reading here:

Trojan: BASH/QHost.WB

Why I'm laughing, heehee: Of all the software to fake for Mac OS X, it is HILARIOUS that these malware rats chose the Adobe FlashPlayer installer. Is there any more hated software for Mac OS X than Adobe Flash?! Oops. I don't see this Trojan becoming very proliferated. But there are always victims, so it is worth documenting what this thing does.

So far there is no documentation as to where the Trojan is found. As usual, double-check the source of ALL your software. NEVER install anything you've been sent or randomly picked up off the net without verifying it as legitimate. Obviously, the safest place to pick up the Adobe FlashPlayer software is directly from Adobe. Also keep in mind that Adobe FlashPlayer has historically been found to be profoundly insecure. Be absolutely certain you are installing the most recent version of FlashPlayer and check Adobe at least once a month for security updates.

When installing the fake FlashPlayer.pkg file, it looks like Apple's standard installer, fooling you that it is legitimate.

After installation, Trojan.OSX.BASH/QHost.WB.A takes over your 'hosts' file and damages it to dump your web browsers to a phishing site located in the Netherlands. The malware can easily damage the hosts file for further fake forwarding in the future. (Say that 10 times!). The Mac OS X hosts file is located here:

/private/etc/hosts

You can read about the purpose of the hosts file here:

Hosts (file) @ Wikipedia

The current version hijacks a series of Google web addresses. If you read F-Secure's notes you'll see that there are detectable differences between the real Google pages and the fake phishing pages.
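As an added example (my own code, not from this post or from F-Secure's report), here is a small Python check that parses a hosts file the way this Trojan abuses it and reports any watched domain that has been pinned to a non-local address. A clean Mac OS X hosts file only maps names to loopback, link-local or broadcast addresses, so anything else is worth a look. The sample hosts text, the hijack lines and the 192.0.2.10 address (an RFC 5737 documentation address) are constructed for the demonstration, and the watched-domain list is an assumption you would adjust for your own environment.

```python
import ipaddress
import sys

# Constructed sample of a hosts file after the kind of tampering described above.
# The four local entries are what a stock Mac OS X hosts file contains; the last two
# lines are an invented hijack using the RFC 5737 documentation address 192.0.2.10.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
fe80::1%lo0     localhost
192.0.2.10  google.com www.google.com   # constructed hijack entry
192.0.2.10  www.google.co.uk
"""

# Domains we care about; an assumed list, extend it for your own environment.
WATCHED_DOMAINS = ("google.com", "google.co.uk")


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # malformed line: address without a name
        address, names = fields[0], fields[1:]
        for name in names:                      # one line may carry several aliases
            entries.append((address, name.lower()))
    return entries


def is_local_address(address):
    """True for the loopback/link-local/unspecified/broadcast addresses a clean hosts file uses."""
    bare = address.split("%", 1)[0]             # drop an IPv6 zone id such as %lo0
    try:
        ip = ipaddress.ip_address(bare)
    except ValueError:
        return False                            # not an IP literal at all: treat as suspicious
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified or bare == "255.255.255.255"


def find_nonlocal_entries(text):
    """Every mapping that points a name somewhere other than the local machine."""
    return [(name, addr) for addr, name in parse_hosts(text) if not is_local_address(addr)]


def find_hijacked_hosts(text, watched_domains=WATCHED_DOMAINS):
    """Watched domains (or their subdomains) pinned to a non-local address."""
    def watched(name):
        return any(name == d or name.endswith("." + d) for d in watched_domains)
    return [(name, addr) for name, addr in find_nonlocal_entries(text) if watched(name)]


if __name__ == "__main__":
    # With no argument, scan the constructed sample; otherwise read the given hosts file
    # (on Mac OS X that is /private/etc/hosts).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    hits = find_hijacked_hosts(text)
    for name, addr in hits:
        print(f"HIJACKED: {name} -> {addr}")
    print("clean" if not hits else f"{len(hits)} suspicious mapping(s)")
```

Run it as `python3 hostscheck.py /private/etc/hosts` to scan the real file. The `0.0.0.0` and loopback cases are treated as local on purpose, so an ad-blocking hosts file that sinkholes names to `0.0.0.0` is not reported; only names sent to a real remote address are.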

Using the phishing site results in bogus search results. Clicking on the result URLs only returns you back to the phishing site. Meanwhile, however, the bogus site nails your browser with a series of pop-up pages which it grabs from a nefarious remote server.

At this time, the pop-up remote server is not providing any information to the phishing site. Possibly, this is a prototype malware being used either for demonstration purposes or to prove a hacking method to the hacking community. No doubt we will know more about the situation in the near future.

Most likely, Apple will be integrating a signature for Trojan.OSX.BASH/QHost.WB.A into their XProtect anti-malware system in Mac OS X 10.6 and 10.7. At the moment of my posting this article, Apple has not yet updated their XProtect.plist file.

Share and Enjoy!

:-Derek

Infamous SPAMRAT 'Spamford' Indicted,
Facing A Possible 16 Years In Jail :-D


I'm a veteran SPAMRAT hunter / destroyer. I've killed off so many SPAMRATS, I'm convinced I'm on their 'Do Not Spam' list for fear that I'll hunt them down and eliminate them. I very rarely receive SPAM in my email these days. Instead, I get verification and thank you notes from ISPs when they shut down SPAMRATS I've reported.


Therefore, it is with great glee that I read over the past couple days that the single most infamous SPAMMER of all time is facing a possible 16 years in jail for his nefarious damage to the Internet. Who's the SPAMRAT? It's Sanford 'Spamford' Wallace. He represents the ultimate Marketing Moron, an idiot who literally hates his customers and bombs them with marketing manure at every opportunity with no conscience, no respect for the consequences. I'd go so far as to label him and his ilk psychopathic, but don't consider me any expert on psychology.

Spamford's trial is scheduled to start August 22nd. Below are a few articles about the story so far.

Spam King Sanford Wallace Indicted for Facebook Spam

Infamous spam king could get prison time for Facebook spamming, phishing

Sanford Wallace @ Wikipedia

If you'd like to become a SPAMRAT hunter as well, here's a great place to start. I've been a paying contributor since 1998:

SpamCop.net

Every chunk of SPAM you turn in to SpamCop.net is verified and reported to the affected ISPs, and the offender is listed on a SPAM blacklist provided free to the public. I've heard SPAMRATS rant in public about how much they hate SpamCop.net. Relish that thought. Contribute to the cause.

;-Derek

Wednesday, August 3, 2011

McAfee Figures Out That Red China
Has Been Hacking The USA
For Five Years



Red China has been hacking the USA government since 1998, the year China was given 'Most Favored Nation' status. 1998 was the year the roots of China's government hacking gathered together and formed 'The Red Hacker Alliance'. It used to be that the Red Chinese government denied paying The Red Hacker Alliance for its services. These days TRHA has simply been integrated directly into the Chinese government. They no longer operate as an independent entity.


The USA government was forced to admit China's activity in 2007 after the public was informed that government Windows OS computers connected to the Internet had been infected with bot malware that was feeding ALL available USA government documents directly to China. An internal Chinese memo was also uncovered around that time which declared a cyber war against the USA.


And now we get to read that McAfee figured out, here in 2011, that Red China has been hacking the USA for the last five years. Incredible DUH Factor:


Travel back to some of my earliest posts in this blog for more about the history of Red China's declared Cyber War against the USA. Here's a relevant article from 2006, five years ago:


Here's a link to a post I made over at Soft32.com's Mac forum on May 31, 2007:


As I quoted from the SANS Institute's NewsBites newsletter, Volume 9, Number 43:
--DoD Report: China Bolstering Cyber Warfare Capabilities (May 28 & 29, 2007)
China "has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks," according to a recent report from the US Defense Department (DoD). In previous years, the Pentagon's annual report to Congress on China's military power has indicated that China was focusing on defensive measures, so the shift to offensive tactics merits attention.
So where have you been for five years McAfee? And why does the tech press think McAfee's late revelation is news?

Here are a further few China cyber war articles from way back when:

May 30, 2007

Cyber Warfare: Beyond Estonia-Russia, Rise of China's 5th Dimension Cyber Army for the 21st Century


September 14, 2007


October 9, 2009


CONCLUSION: Think about Red China screwing over the USA as well as the rest of the world the next time you buy cheap stuff 'Made In China'. Wonder why the USA still provides Red China with 'Most Favored Nation' status considering the fact that China has declared war against us. Think about the motives of the traitorous Corporate Oligarchy that really rules the USA government.
--

Friday, July 8, 2011

Current Mac Malware, 2011-07:
Introduction

In order to help Mac users understand the current state of malware on the platform, I am providing a review of each current form. This will not be an exhaustive review, but should help relieve much misunderstanding and concern about the ongoing, many years old, anti-Apple security FUD Fest.

I will be going through the malware in reverse chronological order, featuring the most current concerns first and the oldies but gnarlies last.

The first thing to know is that technically, ALL currently active Mac malware are Trojan horses. That means that they are entirely inert until such time as a user (or 'LUSER', in cynical terminology) inadvertently installs them.

I am NOT including any hacker tools or 'legal' spyware in my detailed articles. These require a third party to be able to physically access your computer and directly install them for their nefarious purposes. You won't personally be in any danger of installing them unless a hacker or IT administrator directs you to do so. They require hackers or administrators to access your computer in order for them to do any harm. I may address these forms of software at another time. I am more concerned about what YOU might mistakenly install.

THE LIST:

1) Trojan.OSX.MACDefender.A - O [15 strains]

2) Trojan.OSX.BlackHoleRAT.A - C [3 strains]

3) Trojan.OSX.Boonana.A

4) Trojan.OSX.OpinionSpy.A - B [2 strains]

5) Trojan.OSX.iServices.A - C [3 strains]

6) Trojan.OSX.PokerStealer.A

7) Trojan.OSX.RSPlug.A - Q [17 strains]

The total number of Mac malware species is 7.
The total number of Mac malware strains is 42.


The 'Malware' Hacker Tools I Am Leaving Out:

'Trojan'.OSX.Lamzev.A

'Trojan'.OSX.Hellraiser.A - D [4 strains]

There are a number of inert malware as well as 'Proof of Concept' malware of no concern which I have also left out of my list. You may find them on other lists but you won't find them infecting anyone with up-to-date computers, apart from test computers in a lab. (A famous example of 'Proof of Concept' malware is Trojan.OSX.Oomp.A, aka Trojan.OSX.Leap.A. It is of no consequence or importance).

If you'd like a list of current 'legal' spyware, I suggest the list kindly provided at the MacScan/SecureMac site.

Note that, due to the lack of adherence to standards within the anti-malware community, there are a lot of name variations for the exact same malware. In the case of the MAC Defender Trojan I discovered 15 different names. I am not including them here in my list as these alternative names are irrelevant and needlessly confusing. What I have listed here are the 'official' names from my point of view as well as those whom I consider to be professional experts and original malware discoverers in the field. However, I will be listing a number of the alternative names in my subsequent articles that provide details about each of the current malware species.

As ever, I request corrections to my information. If I have missed a malware species or strain, please let me know asap. Much appreciated!

Friday, July 1, 2011

World Laughs At China's Blundered Trickery


There are few things as cathartic as a good laugh in the face of deceitful intent.

Just in time to counter 'China Chip-gate', officials of the totalitarian 'communist' nation are caught using blundered Photoshop trickery for a publicity photo. The press is all abuzz about the magical picture where three Huili county officials are miraculously floating inches above the road they are inspecting.

Such is the level of attention to facts and honesty in the current Chinese culture. (0_o)

Joyfully, the ongoing response around the world has been to copy and paste the Huili officials into various other scenarios. Do a search on the terms 'Huili officials' and you'll get a boatload.  Check back often for new configurations. ;-)

Google: Huili officials

Here is an article about the hilarity that includes an incredible number of creative examples:

Floating Chinese Government Officials Inspect New Road

For your own photo trickery pleasure, I have provided rough .PNG images of the three Huili officials, with invisible backgrounds. Just drag them out of the article into your favorite scenario! It's fun. Post your images to the internet and be sure to put 'Huili officials' in the title.

Share and Enjoy,

;-Derek

Wednesday, June 29, 2011

China Laughs At US Federal Security

Way back in 2007, when I started this blog, I had a run-in with the members of China's 'Red Hacker Alliance'. I reposted their history and reiterated the hacker crimes they'd been pulling against the USA since 1998, the year China was given 'Most Favored Nation' status. 2007 was the year the US feds finally admitted the reality of the situation, after the Chinese government memo declaring 'Technology War' on the USA became public knowledge, and after the US feds discovered that every one of their computers connected to the Internet had been botted by Chinese malware, sending every piece of accessible data to China.
•••
Now here we are 4 (FOUR) years later and THIS happens:

If left undiscovered the result could have rendered useless U.S. missiles and killed the signal from aircraft that tells everyone whether it's friend or foe.
Who can blame China for laughing?
•••
How about the Obama administration offers me the CIO cabinet position? I couldn't possibly do any worse.
--

Friday, June 10, 2011

More Critical Adobe Security Updates
blahblahblah

--
If you haven't gotten the hang of it yet, despite Adobe's scheduled quarterly updates to their software, they've been pushing out security updates at the rate of about once a month. March was no exception. April was no exception. May was no exception. I didn't bother to announce them all here because it has become all so predictable that I figure everyone knows to watch for them coming.

And now it's June. Here comes the quarterly update, like we care that it's quarterly. Why Adobe bothers with this BS is beyond my comprehension. I personally think they're nuts over there.

So here we go, the quarterly update announcement is HERE. The quarterly update comes out Tuesday, June 14th. As per usual, it is a CRITICAL security update. It will be for both Adobe Reader and Adobe Acrobat.

If you'd like to keep track of when future 'out of band' (non-quarterly, once a month) security updates from Adobe are released, the two best web locations are:

Adobe Security Bulletins and Advisories

Adobe Product Security Incident Response Team (PSIRT) Blog

Predictable as these 'out-of-band' critical security updates have become over the last full year, keep in mind that if you use Adobe's stuff, it is important to keep up-to-date with their security patches if you want to keep your Mac as safe as possible.

Over and out.
--

Saturday, June 4, 2011

The CARO Malware Naming Scheme

--


In 2009, amidst my trying to sort out why malware naming is chaotic within the anti-malware community, I came across an elegant malware naming system from CARO (The Computer AntiVirus Researcher's Organization) that is considered the standard. It has no competing proposed system apart from the 'whatever' mess practiced by the various anti-malware researchers/companies.


Recently I have been volunteering time with a group of other Mac security geeks as we try to keep track of what is going on with the Trojan.OSX.MAC Defender scamware series and provide malware signatures to the ClamAV Open Source project. One of our members was musing about applying the biological taxonomy system to malware naming. I wrote back that malware naming doesn't successfully fit within that system. Instead I described the CARO Scheme while tossing in a few of my usual rants about chaos in the anti-malware community. For those interested, here is my description of the CARO Scheme:


~~~~~~~~~~



There is a standard malware naming system called the 'CARO Malware Naming Scheme'. Despite its existence and age, it is generally ignored in favor of chaos. As the description article itself states:
No matter how good a naming standard, it is mostly worthless if nobody is using it. And, as experience has demonstrated, some anti–virus producers would follow their own malware naming scheme in royal disregard of any proposed standards.
You can read about the CARO scheme here:


To quote:
The general format of a Full CARO Malware Name is
[(type)://][(platform)/](family)[.(group)][.(length)].(variant)[(modifiers)][!(comment)]
where the items in square brackets are optional. According to this format, only the family name and the variant name of a piece of malware are mandatory and, as we shall see later, even the variant name can be omitted when reporting it. The Full Name is white space–delimited. That is, it cannot contain white space (i.e., space, tab, carriage return, line feed), and there is a white space before and after it.


Here is the general CARO approach:

1) The name starts with the type of malware. For Macs, all the malware are Trojan horses. Therefore, they all begin with 'Trojan' followed by a period. 

Due to the mixed types of malware being created these days, this can get messy. Some malware these days are Trojans that infect the target with a bot, which itself is a worm by way of spewing SPAM or DDOS attacks. This is the case with the iServices Trojan. But I believe the best approach here is to name the malware type as that which is initially presented to the target computer. Therefore, Trojan works in all the current Mac cases.

However, I still argue that hacker tools are NOT Trojans. They're just hacker tools. They are only infected onto computers by way of 'LUSER' behavior whereby a hacker inadvertently has physical access to the target computer.

2) The malware type is followed by the target OS name. In our case it is 'OSX'. Previous to Mac OS X, the term 'MacOS' was used. But since Mac OS X is certified UNIX, the term 'Mac' is being dropped and only 'OSX' remains. The OS name is followed by another period.

3) The third part of the name is supposed to be left to whomever first discovers the malware in the wild and chooses a name for it.

For example, Andrew Welch (of Ambrosia Software) was the first person to fully describe and name the proof-of-concept Trojan which he named "Oompa-Loompa" or simply "Oomp". Using his variation on the Caro scheme, the resulting name was:

Trojan/OSX/Oomp-A

But Symantec has more clout than Andrew and after his work pushed out the name 'leap' instead, resulting in their name of it:

Trojan.OSX.Leap.A

4) The fourth part of the name specifies the variant, starting with A through Z, proceeding to AA through ZZ, etc. Therefore, at this point we have (I think):

Trojan.OSX.MAC Defender.A
Trojan.OSX.MAC Defender.B
Trojan.OSX.MAC Defender.C
Trojan.OSX.MAC Defender.D

Unfortunately, it is left up to interpretation as to what constitutes a new variant. As I noted over the weekend, I've seen MAC Defender.E listed, for reasons I cannot explain. With the two new proven variants, apparently that naming source would be up to MAC Defender.G at least, at this point.

I like Shawn's idea about digging into the actual Trojan app's Contents directory to check out the guts of each potentially new 'variant'. The web page GUI variations are clearly of little importance compared to the actual Trojan app variations.

5) If there are further details about a specific malware, they are typically put in parentheses after the variant identifying letter. For the MAC Defender variants this would include all the names for the installer files and the various names the Trojan application gives itself. Therefore, we could have:

Trojan.OSX.MAC Defender.B (aka Apple Security Center, aka Apple Web Security...)

~~~~~~

I have never seen the CARO scheme used exactly in the original proposed format. But the general approach of focusing from abstract to specific has remained in most of the offshoots of the scheme. Typically, the separators between the naming items are simply periods, as in:

Trojan.OSX.MAC Defender.A

Intego stick to this specific pattern.

Microsoft use a colon instead of the first period, resulting in:

Trojan:OSX.MAC Defender.A

See:

Some companies choose to use forward slashes and dashes in their malware naming, resulting for example in:

Trojan/OSX/MAC Defender-A

Overall, because this is what I call 'The Wild West Era' of the anti-malware community, malware naming chaos reigns. There are commonly three publicly published names from various anti-malware researchers/companies for exactly the same malware. In the case of MAC Defender I've counted over 15 names at VirusTotal for what may only be MAC Defender.A.
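To make the scheme description and the separator zoo above concrete, here is an added Python parser (my own example code, not CARO's reference implementation and not part of this post) for the Full CARO Malware Name format quoted earlier, together with the A through Z, AA through ZZ variant counting from step 4 and a mapper for the dotted, colon and slash/dash vendor spellings listed just above. It assumes the vendor forms follow the type, platform, family, variant order described in the steps, and it enforces the no-white-space rule from the quoted text, so a family written as 'MAC Defender' is rejected by the strict parser and only passes through the lenient vendor mapper.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class CaroName:
    """One malware name broken into the components of the CARO Full Name format."""
    family: str
    variant: str
    type: Optional[str] = None        # e.g. Trojan, Virus, Worm
    platform: Optional[str] = None    # e.g. OSX, W32
    group: Optional[str] = None
    length: Optional[int] = None      # the numeric (length) component
    modifiers: str = ""               # anything glued to the variant letters, e.g. @mm
    comment: Optional[str] = None     # text after '!'


_VARIANT_RE = re.compile(r"([A-Z]+)(.*)\Z")


def variant_index(variant):
    """'A' -> 1, 'Z' -> 26, 'AA' -> 27: the counting order of CARO variant letters."""
    n = 0
    for ch in variant:
        if not "A" <= ch <= "Z":
            raise ValueError(f"bad variant letter {ch!r}")
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def variant_label(n):
    """Inverse of variant_index: 17 -> 'Q', 27 -> 'AA' (bijective base 26)."""
    if n < 1:
        raise ValueError("variant numbers start at 1")
    label = ""
    while n:
        n, rem = divmod(n - 1, 26)
        label = chr(ord("A") + rem) + label
    return label


def parse_caro_name(name):
    """Parse [(type)://][(platform)/](family)[.(group)][.(length)].(variant)[(modifiers)][!(comment)]."""
    if not name or re.search(r"\s", name):
        raise ValueError("a Full CARO Name must not contain white space")
    rest, _, comment = name.partition("!")
    type_, sep, tail = rest.partition("://")
    if not sep:
        type_, tail = None, rest                    # no type prefix
    platform, sep, tail = tail.partition("/")
    if not sep:
        platform, tail = None, platform             # no platform prefix
    parts = tail.split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("family and variant are mandatory")
    match = _VARIANT_RE.match(parts[-1])
    if not match:
        raise ValueError(f"variant must be upper-case letters: {parts[-1]!r}")
    group = length = None
    for middle in parts[1:-1]:                      # optional group then length, in that order
        if middle.isdigit() and length is None:
            length = int(middle)
        elif group is None and length is None:
            group = middle
        else:
            raise ValueError(f"unexpected component {middle!r}")
    return CaroName(family=parts[0], variant=match.group(1), type=type_, platform=platform,
                    group=group, length=length, modifiers=match.group(2),
                    comment=comment or None)


def is_valid_full_name(name):
    """True when the string parses as a strict Full CARO Name."""
    try:
        parse_caro_name(name)
        return True
    except ValueError:
        return False


def parse_vendor_name(name):
    """Map the offshoot spellings listed above (Trojan.OSX.Family.A, Trojan:OSX.Family.A,
    Trojan/OSX/Family-A) onto CaroName.  Assumes type, platform, family, variant order and
    a family name free of '.', ':', '/' and '-' (spaces are tolerated, unlike the strict format)."""
    if "://" in name:
        return parse_caro_name(name)
    parts = re.split(r"[.:/-]", name.strip())
    if len(parts) != 4:
        raise ValueError(f"expected type/platform/family/variant, got {parts}")
    type_, platform, family, variant = parts
    match = _VARIANT_RE.fullmatch(variant)
    if not match or not family:
        raise ValueError(f"bad family or variant in {name!r}")
    return CaroName(family=family, variant=match.group(1), type=type_, platform=platform,
                    modifiers=match.group(2))
```

With this in hand, `variant_index("Q")` gives the 17 strains counted for RSPlug.A through Q in the July list, and feeding a vendor string such as `Trojan:OSX.MAC Defender.A` through `parse_vendor_name` lands on the same `CaroName` as `Trojan/OSX/MAC Defender-A`, which is the whole point: the separators differ, the information does not.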


I hope my lecture was helpful. ;-)


:-Derek
--

Thursday, June 2, 2011

XProtect from Apple,
New MAC Defender variant:
Excellent Summary from Sophos!

--
Early this AM Sophos published an EXCELLENT article about Apple's XProtect software. XProtect is part of Mac OS X 10.6 Snow Leopard (not 10.5 Leopard, sorry). It was updated as part of Apple Security Update 2011-003 this past week. It now automatically checks every 24 hours for new malware signatures from Apple. It's terrific! Except the malware rats immediately responded with a new workaround version of the MAC Defender (the correct spelling) Trojan horse series. And that sucks.

Read all about it!

Apple to malware authors: Tag, you're It!

. . . Apple's XProtect is not a full anti-virus product with on-access scanning. XProtect only scans files that are marked by browsers and other tools as having been downloaded from the internet.
If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program. Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic update definitions. . .
Keep in mind folks that this is a series of Trojan horses. Our computer's worst security flaw isn't Mac OS X! It's you and me. WE install Trojan horses, not our computer. Trojan horses are the bane of EVERY computer. Every Windows box, every Mac, every Linux box, etc., is vulnerable to Trojan horses.

Therefore, the 'Security Through Obscurity' ignorant FUD trolls can take a nap. Trojan horses do not apply. (And why is that? Read the paragraph above over and over until it sinks into your empty troll heads).

What IS new is that social engineering malware rats have hit the Mac in a persistent wave. If Mac LUSERS weren't falling for their fake anti-malware, they wouldn't bother. It's time for we the Mac users to grow up and pay attention to EVERYTHING we click and EVERYTHING we install.

There are psychopaths (aka malware rats, Neo-Con-Jobs, TardPartiers, The Red Hacker Alliance, etc.) out there in the world. They want EVERYTHING they can lay their self-destructive claws and fangs on. Nothing is sacred. We are the target, as well as themselves. That munching sound is them eating your computer, while their own insecurities eat them.

Thursday, May 19, 2011

The Rules Of Computing:
Keeping Your Mac Secure

--
When I was a computer newbie, what I heard repeatedly was "The Number One Rule Of Computing is Make A Backup!" I've been working on an extended list beyond one item in order to help newer newbies consider further aspects of their computer experience that can help save them in a crisis. I don't consider my list definitive or even finished. But I like the list enough to publish it as a starting guide. So here I go:


The Rules Of Computing


1) Make a backup. Have two backup strategies. One strategy regularly backs up your crucial data to local external media away from your computer. The other strategy backs up this same data to an off-site location, such as in 'the cloud' or onto external media you take to a separate location each day. The idea is to have an off-site backup in case your computer site burns to the ground. Backups are also your first and best defense against malware damage and hardware failures. If you don't back up your data, you get what you deserve.


2) Verify all software before installing it. Verify your software source is reliable and that the software itself is reliable. Look up the software title on the Internet using a search engine to discover if it has been reported as problematic. Download software from reliable sources such as VersionTracker, MacUpdate, Major Geeks, etc. Don’t ever blindly install emailed software. It could be malware.


3) Verify that websites you visit are legitimate. This third rule is difficult to implement on your own. Use tools provided inside web browsers, as well as add-on browser extensions, that help you check websites you visit against a blacklist of known bad websites. One of the most popular ways of spreading malware at this time is via 'drive-by' infections via JavaScript and Java. Don't ever blindly click on web links in email. They could be sending you to a malware infection or identity phishing website.


4) Keep your computer up-to-date with the most recent security updates. Apple provide security updates on a regular basis. Security Preferences, built into Mac OS X, should let you know when an update is available. You can also open Security Preferences yourself and have it check for you.


5) Use a 'Standard' account when surfing the Internet or using your Mac on any network. Do NOT use an 'Administrator' account in these situations. This is not a cure all to prevent your Mac from becoming hacked or malware infected. But it adds a terrific layer of security to help prevent malicious root access to your computer.


6) Password protect your user account. Make sure your account password is not a dictionary word or you'll be hacked in no time flat. Use something long and obscure that you can remember but that you expect no one could guess. To this day I run into people who tell me 'But I'm the only one who uses my computer!'. Cure your ignorance please. There is NO excuse for not protecting your computer with a password. If you don't protect your user account, you get what you deserve.

Yes, I'm that mean and cruel when it comes to computer security. There are wonderful security strategies and tools that Apple provide, such as Time Machine, Disk Utility, Standard user accounts and password protection. If you don't put them to use, I have no sympathy! If you have questions about how to make them work for you, write to me, talk to Mac users you know, contact users on the Internet or at your local Mac user group. These tools are not difficult. They are important and they are FREE.




A Few Further Strategies:


I'm only going to list these strategies as they are more complicated and involved to install and get running. What's important is that they are available, they are also FREE, and they may well save you from giving away data to the bad guys.


A) FileVault. You will find it inside the Security System Preferences. It lets you transparently encrypt your entire user account folder so no one can ever get to your data without knowing the decryption password. This is rock solid encryption you can rely upon. Apple will be providing an option for encrypting your ENTIRE computer hard drive in Mac OS X 10.7 Lion. I personally consider whole drive encryption to be overkill. But it is considered to be critical in Enterprise business situations. Note that there are some minor dysfunctions that result from encrypting your user account. But if you have critical data, it is an excellent security tool.


B) Firmware Password. Apple provide their Firmware Password Utility on all Mac OS X installation DVDs. It adds another layer of security to keep the bad guys out of your computer. Sadly, it is not foolproof. A tech savvy bad guy can work around it. Encryption is a much more effective tool. Also note that you lose some minor computer functionality when you use a firmware password.


C) GnuPG, aka GNU Privacy Guard. I have been using GPG for many years at this point. I'm a fairly infamous critic of the bugs that have shown up in the related tools from time to time. Also note that GnuPG has a steep learning curve and can be a bit frustrating. However, it is a FREE and brilliant tool with many users. You can encrypt and password protect anything you like. The Apple Mail tool lets you digitally sign all your email in order to verify exactly who you are to those who receive your email. You can encrypt your email such that no one can read it in transit over the Internet. It lets you create any number of encryption keys as well as collect public keys from your friends and acquaintances. And more! If you want to be serious about encryption, GPG is excellent. These days it also has a terrific group of developers dedicated to keeping it bug free and up-to-date.


D) Disk Utility. Among the many features of the Mac OS X Disk Utility application is the ability to create encrypted, password protected .sparseimage files. I absolutely love this feature and use a sparseimage I created all day, every day. I have my sparseimage open every time I log into my user account. I provide the decryption password and it sits on my desktop like a disk volume. Anything I put into it is encrypted and unavailable to anyone but me as soon as I close the disk image. Because it's a sparseimage, it can grow to as large a size as you choose as you add more into it. Recently the DropBox application and server have become notorious because nothing-at-all is encrypted when you use it. That can be very bad. However, I work around this problem by putting only my sparseimage file into my drop box. No one has any access to anything I have in my DropBox ever, thanks to this great tool.
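The same create / open / close workflow can be driven from the Terminal with hdiutil instead of the Disk Utility GUI. This is an added example, not code from the blog; it assumes macOS with hdiutil on the PATH, a constructed image path under ~/Dropbox, and a volume name of "Vault". The point worth noticing is that the passphrase is passed on stdin (-stdinpass), never as a command-line argument where it would show up in `ps` or shell history.

```python
"""Encrypted sparse image workflow via hdiutil (added example, not the blog's code).
Assumes macOS; the argv builders are pure, so they can be inspected anywhere."""
import subprocess
from pathlib import Path


def create_argv(image: Path, volname: str, max_size: str = "20g") -> list:
    """Argv for a new AES-256 encrypted sparse image that grows up to max_size.
    The passphrase is NOT placed in argv: -stdinpass reads it from stdin."""
    return ["hdiutil", "create", "-type", "SPARSE", "-fs", "HFS+",
            "-encryption", "AES-256", "-stdinpass",
            "-volname", volname, "-size", max_size, str(image)]


def attach_argv(image: Path) -> list:
    """Argv to mount an encrypted image, again taking the passphrase on stdin."""
    return ["hdiutil", "attach", "-stdinpass", str(image)]


def detach_argv(volname: str) -> list:
    """Argv to eject the volume; contents are unreadable again once detached."""
    return ["hdiutil", "detach", f"/Volumes/{volname}"]


def run_with_passphrase(argv: list, passphrase: str) -> int:
    """Run an hdiutil command, feeding a null-terminated passphrase on stdin only."""
    proc = subprocess.run(argv, input=passphrase.encode() + b"\0", check=False)
    return proc.returncode


def passphrase_leaks(argv: list, passphrase: str) -> bool:
    """True if the passphrase would be visible in the process argument list."""
    return any(passphrase in arg for arg in argv)


if __name__ == "__main__":
    import getpass
    img = Path.home() / "Dropbox" / "vault.sparseimage"  # constructed path
    pw = getpass.getpass("Passphrase: ")
    if not img.exists():
        run_with_passphrase(create_argv(img, "Vault"), pw)
    run_with_passphrase(attach_argv(img), pw)      # mounts at /Volumes/Vault
    input("Press Enter to lock the vault...")
    subprocess.run(detach_argv("Vault"), check=False)
```

Only the .sparseimage file ever reaches the Dropbox folder, so what Dropbox stores and syncs is ciphertext.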


E) Anti-Malware applications. I own, use and love Intego's VirusBarrier X6 ($50). There aren't any better anti-malware applications, period. But I have to pay for malware signatures every year. If you are a professional user, VirusBarrier is well worth the cost. 


If you're a casual computer user, paying for anti-malware is a bit less critical. I've worked fairly closely with Mark Allan and friends who develop and support the FREE program ClamXav. There was a time when I had quite the run-in with the ClamAV Open Source project because most volunteers there cared not-a-whit about Mac OS X. But gradually Mark and I managed to turn a few heads and encourage them to get up-to-date with current Mac malware. At this point in time I can tell you that just about all current Mac malware is being detected by ClamAV. Therefore, I highly recommend downloading, installing and running ClamXav from time to time if you are concerned about malware. The GUI Mark provides is excellent. 


Also, if you own Snow Leopard Cache Cleaner ($15) you will find that it includes its own implementation of ClamAV, also highly recommended. I no longer recommend free iAntiVirus as it is now out-of-date and less effective than the ClamAV alternatives.


There are plenty more security tools and strategies, both free and for a fee. But the above is a good start with reasonable coverage.


For the extra security conscious, as ever I highly recommend the TWiT.tv podcast 'Security Now' with the most excellent Steve Gibson. It gets highly technical but is wonderfully presented and very contemporary. You can look up the podcast in iTunes or visit its dedicated webpage at:


http://GRC.com/SecurityNow


:-Derek
--

US NSA (National Security Agency):
'Hardening Tips for Mac OS X 10.6 Snow Leopard'



I believe I mentioned this publication last year. I was reminded of it by a tweet from Dr. Charlie Miller today:
NSA's hardening tips for OS X 10.6 < looks like a good way to make things randomly stop working.
Oh dear. But the brochure has helped me today to finish up my current 6 Rules Of Computing list, which I will post as my next article.


Overall, the NSA's 'tips' are fine and useful. But they go a bit mental over trivial points. Some examples:


A) Their section entitled: "Au Revoir, Bonjour!" is TechTardy from my POV. They suggest using a Terminal command to turn Bonjour off. Ignore it. Bonjour is an innovation I personally love. It has nothing (so far) to do with compromising a Mac's security.


B) Their section entitled "Disable Bluetooth and AirPort Devices" is whacked. I'm all for killing off Bluetooth technology, which I despise as decrepit, low bandwidth, buggy and insecure. But to have the NSA say you need a "certified technician" to remove your Bluetooth hardware is absurd. Equally, their suggestions about disabling AirPort are strange and likely to lead to unnecessary confusion.


C) Their redundant "Disable IPv6 and AirPort when Not Needed" section continues in the same strange and confusing vein. There is no reason to disable IPv6 at all. In fact, a year from now we are all going to find IPv6 to be essential when surfing the web.


Etcetera. 


The weak points in the brochure continue to dismay my trust in US government comprehension of contemporary technology. I've railed against NSA technology ignorance before and at this rate I expect I'll be railing on them for years to come.
--

FUD! FUD! FUD! FUD!
Anti-Apple Security FUD
for the last SEVEN and a half years!
Hee hee hee!

So what does computer security FUD actually signify? Insecurity on the part of those who perpetrate it.


If you haven't read it already, here is a wonderfully insulting article about the ongoing anti-Apple security FUD Fest. It is from John Gruber of DaringFireball.net:




Hey, I learned something new! It was NOT Symantec who kicked off the FUD Fest in March 2005! It was Eric Hellweg, October 2004, in an article entitled "Hackers Target Apple? Congratulations!"


Let's stroll down nostalgia lane and read some of what Mr. Hellweg perpetrated:
The Apple community has, since its inception, been largely immune to nefarious hackers bent on spreading harm. If you are a Windows user, as I am, you know the routine. You complain about the latest spyware or virus attack, and Apple devotees respond with good-natured teasing; they don't have to worry about such nonsense. Well, now they do.
Predictably, posts on various Apple-related message boards have been offering varying levels of concern, ranging from mild disappointment to utter gloom. I think this reaction is fundamentally misguided. MAC users should not be upset about this malware news; they should rejoice.
What is really going on here? It's called Defective Rationalization, Deceptive 'Truth', or more popularly, the act of being an Apologist. From WordNet:
apologist
     n : a person who argues to defend or justify some policy or institution; "an apologist for capital punishment" [syn: vindicator, justifier]
What is being 'justified' or 'vindicated' by all the anti-Apple security FUD, hate, cynicism and doom mongering? 


Windows


Here is what I consider to be the definitive publication on the subject:


The World's safest Operating System
London, UK - 19 February 2004, 17:30 GMT - A study by the mi2g Intelligence Unit reveals that the world's safest and most secure online server Operating System (OS) is proving to be the Open Source family of BSD (Berkeley Software Distribution) and the Mac OS X based on Darwin. The study also reveals that Linux has become the most breached online server OS in the government and non-government spheres for the first time, while the number of successful hacker attacks against Microsoft Windows based servers have fallen consistently for the last ten months.
That was in 2004. Since that time, to be fair, Microsoft got more serious about security with Windows Vista. They refined their security features in Windows 7. These two operating systems have been significantly more secure thanks to features like ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). These are security features that Apple has yet to perfect in Mac OS X. And yet, even Windows 7 has enough security holes to keep the Windows operating system on the bottom of the OS security list.




(One example: The Canonical Display Driver security bug in 64-bit Windows 7, May 2010).


Let's perform a brief Compare and Contrast exercise:


New Mac OS X malware this past week, as reported by Sophos:


• OSX/FakeAV-DPU: 4 variations of a scamware anti-malware Trojan horse (MAC Defender, MacSecurity, MacProtector...).


New Windows malware on May 10th, as reported by Sophos:


• Troj/Hiloti-BZ
• Troj/FakeAV-DPV
• Troj/Avent-RNY
• Troj/DwnLdr-JAZ
• Troj/SpyEye-AJ
• Troj/Agent-RNZ
• Troj/FakeAV-DPT
• Troj/JavaDI-CF
• TrojDwnLDR-JAY


New Windows malware May 11th, as reported by Sophos:


• Troj/Mdrop-DKE
• Troj/Sasfis-O
• Troj/Zbot-AOY
• Troj/Zbot-AOW
• W32/Womble-E
• Troj/VB-FGD
• Troj/FakeAV-DFF
• Troj/SWFLdr-W
• W32/RorpiaMem-A
• Troj/Agent-RNT
• Troj/DwnLdr-JAE
• Troj/FakeAV-DPS


Get the idea? That's about 70 new malware per week for Windows compared to 1 new malware per week for Mac OS X, and that's a heavy week for Mac malware. That's a rough ratio of 70 : 1. Keep in mind that the current ratio of Windows market share to Mac market share is about 87% : 10% or about 8.7 : 1. Note how the malware ratio is not tracking the market share ratio.
What if we compare the total number of currently active Windows malware to the current number of active Mac OS X malware? 


Finding any published number appears to be impossible. I have what I consider a definitive number of currently active Mac OS X malware because I collect data on all of them as they appear in the wild. That number is 30, as of today anyway. That generously includes four variations of the scamware anti-malware app originally called MAC Defender.


To come up with a number for Windows malware, I had to do a bit of work. First I went to Symantec's Threat Explorer and collected the numbers they provided from A-Z. I then subtracted the number of Mac OS X malware in their list. That total of Windows malware detected by Symantec, as of today, is 39,335. Why this number is so small compared to other estimates is up to Symantec. I don't mind!


39,335 : 30 = 1311.17 : 1


That's about 1311 x more malware for Windows than for Mac OS X.


Using our market share ratio of 8.7 : 1, let's create a proportion equation of malware on a per user basis. This means, if the number of users of both operating systems was equal, how many more malware are there for Windows than for Mac OS X?


1311 / 1 = (8.7 / 1) * X


X = 150.69 per user


That means, on a per user basis, there are about 150 times more malware for Windows.


150x ! ! !

And this does not equate to poorer Windows security because why?


Oh and so much for the 'Security Through Obscurity' baloney. What's obscure is the number of Mac malware as well as the intelligence of STO proponents.


FACT: There is no such thing as a perfect operating system. Mac OS X has security holes discovered and patched on a regular basis.

FACT: Since I noticed the start of the anti-Apple security FUD Fest in 2005, Apple have exponentially increased their attention to security. I like that. Thank you FUDsters and hackers!!!

FACT: I've never encountered a Mac OS X malware infection. I run an up-to-date copy of Intego Virus Barrier X6 to verify this fact. I have also run VirusBarrier X6 against a collection of malware provided to me by friends. It works.

FACT: Nearly all Mac OS X malware requires social engineering / LUSER behavior in order to be installed on a Mac. There are no viruses or worms for Mac OS X. There is no malware that exploits any Mac OS X security hole.


FACT: The vast majority of hacks and cracks into Mac OS X have been either through 3rd party software, such as Flash, PDFs and JavaScript, or through Apple's Achilles Heel of insecurity: QuickTime.


If you're a Windows apologist and would like to dispute my numbers or information, please post a comment. (Troll posts will be tossed).




Meanwhile, here is a reiteration of my often stated complaint against Apple's worst security flaw:
HEY APPLE! 

Why didn't you finish the 64-bit rewrite of QuickTime X LAST YEAR?!?!?!

Where the  H E L L  is it?!

Seriously! What is your problem Apple?! You're going to stick us with 32-bit QuickTime 7 again in Mac OS X 10.7 Lion? In a fully 64-bit operating system? Disgraceful.