Thursday, March 17, 2011

BBC:
"US cyber war defences 'very thin',
Pentagon Warns"

--
A quick post to note an article that finally points out the big DUH: that the US government has terrible cyber-security. It is well known, certainly if you've been following my posts, that the US government has been repeatedly PWNed by Red China since 1998. The US feds only admit, however, to being PWNed since 2007, when they discovered that their Internet-attached computers had been infected with bots that were feeding every piece of their data over to Red China. It was also uncovered around that time that Red China had been circulating an internal memo declaring 'cyber war' on the USA. This is our #1 trading partner, benefiting from 'Most Favored Nation' status. The mind boggles.

It's a good and short read, important if only because the Pentagon has finally come clean about their incredible LACK of readiness in the ongoing cyber-security warz.

US cyber war defences 'very thin', Pentagon Warns

And yes, despite FUD to the contrary, the US feds would be remarkably better off if only they would dump Windows and, chant along with me:

GET A MAC

Red China says: "Thank you USA for using Windows!" (0_o)

Mac OS X is far from perfect. But Windows is far from adequate. Mac OS X remains the single safest GUI operating system on the planet. Only OpenBSD and FreeBSD have better security reputations. Sorry Linux.
--

Tuesday, March 15, 2011

Mac Security Status Report,
Part II

--
Internet Privacy Tools

One of the quietly astounding developments on the Mac platform is the arrival of terrific tools for establishing real privacy on the Internet. 2010 was rife with stories about how our privacy and even our identity was being stripped away by everyone from the Corporate Oligarchy to the legitimate US federal government. You'd think we were still living under the thrall of The Bush League Era, the assault on privacy has been so persistent and thorough. But serious tools for reestablishing US Constitution guaranteed privacy rights are here and they work. I would go so far as to say that 2010 established an Internet revolution of user privacy. I could not be more pleased.

Here are a few of the wonderful privacy tools and events from 2010. Keep in mind that much of this has been in the works for years and that there are more privacy tools on the way:

1) The Onion/Tor/Vidalia Project: The "Onion Router" project began back in 2002 as a method for concealing Internet users' identities and network activity, preventing surveillance and traffic analysis. Amazingly, the project was originally supported by the US Naval Research Laboratory. In 2004 the Electronic Frontier Foundation (EFF) began supporting the project, providing important guidance and solidification of the project's manifesto. In 2006 the Tor Project was established as a non-profit organization gathering and providing all financial support.

There are a number of FREE pieces of software that make use of the Tor network. The core program is the Tor daemon itself, which Mac users usually get bundled with Vidalia, the graphical controller that starts, stops and monitors it; Vidalia is what most people mean when they say they 'run Tor'. If you use Firefox, you will also need to install the Torbutton add-on, which points Firefox at Tor's SOCKS proxy and, crucially, sets network.proxy.socks_remote_dns so that DNS lookups go through Tor as well. Without that setting your ISP's DNS server still sees the name of every site you visit, Tor or no Tor. The next useful tool is a web page called "Check" (check.torproject.org). It will verify for you whether your browser's traffic is actually leaving through the Tor network. Of side interest are a few other tools such as the Tor Browser Bundle (currently in beta for Mac OS X) and the Firefox add-on FoxyProxy.

Learning how to use Tor is difficult. Try to find someone who understands it to help you out. It is very much 'geek' level technology with meagre documentation and lots of obscure tricks required to use it to the fullest. With patience you'll find that Tor is astounding, effective and important for maintaining real Net Neutrality and user privacy.

In the near future I will be providing a long promised Mac specific article about how to use Tor for overcoming media marketing blackouts on the Internet. Keep an eye on my MacSmarticles blog. If you wish very hard, you may find me providing a series of articles about how to use Tor, translating geek-speak into intermediate Mac user lingo.
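One of those 'obscure tricks' is worth seeing in bytes. Below is an added example, not code from the Tor Project or from this blog's earlier posts, showing the SOCKS5 exchange a browser has with the local Tor daemon. The point is the ATYP 0x03 request: the hostname is handed to Tor unresolved, so the DNS lookup happens inside the circuit rather than at your ISP. The port 9050 is Tor's default SocksPort; some Vidalia bundles use 9150, so treat that as an assumption to verify against your torrc.

```python
"""SOCKS5 CONNECT to Tor with the hostname left unresolved (added example)."""
import socket
import struct

# Tor's default SocksPort. Assumption: Vidalia / Tor Browser bundles may
# listen on 9150 instead; check your torrc or Vidalia's settings panel.
TOR_SOCKS = ("127.0.0.1", 9050)


def socks5_greeting() -> bytes:
    """Version 5, one authentication method offered: 0x00 (no auth)."""
    return b"\x05\x01\x00"


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT request using ATYP 0x03 (domain name).

    The hostname itself is handed to Tor, which resolves it at the exit
    relay. Resolving locally and sending ATYP 0x01 (an IPv4 literal) would
    leak every site you visit to your ISP's DNS server, defeating Tor.
    """
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length must fit in one byte")
    return (b"\x05\x01\x00\x03"            # VER, CMD=CONNECT, RSV, ATYP=domain
            + bytes([len(name)]) + name    # length-prefixed name
            + struct.pack(">H", port))     # DST.PORT, network byte order


def parse_socks5_reply(reply: bytes) -> int:
    """Return the REP code from a SOCKS5 reply; 0 means the circuit is up."""
    if len(reply) < 2 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]


REP_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
            3: "network unreachable", 4: "host unreachable",
            5: "connection refused", 6: "TTL expired",
            7: "command not supported", 8: "address type not supported"}


def open_via_tor(host: str, port: int, timeout: float = 30.0) -> socket.socket:
    """Return a TCP socket to host:port tunnelled through the local Tor daemon."""
    s = socket.create_connection(TOR_SOCKS, timeout)
    s.sendall(socks5_greeting())
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise OSError("Tor's SOCKS port did not accept the no-auth method")
    s.sendall(socks5_connect_request(host, port))
    rep = parse_socks5_reply(s.recv(10))
    if rep != 0:
        s.close()
        raise OSError("SOCKS5 CONNECT failed: " + REP_TEXT.get(rep, str(rep)))
    return s


if __name__ == "__main__":
    # Needs a running Tor daemon. Wrap the returned socket in TLS before
    # talking to a real HTTPS site; this only proves the circuit came up.
    sock = open_via_tor("check.torproject.org", 443)
    print("circuit to check.torproject.org established via", TOR_SOCKS)
    sock.close()
```

If Tor answers the greeting with anything but 05 00, the SOCKS port is not where you think it is or is configured for password auth; if CONNECT comes back with REP 4 or 5 the name resolved inside Tor but the exit could not reach it.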

2) Ghostery: This is a FREE tracking cookie and web-bug blocking system. The tracker list is frequently updated and is very thorough from my experience. It runs on-the-fly, killing off inter-website tracking systems. As you move from page to page it provides you with a small window listing all the detected and blocked tracking sources. As you use Ghostery you will be seriously astounded at the amount of tracking/surveillance being perpetrated against you. Maybe you don't care. Maybe you're in marketing and you believe anti-tracking tools are evil. Personally, I love Ghostery and won't leave my home page without it.

Here is what the Ghostery developers have to say about it:
Be a web detective.

Ghostery is your window into the invisible web – tags, web bugs, pixels and beacons that are included on web pages in order to get an idea of your online behavior.

Ghostery tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity...
There are THREE versions of Ghostery that work on Mac. One is the Firefox add-on. Another is the Safari extension. The last version is for Google Chrome. You can access all versions of Ghostery HERE.

3) Safari Cookies: This is an indispensable FREE add-on for Safari. It works great with Ghostery and provides further functionality. It has three main functions:
  • It allows you to create a website Cookie white list while killing off everything else.
  • It allows you to create a Flash Cookie white list while killing off everything else.
  • It allows you to create a website Database white list while killing off everything else. These are the HTML5 local storage and Web SQL databases a site can create inside your browser. (I bet you didn't even know that websites could dump database information into your web browser! Very nasty).
Important: Do NOT use versions 1.6.4 - 1.6.7 of Safari Cookies. I've been in contact with the developer about their bugs and he most kindly has overcome them all with version 1.6.8 onwards. Now that it is working again, I cannot recommend Safari Cookies enough. Many thanks to SweetP Productions!
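To make the white list idea concrete, here is an added example (my own illustration, not code from Safari Cookies or SweetP Productions) of the decision a cookie white list has to make for every Set-Cookie header. The subtle part is the domain match: 'evil-example.com' must not be treated as a subdomain of 'example.com', and a server must not be allowed to plant cookies for some other domain. The hostnames and headers are constructed for the demo.

```python
"""Cookie white list filter in the spirit of Safari Cookies (added example)."""
from typing import Dict, Iterable, List, Tuple


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 'domain-match': host equals domain or is a subdomain of it.

    A plain suffix test gets this wrong: 'evil-example.com' must NOT match
    'example.com', so the boundary has to be a dot.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def filter_set_cookies(request_host: str, headers: Iterable[str],
                       whitelist: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (kept, dropped) Set-Cookie headers for a response from request_host.

    A cookie is kept only when the domain it would be stored under
    domain-matches a white-listed site. Everything else, including every
    third-party tracker, is thrown away before it ever reaches the jar.
    """
    kept: List[str] = []
    dropped: List[str] = []
    allowed = [w.strip(".").lower() for w in whitelist]
    for header in headers:
        _name, _value, attrs = parse_set_cookie(header)
        # Domain attribute if present, else a host-only cookie for request_host.
        cookie_domain = attrs.get("domain", request_host).strip(".").lower()
        # A server may only set cookies for itself or a parent domain
        # (RFC 6265 section 5.3); browsers reject anything else, so do we.
        if not domain_matches(request_host, cookie_domain):
            dropped.append(header)
            continue
        if any(domain_matches(cookie_domain, w) for w in allowed):
            kept.append(header)
        else:
            dropped.append(header)
    return kept, dropped


# Constructed sample: one first-party page at www.example.com whose response
# also tries to plant a cookie for a tracker, plus the tracker's own response.
WHITELIST = ["example.com"]
FIRST_PARTY = ["sid=7f3a9c; Domain=.example.com; Path=/; Secure; HttpOnly",
               "pref=dark",
               "uid=42; Domain=ads.tracker.example"]
THIRD_PARTY_HOST = "ads.tracker.example"
THIRD_PARTY = ["uid=42; Path=/; Expires=Fri, 01 Jan 2021 00:00:00 GMT"]


def demo() -> Tuple[List[str], List[str]]:
    """Run both responses through the filter and return (kept, dropped)."""
    kept1, dropped1 = filter_set_cookies("www.example.com", FIRST_PARTY, WHITELIST)
    kept2, dropped2 = filter_set_cookies(THIRD_PARTY_HOST, THIRD_PARTY, WHITELIST)
    return kept1 + kept2, dropped1 + dropped2


if __name__ == "__main__":
    kept, dropped = demo()
    print("kept:", kept)
    print("dropped:", dropped)
```

Note that the white list is strict on purpose: an entry for 'example.com' covers 'www.example.com' and 'shop.example.com', but an entry for 'shop.example.com' does not let the parent domain set cookies. That is the behaviour you want when the goal is to keep everything out except what you explicitly asked for.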

4) ECMAScript/JavaScript Prevention Tools: JavaScript is both a boon and a plague on the Internet. JavaScript allows such nifty things as Ajax coding on web pages. And yet, frequent readers of this blog know that I would very much enjoy JavaScript being erased from history and replaced with a scripting language that is actually and reliably SECURE. IOW: JavaScript is a gateway for malware and OS pwning. The blame for this catastrophic mess lies with three sources:
  1. Netscape, who invented Mocha, later renamed LiveScript, which was the original name of 'JavaScript' before marketing-morons were allowed to license the utterly confusing and wrong 'Java' name and inflict it on the title. (I despise marketing-morons. Have you noticed that? I worked with them every day for five long, stressful, infuriating years at Eastman Kodak, gawd help me. But I rant...).
  2. Microsoft, who inflicted their own typical insecure crapcode into JavaScript in the form of a monstrosity they call 'JScript'. Until recently, if you had attempted to resolve a web page that was designed using Microsoft's worst-in-class web design program 'FrontPage', you found the result to be a disaster. JScript was the main culprit. These days most web browsers cope with JScript-flavored pages. But it remains a prime cause of hit-and-run website malware infections. Microsoft trolls will find this statement infuriating, but I exaggerate not. Just be glad that Mac users don't also have to contend with ActiveX, yet another insecure Microsoft browser technology (not a scripting language as such, but a way for a web page to run native code on your machine, which is worse). (The Mozilla Project once tolerated Active-X support, but a couple of years back banned it from all of their browsers for the benefit of their users and future generations of Internet users, amen).
  3. Adobe, who own what was once Macromedia, who perpetrated an insecure scripting language called ActionScript. It is mainly used in Flash and in SWF files embedded in web pages, and is one reason why Flash hacking is well known as a prime method for pwning Mac OS X. It is also one of the many reasons why Apple wisely banned Flash from their iDevices. It is also a prime source of malware for the Google Android OS.
Preventing this toxic brew of dangerous scripting languages from ruining your Internet browsing experience has become increasingly crucial. That is why I champion browser add-ons that let you choose when or whether to load JavaScript. Here are a few of the JavaScript prevention tools for Mac web browsers:

NoScript: This celebrated FREE Firefox add-on from InformAction is brilliant. It is frequently updated to keep up with the latest in scripting crapcode. And it not only protects you from evil JavaScript! It also blocks evil Java, Flash and other insecure web plug-in code that may be out to infect or pwn you, until you explicitly allow it per site. This add-on is one of the prime reasons to dump all your other web browsers and go 100% Firefox. I kid you not. Much as I like Safari, when I want first class web security, I use Firefox with both NoScript and Ghostery running. Get it. Use it. Enjoy!

JavaScript Blacklist: This is a rather meagre FREE Open Source add-on JavaScript killer for Safari. It allows you to block JavaScript from any web domain. Sadly, it is little more than proof-of-concept with a teeny-weeny 2.5 inch text box for inputting  your blocked website list. The best way to use it is to create your list in a text editor then copy and paste it into the teeny-weeny box. Whenever you want to add to your list, edit your text file then copy and paste again. There is no point in bothering to do any editing within JavaScript Blacklist itself. If you can deal with its shortcomings, this is a nice add-on for Safari fans like myself.

If you're ambitious, there are places to find lists of websites known to be infected with dangerous JavaScript. Ideally you could hack together a list from NoScript. But you'll find the task arduous. Don't bother.

5) Open Wi-Fi Router Defense Tools:

HTTPS Everywhere

This Firefox extension/add-on from the EFF is the practical counter to the hackware Firesheep extension/add-on. Firesheep sits on an open Wi-Fi network, sniffs the plaintext HTTP traffic of everyone else on it, and lifts the session cookies of well-known websites straight off the wire, letting its user log in as the victim with one click. You can read about Firesheep here:

Firesheep

The general lesson of this hacker war is that websites must stop using mere http connections for logged-in sessions and move over to https, SSL/TLS encrypted connections, for the whole session and not just the login page. HTTPS Everywhere rewrites your requests to https for the sites (including those Firesheep targets) that are known to offer it, so the session cookie never crosses the open Wi-Fi in the clear. It can only help where the site actually supports SSL; it cannot encrypt a site that offers only http.
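Here is an added example of what Firesheep actually does with a packet capture, written by me for this post and not taken from the Firesheep or HTTPS Everywhere code. The site names, cookie names and captured requests are all constructed. The same code shows why the https rewrite works: once the request is inside TLS the sniffer has nothing to parse, and a quick audit of the Set-Cookie header tells you whether the site's cookie would ever have been sent over plain http in the first place.

```python
"""Firesheep-style session harvesting from plaintext HTTP (added example)."""
from typing import Dict, List, Tuple

# Which cookie names carry the login session on which sites. Constructed
# hostnames; Firesheep ships a handler like this for each real site it knows.
SESSION_COOKIES: Dict[str, Tuple[str, ...]] = {
    "www.socialsite.example": ("sessionid",),
    "mail.webmail.example": ("SID", "HSID"),
}


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, path, headers) from a raw HTTP/1.x request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    jar: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            jar[name] = val
    return jar


def harvest_sessions(captures: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Firesheep's core trick: on open Wi-Fi every http:// request from every
    other user is readable, so scan them for known session cookies.

    Each capture is (scheme, payload). An https capture is TLS ciphertext,
    so there is nothing to read; it is skipped.
    """
    stolen: List[Tuple[str, str, str]] = []
    for scheme, payload in captures:
        if scheme != "http":
            continue
        _method, _path, headers = parse_http_request(payload)
        host = headers.get("host", "").lower()
        jar = parse_cookie_header(headers.get("cookie", ""))
        for name in SESSION_COOKIES.get(host, ()):
            if name in jar:
                stolen.append((host, name, jar[name]))
    return stolen


def audit_set_cookie(header: str) -> List[str]:
    """Flags that decide whether a session cookie can cross the wire in the clear."""
    flags = {p.strip().partition("=")[0].lower() for p in header.split(";")[1:]}
    problems: List[str] = []
    if "secure" not in flags:
        problems.append("missing Secure: browser will also send it over http://")
    if "httponly" not in flags:
        problems.append("missing HttpOnly: readable by any injected script")
    return problems


# Constructed packet captures from an open Wi-Fi network.
CAPTURES: List[Tuple[str, str]] = [
    ("http", "GET /home HTTP/1.1\r\nHost: www.socialsite.example\r\n"
             "Cookie: lang=en; sessionid=9d1c2e7b\r\n\r\n"),
    # The same site after HTTPS Everywhere rewrote the request: the cookie
    # is inside the TLS record, so the sniffer sees only ciphertext.
    ("https", "\x17\x03\x01\x00\x2a...ciphertext..."),
    ("http", "GET /logo.png HTTP/1.1\r\nHost: cdn.static.example\r\n\r\n"),
]

if __name__ == "__main__":
    for host, name, value in harvest_sessions(CAPTURES):
        print("hijackable session:", host, name, value)
    print(audit_set_cookie("sessionid=9d1c2e7b; Path=/"))
```

The audit is the part a site owner should care about: a session cookie without the Secure flag will be sent by the browser on the next plain http request to that host (an embedded image is enough), and no client-side add-on can fully fix that for a site that never offers https.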

6) Evercookie Defense Tools:

The 'Evercookie' is a concept developed this past year that threatens even the most obsessive of personal privacy web surfers. You can read about it here:

Evercookie

The basic concept is that there are multiple places a website can stash data on our computer as we surf the Internet. What we call browser 'cookies' are only one form: Evercookie also uses Flash Local Shared Objects (Flash cookies), HTML5 local storage and Web SQL databases, the browser cache (via ETags and cached PNG images), window.name, and Silverlight isolated storage, among others. Using the Evercookie concept, a personal privacy parasite needs only one of these several copies to track us across the Internet. And any one of them can be used to respawn all the others. Therefore, with the Evercookie system, real personal privacy requires deleting every single one of these tracking stores from your web browser, and from the plug-ins beside it, at the same time.

The best tool to combat the Evercookie so far, that I am aware of, is the BetterPrivacy extension/add-on for Firefox, which finds and deletes the Flash Local Shared Objects that the Evercookie leans on most heavily, since no browser's 'clear cookies' button touches them. You can read about it and download it here:

BetterPrivacy
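Since the whole point of the Evercookie is that clearing one store is useless, here is an added example (my own script, not part of BetterPrivacy or any of the tools above) that enumerates every known store on a Mac and wipes them in one pass. The paths are my assumptions for Flash Player, Firefox 3.x and Safari 5 on Mac OS X 10.6 at the time of writing; check them with ls -la on your own system before trusting the wipe, and quit every browser first, because an open browser rewrites these files on exit. The sample home folder it builds for the dry run is constructed.

```python
"""Enumerate and wipe every Evercookie storage vector at once (added example)."""
import glob
import os
import shutil
import tempfile
from typing import List, Tuple

# Where the respawn copies live, relative to the user's home folder.
# ASSUMED paths for Flash Player / Firefox 3.x / Safari 5 on Mac OS X 10.6;
# verify each one on your own system before running a real wipe.
VECTORS: List[Tuple[str, str]] = [
    ("Flash LSO ('Flash cookies')", "Library/Preferences/Macromedia/Flash Player/#SharedObjects/*"),
    ("Flash settings store", "Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/*"),
    ("Firefox HTTP cookies", "Library/Application Support/Firefox/Profiles/*/cookies.sqlite"),
    ("Firefox DOM storage (localStorage)", "Library/Application Support/Firefox/Profiles/*/webappsstore.sqlite"),
    ("Firefox cache (ETag / PNG cache tricks)", "Library/Caches/Firefox/Profiles/*/Cache"),
    ("Safari HTTP cookies", "Library/Cookies/Cookies.plist"),
    ("Safari localStorage", "Library/Safari/LocalStorage/*"),
    ("Safari Web SQL databases", "Library/Safari/Databases/*"),
    ("Safari cache", "Library/Caches/com.apple.Safari/Cache.db"),
]


def find_vectors(home: str) -> List[Tuple[str, str]]:
    """Return (description, path) for every vector that currently holds data."""
    found: List[Tuple[str, str]] = []
    for label, pattern in VECTORS:
        for path in sorted(glob.glob(os.path.join(home, pattern))):
            found.append((label, path))
    return found


def wipe_vectors(home: str, dry_run: bool = True) -> List[str]:
    """Delete every vector found under home and return the paths touched.

    Deleting only some of them is pointless: Evercookie respawns the rest
    from any survivor. With dry_run=True nothing is deleted, only listed.
    """
    removed: List[str] = []
    for _label, path in find_vectors(home):
        if not dry_run:
            if os.path.isdir(path) and not os.path.islink(path):
                shutil.rmtree(path)
            else:
                os.remove(path)
        removed.append(path)
    return removed


def build_sample_home() -> str:
    """Construct a throwaway home folder seeded with two vectors for a dry run."""
    home = tempfile.mkdtemp(prefix="evercookie-demo-")
    lso = os.path.join(home, "Library/Preferences/Macromedia/Flash Player/#SharedObjects/ABCD1234/evil.example")
    os.makedirs(lso)
    open(os.path.join(lso, "evercookie.sol"), "wb").close()
    profile = os.path.join(home, "Library/Application Support/Firefox/Profiles/x1y2z3.default")
    os.makedirs(profile)
    open(os.path.join(profile, "cookies.sqlite"), "wb").close()
    return home


if __name__ == "__main__":
    # Dry run against the real home folder: prints what would go, deletes nothing.
    for label, path in find_vectors(os.path.expanduser("~")):
        print(f"{label}: {path}")
```

Run it once as a dry run to see how many copies of your 'deleted' cookies are really sitting around; then, with every browser closed, call wipe_vectors with dry_run=False. Anything the list misses (a new plug-in, a different browser) is exactly the hole an Evercookie will crawl back through, which is why the list has to be maintained.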

~~~~~~~~~~~~~

There are further Internet privacy tools a plenty! But this shortlist covers the best of them and will get you going. I know! These tools don't fully solve the 'Evercookie' dilemma. But I don't know anything that does, not yet anyway. Hopefully an Evercookie killing tool is in store for us in 2011.

Coming up in Part III will be my version of a comprehensive list of currently active malware for Mac OS X, including all their various names. All of them are either Trojan horses or hacker tools. I am also looking forward to putting together an article on Mac OS X 10.7 Lion security, which so far sounds like a decent improvement. Stay tuned!
--

CRITICAL Zero-Day Security Exploit
In-The-Wild:
Adobe Flash
& Adobe Acrobat
& Adobe Reader

--
Q: So Adobe! How's that quarterly 'in-band' update schedule working for you?
A: Um...

After a nice break from The Summer Of Security Holes, we are back on track with CRITICAL Adobe zero-day exploits. This one hits ALL versions of Adobe Flash Player up to and including v10.2.152.33 on ALL OS platforms, except of course Apple's iOS, which does not allow Flash content. Now perhaps skeptics can understand why. It also hits Adobe Reader and Adobe Acrobat v10.0.1 on down through v9.x on Mac and Windows, because both bundle their own copy of the Flash engine (authplay.dll on Windows, AuthPlayLib.bundle on Mac) for playing Flash embedded in PDFs. That is why blocking Flash in your web browser alone does not cover you.

Here is the security advisory from Adobe.
This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. 
Here is an article by Electronista.
Given the popularity of the Flash platform, it would seem that this could be a somewhat difficult situation to manage.
Here is the advisory from Adobe's PSIRT (Adobe Product Security Incident Response Team) blog.
We are in the process of finalizing a fix for the issue and expect to make available an update . . . during the week of March 21, 2011.
And here are even more details from yet-another Adobe security blog, this time called ASSET (Adobe Secure Software Engineering Team).
We currently plan to address CVE-2011-0609 in Adobe Reader X with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.... We determined that the above patch schedule would allow us to provide the best balance of risk mitigation and admin/update costs for our customers.
Translation: Watch for patches of Adobe Flash Player, Adobe Acrobat and Adobe Reader v9.x (not 10.x) the week of March 21, 2011. There will be NO patch for Adobe Reader X (v10.x) until the scheduled quarterly "in-band" date of June 14, 2011. There is an explanation of this inexplicable schedule in the ASSET article: Adobe's stated reason is that the Protected Mode sandbox in Reader X would prevent the known exploit from executing.

The currently known exploit is a Microsoft Excel (XLS) file sent via email to victims. Embedded within this file is a Trojan horse Flash file (SWF). Adobe does not explicitly state that this specific file is directed only at Windows users. However, the details they provide refer only to using 'Protected Mode' in Adobe Reader, which is a Windows-only feature. Therefore, I can infer that this is a Windows-only exploit file.

Other exploits are possible. Therefore, until Adobe patches this hole, beware of Flash in general, either as straight Flash files OR embedded in another file type, such as a PDF or an Office document.
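Because the carrier file here is a spreadsheet, not a .swf, a practitioner wants a way to tell whether some attachment has Flash hidden inside it. Here is an added example, my own triage script rather than anything from Adobe or from any of the advisories above, that scans arbitrary bytes for SWF headers. A SWF starts with 'FWS' (uncompressed) or 'CWS' (zlib-compressed), a version byte, and a little-endian uncompressed length; the script checks those fields for plausibility and, for CWS, checks that a real zlib stream follows, so a stray 'CWS' in text does not trigger it. The sample 'XLS' it scans is constructed (an OLE2 magic plus filler plus a minimal SWF), not the real malicious file.

```python
"""Find Flash (SWF) files embedded inside other files (added example)."""
import struct
import zlib
from typing import Dict, List

# SWF header: 3-byte signature, 1-byte version, little-endian uint32 total
# uncompressed length. 'FWS' is raw, 'CWS' is zlib-compressed after byte 8.
SWF_SIGNATURES = (b"FWS", b"CWS")
MAX_SWF_VERSION = 30          # plausibility bound; Flash Player 10.x writes 10
MAX_SWF_LENGTH = 64 * 1024 * 1024


def find_embedded_swfs(data: bytes) -> List[Dict[str, int]]:
    """Return one dict per plausible SWF header found anywhere in data."""
    hits: List[Dict[str, int]] = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                plausible = (1 <= version <= MAX_SWF_VERSION
                             and 8 <= length <= MAX_SWF_LENGTH)
                if plausible and sig == b"CWS":
                    # The body must start a valid zlib stream; a stray 'CWS'
                    # in text fails here instead of producing a false alarm.
                    try:
                        zlib.decompressobj().decompress(data[pos + 8:pos + 8 + 512])
                    except zlib.error:
                        plausible = False
                if plausible:
                    hits.append({"offset": pos, "version": version,
                                 "length": length, "compressed": int(sig == b"CWS")})
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_minimal_swf(version: int = 10, compressed: bool = True) -> bytes:
    """Construct the smallest valid SWF: empty stage, one frame, End tag."""
    body = (b"\x00"                      # RECT with Nbits=0 (5 bits, padded)
            + struct.pack("<H", 0x0C00)  # frame rate 12.0 (8.8 fixed point)
            + struct.pack("<H", 1)       # frame count
            + b"\x00\x00")               # End tag
    length = 8 + len(body)
    header = (b"CWS" if compressed else b"FWS") + bytes([version]) + struct.pack("<I", length)
    return header + (zlib.compress(body) if compressed else body)


# Constructed stand-in for the e-mailed spreadsheet: an OLE2 (XLS) magic,
# filler, two decoy signatures that are not real headers, then the SWF.
SAMPLE_XLS = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 120
              + b"FWS\x00\x03\x00\x00\x00 decoy CWS in a string "
              + b"\x00" * 40 + build_minimal_swf() + b"\x00" * 64)


def scan_file(path: str) -> List[Dict[str, int]]:
    """Scan a file on disk (an attachment you were about to open, say)."""
    with open(path, "rb") as fh:
        return find_embedded_swfs(fh.read())


if __name__ == "__main__":
    for hit in find_embedded_swfs(SAMPLE_XLS):
        print("embedded SWF at offset %(offset)d, version %(version)d, "
              "%(length)d bytes uncompressed, compressed=%(compressed)d" % hit)
```

A hit does not prove the file is malicious (plenty of legitimate documents embed Flash), but a spreadsheet from someone you were not expecting that turns out to contain a SWF is exactly the thing Rule B above tells you not to open. Newer Flash Player versions may add further signatures; extend SWF_SIGNATURES if you see one.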

My solutions:

A) Use one of the many Flash blocking extensions in your web browsers AT ALL TIMES.

B) As a corollary of The Second Rule Of Computing:
  1. Only open files emailed to you AFTER you have verified that their source is legitimate.
  2. Only click on embedded Flash on web sites that have been verified to be legitimate.
C) Don't use Adobe Reader. Use Apple's Preview application.

D) If you just 'have to' use Adobe Reader: Be sure you are using 'Enhanced Security' inside the Preferences. You'll find it listed under 'Security (Enhanced)'. Note that this is enabled by default when you first install Adobe Reader.

E) Or to be totally safe: Remove Adobe Flash, Adobe Acrobat and Adobe Reader from your computer.

Q: Does this make the Internet more dangerous than ever?
A: You bet!

Q: Why does the Internet have to be such an annoying pain?
A: Bad coding practices by developers, compounded by poor code documentation, which is critical to cleaning up bad code and is usually missing.

Theoretically, newer coding students are being taught how to avoid computer memory security holes. However, even if they are diligent at writing 'perfect' code, other problems persist in the code languages themselves. For example, the Java language was designed with a sandbox specifically so that its code could never compromise the user's computer. And yet it does. As I ever rant: We are still in The Stone Age Of Computing.

Q: Are Mac users really vulnerable to this security exploit?
A: Absolutely!

Keep in mind that this is not an Apple or Mac OS X problem. This is an Adobe problem. It is their software that is being exploited and ends up damaging the computer. There is nothing Apple can do to prevent Flash exploits apart from banning Flash, which is thankfully the case with all Apple iOS devices.

Meanwhile, whether this exploit will be targeted specifically at Macs is entirely up to the evil scumbag hackers writing the exploit code. If I hear of a Mac specific exploit file, I will post here.
--