Tuesday, July 31, 2012

WPA2 Encryption Internet Sharing:
Another Security Upgrade In
OS X 10.8 Mountain Lion

--
Glenn Fleishman, of TidBITS and MacWorld, has posted an article about a long delayed but very welcome security improvement in OS X 10.8 Mountain Lion. Users can now use WPA2 connection encryption when using a Mac as a Wi-Fi router. It allows sharing the Internet with other Macs on a network. Apple has dumped worthless old WEP into the dumpster of the decrepit, although WEP is still available if you're stuck sharing with older hardware that is WPA2 illiterate.


Read all about it:

Software Base Station in Mountain Lion Adds Modern Encryption
. . . But Internet Sharing’s security options were left firmly mired in the 1990s until Mountain Lion. For years, Apple offered only 40-bit and 128-bit WEP (Wired Equivalent Privacy). WEP was the original “link-layer” encryption built for 802.11b, the first widespread wireless local area networking protocol put into use, starting in 1999. WEP had a lot of compromises, partly because of encryption export restrictions at the time and partly to accommodate the minimal computational power available in router-sized devices. WEP was shown to be thoroughly broken by about 2003, and subsequent years have brought tools that can extract a WEP key and see all the traffic on a network in a matter of seconds. 
. . . This situation has at last been resolved in Mountain Lion, although it’s not listed among the 200+ features that Apple trumpeted...
Glenn is the author of the eBook 'Take Control of Your 802.11 Airport Network'.

--

Tuesday, July 17, 2012

KISSMetrics Wants To Surveil You:
Illegal Alien Invasion Of Your Computer

--
[Updated 2012-07-20. I was able to trace the source of my KISSmetrics permanent cookie infection to the application 'Boom' from Global Delight in India. This discovery was made via both Little Snitch and the fact that Boom would not work properly if the KISSMetrics.identity file was edited and locked.

I wrote Global Delight to ask about the purpose of the KISSMetrics permanent cookie. In response, Global Delight has provided a new build of Boom v1.4 that has had KISSmetrics technology removed. This new build is now the standard downloadable version at their website HERE. (Click on the 'Try Boom' button to begin downloading). Future versions of Boom will no longer use KISSMetrics technology. Thank you Global Delight!

In order to upgrade to the KISSmetrics-free version of Boom, you must first uninstall the current version via its Preferences window. After the uninstall, install the new build of version 1.4 or later. After the update installation, be sure to DELETE the KISSmetrics.indentity file that has infected your user account Library folder as it was NOT removed by the uninstallation process.

The uninstall and update install process kept my registration number intact. If yours is somehow deleted, simply re-register the software using your registration number.]
--

As we discovered in my previous personal privacy article, Marketing-Moron infested companies (those that don't respect their customers) insist upon ignoring 'Do Not Track' requests from Internet users in order to surveil them and make money from the resulting data they collect. Therefore, user tactics are required to thwart their abusive schemes. This involves blocking Tracking Cookies of various kinds as well as databases they load into your browsers. But what if there was already a scheme to thwart the limitations of these methods of user surveillance? What if a company went rogue and snuck a secret permanent cookie equivalent onto your computer?
There is a company that competes with Google Analytics called KISSMetrics. In 2011 there was a class action lawsuit against KISSMetrics (and others) for installing 'permanent cookies' onto Internet user's computers. They supposedly relented and stopped that practice. Oops, no they didn't! I found one on my computer dated today. So here is how to remove the KISSMetrics permanent cookie ourselves!


DO THIS RIGHT NOW (and get revenge):

A) Open the Library folder inside your user account.
(This step is required because Apple hobbled Spotlight such that it won't search inside your Library folders unless you actually go there first or use other trickery)

The easiest method for getting there on recent versions of Mac OS X (which hide your user account Library folder by default) is to:
  1. Open a Finder window.
  2. Hold down the Option key while going to the 'Go' menu and select 'Library'. You're there.
B) Hit Command-F to make Spotlight find stuff in the Library folder.

C) Type into the Find box "KISSMetrics".

I am betting that you are going to at least find a file called 'KISSMetrics.identity' at the root level of the user Library folder. If so, you've been invaded! And KISSMetrics never asked for your permission! Aren't they swell people? Does this remind you of how computers are infected with spyware? Of course it does! It's not supposed to happen! The Internet is supposed to be safe. But it's not.

Before you trash that nasty 'KISSMetrics.identity' file you probably found, here's a really fun trick you can play on KISSMetrics! (Shhh! Don't tell them!) They'll laugh and laugh...

[IMPORTANT: Editing and locking the KISSMetrics.identity file may cause certain applications, such as Boom from Global Delight, to no longer work properly. If this is the case, unlock the file then contact the maker of that application and ask them to please remove KISSMetrics technology from their application. In the case of Global Delight, they were swiftly responsive in providing a KISSMetrics-free updated version of their application.]

D) Open the KISSMetrics.identity file with TextEdit. You'll notice that the file contains some gibberish cookie code meaningful to KISSMetrics.

E) Highlight all that code and delete it.

F) Now type in a very special message you'd like to send KISSMetrics to thank them for invading your computer without your permission. I would suggest some 4 letter epithets, choice comments about their mother, or instructions regarding the anatomical placement of their surveillance data. ASCII pictures of suggestive behavior are also a nice idea. Keep in mind that this data will be sent straight to KISSMetrics on your behalf the next time they attempt to surveil you on the Internet. Be creative!

G) Save the KISSMetrics.identity file in TextEdit.

H) Do a 'Get Info' on the KISSMetrics.identity file.

I) In the Get Info box, look under the 'General' heading and check the box marked "Locked".

J) Close the Get Info box and you're done! Think of all the giggles they'll get over at the KISSMetrics offices. :-D


HOW DID THEY INFECT ME?

In my case, I found the installation of the KISSMetrics permanent cookie to have been installed by the Boom application by Global Delight whenever the application was booted. Infections of this kind can also use a variety of methods for overcoming basic computer security via a drive-by infection. The 2011 lawsuit against KISSMetrics accused them of using HTTP ETags for this purpose. Alternatively, this can be done with malicious 'JavaScript', or via a security hole riddled version of Java, or a nasty Trojan horse application you installed, or some application you use on the Internet may have been coerced to sneak it onto your computer. It can be difficult to know exactly how.

CONCERNS FOR THE FUTURE

Behavior such as that of KISSMetrics indicates that marketing-moron infected companies are becoming just as devious and deceitful as politicians and our Corporate Oligarchy. The key word is 'disrespect'. Therefore, I fully expect these scum to take advantage of any means available to track our behavior and take away our right to personal privacy.

There is no reason to expect they will be as obvious with their trickery in the future. For all we know, the future version of the KISSMetrics cookie will be called "Finder" or "824t980havs", any name at all buried on our computer. I think of it as a fight between us and disrespectful people out there on the Internet. There is no question from my point of view that this behavior, when performed without your permission, is entirely illegal and unconstitutional in the USA. With luck and sanity, governments will respond and kill off this disrespectful behavior. Well of course, only if the governments aren't themselves intent upon illegally surveilling us! In the meantime, anti-tracking tools are going to have to keep up with the convolutions and coils of marketing-moron behavior in order to maintain our right to personal privacy.

Should we just give up? No way! There are organizations such as EFF.org (Electronic Frontier Foundation) that keep track of the nefarious trackers and help us fight for our right to personal privacy. We have a wide variety of anti-malware and Internet browsing tools to help keep this CRAP off our computers. With time this issue is only going to come more to the fore, causing the SurveillanceRats to scurry away into ever darker corners in order to avoid the light of reason, sanity and justice. This is a fight we can and shall win. I'll do my best to track the trackers here, as will many others across the Internet.

We shall never surrender!

Q: What do you call a marketing professional who holds respect for the customer foremost in their mind during their endeavors?

A: A Marketing-Maven. When you come across a marketing-maven, treat them as gold. Without them, all our business decays to mere biznizz.

:-Derek
--

Sunday, July 15, 2012

The Future Of Personal Privacy And Security

--
INTRODUCTION

[Please note that this is something of a crossover article between my 'zunipus' blog and my Mac-Security blog. Because it is pertinent to personal privacy and security, I decided to place the article here. It goes abstract. But it is my hope that you will also find it to be specific to how you think about personal privacy and security.]

FUD (Fear, Uncertainty and Doubt) is a propaganda tool used to control human beings. It uses language, communication, to attack our sense of security in order to herd us as cattle into the desired direction of the propagandist. In our current Age of Marketing, the herding of human beings has become something of a science.

All of us have our own personal little world running inside our heads. I call it our 'Inner World', as opposed to what actually goes on around us, our 'Outer World'. We know that inner worlds can be insane beyond the comprehension of anyone out here in the outer world. I recall the moment I realized a friend of mine was insistently serious in his assertion that he was 'Jesus Christ' and that I was one of his new 12 disciples. I began shaking uncontrollably. The disconnect between his inner world, the outer world and my own inner world was so profound and incomprehensible to me that my sense of safety broke down and I exhibited physiological symptoms of shock.

What is a suicide bomber? How can a human being be so disconnected from our outer world that they murder themselves and everyone else they can take with them for the sake of a personal 'truth' they hold that insists they perform this ultimate, final act of local destruction. I have never been able to fathom why we humans are DRIVEN to self-destructive acts. Think on a broader scale beyond one suicide bomber to our entire world economic system that is DRIVEN to destroy itself here and now. How does this happen? How is a kind, compassionate and sane human being supposed to rationalize what amounts to massive herd insanity?

One of the best tools in psychology for understanding some basic ways in which we humans think inside our inner worlds is the Maslow Hierarchy Of Needs. It is commonly pictured as a triangle of needs factors starting at a broad base of physiological human needs, shrinking in importance on up to a point where our self-actualization needs reside. As you can imagine, a propagandist who wants to control our behavior attempts to throw us entirely out of the realm of self-actualization because that is where we are the most rational and activated to affect the world around us with our personal skills and insights. Instead the propagandist wants to reduce us to dumb animals who are running away from cattle prods provided by way of FUD and other propaganda tools.

The USA is unique in that its government puts in writing and enacts in law and law enforcement the rights of all of us to seek and establish self-actualization. It is not merely a government convenience or option. It is a full and eternal right. To restate it in my own personal terms, the USA acknowledges and enforces what I consider to be "god's" great gift to use as living beings: The Right Of Choice. From that right and ability springs everything important about our lives. Because of that greatest of gifts, we are able to learn and grow into something more than simply human cattle. We can ascend to wisdom, insight, responsibility and greatest of all, spirit.

Take a moment to consider what resonates in your inner world regarding choice and personal growth. Consider the remarkable miracle of our sole planet in the universe, that we know of, that brought forth, developed and enhanced this extraordinary system we call life. We live on the miracle planet, Earth our only home. Consider the gift of being cosmos dust that got to wake up, look around, learn and grow into that remarkable creation we call spirit. Amidst all of this, how can we help but pursue and find our personal happiness? Think of the splendor and joy of sharing our lives of growth with fellow kind, compassionate and sane human beings. This is what wraps around the best of ourselves as homo sapiens, the wisest animal.

Then there's this: Maintaining our hierarchy of needs amidst the masses of self-destructive people who strive to take as many victims with them as possible. Don't be fooled into thinking along the primitive concepts of good versus evil, thinking in 1-dimensional terms. It's thinking along one single straight line with no added dimensions. It limits us to blindly thinking only of left and right with everything else being some variation in between. It limits us to ignorance. We live in a 3-dimensional world of 3-dimensional people thinking in 3-dimensional ways. What is good and what is evil comes down to how we view this wide world of human thought from the limited perspective our own inner world. There is so much more going on than we can possibly comprehend. We want to believe there are simple good guys and bad guys in the world, adhering to the simplest concepts we can imagine just to get through the complexity of it all. But simplicity is nothing more than ignorance. As I am ever saying:

We never know everything about anything.

We want a formula for living. We want physics that just work the same way every time with no possible variations due to unseen factors. We want simple. We want ignorant. But by doing so we kill that great gift we're given: Choice. We run away from choice and hide in 1-dimensional thinking.

A fun illustration, from the lyrics to the Devo song 'Freedom of Choice':
Freedom of choice
Is what you got.
Freedom from choice
Is what you want.
(Freedom Of Choice lyrics © EMI Music Publishing)
Sorting through this basic problem of ours, wanting simplicity in a complex world, is a terrific source of stress. We keep wanting to climb down the Maslow Hierarchy Of Needs so we can minimize the stress and just relax and vegetate.

And doesn't the propagandist, who wants to herd us all, find our desire for simplicity to be so incredibly helpful to his cause! It's as if we want to be reduced to cattle. Give us a push with a bit of FUD and we're stampeding into the abattoir. Here come the rotating knives.

What a dilemma.

For me the solution has been to take all the negative being shoved my way by both myself and all those other people pushing their simplistic negative inner worlds at me and push back with my own positivity. I call it 'Positive Push'. I consider it an offensive act. I offensively push my calm sense of what is good about being alive onto other people.

Here is what I find: Positivity from others is soooo welcome. We drop our security walls and let the positive in. It is the welcoming of a sense of security with others so we can joyfully climb back up our own personal Hierarchy Of Needs. This is where we enjoy having others around us and where we experience what I consider to be the ecstasy of being alive as a human being. There we are living our lives of choice to the fullest.

Take a moment to consider how sharing positivity with others resonates in your inner world.

I wanted to write this introduction in order to establish a useful perspective before considering aspects of the future of 'The Lost', as I call everyone who can't get a handle on positivity in their lives. These are the self-destructives with no concept of everyone else's right to choice. They choose and demand that everyone else take the ramifications of that choice along with them. The worst of these people would 'murder the world' to fit their own personal insane inner world vision. They are the psychopaths, they are severely damaged by personal experience, they are the ill and the deceived. They are lost and they loathe themselves. They act out their self-loathing through their behavior toward the rest of us. They hate themselves, they hate everyone, they want to destroy themselves, they want to destroy the rest of us.

There is a great film, based on the Shakespeare play 'The Tempest', that beautifully illustrates these situation, pointing out that each of us is capable of self-loathing and self-destruction, that we are all capable of what we 1-dimensionally call 'evil'. It is a classic that is required viewing: Forbidden Planet. Get past the sci-fi aspects and the 1950s cheesiness. That is each of us, there in that film, hunting down ourselves and therefore everyone else through our own self-destructive self-loathing.


NOW GO WATCH THIS

Linked above is a 20 minute talk by Marc Goodman, an expert on law enforcement and actual/factual terrorism (as opposed to all the conveniently abusive re-definitions of that the term 'terrorism'). His talk is entitled: "A vision of crimes in the future". It's about what I call 'Future Noise' that is likely to get in the way of discovering self-growth. It is about The Lost imposing their self-destruction upon the rest of us. When I watched it I thought about the term 'FUD'. Here we have what may well be 'practical' FUD as opposed to propagandist FUD. I like how Marc Goodman ends his talk. He points out that this encompassing human 'inner world' is for all of us to consider. We can all take responsibility for helping The Lost out of their hell while helping ourselves be free from their inner worlds of self-deception.

What does that mean in our personal lives, our own inner worlds? What does it take to remain our positive selves amidst the acts of ANY self-destructive person? Does it matter how big the invented catastrophes around us become? Does it matter what convoluted methods are used to throw us off from self-actualization? What does it take to remain our best selves at all times, in all weather, through every disaster? How do we grow to become spirits that don't need to be victims of real or imagined Fear, Uncertainty and Doubt? What is our individual path to becoming our best selves in spite of all the noise from The Lost around us?

There's the great challenge. Getting there is the point of our great gift of choice.

:-Derek
--

Friday, July 13, 2012

CRAP Internet Computer Security
For The Last 14 Years

--
Today I ran across a fascinating article at the great Ars Technica entitled:

iTunes has "more robust" security than some of our critical infrastructure.
Security researchers have blown the whistle on serious vulnerabilities in an Internet-connected system used by the US military, hospitals, and private industry to control boilers, air-conditioners, security alarms, and other critical industrial equipment.
The defects in the Niagara Framework, which links more than 11 million devices in 52 countries, could allow malicious hackers to seize control of critical infrastructure, an article published by The Washington Post warned. . . . 
"Sadly, we can honestly say that the security of iTunes is more robust than most ICS software."

The full article is well worth a read by anyone interested in the state-of-the-mess we call computer security. We also get to smile that Apple is getting seriously serious about security these days. And you thought iTunes sucked. ;-D

I posted a couple comment responses to the article under my old nick of 'zunipus' (the same name I use for my personal abstraction rants blog). My comments will sound familiar. But I added a paragraph about the recently discovered 'Flame' titan malware for Windows. Enjoy, get all paranoid, or laugh:

"...the most disappointing thing he encountered in his interactions with Tridium was its "eagerness to blame the customer." "
And why not! It's the Spirit Of The Age in biznizz:
Abuse Thy Customer!
This is how business FAILs. This is why we continue to be stuck in our ongoing worldwide economic depression, the second worst in a century.
Until we rid the world of what I call 'Marketing-Morons', those people who insist upon selling products with total disregard for respecting the customer, our system of world business it totally fracked. 
~ ~ ~ 
One historical perspective:
In 1998 the country of China was provided 'Most Favored Nation' status by the Clinton Administration.
At that point, the government of China became involved with Chinese computer hackers and assisted them in forming what became the 'Red Hacker Alliance'. (Please Search for this term for references). [I have a number of articles here at Mac-Security covering my anti-pals from the Red Hacker Alliance].
For the next eight (8) years, the China government-assisted Red Hacker Alliance succeeded in 'PWNing' (OWNing) or botting every single US government Windows-based computer exposed to the Internet. All of them. The infection bots were able to send all data on those computers directly to China. It was not until 2007 that the US government publicly acknowledged the problem.
Last month the 'Flame' malware and its bot network were discovered, exposed and shut down. It has been estimated that Flame had been running on the Internet for at least five (5) years before its discovery. This malware was found to be the most ambitious, best designed and capable malware ever created, to our knowledge (!). Experts have stated that Flame could only be the work of a consortium of malware developers or a major government. Flame took advantage of what was, until its discovery, an extremely old zero-day exploit in Windows. Flame was capable of performing literally any computer task assigned to it by the bot wranglers, whoever they were. It was the perfect multi-functional malware, the ultimate spyware. It could infect and PWN any Windows-based computer by a mere drive-by Internet infection. That means no Windows machine connected to the Internet was immune unless the bot wranglers designed them so. The only data we have regarding its activity and purpose was its proliferation across the Middle East.
That's how CRAP Internet computer security has been, across the world, for the last 14 years.

Of course, it's tempting to add: "Thank Goodness We Use Macs!" But don't be too naive. The fact that the Java drive-by infection version of the FlashBack malware managed to PWN over 600,000 Macs this past spring should keep us all humble and wary.
--

SpamCop.net Goes FUBAR Follow-Up

--
I've heard back from SpamCop regarding its problems.

The SpamCop website is significantly automated. This automation has become, for unspecified reasons, out of control. This ended up being illustrated by the fact that my own SpamCop account was terminated because the automated system decided I had been submitting too many spam reports within too short a period of time. This was in fact an insane conclusion. What I had actually done was attempt to submit the same single spam repeatedly with total failure being the result. These spam report attempts built up in an 'Report' attempt list, which I emptied once I was actually able to access the full SpamCop interface.

The folks at SpamCop were extremely apologetic and cleaned out the automation error within 24 hours after I reported it. Thank you!

Since that time I have found the automation blundering to be somewhat dissipated. But the automation continues to be slow. On two recent occasions I ran into dead end results when attempting to report spam.

This is bad. This is a disincentive to bother reporting spam. I know the SpamCop folks are attempting to gain control. I know their attempts have been ongoing for a full month now.

Happily, I can report that the email submission method of reporting spam is working perfectly. (So bite me, SpamRats!) This is now the method I am using while I snooze waiting for SpamCop's automation system to be cleaned up and reestablished.

If I discover SpamCop's automation to again be working perfectly or I hear further details from the folks at SpamCop, I will report here. Despite this setback, I continue to encourage everyone to use the SpamCop service for wiping SpamRats off the face of the planet.
--

Friday, July 6, 2012

SpamCop.net goes FUBAR

--
If you're an avid SpamCop.net user, as I am, you are not alone if you have found their website to have gone FUBAR. From reading the SpamCop Discussion forum, this problem has been intermittent since June 14, 2012. Apparently I have been lucky logging in and reporting until today. At this point I find it 100% impossible to report spam via the website. A variety of errors are being thrown. I can occasionally log into the main page but cannot log into the forum, which makes no sense.

Thankfully, I verified that the email method of submitting spam is working perfectly at this time. Each verified account has its own email address it can use for submissions.

I'd like to say the problem was being caused by a DDOS attack from some SpamBot network. That's easy to solve. But there is no sign at this point of that being the problem. IMHO they have hosed their server and don't have an adequate backup to restore it again. IOW, IMHO, FGS!, they broke the #1 Rule Of Computing. It doesn't get any worse. I.E. not good.

It is particularly disturbing to me that SpamCop has not publicly acknowledged this problem. There is no official announcement anywhere on the site. That means they're freaked, have no solution, and/or are too embarrassed to admit the situation. I.E. not good.

I'm sure the SpamRats are having a party. SpamCop remains a primary source of free spam blacklist data to the world. Enjoy the party while it lasts little SpamRats. We have other methods of spam reporting up our vigilant sleeves. Darn! :-P

As the SpamCop.net problem evolves, I will be reporting here.
--

Thursday, July 5, 2012

'Find And Call' Trojan horse
Found At iOS App Store
(and removed)

--
The Walled Garden Has Been Breached. 


This was very bad. Thankfully it was over in a hurry.


Find and Call: Leak and Spam



Quoting Denis at Kaspersky:
...a Trojan that uploads a user’s phonebook to remote server. The 'replication' part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book. 
The application is called ‘Find and Call’ and can be found in both the iOS Apple App Store and Android’s Google Play. We’ve already informed both Apple and Google but we haven’t received an answer yet.
I checked it out via iTunes at the Apple iOS app store. 'Find And Call' had been there as it comes up in the hot help as you type in the name. Thankfully, Apple has pulled the app out of the store.


I hereby declare this iOS malware to be INERT. However:


1) The app is active In-The-Wild on victim's iOS devices.


2) Technically, people could grab it out of their iOS backup or off their iOS device and plant it onto a jailbroken iOS device, which is highly unlikely.


3) The malware writers could fool Apple again and get it back on the iOS app store, which is highly unlikely.


Meanwhile, the Android version of this malware is more likely to remain hanging around at the various Android app stores unless Google, and everyone else running a store, use live running anti-malware to detect it and kill it off their stores.


IMHO: It is of grave concern that Apple did not catch the behavior of this malware before approving it for the iOS App Store. It's another kick in Apple's nuts, hopefully further awakening their security vigilance.


BTW: This is not the first time 'malware' has appeared in the Apple iOS app store. Apple security expert and hacker Dr. Charlie Miller managed to slip one by Apple last year. This IS, however, the first time that deliberately malicious software has been slipped by Apple.


Kill the deceitful messenger, love the results...
---