Tuesday, December 11, 2012

Java 1.7 Update 10 (AKA Java 7u10)
Is Available From Oracle

--
On November 29, 2012, Oracle released Java 7u10 (v1.7 Update 10) for Mac. I discovered it by accident. Apparently, inevitably, suitably, few Mac users now bother with Java.

Here is where you can get the latest version of Java 7:

http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

Venture back through my previous posts for rants about how much Java sucks, how it's the most dangerous software you can install on your Mac, how a drive-by Java malware infection zombied ~600,000 Macs this past summer and how you should never run it except on specific trusted websites. If you don't need Java, either turn it OFF in your web browsers or uninstall it.


WHAT'S NEW IN JAVA 7u10

I) Release Notes

Oracle buried its 7u10 release notes under three layers of links. But I have spared you the frustration and provided them here:

http://www.oracle.com/technetwork/java/javase/7u10-relnotes-1880995.html

Mac Relevant Highlights:
This update release contains the following enhancements:
- Additional Certified System Configurations
- Security Feature Enhancements
. . .
 
For JDK 7u10 release, the following additional system configurations have been certified: 
Mac OS X 10.8
. . . 
The JDK 7u10 release includes the following enhancements: 
The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel.... 
The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument. 
New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.
. . .
 
Known Issues. . . 
Area: deploy
Synopsis: System level disable switch does not work on Mac OS_X (10.8) platform. 
On some systems running Mac OS X Mountain Lion (version 10.8), applying system level switch from the Java Control Panel to enable or disable Java does not work even though the correct credentials have been provided. 
The workaround is to delete the file /Library/Application Support/Oracle/Java/Info.plist and then reinstall the JRE. . . 

II) Visible changes in this version:

The Java System Preferences pane is still Mac illiterate, opening its own separate 'Java Control Panel' application. What is Oracle's problem?! (0_o)

1) The 'General' tab now has an 'About...' button.

2) The 'Security' tab has a new GUI. Sadly, it is reminiscent of Windows. But at least it's simple. Here is a screenshot:

As you can see, I recommend setting the 'Security Level' on 'Very High'. 

Do NOT use the 'Medium (recommended)' setting unless your web browser is specifically at a trusted website. When you're done with that website, REMEMBER to set Security back to 'Very High' and just leave it there. I also recommend turning Java OFF in all your web browsers. This is the only way to stay verifiably safe from Java drive-by malware.
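The two settings recommended above are stored by the Java Control Panel in a plain properties file, so they can be audited from the Terminal instead of trusting the GUI. This is an added example, not code from the blog or from Oracle; it assumes the per-user file path `~/Library/Application Support/Oracle/Java/Deployment/deployment.properties` and the key names `deployment.security.level` and `deployment.webjava.enabled`, which are not given on this page.

```shell
#!/bin/sh
# Added example (not from the blog post): audit the deployment.properties file
# that the Java Control Panel writes, to confirm the 'Very High' security level
# and the 'disable Java in the browser' choice actually took effect.
#
# Assumptions (not stated on the page):
#   - the per-user file lives at
#     ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties
#   - the 'Security Level' slider is recorded as deployment.security.level
#     (VERY_HIGH / HIGH / MEDIUM / LOW)
#   - the browser on/off switch is recorded as deployment.webjava.enabled

# Print the value of one key from a Java properties file (empty if missing).
prop_value() {
    # $1 = file, $2 = key; tolerate CRLF endings and whitespace around '='
    tr -d '\r' < "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Return 0 if the file reflects the recommended settings, 1 otherwise.
check_java_deploy_props() {
    file=$1
    ok=0
    if [ ! -r "$file" ]; then
        echo "WARN no deployment.properties at $file (settings never saved?)"
        return 1
    fi
    level=$(prop_value "$file" deployment.security.level)
    webjava=$(prop_value "$file" deployment.webjava.enabled)

    if [ "$level" = "VERY_HIGH" ]; then
        echo "OK   security level is VERY_HIGH"
    else
        echo "WARN security level is '${level:-unset}' (expected VERY_HIGH)"
        ok=1
    fi
    if [ "$webjava" = "false" ]; then
        echo "OK   Java content in the browser is disabled"
    else
        echo "WARN browser Java is '${webjava:-unset}' (expected false)"
        ok=1
    fi
    return $ok
}

# Usage: sh java_audit.sh "$HOME/Library/Application Support/Oracle/Java/Deployment/deployment.properties"
if [ $# -gt 0 ]; then
    check_java_deploy_props "$1"
fi
```

A missing file is reported as a warning rather than a pass, because a Control Panel that was never saved leaves Java at its defaults.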

Stay safe!
--

Monday, December 10, 2012

Passwords
Versus The Limits of Human Comprehension
Versus The Anti-Security Rats

--
This past week I listened to a US NPR (National Public Radio) program on the Diane Rehm Show entitled 'The Illusion of Online Security'. Despite the fact that the program featured terrific security expert Kevin Mitnick, among others, it was worthless garbage chatter. I personally sent off two simple and direct email questions to the program in order to get the discussion above the level of coffee talk, but both were ignored. I asked about multi-factor authentication, specifically the concept of using something we KNOW, such as a password, and something we HAVE, such as a Yubikey. But apparently, from what little was said about multi-factor authentication, the subject flew far over the heads of everyone in the discussion but Kevin. I felt sorry for Kevin, as he reiterated several times the key problems with today's Internet security, and not once did I have any sense he had penetrated the skulls of the others speaking. I wished I had been there to help Kevin speak to the issues on something closer to the level of their comprehension. But I realized they were simply not going to understand.

The concept of technology being beyond the comprehension of average people is very old. I remember the 1970 book 'Future Shock' by Alvin Toffler. It was a fanciful adventure in FUD, mixed with some bits of actual futurism, designed to sell books. It was also made into a TV special to add illustration to its sensation. One thing it did manage to portray well was the inability of the human mind to comprehend the full complexity of our world. As we watch the ramifications of the damage our species wreaks upon our miracle planet, how can any of us comprehend a solution beyond our individual lives? It is too much for any one mind to grasp. Similarly, today's technology is well beyond the comprehension of most human beings. Understanding it all is simply NOT going to happen among the average populace. There is no solution any of us can comprehend beyond making certain we are safe and secure within our individual lives.

For those of us who can and wish to understand the issue of passwords on the Internet, I want to pass along a nicely concise article entitled "How Attackers Steal Passwords" by Joe Golton. It is well worth a good read to both yourself and anyone willing to listen. I'll be reading it to the local PC user group where I often teach.

I must add to Joe's list of 9 methods of stealing passwords Number 10: Illegal government surveillance in violation of your personal privacy rights. In the USA this pertains specifically to violation of the Fourth Amendment of the US Constitution. We might as well be realistic. Illegal US government surveillance of US citizens on US soil is a constant, ongoing event at this time. This isn't the place to discuss the politics of why. It is simply a fact we must consider. It is also one reason I will be discussing tools for encryption of personal data in future articles.

Related articles by Joe Golton are:

'A Guide to Using Passwords Without Distraction.'

'Which Password Manager?'

:-Derek
---

Wednesday, December 5, 2012

Mac Security Information Resource List
2012-12

--
[Updated 2012-12-05 7:43 pm]
--
The purpose of this list is to point out Mac security information resources we can all use. I am adding the most directly useful of the Mac security web locations to my "Friends Of Mac-Security" list on the right of the blog page for your convenience. Please do NOT count on my blog as a summary of any of these resources. I have neither time nor ambition to meet that expectation. Instead, please visit all of these sites directly.

NOTE: Please add to my list via your comments. I will be updating this article with your suggestions, giving you credit for your contributions. They are always appreciated.

This list is in no order of priority. I'll leave that to you. But I will start with my net friend Thomas Reed, with whom I collaborate. Together, with a group of writers, developers and others who work with malware, we attempt to keep a complete list of active Mac malware, which we present on our respective websites.

I) Thomas' Tech Corner

Thomas's terrifically useful website, like this blog, is entirely an act of altruism to the Mac community. He attempts to keep track of all the currently active Mac malware, as do I. We will be collaborating in the future to share our collected list of malware with you via both our websites. Thomas is also involved with anti-malware software analysis. I highly recommend his interesting article Mac anti-virus detection rates.

altruism
    n. The quality of unselfish concern for the welfare of others.

II) Brian Krebs: Kreb on Security

Brian wrote about computers for the Washington Post through 2009. We benefit from his, again altruistic, contributions to the computer security community via his terrific web blog. His work has been exemplary. He does not focus on Mac security. However, he's one of the very best independent resources on computer security issues, many of which are directly applicable to Mac users.

Brian also, like myself, has had a run-in with the Red Hacker Alliance, as they used to be called. This Chinese hacker group is now simply called the Chinese government. Brian also points out that one of the former RHA members is now involved with, ironically and ominously, a Chinese 'anti'-malware company called 'Anvisoft'. Here's his article on the subject: Infamous Hacker Heading Chinese Antivirus Firm?

philanthropy
    n. An active effort to promote human welfare; humanitarian activity. In this sense, it is an action, not merely a state of mind. [PJC]

III) Rich's Securosis Blog

Rich is the Mac security expert at venerable TidBITS. His correspondence has personally helped me learn a great deal about Mac computer security. He's a terrific fellow and a great resource. Rich is not the only contributor to his Securosis Blog. Nor is his blog specific only to Mac computers. Like Brian Krebs, Rich is extremely knowledgeable about the entire field of computer security and highly recommended for general knowledge.

Rich's Mac security specific articles typically turn up at the TidBITS website and in the weekly TidBITs newsletter, available for sign up HERE.

Rich is also a contributor to the Macworld Mac Security Superguide, available through TidBITS Publishing.

IV) MacWorld Security

I've been a paying subscriber to MacWorld magazine for nearly two decades (electronic version preferred). I very much enjoy other Mac magazines and websites. But I consistently come back to MacWorld as my best general Mac resource. Their writing is excellent. The magazine itself still lags a full month behind reality. But the website is terrifically up-to-date. Recently their website has gone through a hellish beta period of revision. However, it appears to have settled into usefulness again, including its Security website area. I would never count on MacWorld as any sort of definitive source of Mac security news. Much of it is second hand. None of it is provocative or particularly insightful. However, they keep track of the big issues and write about them effectively.

V) Topher Kessler at MacFixIt

Topher is another member of the Mac security interest group to which I belong. I used to be a paying member at MacFixIt and have been reading Topher's terrific articles for years. He frequently writes about Mac malware and Mac security strategies. I've found his insights to be extremely valuable.

VI) Intego's Mac Security Blog

I've had a very positive relationship with the folks at Intego. I still prefer their VirusBarrier X6 to the alternatives I've tested and continue to be a paying user. Their Mac Security Blog has been the best commercial source of Mac Security news I've found. Lately the blog has been expanding in some odd directions that have concerned me. You may find my comments there stating so. Nonetheless, their Mac security reports have consistently been on target, timely and insightful.

I continue to wish Intego would publish a list of known active Mac malware! They won't, sigh. No one will. It's the usual 'secret malware', 'go get your own' competition within the commercial anti-malware industry that irks me to no end. And yet, Intego have gone out of their way to help me whenever I've had specific malware questions. I am extremely grateful for their work within the Mac community and look forward to supporting them in the future.

VII) The NakedSecurity blog at Sophos

The Sophos blog covers a lot of computer security news and issues. As such, you're likely to find their articles to be slightly more obscure for the average Mac user. Nonetheless, I find their articles to be timely and interesting. They dive deep into what's going on in computer security today. For example, they're a great place to keep up with the latest DIY malware kits, aka Exploit Kits and Hacker Tools. All of this is increasingly relevant to Mac users as the cyber criminals in China, Russia, Iran and elsewhere become more Mac literate and more desperate to abuse both users and LUSERS alike.

~~~~~~~~~~

That's it for my quick Mac Security Information Resource List. Here are links to additional resources I recommend for those who wish to know more about computer security:

• Steve Gibson's 'Security Now' podcast @TwIT.TV
• Secunia
• SANS
• The Ed Bott Report
• Jeremiah Grossman's Whitehat Security Blog
• The Fishbowl: Dr. Charlie Miller's Weblog
• Trail of Bits: Dino Dai Zovi's Blog
• Adobe's PSIRT Blog

If you have other great computer security information resources, please post them in the comments!

Share and Enjoy,

:-Derek