Wednesday, May 20, 2015

Apple's First Watch OS Security Update: v1.0.1

--

Apple has released the first security update for the Watch via Watch OS 1.0.1 You can read the security content document here:

About the security content of Watch OS 1.0.1

Included in the update are eight Watch OS Kernel patches, some of which are critical. There are also another couple patches that protect Kernel data. Also patched was the good old FREAK/Logjam security hole caused by the potential use of decrepit RSA encryption algorithms in HTTPS Internet communication.

For fun, here is the document for CVE-2015-1067, 'FREAK':

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1067

The document provides links to all of Apple's previous FREAK patches.

If you're interested in why FREAK/Logjam remains a worldwide problem, as well as its more recent implications, Dan Goodin at Ars Technica wrote a relevant article last week:

HTTPS-crippling attack threatens tens of thousands of Web and mail servers
Diffie-Hellman downgrade weakness allows attackers to intercept encrypted data.
The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties.
"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for," J. Alex Halderman, one of the scientists behind the research, wrote in an e-mail to Ars. "That's exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web."
IOW: Politics as a security hole. :-P

--

Monday, May 18, 2015

LUSER Factor Strikes Again

--

The most appalling term I use on this blog is 'LUSER'. I capitalize it to emphasize it. The LUSER Factor is that one security hole that can never be patched. All we can do is guard against it as a problem source from others and a problem source from ourselves. 

Brian Krebs wrote a great article last week specific to the LUSER Factor:

Starbucks Hacked? No, But You Might Be
... Those customers had all chosen to tie their debit accounts to their Starbucks cards and mobile phones. Sullivan allowed in his story one logical explanation for the activity: These consumers had re-used their Starbucks account password at another site that got hacked, and attackers simply tried those account credentials en masse at other popular sites — knowing that a fair number of consumers use the same email address and password across multiple sites.
Protect yourself from yourself and sort out your passwords. All of them must be different. All of them must be as random and unguessable as possible. Store them all up in a password protection program like 1Password or LastPass. Learn how to put the OS X Keychain to good use.




--

Tuesday, May 12, 2015

Installer Adware Infestations: MPlayerX...

--

An old plague on the Windows platform is now infesting the Mac platform: Nefarious ADWARE.

I want to bring attention to Thomas Reed's 'The Safe Mac' new article about an adware infection in the MPlayerX installer:

MPlayerX adware behaving like malware!

Marketing moron crooks are making it tougher to stop them from shoving adware onto victim's Macs or to identify when the infecting installers are dangerous. This is the same bad attitude as the spamrats. Therefore, my new term for these vermin is adwarerats.

As I've covered previously, it's important to avoid software download websites that deliberately infect installers with malware. At this point, these are the three safe download sources I use every day:

MacUpdate
MajorGeeks Mac
Apple's Mac App Store

Evil Download Mirror Sites

Recently, I've seen mirror sites for innocuous application downloading infesting those downloads with 'installers' that hide the actual application you wanted to install behind an adware installer. I personally experienced this when attempting to download the FrostWire application from it's source website. For the download, my browser was passed along to a mirror site that then dumped on me a fraudulent installer. (FrostWire does not actually have an installer! It's installation is simply a drag and drop into your Applications folder). Knowing something was wrong, I dug into the 'Installer' and found it was simply a script that triggered the further downloading of:

A) ZipCloud adware.
B) FrostWire AFTER the adware had been installed.

Installing the ZipCloud garbage was required before I could actually get at the FrostWire installation.

IOW: We're now in a state of Man-In-The-Middle meddling with the installation of Mac software.

If you've been the victim of CNET's AWFUL Downloads.com (formerly dear old VersionTracker), you know this story already. This intervention between you and what you want to download and install is now standard at that horror of a website.

CONCLUSION:

If you download an application from any website (as opposed to Apple's Mac App Store), and you're confronted with an 'Installer', BE WARY. 

If that 'installer' attempts to download and dump on you ANYTHING other than what you intended to install, STOP THE INSTALLATION and complain to the source download website.

Adware is NEVER acceptable, unless you specifically ASK for it to be installed. Never let an installer shove that crap on you, with or without asking you.

Yes, marketing morons ARE out to get us. It's called Customer Abuse. Please join in the effort to wipe this crap out of the Mac community.

One concept: If you run into one of these evil mirror sites for download, post their URL here as a comment. I'll happily test them out, share my results, and raise a loud noise to have that site firebombed, metaphorically speaking.

And as usual, the best way to find and remove adware from your Mac is to use Thomas Reed's Adware Medic. It's donationware. It's excellent.

:-Derek

--