Sunday, November 28, 2010

Mac Security Status Report,
Part I

--
Introduction:

As a non-expert at computer security, it's a bit silly to believe I can provide any comprehensive report of current Mac security. However, I don't see anyone else bothering. Instead I see a variety of niche groups and niche skill sets involved with Mac Security but not pulling the pieces together. I also hear incessant vacuous FUD attacks from frustrated sources who wish Mac OS X was even remotely as unsafe as Windows blatantly is. It's plain old propaganda, not unlike the worthless political rhetoric in the media attempting to divide people through the promotion of fiction and fear. :-P

Therefore, I'm not going to worry about the areas in which I lack insight. Instead I'm going to take a stab at it and do what I do best: Examine the overall system of Mac security, provide some relevant details, then offer my summary and conclusions. Never rely on only one source of information about anything. Lord help anyone who uses Fox News as their sole political information source. Equally, lord help anyone who uses my work as their sole Mac security information source.

I) A Critical Mac Problem, Inadvertently Provided Via My Pet Troll:


The IT Ignorance Factor

Every source of difficult information has its trolls. It's difficult for Windows users to face Mac OS X security facts. Mac OS X is the #3 safest operating system available. The two better operating systems are OpenBSD and FreeBSD. It is no coincidence that Mac OS X is built upon an Open Source foundation that is based in part on pieces of both OpenBSD and FreeBSD.

This upsets my pet troll very much and makes him angry. This month he calls himself 'Tom' the troll. He is an anonymous coward reader of the blog, unwilling to let anyone know who he is or his stake in propagandizing Windows over Mac. It's all entirely dull and predictable to me. Occasionally my pet troll attempts to post FUD commentaries into my blog. I take a look at them, laugh a while, then step back and consider what pieces of his dishonest propagandist point of view could be useful to me. This time he wanted me to listen to the 'woe is we' rantings of one Roger Grimes, a Windows apologist and security analyst paid by Microsoft. You can listen to this fellow yourself at:

SecureABit.com

Scroll down to episode #67 of their podcast. Most of the dull program includes commentary from Mr. Grimes.

This fellow pulls the usual pro-Microsoft, anti-Apple myth mongering and propagandist garbage. What is unique in my experience is his defeatist attitude regarding computer security. He says essentially that we're all screwed no matter what, but OpenBSD is the best we've got for operating systems, but darn it's too difficult to use for mere mortals, so use Windows. (o_0) Oh that makes (no) sense! He then tosses out 'The Grimes Corollary' that restates the 'Security Through Obscurity' myth. Been there, killed that, yawned.

However, I was able to pull out of Mr. Grimes' rants one useful comment. It is this: Enterprise IT technologists don't adequately, or in a timely manner, patch the computers under their care. They also allow their users to use simplistic passwords that are easily cracked. This is most particularly evident on Enterprise Mac computers. The reason why is simple: Enterprise IT technologists rarely bother to learn Mac security or enforce it. Therefore, Mr. Grimes tells his tale of enjoying visiting businesses that integrate Macs because so commonly the machines are not up-to-date with security patches and are using easily guessed passwords. I would assume he uses a dictionary attack program against them, which these days is extremely fast and effective. He also keeps track of all the reported Mac vulnerabilities and uses them against unpatched machines.

So here we have Macs, the safest GUI OS based computers available, being easily cracked via very basic techniques that anyone's granny could use. This is shameful. Mr. Grimes would like to blame the users for this state of affairs. But of course it is the IT technologists and the IT managers who are entirely to blame. Never, ever, expect a business user to be any kind of technology security expert. To do so is to literally invite into your business The LUSER Factor. I've covered this issue many times in the past. It is the main reason why Mac OS X has any malware at all and is the reason that nearly all Mac OS X malware are Trojan horses.

There is more going on in the Enterprise than just problems of 'the user', or what's 'between the chair and the keyboard'. In business the computer is a tool, and the tool master is the IT expert in charge of that tool. This leads me to create another descriptive phrase that I call The IT Ignorance Factor. This problem occurs due to a multitude of factors. I'll toss out a few of them:

A) The business does not provide adequate time and resources for adequate computer maintenance. IT people often pull out their hair trying to get biznizz types to comprehend technology. But the fact remains that not keeping computers maintained means directly damaging the company. There are multitudes of tales of woe. Here is one from today concerning the shockingly computer ignorant US federal government:

US embassy cables leak sparks global diplomatic crisis

If the government's IT 'experts' had been on the ball, this could not have happened. I strongly suspect that they were kept off the ball with the help of bad management. This is when IT technologists must become educators and stop the 'boss' from being an 'ass'.

B) Laziness. Clearly most IT technologists live in the Windows world. Why bother to learn that other platform if they don't have to? You've heard this illogic before.

C) Fear. It sounds odd, but many IT technologists have trouble enough dealing with Windows hell. They're scared to get involved with another platform, making things even more complicated, or so they illogically believe.

D) Arrogance. Most Mac users have met the know-it-all geek who is a gawd of Windows and sneers at Macs. Then of course when someone defends the Mac these stick-up-their-ass bozoids accuse Mac users of going all 'religious' or counter 'arrogant', ad nauseam... Therefore, of course such creatures are not going to bother to learn or apply proper Mac security methods.

There are of course more excuses and failings involved. Post your faves in the comments if you like.


Thus ends Part I. Further parts of my Mac Security Status of 2010 will include a summary of all the current active Mac malware, a summary of the consistent types of security vulnerabilities in Mac OS X, and a summary of the non-Apple security threats against Mac OS X. I'll be covering the Koobface/Boonana worm, the 'Evercookie' technique and how to combat it, as well as further coverage of the ongoing foolish attempt by the US federal government to backdoor every computer data encryption method.
--

Wednesday, November 17, 2010

Adobe CRITICAL Security Update
Of The Month Club

--
And now for something useful:

Adobe have posted their promised CRITICAL "out-of-band" security updates for Adobe Acrobat and Adobe Reader. The new versions are 9.4.1. If you use either of these applications, get the security updates now. Proof-of-concept exploits for the previous versions have been available for weeks.

You can read about the CRITICAL security updates here:

Security updates available for Adobe Reader and Acrobat

The direct download URLs, to save you from suffering Adobe's lunatic website:

Adobe Acrobat 9.4.1 Pro update

Adobe Reader 9.4.1 update - PPC

Adobe Reader 9.4.1 update - Intel

See you back here next month for the latest in "out-of-band" CRITICAL Adobe security updates!

Stay safe, stay secure, laugh at the FUD.
--

Hilarious Anti-Apple Security FUD Attack! By eWeek!

--
Lots going on this week, with me gathering up news from all corners. But when I see something as hilarious as this, I have to post it ASAP. It's one of the infamous slide show articles over at eWeek. What is hilarious is that it says nothing that wasn't shouted to the rafters in 2005 by Symantec when they were trying to prop up their worst-in-class anti-malware application for Mac OS X. What I am posting here is verbatim. I did NOT add any capitals. The SHOUTING is all theirs:

Security: Mac Malware Attacks Prompt Security Vendors to Rush Out Antivirus Tools
By Fahmida Y. Rashid on 2010-11-12
SECURITY VENDORS ARE SAYING THAT ATTACKS ON THE MAC ARE NOW SIGNIFICANT ENOUGH THAT APPLE USERS SHOULD INVEST IN ANTIVIRUS SOFTWARE FOR WHAT WAS ONCE THE "INVULNERABLE" PLATFORM. WITH KOOBFACE VARIANT BOONANA FRESH IN PEOPLE'S MINDS, THE CONCEPT OF A VIRUS ATTACKING MACS SEEMS LESS LAUGHABLE THAN IT DID EVEN TWO YEARS AGO. "MAC USERS MUST REMEMBER THAT LESS TARGETED IS NOT THE SAME AS INVULNERABLE," SAID RICHARD WANG, MANAGER OF SOPHOSLABS. THE THREAT IS STILL NOT THAT PREVALENT, WITH ONLY "ONE TO TWO" ATTACKS ON MACS EACH WEEK, COMPARED WITH THE "TENS OF THOUSANDS" PER DAY AGAINST WINDOWS PCS. MAC OS X HAS ONLY 10.6 PERCENT MARKET SHARE IN THE UNITED STATES, ACCORDING TO IDC AND GARTNER, BUT THE DAY HACKERS WILL FIND THE PLATFORM WORTH TARGETING IS NOT FAR OFF, VENDORS SAID. MAC ANTIVIRUS SOFTWARE IS NOT NEW, BUT IT USED TO HAVE A BAD REPUTATION FOR BEING RESOURCE-HUNGRY AND INCONVENIENT. THAT'S SOON TO CHANGE AS VENDORS RELEASE NEW MAC ANTIVIRUS TOOLS THAT ARE QUITE UNOBTRUSIVE. HERE ARE SOME OF THEM...
OMFG! MAC USERS ARE ALL GONNA DIE!

My usual point: NEVER has anyone but trolls said Mac OS X was "invulnerable" or anything similar. It's a propaganda trick: Make up a nasty, indicting quote with no attribution provided. Yes, Fahmida Y. Rashid of eWeek and Richard Wang of Sophos are acting like assholes. But this trick has been pulled countless times. Therefore, they're acting like unoriginal assholes. Just laugh.

I could do my usual lecture about the insane nature of the 'Security Through Obscurity' myth. If you care, go back a few years in my posts. Just know that Windows has over 1000x more malware than Mac OS X on a per user basis, which blows the stupid myth off the planet. Such silliness. But that's what happens when Marketing Morons get desperate to sell Sell SELL!
--

Wednesday, November 10, 2010

Firesheep Wi-Fi Warz

--
The Sheeple Are Burning

On October 25 a hacker tool was released for Firefox in the form of an add-on called Firesheep. It is extremely easy to install and use on Mac, Linux and Windows versions of Firefox. (I will not provide the link. Sorry.) It enables casual Firefox web browser users to spy on and doppelganger anyone who is connected to the Internet via a shared, open Wi-Fi connection. Simply connect your computer to the same open Wi-Fi connection and commence surveillance and identity theft.

It performs its dirty deeds by co-opting the cookies being sent in the clear from any victim's computer. It is not a thorough form of identity theft, but it is adequate while the hacker's computer remains within that open Wi-Fi connection. IDs and passwords are typically not sent in the clear. However, the Firesheep add-on is able to copy out of the air the cookies any user is sending to any website. The contents of the cookies may remain completely incomprehensible to the hacker. All that is required to literally "BE" the intercepted victim is the contents of that cookie. This means the hacker can access any active website connections and fake being that person through the use of their intercepted cookies. The hacker can do ANYTHING on those websites AS the victim. If at any point the website asks for password verification, such as when buying items from Amazon.com, the hacker is thwarted. Their identity theft stops dead at that point. However, anything else goes. This can create incredible havoc on the Internet.

At the time this article is being posted, well over HALF A MILLION PEOPLE have downloaded Firesheep. That essentially says it is becoming universal, endangering ALL unencrypted Wi-Fi connections to the Internet. And that was the purpose of creating and providing this add-on to the entire computer community.

The creator of this hacker tool is a Black Hat, which is to say that he bulldozes improvements in computer security by providing the means of exploiting a security hole to the world at large without any prior warning to anyone. To use a very mild metaphor, it is the equivalent of 'Tough Love' for computer users and software developers. In this case the desired effect is to lock up ALL Wi-Fi connections via encryption, ending forever open Wi-Fi connections.

There are two cures for this dilemma:

1) All websites must provide SSL encrypted connections at all times, not simply when a user logs in. This means that all websites would stop using merely HTTP connections and instead use only HTTPS connections between themselves and their users. This adds some minor overhead burdens but is entirely feasible. How long it will take the entire World Wide Web to catch up is the big question. The hope is that it will be immediate. But we're dealing with humanity here, therefore...

2) All Wi-Fi connections must require WPA account encryption. This means that all users of an 'open' Wi-Fi connection site must have and use a password in order to access the Wi-Fi hub. Surprisingly, this is an incredibly simple thing to do with nearly all modern routers. (Older routers that only use WEP encryption are SOL). Everyone making a connection to the router can use the exact same password! Routers know the MAC address of every device that connects to them. This allows them to keep each and every connection entirely separate. The fact that each connection uses the same password provides almost perfect separation of users while providing unbreakable (at this time anyway) encryption.

Here's how cure #2 would work at Starbucks: A simple sign is provided at the counter that says something to the effect of "To access Starbucks' Wi-Fi connection, please use the password 'starbucks'." That's it! Simple.

Since Firesheep was let loose for the average computer user, there have been plenty of happy stories of users speaking to the manager of shops that provide free Wi-Fi and asking them to turn on WPA account encryption. For anyone familiar with setting up Wi-Fi routers, turning on WPA is trivial. The shop managers have been happily changing their router setup and killing off the Firesheep threat. I strongly suggest that you do the same EVERYWHERE you go with your Wi-Fi device.

WEP encryption, unfortunately, was created in haste and provides NO SECURITY. It is trivial for hackers to obtain tools that can break into WEP encryption within less than a minute. It is expected, in fact, that future versions of Firesheep or similar hacker tools will include a WEP cracking tool.


The Next Best Thing To A Cure


I knew further shoes were going to drop regarding this subject. I just found out this evening that a helper tool has been provided by Zscaler that can warn you when there are Firesheep prowling around in an open Wi-Fi connection. Once again it is a Firefox add-on. Its name is Blacksheep. (Why black? Read back in the article about Black Hat hackers.)

Below is a quote from our pals at the SANS Institute from SANS NewsBites Vol. 12 Num. 89:
--Firefox Extension Warns users When Others are Using FireSheep (November 8, 2010)
Researchers have released an extension for Firefox that detects when computers on a local area network are using FireSheep, a tool that steals unencrypted cookies from websites. Called BlackSheep, the extension alerts users by displaying a message telling them that someone is using FireSheep and providing the LAN IP address of the FireSheep user. FireSheep was created and released to draw attention to the lack of encryption for session cookies on many popular websites.
http://www.theregister.co.uk/2010/11/08/firesheep_detection_tool/
[Editor's Note (Northcutt): Interesting, dueling plug-ins. For the moment this is quite limited as you can install FireSheep and BlackSheep on the same computer only if you use different Firefox profiles. The duel would be over unencrypted LANs:
http://www.zscaler.com/blacksheep.html ]
The Blacksheep add-on page provides instructions and a video showing it in action.

Also of interest: Microsoft, Intego and other anti-malware providers have added Firesheep to their list of detected 'malware'. This is IMHO a weak move as Firesheep is NOT malware. It is a hacker tool that requires deliberate installation by the hacker and has no user-based malware behavior whatsoever. However, parents or employers would be interested to know about the hacker behavior of their children or employees.

Do NOT consider Blacksheep to be any kind of cure! It is merely a defensive tool when you're STUCK at an unencrypted Wi-Fi spot, such as the Airport or wherever they are too clueless to turn on WPA encryption, or they don't know how, or they're stuck with worthless WEP encryption on their router. Do NOT consider Blacksheep to be thorough defense! It is not. I personally would only use it out of desperation.

The best defenses against having your cookies stolen and your ID doppelgangered when you're STUCK in an open Wi-Fi spot are to:

1) Never log into anywhere that does not provide end-to-end HTTPS/SSL encryption. An example would be Google's GMail. You can't turn off HTTPS at the GMail site if you try! That's the way it should be everywhere.

2) Remember that eMail provides NO SECURITY apart from possibly an SSL connection to and from your eMail server. Otherwise, everything you email is in the clear for anyone to read. These days I think of some dorky, bored CIA/NEA/FBI human intercepting everything I email and reading it. I even write them little notes from time to time to set off their keyword alarms just to wake them up. Unconstitutional as it is to invade any US citizen's privacy, the Bush League set the precedent for breaking the law anyway, and sadly the Obama administration is goose stepping right along to the same deranged tune. I have further rants on such subjects at my zunipus blog.

The safest thing to do when you're STUCK at an open Wi-Fi spot is to merely browse happy, smiley, shiny websites for fun, not for work, not for financial interactions, not anywhere a hacker could steal your identity. With Firesheep they are you anywhere you go on the web.
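The cookie hijack described in the Firesheep section above, cure #1 (HTTPS everywhere) and defense #1 in the list just above all come down to one rule: a session cookie must never travel over plain HTTP. Here is a small Python audit, added here as an example and not part of the original post nor of Firesheep or Blacksheep, that checks a server's Set-Cookie header for the Secure attribute, shows the hardened form, and scans a proxy-style request log for cookies that went out over http://. The cookie names, hosts and log format are constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Cookie names that usually carry a login session. Constructed for this
# example; extend it with the names the application you audit actually uses.
SESSION_NAMES = {"sessionid", "sid", "phpsessid", "jsessionid", "c_user", "xs", "datr"}


def looks_like_session(name):
    """Heuristic: is this the kind of cookie a Firesheep user would replay?"""
    n = name.lower()
    return n in SESSION_NAMES or "sess" in n or "auth" in n or "token" in n


def audit_set_cookie(header_value):
    """Findings for one Set-Cookie header value as the server sends it.

    A session cookie without the Secure attribute is attached by the browser
    to every plain http:// request to that host, which is exactly the traffic
    someone on the same open Wi-Fi can read.
    """
    findings = []
    jar = SimpleCookie()
    jar.load(header_value)
    for name, morsel in jar.items():
        if not looks_like_session(name):
            continue
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure flag, browser will send it over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly flag, readable by page scripts")
    return findings


def harden_set_cookie(header_value):
    """Return Set-Cookie values with Secure and HttpOnly set on session cookies.

    Secure is the attribute that matters against a Wi-Fi sniffer; HttpOnly
    does not stop sniffing but closes the separate script-access route.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    for name, morsel in jar.items():
        if looks_like_session(name):
            morsel["secure"] = True
            morsel["httponly"] = True
    return [m.OutputString() for m in jar.values()]


def find_cleartext_cookies(request_log):
    """Return (host, cookie name) pairs for every cookie sent over http://.

    Log format is constructed for this example: a request line
    'METHOD absolute-URL HTTP/1.1' followed by that request's header lines.
    """
    exposed = []
    scheme = host = None
    for raw in request_log.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("GET", "POST", "PUT", "DELETE"):
            url = urlsplit(parts[1])
            scheme, host = url.scheme, url.netloc
        elif line.lower().startswith("cookie:") and scheme == "http":
            jar = SimpleCookie()
            jar.load(line.split(":", 1)[1].strip())
            exposed.extend((host, name) for name in jar)
    return exposed


# Constructed sample data: a login cookie set without Secure, and a browser
# session where one site is used over http:// and another over https://.
SAMPLE_SET_COOKIE = "sessionid=7f3a9c; Path=/; HttpOnly"
SAMPLE_LOG = """\
GET http://social.example/home HTTP/1.1
Host: social.example
Cookie: c_user=100023; xs=ab12cd; datr=zz9
GET https://mail.example/inbox HTTP/1.1
Host: mail.example
Cookie: sid=deadbeef
"""

if __name__ == "__main__":
    print(audit_set_cookie(SAMPLE_SET_COOKIE))
    print(harden_set_cookie(SAMPLE_SET_COOKIE))
    print(find_cleartext_cookies(SAMPLE_LOG))
```

Only the http:// site's cookies are reported; the https:// session never left the machine in the clear, which is the whole point of cure #1.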

Stay safe kids! And watch out for sheep.

;-Derek
--

Smartphone Bank App Security Problems

--
The benefit of Apple having a closed App Store is their scrutiny of all applications submitted. This has helped maintain a superior security record for the iPhone versus any Android phone. However, a big hole in Apple's vetting system has become evident whereby all smartphone users have been put in danger by poorly designed and coded banking applications. Thank you to the SANS Institute for bringing this issue to my attention in SANS NewsBites Vol. 12 Num. 89:
--Security Flaws in Smartphone Banking Apps (November 5, 2010)
Researchers have found that several banking applications for Android and iPhone contain security flaws that store account information in plaintext. Attackers could potentially steal sensitive data by luring users to maliciously crafted websites designed to find the information. Of the seven applications inspected in the study, just one, from the Vanguard Group, did not store information in plaintext. The institutions were notified of the problems and reportedly have taken steps to fix the flaws.

http://www.wired.com/threatlevel/2010/11/bank-apps-for-phones/
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228200291
[Editor's Note (Pescatore): The Android phone world seems to be trying to compete with the iPhone by saying "Droid does anything - no restrictive App Store." The reality is that the Apple iPhone could actually compete by making the bar a bit higher for iPhone apps, to make sure that the apps don't do silly things like storing account info or passwords in the clear on the phone. I think users are very comfortable with "only" having 20 Tetris games to choose from if they know that none of the 20 are going to send their information to identity thieves.]
Dear Apple,

Please vet submitted Apps more thoroughly for security flaws. Much appreciated!

Dear Google,

'Anything goes' does not trump application security.
--

Friday, November 5, 2010

Evercookie,
Koobface boonana worm Trojan,
Firesheep and MORE!
Oh My

--
There are four ongoing scary security monsters threatening ALL the popular computer platforms this month. By that I mean they affect Mac, Linux and Windows. At the moment, there is nothing dire or critical about them. But each of them is nasty in its own way.

I've been holding off tackling each of them in order to gather day-by-day new information and to wait for 'the other shoe' to drop from each of them. I expect they're all going to be annoying aspects of our computer lives for quite some time to come. I'll be devoting an article to each of them individually. But first I want to introduce you to our gang of circus animals:

I) A round of applause for the Black Hat creation known as the EVERCOOKIE. Essentially, it is a collective set of methods for spying on your web browser behavior, able to renew itself despite actions you take to prevent it. Stopping this monster can be annoying and complicated. I'll discuss the currently known tricks.

II) Next up in circus ring number 2 is the latest in Java insecurity. As per usual, the utterly chaotic computer security community can't agree upon a name for the thing. Having reviewed the data, I am going with the name Intego are using: Koobface. Because of its various activities, it can be called a worm, a Trojan horse, a root kit, a back door AND a bot. Because its primary interface to the user (or 'LUSER' in this case) is as a Trojan horse, I am unofficially going to refer to it as Trojan.OSX.Koobface.A. Apparently a second version has just been discovered, which I will call Trojan.OSX.Koobface.B. Meanwhile, you are bound to see the exact same thing also called the 'Boonana' Trojan. (o_0)

III) In the third ring of our circus of naughtiness is Firesheep, the Black Hat extension for Firefox that simplifies the long-standing ability to spy on and doppelganger anyone connected within the same unencrypted Wi-Fi connection. It's not just for hackers any more! This one piece of software has sparked an Internet encryption revolution, or so I'd like to believe.



IV) But wait! That's not all! Get a load of the latest idiotic idea from The Corporate Oligarchy! They want government access to ALL things encrypted. Say goodbye to Internet privacy! George Orwell's '1984' Big Brother has arrived and you're going to want to kick him in the balls! Anti-privacy efforts have become that invasive and deviant. The control freaks are out to run our lives.
(>_<) ACK!

So hang onto your propeller beanies while, during the next few days, I cover each of these gnarly subjects relevant to the future of Macintosh computer security.

Oh fracking my!
--

Thursday, November 4, 2010

Adobe Flash Player 10.1.102.64 CRITICAL Update

--
THIS MONTH'S critical Adobe Flash Player update for Mac OS X is available a few days ahead of schedule. Thank you Adobe! It patches 18 security holes.

Security update available for Adobe Flash Player
Critical vulnerabilities have been identified in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.95.1 for Android. These vulnerabilities, including CVE-2010-3654 referenced in Security Advisory APSA10-05, could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.102.64. We expect to make available an update for Flash Player 10.x for Android by November 9, 2010. . .
The download link is HERE.

NOTE: We're still waiting for CRITICAL security updates for Adobe Reader 9.4 and Adobe Acrobat 9.4. You can read details about the ongoing security problems HERE.
--