
A few days ago, on Friday, we brought you word of PayPal’s decision to block browsers that lack built-in anti-phishing measures from using the site. The idea behind it is that if people are unable to use PayPal with their subpar browsers, they’ll switch to one that is more secure (like, perhaps, Internet Explorer 7).
Given that PayPal has already singled out Safari for its lack of such a feature in the past and they made no specific comments regarding Safari this time round, we (along with the rest of the media) naturally assumed that this move would block the majority of Mac users from accessing the website.
However, Ben Worthen of The Wall Street Journal brings us word today that our favorite little web browser has been spared the wrath of PayPal and isn’t among the list of soon-to-be-banned web browsers. I guess someone high up in the PayPal administration got a friendly call from the Apple CEO.
Apparently, they’ll only be blocking “old browsers and old operating systems”, so unless you’re using Windows 95 with Internet Explorer 4.0, we think that you have nothing to worry about. If you are indeed using those, then, my dear friend, you have bigger problems than just not being able to access PayPal.
[Via MacDailyNews]
What. The. Hell. Paypal. So, just because you ragged on Safari for not having anti-phishing features, you’re going to block them from your site. We have a word for that, but it’s not printable on this blog, so use your imagination. No, worse than that. There you go.
At last week’s RSA security conference, PayPal (which, in case you were unaware, is owned by the folks at eBay) Chief Information Security Officer Michael Barrett presented a paper (PDF link) on the topic, filled with choice analogies like this:
Letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.
I’m not trying to begrudge the seriousness of identity theft in today’s world, but that seems a little extreme.
According to Barrett, there are two features that web browsers must have in order to pass muster: blocking known or suspected phishing sites, and support for Extended Validation certificates (SSL certificates that a CA issues only after verifying the legal identity of the site’s operator; a supporting browser shows the verified company name and, in IE7 and Firefox 3, a green address bar). Those on non-compliant browsers, such as Safari, will first be warned, then later blocked.
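The first of Barrett’s two features is harder than it sounds: a phishing blocklist is only as good as the URL canonicalisation in front of it, because phishing mail leans on URL forms that look like the real site but resolve somewhere else. The Python below is an added example, not code from the original post, from PayPal or from any browser; the blocklist entries and the URLs fed to it are constructed for illustration.

```python
"""Phishing blocklist lookup with URL canonicalisation (added example).

The blocklist and the test URLs are constructed for illustration; real
browsers use feeds such as a safe-browsing service and match many more
URL forms than are shown here.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed blocklist: registered domains and IPs known to host phishing
# pages. Subdomains of a listed domain are treated as listed too.
PHISH_DOMAINS = {"paypal-secure-login.example", "ebay-verify.example"}
PHISH_IPS = {"192.0.2.10"}  # RFC 5737 documentation address


def canonical_host(url: str):
    """Return the host an http(s) URL really points at, or None.

    Handles the tricks phishing mail relies on: userinfo that looks like
    the real site ("http://www.paypal.com@evil/"), mixed case, explicit
    ports, trailing dots, percent-encoded dots, integer-encoded IPv4
    addresses ("http://3221225994/") and internationalised domain names.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    try:
        host = parts.hostname  # drops userinfo and port, lowercases
    except ValueError:         # malformed IPv6 literal
        return None
    if not host:
        return None
    host = unquote(host).strip().rstrip(".")
    if not host:
        return None
    # A bare decimal or 0x-hex integer is an IPv4 address. Older browsers
    # also accepted octal and partial dotted forms; those are not handled.
    try:
        if host.startswith("0x"):
            n = int(host[2:], 16)
        elif host.isdigit():
            n = int(host, 10)
        else:
            n = -1
        if 0 <= n <= 0xFFFFFFFF:
            return str(ipaddress.IPv4Address(n))
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_address(host))  # normalises dotted/IPv6 forms
    except ValueError:
        pass
    try:
        return host.encode("idna").decode("ascii")  # unicode -> xn-- labels
    except UnicodeError:
        return None


def is_phishing(url: str) -> bool:
    """True if the URL's canonical host is on the constructed blocklist."""
    host = canonical_host(url)
    if host is None:
        return False
    if host in PHISH_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in PHISH_DOMAINS)


if __name__ == "__main__":
    for u in (
        "http://www.paypal.com@paypal-secure-login.example/cgi-bin/webscr",
        "https://PAYPAL-SECURE-LOGIN.example.:8443/",
        "http://3221225994/",
        "http://0xc000020a/",
        "https://www.paypal.com/",
    ):
        print(is_phishing(u), u)
```

The point of the example is the order of operations: every lookalike form is reduced to one host string before the blocklist is consulted, so the list itself only ever needs to hold the registered domain or the dotted-quad address. Compare against the blocklist after canonicalising, never before.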
From my experience, PayPal and eBay are both commonly used in phishing emails, so I can understand why they’re eager to institute more security. But putting the burden on browsers to comply with safety regulations seems a little bit like passing the forged buck to me.
Think I’ll go see what Google Checkout is up to…
We of the Mac Elite love to tout the fact that Mac OS X is hella (yes, I said hella) secure — no real virus threats, or serious exploited vulnerabilities, or miscellaneous malware of virtually any kind. Most of us don’t use anti-virus software or firewalls, and hell, I have a big sign on the lid of my AirBook that says “Go ahead. Try to hack me. I dare you.” I download known Windows viruses for fun, just to play with the files and amuse myself with the comfort of knowing that it can’t do anything to me.
Of course, some have told me my feelings of digital safety are misguided; that somehow I only have the illusion of safety and one day this apathetic approach to computer security is going to seriously bite me in the ass. Fear-mongering, if you ask me.
But just to be on the safe side, I recommend we all take a look at this great piece at Ars Technica detailing some basic ways to secure Mac OS X. Most of the tips and techniques use features that are already built into OS X, and the piece includes info on how to tighten the built-in firewall, set up security-oriented user accounts, take full advantage of the Mac’s included security options, and more. Plus, it’s three pages, so it has to be good, right?
If we’re secure now, imagine how secure we’ll be if we follow this simple advice. Talk about arrogance overload. I might explode.
We’ve got a little over six months until Halloween, but that doesn’t mean that there aren’t spooktastic happenings all over the place. Antivirus maker Sophos is warning of a piece of “scareware” that’s floating around for the Mac, called “iMunizator” (I think there’s an “immunize” joke in there…somewhere).
Far more common on Windows than OS X, “scareware” refers to programs that run “scans” and then inform you about problems on your computer—which you can conveniently “fix” by purchasing the full version of their “application.”
Frankly, we thought in this case the “scare” part might be a side effect of the program’s achingly bad user interface—an interface that has reputedly already caused more than one Mac developer to intentionally blind themselves.
The app, which Sophos describes as a “Trojan”, is said to be closely related to another similar program called “MacSweeper,” which was using ads on British TV sites as an attack vector.
We suggest our patented MacUser rule of thumb: think of banner ads as bums with signs. Would you take a “scan” from a bum with a sign? No? There you go. Now, if you’ll excuse me, I need to replenish my supply of sarcastaquotes™.
[via Macworld]
As we mentioned last month, the CanSecWest security conference is running a hacking competition on Vista, OS X, and Linux. News just in from day two of the PWN 2 OWN contest suggests that OS X has fallen at the hands of Dr. Charlie Miller, a security researcher from Independent Security Evaluators (and former NSA employee), who’s perhaps best known for demonstrating a Safari security vulnerability on the iPhone last July.
There were no winners on day one of the contest, which limited attacks to remote forays over the network with no user interaction. Day two opened the door to client-side attacks: contestants could have the organizers visit a web site or read an email on the target machine, with only the software in the default install in play (rules prohibited any additional software from being installed). Miller was the first to give it a shot; when the contest directors visited his site, he was reputedly able to use his exploit to take control of the computer.
The exploit means that Miller will take home $10,000 as well as the MacBook Air that he successfully hacked—had a participant managed to win on the first day, they would have gotten $20,000 from sponsor TippingPoint. Miller was also required to sign an NDA which prevents him from giving out details on the exploit until Apple is informed.
This is scary stuff, to be sure. Last year at the same event, researcher Dino Dai Zovi won the prize with a vulnerability in QuickTime, reached through Safari; his method also involved visiting a malicious URL. Despite that, we anticipate a prompt fix from Apple once they’re alerted; they patched Dai Zovi’s bug roughly two weeks later. So don’t break out the duct tape and emergency rations just yet.
[Glenn F. via Twitter; Image via New York Times]
Apple has released Security Update 2008-002 v1.1 for Leopard client and Leopard server. Here’s what Apple has to say about this stunning new release:
Security Update 2008-002 is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update.
Not really sure what kind of security improvements this entails, but one can never be too secure, right? Right. You can download the update by opening Software Update from the Apple menu, or by downloading the client or server installer package from the Apple Downloads website.
If you’re a voracious Aperture or iPhoto user and love to play with (okay, have to work with) RAW formats, you’ll be glad to know that Apple has released Digital Camera RAW Compatibility Update 2.0 today, which extends RAW file compatibility for both Aperture 2 and iPhoto ‘08 for the following cameras:
Even if that is not much of a priority for you, Apple highly recommends that you download this 2.3MB update because it contains a fix for a scary-sounding security vulnerability.
Apparently, opening a maliciously crafted image could ultimately lead to “arbitrary code execution” and, trust us on this one, as much fun as it sounds, it’s not a good thing: the attacker’s code runs with whatever privileges the application that decoded the image has.
Fire up Software Update or get downloadin’ from Apple’s support website.
Roger L. Kay, over at BusinessWeek, has a beef with Apple. In a short article composed mostly of whimsical allegations unsupported by any sources (with a pinch of unicorn dust), he lays blame on Apple for being pompous about security and making fun of Microsoft in their “Get a Mac” ad campaign. Roger seems to think that the tables are turning now and Apple is in for a taste of its own medicine.
For years, Apple’s marketing has consisted of accentuating the positive and ignoring everything else.
Unlike, say, every other company’s advertising. There’s a reason why we have marketing and advertisement: they’re meant to convince you, the consumer, to go out and buy the product—the last thing any company seeks to do in an advertisement campaign is be honest. Self-righteousness sells products. Honesty makes you friends in a book club.
Apple sold nearly 7.8 million Mac desktop and laptop computers in 2007. That’s a 37% gain over the number sold in 2006 and well more than double the 2001 volume. It’s little surprise then that reports of Mac viruses have been rising steadily.
In Roger’s little dream world, where Microsoft is the knight in “heavy armor,” maybe—but in the real world, the only Mac viruses we know are the desktop-crumbling, Sudden Motion Sensor-powered awesome displays of hacking genius. Apparently, it’s easy to write that Mac viruses are on the rise but maybe a bit too inconvenient to actually provide links to stories that support that theory.
Yesterday’s Security Update 2008-002 brought with it a lot of handy patches, but some users ran into trouble trying to run command-line versions of ssh: the programs would crash pretty much instantly. And here I thought that was a feature. My mistake.
The issue was eventually tracked down to Instant Hijack, a component used by several of Rogue Amoeba’s programs: Audio Hijack, Nicecast, and Airfoil. A bug in Instant Hijack combined with an updated version of ssh that took advantage of a new Leopard security feature appear to have created a perfect storm.
Fortunately, the Rogue Amoeba crew has responded in the prompt and professional manner that we expect from them, issuing updates for all affected software. So if you don’t enjoy repeatedly crashing ssh and sftp (and if you don’t, how can you say you’ve been living?), hie yourself over to Rogue Amoeba’s site and get a’downloadin’.
We are pretty psyched about the changes brought by Security Update 2008-002. Amongst diverse patches for the likes of AFP Client, Apache, Emacs, and mDNSResponder we also get wonderful improvements such as an updating of the German translation for the firewall. Here’s das skinny:
The “Set access for specific services and applications” radio button of the Application Firewall preference pane was translated into German as “Zugriff auf bestimmte Dienste und Programme festlegen”, which is “Set access to specific services and applications”. This might lead a user to believe that the listed services were the only ones that would be permitted to accept incoming connections. This update addresses the issue by changing the German text to semantically match the English text. This issue does not affect systems prior to Mac OS X v10.5.
Excellent. This isn’t the first time that Apple’s changed the text in the firewall system preferences pane; they updated the English back in 10.5.1 as well.
If you’re looking to grab the download, it’s available via Apple’s download site or Software Update in multiple flavors of security deliciousness.