
Intego passed along word about a new variant of a trojan horse, called OSX.RSPlug.D. Like many trojan horses, it relies upon social engineering to catch its victims. Upon visiting a pornographic website (cough), you’re prompted to install a new plugin to handle content.
Naive users click OK, let the disk image download, and then either the installer opens on its own and they click through it, or they launch it themselves. If you’re savvy you’ll click Cancel, but then you’re nagged by a dialog with only an OK button that sends you right back to the original prompt.
Obnoxious. The only ways out are to accept the download or to quit the browser. The correct choice should be obvious (hint: quit the browser).
While I appreciate Intego’s continued vigilance and their reminder that their own Virusbarrier X5 will protect against this threat, I do find it amusing that I got three emails from them yesterday. The latter two were information about this malware (much appreciated). The first was an announcement about their involvement at Macworld Expo. The first two emails were separated by mere hours.
I’ve bemoaned Safari’s lack of anti-phishing features for a while now to anyone who will listen (and sometimes even for Macworld). For those of you who aren’t as paranoid as I am, phishing is a type of attack that typically involves a fraudulent email which appears to be from a legitimate source (perhaps your bank or eBay). Clicking a link in one of these emails takes you to a Web site crafted for one purpose: to steal your login information. The Web site looks legit, but it is, in fact, nefarious.
It looks like someone in Cupertino was listening to my frequent caterwauling. Apple yesterday released Safari 3.2, which addresses a number of security issues (detailed here) and also adds a new setting in the Safari Security preferences: ‘Warn when visiting a fraudulent website.’ Finally, Safari offers the same protection that the other major web browsers have had for a while now.
Safari 3.2 is available via Software Update or you can download it directly for Tiger, Leopard, or Windows.
Also worth noting is this Knowledge Base article that Apple recently posted. It outlines a few tips that will help you figure out if an email is legit or if it is a phishing attempt (the article is aimed at MobileMe users, but many of the tips are helpful to anyone who uses email).
When using wireless technology, security is important. Anybody within radio range can observe the traffic between your computer and your router. The only thing keeping your data private (unless it’s otherwise guarded by something like SSL) is the encryption you’ve set up on your router. WEP is about as strong as a wet tissue. We’ve relied on WPA being strong to keep our data safe.
It turns out that depending on how you’ve configured WPA, it may not be as safe as you thought. Researchers have found a way to attack WPA connections that use TKIP. For now it only lets the attacker decrypt short packets sent from the router to a client (and inject a handful of forged ones); it does not recover your WPA passphrase or the network key, and it relies on the router’s QoS (WMM) feature being enabled. The attack takes the researchers roughly 12 to 15 minutes.
For now, if your equipment supports it, configure your router for WPA2 with AES (CCMP) only. A mixed WPA/WPA2 or TKIP+AES mode still offers TKIP to clients, so it still exposes you. This latest crack doesn’t work against AES, as it relies on a weakness in TKIP’s integrity check. More details will be revealed at PacSec next week.
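To make the “check your router” advice concrete, here is an added example (not from the original post) for an access point run by hostapd: a constructed config that still allows TKIP beside the WPA2-with-AES-only version, plus a small linter that flags the weak settings. The hostapd option names (wpa, wpa_pairwise, rsn_pairwise) are real; the SSID, passphrase and interface are made up.

```javascript
// Added example: detect TKIP in a hostapd.conf. Constructed configs below.

// Weak: wpa=3 is "WPA and WPA2", and TKIP is offered to both kinds of client.
const weakConfig = `
interface=wlan0
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=correct horse battery staple
`;

// Hardened: WPA2 (RSN) only, AES-CCMP as the only pairwise cipher.
const hardenedConfig = `
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
`;

// Parse key=value lines, skipping blanks and '#' comments.
function parseHostapd(text) {
  const cfg = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Return a list of findings; an empty list means "WPA2 with AES only".
function lintWpa(text) {
  const cfg = parseHostapd(text);
  const findings = [];
  // hostapd's "wpa" is a bit field: 1 = WPA, 2 = WPA2/RSN, 3 = both.
  const wpa = Number(cfg.wpa || 0);
  if (wpa === 0) {
    findings.push("no WPA/WPA2 configured (open or WEP network)");
    return findings;
  }
  if (wpa & 1) findings.push(`WPA (version 1) still accepted: wpa=${cfg.wpa}`);
  const ciphers = (s) => (s || "").split(/\s+/).filter(Boolean);
  const wpaCiphers = ciphers(cfg.wpa_pairwise);
  // rsn_pairwise defaults to the wpa_pairwise value when it is not set.
  const rsnCiphers = ciphers(cfg.rsn_pairwise || cfg.wpa_pairwise);
  if ((wpa & 1) && wpaCiphers.includes("TKIP")) findings.push("TKIP allowed for WPA clients");
  if ((wpa & 2) && rsnCiphers.includes("TKIP")) findings.push("TKIP allowed for WPA2 clients");
  return findings;
}

console.log("weak:", lintWpa(weakConfig));
console.log("hardened:", lintWpa(hardenedConfig));
```

The fallback from rsn_pairwise to wpa_pairwise matters: a config that says wpa=2 but only sets wpa_pairwise=TKIP is still a TKIP network, and the linter reports it as such.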
Look, up on the web. It’s a PDF, it’s a book, it’s…a Superguide! The latest Macworld Superguide is out, and it’s devoted to an issue near and dear to our hearts: security. We all know Macs haven’t had quite the level of exposure to security problems as our Windows friends, but that’s no reason to be complacent. It’s a dangerous world out there, and software and hardware are only one part of what’s actually risky.
Macworld’s collected a host of security tips and tricks into an 84-page Mac Security Superguide that covers everything from web browsing safely to keeping your data secure. And it features contributions from a bunch of knowledgeable Mac folks, including security experts like Rich Mogull, Glenn Fleishman, and our very own Scott McNulty.
You can pick up the Mac Security Superguide as a downloadable PDF for $9.95; if you want to grab a CD-ROM copy, it can be yours for $12.95; and if you want the physical paperback book (pocket-sized, so you can take it wherever you and your Mac go), it’ll run $19.95. To try before you buy, you can download a free 1.2MB sample, which includes the full table of contents and a handful of sample pages.
It’s not just that i want to be a spy—though I do, badly—but I just love encryption. I wrote a paper on it in college. I took an online course about it when I was working in IT. I read Neal Stephenson’s epic Cryptonomicon. I kind of even want to name a band “Diffie-Hellman Key Exchange.”
So you can see why the promise of TaoEffect’s new folder-encryption program Espionage might appeal to me on many levels. The $15 application is designed as a lightweight replacement for those who don’t need the extensive powers of FileVault. Espionage integrates with the Finder and allows you to encrypt folders with AES 128-bit or 256-bit encryption (you can also choose to password protect some folders rather than encrypt them). There’s even full support for Spotlight and Growl integration. And because you’re not encrypting your full home directory, as with FileVault, you won’t fall prey to the constant performance hit upon logging in or shutting down.
Of course, the basic tenets of encryption apply: for example, be careful not to lose your password, or else you’re screwed—but don’t put it on a sticky note next to your computer. Unless you want to get laughed at by all the other spies. Those guys can be merciless.
Regardless of how you may feel about anti-malware software developers for the Mac platform, you have to appreciate that Intego is warning Mac users about a piece of so-called anti-malware software, MacGuard, that’s at best completely ineffective and at worst sells your bank and other personal information. At the time of writing, the site was locked behind a password prompt.
MacGuard is part of a growing trend that preys on inexperienced, naive computer users who, in an attempt to guard against the evils of the internet, download exactly the kind of software they were trying to guard against. It’s yet another example of social engineering.
As OS developers like Apple and Microsoft get more clever and close up security holes, the real threat will be from software that preys on probably the weakest link in any security system, the human fallibility factor. While I’d hope that everyone is careful about what they download, it needs to go double for something as serious as security software.
You ever feel, you know, not so secure? You could lock yourself in an underground bunker in an undisclosed location without any contact with the outside world, but let’s be honest: who wants to live in North Dakota?*
Instead, just make sure you get Apple’s regular Security Updates for a quantum of solace. Newest to the list is Security Update 2008-007, available in your choice of Leopard Client, Leopard Server, Intel Client, PPC Client, PPC Server, or Universal Server. This martini-swilling patch fixes issues in everything from Apache to Weblog, with fixes in the likes of Finder (where a malicious file on your desktop could apparently lead to a denial of service) and Quick Look (which isn’t too fond of threatening Excel files).
The size of the update varies depending on what flavor you need: the Leopard Client update’s a mere 31.4MB while the Universal Server update is a hefty 199MB. They’re available via Apple’s software download page or via Software Update. Just please, please, please refrain from shaking or stirring this update.
* My apologies to North Dakotan readers. Please substitute Canada in that joke.*
* My apologies to Canadian readers. Please substitute Alaska in that joke.*
* You know what, Alaskan readers? I’m standing by that one.
So…”clickjacking.” Is it a new browser security concern or a new offering from the Land of F.U.D.?
According to SecTheory’s CEO, Robert Hansen, “clickjacking” is similar to cross-site request forgery, where unauthorized commands are sent from a user that a website believes to be legitimate. Hansen and WhiteHat Security’s CTO, Jeremiah Grossman, recently shared their concerns with Computerworld on how attackers (or as I like to call them, “jerks who ruin the Internet for everyone else”) get around the current security features in browsers via clickjacking:
“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls,” Grossman said in an e-mail on Friday. “Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”
So if clickjacking will be the rage for less-than-savory types, can anything be done about it? Although the two security people say they’ve contacted Microsoft, Mozilla, and Apple about their respective browsers, they warn that the best defense is to “use Firefox with the NoScript add-on installed.” Hmmm….veeeery interesting…. Some days, I do wonder if I should just completely turn off the Internet for ever and ever—but then I wake up.
So y’allz might not want to keep this one on the QT, even though it involves QT.
Intego’s Mac Security Blog reports that the company has discovered a vulnerability on the latest update to QuickTime, version 7.5.5.
Basically, the way it works is that the QuickTime “type” tag doesn’t handle overly long strings, regardless of whether it’s Safari, Firefox, Mail or any other program that runs into one. Right now, when such a long string is handled, the offending app simply crashes. No harm, no foul, right?
Well, a crash triggered by an overlong string is often a sign of memory corruption, and if a miscreant can control what gets written, conceivably some bad stuff could go down, up to and including running their code. For now it appears that this is merely a proof of concept and that there are no actual examples of it in the wild, but still, you might want to make sure all your software updates are, you know, up-to-date.
For those that aren’t updating to 10.5.5—because you may be on, say, Tiger—you’ll still want to grab Apple’s latest security update, the fetchingly named Security Update 2008-006. It’s rolled into 10.5.5, so Leopard users who have updated have no need to worry, but there are some fixes in there worth having.
For example, 2008-006 contains two fixes for the DNS cache poisoning vulnerability that we discussed a while back. In addition, you’ll also be protected from a login window, maliciously crafted fonts, and a program called “slapconfig.” Which, I’m hoping against hope, will finally keep me safe from slap bets.
The update is available for both OS X client (PPC and Intel) and OS X server (PPC and Universal). That’s a whole lot of flavors—maybe Apple should take on Baskin-Robbins next.
Now, on to the more important question: why the hell do I keep thinking of ice cream when I’m writing up about software updates?