A recent iPad thread got diverted briefly into an exchange about cyber-security (in the context of maintaining software updates). This inspired YA <excellent post> by tacit.
i think it would be good if we could have one thread to turn to as a resource for such info. Hopefully, this will be it.
In his own online blogs, tacit furnishes a wealth of articles (only three of which i list here):
- Polyamory and crime on the Internet -- Dec. 12, 2007
- Anatomy of computer crime -- Mar. 26, 2008
- More computer crime anatomy -- May 5, 2008
Back in the MFI forums, we were sometimes treated with supplemental threads, such as:
- Analysis of virus distribution -- Dec. 13, 2007
- Mac virus distributed by Russian Business Network -- Mar. 26, 2008
- Well, the Russians are back -- Dec. 27, 2008
As we have learned from the links above, the dangers out there are not limited to pr0n sites or pirate-laden p2p networks... but rather everyday places like google.com, and various "worldpress" forums (who don't update their software and/or take sufficient precautions). The trends tacit taught us about continue today...
- Preview to a Possible Future of Rogue AV -- Dec. 2, 2009
- Be Careful Clicking on the Google Doodle -- Dec. 15, 2009
- Yet Another Reputable Site Asks You to Install Rogue AV -- Dec 18, 2009
- Scammers Cashing in on Facebook ‘Un named App’ Hoax -- Jan. 30, 2010
And here's a small item i ran into today:
The world is hacked, and it's users' fault -- Feb. 19, 2010
--
Anyway, i hope members will choose to use this thread as a convenient one-stop place where useful security info can be either deposited or easily located.
For example, this (Mac-oriented) website was quite good (in terms of articles) in the past...
http://blog.iantivirus.com/ ...and i believe that's still the case today.
Note however that the name “iAntiVirus” also appears on some sketchy-looking software product, which is *not* related to that blog (afaik). EDIT: ooops, i guess they're the same?
Hmm, what do you folks think about it?
[the blog was pretty good a ways back.]
Anyway, it is freeware... i just hope it's safe.
[i definitely like ClamXav 2.x myself.]
Wow! A whole new resource for me to ignore.
Seriously though... Thanks for starting this thread; may I suggest to the M Squad that it be made "sticky?"
I split a branch of replies off to a separate thread so this one can stay focused on the subject of cyber security. I might end up moving the new one to FineTunedMac Feedback, but for now at least it's here in the Lounge:
Discussion about "THE CYBER-SECURITY THREAD"
Hmm, anyone ever heard of this?
• Trusteer (Rapport)
I've poked around and read parts of the FAQ, but if someone could assess its value to Mac users and summarize how we would use it (or whether we should bother with it), i'd be interested to learn more.
tacit, I'm wondering if you missed the question I posed in my original response to this post, namely, which, if any, of your three "how-they-do-its" is of the nature that it can be prevented by an existing or future Apple Security Update?
Or, on the other hand, are they all simply "user beware" type threats?
(I'm trying to put your post into perspective with the rest of the discussion.)
Thanks.
Edit: This was originally a response to tacit's reply in "iPad" (the same "<excellent post> by tacit" that Hal referred to in his opening post of this cyber security thread).
> Hmm, anyone ever heard of this?
> • Trusteer (Rapport)
> I've poked around and read parts of the FAQ, but if someone could assess its value to Mac users and summarize how we would use it (or whether we should bother with it), i'd be interested to learn more.
Thread about this here. I eventually signed up just to shut them up / stop them nagging me every time I logged in.
Interestingly, it's attached to my ID, not to my computer. How do I know this? Because I went into on-line banking from another computer. No nagging, Rapport already "loaded".
As to whether it's any use or not, I cannot tell from this end.
> tacit, I'm wondering if you missed the question I posed in my original response to this post, namely, which, if any, of your three "how-they-do-its" is of the nature that it can be prevented by an existing or future Apple Security Update?
> Or, on the other hand, are they all simply "user beware" type threats?
> (I'm trying to put your post into perspective with the rest of the discussion.)
That's hardly the point, nor does it belong in this iPad thread (as presented).
If we both visit some page and click on some link which contains code exploiting some vulnerability for which my OS/browser has been patched and yours hasn't... then your computer will crash (or whatever), and mine won't. It's really really really simple: known weaknesses get patched... and there is zero wisdom involved in not updating. We could argue about whether or not that page actually exists and whether or not we might actually click that link, and conclude that it probably won't ever happen (and so the extra security may not be needed "necessarily")... but that's not a very meaningful discussion.
Supplemental reading:
edit: note that—on those 3 pages there—the phrase “arbitrary code execution” is a euphemism which (more often than not) actually means a cleverly crafted script could run (likely with root privileges, and thus do whatever it wants to).
> That's hardly the point, nor does it belong in this iPad thread (as presented).
My bad... I should have posted, with a link, in the other thread. I posted to tacit in the thread in which he posted.
And it is the point, because I posed a clarification question, not one about security.
Edit: You're saying then that the situations described in tacit's post are of the nature that's addressed by security updates?
Just to be certain, though, which, if any, of your three "how-they-do-its" is vulnerable to an Apple Security Update?
Any of them.
The people, usually Eastern European organized crime, who distribute malware via compromised Web sites or poisoned banner ads will often rely on known security vulnerabilities in popular Web browsers or plugins in order to download malware.
Once you have ended up on an attacker's site, whether that's by a poisoned banner ad or by clicking on a seeded link in Google or whatever, the site will often attempt an assortment of different exploits. It may try to exploit holes in the Flash player plugin, for instance (that's one I'm seeing a lot of lately--on Macs it just crashes the browser, on Windows it silently downloads and runs malware); or it might try to exploit known flaws in known browsers (like Internet Explorer flaws); or it might try to exploit something like a RealPlayer security hole. If all of those fail, it will try to trick you into downloading and installing the malware yourself.
Apple security updates will fix flaws in the browser and often will include third-party software or plugin fixes as well. For example, the update that just came out earlier this year fixes flaws in the Mac version of the Adobe Flash plugin. Even though Apple didn't write the plugin, they included the security fix as part of the general security update.
So to answer your question directly, security updates can mitigate Web attacks regardless of the mechanism used to get you onto the attacker's page.
Thanks, tacit, for continually sharing your in-depth knowledge of this subject.
Last link in this particular chain...
> It may try to exploit holes in the Flash player plugin, for instance (that's one I'm seeing a lot of lately--on Macs it just crashes the browser, [....]
Will running ClickToFlash, which prevents Flash content from loading, prevent such exploits?
Yes. The exploit works by loading a poisoned SWF file that contains special code which crashes the Flash player (and, on a Windows machine, allows the execution of arbitrary code). Applications which block Flash code from loading will mitigate against this kind of attack.
Thanks!
Thanks for the link. There's not really much to read, but I did find the info that there's "a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors" interesting.
I guess my neck is now stretched 8 notches longer than it used to be stretched.
I suppose Safari 4.0.5 may address some of those.
[hello... anybody? ]
> [hello... anybody? ]
Dare I say it?
Perhaps not Safari-specific (or "cyber" related even), but...
• Charlie Miller to reveal 20 zero day security holes in Mac OS X... i guess we'll have to wait and see what the world is permitted to learn.
[in the past, actual "how-to" details have been kept (more-or-less) private.]
EDIT: here's the original article at the "Heise Media" website:
Mac OS X: "safer, but less secure" -- March 18, 2010
EDIT#2: and here are the rules/gameplan for the upcoming (March 24th) event:
Pwn2Own 2010
> Charlie Miller to reveal 20 zero day security holes in Mac OS X
100% of which will require having physical access to the computer and a local account to login to. They usually leave that factoid out until they show them off. When someone comes up with a network exploit, I'll pay more attention.
> Charlie Miller to reveal 20 zero day security holes in Mac OS X
> 100% of which will require having physical access to the computer and a local account to login to. They usually leave that factoid out until they show them off.
Not true.
This is the same guy as the last few years, and all previous reports used words to the effect:
• The MacBook was able to withstand external network attacks.
but then later on...
• [ . . . ] with the interaction of a user who surfed to a specially crafted website.
Sorry but, that's not physical access in the sense that the term "physical access" is normally used. If simply visiting a webpage can infect a computer, then that's a serious problem (imho). Trying to lump that sort of weakness under "physical access" is a prevarication.
More past clips...
Pwn2Own 2009: Safari, IE 8 and Firefox exploited -- March 2009
Security researcher Charlie Miller, in a repeat performance of last year, used a prepared exploit to crack the Safari web browser on a MacBook running the latest version of Mac OS X, in a matter of seconds. The exploit won him $5,000 and the MacBook. According to CNet Miller said that he used a security hole which he discovered last year that allows a remote attacker to gain control of a machine when a user visits a malicious URL. Last year Miller also cracked Safari in a few minutes and won a MacBook Air and $10,000 in prize money.
MacBook Air first to be cracked at PWN to OWN hack competition -- March 2008
Of three laptops to be hacked, a MacBook Air with Mac OS X 10.5.2 was the first to fall victim to crack attempts of participants in the PWN to OWN contest at CanSecWest. The laptops running Windows Vista SP1 and Ubuntu 7.10 remain uncompromised. According to information provided by organisers of the TippingPoint competition, Charlie Miller, Jake Honoroff and Mark Daniel of security service provider Independent Security Evaluator were able to take control of the machine through a hole in the Safari web browser. The vulnerability has supposedly not yet been made public and is still under wraps until Apple is able to provide a patch. In addition to $10,000 prize money, the winners also get to keep the MacBook as a bonus.
Hack-a-Mac - security vulnerability found in Apple's Safari -- April 2007
As part of the Hack-a-Mac "PWN to own" competition at the CanSecWest security conference, two competitors succeeded in hacking a fully patched MacBook Pro running Mac OS X 10.4.9. They did not, however, penetrate the computer directly, rather they exploited a vulnerability in Apple's Safari web browser. On visiting a website prepared by the hackers, malicious code was injected onto the MacBook and executed with user privileges.
> When someone comes up with a network exploit, I'll pay more attention.
Well the local ones are no party either, especially if they give admin->root escalation. Because that's the first place a hacker will head, once they poke through one of these little backdoors in Safari.
But don't worry, i'll keep you posted from now on.
Wow... interesting article (all on one page too):
http://www.sans.org/top-cyber-security-risks/
Wakey wakey, eggs and bakey...
ZDNet:
Computerworld:
interesting article on inside a global cyber crime ring. Wondering should i copy and paste the whole article?
http://tvnz.co.nz/technology-news/inside-global-cybercrime-ring-3431576
> Wondering should i copy and paste the whole article?
Hi Chris, and thanks for that link. You did the right thing by posting it rather than copying the page's contents into your post. The latter might infringe on copyright, and for that reason is not recommended.
Thanks Alternaught, I am not sure how long TVNZ leaves web pages and items like that up, hence the query on copy and paste.
My 3 cents worth ...
Back in the MFIF days when this policy was initiated (for exactly the reasons given by alternaut) it yielded the additional benefit that tons/tonnes of articles originating from other sources would no longer have to be stored on MFIF's (and now FTM's) server.
Moreover, nothing disappears from the InterWeb. Even if TVNZ doesn't leave such pages up, usually Googling it will bring up a cached version (ie, Google saves everything — I was even able to dredge up a disgruntled employee's diatribe against a former employer which had been removed by management on kijiji months earlier because it was defamatory).
> My 3 cents worth ...
> Moreover, nothing disappears from the InterWeb.
I was not aware of that, thanks.
> Moreover, nothing disappears from the InterWeb.
> I was not aware of that, thanks.
http://en.wikipedia.org/wiki/Wayback_Machine
http://www.archive.org/web/web.php
good article, full of interesting details and yet not too geeky for most to read
Apple Mac OS X 10.6.3 - Snow Leopard operating system.
Apple Security Update 2010-002 - For Leopard Mac OS X 10.5.
Both OS versions share the same security page:
http://support.apple.com/kb/HT4077
HELLO... 11 instances of the string “working with TippingPoint's Zero Day Initiative” appear in that kbdoc!!!!!!!!!!!11
> 11 instances of the string “working with TippingPoint's Zero Day Initiative” appear in that kbdoc!!!!!!!!!!!11
Yesterday brought 10 more ZDI-assisted fixes (among others) in QuickTime 7.6.6.
So then... 21 total would seem to cover the 20 mentioned by Miller (hopefully).
I'm all for encouraging "responsible disclosure", as long as the fixes are timely. It's when someone "responsibly discloses" a bug to the manufacturer, and half a year later it's still not fixed, and so the guy goes public, causing hysteria, and the manufacturer snipes back in a public response, crying about his lack of "responsible disclosure". You lose the right to cry Use Public Disclosure when you drag your feet on it.
When someone fixes things quickly in response, that's how things should work.
> 11 instances of the string “working with TippingPoint's Zero Day Initiative” appear in that kbdoc!!!!!!!!!!!11
> Yesterday brought 10 more ZDI-assisted fixes (among others) in QuickTime 7.6.6.
> So then... 21 total would seem to cover the 20 mentioned by Miller (hopefully).
Yesterday's Security Update 2010-003 mentions Charlie Miller by name (along with "TippingPoint's Zero Day Initiative"), bringing the count to 22 tweaks apparently related to that particular event.
One thing on which I've never been clear... Are all the security holes on which these exploits are based present in non-current versions of OS X/Safari/QuickTime/etc, or do they exploit newly introduced holes?
Thanks.
> One thing on which I've never been clear... Are all the security holes on which these exploits are based present in non-current versions of OS X/Safari/QuickTime/etc, or do they exploit newly introduced holes?
Pretty much mostly the former.
--
In other news (file under irony):
Thousands believed affected by faulty McAfee virus update
> One thing on which I've never been clear... Are all the security holes on which these exploits are based present in non-current versions of OS X/Safari/QuickTime/etc, or do they exploit newly introduced holes?
> Pretty much mostly the former.
That's interesting, because:
- I've always assumed that these exploits are discovered by people scrutinizing new incarnations of OS X and apps, and
- It suggests that at least some of the exploits address security holes that have been around (perhaps waaay) longer than I'd thought.
(Responding to this post merely as a matter of convenience.)
Edit: Oops! I was thinking of Panther's 10.3.9.
Sorry!
Pretty much all of these "we're going to expose security holes in public next week" things do involve new "zero day" bugs. No one pays them any attention if they aren't demonstrated on fully patched, up-to-date systems.
Almost all of the holes I've seen lately involve a standard user logging in and running a program or visiting a web site, and as a result, getting a root shell on the machine (local program) or leaking information (browser). While these aren't good things, they're much more benign than remote exploits, the things that make for worms.
The majority of the web browser issues are via java or adobe plugins. Too bad safari doesn't properly sandbox those things... they're notorious for giving safari a bad rep for security. (tho quicktime certainly has its fair share... QT itself should also be sandboxed imho)
Also, most of them are of the "denial of service" variety, meaning they cause something to crash. In all but a few cases, these crashes are difficult to exploit to get something useful like a root shell.
> That's interesting, because:
> - I've always assumed that these exploits are discovered by people scrutinizing new incarnations of OS X and apps, and
> - It suggests that at least some of the exploits address security holes that have been around (perhaps waaay) longer than I'd thought.
- wrong
- right
__
In other news:
Cryptographer (and OS security expert) Callas joins Apple
> That's interesting, because:
> - I've always assumed that these exploits are discovered by people scrutinizing new incarnations of OS X and apps, and
> - It suggests that at least some of the exploits address security holes that have been around (perhaps waaay) longer than I'd thought.
> - wrong
> - right
Do Hal's "wrong" and "right" contradict your
"Pretty much all of these "we're going to expose security holes in public next week" things do involve new "zero day" bugs. No one pays them any attention if they aren't demonstrated on fully patched, up-to-date systems?"
In this context, various posts in MacInTouch's Security Reader Report are relevant. Among others, I found Gregory Tetrault's comments especially interesting, suggesting that—apart from the clear threat potential of this 'bundled spyware' route—Intego press releases can be seen as something of a hype by an interested party.
Note in this context that Intego retracted an initially published list of 'compromised' software after stating there were multiple instances of this issue when in fact they had found only one. This list has now been published in the recently edited MacUser article you linked to (the list did not appear in the original version of the article, only a link to the Intego press release containing it, the one that was later retracted by Intego). Moreover, if Tetrault's observations are correct, the installation of spyware items 'bundled' with the listed packages can easily be avoided.
The reader report also contains posts discussing diagnosis (e.g., searching a suspected volume for 'PremierOpinion'), repair and possible prevention (Little Snitch port monitoring, taking care while installing the 'carrier' software).
> Among others, I found Gregory Tetrault's comments especially interesting, suggesting that—apart from the clear threat potential of this 'bundled spyware' route—Intego press releases can be seen as something of a hype by an interested party.
Well i agree there... i'm no fan of Intego, i don't use it and i don't recommend that anyone else use it. (ClamXav is more my speed).
Nonetheless, i still find this particular screensaver/trojan rather suspicious (especially in the admin password request department).
Here is Intego's update posted yesterday:
> Intego has been monitoring the actions of the different versions it has found of this spyware. It has discovered that, after a certain time, the spyware makes an “upgrade” and installs another application, which is another variant of the same spyware, called PermissionResearch. (It is also possible that further versions of this spyware will upgrade themselves to other variants.) Intego has updated its threat filters today (June 2, 2010) to improve proactive detection of this type of spyware. We strongly recommend that all VirusBarrier X5 and X6 users update their threat filters as soon as possible.
And also: some place called Hardmac has posted the "terms of agreement" between the user and some company called VoiceFive.
idunno... perhaps they don't harvest credit card numbers, but it still smells rotten somehow.
Albeit, very sugar-coated:
http://7art-screensavers.com/Mac_OS_X.shtml   (vomit)
I absolutely agree about the less than user-friendly approach of the spyware distributor, aided and abetted by the original software publisher (7Art). Anyone used to simply hit Return during the installation of ‘regular’ software stands a good chance of installing ‘bonus’ material of the spyware kind. Requiring an admin password for software that doesn’t need it (i.e., the screen saver, not the spyware) is bad manners and a clear sign of potential danger to the educated user.
Unfortunately, not everyone is sufficiently alert all of the time, so inadvertent installs will increase with this setup. Since the software involved seems to be exclusively freeware, at least you’re not paying for the VoiceFive privilege. Still, the main reason to mention Tetrault’s experience was to point out that it’s apparently possible to install the main software of a 7Art package while avoiding that of bonus material like this spyware.
Of course, the main importance of this issue in this tabnabbing week is the addition/improvement of yet another route for distributing malware, and in that sense Intego's alert is appreciated.
Think i'll post this news here instead, because (so far) the real culprit seems to be AT&T:
AT&T's Worst Security Breach: 114,000 iPad Owners Exposed
Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application.
To make AT&T's servers respond, the security group merely had to send an iPad-style "User agent" header in their Web request. Such headers identify users' browser types to websites.
The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it's likely many accounts beyond the 114,000 have been compromised.
Goatse Security notified AT&T of the breach and the security hole was closed.
Of course—as i googled earlier—most of the hyped-up headlines are worded in such a way (to attract more hits i guess) which sound as if the iPad itself was responsible.
AT&T has always had problems like this. Back before the iPhone allowed MMS, when someone tried to text me a picture, I would get a text with an AT&T Web site address instead. By going to the address, I would see the picture.
The AT&T Web site that allowed me to see the MMS pictures had the exact same security flaw. I could manipulate the address bar to see pictures that other people were getting in MMS messages, too! It was trivial to do so--and in fact I discovered it because of a bug in the AT&T system that would only let me see the full-sized picture that had been texted to me if I messed with the address in the address bar.
I never bothered to report it because shortly after I discovered it, AT&T enabled MMS on the iPhone and did away with the need to go to their Web site to see an MMS picture. But it worked *exactly* the same way as the bug that exposed iPad information, so I bet the same Web developer was responsible.
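As an added illustration (not code from the thread, from AT&T, or from Goatse Security), the lookup pattern behind both the ICC-ID article and tacit's MMS story above: a record handed out for any client-supplied identifier, gated only on a client-controlled header, beside a hardened form that releases the record only to the authenticated account that owns it, plus a log check for the enumeration pattern that such an endpoint invites. The account table, the `/lookup` path, the ICC-ID values and the log lines are all constructed for the example.

```python
"""Added example: insecure vs. hardened identifier lookup, plus a log check.
Everything here (accounts, ICC-IDs, log lines, path) is constructed sample data."""
from collections import defaultdict
import re

# Constructed account table: ICC-ID -> (account id, email). Not real values.
ACCOUNTS = {
    "89014104211111111111": ("acct-1", "alice@example.com"),
    "89014104211111111112": ("acct-2", "bob@example.com"),
    "89014104211111111113": ("acct-3", "carol@example.com"),
}

IPAD_UA = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"  # constructed UA string


def vulnerable_lookup(headers: dict, iccid: str):
    """The pattern the article describes: whoever presents an iPad-looking
    User-Agent and a guessable ICC-ID is handed the associated email address.
    The header is chosen by the client, so it is not an access control."""
    if "iPad" not in headers.get("User-Agent", ""):
        return None
    entry = ACCOUNTS.get(iccid)
    return entry[1] if entry else None


def hardened_lookup(session: dict, iccid: str):
    """Hardened form: the email is released only to an authenticated session,
    and only when the requested ICC-ID belongs to that session's own account.
    The User-Agent header is not consulted at all."""
    account = session.get("account_id")
    if account is None:
        return None
    entry = ACCOUNTS.get(iccid)
    if entry is None or entry[0] != account:
        return None  # unknown ICC-ID, or one belonging to somebody else
    return entry[1]


# Constructed access-log lines: source address, request line, User-Agent.
SAMPLE_LOG = """\
203.0.113.5 GET /lookup?iccid=89014104211111111111 "Mozilla/5.0 (iPad; ...)"
203.0.113.5 GET /lookup?iccid=89014104211111111112 "Mozilla/5.0 (iPad; ...)"
203.0.113.5 GET /lookup?iccid=89014104211111111113 "Mozilla/5.0 (iPad; ...)"
203.0.113.5 GET /lookup?iccid=89014104211111111114 "Mozilla/5.0 (iPad; ...)"
198.51.100.7 GET /lookup?iccid=89014104211111111112 "Mozilla/5.0 (iPad; ...)"
"""

LOG_RE = re.compile(r"^(\S+) GET /lookup\?iccid=(\d+) ")


def enumeration_suspects(log_text: str, threshold: int = 3):
    """Return source addresses that queried more than `threshold` distinct
    ICC-IDs. A real device asks about its own SIM, not a run of neighbours,
    so a spread of identifiers from one address is the harvesting signature."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return sorted(ip for ip, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    print(vulnerable_lookup({"User-Agent": IPAD_UA}, "89014104211111111112"))
    print(hardened_lookup({"account_id": "acct-1"}, "89014104211111111112"))
    print(enumeration_suspects(SAMPLE_LOG))
```

The same ownership check is the fix for the MMS picture URL tacit describes: the picture should be tied to the recipient's authenticated account, not to whatever identifier appears in the address bar.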
Ho-hum... may as well toss this one into the mix for good measure:
Initial analysis of trojan.osx.boonana.a
[i've always made sure Java was disabled in Safari anyway, so] what can i say?
I saw that with the pwn2own contest... did you see, BOTH apple and Google are playing a little dirty here.
The contest requires the contestants to work on "fully patched" machines. There's no grace time, software updates are run just before they start.
Both apple and google released updates immediately before the contest started. It's unreasonable to believe that the entrants in the contest are sitting down, cracking their knuckles, and saying "ok lets look around for a hole". Naturally they're bringing in zero-day exploits they've been polishing for weeks or months. So there's (A) a chance that the new surprise updates will block the exploit, and more importantly (B) a very high chance that an exploit that still works will have to be tweaked due to the binary being recompiled and addresses changing.
I personally don't think that's fair to allow patches the manufacturers are deliberately withholding until a few hours before the contest to be installed. There should be a cutoff of say, one week. Testing the security of something that was "released" an hour ago is not a practical real-world scenario unless you're releasing updates every day. Systems will have an average lag time of weeks usually before available patches are applied, and the contestants should have the opportunity to try to beat a system they've had a little time to work on beforehand.
But I can see the other side of it, it would also be nice to see just how well an unprepared hacker can do against a new binary. That could be very hard to enforce though, how do you tell them they're not allowed to use priorly developed private exploits? It's probably not possible, so all you do by applying last-hour-updates is to take a random pot shot at the contestants, some of which may have worked very hard to find a major hole, one that requires many hours of tweaking to make work properly, that now has changed locations and will require hours of adjustment. (the hole is still there, the target has simply moved, it's no more secure than it was an hour ago, it's just going to eliminate them from the contest due to the added investment in time just introduced)
My experience is the (not too steep) cost of SSL certs for HTTPS without browser nags tends to make administrators not think it's a justifiable expense. What are your experiences?
And IT'S ABOUT TIME now to see safari offer an easy immediately available checkbox for 'always trust' on web sites. That previous stupidity of having to open the cert and change trust settings scared users away from it.
I assume (since i'm not hosting anything) that the "you" there is collective [?].
[i did notice that facebook finally offers https as of a week or two ago]
Sophos - The Conficker worm, three years and counting
"At its peak, Conficker infected more than 10 million PCs."
"Flaw was patched, 4 weeks before Conficker began its assault."
"Today, an estimated 3 million computers are still infected."
Against the backdrop of today's WikiLeaks releases of documents about the surveillance industry, here are some links covering Android developer Trevor Eckhart's early disclosures about Carrier IQ, the name of the company providing 'embedded analytics' to the telecom industry and that of the hidden spyware rootkit found on many android, Windows and BlackBerry phones, and quite possibly iPhones too.
- Android Security Test
- Carrier IQ Part #2
- How much of your phone is yours?
Perhaps the—for the consumer—single most 'incendiary' capability of the Carrier IQ spyware is a full-fledged keylogger, since it's hard to see why private data content (including that transmitted over WiFi networks) is important for the improvement of phone provider 'service quality' and 'network efficiency', the official reason for Carrier IQ's contracted services and the presence of its spyware.
This latter is an important point: it's providers like Verizon Wireless, AT&T and Sprint rather than the phone manufacturers, which hire Carrier IQ and allow it to put the Carrier IQ rootkit on the phones they provide their customers with. To be clear: not all carriers do this; for instance, several European telecom companies deny participating in the CIQ program (although they may use other, comparable services).
This MSNBC story has been updated with some details from Cult of Mac about iOS 5:
AT&T, Sprint, T-Mobile use Carrier IQ, but don't collect personal info.
The story about similar issues in Germany linked at the bottom of the page is worthwhile.
As Lugnut, the first responder to this article said, I just don't believe the statement that the key-logger is not being used. I'm willing to believe it only when this capability has been demonstrably removed from the rootkit. And AFAIAC, that's not the only thing that needs to be changed.
I agree that this topic should be subjected to the empirical method.
Some further developments on the Carrier IQ front:
- Apple ended Carrier IQ support with iOS 5
- Carrier IQ, mobile providers grilled over spyware charges
- Which companies are on the Carrier IQ bandwagon?
The implications of the second article are quite interesting. If the phone manufacturers didn't put CIQ on their phones*, and carriers like Verizon, RIM, and Nokia Europe claim they didn't either, how did it get on there in the cases where it was found? At least it's easy to determine if CIQ is installed on your android phone with Eckhart's Logging Test App v7.
Removal is possible with the Pro version of this app; alternatives can be more involved, but all methods require the device to be rooted.
*) So far, HTC is the only manufacturer to admit installing the CIQ rootkit on its phones because US carriers require it. It'd be interesting to see if HTC phones supported by non-US carriers claiming not to participate in the CIQ program also contain the rootkit. As far as known, however, at least Dutch android phones do not seem to carry the CIQ spyware. In contrast, Vodaphone Portugal stated they did use CIQ, as did Sprint and ATT in the US. That said, and as alluded to above, several of the carriers denying the use of CIQ are known to use Deep Packet Inspection.
Things that make you go hmmmmmm:
[admins: i'm not sure onto which thread to tag this]
A couple of really interesting articles...
§ i guess this only applies to people who already have "google accounts" (presumably gmail, Google+, etc.):
>> How to Remove Your Google Search History Before Google's New Privacy Policy Takes Effect <<
^ Whatever the case may be... the (March 1st) deadline is fast approaching.
Thanks for the link, Hal. I removed Google Search History but haven't (yet) cancelled my account. I may very well do just that.
And my thanks too. 'Tis greatly appreciated.
Did i guess right?... that only users with some sort of preexisting "google-dom" account need take any action?
Or would it somehow behoove others (e.g., me) in some way, to create a new account now, and follow that procedure?
[i realize that question sounds absurd... but i just want to be certain.]
[i realize that question sounds absurd... but i just want to be certain.
]
Maybe it's not too far-fetched. I only bothered to look because I long ago had to open a gmail account in order to use Google Analytics (to track usage on my daughter's page).
I have never, ever used the gmail account but I followed the process anyway....more out of curiosity than anything else. What I found was an up-to-date list of the places I visit when on the web...nothing at all related to mail.
Have never used the email account, have never used their browser, and yet..... Hmmmm.
> Maybe it's not too far-fetched. I only bothered to look because I long ago had to open a gmail account in order to use Google Analytics (to track usage on my daughter's page).
> I have never, ever used the gmail account but I followed the process anyway....more out of curiosity than anything else. What I found was an up-to-date list of the places I visit when on the web...nothing at all related to mail.
> Have never used the email account, have never used their browser, and yet..... Hmmmm.
Well that's why google is "worth" billions, that's what they do (though i'd be curious how they tied all that activity back to "you" -- i guess cookie processing is all it takes).
But still... for someone with no previous account... if i go create one now, will there be some old history file (of my various browsers' movements over the years) that they'll then attach to my newly created 'official' account? That would be even freakier. [not sure i want to create an account there just to find out... but it's probably the only way.]
Not worried, just wonderin'.
> [not sure i want to create an account there just to find out... but it's probably the only way.]
I'm in the same situation as you, so please post your findings if you do create an account.
(I delete all my Google cookies other than prefs periodically, which seems like it ought to be at least somewhat limiting, at the least.)
Thanks.
Edit: Y'know, I just remembered having received an e-mail (about this very subject) from Google a few days back, and it's now occurred to me to question how they got my Verizon e-mail address; I've got no record or recollection of ever having opened any sort of account with Google...GMail or other.
Anybody got a clue?
Edit 2: Just to convince myself, I entered the address to which the Google e-mail had been sent in their log-in pane, and I found that it was associated with an account, set up a new password, logged in to my account, and found that "History" had been turned off.
Oops!
I maintain an encrypted disk image (10Mb...I've never been able to get a sparse image to work.) just to store the 8Kb record of my log-in IDs and passwords, and I now remember having created a Google account the day I found out that "History" could be turned off, months ago, but for the life of me, I can't imagine why I didn't leave myself a record of that account. (I now wonder how many other forgotten accounts I've got?)
If you create a Gmail account, log into it, and then use Google, Google will track everything you do and associate it with your Gmail account. Even if you log out of Gmail but leave the cookie in place, Google may still track your activity and associate it with your Gmail account.
Looks like Intego may be drumming up some business.
Or perhaps there's more to it, as i haven't read this yet:
Flashback Mac Trojan Horse Infections Increasing with New Variant
I haven't seen this malware yet. It's interesting that it uses a bogus certificate named "Apple Inc"--that's a nice trick that will likely fool a lot of people.
This may be slightly off-topic, but Viewpoint: How hackers are caught out by law enforcers is an interesting read. It never explains "onion routing", however. Tacit? Anyone?
I thought tacit had discussed this somewhere along the line, but a search of the forums couldn't bring it up.
Check out:
www.onion-router.net/
Thank you. I should have googled that myself.
support tor. run an exit node.
I'm unconvinced that Tor is really as secure as it thinks it is. For one thing, all that a hostile government or law enforcement agency would need to do to eavesdrop on it is to run a large number of entry and exit nodes themselves.
Despite the obvious interest of anti-virus utility makers in publishing it, this may be worth keeping an eye out for:
Malware infects Macs through Microsoft Office vulnerability.
More 'old' news: Mac Trojan
Flashback is at it again with a new variant, no longer needing an admin password. Plus, some anti-malware utility makers' opinions on Mac vulnerability.
Just what do these trojans do? I can't find any info in the related articles as to what might happen if it infects my Mac — ie, what sort of havoc does it wreak?
Will the Java update remove or render inoperable anything which might have been installed? And if not, what to do?
(After 15 minutes I'm still unable to access Oracle's release notes.)
EDIT:
Finally got the release notes which had no user-friendly information whatsoever.
Flashback malware evolves to exploit unpatched Java vulnerabilities provides some insight into what the trojan in question does.
When these programs are then launched, the malicious code attempts to contact remote servers and upload screenshots and other personal information to them.
Thanks. But am I safe? And how might I find that out?
The article you cite (dated 2 days ago) has contradictory statements, one on top of the other:
"... in most cases Mac users should be relatively safe. Starting with OS X 10.7 Lion, Apple stopped including a Java runtime with OS X, so if you have purchased a new system with OS X 10.7.0 or later, or have formatted and reinstalled Lion, then you will, by default, not be affected by this malware.
"However, if you do have Java installed on your system, then for now the only way to prevent this malware from running is to disable Java."
According to my iMac, it came from Apple with both 64-bit and 32-bit versions installed: Java SE 6 v 1.6.0_29-b11-402.
Those statements aren't contradictory; "if you do have Java installed" refers to versions of OS X earlier than 10.7 and to those users who've elected to install Java in 10.7 on their own. (That article has been cleaned up; the first time I looked at it it said that Apple had dropped Java in Snow Leopard as well as in Lion.)
I wonder why your iMac has got both Lion and Java?
> But am I safe? And how might I find that out?
Here's a pretty much useless description of what the trojan does:
First it will ask for an administrator password, and if supplied it will install its payload into target programs within the /Applications folder. However, if no password is supplied, then the malware will still install to the user accounts where it will run in a more global manner.
If you've installed the update and haven't been doing any questionable browsing lately, you're probably safe.
I hope somebody will be able to expand on that.
> Those statements aren't contradictory;
> I wonder why your iMac has got both Lion and Java?
That's why (I consider that) they're contradictory.
> I hope somebody will be able to expand on that.
So do I.
EDIT:
For what it's worth, my Java SE 6 is now updated to v 1.6.0_31-b04-413.
But/And I'd still like answers to earlier queries.
I would hazard a guess that somewhere early on when you were trying out some website such as http://www.speedtest.net (which runs a Java Applet to get its result) you were prompted to install Java from the Apple support download page and simply forgot that you did that.....
In my case, that's exactly what I did.....and then there are those pesky Java utilities that companies such as DLink embed in their control pages for IP cameras and such. I discovered that 10.7.3 actually disabled the Java runtime that I had installed earlier and I had to go find the intermediate update which resolved the security issues at that time -- and now the latest version is the one that we both have installed, 1.6.0_31-b04-413.
That version specifically addresses the risk presented by the Trojan described in the article above. (CVE-2012-0507)
(Edited to add the specific CVE addressed)
Re the latest Java Trojan: I'm a bit surprised that some enterprising chap or chapette has not yet created a (free) app/script or whatever that ascertains if one is infected, and if so, removes the offending code.
> I would hazard a guess that somewhere early on when you were trying out some website such as http://www.speedtest.net (which runs a Java Applet to get its result) you were prompted to install Java from the Apple support download page and simply forgot that you did that....
It's possible, but if so, I've long since forgotten that I did.
> I discovered that 10.7.3 actually disabled the Java runtime that I had installed earlier ....
When I checked my Java Preferences - General earlier I did notice that the applet plug-in had been disabled. Whether that was a saving grace, I don't know.
The Java Applet Plug-in 14.0.3 is still enabled in my browser (Firefox 11.0).
But it would still be nice to know if there's something lurking in some program somewhere.
It's a computer with all the flaws (and benefits) of being made by humans.....of course there's something lurking in some program somewhere!
...and there are folks out there right now searching for just the right "something lurking" in order to find an exploit for same.
...and I personally still have no concerns for the security of my Mac OS and installed software as things currently stand.
> Re the latest Java Trojan: I'm a bit surprised that some enterprising chap or chapette has not yet created a (free) app/script or whatever that ascertains if one is infected, and if so, removes the offending code.
Those who cannot update Java with the latest patched versions because they are running Mac OS X versions earlier than Snow Leopard can do the following before browsing the Web:
- disable Java in your browser (e.g., Safari > Prefs > Security > Enable Java; Firefox, Chrome)
- disable Java on your Mac (use Java Preferences in Utilities to uncheck the boxes in the first column). Caveat: this may make Firefox 11.0 quit incorrectly (see Raj Gurdwara's comment).
Note that you can temporarily re-enable Java on known sites, or for known apps whenever you need it.
Testing for the presence of and removing Trojan-Downloader:OSX/Flashback.I * can be done with Terminal, following the instructions provided by F-Secure. That said, I don't know if these instructions are valid for all current Flashback variants out there (but see below).
*) PS, the (similar) detection/removal instructions for the more recent Downloader:OSX/Flashback.K variant are found HERE. This is the variant that doesn't require an admin password to install. For other variants, see this list.
PS2, the following list with definitions of threat categories may come in handy for those of us who are losing track of the mushrooming details.
> Testing for the presence of and removing Trojan-Downloader:OSX/Flashback.I * can be done with Terminal, following the instructions provided by F-Secure. That said, I don't know if these instructions are valid for all current Flashback variants out there (but see below).
> *) PS, the (similar) detection/removal instructions for the more recent Downloader:OSX/Flashback.K variant are found HERE. This is the variant that doesn't require an admin password to install.
The F-Secure protocol for identification and disinfection seems to be valid only for Safari.
I'm way too unsophisticated to make the necessary changes to see if my iMac might be infected via Firefox.
Any other suggestions?
First I recommend you update Java if you have an older version installed; that will block the current malware.
As to detection (and eventual removal) of the trojan's presence in Firefox, I don't know. The Safari instructions look for certain items the trojan installs at certain locations. While you can easily substitute 'Firefox' for 'Safari' in the Terminal command, it's by no means certain (although likely) that the malware-installed items have the same name or are at a comparable location for the response to be meaningful. We'd need confirmation of this one way or the other.
See my earlier posts (#21376 and #21379) in this thread, re Java.
Java for OS X Lion 2012-002 (which, at the moment, links to the "Java for OS X Lion 2012-001" Apple doc) just turned up, but it's not clear yet what it's all about. (*)
You may find several articles on this MacFixIt - CNET Reviews page, How to remove the Flashback malware from OS X in particular, both informative and helpful.
Edit: The latter linked article includes location/removal instructions for Firefox.
and
(*) For the non-believers. (And:
Java for OS X Lion 2012-002
About Java for OS X Lion 2012-002
April 03, 2012 - 66.9 MB
which is also confusing...old date on new release.)
Software Update identifies my needing Java for OS X Lion 2012-002 and it appears to want to update Java SE 6 to exactly that which the -001 version already. Weird. I'm going to hang loose on this one.
The CNET review article looks enticing, but I'm awfully skittish about running Terminal.
If I do anything in Terminal, could I possibly damage/alter my software or hardware in any manner? If so, then I'm not going to attempt it.
EDIT:
OK, I took a leap of faith and ran the 4 detection commands in Terminal. 'Twould appear that nothing is awry and/or rotten in my iMac. {sigh}
> Software Update identifies my needing Java for OS X Lion 2012-002 and it appears to want to update Java SE 6 to exactly that which the -001 version already. Weird. I'm going to hang loose on this one.
> The CNET review article looks enticing, but I'm awfully skittish about running Terminal.
> If I do anything in Terminal, could I possibly damage/alter my software or hardware in any manner? If so, then I'm not going to attempt it.
Yeah, I noticed that the "new" updated Java had the same version number as the "old" one, so I don't blame you for hanging back until Apple updates its doc and clarifies.
Terminal... If you copy and paste the commands you'll be safe. By way of example, I've run the "search" commands, and they generated the exact output the article said they would...
Artie-s-Computer-4:~ artie$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2012-04-06 06:39:50.014 defaults[784:903]
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Artie-s-Computer-4:~ artie$
CAVEAT: Terminal commands are always subject to typos by their posters, so you can accommodate your skittishness by avoiding the "destroy" commands, if your iMac is, indeed, infected, until you know they've been tested. (I didn't look, but you may find confirmation in the comments appended to the article.)
In closing, though... Both being a bit of a gambler and having a current backup, I've run any number of Terminal commands posted here on FTM, as well as many others gleaned from sources such as MacFixIt - CNET, and the worst scenario I've ever encountered was a command not running.
Edit: Crossed in the mail...good for you! I was terrified of Terminal at first, but I've come to realize that it's both benign and enormously useful.
RE:
> Terminal... If you copy and paste the commands you'll be safe. By way of example, I've run the "search" commands, and they generated the exact output the article said they would...
That's exactly what I did.
Aside: We seem to be running up each other's tailpipes in posting.
Something is very wacky at Apple.
The other software update which popped up yesterday is:
Digital Camera RAW Compatibility Update 3.12
This update adds RAW image compatibility to Aperture 3 and iPhoto '11.
• Canon EOS 5D Mark III
April 05, 2012 - 8 MB
But it too points to a previous update:
http://support.apple.com/kb/DL1513
Digital Camera RAW Compatibility Update 3.11
This update adds RAW image compatibility for the following camera to Aperture 3 and iPhoto '11
• Nikon D800
March 22, 2012 - 7.50 MB
Somebody ain't looking after the shop. And it's way too late for an April Fool's Day prank.
Updates have been linked to outdated Apple docs consistently, although not necessarily universally, for a while, now.
But don't y'all worry, 'cuz "It just works!"
Glad to hear that the Java update issue has been settled (more or less), and that my Terminal guesstimate of the Flashback detection for Firefox was correct. I had run it myself before posting, but since it's a read command a negative result doesn't necessarily mean much.
It's perhaps good to mention again that an additional measure of protection against these variants is afforded by the presence of certain utilities, mostly of the anti-malware or packet sniffer kind. That may not last (and it won't work if you fall for the trojan's request for your password), but at least it's there now for those who are not offered a Java update.
Yu wuz right, re RAW Camera Update 3.12:
Even though it pointed to 3.11 (which, strangely enough, seems to have disappeared from the Support Downloads page), downloading it produced the correct update.
In my case, 7.6MB took 15.5 minutes to download; the last 1MB took 235 sec to download = 4.2 KB/sec.
So, I'm going to wait to get to a high-speed access to download the 'new' Java 2012-002 (if only to see how it might differ from the Java 2012-001 which I installed the other day).
I just d/l'ed from the Apple v 001 page (the v 002 page to which I linked earlier), and got a package identified by Command-I as "Java for OS X 2012-002," the checksum of which differs from that of v 001, so there's apparently some difference between the two.
Web tool checks if your Mac is Flashback-free.
I suppose (hope) this is ok to use, but until I know more about this gang and their bona-fides, a bit of caution can't hurt.
Please, if someone knows the credentials of Dr.Web (as I do not), then enlightenment is indeed most welcome.
Why bother?
How to (Added: find and) remove the Flashback malware from OS X has already been tested...its "search" functionality, anyhow - neither of us had need for "destroy" - by myself and grelber among, I assume, many others.
I agree with Artie here: the 3 Terminal commands provided in his link are easy to run (copy & paste!). No need to involve an unknown entity like Dr. Web. In the rather unlikely case that you should prove positive for a Flashback variant, we'll see about the best way forward.
> the 3 Terminal commands [....]
grelber's reference to four commands confused me until I noticed this:
In addition to the above commands, you can check for the presence of invisible .so files that past variants of the malware create in the Shared user directory by running the following command in the Terminal:
ls -la ~/../Shared/.*.so
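The same four indicator checks that the Terminal commands in this thread read (artie's `defaults read ... LSEnvironment` output above, the Firefox substitution, and the hidden `.so` listing just quoted), as an added example that is not the forum's, F-Secure's or CNET's code. It returns findings as data instead of a "does not exist" message to interpret, and can be pointed at a staged copy of a disk via the `root` and `home` parameters (both this example's own; on a live Mac leave them at their defaults). The `~/.MacOSX/environment.plist` check is the user-level one from F-Secure's published Flashback.K instructions, which the thread links to but does not reproduce.

```python
"""Added example (not the forum's, F-Secure's or CNET's code): the four
Flashback indicator checks the thread runs in Terminal, as a function.

Checks (same indicators the Terminal commands read):
  1. defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  2. defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
  3. defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  4. ls -la ~/../Shared/.*.so
Function names and the root/home parameters are this example's own;
root lets a staged copy of a disk be examined and is "/" on a live Mac.
"""
import os
import plistlib
from typing import Dict, List, Optional

APP_INFO_PLISTS = {
    "safari": "Applications/Safari.app/Contents/Info.plist",
    "firefox": "Applications/Firefox.app/Contents/Info.plist",
}
INJECT_KEY = "DYLD_INSERT_LIBRARIES"  # the variable the trojan sets to load its .so


def load_plist(path: str) -> Optional[dict]:
    """Read an XML or binary property list; None if absent or unreadable."""
    if not os.path.isfile(path):
        return None
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, ValueError):
        return None
    return data if isinstance(data, dict) else None


def injected_library(plist_path: str, nested_key: Optional[str] = None) -> Optional[str]:
    """Return the DYLD_INSERT_LIBRARIES value from a plist, or None.

    In an app bundle's Info.plist the value lives under LSEnvironment
    (pass nested_key="LSEnvironment"); in ~/.MacOSX/environment.plist it is
    a top-level key. A clean install has neither, which is why the Terminal
    command reports that the domain/default pair does not exist.
    """
    data = load_plist(plist_path)
    if data is None:
        return None
    if nested_key is not None:
        data = data.get(nested_key)
        if not isinstance(data, dict):
            return None
    value = data.get(INJECT_KEY)
    return str(value) if value else None


def hidden_shared_objects(shared_dir: str) -> List[str]:
    """Equivalent of `ls -la ~/../Shared/.*.so`: dot-prefixed .so files in /Users/Shared."""
    if not os.path.isdir(shared_dir):
        return []
    return sorted(
        os.path.join(shared_dir, name)
        for name in os.listdir(shared_dir)
        if name.startswith(".") and name.endswith(".so")
    )


def flashback_indicators(root: str = "/", home: Optional[str] = None) -> Dict[str, object]:
    """Run all four checks; an empty dict means none of the indicators is present."""
    home = home or os.path.expanduser("~")
    findings: Dict[str, object] = {}
    for label, rel_path in APP_INFO_PLISTS.items():
        lib = injected_library(os.path.join(root, rel_path), nested_key="LSEnvironment")
        if lib:
            findings[label] = lib
    lib = injected_library(os.path.join(home, ".MacOSX", "environment.plist"))
    if lib:
        findings["user_environment"] = lib
    so_files = hidden_shared_objects(os.path.join(root, "Users", "Shared"))
    if so_files:
        findings["shared_so"] = so_files
    return findings


if __name__ == "__main__":
    hits = flashback_indicators()
    if not hits:
        print("No Flashback indicators found.")
    for where, what in hits.items():
        print(f"{where}: {what}")
```

As with the Terminal commands, this only reads; it removes nothing, and, as noted above for the Firefox case, a negative result only covers the locations these particular variants were known to use.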
From <<http://www.macintouch.com/readerreports/security/topic4832.html#d06apr2012>>:
David Henderson
I found this email at:
http://prod.lists.apple.com/archives/java-dev/2012/Apr/msg00022.html
Java developers,
Today we re-shipped our Java 1.6.0_31 for OS X Lion today to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.
For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.
We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.
Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.
<snip>
Thanks for that. I'll credit it as a semi-reasonable excuse, but only semi, because they could have gotten the word out immediately by including it in the release-note to the Software Update item. (I'm assuming that they didn't...don't run Lion, can't check, and nobody's posted otherwise.)
Dr. Web, "the same Russian security firm that's been tracking the scope and scale of the Flashback malware's spread worldwide," has just turned up on MacFixIt....
In order to do this, it cross-checks your Mac's unique hardware with its own database of machines that have been compromised. If it doesn't find your machine, you're in the clear.
Sorry, but I dunno about that...certainly wouldn't recommend it.
How has Dr. Web accumulated this database?
tacit?
...
For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.
So ... Does this mean that those of us running Lion and who have installed 2012-001 should not install 2012-002, even though Software Update thinks that we should?
> We considered creating a delta update for users who already installed 001, [....]
No, it means you should install it.
Rather than take the time to prepare both an update to 001 for those who've already installed it and 002 for those who haven't, Apple simply released 002, which is applicable to both. 002 is a "combo."
In case you didn't see it, you should be aware of this exchange quoted from MMT3's first linked source:
Ira Lansing
Re:
When I download the installer and open, I get this message;
"There may be a problem with this disk image. Are you sure you want to open it? Opening this disk may make your computer less secure or cause other problems."
Anybody else?
Yes, I saw that as well. I thought it might have been because I stopped and started the download a couple of times and thought I had finished but hadn't. When it was completely downloaded it did go through the installation process with no apparent problems that I could see.
I'm running Snow Leopard, and I got the same warning; it came up before the dmg opened.
Ditto, re 2012-001.
EDIT:
But it didn't happen when I just installed 2012-002.
... if someone knows the credentials of Dr.Web (as I do not), then enlightenment is indeed most welcome.
For what it's worth, there's a dandy little website out there which provides safety/reliability information on other websites: Webutation.net
It touts itself as "Open Website Reputation against fraud & malware".
Review of Dr. Web at www.drweb.com would seem to indicate good things.
I think it would be great if the basic info about this and its removal could be split out and stickied, so we could link to it, perhaps somewhere other than the Lounge.
That's pretty much incorporated in artie's post #21433 (and slightly altered by me herein):
How to [detect and] remove the Flashback malware from OS X
yes, but I'm trying to drive a bit of traffic here. there is also perhaps more information than a casual Mac user would need in that article.
just thinking out loud.
MacWorld compiled a decent summary of the current Flashback trojan story, arguably the worst malware to hit the Mac so far: What you need to know about the Flashback trojan.
For those of you who don't like to use Terminal to check for the Flashback.K presence, there are scripts to perform the check for both Safari and Firefox: Quick Applescript to check your Mac for the Flashback infection. This script is partially based on earlier efforts by Hannes Juutilainen and Patrick Gallagher.
A direct download link to the script here appears not possible, but the download is accessible by pasting the following URL in your browser's address bar and hitting Return:
http://macstuff.beachdogs.org/blog/wp-content/uploads/2012/04/Flashback_checker.scpt_1.zip
or via the link marked 'Flashback Checker Script' immediately above the script window on the first page linked to above.
How to use the script:
- Double-click on script to open Script Editor, then select Run from SE's toolbar.
- Alternatively, you can move Flashback_checker.scpt_1 to the /Library/Scripts folder and access it transparently from the Script menu in the (right side) menu bar.
That link takes me here, a dead end. Can you fix it?
Thanks for the heads-up & sorry for the link failure: my Copy-Paste trial and the initial use of the hyperlink worked OK, but a direct link to http://macstuff.beachdogs.org/blog/wp-content/uploads/2012/04/Flashback_checker.scpt_1.zip is now apparently disallowed, although pasting the URL in your browser's address bar still works. I changed the post above accordingly.
Comments on disabling Java

1. Java in browsers. Perhaps the most important precaution against the latest Flashback trojans for those who cannot update Java (PPC Macs and Macs running on Leopard or older Mac OS X versions), but who still need Java functionality in their browsers to access and use certain web sites, is to disable Java in the browser's preferences during general web browsing. This will block the trojan's main infection vector by preventing Java applet execution. When Java is needed, as for cross-platform functionality like that in certain secure banking sites etc., Java can be enabled for the duration. It would be prudent to make sure that your Mac is not infected with the trojan before you use such banking sites. It wouldn't hurt to verify with your bank if their site is still secure either.

2. Stand-alone Java apps. A secondary recommendation associated with protection against the Flashback trojans is to disable Java on your Mac entirely, using the Java Preferences utility installed in Utilities as part of a Java install. This will prevent local stand-alone Java (dependent) applications from running on your Mac. If you already disabled Java in your browser(s), however, this will not provide any added protection against the current Flashback trojan variants. That said, disabling Java instead of removing it has the advantage that you will still be able to quickly run any Java dependent software you may need, without having to reinstall Java from scratch.

While many users will not be discombobulated by disabling Java entirely, others could be. You can find out which Java dependent apps you have installed by Spotlight-searching for .jar, and checking which app any such file belongs to, using the path provided at the bottom of the Spotlight results window. It turns out that a surprising number of software titles are more or less Java dependent. The following non-exhaustive listing may help to get an idea. Please note that the presence of a particular item doesn't mean it is particularly important (or even current). It's just a set of examples, some of which you may recognize, particularly the ones in bold.
Adobe products such as Flash, Fireworks and Dreamweaver (GoLive)
aMaze
antlrworks
Apache-Tomcat
Apple Disk Transfer ProDOS
Arachnophilia
Art Of Illusion
ATutor
Barcode4J
Birthday
ClickRepair (and other Brian Davies audio utilities)
CMS Made Simple
CompileAndGo
CrushFTP
Cyberduck
Databrid (installer)
DataCrow
DateStamp Batch Stamper
Decrypto
Duplicate Files Searcher
Eclipse
eCueCardsMac
ekspos
Electronics Optimizer
Elite People Search
Elite Video Downloader
Encyclopedia Britannica discs
FilePhile
FoundationStone
Gallery
GIFted Motion
GlassFish Server
GoToMeeting
GraphicConverter
Helma
Home Credit Card Manager
Home Loan Interest Manager
HostMonitor
iDiet
ImageJ
Install_MovieFinder
[installers], various
Interactive 3D Surface Plot
IPMonitor
iTunes Lyrics Locator
iWisdom
JaBack
JAlbum
JAME
JarBundler
JavaEmbeddingPlugin
JJSplit
Jmol
JSubFixer
KemetAPI
Log Parser QL
Mac FLV To Mp3 Converter
Mare Internum
Matrex
MJPEG Lossless Rotate
MM3-WebAssistant
MoneyDance
MRJ Adapter
myPhoneDesktop
Myster PR
Nevitium
Newton-II
NM Collector JE
Obba
OpenDS
OpenMocha
OpenOffice (and other open source application suites)
Osmose
PageSucker
Panther Sleek
PDF OCR X
PMan
PowerFolder
Professional Data Security
PSCafePOS
Puzzle Collection
ReFactorIT
Requiem
Saphe
ScenePainter
Sophie
Space Exploration
Speech and Debate Timekeeper
Stanza
StarLogo
StreamRipStar
StreamTastic
sudokumat
SuperAnalyzer
Timekeeper
TiVo Transfer
TurboTax 2010
U3
UnixExplorer
[updaters], various
VidMasta
vSEC CMS U-Series
Wamcom
WebEdition CMS
WebEx
WebMin
Wireless Link Test
Xerver
XMLSpear
YouTube Downloader
Zumocast
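The Spotlight-for-.jar inventory described in the post above, as a script; an added example, not code from this forum. It walks the application folders, attributes each Java archive to the outermost .app bundle that contains it, and so gives the list of titles that may stop working once Java is disabled in Java Preferences. The search roots and function names are this example's own choices.

```python
"""Added example, not from the forum: a scripted version of the Spotlight
'.jar' search, listing which app bundles contain Java archives so you know
what may stop working when Java is disabled in Java Preferences.
The search roots and function names are this example's own choices.
"""
import os
from typing import Dict, Iterable, List

# Where Mac applications normally live; any directory list can be passed instead.
DEFAULT_ROOTS = ("/Applications", os.path.expanduser("~/Applications"))


def owning_bundle(path: str) -> str:
    """Outermost *.app directory containing `path`; for a loose .jar, its folder.

    Helper apps can nest inside a bundle (Outer.app/.../Inner.app), and the
    user-facing answer is the outer one, so the first .app component wins.
    """
    parts = path.split(os.sep)
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            return os.sep.join(parts[: i + 1])
    return os.path.dirname(path)


def java_dependent_apps(search_roots: Iterable[str] = DEFAULT_ROOTS) -> Dict[str, List[str]]:
    """Map each bundle (or directory) to the .jar files found inside it."""
    found: Dict[str, List[str]] = {}
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().endswith(".jar"):
                    full = os.path.join(dirpath, name)
                    found.setdefault(owning_bundle(full), []).append(full)
    return {bundle: sorted(jars) for bundle, jars in sorted(found.items())}


if __name__ == "__main__":
    for bundle, jars in java_dependent_apps().items():
        print(f"{bundle}  ({len(jars)} .jar file(s))")
```

As the post says of the Spotlight results, a .jar inside a bundle is a hint, not proof: it tells you the app ships Java code, not how much of the app depends on it.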
Application to check your Mac for, and remove if necessary, the Flashback Trojan: Here. But how well this works, and if there are downsides/risks in using this critter, well, the reviews are still forthcoming.
On top of your uncertainty is the fact that this utility leaves the PPC Macs out in the cold. Still, it's an improvement over yesterday and easier than the Terminal approach for most users.
PS, supposedly the current version of the free Sophos Anti-Virus for Mac Home Edition will do the Flashback trojan detection and removal job for both PPC and Intel Macs running Mac OS X 10.4 or higher. I'm sure other malware utilities will follow, if they aren't there already.
Gradually, the ins and outs of the latest Flashback malware outbreak are becoming clearer. In the article Security firm offers more Flashback details, free tools, Dan Moren of MacWorld summarizes some of the findings so far.
Briefly, Kaspersky Labs, a Russia-based computer security company, managed to reverse-engineer the latest Flashback (aka Flashfake) trojan, and in particular the way a computer infected with it (a 'bot') interacts with its command & control server(s). Like Dr. Web (the Russian computer security vendor who first provided numbers of infected Macs) before them, this allowed Kaspersky to impersonate such a C&C server, and eavesdrop on the ongoing communications between Flashback bots and their C&C servers. Such a monitoring setup is called a 'sinkhole'. Since each bot calling 'home' identifies itself with a code incorporating its unique hardware identifier (UUID, see System Profiler), this allows for a bot count. Depending on the exact UUID format used in combination with OS fingerprinting of the bots, this allows a platform estimate (Macs vs computers running another OS). Hence the conclusion that at least 98% of over 600,000 computers infected are Macs.
Another important issue is where exactly those infected computers picked up the Flashback malware. It appears that this is related to the recent and widespread compromise of sites using WordPress, a popular blogging software. While the details of this subversion are not entirely clear, what happened to visitors of affected blogs is: they were redirected to several malicious sites that hosted malware 'kits' including the Flashback trojan. It turns out that the C&C servers of the subverted WordPress blog sites closely match those of the Flashback trojan, clearly suggesting a link between the two.
Kaspersky is now offering an online Flashback check based on the computer's UUID, another downloadable checker-removal utility (Intel only), plus a set of security recommendations for Mac users.
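The sinkhole arithmetic the post describes (one hardware UUID per bot, platform share from the client fingerprint, and the "enter your UUID" lookup that the online checker offers), run over a constructed check-in log, as an added example that is not Kaspersky's, Dr. Web's or this forum's code. The log format, addresses and UUIDs are made up for the example and are not Flashback's real check-in protocol; the point is what the count does and does not tell you.

```python
"""Added example: the sinkhole census and the 'is my UUID in the database'
lookup described in the post above, run over a constructed check-in log.
Not Kaspersky's, Dr. Web's or the forum's code; the log format, addresses
and UUIDs are made up for the example and are not Flashback's real protocol.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

# Constructed sample log, one request per line:
# "<timestamp> <client-ip> <hardware-uuid> <user-agent>".
# Bot 6F1C... checks in twice from two addresses; two bots share 198.51.100.7
# (NAT); one line is a non-bot request with no UUID and must be ignored.
SAMPLE_LOG = """\
2012-04-06T10:00:01Z 198.51.100.7 6F1C2E44-0C0E-4B1A-9B5C-0A1B2C3D4E5F Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2
2012-04-06T10:00:09Z 198.51.100.7 9A7D3B10-55E2-4F0C-8E6A-1122334455AA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.57.2
2012-04-06T10:05:40Z 203.0.113.22 6F1C2E44-0C0E-4B1A-9B5C-0A1B2C3D4E5F Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2
2012-04-06T10:06:02Z 192.0.2.19 C0FFEE00-1234-4ABC-9DEF-00AABBCCDDEE Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19
2012-04-06T10:06:30Z 192.0.2.44 GET /stat HTTP/1.1
2012-04-06T10:07:15Z 203.0.113.80 2B5E0F9C-7A1D-4C3E-8F2A-5D6E7F809A1B Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_8) AppleWebKit/533.21.1
"""


class Beacon(NamedTuple):
    when: str
    ip: str
    uuid: str
    user_agent: str


def parse_beacons(log_text: str) -> List[Beacon]:
    """Keep only lines whose third field is a hardware UUID (a bot check-in)."""
    beacons = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 4 or not UUID_RE.fullmatch(fields[2]):
            continue
        when, ip, uuid, user_agent = fields
        beacons.append(Beacon(when, ip, uuid.upper(), user_agent))
    return beacons


def platform_of(user_agent: str) -> str:
    """Crude OS fingerprint from the client string, as the census needs."""
    ua = user_agent.lower()
    if "macintosh" in ua or "mac os x" in ua:
        return "mac"
    if "windows" in ua:
        return "windows"
    return "other"


def bot_census(beacons: List[Beacon]) -> Dict[str, Set[str]]:
    """One hardware UUID = one bot, whatever its address and however often it called."""
    census: Dict[str, Set[str]] = defaultdict(set)
    for b in beacons:
        census[platform_of(b.user_agent)].add(b.uuid)
    return dict(census)


def mac_share(census: Dict[str, Set[str]]) -> float:
    """Fraction of distinct bots whose fingerprint says Mac."""
    total = sum(len(ids) for ids in census.values())
    return len(census.get("mac", set())) / total if total else 0.0


def is_known_bot(hardware_uuid: str, census: Dict[str, Set[str]]) -> bool:
    """The online 'enter your UUID' check: was this machine seen by the sinkhole?

    A negative answer only means it did not check in while the sinkhole was
    listening, not that it is clean.
    """
    wanted = hardware_uuid.upper()
    return any(wanted in ids for ids in census.values())


if __name__ == "__main__":
    census = bot_census(parse_beacons(SAMPLE_LOG))
    for platform, ids in sorted(census.items()):
        print(f"{platform}: {len(ids)} bot(s)")
    print(f"Mac share: {mac_share(census):.0%}")
```

Counting by UUID rather than by source address is what makes the figure a machine count: the repeat check-in and the two bots behind one NAT address in the sample come out as three Macs, not two or four.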
Something's fishy with that online Flashback check at http://flashbackcheck.com/
I just visited the site and the following came up as part of the home page:
"IMPORTANT JAVA UPDATE
We have checked the version of Java installed on your computer and discovered that you are running a vulnerable version. You should update as soon as possible.
We suggest that you use the Mac OS X automatic software update feature."
Given that I've updated my Java SE 6 twice (2012-001 and 2012-002), unless those updates are defective (which we've all been assured they are not), then the Flashback check site might well be a portal to contaminate one's computer with something nasty.
Anybody want to speculate on what's going on?
I can't say exactly what Kaspersky's web site is checking when you visit it, but it may have been your browser's Java plugin rather than Java itself. Plugins have an update cycle all their own. Assuming your Java update went well and is now up to snuff, that may not be true for your browser's plugin or the plugin database. Search for 'Mama LaGrande Chung' on this reader report page for more details and the associated fix.
Well, if they're claiming to check Java (and not the Java plug-in), then it would give one pause as to how reliable anything they have to say is.
I'm taking a big pass on this one.
Can the world really rely on this UUID # check?
- What's the likelihood that any one particular infected Mac is included in the database?
- Is there any estimate of how many Macs were infected in the earliest days of the trojan's life, prior to its being discovered, reverse-engineered, and having its activity logged, however long that period of time was?
- In the face of Terminal commands, and GUIs therefore, that actually detect the presence of the trojan, what's the point of even wasting your time with such a contraption?
And this... I don't remember in which of the many articles I've looked at this was reported, but I did read that the first thing the trojan does is scan a Mac for particular apps,
Little Snitch likely being the most widely distributed one, and passes by machines that are running any of them.
I don't recall that being mentioned in this thread, and I'm wondering whether it's factual?
Dealing with your questions/comments in sequence:
1. I assume you're referring to the database of Flashback infected computers Kaspersky compiled with their sinkhole approach. Given the fact that the bots regularly contact home, or can be made to do so with appropriate commands, the likelihood that any particular infected Mac is included approaches 100% in a matter of hours
as long as it's running and connected to the internet.
2. An estimate subject to the constraints you list is effectively meaningless. To my knowledge
Dr. Web was the first to come up with numbers of infected Macs, using a sinkhole approach similar to the one Kaspersky used in their confirmation of these numbers. But this was in early April, and candidate Flashback variants have been around for months.
Another aspect of this is the size of the drive-by network of WordPress (and perhaps other) sites that redirected its visitors to the Flashback infection sites. That had to be in place and sufficiently large to be able to quickly build the Flashback botnet we now have (or had, as people are cleaning up). But this number too is an estimate, albeit one that precedes that of the Flashback botnet by a month or more.
3. Your local Flashback detection via Terminal or script is just that: local, and it looks for the actual spoor of the trojan. Kaspersky's UUID-test approach does things in a different way, by checking its database of infected Macs (the ones that called back 'home' or the sinkhole) for the UUID you provide. I wouldn't be surprised if this Kaspersky tool may still claim (for some time at least) you're infected
after you've cleaned the trojan out of an infected Mac. Meanwhile, the database gets updated continually, and cleaned computers will gradually vanish from its rolls as they stop calling back home (with the same caveat as given under #1 above).
The presence of software that makes the trojan erase itself
has been mentioned here before, albeit in passing. More specifically, if you check F-Secure's descriptions (see
this post for the links) you'll find MS Office components listed for Flashback.K, and antivirus utilities etc. for Flashback.I. So, to the extent that these F-Secure descriptions are reliable, it's factual.
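As an added example (not code from this thread, nor Kaspersky's or Dr. Web's), here is how a sinkhole operator might turn bot check-in logs into the bot count, the platform split and the UUID lookup described in the two posts above. The log format, UUIDs and addresses are constructed for the example, and the user-agent fingerprint is a simplification of real OS fingerprinting.

```python
"""Sinkhole census of Flashback-style bots (constructed example).

A sinkhole impersonates a C&C server, so every bot that calls 'home'
reaches it instead.  Each check-in carries the bot's hardware UUID, so
repeated check-ins from one machine collapse into one bot; the user-agent
string serves as a crude OS fingerprint for the platform split.  The log
format, UUIDs and addresses below are constructed for this example and are
not the real Flashback protocol or any vendor's data.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log: timestamp, source IP, reported UUID, user-agent.
# Three distinct Macs (one checks in twice from two addresses, once with a
# lower-case UUID), one Windows client, and one malformed line to be skipped.
SAMPLE_LOG = """\
2012-04-06T10:00:01Z 198.51.100.7 3F2504E0-4F89-11D3-9A0C-0305E82C3301 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
2012-04-06T10:00:05Z 198.51.100.8 A1B2C3D4-E5F6-7890-ABCD-EF0123456789 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.55.3
2012-04-06T10:03:44Z 203.0.113.20 3f2504e0-4f89-11d3-9a0c-0305e82c3301 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
2012-04-06T10:05:12Z 203.0.113.99 0F0F0F0F-1111-2222-3333-444444444444 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19
2012-04-06T11:00:00Z 198.51.100.9 DEADBEEF-0000-4000-8000-000000000001 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3
this line is garbage and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<ip>\S+)\s+"
    r"(?P<uuid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\s+"
    r"(?P<ua>.+)$"
)


def fingerprint(user_agent):
    """Crude OS fingerprint from the user-agent string (simplified)."""
    if "Macintosh" in user_agent or "Mac OS X" in user_agent:
        return "mac"
    if "Windows" in user_agent:
        return "windows"
    if "Linux" in user_agent:
        return "linux"
    return "unknown"


def parse_checkins(text):
    """Yield one dict per well-formed check-in line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield {
            "ts": ts,
            "ip": m["ip"],
            "uuid": m["uuid"].upper(),   # normalise case so one machine is one key
            "platform": fingerprint(m["ua"]),
        }


def build_db(checkins):
    """Collapse check-ins into one record per UUID: the 'infected machines' database."""
    db = {}
    for c in checkins:
        rec = db.setdefault(c["uuid"], {
            "platform": c["platform"],
            "first_seen": c["ts"],
            "last_seen": c["ts"],
            "ips": set(),
            "checkins": 0,
        })
        rec["first_seen"] = min(rec["first_seen"], c["ts"])
        rec["last_seen"] = max(rec["last_seen"], c["ts"])
        rec["ips"].add(c["ip"])
        rec["checkins"] += 1
    return db


def platform_census(db):
    """Bot count per fingerprinted platform (Macs vs other OSes)."""
    return Counter(rec["platform"] for rec in db.values())


def mac_share(db):
    """Percentage of bots fingerprinted as Macs (0.0 for an empty database)."""
    if not db:
        return 0.0
    return 100.0 * platform_census(db)["mac"] / len(db)


def lookup(db, uuid):
    """The UUID check: the bot's record if it ever called the sinkhole, else None."""
    return db.get(uuid.strip().upper())


def active_bots(db, now, window_minutes):
    """UUIDs that called home within the last `window_minutes` before `now`.
    Cleaned machines stop calling back and so drop out of this set over time."""
    window = timedelta(minutes=window_minutes)
    return {u for u, rec in db.items() if now - rec["last_seen"] <= window}


if __name__ == "__main__":
    db = build_db(parse_checkins(SAMPLE_LOG))
    print(len(db), "bots;", dict(platform_census(db)), f"{mac_share(db):.1f}% Mac")
    print("known:", lookup(db, "3f2504e0-4f89-11d3-9a0c-0305e82c3301") is not None)
```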
Thanks for the clarification, but I'm still left wondering:
- Can we be 100% certain that Kaspersky's (or anybody else's) data collection is 100% inclusive...that they haven't missed something somewhere?
- Regardless of 1, why rely on somebody else's computer to tell you whether or not yours is infected when you can so easily make the determination on your own computer?
- All else aside, if your Mac is, in fact, infected, won't Little Snitch invariably alert you by warning you that something is trying to call home (as I've been led to believe is the case with all trojans)?
I saw that earlier, and I just scratched my head wondering what Apple could offer that isn't already out there?
Granted that the source will be as reliable as a source can be, but there've been absolutely no questions raised about the present providers.
This part intrigues me, but it doesn't sound like it would be part of a removal tool:
"In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions," Apple wrote on its Web site. "Apple is working with ISPs worldwide to disable this command and control network."
OK, here goes:
1. AFAICT, the UUID test is solid; the platform test somewhat less so. But there is no way to assess infection in a computer that's off, or not connected to the internet for whatever reason. So no, there's no 100% certainty in this test.
2. The UUID check is just another option offered by a commercial entity, albeit a rather unique one that will certainly appeal to a subset of Mac users out there. So no, it's not strictly necessary, but yes, people will use it. Heck, I did, if only just for giggles.
3. Yes, Little Snitch will let you know who's calling home, and you might notice and even recognize malware comm attempts if you don't respond reflexively to the LS dialogs. But I wouldn't bet the bank on that. In reality, however, you will never see those dialogs, because the mere presence of LS will make the trojan abort its infection procedure and erase itself.
As to Apple offering a detection/removal tool, this has even more of the advantage I mentioned above in item #2: an officially sanctioned tool from 'Olympus' itself. That said, I'd like to point out another aspect of the cleanup effort: it has been mentioned that the proliferation of detection/removal tools opens an opportunity for malicious abuse. It's conceivable that such a tool could harbor malware itself. That suspicion/possibility is less likely with an Apple product.
Thanks for taking the time to address my inveterate curiosity.
I remain inherently distrustful of the UUID test, but I get your "subset" point. (I, too, ran it just to see what it would say.)
And I wonder how many people have gotten caught up in the hysteria despite the fact that they're running Little Snitch, which is why I brought it to the forefront in the first place.
I wonder if Apple's tool will be anything more than another curiosity satisfier by the time it's released?
Has there been any feedback from those who may have used the
F-Secure Flashback Removal Tool?
While it looks like it's a bit early for lots of comments to accumulate at the most likely suspects, there are a few in
this MacInTouch Reader Report of today (April 12), under the heading 'Java'. Note that the fact that the tool requests an admin password makes perfectly good sense from a technical point of view, but the reticent reaction in the comment(s) is understandable too.
... Note that the fact that the tool requests an admin password makes perfectly good sense from a technical point of view, but the reticent reaction in the comment(s) is understandable too.
Ya think?!
You can't make that omelette without breaking some eggs, you know, but who wants to risk throwing in Granny's fine bone china (and who knows what else) as well?
Especially her bank accounts and credit card accounts.
Aside: You know, we need an emoticon for "apoplectic". Any ideas? A popped vein in the forehead might be a challenge.
More Java updates from Apple tonight:
- Security update
Java for OS X Lion 2012-003 including automatic plugin configuration and Flashback removal tool, and
-
Java for Mac OS X 10.6 Update 8.
That's only the article HT5242. There is no associated Java download on the Support Downloads website.
EDIT: I just ran my Software Update which confirms that Java SE 6 2012-003 is available (just not on the Downloads website).
That's correct: the updates are currently available via Software Update only. Presumably Downloads will post them later.
They may be covering their butts by restricting the d/l to Software Update (for the moment) after the last round of confusion. (I don't go that route as a rule, but I guess I will this time.)
Hmmm, I haven't yet found them at Apple's Downloads, but the updates are posted
here (Lion) and
here (Snow Leopard). Looks like the real McCoy.
Your linked MacUpdate page (Snow Leopard) is headed "Update 8," but every doc linked to on the page is headed "Update 7."
On the other hand, the SHA1 check sum posted on that page, which differs from the Update 7 checksum, agrees with the checksum of the d/l I got by clicking on the "Download Now" link, which, I guess, means...something.
I went with Software Update with no ill effects.
Edit: As I was posting, the 1st and 3rd links changed to Version 8, but the 2nd link is still at Version 7.
Edit 2: The freestanding updates just turned up on
Apple - Support - Downloads.
Man, there must be heavy demand for Java SE 6 2012-003.
I'm on a T-base 100 line which normally downloads lickety-split (ie, at many MB/s — in fact, concurrently, I downloaded a 3MB file in less than a half second). It's downloading this sucker at ca 22 KB/s !!!
It's been at it for over a half hour now, and there are still 10 min left to go.
Sheesh.
~~~~~~~~~~
EDIT:
The article HT5242 states that "This Java security update removes the most common variants of the Flashback malware." But after having installed Java SE 6 1.6.0_31-b04-415 (literally uneventfully), no indication was given that it performed such tasks – nothing positive, nothing negative.
Now I ask you: Is that any way to do business?
I also forgot to close my browser (as requested) prior to installation, but the installer didn't chide me for not doing so and didn't balk at installing.
Your linked MacUpdate page (Snow Leopard) is headed "Update 8," but every doc linked to on the page is headed "Update 7."
Except for the MU download link: that one performed as advertised, as did the link to the Lion updater on
its MU page. I made sure of that before I posted those MU links.
I was fully aware of the fact that the Apple links on the MU pages didn't provide access to the new updaters, and neither did a search of Apple's
Downloads, an observation I mentioned in my previous post. Obviously, it was only a matter of time before Apple would post its download links itself.
PS, '
3rd' link?
The MacUpdate page presented a pretty confusing picture at the moment, so I clarified it. ("Visit Developer's Site" + 2 = 3 links.)
These last coupl'a updates have been like a "breaking news" situation.
Apple also released a standalone version of its
Flashback malware removal tool for those running Lion who only recently removed Java, and consequently couldn't use the latest Java updater incorporating this removal tool.
Meanwhile, Apple also released a standalone version of its
Flashback malware removal tool for those running Lion who don't have Java installed, and consequently couldn't use the latest Java updater incorporating this removal tool.
I remain confused. I thought one
could not be victimized by this malware unless he first had Java installed. Is that not true?
Or, is this just for those who got infected and then removed Java?
I thought one could not be victimized by this malware unless he first had Java installed. Is that not true?
Or, is this just for those who got infected and then removed Java?
You're right about Java presence and malware susceptibility. And yes, the users who removed Java only recently constitute the target group. Thanks for pointing out this ambiguity in my post. I have (hopefully) fixed that.
Update: the MacWorld article
Apple offers standalone Flashback removal tool points out another reason for the (non-Java based) stand-alone Flashback removal tool: dealing with (mostly older) variants using non-Java based attack vectors.
The Flashback Trojan sometimes spreads through exploits like the Java vulnerability, but in the past it has spread as a fake Flash player update, which is how it got its name.
There's a bit of a personal history with this for me. For years, I've been at war with the Russian Zlob gang, the people who make the W32/Zlob malware and the Mac DNSchanger (aka RSplug, RSplugin.a, or OSX/Zlob) malware. I've been writing articles about how their malware distribution network works on my blog and in other places, and they've been reading my blog, using keywords and phrases from my blog on malware sites, and occasionally mailbombing me.
At the end of last year, police from many countries raided the Zlob gang and made a bunch of arrests in Estonia. All but one of the suspected members of the Zlob gang were arrested; the one who got away, a Russian, fled back to Russia.
The security articles I've been reading suggest that the Mac Flashback Trojan may have been written by the former Zlob gang member who evaded capture. There are coding similarities between Flashback and DNSchanger, the phony Flash installer that was used to install the DNSchanger malware is identical to the one used to install the first variants of Flashback, and interestingly, the same network of affiliates is being paid to spread Flashback. (In Eastern Europe, organized crime groups often pay people to spread malware. They set up affiliate networks of people who aren't directly part of the organized crime gang, who are given copies of the malware coded with an affiliate ID that they transmit when they infect a computer. The affiliates spread the malware however they can--by hacking legitimate Web sites and planting malware on them, by sending out spam, or by setting up fake sites with keywords that generate a lot of traffic--and are then paid a small fee every time an infected computer connects to a C&C server with their affiliate code.)
While it's difficult to be 100% sure, it *looks* like the guy who escaped capture in Estonia is setting himself up with a new crime gang and is responsible for Flashback.
Linking to malware
prevention detection software described
here.
I just received the following [below the dotted line] and have a sneaking suspicion that it's a phishing expedition and that the sender has had his computer hacked.
Snopes provides no intelligence in this matter.
- - - - - - -
Welcome to The New York Times. You have been provided with a complimentary digital gift subscription that will give you 12 weeks of unlimited access to NYTimes.com and NYTimes smartphone apps. To start experiencing everything The New York Times has to offer, just follow the instructions below.
1. Copy and paste nytimes.com/redeem into the address bar of your Internet browser.
2. If you are a registered NYTimes.com user, please log in. If you are not a registered user, please create a free NYTimes.com account.
3. Enter Complimentary Digital Gift Subscription Code 51dd265c****** and fill out the online form to process your subscription.
Please be reminded that only new subscribers are eligible for this offer. If you have any questions, just call our Customer Care representatives at 1-800-591-9233.
FWIW, the NYT does occasionally offer temporary promotional free full access to their web site instead of imposing an access limit of about 5 articles/day for non-subscribing registered visitors, IIRC. If you're interested, but don't trust the email, try the 800 number to verify the offer.
Anyway, to me this looks like a genuine offer, not a phishing attempt, but checking never hurts.
NYT dialed back their free access at the beginning of April:
"Visitors can enjoy 10 free articles (including blog posts, slide shows, videos and other multimedia features) each calendar month on NYTimes.com, as well as unrestricted access to browse the home page, section fronts, blog fronts and classifieds.
"Your free, limited access resets every month: at the beginning of each calendar month, you'll once again be able to view 10 free articles for that month."
The toll-free telephone number seems to be legit; it's the same one given on their website for Customer Service.
Yowzah. That's what I (ultimately) got from my e-correspondent who forwarded the message from someone else who was trying to give away the 'gift'.
Of course, the 'gift' is just NYT's ploy to glom onto new subscribers and/or mine their IP addresses and such.
Fool me once, shame on you.
Fool me twice, shame on me.
Of course, the 'gift' is just NYT's ploy to glom onto new subscribers and/or mine their IP addresses and such.
Fool me once, shame on you. Fool me twice, shame on me.
The NYT and virtually every newspaper in this country is struggling for financial survival. The techniques they are using to garner new online subscribers are little different than previous marketing campaigns targeting paper and ink subscribers. I don't see the 10
free articles a month as any different than those who read the news above the fold of the paper on the newsstand without buying a paper. Neither do I see any difference in selling their email subscriber list to marketers and selling their home delivery lists to the same marketers.
[Not a reply; just tacked on to last post.]
How to Muddy Your Tracks on the Internet
Kaspersky Lab asked by Apple to advise on OS X security And, in another development,
Kaspersky Lab was not asked by Apple to advise on OS X security. It appears that the original link has been edited and it is now the same as the second link.
This afternoon Apple released a
security update and a
Flashback removal utility for
Leopard (Intel only). Like the previous version for Snow Leopard/Lion, this updater removes older versions of Adobe Flash Player.
As expected, PPC Macs are ignored. MacinTouch's
Security Reader Report includes an interesting item about this and Apple's policy of dropping support for OS X versions more than 2 iterations old. The latter may leave about half of all Macs unsupported (with regard to security updates) when Mountain Lion is released.
> The latter may leave about half of all Macs unsupported (with regard to security updates) when Mountain Lion is released.
When I read that Apple was going to be upgrading OSX more frequently than before, I wondered how legacy versions would fare.
(As, if not more, important is whether support for iTunes...still supported in Leopard (PPC and Intel versions), will be continued?)
Flame virus set to spread like wildfire It is claimed that Flame is "perhaps the most sophisticated piece of malicious software ever designed".
Part of the problem with flash is that adobe insists on using their custom package installers, so they don't even have the option of placing it inside Software Update like they do with printer drivers. Apple's decision to outright disable flash when there's a new version out seems to be very prudent.
I wish they'd make it easier to see that it's been disabled. It appears that users get one warning and that's it, and there's no menu option or anything to indicate it's disabled or where to go to fix it. And adobe's installer writes its own standard from the ground-up for its behavior, so I've been running into users all week that don't understand that the installer hasn't actually finished installing, usually when it is launched right after download and is refusing to run because safari is (surprise!) still running.
The idea that it is "spreading like wildfire," however, is hyperbole; it's actually one of the rarest and least-spreading bits of malware in the world. It's been confirmed to have infected fewer than 1,000 systems; by way of comparison, the OS X Flashback Trojan infected more than 600,000, and W32/Zlob (my own personal favorite) is known to have infected somewhere between 4 million and 5 million. Even specialized, small-scale malware like W32/Asprox, which infects Windows computers running Web server software, infected about 12,000 systems in a single day.
So by way of comparison, not only is Flame not spreading like wildfire, just the opposite--it's extremely narrowly targeted, affecting only carefully selected computers in key industrial applications in certain very highly specific places.
The analysis I've read suggests that while Flame is certainly very highly sophisticated, and was almost certainly financed at a cost of millions of dollars by a governmental agency (Iran is pointing the finger at Israel, but it's not impossible the US was behind it), it isn't the most sophisticated bit of malware ever designed...that would probably be Stuxnet. Flame doesn't seem to spread by several zero-day exploits. Its main claim to sophistication is that once it has infected a system, its operators can upload different modules to the infected computer for different purposes. These modules, written in a scripting language called
Lua, can perform different functions--acting as a keylogger, intercepting email, taking screen shots, deleting files, and so on--but each of those modules is not, of and by itself, that sophisticated.
The idea that it is "spreading like wildfire," however, is hyperbole ....
Of course it is. Editors love 'overstatement'.
Interesting piece in today's New York Times about
Stuxnet and how it was part of a joint US/Israeli attack on Iran's nuclear enrichment facility, and how it was discovered only after a programming error allowed it to infect computers outside the facility.
To be fair, it may be possible that PowerPC Macs are ignored by the Flashback update and removal tool because, to date, no PPC variant of the Trojan has been seen. PowerPC systems are immune to the attack, as the malware is compiled only for Intel processors.
I agree that the Flashback variants to date weren't compiled to run on PPC Macs, and consequently didn't pose a threat there. Should that change though, I'm not so sure it would make much of a difference to Apple's support policy with regard to security updates, which excludes PPC Macs for various other reasons.
On Ars Technica:
Cryptography breakthrough shows Flame was designed by world-class scientists.
"It's not a garden-variety collision attack, or just an implementation of previous MD5 collisions papers—which would be difficult enough," Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. "There were mathematicians doing new science to make Flame work."
Here we go again: Java SE 6 2012-004 1.6.0_33 is now out.
To what end, who knows? I thought that the previous version was the 'ultimate'.
And, man, what a flurry of activity on Apple Support Downloads over the past couple days!
I thought that the previous version was the 'ultimate'.
If that's ever true, it's at best a 'temporary monument'. Consider bug and security fixes, plus 'genuine' improvements.
A new wrinkle:
This update configures web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.
Earlier this week
F-Secure reported the discovery of new, multi-platform Java backdoor malware affecting certain Macs. The Mac version is a PPC binary, meaning that it will run on PPC Macs and Intel Macs with Rosetta installed (Snow Leopard and earlier, and disregarding possible virtualization/emulation under Lion or Mountain Lion).
Yesterday the F-Secure report was picked up on by Mac sites like
MacInTouch and—in more user-friendly detail—
MacWorld. The new malware relies on some social engineering as you need to approve the installation of a Java applet from a questionable source. It was found on a Colombian website, but it is not yet known if that's the only source.
Two more backdoor variants (Crisis and NetWeirdRC) have been described that target multiple platforms, including Mac OS X and (in the case of Crisis) VMWare virtual machines. Both appear derived from commercial remote access tools. While Crisis is disseminated as a Java archive file (.jar) posing as a Flash Player Java applet, it's not yet clear what the main vector for NetWeirdRC is. There is as yet no indication how widespread either one is, and the current threat level is low.
Right on the heels of the Crisis and NetWeirdRC backdoors, another Java exploit appeared a few days ago, targeting the latest Java (7 v1.7). Because Apple has been running behind with Java updates even before leaving them to Oracle (home of Java) altogether,
most Macs are still running Java 6 v1.6, which is not (yet) affected by this malware. MacWorld's Rich Mogul summarized this latest Java exploit, and lists the
salient details for the Mac user.
I am one of those who previously installed Java 1.7.0.x
Now, today, MacUpdate has posted Java SE Runtime Environment 7, v 1.7.0_07.
Is this a fix for the earlier vulnerabilities or will installing this make matters worse?
FWIW, I have Java disabled in Safari & Mail, and use Click To Plugin.
Java's version number scheme is confusing. The vulnerable versions included the first 7 (#00>06) updates of Java 7, v1.7. This is the 8th update (#07), and
is said to contain a patch to stop the current malware (Oracle did not yet provide details about the update). Note that the vulnerability is exploited via the browser, and that Java may
* be disabled there. Apple disabled Java in Safari by default in both Lion and Mountain Lion (required for this version of Java), but it can be turned back on.
*) Ideally it should be 'should' rather than 'may' here: the next vulnerability could be exploited tomorrow, and you don't want to step in it by default.
...the next vulnerability could be exploited tomorrow, and you don't want to step in it by default.
I sure didn't imagine to be literally proven right:
Researchers find critical vulnerability in Java 7 patch hours after release.
Java, apparently, is destined to be one of those apps that is so easily hacked, that patches will be a daily event. Grrrrr.
Indeed, for now, it seems the only recourse is to ensure it is fully disabled.
A pox on all their houses…
Oracle Oracles, on the other hand, are most worthy and we shall sing their praises!
Even though I
think I have my Java locked down, I would manually remove v7, if I could find all the right pieces.
Me wonders why some enterprising chap or chapette hasn't developed a Java 7 uninstaller. Alas, I am of little faith re Oracle rising to that occasion.
But one can check to see if Java is accessible by running the
test applet (at the bottom of the page).
Java will be pretty much history when you remove the folder
/System/Library/Java/JavaVirtualMachines/, or its contents (1.x.0.jdk). If you just want to disable Java, you could open
/Applications/Utilities/Java Preferences.app and uncheck any runtime listed on the
General tab. And, for good measure, don't forget to disable it in your web browser.
For details on cleaning out other Java remnants in Lion (a mostly cosmetic exercise), check out the first answer to
this question.
Because the Java 7 vulnerability is still proof of concept, e.g., no actual virus (yet), and I have disabled all Java settings (including browsers), it is not listed as runtime, I use ClickTo Plugin, and I have verified that the Java test applet won't run, I feel quite secure. Well, subject to change.
Of course, that begs the question: Why even have it? That answer, um, I'm still working on it…
Java ... Why even have it?
There are two reasons you may need Java. The first is that you require access to websites whose functionality depends on Java (e.g., certain banks etc.). The second is that you have a need for stand-alone
* Java apps on your Mac. I've listed some of those in
a previous post.
*)
There are also non-Java applications, that use Java for certain tasks or modules only. These may include initial installation and/or certain functionality of the installed program.
Today, unexpectedly close on the heels of Oracle's recent (and already compromised) Java 7 updater, follow two Java 6 updaters from Apple for
Snow Leopard as well as for
Lion and Mountain Lion. We'll see how long these last.
The Java 1.6 updaters Apple issued earlier this week are subject to
similar caveats as
affected the preceding Java 1.7 updater provided by Oracle. The Oracle patch proved to be buggy and still vulnerable to certain exploits, while Apple's 1.6 updaters apparently do not patch the 1.7 vulnerability that the Oracle updater addressed. To be sure, this vulnerability has to date only been exploited in Java 1.7, and NOT yet in Java 1.6, but it could be.
Hence, all suggestions to secure your Java configuration to your needs are still valid and recommended.
And now, a new wrinkle in the cat-and-mouse game:
For PC Virus Victims, Pay or Else
Earlier today
MacInTouch noted a report from
Sophos dealing with current and expected computer security threats. It may be of interest to regular readers of this thread:
-
Security Threat Report 2013
ya we've seen a recent upsurge in "ransomware" and the "fbi warning" trojans on the pc side as of lately. funny stuff. makes for entertaining phone calls from customers.
For those who like this time of the year to review past issues, here's Rich Mogull's view on
Apple’s Security Efforts in 2012.
If it's entertainment that you seek, watch
this video to the end.
While the iOS world has been relatively clean of malware, it has (had) its share of privacy issues, and so it appears again today. AppleInsider reports that an
iOS 6 bug reenables JavaScript in Safari without user consent. Even though this privacy and security vulnerability doesn't appear to be actively exploited at the moment, it could allow browser fingerprinting of those users who thought they'd stopped that by disabling JavaScript. Not!
Here is some
background information about the latest Java 7 exploit
* of vulnerability CVE-2013-0422, and the
Java 7 Update 11 that patches it. The article also addresses potential issues with the (unrelated) JavaScript and suggests a 'best practice' approach.
*) mentioned
elsewhere in this forum.
The "Best Practices" I keep seeing by the experts on this topic are "java will always have security problems"
I dunno. I generally put Java and Flash in pretty much the same boat that way.
The "Best Practices" I keep seeing by the experts on this topic are "java will always have security problems"
I behave as if that were true, by keeping Java turned off and Flash blocked until I choose to allow it for specific tasks or web sites. But that 'best practice' comment really was about how to deal with JavaScript and
its vulnerabilities. I suppose I could have been more clear about that.
Either Apple's Anti-malware system does not work or the article is inaccurate and misleading. I suspect the latter to be the case.
There are three major Java implementation categories, each with its own characteristics and limitations…
- applications — stand alone programs that run on the computer such as NeoOffice
- applets — that run only within a browser and are not at all the same thing as javascript
- Servlets — that run on a server to provide various functionalities
I have several Java
applications on my Macs including OpenOffice, NeoOffice, MoneyDance, and others used to access specific devices. All of them are working perfectly and I am scrupulous about installing every update that comes along. Therefore, it would appear that although the referenced article is easily interpreted as applying to all three Java implementations, the only ones affected by the OS X anti-malware system are applets. (Thank goodness, because it would take me literally hundreds of hours of work to reconstruct all my financial records to pay last year's taxes if Java were unilaterally cut off, not to mention all my documents that are in ODF format.)
As far as alternaut's concern about JavaScript insecurity goes, that becomes an even more difficult problem to solve as each browser has its own unique implementation of ECMAScript. (Although Mozilla's JavaScript was the original, both it and Microsoft's JScript are officially two of the many dialects encompassed by the ECMAScript standard.) So a vulnerability may exist in the dialect, the standard or, perhaps even more likely, in the particular browser's implementation of the standard. I still run across the occasional web sites that only work if you are using a specific version of Internet Explorer or maybe a Mozilla browser.
Oracle patches security issues with Java 7 Update 13, and I believe whatever the groundhog says tomorrow.
Much to my surprise I was installing Adobe Creative Suite CS 6 on my son's computer today and when I launched the first application, Dreamweaver, the first thing it did was install Java. So here is another case where at least Java applications are unaffected by Apple's anti-malware. Whether there are Java applications embedded in DW or the JVM is there for site development, I have no idea.
Here's a real-world exploit of Java vulnerabilities:
Twitter Hacked: Data for 250,000 Users May Be Stolen.
It looks like "damage control" and attempted cover-ups are not restricted to governments.
Google asks journalists to tone down story of "massive" Google Play security flaw. Fortunately for me, I don't have a cell phone of any description but now I know that I will never trust Google. I ditched Chrome awhile back because of my doubts about privacy.
Take your pick from Chrome's lack of privacy to Safari's
sellout to the "trackers"...
Adobe has issued critical
updates for both Reader and Acrobat versions 9, 10 and 11. Until the updates are installed,
it is advisable to disable JavaScript in Reader and (when optional) enable protected view before accessing PDFs on the internet.
seeing as there'll just be another critical security hole next month/week/tomorrow, it's probably smarter to just leave java off.
Absolutely, but note that in my previous post I was referring specifically to JavaScript in Reader. For many users, that may not be too onerous, but we'd be really hurting if that should ever extend to browsers.
well THAT didn't take long...
http://thenextweb.com/insider/2013/03/01...urity-settings/
You'd think the hackers would have the common courtesy to wait until the most recent 0-day is patched before announcing another one.
ya... I think I'll just leave that OFF.
Today the MacInTouch Reader Report on
Security noted an interesting article about
Who Wrote the Flashback OS X Worm? and why. Another worthwhile read linked to is
Everything We Know About What Data Brokers Know About You.
If this guy is who I think he is, he spent some time working with the DNSchanger/Zlob gang in Estonia. He escaped back to Russia when the rest of the gang was arrested about a year and a half or so ago.
That data article is amazing, scary, and it seems that the only way to stop it would be Orwellian and worse than the sickness.
what a wild world we now live in.
I think the best way to stop it wouldn't be Orwellian at all. I would propose several things:
1. For Russia to make computer malware a crime. Right now, writing malware (even malware designed to steal money) just isn't a crime in Russia. Russian mafia makes more money these days on computer malware than on the normal organized crime trifecta of drugs, prostitution, and extortion; outlawing this activity in Russia would go a long way toward kicking the legs out from under Russian mafia.
2. For Russia to have extradition with the US.
3. For banks and merchant account underwriters to stop processing credit cards for organized crime. A lot of organized crime's revenue stream comes from "ransomware" (malware that encrypts the data on your computer and threatens to delete it if you don't pay a fee) and "scareware" (phony antivirus software that warns you of bogus, non-existent viruses and then keeps bogging your computer down with popup warnings until you pay to "register" the software). Panda Labs estimates that as of 2009, Russian organized crime
was bringing in $34 million a MONTH from fake antivirus malware. Almost all of this money comes from credit card transactions. In 2011, US banks stopped doing business with Russian groups who were collecting money for fake antivirus registrations, but European banks quickly stepped in, often charging 30% or more in fees. The lure of $10 million a month in income was too great to pass up, I suppose. Outlawing credit card processing for criminal activity would do a lot to remove the financial incentive for some forms of malware.
4. Better policing of online ad clicks. The Flashback malware makes money when the virus writers set up Web sites that have ads on them, and then the malware causes infected computers to send bogus "clicks" to the ads. With each bogus click, the malware writers make money. If Google, Doubleclick, and other ad vendors were to implement more proactive monitoring of their ad performance, they could put a stop to it; for example, if a Web site has just one page that's an article in Romanian about artichokes, and somehow it's generating $15,000,000 a month in advertising clicks and 99% of the visitors to the site click the ads, then it doesn't take a rocket scientist to figure out what's happening.
I wasn't thinking so much about the malware thing, more about the data collection by companies that is then sold to other companies. Making a profit from our information seems underhanded to me, but stopping/monitoring the collection of that data is what would be Orwellian.
After reading alternaut's linked article I visited
Rapleaf, which was identified as a company that allows you full access to your records, and after viewing four accounts, one for each of my pertinent e-mail addresses, I found that they think that I'm male...nothing more.
That's only one data collector out of zillions, of course, but it's a nice start.
The article you link to has an interesting comment from an Indian professor about the Chinese hacking 'culture'. The curious (and I'm sure unintended) thing about that comment is that it also seems applicable to similar
spyware activity in India, as exemplified by email-attached spear-phishing malware recently found in Europe.
Perhaps even more than for what it does, this so-called KitM/HackBack/Kumar malware is interesting because it's signed with a valid Apple Developer ID, which bypasses the Gatekeeper security feature in Mac OS X Mountain Lion. The associated 'Rajinder Kumar' ID is another cue to a large cyberespionage campaign that appears to be originating in India, to which KitM has been linked. This campaign has targets of both national interest (Pakistan) and economic interest (Western industries), something so far mostly seen with attacks coming from China.
Sounds about right. The Chinese government doesn't limit its endorsement of hacking to internal matters, either; it actively recruits and pays programmers to create and distribute malware that promotes China's interests abroad, whether that's
targeting pro-Tibet activists worldwide or
attacking US Government sites.
In Eastern Europe, hacking is just as common, though it's almost always organized crime who's doing it and it's almost always done for profit (bank skimming Trojans, botnets, and so on make lots of money for Russian organized crime). In China, the government sees hacking as a way to control dissent at home and gain an advantage abroad.
It's not just china. Governments exist (in theory anyway) to benefit their people. Beyond that, all bets are off, anything is game. That's why we have wars, spies, gitmo, hacking, etc.
I'd imagine hacking is one of the more tame "state-sponsored" antisocial activities done abroad. Every government of reasonable size is doing it, just the same as every sizable government has a network of spies abroad.
"Why are we doing it? It benefits our people. Got a problem with that? If it's benefitting my people, why would I possibly care if you don't like my doing it? I'll try to be a little more discreet, but I'm sure as heck not gonna stop."
Earlier this week
Heartbleed, a 28 months old
flaw in SSL was patched, that '
could allow attackers to monitor all information passed between a user and a Web service or even decrypt past traffic they’ve collected'. Do I hear someone muttering 'NSA' ?
There's little a user browsing the web can do about this, as the bug is located in a library used in the Apache and nginx Web server applications (which need to be updated), but it's something that should give one yet another pause commensurate with the importance the web plays in one's life. I'm sure there's more to come, both with regard to info about this particular issue, and others down the line.
As alternaut noted, there's precious little the end user can do until the various servers affected are repaired.
From the BITS blog at The New York Times:
"The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Changing a password on a site that hasn’t been fixed could simply hand the new password over to hackers. Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue."
I was pleased to note that the version of OpenSSL that ships with Mavericks isn't vulnerable, so those of us running OS X servers need not freak out.
That's a rather tiny spark of light in a very gloomy situation, though.
Slowly, more information about the Heartbeat bug is becoming available. From the various sources I (fairly arbitrarily) picked two for your perusal (and follow-up, when and where warranted):
-
The critical, widespread He...fo safe-
The Heartbleed Bug
It has been noted here and
elsewhere that the SSL flaw didn't affect certain Mac OS X versions, based on the SSL version(s) used there. However, everyone accessing compromised web
servers may still have had sensitive data exposed and should respond accordingly. In addition to keeping track of server update deployment, users may want to update affected browsers and other web apps they rely on. The first (PC-World) article linked to above lists ways to keep track of both update activities.
> Slowly, more information about the Heartbeat bug is becoming available. (Emphasis added)
Congrats on having a healthier heart than all/most/some of the rest of us.
Edit: Oops! I see that Heartbleed actually is a Heartbeat bug. (Good opening, anyhow!)
Didn't think to document where, but I found
this test, which pronounces all my critical financial sites (and FTM) secure.
Didn't think to document where, but I found
this test, ...
Possibly in PCWorld's article (hotlinked in alternaut's earlier post).
Also of interest might be
Heartbleed-Masstest which lists the 'top' 10,000 vulnerable or OK websites at the beginning of the week.
I wonder what the difference is between "No SSL" and "not vulnerable". Do they essentially mean the same thing?
I'm pretty sure that "no SSL" would mean "vulnerable" to all and any information traveling back and forth, since there would be no secure sockets layer (cryptography) of any sort (ie, no https). Not likely that you'd find such on financial websites inter alia.
"No SSL" means the site doesn't use encryption at all (if you try to go to
https://thenameofthesite you won't get anything). Most sites on the Internet don't use SSL because they don't need to--they don't accept credit card information, for instance.
For example, my site at xeromag.com would show up as "no SSL" because there's no security certificate there--I don't sell anything where I need to accept sensitive information. On the other hand, my site at franklinveaux.com does have SSL because I have an ecommerce store there.
"No SSL" means the site doesn't use encryption at all (if you try to go to
https://thenameofthesite you won't get anything). Most sites on the Internet don't use SSL because they don't need to--they don't accept credit card information, for instance.
Okay. Thanks. I had wondered because the Canadian Banking Association announced this morning that no Canadian banks were affected. However, this link had some banks as "no SSL" and others as "not vulnerable".
So, new question….if they don't use SSL, would they have their own encryption to assure the traffic between customer and bank is secure?
So, new question….if they don't use SSL, would they have their own encryption to assure the traffic between customer and bank is secure?
Yes. I checked with a major banking group earlier today on just this issue since nowhere on their website was there any indication of whether the bank's secure banking servers had been affected by the Heartbleed bug. Nor had any assurances been posted that their secure servers were immune to same and safe to use.
The bank advised:
"[Bank] has defenses in place to protect our customers so you can do your banking securely and without risk to your personal data. [Bank] uses secure SSL. Our banking sites and customer data are protected.
"Although we don't recommend any specific actions to bank customers as a result of this vulnerability, we always recommend that customers change their passwords regularly (ie, several times a year)."
According to a number of reports in the Canadian press, no major Canadian bank was affected by the Heartbleed bug. See, for example, the coverage in The Globe and Mail (
www.theglobeandmail.com).
Here are some more Heartbleed updates and tools. Among other things, it looks like it may be password changing time soon for lots of folks. Big time...
-
Healing Heartbleed: LastPas...ability-
How to protect yourself in Heartbleed's aftershocks
Heartbleed's been an open sore for more than two years, already, and there doesn't appear to be any indication that it's been exploited.
It's like the announcement, itself, is its springboard!
And this from the Office of the Superintendent of Financial Institutions (OSFI) via the Financial Post:
Heartbleed bug prompts OSFI to check in with Canada’s banks
Heartbleed's been an open sore for more than two years, already, and there doesn't appear to be any indication that it's been exploited.
Hmmmm. And I was thinking that, if they had been collecting information for the past couple of years, it might come in handy. I could contact the bug designers and ask for some of the passwords I've forgot.
... and there doesn't appear to be any indication that it's been exploited.
At least not on a large scale, it seems. I'd like to point out, however, that there is a continuous and sizeable 'background' of internet hacking/theft going on. While much of that can be attributed to one or the other exploit, it doesn't cover everything else, including Heartbleed. After all, any smoking gun would have to unequivocally link abuse of stolen data with Heartbleed. Unfortunately, that's only indirectly possible (i.e., after abuse pattern analysis), because when used the exploit leaves no traces on affected servers (except, possibly, in custom transaction logs). And, as you suggested, there's not much of a pattern yet.
On the other hand, if someone had indeed stumbled on this flaw and exploited it
*, it's not unreasonable to assume that it probably wouldn't have remained a secret for long.
That said, I'd like to remind you that the flaw can be used to access
already recorded data, as this is not affected by any post-hoc patches applied to the relevant servers. Note that this data may have been recorded in the window between the flaw's recent revelation and its patching, and that window may still be open on servers you have dealt with. This explains the now frequently heard advice to check your financial transactions carefully for unauthorized activity.
*) Despite a comment in an earlier post I didn't mention the possibility here that the NSA knew and kept mum about Heartbleed to be able to exploit the flaw, because I figured that would be beyond the pale even for that organization. It seems I was doubly wrong, and
that now appears to have been the case, although it's been denied by the
White House. If you needed proof that the current policies of US intelligence agencies may cause more damage than they prevent, this could be it.
That said, I'd like to remind you that the flaw can be used to access already recorded data, as this is not affected by any post-hoc patches applied to the relevant servers. Note that this data may have been recorded in the window between the flaw's recent revelation and its patching, and that window may still be open on servers you have dealt with. This explains the now frequently heard advice to check your financial transactions carefully for unauthorized activity.
I'll guess that already recorded data that has not yet been used is not in the hands of outwardly malicious persons, because those guys deal in current info rather than stockpile it and have it go bad.
Data gathered in your "window" (my "springboard" period), though, might (will likely?) result in a flurry of activity before users have secured their situations. (
Happily, your linked Mashable doc reports that all the financial Websites I use are unaffected.)
The interesting thing about OpenSSL is that it's used to secure a huge percentage of the world's ecommerce sites, including some of the biggest powerhouses of the New Economy, yet all 400,000-plus lines of code are maintained by only 4 open source programmers who have a total budget of only a few thousand dollars a year.
One of those four people recently said something to the effect of "hey all you businesses spending millions to fix the problems caused by this flaw--since OpenSSL is vital to your business, how come you don't donate any money to maintaining it?"
I've been waiting for e-mails from Websites on which I do business, and the first one only just got to me...an all-clear from SuperMediaStore.com (from whom I bought DVDs).
I've received neither alerts nor all-clears from any of my financial institutions.
Anybody else?
For those who may have missed it,
LastPass HeartBleed Checker may help.
AgileBits has just published their tool, which can also check SMTP & IMAP URLs.
Here's the Link:
HeartBleed Checker
AgileBits has just published their tool, which can also check SMTP & IMAP URLs.
Here's the Link:
HeartBleed Checker
Thanks for the post/link. It will be interesting to see what, if any, differences result from the two checkers. I suspect/guess they use the same algorithm.
Or, maybe Schrödinger is at play, and it only matters if one views the results.
It's still with us:
Heartbleed isn’t dead — 300,000 servers are still exposed — but here’s how you can protect yourself
It’s been quite a while since this thread saw some activity. So here goes: last January the
CIRCL automatic launch object detection for Mac OS X, a free anti-malware utility was updated. The software is based on an idea by
Topher Kessler, and monitors a number of Mac OS X locations known to have received malware files in past occasions. It’s up to the user to allow or disallow such installs, and provides an early warning for potential malware installation.
Other recent updates for free anti-adware/malware utilities include
AdwareMedic,
Bitdefender Adware Removal Tool,
KnockKnock and
ScamZapper.
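The ALOD approach described above (watching known launch-item locations and reporting new files) can be demonstrated with a small added example; this is not CIRCL's or Topher Kessler's code, and the directory list and sample plist names are assumptions constructed for illustration.

```python
"""Added example (not CIRCL ALOD code): report files added, modified or removed
in Mac OS X launch-item directories between two scans."""
import hashlib
import os
import tempfile
import time
from typing import Dict, List

# Assumed set of persistence locations; the real ALOD may watch a different list.
LAUNCH_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/Library/StartupItems",
]


def _digest(path: str) -> str:
    """SHA-256 of a file, so edits to an existing launch item are noticed too."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(dirs: List[str]) -> Dict[str, str]:
    """Map every regular file under the given directories to its digest.
    Missing directories (e.g. no StartupItems folder) are simply skipped."""
    state: Dict[str, str] = {}
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for root, _subdirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                try:
                    state[path] = _digest(path)
                except OSError:
                    continue  # unreadable file: ignore rather than crash the monitor
    return state


def detect_changes(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two snapshots. New files are the interesting
    case for early warning; modified ones catch tampering with legitimate items."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> Dict[str, List[str]]:
    """Offline demonstration on a constructed temporary LaunchAgents folder.
    Returns base names so the result is independent of the temp path."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = os.path.join(tmp, "LaunchAgents")
        os.makedirs(agents)
        legit = os.path.join(agents, "com.example.legit.plist")  # constructed sample
        with open(legit, "w") as fh:
            fh.write("<plist><dict><key>Label</key><string>legit</string></dict></plist>")
        before = snapshot([agents])
        # Simulate an installer dropping a new agent and altering the existing one.
        dropped = os.path.join(agents, "com.example.dropped.plist")  # constructed sample
        with open(dropped, "w") as fh:
            fh.write("<plist><dict><key>RunAtLoad</key><true/></dict></plist>")
        with open(legit, "a") as fh:
            fh.write("\n<!-- tampered -->")
        changes = detect_changes(before, snapshot([agents]))
        return {k: [os.path.basename(p) for p in v] for k, v in changes.items()}


if __name__ == "__main__":
    print("demo:", demo())
    # Live mode: rescan the real launch directories every 30 seconds and report changes.
    baseline = snapshot(LAUNCH_DIRS)
    while True:
        time.sleep(30)
        current = snapshot(LAUNCH_DIRS)
        diff = detect_changes(baseline, current)
        if any(diff.values()):
            print(diff)
        baseline = current
```

The live loop only reports; deciding whether a new launch item is legitimate is left to the user, as with ALOD.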
I have Adware Medic & Scam Zapper installed. Is that sufficient, or do you suggest CIRCL additionally be installed?
Adware Medic actually removes certain adware on an ad-hoc basis, while Safari extension ScamZapper blocks certain browser popups. CIRCL’s ALOD runs in the background and lets you know if files are about to be installed in locations previous malware has installed components, and leaves you the choice to proceed with that or not. Only the latter two may run simultaneously with normal use. So these utilities do different things and can coexist, at least in principle.
The questions that remain include those about how well these apps play with others. Do they slow down your Mac or web browsing or otherwise negatively affect your computing, and if so, is that interference worth it to you? That’s likely both hardware and OS version dependent, and as such difficult to answer generically. For instance, and FWIW, I haven’t yet noticed anything untoward with ScamZapper and ALOD, or otherwise seen reason to uninstall them, running Yosemite on a retina iMac.
Adware Medic has now been rolled into a new expanded product
Malwarebytes. The UI is the same but the types of undesirable ware it searches for and removes has been expanded.
Thanks for the tip. I decided to give it a try and got a reassuring "Malwarebytes did not find any malware or adware on your system." Of course, this doesn't mean that ongoing vigilance is less, it just means it's nice to have a way to check whether the effort is fruitful.
Adware Medic has now been rolled into a new expanded product
Malwarebytes. The UI is the same but the types of undesirable ware it searches for and removes has been expanded.
The Mac version is on
this page.
Thanks for catching that Ira.
All versions are on the downloads page.
So what's the current take on mac security with firmware modifying malware? I've been seeing a lot of chat recently about a new proof of concept that can just outright replace the firmware on a mac without the usual authentication, about usb devices that can do it ("badusb"), about airgapped access... what's the current state of affairs on OS X security?
OS X 10.10 introduced a simple but catastrophic security hole that gives unauthenticated users sudo access without an administrator password. Needless to say, this allows all kinds of mischief.
This exploit can be leveraged across Thunderbolt connections (fortunately, not USB connections), provided an attacker can get physical access to a Mac and plug a malicious Thunderbolt device into it. With sudo access, you can take any measures, up to and including a malicious firmware update.
OS X 10.10 introduced a simple but catastrophic security hole that gives unauthenticated users sudo access without an administrator password. Needless to say, this allows all kinds of mischief.
You are making me even more glad I am running OS X 10.11
OS X 10.10 introduced a simple but catastrophic security hole that gives unauthenticated users sudo access without an administrator password. Needless to say, this allows all kinds of mischief.
And this hasn't been patched with a security update?
So is Apple abandoning security update for (current os - 1) ?
More information here:
https://blog.malwarebytes.org/mac/2015/07/privilege-escalation-vulnerability-found-in-os-x/
Fortunately, the bug only exists in Yosemite (OS X 10.10), while previous versions of OS X and betas of El Capitan (OS X 10.11) are unaffected.
The bigger problem in this story is the fact that this vulnerability, along with all the necessary information to exploit it, was disclosed by Esser without any effort to alert Apple to the problem. (In his blog post revealing the vulnerability, Esser says “At the moment it is unclear if Apple knows about this security problem or not.”)
Oh, what a nice guy...
Good info, V1, thanks!
Alas, now I wonder if I should or need to remove MalwareBytes Anti-Malware.
Waddya think?
So is Apple abandoning security update for (current os - 1) ?
It appears that the vulnerability doesn't exist in prior OS versions.
... now I wonder if I should or need to remove MalwareBytes Anti-Malware.
Waddya think?
I may be missing something, but I fail to see the logic of removing MAM in this context. After all, MAM is only the messenger here. Shooting it isn’t going to do much for you, quite probably to the contrary. Remember, MAM is essentially a monitor, until you tell it to do something specific. So far, there is no indication that any of its actions are deleterious in and by themselves (other than to the affected malware, that is). Beyond that, just as surgery may require rehab, that may also apply to malware removal, i.e. reinstalling malware-affected software etc.
The problem was partially, but not completely, fixed in 10.10.4. It is completely fixed in 10.10.5, which is now being seeded to Apple developers.
wheeeee! so now they can patch the patch that patched the patch!
Here's another:
New Zero-Day memory injection vulnerability discovered in OS X
Quote:
"As with other exploits for OS X, this does require you download a faulty and malicious program, and then run this program."
As a result, you might be better off waiting for an official fix from Apple, and in the mean time simply observe good computing practices and avoid running any program unless you know exactly where it came from and understand its purpose. By simply doing this, you will be very well protected from this and practically all other exploits for OS X, which similarly require you initially download and run some unknown program.
My my, they certainly do close with quite the broad statement there...
I just checked Malwarebytes Anti-Malware v1.0.2.8, and it checks for Genieo. Well, at least the run routine indicates that it does.
Of course, should such be discovered, the cure/remediation is another issue...
The disclosure of the
KRACK WiFi vulnerability affecting WPA2 WiFi security (read: WiFi using devices) looks like a good occasion to revive this thread. Fixing this vulnerability ultimately depends on software/firmware updates, so keep an eye out for those.
The linked article also contains the following Apple update
Update: Apple said in a statement that all current iOS, macOS, watchOS, and tvOS betas include a fix for KRACK.
Fixing this vulnerability ultimately depends on software/firmware updates, so keep an eye out for those.
Thanks for this. I not only keep up to date but also, when at home, I am tied to an ethernet feed. If I'm away and stuck with wi-fi, I simply do not access my banking; do not use any other sites involving confidential information; do not make any on-line purchases. I use wi-fi at home for my iPad but follow the same rules as when away.
The linked article also contains the following Apple update
Update: Apple said in a statement that all current iOS, macOS, watchOS, and tvOS betas include a fix for KRACK.
Thanks for pointing that out; apparently the article has been updated as new info became available. That said, at this point Apple’s updates are beta stage only and not readily available for the average user: the wait is still for the final versions.
And about as important is the question whether/when Apple will make patches available for its (discontinued) WiFi routers. Of course, non-Apple routers will need to be patched as well.
Keranger: the first “in-the-wild” ransomware for Macs. But certainly not the last. Note that this post is called "sponsored", and that, near the end, there is a link to Bitdefender. Should this be taken with the proverbial grain of salt?
Note that this post is called "sponsored", and that, near the end, there is a link to Bitdefender. Should this be taken with the proverbial grain of salt?
It never hurts to keep that grain of salt in mind, but that being said, this threat is real and people(s computers) do get hit by it, even though the odds may be small. E.g., last week it turned out that
Elmedia software updaters for its Player and Folx software were infected by the OSXProton malware after a hack of the updater server. If you recently updated Elmedia Player and/or Folx, you should definitely make sure you’re not infected. The article I linked to above was published by Malwarebytes Labs, and suggested
Malwarebytes for Mac to deal with the infection. Nothing wrong with that, as long as these things are out in the open for the consumer to decide.
And since we’re on the topic of what to do about such infections, here’s yet another recent link that might come in handy:
What to do when ransomware strikes your Mac.
Security Breach and Spilled Secrets Have Shaken the NSA to Its Core
• Leaks of the National Security Agency’s cyberweapons have damaged morale, slowed operations and resulted in hacks on businesses and civilians worldwide.
• Current and former officials say disclosures by a mysterious group that obtained NSA tools have been catastrophic, calling into question the agency’s value to national security.
Earlier this week Patrick Wardle (
Objective-See) published his 100th blog post
All Your Macs Are Belong To Us about the serious flaw underlying the recent “macOS Gatekeeper Bypass (2021)”, which was fixed by Apple in the macOS 11.3 update. It makes for some interesting reading, to say the least.
That said, note that (the current version of) Wardle’s utility
BlockBlock already provided protection against the current zeroday malware installer exploit(s). In addition to this, he is working on free books under the title
The Art Of Mac Malware, which may be of interest to those of you wanting to know more about this topic.