Posted By: Hal Itosis THE CYBER-SECURITY THREAD - 02/19/10 06:39 PM
 
A recent iPad thread got diverted briefly into an exchange about cyber-security (in the context of maintaining software updates). This inspired YA <excellent post> by tacit.

i think it would be good if we could have one thread to turn to as a resource for such info. Hopefully, this will be it.

In his own online blogs, tacit furnishes a wealth of articles (only three of which i list here):
  1. Polyamory and crime on the Internet -- Dec. 12, 2007

  2. Anatomy of computer crime -- Mar. 26, 2008

  3. More computer crime anatomy -- May 5, 2008


Back in the MFI forums, we were sometimes treated with supplemental threads, such as:
  1. Analysis of virus distribution -- Dec. 13, 2007

  2. Mac virus distributed by Russian Business Network -- Mar. 26, 2008

  3. Well, the Russians are back -- Dec. 27, 2008


As we have learned from the links above, the dangers out there are not limited to pr0n sites or pirate-laden p2p networks... but rather everyday places like google.com, and various "WordPress" forums (who don't update their software and/or take sufficient precautions). The trends tacit taught us about continue today...
  1. Preview to a Possible Future of Rogue AV -- Dec. 2, 2009

  2. Be Careful Clicking on the Google Doodle -- Dec. 15, 2009

  3. Yet Another Reputable Site Asks You to Install Rogue AV -- Dec 18, 2009

  4. Scammers Cashing in on Facebook ‘Un named App’ Hoax -- Jan. 30, 2010

And here's a small item i ran into today: The world is hacked, and it's users' fault -- Feb. 19, 2010

--

Anyway, i hope members will choose to use this thread as a convenient one-stop place where useful security info can be either deposited or easily located.

Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 02/19/10 06:59 PM
For example, this (Mac-oriented) website was quite good (in terms of articles) in the past...

http://blog.iantivirus.com/

...and i believe that's still the case today.

Note however that the name “iAntiVirus” also appears on some sketchy-looking software product, which is *not* related to that blog (afaik).


EDIT: ooops, i guess they're the same?
Hmm, what do you folks think about it?
[the blog was pretty good a ways back.]

Anyway, it is freeware... i just hope it's safe. crazy
[i definitely like ClamXav 2.x myself.]
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 02/20/10 05:43 AM
Wow! A whole new resource for me to ignore. grin

Seriously though... Thanks for starting this thread; may I suggest to the M Squad that it be made "sticky?"
Posted By: cyn Re: THE CYBER-SECURITY THREAD - 02/21/10 04:47 PM
I split a branch of replies off to a separate thread so this one can stay focused on the subject of cyber security. I might end up moving the new one to FineTunedMac Feedback, but for now at least it's here in the Lounge: Discussion about "THE CYBER-SECURITY THREAD"
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 02/22/10 04:59 AM
Hmm, anyone ever heard of this?

• Trusteer   (Rapport)

I've poked around and read parts of the FAQ, but if someone could assess its value to Mac users and summarize how we would use it (or whether we should bother with it), i'd be interested to learn more.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 02/22/10 06:45 AM
tacit, I'm wondering if you missed the question I posed in my original response to this post, namely, which, if any, of your three "how-they-do-its" is of the nature that it can be prevented by an existing or future Apple Security Update?

Or, on the other hand, are they all simply "user beware" type threats?

(I'm trying to put your post into perspective with the rest of the discussion.)

Thanks.


Edit: This was originally a response to tacit's reply in "iPad" (the same "<excellent post> by tacit" that Hal referred to in his opening post of this cyber security thread).
Posted By: Bensheim Re: THE CYBER-SECURITY THREAD - 02/22/10 05:09 PM
Originally Posted By: Hal Itosis
Hmm, anyone ever heard of this?

• Trusteer   (Rapport)

I've poked around and read parts of the FAQ, but if someone could assess its value to Mac users and summarize how we would use it (or whether we should bother with it), i'd be interested to learn more.


Thread about this here

I eventually signed up just to shut them up / stop them nagging me every time I logged in.

Interestingly, it's attached to my ID, not to my computer. How do I know this? Because I went into on-line banking from another computer. No nagging, Rapport already "loaded".

As to whether it's any use or not, I cannot tell from this end.

Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 02/22/10 08:15 PM
Originally Posted By: artie505
tacit, I'm wondering if you missed the question I posed in my original response to this post, namely, which, if any, of your three "how-they-do-its" is of the nature that it can be prevented by an existing or future Apple Security Update?

Or, on the other hand, are they all simply "user beware" type threats?

(I'm trying to put your post into perspective with the rest of the discussion.)

That's hardly the point, nor does it belong in this iPad thread (as presented).

If we both visit some page and click on some link which contains code exploiting some vulnerability for which my OS/browser has been patched and yours hasn't... then your computer will crash (or whatever), and mine won't. It's really really really simple: known weaknesses get patched... and there is zero wisdom involved in not updating. We could argue about whether or not that page actually exists and whether or not we might actually click that link, and conclude that it probably won't ever happen (and so the extra security may not be needed "necessarily")... but that's not a very meaningful discussion.

Supplemental reading:
edit: note that, on those 3 pages there, the phrase “arbitrary code execution” is a euphemism which (more often than not) actually means a cleverly crafted script could run (likely with root privileges, and thus do whatever it wants to).
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 02/22/10 09:13 PM
> That's hardly the point, nor does it belong in this iPad thread (as presented).

My bad... I should have posted, with a link, in the other thread. I posted to tacit in the thread in which he posted.

And it is the point, because I posed a clarification question, not one about security.

Edit: You're saying then that the situations described in tacit's post are of the nature that's addressed by security updates?
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 02/23/10 12:25 PM
Originally Posted By: artie505
Just to be certain, though, which, if any, of your three "how-they-do-its" is vulnerable to an Apple Security Update?


Any of them.

The people, usually Eastern European organized crime, who distribute malware via compromised Web sites or poisoned banner ads will often rely on known security vulnerabilities in popular Web browsers or plugins in order to download malware.

Once you have ended up on an attacker's site, whether that's by a poisoned banner ad or by clicking on a seeded link in Google or whatever, the site will often attempt an assortment of different exploits. It may try to exploit holes in the Flash player plugin, for instance (that's one I'm seeing a lot of lately--on Macs it just crashes the browser, on Windows it silently downloads and runs malware); or it might try to exploit known flaws in known browsers (like Internet Explorer flaws); or it might try to exploit something like a RealPlayer security hole. If all of those fail, it will try to trick you into downloading and installing the malware yourself.

Apple security updates will fix flaws in the browser and often will include third-party software or plugin fixes as well. For example, the update that just came out earlier this year fixes flaws in the Mac version of the Adobe Flash plugin. Even though Apple didn't write the plugin, they included the security fix as part of the general security update.

So to answer your question directly, security updates can mitigate Web attacks regardless of the mechanism used to get you onto the attacker's page.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 02/24/10 09:19 AM
Thanks, tacit, for continually sharing your in-depth knowledge of this subject. smile

Last link in this particular chain...

> It may try to exploit holes in the Flash player plugin, for instance (that's one I'm seeing a lot of lately--on Macs it just crashes the browser, [....]

Will running ClickToFlash, which prevents Flash content from loading, prevent such exploits?
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 02/25/10 05:27 AM
Yes. The exploit works by loading a poisoned SWF file that contains special code which crashes the Flash player (and, on a Windows machine, allows the execution of arbitrary code). Applications which block Flash code from loading will mitigate against this kind of attack.
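The two posts above turn on one practical point: a blocker like ClickToFlash is only as good as its ability to recognise Flash content, and a poisoned SWF on a compromised site need not arrive with a .swf extension or an honest Content-Type. The following is an added example (not code from the thread, from ClickToFlash, or from any project mentioned here) that classifies an HTTP response by the SWF signature and header fields defined in Adobe's file-format spec rather than by what the server claims, and flags the two things a detection pipeline cares about: SWF served under a lying content-type, and a header whose declared length disagrees with the body. All sample responses are constructed inline (valid headers followed by filler, not real movies).

```python
import struct
import zlib

# SWF signatures from the Adobe SWF file-format spec: "FWS" is uncompressed,
# "CWS" is zlib-compressed (SWF 6+), "ZWS" is LZMA-compressed (SWF 13+).
SWF_MAGIC = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(body: bytes):
    """Parse the 8-byte SWF header: signature, version, declared total length
    (little-endian; counts the header plus the *uncompressed* body).
    Returns a dict, or None when the bytes are not a SWF at all."""
    if len(body) < 8 or body[:3] not in SWF_MAGIC:
        return None
    compression = SWF_MAGIC[body[:3]]
    declared_len = struct.unpack("<I", body[4:8])[0]
    info = {"compression": compression, "version": body[3],
            "declared_len": declared_len, "actual_len": len(body), "length_ok": None}
    if compression == "none":
        info["length_ok"] = declared_len == len(body)
    elif compression == "zlib":
        try:
            info["length_ok"] = declared_len == 8 + len(zlib.decompress(body[8:]))
        except zlib.error:
            info["length_ok"] = False
    # LZMA ("ZWS") bodies are reported but not inflated here; length_ok stays None.
    return info


def should_block(headers: dict, body: bytes):
    """Decide from the bytes whether a response carries Flash content.
    Returns (block, reason). The policy is the one the thread recommends
    (block all SWF); the reason separates honest Flash from content that
    lies about what it is, which is the useful signal for detection."""
    info = parse_swf_header(body)
    if info is None:
        return False, "not a SWF"
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "").lower()
    if "x-shockwave-flash" not in ctype:
        return True, "SWF body served as '%s' (content-type mismatch)" % (ctype or "none")
    if info["length_ok"] is False:
        return True, "SWF header length does not match body (truncated or crafted)"
    return True, "Flash content (policy: block all SWF)"


# Constructed sample responses: syntactically valid SWF headers plus filler.
def make_fws(version: int, payload: bytes) -> bytes:
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(payload)) + payload


def make_cws(version: int, payload: bytes) -> bytes:
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(payload)) + zlib.compress(payload)


SAMPLES = {
    "honest_flash": ({"Content-Type": "application/x-shockwave-flash"}, make_fws(10, b"\x00" * 20)),
    "swf_as_gif": ({"Content-Type": "image/gif"}, make_cws(10, b"\x00" * 40)),
    "lying_length": ({"Content-Type": "application/x-shockwave-flash"},
                     b"FWS\x0a" + struct.pack("<I", 9999) + b"\x00" * 20),
    "real_gif": ({"Content-Type": "image/gif"}, b"GIF89a" + b"\x00" * 10),
}

if __name__ == "__main__":
    for name, (headers, body) in SAMPLES.items():
        print("%-13s -> %s" % (name, should_block(headers, body)))
```

Run it as a script to see the four verdicts. The design choice worth noting is that the decision never consults the URL or the Content-Type to decide *whether* something is Flash; those are only used afterwards to explain why a block happened, so a SWF renamed to .gif on a compromised site is caught the same way as an honest one.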
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 02/25/10 07:11 AM
Thanks! smile
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/01/10 10:33 PM
Eight "zero-day" flaws surface in Apple Safari [i haven't read it yet.]
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 03/03/10 07:20 AM
Thanks for the link. There's not really much to read, but I did find the info that there's "a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors" interesting.

I guess my neck is now stretched 8 notches longer than it used to be stretched. crazy
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/12/10 06:50 AM
Originally Posted By: Hal Itosis

I suppose Safari 4.0.5 may address some of those.

[hello... anybody? wink ]
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 03/12/10 10:24 AM
Quote:
[hello... anybody? wink ]


Dare I say it? wink
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/19/10 10:38 PM
Perhaps not Safari-specific (or "cyber" related even), but...

• Charlie Miller to reveal 20 zero day security holes in Mac OS X

... i guess we'll have to wait and see what the world is permitted to learn.
[in the past, actual "how-to" details have been kept (more-or-less) private.]


EDIT: here's the original article at the "Heise Media" website:
Mac OS X: "safer, but less secure" -- March, 18 2010


EDIT#2: and here are the rules/gameplan for the upcoming (March 24th) event:
Pwn2Own 2010
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 03/20/10 03:38 AM
Charlie Miller to reveal 20 zero day security holes in Mac OS X

100% of which will require having physical access to the computer and a local account to login to. They usually leave that factoid out until they show them off. When someone comes up with a network exploit, I'll pay more attention.
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/20/10 04:04 AM
Originally Posted By: Virtual1
Charlie Miller to reveal 20 zero day security holes in Mac OS X

100% of which will require having physical access to the computer and a local account to login to. They usually leave that factoid out until they show them off.

Not true.

This is the same guy as the last few years, and all previous reports used words to the effect:
• The MacBook was able to withstand external network attacks.
but then later on...
• [ . . . ] with the interaction of a user who surfed to a specially crafted website.

Sorry but, that's not physical access in the sense that the term "physical access" is normally used. If simply visiting a webpage can infect a computer, then that's a serious problem (imho). Trying to lump that sort of weakness under "physical access" is a prevarication.


More past clips...

Pwn2Own 2009: Safari, IE 8 and Firefox exploited -- March 2009
Quote:
Security researcher Charlie Miller, in a repeat performance of last year, used a prepared exploit to crack the Safari web browser on a MacBook running the latest version of Mac OS X, in a matter of seconds. The exploit won him $5,000 and the MacBook. According to CNet Miller said that he used a security hole which he discovered last year that allows a remote attacker to gain control of a machine when a user visits a malicious URL. Last year Miller also cracked Safari in a few minutes and won a MacBook Air and $10,000 in prize money.


MacBook Air first to be cracked at PWN to OWN hack competition -- March 2008
Quote:
Of three laptops to be hacked, a MacBook Air with Mac OS X 10.5.2 was the first to fall victim to crack attempts of participants in the PWN to OWN contest at CanSecWest. The laptops running Windows Vista SP1 and Ubuntu 7.10 remain uncompromised. According to information provided by organisers of the TippingPoint competition, Charlie Miller, Jake Honoroff and Mark Daniel of security service provider Independent Security Evaluator were able to take control of the machine through a hole in the Safari web browser. The vulnerability has supposedly not yet been made public and is still under wraps until Apple is able to provide a patch. In addition to $10,000 prize money, the winners also get to keep the MacBook as a bonus.


Hack-a-Mac - security vulnerability found in Apple's Safari -- April 2007
Quote:
As part of the Hack-a-Mac "PWN to own" competition at the CanSecWest security conference, two competitors succeeded in hacking a fully patched MacBook Pro running Mac OS X 10.4.9. They did not, however, penetrate the computer directly, rather they exploited a vulnerability in Apple's Safari web browser. On visiting a website prepared by the hackers, malicious code was injected onto the MacBook and executed with user privileges.

crazy


Originally Posted By: Virtual1
When someone comes up with a network exploit, I'll pay more attention.

Well the local ones are no party either, especially if they give admin->root escalation. Because that's the first place a hacker will head, once they poke through one of these little backdoors in Safari.

But don't worry, i'll keep you posted from now on. cool
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/21/10 07:06 AM
Wow... interesting article (all on one page too):
http://www.sans.org/top-cyber-security-risks/
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/25/10 04:23 AM
Wakey wakey, eggs and bakey...

ZDNet:

Computerworld:
Posted By: kiwichris Re: THE CYBER-SECURITY THREAD - 03/26/10 12:20 AM
Interesting article on inside a global cyber crime ring. Wondering should i copy and paste the whole article?

http://tvnz.co.nz/technology-news/inside-global-cybercrime-ring-3431576
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 03/26/10 01:03 AM
Originally Posted By: kiwichris
Wondering should i copy and paste the whole article?

Hi Chris, and thanks for that link. You did the right thing by posting it rather than copying the page's contents into your post. The latter might infringe on copyright, and for that reason is not recommended. cool
Posted By: kiwichris Re: THE CYBER-SECURITY THREAD - 03/26/10 01:24 AM
Thanks alternaut, I am not sure how long TVNZ leaves web pages and items like that up, hence the query on copy and paste. laugh
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 03/26/10 11:02 AM
My 3 cents worth ...

Back in the MFIF days when this policy was initiated (for exactly the reasons given by alternaut) it yielded the additional benefit that tons/tonnes of articles originating from other sources would no longer have to be stored on MFIF's (and now FTM's) server.
Moreover, nothing disappears from the InterWeb. Even if TVNZ doesn't leave such pages up, usually Googling it will bring up a cached version (ie, Google saves everything — I was even able to dredge up a disgruntled employee's diatribe against a former employer which had been removed by management on kijiji months earlier because it was defamatory).
Posted By: kiwichris Re: THE CYBER-SECURITY THREAD - 03/27/10 03:51 AM
Originally Posted By: grelber
My 3 cents worth ...


Moreover, nothing disappears from the InterWeb.


I was not aware of that, thanks.
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/27/10 06:58 AM
Originally Posted By: kiwichris
Originally Posted By: grelber
Moreover, nothing disappears from the InterWeb.


I was not aware of that, thanks.

http://en.wikipedia.org/wiki/Wayback_Machine
http://www.archive.org/web/web.php
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 03/27/10 03:47 PM
good article, full of interesting details and yet not too geeky for most to read
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/29/10 07:36 PM
Apple Mac OS X - 10.6.3
Snow Leopard operating system.

Apple Security Update - 2010-002

For Leopard Mac OS X 10.5.

Both OS versions share the same security page: http://support.apple.com/kb/HT4077

HELLO...
11 instances of the string “working with TippingPoint's Zero Day Initiative” appear in that kbdoc!!!!!!!!!!!11
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/31/10 10:55 AM
Originally Posted By: Hal Itosis
11 instances of the string “working with TippingPoint's Zero Day Initiative” appear in that kbdoc!!!!!!!!!!!11

Yesterday brought 10 more ZDI-assisted fixes (among others) in QuickTime 7.6.6.

So then... 21 total would seem to cover the 20 mentioned by Miller (hopefully).
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 03/31/10 05:14 PM
I'm all for encouraging "responsible disclosure", as long as the fixes are timely. It's when someone "responsibly discloses" a bug to the manufacturer, and half a year later it's still not fixed, and so the guy goes public, causing hysteria, and the manufacturer snipes back in a public response, crying about his lack of "responsible disclosure". You lose the right to cry Use Public Disclosure when you drag your feet on it.

When someone fixes things quickly in response, that's how things should work.
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 04/15/10 01:35 PM
Originally Posted By: Hal Itosis
Originally Posted By: Hal Itosis
11 instances of the string “working with TippingPoint's Zero Day Initiative” appear in that kbdoc!!!!!!!!!!!11

Yesterday brought 10 more ZDI-assisted fixes (among others) in QuickTime 7.6.6.

So then... 21 total would seem to cover the 20 mentioned by Miller (hopefully).

Yesterday's Security Update 2010-003 mentions Charlie Miller by name (along with "TippingPoint's Zero Day Initiative"), bringing the count to 22 tweaks apparently related to that particular event.


Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/22/10 07:46 AM
One thing on which I've never been clear... Are all the security holes on which these exploits are based present in non-current versions of OS X/Safari/QuickTime/etc, or do they exploit newly introduced holes?

Thanks.
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 04/22/10 05:10 PM
Originally Posted By: artie505
One thing on which I've never been clear... Are all the security holes on which these exploits are based present in non-current versions of OS X/Safari/QuickTime/etc, or do they exploit newly introduced holes?

Pretty much mostly the former.


--

In other news (file under irony): Thousands believed affected by faulty McAfee virus update
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/24/10 08:04 AM
Originally Posted By: Hal Itosis
Originally Posted By: artie505
One thing on which I've never been clear... Are all the security holes on which these exploits are based present in non-current versions of OS X/Safari/QuickTime/etc, or do they exploit newly introduced holes?

Pretty much mostly the former.

That's interesting, because:
  1. I've always assumed that these exploits are discovered by people scrutinizing new incarnations of OS X and apps, and
  2. It suggests that at least some of the exploits address security holes that have been around (perhaps waaay) longer than I'd thought.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/24/10 08:15 AM
(Responding to this post merely as a matter of convenience.)

Edit: Oops! I was thinking of Panther's 10.3.9.

Sorry!
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 04/24/10 05:52 PM
Pretty much all of these "we're going to expose security holes in public next week" things do involve new "zero day" bugs. No one pays them any attention if they aren't demonstrated on fully patched, up-to-date systems.

Almost all of the holes I've seen lately involve a standard user logging in and running a program or visiting a web site, and as a result, getting a root shell on the machine (local program) or leaking information (browser). While these aren't good things, they're much more benign than remote exploits, the things that make for worms.

The majority of the web browser issues are via Java or Adobe plugins. Too bad Safari doesn't properly sandbox those things... they're notorious for giving Safari a bad rep for security. (though QuickTime certainly has its fair share... QT itself should also be sandboxed imho)

Also, most of them are of the "denial of service" variety, meaning they cause something to crash. In all but a few cases, these crashes are difficult to exploit to get something useful like a root shell.
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 04/24/10 06:13 PM
Originally Posted By: artie505
That's interesting, because:
  1. I've always assumed that these exploits are discovered by people scrutinizing new incarnations of OS X and apps, and
  2. It suggests that at least some of the exploits address security holes that have been around (perhaps waaay) longer than I'd thought.
  1. wrong
  2. right

__


In other news: Cryptographer (and OS security expert) Callas joins Apple
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/25/10 06:02 AM
Originally Posted By: Hal Itosis
Originally Posted By: artie505
That's interesting, because:
  1. I've always assumed that these exploits are discovered by people scrutinizing new incarnations of OS X and apps, and
  2. It suggests that at least some of the exploits address security holes that have been around (perhaps waaay) longer than I'd thought.
  1. wrong
  2. right

Do Hal's "wrong" and "right" contradict your "Pretty much all of these "we're going to expose security holes in public next week" things do involve new "zero day" bugs. No one pays them any attention if they aren't demonstrated on fully patched, up-to-date systems?"
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 05/14/10 01:30 AM
Tales from the Darkside:

New malware attack laughs at your antivirus software

Windows 7 "Compatibility checker" is a trojan

/posted from my iPod.

Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 06/03/10 03:16 AM
Screensavers concealing spyware

Intego blog

/posted from my iPad.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 06/03/10 12:47 PM
Originally Posted By: Hal Itosis

In this context, various posts in MacInTouch's Security Reader Report are relevant. Among others, I found Gregory Tetrault's comments especially interesting, suggesting that—apart from the clear threat potential of this 'bundled spyware' route—Intego press releases can be seen as something of a hype by an interested party.

Note in this context that Intego retracted an initially published list of 'compromised' software after stating there were multiple instances of this issue when in fact they had found only one. This list has now been published in the recently edited MacUser article you linked to (the list did not appear in the original version of the article, only a link to the Intego press release containing it, the one that was later retracted by Intego). Moreover, if Tetrault's observations are correct, the installation of spyware items 'bundled' with the listed packages can easily be avoided.

The reader report also contains posts discussing diagnosis (e.g., searching a suspected volume for 'PremierOpinion'), repair and possible prevention (Little Snitch port monitoring, taking care while installing the 'carrier' software).
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 06/03/10 02:17 PM
Originally Posted By: alternaut
Among others, I found Gregory Tetrault's comments especially interesting, suggesting that—apart from the clear threat potential of this 'bundled spyware' route—Intego press releases can be seen as something of a hype by an interested party.

Well i agree there... i'm no fan of Intego, i don't use it and i don't recommend that anyone else use it. (ClamXav is more my speed).

Nonetheless, i still find this particular screensaver/trojan rather suspicious (especially in the admin password request department).

Here is Intego's update posted yesterday:
Originally Posted By: Intego
Intego has been monitoring the actions of the different versions it has found of this spyware. It has discovered that, after a certain time, the spyware makes an “upgrade” and installs another application, which is another variant of the same spyware, called PermissionResearch. (It is also possible that further versions of this spyware will upgrade themselves to other variants.) Intego has updated its threat filters today (June 2, 2010) to improve proactive detection of this type of spyware. We strongly recommend that all VirusBarrier X5 and X6 users update their threat filters as soon as possible.


And also: some place called Hardmac has posted the "terms of agreement" between the user and some company called VoiceFive.

idunno... perhaps they don't harvest credit card numbers, but it still smells rotten somehow.

Albeit, very sugar-coated: http://7art-screensavers.com/Mac_OS_X.shtml   (vomit)
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 06/03/10 04:46 PM
I absolutely agree about the less than user-friendly approach of the spyware distributor, aided and abetted by the original software publisher (7Art). Anyone used to simply hit Return during the installation of ‘regular’ software stands a good chance of installing ‘bonus’ material of the spyware kind. Requiring an admin password for software that doesn’t need it (i.e., the screen saver, not the spyware) is bad manners and a clear sign of potential danger to the educated user.

Unfortunately, not everyone is sufficiently alert all of the time, so inadvertent installs will increase with this setup. Since the software involved seems to be exclusively freeware, at least you’re not paying for the VoiceFive privilege. Still, the main reason to mention Tetrault’s experience was to point out that it’s apparently possible to install the main software of a 7Art package while avoiding that of bonus material like this spyware.

Of course, the main importance of this issue in this tabnabbing week is the addition/improvement of yet another route for distributing malware, and in that sense Intego’s alert is appreciated.
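alternaut's post above mentions the diagnosis side of this (searching a suspected volume for 'PremierOpinion', watching ports with Little Snitch), and the Intego update quoted a post earlier adds a second name, PermissionResearch, that the first variant upgrades itself to. The following is an added example of that search written out, not code from the thread or from Intego. It walks a volume for file and folder names carrying the three indicator strings the thread names (PremierOpinion, PermissionResearch, VoiceFive) and, separately, reads the launchd job definitions in the standard persistence folders, because a job can sit under an innocuous file name while its ProgramArguments point at the spyware binary. The "infected volume" is a temporary directory the script builds itself; the job names and paths in it are made up for the demonstration.

```python
import os
import plistlib
import tempfile

# Indicator strings named in the thread (Intego's alert and the MacInTouch reports).
INDICATORS = ("premieropinion", "permissionresearch", "voicefive")

# Standard launchd persistence locations, relative to a volume root or a home folder.
LAUNCH_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")


def name_matches(text: str) -> bool:
    low = text.lower()
    return any(ind in low for ind in INDICATORS)


def scan_launch_plist(path: str):
    """Hits inside a launchd job definition: Label, Program, ProgramArguments.
    A job can carry an innocuous file name while pointing at the spyware binary."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:              # not a plist, or unreadable: nothing to report
        return []
    fields = [str(job.get("Label", "")), str(job.get("Program", ""))]
    fields += [str(arg) for arg in job.get("ProgramArguments", [])]
    return [f for f in fields if name_matches(f)]


def hunt(root: str):
    """Walk `root` and return sorted (kind, path, detail) findings:
    'name' for a file or folder whose name matches an indicator,
    'launchd' for a job in a launchd directory that references one."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name_matches(name):
                findings.append(("name", os.path.join(dirpath, name), name))
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel.endswith(LAUNCH_DIRS):
            for name in filenames:
                if name.endswith(".plist"):
                    path = os.path.join(dirpath, name)
                    for hit in scan_launch_plist(path):
                        findings.append(("launchd", path, hit))
    return sorted(findings)


def build_demo_volume() -> str:
    """Constructed stand-in for an infected volume (a temp dir), so the hunt runs offline.
    The job label and install path are invented for the demo."""
    root = tempfile.mkdtemp(prefix="hunt-demo-")
    agents = os.path.join(root, "Library", "LaunchAgents")
    support = os.path.join(root, "Library", "Application Support", "PremierOpinion")
    os.makedirs(agents)
    os.makedirs(support)
    with open(os.path.join(agents, "com.innocuous.updater.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.innocuous.updater", "RunAtLoad": True,
                       "ProgramArguments": ["/Library/Application Support/PremierOpinion/PremierOpinion"]}, fh)
    with open(os.path.join(agents, "com.example.benign.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.benign", "ProgramArguments": ["/usr/bin/true"]}, fh)
    return root


if __name__ == "__main__":
    for kind, path, detail in hunt(build_demo_volume()):
        print(kind, path, detail)
```

Point it at "/" and at each user's home folder on a real machine (the launchd folders exist at both levels). A name search alone would have missed the demo's persistence entry, which is the reason the plist contents are read; the Little Snitch angle from the thread complements this by catching the outbound connections of a binary that has been renamed to dodge both checks.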
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 06/10/10 10:46 AM
Think i'll post this news here instead, because (so far) the real culprit seems to be AT&T:

AT&T's Worst Security Breach: 114,000 iPad Owners Exposed

Originally Posted By: Talking Points Memo
Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application.

To make AT&T's servers respond, the security group merely had to send an iPad-style "User agent" header in their Web request. Such headers identify users' browser types to websites.

The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it's likely many accounts beyond the 114,000 have been compromised.

Goatse Security notified AT&T of the breach and the security hole was closed.

Of course, as i googled earlier, most of the hyped-up headlines are worded in such a way (to attract more hits i guess) that they sound as if the iPad itself was responsible.
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 06/10/10 08:34 PM
AT&T has always had problems like this. Back before the iPhone allowed MMS, when someone tried to text me a picture, I would get a text with an AT&T Web site address instead. By going to the address, I would see the picture.

The AT&T Web site that allowed me to see the MMS pictures had the exact same security flaw. I could manipulate the address bar to see pictures that other people were getting in MMS messages, too! It was trivial to do so--and in fact I discovered it because of a bug in the AT&T system that would only let me see the full-sized picture that had been texted to me if I messed with the address in the address bar.

I never bothered to report it because shortly after I discovered it, AT&T enabled MMS on the iPhone and did away with the need to go to their Web site to see an MMS picture. But it worked *exactly* the same way as the bug that exposed iPad information, so I bet the same Web developer was responsible.
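The AT&T ICC-ID script quoted above and tacit's MMS picture URL are the same bug class: the server resolves a record from an identifier the client supplies, and the only "authentication" is something any client can send (a User-Agent string, a guessable address). The following is an added example, not code from the thread, from AT&T, or from Goatse Security, that puts the vulnerable lookup beside a hardened one and replays the enumeration against both. The subscriber table, ICC-IDs, e-mail addresses, session tokens and IP addresses are all constructed; the only real-world detail relied on is that an ICC-ID ends in a Luhn check digit, which is why neighbours of a known ID can be generated rather than brute-forced.

```python
# Constructed subscriber directory and sessions (populated at the bottom).
DIRECTORY = {}          # ICC-ID -> e-mail of a made-up subscriber
SESSIONS = {}           # session token -> ICC-ID the token was issued for


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string (ICC-IDs carry one as their last digit)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:              # rightmost body digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_icc_id(body: str) -> str:
    return body + luhn_check_digit(body)


def vulnerable_lookup(request: dict):
    """What the thread describes: any ICC-ID is resolved for any caller that
    presents an iPad-looking User-Agent. The object reference is not tied to
    who is asking, so sequential IDs enumerate the whole table."""
    if "iPad" not in request.get("User-Agent", ""):
        return 403, None
    email = DIRECTORY.get(request.get("icc_id"))
    return (200, email) if email else (404, None)


def hardened_lookup(request: dict):
    """Resolve the ICC-ID from the authenticated session, never from the request.
    A mismatching ID and an unknown ID get the same answer, so the endpoint
    leaks nothing about which IDs exist."""
    owner = SESSIONS.get(request.get("Authorization"))
    if owner is None:
        return 401, None
    if request.get("icc_id") != owner:
        return 404, None
    return 200, DIRECTORY[owner]


def neighbours(known_icc_id: str, span: int):
    """Candidate ICC-IDs around a known one, each with a valid check digit."""
    width = len(known_icc_id) - 1
    base = int(known_icc_id[:-1])
    return [make_icc_id(str(base + d).zfill(width)) for d in range(-span, span + 1)]


IPAD_UA = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"   # constructed


def harvest(handler, known_icc_id: str, span: int = 50):
    """Replay the enumeration against a handler; returns the {icc_id: email} it gave up."""
    found = {}
    for cand in neighbours(known_icc_id, span):
        status, email = handler({"icc_id": cand, "User-Agent": IPAD_UA})
        if status == 200:
            found[cand] = email
    return found


def detect_enumeration(access_log, threshold: int = 20):
    """Server-side check that would have caught this: sources asking about more
    distinct ICC-IDs than any one subscriber plausibly owns. `access_log` is an
    iterable of (source, icc_id) pairs."""
    seen = {}
    for src, icc_id in access_log:
        seen.setdefault(src, set()).add(icc_id)
    return sorted(src for src, ids in seen.items() if len(ids) > threshold)


# Four consecutive, Luhn-valid 19-digit ICC-IDs (made up) and one "known" one,
# the equivalent of the ID read off a photo in the thread.
for n in range(4):
    DIRECTORY[make_icc_id("89014101000000010" + str(n))] = "subscriber%d@example.com" % n
KNOWN_ICC_ID = make_icc_id("890141010000000100")
SESSIONS["tok-subscriber0"] = KNOWN_ICC_ID


if __name__ == "__main__":
    print("vulnerable:", harvest(vulnerable_lookup, KNOWN_ICC_ID))
    print("hardened:  ", harvest(hardened_lookup, KNOWN_ICC_ID))
    log = [("203.0.113.7", c) for c in neighbours(KNOWN_ICC_ID, 50)]
    log += [("198.51.100.2", KNOWN_ICC_ID)] * 3
    print("enumerators:", detect_enumeration(log))
```

The hardened handler does not "validate" the client's ICC-ID harder; it stops using it as the lookup key at all and derives the record from the session, which is the fix for tacit's MMS case too (the picture belongs to the recipient's authenticated account, not to whoever can type the URL). The detector is the complementary control: 101 distinct IDs from one source in a short window is not a subscriber checking their own address.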
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 06/16/10 11:54 PM

Closer to home: About the security content of Security Update 2010-004 / Mac OS X v10.6.4
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 11/01/10 06:25 AM
Ho-hum... may as well toss this one into the mix for good measure:

Initial analysis of trojan.osx.boonana.a

[i've always made sure Java was disabled in Safari anyway, so] what can i say?
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 11/23/10 12:19 PM

About the security content of iOS 4.2

Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/10/11 01:54 PM
About the security content of iOS 4.3

About the security content of Safari 5.0.4
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/11/11 02:08 AM
H-Security: Hackers versus Apple - An interview with Charlie Miller and Dino Dai Zovi (5 pages)

ZDNet: Zero Day - Safari/MacBook first to fall at Pwn2Own 2011
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 03/11/11 01:59 PM
I saw that with the pwn2own contest... did you see, BOTH Apple and Google are playing a little dirty here.

The contest requires the contestants to work on "fully patched" machines. There's no grace time, software updates are run just before they start.

Both Apple and Google released updates immediately before the contest started. It's unreasonable to believe that the entrants in the contest are sitting down, cracking their knuckles, and saying "ok lets look around for a hole". Naturally they're bringing in zero-day exploits they've been polishing for weeks or months. So there's (A) a chance that the new surprise updates will block the exploit, and more importantly (B) a very high chance that an exploit that still works will have to be tweaked due to the binary being recompiled and addresses changing.

I personally don't think that's fair to allow patches the manufacturers are deliberately withholding until a few hours before the contest to be installed. There should be a cutoff of say, one week. Testing the security of something that was "released" an hour ago is not a practical real-world scenario unless you're releasing updates every day. Systems will have an average lag time of weeks usually before available patches are applied, and the contestants should have the opportunity to try to beat a system they've had a little time to work on beforehand.

But I can see the other side of it, it would also be nice to see just how well an unprepared hacker can do against a new binary. That could be very hard to enforce though, how do you tell them they're not allowed to use previously developed private exploits? It's probably not possible, so all you do by applying last-hour updates is to take a random pot shot at the contestants, some of which may have worked very hard to find a major hole, one that requires many hours of tweaking to make work properly, that now has changed locations and will require hours of adjustment. (the hole is still there, the target has simply moved, it's no more secure than it was an hour ago, it's just going to eliminate them from the contest due to the added investment in time just introduced)

Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/21/11 03:30 PM
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 03/21/11 04:47 PM
My experience is that the (not too steep) cost of SSL certs for HTTPS without browser nags tends to make administrators think it's not a justifiable expense. What are your experiences?

And IT'S ABOUT TIME now to see Safari offer an easy, immediately available checkbox for 'always trust' on web sites. That previous stupidity of having to open the cert and change trust settings scared users away from it.
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/21/11 06:20 PM
Originally Posted By: Virtual1
What are your experiences?

I assume (since i'm not hosting anything) that the "you" there is collective [?].

[i did notice that facebook finally offers https as of a week or two ago]
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 03/25/11 01:38 AM
Fraudulent digital certs issued by Comodo

[more detail at sophos]
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 03/25/11 11:35 PM
This week MacWorld is revisiting a series of articles about protecting your privacy online originally published on February 23. While not exhaustive, the series is a good summary of the issues users would do well to be aware of. Because of this I think it's worthwhile to list them here:

- Avoid identity theft
- Browse the Web safely
- Keep your data safe
- Protect your e-mail
- Secure your network
- Take control of social networking
- What happens to your data?

And while we're on the topic, here are a few other articles in similar vein:

- Digital certificate theft shines spotlight on Safari limitation
- Facebook Tip: Enable encryption to avoid privacy glitch
- Facebook Privacy: Four valuable yet hard-to-find settings
- Facebook quick tip: Three more ways to shore up security
- Holidays: how to shop safely online
Posted By: dkmarsh Re: THE CYBER-SECURITY THREAD - 05/05/11 09:58 PM

Wolf!
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 11/25/11 10:24 PM
crazy

Sophos - The Conficker worm, three years and counting

"At its peak, Conficker infected more than 10 million PCs."

"Flaw was patched, 4 weeks before Conficker began its assault."

"Today, an estimated 3 million computers are still infected."

Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 12/01/11 03:38 PM
Against the backdrop of today's WikiLeaks releases of documents about the surveillance industry, here are some links covering Android developer Trevor Eckhart's early disclosures about Carrier IQ, the name of the company providing 'embedded analytics' to the telecom industry and that of the hidden spyware rootkit found on many Android, Windows and BlackBerry phones, and quite possibly iPhones too.

- Android Security Test
- Carrier IQ Part #2
- How much of your phone is yours?

Perhaps the (for the consumer) single most 'incendiary' capability of the Carrier IQ spyware is a full-fledged keylogger, since it's hard to see why private data content (including that transmitted over WiFi networks) is important for the improvement of phone provider 'service quality' and 'network efficiency', the official reason for Carrier IQ's contracted services and the presence of its spyware.

This latter is an important point: it's providers like Verizon Wireless, AT&T and Sprint, rather than the phone manufacturers, that hire Carrier IQ and allow it to put the Carrier IQ rootkit on the phones they provide their customers with. To be clear: not all carriers do this; for instance, several European telecom companies deny participating in the CIQ program (although they may use other, comparable services).
Posted By: MicroMatTech3 Re: THE CYBER-SECURITY THREAD - 12/02/11 12:43 AM
This MSNBC story has been updated with some details from Cult of Mac about iOS 5:

AT&T, Sprint, T-Mobile use Carrier IQ, but don't collect personal info.

The story about similar issues in Germany linked at the bottom of the page is worthwhile.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 12/02/11 01:17 AM

As Lugnut, the first responder to this article said, I just don't believe the statement that the key-logger is not being used. I'm willing to believe it only when this capability has been demonstrably removed from the rootkit. And AFAIAC, that's not the only thing that needs to be changed.
Posted By: MicroMatTech3 Re: THE CYBER-SECURITY THREAD - 12/02/11 03:03 AM
I agree that this topic should be subjected to the empirical method.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 12/02/11 06:14 PM
Some further developments on the Carrier IQ front:

- Apple ended Carrier IQ support with iOS 5
- Carrier IQ, mobile providers grilled over spyware charges
- Which companies are on the Carrier IQ bandwagon?

The implications of the second article are quite interesting. If the phone manufacturers didn't put CIQ on their phones*, and carriers like Verizon, RIM, and Nokia Europe claim they didn't either, how did it get on there in the cases where it was found? At least it's easy to determine if CIQ is installed on your Android phone with Eckhart's Logging Test App v7. Removal is possible with the Pro version of this app; alternatives can be more involved, but all methods require the device to be rooted.

*) So far, HTC is the only manufacturer to admit installing the CIQ rootkit on its phones because US carriers require it. It'd be interesting to see if HTC phones supported by non-US carriers claiming not to participate in the CIQ program also contain the rootkit. As far as is known, however, at least Dutch Android phones do not seem to carry the CIQ spyware. In contrast, Vodafone Portugal stated they did use CIQ, as did Sprint and AT&T in the US. That said, and as alluded to above, several of the carriers denying the use of CIQ are known to use Deep Packet Inspection.
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 01/23/12 07:30 PM
Things that make you go hmmmmmm:

Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 02/19/12 03:55 AM

[admins: i'm not sure onto which thread to tag this]


A couple of really interesting articles...
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 02/23/12 02:36 AM
confused
i guess this only applies to people who already have "google accounts" (presumably gmail, Google+, etc.):

>> How to Remove Your Google Search History Before Google's New Privacy Policy Takes Effect <<

^ Whatever the case may be... the (March 1st) deadline is fast approaching.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 02/23/12 10:17 AM
Thanks for the link, Hal. I removed Google Search History but haven't (yet) cancelled my account. I may very well do just that.
Posted By: Pendragon Re: THE CYBER-SECURITY THREAD - 02/23/12 11:10 AM
And my thanks too. 'Tis greatly appreciated.
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 02/23/12 10:37 PM
Did i guess right?... that only users with some sort of preexisting "google-dom" account need take any action?

Or would it somehow behoove others (e.g., me) in some way, to create a new account now, and follow that procedure?

[i realize that question sounds absurd... but i just want to be certain. smile ]
Posted By: ryck Re: THE CYBER-SECURITY THREAD - 02/23/12 11:17 PM
Originally Posted By: Hal Itosis
[i realize that question sounds absurd... but i just want to be certain. smile ]

Maybe it's not too far-fetched. I only bothered to look because I long ago had to open a gmail account in order to use Google Analytics (to track usage on my daughter's page).

I have never, ever used the gmail account but I followed the process anyway....more out of curiosity than anything else. What I found was an up-to-date list of the places I visit when on the web...nothing at all related to mail.

Have never used the email account, have never used their browser, and yet..... Hmmmm.
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 02/24/12 12:16 AM
Originally Posted By: ryck
Maybe it's not too far-fetched. I only bothered to look because I long ago had to open a gmail account in order to use Google Analytics (to track usage on my daughter's page).

I have never, ever used the gmail account but I followed the process anyway....more out of curiosity than anything else. What I found was an up-to-date list of the places I visit when on the web...nothing at all related to mail.

Have never used the email account, have never used their browser, and yet..... Hmmmm.

shocked

Well that's why google is "worth" billions, that's what they do (though i'd be curious how they tied all that activity back to "you" -- i guess cookie processing is all it takes).

But still... for someone with no previous account... if i go create one now, will there be some old history file (of my various browsers' movements over the years) that they'll then attach to my newly created 'official' account? That would be even freakier. [not sure i want to create an account there just to find out... but it's probably the only way.]

Not worried, just wonderin'.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 02/24/12 01:37 AM
> [not sure i want to create an account there just to find out... but it's probably the only way.]

I'm in the same situation as you, so please post your findings if you do create an account.

(I delete all my Google cookies other than prefs periodically, which seems like it ought to be at least somewhat limiting, at the least.)

Thanks.

Edit: Y'know, I just remembered having received an e-mail (about this very subject) from Google a few days back, and it's now occurred to me to question how they got my Verizon e-mail address; I've got no record or recollection of ever having opened any sort of account with Google...GMail or other.

Anybody got a clue?

Edit 2: Just to convince myself, I entered the address to which the Google e-mail had been sent in their log-in pane, and I found that it was associated with an account, set up a new password, logged in to my account, and found that "History" had been turned off.

Oops! blush I maintain an encrypted disk image (10Mb...I've never been able to get a sparse image to work.) just to store the 8Kb record of my log-in IDs and passwords, and I now remember having created a Google account the day I found out that "History" could be turned off, months ago, but for the life of me, I can't imagine why I didn't leave myself a record of that account. (I now wonder how many other forgotten accounts I've got?)
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 02/24/12 09:18 AM
If you create a Gmail account, log into it, and then use Google, Google will track everything you do and associate it with your Gmail account. Even if you log out of Gmail but leave the cookie in place, Google may still track your activity and associate it with your Gmail account.
Posted By: Hal Itosis Re: THE CYBER-SECURITY THREAD - 02/27/12 10:46 PM

Looks like Intego may be drumming up some business.
Or perhaps there's more to it, as i haven't read this yet:

Flashback Mac Trojan Horse Infections Increasing with New Variant
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 02/28/12 12:17 PM
I haven't seen this malware yet. It's interesting that it uses a bogus certificate named "Apple Inc"--that's a nice trick that will likely fool a lot of people.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 02/29/12 08:39 PM
In the spirit of Ghostery here's another neat-looking tool: Firefox add-on Collusion shows who's tracking you online.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 03/08/12 07:30 PM
This may be slightly off-topic, but Viewpoint: How hackers are caught out by law enforcers is an interesting read. It never explains "onion routing", however. Tacit? Anyone?
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 03/08/12 08:32 PM
I thought tacit had discussed this somewhere along the line, but a search of the forums couldn't bring it up.

Check out: www.onion-router.net/

Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 03/08/12 09:25 PM
Thank you. I should have googled that myself. blush
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 03/09/12 07:37 PM
support tor. run an exit node.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 03/09/12 09:12 PM
¿Qué?
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 03/10/12 10:13 PM
I'm unconvinced that Tor is really as secure as it thinks it is. For one thing, all that a hostile government or law enforcement agency would need to do to eavesdrop on it is to run a large number of entry and exit nodes themselves.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 03/29/12 04:24 PM
Despite the obvious interest of anti-virus utility makers in publishing it, this may be worth keeping an eye out for: Malware infects Macs through Microsoft Office vulnerability.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 03/29/12 08:42 PM
This may be old news, at least according to New exploit uses old Office vulnerability for OS X malware delivery
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/03/12 06:22 PM
More 'old' news: Mac Trojan Flashback is at it again with a new variant, no longer needing an admin password. Plus, some anti-malware utility makers' opinions on Mac vulnerability.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/03/12 11:58 PM
Well, that was quick: Apple just released two Java security updates.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/04/12 09:36 AM
Just what do these trojans do? I can't find any info in the related articles as to what might happen if it infects my Mac, i.e., what sort of havoc does it wreak?
Will the Java update remove or render inoperable anything which might have been installed? And if not, what to do?
(After 15 minutes I'm still unable to access Oracle's release notes.)

EDIT:
Finally got the release notes which had no user-friendly information whatsoever.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/04/12 10:03 AM
Flashback malware evolves to exploit unpatched Java vulnerabilities provides some insight into what the trojan in question does.

Quote:
When these programs are then launched, the malicious code attempts to contact remote servers and upload screenshots and other personal information to them.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/04/12 10:20 AM
Thanks. But am I safe? And how might I find that out?
The article you cite (dated 2 days ago) has contradictory statements, one on top of the other:
"... in most cases Mac users should be relatively safe. Starting with OS X 10.7 Lion, Apple stopped including a Java runtime with OS X, so if you have purchased a new system with OS X 10.7.0 or later, or have formatted and reinstalled Lion, then you will, by default, not be affected by this malware.
"However, if you do have Java installed on your system, then for now the only way to prevent this malware from running is to disable Java."

According to my iMac, it came from Apple with both 64-bit and 32-bit versions installed: Java SE 6 v 1.6.0_29-b11-402.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/04/12 11:02 AM
Those statements aren't contradictory; "if you do have Java installed" refers to versions of OS X earlier than 10.7 and to those users who've elected to install Java in 10.7 on their own. (That article has been cleaned up; the first time I looked at it it said that Apple had dropped Java in Snow Leopard as well as in Lion.)

I wonder why your iMac has got both Lion and Java?

> But am I safe? And how might I find that out?

Here's a pretty much useless description of what the trojan does:

Originally Posted By: MacFixIt - CNET Reviews
First it will ask for an administrator password, and if supplied it will install its payload into target programs within the /Applications folder. However, if no password is supplied, then the malware will still install to the user accounts where it will run in a more global manner.

If you've installed the update and haven't been doing any questionable browsing lately, you're probably safe.

I hope somebody will be able to expand on that.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/04/12 11:59 AM
Originally Posted By: artie505
Those statements aren't contradictory;
I wonder why your iMac has got both Lion and Java?

That's why (I consider that) they're contradictory.

Originally Posted By: artie505
I hope somebody will be able to expand on that.

So do I.

EDIT:
For what it's worth, my Java SE 6 is now updated to v 1.6.0_31-b04-413.
But/And I'd still like answers to earlier queries.
Posted By: MacManiac Re: THE CYBER-SECURITY THREAD - 04/04/12 02:45 PM
I would hazard a guess that somewhere early on when you were trying out some website such as http://www.speedtest.net (which runs a Java applet to get its result) you were prompted to install Java from the Apple support download page and simply forgot that you did that.....

In my case, that's exactly what I did.....and then there are those pesky Java utilities that companies such as DLink embed in their control pages for IP cameras and such. I discovered that 10.7.3 actually disabled the Java runtime that I had installed earlier and I had to go find the intermediate update which resolved the security issues at that time -- and now the latest version is the one that we both have installed, 1.6.0_31-b04-413.

That version specifically addresses the risk presented by the Trojan described in the article above. (CVE-2012-0507)

(Edited to add the specific CVE addressed)
Posted By: Pendragon Re: THE CYBER-SECURITY THREAD - 04/04/12 03:18 PM
Re the latest Java Trojan: I'm a bit surprised that some enterprising chap or chapette has not yet created a (free) app/script or whatever that ascertains if one is infected, and if so, removes the offending code.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/04/12 04:42 PM
Originally Posted By: MacManiac
I would hazard a guess that somewhere early on when you were trying out some website such as http://www.speedtest.net (which runs a Java applet to get its result) you were prompted to install Java from the Apple support download page and simply forgot that you did that....

It's possible, but if so, I've long since forgotten that I did.

Originally Posted By: MacManiac
I discovered that 10.7.3 actually disabled the Java runtime that I had installed earlier ....

When I checked my Java Preferences - General earlier I did notice that the applet plug-in had been disabled. Whether that was a saving grace, I don't know.
The Java Applet Plug-in 14.0.3 is still enabled in my browser (Firefox 11.0).

But it would still be nice to know if there's something lurking in some program somewhere.
Posted By: MacManiac Re: THE CYBER-SECURITY THREAD - 04/04/12 04:59 PM
It's a computer with all the flaws (and benefits) of being made by humans.....of course there's something lurking in some program somewhere!

...and there are folks out there right now searching for just the right "something lurking" in order to find an exploit for same.

...and I personally still have no concerns for the security of my Mac OS and installed software as things currently stand.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 04/05/12 12:05 PM
'Flashback' trojan estimated to have infected 600K Macs worldwide

Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/05/12 04:46 PM
Originally Posted By: Pendragon
Re the latest Java Trojan: I'm a bit surprised that some enterprising chap or chapette has not yet created a (free) app/script or whatever that ascertains if one is infected, and if so, removes the offending code.

Those who cannot update Java with the latest patched versions because they are running Mac OS X versions earlier than Snow Leopard, can do the following before browsing the Web:

- disable Java in your browser (e.g., Safari>Prefs>Security>Enable Java; Firefox, Chrome)
- disable Java on your Mac (use Java Preferences in Utilities to uncheck the boxes in the first column) Caveat: this may make Firefox 11.0 quit incorrectly (see Raj Gurdwara's comment).

Note that you can temporarily re-enable Java on known sites, or for known apps whenever you need it.

Testing for the presence of and removing Trojan-Downloader:OSX/Flashback.I * can be done with Terminal, following the instructions provided by F-Secure. That said, I don't know if these instructions are valid for all current Flashback variants out there (but see below).

*) PS, the (similar) detection/removal instructions for the more recent Downloader:OSX/Flashback.K variant are found HERE. This is the variant that doesn't require an admin password to install. For other variants, see this list.

PS2, the following list with definitions of threat categories may come in handy for those of us who are losing track of the mushrooming details.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/05/12 09:54 PM
Originally Posted By: alternaut
Testing for the presence of and removing Trojan-Downloader:OSX/Flashback.I * can be done with Terminal, following the instructions provided by F-Secure. That said, I don't know if these instructions are valid for all current Flashback variants out there (but see below).

*) PS, the (similar) detection/removal instructions for the more recent Downloader:OSX/Flashback.K variant are found HERE. This is the variant that doesn't require an admin password to install.


The F-Secure protocol for identification and disinfection seems to be valid only for Safari.

I'm way too unsophisticated to make the necessary changes to see if my iMac might be infected via Firefox.

Any other suggestions?
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/05/12 11:00 PM
First I recommend you update Java if you have an older version installed; that will block the current malware.

As to detection (and eventual removal) of the trojan's presence in Firefox, I don't know. The Safari instructions look for certain items the trojan installs at certain locations. While you can easily substitute 'Firefox' for 'Safari' in the Terminal command, it's by no means certain (although likely) that the malware-installed items have the same name or are at a comparable location for the response to be meaningful. We'd need confirmation of this one way or the other.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/06/12 12:39 AM
See my earlier posts (#21376 and #21379) in this thread, re Java.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/06/12 06:23 AM
Java for OS X Lion 2012-002 (which, at the moment, links to the "Java for OS X Lion 2012-001" Apple doc) just turned up, but it's not clear yet what it's all about. (*)

You may find several articles on this MacFixIt - CNET Reviews page, How to remove the Flashback malware from OS X in particular, both informative and helpful.

Edit:The latter linked article includes location/removal instructions for Firefox.

and

(*) For the non-believers. (And:

Originally Posted By: Apple - Support - Downloads
Java for OS X Lion 2012-002
About Java for OS X Lion 2012-002
April 03, 2012 - 66.9 MB

which is also confusing...old date on new release.)
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/06/12 09:21 AM
Software Update identifies my needing Java for OS X Lion 2012-002 and it appears to want to update Java SE 6 to exactly that which the -001 version already. Weird. I'm going to hang loose on this one.

The CNET review article looks enticing, but I'm awfully skittish about running Terminal.
If I do anything in Terminal, could I possibly damage/alter my software or hardware in any manner? If so, then I'm not going to attempt it.

EDIT:
OK, I took a leap of faith and ran the 4 detection commands in Terminal. 'Twould appear that nothing is awry and/or rotten in my iMac. {sigh}
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/06/12 09:59 AM
Originally Posted By: grelber
Software Update identifies my needing Java for OS X Lion 2012-002 and it appears to want to update Java SE 6 to exactly that which the -001 version already. Weird. I'm going to hang loose on this one.

The CNET review article looks enticing, but I'm awfully skittish about running Terminal.
If I do anything in Terminal, could I possibly damage/alter my software or hardware in any manner? If so, then I'm not going to attempt it.

Yeah, I noticed that the "new" updated Java had the same version number as the "old" one, so I don't blame you for hanging back until Apple updates its doc and clarifies.

Terminal... If you copy and paste the commands you'll be safe. By way of example, I've run the "search" commands, and they generated the exact output the article said they would...

Code:
Artie-s-Computer-4:~ artie$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2012-04-06 06:39:50.014 defaults[784:903] 
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Artie-s-Computer-4:~ artie$

CAVEAT: Terminal commands are always subject to typos by their posters, so you can accommodate your skittishness by avoiding the "destroy" commands, if your iMac is, indeed, infected, until you know they've been tested. (I didn't look, but you may find confirmation in the comments appended to the article.)

In closing, though... Both being a bit of a gambler and having a current backup, I've run any number of Terminal commands posted here on FTM, as well as many others gleaned from sources such as MacFixIt - CNET, and the worst scenario I've ever encountered was a command not running.

Edit: Crossed in the mail...good for you! I was terrified of Terminal at first, but I've come to realize that it's both benign and enormously useful.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/06/12 10:02 AM
RE Terminal... If you copy and paste the commands you'll be safe. By way of example, I've run the "search" commands, and they generated the exact output the article said they would...

That's exactly what I did.

Aside: We seem to be running up each other's tailpipes in posting. tongue
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/06/12 10:43 AM
Something is very wacky at Apple.

The other software update which popped up yesterday is:

Digital Camera RAW Compatibility Update 3.12
This update adds RAW image compatibility to Aperture 3 and iPhoto '11.
• Canon EOS 5D Mark III
April 05, 2012 - 8 MB

But it too points to a previous update:

http://support.apple.com/kb/DL1513

Digital Camera RAW Compatibility Update 3.11
This update adds RAW image compatibility for the following camera to Aperture 3 and iPhoto '11
• Nikon D800
March 22, 2012 - 7.50 MB

Somebody ain't looking after the shop. And it's way too late for an April Fool's Day prank.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/06/12 11:04 AM
Updates have been linked to outdated Apple docs consistently, although not necessarily universally, for a while, now.

But don't y'all worry, 'cuz "It just works!" tongue smirk
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/06/12 02:46 PM
Glad to hear that the Java update issue has been settled (more or less), and that my Terminal guesstimate of the Flashback detection for Firefox was correct. I had run it myself before posting, but since it's a read command a negative result doesn't necessarily mean much.

It's perhaps good to mention again that an additional measure of protection against these variants is afforded by the presence of certain utilities, mostly of the anti-malware or packet sniffer kind. That may not last (and it won't work if you fall for the trojan's request for your password), but at least it's there now for those who are not offered a Java update.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/06/12 08:42 PM
Yu wuz right, re RAW Camera Update 3.12:
Even though it pointed to 3.11 (which, strangely enough, seems to have disappeared from the Support Downloads page), downloading it produced the correct update.

In my case, 7.6MB took 15.5 minutes to download; the last 1MB took 235 sec to download = 4.2 KB/sec.

So, I'm going to wait to get to a high-speed access to download the 'new' Java 2012-002 (if only to see how it might differ from the Java 2012-001 which I installed the other day).
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/06/12 09:13 PM
I just d/l'ed from the Apple v 001 page (the v 002 page to which I linked earlier), and got a package identified by command-I as "Java for OS X 2012-002," the checksum of which differs from that of v 001, so there's apparently some difference between the two. crazy
Posted By: Pendragon Re: THE CYBER-SECURITY THREAD - 04/06/12 09:53 PM
Web tool checks if your Mac is Flashback-free.

I suppose (hope) this is ok to use, but until I know more about this gang and their bona-fides, a bit of caution can't hurt.

Please, if someone knows the credentials of Dr.Web (as I do not), then enlightenment is indeed most welcome.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/06/12 10:05 PM
Why bother?

How to (Added: find and) remove the Flashback malware from OS X has already been tested...its "search" functionality, anyhow - neither of us had need for "destroy" - by myself and grelber among, I assume, many others.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/07/12 12:05 AM
I agree with Artie here: the 3 Terminal commands provided in his link are easy to run (copy & paste!). No need to involve an unknown entity like Dr. Web. In the rather unlikely case that you should prove positive for a Flashback variant, we'll see about the best way forward.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/07/12 12:10 AM
> the 3 Terminal commands [....]

grelber's reference to four commands confused me until I noticed this:

Quote:
In addition to the above commands, you can check for the presence of invisible .so files that past variants of the malware create in the Shared user directory by running the following command in the Terminal:
ls -la ~/../Shared/.*.so
Posted By: MicroMatTech3 Re: THE CYBER-SECURITY THREAD - 04/07/12 12:32 AM
From <<http://www.macintouch.com/readerreports/security/topic4832.html#d06apr2012>> :


David Henderson

I found this email at:
http://prod.lists.apple.com/archives/java-dev/2012/Apr/msg00022.html

Java developers,

Today we re-shipped our Java 1.6.0_31 for OS X Lion to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.

For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.

We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.

Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.

<snip>
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/07/12 12:46 AM
Thanks for that. I'll credit it as a semi-reasonable excuse, but only semi, because they could have gotten the word out immediately by including it in the release-note to the Software Update item. (I'm assuming that they didn't...don't run Lion, can't check, and nobody's posted otherwise.)
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/07/12 06:52 AM
Dr. Web, "the same Russian security firm that's been tracking the scope and scale of the Flashback malware's spread worldwide," has just turned up on MacFixIt....

Quote:
In order to do this, it cross-checks your Mac's unique hardware with its own database of machines that have been compromised. If it doesn't find your machine, you're in the clear.

Sorry, but I dunno about that...certainly wouldn't recommend it.

How has Dr. Web accumulated this database?

tacit?
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/07/12 09:00 AM
Originally Posted By: MicroMatTech3
...
For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.

So ... Does this mean that those of us running Lion and who have installed 2012-001 should not install 2012-002, even though Software Update thinks that we should?
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/07/12 09:11 AM
> We considered creating a delta update for users who already installed 001, [....]

No, it means you should install it.

Rather than take the time to prepare both an update to 001 for those who've already installed it and 002 for those who haven't, Apple simply released 002, which is applicable to both. 002 is a "combo."
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/07/12 09:16 AM
Okey-dokey.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/07/12 09:38 AM
In case you didn't see it, you should be aware of this exchange quoted from MMT3' first linked source:

Quote:
Ira Lansing
Re:
When I download the installer and open, I get this message;
"There may be a problem with this disk image. Are you sure you want to open it? Opening this disk may make your computer less secure or cause other problems."
Anybody else?
Yes, I saw that as well. I thought it might have been because I stopped and started the download a couple of times and thought I had finished but hadn't. When it was completely downloaded it did go through the installation process with no apparent problems that I could see.

I'm running Snow Leopard, and I got the same warning; it came up before the dmg opened.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/07/12 10:27 AM
Ditto, re 2012-001.

EDIT:
But it didn't happen when I just installed 2012-002.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/07/12 10:36 AM
Originally Posted By: Pendragon
... if someone knows the credentials of Dr.Web (as I do not), then enlightenment is indeed most welcome.

For what it's worth, there's a dandy little website out there which provides safety/reliability information on other websites: Webutation.net
It touts itself as "Open Website Reputation against fraud & malware".

Review of Dr. Web at www.drweb.com would seem to indicate good things.
Posted By: roger Re: THE CYBER-SECURITY THREAD - 04/07/12 12:12 PM
I think it would be great if the basic info about this and its removal could be split out and stickied, so we could link to it, perhaps somewhere other than the Lounge.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/07/12 12:41 PM
That's pretty much incorporated in artie's post #21433 (and slightly altered by me herein):

How to [detect and] remove the Flashback malware from OS X
Posted By: roger Re: THE CYBER-SECURITY THREAD - 04/07/12 01:21 PM
yes, but I'm trying to drive a bit of traffic here. there is also perhaps more information than a casual Mac user would need in that article.

just thinking out loud.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/07/12 02:54 PM
MacWorld compiled a decent summary of the current Flashback trojan story, arguably the worst malware to hit the Mac so far:

What you need to know about the Flashback trojan.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/07/12 03:31 PM
For those of you who don't like to use Terminal to check for the Flashback.K presence, there are scripts to perform the check for both Safari and Firefox: Quick Applescript to check your Mac for the Flashback infection. This script is partially based on earlier efforts by Hannes Juutilainen and Patrick Gallagher.

A direct download link to the script here appears not possible, but the download is accessible by pasting the following URL in your browser's address bar and hitting Return:

http://macstuff.beachdogs.org/blog/wp-content/uploads/2012/04/Flashback_checker.scpt_1.zip

or via the link marked 'Flashback Checker Script' immediately above the script window on the first page linked to above.

How to use the script:
- Double-click on script to open Script Editor, then select Run from SE's toolbar.
- Alternatively, you can move Flashback_checker.scpt_1 to the /Library/Scripts folder and access it transparently from the Script menu in the (right side) menu bar.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 04/07/12 05:22 PM
Originally Posted By: alternaut
That link takes me here, a dead end. Can you fix it?
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/07/12 05:54 PM
Thanks for the heads-up & sorry for the link failure: my Copy-Paste trial and the initial use of the hyperlink worked OK, but a direct link to

http://macstuff.beachdogs.org/blog/wp-content/uploads/2012/04/Flashback_checker.scpt_1.zip

is now apparently disallowed, although pasting the URL in your browser's address bar still works. I changed the post above accordingly.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/07/12 08:25 PM
Comments on disabling Java

1. Java in browsers. Perhaps the most important precaution against the latest Flashback trojans for those who cannot update Java (PPC Macs and Macs running on Leopard or older Mac OS X versions), but who still need Java functionality in their browsers to access and use certain web sites, is to disable Java in the browser's preferences during general web browsing. This will block the trojan's main infection vector by preventing Java applet execution.

When Java is needed, as for cross-platform functionality like that in certain secure banking sites etc., Java can be enabled for the duration. It would be prudent to make sure that your Mac is not infected with the trojan before you use such banking sites. It wouldn't hurt to verify with your bank if their site is still secure either.

2. Stand-alone Java apps. A secondary recommendation associated with protection against the Flashback trojans is to disable Java on your Mac entirely, using the Java Preferences utility installed in Utilities as part of a Java install. This will prevent local stand-alone Java (dependent) applications to run on your Mac. If you already disabled Java in your browser(s), however, this will not provide any added protection against the current Flashback trojan variants. That said, disabling Java instead of removing it has the advantage that you will still be able to quickly run any Java dependent software you may need, without having to reinstall Java from scratch.

While many users will not be discombobulated by disabling Java entirely, others could be. You can find out which Java dependent apps you have installed by Spotlight-searching for .jar, and checking which app any such file belongs to, using the path provided at the bottom of the Spotlight results window. It turns out that a surprising number of software titles is more or less Java dependent. The following non-exhaustive listing may help to get an idea. Please note that the presence of a particular item doesn't mean it is particularly important (or even current). It's just a set of examples, some of which you may recognize, particularly the ones in bold.

Adobe products such as Flash, Fireworks and Dreamweaver (GoLive)
aMaze
antlrworks
Apache-Tomcat
Apple Disk Transfer ProDOS
Arachnophilia
Art Of Illusion
ATutor
Barcode4J
Birthday
ClickRepair (and other Brian Davies audio utilities)
CMS Made Simple
CompileAndGo
CrushFTP
Cyberduck
Databrid (installer)
DataCrow
DateStamp Batch Stamper
Decrypto
Duplicate Files Searcher
Eclipse
eCueCardsMac
ekspos
Electronics Optimizer
Elite People Search
Elite Video Downloader
Encyclopedia Brittanica discs
FilePhile
FoundationStone
Gallery
GIFted Motion
GlassFish Server
GoToMeeting
GraphicConverter
Helma
Home Credit Card Manager
Home Loan Interest Manager
HostMonitor
iDiet
ImageJ
Install_MovieFinder
[installers], various
Interactive 3D Surface Plot
IPMonitor
iTunes Lyrics Locator
iWisdom
JaBack
JAlbum
JAME
JarBundler
JavaEmbeddingPlugin
JJSplit
Jmol
JSubFixer
KemetAPI
Log Parser QL
Mac FLV To Mp3 Converter
Mare Internum
Matrex
MJPEG Lossless Rotate
MM3-WebAssistant
MoneyDance
MRJ Adapter
myPhoneDesktop
Myster PR
Nevitium
Newton-II
NM Collector JE
Obba
OpenDS
OpenMocha
OpenOffice (and other open source application suites)
Osmose
PageSucker
Panther Sleek
PDF OCR X
PMan
PowerFolder
Professional Data Security
PSCafePOS
Puzzle Collection
ReFactorIT
Requiem
Saphe
ScenePainter
Sophie
Space Exploration
Speech and Debate Timekeeper
Stanza
StarLogo
StreamRipStar
StreamTastic
sudokumat
SuperAnalyzer
Timekeeper
TiVo Transfer
TurboTax 2010
U3
UnixExplorer
[updaters], various
VidMasta
vSEC CMS U-Series
Wamcom
WebEdition CMS
WebEx
WebMin
Wireless Link Test
Xerver
XMLSpear
YouTube Downloader
Zumocast
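The "Spotlight-search for .jar and see which app it belongs to" step above, done as a script: an added example, not part of alternaut's post. It walks a directory tree with plain os.walk (so it runs anywhere, not only on a Mac), finds every .jar and reports the enclosing .app bundle, or the top-level folder, that owns it; the application and jar names in the sample tree are constructed for the demo.

```python
import os
import tempfile
from collections import defaultdict


def owner_of(jar_path, root):
    """Return the name of the .app bundle enclosing JAR_PATH, if any.
    Otherwise return the first path component below ROOT (e.g. a bare
    'lib' folder), so jars outside any bundle are still reported."""
    rel = os.path.relpath(jar_path, root)
    parts = rel.split(os.sep)
    for part in parts[:-1]:          # skip the file name itself
        if part.endswith(".app"):
            return part
    return parts[0] if len(parts) > 1 else "(top level)"


def find_jar_owners(root):
    """Map each owning application (or folder) under ROOT to the sorted list
    of .jar files found inside it. Symlinks are not followed, to avoid
    loops and double counting (macOS bundles link freely)."""
    owners = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if name.lower().endswith(".jar"):
                full = os.path.join(dirpath, name)
                owners[owner_of(full, root)].append(os.path.relpath(full, root))
    return {owner: sorted(jars) for owner, jars in owners.items()}


def build_sample_tree(base):
    """Constructed stand-in for /Applications; names are made up for the
    demo and say nothing about the real products in the list above."""
    layout = [
        "Cyberduck.app/Contents/Resources/Java/cyberduck.jar",
        "Cyberduck.app/Contents/Resources/Java/lib/jna.jar",
        "GraphicConverter.app/Contents/MacOS/GraphicConverter",   # not a jar
        "Utilities/Java Preferences.app/Contents/MacOS/Java Preferences",
        "SomeTool/lib/tool.jar",                                  # jar outside any bundle
    ]
    for rel in layout:
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb"):
            pass
    return base


def demo():
    """Build the constructed tree in a temporary directory and return the
    inventory, so the result can be inspected without touching /Applications."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_jar_owners(build_sample_tree(tmp))


if __name__ == "__main__":
    # On a real Mac, replace demo() with find_jar_owners("/Applications").
    for owner, jars in sorted(demo().items()):
        print(f"{owner}: {len(jars)} jar(s)")
        for jar in jars:
            print("   ", jar)
```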
Posted By: Pendragon Re: THE CYBER-SECURITY THREAD - 04/08/12 01:07 PM
Application to check your Mac for, and remove if necessary, the Flashback Trojan. Here.

But how well this works, and if there are downsides/risks in using this critter, well, the reviews are still forthcoming.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/08/12 02:22 PM
On top of your uncertainty is the fact that this utility leaves the PPC Macs out in the cold. Still, it's an improvement over yesterday and easier than the Terminal approach for most users.

PS, supposedly the current version of the free Sophos Anti-Virus for Mac Home Edition will do the Flashback trojan detection and removal job for both PPC and Intel Macs running Mac OS X 10.4 or higher. I'm sure other malware utilities will follow, if they aren't there already.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/10/12 04:36 PM
Gradually, the ins and outs of the latest Flashback malware outbreak are becoming clearer. In the article Security firm offers more Flashback details, free tools Dan Moren of MacWorld summarizes some of the findings so far.

Briefly, Kaspersky Labs, a Russia-based computer security company, managed to reverse-engineer the latest Flashback (aka Flashfake) trojan, and in particular the way a computer infected with it (a 'bot') interacts with its command & control server(s). Like Dr. Web (the Russian computer security vendor who first provided numbers of infected Macs) before them, this allowed Kaspersky to impersonate such a C&C server, and eavesdrop on the ongoing communications between Flashback bots and their C&C servers. Such a monitoring setup is called a 'sinkhole'. Since each bot calling 'home' identifies itself with a code incorporating its unique hardware identifier (UUID, see System Profiler), this allows for a bot count. Depending on the exact UUID format used in combination with OS fingerprinting of the bots, this allows a platform estimate (Macs vs computers running another OS). Hence the conclusion that at least 98% of over 600,000 computers infected are Macs.

Another important issue is where exactly those infected computers picked up the Flashback malware. It appears that this is related to the recent and widespread compromise of sites using WordPress, a popular blogging software. While the details of this subversion are not entirely clear, what happened to visitors of affected blogs is: they were redirected to several malicious sites that hosted malware 'kits' including the Flashback trojan. It turns out that the C&C servers of the subverted WordPress blog sites closely match those of the Flashback trojan, clearly suggesting a link between the two.

Kaspersky is now offering an online Flashback check based on the computer's UUID, another downloadable checker-removal utility (Intel only), plus a set of security recommendations for Mac users.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/10/12 07:10 PM
Something's fishy with that online Flashback check at http://flashbackcheck.com/

I just visited the site and the following came up as part of the home page:
IMPORTANT JAVA UPDATE
We have checked the version of Java installed on your computer and discovered that you are running a vulnerable version. You should update as soon as possible.
We suggest that you use the Mac OS X automatic software update feature.


Given that I've updated my Java SE 6 twice (2012-001 and 2012-002), unless those updates are defective (which we've all been assured they are not), then the Flashback check site might well be a portal to contaminate one's computer with something nasty.

Anybody want to speculate on what's going on?
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/10/12 08:51 PM
I can't say exactly what Kaspersky's web site is checking when you visit it, but it may have been your browser's Java plugin rather than Java itself. Plugins have an update cycle all their own. Assuming your Java update went well and is now up to snuff, that may not be true for your browser's plugin or the plugin database. Search for 'Mama LaGrande Chung' on this reader report page for more details and the associated fix.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/10/12 09:48 PM
Well, if they're claiming to check Java (and not the Java plug-in), then it would give one pause as to how reliable anything they have to say is.
I'm taking a big pass on this one.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/10/12 10:10 PM
Can the world really rely on this UUID # check?
  1. What's the likelihood that any one particular infected Mac is included in the database?
  2. Is there any estimate of how many Macs were infected in the earliest days of the trojan's life, prior to its being discovered, reverse-engineered, and having its activity logged, however long that period of time was?
  3. In the face of Terminal commands, and GUIs therefore, that actually detect the presence of the trojan, what's the point of even wasting your time with such a contraption?
And this... I don't remember in which of the many articles I've looked at this was reported, but I did read that the first thing the trojan does is scan a Mac for particular apps, Little Snitch likely being the most widely distributed one, and passes by machines that are running any of them.

I don't recall that being mentioned in this thread, and I'm wondering whether it's factual?
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/11/12 12:36 AM
Dealing with your questions/comments in sequence:

1. I assume you're referring to the database of Flashback infected computers Kaspersky compiled with their sinkhole approach. Given the fact that the bots regularly contact home, or can be made to do so with appropriate commands, the likelihood that any particular infected Mac is included approaches 100% in a matter of hours as long as it's running and connected to the internet.

2. An estimate subject to the constraints you list is effectively meaningless. To my knowledge Dr. Web was the first to come up with numbers of infected Macs, using a sinkhole approach similar to the one Kaspersky used in their confirmation of these numbers. But this was in early April, and candidate Flashback variants have been around for months.
Another aspect of this is the size of the drive-by network of WordPress (and perhaps other) sites that redirected its visitors to the Flashback infection sites. That had to be in place and sufficiently large to be able to quickly build the Flashback botnet we now have (or had, as people are cleaning up). But this number too is an estimate, albeit one that precedes that of the Flashback botnet by a month or more.

3. Your local Flashback detection via Terminal or script is just that: local, and it looks for the actual spoor of the trojan. Kaspersky's UUID-test approach does things in a different way, by checking its database of infected Macs (the ones that called back 'home' or the sinkhole) for the UUID you provide. I wouldn't be surprised if this Kaspersky tool may still claim (for some time at least) you're infected after you've cleaned the trojan out of an infected Mac. Meanwhile, the database gets updated continually, and cleaned computers will gradually vanish from its rolls as they stop calling back home (with the same caveat as given under #1 above).

The presence of software that makes the trojan erase itself has been mentioned here before, albeit in passing. More specifically, if you check F-Secure's descriptions (see this post for the links) you'll find MS Office components listed for Flashback.K, and antivirus utilities etc. for Flashback.I. So, to the extent that these F-Secure descriptions are reliable, it's factual.
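The sinkhole bookkeeping described in alternaut's April 10 post (bot count by unique hardware UUID, platform estimate from OS fingerprinting) and the caveat in item 3 above (a cleaned Mac stays on the rolls until it stops calling home), as an added example that is not part of the thread. The beacon log format, UUIDs and timestamps are constructed for the demo; the real Flashback beacon format is not given here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

UUID_RE = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$", re.I)

# Constructed sinkhole log, one beacon per line:
# "<ISO time> <hardware UUID> <User-Agent>". All values are made up.
SAMPLE_LOG = """\
2012-04-09T10:00:00 11111111-0000-4000-8000-000000000001 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8)
2012-04-09T10:05:00 11111111-0000-4000-8000-000000000001 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8)
2012-04-09T11:00:00 22222222-0000-4000-8000-000000000002 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)
2012-04-09T11:30:00 33333333-0000-4000-8000-000000000003 Mozilla/5.0 (Windows NT 6.1; WOW64)
2012-04-10T09:00:00 22222222-0000-4000-8000-000000000002 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)
2012-04-10T09:10:00 44444444-0000-4000-8000-000000000004 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_5_8)
garbage line that is not a beacon
"""


def parse_beacons(text):
    """Return (timestamp, uuid, user_agent) for well-formed lines. Lines
    without a parseable time and a syntactically valid UUID are skipped:
    a sinkhole also receives scanner noise that must not inflate counts."""
    out = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or not UUID_RE.match(parts[1]):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        out.append((ts, parts[1].upper(), parts[2]))
    return out


def platform_of(user_agent):
    """Crude OS fingerprint from the beacon's User-Agent string."""
    ua = user_agent.lower()
    if "mac os x" in ua or "macintosh" in ua:
        return "mac"
    if "windows" in ua:
        return "windows"
    return "other"


def summarize(beacons, now, quiet=timedelta(hours=24)):
    """Bot census: raw hits vs unique UUIDs, platform split, and how many
    bots are still active (called home within QUIET of NOW). A bot that
    stops calling home, e.g. because it was cleaned, ages out of the
    active count but stays in the historical roll until purged."""
    last_seen, platform = {}, {}
    for ts, uuid, ua in beacons:
        last_seen[uuid] = max(ts, last_seen.get(uuid, ts))
        platform.setdefault(uuid, platform_of(ua))
    by_platform = defaultdict(int)
    for uuid in last_seen:
        by_platform[platform[uuid]] += 1
    active = sum(1 for ts in last_seen.values() if now - ts <= quiet)
    return {
        "raw_hits": len(beacons),
        "unique_bots": len(last_seen),
        "by_platform": dict(by_platform),
        "active": active,
        "stale": len(last_seen) - active,
    }


def lookup_uuid(beacons, uuid):
    """The 'is my UUID in the database' check: (first_seen, last_seen) for
    a UUID, or None if it never beaconed. Note a cleaned Mac still matches
    here until the operator ages out stale entries."""
    seen = [ts for ts, u, _ in beacons if u == uuid.upper()]
    return (min(seen), max(seen)) if seen else None


def demo_summary():
    """Census of the constructed log as of a fixed 'now' (2012-04-10 12:00)."""
    return summarize(parse_beacons(SAMPLE_LOG), now=datetime(2012, 4, 10, 12, 0))


if __name__ == "__main__":
    print(demo_summary())
    print(lookup_uuid(parse_beacons(SAMPLE_LOG), "22222222-0000-4000-8000-000000000002"))
```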
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/11/12 06:10 AM
Thanks for the clarification, but I'm still left wondering:
  1. Can we be 100% certain that Kaspersky's (or anybody else's) data collection is 100% inclusive...that they haven't missed something somewhere?
  2. Regardless of 1, why rely on somebody else's computer to tell you whether or not yours is infected when you can so easily make the determination on your own computer?
  3. All else aside, if your Mac is, in fact, infected, won't Little Snitch invariably alert you by warning you that something is trying to call home (as I've been led to believe is the case with all trojans)?
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 04/11/12 09:26 AM
Apple working on Flashback removal tool
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/11/12 09:34 AM
Originally Posted By: jchuzi

I saw that earlier, and I just scratched my head wondering what Apple could offer that isn't already out there?

Granted that the source will be as reliable as a source can be, but there've been absolutely no questions raised about the present providers.

This part intrigues me, but it doesn't sound like it would be part of a removal tool:

Originally Posted By: CNET
"In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions," Apple wrote on its Web site. "Apple is working with ISPs worldwide to disable this command and control network."
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/11/12 01:04 PM
OK, here goes:

1. AFAICT, the UUID test is solid; the platform test somewhat less so. But there is no way to assess infection in a computer that's off, or not connected to the internet for whatever reason. So no, there's no 100% certainty in this test.

2. The UUID check is just another option offered by a commercial entity, albeit a rather unique one that will certainly appeal to a subset of Mac users out there. So no, it's not strictly necessary, but yes, people will use it. Heck, I did, if only just for giggles.

3. Yes, Little Snitch will let you know who's calling home, and you might notice and even recognize malware comm attempts if you don't respond reflexively to the LS dialogs. But I wouldn't bet the bank on that. In reality, however, you will never see those dialogs, because the mere presence of LS will make the trojan abort its infection procedure and erase itself.

As to Apple offering a detection/removal tool, this has even more of the advantage I mentioned above in item #2: an officially sanctioned tool from 'Olympus' itself. That said, I'd like to point out another aspect of the cleanup effort: it has been mentioned that the proliferation of detection/removal tools opens an opportunity for malicious abuse. It's conceivable that such a tool could harbor malware itself. That suspicion/possibility is less likely with an Apple product.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/11/12 05:57 PM
Thanks for taking the time to address my inveterate curiosity.

I remain inherently distrustful of the UUID test, but I get your "subset" point. (I, too, ran it just to see what it would say.)

And I wonder how many people have gotten caught up in the hysteria despite the fact that they're running Little Snitch, which is why I brought it to the forefront in the first place.

I wonder if Apple's tool will be anything more than another curiosity satisfier by the time it's released?
Posted By: Pendragon Re: THE CYBER-SECURITY THREAD - 04/12/12 11:37 AM
Has there been any feedback from those who may have used the F-Secure Flashback Removal Tool?
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/12/12 02:10 PM
While it looks like it's a bit early for lots of comments to accumulate at the most likely suspects, there are a few in this MacInTouch Reader Report of today (April 12), under the heading 'Java'. Note that the fact that the tool requests an admin password makes perfectly good sense from a technical point of view, but the reticent reaction in the comment(s) is understandable too.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/12/12 03:48 PM
Originally Posted By: alternaut
... Note that the fact that the tool requests an admin password makes perfectly good sense from a technical point of view, but the reticent reaction in the comment(s) is understandable too.

Ya think?! tongue shocked
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/12/12 05:53 PM
You can't make that omelette without breaking some eggs, you know, but who wants to risk throwing in Granny's fine bone china (and who knows what else) as well? smirk
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/12/12 06:53 PM
Especially her bank accounts and credit card accounts. tongue

Aside: You know, we need an emoticon for "apoplectic". Any ideas? A popped vein in the forehead might be a challenge.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/12/12 09:52 PM
More Java updates from Apple tonight:

- Security update Java for OS X Lion 2012-003 including automatic plugin configuration and Flashback removal tool, and
- Java for Mac OS X 10.6 Update 8.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/12/12 10:16 PM
That's only the article HT5242. There is no associated Java download on the Support Downloads website.

EDIT: I just ran my Software Update which confirms that Java SE 6 2012-003 is available (just not on the Downloads website).
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/12/12 10:40 PM
That's correct: the updates are currently available via Software Update only. Presumably Downloads will post them later.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/12/12 10:48 PM
They may be covering their butts by restricting the d/l to Software Update (for the moment) after the last round of confusion. (I don't go that route as a rule, but I guess I will this time.)
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/13/12 02:21 AM
Hmmm, I haven't yet found them at Apple's Downloads, but the updates are posted here (Lion) and here (Snow Leopard). Looks like the real McCoy.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/13/12 02:44 AM
Originally Posted By: alternaut
Hmmm, I haven't yet found them at Apple's Downloads, but the updates are posted here (Lion) and here (Snow Leopard). Looks like the real McCoy.

Your linked MacUpdate page (Snow Leopard) is headed "Update 8," but every doc linked to on the page is headed "Update 7."

On the other hand, the SHA1 check sum posted on that page, which differs from the Update 7 checksum, agrees with the checksum of the d/l I got by clicking on the "Download Now" link, which, I guess, means...something.

I went with Software Update with no ill effects.

Edit: As I was posting, the 1st and 3rd links changed to Version 8, but the 2nd link is still at Version 7.

Edit 2: The freestanding updates just turned up on Apple - Support - Downloads.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/13/12 01:38 PM
Man, there must be heavy demand for Java SE 6 2012-003.
I'm on a T-base 100 line which normally downloads lickety-split (ie, at many MB/s — in fact, concurrently, I downloaded a 3MB file in less than a half second). It's downloading this sucker at ca 22 KB/s !!!
It's been at it for over a half hour now, and there are still 10 min left to go.
Sheesh.

~~~~~~~~~~

EDIT:
The article HT5242 states that "This Java security update removes the most common variants of the Flashback malware." But after having installed Java SE 6 1.6.0_31-b04-415 (literally uneventfully), no indication was given that it performed such tasks – nothing positive, nothing negative.

Now I ask you: Is that any way to do business?

I also forgot to close my browser (as requested) prior to installation, but the installer didn't chide me for not doing so and didn't balk at installing.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/13/12 01:39 PM
Originally Posted By: artie505
Your linked MacUpdate page (Snow Leopard) is headed "Update 8," but every doc linked to on the page is headed "Update 7."

Except for the MU download link: that one performed as advertised, as did the link to the Lion updater on its MU page. I made sure of that before I posted those MU links.

I was fully aware of the fact that the Apple links on the MU pages didn't provide access to the new updaters, and neither did a search of Apple's Downloads, an observation I mentioned in my previous post. Obviously, it was only a matter of time before Apple would post its download links itself.

PS, '3rd' link?
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/13/12 07:56 PM
The MacUpdate page presented a pretty confusing picture at the moment, so I clarified it. ("Visit Developer's Site" + 2 = 3 links.)

These last coupl'a updates have been like a "breaking news" situation.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/14/12 01:55 PM
Apple also released a standalone version of its Flashback malware removal tool for those running Lion who only recently removed Java, and consequently couldn't use the latest Java updater incorporating this removal tool.
Posted By: Pendragon Re: THE CYBER-SECURITY THREAD - 04/14/12 04:29 PM
Originally Posted By: alternaut
Meanwhile, Apple also released a standalone version of its Flashback malware removal tool for those running Lion who don't have Java installed, and consequently couldn't use the latest Java updater incorporating this removal tool.


I remain confused. I thought one could not be victimized by this malware unless he first had Java installed. Is that not true?

Or, is this just for those who got infected and then removed Java?
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/14/12 04:43 PM
Originally Posted By: Pendragon
I thought one could not be victimized by this malware unless he first had Java installed. Is that not true?
Or, is this just for those who got infected and then removed Java?

You're right about Java presence and malware susceptibility. And yes, the users who removed Java only recently constitute the target group. Thanks for pointing out this ambiguity in my post. I have (hopefully) fixed that.

Update: the MacWorld article Apple offers standalone Flashback removal tool points out another reason for the (non-Java based) stand-alone Flashback removal tool: dealing with (mostly older) variants using non-Java based attack vectors.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 04/16/12 04:31 PM
Latest Mac trojan spreads through Microsoft Word documents

Posted By: tacit Re: THE CYBER-SECURITY THREAD - 04/16/12 06:33 PM
The Flashback Trojan sometimes spreads through exploits like the Java vulnerability, but in the past it has spread as a fake Flash player update, which is how it got its name.

There's a bit of a personal history with this for me. For years, I've been at war with the Russian Zlob gang, the people who make the W32/Zlob malware and the Mac DNSchanger (aka RSplug, RSplugin.a, or OSX/Zlob) malware. I've been writing articles about how their malware distribution network works on my blog and in other places, and they've been reading my blog, using keywords and phrases from my blog on malware sites, and occasionally mailbombing me.

At the end of last year, police from many countries raided the Zlob gang and made a bunch of arrests in Estonia. All but one of the suspected members of the Zlob gang were arrested; the one who got away, a Russian, fled back to Russia.

The security articles I've been reading suggest that the Mac Flashback Trojan may have been written by the former Zlob gang member who evaded capture. There are coding similarities between Flashback and DNSchanger, the phony Flash installer that was used to install the DNSchanger malware is identical to the one used to install the first variants of Flashback, and interestingly, the same network of affiliates is being paid to spread Flashback. (In Eastern Europe, organized crime groups often pay people to spread malware. They set up affiliate networks of people who aren't directly part of the organized crime gang, who are given copies of the malware coded with an affiliate ID that they transmit when they infect a computer. The affiliates spread the malware however they can--by hacking legitimate Web sites and planting malware on them, by sending out spam, or by setting up fake sites with keywords that generate a lot of traffic--and are then paid a small fee every time an infected computer connects to a C&C server with their affiliate code.)

While it's difficult to be 100% sure, it *looks* like the guy who escaped capture in Estonia is setting himself up with a new crime gang and is responsible for Flashback.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/23/12 03:58 AM
Linking to malware prevention detection software described here.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/26/12 09:06 AM
Not exactly 'new' news, but for what it's worth ...

One in five Macs infected with Windows malware: Sophos
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/26/12 09:30 PM
I just received the following [below the dotted line] and have a sneaking suspicion that it's a phishing expedition and that the sender has had his computer hacked.
Snopes provides no intelligence in this matter.

- - - - - - -

Welcome to The New York Times. You have been provided with a complimentary digital gift subscription that will give you 12 weeks of unlimited access to NYTimes.com and NYTimes smartphone apps. To start experiencing everything The New York Times has to offer, just follow the instructions below.

1. Copy and paste nytimes.com/redeem into the address bar of your Internet browser.

2. If you are a registered NYTimes.com user, please log in. If you are not a registered user, please create a free NYTimes.com account.

3. Enter Complimentary Digital Gift Subscription Code 51dd265c****** and fill out the online form to process your subscription.

Please be reminded that only new subscribers are eligible for this offer. If you have any questions, just call our Customer Care representatives at 1-800-591-9233.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/26/12 09:53 PM
FWIW, the NYT does occasionally offer temporary promotional free full access to their web site instead of imposing an access limit of about 5 articles/day for non-subscribing registered visitors, IIRC. If you're interested, but don't trust the email, try the 800 number to verify the offer.

Anyway, to me this looks like a genuine offer, not a phishing attempt, but checking never hurts. cool
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/26/12 10:47 PM
NYT dialed back their free access at the beginning of April:
"Visitors can enjoy 10 free articles (including blog posts, slide shows, videos and other multimedia features) each calendar month on NYTimes.com, as well as unrestricted access to browse the home page, section fronts, blog fronts and classifieds.
"Your free, limited access resets every month: at the beginning of each calendar month, you'll once again be able to view 10 free articles for that month."

The toll-free telephone number seems to be legit; it's the same one given on their website for Customer Service.
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 04/27/12 06:56 PM
Actually, it looks like this is legitimate:

http://jimromenesko.com/2012/03/28/nyts-gift-to-digital-subscribers/
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/27/12 09:31 PM
Yowzah. That's what I (ultimately) got from my e-correspondent who forwarded the message from someone else who was trying to give away the 'gift'.

Of course, the 'gift' is just NYT's ploy to glom onto new subscribers and/or mine their IP addresses and such. tongue

Fool me once, shame on you. mad Fool me twice, shame on me. frown
Posted By: joemikeb Re: THE CYBER-SECURITY THREAD - 04/28/12 11:45 AM
Originally Posted By: grelber
Of course, the 'gift' is just NYT's ploy to glom onto new subscribers and/or mine their IP addresses and such.

Fool me once, shame on you. Fool me twice, shame on me.

The NYT and virtually every newspaper in this country is struggling for financial survival. The techniques they are using to garner new online subscribers are little different than previous marketing campaigns targeting paper and ink subscribers. I don't see the 10 free articles a month as any different than those who read the news above the fold of the paper on the newsstand without buying a paper. Neither do I see any difference between selling their email subscriber list to marketers and selling their home delivery lists to the same marketers.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/30/12 11:42 PM
Interesting article: Snow Leopard hit hardest by Flashback malware
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 05/03/12 07:40 PM
[Not a reply; just tacked on to last post.]

How to Muddy Your Tracks on the Internet
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 05/14/12 03:32 PM
Kaspersky Lab asked by Apple to advise on OS X security

And, in another development, Kaspersky Lab was not asked by Apple to advise on OS X security

It appears that the original link has been edited and it is now the same as the second link.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 05/14/12 09:17 PM
This afternoon Apple released a security update and a Flashback removal utility for Leopard (Intel only). Like the previous version for Snow Leopard/Lion, this updater removes older versions of Adobe Flash Player.

As expected, PPC Macs are ignored. MacinTouch's Security Reader Report includes an interesting item about this and Apple's policy of dropping support for OS X versions more than 2 iterations old. The latter may leave about half of all Macs unsupported (with regard to security updates) when Mountain Lion is released.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 05/14/12 09:35 PM
> The latter may leave about half of all Macs unsupported (with regard to security updates) when Mountain Lion is released.

When I read that Apple was going to be upgrading OSX more frequently than before, I wondered how legacy versions would fare.

(As, if not more, important is whether support for iTunes...still supported in Leopard (PPC and Intel versions), will be continued?)
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 05/30/12 09:29 AM
Flame virus set to spread like wildfire

It is claimed that Flame is "perhaps the most sophisticated piece of malicious software ever designed".
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 05/31/12 09:31 PM
Part of the problem with flash is that adobe insists on using their custom package installers, so they don't even have the option of placing it inside Software Update like they do with printer drivers. Apple's decision to outright disable flash when there's a new version out seems to be very prudent.

I wish they'd make it easier to see that it's been disabled. It appears that users get one warning and that's it, and there's no menu option or anything to indicate it's disabled or where to go to fix it. And adobe's installer writes its own standard from the ground-up for its behavior, so I've been running into users all week that don't understand that the installer hasn't actually finished installing, usually when it is launched right after download and is refusing to run because safari is (surprise!) still running.
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 06/01/12 04:54 AM
Originally Posted By: grelber
Flame virus set to spread like wildfire

It is claimed that Flame is "perhaps the most sophisticated piece of malicious software ever designed".


The idea that it is "spreading like wildfire," however, is hyperbole; it's actually one of the rarest and least-spreading bits of malware in the world. It's been confirmed to have infected fewer than 1,000 systems; by way of comparison, the OS X Flashback Trojan infected more than 600,000, and W32/Zlob (my own personal favorite) is known to have infected somewhere between 4 million and 5 million. Even specialized, small-scale malware like W32/Asprox, which infects Windows computers running Web server software, infected about 12,000 systems in a single day.

So by way of comparison, not only is Flame not spreading like wildfire, just the opposite--it's extremely narrowly targeted, affecting only carefully selected computers in key industrial applications in certain very highly specific places.

The analysis I've read suggests that while Flame is certainly very highly sophisticated, and was almost certainly financed at a cost of millions of dollars by a governmental agency (Iran is pointing the finger at Israel, but it's not impossible the US was behind it), it isn't the most sophisticated bit of malware ever designed...that would probably be Stuxnet. Flame doesn't seem to spread by several zero-day exploits. Its main claim to sophistication is that once it has infected a system, its operators can upload different modules to the infected computer for different purposes. These modules, written in a scripting language called Lua, can perform different functions--acting as a keylogger, intercepting email, taking screen shots, deleting files, and so on--but each of those modules is not, of and by itself, that sophisticated.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 06/01/12 05:02 AM
Originally Posted By: tacit
The idea that it is "spreading like wildfire," however, is hyperbole ....

Of course it is. Editors love 'overstatement'.
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 06/01/12 06:04 AM
Interesting piece in today's New York Times about Stuxnet and how it was part of a joint US/Israeli attack on Iran's nuclear enrichment facility, and how it was discovered only after a programming error allowed it to infect computers outside the facility.
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 06/01/12 06:08 AM
To be fair, it may be possible that PowerPC Macs are ignored by the Flashback update and removal tool because, to date, no PPC variant of the Trojan has been seen. PowerPC systems are immune to the attack, as the malware is compiled only for Intel processors.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 06/01/12 02:12 PM
I agree that the Flashback variants to date weren't compiled to run on PPC Macs, and consequently didn't pose a threat there. Should that change though, I'm not so sure it would make much of a difference to Apple's support policy with regard to security updates, which excludes PPC Macs for various other reasons.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 06/01/12 02:26 PM
Those interested in some background info on Flame can of course Google for details, but in case you haven't done so yet I have compiled the following shortlist of links to complement the NYT link tacit provided above:

- ‘Flame’ Virus explained: How it works and who’s behind it
- Was Flame virus written by cyberwarriors or gamers?
- Iran: ‘Flame’ Virus Fight Began with Oil Attack
- Flame virus abilities expand with Bluetooth
- The Flame Virus: Spyware on an Unprecedented Scale
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 06/04/12 01:49 PM
Expert [Eugene Kaspersky] Issues a Cyberwar Warning
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 06/08/12 07:05 PM
On Ars Technica: Cryptography breakthrough shows Flame was designed by world-class scientists.

"It's not a garden-variety collision attack, or just an implementation of previous MD5 collisions papers—which would be difficult enough," Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. "There were mathematicians doing new science to make Flame work."
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 06/12/12 11:32 PM
Here we go again: Java SE 6 2012-004 1.6.0_33 is now out.
To what end, who knows? I thought that the previous version was the 'ultimate'.

And, man, what a flurry of activity on Apple Support Downloads over the past couple days!
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 06/13/12 12:19 AM
Originally Posted By: grelber
I thought that the previous version was the 'ultimate'.

If that's ever true, it's at best a 'temporary monument'. Consider bug and security fixes, plus 'genuine' improvements. tongue
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 06/13/12 12:51 AM
A new wrinkle:

Originally Posted By: Apple
This update configures web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 07/12/12 02:22 PM
Earlier this week F-Secure reported the discovery of new, multi-platform Java backdoor malware affecting certain Macs. The Mac version is a PPC binary, meaning that it will run on PPC Macs and Intel Macs with Rosetta installed (Snow Leopard and earlier, and disregarding possible virtualization/emulation under Lion or Mountain Lion).

Yesterday the F-Secure report was picked up on by Mac sites like MacInTouch and—in more user-friendly detail—MacWorld. The new malware relies on some social engineering as you need to approve the installation of a Java applet from a questionable source. It was found on a Colombian website, but it is not yet known if that's the only source.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 08/23/12 06:02 PM
Two more backdoor variants (Crisis and NetWeirdRC) have been described that target multiple platforms, including Mac OS X and (in the case of Crisis) VMWare virtual machines. Both appear derived from commercial remote access tools. While Crisis is disseminated as a Java archive file (.jar) posing as a Flash Player Java applet, it's not yet clear what the main vector for NetWeirdRC is. There is as yet no indication how widespread either one is, and the current threat level is low.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 08/30/12 06:22 PM
Right on the heels of the Crisis and NetWeirdRC backdoors, another Java exploit appeared a few days ago, targeting the latest Java (7 v1.7). Because Apple has been running behind with Java updates even before leaving them to Oracle (home of Java) altogether, most Macs are still running Java 6 v1.6, which is not (yet) affected by this malware. MacWorld's Rich Mogul summarized this latest Java exploit, and lists the salient details for the Mac user.
Posted By: Pendragon Re: THE CYBER-SECURITY THREAD - 08/30/12 08:12 PM
I am one of those who previously installed Java 1.7.0.x

Now, today, MacUpdate has posted Java SE Runtime Environment 7, v 1.7.0_07.

Is this a fix for the earlier vulnerabilities or will installing this make matters worse?

FWIW, I have Java disabled in Safari & Mail, and use Click To Plugin.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 08/30/12 10:42 PM
Java's version number scheme is confusing. The vulnerable versions included the first 7 (#00>06) updates of Java 7, v1.7. This is the 8th update (#07), and is said to contain a patch to stop the current malware (Oracle did not yet provide details about the update). Note that the vulnerability is exploited via the browser, and that Java may* be disabled there. Apple disabled Java in Safari by default in both Lion and Mountain Lion (required for this version of Java), but it can be turned back on.

*) Ideally it should be 'should' rather than 'may' here: the next vulnerability could be exploited tomorrow, and you don't want to step in it by default.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 08/31/12 11:07 PM
Originally Posted By: alternaut
...the next vulnerability could be exploited tomorrow, and you don't want to step in it by default.

I sure didn't imagine to be literally proven right: Researchers find critical vulnerability in Java 7 patch hours after release. shocked
Posted By: Pendragon Re: THE CYBER-SECURITY THREAD - 09/01/12 10:17 AM
Java, apparently, is destined to be one of those apps that is so easily hacked, that patches will be a daily event. Grrrrr.

Indeed, for now, it seems the only recourse is to ensure it is fully disabled.

A pox on all their houses…

Oracle Oracles, on the other hand, are most worthy and we shall sing their praises!

Even though I think I have my Java locked down, I would manually remove v7, if I could find all the right pieces.

Me wonders why some enterprising chap or chapette hasn't developed a Java 7 uninstaller. Alas, I am of little faith re Oracle rising to that occasion.

But one can check to see if Java is accessible by running the test applet (at the bottom of the page).
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 09/01/12 01:59 PM
Java will be pretty much history when you remove the folder /System/Library/Java/JavaVirtualMachines/, or its contents (1.x.0.jdk). If you just want to disable Java, you could open /Applications/Utilities/Java Preferences.app and uncheck any runtime listed on the General tab. And, for good measure, don't forget to disable it in your web browser.
For details on cleaning out other Java remnants in Lion (a mostly cosmetic exercise), check out the first answer to this question.
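A small audit script to go with the removal steps above. This is an added example, not something from the thread or from Apple: it lists the runtime bundles left in /System/Library/Java/JavaVirtualMachines/ (the folder named in the post) and reports whether the browser plug-in bundle is still present. The plug-in path and the plist keys read for the version string are assumptions about Apple's Java bundles of that era; the script degrades to "unknown version" if they are absent. Pass a different directory to audit_java() to run it against a copy or a test tree.

```python
import os
import plistlib

# Folder named in the post; the plug-in path is an assumption about where
# Apple's Java web plug-in lived on Snow Leopard/Lion systems.
JVM_DIR = "/System/Library/Java/JavaVirtualMachines"
PLUGIN_PATH = "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"


def bundle_version(bundle_path):
    """Read a version string from <bundle>/Contents/Info.plist.

    Assumption: Apple's .jdk bundles carry JavaVM -> JVMVersion; fall back
    to CFBundleVersion, and return None if the plist is missing or unreadable.
    """
    plist_path = os.path.join(bundle_path, "Contents", "Info.plist")
    try:
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None
    jvm = info.get("JavaVM")
    if isinstance(jvm, dict) and jvm.get("JVMVersion"):
        return str(jvm["JVMVersion"])
    version = info.get("CFBundleVersion")
    return str(version) if version else None


def audit_java(jvm_dir=JVM_DIR, plugin_path=PLUGIN_PATH):
    """Return the .jdk bundles (name, version) still installed under jvm_dir
    and whether the browser plug-in bundle exists."""
    runtimes = []
    if os.path.isdir(jvm_dir):
        for name in sorted(os.listdir(jvm_dir)):
            if name.endswith(".jdk"):
                runtimes.append((name, bundle_version(os.path.join(jvm_dir, name))))
    return {"runtimes": runtimes, "browser_plugin": os.path.exists(plugin_path)}


def summarize(report):
    """One-line human summary of an audit_java() report."""
    if not report["runtimes"] and not report["browser_plugin"]:
        return "no Java runtime or browser plug-in found"
    parts = ["%s (%s)" % (name, ver or "unknown version") for name, ver in report["runtimes"]]
    plugin = "present" if report["browser_plugin"] else "absent"
    return "runtimes: %s; browser plug-in: %s" % (", ".join(parts) or "none", plugin)


if __name__ == "__main__":
    print(summarize(audit_java()))
```

If the summary still lists a runtime after you think you removed Java, the folder contents (1.x.0.jdk) are what to look at; a present plug-in bundle means the browser side is still worth disabling, as the post says.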
Posted By: Pendragon Re: THE CYBER-SECURITY THREAD - 09/02/12 10:18 AM
Because the Java 7 vulnerability is still proof of concept, e.g., no actual virus (yet), and I have disabled all Java settings (including browsers), it is not listed as runtime, I use ClickTo Plugin, and I have verified that the Java test applet won't run, I feel quite secure. Well, subject to change.

Of course, that begs the question: Why even have it? That answer, um, I'm still working on it…
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 09/02/12 03:58 PM
Originally Posted By: Pendragon
Java ... Why even have it?

There are two reasons you may need Java. The first is that you require access to websites whose functionality depends on Java (e.g., certain banks etc.). The second is that you have a need for stand-alone* Java apps on your Mac. I've listed some of those in a previous post.


*) There are also non-Java applications that use Java for certain tasks or modules only. These may include initial installation and/or certain functionality of the installed program.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 09/04/12 05:52 PM
Commentary:
- Time to give Java the boot?
- Why Java would still stink even if it weren't security swiss cheese
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 09/05/12 06:30 PM
Today, unexpectedly close on the heels of Oracle's recent (and already compromised) Java 7 updater, follow two Java 6 updaters from Apple for Snow Leopard as well as for Lion and Mountain Lion. We'll see how long these last.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 09/07/12 01:56 PM
The Java 1.6 updaters Apple issued earlier this week are subject to similar caveats as affected the preceding Java 1.7 updater provided by Oracle. The Oracle patch proved to be buggy and still vulnerable to certain exploits, while Apple's 1.6 updaters apparently do not patch the 1.7 vulnerability that the Oracle updater addressed. To be sure, this vulnerability has to date only been exploited in Java 1.7, and NOT yet in Java 1.6, but it could be.

Hence, all suggestions to secure your Java configuration to your needs are still valid and recommended.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 12/06/12 03:23 PM
And now, a new wrinkle in the cat-and-mouse game: For PC Virus Victims, Pay or Else
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 12/08/12 05:32 PM
Earlier today MacInTouch noted a report from Sophos dealing with current and expected computer security threats. It may be of interest to regular readers of this thread:

- Security Threat Report 2013
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 12/11/12 04:51 AM
ya we've seen a recent upsurge in "ransomware" and the "fbi warning" trojans on the pc side as of lately. funny stuff. makes for entertaining phonecalls from customers.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 12/20/12 10:49 PM
For those who like this time of the year to review past issues, here's Rich Mogull's view on Apple’s Security Efforts in 2012.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 12/21/12 12:17 AM
If it's entertainment that you seek, watch this video to the end.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 12/22/12 04:24 PM
While the iOS world has been relatively clean of malware, it has (had) its share of privacy issues, and so it appears again today. AppleInsider reports that an iOS 6 bug reenables JavaScript in Safari without user consent. Even though this privacy and security vulnerability doesn't appear to be actively exploited at the moment, it could allow browser fingerprinting of those users who thought they'd stopped that by disabling JavaScript. Not!
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 01/14/13 06:31 PM
Here is some background information about the latest Java 7 exploit* of vulnerability CVE-2013-0422, and the Java 7 Update 11 that patches it. The article also addresses potential issues with the (unrelated) JavaScript and suggests a 'best practice' approach.

*) mentioned elsewhere in this forum.
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 01/15/13 06:18 PM
The "Best Practices" I keep seeing by the experts on this topic are "java will always have security problems"

I dunno. I generally put Java and Flash in pretty much the same boat that way.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 01/15/13 06:58 PM
Originally Posted By: Virtual1
The "Best Practices" I keep seeing by the experts on this topic are "java will always have security problems"

I behave as if that were true, by keeping Java turned off and Flash blocked until I choose to allow it for specific tasks or web sites. But that 'best practice' comment really was about how to deal with JavaScript and its vulnerabilities. I suppose I could have been more clear about that.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 01/31/13 05:50 PM
Apple again blocks latest version of Java through OS X anti-malware system
Posted By: joemikeb Re: THE CYBER-SECURITY THREAD - 01/31/13 10:27 PM
Either Apple's Anti-malware system does not work or the article is inaccurate and misleading. I suspect the latter to be the case.

There are three major Java implementation categories, each with its own characteristics and limitations…
  1. applications — stand alone programs that run on the computer such as NeoOffice
  2. applets — that run only within a browser and are not at all the same thing as javascript
  3. Servlets — that run on a server to provide various functionalities

I have several Java applications on my Macs including OpenOffice, NeoOffice, MoneyDance, and others used to access specific devices. All of them are working perfectly and I am scrupulous about installing every update that comes along. Therefore, it would appear that although the referenced article is easily interpreted as applying to all three Java implementations the only ones affected by the OS X anti-malware system are applets. (Thank goodness, because it would take me literally hundreds of hours of work to reconstruct all my financial records to pay last year's taxes if Java were unilaterally cut off, not to mention all my documents that are in ODF format.)

As far as alternaut's concern about JavaScript insecurity goes, that becomes an even more difficult problem to solve as each browser has its own unique implementation of ECMAScript. (Although Mozilla's JavaScript was the original, both it and Microsoft's JScript are officially two of the many dialects encompassed by the ECMAScript standard.) So a vulnerability may exist in the dialect, the standard or, perhaps even more likely, in the particular browser's implementation of the standard. I still run across the occasional web sites that only work if you are using a specific version of Internet Explorer or maybe a Mozilla browser. mad

Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 02/01/13 09:30 PM
Oracle patches security issues with Java 7 Update 13, and I believe whatever the groundhog says tomorrow.
Posted By: joemikeb Re: THE CYBER-SECURITY THREAD - 02/01/13 09:53 PM
Much to my surprise I was installing Adobe Creative Suite CS 6 on my son's computer today and when I launched the first application, Dreamweaver, the first thing it did was install Java. So here is another case where at least Java applications are unaffected by Apple's anti-malware. Whether there are Java applications embedded in DW or the JVM is there for site development, I have no idea.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 02/02/13 12:29 AM
Here's a real-world exploit of Java vulnerabilities: Twitter Hacked: Data for 250,000 Users May Be Stolen.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 02/02/13 08:42 PM
Punxsutawney Phil didn't scare himself with unexplained light effects, and Apple issued its Java for Mac OS X 10.6 Update 12. I just hope for the best. wink
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 02/17/13 09:35 PM
It looks like "damage control" and attempted cover-ups are not restricted to governments. Google asks journalists to tone down story of "massive" Google Play security flaw. Fortunately for me, I don't have a cell phone of any description but now I know that I will never trust Google. I ditched Chrome awhile back because of my doubts about privacy.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 02/17/13 09:59 PM
Take your pick from Chrome's lack of privacy to Safari's sellout to the "trackers"... shocked
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 02/21/13 06:18 PM
Adobe has issued critical updates for both Reader and Acrobat versions 9, 10 and 11. Until the updates are installed, it is advisable to disable JavaScript in Reader and (when optional) enable protected view before accessing PDFs on the internet.
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 02/28/13 09:51 PM
seeing as there'll just be another critical security hole next month/week/tomorrow, it's probably smarter to just leave java off.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 02/28/13 10:51 PM
Originally Posted By: Virtual1
... just leave java off.

Absolutely, but note that in my previous post I was referring specifically to JavaScript in Reader. For many users, that may not be too onerous, but we'd be really hurting if that should ever extend to browsers.
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 03/01/13 05:36 PM
http://arstechnica.com/security/2013/03/...acking-targets/

/me gets out the popcorn
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 03/02/13 01:35 PM
well THAT didn't take long... http://thenextweb.com/insider/2013/03/01...urity-settings/

You'd think the hackers would have the common courtesy to wait until the most recent 0-day is patched before announcing another one.

ya... I think I'll just leave that OFF.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/03/13 04:20 PM
Today the MacInTouch Reader Report on Security noted an interesting article about Who Wrote the Flashback OS X Worm? and why. Another worthwhile read linked to is Everything We Know About What Data Brokers Know About You.
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 04/04/13 03:40 AM
If this guy is who I think he is, he spent some time working with the DNSchanger/Zlob gang in Estonia. He escaped back to Russia when the rest of the gang was arrested about a year and a half or so ago.
Posted By: roger Re: THE CYBER-SECURITY THREAD - 04/04/13 02:27 PM
That data article is amazing, scary, and it seems that the only way to stop it would be Orwellian and worse than the sickness.

what a wild world we now live in.
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 04/04/13 11:13 PM
I think the best way to stop it wouldn't be Orwellian at all. I would propose several things:

1. For Russia to make computer malware a crime. Right now, writing malware (even malware designed to steal money) just isn't a crime in Russia. Russian mafia makes more money these days on computer malware than on the normal organized crime trifecta of drugs, prostitution, and extortion; outlawing this activity in Russia would go a long way toward kicking the legs out from under Russian mafia.

2. For Russia to have extradition with the US.

3. For banks and merchant account underwriters to stop processing credit cards for organized crime. A lot of organized crime's revenue stream comes from "ransomware" (malware that encrypts the data on your computer and threatens to delete it if you don't pay a fee) and "scareware" (phony antivirus software that warns you of bogus, non-existent viruses and then keeps bogging your computer down with popup warnings until you pay to "register" the software). Panda Labs estimates that as of 2009, Russian organized crime was bringing in $34 million a MONTH from fake antivirus malware. Almost all of this money comes from credit card transactions. In 2011, US banks stopped doing business with Russian groups who were collecting money for fake antivirus registrations, but European banks quickly stepped in, often charging 30% or more in fees. The lure of $10 million a month in income was too great to pass up, I suppose. Outlawing credit card processing for criminal activity would do a lot to remove the financial incentive for some forms of malware.

4. Better policing of online ad clicks. The Flashback malware makes money when the virus writers set up Web sites that have ads on them, and then the malware causes infected computers to send bogus "clicks" to the ads. With each bogus click, the malware writers make money. If Google, Doubleclick, and other ad vendors were to implement more proactive monitoring of their ad performance, they could put a stop to it; for example, if a Web site has just one page that's an article in Romanian about artichokes, and somehow it's generating $15,000,000 a month in advertising clicks and 99% of the visitors to the site click the ads, then it doesn't take a rocket scientist to figure out what's happening.
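The click-fraud heuristic in point 4 (a site where nearly every visitor clicks an ad is not getting real visitors) is easy to turn into a check an ad network or site operator could run over its own traffic logs. The following is an added example, not code from the post or from any ad vendor; the log format (site, visitor id, event) and the thresholds are assumptions, and the sample traffic is constructed inline. It goes slightly beyond the post by also reporting clicks per clicking visitor, since an infected machine typically clicks far more often than a person does.

```python
from collections import defaultdict

# Constructed sample traffic, in an assumed "site,visitor,event" format.
# artichokes.example: 20 visitors, every one of them clicks, several times.
# news.example: 20 visitors, one of them clicks once (normal behaviour).
def constructed_log():
    lines = []
    for i in range(20):
        lines.append("artichokes.example,bot%02d,view" % i)
        lines += ["artichokes.example,bot%02d,click" % i] * 3
    for i in range(20):
        lines.append("news.example,user%02d,view" % i)
    lines.append("news.example,user07,click")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'site,visitor,event' lines; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        site, visitor, event = (f.strip() for f in line.split(",", 2))
        events.append((site, visitor, event))
    return events


def site_stats(events):
    """Per site: distinct visitors, distinct clicking visitors, view and click counts."""
    stats = defaultdict(lambda: {"visitors": set(), "clickers": set(), "views": 0, "clicks": 0})
    for site, visitor, event in events:
        s = stats[site]
        s["visitors"].add(visitor)
        if event == "view":
            s["views"] += 1
        elif event == "click":
            s["clicks"] += 1
            s["clickers"].add(visitor)
    return stats


def flag_suspicious(stats, max_clicker_share=0.5, max_clicks_per_clicker=2.0, min_visitors=10):
    """Flag sites where too large a share of visitors click, or clicking
    visitors click too often. Thresholds are assumed; tune to real traffic.
    Returns {site: (clicker_share, clicks_per_clicker, reasons)}."""
    flagged = {}
    for site, s in stats.items():
        n_visitors = len(s["visitors"])
        if n_visitors < min_visitors:
            continue  # too little data to judge
        share = len(s["clickers"]) / n_visitors
        per_clicker = s["clicks"] / len(s["clickers"]) if s["clickers"] else 0.0
        reasons = []
        if share > max_clicker_share:
            reasons.append("clicker share %.2f" % share)
        if per_clicker > max_clicks_per_clicker:
            reasons.append("clicks per clicker %.1f" % per_clicker)
        if reasons:
            flagged[site] = (round(share, 2), round(per_clicker, 2), reasons)
    return flagged


if __name__ == "__main__":
    for site, (share, per, why) in flag_suspicious(site_stats(parse_log(constructed_log()))).items():
        print(site, share, per, "; ".join(why))
```

A site tripping both rules at once is the pattern the post describes; a single rule firing on a small site is more often a measurement artefact, which is why min_visitors exists.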
Posted By: roger Re: THE CYBER-SECURITY THREAD - 04/05/13 11:39 AM
I wasn't thinking so much about the malware thing, more about the data collection by companies that is then sold to other companies. Making a profit from our information seems underhanded to me, but stopping/monitoring the collection of that data is what would be Orwellian.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/06/13 12:02 AM
After reading alternaut's linked article I visited Rapleaf, which was identified as a company that allows you full access to your records, and after viewing four accounts, one for each of my pertinent e-mail addresses, I found that they think that I'm male...nothing more. smile

That's only one data collector out of zillions, of course, but it's a nice start.
Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 05/23/13 09:25 AM
Tacit: What's your opinion about Hackers Find China Is Land of Opportunity?
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 05/23/13 05:10 PM
The article you link to has an interesting comment from an Indian professor about the Chinese hacking 'culture'. The curious (and I'm sure unintended) thing about that comment is that it also seems applicable to similar spyware activity in India, as exemplified by email-attached spear-phishing malware recently found in Europe.

Perhaps even more than for what it does, this so-called KitM/HackBack/Kumar malware is interesting because it's signed with a valid Apple Developer ID, which bypasses the Gatekeeper security feature in Mac OS X Mountain Lion. The associated 'Rajinder Kumar' ID is another cue to a large cyberespionage campaign that appears to be originating in India, to which KitM has been linked. This campaign has targets of both national interest (Pakistan) and economic interest (Western industries), something so far mostly seen with attacks coming from China.
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 05/23/13 06:32 PM
Sounds about right. The Chinese government doesn't limit its endorsement of hacking to internal matters, either; it actively recruits and pays programmers to create and distribute malware that promotes China's interests abroad, whether that's targeting pro-Tibet activists worldwide or attacking US Government sites.

In Eastern Europe, hacking is just as common, though it's almost always organized crime who's doing it and it's almost always done for profit (bank skimming Trojans, botnets, and so on make lots of money for Russian organized crime). In China, the government sees hacking as a way to control dissent at home and gain an advantage abroad.
Posted By: Virtual1 Re: THE CYBER-SECURITY THREAD - 05/26/13 08:06 PM
It's not just china. Governments exist (in theory anyway) to benefit their people. Beyond that, all bets are off, anything is game. That's why we have wars, spies, gitmo, hacking, etc.

I'd imagine hacking is one of the more tame "state-sponsored" antisocial activities done abroad. Every government of reasonable size is doing it, just the same as every sizable government has a network of spies abroad.

"Why are we doing it? It benefits our people. Got a problem with that? If it's benefitting my people, why would I possibly care if you don't like my doing it? I'll try to be a little more discreet, but I'm sure as heck not gonna stop."
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/09/14 01:27 AM
Earlier this week Heartbleed, a 28-month-old flaw in SSL, was patched that 'could allow attackers to monitor all information passed between a user and a Web service or even decrypt past traffic they’ve collected'. Do I hear someone muttering 'NSA' ?

There's little a user browsing the web can do about this, as the bug is located in a library used in the Apache and nginx Web server applications (which need to be updated), but it's something that should give one yet another pause commensurate with the importance the web plays in one's life. I'm sure there's more to come, both with regard to info about this particular issue, and others down the line.
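For readers who want to see what the server-side fix actually consisted of: Heartbleed was a missing bounds check in OpenSSL's handling of TLS heartbeat messages (RFC 6520). A heartbeat carries a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding; the flawed code trusted the length field and echoed that many bytes back, so a short message claiming a long payload got answered with whatever followed it in memory. The Python below is an added example written for this thread, not OpenSSL code: it models process memory as a constructed bytearray with a made-up secret after the record, shows the unchecked echo beside the checked one, and the checked version discards any message whose claimed length does not fit in the record, which is what the patch added.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding after the payload


def build_heartbeat(hb_type, payload, claimed_len=None, padding=b"\x00" * MIN_PADDING):
    """Build a heartbeat message body. claimed_len, when given, overrides the
    real payload length so a malformed message can be constructed for testing."""
    if claimed_len is None:
        claimed_len = len(payload)
    return bytes([hb_type]) + struct.pack("!H", claimed_len) + payload + padding


def heartbeat_echo_unchecked(memory, offset, record_len):
    """Models the flawed behaviour: trusts the length field and copies that
    many bytes starting after the 3-byte header, ignoring record_len."""
    (claimed_len,) = struct.unpack("!H", memory[offset + 1:offset + 3])
    start = offset + 3
    return bytes(memory[start:start + claimed_len])


def heartbeat_echo_checked(memory, offset, record_len):
    """Fixed behaviour: the header, claimed payload and minimum padding must
    all fit inside the received record; otherwise discard silently."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    if memory[offset] != HB_REQUEST:
        return None
    (claimed_len,) = struct.unpack("!H", memory[offset + 1:offset + 3])
    if 1 + 2 + claimed_len + MIN_PADDING > record_len:
        return None  # the check that was missing
    start = offset + 3
    return bytes(memory[start:start + claimed_len])


def demo():
    """Place a 23-byte record claiming a 64-byte payload in front of a
    constructed secret and compare the two echo routines."""
    record = build_heartbeat(HB_REQUEST, b"ping", claimed_len=64)
    secret = b"SESSION-COOKIE=constructed-secret-value" + b"\x00" * 64
    memory = bytearray(record) + bytearray(secret)  # constructed "process memory"
    leaked = heartbeat_echo_unchecked(memory, 0, len(record))
    safe = heartbeat_echo_checked(memory, 0, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("unchecked echo leaks secret:", b"SESSION-COOKIE" in leaked)
    print("checked echo result:", safe)
```

The well-formed case still works: a record whose length field matches its real payload passes the check and is echoed as before. That is why the fix was a one-line length comparison rather than a protocol change, and why, as the post says, nothing on the client side could compensate for a server that had not applied it.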
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/09/14 09:25 AM
As alternaut noted, there's precious little the end user can do until the various servers affected are repaired.

From the BITS blog at The New York Times:
"The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Changing a password on a site that hasn’t been fixed could simply hand the new password over to hackers. Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue."
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 04/09/14 06:51 PM
I was pleased to note that the version of OpenSSL that ships with Mavericks isn't vulnerable, so those of us running OS X servers need not freak out.

That's a rather tiny spark of light in a very gloomy situation, though.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/09/14 07:03 PM
Slowly, more information about the Heartbeat bug is becoming available. From the various sources I (fairly arbitrarily) picked two for your perusal (and follow-up, when and where warranted):

- The critical, widespread He...fo safe
- The Heartbleed Bug

It has been noted here and elsewhere that the SSL flaw didn't affect certain Mac OS X versions, based on the SSL version(s) used there. However, everyone accessing compromised web servers may still have had sensitive data exposed and should respond accordingly. In addition to keeping track of server update deployment, users may want to update affected browsers and other web apps they rely on. The first (PC-World) article linked to above lists ways to keep track of both update activities.
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/10/14 01:46 AM
> Slowly, more information about the Heartbeat bug is becoming available. (Emphasis added)

Congrats on having a healthier heart than all/most/some of the rest of us. laugh

Edit: Oops! I see that Heartbleed actually is a Heartbeat bug. (Good opening, anyhow!)
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/10/14 06:32 AM
Didn't think to document where, but I found this test, which pronounces all my critical financial sites (and FTM) secure.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/10/14 08:59 AM
Originally Posted By: artie505
Didn't think to document where, but I found this test, ...

Possibly in PCWorld's article (hotlinked in alternaut's earlier post).

Also of interest might be
Heartbleed-Masstest which lists the 'top' 10,000 vulnerable or OK websites at the beginning of the week.
Posted By: ryck Re: THE CYBER-SECURITY THREAD - 04/10/14 03:29 PM
I wonder what the difference is between "No SSL" and "not vulnerable". Do they essentially mean the same thing?
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/10/14 06:07 PM
I'm pretty sure that "no SSL" would mean "vulnerable" to all and any information traveling back and forth, since there would be no secure sockets layer (cryptography) of any sort (ie, no https). Not likely that you'd find such on financial websites inter alia.
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 04/10/14 06:59 PM
"No SSL" means the site doesn't use encryption at all (if you try to go to https://thenameofthesite you won't get anything). Most sites on the Internet don't use SSL because they don't need to--they don't accept credit card information, for instance.

For example, my site at xeromag.com would show up as "no SSL" because there's no security certificate there--I don't sell anything where I need to accept sensitive information. On the other hand, my site at franklinveaux.com does have SSL because I have an ecommerce store there.
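An added example (not code from any poster in this thread) that turns the three checker categories discussed above ("no SSL", "not vulnerable", "vulnerable") plus the NYT advice quoted earlier (don't change a password until the site is patched) into a small triage helper. It adds a fourth category, "patched", for sites that were affected and have since been fixed; the OpenSSL version strings, site names and dates are constructed sample data.

```python
"""Heartbleed triage helper (added example; sample data is constructed)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# OpenSSL 1.0.1 through 1.0.1f carried the affected TLS heartbeat code;
# 1.0.1g fixed it, and the 0.9.8 / 1.0.0 branches never had the extension.
# Pre-release strings such as "1.0.2-beta1" are not handled and raise.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def openssl_affected(version: str) -> bool:
    """True if this release-style OpenSSL version string is in the affected range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter <= "f"  # "" (plain 1.0.1) sorts before "a", so it counts too


@dataclass
class SiteStatus:
    name: str
    has_tls: bool                        # False -> the checker's "no SSL"
    openssl_version: Optional[str]       # None if TLS is served by another stack
    patched_on: Optional[date]           # operator's announced fix date, if any
    last_password_change: Optional[date]


def classify(site: SiteStatus) -> str:
    """Map a scan record onto: no SSL / not vulnerable / vulnerable / patched."""
    if not site.has_tls:
        return "no SSL"
    running_affected = site.openssl_version is not None and openssl_affected(site.openssl_version)
    if running_affected:
        return "vulnerable"
    if site.patched_on is not None:
        return "patched"       # was affected, now fixed
    return "not vulnerable"    # never ran an affected build


def password_advice(site: SiteStatus, today: date) -> str:
    """The NYT guidance: only rotate once the site says it has dealt with the issue."""
    status = classify(site)
    if status == "no SSL":
        return "no SSL: nothing to patch, but credentials travel unencrypted; avoid sending secrets"
    if status == "not vulnerable":
        return "not vulnerable: no Heartbleed-driven password change needed"
    if status == "vulnerable" or site.patched_on is None or site.patched_on > today:
        return "wait: site not yet patched, a new password could be exposed too"
    if site.last_password_change is not None and site.last_password_change >= site.patched_on:
        return "done: password already changed after the fix"
    return f"change now: site patched on {site.patched_on.isoformat()}"


def triage(sites: List[SiteStatus], today: date) -> Dict[str, str]:
    """Advice per site name, suitable for a checklist."""
    return {s.name: password_advice(s, today) for s in sites}


# Constructed scan results (no real sites are represented).
SAMPLE_SITES = [
    SiteStatus("blog.example", has_tls=False, openssl_version=None,
               patched_on=None, last_password_change=None),
    SiteStatus("bank.example", has_tls=True, openssl_version="0.9.8y",
               patched_on=None, last_password_change=date(2014, 1, 5)),
    SiteStatus("forum.example", has_tls=True, openssl_version="1.0.1e",
               patched_on=None, last_password_change=date(2013, 6, 1)),
    SiteStatus("shop.example", has_tls=True, openssl_version="1.0.1g",
               patched_on=date(2014, 4, 8), last_password_change=date(2013, 6, 1)),
    SiteStatus("mail.example", has_tls=True, openssl_version="1.0.1g",
               patched_on=date(2014, 4, 8), last_password_change=date(2014, 4, 9)),
]

if __name__ == "__main__":
    for name, advice in triage(SAMPLE_SITES, date(2014, 4, 10)).items():
        print(f"{name:15} {advice}")
```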
Posted By: ryck Re: THE CYBER-SECURITY THREAD - 04/10/14 07:11 PM
Originally Posted By: tacit
"No SSL" means the site doesn't use encryption at all (if you try to go to https://thenameofthesite you won't get anything). Most sites on the Internet don't use SSL because they don't need to--they don't accept credit card information, for instance.

Okay. Thanks. I had wondered because the Canadian Banking Association announced this morning that no Canadian banks were affected. However, this link had some banks as "no SSL" and others as "not vulnerable".

So, new question….if they don't use SSL, would they have their own encryption to assure the traffic between customer and bank is secure?
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/10/14 07:55 PM
Originally Posted By: ryck
So, new question….if they don't use SSL, would they have their own encryption to assure the traffic between customer and bank is secure?

Yes. I checked with a major banking group earlier today on just this issue since nowhere on their website was there any indication of whether the bank's secure banking servers had been affected by the Heartbleed bug. Nor had any assurances been posted that their secure servers were immune to same and safe to use.

The bank advised:
"[Bank] has defenses in place to protect our customers so you can do your banking securely and without risk to your personal data. [Bank] uses secure SSL. Our banking sites and customer data are protected.
"Although we don't recommend any specific actions to bank customers as a result of this vulnerability, we always recommend that customers change their passwords regularly (ie, several times a year)."

According to a number of reports in the Canadian press, no major Canadian bank was affected by the Heartbleed bug. See, for example, the coverage in The Globe and Mail (www.theglobeandmail.com).
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/11/14 01:21 AM
Here are some more Heartbleed updates and tools. Among other things, it looks like it may be password changing time soon for lots of folks. Big time...

- Healing Heartbleed: LastPas...ability
- How to protect yourself in Heartbleed's aftershocks
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/11/14 08:05 AM
Heartbleed's been an open sore for more than two years, already, and there doesn't appear to be any indication that it's been exploited.

It's like the announcement, itself, is its springboard!
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 04/11/14 08:45 AM
And this from the Office of the Superintendent of Financial Institutions (OSFI) via the Financial Post:
Heartbleed bug prompts OSFI to check in with Canada’s banks
Posted By: ryck Re: THE CYBER-SECURITY THREAD - 04/11/14 10:06 AM
Originally Posted By: artie505
Heartbleed's been an open sore for more than two years, already, and there doesn't appear to be any indication that it's been exploited.

Hmmmm. And I was thinking that, if they had been collecting information for the past couple of years, it might come in handy. I could contact the bug designers and ask for some of the passwords I've forgotten. wink
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/11/14 02:46 PM
Originally Posted By: artie505
... and there doesn't appear to be any indication that it's been exploited.

At least not on a large scale, it seems. I'd like to point out, however, that there is a continuous and sizeable 'background' of internet hacking/theft going on. While much of that can be attributed to one or the other exploit, it doesn't cover everything else, including Heartbleed. After all, any smoking gun would have to unequivocally link abuse of stolen data with Heartbleed. Unfortunately, that's only indirectly possible (i.e., after abuse pattern analysis), because when used the exploit leaves no traces on affected servers (except, possibly, in custom transaction logs). And, as you suggested, there's not much of a pattern yet.
On the other hand, if someone had indeed stumbled on this flaw and exploited it*, it's not unreasonable to assume that it probably wouldn't have remained a secret for long.

That said, I'd like to remind you that the flaw can be used to access already recorded data, as this is not affected by any post-hoc patches applied to the relevant servers. Note that this data may have been recorded in the window between the flaw's recent revelation and its patching, and that window may still be open on servers you have dealt with. This explains the now frequently heard advice to check your financial transactions carefully for unauthorized activity.


*) Despite a comment in an earlier post I didn't mention the possibility here that the NSA knew and kept mum about Heartbleed to be able to exploit the flaw, because I figured that would be beyond the pale even for that organization. It seems I was doubly wrong, and that now appears to have been the case, although it's been denied by the White House. If you needed proof that the current policies of US intelligence agencies may cause more damage than they prevent, this could be it.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/12/14 12:13 AM
More selected notes:

- Heartbleed Bug: What Can You Do?
- Urgent: The Heartbleed Hit List: The Passwords You Need to Change Right Now
- Observations and commentary: Schneier on Security - Heartbleed
- Possible proof of use of the heartbleed vulnerability before Monday's disclosure: Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/12/14 06:49 AM
Originally Posted By: alternaut
That said, I'd like to remind you that the flaw can be used to access already recorded data, as this is not affected by any post-hoc patches applied to the relevant servers. Note that this data may have been recorded in the window between the flaw's recent revelation and its patching, and that window may still be open on servers you have dealt with. This explains the now frequently heard advice to check your financial transactions carefully for unauthorized activity.

I'll guess that already recorded data that has not yet been used is not in the hands of outwardly malicious persons, because those guys deal in current info rather than stockpile it and have it go bad.

Data gathered in your "window" (my "springboard" period), though, might (will likely?) result in a flurry of activity before users have secured their situations. (Happily, your linked Mashable doc reports that all the financial Websites I use are unaffected.)
Posted By: tacit Re: THE CYBER-SECURITY THREAD - 04/12/14 07:52 PM
The interesting thing about OpenSSL is that it's used to secure a huge percentage of the world's ecommerce sites, including some of the biggest powerhouses of the New Economy, yet all 400,000-plus lines of code are maintained by only 4 open source programmers who have a total budget of only a few thousand dollars a year.

One of those four people recently said something to the effect of "hey all you businesses spending millions to fix the problems caused by this flaw--since OpenSSL is vital to your business, how come you don't donate any money to maintaining it?"
Posted By: artie505 Re: THE CYBER-SECURITY THREAD - 04/14/14 11:25 PM
I've been waiting for e-mails from Websites on which I do business, and the first one only just got to me...an all-clear from SuperMediaStore.com (from whom I bought DVDs).

I've received neither alerts nor all-clears from any of my financial institutions.

Anybody else?
Posted By: Pendragon Last Pass - 04/15/14 11:04 AM
For those who may have missed it, LastPass HeartBleed Checker may help.
Posted By: pbGuy 1PW - AgileBits - Heartbleed Checker - 04/16/14 04:08 PM
AgileBits has just published their tool, which can also check SMTP & IMAP URLs.

Here's the Link: HeartBleed Checker
Posted By: Pendragon Re: 1PW - AgileBits - Heartbleed Checker - 04/18/14 09:49 AM
Originally Posted By: pbGuy
AgileBits has just published their tool, which can also check SMTP & IMAP URLs.

Here's the Link: HeartBleed Checker


Thanks for the post/link. It will be interesting to see what, if any, differences result from the two checkers. I suspect/guess they use the same algorithm.

Or, maybe Schrödinger is at play, and it only matters if one views the results. grin
Posted By: grelber Son of Heartbleed - 05/13/14 01:34 PM
Covert Redirect: Latest open source Web security breach won't be fixed anytime soon
Posted By: grelber Re: Son of Heartbleed - 06/23/14 07:51 PM
It's still with us:
Heartbleed isn’t dead — 300,000 servers are still exposed — but here’s how you can protect yourself
Posted By: jchuzi Re: Son of Heartbleed - 08/05/14 10:55 PM
Russian Gang Amasses Over a Billion Internet Passwords
Posted By: alternaut Re: Son of Heartbleed - 05/25/15 06:17 PM
It’s been quite a while since this thread saw some activity. So here goes: last January the CIRCL automatic launch object detection for Mac OS X, a free anti-malware utility, was updated. The software is based on an idea by Topher Kessler, and monitors a number of Mac OS X locations known to have received malware files on past occasions. It’s up to the user to allow or disallow such installs, and it provides an early warning for potential malware installation.

Other recent updates for free anti-adware/malware utilities include AdwareMedic, Bitdefender Adware Removal Tool, KnockKnock and ScamZapper.
Posted By: Pendragon Re: Son of Heartbleed - 05/25/15 07:19 PM
Originally Posted By: alternaut
It’s been quite a while since this thread saw some activity. So here goes: last January the CIRCL automatic launch object detection for Mac OS X, a free anti-malware utility, was updated. The software is based on an idea by Topher Kessler, and monitors a number of Mac OS X locations known to have received malware files on past occasions. It’s up to the user to allow or disallow such installs, and it provides an early warning for potential malware installation.

Other recent updates for free anti-adware/malware utilities include AdwareMedic, Bitdefender Adware Removal Tool, KnockKnock and ScamZapper.


I have Adware Medic & Scam Zapper installed. Is that sufficient, or do you suggest CIRCL additionally be installed? shocked
Posted By: alternaut Re: Son of Heartbleed - 05/25/15 08:31 PM
Adware Medic actually removes certain adware on an ad-hoc basis, while the Safari extension ScamZapper blocks certain browser popups. CIRCL’s ALOD runs in the background and lets you know if files are about to be installed in locations where previous malware has installed components, and leaves you the choice to proceed with that or not. Only the latter two may run simultaneously with normal use. So these utilities do different things and can coexist, at least in principle.

The questions that remain include those about how well these apps play with others. Do they slow down your Mac or web browsing or otherwise negatively affect your computing, and if so, is that interference worth it to you? That’s likely both hardware and OS version dependent, and as such difficult to answer generically. For instance, and FWIW, I haven’t yet noticed anything untoward with ScamZapper and ALOD, or otherwise seen reason to uninstall them, running Yosemite on a retina iMac.
Posted By: grelber Hackers exploit Flash vulnerability - 08/04/15 08:34 AM
Hackers Exploit ‘Flash’ Vulnerability in Yahoo Ads
Posted By: joemikeb Re: Son of Heartbleed - 08/04/15 12:47 PM
Adware Medic has now been rolled into a new expanded product, Malwarebytes. The UI is the same but the types of undesirable ware it searches for and removes have been expanded.
Posted By: ryck Re: Son of Heartbleed - 08/04/15 01:42 PM
Thanks for the tip. I decided to give it a try and got a reassuring "Malwarebytes did not find any malware or adware on your system." Of course, this doesn't mean that ongoing vigilance is less, it just means it's nice to have a way to check whether the effort is fruitful.
Posted By: Ira L Re: Son of Heartbleed - 08/04/15 04:25 PM
Originally Posted By: joemikeb
Adware Medic has now been rolled into a new expanded product, Malwarebytes. The UI is the same but the types of undesirable ware it searches for and removes have been expanded.


The Mac version is on this page.
Posted By: joemikeb Re: Son of Heartbleed - 08/04/15 07:47 PM
Thanks for catching that Ira.
Posted By: grelber Re: Son of Heartbleed - 08/04/15 07:51 PM
Originally Posted By: Ira L
The Mac version is on this page.

All versions are on the downloads page. confused
Posted By: Virtual1 thunderstrike revisited - 08/04/15 07:54 PM
So what's the current take on mac security with firmware modifying malware? I've been seeing a lot of chat recently about a new proof of concept that can just outright replace the firmware on a mac without the usual authentication, about usb devices that can do it ("badusb"), about airgapped access... what's the current state of affairs on OS X security?
Posted By: tacit Re: thunderstrike revisited - 08/04/15 10:20 PM
OS X 10.10 introduced a simple but catastrophic security hole that gives unauthenticated users sudo access without an administrator password. Needless to say, this allows all kinds of mischief.

This exploit can be leveraged across Thunderbolt connections (fortunately, not USB connections), provided an attacker can get physical access to a Mac and plug a malicious Thunderbolt device into it. With sudo access, you can take any measures, up to and including a malicious firmware update.
Posted By: joemikeb Re: thunderstrike revisited - 08/05/15 01:34 AM
Originally Posted By: tacit
OS X 10.10 introduced a simple but catastrophic security hole that gives unauthenticated users sudo access without an administrator password. Needless to say, this allows all kinds of mischief.

You are making me even more glad I am running OS X 10.11
Posted By: Virtual1 Re: thunderstrike revisited - 08/05/15 11:54 AM
Originally Posted By: tacit
OS X 10.10 introduced a simple but catastrophic security hole that gives unauthenticated users sudo access without an administrator password. Needless to say, this allows all kinds of mischief.

And this hasn't been patched with a security update?
Posted By: jchuzi Re: thunderstrike revisited - 08/05/15 02:29 PM
Apple to patch actively exploited privilege escalation bug in OS X 10.10.5 - report
Posted By: Virtual1 Re: thunderstrike revisited - 08/06/15 11:57 AM
So is Apple abandoning security updates for (current OS - 1)?
https://blog.malwarebytes.org/fraud-scam/2015/07/fake-safari-update-installs-mackeeper-zipcloud/
Posted By: Virtual1 Re: thunderstrike revisited - 08/06/15 02:50 PM
More information here:

https://blog.malwarebytes.org/mac/2015/07/privilege-escalation-vulnerability-found-in-os-x/

Quote:
Fortunately, the bug only exists in Yosemite (OS X 10.10), while previous versions of OS X and betas of El Capitan (OS X 10.11) are unaffected.

Quote:
The bigger problem in this story is the fact that this vulnerability, along with all the necessary information to exploit it, was disclosed by Esser without any effort to alert Apple to the problem. (In his blog post revealing the vulnerability, Esser says “At the moment it is unclear if Apple knows about this security problem or not.”)

Oh, what a nice guy...
Posted By: Pendragon Re: thunderstrike revisited - 08/06/15 04:28 PM
Good info, V1, thanks!

Alas, now I wonder if I should or need to remove MalwareBytes Anti-Malware. confused

Waddya think?
Posted By: dkmarsh Re: thunderstrike revisited - 08/06/15 04:44 PM
Originally Posted By: Virtual1
So is Apple abandoning security update for (current os - 1) ?

It appears that the vulnerability doesn't exist in prior OS versions.
Posted By: alternaut Re: thunderstrike revisited - 08/07/15 05:02 PM
Originally Posted By: Pendragon
... now I wonder if I should or need to remove MalwareBytes Anti-Malware. confused

Waddya think?

I may be missing something, but I fail to see the logic of removing MAM in this context. After all, MAM is only the messenger here. Shooting it isn’t going to do much for you, quite probably to the contrary. Remember, MAM is essentially a monitor, until you tell it to do something specific. So far, there is no indication that any of its actions are deleterious in and by themselves (other than to the affected malware, that is). Beyond that, just as surgery may require rehab, that may also apply to malware removal, i.e. reinstalling malware-affected software etc.
Posted By: tacit Re: thunderstrike revisited - 08/07/15 09:19 PM
The problem was partially, but not completely, fixed in 10.10.4. It is completely fixed in 10.10.5, which is now being seeded to Apple developers.
Posted By: jchuzi Re: thunderstrike revisited - 08/16/15 01:32 PM
New privilege escalation exploit discovered in OS X Yosemite, also affects just-released 10.10.5
Posted By: Virtual1 Re: thunderstrike revisited - 08/17/15 12:19 PM
wheeeee! so now they can patch the patch that patched the patch!
Posted By: jchuzi Re: thunderstrike revisited - 08/17/15 11:17 PM
Here's another: New Zero-Day memory injection vulnerability discovered in OS X Quote: "As with other exploits for OS X, this does require you download a faulty and malicious program, and then run this program."
Posted By: Virtual1 Re: thunderstrike revisited - 08/18/15 01:27 PM
Originally Posted By: jchuzi
Here's another: New Zero-Day memory injection vulnerability discovered in OS X Quote: "As with other exploits for OS X, this does require you download a faulty and malicious program, and then run this program."


Quote:
As a result, you might be better off waiting for an official fix from Apple, and in the meantime simply observe good computing practices and avoid running any program unless you know exactly where it came from and understand its purpose. By simply doing this, you will be very well protected from this and practically all other exploits for OS X, which similarly require you initially download and run some unknown program.

My my, they certainly do close with quite the broad statement there...
Posted By: jchuzi Genieo again - 09/02/15 03:17 PM
New adware scripts mouse clicks to access OS X Keychain, could lead to password theft
Posted By: Pendragon Re: Genieo again - 09/02/15 03:28 PM
I just checked MalwareBytes-Anti Malware v1.0.2.8, and it checks for Genieo. Well, at least the run routine indicates that it does.

Of course, should such be discovered, the cure/remediation is another issue...
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 10/16/17 02:47 PM
The disclosure of the KRACK WiFi vulnerability affecting WPA2 WiFi security (read: WiFi using devices) looks like a good occasion to revive this thread. Fixing this vulnerability ultimately depends on software/firmware updates, so keep an eye out for those.
Posted By: joemikeb Re: THE CYBER-SECURITY THREAD - 10/16/17 07:54 PM
The linked article also contains the following Apple update:
Quote:
Update: Apple said in a statement that all current iOS, macOS, watchOS, and tvOS betas include a fix for KRACK.
Posted By: ryck Re: THE CYBER-SECURITY THREAD - 10/17/17 12:47 AM
Originally Posted By: alternaut
Fixing this vulnerability ultimately depends on software/firmware updates, so keep an eye out for those.

Thanks for this. I not only keep up to date but also, when at home, I am tied to an ethernet feed. If I'm away and stuck with wi-fi, I simply do not access my banking; do not use any other sites involving confidential information; do not make any on-line purchases. I use wi-fi at home for my iPad but follow the same rules as when away.
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 10/17/17 01:21 AM
Originally Posted By: joemikeb
The linked article also contains the following Apple update:
Quote:
Update: Apple said in a statement that all current iOS, macOS, watchOS, and tvOS betas include a fix for KRACK.

Thanks for pointing that out; apparently the article has been updated as new info became available. That said, at this point Apple’s updates are beta stage only and not readily available for the average user: the wait is still for the final versions.
And about as important is the question whether/when Apple will make patches available for its (discontinued) WiFi routers. Of course, non-Apple routers will need to be patched as well.

Posted By: jchuzi Re: THE CYBER-SECURITY THREAD - 10/26/17 06:29 PM
Keranger: the first “in-the-wild” ransomware for Macs. But certainly not the last. Note that this post is called "sponsored", and that, near the end, there is a link to Bitdefender. Should this be taken with the proverbial grain of salt?
Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 10/26/17 11:17 PM
Originally Posted By: jchuzi
Note that this post is called "sponsored", and that, near the end, there is a link to Bitdefender. Should this be taken with the proverbial grain of salt?

It never hurts to keep that grain of salt in mind, but that being said, this threat is real and people('s computers) do get hit by it, even though the odds may be small. E.g., last week it turned out that Elmedia software updaters for its Player and Folx software were infected by the OSXProton malware after a hack of the updater server. If you recently updated Elmedia Player and/or Folx, you should definitely make sure you’re not infected. The article I linked to above was published by Malwarebytes Labs, and suggested Malwarebytes for Mac to deal with the infection. Nothing wrong with that, as long as these things are out in the open for the consumer to decide.

And since we’re on the topic of what to do about such infections, here’s yet another recent link that might come in handy: What to do when ransomware strikes your Mac.
Posted By: grelber Re: THE CYBER-SECURITY THREAD - 11/13/17 07:40 AM
Security Breach and Spilled Secrets Have Shaken the NSA to Its Core

• Leaks of the National Security Agency’s cyberweapons have damaged morale, slowed operations and resulted in hacks on businesses and civilians worldwide.

• Current and former officials say disclosures by a mysterious group that obtained NSA tools have been catastrophic, calling into question the agency’s value to national security.

Posted By: alternaut Re: THE CYBER-SECURITY THREAD - 04/28/21 02:33 PM
Earlier this week Patrick Wardle (Objective-See) published his 100th blog post All Your Macs Are Belong To Us about the serious flaw underlying the recent "macOS Gatekeeper Bypass (2021)”, which was fixed by Apple in the macOS 11.3 update. It makes for some interesting reading, to say the least.

That said, note that (the current version of) Wardle’s utility BlockBlock already provided protection against the current zeroday malware installer exploit(s). In addition to this, he is working on free books under the title The Art Of Mac Malware, which may be of interest to those of you wanting to know more about this topic.
© FineTunedMac