An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Previous Thread
Next Thread
Print Thread
Page 3 of 12 1 2 3 4 5 11 12
Re: THE CYBER-SECURITY THREAD
Hal Itosis #14655 03/10/11 01:54 PM
Joined: Sep 2009
OP Offline

Joined: Sep 2009

Re: THE CYBER-SECURITY THREAD
Hal Itosis #14666 03/11/11 02:08 AM
Joined: Sep 2009
OP Offline

Joined: Sep 2009
H-Security: Hackers versus Apple - An interview with Charlie Miller and Dino Dai Zovi (5 pages)

ZDNet: Zero Day - Safari/MacBook first to fall at Pwn2Own 2011

Last edited by Hal Itosis; 03/11/11 02:24 AM.
Re: THE CYBER-SECURITY THREAD
Hal Itosis #14678 03/11/11 01:59 PM
Joined: Aug 2009
Offline

Joined: Aug 2009
I saw that with the pwn2own contest... did you see, BOTH apple and Google are playing a little dirty here.

The contest requires the contestants to work on "fully patched" machines. There's no grace time, software updates are run just before they start.

Both apple and google released updates immediately before the contest started. It's unreasonable to believe that the entrants in the contest are sitting down, cracking their knuckles, and saying "ok lets look around for a hole". Naturally they're bringing in zero-day exploits they've been polishing for weeks or months. So there's (A) a chance that the new surprise updates will block the exploit, and more importantly (B) a very high chance that an exploit that still works will have to be tweaked due to the binary being recompiled and addresses changing.

I personally don't think that's fair to allow patches the manufacturers are deliberately withholding until a few hours before the contest to be installed. There should be a cutoff of say, one week. Testing the security of something that was "released" an hour ago is not a practical real-world scenario unless you're releasing updates every day. Systems will have an average lag time of weeks usually before available patches are applied, and the contestants should have the opportunity to try to beat a system they've had a little time to work on beforehand.

But I can see the other side of it, it would also be nice to see just how well an unprepared hacker can do against a new binary. That could be very hard to enforce though, how do you tell them they're not allowed to use priorly developed private exploits? It's probably not possible, so all you do by applying last-hour-upates is to take a random pot shot at the contestants, some of which may have worked very hard to find a major hole, one that requires many hours of tweaking to make work properly, that now has changed locations and will require hours of adjustment. (the hole is still there, the target has simply moved, it's no more secure than it was an hour ago, it's just going to eliminate them from the contest due to the added investment in time just introduced)



I work for the Department of Redundancy Department
Re: THE CYBER-SECURITY THREAD
Hal Itosis #14771 03/21/11 03:30 PM
Joined: Sep 2009
OP Offline

Joined: Sep 2009

Re: THE CYBER-SECURITY THREAD
Hal Itosis #14774 03/21/11 04:47 PM
Joined: Aug 2009
Offline

Joined: Aug 2009
My experience is the (not too steep) cost of SSL certs for HTTPS without browser nags tends to make administrators not think it's a justifiable expense. What's your experiences?

And IT'S ABOUT TIME now to see safari offer an easy immediately available checkbox for 'always trust' on web sites. That previous stupidity of having to open the cert and change trust settings scared users away from it.


I work for the Department of Redundancy Department
Re: THE CYBER-SECURITY THREAD
Virtual1 #14779 03/21/11 06:20 PM
Joined: Sep 2009
OP Offline

Joined: Sep 2009
Originally Posted By: Virtual1
What's your experiences?

I assume (since i'm not hosting anything) that the "you" there is collective [?].

[i did notice that facebook finally offers https as of a week or two ago]

Re: THE CYBER-SECURITY THREAD
Virtual1 #14832 03/25/11 01:38 AM
Joined: Sep 2009
OP Offline

Joined: Sep 2009

Last edited by Hal Itosis; 03/25/11 01:42 AM.
Re: THE CYBER-SECURITY THREAD
Hal Itosis #14845 03/25/11 11:35 PM
Joined: Aug 2009
Likes: 1
Moderator
Offline
Moderator

Joined: Aug 2009
Likes: 1
This week MacWorld is revisiting a series of articles about protecting your privacy online originally published on February 23. While not exhaustive, the series is a good summary of the issues users would do well to be aware of. Because of this I think it's worthwhile to list them here:

- Avoid identity theft
- Browse the Web safely
- Keep your data safe
- Protect your e-mail
- Secure your network
- Take control of social networking
- What happens to your data?

And while we're on the topic, here are a few other articles in similar vein:

- Digital certificate theft shines spotlight on Safari limitation
- Facebook Tip: Enable encryption to avoid privacy glitch
- Facebook Privacy: Four valuable yet hard-to-find settings
- Facebook quick tip: Three more ways to shore up security
- Holidays: how to shop safely online


alternaut moderator
Re: THE CYBER-SECURITY THREAD
Hal Itosis #15436 05/05/11 09:58 PM
Joined: Aug 2009
Likes: 3
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 3



dkmarsh—member, FineTunedMac Co-op Board of Directors
Re: THE CYBER-SECURITY THREAD
dkmarsh #19356 11/25/11 10:24 PM
Joined: Sep 2009
OP Offline

Joined: Sep 2009
crazy

Sophos - The Conficker worm, three years and counting

"At its peak, Conficker infected more than 10 million PCs."

"Flaw was patched, 4 weeks before Conficker began it assault."

"Today, an estimated 3 million computers are still infected."


Re: THE CYBER-SECURITY THREAD
Hal Itosis #19424 12/01/11 03:38 PM
Joined: Aug 2009
Likes: 1
Moderator
Offline
Moderator

Joined: Aug 2009
Likes: 1
Against the backdrop of today's WikiLeaks releases of documents about the surveillance industry, here are some links covering Android developer Trevor Eckhart's early disclosures about Carrier IQ, the name of the company providing 'embedded analytics' to the telecom industry and that of the hidden spyware rootkit found on many android, Windows and BlackBerry phones, and quite possibly iPhones too.

- Android Security Test
- Carrier IQ Part #2
- How much of your phone is yours?

Perhaps the—for the consumer—singlemost 'incendiary' capability of the Carrier IQ spyware is a full-fledged keylogger, since it's hard to see why private data content (including that transmitted over WiFi networks) is important for the improvement of phone provider 'service quality' and 'network efficiency', the official reason for Carrier IQ's contracted services and the presence of its spyware.

This latter is an important point: it's providers like Verizon Wireless, AT&T and Sprint rather than the phone manufacturers, which hire Carrier IQ and allow it to put the Carrier IQ rootkit on the phones they provide their customers with. To be clear: not all carriers do this; for instance, several European telecom companies deny participating in the CIQ program (although they may use other, comparable services).


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #19434 12/02/11 12:43 AM
Joined: Aug 2009
Offline

Joined: Aug 2009
This MSNBC story has been updated with some details from Cult of Mac about iOS 5:

AT&T, Sprint, T-Mobile use Carrier IQ, but don't collect personal info.

The story about similar issues in Germany linked at the bottom of the page is worthwhile.


MicroMat Inc
Makers of TechTool
Re: THE CYBER-SECURITY THREAD
MicroMatTech3 #19436 12/02/11 01:17 AM
Joined: Aug 2009
Likes: 1
Moderator
Offline
Moderator

Joined: Aug 2009
Likes: 1

As Lugnut, the first responder to this article said, I just don't believe the statement that the key-logger is not being used. I'm willing to believe it only when this capability has been demonstrably removed from the rootkit. And AFAIAC, that's not the only thing that needs to be changed.


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #19437 12/02/11 03:03 AM
Joined: Aug 2009
Offline

Joined: Aug 2009
I agree that this topic should be subjected to the empirical method.


MicroMat Inc
Makers of TechTool
Re: THE CYBER-SECURITY THREAD
alternaut #19453 12/02/11 06:14 PM
Joined: Aug 2009
Likes: 1
Moderator
Offline
Moderator

Joined: Aug 2009
Likes: 1
Some further developments on the Carrier IQ front:

- Apple ended Carrier IQ support with iOS 5
- Carrier IQ, mobile providers grilled over spyware charges
- Which companies are on the Carrier IQ bandwagon?

The implications of the second article are quite interesting. If the phone manufacturers didn't put CIQ on their phones*, and carriers like Verizon, RIM, and Nokia Europe claim they didn't either, how did it get on there in the cases where it was found? At least it's easy to determine if CIQ is installed on your android phone with Eckhart's Logging Test App v7. Removal is possible with the Pro version of this app; alternatives can be more involved, but all methods require the device to be rooted.

*) So far, HTC is the only manufacturer to admit installing the CIQ rootkit on its phones because US carriers require it. It'd be interesting to see if HTC phones supported by non-US carriers claiming not to participate in the CIQ program also contain the rootkit. As far as known, however, at least Dutch android phones do not seem to carry the CIQ spyware. In contrast, Vodaphone Portugal stated they did use CIQ, as did Sprint and ATT in the US. That said, and as alluded to above, several of the carriers denying the use of CIQ are known to use Deep Packet Inspection.

Last edited by alternaut; 12/03/11 12:37 AM. Reason: Added Carrier IQ bandwagon link

alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #20249 01/23/12 07:30 PM
Joined: Sep 2009
OP Offline

Joined: Sep 2009
Things that make you go hmmmmmm:


Re: THE CYBER-SECURITY THREAD
alternaut #20718 02/19/12 03:55 AM
Joined: Sep 2009
OP Offline

Joined: Sep 2009

[admins: i'm not sure onto which thread to tag this]


A couple of really interesting articles...
§

Re: THE CYBER-SECURITY THREAD
alternaut #20802 02/23/12 02:36 AM
Joined: Sep 2009
OP Offline

Joined: Sep 2009
confused
  i guess this only applies to people who already have "google accounts" (presumably gmail, Google+, etc.):

>> How to Remove Your Google Search History Before Google's New Privacy Policy Takes Effect <<

^ Whatever the case may be... the (March 1st) deadline is fast approaching.

Last edited by Hal Itosis; 02/23/12 02:36 AM.
Re: THE CYBER-SECURITY THREAD
Hal Itosis #20806 02/23/12 10:17 AM
Joined: Aug 2009
Likes: 7
Online

Joined: Aug 2009
Likes: 7
Thanks for the link, Hal. I removed Google Search History but haven't (yet) cancelled my account. I may very well do just that.


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: THE CYBER-SECURITY THREAD
Hal Itosis #20807 02/23/12 11:10 AM
Joined: Aug 2009
Offline

Joined: Aug 2009
And my thanks too. 'Tis greatly appreciated.


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
jchuzi #20814 02/23/12 10:37 PM
Joined: Sep 2009
OP Offline

Joined: Sep 2009
Did i guess right?... that only users with some sort of preexisting "google-dom" account need take any action?

Or would it somehow behoove others (e.g., me) in some way, to create a new account now, and follow that procedure?

[i realize that question sounds absurd... but i just want to be certain. smile ]

Re: THE CYBER-SECURITY THREAD
Hal Itosis #20815 02/23/12 11:17 PM
Joined: Aug 2009
Likes: 14
Offline

Joined: Aug 2009
Likes: 14
Originally Posted By: Hal Itosis
[i realize that question sounds absurd... but i just want to be certain. smile ]

Maybe it's not too far-fetched. I only bothered to look because I long ago had to open a gmail account in order to use Google Analytics (to track usage on my daughter's page).

I have never, ever used the gmail account but I followed the process anyway....more out of curiosity than anything else. What I found was an up-to-date list of the places I visit when on the web...nothing at all related to mail.

Have never used the email account, have never used their browser, and yet..... Hmmmm.


ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: THE CYBER-SECURITY THREAD
ryck #20816 02/24/12 12:16 AM
Joined: Sep 2009
OP Offline

Joined: Sep 2009
Originally Posted By: ryck
Maybe it's not too far-fetched. I only bothered to look because I long ago had to open a gmail account in order to use Google Analytics (to track usage on my daughter's page).

I have never, ever used the gmail account but I followed the process anyway....more out of curiosity than anything else. What I found was an up-to-date list of the places I visit when on the web...nothing at all related to mail.

Have never used the email account, have never used their browser, and yet..... Hmmmm.

shocked

Well that's why google is "worth" billions, that's what they do (though i'd be curious how they tied all that activity back to "you" -- i guess cookie processing is all it takes).

But still... for someone with no previous account... if i go create one now, will there be some old history file (of my various browsers' movements over the years) that they'll then attach to my newly created 'official' account? That would be even freakier. [not sure i want to create an account there just to find out... but it's probably the only way.]

Not worried, just wonderin'.

Re: THE CYBER-SECURITY THREAD
Hal Itosis #20818 02/24/12 01:37 AM
Joined: Aug 2009
Likes: 15
Online

Joined: Aug 2009
Likes: 15
> [not sure i want to create an account there just to find out... but it's probably the only way.]

I'm in the same situation as you, so please post your findings if you do create an account.

(I delete all my Google cookies other than prefs periodically, which seems like it ought to be at least somewhat limiting, at the least.)

Thanks.

Edit: Y'know, I just remembered having received an e-mail (about this very subject) from Google a few days back, and it's now occurred to me to question how they got my Verizon e-mail address; I've got no record or recollection of ever having opened any sort of account with Google...GMail or other.

Anybody got a clue?

Edit 2: Just to convince myself, I entered the address to which the Google e-mail had been sent in their log-in pane, and I found that it was associated with an account, set up a new password, logged in to my account, and found that "History" had been turned off.

Oops! blush I maintain an encrypted disk image (10Mb...I've never been able to get a sparse image to work.) just to store the 8Kb record of my log-in IDs and passwords, and I now remember having created a Google account the day I found out that "History" could be turned off, months ago, but for the life of me, I can't imagine why I didn't leave myself a record of that account. (I now wonder how many other forgotten accounts I've got?)

Last edited by artie505; 02/24/12 09:37 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
ryck #20819 02/24/12 09:18 AM
Joined: Aug 2009
Likes: 1
Offline

Joined: Aug 2009
Likes: 1
If you create a Gmail account, log into it, and then use Google, Google will track everything you do and associate it with your Gmail account. Even if oyu log out of Gmail but leave the cookie in place, Google may still track your activity and associate it with your Gmail account.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Page 3 of 12 1 2 3 4 5 11 12

Moderated by  alternaut, cyn 

Link Copied to Clipboard
Powered by UBB.threads™ PHP Forum Software 7.7.4
(Release build 20200307)
Responsive Width:

PHP: 7.4.33 Page Time: 0.056s Queries: 65 (0.041s) Memory: 0.7239 MB (Peak: 0.9066 MB) Data Comp: Zlib Server Time: 2024-03-28 21:23:07 UTC
Valid HTML 5 and Valid CSS