An open community 
of Macintosh users,
for Macintosh users.


Page 3 of 12
#14655 - 03/10/11 05:54 AM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)

#14666 - 03/10/11 06:08 PM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
H-Security: Hackers versus Apple - An interview with Charlie Miller and Dino Dai Zovi (5 pages)

ZDNet: Zero Day - Safari/MacBook first to fall at Pwn2Own 2011


Edited by Hal Itosis (03/10/11 06:24 PM)

#14678 - 03/11/11 05:59 AM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
I saw that with the Pwn2Own contest... did you see, BOTH Apple and Google are playing a little dirty here.

The contest requires the contestants to work on "fully patched" machines. There's no grace time, software updates are run just before they start.

Both Apple and Google released updates immediately before the contest started. It's unreasonable to believe that the entrants in the contest are sitting down, cracking their knuckles, and saying "ok, let's look around for a hole". Naturally they're bringing in zero-day exploits they've been polishing for weeks or months. So there's (A) a chance that the new surprise updates will block the exploit, and more importantly (B) a very high chance that an exploit that still works will have to be tweaked due to the binary being recompiled and addresses changing.

I personally don't think that's fair to allow patches the manufacturers are deliberately withholding until a few hours before the contest to be installed. There should be a cutoff of say, one week. Testing the security of something that was "released" an hour ago is not a practical real-world scenario unless you're releasing updates every day. Systems will have an average lag time of weeks usually before available patches are applied, and the contestants should have the opportunity to try to beat a system they've had a little time to work on beforehand.

But I can see the other side of it: it would also be nice to see just how well an unprepared hacker can do against a new binary. That could be very hard to enforce though: how do you tell them they're not allowed to use previously developed private exploits? It's probably not possible, so all you do by applying last-hour updates is to take a random pot shot at the contestants, some of whom may have worked very hard to find a major hole, one that requires many hours of tweaking to make work properly, that now has changed locations and will require hours of adjustment. (The hole is still there, the target has simply moved; it's no more secure than it was an hour ago, it's just going to eliminate them from the contest due to the added investment in time just introduced.)

_________________________
I work for the Department of Redundancy Department

#14771 - 03/21/11 08:30 AM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)

#14774 - 03/21/11 09:47 AM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
My experience is the (not too steep) cost of SSL certs for HTTPS without browser nags tends to make administrators not think it's a justifiable expense. What are your experiences?

And IT'S ABOUT TIME now to see Safari offer an easy, immediately available checkbox for 'always trust' on web sites. That previous stupidity of having to open the cert and change trust settings scared users away from it.
_________________________
I work for the Department of Redundancy Department

#14779 - 03/21/11 11:20 AM Re: THE CYBER-SECURITY THREAD [Re: Virtual1]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Originally Posted By: Virtual1
What are your experiences?

I assume (since i'm not hosting anything) that the "you" there is collective [?].

[i did notice that facebook finally offers https as of a week or two ago]

#14832 - 03/24/11 06:38 PM Re: THE CYBER-SECURITY THREAD [Re: Virtual1]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)


Edited by Hal Itosis (03/24/11 06:42 PM)

#14845 - 03/25/11 04:35 PM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
alternaut Offline

Moderator

Registered: 08/04/09
This week MacWorld is revisiting a series of articles about protecting your privacy online originally published on February 23. While not exhaustive, the series is a good summary of the issues users would do well to be aware of. Because of this I think it's worthwhile to list them here:

- Avoid identity theft
- Browse the Web safely
- Keep your data safe
- Protect your e-mail
- Secure your network
- Take control of social networking
- What happens to your data?

And while we're on the topic, here are a few other articles in similar vein:

- Digital certificate theft shines spotlight on Safari limitation
- Facebook Tip: Enable encryption to avoid privacy glitch
- Facebook Privacy: Four valuable yet hard-to-find settings
- Facebook quick tip: Three more ways to shore up security
- Holidays: how to shop safely online
_________________________
alternaut moderator

#15436 - 05/05/11 02:58 PM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
dkmarsh Offline
Moderator

Registered: 08/04/09
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

#19356 - 11/25/11 02:24 PM Re: THE CYBER-SECURITY THREAD [Re: dkmarsh]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)

Sophos - The Conficker worm, three years and counting

"At its peak, Conficker infected more than 10 million PCs."

"Flaw was patched, 4 weeks before Conficker began its assault."

"Today, an estimated 3 million computers are still infected."


#19424 - 12/01/11 07:38 AM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
alternaut Offline

Moderator

Registered: 08/04/09
Against the backdrop of today's WikiLeaks releases of documents about the surveillance industry, here are some links covering Android developer Trevor Eckhart's early disclosures about Carrier IQ, the name of the company providing 'embedded analytics' to the telecom industry and that of the hidden spyware rootkit found on many Android, Windows and BlackBerry phones, and quite possibly iPhones too.

- Android Security Test
- Carrier IQ Part #2
- How much of your phone is yours?

Perhaps the—for the consumer—single most 'incendiary' capability of the Carrier IQ spyware is a full-fledged keylogger, since it's hard to see why private data content (including that transmitted over WiFi networks) is important for the improvement of phone provider 'service quality' and 'network efficiency', the official reason for Carrier IQ's contracted services and the presence of its spyware.

This latter is an important point: it's providers like Verizon Wireless, AT&T and Sprint rather than the phone manufacturers, which hire Carrier IQ and allow it to put the Carrier IQ rootkit on the phones they provide their customers with. To be clear: not all carriers do this; for instance, several European telecom companies deny participating in the CIQ program (although they may use other, comparable services).
_________________________
alternaut moderator

#19434 - 12/01/11 04:43 PM Re: THE CYBER-SECURITY THREAD [Re: alternaut]
MicroMatTech3 Offline


Registered: 08/04/09
This MSNBC story has been updated with some details from Cult of Mac about iOS 5:

AT&T, Sprint, T-Mobile use Carrier IQ, but don't collect personal info.

The story about similar issues in Germany linked at the bottom of the page is worthwhile.
_________________________
MicroMat Inc
Makers of TechTool

#19436 - 12/01/11 05:17 PM Re: THE CYBER-SECURITY THREAD [Re: MicroMatTech3]
alternaut Offline

Moderator

Registered: 08/04/09

As Lugnut, the first responder to this article said, I just don't believe the statement that the key-logger is not being used. I'm willing to believe it only when this capability has been demonstrably removed from the rootkit. And AFAIAC, that's not the only thing that needs to be changed.
_________________________
alternaut moderator

#19437 - 12/01/11 07:03 PM Re: THE CYBER-SECURITY THREAD [Re: alternaut]
MicroMatTech3 Offline


Registered: 08/04/09
I agree that this topic should be subjected to the empirical method.
_________________________
MicroMat Inc
Makers of TechTool

#19453 - 12/02/11 10:14 AM Re: THE CYBER-SECURITY THREAD [Re: alternaut]
alternaut Offline

Moderator

Registered: 08/04/09
Some further developments on the Carrier IQ front:

- Apple ended Carrier IQ support with iOS 5
- Carrier IQ, mobile providers grilled over spyware charges
- Which companies are on the Carrier IQ bandwagon?

The implications of the second article are quite interesting. If the phone manufacturers didn't put CIQ on their phones*, and carriers like Verizon, RIM, and Nokia Europe claim they didn't either, how did it get on there in the cases where it was found? At least it's easy to determine if CIQ is installed on your Android phone with Eckhart's Logging Test App v7. Removal is possible with the Pro version of this app; alternatives can be more involved, but all methods require the device to be rooted.

*) So far, HTC is the only manufacturer to admit installing the CIQ rootkit on its phones because US carriers require it. It'd be interesting to see if HTC phones supported by non-US carriers claiming not to participate in the CIQ program also contain the rootkit. As far as is known, however, at least Dutch Android phones do not seem to carry the CIQ spyware. In contrast, Vodafone Portugal stated they did use CIQ, as did Sprint and AT&T in the US. That said, and as alluded to above, several of the carriers denying the use of CIQ are known to use Deep Packet Inspection.


Edited by alternaut (12/02/11 04:37 PM)
Edit Reason: Added Carrier IQ bandwagon link
_________________________
alternaut moderator

#20249 - 01/23/12 11:30 AM Re: THE CYBER-SECURITY THREAD [Re: alternaut]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Things that make you go hmmmmmm:


#20718 - 02/18/12 07:55 PM Re: THE CYBER-SECURITY THREAD [Re: alternaut]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)

[admins: i'm not sure onto which thread to tag this]


A couple of really interesting articles...

#20802 - 02/22/12 06:36 PM Re: THE CYBER-SECURITY THREAD [Re: alternaut]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
i guess this only applies to people who already have "google accounts" (presumably gmail, Google+, etc.):

>> How to Remove Your Google Search History Before Google's New Privacy Policy Takes Effect <<

^ Whatever the case may be... the (March 1st) deadline is fast approaching.


Edited by Hal Itosis (02/22/12 06:36 PM)

#20806 - 02/23/12 02:17 AM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
jchuzi Online


Registered: 08/04/09
Loc: New York State
Thanks for the link, Hal. I removed Google Search History but haven't (yet) cancelled my account. I may very well do just that.
_________________________
Jon

OS 10.14.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#20807 - 02/23/12 03:10 AM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
And my thanks too. 'Tis greatly appreciated.
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#20814 - 02/23/12 02:37 PM Re: THE CYBER-SECURITY THREAD [Re: jchuzi]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Did i guess right?... that only users with some sort of preexisting "google-dom" account need take any action?

Or would it somehow behoove others (e.g., me) in some way, to create a new account now, and follow that procedure?

[i realize that question sounds absurd... but i just want to be certain.]

#20815 - 02/23/12 03:17 PM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Hal Itosis
[i realize that question sounds absurd... but i just want to be certain.]

Maybe it's not too far-fetched. I only bothered to look because I long ago had to open a gmail account in order to use Google Analytics (to track usage on my daughter's page).

I have never, ever used the gmail account but I followed the process anyway....more out of curiosity than anything else. What I found was an up-to-date list of the places I visit when on the web...nothing at all related to mail.

Have never used the email account, have never used their browser, and yet..... Hmmmm.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Carbon Copy Clone on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#20816 - 02/23/12 04:16 PM Re: THE CYBER-SECURITY THREAD [Re: ryck]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Originally Posted By: ryck
Maybe it's not too far-fetched. I only bothered to look because I long ago had to open a gmail account in order to use Google Analytics (to track usage on my daughter's page).

I have never, ever used the gmail account but I followed the process anyway....more out of curiosity than anything else. What I found was an up-to-date list of the places I visit when on the web...nothing at all related to mail.

Have never used the email account, have never used their browser, and yet..... Hmmmm.


Well that's why google is "worth" billions, that's what they do (though i'd be curious how they tied all that activity back to "you" -- i guess cookie processing is all it takes).

But still... for someone with no previous account... if i go create one now, will there be some old history file (of my various browsers' movements over the years) that they'll then attach to my newly created 'official' account? That would be even freakier. [not sure i want to create an account there just to find out... but it's probably the only way.]

Not worried, just wonderin'.

#20818 - 02/23/12 05:37 PM Re: THE CYBER-SECURITY THREAD [Re: Hal Itosis]
artie505 Online


Registered: 08/04/09
> [not sure i want to create an account there just to find out... but it's probably the only way.]

I'm in the same situation as you, so please post your findings if you do create an account.

(I delete all my Google cookies other than prefs periodically, which seems like it ought to be at least somewhat limiting, at the least.)

Thanks.

Edit: Y'know, I just remembered having received an e-mail (about this very subject) from Google a few days back, and it's now occurred to me to question how they got my Verizon e-mail address; I've got no record or recollection of ever having opened any sort of account with Google...GMail or other.

Anybody got a clue?

Edit 2: Just to convince myself, I entered the address to which the Google e-mail had been sent in their log-in pane, and I found that it was associated with an account, set up a new password, logged in to my account, and found that "History" had been turned off.

Oops! I maintain an encrypted disk image (10Mb... I've never been able to get a sparse image to work) just to store the 8Kb record of my log-in IDs and passwords, and I now remember having created a Google account the day I found out that "History" could be turned off, months ago, but for the life of me, I can't imagine why I didn't leave myself a record of that account. (I now wonder how many other forgotten accounts I've got?)


Edited by artie505 (02/24/12 01:37 AM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#20819 - 02/24/12 01:18 AM Re: THE CYBER-SECURITY THREAD [Re: ryck]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
If you create a Gmail account, log into it, and then use Google, Google will track everything you do and associate it with your Gmail account. Even if you log out of Gmail but leave the cookie in place, Google may still track your activity and associate it with your Gmail account.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html


Moderator: alternaut, cyn