Website Certification Fraught with Difficulties

An article on The Register discusses a security vendor’s certification of “hacker-free” web sites, and how certified sites are not totally safe. The problem with such certification is that, even with daily checks of sites, it’s very hard to guarantee that any web site remains safe. In this case, the security vendor in question is understating the danger of cross-site scripting attacks (vulnerabilities that can occur when web applications allow malicious code to be injected into web pages). (To learn about cross-site scripting, see this Wikipedia page.)

The real problem lies less with such certification than with the fact that web sites can never be certified 100%. The web is too fluid, and vulnerabilities can arise and be exploited very quickly. For this reason, you cannot trust this kind of certification, and must always have client-side protection (i.e., protection on your computer) and keep your Mac up to date with the latest security updates. Also, make sure you have software such as VirusBarrier and NetBarrier, to protect you from malware and security risks.

Posted by Peter on April 30th, 2008 in Intego Software, Security

Hackers’ Contest to Create Even More Malware

The annual Defcon hackers’ conference this August is featuring a strange competition. Called Race to Zero, it is described as follows:

The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first team or individual to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses.

At first glance, this may seem like a good idea: to try to find weaknesses in antivirus software, in order to spur vendors to detect more malware. But on closer inspection, it turns out to be a very dangerous game indeed.

Security companies have a hard time stopping the proliferation of malware, and researchers attempting to make this even harder can only harm the broader community. In this contest, a large number of hackers will create dozens, even hundreds of variants of existing malware, which will then easily go into circulation. If their hacks are successful, this provides fodder to malware writers to help them tweak their code to further block detection. While the hackers in the contest may have good intentions, the result of their game is likely to lead to an increase of malware.

In addition, one of the contest’s rules shows just how dangerous this game is:

6. Techniques used to perform mutations will not be submitted to antivirus vendors without contestants approval but may be used during our post-contest round-up presentation

What this means is that any contestant can take his technique home, or share it, furthering the spread of dangerous malware. If, on the other hand, the contest stipulated that all techniques would be shared with antivirus companies, at least those responsible for ensuring end-user security could be aware of them and improve their detection. This sort of conference is generally non-malicious, and hacks are usually found and shared for the good of the greater community. But this strange rule suggests that what has long been the attitude of the white-hatted hacker may be changing.

“We are especially worried that contestants or other participants will use this contest to develop techniques that may release new versions of very dangerous malware,” said Laurent Marteau, CEO of Intego. “Encouraging hackers to spend their time writing more dangerous malware is not part of the hacker ethic; it is likely to lead to dangerous results for all computer users around the world.”

Posted by Peter on April 28th, 2008 in Security

Copyrighting Malware

The Register has an article today about virus writers adding copyright notices to their malware. These are professional virus writers, and the copyright notice, the article says, “is designed to prevent the malware from being freely distributed after its initial purchase.” Apparently, this is a problem that is hurting the revenue stream of your friendly-neighborhood malware programmer.

It makes you wonder how they can enforce this, of course. But there’s a way. One of the licenses says, “In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.”

There’s no better threat than that: send the code to security companies so it will be blocked much quicker than when it’s discovered in the wild. There’s no honor among thieves…

Posted by Peter on April 28th, 2008 in Security

Laptop Magazine Loves Internet Security Barrier

In a review of several Mac OS X security products, Laptop Magazine picked its favorite: Internet Security Barrier. As they say in the review, “Hands down, the most comprehensive security suite for Macs is Intego’s Internet Security Barrier X5.” The only negative point they found was “No Windows protection”, but that’s because they must have missed Intego’s Internet Security Barrier Dual Protection suite. So it’s not only the “most comprehensive security suite for Macs”, as the review says, but the DP version’s Windows protection gives the same protection for both platforms.

Posted by Peter on April 28th, 2008 in Intego Software, Security

URL Spoofing Flaw Affects Safari

Secunia has issued an advisory about a URL spoofing flaw they have discovered in Safari, both for Mac OS X and for Windows. As they say, “The problem is that it is possible to hide the actual location of a page in the address bar via a specially crafted URL containing a number of certain special characters in the “user” field before the “@” character.” What this means is that you may go to a web site, via a link, and not be on the correct site; the address may look correct, but may not be, leading you into a phishing net.

The only precaution you can take for now, until Apple fixes this, is to avoid browsing on untrusted websites. Even if you visit a website that has a link to, say, PayPal or to your bank, don’t click that link (unless you trust the originating site), but rather type the URL or use your own bookmark.
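A link checker for the "user" field issue described in this post, as an added example (not code from Intego or Secunia): it flags http(s) links that carry anything before the "@" and reports the host the browser will actually contact. The `.example` domains and sample links are constructed, the function names are hypothetical, and the checks are generic rather than a reproduction of the character sequence in the advisory.

```javascript
// Added example (not from the original post). All URLs are constructed samples.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

// Inspect one link: report the host the browser will really contact and
// whether the "user" field before "@" could be masking it.
function inspectLink(href, base) {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return { href, ok: false, realHost: null, display: null, reasons: ['unparseable URL'] };
  }
  const reasons = [];
  const isWeb = url.protocol === 'http:' || url.protocol === 'https:';
  if (isWeb && (url.username !== '' || url.password !== '')) {
    reasons.push('userinfo present before "@"');
    let user = url.username;
    try { user = decodeURIComponent(user); } catch { /* keep the raw value */ }
    // The leading run of hostname characters is what a reader sees first.
    const lead = user.split(/[^a-z0-9.-]/i)[0];
    if (HOSTLIKE.test(lead)) reasons.push(`user field looks like host "${lead}"`);
    if (/%[0-9a-f]{2}/i.test(url.username)) {
      reasons.push('user field contains percent-encoded characters');
    }
    // Strip credentials so the displayed form shows only the real destination.
    url.username = '';
    url.password = '';
  }
  return { href, ok: reasons.length === 0, realHost: url.hostname, display: url.href, reasons };
}

// Return only the links that need a second look.
function auditLinks(hrefs, base) {
  return hrefs.map((h) => inspectLink(h, base)).filter((r) => !r.ok);
}

const BASE = 'https://www.bank.example/';            // page the links were found on
const SAMPLE_LINKS = [
  '/help',                                           // ordinary relative link
  'mailto:user@bank.example',                        // "@" here is not URL userinfo
  'https://www.bank.example@other.example/login',    // decoy host in the user field
  'https://www.bank.example%20%20@other.example/',   // decoy plus encoded padding
];

for (const r of auditLinks(SAMPLE_LINKS, BASE)) {
  console.log(`${r.href}\n  really goes to: ${r.realHost}\n  ${r.reasons.join('; ')}`);
}
```
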

Posted by Peter on April 25th, 2008 in Apple, Security

How Secure is your Mac OS X User Account?

When you work on your Mac, you think you are protected by your user account’s password. Well, savvy users know this is not the case; it’s easy to boot any Mac from a Mac OS X installation DVD and reset the password of any account. But not everyone worries about hackers carrying around Mac OS X discs with them.

That’s not the only way to reset a password, though. A hint was published on the Mac OS X Hints web site explaining how to do this without an installation disc, simply by booting into “safe mode” and issuing a few commands. This means that any hacker can access all the files on your Mac, regardless of your password.

We at Intego have long been aware of this kind of problem. We know that Apple’s password protection is not very secure, and, while you can apply an Open Firmware password, there are other ways to protect your sensitive documents. Intego created FileGuard for just this reason. With FileGuard, you can create virtual safes that provide unbreakable protection for all your sensitive files. The passwords you use with FileGuard’s safes cannot be reset by a hack or trick; only you can open the safes you create. And with 256-bit encryption, even the NSA can’t get at your files.

If you have sensitive files on your Mac, don’t entrust them to Apple’s password protection; you really need serious security that will prevent anyone from accessing your files. Use Intego FileGuard for those files that merit such protection.

Posted by Peter on April 24th, 2008 in Apple, Intego Software, Security

Copyright © 2007-2008 Intego