
Time was, everyone would pick on Microsoft for its poor security. Redmond took note of this, and did some hard work to improve security in both Windows and its applications – especially Internet Explorer and Outlook – and now security experts are finding that Microsoft is doing quite well, security-wise. The new one to point fingers at is Adobe, because of problems with its ubiquitous Acrobat and Flash software.
In an InfoWorld article, co-founder and CTO of eEye Digital Security, Marc Maiffret, formerly a staunch critic of Microsoft, now praises the company for its efforts, saying, “Microsoft is getting a lot of things right. They’re not perfect, but their approach to secure code has really come along.” However, when it comes to Adobe, he’s not so positive. “Adobe is still in their infancy in terms of having a solid security process in place,” he says, adding that when security issues arise, “the first thing they do is deny, passing it off as a marketing problem.”
But he also discusses Apple:
Most people in the Apple world have a false sense of security and an elitism. I took some heat recently for saying Apple was way behind Microsoft on security. Look who they just hired for security — Window Snyder, who played a lead role in helping Microsoft turn around their security. That shows the company starting to move past the denial part. It’ll be interesting to see where they go from here.
In the end, this just proves that nothing stays the same forever. Microsoft’s efforts are paying off, and, in part because of this, malware writers are focusing on other vectors, such as Adobe software. As for Apple, well, time will tell.
An article in InfoWorld looks at the recent security vulnerabilities in web browsers that required security updates. While Safari’s recent security update fixed some bugs, and other browsers have issued patches recently as well, it’s important to highlight that the browser is one of the main vectors of attack these days, far more so than viruses, Trojan horses or other forms of malware. One advantage of browser-based – or “drive-by” – attacks is that they exploit vulnerabilities that don’t require user intervention. All a user has to do is load a web page – or have a part of a page load on a hacked web site – to expose themselves to risks. If exploits are there behind the scenes, malicious hackers can do a great deal of damage, going as far as installing software or controlling computers.
This is why Intego combined its malware and network protection features in a single application with the latest version of its VirusBarrier X6 program. Neither tool is sufficient any more to protect users from the dangers of the Internet. With advanced web-threat protection in VirusBarrier X6, users are protected from malicious web pages and the types of exploits they can run.
No matter what, you should always make sure your browser is up-to-date, to ensure that any known security vulnerabilities are fixed.

Facebook has recently changed its privacy settings, allowing a number of websites of Facebook’s choice to access your personal information. And, as has often been the case with Facebook, this is an opt-out change; in other words, the change has been made, and you have not been informed, and to go back, you must make changes to your privacy settings.
A Cnet article looks at this issue and explains how to turn off this new feature. This feature, called Instant Personalization, “shares all your publicly available information (name, profile picture, gender, and “Connections,” another new way for you to publicize all the things you’re interested in) with, right now, three partner sites: Yelp, Pandora, and Docs.com.” But it’s clear that, in the future, this information will be shared with other websites. Because, as author Molly Wood says, “I hold few illusions that Facebook’s business strategy has ever been about anything other than building up a huge user base and then selling ads to those users.”
Google went through a similar problem with its Buzz service, turning on features without even informing users. Facebook has done this in the past as well, usually backing down, then coming back more stealthily to make changes. So if you’re a Facebook user, check out the article linked above to find out how to ensure that your personal information remains personal.
We’ve discovered a new type of phishing e-mail purporting to be from Amazon.com. Unlike previous phishing e-mails which tell the receivers that they need to log into their accounts, this e-mail merely shows products for sale. If the user receiving the e-mail is interested in one of these products, or if they simply click through to Amazon via one of the links in the e-mail, they’ll end up on a phishing site. The e-mail contains a selection of products, none of which stand out especially as being high-sales items (such as iPods, mobile phones, computers, etc.).

We weren’t able to see exactly what happens when one clicks on a link in this e-mail, because by the time we got it the site was already down. It’s likely, however, that you’d be prompted to enter your user name and password before going any further.
But the e-mail is very well-crafted, and should a user be interested by one of the products, they would certainly be tempted to click on a link. Since it’s not your usual phishing e-mail which immediately says you need to reactivate your account, it will draw less suspicion.
It looks like you’ll have to be more careful when clicking links on Amazon e-mails – or any e-mail for that matter. You can always see where the link is going by hovering your cursor over a link for a few seconds to see the link’s URL in a tooltip. And you can also check in your browser’s address bar to make sure that the URL is what you think it is.
Pundits are always ready to discuss whether the latest gadget is “ready for the enterprise,” and an article published by InfoWorld shortly after the release of the iPad said that “some analysts say the iPad deserves an “F” for security readiness.”
But another article published by InfoWorld suggests that the conclusions of the first are just a sign of double standards, hypocrisy, and “Neanderthal IT.” Author Galen Gruman discusses a “flawed premise” that many “analysts” take for granted, “that mobile devices must meet military-grade security needs or, at least, financial-services-grade security needs.” He points out that laptops don’t meet these standards, and says that “the issue is not security but resistance to change — a reluctance to accept new technologies that are user-oriented.”
The points made in this article are valid, and IT managers should first assess the real needs of their companies before rejecting devices. In most cases, the businesses they run don’t have needs that require iron-clad security, or, at a minimum, devices such as the iPad won’t be used with data that needs to be secure. If employees want to use the iPad for surfing the web, browsing PDFs or checking for non-confidential e-mail, there’s no reason to reject it, just as there’s no reason to reject Android phones or netbooks. It all depends on what the employees are planning to do with the devices.
Malware: OSX/HellRTS.D
Discovered: April 14, 2010
Risk: Low
Description: Intego has discovered a new variant of a malware for Mac, called HellRTS, which, when installed on computers running Mac OS X, opens a backdoor that allows remote users to take control of infected Macs and perform actions on them. Intego identifies this backdoor as OSX/HellRTS.D, a variant of an early Mac OS X malware first spotted in 2004.

HellRTS is built in RealBasic and is a Universal Binary, able to run on both PowerPC- and Intel-based Macs; once installed on a Mac, it can perform a number of operations. It sets up its own server and configures a server port and password. It duplicates itself, using the names of different applications, adding the new version to a user’s login items, to ensure that it starts up at login. (These different names can make it hard to detect, not only in login items, but also in Activity Monitor.) It can send e-mail with its own mail server, contact a remote server, and provide direct access to an infected Mac. It can also perform a number of operations such as providing remote screen-sharing access, shutting down or restarting a Mac, accessing an infected Mac’s clipboard, and much more.
This backdoor requires installation on a Mac, which could be carried out via a Trojan horse, or by exploiting a vulnerability in a program that accesses the Internet (such as a web browser). While Intego has not found any instances of Macs being infected by this in the wild, the fact that this malware is being distributed on a number of forums shows that it will be accessible to a large number of malicious users who may attempt to use it to attack Macs.
Means of protection: Intego VirusBarrier X5 and X6 detect and eradicate this malware, which they identify as OSX/HellRTS.D, with threat filters dated April 15, 2010 or later.