Security researchers at Corsaire have published a white paper about securing Mac OS X 10.5, Leopard. The document discusses user account management, general security settings for Mac OS X, logging and auditing, and using Common Criteria tools. While the document does not go into much depth, it does discuss the main security features that are inherent in Mac OS X.
Computerworld reports that hundreds of MobileMe users have been taken in by a sleek phishing scam. Purporting to be from Apple, e-mail messages took advantage of the recent change from .Mac to MobileMe, telling users that they needed to update credit card information. Some 100-200 users were snagged in a single day, giving away credit card numbers, addresses, birth dates, passwords and more.
We reported this on August 12, when the first phishing e-mails were spotted in the wild, but the Computerworld article is a gauge of the success of this “campaign” in just a few days.
Remember that Apple will never send you a message asking you to log in to your account in this manner, and if you have any doubts, you should always log in directly to your account (in this case, by typing www.mobileme.com in your browser).
Microsoft has released updates for its Office suite for Mac, with an update for Office 2004 and another for Office 2008. Both updates contain bug fixes, and include “fixes for vulnerabilities that an attacker can use to overwrite the contents of a computer’s memory by using malicious code.”
However, it turns out that users who have installed Apple’s 2008-005 security update (released on July 31) may be having problems updating Office 2008. It seems that this security update “blocks an AppleScript from displaying a dialog to quit all running Microsoft applications in the current Microsoft Office 2008 updaters.” This post on the Entourage Help Blog explains the problem and the workaround: quit all Office applications before running the updater.

Apple has, apparently, included a system in the iPhone that allows for applications to be remotely shut down. The iPhone’s operating system contains a URL for a page that, it seems, may contain a list of blacklisted applications. For now, there’s only a dummy entry on the page, but it’s possible that Apple will add applications to the list if any iPhone applications are found to be malicious.
This is an interesting concept: letting the manufacturer of a device decide which applications you can use. If the applications are, indeed, malicious, this is probably a Good Thing, but what if Apple decides, for some reason, to blacklist applications that it may think are evil but you want to use? Just like the way Apple is removing applications from the App Store without even informing the developers… Some see this as a reason to jailbreak your iPhone, so you can have full control of what you install.
On August 4, we reported on a security researcher who canceled a talk at the Black Hat security conference, regarding Apple’s FileVault, saying “he signed confidentiality agreements with Apple, which prevents him from speaking on the topic and from discussing the matter further.” Charles Edge, the researcher in question, apparently had never had any such talk scheduled. Black Hat officials told CNet that Edge had never submitted a paper for the conference, and that there was to be no talk. Curiouser and curiouser…
As for the other Black Hat talk, the one that was to be presented by Apple employees, that was indeed scheduled and canceled. It is still listed in the conference program, as it was canceled too late for removal.

Consumer Reports’ State of the Net survey shows that a large number of Americans get taken in by phishing and spyware, and 1 in 7 users suffer some sort of malware attack. The total cost to users is over $8.5 billion. But the article especially targets the Safari browser on Mac OS X: “According to this year’s State of the Net survey, Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple’s Safari, has no phishing protection. We think it should.” Consider using the latest version of Firefox, which has built-in anti-phishing protection.
Phishing is a serious problem, and Intego Personal Antispam helps protect you from phishing by sorting dangerous e-mails into your Spam folder. You should never click a link in an unsolicited e-mail and then enter any personal information. If you must go to a website specified in an unexpected e-mail, type its address manually. You can never be too sure.
Consumer Reports discusses seven online blunders that people make, which can cost them money. Have a read through these for tips on keeping your online activities more secure.