Genebook Security - latest & most important news about information security, privacy research, especially social web-realted vulnerabilities and more
Highlighted tags
Contact (bardóczi ákos)
{o.a.}
Back in the good old days, the die-hard Apple fans — embarrassingly outnumbered — would often attempt to debunk the many myths surrounding the platform.
They targeted such notions as “Macs aren’t as fast as PCs,” “Mac files aren’t compatible” and “Macs offer less software.”
Like most of the world, I’ve stopped worrying about such things. The arguments just aren’t relevant anymore. Even the software issue, which still exists by absolute numbers, isn’t worth discussing. Whatever the number of Mac apps may be, a Mac owner has a huge amount of titles to choose from. If you lust that badly after a particular Windows app, you can simply configure your Mac to run it.
But, nosing around on the Apple sites and discussion groups recently (this is what I do for a good time), I was surprised to see one myth still alive and well. It’s the idea that Macs are not more secure than PCs — there are simply so few Macs on earth, they’re not a juicy enough target for the evildoers. This is the famous theory of “security by obscurity.”
This is also pure crap.
Macs were once not only a tiny minority of the world’s computers, they were a fading minority. The platform didn’t generate nearly the buzz it does today. Nor was its every move reported by legions of journalists and bloggers.
If I were a hacker 15 years ago, I’d buy the obscurity argument in a nanosecond. What’s the fun of being a big fish in an invisible puddle.
However, this isn’t then. Apple is now the world’s most successful — and most valuable — technology company. Macs get far more attention than their numbers suggest. They’re all over movies and TV shows. They’re the defacto standard in graphics and design. Although the Mac market share remains far smaller than that of PCs, Mac users number in the tens of millions. And then there’s mobile technology, where Apple either leads in market share or owns a giant chunk of the category. Regardless of market share, Apple leads by far in share of mind. The world’s obsession with Apple only grows bigger every day.
Add to that the fact that Apple has spent tens of millions of dollars proclaiming to the world that Macs don’t get viruses. That was the claim in one of the earliest “Mac vs. PC” commercials (the one where PC couldn’t stop sneezing). It was an open challenge to the world’s hackers. It was Apple’s public “bring it on.”
If you were a hacker seeking glory these days, the Mac has to be one super-tempting target. Being the first person on earth to cause havoc in the Mac world would mean instant enshrinement in the Hackers Hall of Fame. It’s just horribly naive to suggest that hackers have no motivation to attack the Mac. In fact, why would you create malware for PCs, where viruses are a dime a dozen, when you can have the fame and glory that would come with bringing those arrogant Mac users to their knees? Hell, I’m tempted to go try it myself.
Hacker conventions have been held with the express goal of breaking into the Mac. They usually end with a “concept virus,” or the announcement of some newly discovered vulnerability in Mac OS X. Yet somehow none of that ever causes a blip in the Mac world.
Given the total lack of widespread Mac viruses over all these years vs. the hundreds of thousands that exist in PCs, it takes some kind of twisted logic to maintain that Mac OS X is as vulnerable as Windows.
Interestingly, there’s a newer, more absurd myth being born to take the place of security by obscurity. It’s the idea that Macs are actually more vulnerable than PCs. This belief is put out there by security companies out to sell their own software, or security experts eager to prove their unconventional smarts. They have all the reports to prove Mac’s many documented vulnerabilities. The only thing missing are the viruses.
This is not to say Macs are invincible. Clearly any computer can be compromised. Everyone needs to exercise some common sense. But the simple fact is, it’s pure insanity to run a PC without antivirus software and commonplace to run a Mac without it. I haven’t run antivirus software in my Macs since Mac OS X was released, over 10 years ago. I don’t know anyone who has.
The “Mac is vulnerable” crowd does exist and will always exist. They’ll continue to make their claims until one day they can say they were right.
I will only note that there is also a Flat Earth Society waiting patiently to be proven right. We’ll see who gets there first.
{o.a.}
McAfee Researchers Also Foresee Attackers Targeting Shortened URL Services and Internet TV Platforms; Increase in Politically Motivated Hacktivisim
SANTA CLARA, Calif.—(BUSINESS WIRE)— McAfee, Inc. (NYSE:MFE) today unveiled its 2011 Threat Predictions report, outlining the top threats that researchers at McAfee Labs foresee for the coming year. The list comprises 2010’s most buzzed about platforms and services, including Google’s Android, Apple’s iPhone, foursquare, Google TV and the Mac OS X platform, which are all expected to become major targets for cybercriminals. McAfee Labs also predicts that politically motivated attacks will be on the rise, as more groups are expected to repeat the WikiLeaks paradigm.
“We’ve seen significant advancements in device and social network adoption, placing a bulls-eye on the platforms and services users are embracing the most,” said Vincent Weafer, senior vice president of McAfee Labs. “These platforms and services have become very popular in a short amount of time, and we’re already seeing a significant increase in vulnerabilities, attacks and data loss.”
McAfee Labs Threat Predictions for 2011:
Exploiting Social Media: URL-shortening services
Social media sites such as Twitter and Facebook have created the movement toward an “instant” form of communication, a shift that will completely alter the threat landscape in 2011. Of the social media sites that will be most riddled with cybercriminal activity, McAfee Labs expects those with URL-shortening services will be at the forefront. The use of abbreviated URLs on sites like Twitter makes it easy for cybercriminals to mask and direct users to malicious websites. With more than 3,000 shortened URLs per minute being generated, McAfee Labs expects to see a growing number used for spam, scamming and other malicious purposes.
Exploiting Social Media: Geolocation services
Locative services such as foursquare, Gowalla and Facebook Places can easily search, track and plot the whereabouts of friends and strangers. In just a few clicks, cybercriminals can see in real time who is tweeting, where they are located, what they are saying, what their interests are, and what operating systems and applications they are using. This wealth of personal information on individuals enables cybercriminals to craft a targeted attack. McAfee Labs predicts that cybercriminals will increasingly use these tactics across the most popular social networking sites in 2011.
Mobile: Usage is rising in the workplace, and so will attacks
Threats on mobile devices have so far been few and far between, as “jailbreaking” on the iPhone and the arrival of Zeus were the primary mobile threats in 2010. With the widespread adoption of mobile devices in business environments, combined with historically fragile cellular infrastructure and slow strides toward encryption, McAfee Labs predicts that 2011 will bring a rapid escalation of attacks and threats to mobile devices, putting user and corporate data at very high risk.
Apple: No longer flying under the radar
Historically, the Mac OS platform has remained relatively unscathed by malicious attackers, but McAfee Labs warns that Mac-targeted malware will continue to increase in sophistication in 2011. The popularity of iPads and iPhones in business environments, combined with the lack of user understanding of proper security for these devices, will increase the risk for data and identity exposure, and will make Apple botnets and Trojans a common occurrence.
Applications: Privacy leaks—from your TV
New Internet TV platforms were some of the most highly-anticipated devices in 2010. Due to the growing popularity among users and “rush to market” thinking by developers, McAfee Labs expects an increasing number of suspicious and malicious apps for the most widely deployed media platforms, such as Google TV. These apps will target or expose privacy and identity data, and will allow cybercriminals to manipulate a variety of physical devices through compromised or controlled apps, eventually raising the effectiveness of botnets.
Sophistication Mimics Legitimacy: Your next computer virus could be from a friend
Malicious content disguised as personal or legitimate emails and files to trick unsuspecting victims will increase in sophistication in 2011. “Signed” malware that imitates legitimate files will become more prevalent, and “friendly fire,” in which threats appear to come from your friends but in fact are viruses such as Koobface or VBMania, will continue to grow as an attack of choice by cybercriminals. McAfee Labs expects these attacks will go hand in hand with the increased abuse of social networks, which will eventually overtake email as a leading attack vector.
Botnets: The new face of Mergers & Acquisitions
Botnets continue to use a seemingly infinite supply of stolen computing power and bandwidth around the globe. Following a number of successful botnet takedowns, including Mariposa, Bredolab and specific Zeus botnets, botnet controllers must adjust to the increasing pressure cybersecurity professionals are placing on them. McAfee Labs predicts that the recent merger of Zeus with SpyEye will produce more sophisticated bots due to improvements in bypassing security mechanisms and law enforcement monitoring. Additionally, McAfee Labs expects to see a significant botnet activity in the adoption of data-gathering and data-removal functionality, rather than the common use of sending spam.
Hacktivism: Following the WikiLeaks path
Next year marks a time in which politically motivated attacks will proliferate and new sophisticated attacks will appear. More groups will repeat the WikiLeaks example, as hacktivism is conducted by people claiming to be independent of any particular government or movement, and will become more organized and strategic by incorporating social networks in the process. McAfee Labs believes hacktivism will become the new way to demonstrate political positions in 2011 and beyond.
Advanced Persistent Threats: A whole new category
Operation Aurora gave birth to the new category of advanced persistent threat (APT)— a targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than pure financial/criminal gain or political protest. McAfee Labs warns that companies of all sizes that have any involvement in national security or major global economic activities should expect to come under pervasive and continuous APT attacks that go after email archives, document stores, intellectual property repositories and other databases.
For a full copy of the 2011 Threat Predictions report, please visit the McAfee Labs website at http://www.mcafee.com/us/mcafee-labs.aspx
About McAfee
McAfee, headquartered in Santa Clara, California, is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse and shop the Web more securely. Backed by its unrivaled Global Threat Intelligence, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee secures your digital world. http://www.mcafee.com
NOTE: McAfee is a registered trademark or trademark of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and are subject to change without notice. They are provided without warranty of any kind, expressed or implied.
An investigation by The Wall Street Journal has found that some iPhone and Android apps are spying on users and potentially transmitting personal data to other companies. While both Apple and Google say that they have privacy protections in place for their customers, many apps are able to skirt around them either on purpose or by claiming ignorance as the maker of Pumpkin Maker (a pumpkin-carving app) did — he said that he didn’t know that he needed user permission before sharing the data he collected inside his app. But in speaking to the WSJ, Apple spokesman Tom Neumayr said that “We have created strong privacy protections for our customers, especially regarding location-based data. Privacy and trust are vitally important.”
iPhone apps transmitted more data than the Android apps tested, and two apps in particular stood out: Pandora and TextPlus 4. Pandora (a music streaming app) and TextPlus 4 (a text messaging app) sent the phone’s unique ID number, along with the user’s age, gender and zip code to several different advertising companies. Out of 101 apps tested in the study, the WSJ found that over half sent the ID number out to companies without the user’s consent.
Privacy concerns are often at the forefront of users’ minds and rightly so, but I do think most people understand that companies collect some information and that whatever is collected is actually beneficial to their user experience. Apple itself recently detailed its location collection policies, which it uses to provide location-specific information, to members of Congress after the House of Representatives looked into the company’s privacy policy. And as a personal example, I use the Yelp app quite a bit to discover new restaurants in my area. I do know that they are collecting location information from me, and it is probably being kept in a database somewhere. I also believe that it helps Yelp tailor my (and others’) experience with their app, as they want users to share information with them and so do I — without some of this info the app wouldn’t be all that valuable.
Do I want these app companies sharing my name, age, gender, mailing address, birthdate or sexual preference with ad networks everywhere? Not really, and I do believe we should have the ability to opt out of sharing anything if we so choose. Apps that are doing that without gaining my permission to do so shouldn’t be allowed on the App Store. But a little location-based marketing in the apps that it is needed in does go a long way to making a more positive user experience. Macworld thinks that the concerns raised by the WSJ are overblown. What do you guys think?
Among the information security trends expected next year, PandaLabs predicts increasing malware threats to Mac users.
As Mac market share continues to grow, so will the number of threats, predicted Luis Corrons of PandaLabs.
“Of most concern is the number of security holes affecting the Apple operating system. Let’s hope they get ‘patching’ as soon as possible, as hackers are well aware of the possibilities that such vulnerabilities offer for propagating malware”, Corrons wrote in a Panda Security blog.
But the Apple operating system is not the only one in the sites of malware developers. Corrons predicted that there will be a gradual increase in attacks against Windows 7 in 2011, as cybercriminals improve their malware targeting of that operating system.
At the same time, Corrons predicted that the growth rate of new malware will slow in 2011. He noted that, despite the proliferation of malware, the rate of growth year-on-year has been decreasing. The rate of growth peaked at 100% a few years ago and was only 50% this year, a trend that is expected to continue next year.
The PandaLabs researcher expected the continued use by cybercriminals of social engineering on social media sites. “Cyber-criminals have found social media sites to be their perfect working environment, as users are even more trusting than with other types of tools, such as email”, he said.
Contrary to the predictions of some other information security analysts, Corrons does not expect cell phones to be the targets of massive malware attacks in 2011. “Most of the existing threats target devices with Symbian, an operating system which is now on the wane. Of the emerging systems, PandaLabs’ crystal ball tells us that the number of threats for Android will increase considerably throughout the year, becoming the number one target for cyber-crooks”, he predicted.
“It is true that in 2010 we have seen several major arrests that have hit hard in the world of cybercrime. Yet this is sadly insufficient when we consider the scale of what we are fighting against. Profits from this black market amount to thousands of millions of dollars, and many criminals operate with impunity thanks to the anonymity of the Internet and numerous legal loopholes. The economic climate has contributed to the seriousness of the situation: as unemployment grows in numerous countries, many people see this as a low risk opportunity to earn money, though this does not detract from the fact that it is a crime”, Corrons concluded.
When Apple addressed a congressional inquiry on privacy in July, the company claimed that it couldn’t actually track a particular iPhone in real time, as its transactions were anonymous and thoroughly randomized. Bucknell University network admin Eric Smith, however, theorizes that third-party application developers and advertisers may not have the same qualms, and could be linking your device to your name (and even your location) whenever they transmit data. Smith, a two-time DefCon wardriving champ, studied 57 top applications in the iTunes App Store to see what they sent out, and discovered that some fired off the iPhone’s UDID and personal details in plaintext (where they can ostensibly be intercepted), including those for Amazon, Chase Bank, Target and Sam’s Club, though a few were secured with SSL. Though UDIDs are routinely used by apps to store personal data and combat piracy, what Smith fears is that a database could be set up linking these UDIDs to GPS coordinates or GeoIP, giving nefarious individuals or organizations knowledge of where you are.
It’s a scary idea, but before you direct hate Apple’s way, it’s important to note that Cupertino’s not necessarily the one to blame. iOS is arguably the best at requiring users to opt-in to apps that perform GPS tracking; transmitting the UDID and account information together publicly is strictly against the rules; and we’d like to think that if users provide their personal information to an application developer in the first place, they’d understand what they’re doing. Of course, not all users monitor those things closely, and plaintext transmission of personal details is obviously a big no-no.
Smith’s piece opens and closes on the idea that Apple’s UDID is like the unique identifier of Intel’s Pentium III processor, which generated privacy concerns around the turn of the century, and we wonder if ths story might play out the same way — following government inquiries, Intel offered a software utility that let individuals manually disable their chip’s unique ID, and removed it from future CPUs.
In the wake of privacy concerns, Apple has moved to fix its recently released FaceTime application for the Mac to block access to a potential security hole.
The flaw resided in the fact that anybody with access to the computer on which FaceTime was installed could change the password to the related Apple ID without knowing the current password. When launched, FaceTime automatically logs you into the associated account; from there, going to the app’s Preferences pane, clicking on your account, and then clicking View Account would allow you to enter a new password and confirm it without ever having to enter the current password.
While the FaceTime application itself has not been updated, Apple has blocked access to that account information—currently, clicking on the View Account link will take you to an empty page before bouncing you back to the previous page.
Of course, this is hardly a permanent fix for the security hole, since presumably people will eventually want to access their account details from inside the app, but it should at least block any nefarious pranksters or snoopers in your home or your office for the time being.
