How to take Mac security seriously


Damien went into detail about the "hacker challenge" story and, as he explained, it's much ado about nothing, at least for now. Clearly, this Mac security thing is only going to get more important. Even Headline News had a largely exaggerated report on the Bluetooth exploit found a while ago... So what is the average Mac user supposed to do? It's all well and good if you're a sysadmin and can do things like lock down a server, but if you just bought your iBook and are now cowering in a corner because you're afraid to even open the thing (knowing that you will automatically "catch" something), what then? Read on, as I have some stories and advice for you.

First, it is important to note that the most likely vector of any computer attack is human. And keep in mind the difference between a vector of attack (like the SSH "hack" Damien mentioned) and a payload, which would be an actual virus or Trojan. A worm is a vector, but it might deploy a payload. Make sense? Anyway, the point is that humans are the weakest link in the whole chain, yet also the most important in stopping any attack. It is this central fact that makes almost all OSes equal in terms of security. You are only as good as the people who use a system, and those who set it up. Case in point: phishing.

Phishing is a huge problem, and easy to set up. You get an email claiming some guy is your long-lost relative, and he needs some money to get out of jail. If he gets out, he'll double your money. Or, even easier to fall for (but harder to set up) is the fake URL scam, where it looks like PayPal or eBay (common targets) is sending you a letter about your account. This is the true phishing scenario, played out millions of times a day on the internet. Just click on the link to "verify" your account info, or it will be deleted. Unfortunately, the link takes you to a spoofed site, and you'll be typing your sensitive info into a trap designed to steal your passwords and credit card numbers. These are spins on classic grifters' tricks, and OS X doesn't do much to guard against phishing scams. Microsoft and Mozilla are trying to attack this problem with tools in their browsers (or in email clients) that alert you to spoofed websites. So what can you do on OS X? First, check out the US government's guide to avoiding phishing scams. Second, make sure you're using something to filter spam, as this will often catch a lot of generic phishing scams. If you use Firefox, Netcraft has a toolbar that will supposedly guard against phishing, but I haven't tried it. It essentially checks URLs for you. Third, use common sense. Would eBay really send out an email about your account and NOT use your username? Of course, the common sense cure is the hardest one to invoke...
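To make the "check the URL" advice concrete, here is an added example (not from the original post or from Netcraft) that runs the same kind of heuristics over the HTML of a suspect mail: link text that names PayPal or eBay while the href points somewhere else, a `user@host` prefix hiding the real host, a bare IP address as the host, and the missing-username tell mentioned above. The brand domains and the sample mail are assumptions constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Brands the post names as common targets (assumed real domains).
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}
# Constructed sample: generic greeting plus a user@host link to a bare IP.
SAMPLE_MAIL = ('<p>Dear valued customer,</p><a href="http://paypal.com@203.0.113.9/verify">'
               'Click here to verify your PayPal account</a>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Crude registrable domain: last two labels (no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def check_link(href, text):
    """Warnings for one link: the tricks a URL-checking toolbar looks for."""
    warnings, url = [], urlparse(href)
    host, blob = url.hostname or "", (href + " " + text).lower()
    if url.username:  # http://paypal.com@evil.example/ hides the real host
        warnings.append("userinfo before host disguises the real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("host is a bare IP address")
    for brand, real in KNOWN_BRANDS.items():
        if brand in blob and registered_domain(host) != real:
            warnings.append(f"mentions {brand} but links to {host or '?'}")
    return warnings

def analyze_email(html_body, expected_username):
    """Map each suspicious href to its warnings; add the missing-name tell."""
    parser = LinkCollector()
    parser.feed(html_body)
    report = {h: w for h, t in parser.links if (w := check_link(h, t))}
    if expected_username.lower() not in html_body.lower():
        report["_greeting"] = ["mail never uses your username"]
    return report
```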

One more thing about the human vector: it's all about education. You have to teach people the rules of the road, yes? Well, you'll have to educate yourself or others on some basic security precautions, especially if you are the cautious type. One common concept is to never share passwords. Also, most people would recommend you don't use the same password for everything you do. And since we're talking about passwords, don't forget to change them often, and use combos of letters, numbers, and uppercase/lowercase where appropriate. If you want a freeware tool for making passwords, there's Pazzle. With Keychain, I have a bad good habit of just setting a great password, but instantly forgetting it. Let's just hope I back up my Keychain database on a regular basis, eh? Oddly enough, Wayne State has a quick little ditty on setting passwords, and of course Wikipedia has the whole history plus some ideas too. Without exposing my own tricks, I can say that if I have to remember it, I'm more likely to use l33t-type spelling for relatively common stuff. Maybe not the most secure in the world, but more secure than "Fluffy" or "PHilton." And did you know OS X includes a password helper to help create good passwords? It's all here on this Tiger Tips page. Essentially you click the little question mark (in FileVault it's a question mark, but elsewhere it's a key, as in the picture on the Apple page; so much for a standard GUI!) and a tiny dialog pops open to help you make a password. Pretty slick.

Tiger introduced a ton of very necessary security features too (aside from the password helper). Stuff most people don't think about is now included, like Kerberos support in VPN, secure virtual memory, and a certificate assistant. A lot of these things are hard for the uninitiated to find, which I guess is good, since most folks won't use them. So instead, let's go over some more basic things you can do to protect yourself (after the jump).

As Damien pointed out, this "OS X Hacked in Less than 30 minutes" contest and the ensuing article are a bit of a joke, since a door to the outside world was opened up for the "hackers" to use. Since OS X ships with all network services disabled (including the two most popular attack vectors, SSH and Apache), most Mac OS X users don't have to worry too much about attack vectors from the outside world, but instead should worry about attacks that originate locally on their computers, via an email attachment or questionable file download.

However, if you're really worried about true hacker attacks (meaning someone is deliberately trying to get into your machine from the Internet), there are several things you can do to quickly protect yourself. None involve third-party apps, and they are all located in your System Preferences.

1. Go to the Sharing panel and turn on the firewall: click the tab named "Firewall" and click Start if it isn't already running.
2. Going one step further, click the Advanced... button in the Firewall tab in Sharing and turn on Stealth Mode. This makes it much harder for anyone to find your machine to even begin hacking it. If you are the detailed type, turn on logging, so you can later examine the firewall logs to see if, in fact, anyone has been trying to get into your machine. You can also disable UDP, which is great, except that UDP might be needed by some functions in some apps. I know that Office v.X used UDP to auto-discover any illegal copies on other machines within a network, but this "feature" could be turned into an exploit. My best recommendation is to just use Stealth. It's fun.
3. Now go to the Security panel, and at least enable the secure virtual memory feature. Since I work in a school lab environment, I also like to require a password on waking and when leaving the screen saver. Disabling any auto-login is good if you're worried about those human vectors (because stealing a computer physically is much easier than hacking it, which means you may want to invest in a physical computer lock too).
4. The big new feature in the Security panel is FileVault. This encrypts the data in your Home folder... And yes, it is very secure and cool. But it can be problematic. If somehow you get locked out entirely, there's really nothing that can bring your data back, because it is quite thoroughly encrypted. I have heard some folks have had trouble with FileVault too, as some apps don't play nice (like QuickBooks).
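Step 2 suggests turning on firewall logging and reading the logs later; this added example (not from the original post or from Apple) shows what "examining the logs" can look like. It parses ipfw-style deny lines of the kind Tiger's built-in firewall writes when logging is on, then summarizes each source address by hits and distinct target ports so that one host probing many ports stands out. The log lines are constructed for the demo; the exact format on a given system is an assumption to check against your own log file.

```python
import re
from collections import defaultdict

# Constructed sample of ipfw deny lines (rule 12190 is the firewall's catch-all deny).
# The last UDP line is a DHCP reply from the router: legitimate UDP traffic that a
# "block all UDP" setting would also swallow, which is why step 2 warns about it.
SAMPLE_LOG = """\
Mar 10 14:23:55 ibook ipfw: 12190 Deny TCP 203.0.113.7:51234 192.168.1.20:22 in via en0
Mar 10 14:23:56 ibook ipfw: 12190 Deny TCP 203.0.113.7:51235 192.168.1.20:80 in via en0
Mar 10 14:23:56 ibook ipfw: 12190 Deny TCP 203.0.113.7:51236 192.168.1.20:443 in via en0
Mar 10 14:23:57 ibook ipfw: 12190 Deny TCP 203.0.113.7:51237 192.168.1.20:5900 in via en0
Mar 10 14:40:12 ibook ipfw: 12190 Deny TCP 198.51.100.9:4444 192.168.1.20:22 in via en0
Mar 10 14:45:01 ibook ipfw: 12190 Deny UDP 192.168.1.1:67 192.168.1.20:68 in via en0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_ipfw_log(text):
    """Yield one dict per parsable line; skip anything that is not an ipfw entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(entries, scan_threshold=3):
    """Per source IP: number of inbound denies, distinct target ports, scan flag."""
    hits, ports = defaultdict(int), defaultdict(set)
    for e in entries:
        if e["action"] != "Deny" or e["dir"] != "in":
            continue  # only inbound blocked traffic is interesting here
        hits[e["src"]] += 1
        ports[e["src"]].add(int(e["dport"]))
    return {
        src: {"hits": hits[src], "ports": sorted(ports[src]),
              "scan": len(ports[src]) >= scan_threshold}
        for src in hits
    }

if __name__ == "__main__":
    for src, info in summarize(parse_ipfw_log(SAMPLE_LOG)).items():
        flag = "POSSIBLE SCAN" if info["scan"] else ""
        print(f"{src:15} hits={info['hits']:3} ports={info['ports']} {flag}")
```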

It was funny to me that the Headline News piece I mentioned used the threat alert from Symantec as its source. Now why would Symantec, Sophos, or Intego want to raise such an alarm? Possibly because they sell the very products designed to keep you from harm? Symantec, having been spurned by Apple after the move to UNIX, is the worst on this one. Never mind that Apple already had the patch out there; it's going to destroy the Mac platform! Here, buy a million-year license to our Windows apps instead! Still, there will eventually be viruses and trojans and worms that hit the Mac. Real ones, and ones that can't be fixed by Apple before they become a problem. Not a question of if, but when. So what do you do about that one?

1. Back up your data. It's very simple. Backing up your data to a secure location will ensure that you don't lose said data. But how many of you have backed up today? That's what I thought.
2. Apply patches and updates regularly. Yes, these are the basics. But maybe someday the average user will "get it."
3. Really think about what you're doing. Is downloading that application from the Republic of We Just Got Here 10 Minutes Ago a brilliant idea? Maybe not. If you're downloading stuff, use a site like VersionTracker or MacUpdate, where users can complain if something is amiss. Also, as much as it bugs me, that little nag when you are about to finish a download in Safari is there for a reason (as are the couple of nags you get when installing Widgets): think again before you OK these downloaded items.
4. Never grant admin rights (by typing your password) to something you're not 100% sure about. Did a window just pop up out of nowhere asking permission to do something? That's fishy.
5. Be careful when you get attachments. Without going into details, you should suspect junk in your email. Not just junk mails, or YouTube videos, but just junk in general. As we've seen before, seemingly innocuous PNG files can be dangerous.

Keep in mind you are only as safe as you allow yourself to be. If you download warez on a regular basis, or never filter your email, you're asking for trouble. However, if you play by the rules, you're a whole lot more likely to be secure.

And finally, if you truly are concerned about viruses and malware, feel free to invest in the fine products out there. While I may knock the Chicken Little attitude of Symantec, it's probably better to be safe than smug. Fact is, as Apple's products gain market share, something bad could happen quickly. The guys and gals at these companies are actually working every day to track down malware in all shapes and sizes. So benefit from their work and install something that makes you feel more secure. I wouldn't go overboard and buy everything, but something is better than nothing. Unless of course, the something you do is dumber than doing nothing (like putting Virex on Tiger). I learned that from The Six Dumbest Ideas in Computer Security, which is worth a read once you've got your tinfoil hat on...
