phishing

Latest

  • Does QuickTime pose a security risk?

    by Erica Sadun
    12.13.2006

    The whole QuickTime/MySpace security hole that was discussed this week on TUAW has given rise to a general concern about QuickTime's vulnerabilities. The QuickTime bug apparently allowed a worm to infect MySpace user profiles and redirected traffic to a phishing site, where passwords were harvested. An Information Week article suggests the security flaw could extend well beyond MySpace to both Mac and Windows users. The problem seems to stem from QuickTime's JavaScript support and a bug that allows malicious JavaScript code to affect browsers. The article states that although Apple has provided an Internet Explorer patch, it has yet to issue a general QuickTime fix across all platforms.

  • Lik-Sang phishing scam

    by Andrew Yoon
    10.31.2006

    Trick or treat. It appears that some internet scammers are trying to cash in on Lik-Sang's recent closure. PSP Hacks reports that a very legitimate-looking e-mail is being sent around:

    "As of today, Lik-Sang.com will not be in the position to accept any new orders and will cancel and refund all existing orders that have already been placed. Furthermore, Lik-Sang is working closely with banks and PayPal to refund any store credits held by the company... Our records indicates you can retrieve an additional $ 9,99 USD refund in your PayPal account. In order to successfully retrieve the refund please confirm your existing PayPal account on this page..."

    The links provided may look normal, but they'll lead you to a phishing trap, where they'll steal your PayPal account info. Ouch. That's uncool. Of course, you could stay theoretically protected from pages like this by switching over to the new Internet Explorer 7 or Firefox 2.

  • 1Passwd - password/form manager lets Firefox use the Keychain

    by David Chartier
    06.06.2006

    *Oh snap!* Agile Web Solutions has created a password and form manager extension for both Safari and Firefox that fixes one of my biggest gripes about Mozilla's flagship browser: it can store website passwords in Mac OS X's Keychain Access application. For those who haven't stumbled upon the wonders of the Keychain: it's a system-wide secure password manager that most other Mac OS X apps can use to store logins for things like websites and FTP access. 1Passwd is an extension that, amongst other features, lets Firefox join the Keychain party so you can have one secure, centralized area for managing (and backing up) your logins. This also means that if you have a .Mac account, any passwords you enter into Firefox will sync between your Macs. But 1Passwd doesn't stop at handling just your login information. Check out the full feature list to see everything else it can do for both Safari and Firefox.

    If beer could be sent virtually through PayPal, I'd send Agile Web Solutions a twelve pack; this brings Firefox one step closer to being a true Mac OS X browser. 1Passwd is currently in a third beta release, and those who opt to test the beta and offer their email addresses will receive a discount off its (somewhat steep) $29.95 price.

  • How to take Mac security seriously

    by Victor Agreda Jr
    03.07.2006

    Damien went into detail about the "hacker challenge" story and, as he explained, it's much ado about nothing, for now. Clearly, this Mac security thing is only going to get more important. Even Headline News had a largely exaggerated report on the Bluetooth exploit found a while ago... So what is the average Mac user supposed to do? It's all well and good if you're a sysadmin and you can do stuff like lock down a server, but if you just bought your iBook and you are now cowering in a corner because you're afraid to even open the thing (knowing that you will automatically "catch" something), what then? Read on, as I have some stories and advice for you.

    First it is important to note that the most likely vector of any computer attack is human. And keep in mind the difference between a vector of attack (like the SSH "hack" mentioned by Damien), and a payload, which would be a true virus or Trojan. A worm is a vector, but it might deploy a payload. Make sense? Anyway, the point is humans are the weakest link in the whole chain, yet also the most important in stopping any attack. It is this central fact that makes almost all OSes equal in terms of security. You are only as good as the people who use a system, and those who set it up. Case in point: phishing.

    Phishing is a huge problem, and easy to set up. You get an email claiming some guy is your long-lost relative, and he needs some money to get out of jail. If he gets out, he'll double your money. Or, even easier to trick people with (but harder to set up), is the fake URL scam, where it looks like PayPal or eBay (common targets) is sending you a letter about your account. This is the true phishing scenario, played out millions of times a day on the internet. Just click on the link to "verify" your account info, or it will be deleted. Unfortunately, the link will take you to a spoofed site, and you'll be typing your sensitive info into a trap designed to steal your passwords and credit card numbers. These are spins on classic grifters' tricks, and phishing scams aren't very well guarded against on OS X. Microsoft and Mozilla are trying to attack this problem with tools in their browsers (or in email clients) that will alert you to spoofed websites. So what can you do on OS X? First, check out the US government's guide to avoiding phishing scams. Second, make sure you're using something to filter spam, as this will often catch a lot of generic phishing scams. If you use Firefox, Netcraft has a toolbar that will supposedly guard against phishing, but I haven't tried it. It essentially checks URLs for you. Third, use common sense. Would eBay really send out an email to an account and NOT use their username? Of course, the common sense cure is the hardest one to invoke...

    One more thing about the human vector: it's all about education. You have to teach people the rules of the road, yes? Well you'll have to educate yourself or others on some basic security precautions, especially if you are the cautious type. One common concept is to never share passwords. Also, most people would recommend you don't use the same password for everything you do. And since we're talking about passwords, don't forget to change them often, and use combos of letters, numbers, and uppercase/lowercase where appropriate. If you want a freeware tool for making passwords, there's Pazzle. With Keychain, I have a bad good habit of just setting a great password, but instantly forgetting it. Let's just hope I back up my Keychain database on a regular basis, eh? Oddly enough, Wayne State has a quick little ditty on setting passwords, and of course Wikipedia has the whole history plus some ideas too. Without exposing my own tricks, I can say that if I have to remember it, I'm more likely to use l33t type spelling for relatively common stuff. Maybe not the most secure in the world, but more secure than "Fluffy" or "PHilton." And did you know OS X includes a password helper, to help create good passwords? It's all here on this Tiger Tips page. Essentially you click the little question mark (or key, as in FileVault it was a question mark, but sometimes it's a key, as in the pic on the Apple page, go standard GUI!) and a tiny dialog pops open to help you make a password. Pretty slick.

    Tiger introduced a ton of very necessary security features too (aside from the password helper). Stuff most people don't think about is now included, like Kerberos support in VPN, secure virtual memory, and a certificate assistant. A lot of these things are hard for the uninitiated to find, which I guess is good, since most folks won't use them. So instead, let's go over some more basic things you can do to protect yourself (after the jump).

  • Blizzard Warns of Password Scams

    by Elizabeth Harper
    02.23.2006

    Tseric has made a post in the general forums advising players to be wary of e-mails requesting their account information.  So if you get an e-mail asking you for personal information in exchange for a Warcraft rebate, remember that Blizzard employees will never ask you for your password.  And if in doubt, you can always contact Blizzard support to confirm.