Apple could be experiencing an ‘Adobe moment’ over its handling of the Flashback Trojan, with security companies and experts heaping criticism on the company for its sclerotic response.
According to figures from two sources, the Russian companies Dr. Web and Kaspersky Lab, between 600,000 and 700,000 Mac computers have been infected by a piece of malware that uses drive-by and social engineering techniques to burrow into their systems.
The infection is not apparent to the user; as with most Trojans, the malware is really a backdoor stub that downloads other software under the control of a remote server. In principle, this opens Mac users to a range of possible attacks, including one of the most feared, keylogging.
Apple’s response – or lack of it – has a number of layers, starting with the way it handles patches for Java vulnerabilities. The most recent version of Flashback hits users through CVE-2012-0507, a flaw used by the Blackhole Exploit Kit to attack visitors to compromised websites.
Java’s overseer, Oracle, patched this flaw in February, but Apple only added it to its security fix cycle on 3 April, leaving anyone looking to exploit the flaw several weeks in which to do so.
In fact, according to Dr. Web, the domains used as command and control for the newest versions of Flashback exploiting CVE-2012-0507 were only registered on 25 March, so swifter action could have dented the botnet.
Apple stuck to its traditional update cycle and, with the apparently rapid infection levels made public around the same time as the official patch, the company found itself looking flat-footed.
It took Apple until 10 April to say anything particularly meaningful, and the support forum statement “Apple is developing software that will detect and remove the Flashback malware” was about as far as it went, while the community was forced to visit the sites of security companies better known to Windows users to get hard information.
“While it’s encouraging to see Apple taking steps to eradicate the Flashback Trojan, they’re late to the party,” complained Zscaler ThreatLabZ security research VP, Michael Sutton.
“Unfortunately, Apple has a long history of putting blinders on when it comes to dealing with security researchers,” says Sutton, a reference to a clutch of smaller but equally poorly-handled incidents dating back as far as 2006.
The sentiment chimes with Roger Thompson of security testing outfit, ICSA Labs.
“Not only did they apparently fail to communicate with Dr. Web when first informed of the infection, their attempts to take down a command and control (CC) domain also harmed the work being done by Dr. Web to sinkhole the CC traffic.”
“It [Flashback] means that Mac malware is not just a reality, but is now a genuine problem,” he says, echoing sentiments being expressed across a range of security experts and vendors.
In short, Apple remains stubbornly complacent on the basis of assumptions that sound strikingly similar to the travails of Adobe over numerous exploits targeting its software four years ago.
With Flash and Reader at the top of the arsenal of targeted software being used to compromise Windows PCs, Adobe tried to sit out the storm before finally embracing change, modifying its patching design and cycle through 2009 and 2010.
“We’re not a security company and this is not our problem,” seemed to be the attitude, an obsolete misunderstanding of the nature of contemporary software development.
Interestingly, at the time some described Adobe’s struggles as being a “Microsoft moment”, a reference to the OS giant’s failure to grasp the sudden and huge spike in attacks on Windows XP and the company’s Office suite during 2002.
Microsoft eventually buckled up, instituted a huge security reform programme that saw the adoption of its now-model Software Development Lifecycle (SDL), and today serious Microsoft OS and app vulnerabilities are much rarer and certainly more quickly patched.
The pattern is one that Apple should pay attention to. As Microsoft reduced the number of serious flaws in its software, criminals looked elsewhere, settling on another commonly-installed vendor, Adobe. As Adobe and Sun/Oracle’s Java have tightened up, the same forces have spied a new frontline of poorly-protected Apple users relying on an independent patch cycle, and so the world continues turning.
To sceptics in the Apple community, the security industry has its self-interest at heart and perhaps they have a point. Antivirus sales look to be decreasing somewhat in the PC world in the face of acceptable free products, not least Microsoft’s own Security Essentials, and a slow waning of interest in established operating systems.
The appearance of Mac malware is good for business, or would be if some vendors such as Sophos didn’t offer free products. These products represent good value given the still relatively low level of malware threats to Macs. Others will prefer to pay to get support.
Flashback is the important moment when Apple users were put on notice that they are not, after all, that different to PC users, just fewer in number.
“The issue is that for a decade, Apple has made a point of telling users that they had no malware problem, and the result of that is that Mac users have no antibodies when it comes to malware. They don’t expect it, and too many people will click on, and install, anything,” says ICSA’s Thompson.
“What, then, does this all mean to an end user, and what should they do about it? Folks, it’s time to install an anti-virus program. There will soon be a name for Mac users who are not running AV – victims.”
View full post on National Cyber Security » Computer Hacking
If anyone knows about the effect the Internet can have on a person’s reputation, it’s Matt Ivester.
Ivester is the founder of JuicyCampus.com, a website that was intended to serve as a message board across college campuses, but morphed into a controversial, anonymous gossip site.
Before JuicyCampus shut down in 2009, the website came under fire from student government associations and colleges across the country — and was even the subject of investigations by two attorneys general.
Now, Ivester is taking lessons he learned from JuicyCampus and is educating students about becoming good cyber citizens.
Ivester hopes his newly-released book, “lol…OMG! What every student needs to know about online reputation management, digital citizenship and cyberbullying” will become a resource for students as they navigate new digital situations in college and beyond.
The “lol” refers to students doing things they think are funny and posting them online and the “OMG” refers to the moment when teens realize those actions are having unanticipated negative reactions in life, Ivester says.
A “lol” moment may be posting an inappropriate photo on Facebook and the “OMG” moment may come years later, when you miss out on job opportunities because potential employers see it online.
This Data Privacy Day, Ivester is encouraging teens and college students to manage their online reputation and protect their privacy.
In a teenager’s world, privacy means getting your parents to stay out of your bedroom.
But online, privacy can have a broader definition.
“Social networking has expanded the definition of ‘privacy,’” Ivester says.
“Teens are much more comfortable with information shared online, but that still means they need to figure out what types of information they’re sharing.”
Posting photos to Facebook during a drunken night out or having a fight with your friend on Twitter may not seem harmful – until a would-be employer or landlord sees them.
“There are a lot of potential consequences I don’t think students are thinking about,” Ivester says.
Here are some ways Ivester suggests students manage their privacy online:
Ivester recommends taking certain actions on Facebook: turning on profile review, which allows you to approve certain pieces of content — like tagged photos — before they’re associated with your profile, and limiting your old posts, which takes content that may have been public in the past and automatically makes it visible only to your friends.
“There’s probably no reason for anything to be public from five years ago, and it’s probably more harmful than good,” Ivester says.
Note: You can download a copy of “lol…OMG! What every student needs to know about online reputation management, digital citizenship and cyberbullying” for free between January 27 and January 30, 2012. Learn more here: http://www.lolomgbook.com/#!vstc5=ebook
LIGATT: Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment.