A client shows that Macs are not as safe as you think

A common misconception among Mac users is that their Apple products are immune from malware and security issues often seen in Microsoft products. A decade ago, this was pretty much true. Mac OS had a streamlined approach to security that was difficult to crack, but more importantly, Apple users were massively dwarfed by Microsoft and weren’t worth the time to target. Hackers wanted the easy score, not something they actually had to work at. Unfortunately, many Mac users still believe they’re impervious to threats, but they are ignoring two major changes in the computer landscape.

1) After years of abuse, and rightfully so, Microsoft has now surpassed Apple in terms of protection. Since the Windows Vista introduction in 2007, their OS has employed ”address space layout randomisation (ASLR) which is implemented so as to obscure most of what an attacker needs to conduct, for example, shell code injection attacks.” Despite acquiring ASLR in 2007, Mac OS has yet to implement this same degree of protection.

2) Apple has seen fabulous growth in the personal computer market. In 2003, Apple had just 2.06% of the desktop computer market. Just five years later, that number was at 14% and has now diversified further with the advent of the hugely popular iPhone and iPad. Not surprisingly, Mac OS malware has grown in excess of 200% in the last three years!

Unfortunately, many companies are ignorant to this environmental shift and still assume their Macs are as secure as ever. Take for instance an advertising agency we recently consulted with. This agency employs over 50 individuals and boasts several Fortune 500 accounts. Like many ad firms, Macs are their computer of choice.

Recently, one of their biggest clients had a security breach that originated from the agency office. The agency and client shared a portal where they frequently transferred images, files and documents. Besieged by a nasty piece of malware, the portal was rendered unusable.

What the agency didn’t realize is their Mac computers were hosting Windows-based malware. While the malware had zero effect on their Mac computers, it ran amok on the client’s Microsoft desktops after it was unknowingly transferred through the portal. This issue is prevalent in many Mac environments. According to Sophos, “A 100,000 strong snapshot of the millions of Mac computers which have recently downloaded Sophos’s free Mac anti-virus software, revealed that 20% of Mac computers were carrying one or more instances of Windows malware.”

Needless to say, if the agency realized that their fleet of Mac computers weren’t secure and at the very least invested in Sophos’ free Mac anti-virus software, this entire scenario would have never happened. If you are a Mac user or your company runs a Mac-based operation, please do us all a favor and download the aforementioned free anti-virus software. And if you really want to make sure all your bases are covered, give us a buzz and we’ll set you up with a free security review as well.

Sophos Apple Resources:

Download Sophos’ free Mac anti-virus software.

1 in 5 Macs has malware on it. Does yours?

Are Macs safer than PCs?

 

June Updates and Patch Report

It’s “Patch Tuesday” week again, so let’s summarize several of the more important updates and patches.

Microsoft

Did you know there were two sets up updates this month? The normal Tuesday updates came out as expected, but before that, there was a special update to make sure this week’s updates were trustworthy. What happened is that Flame made the news and a part of the malware was designed to take advantage of a flaw with Microsoft certificates. So, to fix it, Microsoft had to release an update… but since that certificate was part of the update process, it had to be released early.

If you did not apply the update when it first came out, you’ll probably be okay. However, this is yet another example of why it’s important to stay on top of these. If you fall behind, not only are you unprotected against current threats, but you also cannot trust the updates that are waiting in the wings. If you are worried about falling behind, it may be time to consider patch management software.

The second round included updates for Remote Desktop, Internet Explorer and .Net. The IE one is being exploited, so update your workstations and laptops ASAP. Also, if you are one of the many companies exposing Remote Desktop to the internet, this is a very good example as to why that isn’t the best strategy. The flaw made public this week allows people to access those systems without logging in. If you are accessing RDP directly over the internet, it’s time to stop. There are some extremely simple and cost effective (some even free) VPN solutions out there. Please use them.

More details are here and here.

The Always-Expanding Hack List

If you regularly use LinkedIn, Last.fm, Twitter and/or eHarmony, it’s time to change your passwords. It’s also time to trust the users of those sites a little bit less. When a password breach occurs, not only is your data at risk, but so are all of your social connections. If one of your friends had a weak password, someone could log into their account and view all the information you share with them. While there’s nothing we can do directly in response to these attacks other than change our passwords, we really need to start putting more pressure on these sites to ensure they are protecting our data with better than minimal standards. If you are in the position of storing customer data, you might want to review your own processes, too. It’d be better to do that before a breach.

Adobe

Adobe has released an update for … ColdFusion. If you’re not using ColdFusion, you don’t have to worry about Adobe patches this month. Also, if you’re running ColdFusion 10, you’re good. Kind of a shocker, I know.

If you’re running an older version of ColdFusion, read the details here.

VMware

It’s out … it’s finally out!  If you’re running vSphere 5, you can read the hardening guide.  This is a guide to both hardening AND assessing VMware infrastructures. Basically, all the auditors now have guidance, so expect them to get more annoying about it. Also, expect your assessors to have more documentation backing up why certain changes should be made. A good plan would be to actually make them! It’s usually going to make sense for you and the time you spend arguing would be better spent fixing issues.

I know that making some changes to a virtual environment can affect a lot of servers, but guess what happens if a flaw in your system is abused? I am firmly of the mind that a planned outage is much better than an unplanned one. Please harden your infrastructure.

Apple

Sadly, Apple did not release an IOS hardening guide. Instead, they just lifted the curtain a little bit and gave us a peek inside with the IOS security specs. If you are writing policies around mobile devices and have to support Apple, you should probably read this. It will also help you assess MDM solutions.

PHP

If you’re running PHP, you should know it’s being attacked.  Keep it updated and if you can, seriously consider layering PHP-Suhosin, Mod_Security2 and AppArmor around it. PHP is good for developers, but it’s also good for attackers. If you want to use it for the former, you have to accept the risk from the latter.

MySQL

Please excuse the tech speak here. If you are running MySQL and it was compiled with GCC using SSE, people can likely log into your system with the wrong password. Details are here. This issue is known to affect Ubuntu 64bit, OpenSUSE 64bit, Debian Unstable 64bit, Fedora and Arch Linux. Luckily, the more commonly used Ubuntu 32bit, Red Hat Enterprise Linux and the official binaries from MySQL are not affected.

In general, you should apply the patch immediately when available. You should also only expose your MySQL interface to the applications that need them and to the DBA’s network. Most real world problems involving this vulnerability involve people who chose to make MySQL accessible over the internet. Like RDP, there are almost no good reasons to do this … so don’t.

May Updates and Patch Report: Part 2

It’s interesting how you can go through an entire week of work and think that nothing significant happened in the security world. Now that I am trying to write these updates on a weekly basis, I’m paying a bit closer attention. While we won’t have huge patch-focused updates unless it’s the same week as a patch release, it doesn’t mean nothing has been going on. So, without further ado here are this week’s updates and patch report. If you missed last week’s, read it here.

 

Microsoft

EMET 3.0 has been released. What is EMET you ask?

EMET stands for “Enhanced Mitigation Experience Toolkit” and is basically a tool that allows you to protect Windows applications from attack. We’re used to applying patches for things like this, but sometimes a problem is more complex than people think and patches are a long time coming. EMET allows you to shift from a reactive to a proactive stance. This is a different way of protecting your systems and will take some work to get started. However, if your operational guidelines have matured to the point you have identified allowed applications and are either using application control or imaging, this can provide a nice additional layer of protection. With this new version, you can also identify attempts to exploit vulnerabilities, which can give you preliminary warnings of attack.

 

Google

Google has released a new version of Chrome. This new version adds a few features and patches several security bugs. If you are running Chrome, it should have automatically updated. If you want to verify the update has gone through, go to Tools->About and make sure you’re running version 19 or higher.

 

Apple

Apple has released a new version of QuickTime. This version patches seventeen problems and affects the application on both Windows and OSX. If you use it, patch it.  Details are here.

 

Android

Trail of Bits published an interesting article on the relative security merits of Android versus iOS. The heart of their argument is Android phones aren’t updated as often as the iPhone and the Android marketplace is more flexible and this brings additional malware risk.

While this is true, it is also true the reduction of controls allows for faster development. Additionally, the deployment of Android updates is the job of the carrier, not of Google. Blaming Google for the carriers’ unwillingness to deploy updates to older phones is, I think, unfair. The real problem is carriers make more money when people buy new phones, so the longer they support the old phones, the less money they make. Apple has embraced this economic reality by convincing people to throw away their devices and buy new ones every year or so.

So here’s the truth.  If you are concerned about malware you have three options:

1) Use iOS and trust Apple to protect you. Do not jailbreak anything and live with what you get.

2) Use Android and run an anti-malware agent. I like Sophos Mobile Security (beta) and Lookout. On my phone, at least, they even seem to play well together. Don’t install apps willy-nilly.

3) Use Android, run an anti-malware agent (as above), root it and install firewall and adblockers. This makes you more vulnerable to malware, but gives you additional protection to (somewhat) make up for it. Optionally install your own ROM.

You do have to be more vigilant, but if that’s not a problem for you, you can actually get a more secure device than you can with IOS, as you are in charge of your updates and you don’t have to wait for it to fit within a company’s lifecycle.

 

sudo

A very interesting bug in sudo was discovered. There’s no point in my describing it here, as they did such a good job on Sophos Naked Security. Definitely go there and read about it.

 

RealPlayer

RealPlayer has a brand new update. It patches three vulnerabilities in different levels of the product. However, the fourth vulnerability “why are people still using RealPlayer?” remains unpatched. :)

Apply the fix or remove the software.  The latter is generally a better choice.

 

HULK

A new denial of service tool is out. Known as the HTTP Unbearable Load King or “HULK,” it is different in that it takes greater care to make sure requests are unique. With a traditional DDoS tool, you can often find a traffic pattern to filter out and mitigate the attack. However, the more different each request is from one another, the harder this is to do. This tool raises the bar for DDoS protection.

If you are running a DDoS protection tool, take a look at the tool and check it against your protection system.  If it bypasses it, complain to your vendor so they fix the problem.

If you are not running a DDoS protection tool and are comfortable accepting the DDoS risk, just sit back and chuckle over the fact the most stealthy DDoS tool is known as The HULK.

 

That’s it for this week.  If you have any questions, please drop us a note.

May Updates and Patch Report

It’s been a little while since I’ve written one of these posts. I had, in recent months, gotten overwhelmed by the amount of updates out there and the fact the advice really hadn’t changed. If you’re not going to read the entire post, just follow these two rules of thumb:

1) Apply patches to all applications on all systems as soon as you possibly can.

2) If you skip rule 1, be prepared to reinstall the OS and all apps on any system at any time.

That’s it.  Now, let’s get into some recent happenings:

 

Microsoft

Last week, Microsoft released several updates with many of them being critical. Workstations, once again, are affected by Office updates. If abused, a special file could cause these applications to take over your system.

But wait, there’s more!

Two sets of patches focus on the .NET framework and patch against code execution as well … so you don’t actually have to download a file to be placed at risk. However, unlike the Office problem, this flaw affects both workstations and servers. Getting even better, if you install the server in “server core” mode, this flaw also allows for elevation of privilege. This means that a successful attack can not only remotely take over a system, but it can break out of the permissions you set to lock things down.

Of course, given how nice these flaws are for attackers, it is not surprising that they are being exploited.

For more details, please see the reports from Sophos and SANS.

 

Apple

Apple has also released updates for many aspects of their operating system. The first set of patches focuses on Java. Over the last few weeks, an OSX+Java-focused attack called Flashback has run amok. This attack leveraged a flaw in Java that was fixed on February 14th… but not patched by Apple until April 3rd. Lucky for us, this malware was good at spreading, but not so good at being evil.

In the set of patches that came out, there were also several that focus on Safari and the disk encryption subsystem. The disk encryption problem basically exposed the encryption password (in certain cases) to people that look for it. Of course, a disk encryption solution that leaks the password is like keeping your house locked by leaving the key on the window sill. It’s just my opinion, but that’s perhaps not the best security solution.

More details on the Apple patches can be seen at ComputerWorld and Sophos.

 

Adobe

Several Adobe updates came out to address specific issues. The patched products include Flash Player, Illustrator, Photoshop, Shockwave Player and Flash Pro. Sounds good, right?  Well…

As it turns out, the Flash Player and Shockwave Player updates are free and fix the problems.  The patches for Illustrator, Photoshop and Flash Pro are free… but fix the problems by informing you that CS6 is available and that CS5 is no longer supported. Now, while it is within the rights of any company to stop supporting their products, one might argue that releasing a “security patch” that asks you to pay money and upgrade to fix the problem (assuming your hardware will run CS6) crosses the line.

There is a rumor in the industry that Adobe is backpedaling and will release updates to CS5, but they’re not out yet.

You can get the Flash player update here. Odds are that you don’t need Shockwave, so just uninstall it. Then, cross your fingers and hope that the patches for CS5 come out before your system is completely taken over and your bank account emptied to Eastern Europe. :)

This might also be a good time to check that your anti-malware software is updating and provides decent application hardening. Here’s a tip… if your anti-malware software came with your workstation, it’s probably not sufficient protection for modern attacks.

 

PHP

PHP has been updated to fix a problem in php-CGI. The php-CGI mode is available to provide better isolation for sites that run multiple virtual hosts. In this case, however, it did introduce a potential flaw. If you host multiple PHP sites on a server, please read this vulnerability report and test your system. If you’re vulnerable, apply the patches available here.

 

Bitcoin

If you were playing with the “new online currency” bitcoin and storing them in Bitconica, you probably lost money this week. A compromise of their production servers resulted in a loss of $90,000. Two months ago, a similar theft resulted in a loss of $225,000.  Some details are here.

Here’s the thing. If you are using a traditional currency, there is significant oversight on the part of the government that backs it and the banks that use it to make sure that bad things don’t happen. In a peer-to-peer currency like Bitcoin (even ignoring the lack of cryptographic analysis), there is no central governing body. Without this sort of body, the currency has no externalities and is 100% market driven. Thus, the currency will be protected by the least-accessible effort and breaches like these will continue to occur. Basically, the cost of acceptable losses is built into the currency itself and not dictated by a government. There’s nothing wrong with this, but it is a different model. Think on this before you hop on the Bitcoin train.

 

That’s it for now. I am going to do these more often for you, so they should be a bit shorter from here on out.  If I don’t cover something that you think is important, please leave us a comment and I’ll get to it on the next cycle.

Adventures in QA … Gotta love debug switches!

Debug switches … they’re useful for diagnosing and fixing stuff, but horrible for anything else.

RJS Software is first and foremost a writer of IBM iSeries and Microsoft-based software. We have a rich programming background and a wonderful crew of seasoned programmers … some of whom started back in the punch cards days of the 1960′s and 70′s.  But as good as our programmers are, we still have errors in our code from time-to-time that find their way into a customer’s hands.

Let’s be realistic, when you write hundreds of thousands of lines of code, it’s inevitable that something will slip through the cracks. Luckily, our QA team catches the obvious stuff, but occasionally a small bug will slip past their keen eyes. These bugs are the ones that only appear within a unique situation employed by a unique customer. And with those, 99.9% are completely innocuous, but it’s the 0.1% we’re always concerned about catching and fixing immediately before a real problem occurs.

Similarly, such is the case with Apple.  About three months ago, they released an update for OS X Lion version 10.7.3. Shortly after, a German IT administrator discovered a bug while reviewing the var/logs/secure.log file. He noticed that his password was being passed plain text in the secure.log file, which caused him to immediately post the error in Apple’s forum. Unfortunately, the thread was largely ignored until last week when a security researcher ran into the very same problem. He started digging and discovered the bug was the result of a debug flag that was left enabled and writes passwords plain text. It’s not actually a bug at all, it’s simply a debugging option that is performing exactly as it was designed to. But as we ourselves find, sometimes those tiny errors that aren’t supposed to be present in the production build, somehow make it past a QA team. It happens to us … it even happens to Apple.

For most Mac home users, this doesn’t really mean anything to you. This particular debug option is designed for the HomeDirMounter service and most home users are not using server-assigned home directories/server-mapped shares. The folks this is a show stopper for, however, are corporations and schools that deploy Macs in large scale where server-assigned home-share mapping is routine business.

The good news is if you haven’t migrated to OS X Lion 10.7.3 from 10.7.2, you’re in good shape. The debug flag isn’t enabled in 10.7.2. For those who have migrated, the soon-to-be released 10.7.4 version will have this debug flag disabled.