Wednesday, January 4, 2017
Ongoing Crazy Security Issues Nothing Much And Too Much To Say
--
INTRODUCTION
There are a great many computer security issues going on these days. The increase in ongoing security issues over this past spring and summer could be called an ongoing explosion of mushroom cloud proportions. The number of ongoing issues is quite literally overwhelming. As a computer security watcher, researcher, analyzer, commentator and teacher, I'm intimidated by having so much to comprehend.
Should I be writing about all of this within the context of this my Macintosh Security blog?
Because of my manifesto for this blog, my answer is no. I wish to write here only about directly dangerous issues to Apple computer users. I also wish to write articles that provide useful information, summaries and teaching for Apple computer users. I have no interest in being redundant to other people's blog work on the Internet, except in an effort to bring their work to the attention of others. I also focus what I write here at average Apple computer users. My goal is to take the complicated and translate it into information that can be both comprehended and used by average Apple computer users. Let folks like me comb through the, frankly chaotic, world of geek level information and summarize it down into something readable by mere humans.
WHAT TO SAY WHEN THERE'S NOTHING MUCH AND TOO MUCH TO SAY
Without directly helpful information to share, despite the exploding mushroom cloud of ongoing computer security issues, I say nothing. I do this because I despise FUD! Needless FEAR, UNCERTAINTY and DOUBT are worthless. They're used as methods of manipulation and propaganda. These nasty tools are used to drive us humans into a state of despair and desperation, what I call Desperation Mode, whereby we blunder our way into actions that suit the manifestos of the scum humans who are manipulating us. I have zero interest in playing these self-destructive, disrespectful games.
Therefore, when the only effect of my writing would be to create FUD, I don't write. I'm very happy to rip the mask off FUD! I'm pleased when I can point out and satirize FUD. But I never see a point in messing up others by making my own FUD.
However, I believe it is useful to at least point out what's going on in the background while I wait for something useful to provide here in the blog. There's nothing much to say, but here's what's cooking:
WHAT'S COOKING ON THE APPLE COMPUTER SECURITY STOVE?
It's difficult to create a priority list regarding these subjects. What's more important? What's a more imminent problem? So I'm not going to bother. I'm simply going to list them as I see fit in the moment.
Oracle's Internet Browser Java Plug-in:
Java remains the single most dangerous software you can run via the Internet. If you don't need to, then don't. Uninstall the Java Plug-in. Only install the Java plug-in if you run into a website that requires you to use it. Even then, use the Java security features in your web browsers as well as Java security add-ons. Apple has made the most recent versions of Safari extremely safe against abusive Java code. It's not perfect. Using the features can be intimidating and dysfunctional. But they are entirely worth using. I strongly suggest reading up on Safari's new Java control preference features as well as similar features in other browsers. I may provide my own write-up about these settings in the future.
One good change I can point to is Oracle's ongoing effort to babysit Java by informing users when their installed version of the Java Plug-in is out-of-date. This is no substitute for the sandboxing of Java, as was originally intended by Java's creators Sun Microsystems. But it's better than letting nasty little brat Java run around without a nanny to swat it when it's being naughty.
Adobe's Reader, Flash, AIR and Shockwave software:
Adobe's Internet freeware remains the second most dangerous software you can run on the Internet. If you don't need to use it, then don't. Instead, uninstall it. Only install Adobe's freeware if you run into a website that requires you to use it. Even then, use the Adobe plug-in security features in your web browsers as well as Adobe plug-in security add-ons. At this point, these features are no longer intimidating or dysfunctional. In general, they work quite well and are entirely worth using! Read up on the Adobe plug-in control preference features available within web browsers if you have questions about what they're doing.
I personally cannot stand the invasiveness of Adobe's update notification and installation features. Instead, as an advanced Mac user, I keep up with available updates on my own. Doing the same is a lot to ask of average Mac users. Therefore, it may well be best to allow Adobe's root level Launch Agent to run on your system so it can help keep you up-to-date. It's up to the user to choose what to do. Adobe's update notification is available in their installers if you'd like to use it.
Heartbleed Bug:
I've written up a couple of articles about the dangerous and ongoing problems with old implementations of OpenSSL. This problem is going to live on for years, not kidding. It's entirely curable! However, oblivious, careless and lazy server administrators aren't bothering. Therefore, this problem periodically does damage. There are now convenient hacker tools to take advantage of Heartbleed. They are scripted. You get them running, walk away, come back later and analyze the successfully harvested data. There are also analysis tools to help hackers patch together the 64-bit chunks of harvested data into a completed puzzle. If that puzzle contains exploitable user data, it is either exploited by the hacker or posted online for sale to crooks. The exploitable data can include anything from your mother's maiden name to a victim's card numbers and PIN.
Every single Internet server containing the Heartbleed Bug has now been documented. If an Internet server administrator does not know whether their server is exploitable, they should be fired or sued in civil court. I strongly expect such lawsuits to begin appearing this coming year. It's all about responsibility.
Bash Shell ShellShock Bugfest:
This is, for the moment, a dangerous problem for those running OS X servers that are directly exposed to the Internet. If you're behind a router, you are probably safe in the short term. I know full well that eventually there will be PWNing (owning, taking over or zombieing) of routers and OS X client users. I'll address those exploits if or when they become evident. For now, only OS X Internet servers are at risk.
Describing this problem is a challenge because in and of itself it is turning into a mushroom cloud of security flaws. I'll simply say that Bash (Bourne-again shell) is a UNIX shell used by OS X, OS X applications and OS X users to access CLI (command line interface) applications that are installed in the OS X system. It is old, poorly vetted, incredibly insecure software. Oddly, its numerous security flaws were unknown, at least in public, for many years. Over the past few days, the report of one single security bug in Bash has led to the revelation that Bash has an undetermined plethora of security bugs. So far, I know of two security updates for Bash that have been made available over the past few days. But they do NOT solve the ongoing revelations of further security flaws.
The upshot is that Bash itself is not fit for use on servers exposed to the Internet. At the moment, that has led to debate and study of three options:
1) Playing whack-a-mole by daily patching Bash as each new security flaw is discovered.
OR
2) Using an adequate replacement of the Bash shell.
OR
3) Taking affected servers OFF the Internet until a full and final solution is developed.
Meanwhile: Bash Internet exploit tools have already been made available to hackers, and they're being used.
Replacing Apple's installed version of the Bash shell is a huge PITA unless you understand exactly why and what you're doing. I cannot recommend bothering with it unless you're an advanced user who knows how to use the CLI to run their Mac. It is such a huge PITA that I have consistently run into Mac computer geeks who have posted WRONG and INCOMPLETE instructions for replacing Apple's Bash shell. When the geeks can't get it right, no way should average Mac users touch it.
Thankfully, as I indicated above, no average Mac users need bother to worry about the Bash shell security flaws affecting their computer. Only OS X server administrators need worry about it, for now. This may well change! If the Bash problems aren't solved in a hurry, there will no doubt be related attacks on average users' routers and Trojan horses to abuse their Macs, if not outright PWN them. That's a worry for another day, if it happens at all. Meanwhile, we sit and wait for the experts to thrash through the Bash source code and clean up the potentially catastrophic mess buried therein.
There are piles of ongoing, constantly going out-of-date articles about the Bash ShellShock bugs. Keeping up will drive you nuts. If you're that kind of person, be sure to read only the most up-to-date articles AND be sure to read from a variety of sources. That's the only way to know what's actually going on at-the-moment. Bash analysis is constantly revealing new problems. New exploits are constantly showing up on the net.
Here's one very good overview, for today anyway, of the Bash ShellShock bugfest, posted by Intego:
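A local self-check for the Bash flaw described above, added here as an example and not part of the original post: it hands the installed Bash an environment variable shaped like a function definition followed by a harmless echo, and reports whether Bash executes that trailing command. The marker string and function names are my own.

```shell
#!/bin/sh
# Added example (not the blog's code): check the locally installed Bash for
# the original ShellShock variant, where Bash imports an environment variable
# that looks like a function definition and runs whatever follows it.
# This only covers that first variant; later Bash flaws need the vendor's
# follow-up patches, so compare bash_version against the vendor's fixed release too.

shellshock_status() {
    # Prints: "patched", "vulnerable", or "no-bash" (Bash not installed).
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # TESTVAR is a constructed marker: the payload after the function body is
    # only a harmless echo, run against this machine's own Bash.
    out=$(env TESTVAR='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

bash_version() {
    # Report the installed Bash version string for comparison with the fixed release.
    if command -v bash >/dev/null 2>&1; then
        bash -c 'echo "$BASH_VERSION"'
    else
        echo none
    fi
}

echo "bash version: $(bash_version)"
echo "shellshock (function import variant): $(shellshock_status)"
```

On a Bash that has received the fix, the marker never appears and the check reports "patched"; an unpatched Bash prints the marker before "probe".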
http://www.intego.com/mac-security-blog/shellshock-vulnerability-what-mac-os-x-users-need-to-know/
Retail POS POS Device Malware:
"POS" has two meanings relevant to this problem. The first meaning is Point Of Sale, regarding devices that are used to collect customer payment data, be they Chip and PIN card readers or magnetic stripe card readers. (To be clear, if a POS device has this problem, using Chip and PIN solves nothing-at-all. Don't be fooled by claims to the contrary). The second meaning is a deliberate punning obscenity which I'll leave you to translate. I use this obscenity because these devices are an obscenity of bad technology.
This is another curable security problem that lazy, stupid, cheap retailers are NOT patching. The stupidity involved is stunning and beyond comprehension. From my point of view, this catastrophe fits perfectly into my concepts of bad biznizz. These are companies who literally don't give a rat's about their customers, to say the least, to state the obvious. They don't know how to run their businesses. They are distinctly anti-capitalist in their attitudes and their obliviousness. I'd like to be kind and say that these companies may only, innocently, be ignorant of the technology they're using to enable their businesses. But that is NOT the case. They know exactly what technology they're using and they are making the choice to IGNORE the requirements of owning and using that technology.
I've previously written about the source of this problem. My quick summary is this:
1) These devices use Windows XP Embedded as their operating system.
2) Windows XP exposes all collected data in-the-clear (having no encryption) in RAM on these machines.
3) Hackers on the Internet search for and find routes by which they are able to BOT (aka PWN) all the POS devices networked within a victim company. They also BOT at least one node server computer within the same network.
4) The malware hacked onto these machines sits in wait, watching all the data revealed in RAM, then sends that data off to a server node within the network of the infected company. The collected data is then sent over the Internet to the hacker bot wranglers out on the Internet.
5) The collected data is then analyzed. Personal data is extracted. This data includes everything read into the retail POS devices, including card numbers and PIN numbers. (Yes, this includes Chip and PIN card data).
6) This personal data is then either used or sold on the Internet to crooks.
After the initial catastrophic revelations of this problem (thank you Target, Neiman Marcus, ad nauseam), security updates were provided by Microsoft to update these archaic Windows XP Embedded devices. The updates did NOT solve the problem of in-the-clear exposure of personal data in RAM. They won't be able to solve that problem! But these patches have at least been swatting at each specific variant of malware being used to PWN these POS devices.
Except, a great many companies are NOT updating their POS devices. This is inexcusable. This is irresponsible. This constitutes customer abuse, as future court cases will no doubt prove. And of course, this is bad biznizz. The biggest recent new revelation of PWNed POS devices and the subsequent sale of customer personal data over the Internet has come from the willfully stupid company Home Depot. The latest figure I have read is that Home Depot literally gave away 56 MILLION customer card accounts. Unforgivable.
New revelations of retail POS POS device PWNing are happening at an incredible rate. These revelations are not stopping. The number of worthless companies who are ignoring this problem is incomprehensible. Everyone loses, from the companies to the banks to the disrespected customers. The only winners are the hacker crooks. And yet this problem is NOT abating.
Obviously, this problem has no direct impact on Apple computer users. It does impact every credit and debit card user, many of whom are Apple computer users. Therefore, it's relevant here at this blog. Expect more of this curable security nightmare well on into the future.
The ultimate solution to in-the-clear data in RAM is end-to-end encryption. We're going to be hearing references to this concept also well on into the future until such time as it becomes the DEFAULT in the retail industry. And again: Chip and PIN cards do NOT solve this problem. They have nothing to do with it. Magnetic stripe cards have nothing to do with it. Insecure POS devices and bad biznizziz are the problem.
And so forth...
The above are the big ongoing problems. There are smaller problems as well, the most prominent of which is:
ADWARE. My colleague Thomas Reed is brilliantly covering the adware problem and has created a detection and removal tool, AdwareMedic, which I highly recommend! I've been a beta-tester for Thomas's adware tool and have been thoroughly impressed. If you've been the victim of adware, head over to Thomas's The Safe Mac website for both documentation and the solution. Bravo Thomas!
Thomas's The Safe Mac website covers many Apple computer security issues that I don't. I'd check out Thomas's site side-by-side with mine. Thomas maintains what we both consider the definitive list of both old and new Mac malware. Because Thomas and I belong to a great group of malware researchers and writers created by Mark Allen, the creator of the terrific ClamXav anti-malware, many of us on the Internet are coordinating our work and publications. You'll find all of these colleagues listed on the right side of this page under Friends of Mac-Security. I recommend the work of all of them.
For malware detection and removal I recommend that all Mac users check out and support ClamXav. It's donationware, free to download and use, and well worth installing on every Mac. It finds and removes the vast majority of not only Mac malware, but also Windows and Linux malware. It's a gem of the Mac community. ClamXav is available from the Apple App Store. I strongly suggest instead downloading it directly from Mark's ClamXav website, as that version includes efficient, non-invasive real-time malware scanning. This feature means you can automatically scan every file you download from the Internet. If you wish, you can aim ClamXav's real-time scanning specifically at your Downloads folder, a terrific way to catch Trojan horses and break social engineering by malware rats. (Unfortunately, at this time Apple does not allow real-time scanning in apps offered at the App Store).
There are a number of excellent commercial anti-malware programs. My personal favorites are from Intego and Sophos. Many people prefer anti-malware from F-Secure and Avast. (I would have put Kaspersky AV in this list. But Eugene Kaspersky's outrageous Mac security FUD mongering on his blog this week killed my enthusiasm dead. What a shill! What a Symantec-clone!)
[Update 2014-10-28: I added Avast to the preferred list above. My apologies for not putting it there in the first place. A good friend of mine considers Avast to have the best free anti-malware application available. My blunder: Confusing it with another free anti-malware app that was infesting victims with adware.]
There are also some awful anti-malware programs. I personally suggest staying away from Symantec's Norton AntiVirus, PCTools iAntiVirus, and MacKeeper. I've found these applications to generally be inadequate, buggy, out-of-date or outright abusive to users.
For detecting both legal and illegal spyware, any of the recommended commercial anti-malware programs can be useful. The MacScan shareware application specifically targets spyware. However, I have never been impressed by the thoroughness of its scans. Therefore, if you believe it might be useful, be sure to test it before buying it.
As usual, the very best overall advice I can offer is to:
1) Make A Backup! It's the #1 Rule of Computing. If you don't back up, you deserve what you get.
2) Keep Up-To-Date! This is particularly important for Apple software.
3) Before You Update OS X, be sure to:
- Repair your boot volume.
- Repair your boot volume's permissions.
(Yes, repair your permissions. It's not crucial, but it can be extremely useful).
Thus ends today's mind dump.
I hope you find this useful, versus merely mind-numbing.
:-Derek