Category Archives: Mac OS

Disable Java not Bob’s Java Jive (or JavaScript)

This is not Java

It is a common misconception that there is a strong relationship between Java and JavaScript; many people even use the two words interchangeably. In fact the similarity is based entirely on a name change, from LiveScript to JavaScript, made by Netscape, who developed the technology back in 1995. The name change was widely seen as a marketing ploy at the time, and in the long term it has been responsible for a great deal of confusion.
Java is not JavaScript is not Java. It’s not even the World Famous Bob’s Java Jive. With the recent zero-day vulnerability in Java that has come to light this week, understanding that this distinction exists has become crucial to your online security.
A vulnerability in the most recent version of Java means that attackers can fool you into visiting a malicious or compromised web site and, without any further interaction on your part, use the vulnerability to install malicious code onto your computer. It has already been used to install a well-known backdoor, giving criminals remote control over the infected machine, and has been incorporated into several attack toolkits, both professional and criminal.
The fact that Java is a cross-platform environment means that it is relatively simple to create attack code for most major operating systems.
You are vulnerable to these attacks if you have Java 1.7.anything installed. This version is the most current and default version for Microsoft Windows computers. If you are using MacOS, the latest version of Java available through Apple’s Software Update is and is not vulnerable. However, if you have been keen to keep yourself patched against past vulnerabilities by staying up-to-date (normally very good advice), then you may have visited where Oracle is serving up the latest, vulnerable, version to MacOS users as well.


In the absence of a patch for this widespread and already abused vulnerability, the best advice is simply to disable Java in your web browser, and this is where the distinction between Java and JavaScript becomes key; otherwise you may very well end up disabling the wrong thing and remaining at risk.


To disable Java in Internet Explorer:
In the Tools menu of Internet Explorer, select Manage Add-Ons and disable Java™ Plug-in SSV Helper and Java 2™ Plug-in 2 SSV Helper

To disable Java in Firefox (MacOS & Windows):
In the Tools menu select Add-ons and disable the Java Deployment Toolkit, Java™ Platform and/or Java Applet Plug-in


To disable Java in Google Chrome:
Select the Wrench icon in the top right of the Chrome browser window, choose Settings and, right at the bottom, choose Show advanced settings. Find the Privacy section and click the Content Settings button. Find the Plug-ins section and click Disable individual plug-ins, look for Java and hit the Disable link. That one is well-buried!


To disable Java in Safari for MacOS:
In the Safari menu, open the Preferences dialogue box, select Security and untick the Enable Java box.
To disable Java in Safari for Windows:
Click the Gear wheel in the top right of the browser window and choose Preferences, select Security and untick the box Enable Java.
JavaScript is a whole different security conversation, but for the purposes of this current vulnerability it is irrelevant.
Image credit: Homini:)’s Flickr Photostream under creative commons.

Phishing for Apples in the Cloud

Apple customers in the UK and Australia are being targeted in a convincing-looking phishing scam with a cloudy twist.
Criminals are sending out targeted emails promising a “Discount Card” as a “reward to long-term customers”. This non-existent card supposedly offers £100 or $100 of credit at any Apple store, for the low-low price of just £9. As you can see below, the email contains enough location- and currency-specific information to make it more credible.

Phishing mail out to steal your personal info

Of course the card does not exist and will never be delivered. Instead of a link to a phishing site, the mail contains an HTML attachment, again convincing-looking, using Apple style sheets. The criminals ask for a slew of personal and financial information including name, address, driver’s licence number, date of birth, credit card number, expiry date, security code and sort code. Quite enough for some serious financial fraud.


Instead of this stolen information being directly uploaded to a criminal or compromised server, the big blue Submit button POSTs the data to a server in Amazon’s EC2 cloud as shown below with dummy data. Once the data has been successfully sent to the criminal server, the browser is redirected to the official Apple web site.

Captured traffic from the phishing attack

This cleverly crafted and targeted attack may well be enough to fool the unwary, and its abuse of commercial cloud infrastructure will make it much more likely to overcome URL blocking security mechanisms.
I have informed Amazon of this abuse of their services, but in the meantime remember, there’s no such thing as an “Apple Discount Card”.
Never respond to unsolicited email, never open files attached to unsolicited email and never enter personal data on anything other than an SSL encrypted web site (one where the address starts with “https://”). If you do receive an email making you an offer you can’t refuse, do not follow links in the mail, but contact the vendor directly, either by typing in their web address or using the good old telephone.
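The attachment described above is a form that POSTs sensitive fields to a server that has nothing to do with the brand it imitates. The following is an added example, not code from the original post, that scans an HTML attachment for exactly that pattern; the sample attachment and the EC2-style hostname (which uses a documentation address) are constructed for this example and are not the real criminal server.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that mark a field as sensitive (constructed list for this example).
SENSITIVE = ("card", "cvv", "cvc", "security", "sort", "dob", "licence", "license", "passport")

class FormScanner(HTMLParser):
    """Collect each <form>'s action, method and the names of its fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def suspicious_forms(html, trusted_domain):
    """Return (host, method, sorted sensitive field names) for each form that sends
    sensitive data outside trusted_domain; relative actions (no host) are skipped."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        trusted = host == trusted_domain or host.endswith("." + trusted_domain)
        sensitive = sorted(f for f in form["fields"] if any(k in f for k in SENSITIVE))
        if host and not trusted and sensitive:
            findings.append((host, form["method"], sensitive))
    return findings

# Constructed sample modelled on the attachment described above; the EC2-style
# hostname uses a documentation address (203.0.113.10) and is not the real server.
SAMPLE_ATTACHMENT = """<html><body>
<form action="http://ec2-203-0-113-10.compute-1.amazonaws.com/apple/submit.php" method="post">
 <input name="fullname"> <input name="address"> <input name="licence_no">
 <input name="dob"> <input name="card_number"> <input name="expiry">
 <input name="security_code"> <input name="sort_code"> <input type="submit" value="Submit">
</form>
<form action="https://www.apple.com/search" method="get"><input name="q"></form>
</body></html>"""
```

Calling suspicious_forms(SAMPLE_ATTACHMENT, "apple.com") reports only the first form: a POST to the amazonaws.com host collecting card number, date of birth, licence number, security code and sort code, while the genuine apple.com search form is ignored.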

How to check if you are a victim of Ghost Click

Ghost in the Machine (image used by permission from flattop341’s Flickr photostream)


Trend Micro and the FBI are very pleased to announce today the dismantling of a criminal botnet, in what is the biggest cybercriminal takedown in history.
This concerted action against an entrenched criminal gang is highly significant and represents the biggest cybercriminal takedown in history. Six people have been arrested through multinational law enforcement cooperation based on solid intelligence supplied by Trend Micro and other industry partners. More than 4 million victims in over 100 countries have been rescued from the malign influence of this botnet, and an infrastructure of over 100 criminal servers has been dismantled with minimal disruption to the innocent victims.
If you are worried that you might have been a victim of this criminal activity, the FBI have made an online tool available which will allow you to check if your DNS server settings have been tampered with.
First you will need to discover what your current DNS server settings are:
On a PC, open the Start menu by clicking the Start button or the Windows icon in the lower left of your screen, type “cmd” in the Search box and hit return (for Windows 95 users, select “Start”, then “Run”). This should open a black window with white text. In this window type “ipconfig /all” and hit return. Look for the entry that reads “DNS Servers” and note down the numeric addresses that are listed there.
On a Mac (yes, they can be victims too), click on the Apple icon in the top left of your screen and select “System Preferences”, then from the Preferences panel select the “Network” icon. Once this window opens, select the currently active network connection in the left column and, over on the right, select the DNS tab. Note down the addresses of the DNS servers that your computer is configured to use.
You can check whether these addresses correspond to servers used by the criminals behind Operation Ghost Click by using this online tool provided by the FBI: simply enter the IP addresses one by one and click the “check ip” button.
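The three steps above (read the DNS servers out of “ipconfig /all”, then compare each one against the rogue ranges) can be automated. The following is an added example, not code from the original post or from Trend Micro: it parses a constructed “ipconfig /all” excerpt, including the indented continuation lines that carry the second and later servers, and checks each address against a list of networks. The ROGUE_RANGES value is a placeholder documentation range, not the FBI’s published list, which you would substitute before using this for real.

```python
import ipaddress
import re

# Placeholder for the rogue DNS ranges published by the FBI for Operation Ghost
# Click; the real list is not reproduced here, so substitute it before use.
ROGUE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]   # documentation range only

def dns_servers_from_ipconfig(text):
    """Extract every DNS server listed by `ipconfig /all`. The first address sits
    after the 'DNS Servers' label; any further servers follow on indented
    continuation lines that carry nothing but an address."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$", line)
        if m:
            servers.append(m.group(1).split("%")[0])   # drop IPv6 zone id, e.g. %1
            collecting = True
            continue
        cont = re.match(r"^\s+(\S+)\s*$", line) if collecting else None
        if cont:
            servers.append(cont.group(1).split("%")[0])
        else:
            collecting = False
    return servers

def rogue_servers(servers, ranges=ROGUE_RANGES):
    """Return the subset of servers that fall inside any of the rogue ranges;
    anything that is not a valid IP address is ignored."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue
        if any(addr in net for net in ranges):
            hits.append(s)
    return hits

# Constructed `ipconfig /all` excerpt: a tampered primary server plus normal ones.
SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Ethernet Adapter
   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       fec0:0:0:ffff::1%1
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```

On the sample, dns_servers_from_ipconfig returns all three servers and rogue_servers flags only 192.0.2.53, the one inside the placeholder range.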
If you feel that your computer may have been infected, you can visit Trend Micro’s HouseCall for a free scan and clean-up and notify the FBI by submitting this form. You should also contact your Internet Service Provider for advice on restoring your legitimate DNS settings.
Ongoing updates on this threat can be found on our Operation Ghost Click landing page.