<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CounterMeasures -  A Security Blog » Social Engineering</title>
	<atom:link href="http://countermeasures.trendmicro.eu/category/social-engineering/feed/" rel="self" type="application/rss+xml" />
	<link>http://countermeasures.trendmicro.eu</link>
	<description>Trend Micro’s Rik Ferguson blogs about current security issues.</description>
	<lastBuildDate>Wed, 01 Feb 2012 14:48:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>&#8217;tis the season to be squatting</title>
		<link>http://countermeasures.trendmicro.eu/tis-the-season-to-be-squatting/</link>
		<comments>http://countermeasures.trendmicro.eu/tis-the-season-to-be-squatting/#comments</comments>
		<pubDate>Wed, 14 Dec 2011 16:06:36 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data protection]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[christmas]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[online shopping]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3206</guid>
		<description><![CDATA[In the run up to Christmas criminals are abusing the opportunity to prey on online shoppers with tired eyes and weary fingers. Many thousands of misspelled versions of popular retail destinations have been registered by criminals in the hope that the unwary consumer will land there by accident. Customers of popular online retailers such as [...]]]></description>
			<content:encoded><![CDATA[<p>In the run up to Christmas criminals are abusing the opportunity to prey on online shoppers with tired eyes and weary fingers. Many thousands of misspelled versions of popular retail destinations have been registered by criminals in the hope that the unwary consumer will land there by accident. Customers of popular online retailers such as John Lewis, Debenhams and Argos have all been targeted.<br />
&nbsp;<br />
<div id="attachment_2047" class="wp-caption alignleft" style="width: 386px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/whackamole.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/whackamole.jpg" alt="" title="Animal Kingdom" width="376" height="500" class="size-full wp-image-2047" /></a><p class="wp-caption-text">Image from Joe Shlabotnik&#039;s Flickr stream under creative commons</p></div><br />
&nbsp;<br />
The criminal websites are often copies of the legitimate website, copies that aim to pass off counterfeit goods, redirect the visitor through money-spinning advertising links or to harvest personal and financial information if a “purchase” is made. In other instances the misspelled domain names can lead to objectionable content or even to websites loaded with exploits that aim to infect the victim machine with information stealing malware or to recruit it into a botnet, a network of compromised machines under the remote control of a criminal.<br />
&nbsp;<br />
Typosquatting has been around almost as long as the world-wide web, in fact US legislation dating back to 1999, the <a href="http://en.wikipedia.org/wiki/Anticybersquatting_Consumer_Protection_Act">Anticybersquatting Consumer Protection Act</a>, contains a specific clause (Section 3a) aimed at combatting this phenomenon. In the past individual companies have been known to spend large amounts of money in bringing cybersquatters to justice. Lego, for example, have previously spent more than half a million US dollars pursuing cybersquatters through the <a href="http://www.icann.org/en/udrp/udrp.htm">Uniform Domain-Name Dispute-Resolution Policy (UDRP)</a> going after such domain names as <em>legoworskhop.com</em> in an effort to protect their brand.<br />
&nbsp;<br />
However in this most recent outbreak of typosquatting, we are not talking about domain names which simply include the names of well-known brands, rather those that prey on our lack of attention to detail. In the rush to get the online Christmas shopping done, how sure can you really be that you were shopping at the legitimate debenhams.com rather than the typosquatted debanhams.com, or marksandspencer.com rather than marsandspencer.com or markandspencer.com (I would recommend <strong>*not*</strong> visiting these by the way).<br />
&nbsp;<br />
<a href="http://www.theregister.co.uk/2011/11/21/uk_cybercops_fraud_site_takedown/">This year</a> and <a href="http://countermeasures.trendmicro.eu/british-police-remove-drop-from-ocean/">last</a>, British law enforcement have been doing their best to crack down on dodgy online shopfronts, however efforts to suspend illegitimate domain names can only ever represent a game of whac-a-mole in the fight against evil online traders. Criminals can register vast reserves of domain names in advance and, when one gets shut down, simply activate another as required.<br />
&nbsp;<br />
And that is the real issue: far too many DNS domains, including .co.uk and those of many other countries, are operated as “open” domains and <a href="http://www.nominet.org.uk/registrants/aboutdomainnames/rules/">in the words of Nominet</a><br />
&nbsp;<br />
&#8220;<em>We do not impose restrictions on your status as applicant for the registration of a Domain Name in the following SLDs (&#8220;Open SLDs&#8221;):</em><br />
&nbsp;<br />
<em>1. 4.4.1 .co.uk; or</em><br />
&nbsp;<br />
<em>2. 4.4.2 .org.uk.</em><br />
&nbsp;<br />
<em>In the SLD Charter of the SLD Rules for the Open SLDs we do set out certain intentions regarding the class of applicant or use of registrations of the Domain Name which we assume you will comply with when applying for a registration of a Domain Name within an Open SLD. <strong>However, we do not forbid applications, and will take no action in respect of registrations that do not comply with the SLD Charters</strong></em>&#8221;<br />
&nbsp;<br />
Until regulation is tightened and international cooperation is improved then well-intentioned law-enforcement initiatives will only be treating the symptom not addressing the cause.<br />
&nbsp;<br />
In the meantime, be careful where you click and if you are planning on some serious online shopping sessions you may be wise to create yourself some bookmarks to popular online shopping sites rather than relying on your typing skills standing up to the Christmas rush.<br />
&nbsp;<br />
On that note here are <a href="http://uk.trendmicro.com/uk/about/infographics/safety-tips-for-online-shopping/">5 great tips for shopping safely online</a> from Trend Labs.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/tis-the-season-to-be-squatting/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Verified by Visa?</title>
		<link>http://countermeasures.trendmicro.eu/verified-by-visa/</link>
		<comments>http://countermeasures.trendmicro.eu/verified-by-visa/#comments</comments>
		<pubDate>Thu, 01 Dec 2011 15:18:43 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[countermeasures]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3166</guid>
		<description><![CDATA[&#160; In 2001 Visa introduced a security protocol they called 3DS, short for 3 Domain Secure in an attempt to reduce the incidence of credit card fraud in online purchases. 3DS is better known by the names used by the various card issuers when they implement the system &#8220;Verified by Visa&#8221;, &#8220;MasterCard Secure Code&#8221;, &#8220;J/Secure&#8221; [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_3178" class="wp-caption alignleft" style="width: 407px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/12/monkeys.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/12/monkeys.jpg" alt="" title="monkeys" width="397" height="226" class="size-full wp-image-3178" /></a><p class="wp-caption-text">used under creative commons from johnsnape&#039;s Flickr</p></div><br />
&nbsp;<br />
In 2001 Visa introduced a <a href="http://en.wikipedia.org/wiki/Verified_by_Visa">security protocol they called 3DS</a>, short for 3 Domain Secure, in an attempt to reduce the incidence of credit card fraud in online purchases. 3DS is better known by the names used by the various card issuers when they implement the system: &#8220;<em>Verified by Visa</em>&#8221;, &#8220;<em>MasterCard Secure Code</em>&#8221;, &#8220;<em>J/Secure</em>&#8221; (JCB International) and &#8220;<em>SafeKey</em>&#8221; (American Express). The trouble is that 3DS doesn&#8217;t really present any barrier at all, to even the average fraudster, at least in the way that it is implemented by card issuers that I tested.<br />
&nbsp;<br />
In the <a href="http://www.visaeurope.com/en/cardholders/verified_by_visa/faqs.aspx" target="_blank">FAQ</a> published by Visa they say &#8220;<em>Verified by Visa protects your card against unauthorised transactions, giving you complete confidence when shopping online</em>&#8221;. Later in the same FAQ they also state &#8220;<em>If you forget your password you can easily reset it</em>&#8221; and therein lies the problem. The following relates to implementations by the credit card issuers I was able to test, not necessarily to the entire 3DS system.<br />
&nbsp;<br />
The problem stems from a very basic design flaw. If you are making a purchase through a merchant that is subscribed to the program, you will be redirected, during the payment phase, to a 3DS verification page. On this page you confirm the details of the transaction, enter your password and hey presto, the transaction is complete. So far so good, the merchant never sees my password, no transaction with that merchant can be completed without it and I&#8217;m protected, but&#8230;<br />
&nbsp;<br />
What would a criminal do if they had access to your card details but not your password? Of course, there&#8217;s that handy &#8220;I forgot my password&#8221; link. Let&#8217;s see how well protected that is.<br />
&nbsp;<br />
The first step in the password reset procedure is to enter your card number, obviously to ensure you are resetting the password for the correct account. Once that number is entered the system now requires some corroborating data to be sure that you are the legitimate account holder. Let&#8217;s have a look at that &#8220;<em>Identification</em>&#8221; phase.<br />
&nbsp;<br />
<div id="attachment_3167" class="wp-caption alignleft" style="width: 414px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/12/step-2.png"><img class="size-full wp-image-3167" title="Second step in password reset" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/12/step-2.png" alt="" width="404" height="428" /></a><p class="wp-caption-text">Second step in password reset</p></div><br />
&nbsp;<br />
Oh noes, this doesn&#8217;t look good at all! Three out of four of the items of information used to verify my identity are <strong>all contained in the credit card data itself</strong>, embossed or printed on the card and contained in the magnetic stripe data. Wouldn&#8217;t the criminal already have access to this? So what remains? One piece of information that is not included on the card. Trouble is, it&#8217;s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.<br />
&nbsp;<br />
Having entered the required information all that remains is to enter a new password of your choosing and your transaction is authorised. Worse still, no email notification is sent to alert the cardholder that their account has been accessed or modified. The cardholder need never know until they check their statements.<br />
&nbsp;<br />
So what should be improved? There&#8217;s nothing new or amazing here, just some really basic steps that need to be incorporated into the process.<br />
&nbsp;</p>
<ul>
<li>Upon enrolling in the system, cardholders should be requested to set a &#8220;Secret question&#8221; which will later serve as authentication data for a password change.</li>
<li>Instead of simply clicking through to the reset screen, a one time password reset URL should be delivered to a registered email address.</li>
<li>Whenever a change to the account details is requested, or is successful, the registered email address should receive a notification message.</li>
</ul>
<p>&nbsp;<br />
Oh, one more thing, it would be really great if I could use special characters in my password, please.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/verified-by-visa/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Sony (not) hacked</title>
		<link>http://countermeasures.trendmicro.eu/sony-not-hacked/</link>
		<comments>http://countermeasures.trendmicro.eu/sony-not-hacked/#comments</comments>
		<pubDate>Wed, 12 Oct 2011 13:45:25 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data protection]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3069</guid>
		<description><![CDATA[&#160; News reports today are characterising an attack against the Sony PlayStation Network (PSN) and Sony Entertainment Online (SOE) as &#8220;another hack&#8221; or &#8220;Sony hacked again&#8221;. However, according to a blog post from Sony&#8217;s SVP and Chief Information Security Officer, that simply isn&#8217;t the case. &#160; The attack against PSN accounts belonging to Sony subscribers [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_3075" class="wp-caption alignleft" style="width: 510px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/10/password.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/10/password.jpg" alt="Enter your password" title="Enter your password" width="500" height="293" class="size-full wp-image-3075" /></a><p class="wp-caption-text">Enter your password</p></div><br />
&nbsp;<br />
News reports today are characterising an attack against the Sony PlayStation Network (PSN) and Sony Entertainment Online (SOE) as &#8220;<a title="Sony hacked again (again)" href="http://news.techeye.net/security/sony-hacked-again-again" target="_blank">another hack</a>&#8221; or &#8220;<a title="Sony hacked again" href="http://crave.cnet.co.uk/gamesgear/sony-hacked-again-with-93000-accounts-compromised-50005593/" target="_blank">Sony hacked again</a>&#8221;. However, according to a <a title="An important message from Sony's Chief Information Security Officer" href="http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/">blog post</a> from Sony&#8217;s SVP and Chief Information Security Officer, that simply isn&#8217;t the case.<br />
&nbsp;<br />
The attack against PSN accounts belonging to Sony subscribers went like this&#8230; Person or persons unknown built or obtained a database of username and password pairs which they attempted to use to log into the PSN and SOE. The &#8220;overwhelming majority&#8221; of access attempts using these pairs of credentials failed; in fact less than 0.1% were successful. For this reason Sony suspect that the credentials used were not stolen from Sony directly, either now or in past intrusions. The database in question was most probably email and password pairs that have been obtained elsewhere but were being used in a brute force attack against Sony, in the knowledge that users have the unfortunate habit of reusing passwords across multiple services.<br />
&nbsp;<br />
When Sony detected this irregular activity against its servers it immediately locked out all of the affected accounts and is informing the affected users that they need to change their passwords. Only a small fraction of that 0.1% showed evidence of irregular activity before Sony locked them down, meaning that the damage was successfully contained.<br />
&nbsp;<br />
In reality this story should not be characterised as a failure over at Sony, but rather a success. Through their own monitoring systems they detected anomalous behaviour, acted quickly to contain the damage and locked out the accounts affected. They are also obliging the affected users to change their service passwords to better secure themselves in the future. Of course given the <a href="http://countermeasures.trendmicro.eu/70-million-customers-affected-by-the-sony-breach/" title="70 million customers affected by the Sony breach" target="_blank">past intrusion at Sony</a>, there is every possibility that the data does relate to that stolen from Sony earlier, but this also indicates that the mass password reset policy it instituted after the event served to render the majority of that data unusable.<br />
&nbsp;<br />
After all it is not, as Sony have learned to their cost, whether you get attacked that is important, it&#8217;s how you deal with it. The lesson for Sony customers is not that Sony hasn&#8217;t learned lessons, it is rather that we as users still have some important lessons to learn.<br />
&nbsp;<br />
It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is a simple way to achieve this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&#038;!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember.<br />
 &nbsp;<br />
As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/sony-not-hacked/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Making the most of Facebook privacy &#8211; Part II</title>
		<link>http://countermeasures.trendmicro.eu/making-the-most-of-facebook-privacy-part-ii/</link>
		<comments>http://countermeasures.trendmicro.eu/making-the-most-of-facebook-privacy-part-ii/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 11:40:14 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3048</guid>
		<description><![CDATA[The full guide to Facebook security settings is now available for download Making the Most Out of Facebook&#8217;s Privacy Settings. &#160; The first part in this series of posts can be found here. &#160; Now it gets more granular&#8230; Let’s look at “Privacy Settings” which can be accessed through the drop down menu in the top [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The full guide to Facebook security settings is now available for download <a href='http://countermeasures.trendmicro.eu/wp-content/uploads/2012/01/Making-the-Most-Out-of-Facebooks-Privacy-Settings.pdf'>Making the Most Out of Facebook&#8217;s Privacy Settings</a>.</strong><br />
&nbsp;<br />
The first part in this series of posts can be found <a title="Making the most of Facebook privacy - Part I" href="http://countermeasures.trendmicro.eu/making-the-most-of-facebook-privacy-part-i/" target="_blank">here</a>.<br />
&nbsp;<br />
Now it gets more granular&#8230; Let’s look at “Privacy Settings” which can be accessed through the drop down menu in the top right of your Facebook page.<br />
&nbsp;<br />
<div id="attachment_3049" class="wp-caption alignleft" style="width: 523px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/10/FBPrivGran.png"><img class="size-full wp-image-3049" title="Facebook privacy settings" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/10/FBPrivGran.png" alt="Facebook privacy settings" width="513" height="232" /></a><p class="wp-caption-text">Facebook privacy settings</p></div><br />
&nbsp;<br />
<strong>How you connect:</strong><br />
&nbsp;<br />
Change the setting for “<em>Who can look up your timeline by name or contact info</em>”, “<em>Who can post on your timeline</em>” and “<em>Who can see posts by others on your timeline</em>” to <strong>Friends.</strong> The default setting is <strong>Everyone</strong> except for “<em>Who can see posts by others</em>” which defaults to <strong>Friends of Friends</strong>; this setting is the cause of much of the noise in the ticker that so upset everyone when it was introduced.<br />
&nbsp;<br />
The settings for “<em>Who can send you messages</em>” and “<em>Who can send you friend requests</em>” are just a question of how contactable you want to be, personal preference, again the default is <strong>Everyone</strong>.<br />
&nbsp;<br />
<strong>How tags work:</strong><br />
&nbsp;<br />
<strong>Set <em>Timeline Review</em> to On. </strong>This does not stop you from being tagged in posts and those posts and tags will still appear in others’ feeds if they are connected to the originator or to someone else tagged in the photo, but they won’t appear on your wall/Timeline until you approve them. By default this is turned off.<br />
&nbsp;<br />
<strong>Set <em>Tag Review</em> to On</strong>. When someone tags your content, you must review before it is posted. This is useful because once a person is tagged in a picture, post or comment, both that person and their own friends can see the content. Content you may not have wanted to share more widely. By default this is turned off.<br />
&nbsp;<br />
<strong>Set <em>Maximum Timeline Visibility</em> to Friends</strong>. This controls the maximum extent of who can view posts to your *own* timeline. Don’t forget this content may have initially been posted on someone else’s wall and you cannot restrict the visibility of the original post. By default this is set to <strong>Friends of Friends</strong>.<br />
&nbsp;<br />
<strong>Set <em>Tag Suggestions</em> to Off</strong>. This feature will suggest your name when someone uploads a picture that Facebook thinks looks like you. By default this is turned on.<br />
&nbsp;<br />
<strong>Set <em>Friends can check you into Places</em> to Off </strong>– that way, you’re not going to get checked in to somewhere you would rather have kept secret, or even somewhere you never were. By default this is turned on.<br />
&nbsp;<br />
<strong>Apps and websites</strong><br />
&nbsp;<br />
The <em>Information accessible through your friends</em> section controls what information <strong>about you</strong> can be accessed by Apps that <strong>your friends</strong> may have installed. Deselect every check box in this section. You will find that by default they are almost all allowed.<br />
&nbsp;<br />
<em>Instant personalisation</em> shares Facebook data with certain partner websites. If the option is available, uncheck the box to turn it off. If it is greyed out it means that Instant personalisation is not yet available to your account. Note that it is turned on by default, so try to remember to keep an eye on it because you are not able to disable it until the feature is already turned on&#8230;<br />
&nbsp;<br />
<em>Public Search</em>: if you’ve been following the recommendations so far, this feature should already be off because you changed <em>Who can look up your timeline</em> to Friends only.<br />
&nbsp;<br />
<em>Limit the audience for past posts</em>. Click <em>Manage past post visibility</em> and then click <em>Limit old posts</em>. This will ensure that any posts you have made in the previous years on Facebook will have their privacy restricted to Friends only. Unfortunately there is no indicator that tells you whether you have previously done this, so if you’re unsure, just do it again.<br />
&nbsp;<br />
Part three of this series is available <a href="http://countermeasures.trendmicro.eu/making-the-most-of-facebook-privacy-part-iii/" title="Making the most of Facebook privacy - Part III" target="_blank">here</a>.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/making-the-most-of-facebook-privacy-part-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Making the most of Facebook privacy &#8211; Part I</title>
		<link>http://countermeasures.trendmicro.eu/making-the-most-of-facebook-privacy-part-i/</link>
		<comments>http://countermeasures.trendmicro.eu/making-the-most-of-facebook-privacy-part-i/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 11:07:29 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3038</guid>
		<description><![CDATA[The full guide to Facebook security settings is now available for download Making the Most Out of Facebook&#8217;s Privacy Settings. &#160; Since the long list of new features recently unveiled has begun to be rolled out for all Facebook users; I have been receiving ever-increasing amounts of questions from friends, colleagues and Countermeasures readers concerned [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The full guide to Facebook security settings is now available for download <a href='http://countermeasures.trendmicro.eu/wp-content/uploads/2012/01/Making-the-Most-Out-of-Facebooks-Privacy-Settings.pdf'>Making the Most Out of Facebook&#8217;s Privacy Settings</a>.</strong><br />
&nbsp;<br />
Since the long list of new features recently unveiled has begun to be rolled out for all Facebook users, I have been receiving an ever-increasing number of questions from friends, colleagues and Countermeasures readers concerned with how their online privacy may be affected. So I have put together this guide to <em>Making the Most of Facebook Privacy in 2011. </em>I refer to the forthcoming Facebook feature &#8220;Timeline&#8221; a lot in this post, but don&#8217;t be fooled: these settings are available right now, even if you haven&#8217;t <a href="http://countermeasures.trendmicro.eu/it-aint-the-timeline-its-the-ticker-doc/">enabled Timeline</a> yet.<br />
&nbsp;<br />
<strong>Don&#8217;t Get Facejacked</strong><br />
&nbsp;<br />
So initially, let&#8217;s get to the recommended settings for locking down your Facebook security without having a negative effect on your enjoyment of the social network. Follow the three steps in <a href="http://countermeasures.trendmicro.eu/3-steps-to-protect-yourself-from-facejacking/">this earlier blog article</a> to help protect your account from unauthorised access, so-called &#8220;facejacking&#8221;.<br />
&nbsp;<br />
<strong>Lock Out Leakage</strong><br />
&nbsp;<br />
With that out of the way, let&#8217;s go on to tweak your account and privacy settings to better protect the content you share and control the audience with whom you share it. Let&#8217;s look at &#8220;Account Settings&#8221;, which can be accessed through the drop-down menu in the top right of your Facebook page.</p>
<p>&nbsp;</p>
<div id="attachment_3041" class="wp-caption alignleft" style="width: 588px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/10/FBApps.png"><img class="size-full wp-image-3041" title="Facebook Account Settings" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/10/FBApps.png" alt="Facebook Account Settings" width="578" height="225" /></a><p class="wp-caption-text">Facebook Account Settings</p></div>
<p>&nbsp;</p>
<p><strong>App &amp; Adverts </strong><br />
&nbsp;<br />
In this menu you should review the individual permissions that you have allowed the Apps that you have installed. Have a first pass through this list and remove any apps you no longer use. Then review individual permissions by clicking the Edit link next to each remaining App. Some permissions are required for an App to work but many optional permissions can be revoked here. At the same time, ensure that the App itself is not giving out too much information by changing the setting &#8220;<em>Who can see posts and activity from this app</em>&#8221; to &#8220;<strong>Friends</strong>&#8221; unless you have specific Apps that you wish to grant greater visibility.<br />
&nbsp;<br />
Finally, in the <em>Facebook Adverts</em> section, change the <em>Third party advert settings</em> and <em>Edit Social Advert settings</em> to <strong>No one</strong>. The default setting here is <strong>Friends</strong>.<br />
&nbsp;<br />
<strong>Protect Your Privacy</strong><br />
&nbsp;<br />
The changes to Facebook have radically changed the ways in which we can share content with our friends, friends of friends and the general public. There are two main ways to configure this privacy: when you post through the Facebook interface, or when you post through a device or App that doesn&#8217;t allow per-post privacy settings. To configure these settings select <em>Privacy Settings</em>, which is accessed through the same drop-down menu as above.<br />
&nbsp;<br />
<div id="attachment_3043" class="wp-caption alignleft" style="width: 509px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/10/FBPriv.png"><img class="size-full wp-image-3043" title="Facebook Privacy" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/10/FBPriv.png" alt="Facebook Privacy" width="499" height="373" /></a><p class="wp-caption-text">Facebook Privacy</p></div></p>
<p>&nbsp;</p>
<p>The Default Privacy setting only applies to posts made through an interface or App that doesn&#8217;t support inline sharing controls. I recommend setting this to <strong>Friends</strong>; the default setting again is <strong>Public</strong>.<br />
&nbsp;<br />
In the next part of this blog series, I detail some of the more specific settings for controlling how you share information and perhaps more importantly, how information is shared about you.<br />
&nbsp;<br />
Part two of this series is available <a href="http://countermeasures.trendmicro.eu/making-the-most-of-facebook-privacy-part-ii/" title="Making the most of Facebook privacy - Part II" target="_blank">here</a>.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/making-the-most-of-facebook-privacy-part-i/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>It ain&#8217;t the Timeline, it&#8217;s the Ticker, Doc.</title>
		<link>http://countermeasures.trendmicro.eu/it-aint-the-timeline-its-the-ticker-doc/</link>
		<comments>http://countermeasures.trendmicro.eu/it-aint-the-timeline-its-the-ticker-doc/#comments</comments>
		<pubDate>Fri, 23 Sep 2011 22:38:12 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3018</guid>
		<description><![CDATA[&#160; Ever since the forthcoming Facebook profile changes were announced earlier this week at the f8 Facebook Developer Conference, there has been a lot of talk online about how the new Timeline layout of your user profile will affect your privacy. &#160; Essentially Facebook is taking all of the information that you have already entered into the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/09/New-timeline.png"><img class="alignleft size-full wp-image-3020" title="My Timeline profile" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/09/New-timeline.png" alt="" width="539" height="292" /></a><br />
&nbsp;<br />
Ever since the forthcoming <a title="Zuckerberg announces revamp" href="http://www.telegraph.co.uk/technology/facebook/8783010/Facebook-f8-Zuckerberg-announces-revamp.html" target="_blank">Facebook profile changes </a>were announced earlier this week at the <a title="f8 on Facebook" href="https://www.facebook.com/f8">f8 Facebook Developer Conference</a>, there has been a lot of talk online about how the new Timeline layout of your user profile will affect your privacy.</p>
<p>&nbsp;</p>
<p>Essentially Facebook is taking all of the information that you have already entered into the social network, your profile, your photos, your posts, comments and others&#8217; comments about you, and presenting it in clickable chronological order. This has given some commentators cause for concern. Not I.<br />
&nbsp;<br />
I&#8217;ll admit that when I first read about the changes I was a little worried, even to the point where I messaged my girlfriend to express my concern (I know, geek). So I thought to myself, &#8220;<em>Ferguson, don&#8217;t be so negative, at least check it out first before going off the deep end.</em>&#8221;<br />
&nbsp;<br />
So I logged into Facebook and enabled the new Timeline view (it&#8217;s not publicly released yet, but <a title="How to enable the new Facebook Timeline NOW" href="http://mashable.com/2011/09/22/how-to-facebook-timeline/" target="_blank">here&#8217;s</a> how you can get it in advance) and to be honest I loved what I saw. It&#8217;s pretty, it&#8217;s intuitive and it certainly says a lot more about me (it&#8217;s a profile after all) than the previous layout.<br />
&nbsp;<br />
Enough of the aesthetics though, what of the security concerns? The thing that led me to write this blog was an <a title="Facebook's Timeline will be a boon for hackers" href="http://www.computerworld.com/s/article/9220240/Facebook_s_Timeline_will_be_boon_for_hackers?taxonomyId=17&amp;pageNumber=1" target="_blank">article </a>by Gregg Keizer which featured commentary from Sophos&#8217; Chet Wisniewski. Chet is of the opinion that the new layout simplifies the procedure of data mining any given individual; he says &#8220;<em>Timeline makes it a heck of a lot easier [for attackers] to collect information on people</em>&#8221;. He&#8217;s right too: if I had previously wanted to look at everything someone had ever done on Facebook, it would have meant aeons of clicking to load older posts. Now it&#8217;s all presented in a scrollable timeline, which is much simpler. So why do I disagree?<br />
&nbsp;<br />
Timeline certainly makes it easier for <em>anyone who has access to my profile</em> to find out about my Facebook past, but my profile is set to private. Not only that, I am also very selective about who I add as a friend on Facebook. In all honesty I really don&#8217;t mind my friends data-mining me if they have nothing better to do on a rainy afternoon. I&#8217;d have to wonder why, but hey, whatever turns your crank&#8230; Incidentally, Timeline also lets you <a href="http://gizmodo.com/5843318" title="Use the New Facebook To See Who Unfriends You" target="_blank">work out who has &#8220;unfriended&#8221; you</a>.<br />
&nbsp;<br />
Of course if my profile was configured to be viewable to the general public, or if I added just anyone as a friend, then Timeline would indeed add a whole new set of concerns. To be honest though, if your Facebook profile is publicly viewable or you&#8217;re an inveterate befriender of strangers, you have far bigger concerns already&#8230; None of you do that, do you?<br />
&nbsp;<br />
There has to be something that worries me in the new Facebook though, and as my fellow Tweeter <a title="Kurt Wismer on Twitter" href="http://twitter.com/#!/imaguid" target="_blank">Kurt Wismer</a> agreed, it&#8217;s the Ticker. You&#8217;ve seen the Ticker, right? It&#8217;s the new scrolling display of updates in the top right corner of your Facebook page. Why do I worry about the Ticker? It publishes <em>all</em> your activities, including check-ins, in real time to <em>all</em> your friends, <strong>including your interactions with people and groups those friends don&#8217;t know (if that content is public). This is very much a stalker enabler. </strong>Now not only can I watch what you are doing on Facebook with people I know, I can also see when you comment, post or like something I have no connection to whatsoever; this is A Bad Thing.<br />
&nbsp;<br />
For now, there&#8217;s not a lot you can do about this other than appeal for Facebook to reconfigure this functionality and apply the same kind of discretion any normal person applies in real life. There is currently a groundswell of people posting the following status and for now it&#8217;s the only option you have&#8230;<br />
&nbsp;<br />
<a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/09/status.png"><img class="alignleft size-full wp-image-3019" title="My Facebook status" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/09/status.png" alt="" width="481" height="75" /></a><br />
&nbsp;<br />
Here&#8217;s the text in case you want to copy/paste.<br />
&nbsp;</p>
<blockquote><p>&#8220;Please do me a favour: please hover over my name here, wait for the box to load and then hover over the &#8220;Subscribe&#8221; link. Then uncheck the &#8220;Comments and likes&#8221; choice. I would rather my comments on friends&#8217; posts not be republished. Thanks** Then repost if you don&#8217;t want your EVERY MOVE posted on the right for everyone to see! :) i&#8217;ll do the same for you if you want. just click &#8220;like.&#8221;</p></blockquote>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/it-aint-the-timeline-its-the-ticker-doc/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>The Facebook kidnap &amp; robbery</title>
		<link>http://countermeasures.trendmicro.eu/the-facebook-kidnap-robbery/</link>
		<comments>http://countermeasures.trendmicro.eu/the-facebook-kidnap-robbery/#comments</comments>
		<pubDate>Fri, 29 Jul 2011 10:05:38 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Bad guys always lose]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[kidnap]]></category>
		<category><![CDATA[robbery]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2920</guid>
		<description><![CDATA[In what appears to be a well-planned and pre-meditated crime the safe in a Carrefour supermarket was emptied by criminals with the help of a Facebook friendship. &#160; &#160; At the beginning of February, the manager of the supermarket made an interesting new friend on Facebook, a girl by the name of Katrien Van Loo. The [...]]]></description>
			<content:encoded><![CDATA[<p>In what appears to be a well-planned and pre-meditated crime the safe in a Carrefour supermarket was emptied by criminals with the help of a Facebook friendship.<br />
&nbsp;<br />
<a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/07/KVL.png"><img class="alignleft size-large wp-image-2921" title="Katrien Van Loo - Facebook" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/07/KVL-400x160.png" alt="" width="400" height="160" /></a><br />
&nbsp;<br />
At the beginning of February, the manager of the supermarket made an interesting new friend on Facebook, a girl by the name of Katrien Van Loo. The relationship blossomed and pretty soon, the victim was invited over for a cosy dinner for two, presumably to further his acquaintance with his new-found friend. This was on the 15th of February this year. Police are now releasing images in an appeal for witnesses. The Belgian Police report is <a href="http://www.polfed-fedpol.be/ops/ops_teidentificerendetail_nl.php?RecordID=684">here</a>.<br />
&nbsp;<br />
When the victim arrived at ten-thirty that evening, he discovered that he had in fact been lured to an empty building with the bait set by this fake Facebook profile. He was quickly overpowered by two men who gagged and blindfolded him and forced him to hand over the keys to his own apartment.<br />
&nbsp;<br />
While one of the criminals stayed with the victim, the other took the stolen keys and visited the unfortunate supermarket manager&#8217;s home. He found the keys to the supermarket and left the building and while doing so was filmed on closed-circuit cameras in the building.<br />
&nbsp;<br />
<div id="attachment_2922" class="wp-caption alignleft" style="width: 410px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/07/suspect.jpg"><img class="size-large wp-image-2922" title="Suspect in Belgian burglary" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/07/suspect-400x272.jpg" alt="" width="400" height="272" /></a><p class="wp-caption-text">Suspect in Belgian burglary from CCTV footage</p></div><br />
&nbsp;<br />
Shortly after midnight, the vault of the store was emptied by a third accomplice, who was also caught on camera. The suspects can be seen in video footage prepared by the Belgian police. <a href="http://www.polfed-fedpol.be/dos_ops/vrt/crimeclip/160211_Express_NL.avi">Suspect in Belgian Facebook burglary.</a> It is worthy of note that both suspects are left-handed.<br />
&nbsp;<br />
If you recognise these suspects, or have any information regarding this crime, the Belgian authorities would love to hear from you. You can call the local toll-free number <strong>0800 / 30.30.0</strong> or use <a title="Belgian Federal Police - Contact Form" href="http://www.polfed-fedpol.be/ops/ops_verzendenteidentificeren_nl.php?RecordID=684" target="_blank">this </a>online form.<br />
&nbsp;<br />
If you are a Facebook user, remember, anyone can be anyone online. Never admit unknown people to your circle of trust; you jeopardise your own safety and privacy as well as that of the friends who may be posting on your wall. If you ever decide to meet a stranger, don&#8217;t repeat this guy&#8217;s mistakes. Do it first in a public place and do not go alone. Trust should be earned, not given.<br />
&nbsp;<br />
If you receive a friend request from someone you don&#8217;t recognise there are a few things you can check. Do you have any friends in common? If you do not, this should raise a suspicion flag. If you can see any info on the person do you have anything else such as schools or workplaces in common? Does the profile have a photo and if so is it one that you recognise? If you cannot see any info, mutual friends or photo, it&#8217;s a definite no-no.<br />
&nbsp;<br />
Even if this stuff all checks out and you are still suspicious, begin by simply sending a message to the person, asking how they know you or how they found you on Facebook. If it turns out to be a speculative friend request, my recommendation would be to ignore it and go out for a beer instead.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/the-facebook-kidnap-robbery/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
<enclosure url="http://www.polfed-fedpol.be/dos_ops/vrt/crimeclip/160211_Express_NL.avi" length="21550158" type="video/avi" />
		</item>
		<item>
		<title>What the Hack is going on?</title>
		<link>http://countermeasures.trendmicro.eu/what-the-hack-is-going-on/</link>
		<comments>http://countermeasures.trendmicro.eu/what-the-hack-is-going-on/#comments</comments>
		<pubDate>Thu, 16 Jun 2011 14:51:28 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2858</guid>
		<description><![CDATA[&#160; With all the recent news stories of successful hacking attacks on some very prominent organisations, this seems like an entirely reasonable question. The litany of victims is impressive including such luminaries as Google, RSA, Visa, MasterCard, Citibank, Epsilon, the US Senate, the UK National Health Service, Fox, Sony (of course) and just last night [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_2863" class="wp-caption alignleft" style="width: 410px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/06/4781607809_13d04ce5da.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/06/4781607809_13d04ce5da-400x300.jpg" alt="" title="4781607809_13d04ce5da" width="400" height="300" class="size-large wp-image-2863" /></a><p class="wp-caption-text">Used under creative commons from brittgow Flickr</p></div><br />
&nbsp;<br />
With all the recent news stories of successful hacking attacks on some very prominent organisations, this seems like an entirely reasonable question. The litany of victims is impressive including such luminaries as Google, RSA, Visa, MasterCard, Citibank, Epsilon, the US Senate, the UK National Health Service, Fox, Sony (of course) and just last night the CIA website was targeted with a Distributed Denial of Service attack. The amount of prime time coverage these various activities are getting is prompting several questions. Is this hacking group stuff something new? Is this cyber-espionage or even cyber warfare? What impact will this have on me and the future of the internet?<br />
&nbsp;<br />
The idea of a hacking group is certainly not a new phenomenon; in fact they began to flourish in the early eighties, the early days of home computing, acting as a forum for members to share information, learn and compare skills. Early groups bore names such as Legion of Doom, Cult of the Dead Cow or Masters of Deception. They specialised not only in the nascent internet hacking scene, and are responsible for the birth of hacktivism, but also in the perhaps dying art of <a href="http://en.wikipedia.org/wiki/Phreaking">phreaking</a> (abuse of public telecommunications networks). The nineties saw the rise of a different kind of hacking group, L0pht Heavy Industries, who operated more as a research organisation, providing software tools for penetration and security testing and issuing advisories. This group also famously testified to the US Congress back in 1998 that they could take down the entire internet in under 30 minutes. L0pht later merged with @stake, who were eventually acquired by Symantec.<br />
&nbsp;<br />
Now in the noughties we have witnessed the rise of Anonymous, and more recently LulzSec. Anonymous as a collective is something that began on message boards like the infamous 4chan, for the purposes of attacking the Church of Scientology, and has with generous media coverage evolved into a bigger deal. Instead of being a relatively closed group, Anonymous actively sought the participation of the general public when they began their actions in support of Wikileaks. Tens of thousands of volunteers are downloading tools which enable them to participate in the global assault on businesses with whom they feel personally aggrieved. The latest versions of this tool include functionality which means the user can hand off control of their weaponised computer to a central authority (Anonymous) to better direct and control the attacks. LulzSec on the other hand maintain the tradition of the closed group, and according to their own web site have no motivation but anarchy,<br />
&nbsp;</p>
<blockquote><p>&#8220;<em>We&#8217;re LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calendar year</em>&#8221;.</p></blockquote>
<p>&nbsp;<br />
Of course similar groups have emerged around the world in places as far flung as Pakistan and India, where there is fierce competition between the groups. In Romania groups such as <a href="http://countermeasures.trendmicro.eu/an-interview-with-hackersblog/">HackersBlog</a> have hit various companies. In China and Russia, many hackers are believed to act as proxies for their governments.<br />
&nbsp;<br />
It&#8217;s not all about the hacking-for-fun-and-kudos gangs; organised criminal groups have been with us for many years now, and the last 12 months or so has seen a marked increase in the frequency of attacks on online aggregations of information, such as Sony, Epsilon or Citibank, for the purposes of theft of information for financial reward. One single attack, if successful, can yield such a vast amount of saleable or otherwise abusable personal data that I&#8217;m only surprised the attacks took so long to gather pace.<br />
&nbsp;<br />
Another phenomenon that has risen to prominence recently is purported nation-state activity. Again, despite recent press coverage this is also nothing new, the <a href="http://en.wikipedia.org/wiki/Titan_Rain">Titan Rain</a> attacks for example date back to 2003 where the finger was firmly pointed at China for the theft of large amounts of information from military and governmental targets, <a href="http://en.wikipedia.org/wiki/Ghostnet">gh0stnet </a>in 2007 was similarly blamed on China, as were the <a href="http://en.wikipedia.org/wiki/Operation_Aurora">Aurora </a>attacks the following year. This year has already seen similarly motivated attacks on <a href="http://www.computerweekly.com/Articles/2011/03/18/245974/RSA-hit-by-advanced-persistent-threat-attacks.htm">RSA</a>, the <a href="http://countermeasures.trendmicro.eu/serious-cyber-attack-on-eu/">European Council</a>, the <a href="http://www.bbc.co.uk/news/business-12662596">French Finance Ministry</a>, the <a href="http://www.pcworld.com/businesscenter/article/219906/china_denies_role_in_reported_government_of_canada_hack.html">Canadian government</a>, <a href="http://www.informationweek.com/news/government/security/229700151">Lockheed Martin</a> and of course <a href="http://en.wikipedia.org/wiki/Stuxnet">Stuxnet</a>.<br />
&nbsp;<br />
So many technological and cryptographic advances have their roots in the centuries-old art of espionage that we should really not be surprised to see national foreign intelligence services making use of cutting-edge tools and techniques to further their national or economic interests.<br />
&nbsp;<br />
None of this represents a global online meltdown, or the end of the internet economy or national security as we know it. Like everything else in this world we can trace a simple process of evolution at work here. Security companies, individuals and enterprises must evolve to keep pace and just maybe learn some of the lessons that some of these guys have been teaching us for years now. Encrypt your data, develop securely, configure correctly, test your defences effectively, use complex passwords, shield your vulnerabilities and build your systems under the assumption that a breach *<strong>will</strong>* happen.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/what-the-hack-is-going-on/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Mac malware: Same shizzle, different dizzle.</title>
		<link>http://countermeasures.trendmicro.eu/mac-malware-same-shizzle-different-dizzle/</link>
		<comments>http://countermeasures.trendmicro.eu/mac-malware-same-shizzle-different-dizzle/#comments</comments>
		<pubDate>Fri, 27 May 2011 12:18:14 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Mac OS]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[SEO]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2847</guid>
		<description><![CDATA[You may have read in the press recently about the Mac Defender scareware that is affecting many OSX users, to the extent that Apple have even promised to deliver a removal tool and a fix to their customers. Trend Micro&#8217;s Smart Surfing for Mac has been protecting against this threat from the outset, both by [...]]]></description>
			<content:encoded><![CDATA[<p>You may have <a href="http://www.bbc.co.uk/news/technology-13560137">read in the press</a> recently about the <a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&amp;name=OSX_FAKEDEF.M">Mac Defender</a> scareware that is affecting many OSX users, to the extent that Apple have even <a href="http://support.apple.com/kb/HT4650">promised to deliver a removal tool and a fix</a> to their customers. <a href="http://emea.trendmicro.com/emea/products/personal/smart-surfing-for-mac/index.html">Trend Micro&#8217;s Smart Surfing for Mac</a> has been protecting against this threat from the outset, both by detecting and blocking the malicious files and, importantly, by blocking access to the criminal websites being used to propagate this threat. You may be surprised to hear though that Mac Defender is not the first &#8220;scareware&#8221; application targeting Mac users and trying to trick them into parting with their cash and their credit card details.<br />
&nbsp;<br />
Malware for Mac OSX is nothing new, and the increasing popularity of the platform is driving criminal interest. In addition to <a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&amp;name=OSX_FAKEDEF.M">Mac Defender</a> (May 2011), there are already several threats in the wild that affect Mac OS X: the <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_LEAP.A">Leap worm</a> (Feb 2006), which propagates through iChat; the <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_RSPLUG.A">RSPlug Trojan</a> (Oct 2007), which drops DNS changing malware; the <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_MACSWEEP.A">MacSweeper</a> &amp; <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_IMUNIZATOR.A">IMunizator</a> (Jan &amp; Mar 2008) scareware; <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_JAHLAV.A">Jahlav</a> (Dec 2008), another DNS changing malware; <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_KROWI.A">Krowi</a> (Jan 2009), responsible for the first Mac OS botnet; and <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_HELLRTS.A">HellRTS</a> (April 2010), another Trojanised installer, this time for iPhoto, which gives attackers remote control over the infected computer.<br />
&nbsp;<br />
MacSweeper, IMunizator and now Mac Defender are typical scareware Trojans. In 2008 they were delivered by malicious advertisements, and in 2011 criminals have adopted the tried and tested tactic so successful in the world of Windows: Blackhat Search Engine Optimisation. Booby-trapped web pages are created, designed to show up in the first page of search results for popular terms. Simply clicking the link to one of these pages is enough to start the infection process. The latest version has even worked out a method to bypass the requirement for the user to type an admin password in order to install. Affected users are presented with a professional-looking application and informed that multiple security issues have been discovered on their computer. Subsequently they are duped into buying a completely bogus piece of software to &#8220;fix&#8221; those issues, a tactic with which Windows users will be only too familiar. RSPlug and Jahlav have both been known to pose as video codec installers, another tactic long popular on the Windows platform. Once installed, DNS changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will distinguish whether the browser is Mac or PC based and serve up the correct flavour of Trojan, demonstrating that it is the same skilled and experienced malware business that is now setting its sights on the Apple community. It is also worth noting that Mac forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign. Also important is the fact that these malware examples are not single discrete files; they represent entire families of malware, where new variants are continually being released to defeat signature-based detection.<br />
&nbsp;<br />
These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple themselves may finally be listening. Malware has existed on the Mac platform since pre-OS X days, as have anti-malware tools. However, the radical change in the nature of the malware industry, coupled with Apple’s huge success in recent years, means it is a trend which is now far more likely to be exploited for malicious ends and at the financial cost of the end user in the coming months and years.<br />
&nbsp;<br />
For many years now Mac users have believed themselves to be invulnerable to malware, and have <a href="http://movies.apple.com/movies/us/apple/getamac/trustmac_480x376.mov">been encouraged in this belief by Apple themselves</a> on more than one occasion, or “<a href="http://www.apple.com/why-mac/better-os/#viruses">Safeguard your data by doing nothing</a>”. This complacency leaves many Mac users with the mistaken belief that either Macs are not vulnerable to malware, or that none exists for their platform, or both, impacting their ability to make informed decisions when downloading or installing new software, opening attachments or visiting questionable sites.<br />
&nbsp;<br />
Cybercrime and malware in today’s world is big business, and one that ever more closely resembles the world of legitimate business, including outsourcing, R&amp;D budgets, Malware as a Service platforms, SLAs and even EULAs. In this shady world of business it would definitely be fair to say that as the Mac market share expands and the user base grows, so does its perceived potential to the cybercriminal. It’s all about Return on Investment, and the fact that that user base is largely unprepared and the computers themselves largely unprotected only increases the attractiveness.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/mac-malware-same-shizzle-different-dizzle/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
<enclosure url="http://movies.apple.com/movies/us/apple/getamac/trustmac_480x376.mov" length="3612234" type="video/quicktime" />
		</item>
		<item>
		<title>So secure we don&#8217;t need security?</title>
		<link>http://countermeasures.trendmicro.eu/so-secure-we-dont-need-security/</link>
		<comments>http://countermeasures.trendmicro.eu/so-secure-we-dont-need-security/#comments</comments>
		<pubDate>Wed, 25 May 2011 13:52:32 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[chrome]]></category>
		<category><![CDATA[chromeos]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[netbook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2831</guid>
		<description><![CDATA[With the launch announcements of various Google Chrome netbooks, the press and security companies alike are beginning to take a closer look at the security promises made and also at some of the more, um&#8230; media friendly statements such as “users don&#8217;t have to deal with viruses, malware and security updates”. &#160; [...]]]></description>
			<content:encoded><![CDATA[<p>With the launch announcements of various Google Chrome netbooks, the press and security companies alike are beginning to take a closer look at the security promises made and also at some of the more, um&#8230; media friendly statements such as “<a href="http://googleblog.blogspot.com/2009/07/introducing-google-chrome-os.html">users don&#8217;t have to deal with viruses, malware and security updates</a>”.<br />
&nbsp;<br />
Let’s have a look at some of the security features of Chrome OS:<br />
&nbsp;<br />
1 – Get out of my playpen. Each process runs in its own sandbox; effectively this means that if an application is malicious or compromised it is unable to interact with or otherwise affect other applications or processes on the system.<br />
&nbsp;<br />
2 – Always up-to-date. With automatic updating, patches or feature updates will be downloaded and installed by default; this is a mandatory process designed to stop the user from opting themselves out of security.<br />
&nbsp;<br />
3 – Always start with a clean slate. When Chrome OS is started up, it will check the integrity and validity of system files and if it detects any anomaly or unauthorised change, the system will revert to the known-good state, effectively neutralising any suspect activity at every reboot. The separation of user files and system files makes this a simple and effective process.<br />
&nbsp;<br />
4 – (Almost) No desktop applications. Every application in Chrome OS will run inside the browser; discrete desktop applications will simply not exist, and all apps are effectively web apps. The OS does afford the possibility of browser plug-ins locally, so the end user still has some influence over the operating environment. These plug-ins of course will be sandboxed. Google has recently made a Software Development Kit available for the creation of Chrome “Native Apps”.<br />
&nbsp;<br />
5 – Nothing to see here. No user data is stored locally on Chrome machines. All user data is stored in the cloud and encrypted; theoretically, data theft by malware or intrusion is made more complex.<br />
&nbsp;<br />
So, what do I think? Well, the existence of the SDK seems to demonstrate that the “sterile environment” of an out-of-the-box Chrome netbook may be about as long lived as an untouched Android device. Of course the sandboxing technology is designed to ensure that even a bad native app can’t misbehave. Well, exploits that break out of sandboxing have already been demonstrated for Internet Explorer, for Java, for Google Android and of course for the Chrome browser (to name but a few). While the Google sandbox is effective, it is not impenetrable, and to rely on it for 100% security would be short-sighted.<br />
&nbsp;<br />
As regards the notion of the operating system always reverting to a known good state at reboot and the security afforded by encrypted data being stored in Google’s cloud, well surely that’s just moving the goalposts for the bad guys. For much of today’s malware, one of the primary goals is persistence. This will be much more difficult (see how I hesitate to say impossible) in the Chrome environment, so the motivation will shift. If I can infect you for one session and steal your keys, well then I’ll get what I can while I’m in there and then continue accessing your stuff in the cloud; after all, I’ve got your keys now, I don’t need your PC anymore. The beauty of that for criminals is that the victim may be even more unaware than they are now that they have been compromised.<br />
&nbsp;<br />
While I applaud the impressive advances in security that are apparent in Chrome OS, to a certain extent we are seeing marketing history repeat itself. How often did the mantra that MacOS was immune to malware need to be repeated until the vast majority of users believed it and continue to do so, even after Apple went as far as incorporating rudimentary AV software into MacOS?<br />
&nbsp;<br />
Criminal activity extends far beyond file-based threats, encompassing social engineering, phishing, social networks and email-borne threats. The palette is continually expanding and the techniques are continually evolving; to assure your customers that they will not have to deal with online cybercrime simply by switching OS is foolish, to say the least.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/so-secure-we-dont-need-security/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
	</channel>
</rss>

