Internet Security for Your Macintosh and iPhone: A Blog for the Rest of Us

Just say NO to Flash

Tue, 2 Mar 2010 13:58:47 -0800

You may have been hearing recently about how Steve Jobs has criticized Adobe’s Flash software and refused to include it with the iPhone. Lots of reasons have been given, and some of them may even be true. But, from our perspective here, we’ve been preaching against Flash simply from a security perspective for a couple years now, with at least six entries in this blog alone.

It seems we’re getting a lot of company lately. Not only has Steve allegedly called it “a buggy Mac crasher” (with “buggy” being the cause of most of the security vulnerabilities in the world), but now TUAW has joined the chorus:

...one of the features I used most often was "Disable Plugins" -- which was really another way of saying "Disable Flash," and I do that these days in Safari using ClickToFlash.

They’re even channeling security guru (and big-time Mac hacker) Charlie Miller:

When it comes to browser security, Charlie Miller says that it's all about Flash. More specifically, avoiding Flash.... “The main thing is not to install Flash!”

For years one of our mantras here (and in the book) has been “Just say NO to FTP.” Well now it’s also “Just say NO to Flash.”

Internet security for your iPad?

Tue, 23 Feb 2010 16:01:50 -0800

Just as we got done renaming the book and this blog to “Internet Security for Your Macintosh and iPhone,” along comes the iPad. Don’t worry, the name is not going to change again, but the issue remains: what about Internet security for your iPad?

Of course no one really knows what an iPad is. Even as long-time Mac and iPhone developers, we certainly haven’t seen one. But it looks very likely that, from a security perspective, an iPad will be pretty much a very big, way cool iPhone. Which is to say, there will be only a very limited set of security issues, mainly around its use in larger organizations (see TidBIT’s recent “Prepare Your Enterprise for the iPad” article on this subject). For most of the rest of us, we should be able to feel just as good about iPad security as we do about iPhone security. And that’s pretty darn good!

See the book for all the details, but basically Apple has done an excellent job of limiting the iPhone’s exposure to items that plague Internet-connected computers (especially of the Windows variety, but even Macs to a lesser extent). Through application sandboxing and other iPhone OS techniques, it looks like there will be very little to worry about from an Internet security perspective on the iPad. But we should all of course wait and see to be sure.

And while you’re waiting, please check out our latest application, available concurrently on both the Mac and iPhone platforms. Art Authority is a major new addition to our “Envi” line of iPhone products, which in turn are based on our Mac Envision Web-image browser.

And of course stay tuned for the iPad version of that too :)

iPhone worm validates book advice

Tue, 10 Nov 2009 14:38:14 -0800

The first reported iPhone “worm” has validated a key piece of advice from the updated version of “Internet Security for Your Macintosh and iPhone” (a part of our new DoorStop 2.3 security product line). The worm only attacks jail-broken phones with SSH installed and the default password unchanged. As such, it’s unlikely to affect many people, but may be an indication of things to come.

The main point for readers of this blog is simply what we stated in the book:

Jailbreaking is the worst thing you can do for iPhone security. DON’T DO IT!

Clear enough, we hope. (If you use an iPhone and don’t know what jail-breaking is, you should have the book!)

Microsoft touts virus statistics

Mon, 2 Nov 2009 12:09:18 -0800

When the score is something like 236,000 to 7, you can expect the side that’s winning to really brag about the score. But, when it comes to viruses, it’s usually the 7 that’s considered winning. So why is Microsoft touting the fact that it’s the 236,000? Good question.

In a recent Microsoft Malware Protection Center blog entry, Microsoft provides all sorts of interesting details about data that has come back from their recently introduced Microsoft Security Essentials product. The fact that Microsoft felt it had to ship this free product that it claims “provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software” is telling in-and-of itself. The data that comes back from the product makes it pretty clear why the product is needed:

1.5 million downloads of the software in the first week
500,000+ machines with infections (over 1/3 of all machines!)
4 million distinct “detections” of malware (8 per infected machine)
6 different “threat families” with over 10,000 infections in each of three countries (U.S., Brazil and China)
Half of the threats detected on Windows XP, 1/3 on Vista and still 1/6 on Windows 7.

What does all this data mean, besides that there are an absurd number of viruses on all Windows platforms, and why is Microsoft bragging about it? Good questions. We’re pretty sure it means you should Get a Mac!

Facebook virus is a sign of the times

Thu, 29 Oct 2009 14:04:32 -0700

A new Facebook “virus” combines a number of security threats together, some of which apply to Mac users and some of which don’t. As reported by USA Today and many other publications, there are actually two different but similar attacks. Here’s how they work:

Previously-compromised Windows machines, acting in botnets, send out massive waves of phishing emails that look like they came from Facebook. (Yes, it is quite a vicious circle these days, with compromised Windows machines leading to more and more attacks and compromised Windows machines. Thanks a lot Microsoft!)
The phishing emails convince naive Facebook users (nearly a tautology) to go to a fake site that looks like the real Facebook pages. Users enter their Facebook password, thus giving the attacker full access to their real Facebook account. Mac users are just as vulnerable to phishing attacks of this sort as anyone else. (Just as much as Microsoft, Facebook is also responsible for the success of these attacks, since they actually encourage their users to click on links in emails that appear to be from them).
The fake site then also instructs the user to install and run a trojan horse that will sit in their machine and look to steal their banking information. This very evil trojan horse is currently a Windows-only application (but a similar one in theory could run on the Mac).

Social networking sites like Facebook and Twitter are become more popular, and more and more novice users are signing up. Combine these facts with the more established companies like Microsoft and Apple really focusing on security, and you can see why these types of attacks are becoming more and more a sign of the times.

They’re here

Mon, 26 Oct 2009 07:14:22 -0700

They’re here, as promised! As of today, we’re shipping a major set of upgrades to our DoorStop line of Macintosh Internet security products. As you can imagine, we’ve got a lot to talk about, and don’t entirely know where to begin.

Beginning at the beginning, we’re upgrading all the products to version 2.3. From the full DoorStop X Security Suite, to its individual components (DoorStop X Firewall, Who’s There? Firewall Advisor, ISFYM eBook), to this blog.

Version 2.3 focuses on the two biggest events in the Macintosh world since the previous major release (almost two years ago!): Snow Leopard and the iPhone. All 2.3 products specifically support Snow Leopard (10.6) in two different ways: (1) they run and are fully compatible with that OS, and (2) their built-in information and advice, including the eBook, have been fully updated for Snow Leopard.

All products also support the iPhone (and iPod touch) in sense (2). That is, they provide iPhone-focused information and advice about keeping you, your Mac, and your iPhone secure on the Internet. In fact the eBook, and even this blog, have been renamed to include “and iPhone” in their title. The book integrates the iPhone throughout, and also adds a full new chapter on iPhone-specific Internet security issues.

There’s lots more to talk about too. For instance we’re adding a Twitter stream to the product line, for cases where even this blog isn’t real-time enough. As with all the products, its focus will be on securing you, your Mac and your iPhone on the Internet. We’ll certainly be talking a lot more about that here soon. For now please just check it out and start to “follow” us there if you’d like.

Other specific features are being added to each of the products as well. All-in-all, we’re very happy with the new releases, and hope you will be too. There are of course free, fully functional 30-day evaluation versions available on our Web site, and special upgrade pricing for anyone who purchased any of the products this year.

Finally, there are some currently unannounced surprises to come too (what would an announced surprise be anyway?). Think iPhone apps :) So if you don’t have any other reason to stay tuned to this blog (and to follow the Twitter stream), there’s a good one for you.

Talk to you again soon.

DoorStop update status update

Thu, 15 Oct 2009 12:31:28 -0700

We’ve been receiving some questions about the status of the new DoorStop X security products we mentioned previously. So we wanted to provide a quick update update:

The updates to version 2.3 planned for this month are totally on schedule. Since October 31 is a Saturday, and Halloween to boot, we are shooting for having the products out no later than the 30th. And hopefully even before then.

As promised, the updates will include full support for Snow Leopard, including information and advice about new Snow Leopard security features and issues. Plus there will be a few added surprises too :) So stay tuned.

Operation Phish Phry

Thu, 8 Oct 2009 10:31:44 -0700

The FBI has arrested or charged up to 100 people in connection with their “Operation Phish Phry.” The suspects, in the U.S. and Egypt, are accused of a massive phishing scheme against customers of the Bank of America and Wells Fargo. Today’s Washington Post has a good article on the operation.

An interesting fact quoted by the article is this:

“Some 49,084 unique phishing Web sites were set up in June, the second largest number recorded in a single month, according to the Anti-Phishing Working Group, a industry consortium.”

Be afraid. And very very careful.

Verizon offers Mac security suite

Tue, 6 Oct 2009 08:31:00 -0700

At the same time as Intego is offering its new security bundle, nationwide ISP Verizon has introduced a version of its Internet Security Suite for Macs. Previously available only for Windows machines, the Suite includes anti-virus, personal firewall and parental control components. The company’s associated Online Backup & Sharing Service is also now available for Mac users.

The company clearly sees a marketing opportunity for Mac users, saying "Mac users are an important and growing segment of the broadband community, and Verizon is becoming more and more focused on providing them with services that enhance their online experiences.” Verizon charges $6 per month for the Internet Security Suite (for up to 3 machines), which is free for 30 days to new customers.

The introduction of the Suite has resulted in ongoing discussions, including an excellent Information Week article entitled “Is Mac Security Software Necessary?”

Although such security offerings mean more competition for us Mac-specific Internet security vendors, they’re clearly a good thing for the Macintosh community as a whole.

Interesting security bundle launched

Fri, 2 Oct 2009 14:02:07 -0700

Mac security vendor Intego has announced the availability of a very interesting bundle of Mac security products. Bundles like this have been popular among Mac software vendors recently, but this is the first one devoted to Macintosh security.

The Mac Security Bundle, available through October 31, contains 12 security applications for $50, 90% off the price of the programs individually. Only two of the programs (Virus Barrier X5 and Net Barrier X5, a personal firewall) seem to be specific to Internet security; the others are more general computer security or privacy applications. All the applications support Snow Leopard (Mac OS X 10.6).

Alas no one from Intego contacted anyone here at Open Door to see if we wanted to participate. In particular, the bundle seems to be lacking any sort of comprehensive documentation, like our book. The bundle is an interesting option nonetheless. Our DoorStop X Security Suite is also, in and of itself, a great mini-bundle for those specifically focused on Macintosh Internet security. It does compete with two of Intego’s main products, so they can’t be blamed too much for not contacting us.

And of course we too also have good Snow Leopard stuff coming real soon now :)

The Snow Leopard built-in firewall

Mon, 31 Aug 2009 07:49:58 -0700

Almost two years ago now, one of our most significant blog entries was entitled “The Leopard built-in firewall.” Referencing what many others were saying, it provided details of the many serious problems with the new OS’s new firewall model.

At the time we said “Long term, [the new firewall model] has potential. Short term, it just hasn’t worked well at all.” A quick security update addressed some of the Leopard firewall’s fundamental problems, but many of them have remained.

Snow Leopard’s firewall changes, like many of its other changes, are a “fine-tuning” attempt to implement more of that potential. And they do seem to represent minor improvements. We’ve put up a Web page on our site with screenshots detailing some of the changes:

It’s now obvious how to turn the firewall on and off
You can "Automatically allow signed software to receive incoming connections" (or not, which is a safer option -- more on this later)
You can block almost all incoming connections, even to built-in services like File Sharing. There’s still no way to block certain services that Apple considers essential (which probably are in many, but not all circumstances).

These three new options add important flexibility. Removed was the option to turn on and off logging, which seems to now be always on. There’s no real need to ever turn it off, so this simplification is a good one. More important, the log now includes one critical item we’ve flagged as missing for two years: the destination port on access attempts. The firewall still, however, does not seem to log all access attempts, so the log is only slightly more useful than before.

All-in-all, Snow Leopard’s built-in firewall is a definite improvement on Leopard’s, just as Snow Leopard in general seems to be an improvement on Leopard itself. But it still has a long way to go before it realizes its full potential.

Snow Leopard product announcements

Fri, 28 Aug 2009 07:05:32 -0700

In concert with Apple’s shipping of Snow Leopard today, Open Door has made a set of announcements regarding our security products and Snow Leopard. In summary:

All the current products in our DoorStop X Security Suite have been tested and work with the Golden Master version of Snow Leopard.
These products do not yet have information and advice specific to Snow Leopard.
New releases of the products, with Snow Leopard-specific tuning and other new features, are planned for the October timeframe. Upgrades to these products will be free for anyone purchasing them from now on.
This blog is the place to turn for Snow Leopard Internet security advice until (and even after) those new releases are available. For instance, Snow Leopard’s built-in firewall is significantly different from, and general improves upon, Leopard’s. Stay tuned.
Additional details are available on our Web site

Snow Leopard this Friday

Mon, 24 Aug 2009 14:33:47 -0700

Beating their own September goal, Apple announced that Snow Leopard (Mac OS X 10.6) will be available this Friday, August 28. As detailed previously, Snow Leopard is mainly a set of refinements to Mac OS X 10.5, Leopard.

A few quick items as far as security:

By Friday, Open Door Networks plans to have a statement on our Web site as to how our current DoorStop X security products work with Snow Leopard (hint: they do) and as to future plans for those products.
Snow Leopard does have a security Web page, but it’s mostly old stuff from Leopard. The main exception is a statement that “The 64-bit applications in Snow Leopard are even more secure from hackers and malware than the 32-bit versions. That's because 64-bit applications can use more advanced security techniques to fend off malicious code.” The detail page further elucidates this statement with “First, 64-bit applications can keep their data out of harm's way thanks to a more secure function argument-passing mechanism and the use of hardware-based execute disable for heap memory. In addition, memory on the system heap is marked using strengthened checksums, helping to prevent attacks that rely on corrupting memory.” Sounds good anyway. These will certainly be items to explore in the near future.
Although not on the security page, the new Safari 4, included with Snow Leopard, has a number of security features. An interesting one: Apple specifically alludes to, but does not call out by name, addressing the many security issues associated with the Flash plug-in, when it says: “It turns out that the number one cause of crashes in Mac OS X is browser plug-ins. So Apple engineers redesigned Safari to make plug-ins run separately.”

iPhone flaw detailed one day, fixed the next

Fri, 31 Jul 2009 11:37:17 -0700

At the Black Hat security conference in Las Vegas, the previously-mentioned serious iPhone vulnerability was detailed by researchers yesterday, and fixed today by Apple via a new version of the iPhone OS (3.0.1). Pretty impressive on both ends.

Unless some serious problem is found with the update, updating right away seems like a really good idea, since now that details of the flaw are out, enterprising hackers out there will no doubt soon be trying to take advantage of it.

Comic security

Thu, 9 Jul 2009 10:24:51 -0700

The July 7 PC and Pixel comic is dead-on (so to speak) with its point about how physical security is so much more important than all the complex, software-based measures that we take to protect our computers from Internet attacks. Its message directly mirrors chapter 3, “Physical Security” from the book.

“PC, I think you must increase the security on your computer and stuff...”

“Don’t worry, I’ve just changed my encrypted password along with a new firewall, yesterday.”

“Actually I was thinking of a better deadbolt.” [picture of a busted-in door and a living room in shambles]

First real iPhone security issue?

Fri, 3 Jul 2009 16:01:10 -0700

MacWorld and others are reporting what may be the first real iPhone Internet security issue. Actually not Internet directly, but instead the SMS messaging system used widely for “texting” short messages between phones.

As noted here over a year ago, our analysis of the iPhone’s security mechanisms led us to believe that is was so secure that there was very little we could do to enhance that security. To date that analysis has been proven completely right, but things could be changing a bit.

The new issue is a theoretical one for now. Noted Mac security “researcher” Charlie Miller claims to be able to crash the SMS app by sending it bogus data. He believes the crash may lead to a serious vulnerability, allowing an attacker to execute any code the attacker wants to on the iPhone. In other words, the standard “may lead to unexpected application termination or arbitrary code execution.” Miller has yet to produce such an exploit, and has informed Apple of the flaw.

As quoted in MacWorld, Miller does an excellent job of making it clear that the iPhone in general is a very secure platform, echoing our previous comments. Items he points out include:

The iPhone’s stripped-down version of Mac OS X presents fewer options for attackers, removing applications and features such as Flash and Java
It includes hardware protection for data stored in memory
It can only run software that has been digitally signed by Apple
It requires apps to run in a sandbox, which isolates them from other apps and limits their access to phone capabilities.

So, even if this one vulnerability does prove to be real, it’s pretty clear that, all-in-all, Apple has done an excellent job with iPhone Internet security.

First word on Snow Leopard security

Wed, 10 Jun 2009 20:58:24 -0700

In concert with WWDC, Apple has updated the Mac OS X security page, adding references to Snow Leopard (for which additional details, including a ship date of September, are being providing at the conference). There’s actually nothing that seems Snow Leopard specific, but the page is an excellent summary of important Mac OS X security measures. It also contains an interesting statement about anti-virus software. Key points include:

“built-in defenses help keep you safe from viruses and malware without the hassle of constant alerts and sweeps” (a clear swipe at Vista, similar to the “Cancel or Allow” TV ad).
Stay up to date. Automatically. (Software update)
Easy to customize (referring specifically to security features)
Don’t go phishing (a reference to Safari 4.0’s new anti-phishing features)
Surf safely (mainly Password Assistant, which really doesn’t help with surfing much)
Security without the hassle (probably the Mac’s biggest advantage: “Every Mac ships with a secure configuration so you don’t have to worry about understanding complex settings. Just turn your Mac on and start working.”)

Finally, the very interesting “Security Advice:”

The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.

May offer additional protection? Hmmm. It seems Apple is a bit conflicted on this one.

The month in review

Mon, 1 Jun 2009 13:21:26 -0700

Today being the first of June, it seems that a quick security review for the month of May is in order. We’ve been so busy here getting ready for WWDC-related items (which will hopefully include a whole bunch of Snow Leopard details), that we seem to have pretty much missed this month entirely!

Mac OS X 10.5.7 came out, along with Security Update 2009-002. Containing almost 50 different fixes, the Security Update failed to address one of the only real vulnerabilities out there, an apparent flaw in Java that could be exploited through a malicious Web site.

President Obama announced the creation of a “cybersecurity coordinator” (czar) position along with the release of a major cybersecurity report (actually more a white paper). About time someone in the White House got a clue!

Apple came out with another “Get a Mac” TV ad devoted to Internet security. Similar to one from a couple years ago, the “Biohazard Suite” ad again touts the Mac’s major advantages as far as (lack of)viruses go.

And, in the late-breaking news arena, Apple today came out with QuickTime 7.6.2, which addresses the usual host of bugs (on both Windows and Mac) that can “lead to an unexpected application termination or arbitrary code execution.” Literally all 10 listed bugs have this phrase in their “impact” line. There also seems to be one such fix in the new iTunes 8.2, for Windows and Mac OS X 10.4 (but apparently not 10.5).

Bogus botnet claims

Fri, 17 Apr 2009 14:15:04 -0700

A few outfits are claiming that the first Mac “botnet” has been discovered in the wild. In an ironic analogy to viruses and anti-bodies, more “objective” sites are de-bunking those claims.

Among others, ZDNet is claiming that Symantec researchers have uncovered an active Mac botnet, where Macs have been taken over for use in organized nefarious activities, including denial of service attacks. Viewing the “original” Symantec research actually requires a paid subscription, which should tell you something right there.

ZDNet states that Symantec claims that the botnet originated in bogus pirated copies of iWork ’09 and PhotoShop CS4. Again, if this claim is true, it’s hard to feel sorry for anyone actually running this software, since they would pretty much be “getting what they paid for.” Also, such a group would likely be so small it would, at best, qualify as a micro-botnet.

Among other de-bunkers, Brian Krebs of the Washington Post (who we’ve accused here of, at minimum, being a dup in various other crying’s of “wolf”) has a useful post on his blog about this whole situation:

I noticed several items referencing news about the "world's first Mac botnet." As I read on, it became clear this was neither news nor a first.

He goes on to talk about how nothing being disclosed today is really news at all, dating back to 2006 in some cases. Clearly there’s PR value in promoting FUD (fear, uncertainty and doubt) in the Mac space, where little of it has existed before. This fact is also quite telling, in a not-good way.

As the Mac becomes more popular, not only will it, in all likelihood, be subject to more real attacks, but both those attacks and non-real ones will continue to be played up more by the media. So we’re likely to see a geometric growth in the number of articles talking about Mac security “failings.”

The end result of this exaggerated reporting will be that it may well be hard to know when the first serious “failure” has really happened. Hopefully we can help with that in this blog :) In that vein, here’s another fairly decent, mainly-factual and informative article on the whole botnet subject from Macworld: First Mac OS X botnet activated

CanSecWest strikes again

Fri, 20 Mar 2009 12:33:02 -0700

For the third time in as many years, a Mac has been compromised at the CanSecWest security conference. With the prize once again being a MacBook, it’s no surprise that the Mac was a popular target. As reported in ComputerWorld, last year’s winner, Charlie Miller, was at it again, taking full control of an up-to-date Mac running Safari by simply having it go to a malicious Web site of his design. The hack took all of a few seconds to unfold.

Another hacker, “Nils” took down Windows computers via Internet Explorer, Firefox and Safari, in equally short amounts of time. So it seems the state of the security world right now all-in-all is not very good, with reasonably-well-known holes all over the place. And running Mac OS X really doesn’t seem to help any more, at least as far as this method of attack. Viruses and other pieces of malware, however, remain another story.

With all the phishing schemes out there, we already need to be paranoid about which Web sites we go to. With actively malicious sites now becoming more common too, we need to be even more paranoid (if that’s possible). And even legit Web sites, with weak security, in theory can be compromised and turned into malicious ones, giving us yet another thing to worry about!