Internet Security for Your Macintosh: A Blog for the Rest of Us

Recent security happenings

Tue, 13 May 2008 08:14:52 -0700

You may (or may not) have noticed that it’s been a while between entries here. A record time, in fact. There are two good reasons for this long interval:

There’s been very little news in the Mac security world
OK, we admit it, we’ve been very busy working on a top-secret iPhone project, which we just submitted to the Apple Design Awards contest.

Both of these reasons are, as we said, “good.” In the security world, no news is certainly good news. And we’re optimistic that our iPhone product is going to greatly enhance our current product line, although perhaps in a way that some will find surprising.

The last few days have brought a couple pieces of interesting security news:

Leopard’s Back to My Mac system, which we’ve written about extensively here, was used in an interesting way to recover a stolen laptop (so interesting that many newspapers, including the New York Times, actually ran articles). Although we’ve recommended against use of Back to My Mac unless you really know what you’re doing, we’ve also always said that the risk of machine loss due to theft and other related “physical” issues is way higher than the risk of attack over the Internet. So, in a strange sense, Back to My Mac seems to be an insurance policy against really stupid thieves stealing your computer and putting it, unmodified, back on the Internet!

A recent paper provides very interesting details about the latest spike in “brute-force” SSH (remote login) based “dictionary” attacks. As we’ve said in the past, enabling SSH is highly risky, and should only be done if you’re sure you have a very, very good password.

The wait is over

Thu, 17 Apr 2008 09:00:35 -0700

Just a couple days after our bemoaning the relatively long wait for a fix to the recent CanSecWest Safari vulnerability, Apple has now released Safari 3.1.1, which claims to fix that very bug. According to the release notes:

Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow exists in WebKit's handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller for reporting these issues.

Charlie Miller was the researcher at CanSecWest who won the MacBook Air by using the vulnerability to take over the machine. Clearly this is not one of those “theoretical vulnerabilities,” so this particular fix should certainly be installed quickly on all machines using Safari 3.1. Mr. Miller did the right thing by not disclosing the actual bug until Apple had it fixed, but now that it’s fixed its details will no doubt come out, and unfixed machines will be at risk.

It took Apple about 3 weeks after notification to issue the fix. To us here, that feels like a awfully long time. A lot can go wrong in the 3 weeks. But in the overall scheme of things, maybe it’s not really that long after all.

Still here and still waiting

Tue, 15 Apr 2008 09:32:24 -0700

In case you’re wondering why you haven’t heard anything from us here for a while, it’s because there really hasn’t been much to say. Normally no news is good news in the security arena, but in this case there’s at least one area where we were actually expecting some news: the MacBook Air break-in from CanSecWest.

Very little has leaked out since this serious vulnerability was exploited at that security conference (and immediately disclosed to Apple). It’s well known to be a Safari 3.1 vulnerability, but not much more. Rumors abound that the flaw was fixed a while ago in the open source project that is the basis for Safari, but no specific fix or update from Apple has been announced (Apple did fix various QuickTime vulnerabilities that could be, but probably aren’t, related). On the other hand, Adobe quickly fixed the flaw in its Flash Player that allowed a Windows Vista laptop to be similarly compromised.

Guess we’ll just have to keep waiting for a while.

MacBook Air is big loser at CanSecWest

Fri, 28 Mar 2008 07:43:32 -0700

Although details are sketchy, it looks like the MacBook Air, and perhaps Apple in general, were the big losers yesterday at the CanSecWest security conference. As we mentioned, Mac OS X, Windows Vista and Ubuntu Linux were pitted against each other at the conference, with machines running each available for hackers to attack. Apparently the MacBook Air fell first, as reported by many publications including the Washington Post.

Since the winner had to sign a non-disclosure agreement (assumedly so Apple can be notified of the flaw), it’s hard to say where the vulnerability lies, but the most likely candidate is some component invoked through Safari (last year, in a similar contest, the component was QuickTime). It seems the winner was able to take over the machine by having Safari view a “malicious Web site,” which contained special-crafted code that took advantage of the flaw and enabled additional code to be run in such a way that it could do bad things on the machine.

Neither the Windows machine, nor the Ubuntu machine, fell victim to the same type of exploit. As we said yesterday, stay tuned (including to the blog of one of the contest’s sponsors)...

Pwn-2-own, round 2

Thu, 27 Mar 2008 08:51:57 -0700

It’s time once again for the annual CanSecWest security conference, going on right now in Vancouver. At last year’s conference, a MacBook (and cash) was offered as a prize to anyone who could exploit a Mac OS X security hole to take over (“pwn”) that MacBook. And there was, after many attempts, a successful exploit. The “pwn-2-own” contest is back again this year, with a twist.

The twist is that Macs aren’t the only target. There are three machines available for “pwnage:” a MacBook Air running OS X Leopard 10.5.2, a Fujitsu laptop running Windows Vista Ultimate SP1 and a Sony Vaio running Ubuntu Linux 7.10. Rules are similar to last year, with the first day having the strictest requirements (no user interaction allowed -- the exploit must be completely remote).

It will be quite interesting to see the results of this innovative new version of the contest. In particular how the still-relatively-new Leopard system holds up. Also if the MacBook Air’s Remote Disc features is somehow involved. Stay tuned...

Anti-virus tidbits

Tue, 25 Mar 2008 08:00:33 -0700

This week’s TidBITS has an interesting and well thought-out article entitled “Should Mac Users Run Antivirus Software?” It’s a good question, and they supply a good set of answers. A bit surprisingly, the gist of the article, written by security expert Rich Mogull, is “usually, no.”

Rich makes a number of good points. He starts off by saying that he feels Mac OS X is not intrinsically more secure than the current version of Windows, but that it is much less subject to viruses nonetheless, for financial reasons. That is, it is much more economical for hackers to go after Windows due to its much larger installed base.

Rich also points out that any anti-virus software is at best 85-95% effective, so it will always miss a number of viruses anyway. It also uses a number of resources on your computer, and can slow things down quite a bit (he doesn’t point out that there are also known instances of the anti-virus software being an attack target itself).

While pointing out that things can certainly change as the Mac continues to get more popular, Rich specifically recommends anti-virus software in only a limited number of cases:

If you engage in “risky behavior,” which includes not just visiting “Web sites you might want to avoid at work,” (porn!) but also “installing strange software from non-standard locations, failing to filter for spam, installing any random social networking plugin you find... online gambling, hacker research, illegal file sharing... browsing media-heavy sites other than brand names like YouTube, or downloading software posted to forums or lesser-known sites.”
If you let children use your Mac unmonitored. You should also be sure they’re using a non-admin account.
Exchanging a large number of files with Windows users.
Using your Mac in an enterprise with anti-virus policies.
Running Boot Camp or Windows virtualization software. In this case you should be sure to install Windows anti-virus software.

Rich does an excellent job of pointing out, near the end of the article, that things are likely to change if we’re not careful. Windows Vista is turning out to be relatively secure, so there are now two things working against the Mac from a security perspective: the Mac is getting more popular, and the installed base of Windows machines is getting harder to hack. Between these two, we all need to be more diligent about security, and we need to encourage Apple to advance some of the recent security measures it started incorporating into Leopard. Only through measures like these can we “avoid resource leaching desktop antivirus in the long term” he concludes.

Security update 2008-002

Tue, 18 Mar 2008 17:39:36 -0700

Apple has just shipped Security Update 2008-002 (for Tiger and Leopard), along with an additional security update for Safari (for both Mac and Windows), to version 3.1. Both are available through Software Update, and probably worth installing expeditiously after the usual day or two waiting period to make sure there’s nothing seriously wrong with the updates.

Neither update includes anything that seems critical, but there are certainly the usual set of theoretical holes that it’s good to see Apple closing.

MacBook Air Remote Disc security overview

Tue, 18 Mar 2008 08:00:05 -0700

As promised, we’ve spent some time reviewing the new MacBook Air’s Remote Disc feature from a network security point of view. It’s confusing and a bit worrisome.

Remote Disc actually consists of three distinct pieces, each implemented quite differently: “DVD or CD Sharing,” which we overviewed and raised questions about previously, “Remote Install Mac OS X,” which lets you run the Mac OS X Installer remotely, and “Remote Migration Assistant” which lets you migrate an account from a remote Mac to the MacBook Air. Each has its own “challenges.”

It’s hard to tell how DVD/CD Sharing is different from Personal File Sharing. Both let a machine with an optical drive share the files on whatever volume is in that drive with the MacBook Air over the local network. Internally, however, DVD/CD Sharing is quite different from Personal File Sharing. It seems to share the volume more as a disk image than as a set of files. Perhaps some installer applications work better this way. DVD/CD Sharing can also run on Windows, which Personal File Sharing does not do.

Beyond general confusion, the main problem with not using Personal File Sharing, however, is that DVD/CD Sharing doesn’t use File Sharing’s Apple Filing Protocol (AFP). AFP is well understood and vetted from a security perspective, whereas DVD/CD Sharing is not. AFP also provides a number of important security features, like names and passwords, which DVD/CD Sharing does not. And worse yet, DVD/CD Sharing does not seem to use a standard network port, or even the same port every time. Instead, it uses a dynamically-chosen high-numbered port, starting at 49152. This port usage makes it very difficult to protect (or allow access to) this security-flawed feature with a firewall. For instance, at least under Tiger (Mac OS X 10.4), if you have the built-in firewall (or a third-party firewall like our DoorStop X) active on the remote machine, DVD/CD Sharing will be blocked. And there isn’t even a single port you can open up to unblock it. You have to open a wide range of ports, or shut down the firewall entirely, both of which are very bad things from a security perspective. (As a potentially mitigating factor, DVD/CD Sharing supposedly only works over your local network, not the Internet, but there’s no easy way to confirm this fact).

In the unlikely event you’re able to master the security ramifications of DVD/CD Sharing, most of what you learned won’t apply to the other two pieces of Remote Disc: Remote Install and Remote Migration Assistant. Remote Install is an impressive tour-de-force that enables a MacBook Air to run the standard Mac OS X Installer from the optical drive of another Mac or Windows machine on the same network. To do this, you actually boot the MacBook Air over the network, using the Installer DVD sitting in the drive of that remote Mac or Windows machine (which is running a program called “Remote Install Mac OS X”). You can then do all the standard things that installer lets you do, including installing or upgrading OS X on the Air, running Disk Utility to re-format the Air’s disk, or resetting its password.

Remote Install does not seem to expose the same range of security issues as DVD/CD Sharing, but it does have one similar problem which can result in not just a security exposure but also a serious bug. Like DVD/CD Sharing, Remote Install requires you to again open a wide range of ports through the firewall in the remote machine, because it again uses a dynamically changing port number (in addition to static port 7799). If its chosen dynamic port is blocked (as it is by default through the Tiger built-in firewall and DoorStop X), the remote booting process will proceed for some time and then the MacBook Air will get a kernel panic. That’s right, smack in the middle of booting, a scary, multi-lingual screen will tell you that you need to restart your computer by holding down the power button! Not good.

The final piece of Remote Disc is Remote Migration Assistant, which is used to move your settings and files from another Mac over to the MacBook Air. Usually this operation is done over Firewire, but the MacBook Air doesn’t have Firewire, so Apple chose to do it over your local network. Similar to Remote Install, you run an application (this time called simply “Migration Assistant”) on a remote Mac on your network (there’s no Windows support for this piece). You run the same application on the MacBook Air, telling the Air version to look out on the network for the remote version. Similar to the other two pieces of Remote Disc, Remote Migration Assistant uses another, different, dynamically changing port for much of its operations. For total inconsistency, however, this time it seems you have to open that large dynamic port range in the firewall on the MacBook Air itself, not on the remote machine (although Leopard’s built-in application firewall on the Air doesn’t seem to require you to do this). Remote Migration Assistant also uses port 500 (on both machines), which is part of IPsec and VPNs (which securely encrypt all your data as it moves over your local network, a good thing but perhaps overkill for this particular application).

OK, had enough? I know we have here. There’s still a lot more to explore and explain, for instance ways of dealing with all these issues with the minimum of security compromise. But this entry is already approaching record length, so we’ll save those for next time.

iPhone SDK initial evaluation

Tue, 11 Mar 2008 08:59:04 -0700

Last week Apple unveiled the much-anticipated iPhone SDK (software development kit), which will enable software developers, such as Open Door Networks, to create and distribute applications that can run on the iPhone. We’ve been hard at work ever since evaluating that SDK, both from a security and an opportunity perspective. Our conclusion: the SDK is a bit too secure for our tastes!

Apple has done an excellent job with the SDK. So excellent that it looks like there may well be scant opportunity or need for Open Door security software on the iPhone. The two go hand-in-hand. In particular we feel (and remember, this is a very preliminary evaluation) that the SDK provides just the right tradeoff between opening the iPhone up too much (and thereby exposing it to the same set of security issues as any other Internet-connected general-purpose computer) and too little (thereby greatly limiting the potential of developers to supplement and enhance the platform).

As an example, an SDK-developed application cannot access the full iPhone (Mac OS X) file system. It can only access files that are local and relevant to it. But most iPhone applications only need this local access; anything more would introduce additional security risks. Likewise iPhone applications can not perform any operations that require what on the Mac would be called administrative access. They run pretty much in their own “sandbox,” which is fine for 95% of the potentially useful applications out there. Yes, maybe 5% of the useful applications (including ones Open Door would tend to do) may be un-writable, but the system will be 95% more secure than if those 5% were allowed. As much as we hate to admit it, this seems like a good tradeoff.

As further compensation for this 5% limitation, the SDK contains an amazing amount of functionality. Developers get easy access to almost all general (Mac OS X) operating system features, including network services such as Bonjour. We also get access to most iPhone-specific features like the multi-touch screen, accelerometers, camera, and device auto-location, and great tools such as an excellent looking Mac-based iPhone simulator and debugger. This great stuff is all the more reason that Open Door continues to look hard for an area in which we can add value via the SDK. It just might be that we need to look a bit outside our traditional security area. But who knows -- the jury is definitely still out right now. What is clear is that Apple has done an amazing job with the SDK.

Open Door, security, and the race for president

Mon, 3 Mar 2008 15:20:03 -0800

In a strange confluence of language, politics and Internet security, Open Door Networks’ president (and book/blog co-author) Alan B. Oppenheimer was quoted in a New York Times Magazine article, “Bird-Dog Minute,” about the 2008 U.S. presidential campaign. And it’s not just any New York Times article. It’s an article by Pulitzer prize-winning political columnist William Safire. The timely article juxtaposes Alan and Open Door with the likes of Hillary and Bill Clinton, Barack Obama and Ronald Reagan. “It’s my 15 sentences of fame,” Alan was heard to remark.

In all seriousness, the second half of the article is interestingly about how the term “fire wall” (Mr. Safire insists on writing it as two words) has come to be “the hot new word” in presidential primary politics. Referring briefly to its first citation in 1799, the article devotes most of a paragraph to the word’s modern-day history, as conveyed by Open Door’s president (italics are from the article):

Fire wall, first cited in 1799 as a literal wall between houses to prevent the spread of fire, gained new popularity in 1991 in computerese. “Fire walls were dedicated pieces of hardware that were placed between the Internet and organizations’ networks to ward off attacks,” says Alan Oppenheimer of the security firm Open Door Networks. As “personal” fire walls became necessary, in 2002 Microsoft and Apple began building them into operating systems; “wireless networking made fire walls even more critical, since access can come not just from the Internet but from your neighbor.”

For those interested in the back-story to these sort of things, there’s not really much to it. Mr. Safire’s assistant contacted Open Door Networks looking for an expert in the history of computer firewalls. Figuring he was probably as qualified as anyone else (and honored to have been chosen), Alan sent back a page-long overview, from which was extracted (a few weeks later) the above paragraph.

One snippet from the article is particularly timely, with make-or-break primaries coming up tomorrow. Referring to Hillary Clinton, the article quoted a source as calling out “Ohio and Texas and Pennsylvania, which are the three big fire walls she’s counting on.” I guess we’ll know very soon now if those firewalls did their job!

IPv6 strikes again

Wed, 27 Feb 2008 08:44:50 -0800

It’s been a while, but another security flaw in the little-used IPv6 protocol set has opened up a security hole in Mac OS X. As documented here previously, IPv6 is the “next generation” of Internet protocols, but is currently used mainly in just a few research environments. As documented by CERT, a flaw in the open source implementation of IPv6 used in Mac OS X “may allow an attacker to cause a vulnerable system to crash.”

To date, it’s pretty clear the security risks of IPv6 have significantly outweighed its benefits as far as “the Rest of Us” are concerned. In particular, last year Apple shipped its new AirPort Extreme base station with a default but undocumented configuration that exposed the machines connected to it to a public IPv6 Internet. Apple quickly corrected this problem.

At some point a day will come when IPv6 proves useful to us normal Mac users. Until that day however, you should disable IPv6 access to your Mac, either through your firewall if it supports doing so (our DoorStop X Firewall does, although the Mac OS X built-in firewalls do not), or through the Network System Preference panel.

Mac security: a measured response

Tue, 19 Feb 2008 08:11:07 -0800

It’s good to see a measured and well thought-out response to developments in the Mac Internet security space. Such a response was recently published in a Baltimore Sun article. Entitled “Sophos selling Mac vulnerability” the article addresses recent seemingly self-serving claims by Internet security software vendor Sophos PLC.

As the article, by David Zeiler, summarizes, Sophos sells Internet security software. Mainly for Windows machines, but also for Macs. They recently have been emphasizing the “rise of malware for Apple Mac computers,” both through their comprehensive Security Threat Report (with subhead “Mac users targeted by financially motivated hackers for the first time”) and through a poll on their Web site where people voted that the Mac will be more targeted in the future. No big surprise there.

The Baltimore Sun article condemns Sophos’ tactics while at the same time pointing out that the company is not entirely wrong. Using a great analogy, it compares Sophos’ statements to those of an auto mechanic telling you your car needs repairs “just to be on the safe side”:

No harm done exactly, but then again you didn’t really need it -- not yet, anyway. That’s how I feel about security software for the Mac. I have yet to see any hard evidence that Mac users truly need anti-malware protection.

The article summarizes some of the recent Mac malware proofs-of-concept, making it clear that there are warning clouds on the horizon. It also importantly talks about key things we Mac users should do right now, including using a personal firewall, installing Apple’s security updates, and exercising “vigilance and common sense.” Very measured, and very useful.

Here at Open Door, as readers know, we sell Macintosh security software too. Hopefully readers have also come to realize that we try to be measured in our analysis of the Mac Internet security world. It’s good to see at least someone in the press acts the same way!

Boring is good

Tue, 12 Feb 2008 07:53:53 -0800

When it comes to security updates, boring is good. The latest security update, 2008-001, is boring. The update, included with the Mac OS X 10.5.2 (Leopard) update, and also available for Mac OS X 10.4.11 (Tiger), contains little of great interest or concern. That’s the way it should be.

A good example is a fix for the Service Location Protocol (SLP). SLP is actually no longer used in Leopard, and the fix for Tiger addresses an issue raised over a year ago by the Month of Apple Bugs project. Why Apple chose to fix this problem now is a good question, but that fact that they took over a year and no one really worried is a good indicator of how boring the fix is :)

The update only contains 11 items, compared to, for instance, the 50 in security update 2007-003. Of those 11, only a couple are really worth worrying about. These are the usual “maliciously crafted URL” vulnerabilities, where in theory a “maliciously crafted Web site” could wreak havoc with your machine. Beyond that, not much. Which is a good thing.

Blog-iversary statistics

Mon, 11 Feb 2008 08:31:57 -0800

As part of our two-year blog-iversary, we’ve compiled some interesting and telling statistics about the 153 entries we’ve published over the past two years. We took each entry and assigned it to at most two categories, with all but 19 entries actually only assigned to one category. The categories were of course quite arbitrary, but we feel the information in meaningful nonetheless:

And here’s the raw data and some added explanation:

General (general Internet security issues) 29
Microsoft 22
Purported (purported attacks, vulnerability, malware, etc.) 14
Open Door 14
WiFi 13
Leopard 12
Tiger 11
QuickTime 9
Apple (Apple Computer itself, as opposed to the Mac specifically) 8
Mac security (Mac-specific security issues) 8
iPhone 7
Other 25

It will be interesting to see how this data is different after the next two years!

Blog-iversary

Fri, 8 Feb 2008 09:41:33 -0800

Today is the two-year anniversary of the start of this blog. Happy Blog-iversary to us! Our first blog entry, made soon after the introduction of Intel-based Macs at Macworld Expo 2006, was entitled “Intel Macs and Internet security.” It asked the still very relevant questions “Does this mean the new Macs will now be subject to all the security problems that Windows machines have?” and “Does this mean the new Intel Macs will be less secure than the PowerPC Macs were?”

Our answers of “No” to the first question, and “most likely” to the second one have been proven quite correct so far. The Mac clearly remains much more secure than Windows, with few ongoing serious security problems. In fact, the Mac’s excellent security is usually quoted as one of the main reasons for its resurgence over the past two years. The malware score remains around 236,000 to 7, with the Mac well entrenched on the “losing” side.

At least some of those “7” pieces of real Mac malware, however, have come to exist due in part to the Mac’s use of Intel processors. As we predicted, those processors have allowed a few hackers (usually calling themselves “researchers”) to leverage the Intel-hacking expertise they developed hacking Windows in creating their Mac malware. For instance, the CanSecWest hack was a good (or bad) example of this leverage.

Alas, with the Mac’s increasing popularity and media attention, and with the allure of other popular Apple devices, in particular the iPhone, it’s pretty likely that we’ll see more such Mac malware over the next two years than we have over the past two. And some of these pieces of malware may even be more than simply proofs-of-concept, so we do need to continue to be concerned and vigilant. However, on our four-year blog-iversary, we’re still guessing the score is going to be something like 736,000 to 87. Here’s hoping anyway!

Macs need security too?

Wed, 6 Feb 2008 08:15:37 -0800

The title of an article in this week’s PC Magazine raises the hope that someone there “gets it” when it comes to Macintosh Internet security, but the article itself alas proves the opposite. The only thing going for “Macs Need Security Software, Too” by Lance Ulanoff, is its title. The rest of the article is pretty clueless.

The subhead of the article gets it off on the wrong foot: “Face it, Apple computer lovers, you need protection just as much as the Windows users down the hall.” Although in the specific area the article goes on to emphasize (phishing), this statement may be correct, it’s certainly not when it comes to other forms of malware.

The opening line of the article itself echoes the title, but the words “security software” are in fact a link to, of all things, Microsoft’s Live OneCare product, a subscription-based anti-malware system for, yes, Windows users! You would think the article could have at least linked to a product (or, better yet, a list of products) that ran on the Mac!

The article then presents its central (and actually correct) point, that Mac users are just as vulnerable to phishing and other “social engineering” attacks as Windows users are. It recommends users run Internet security software suites to help protect against these attacks, and then links to an extensive list of Windows-only suites.

The article concludes with “let me say it again, but with a twist: Mac users are not invulnerable.” So its title and last line are correct, and everything else in between is pretty much useless. Too bad.

Oh, and by the way, if the title of the article sounds familiar, try Googling something like “apple security” and check the “sponsored links” on the right hand side!

MacBook Air brings new Sharing service

Fri, 1 Feb 2008 07:59:42 -0800

The MacBook Air, announced at Macworld, is now shipping. The included “Remote Disc” software adds a new service to the Sharing System Preferences of other machines on your network. Not much is known about “DVD or CD Sharing,” but the MacBook Air User’s Guide makes it clear that this is one of the methods by which a Mac (or Windows machine) makes its optical drive available to the MacBook Air over your local network.

After installing special software (included with the Air) and activating “DVD or CD Sharing” on the “other computer” (which, if a Mac, must be running Mac OS X 10.4.10 or later), that machine’s remote optical drive appears in the Finder sidebar on the MacBook Air. It can then be accessed just like any other local disk or shared machine.

Some interesting questions include:
How is the service implemented? Does it use TCP or UDP, and what port number(s)? How can you safely limit access to the service (via either the built-in firewall, which is quite different depending on if it’s on 10.4 or 10.5, or a third-party firewall)?
Will the service only make the drive available to MacBook Airs, or will there be a Leopard upgrade that makes it available to other Leopard Macs as well?
Do other remote optical drive features, like migration assistant and remote booting, work differently (from a network perspective)?

Internet security for your picture frame?

Wed, 23 Jan 2008 11:53:53 -0800

It was just a matter of time before viruses and other forms of malware started attacking consumer devices. In fact Apple, always on the cutting edge, shipped an iPod with a virus over a year ago. And now an infected picture frame has been shipped. MSNBC and others are reporting that Best Buy had to pull an Insignia digital picture frame from its shelves because the device had been manufactured with a virus.

Insignia has issued an alert about the problem. In the alert they imply that, if you hook the picture frame up, via USB, to a Windows PC (which is one of the main ways you would get pictures onto it), the PC could become infected with the virus. They claim up-to-date anti-virus software (which all PC users should certainly have, right?) will block the virus and even disinfect the picture frame. Macs, they claim, cannot be infected by the virus.

As more and more consumer devices have computers behind them, and as Internet-based malware becomes a bigger and bigger deal, Internet security for these devices will certainly become a bigger issue as well. Although this virus did not come directly from the Internet (more likely, indirectly via the manufacturing process), it certainly could have. Actually, it’s really just a matter of time...

Macworld security happenings

Mon, 21 Jan 2008 08:00:47 -0800

There was not a whole lot going on at Macworld from a security perspective, but there certainly were of few highlights in addition to the talk by Open Door’s president, Alan.

In terms of Internet security vendors, Intego was there with their standard castle-like green booth. SecureMac also had a booth. New, larger vendors included McAfee and LANDesk. Conspicuous by their absence was previous leader Symantec, whose Mac offerings have, to some extent, fallen into disrepair.

There were also a number of vendors showing “secure storage” solutions including RAID, encryption and “storage area network” products. And one vendor was showing a finger-print scanner solution for the Mac.

Beyond these items, Apple’s announcements included a couple key potential security items that merit further investigation. Time Capsule is a remote storage system mainly for use with Leopard’s Time Machine, but also potentially for use, via AFP and SMB, as a remote disk, similar to the one included with the 802.11n AirPort Extreme Base Station (on which Time Capsule is based).

Most interestingly (and complexly), the MacBook Air’s remote optical disc feature provides at least three areas where network security concerns need to be explored (on each of two platforms, since it also runs on Windows). In response to questions posed at the Apple booth, these areas seem to be: remote software installation, remote booting (mainly to allow reinstallation of the OS on the Air if needed) and remote migration assistant.

We plan to explore all three of these areas in the weeks ahead.

Macworld cometh

Thu, 10 Jan 2008 08:22:37 -0800

It’s that time of year again. Macworld Expo begins Monday in San Francisco, with Steve’s big keynote on Tuesday. Open Door will have representatives there, although no booth this year. We’ll be on the lookout for security-related products and information, and report back as best we can (the show actually even has a blogger’s lounge).

Right now, from a security perspective, the main thing to know about Macworld Conference and Expo is that Alan Oppenheimer, Open Door’s founder and president, and co-author of the book and this blog, will be presenting at the conference. Actually co-presenting, along with Marshall Clow from Idio, The two will be giving a talk entitled simply “Keeping Safe on the Internet.”

The talk will hopefully be as straightforward as it sounds, since simple is good when it comes to security. It’s actually based directly on the “Internet Security Top 10” associated with this blog. If you’re at the talk (Thursday 3:30pm), stop by afterward and say hi.