Don’t Panic!
A report early today in Macintouch (search for “Linux.RST.B”) claimed that a Mac had been infected with a virus which was running a “foreign process” that probed both the user’s local network and the broadband network to which the machine was connected. The report contained incriminating-looking items such as a file named “” (previously implicated in certain Unix-based viruses) and the domain (an IRC network -- IRC channels are a common way for attackers to control compromised machines).
The report, however, was suspect in a number of ways. In particular, it was third-hand (at least), quoting a Macintouch reader who had read a conversation about the compromise on a security mailing list. A follow-up on Macintouch (kudos to the Macintouch people for timeliness) further indicated that the original conversation had in fact been posted to a different list before being forwarded to the security mailing list! More importantly, that follow-up also indicated that a critical line from the original list had been left out entirely:
There are many morals to this story, but the most important one is DON’T PANIC. Most (but not necessarily all) reports of this type will prove to be either false or nowhere near as bad as they first seem. And the more levels of indirection there are in a report, the more likely it is that the report contains inaccuracies.
OTOH... We don’t know yet for sure that this is how the machine was compromised. “Don’t panic” doesn’t mean “relax.” Relaxing prematurely over a report like this would be worse than panicking. There are still a number of open questions here, even if the follow-up report is accurate. How was the password intercepted, or otherwise compromised? Was SSH (Remote Login) really enabled on the machine, and reachable from anywhere on the Internet? Shouldn’t admin access have been necessary to implant such a process (or was such access perhaps enabled for the daughter)?
Finally, when it comes to security, it can never hurt to restate what may seem obvious. Especially when it comes from our book :)  For instance, before entering a password into a Web site, make sure the site is secure, i.e. that the connection is encrypted (https and the browser’s lock icon) and that the site is really the one you think it is (ISFYM, chapter 5, “Safe Surfing”). Don’t use the same password for different services, especially critical ones such as logging into your machine (chapter 4, “Managing Passwords”). Don’t enable powerful services like SSH (Remote Login) unless absolutely necessary (chapter 8, “The Sharing Preferences Dialog”), and then only with appropriate firewall protection (chapter 12, “Personal Firewalls”). And monitor your machine carefully for signs of an attack or compromise (chapter 13, “Analyzing and Responding to Security Threats”).
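Two of those checks, "is a powerful service like Remote Login listening on every interface?" and "is some process I don’t recognise holding an IRC connection open?", can be answered from the output of `lsof -i -nP`, which lists every open network socket with the process that owns it. The script below is an added example, not code from the post or from ISFYM: it parses that output and reports listeners bound to all interfaces (`*:port`) and established connections to the usual IRC ports. The sample `lsof` output embedded in it is constructed for illustration (the process names, PIDs and addresses are invented), and the IRC port list is an assumed heuristic, not anything the report established.

```sh
#!/bin/sh
# Constructed sample of `lsof -i -nP` output (invented processes and addresses,
# not taken from the incident described above).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      101 root    3u  IPv4 0x0001      0t0  TCP *:22 (LISTEN)
cupsd     150 root    4u  IPv4 0x0002      0t0  TCP 127.0.0.1:631 (LISTEN)
AFP       160 root    5u  IPv4 0x0003      0t0  TCP *:548 (LISTEN)
kdsq      333 alice   5u  IPv4 0x0004      0t0  TCP 192.168.1.5:50123->203.0.113.9:6667 (ESTABLISHED)
Safari    400 alice   6u  IPv4 0x0005      0t0  TCP 192.168.1.5:50124->198.51.100.2:443 (ESTABLISHED)'

# Print "command port" for every TCP listener bound to all interfaces ("*:port").
# These are the services reachable from anywhere your firewall lets in; a listener
# on port 22 means Remote Login (SSH) is on. Listeners bound to 127.0.0.1 are
# local-only and are not reported.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $NF == "(LISTEN)" && $(NF-1) ~ /^\*:[0-9]+$/ {
            split($(NF-1), a, ":")
            print $1, a[2]
        }'
}

# Print "command pid remote" for established TCP connections whose remote port is
# a common IRC port (assumed heuristic: 6660-6669 and 7000). A long-lived IRC
# connection from a process you cannot account for is a classic bot control
# channel, which is exactly what the report above described.
irc_connections() {
    printf '%s\n' "$1" | awk '
        $NF == "(ESTABLISHED)" {
            n = split($(NF-1), ends, "->")
            if (n == 2) {
                split(ends[2], r, ":")
                port = r[2] + 0
                if ((port >= 6660 && port <= 6669) || port == 7000)
                    print $1, $2, ends[2]
            }
        }'
}

# Stand-alone run against the constructed sample. On a real Mac, replace the
# sample with live output:  LIVE=$(lsof -i -nP); exposed_listeners "$LIVE"
echo "== listeners exposed on all interfaces (command port) =="
exposed_listeners "$SAMPLE_LSOF"
echo "== established connections to IRC ports (command pid remote) =="
irc_connections "$SAMPLE_LSOF"
```

On the sample this flags `sshd` on 22 and `AFP` on 548 as exposed, and the unfamiliar `kdsq` process talking to port 6667. Neither finding is proof of compromise by itself; the point is that both are things the owner of the machine should be able to explain, and on the Mac in the report the owner apparently could not. Cross-check the SSH finding with `systemsetup -getremotelogin`, and remember that a listener is only reachable from the Internet if the firewall lets the port through.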

Macs are attacked over the Internet far less often than Windows machines. But that certainly doesn’t mean they’re invulnerable, as this report reminds us. So don’t panic, but do be vigilant.
Monday, February 13, 2006