Is MacDefender Malware a Sign of the Macpocalypse?

There is a new world order. MacDefender, and subsequently MacGuard, demonstrate that the inherent security by obscurity of the Mac is fading, and that attackers are looking at the bigger picture.

The security mantra of Mac users revolves around the fact that it's not Windows. Look at the comment thread of almost any post online about a new vulnerability, or new malware attack impacting Windows, and inevitably you will find a Mac user gloating about how they don't have to deal with those issues.

The trend in attacks targets the user, not the platform, so Mac OS X security is increasingly irrelevant
While that is true, it is misguided to believe that the reason stems from Mac OS X just being too secure for attackers to breach. Not being the preferred target is nowhere near the same as being impervious. Just because Cadillac Escalades or Chevy Silverado pickups are stolen more than the Ferrari 458 Italia doesn't mean the Ferrari 458 Italia can't be stolen. It means that there are way more Cadillac Escalades and Chevy Silverados in the world.

Read more »


Can You Trust Your Data to Google Wallet?

Google made good on predictions that it would unveil an NFC mobile payment system at a media event today--sharing details of the new Google Wallet. The idea of completing purchases with a swipe of the smartphone is compelling, but it seems like using your smartphone as a wireless wallet is an invitation for having your credit card data compromised.

Google has partnered with Citibank to include native support for Citicard credit cards, but Google was smart enough not to paint Google Wallet into a corner with just one card. Google Wallet also include a Google payment option that can be pre-filled using funds from any credit card.

Make sure you protect your credit card data in your Google Wallet
So, you put all of your credit card data into the Google Wallet one way or another, then you are all set. Leave your wallet at home. This is 2011 and now you can just make purchases with a tap of your smartphone.

Read more »


Hotmail Targeted by Zero-Day Attack

Hotmail accounts were recently targeted by an attacking against a zero-day vulnerability in the Microsoft Webmail system. The attack is more insidious than some because it executes without user intervention when a malicious email is opened.

Most attacks require some additional action on the part of the user. Malware often comes in the form of a file attachment, or URL link embedded within an email. Those attack vectors are successful enough, but at least some users are conditioned enough at this point to know not to open file attachments or click on links. But, a threat like this one--that just works as soon as a message is viewed--can be a significantly bigger threat.

A zero-day attack targeted Hotmail accounts.
Researchers at Trend Micro detected the threat, and dug in to learn more about what makes it tick. According to a Trend Micro blog post, when a specially crafted message is viewed the malicious script executes automatically. The script then steals email messages and contact information from the Hotmail account.

Read more »


No Rapture, But Watch Out for Apocalypse Attacks

I didn't expect to get a ticket to the rapture, but judging from the lack of abandoned vehicles it seems that the rumors of the end of the world were a bit exaggerated. However, even though the world did not come crashing to a halt today, don't let your guard down just yet. Now comes the rapture spam and apocalypse phishing attacks.

Following the revelation (pun intended) that the rapture has been unavoidably delayed, ESET's David Harley wrote a blog post assuring customers that ESET--or at least the less devout members of ESET that remain if the rapture does come--will maintain normal operations and keep an eye out for any potential threat--real or apocalyptic.

It is a virtual guarantee that attackers will use the rapture and apocalypse in phishing attacks.
Harley explains, "We'll certainly continue to look out for the poisoned SEO (search engine optimization) that usually attaches itself to news-friendly (even sensational..) items like this, and the fake security software towards which it generally tries to lure its victims."

Read more »


Three Ways to Secure Macs at Work: Lessons from 'MacDefender'

For a long time, one of the strongest points for using Apple computers in your business as opposed to a Windows-based PC has been the suggestion that the Mac platform is somehow inherently more secure

It's a talking point of Macolytes everywhere, and even Apple got into the game with its "Mac vs. PC" series of commercials. And for the most part, it's been supported by the ridiculously low number of malware attacks that Mac users have endured compared with Windows users.

But with "MacDefender" malware making the rounds, the Mac doesn't seem quite so invincible right now. Malware on the Mac is not an entirely new phenomenon. There have been other cases, mostly proof-of-concept, in the past. And security software vendors have been sounding the alarm for some time about the potential for Mac malware. But then, that's what security vendors do.

Read more »


Bugs and Fixes: Adobe gives Users Privacy Controls; Skype Patches Extremely Dangerous Vulnerability

Credit: Adobe
This month Skype released a long awaited patch for a vulnerability that is extremely dangerous and could allow an attacker to remotely gain control of a system. Adobe released privacy controlls earlier this month, allowing you to control how much privacy you want. Microsoft also released a tiny Patch Tuesday.

Skype Publishes Updates For Skype For Mac Users

Last month Skype and Pure Hacking, a group of hackers in Australia, found a vulnerability in Skype for Mac 5.x which could cause Skype to crash when an attacker would send a specially crafted message. This vulnerability, according to Pure Hacking, can allow an attacker to remotely gain control of a shell, an interface feature for an application.

Read more »


Dropbox Speaks Out on Data Security Controversy

Dropbox has been making headlines this week, but not the kind of headlines that companies like to make. A complaint filed with the FTC accuses the cloud data storage provider of deceptive and misleading practices regarding just how secure customer data is. But, Dropbox takes exception to the claims and is speaking out to defend its security policies and terms of service (Tos).
Dropbox readily admits that it has altered the terms of service, but it rejects the idea that the terms were changed to backpedal on security or move the line in the sand as it relates to Dropbox data protection.

Dropbox encryption straddles the line between data protection and a simple user experience.
No, according to a new Dropbox blog post, the ToS is not fundamentally different than that of any other online entity--Google, Skype, Twitter, etc.. Dropbox says the ToC was modified to clarify some points and make it easier for Dropbox customers to understand--especially when it comes to explaining the specific circumstances under which Dropbox might disclose information to law enforcement. "We felt our old TOS language was too broad, and gave Dropbox rights that we didn't even want."

Dropbox also stresses that customer data is not just handed over to law enforcement at the drop of a hat. First, there is only an average of one such request per month--out of 25 million customers. Second, Dropbox has a stringent vetting process to ensure that any such data request is legally sound, and in the event that a request doesn't stand up to legal scrutiny Dropbox will stand up for the rights of the customer and protect the data.

Read more »