Posted by: David Harley | March 21, 2014

Words to the wise

A handful of articles that might be of interest to OS X users (mostly from ESET – that doesn’t mean no-one else is writing about Macs, but obviously ESET material is likelier to cross my radar):

And if you’re not too tired after following all that advice, you might find an article on Better Mac Testing? How OS security can make AV testing harder by Lysa Myers and myself of interest – actually the first in a series based on our paper for Virus Bulletin last year: Mac Hacking: the way to better testing?

David Harley
Small Blue-Green World

Posted by: David Harley | March 18, 2014

And in more cheerful vein, Mavericks security tips

Rob Waugh, for ESET, offers Five tips to help control your privacy on Mac OS X, pointing out that ‘Apple’s Mac OS X Mavericks has some very neat privacy features built in – from a “Guest User” account which restricts people to using Safari when borrowing your Mac to a panel which prevents apps using your location’.

David Harley
Small Blue-Green World

Posted by: David Harley | March 18, 2014

Azimuth* believes iOS 7 has lost the compass

At least, a paper Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG, presented by Tarjei Mandt at CanSecWest, concludes that ‘an unprivileged attacker can recover arbitrary PRNG [PseudoRandom Number Generator] outputs on devices running iOS 7.’ Mandt believes that the early random PRNG in iOS 7 allows an attacker to bypass mitigations of vulnerabilities previously considered to be unexploitable. The findings are summarized in Azimuth’s blog here and an Infosecurity Magazine article here.

David Harley
Small Blue-Green World

*http://en.wikipedia.org/wiki/Azimuth

Posted by: David Harley | March 2, 2014

Android and malware

John Gruber was less than impressed by Sundar Pichai’s take on Android’s balance between security and ‘freedom’, speaking at the Mobile World Congress: Malware Is Freedom.

He also cites a couple of reports that indicate that a very high percentage of mobile malware is Android-specific, and points to an article giving more context to Pichai’s remarks.

Since I get much of my income from an industry that Google considers to be populated by charlatan scammers, I couldn’t possibly comment.

David Harley

Posted by: David Harley | March 2, 2014

Apple’s iOS security paper

Not to be confused with Apple’s Secure Coding Guide, flagged here a few weeks ago. iOS Security is specifically about how security technology and features are implemented in the iOS mobile platform.

There are sections on system security, encryption and data protection, app security and network security, Internet services and device controls.

An article in Macworld by Marco Tabini also refers.

David Harley
Small Blue-Green World

Posted by: David Harley | March 2, 2014

AMTSO adds Android feature testing tools

[Also posted to the Anti-Malware Testing blog.]

With a very muted fanfare, AMTSO has adjusted and expanded its web page for anti-malware feature settings by splitting it into two pages: the main page now links to “Feature Settings Check for Desktop Solutions” and “Feature Settings Check for Android based Solutions”.

The Desktop Solutions page still links to the following tests:

  1. Test if my protection against the manual download of malware (EICAR.COM) is enabled
  2. Test if my protection against a drive-by download (EICAR.COM) is enabled
  3. Test if my protection against the download of a Potentially Unwanted Application (PUA) is enabled
  4. Test if protection against accessing a Phishing Page is enabled
  5. Test if my cloud protection is enabled

The Android links are as follows:

  1. Test if my protection against the manual download of malware is enabled
  2. Test if my protection against a drive-by download is enabled
  3. Test if my protection against the download of a Potentially Unwanted Application (PUA) is enabled
  4. Test if protection against accessing a Phishing Page is enabled

I haven’t looked at the new links, as I don’t have an Android device to test them with.

Feature testing is about checking whether your security product has specific features available and activated, and isn’t really related to the comparative testing that AMTSO mostly focuses on. Still, a lot of people seem to find tools like the EICAR ‘test’ file useful and reassuring.

David Harley
Small Blue-Green World

Posted by: David Harley | February 26, 2014

Snow Leopard waves goodbye to support?

Gregg Keizer for Computer World: Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks. Well, Apple has never had Microsoft’s patience with the upgrading of obsolescent operating systems, even though upgrades are often highly dependent on hardware suitability.

  • Windows XP: released 2001, support ending in April 2014.
  • Snow Leopard: released 2009…

Just saying. Some would argue that maintaining XP for so long has meant that people haven’t been upgrading to more secure systems.

David Harley
Small Blue-Green World

Posted by: David Harley | February 26, 2014

A little more rain on Apple’s parade

[Maybe the tweet about security vultures sounded harsher than intended. Apart from the fact that I quite like vultures (at a distance), I'm as 'guilty' as anyone else when it comes to criticizing what I see as Apple's mistakes. Apologies to Johannes and Kurt: hope they won't take offence.]

I told you Apple isn’t having a good week: Johannes Ullrich of the Internet Storm Center claims that Apple’s security reputation is a myth, according to Andre Mayer for CBC News.

Apple’s reputation for software security a ‘myth’: expert

Well, if there are people out there who still believe that Macs and iGadgets can never have a security problem of any sort, I suppose you could call that a myth. If it means that Apple security is some kind of illusion or delusion, I can’t agree. Apple has made major contributions to the general raising of security standards built into operating systems in general by the efforts it makes to maintain the integrity of OS X and iOS. Does anyone really think that Microsoft and Apple don’t each keep a close eye on the other’s security initiatives? That doesn’t mean that neither company has ever made a mistake, or prioritized commercial advantage over the welfare of its users. That’s just the marketplace.

That said, Kurt Wismer believes that there are questions to be answered about the kind of coding practices that led to the goto fail mess: goto fail, do not pass go, do not collect your next paycheck. I can’t say I disagree with him.

David Harley
Small Blue-Green World

Posted by: David Harley | February 26, 2014

Fireeye’s PoC monitoring app on iOS

Apple is not having an altogether fun time at the moment, with the ‘goto fail’ still ringing in its ears. Meanwhile, FireEye reports that it’s been able to build a Proof of Concept (PoC) app that can record touch/press events on an iGadget running iOS 7 and send those data to a remote server. It doesn’t have to be a jailbroken device, either, apparently. The blog article does describe a workaround, though.

Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation

HT to Aryeh Goretsky for drawing my attention to a Neowin article that comments on the FireEye article.

David Harley
Small Blue-Green World

Posted by: David Harley | February 26, 2014

Mac Users: now those birds are really angry…

Graham Cluley for ESET*: Mac malware spread disguised as cracked versions of Angry Birds, Pixelmator and other top apps.

Says it all, really. There are several earlier but still very relevant blogs at SecureMac, though, and dropper analysis here.

David Harley
Small Blue-Green World

*Yes, I do some work at ESET. No, they don’t have anything to do with this site.
