Category: Hardware


I can’t copy and paste anything, but it explains how the latest Intel “Security” add-ons aren’t secure at all… they make it trivially easy for your system to be hardware rooted, making it impossible for you to regain control of your system.

 

Intel Small Business Advantage is a security nightmare | SemiAccurate.

…………….. let’s look closely at the facts around the Flashback Trojan causing all this consternation, and clear up what it is versus what it is not, and put the results of the incident in perspective.

Yes it’s true that some 600,000 Macs are confirmed to have been infected. The claim, first made by Dr. Web, an outfit I had never heard of, has since been corroborated by Kaspersky Labs, whose research and analysis capabilities are well-respected. More than half of the compromised machines are in the U.S., 95,000 in Canada, 47,000 in the U.K., and 41,000 in Australia.

The trojan targets a vulnerability in software that is not even an Apple product: Java. You’ll recall that Java is add-on software created by Sun Microsystems and now the property of the software giant Oracle. Rather common, it is no longer shipped as a default add-on to Apple’s Mac OS X beginning in 2011, when Apple first shipped Lion.

Through this hole in Java, certain Web sites are serving up malicious Java applets. Once inserted on the machine, the software then prompts the user to enter the password they use to run the machine. It attempts to trick the user by appearing as an update to Adobe’s Flash video and animation software.

If the user doesn’t fall for the trick, it tries something else. Here again it checks to see if there are any Microsoft Office applications on the machine, or Skype. If there are, it deletes itself.

Then it does something interesting. It scans the contents of the Mac’s hard drive to determine if certain applications are present, and if they are, it deletes itself. Among those applications are security tools such as Little Snitch, a networking security tool, or Packet Peeper, another security tool. It also deletes itself if it sees the user has installed XCode Mac developers tools, and any kind of anti-virus software.

Presuming it finds none of them, it proceeds to contact a command-and-control server for the purpose of downloading and installing more malware. That malware is being used to commandeer the Macs and generate Web traffic to boost revenue for some pay-per-click ads on Web sites, making money for someone who’s behind the scheme. Nothing surprising there.

Apple has issued a fix to Mac OS X that closes the hole in Java, and you can protect yourself by running Software Update from within your machine’s System Preferences. Today would be a good day to do that if you haven’t already. Once you’ve done this you’re no longer vulnerable to the attack.

If you’re among the 600,000 already compromised you can turn to third parties to help you remove it. F-Secure has some instructions here for determining if your machine is affected. If you’re comfortable running some commands in the Mac’s terminal program, there are also some good instructions here at ArsTechnica.

So what does all this say about the state of security on the Mac? Nothing that wasn’t true already. No system is perfectly secure, and this, along with MacDefender, amounts to exactly the second security incident worth mentioning to hit the Mac in about a year. The number of machines affected is less than 1 percent of the 63 million Macs currently in use around the world.

The conventional wisdom has often held that Macs are targeted by malware less often than Windows machines because of their relatively small market share. This still has some merit, but the fact is that Windows is also where the vulnerabilities are. Historically, Mac OS X has been substantially less vulnerable to this sort of thing than Windows.

Does that let Apple off the hook entirely? No, though to its credit, Apple had a fix ready within a week of learning of this vulnerability. That’s not exactly a pokey response, especially when the problem lies not directly within Apple’s software, but in Oracle’s.

via What’s This? A Mac Virus? No Actually It’s a Weakness in Java. – Arik Hesseldahl – News – AllThingsD.

Let’s get one thing straight. The media, as usual, is not only blowing this out of proportion but also not keying on the right part of the problem. This is not a Mac issue but a Java problem. Java had an exploit (Java itself has become an exploit… much like ActiveX… but worse) that Apple didn’t patch as quickly as Oracle (the developer of Java). Keep in mind that OS X Lion does not contain Java, so only folks who for whatever reason can’t or won’t run the latest Lion release were vulnerable. Frankly I banished Java from my network a looooong time ago… as the number of websites that require it for proper operation isn’t enough to even bother with. How to NOT get infected? Uninstall Java… never install it in the first place.

Security vs. convenience. They are inversely proportional. Current smartphones… especially iPhones, are very porous. Easy solution… everything runs over WPA2 and SSL or both. This requires work, though, and folks are averse to this. In short, you are going to have to manage your smartphone just like you manage your computers. Smartphones are a bigger problem for your data than modern computers are, as smartphones have not caught up to the security levels of PCs/servers yet.

 

As a security professional who gets paid to hack into high-value networks, Mark Wuergler often gets a boost when his targets use smartphones, especially when the device happens to be an iPhone that regularly connects to Wi-Fi networks.

That’s because the iPhone is the only smartphone he knows of that transmits to anyone within range the unique identifiers of the past three wireless access points the user has logged into. He can then use off-the-shelf hardware to passively retrieve the routers’ MAC (media access control) addresses and look them up in databases such as Google Location Services and the Wireless Geographic Logging Engine. By allowing him to pinpoint the precise location of the wireless network, iPhones give him a quick leg-up when performing reconnaissance on prospective marks.

“This is interesting on a security level because I’ll know where you work, I’ll know where you live, and know where you frequent,” Wuergler, who is a Senior Security Researcher for Miami-based Immunity Inc., told Ars. “If the last access point you connected to was your home, for example, I’ll know right where to go to get to you later or get to your data. If I’m an attacker that wants to break into your company, this becomes a disclosure that an attacker isn’t going to pass up.”

The exposure of MAC addresses extends not only to iPhones, but to all Apple devices with Wi-Fi capabilities, he said. It means that whenever the wireless features are enabled and not connected to a network—for instance, during a brief encounter at a Starbucks—they broadcast the unique identifiers, and it’s trivial for anyone nearby to record them. Wuergler speculates the behavior is a feature designed to automate configuration for networks users regularly access.

snip…..

In many respects, Stalker is a dramatic example of the risks posed by today’s smartphone, which was designed with speed and utility as its chief selling points.

“It’s widening all of the attack vectors that I can use against you,” Wuergler said. “All of the conveniences that are being extended to you are also being extended to an attacker, just making it easier for identity thieves and corporate attackers.”

He said the best advice for people concerned about smartphone security is to limit the kinds of personal information they entrust to their devices. Users can also benefit by turning off their device’s Wi-Fi as much as possible.

“I do use my phone on wireless networks, but I don’t store a lot of personal data on my phone,” he said. “If you put your personal data on there, you don’t even need to be connected to a wireless network for me to be able to break into your phone.”

via Loose-lipped iPhones top the list of smartphones exploited by hacker.

If you are only doing books then the Kindle and Nook work great… but they are only for either Amazon (Kindle) or Barnes and Noble (the Nooks). I would recommend you go with a full-function tablet if you want to do anything more. You can get Amazon apps for all things Amazon, and Barnes and Noble apps for that vendor as well. You also then have the Android Market (something the Kindles and Nooks do NOT have access to) to flesh out the rest of whatever you want to do. Right now the Samsung Galaxy Tab, Motorola Xoom, and the Asus Transformer (Transformer Prime) are the front runners.

Time for me to start recommending routers with DD-WRT and NO WPS capabilities. If turning it off doesn’t turn it off, then security is non-existent for the wireless network. Ick.

The attack took about six hours to properly guess the PIN and return the SSID and password for the target network. During that time, the router locked up once under load, as I was putting normal levels of network traffic through it from other devices. Some routers will also lock out WPS requests for five minutes or so when they detect multiple failed PIN submissions—mine stopped responding occasionally, generating a string of warnings, but Reaver picked back up where it left off once the Linksys started responding again.

Having demonstrated the insecurity of WPS, I went into the Linksys’ administrative interface and turned WPS off. Then, I relaunched Reaver, figuring that surely setting the router to manual configuration would block the attacks at the door. But apparently Reaver didn’t get the memo, and the Linksys’ WPS interface still responded to its queries—once again coughing up the password and SSID. 

The tool also managed to repeatedly cause the router to stop responding to other computers on the network, essentially creating a denial of service attack—a great thing to remember for the next time my neighbors have a loud, all-night Call of Duty session.

In a phone conversation, Craig Heffner says that the inability to shut this vulnerability down is widespread. He and others have found it to occur with every Linksys and Cisco Valet wireless access point they’ve tested. “On all of the Linksys routers, you cannot manually disable WPS,” he said. While the Web interface has a radio button that allegedly turns off WPS configuration, “it’s still on and still vulnerable.”

via Hands-on: hacking WiFi Protected Setup with Reaver.

I figured it was a matter of time before this was exposed. The PINs are usually 8 digits, and it has been known for quite some time that you need at least 12 sufficiently random characters for any kind of protection against brute-force attacks. Of course, the lack of a lockout system makes it even more trivial.

 

WiFi Protected Setup Flaw Can Lead to Compromise of Router PINs | threatpost.
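
To put numbers on the point about PIN length and the missing lockout, here is an added example (not code from the quoted articles or from any tool they mention). The two-second attempt time and the three-failures-then-five-minutes lockout are assumptions, and the split-halves keyspace is a property of the WPS protocol that this page does not spell out.

```python
# Added example: WPS PIN structure and worst-case guessing time (model only).
# Timing inputs below are assumptions, not measurements from the article.

def wps_checksum(first7: int) -> int:
    """Checksum digit that WPS derives from the first seven PIN digits."""
    acc = 0
    while first7:
        acc += 3 * (first7 % 10)
        first7 //= 10
        acc += first7 % 10
        first7 //= 10
    return (10 - acc % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if `pin` is 8 ASCII digits whose last digit is the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])

# Search spaces an online guesser faces.
KEYSPACES = {
    "8 free digits": 10 ** 8,
    "8 digits, last is checksum": 10 ** 7,
    # The registrar learns whether each half is right separately, so the
    # halves are searched independently (protocol property, not on this page).
    "PIN confirmed in two halves": 10 ** 4 + 10 ** 3,
    "12 random chars from [A-Za-z0-9]": 62 ** 12,
}

def worst_case_seconds(keyspace, secs_per_try, tries_before_lock=0, lock_secs=0):
    """Time to try every value; a lock of lock_secs follows each full batch
    of tries_before_lock failures (0 means the device never locks)."""
    lockouts = (keyspace - 1) // tries_before_lock if tries_before_lock else 0
    return keyspace * secs_per_try + lockouts * lock_secs

def compare(secs_per_try=2, tries_before_lock=3, lock_secs=300):
    """Worst-case days per keyspace as (no lockout, with lockout)."""
    day = 86400
    return {
        name: (worst_case_seconds(n, secs_per_try) / day,
               worst_case_seconds(n, secs_per_try, tries_before_lock, lock_secs) / day)
        for name, n in KEYSPACES.items()
    }

if __name__ == "__main__":
    for name, (open_days, locked_days) in compare().items():
        print(f"{name:34s} {open_days:12.3g} d   {locked_days:12.3g} d with lockout")
```

Under these assumptions the lockout stretches the smallest keyspace from hours to roughly two weeks, which slows guessing but does not replace a long random passphrase or a WPS implementation that can actually be switched off.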

Not too long after the market punished the hard disk industry for dropping warranties before, the industry is now moving to cratering hard disk warranties again. I bet they are going to be introducing a new technology for manufacturing hard disks and they are dropping the warranties until the industry works the bugs out. Be forewarned and check the length of the warranty of any hard disk you buy. If it isn’t at least 3 years I would not buy it.

 

Some desktop and notebook barebones drives will have their warranties slashed from 5 years to 1 year.

Last week, Western Digital revealed that it was cutting the warranty on its Caviar Blue/Green and Scorpio Blue drives from three years to two years. Now, it looks like Seagate just couldn’t stand by and let Western Digital have all fun when it comes to cutting hard drive warranties.

 

The Register is reporting that Seagate is upping the ante by slashing some warranties from five years down to one year. Here are some of the “highlights” of the warranty cuts:

Constellation 2 and ES.2 drives: 5 years reduced to 3 years

Barracuda and Barracuda Green drives: 5 years reduced to 1 year

Barracuda XT: 5 years reduced to 3 years

Momentus 2.5-inch (5400 and 7200rpm): 5 years reduced to 1 year

Momentus XT: 5 years reduced to 3 years

via DailyTech – Seagate Joins Western Digital in HDD Warranty Massacre, Doubles Down with 1-Year Warranties.

 

 

This link aggregates all of TechCrunch’s coverage, with decent linking to outside sites about this too.

 

Carrier IQ | TechCrunch.

 

 

 

Crapware on a PC or Mac is easy to combat… format the machine and use your own, known good image. Phones, however, are a new frontier of badness for the enterprise and anyone with a need for data security. Folks wonder why I’ve advocated locking smartphones out of sensitive networks… this is why. I’ve figured this for a while… now it’s been proven. There are quite a few links in this story… please read them. The video that’s blown the lid off this is right here.

 

You just can’t make this stuff up. If I had told you six months ago to be very careful about entrusting corporate data to mobile carriers who pre-install app crap, because they would build spyware into phones, collect secure web browsing information, and embed this software so deeply that you have to change the ROM to get rid of it, you would have written me off as a paranoid. Yet, that appears to be the situation with CarrierIQ, a carrier utility gone wild.

Like the Master Control Program in the 80s science fiction classic, “Tron,” CarrierIQ collects data for an ostensibly harmless purpose: to help carriers improve the quality of their network and improve the user experience. Then, it goes crazy and tries to kill everyone. It may not be as bad in this case, but the trouble is, though Carrier IQ claims, “we are counting and summarizing performance, not recording keystrokes or providing tracking tools,” third party analysis of Carrier IQ begs to differ.

Specifically, researcher Trevor Eckhart writes on his blog that the Carrier IQ application “is receiving not only HTTP strings directly from browser, but also HTTPs strings. HTTPs data is the only thing protecting much of the ‘secure’ Internet.” Carrier IQ, realizing how damaging this revelation was, tried to squelch Eckhart through a cease-and-desist letter (giving him two whole days to respond, and threatening damages starting at $180K), but the Electronic Frontier Foundation came to the rescue. Carrier IQ relented after the assault from the EFF, and is now “deeply sorry for any concern or trouble” that the letter may have caused Eckhart.

From an enterprise perspective, this is massive. It’s the Jerry Sandusky of mobility. It is an insane breach of trust.


Enterprises have long put up with “app crap” on Windows platforms, and, then, on mobile platforms. On the Windows platforms, enterprises would shrug, wipe the machines, re-image them, and move on with work as usual. On mobile, enterprises believed that the app crap was benign enough. Wrong.

We all knew that spyware existed on PCs, but the big difference is that spyware and rootkits got installed by malicious third parties, not our trusted partners who get paid for services that they provide.

All of a sudden, Steve Jobs’ perspective about who should control mobile device firmware doesn’t seem to be such a bad idea.

Carrier IQ has no relationship, at all, with the enterprise. They’ve said that “we do not sell Carrier IQ data to third parties” or “provide real-time data reporting to any customer.” But once you generate the data, it’s there for the taking.

This year’s Data Breach Investigations Report, co-sponsored by the US Secret Service, and, ironically, a mobile provider, emphatically states that organizations need to eliminate unnecessary data collection (since it can and will be stolen.) As enterprise trusted partners, it’s time for carriers to eliminate the middleman. Carrier IQ had no incentive at all to limit the type of data that it collects.

Because Carrier IQ is so carrier focused, it may have even come as something of a surprise to the Carrier IQ folks that they may have violated wiretap laws.

The whole model needs to change, or this incident will be repeated. Carriers currently control the phone, and work with third parties to build management software that they need. The third parties have no skin in the game in terms of the trust relationship with the enterprise. Frankly, in this case, if Carrier IQ’s reputation becomes so tarnished that they can no longer sustain a viable business, they can pull up their tent stakes, change their name, and resume operations.

Well, good for them, but BAD for the enterprise, because the enterprise now needs to start investing the type of time that used to be reserved for Windows PCs, in order to re-image spyware-vulnerable smartphones. It’s not a matter of just removing the software. InformationWeek contributor Mathew Schwartz told me this morning that “some deployments of Carrier IQ by the carriers have an ‘off switch’ that smartphone owners can trigger,” but that he’s also seen reports that it simply doesn’t work.

 

Carrier IQ: Mobile App Crap Must Stop – Security – Mobile Security – Informationweek.