Security News

01-15-2003, 12:21 PM
Malicious DHCP response on OS X can grant root access
Wednesday, November 26, 2003 @ 2:25pm
Out of date now, if you have patched and updated your system.

Carrel.org has posted details of an important Mac OS X Security Advisory--more than 45 days after notifying Apple of the problem: the advisory notes that a Malicious DHCP response can grant root access under Mac OS X 10.2 and Mac OS X 10.3:

"A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings. What does this mean to the average user: Anyone who can gain access to your network can gain administrator (root) access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine. System administrators and users of affected software should read the section 'Workarounds' for immediate actions to protect their machines."
DHCP Vulnerability (http://www.carrel.org/dhcp-vuln.html)

Important Mac OS X Security Advisory

Malicious DHCP response can grant root access

Affected Software
Mac OS X 10.3 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.3 (all versions through at least 26-Nov-2003)
Mac OS X 10.2 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.2 (all versions through at least 26-Nov-2003)
Probably earlier versions of Mac OS X and Mac OS X Server
Possibly developer seeded copies of future versions of Mac OS X

A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings.

What does this mean to the average user
Anyone who can gain access to your network can gain administrator (root) access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine. System administrators and users of affected software should read the section "Workarounds" for immediate actions to protect their machines. It is important to note that WEP security in 802.11b/g (AirPort/AirPort Extreme) wireless networks is generally not sufficient to protect your network from access by an attacker.

Answers to Frequently Asked Questions

Is my machine safe if I have the root account "turned off"?
No. The account attacking can be uid 0 and have any other name in the universe that is a valid account name.

Is my machine safe if I have all remote access services "turned off"?
No. This exploit allows malicious people full control of where things are mounting on your system. They can mount malware anywhere, including places that can virtually guarantee execution of their target code. For example, an attacker could cause their evil data to be mounted in place of crontabs and have their fake root's crontab point to an evil executable mounted there or somewhere else.

Why did you release this when you did?
This was an exploitable remote root vulnerability. After Apple reneged on the Nov. 3rd release date I gave them 2-3 weeks. After the 2-3 weeks were up, I asked for the status and they said "December". Meanwhile, users are left exposed and independent rediscovery seemed fairly likely. And maybe by someone less scrupulous than myself. I felt I was being strung along and that the issue may never get properly addressed so I set a hard deadline at that point. They didn't meet it, and I issued my advisory.

It would not be fair of me to let Mac users hang out in the breeze for more than 2 months on an issue of this magnitude. You may disagree, but I have no regrets about my actions and feel that I was more than fair to Apple Computer and its users.

Vendor Patch
Apple Computer has been notified of this issue and may be working a fix at this time. At the time of this writing, a fix is not available from Apple.

Workarounds
There are a variety of avenues for avoiding this vulnerability...
Disable any network authorization services from obtaining settings from DHCP:
in Directory Access, select LDAPv3 in the Services tab, click "Configure...", uncheck "Use DHCP-supplied LDAP Server"
in Directory Access, select NetInfo in the Services tab, click "Configure...", uncheck "Attempt to connect using broadcast protocol" and "Attempt to connect using DHCP protocol"
in Directory Access, uncheck LDAPv3 and NetInfo in the Services tab, if you don't intend to use them

Turning off DHCP on all interfaces on your affected Mac OS X machine can also keep you from being affected.
For added security, be sure to disable any unused network ports:
turn the AirPort card off or remove it, if it is not being used.

Configuration Awareness
If a user should need any of these settings turned on due to the network and authorization system they are currently using, they should be aware that they could fall prey to a malicious individual using the techniques outlined in this advisory. Steps to mitigate this concern could be as simple as manually configuring the directory server settings on the affected machine.

Technical Details
By default, the affected versions of Mac OS X attempt to negotiate DHCP on all available interfaces. In the event that an AirPort card is installed but there is no network nearby, they also default to associate with any network that might appear and then use DHCP to obtain an address. The system will also use DHCP provided fields, if available, to connect to an LDAP or NetInfo server on the network.

The default settings in "Directory Access" on affected systems will cause the system to place the network LDAP or NetInfo server ahead of the local user info for any given account, and will implicitly trust the LDAP or NetInfo server to provide correct information. Furthermore, nothing in the system prevents a login as a user with uid 0 (zero) with any login name. For example, an LDAP or NetInfo source with an account username "bluemeanie", uid 0, would be perfectly valid and usable for login at the login window and on any network provided service, including ssh (which is turned on by default in certain versions of the affected software).

In most cases, the Mac will need to be booted into the malicious environment to be exploitable by this flaw. (The netinfod process must be restarted to cause the malicious server to be inserted into the authentication source list.)

By taking advantage of these default settings, a malicious individual could potentially take full control of a Mac OS X workstation or server without even having to make a physical connection to the machine. With a good antenna the malicious individual wouldn't even have to be in the same building.

While the further examples in this advisory deal exclusively with LDAP, this vulnerability is equally exploitable using a malicious NetInfo server.
Author, Credit, Redistribution and Copyright Information
This advisory was written by William Carrel. Redistribution of this text, in whole or in part, with proper credit given is permitted on or after 17:00 UTC, November 26th, 2003. Any other redistribution of this advisory without the explicit consent of the author is not permitted. Copyright 2003, William Carrel
Page graphics and layout 1997-2003 William Carrel. All rights reserved. <HR></BLOCKQUOTE>

CERT FAQ: Home Network Security (http://www.cert.org/tech_tips/home_networks.html)
MacIntouch: Security (http://www.macintouch.com/security-mon.html)
Access Monitoring and SSH (http://www.macintouch.com/security-mon.html)
SNORT (http://seiryu.home.comcast.net/henwen.html)
Sourcefire (http://www.sourcefire.com/)
Denver post: how secure are you? (http://www.denverpost.com/Stories/0,1413,36~33~2735094,00.html)
Techworld Security (http://www.techworld.com/security/news)
MacInTouch Security (http://www.macintouch.com/security.html)
Whitehat Security (http://www.whitehatsec.com/news.html)
CERT: Currently Active (http://www.us-cert.gov/current/current_activity.html)
O'Reilly Security (http://security.oreilly.com/)
Intrusion Prevention and Active Response (http://www.oreilly.com/catalog/193226647X/desc.html)
Panther In A Nutshell (http://www.oreilly.com/catalog/macpantherian)
Running OS X Panther (http://www.oreilly.com/catalog/runmacxpanther/index.html)
Learning Unix for Mac OS X Panther (http://www.oreilly.com/catalog/lunixpanther/)
Network Security Hacks (http://www.oreilly.com/catalog/netsechacks/)
Security Warrior (http://www.amazon.com/exec/obidos/ASIN/0596005458/)
Mac OS X Panther Hacks (http://www.oreilly.com/catalog/0596007183/)
Unix on Panther (http://www.oreilly.com/catalog/lunixpanther/index.html?CMP=IL7015)
Mac OS X Security (http://www.amazon.com/exec/obidos/tg/detail/-/0735713480/)
Maximum OS X Security (http://www.amazon.com/exec/obidos/tg/detail/-/0672323818/)
Mac OS X Power Tools (http://www.amazon.com/exec/obidos/tg/detail/-/0782141927/)
Mac OS X Tasks in 10 Steps (http://www.amazon.com/exec/obidos/tg/detail/-/0764542389/)
Mac OS X Unleashed (http://www.amazon.com/exec/obidos/tg/stores/detail/-/books/0672322293/)
Sharepoint Users Guide (http://www.oreilly.com/catalog/sharepoint/)
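The advisory's technical details describe a network directory node being placed ahead of local user information and any uid 0 record being accepted at login. As an added example, not part of the advisory or this post, here is a defender's audit over account records in passwd(5) format; the node names local and dhcp-ldap and every record, including the bluemeanie one, are constructed sample data.

```python
"""Defender's audit of account records from several directory nodes (added
example, not part of the advisory). Records are consulted in the order the
advisory describes, a network LDAP/NetInfo node ahead of the local node, and
the audit flags every uid 0 record plus every local account that a network
record shadows. All records are constructed sample data in passwd(5) format."""

from dataclasses import dataclass

# Constructed local node.
LOCAL_PASSWD = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
george:*:501:20:George:/Users/george:/bin/tcsh
"""

# Constructed records a hostile network node reached through DHCP-supplied
# settings could return: the "bluemeanie" uid 0 account from the advisory,
# plus a uid 0 record that reuses a local user's name.
ROGUE_NODE_PASSWD = """\
bluemeanie:*:0:0:Blue Meanie:/var/root:/bin/sh
george:*:0:0:George:/tmp:/bin/sh
"""


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    node: str  # directory node that supplied the record


def parse_passwd(text, node):
    """Parse name:pw:uid:gid:gecos:home:shell lines from one node."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"{node}: malformed passwd record {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        records.append(Account(name, int(uid), int(gid), home, shell, node))
    return records


def resolve(name, search_order):
    """The record a lookup returns: first match across nodes in order, which
    is what the login window or sshd would act on."""
    for records in search_order:
        for acct in records:
            if acct.name == name:
                return acct
    return None


def audit(search_order, trusted_nodes=("local",)):
    """Findings as strings: rogue uid 0 records, then shadowed local accounts."""
    findings = []
    for records in search_order:
        for acct in records:
            # Only the local root account may legitimately carry uid 0.
            if acct.uid == 0 and not (acct.name == "root" and acct.node in trusted_nodes):
                findings.append(f"uid 0 account {acct.name!r} supplied by node {acct.node}")
    local = {a.name: a for records in search_order for a in records if a.node in trusted_nodes}
    for name, acct in local.items():
        winner = resolve(name, search_order)
        if winner is not None and winner.node not in trusted_nodes:
            findings.append(f"local account {name!r} (uid {acct.uid}) shadowed by node "
                            f"{winner.node} (uid {winner.uid})")
    return findings


def run_audit(network_first=True):
    """Audit the sample nodes in either search order; returns the findings."""
    local = parse_passwd(LOCAL_PASSWD, "local")
    network = parse_passwd(ROGUE_NODE_PASSWD, "dhcp-ldap")
    return audit([network, local] if network_first else [local, network])


if __name__ == "__main__":
    for order in (True, False):
        print("network node first" if order else "local node first")
        for finding in run_audit(order):
            print("  ", finding)
```

Searching the local node first removes the shadowing finding but not the uid 0 records themselves, which is why the advisory's workaround is to stop taking directory settings from DHCP rather than to reorder the search.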

01-23-2003, 10:27 AM
quote:
WhiteHat Security reports a TRACE security flaw affecting most web servers (although the status of Mac-compatible servers is not clear):

TRACE security flaw (http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt)

WhiteHat Security, Inc., a Santa Clara, California based company that specializes in Web Application Security, has discovered a serious security flaw affecting all web servers worldwide. From months of extensive research and testing, WhiteHat has found a way to exploit a flaw in the way all web servers communicate.

Using this vulnerability, an attacker could create a web site that steals User Passwords to access E-commerce sites, Online banks, and Web based e-mail systems from every user that visits that page. This web page could be e-mailed to people to extend the number of people attacked.

"While researching this issue, we discovered that a vast majority of commercial web sites have this vulnerability," stated Jeremiah Grossman, Founder and Chief Executive Officer of WhiteHat.

The vulnerability exploits a flaw in the TRACE method which is used to debug web server connections. This is a rarely used portion of the HTTP protocol but is turned on by default in all major web servers. TRACE is part of the HTTP protocol specification, making it somewhat difficult to remove.

02-01-2003, 02:29 PM
ComputerWorld: Virus (http://www.computerworld.com/securitytopics/security/virus/)

Sharepoint Users Guide (http://www.oreilly.com/catalog/sharepoint/)
Troubleshooting OS X (http://www.thexlab.com/book/troubleshootingmacosx.html)
Online, electronic, CD, pdf. Excellent resource. $15

Not just Mac OS X but still critical. NIDS taken to the level of prevention strategies for the next generation:
Intrusion Prevention and Active Response (http://www.oreilly.com/catalog/193226647X/desc.html)

05-12-2003, 01:20 PM
Companies still fighting rogue WLANs

The fight goes on against unauthorized access points as companies work to prevent WLAN clients on home systems from injecting Trojan horses into business networks.

ComputerWorld: Wireless AP risks (http://www.computerworld.com/mobiletopics/mobile/story/0,10801,81026,00.html)

05-18-2003, 02:42 PM
CERT: Home Security (http://www.cert.org/homeusers/HomeComputerSecurity/)

Basic steps and precautions to protect your home system.

Some of the topics covered:
quote:
Introduction
Thinking About Securing Your Home Computer
Things You Ought To Know
What Should I Do To Secure My Home Computer?

Task 1 - Install and Use Anti-Virus Programs
Task 2 - Keep Your System Patched
Task 3 - Use Care When Reading Email with Attachments
Task 4 - Install and Use a Firewall Program
Task 5 - Make Backups of Important Files and Folders
Task 6 - Use Strong Passwords
Task 7 - Use Care When Downloading and Installing Programs
Task 8 - Install and Use a Hardware Firewall
Task 9 - Install and Use a File Encryption Program and Access Controls

Checklist, pdf manual, etc.

- G.

06-01-2003, 08:30 AM
Second line of defense: Distributed firewalls (http://www.cnn.com/2000/TECH/computing/06/06/firewall.defense.idg/index.html)

06-06-2003, 06:48 AM
Bugbear.B - Highlights:

Initial analysis indicates that this virus also attempts to disarm local security software, such as anti-virus or firewall software. It may also be able to spread via network shares, as was the case with the earlier Bugbear.A strain. Furthermore, it installs a key-logging trojan component and enables an unscrupulous hacker to take control of the infected machine and download a file containing the user's keystrokes, including information entered on websites such as passwords or credit-card details for example.

06-08-2003, 12:45 PM
Some new books on security for OS X worth considering (links to Amazon):

Maximum Mac OS X Security (http://www.amazon.com/exec/obidos/tg/detail/-/0672323818/qid=1055104476/br=1-15/ref=br_lf_b_15//104-2664682-9049504?v=glance&s=books&n=3759)

Mac OS X Security (http://www.amazon.com/exec/obidos/tg/detail/-/0735713480/qid=1055104476/br=1-13/ref=br_lf_b_13//104-2664682-9049504?v=glance&s=books&n=3759)

06-08-2003, 01:18 PM
I know there are threads on "virus" and "security" as well as "firewalls" and "worms" ... but they aren't here under Networking and Security

Sobig worm (http://www.computerworld.com/securitytopics/security/story/0,10801,77598,00.html) making the rounds via email and installing itself into the Windows registry it seems.

Here is part of the 'payload' of this worm:
quote:
The worm arrives in e-mail messages from a single sender, big@boss.com, and is stored in attached executable files with names such as Sample.pif, Untitled1.pif and Movie_0074.mpeg.pif, according to F-Secure.

When opened, the worm places a copy of itself into the Windows folder on the infected machine, creates a process to run the worm program and modifies the Windows registry so that the worm program will be launched whenever Windows is started.

Once it has infected a machine, the worm searches for e-mail addresses in a variety of text files on the computer's hard drive. Those addresses are used to send out more copies of itself. Sobig also searches for any shared folders on networks that the infected machine may have access to and places a copy of itself in any network folder it can access.

Although the new worm doesn't appear to steal sensitive information from the computers it infects, F-Secure said antivirus companies warned that the worm connects to a Web site hosted by Yahoo Inc.'s GeoCities, from which it tries to download and execute other files.

The GeoCities Web page used by Sobig was modified recently to instruct the worm to download a Trojan program known as Backdoor.Delf that gives the virus writer and others control of infected machines, according to Mikko Hypponen, manager of antivirus research at F-Secure.

GeoCities has been notified about the page by F-Secure as well as the CERT Coordination Center in Pittsburgh, according to Hypponen. Yahoo wasn't immediately available to comment on the Sobig worm.

The worm first came to the attention of antivirus companies last Thursday and began spreading slowly, Hypponen said. In recent days, however, it has spread more rapidly. As of Tuesday, F-Secure gave the worm a Level 2 ranking, indicating "large infections" and putting it in a category with well-known predecessors such as the Klez worm.

See the article for more about it. This one requires it be opened, and is easy to filter out, but it is spreading quite a bit, meaning people are (ignorantly) opening these email messages! And because it uses your address book, it could appear to come from someone you know.

06-22-2003, 08:58 AM
As far as I know, the stock OS X ftpd (the listener for FTP connections) only supports padded cells for anonymous connections.

It takes some setting up, even so, as you need to:

1. Define the ftp user in the passwd table (easiest with NetInfo Manager, not the Accounts System Preferences interface). This is an account on your system with the "short" username ftp.

2. Equip the ftp user's home directory with stripped down OS X root files (devices, its own passwd file, writable & read-only subdirectories).

3. Create and edit /etc/ftpd.conf if needed (the service's configuration file).

The reason for step 2 is that the defenses you need are provided in FTP sessions using a facility called chroot, which makes the FTP client see the ftp user's home directory as if it were the root directory of the OS. Nothing escapes from a chrooted process other than the kernel's responses to system calls (a deeply technical point, and not all that important to our discussion), so no directory above the chroot point (the ftp user's home directory) exists as far as the ftpd running the user's connection on your server can tell. So any device-interface files, /etc/passwd and /etc/group files to provide owner and group names on file lists, and so on, need to be plumbed into the "right" locations inside the ftp user's home directory.

I went looking for the old Washington University of Saint Louis (wustl) FTP server package last year, and apparently it's fallen by the wayside. It was a seriously studly ftp server that could be configured to do chroot access control for authenticated users as well as anonymous users. I'd love to find a replacement for it. All the setup as above (and more) would be required for the wustl-ftpd, but hooo-baby you could make it do whatever you needed it to.


06-23-2003, 08:42 AM
Jazzbo- thank you so much for your reply. Unfortunately I'm afraid your instructions are above my level of competence. For instance, for step 1 in Netinfo Manager I can't seem to find a ftp user name or a password table. But I do see an sshd in local/users and under Properties I find passwd and _writers_passwd.

I'm a longtime mac user but this G4 is my first exposure to unix and so far my attempts at mucking about under the hood have ended in disaster. That said however, I really need to get this set up right and I'm game to try if anyone has the time to walk me through it.

I found this site for WU-FTPD Development Group: http://www.wu-ftpd.org/ and this for the version 2.6.2 daemon itself: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-current.tar.gz Again it's all a little too deep for me.

I notice that in your post you don't mention SSH and SFTP. My understanding is that these are newer, totally different and more secure protocols. Or is it all the same thing?

06-23-2003, 01:46 PM
Yep, you're right, sftp can also handle the task, but we still have to learn how to create the 'ftp' user and its chroot environment for anonymous padded-cell transfers.

The special bit about wustl's ftpd was that one could do chroot's on authenticated connections as well as anonymous. Near as I can tell, no other ftp server supported that. The biggest problem with the wustl ftpd is that it's no longer being actively supported; I've also never seen a port to OS X, let alone current releases of OS X.

The 's' in sftp means that the TCP connection is run in an encrypted channel between the client and the server, so snooping is far too expensive for most hackers/crackers to bother with. It'll be fine for anonymous ftp access, but we still need to figure out how to construct the ftp user's "home" directory, which contains the only directories and files visible to the anonymous user. I'll start some research work of my own and see what I find.

Perhaps some other reader with a bookshelf of Mac OS X admin books can come up with the procedure for us -- actually, if you're going to head down this path, you ought to have that "right" book on your bookshelf! The right book and this exercise of setting up your anonymous ftp server will teach you a lot of good stuff about the Un*x underpinnings of your OS X machine (and I will also get to learn how to set up anonymous ftp on OS X).


06-27-2003, 07:12 AM
Thanks for the replies guys. I downloaded PureFTP 1.0.10-PPC(OSX) package and ran the installer but I haven't figured out how to make it go yet.

The link to Pure led me to FINK which is pretty interesting. I installed the FinkCommander utility and tried to use it to download the AxYFTP client which, it promises, has a nice GUI, but I got an error message. I'll keep trying.

From what I can discern from the PureFTP website it looks like it might be just the ticket for me, if I can just find the start button. (Hey, 10 years of Mac's point 'n click has made me soft; I'm used to the computer doing all the thinking!) Aside from those damn dummy books, any suggestions for a good book on Unix for neophytes?

06-29-2003, 08:40 AM
Did you make sure to stop `FTP Access' from the Sharing preferences? If not, both FTP servers will attempt to bind to the same port (21) and lukemftpd will get there first because it will start when the computer starts up if it is enabled in System Preferences.

About xinetd:

System Preferences uses xinetd to start and stop internet services. xinetd is basically made up of a main config file (/etc/xinetd.conf) and individual config files for each service located in the directory /etc/xinetd.d. For instance, the FTP server's config file is /etc/xinetd.d/ftp. This file is just a plain text file that explains if the service should be enabled and how to start it (stuff like where the ftp daemon is located, what user to run as, and what flags to use when starting up).

For example, my xinetd configuration for FTP is:
service ftp
{
	disable		= yes
	socket_type	= stream
	wait		= no
	user		= root
	server		= /usr/libexec/ftpd
	server_args	= -l
	groups		= yes
	flags		= REUSE
}

The basic gist is FTP should not be running (disable = yes), but if it were to be enabled it would use the server located at /usr/libexec/ftpd with the flag -l.

Of course, if you want to go about editing this file, be sure to make a backup as suggested in the installation post.

For testing purposes, you'll be fine just stopping the default incarnation of FTP, starting up pure-ftpd like you already have and trying to connect again.
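As an added example (not code from the thread), a parser for the xinetd service-file format described above plus an audit that lists which services xinetd would actually start. The ftp and telnet stanzas it reads are constructed samples; the telnet one deliberately omits the disable attribute, which xinetd treats as enabled.

```python
"""Parser and audit for xinetd service files (added example, not code from
the thread). Each file under /etc/xinetd.d holds a stanza of the form
"service NAME { attribute = value ... }"; a missing "disable" attribute means
the service is enabled. SAMPLE_FILES is constructed data, not from a real system."""

import re

_SERVICE_RE = re.compile(r"^\s*service\s+(\S+)\s*$")
_ATTR_RE = re.compile(r"^\s*([A-Za-z_]+)\s*(\+=|=)\s*(.*?)\s*$")

# Constructed samples: "ftp" mirrors the stock configuration shown in the
# thread with the service switched off; "telnet" has no disable line at all.
SAMPLE_FILES = {
    "ftp": """\
service ftp
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/libexec/ftpd
        server_args     = -l
        groups          = yes
        flags           = REUSE
}
""",
    "telnet": """\
# constructed: an old-style entry that never got a "disable" attribute
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/libexec/telnetd
        only_from       = 192.168.1.0/24
        only_from       += 127.0.0.1
}
""",
}


def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for every stanza in text."""
    services, name, attrs = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SERVICE_RE.match(line)
        if m:
            name = m.group(1)
        elif line == "{":
            if name is None:
                raise ValueError("'{' without a preceding service line")
            attrs = {}
        elif line == "}":
            if attrs is None:
                raise ValueError("'}' without an open stanza")
            services[name], name, attrs = attrs, None, None
        else:
            m = _ATTR_RE.match(line)
            if m is None or attrs is None:
                raise ValueError(f"unexpected line: {raw!r}")
            key, op, value = m.groups()
            # "+=" extends a list-valued attribute such as only_from.
            attrs[key] = value if op == "=" else f"{attrs.get(key, '')} {value}".strip()
    if attrs is not None:
        raise ValueError(f"stanza {name!r} was not closed")
    return services


def is_enabled(attrs):
    """xinetd starts a service unless it says disable = yes."""
    return attrs.get("disable", "no").lower() != "yes"


def audit(services):
    """One line per service xinetd would start: the command it execs and the
    account it runs as, with root-owned listeners marked for review."""
    lines = []
    for name in sorted(n for n, a in services.items() if is_enabled(a)):
        a = services[name]
        cmd = " ".join(filter(None, [a.get("server", "?"), a.get("server_args", "")]))
        user = a.get("user", "?")
        mark = "  <-- runs as root" if user == "root" else ""
        lines.append(f"{name}: {cmd} as {user}{mark}")
    return lines


if __name__ == "__main__":
    services = {}
    for text in SAMPLE_FILES.values():
        services.update(parse_xinetd(text))
    print("\n".join(audit(services)) or "nothing enabled")
```

Remember that xinetd only re-reads these files on the HUP signal the thread uses later, so run the audit after the reload, not before.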

06-29-2003, 10:18 AM
Turned off ftp in system preferences. Opened terminal and:

[banana:/usr/local/sbin] banana% sudo pure-ftpd &
[2] 630
[bonobo:/usr/local/sbin] banana% Password:****
****: Command not found.
[banana:/usr/local/sbin] banana%

Hmmm. That's not what it did last night.

[banana:~] banana% ftp 0
ftp: connect: Connection refused

Obviously I am doing/not doing something. But I think if you'll just pass me that big hammer I can fix it.

06-29-2003, 12:25 PM
Okay, almost there.

quote:
banana% sudo pure-ftpd &

This command doesn't quite work. Even though you are in the directory where the executable exists, /usr/local/sbin is not part of your PATH so you need to specify the exact location. The best thing to do is give the full path: /usr/local/sbin/pure-ftpd &.

This is where a startup script or xinetd eventually makes life easier. If you take the xinetd route, you can even forget about the command line after you backup and edit the /etc/xinetd.d/ftp file.

Hope this is helping you and not driving you nuts.

[This message was edited by cadaeibf on Mon June 30, 2003 PT at 6:02.]

07-02-2003, 06:13 AM
Well I don't know where to begin. Somewhere somehow in this process, finagling with terminal incantations and unix gobbledegook, I managed to give this creature here on my desk such a headache that it couldn't take it anymore. It went down in smoke and refused flat out to boot up again. It had the folks at CDW scratching their heads (a real good support crew there- 24/7- no waiting!) Repair and diagnostics all came back saying everything was OK but it still hung every time before it ever got to the log on screen. But anyway, long story to short, I had to reinstall and now everything is back to normal (except for this kernel panic thing when I wake it from sleep but I think that's another topic.)

So I went through the configuration process again, enabling xinetd mode, and had no problem until:

Restart xinetd to affect the changes:
[banana:~] banana% kill -HUP `cat /var/run/xinetd.pid`
331: Operation not permitted

I decided to let that one go and soldiered on. In NetInfo I created a subfolder "ftp" in "/services" and added the three properties- name: ftp, port: 21, protocol: tcp. Then:

sudo kill -HUP `cat /var/run/netinfo_local.pid`
sudo kill -HUP `cat /var/run/lookupd.pid`

That went without a hitch. Now I turn on FTP Access in the Sharing panel and go to my other machine and fire up the FTP client, Transmit, and glory oskey I'm in!

But I still can't see the directory. The window in Transmit which shows the remote host is blank. Here's an abridged transcript of the session:

331 User george OK. Password required
230-User george has group access to: staff
230 OK. Current restricted directory is /
215 UNIX Type: L8
REST 1234
350 Restarting at 1234. But we're in ASCII mode
350 Restarting at 0
257 "/" is your current location
227 Entering Passive Mode

My sense is that it just needs a little tweak. (george has his own user directory set up.)

Another funny thing I noticed is that when I attempted to connect with another client, Fetch, those lines [REST 1234, 350...But we're in ASCII mode, ...Restarting at 0] changed to

500 Unknown command.

Would MACB be macbinary? What determines whether it connects in ASCII or Binary?

I really appreciate all the help I'm getting here.

07-02-2003, 08:18 PM
Hey Jazz: Thanks for explaining all that. You anticipated several questions. Very interesting.

As for georgie's directory...the problem is that I can't list the contents at all. It's the empty set "/". Perhaps it has made the home directory the root by default, but denied access by making the whole thing invisible. I feel like I need to somehow tell the daemon exactly what directories george can access.

I tried to follow the instructions on the link (http://www.pureftpd.org/README.Virtual-Users) that cadaeibf suggested for creating virtual users but the terminal just returns "command not found" every time. (The commands are for Linux/OpenBSD or FreeBSD.)

I think I need to see about taking a unix night class at the local CC!

[This message was edited by funicular on Thu July 03, 2003 PT at 4:17.]

07-03-2003, 08:20 AM
cadaeibf- Here's my ftp config:

disable = yes
socket_type = stream
wait = no
user = root
server = /usr/local/sbin/pure-ftpd
server_args = -A -E -p 40000:50000 -c 5 -C 1 -I 5 -T 25 -u 1
groups = yes
flags = REUSE

As you can see the -A switch is on so we must be in george's home directory.

Individual users need to have their own directories; however, it would be nice to be able to also let them share a common directory, or have access to such folders as I might designate. Would that be possible? Can one, like, put an alias in their home directory to point them to files outside of the chroot parameters?

07-03-2003, 10:00 AM
*Nothing* escapes from a chroot other than system calls (asking the kernel for something). When chrooted, the kernel treats the chroot directory as if it's / (the system root directory), so there's no way to get outside it using file-path references.

So it basically rules out the shared-directory within the user directory.

However, one can chroot to other than the home directory of the user. In fact, one can chroot above the users' home directories, especially if you move users of this type out of the default /Users/username home directory location.


So let's theorize....

---- Set up an alternate /Users directory and move georgie ----

Say you create a directory named /ftpUsers and, as you create users in Accounts (or directly in NetInfo Manager, though you've got just a little more manual labor to do at that point), they'll all come in with home directories like /Users/georgie. By the way, for your own testing, create an account of your own that's going to have the same permissions as your ftp users, and carry out all the changes below for that account, too.

1. In NetInfo Manager, change georgie's home directory to /ftpUsers/georgie
1a. Open the users table
1b. Click "unlock" and authenticate
1c. Select georgie
1d. Scan down to the sub-entry for the home directory
1e. Change it from /Users/georgie to /ftpUsers/georgie
1f. Press Return to enter the change
1g. Command-S and save the change
1h. Run the top menu-bar item: Management->Restart Local NetInfo Domains

2. Move georgie's files from /Users to /ftpUsers
2a. Launch Terminal (don't scream in terror!!! :-)
2b. sudo mv /Users/georgie /ftpUsers
2b.1. Answer the password prompt with your own password
2c. exit (you're done)

---- Set up a shared read/write directory under /ftpUsers ----

In Finder, make a folder called "Shared" (or whatever suits) inside the /ftpUsers directory. Then, Command-I this Shared folder and, if you want it fully read/write enabled, turn on all of its read/write/execute bits.

---- Reconfigure pure-ftpd to chroot to /ftpUsers ----

Without the docs, I'm not sure how to do this. I guess that the -A flag needs to be deleted. How you tell pure-ftpd to chroot to /ftpUsers is undoubtedly in there somewhere!


Other things we can do, with more NetInfo and Terminal work, but not overly complicated work:

- Define a special group just for these users and put them into that group
- Change a Shared folder to be writable only to group members
- Set up a Shared folder to cause all files loaded by the users to be group writable
- Set up a Shared folder that's only group writable, not readable (drop box)
- Reset your ftp users so they can't login over a Terminal connection
- Get rid of the users' subfolders in their home directories
- Put a link in each users' home directory to a read-only copy of a ReadMe doc
- Add a folder of Reference files that are readable but not writable to the users

and so on and so on! All the above hinges on successfully pulling off the three missions, above (switch ftp-only users to /ftpUsers, set up shared directories under /ftpUsers, reconfigure pure-ftpd to chroot to /ftpUsers).


07-03-2003, 09:30 PM
Here are the last lines of a connection transcript:

Cmd: PWD
257: "/" is your current location
227: Entering Passive Mode (192,168,1,100,171,203)
Could not read reply from control connection -- timed out.
Passive mode refused.

Any clues there? It seems like the list command isn't being acted on. I notice that it doesn't seem to make any difference if the -A switch is on or off.

07-04-2003, 10:27 AM
That sounds like passive mode is disabled in the ftpd. (Passive mode mildly increases the security exposure of the server; non-passive mode mildly increases the security exposure of the client.)

Is there a switch setting (a dash-flag) that allows or disallows passive mode in the startup of the pure-ftpd?


07-04-2003, 07:00 PM
Happy Independence day everyone! Well I finally got it to work by using the -N argument:

NAT mode. Force ACTIVE mode. If your FTP server is behind a NAT box
that doesn't support applicative FTP proxying, or if you use port
redirection without a transparent FTP proxy, use this

I don't know what a NAT is but we've got a router here so I'm guessing that's the problem. But I only get through with Fetch 4.0.3 (from the OS9.1 machine on a dialup connection) and it still hiccups on the PASV command:

257 "/" is your current location
500 Unknown command
PORT 66,242,174,242,191,108
200 PORT command successful

Fetch 3.0.3 has no problem at all. It never sends PASV.

Transmit 1.7 gets in but won't go beyond PASV (500 Unknown command) and Explore just returns a connection failure. Anarchie 2.0.1 works fine and the transcript looks just like Fetch 4.0.3. I seem to have lost my copy of Netscape.

Interestingly, I can also ftp into my own machine with Transmit 2.5.1 but not with Fugu.

Another day I'll experiment with the -P argument: "Force the specified IP address in reply to a PASV/EPSV/SPSV command." It might be a better way to go.
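The two transcripts above, decoded. This is an added example, not code from the thread or from pure-ftpd: it parses the 227 reply and the PORT command into an address and port (the port is p1*256+p2) and diagnoses the NAT case the posts ran into, a server that hands out its LAN address in the PASV reply. The -P and -N flags it mentions are the ones quoted in the post; the passive port range option (-p first:last), which a NAT box also has to forward to the server, is pure-ftpd's companion setting and is mentioned here as an assumption about the reader's setup, not something the post discussed. The addresses in the docstrings are the ones from the transcripts.

```python
import ipaddress
import re

# Added example (not from the thread). Decodes the h1,h2,h3,h4,p1,p2 tuples seen
# in the transcripts above and diagnoses the NAT symptom the posts describe: a
# server that advertises a private address in its PASV reply.
TUPLE = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"\(" + TUPLE + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + TUPLE + r"\s*$", re.IGNORECASE)


def decode_hostport(*fields):
    """RFC 959 packs an IPv4 address and a port as six decimal bytes."""
    octets = [int(x) for x in fields]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range: %r" % (fields,))
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def parse_pasv_reply(line):
    """'227 Entering Passive Mode (192,168,1,100,171,203)' -> ('192.168.1.100', 43979)."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    m = PASV_RE.search(line)
    if m is None:
        raise ValueError("no host,port tuple in %r" % line)
    return decode_hostport(*m.groups())


def parse_port_command(line):
    """Active mode, client side: 'PORT 66,242,174,242,191,108' -> ('66.242.174.242', 49004)."""
    m = PORT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    return decode_hostport(*m.groups())


def diagnose_pasv(reply, control_peer_ip):
    """Explain whether the data connection after this PASV reply can work.

    control_peer_ip is the address the client's control connection really
    talks to.  A server behind a NAT box without an FTP-aware gateway answers
    with its LAN address; a client on the Internet cannot reach it, hangs on
    the data connection, and then reports 'Passive mode refused'.
    """
    host, port = parse_pasv_reply(reply)
    data_ip = ipaddress.ip_address(host)
    peer_ip = ipaddress.ip_address(control_peer_ip)
    if data_ip.is_private and not peer_ip.is_private:
        return ("broken: server advertised private %s:%d to an Internet client; "
                "run pure-ftpd with -P <public address> (and forward the passive "
                "port range, -p first:last, at the NAT box) or fall back to active "
                "mode with -N" % (host, port))
    if data_ip != peer_ip:
        return ("suspicious: data address %s differs from control peer %s; "
                "a cautious client connects to the control peer instead"
                % (host, control_peer_ip))
    return "ok: connect the data channel to %s:%d" % (host, port)
```

For the 192.168.1.100 reply in the 07-03 transcript the diagnosis is "broken": the client in the 07-04 post sits on a dialup line and can never reach 192.168.1.100, which is why the control connection simply times out. With -P set to the router's public address the same client gets an address it can reach, provided the passive port range is forwarded to the server; -N sidesteps the problem by refusing PASV, which is the "500 Unknown command" the Fetch 4.0.3 and Transmit transcripts show.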

07-06-2003, 06:03 AM
The differences kind of depend on how far you want to dive into file system operations. But essentially an Alias is an Apple thing and a symbolic link (symlink) is a Unix thing.

The basic gist is:

A symlink is just a pointer to another file or directory; if you move or rename the file/directory that the symlink points to, then the symlink breaks.

An Alias will work in the Finder but not from the command line (Generally speaking. There are exceptions). But an Alias stores additional information about the original file that allows it to maintain the link if the original file is moved or renamed.

So, say you had the three FTP users all set up chrooted into their home directories of "/Volumes/HD/Users/username" and your iTunes directory something like "/Volumes/HD/Users/funicular/iTunes". What you could do is place a symlink to your iTunes folder inside the homes of george and georgia, but not gerald.

In Terminal:

sudo ln -s /Volumes/HD/Users/funicular/iTunes /Volumes/HD/Users/george/funicular's\ iTunes

This creates a symlink in george's home called "funicular's iTunes". (The backslash is not a typo; it is needed to interpret the space in the name of the symlink.) To get the full path to your iTunes folder you can just drag it from the Finder onto the Terminal.

ln is the command for creating links and the -s flag specifies "symbolic". The correct syntax is "ln -s [existing-source] [new-target]". For more info, do a man ln.

Most clients should be able to negotiate symlinks w/o a problem.

07-06-2003, 06:51 AM
You need to escape the quote symbol, too:

sudo ln -s /Volumes/HD/Users/funicular/iTunes /Volumes/HD/Users/george/funicular\'s\ iTunes

Good write-up,
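The ln -s above, with the check a practitioner wants before handing the link to a chrooted ftp user. This is an added example, not code from the thread: it creates the link and then asks whether a user whom pure-ftpd has chrooted can follow it. Inside a chroot the kernel resolves an absolute symlink target relative to the new root, so with george chrooted into /Volumes/HD/Users/george a link to /Volumes/HD/Users/funicular/iTunes is looked up as /Volumes/HD/Users/george/Volumes/HD/Users/funicular/iTunes and dangles. The layout from the earlier post in this thread (everyone chrooted to /ftpUsers, shared folders under it) works with a relative link. All paths are hypothetical and are built in a temporary directory.

```python
import os
import tempfile

# Added example (not from the thread). Models how namei resolves a symlink when
# the process has a chroot: an absolute target restarts at the chroot root, and
# '..' at the root stays at the root.  Paths are hypothetical.


def chroot_view(chroot, link_path):
    """Host path the kernel would open for link_path when the process root is chroot.

    link_path is the host path of a symlink that lives inside chroot.
    """
    chroot = os.path.normpath(chroot)
    target = os.readlink(link_path)
    if os.path.isabs(target):
        parts = []                       # absolute target: start over at the chroot root
    else:
        rel = os.path.relpath(os.path.dirname(link_path), chroot)
        parts = [p for p in rel.split(os.sep) if p not in ("", ".")]
    for comp in target.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:                    # '..' cannot climb above the chroot root
                parts.pop()
        else:
            parts.append(comp)
    return os.path.join(chroot, *parts)


def link_usable_in_chroot(chroot, link_path):
    """True if a process chrooted to chroot can open what link_path points at."""
    return os.path.exists(chroot_view(chroot, link_path))


def make_share_link(target, user_home, link_name, chroot):
    """The post's 'sudo ln -s TARGET USER_HOME/LINK_NAME', followed by the chroot check."""
    link_path = os.path.join(user_home, link_name)
    os.symlink(target, link_path)
    return link_path, link_usable_in_chroot(chroot, link_path)


def demo():
    """Both layouts discussed in the thread; returns {layout: usable_in_chroot}."""
    base = tempfile.mkdtemp()
    results = {}
    # Layout 1: each user chrooted into his own home, absolute link across homes.
    itunes = os.path.join(base, "Users", "funicular", "iTunes")
    george = os.path.join(base, "Users", "george")
    os.makedirs(itunes)
    os.makedirs(george)
    _, usable = make_share_link(itunes, george, "funicular's iTunes", chroot=george)
    results["per-user chroot, absolute link"] = usable
    # Layout 2: everyone chrooted to /ftpUsers, shared folder under it, relative link.
    shared = os.path.join(base, "ftpUsers", "Shared", "iTunes")
    george2 = os.path.join(base, "ftpUsers", "george")
    os.makedirs(shared)
    os.makedirs(george2)
    _, usable = make_share_link("../Shared/iTunes", george2, "iTunes",
                                chroot=os.path.join(base, "ftpUsers"))
    results["/ftpUsers chroot, relative link"] = usable
    return results


if __name__ == "__main__":
    for layout, ok in demo().items():
        print("%-36s %s" % (layout, "resolves" if ok else "dangles inside the chroot"))
```

The apostrophe and the space in "funicular's iTunes" are no problem for os.symlink, which takes the name as one string; the backslashes in the shell command above do the same job for the shell. What does matter is where the link points: a host-absolute path is only good for users who are not chrooted, or whose chroot root contains the target.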

01-20-2004, 11:45 AM
I tried closing 6777 on my router - didn't work. Was easy to block outbound traffic using firewall software - but I like one place for all computers - unless I want to test a filter or fix on one computer and leave the others free running. Not sure why the router wouldn't take the "Add" on the port rule.

Usually you "allow" outbound traffic. In this case, you want to block traffic on that port.

I have a couple links to web lists of what Apple uses, and what port is associated with what service I should check.

06-03-2004, 01:18 PM
In a Full-Disclosure posting, Tom Knienieder warns about a gross NetGear backdoor security hole (http://lists.netsys.com/pipermail/full-disclosure/2004-June/022274.html) in the company's WG602 wireless access point (designed for Windows computers):
The webinterface which is reachable from both interfaces (LAN/WLAN) contains an undocumented administrative account which cannot be disabled.
Any user logging in with the username "super" and the password "5777364" is in complete control of the device.
This vulnerability can be exploited by any person which is able to reach the web interface of the device with a web browser.


11-15-2004, 07:19 AM
Desktop search engines threaten network security
SSL not so much secure sockets layer as suspect sockets layer.

By Tim Greene, Network World Fusion

New PC indexing tools such as Google's Desktop Search pose security risks to businesses that use SSL remote access, experts have warned.

The search tools copy material accessed during SSL sessions and make it available to unauthorised people who later use the same PC, bypassing the measures in place to purge cached session data. These so-called cache-cleaning agents wipe out temporary files created during SSL sessions, but they don't wipe out the copies made by the search tools.

"You could end up caching and indexing files you don't want cached and indexed on machines outside your control," says Dan Harman, remote access administrator for real estate developer Lewis Group, which uses SSL remote-access gear made by Whale Communications.

One touted benefit of SSL remote-access technology is that any machine with a Web browser can be used to access a corporate network securely. The downside is that the PCs might not be owned by the corporation, so any number of unauthorised users could have access to them. "This tends to negate user authentication," says Rick Fleming, CTO of Digital Defense, a vulnerability assessment company.

Besides Google's product, such search engines are made by Blinkx, Copernic, ISYS Search Software and X1. Yahoo and Microsoft are said to be on the verge of having them, too.

SSL VPN vendor Aventail says its Secure Desktop, a virtual desktop for SSL sessions that is destroyed when the session closes, prevents files downloaded during the session from being viewed by Google Desktop Search.

To solve the problem for its customers, Whale has a software upgrade that detects whether Google Desktop Search is running on a remote PC. If so, access to the corporate network is denied or restricted. The company is developing similar "upgrades" to address nine other desktop search engines, says Whale CTO Noam Ben-Yochanan.

Google Desktop Search makes it easier to find data on PC hard drives and doesn't address these security concerns, a Google spokesman says. Customers can manually turn off Desktop Search or put it on pause during SSL remote-access sessions to avoid having the sessions cached by the search engine, he says.

Ben-Yochanan says he installed Google Desktop Search on a PC, opened an e-mail attachment, altered the document, sent it as an attachment then deleted the file from the hard drive. Desktop Search retained a copy of the original attachment and the modified version.

Fleming says such tools pose similar threats to shared PCs on corporate LANs. So a person working a late shift could access all the data accessed by the person working during the day, including personal human resources data or Internet banking information, he says.

Similarly, if a network administrator uses a random desktop to reconfigure a firewall, a desktop search engine will record those settings and the password used to gain access, Fleming says.

It also makes it easier for attackers to search machines they have taken over, says Fred Felman, vice president of marketing for Zone Labs.

12-20-2004, 06:58 AM
Flaw found in beta version could allow third parties to access users' search result summaries. Google Desktop (http://www.infoworld.com/article/04/12/20/HNholeingoogle_1.html)

By Scarlet Pruitt, IDG News Service
December 20, 2004

Researchers at Rice University have discovered what they say is a flaw in the beta version of Google's (Profile, Products, Articles) Desktop Search product that could allow third parties to access users' search result summaries, providing a sneak peek at part of the content of personal files.

03-10-2005, 07:14 AM
NIDS taken to the level of prevention strategies
Intrusion Prevention and Active Response (http://www.oreilly.com/catalog/193226647X/desc.html)

04-01-2005, 07:59 AM
It's not an April Fool's Joke;

the SANS Internet Storm Center (http://isc.sans.org) covers a nasty type of Internet attack that can affect Macs as well as other operating systems, DNS poisoning: (http://isc.sans.org/diary.php?date=2005-03-31)

Looks like we got us another DNS server trying to poison DNS caches:

If you run a larger network, we recommend to block all traffic to this host.

A quick check with 'dig' shows that this server advertises itself as authoritative for '.com', and returns the same IP for all queries to .com domains.

For the particular report we have, the original domain that caused a query against this DNS server was intelliview.com.

Once your cache is poisoned, all requests to .com hosts are redirected either to or You will see a minimal search engine-like page and an advertisement for www.privacycash.com (DO NOT CLICK)....
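As an added example (not from the ISC diary), the two checks a resolver operator would apply to a server like the one described: the bailiwick rule, under which a caching resolver drops records a server volunteers for names above the zone the resolver was asking it about, and the one-address-for-every-name signature the diary found with dig. The sample response and probe results are constructed; the rogue server's address is not given on this page and is not guessed here, and 192.0.2.0/24 is documentation address space.

```python
# Added example (not from the ISC diary). Bailiwick filtering plus the
# 'same answer for every .com name' check from the diary's dig test.
# Sample data below is constructed.


def in_bailiwick(delegated_zone, rr_name):
    """A server reached through the delegation for delegated_zone may only be
    believed for names at or below that zone.  Records it volunteers for an
    ancestor such as 'com' are discarded, which is what stops this poisoning."""
    z = delegated_zone.strip(".").lower()
    n = rr_name.strip(".").lower()
    if z == "":
        return True              # the root is every name's ancestor
    return n == z or n.endswith("." + z)


def filter_answer(delegated_zone, records):
    """records: list of (name, type, data).  Keep only the in-bailiwick ones."""
    return [r for r in records if in_bailiwick(delegated_zone, r[0])]


def same_answer_for_everything(answers, minimum=3):
    """answers: {qname: set_of_ips} from queries for unrelated names.
    One identical answer for every name is the diary's poisoning signature."""
    if len(answers) < minimum:
        return False
    return len({frozenset(ips) for ips in answers.values()}) == 1


# Constructed: what a rogue server answers when asked for www.intelliview.com.
CONSTRUCTED_RESPONSE = [
    ("www.intelliview.com", "A", "192.0.2.10"),
    ("com", "NS", "ns.rogue.example"),        # out of bailiwick: claims all of .com
    ("ns.rogue.example", "A", "192.0.2.10"),  # out of bailiwick glue
]

# Constructed: 'dig @server <name>' for unrelated .com names, all the same IP.
CONSTRUCTED_PROBE = {
    "intelliview.com": {"192.0.2.10"},
    "example.com": {"192.0.2.10"},
    "apple.com": {"192.0.2.10"},
}
```

A resolver that applies filter_answer keeps only the www.intelliview.com record; the NS record for "com" and its glue, which are what would hijack every later .com lookup, never enter the cache. The probe check is the operator-side equivalent of the diary's dig test and is useful for deciding whether a server deserves the block the diary recommends.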

04-01-2005, 12:34 PM
Unix Authors Rush to Patch Telnet Flaw

Buffer overflow in the Telnet protocol could yield control of Unix systems to an attacker.

Unix Authors Rush to Patch Telnet Flaw
By Larry Seltzer
March 31, 2005

Several high-profile distributors of the BSD version of the Telnet protocol have rolled out patches for a critical bug that could cause system-hijack attacks.

The bug, which was reported by iDefense Inc., is a remotely exploitable buffer overflow that could allow the execution of arbitrary code with user privileges.

A successful attacker would have to convince the user to launch a Telnet session with a malicious server. eWeek: Telnet buffer flaw (http://www.eweek.com/category2/0,1738,1595546,00.asp)

There are errors in the instructions which could render sudo useless.
- MacIntouch, April 9th 2005.

04-08-2005, 09:56 AM
OSX Root Compromise

OSX can be root compromised by a trojan application. The trojan
application does not require explicit user authentication to elevate its
privileges to root, nor does the root account need to be enabled. The
Trojan application must be run from an account that is in the admin group,
which is the default for the first account created and the context in
which most users run. Once executed, the trojan application must only
wait until the user leverages the sudo utility, either at the command line
or by another application that leverages sudo to elevate its privileges.

A demonstration app is available at

The issue has been reported to Apple. Apple does not feel this is an issue
as "Administrators should not run arbitrary software." While it is true
that users should be cautious of running untrusted code, this answer is
unacceptable. Administrators are required to authenticate actions to the
core operating system. This vulnerability allows applications to bypass
this requirement by "piggy-backing" off an unrelated authorization event.

Versions Affected: OSX 10.3.x confirmed, OSX 10.2 probable

There are 3 factors that allow this to be possible:

1) sudo is by default, configured to allow a 5 minute password time out.
This means that subsequent use of sudo, within this grace period does not
require a password for authentication.

2) sudo is by default, configured to be global, meaning its session is
not tied to a tty but rather to only the user and time.

3) sudo writes its entries to /var/log/system.log, which, by default, is
readable by anyone in the admin group.

All the trojan application needs to do is monitor the /var/log/system.log
file for sudo entries for the user who executed the trojan. Once an entry
is found, that is within the timeout grace window, the trojan can then
elevate its privileges to root by simply executing sudo "anycommand".

Any of following changes to sudo will correct the problem.

To redirect sudo logs to /var/log/secure.log (which has the appropriate
permissions and is a more appropriate log for authentication components),
add the following lines to the /etc/sudoers file, in the "Defaults" section:

Defaults:ALL !syslog
Defaults:ALL logfile=/var/log/secure.log

To remove the password grace period which will force the user to
authenticate every time sudo is called, add the following line to the
/etc/sudoers file, in the "Defaults" section:

Defaults:ALL timestamp_timeout=0

To limit sudo password grace period to individual ttys, instead of global,
add the following line to the /etc/sudoers file, in the "Defaults" section:

Defaults:ALL tty_tickets

Redirecting sudo's logging and containing sudo sessions to individual
ttys, in the author's opinion, provides the best balance of functionality
and security.

Please ensure that you use the visudo tool to edit the /etc/sudoers file.
This utility will check your syntax, keeping you from corrupting your
file. By default, visudo uses vi as its editor.


05-02-2005, 06:07 AM
Google mistype security nightmare

Latest scam throws Trojans at your PC.

A malicious website is preying on people who mistype Google into their Web browsers.

Anyone who accidentally types "googkle.com" [do NOT attempt this - Ed], an easy-to-hit misspelling of the domain name, will find themselves on the receiving end of a nasty cyber-jacking, or "Google-jacking" as perhaps it should be more accurately termed.

The site will automatically install a wide range of malware on to the user's computer, mostly Trojan-based backdoors, proxies, downloaders, and droppers. Adding insult to digital injury, it also infects a PC with adware. The website will infect Windows PCs using any browser, so this is not simply a problem for Internet Explorer users.

Unearthed by anti-virus company, F-Secure, anyone unlucky enough to find themselves visiting this site will first encounter two pop-up windows which link to the websites ntsearch.com and toolbarpartner.com [again, do NOT visit these sites - Ed]. This starts a chain of infection through which a blizzard of files are downloaded and installed from these and at least one other website.

Once a PC has been infested with this malware, access to named anti-virus companies - Kaspersky, McAfee and Symantec - is also blocked, so users can't even update their protection. It is not known how many of the malware programs would be blocked by the current versions of leading anti-virus software suites, but it is wise to assume that anyone who has not recently performed an update could be at risk.

One of the Trojan programs is described by F-Secure as attempting to steal online banking information, so the whole scheme appears to be based on financial gain rather than nuisance hacking. The site is believed to be the work of Russian criminals. The domain is listed as being owned by a Sergey Gridasov who gives St Petersburg as his address.

This type of infection scam is not a new phenomenon and has become a common trap for visitors to some porn websites. Since most people don't usually browse such websites, using a misspelled version of the most visited website on the Internet has to count as a dastardly innovation.

Expect more variations on this trick.

06-13-2005, 06:32 AM
A Logiguard press release (http://press.arrivenet.com/tec/article.php/652285.html) highlights a potential vector for potential Internet attacks - update poisoning :

By adding entries directly into the hosts file, this spyware breaks through firewalls and other anti-virus protection and poisons update functions by pointing notable DNS (domain name service) names back to other inappropriate IP addresses, according to IT professionals.

Any type of desktop application which uses regular updates is at risk, including Windows. States Tom Pimienta, Director of Technology at LogiGuard: "I always feared such re-direction might be possible... next thing you know you're downloading what you think are Windows updates but they're not because the website you are downloading from is bogus!" This redirection of updates could wreak havoc on your computer.
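The hosts-file trick described above is easy to check for. This is an added example, not code from LogiGuard or from either article: it parses a hosts file and flags entries that override names an updater or antivirus product depends on, which covers both the update redirection in this post and the vendor blackholing in the googkle post above (the two differ only in whether the address is loopback or somewhere else). WATCHED is an illustrative list, not a complete one; the sample hosts file is constructed and uses documentation addresses.

```python
import ipaddress

# Added example (not from either article). Flags hosts-file entries that hijack
# update or antivirus vendor names.  WATCHED is illustrative; sample is constructed.

WATCHED = (
    "windowsupdate.com", "windowsupdate.microsoft.com", "update.microsoft.com",
    "kaspersky.com", "mcafee.com", "symantec.com", "swscan.apple.com",
)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every name on every valid line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not an address; not a hosts entry
        for name in fields[1:]:
            yield lineno, addr, name.lower().rstrip(".")


def watched(name):
    return any(name == w or name.endswith("." + w) for w in WATCHED)


def suspicious_entries(text):
    """(line, name, why) for each hosts entry that overrides a watched name."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES or not watched(name):
            continue
        if addr.is_loopback or addr.is_unspecified:
            why = ("blackholed: %s points at %s, so updates and signatures "
                   "silently stop" % (name, addr))
        else:
            why = ("redirected: %s resolves to %s, so 'updates' come from "
                   "whoever runs that host" % (name, addr))
        findings.append((lineno, name, why))
    return findings


SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com liveupdate.symantec.com
198.51.100.7    windowsupdate.microsoft.com
192.0.2.5       download.windowsupdate.com
"""
```

The file lives at /etc/hosts on OS X and at %SystemRoot%\system32\drivers\etc\hosts on Windows; on both, any process with write access to it wins over DNS, which is why the redirection "breaks through" a firewall that only looks at addresses. A blackholed entry is the quieter of the two failures, since the updater just reports that it cannot reach the server.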

06-21-2005, 05:48 AM
Wireless networks have to be secured, encrypted communication, blocked, and properly setup. CNN made mention of the problem where most users do not go to the "trouble" to secure their systems, and many cafes, hotels, or others using wireless may or may not be 100% secure.

Drive-By Download Sites Chauffeur Spyware
June 20, 2005, By Paul F. Roberts
eWeek (http://www.eweek.com/article2/0,1759,1829174,00.asp)

Increasingly, spyware is making its way onto users' systems through so-called drive-by-download sites using nefarious methods that circumvent disclosure.

One example is iFrameDollars.biz, which claims to be a Web site affiliate company just for drive-by sites, using a model similar to aboveboard affiliate networks such as Commission Junction and LinkShare.

In exchange, they are sent a small piece of HTML code containing the iFrame exploit, which the site owners are expected to attach to their pages. Web surfers who visit those pages using vulnerable versions of Windows or Microsoft Corp.'s Internet Explorer Web browser have iFrameDollars.biz's programs silently installed.

An administrator at the site, who uses the name "Alex Zemlickas" and claims to be from Lithuania, forwarded a copy of the iFrame exploit distributed by the iFrameDollars.biz affiliates to eWEEK.

An analysis by iDefense Inc. of that exploit revealed a hostile link that triggers a second exploit and installs X.chm, a Trojan-Downloader program, according to Ken Dunham, director of malicious code at iDefense, a computer security intelligence company in Reston, Va.

The downloader, in turn, pulls 111 applications onto the client computer, including other downloaders and Trojan back-door programs, not to mention MediaTickets, an adware program owned by Clickspring LLC, of Brookline, Mass., Dunham said.

Advertisers are leery of marketers' methods.

In addition to distributing malicious code and adware through its affiliates, iFrameDollars.biz mines click-through traffic from systems compromised by the group's exploit and uses pop-up messages to tempt users into buying nonexistent software programs, taking a cut of any sales.

The iFrameDollars.biz crew isn't above using its network of compromised machines to distribute spam or to steal personal information from users, either, Dunham said.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
Copyright (c) 2005 Ziff Davis Media Inc. All Rights Reserved.
* Botnet hunters searching for zombie controls (http://www.eweek.com/article2/0,1759,1829347,00.asp)

* Spyware Floods In Through BitTorrent
* Company Settles 'Spyware' Lawsuit for $7.5M
* BigFix Tools Manage Anti-Spyware
* Google Needs to Step Up in Spyware Fight
* Do Google Ads Help Fund Spyware?

06-21-2005, 05:51 AM
Spyware Danger Meets Rootkit Stealth (http://www.eweek.com/article2/0,1759,1829744,00.asp)

Cool Web Search showed up in 8 percent of all spyware scans by Webroot. The program has traditionally not been hard to detect, but has been very hard to remove once it is installed, pushing it to the top of the spyware pantheon, Moll said.

"Once you get it, you can't get rid of it, and that's proven to be a real heartache for people," he said.

The new spyware variants are a sign of the increasing sophistication of malicious code authors, and of spyware makers, according to Roger Thompson, director of malicious content research at Computer Associates International Inc.

Rootkits are programs that give remote attackers administrative access to compromised machines. Using a rootkit, an attacker can peruse a compromised machine's hard drive, set up or change user accounts, add, delete, or modify files, and communicate with other machines on a network or the Internet.

The programs often lurk in the background and are difficult to detect, even when they are known to be installed on a system.

Thompson said that new variants of the Cool Web Search spyware, detected in recent weeks, can hide configuration settings in the Windows registry and disguise their presence by hiding rootkit files in alternate data streams.

06-21-2005, 05:55 AM
If you think that only executables can carry spyware or adware, you are in for a rude shock. If you haven't patched your Windows Media Player or RealPlayer, you can download a movie file in those formats (.wmv, .rm, etc.) that will infect your PC just as well as an executable. I also guarantee you that there are many people using BitTorrent right now who haven't patched their video player.

06-22-2005, 06:03 AM
I tried with the latest Safari, Firefox 1.04+ and OmniWeb 5.1.1 B2, and all of them were vulnerable.

Secunia reports a browser vulnerability (http://secunia.com/advisories/15492/) affecting the Macintosh. In addition to Internet Explorer, reported here, the problem also appears to affect other browsers (see test page).

Secunia Research has discovered a vulnerability in various browsers, which can be exploited by malicious web sites to spoof dialog boxes.

The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site.

Please use the test below, to see an example of how this vulnerability can be exploited, and also to determine whether or not your browser is vulnerable.

Result - You are vulnerable, if a JavaScript dialog box appears in front of the Google.com web site without displaying information about its origin.

The vulnerability has been confirmed in version 2.0 (412). Prior versions may also be affected.

Do not browse untrusted web sites while browsing trusted sites.

Vulnerability Test Page (http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/)

Multiple Browsers Frame Injection Vulnerability

08-12-2005, 02:18 PM
URL Security in OS X:

08-17-2005, 06:29 AM
Zotob Infiltrated CNN - VRT Rules Detect All Variants

Jennifer @ Wed August 17 04:01:35 2005 GMT

The Zotob worm variants are continuing to gain momentum and popularity, even being covered by CNN after an attack hit their own network. The Sourcefire VRT has continued to stay on top of this activity and verified that all variants are currently detected by the original rules released on August 12, 2005. These rules have now been released to Registered Snort Users at http://www.snort.org/pub-bin/downloads.cgi#VRT.

Red Herring: Zotob Virus Strikes Windows
Jennifer @ Tue August 16 17:45:18 2005 GMT

The Zotob worm is making the news and Matt Watchinski, director of the Sourcefire Vulnerability Research Team, was quoted as an expert in an article featured in Red Herring's online magazine posted on August 15th. The article discusses the most recent Internet worm to strike Microsoft Windows, Zotob, and the impact it is having on global networks.

In the article, Watchinski highlights an existing trend of reduced time from vulnerability to exploitation. "The really interesting thing here is how quickly an exploit to take advantage of the hole was created and released," Watchinski is quoted as saying.

The article goes on to discuss the spread of Zotob and variations that are already in the wild. For the full article, please visit Zotob Virus (http://www.redherring.com/Article.aspx?a=13175&hed=Zotob+Virus+Strikes+Windows) www.redherring.com

08-17-2005, 07:03 AM
Snort Technical Guide Available
Jennifer @ Fri May 6 20:32:58 2005 GMT

JP Vossen, Senior Security Engineer for Counterpane Internet Security, has written a Snort Technical Guide.

"Arguably one of the best network intrusion-detection systems (NIDS) is the free and open source Snort package. It has a large and active community, and is backed by the commercial company Sourcefire, making Snort a strong contender in the NIDS market. The package itself is free. All that's required is some hardware to run it on and the time to install, configure and maintain it. Snort runs on any modern operating system (including Windows and Linux), but some consider it to be complicated to operate. The goal of this guide is to take some of the mystery out of Snort."

Topics include:

Why Snort makes IDS worth the time and effort
How to identify ports
How to deal with switches and segments
Where to place IDS sensors
What OS to use for Snort sensors
How to determine how many interfaces a sensor needs
How to modify and write custom Snort rules
How to define Snort's configuration variables
Where to find Snort rules
How to automatically update Snort rules
How to decipher the Oinkcode
How to verify that Snort is operating

This guide is available at

08-19-2005, 08:42 AM
SSH and Remote Login:

For those who want to know a trick:
If you have the black screen, the GUI or Finder is not responding and nothing happens you can "properly" shut down the system like it should be by using a SSH connection from a client Mac:

You have to activate "Remote login" in systempreferences>sharing first.

1. Open terminal from the client Mac
2. type in: ssh username@computer
For example: ssh Nicolas@DualG5 <---- instead of DualG5 you can use the IP address too.
3. When you use SSH connection for the first time, you will see a popup window "The authenticity of the host ... Are you sure you want to continue connecting (yes/no)?" answer with yes.
4. Then you have to type in the password of the user you want to connect as.
5. if the SSH connection is established you can now look for running processes by typing "ps aux"
then "kill -9 processIDnumber"
to restart the Mac "sudo shutdown -r now"
to shut down "sudo shutdown -h now"

Disable ssh password login under Tiger

Given the increase in scripted attacks to guess ssh passwords...

I decided to disable passwords altogether, and move to public key authentication.

I edited /etc/sshd_config as follows:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

That worked fine until one day, I tried logging into a Tiger machine from an account which lacked the required public key, and discovered I could still get in with just a password. It seems 10.4 has added another flag to disable:

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
UsePAM no

What is curious about UsePAM is that in the comment it says that no is the default, so it should not have been necessary to uncomment it. Yet, in my own experience, I had to explicitly disable it to prevent password authentication. Note: don't forget to restart your Remote Login after saving the changes.

[robg adds: This earlier hint (and some great associated comments) covered disabling password-based ssh access, also in light of the number of brute force attacks being seen. Interestingly, I hadn't yet redone this hint for 10.4, so I checked the log files today. My machine is still getting pounded by scripted attacks; literally hundreds per hour ... looks like it's time to re-enable the protections from these hints and comments!]

somewhere out there, there's an SSH brute-force exploit script (I run no real "servers" at home, just Remote Login and Personal Web Sharing, but that's blocked at my router). Just from reading the log files, it's pretty obvious that the script is trying common user names, and probably common passwords for the root account. Needless to say, this didn't make me feel very comfortable at all, even though my passwords are secure.

While OS X may not be vulnerable to viruses and malware, it's still quite vulnerable to external attacks from zombied machines running scripts such as this one. So I used the fact that my machine was being probed as an incentive to learn more about increasing the security of my Remote Login sessions. What I found out was that, though SSH is quite secure, there are some simple things you can do to make it even more secure (though there is a downside, as you'll see).

how to Disable root access via SSH. At the time (10.0.1!), I had followed the hint and blocked root SSH logins. Somewhere between 10.0.1 and 10.3, including a machine migration, I lost it and had never put it back. This really should be disabled by default, but it's not ... so the first step to further securing Remote Login is to re-block root logins. The instructions in the original hint are still basically true, but somewhat non-detailed, so here's a step-by-step walkthrough.

macosxhints (http://www.macosxhints.com/article.php?story=20050815135941513)

Essential: How to Restore logging of SSH logins under Tiger (http://www.macosxhints.com/article.php?story=20051012162448301)
SSH Helper
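The UsePAM surprise above, as a check that can be run against a configuration file before trusting it. This is an added example, not code from the macosxhints post or from OpenSSH: it computes the effective password-login posture of an sshd_config the way sshd does (first occurrence of a keyword wins, "Key value" and "Key=value" both accepted) and reports the case the post found by accident, namely that with PasswordAuthentication off, PAM can still take a password through keyboard-interactive as long as UsePAM and ChallengeResponseAuthentication are both yes. The built-in default for UsePAM depends on how the vendor compiled sshd, which is exactly why the comment in the file could not be trusted; the check therefore takes that default as a parameter and flags the keyword when it is not set explicitly. Match blocks are not handled. Both samples are constructed.

```python
import re

# Added example (not from the post). Effective password-login posture of an
# sshd_config.  Samples are constructed; Match blocks are not handled.

_SPLIT = re.compile(r"[\s=]+")


def parse_sshd_config(text):
    """First occurrence of a keyword wins, as in sshd; keys and values lowercased."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SPLIT.split(line, 1)
        if len(parts) != 2:
            continue
        cfg.setdefault(parts[0].lower(), parts[1].strip().lower())
    return cfg


def password_login_possible(cfg, usepam_default="yes"):
    """Return (possible, reason).  usepam_default is what this build of sshd uses
    when UsePAM is absent; set UsePAM explicitly rather than guess it."""
    pw = cfg.get("passwordauthentication", "yes")
    cr = cfg.get("challengeresponseauthentication", "yes")
    pam = cfg.get("usepam", usepam_default)
    if pw == "yes":
        return True, "PasswordAuthentication is yes (the default)"
    if pam == "yes" and cr == "yes":
        return True, ("UsePAM yes with ChallengeResponseAuthentication yes: PAM still "
                      "prompts for the password over keyboard-interactive")
    return False, "PasswordAuthentication no and no PAM keyboard-interactive path"


def audit_sshd_config(text, usepam_default="yes"):
    """Findings relevant to the scripted guessing attacks described in the post."""
    cfg = parse_sshd_config(text)
    findings = []
    possible, why = password_login_possible(cfg, usepam_default)
    if possible:
        findings.append("password logins still accepted: " + why)
    if cfg.get("permitrootlogin", "yes") not in ("no", "without-password"):
        findings.append("PermitRootLogin is not 'no': root is the account the scripts "
                        "in the log files guess against")
    if "usepam" not in cfg:
        findings.append("UsePAM not set explicitly; the effective value is whatever "
                        "this build compiled in, not what the comment says")
    return findings


POSTED = """\
# constructed: the post's first attempt
PasswordAuthentication no
#PermitEmptyPasswords no
"""

HARDENED = """\
# constructed: the explicit settings that close the password path
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no
PubkeyAuthentication yes
"""
```

With the vendor default assumed to be "yes", audit_sshd_config(POSTED) reports all three problems and audit_sshd_config(HARDENED) reports none. Setting UsePAM to no on a 10.4 machine also means the login goes through sshd's own checks only, so verify that key-based logins still work from a second terminal before closing the one you edited the file in, and restart Remote Login as the post says.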

11-07-2005, 06:15 AM
Windows versions of Flash Player 6.x and Flash Player

Vast security risk from Flash hole

By Matthew Broersma, Techworld

Macromedia has warned of a critical bug in its Flash Player - one of the most widely used pieces of software on the desktop - that could allow attackers to take over a system.

eEye, the security research firm co-credited with discovering the bug, said it had demonstrated "reliable exploitation" using the bug in the Internet Explorer browser, but other browsers are also said to be just as open to attack. Macromedia also credited Sec Consult with the discovery.

The flaw affects all Windows versions of Flash Player 6.x and Flash Player and earlier, but has already been addressed in Flash Player 8 (, according to eEye. Macromedia recommended upgrading to Flash Player 8 but also released an update to Flash Player 7 fixing the bug. Flash Player 8 isn't supported by older operating systems such as Windows 95 and Windows NT.

The bug is due to missing validation of the frame type identifier read from a SWF file, which could be used to force the player to use attacker-supplied values as function pointers, according to eEye. Exploitation via a malicious SWF file could allow an attacker to execute malicious code with the same privileges as the user running Flash Player.

01-25-2006, 09:27 AM
GPGMail 1.1.1 - PGP For Apple Mail (http://www.versiontracker.com/dyn/moreinfo/macosx/10049)
Caem (OS X) (http://www.download.com/Caem-OS-X-/3000-2149_4-10193583.html)
Java Anonymous Proxy X 1.037 (http://www.macupdate.com/info.php/id/8042)
Proxify (http://proxify.com/)
Easy ways to access Proxify (http://proxify.com/ingress.shtml)
NetShade (http://raynersoftware.com/netshade/)
Tor (http://tor.eff.org/)
Tor FAQ: Default Ports (http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#DefaultPorts)

So, here are a few (some rather iffy, some want a fee) Mac OSX programs to get started (the Times article has links to some PC programs).

You might ask: How good is this stuff? Are they difficult to set up and use? Do they slow down web surfing and emailing?

I have used Privoxy for years (to the point where I don't know what it would be like without it, or the firewall, or snort).

I've been told that PGP is exactly what it says it is: pretty good privacy, meaning it takes a very sophisticated computer program a considerable amount of time to decrypt. The others are mostly new to me.

Privacy (http://www.nytimes.com/2006/01/25/technology/techspecial2/25privacy.html?_r=1)

02-22-2006, 02:57 PM
Basic Mac OS X Security (http://www.macgeekery.com/tips/security/basic_mac_os_x_security)

SANS: Basic flaw in OS X (http://isc.sans.org/diary.php?storyid=1138)
Shell scripts and browser vulnerability (http://www.macfixit.com/article.php?story=2006022111410554) - Mail AppleDouble MIME also.

04-21-2006, 07:08 AM
Unfixed Mac OS X security holes
Security Protocols (http://www.security-protocols.com/modules.php?name=News&file=article&sid=3233)

A security professional says he has been dissecting various Mac OS X applications, and has submitted a slew of security vulnerabilities to Apple's product security team.

The vulnerabilities, which were reportedly submitted to Apple at the beginning of 2006, afflict Mac OS X 10.4.5, BOM ArchiveHelper, Safari 2.0.3, and Mac OS X 10.4.6.

Apple recently released a firmware update for Intel Macs that addressed a security vulnerability in Java for Tiger, and offered Java Standard Edition 5.0 the following day, which also repaired a number of security issues.

The company to date has chosen not to repair the vulnerabilities discovered by Security-Protocols.com, however, which has posted seven advisories for the weaknesses already discovered.

"From what I have been told, they 'will be fixed in the next security release,'" wrote Tom Ferris, a researcher for Security-Protocols.com.

Abuse Mach on OS X (http://uninformed.org/index.cgi?v=4&a=3)

06-22-2006, 09:46 AM
Apple safety tips for handling email attachments and content downloaded from the Internet.

11-21-2006, 11:46 AM
Mac OS X/Safari DMG vulnerability reported: Turn off automatic opening of "safe" files to prevent (http://www.macfixit.com/article.php?story=20061121111106235)

FrSIRT (the French Security Incident Response Team) reports (http://www.frsirt.com/english/advisories/2006/4629) on a newly demonstrated flaw affecting versions of Safari in Mac OS X 10.4.8 and prior...

12-04-2006, 11:04 AM
Unexplained high level of network activity on local host? (http://discussions.apple.com/thread.jspa?threadID=749165)

12-04-2006, 05:59 PM
MySpace worm uses QuickTime for exploit (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005607&intsrc=hm_list)
- steals log-in credentials and sends out adware-promoting spam

December 04, 2006 (IDG News Service) -- The social networking site MySpace.com is under what one computer security analyst called an "amazingly virulent" attack caused by a worm that steals log-in credentials and spreads spam that promotes adware sites.

The worm works by using a cross-scripting weakness found about two weeks ago in MySpace and a feature within Apple Computer Inc.'s QuickTime multimedia player.

The exploit starts with a user who visits a MySpace profile infected with an embedded QuickTime movie. The movie loads JavaScript code that overlays a row of menu options on a MySpace profile with a bogus menu.

A QuickTime function, called the HREF track, can direct the player to use JavaScript commands to load Web pages into a browser frame or window.

The JavaScript feature in QuickTime has legitimate uses, "but there are a lot of legitimate uses for technology that can be misused," said Ross Paul, a senior product manager at security software firm Websense Inc.

If an option in the bogus menu is clicked, the user is directed to a fake log-in page hosted on another server, where the person's log-in details are captured.

Websense has posted a screenshot of the fake log-in page.

MySpace's "seemingly random tendency" to expire user sessions or log out users makes it less noticeable to victims that an attack is under way, according to a Nov. 16 advisory by the Computer Academic Underground.

Additionally, the worm places an embedded QuickTime movie on the user's profile, which will then repeat the infection process for anyone who visits the profile.

The worm has another malicious function. Once a profile is infected, the worm sends spam to other people in the user's contact list.

Those spam messages contain a file that appears to be a movie but instead is a link to a pornographic site that also hosts adware from Zango Inc., Boyd said. Zango, formerly 180 Solutions Inc., settled last month with the U.S. Federal Trade Commission for $3 million over complaints that it didn't properly ask the consent of users before its adware was installed.

Boyd said he has heard anecdotal stories of users removing the worm's JavaScript manually from their profiles, but the worm reappears after some time if one of their friend's profiles is infected. Several variants of the worm have also appeared, he said.

While some of the Web sites hosting the malicious QuickTime movie have been taken down, others have appeared, Boyd said.

The Firefox 2.0 browser was flagging some of the bogus log-in sites as phishing sites, Boyd said. However, phishing sites can be active for several hours before they are flagged, he said.

MySpace officials had no immediate comment today.

More about how this operates:
The worm has piqued the interest of a number of security professionals who say XSS is a major problem that many companies overlook. Google employee Evan Martin even broke down the worm's AJAX code on his personal Web log (http://www.livejournal.com/community/evan_tech/150019.html).

"Found in over 90 percent of Web sites, Cross-Site Scripting vulnerabilities are by far the most common security issue," Jeremiah Grossman, co-founder and CTO of WhiteHat Security (http://www.whitehatsec.com/), told BetaNews. "The incident with MySpace illustrates the dangers presented by XSS vulnerabilities and underscores the importance for organizations to fix these issues."

Cross-site scripting Worm (http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391)

02-16-2007, 06:33 AM
JavaScript code leaves routers open to attack
by Cyril Kowaliski (ckowaliski@techreport.com) - 12:56 am, February 16, 2007

Users who connect to the Internet through a router and have yet to change the device's default password may be vulnerable (http://news.com.com/Hack+lets+intruders+sneak+into+home+routers/2100-7349_3-6159938.html?tag=nefd.top) to a new type of JavaScript attack, according to Symantec and Indiana University researchers. As CNet reports, JavaScript code embedded in a malicious web page can exploit a user's browser to log into a router with default login settings and change DNS IP addresses. Through a custom DNS server, a user attempting to visit a major site like Google -- or worse, a bank site -- could be redirected to a malicious site able to harvest passwords or other personal information. Symantec researcher Zulfikar Ramzan tells CNet that he has already tested the attack with consumer routers from D-Link, Linksys, and Netgear, and that it's even possible to craft a single page that can attack all vulnerable routers. Ramzan feels that it's "just a matter of time before phishers start using [this attack]."

02-26-2007, 07:15 AM
The Dissection of a Rootkit

DATE: 23-FEB-2007
By Lisa Vaas (http://www.security.ithub.com/author/Lisa+Vaas/471.aspx)

Security analysts have been predicting that kernel rootkits, which cloak their activity by replacing a portion of a program's software kernel with modified code, are expected to continue to grow in frequency in 2007.

While rootkit-fighting technologies such as the PatchGuard kernel protection system built into 64-bit versions of Microsoft's new Windows Vista operating system are arriving, most PC users will still be left open to the attacks over the next twelve months, CA has said, and even experienced PC users are vulnerable (http://www.security.ithub.com/article/CA+Predicts+More+Attacks+on+Experienced+Users/199597_1.aspx) to their sophisticated techniques.
F-Secure (http://www.f-secure.com/) Security Labs has been tracking and dissecting kernel malware for years; this form of attack was first spotted as far back as 1999, in the form of the WinNT/Infis attack.

03-02-2007, 08:35 AM
Keeping PDF info private (http://www.macworld.com/weblogs/macosxhints/2007/03/pdfnoshare/index.php)

By Rob Griffiths (http://www.macworld.com/info/contact/form.php?e=Rob%20Griffiths&t=e)

You may not realize it, but every time you save a PDF in OS X, you're potentially sharing at least a bit of personal information: your name.

That's not all that gets encoded, either. OS X records the page size, page count, encryption status, creation and modification dates, title (which might include the original filename and application used), content creator, and something called the PDF Producer.

You can see all of this information in the Get Info box (Tools -> Show Info, or Command-I) in Preview. For instance, here's the box from a PDF created from a Word document on my machine:

Anyone I send this file to will be able to see this same information, just by pressing Command-I in Preview.

Instead of using Save as PDF in the PDF drop-down menu, scroll down a bit further and choose Compress PDF.

If you're planning on sharing your PDFs, and you're worried about sending personal data around, then Compress PDF is the better option in the Print dialog box.

So what's the caveat, you might ask? The PDF created with Compress PDF is, very ironically, larger than the one created by Save as PDF.

You might try further shrinking the PDFs using ColorSync, as described in this article (http://www.macworld.com/2004/03/features/panthersecretsdeclassified/?lsrc=mcrss-0304) (scroll down to Tip: Use ColorSync To Shrink PDF File Sizes). However, in my testing, I couldn't ever shrink the resulting PDF as small as the Print to PDF version.

03-08-2007, 07:50 AM
Firewall Deployment Hit List:

1. If you have a network and don't have it firewalled, get it done as soon as possible.

2. Use a firewall device or software to provide your firewall service. Don't use some other device that may provide some hint of security. The capability can be built into a server or a router or something else, but make sure what you are getting is a firewall.

3. Protect each individual device in your network, or that might be used on your network, with device level security tools.

4. Make sure you properly "wall off" applications from unintended external and internal use.

5. Think of security as an ongoing process, not something you do once and can forget about. Make sure you are installing patches for your network as they are made available. Consider investing in an annual security assessment from a reputable IT consultant or solution provider.

6. Look to an IT consultant, or solution provider, to help you with your implementation. They have the expertise to guide you through the process and ensure that you are able to protect yourself and balance that with making sure you have the ability to run your business.

03-11-2007, 11:42 AM
Feb Thu 15th 2007 11:04am

There is a newly discovered security vulnerability in virtually all home routers that could allow a malicious agent to take control of the router if the user does not change the password that was set by the factory. A malicious Web site can use Java and JavaScript to gain control of the router from within, by using the router's Web interface. Once control of the router is established, the agent can redirect Web traffic and eavesdrop on your Web browsing, possibly stealing valuable information such as passwords and financial information. This also opens up other avenues for attacking your computer.

The problem appears to apply to ALL operating systems and all Web browsers, no matter how secure they may be otherwise. It is not a browser security problem per se. The vulnerability is created by the user not changing the default router password.

* To avoid this problem, it is essential to change the password on a new router before you use it. Be sure to choose a secure password that cannot be guessed.

* Although no specific browser vulnerability is known, for additional security you might want to set your Web browser not to store your router passwords.

* If the router has already been compromised, changing the password may not undo the damage. Your router firmware could have been changed, and your computer could also have been compromised.

You can post discussion on this here. (http://forums.mozillazine.org/viewtopic.php?t=520706) The original technical article is here. (http://www.cs.indiana.edu/pub/techreports/TR641.pdf)

03-13-2007, 08:19 AM
How to surf anonymously without a trace

Preston Gralla

March 12, 2007 (Computerworld) The punchline to an old cartoon is "On the Internet, nobody knows you're a dog," but these days, that's no longer true.
It's easier than ever for the government, Web sites and private businesses to track exactly what you do online, know where you've visited, and build up comprehensive profiles about your likes, dislikes and private habits.

And with the federal government increasingly demanding online records from sites such as Google and others, your online privacy is even more endangered.

But you don't need to be a victim. There are things you can do to keep your surfing habits anonymous and protect your online privacy. So read on to find out how to keep your privacy to yourself when you use the Internet, without spending a penny.

What they know about you

Whenever you surf the Web, you leave yourself open to being snooped upon by Web sites. They can track your online travels, know what operating system and browser you're running, find out your machine name, uncover the last sites you've visited, examine your history list, delve into your cache, examine your IP address and use that to learn basic information about you such as your geographic location and more. To a great extent, your Internet life is an open book when you visit.

Sites use a variety of techniques to gather and collate this information, but the two most basic are examining your IP address and placing cookies on your PC. Matching your IP address with your cookies makes it easier for them to create personal profiles.
If you'd like to see what kind of information sites can gather about you, head to these two sites, which peer into your browser and report what they find.
Privacy Analysis of Your Internet Connection (http://www.privacy.net/analyze/) gathers and displays basic information, such as your operating system, screen resolution, what site you previously visited, general system setup and so on.
BrowserSpy (http://gemal.dk/browserspy/) delves even deeper into your system and even reports on whether you have certain software on your system, such as RealPlayer and Adobe Acrobat, including version information.

The Cloak (http://www.the-cloak.com/) is one such service. It lets you customize exactly how anonymous you want to be and what surfing technologies you want to leave on or off. It goes beyond providing anonymity and can protect you in other ways -- for example, by turning off Java and JavaScript or even blocking banner ads. As you can see in the nearby screenshot, you can configure all that yourself before you start to surf.

To use an anonymous proxy server with your browser, first find an anonymous proxy server. Hundreds of free, public proxy servers are available, but many frequently go offline or are very slow. Many sites compile lists of these proxy servers, including Public Proxy Servers (http://www.publicproxyservers.com/page1.html) and the Atom InterSoft proxy server list (http://www.atomintersoft.com/products/alive-proxy/proxy-list/). To find others, do a Google search.

What else you can do
There are other ways to help protect your anonymity online. If you're worried that your searches may be used by search engines or government agencies to invade your privacy or create a profile about you, see Seven ways to keep your search history private (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012082).

If you want to be able to send e-mail anonymously so that no one can find out that you sent it, you can use an anonymous remailer such as the Web-based Anonymouse's AnonEmail (http://anonymouse.org/anonemail.html) or the downloadable QuickSilver (http://quicksilvermail.net/).

There are also plenty of for-pay anonymity services, such as the Anonymizer (http://www.anonymizer.com/), and the Anonymizer's new Nyms service (http://www.anonymizer.com/consumer/products/nyms/), which uses disposable e-mail addresses to protect your true e-mail identity.

Finally, for a very good all-around resource about how to protect your privacy online, check out the Electronic Privacy Information Center's Online Guide to Practical Privacy Tools (http://www.epic.org/privacy/tools.html). It has plenty of links to software and sites to help protect your privacy.

Preston Gralla is a contributing editor for Computerworld, and the author of more than 35 books, including Windows Vista in a Nutshell (http://www.amazon.com/Windows-Vista-Nutshell-Desktop-Reference/dp/0596527071) (O'Reilly Media, 2006).

03-14-2007, 04:46 PM
MacIntouch QuickTime 7 Report (http://www.macintouch.com/readerreports/quicktime7/)

Important: Starting with QuickTime 7.1.5, you can no longer issue javascript:// URLs or call JavaScript functions from within a QuickTime movie. This feature was removed from QuickTime for security reasons. Tucked away in an update to an old developer document on QT/JavaScript interaction:
Executing JavaScript Functions From QuickTime (http://developer.apple.com/documentation/QuickTime/Conceptual/QTScripting_JavaScript/bQTScripting_JavaScri_Document/chapter_1000_section_4.html#//apple_ref/doc/uid/TP40001526-CH001-ExecutingJavaScriptFunctionsFromQuickTime)

This is a response to the exploit (http://www.websense.com/securitylabs/alerts/alert.php?AlertID=708) that hit MySpace a few weeks back and was indeed a MOAB bug.

More info is available with a quick search for "quicktime 7.1.5" on the Apple support website:
About the security content of QuickTime 7.1.5 (http://docs.info.apple.com/article.html?artnum=305149)

One of the numerous external reports:
Phishers Attack MySpace with QuickTime Exploit Worm (http://www.eweek.com/article2/0,1895,2067683,00.asp).

JavaScript Flash by default allows the player access to the microphone and webcam unless you tweak the security settings. From a security/privacy standpoint that's bad policy. (It seems much more motivated by avoiding requiring the user to turn it on, and avoiding support calls about why the cam program doesn't work.)

Access in recent versions of Flash Player changed to the point at which the security settings in the page can limit what the flash environment can do.
Using JavaScript with Flash Player (http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_04160%22)
Still somewhat dubious default values, but there is some hope of locking it down to some extent.
Javascript gives you access to all of the DOM objects and potentially a subset of the cookies in your open browser.

JavaScript HTML DOM Objects (http://www.w3schools.com/js/js_obj_htmldom.asp)
Some media needs to know what previous URLs I've been to before getting to the page which displays the movie?

Javascript in a web browser window is somewhat transparent. I can 'view > source' on the window and see whatever contrived code is present (or referenced). Quicktime movies don't appear to provide for ready inspection whatever else they have embedded besides media (which is what I, and I suspect most people, expect to be the sole content).

The removal of the ability of QT movies to call JavaScript functions is just a knee-jerk response to the Month of Apple Bugs. It isn't. It was a big security hole in QT that lets people execute JavaScript on your machine without you being aware of it (when you preview an MP3, say).

This problem was initially revealed in Dec 2006 when it was used to steal huge numbers of passwords (http://blog.washingtonpost.com/securityfix/2006/12/myspace_video_worm_pimps_adult_1.html) on the MySpace web site.

You can see how to do it (http://www.gnucitizen.org/blog/backdooring-quicktime-movies/). The multiple security fixes in QT 7.1.5 are documented here (http://docs.info.apple.com/article.html?artnum=305149) with one fix dealing with two javascript related issues: one from MySpace and one from the Month of Apple Bugs web site (MOAB-03-01-2007).

CVE-2006-4965 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4965)
CVE-2007-0059 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0059)

Seems like a good fix for a poor design.

03-16-2007, 06:51 AM
Google's blog software hijacked by scammers
By John E. Dunn, Techworld

Google’s blogger.com (http://www.blogger.com/start) is being hijacked to spread malware through fake blogs, a security vendor has warned.
According to Fortinet, genuine-looking blogs on topics as wide-ranging as "Star Wars, school, furniture, Christmas, cars and girlfriends" are now being created to host a variety of script-initiated malware.

It would be impossible for visitors to spot the danger of these sites, which now number in the hundreds, the company said. Although they look genuine, it appears that all the sites have been specially crafted to fool visitors.

Fortinet gives examples (http://www.fortiguardcenter.com/advisory/FGA-2007-04.html) of the sites, including one for a supposed fan of the Honda CR450 motor car, which attempts to infect visitors with the Wonka Trojan. In another, the fake blog redirects visitors to a store front purporting to be Pharmacy Express, a phishing site that has turned up in many spam emails distributed by the Stration worm.

"These are not legitimate blogs that were compromised. They appear to be deliberately set up to promote phishing, which is against our terms of service. We are investigating, and blogs found to include malicious code or promote phishing will be deleted," Google said in a statement to CNET.

The fake blog scam is another example of social networking sites – the Internet’s big growth area – being exploited for gain.
In recent times, MySpace and YouTube have all been used to host or redirect to malware.

03-16-2007, 10:33 AM
Operating System Vulnerability Scorecard
Linked by Thom Holwerda (http://www.osnews.com/editor.php?editors_id=11) on 2007-03-16 17:02:28 UTC, submitted by Shawna McAlearney (smcalearney@cxo.com)

"Starting today, I plan on posting a monthly vulnerability scorecard (http://blogs.csoonline.com/node/184) for common server and workstation Operating System products. I'm going to keep these scorecards pretty clean of discussion, but you can review my methodology, sources and assumptions (http://blogs.csoonline.com/methodology_sources_and_assumptions_for_monthly_vulnerability_scorecards)." Note that these results speak only of fixed vulnerabilities; the author aims (http://blogs.csoonline.com/january_2007_operating_system_vulnerability_scorecard#comment-1367) to include information on non-fixed problems and the time it takes to fix problems as well. You should also read this (http://blogs.csoonline.com/exactly_how_biased_am_i), by the way.

03-20-2007, 05:54 AM
According to ComputerWorld (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9013702&intsrc=hm_list), there is a new trojan horse making the rounds on MySpace. This one exploits a flaw that has already been patched in QuickTime 7.1.5 and attempts to steal passwords and other personal information.
Helsinki-based security vendor F-Secure Corp. ticked off the pieces the Trojan horse steals: MySpace username, FriendID, MySpace Display Name and other user passwords. The data is uploaded to a server at the domain Profileawareness.com, which is a members-only forum that "provides working methods of tracking exactly who visited your MySpace profile." This is an important patch to apply whether or not you frequent MySpace.

03-20-2007, 06:54 AM
B. Securing servers

Securing a computer system is always a tradeoff; to make it more secure, you disable services, making it less useful, and you carefully examine details of those services you leave running, making it more expensive to set up and maintain.

Servers however are easy to secure; they are special-purpose machines, and need only offer a very limited range of services. So the bulk of the effort consists solely in disabling everything else.

First, find out everything that's running on your server.

List the processes, or better list the network ports that have servers listening on them. The commands to do this vary from one OS to another; under Unix processes can be listed with ``ps'', and open network ports can be listed with ``netstat''.

A better tool, which lists open network ports together with which process is listening on each one, is ``lsof'', available from

Second, disable everything but the specific processes required to serve the content for which the machine is in use. For example, a web server should not be listening on any of the network ports for other services besides http (TCP port 80) or https (TCP port 443). For remote administration and content updates, use a remote login and file copy program with good encryption, such as ssh.

Third, install packet filtering.

Packet filtering comes with recent Linux releases, and is available for most other OSes.
IPFilter (http://coombs.anu.edu.au/~avalon/ip-filter.html) works with most versions of Unix.

Packet filtering gives you two benefits.

First, it allows you to once again block off everything that doesn't need to be remotely accessible; this provides a second line of defense, in case any of the services you disabled should be inadvertently re-enabled.

And second, it allows a machine to provide fine control over access to services. For example, a web server may need to run, or to access, a database server. That database server should not be accessible by random strangers over the Internet, but it needs to be accessible to the web server.

This sort of control can be enforced by packet filtering.
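As an added example (not part of the guide quoted above), the POSIX shell audit below applies the post's first two steps: it takes `netstat -tln` output, keeps only listening TCP sockets and reports every port that is not in the http/https/ssh allowlist; the netstat sample is constructed here so the script runs offline.

```shell
#!/bin/sh
# Audit a web server's listening TCP ports against an allowlist.
# The allowlist follows the post: http (80), https (443) and ssh (22).
ALLOWED_PORTS="80 443 22"

# Constructed sample in the format of `netstat -tln` on Linux (not captured
# from a real host). 3306 (database) and 111 (portmapper) are the surprises.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN'

# Read netstat output on stdin; print "port local-address" for each socket
# in LISTEN state. The port is the text after the last ':' so that IPv6
# addresses such as ":::111" are handled as well as "0.0.0.0:80".
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n], $4 }'
}

# Read netstat output on stdin; print one line per listener whose port is
# not in ALLOWED_PORTS. A loopback-only listener is tagged "loopback" (not
# reachable remotely, but still a candidate for disabling and for the packet
# filter the post recommends as a second line of defence); anything bound
# to a routable address is tagged "exposed".
unexpected_listeners() {
    listening_ports | while read -r port addr; do
        case " $ALLOWED_PORTS " in
            *" $port "*) continue ;;
        esac
        case "$addr" in
            127.*|::1:*) echo "$port loopback" ;;
            *)           echo "$port exposed" ;;
        esac
    done
}

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
}

audit_sample
```

On a real host run `netstat -tln | unexpected_listeners` instead of `audit_sample`; an empty result means every listener is on the allowlist.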

03-29-2007, 05:42 AM
Computer & Internet Security News
29 March 2007
Phishing threats triple (http://www.techworld.com/security/news/index.cfm?newsID=8402)
By Gregg Keizer, Computerworld

Online identity theft threats tripled in the first two months of 2007 as attackers shifted to simpler, more effective tactics, according to Cyveillance. The risk monitoring company compiled data from its internet sweeps to report that the average daily count of URLs hosting malicious downloads climbed to 60,000 in February, 200 percent over the December 2006 figure. A single-day spike mid-month came close to 140,000 such sites.

"The traditional phishing technique is being replaced by putting a URL in the email," said Manoj Srivastava, Cyveillance's CTO. "The trend now is to use the browser as the attack vector."

Phishing attacks have shifted from the usual emails that try to con users into visiting reproductions of legitimate pages, then duping them into entering their personal information. Instead, thieves simply stick a link in an email message and count on users' gullibility.

"It works," Todd Bransford, vice president of marketing for Cyveillance, said when asked what might be behind the rise. "It's proved to be a highly effective way of taking control of someone's PC."

Malicious sites typically exploit browser vulnerabilities to conduct "drive-by" downloads, installing bot Trojans that let a hacker control the machine or password-stealing keyloggers on compromised systems.

Srivastava speculated that another reason for the rapid rise in malicious sites is, ironically, the effectiveness of anti-phishing software. "The phishing detection business has gotten good - ours included - and [so] it's far easier to detect conventional phishing techniques" than to gauge the potential for harm from a web site.

The quick climb might also be a result of the increasing ease with which identity thefts are crafted. "[Phishing] kits have become common. It's so simple to launch attacks now that there's something of a geometric progression going on with the numbers," said Srivastava. "The economics and risks involved being what they are, more people are learning about identity theft and how to make money from it. This looks like an inflection point."

Cyveillance also uncovered hundreds of thousands of credit and debit card account numbers in its sweeps of IRC channels and server logs of botnet operators. In the first two months of the year, the company's monitors found more than 320,000 credit and debit card numbers, more than 1.4 million potential Social Security numbers and approximately 1.3 million account log-on credentials.

"We're pretty solid on those numbers," said Srivastava. Although the Social Security numbers were not actually verified, he said, they match the nine-digit criteria and the algorithm used to construct the numerical strings.

03-29-2007, 12:24 PM
Jürgen Schmidt, The hole trick - How Skype gets round firewalls, Heise Security (http://www.heise-security.co.uk)

Peer-to-peer software applications are a network administrator's nightmare. In order to be able to exchange packets with their counterpart as directly as possible they use subtle tricks to punch holes in firewalls, which shouldn't actually be letting in packets from the outside world . . . . . Network administrators who do not appreciate this sort of hole in their firewall and are worried about abuse are left with only one option - they have to block outgoing UDP traffic, or limit it to essential individual cases. UDP is not required for normal internet communication anyway - the web, e-mail and suchlike all use TCP. Streaming protocols may, however, encounter problems, as they often use UDP because of the reduced overhead. Astonishingly, hole punching also works with TCP. After an outgoing SYN packet the firewall / NAT router will forward incoming packets with suitable IP addresses and ports to the LAN even if they fail to confirm, or confirm the wrong sequence number.
http://www.heise-security.co.uk/articles/8248

04-06-2007, 08:10 AM
Google Desktop for Mac (http://desktop.google.com/mac/) is out.

Install it? Maybe not. (http://ansemond.com/blog/?p=78)

"Google Desktop (http://desktop.google.com/mac/) on the Mac silently installs an Input Manager (http://ansemond.com/blog/?p=78) whose function appears to be to load bundles of code into applications targeted by Google. The Input Manager is installed in a location where it will be loaded into every application run by any user of the Mac. The fact that it loads other code on demand is worrying as it could be used for malicious purposes. Moreover, it is odd that Google installs this software without requesting the user's permission given the recent controversy (http://daringfireball.net/2006/01/smart_crash_reports) on this very topic. Hopefully Google will fix the issues outlined in the article in upcoming revisions of their software."

Daring Fireball:
Guide to What Gets Installed by the Google Desktop Installer

that means the only apps that are targeted by these “mods” are Safari and Camino. I don’t know what they’re supposed to do; none of the Google Desktop documentation seems to say. The gist seems to be GoogleModLoader is more or less like SIMBL — a meta-hack framework for input manager patches that ostensibly target specific applications.
/Library/Google/Google Desktop/ — This is where the index files are stored. On my test system, they’re about 60 MB for a system with about 70 GB of data on disk.
/Library/LaunchDaemons/ — Two files for launchd (http://developer.apple.com/macosx/launchd.html) here: com.google.Desktop.Daemon.plist and com.google.Desktop.StatsUploader.plist
/Library/PreferencePanes/ — GoogleDesktop.prefpane is the System Prefs panel that lets you configure the options for Google Desktop.
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/Spotlight/ — This one is baffling to me. My understanding is that it's a major no-no for third-party software to install anything in the /System/Library/ hierarchy other than kernel extensions. Google creates this "Spotlight" folder, which contains a binary file named "mdimport". I presume this is how Google Desktop piggybacks on Spotlight for file system notifications using the same exclusion rules as Spotlight.

05-09-2007, 10:20 AM
Securing Mac OS X Guide.

White Paper update is here for Tiger:

06-14-2007, 07:49 AM
New type of image spam hides in e-mail wallpaper

Pump-and-dump scammers behind innovation; malware attacks could be on the way

By Jon Brodkin (http://www.networkworld.com/Home/jbrodkin.html), Network World, 06/13/07
A new type of image spam (http://www.networkworld.com/news/2006/110806-image-spam.html?t5) found this week is able to bypass many filters by presenting a message as wallpaper (http://www.networkworld.com/topics/messaging.html) within an e-mail, according to the vendor Secure Computing.

Image spam uses text embedded in an image to foil traditional spam filters (http://www.networkworld.com/topics/spam.html) that catch spam by scanning messages for key words and by using other text-based techniques.
Normal image spam is delivered as an attachment or loaded into an e-mail via a URL, says Paul Henry, vice president of strategic accounts for Secure Computing (http://www.networkworld.com/news/2007/051507-secure-computing-email-scores.html).

But a new type of image spam Secure Computing found this week takes advantage of e-mail stationery, which consists of an HTML template. When used legitimately, the template might contain a company’s logo and the sender’s name and contact information, just like a piece of letterhead paper.

Many antispam programs are trained to ignore these backgrounds, or wallpaper, because they are often used to send real e-mails, according to Secure Computing. The new spam e-mail, which promotes a pump-and-dump stock scam, puts the text within one of these stationery backgrounds, the vendor says.

06-19-2007, 05:11 AM
New Web Exploit at 10,000 Machines and Growing, Security Company Warns

By Ryan Singel June 18, 2007 | 1:54:50 PM
Categories: Hacks and Cracks

More than 10,000 web sites have been infected with a malicious script that redirects visitors to a site installing malware through unpatched browsers, and the number is likely to rise as only 1,100 were infected on Friday, according to Trend Micro, which describes the infestation as the largest attack attributable to a single Trojan downloader.

The attack started in Italy and largely targets little used web pages whose security is likely lax. The sites are hacked to include a malicious IFRAME tag, which redirects visitors through a computer in San Francisco, to one in Chicago, which attempts to install various forms of malware, including keyloggers, according to Trend Micro.

Users should make sure their systems and browsers are fully patched, according to Trend Micro network architect Paul Ferguson, though he said the old advice of avoiding untrustworthy corners of the internet seems not to be holding anymore.

"Now almost every time you fire up your web browser, you are going in the bad part of town," Ferguson told THREAT LEVEL.

The attack is the largest Trend Micro has ever seen of its type, but the company expects to see more of these in the future.

As for cleaning up the mess, Trend Micro is looking to shut down the sites that users are being re-directed to, but suspects that the hackers will just find a new target server and update the redirecting address on the compromised boxes.

"We have thousands of pages serving this malicious redirect and it's hard to identify and contact all these websites," Ferguson said. "It's getting to the point we are going to have to blacklist half of the internet."

Security Fix's Brian Krebs has more on MPack, the exploit toolkit being used in this attack, which targets multiple vulnerabilities in software including Internet Explorer, QuickTime, Firefox and Opera.

Symantec Security Response Weblog: How MPack behaves (http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html)

06-21-2007, 06:04 AM
Apple Shuts Down IPv6 Security Hole

Apple has slammed the door shut on denial-of-service attacks and a security bypass that Type 0 routing headers in IPv6 let in. The company on June 20 put out an update, Mac OS X 10.4.10, that addresses the problem by disabling support for the headers.

This vulnerability has been left wide open in IPv6 even though it was well-known and shut down in IPv4; by default, all routing engines now turn it off.
This particular type of packet header can be used to crazily bounce network packets back and forth between hops on their route, clogging up bandwidth and potentially causing a DoS.

Back in April, two researchers, EADS Corporate Research Center research engineers Philippe Biondi and Arnaud Ebalard, showed that when you can specify where your nodes route packets, you can create a loop—for example, from hop A to hop B to hop A to hop B—that exponentially jacks up Internet traffic, thus causing a DDoS (distributed DoS).

The ability of users to route their own packets—a procedure optimized automatically in today's IPv4 Internet—allows not only DDoS attacks, but also the ability to bypass security. Researchers say the vulnerability is easy to fix with RH-sensitive filters.

At the time of the CanSecWest demonstration, Bob Hinden, chairman of the IPv6 working group at Internet Engineering Task Force, told eWEEK that the group wasn't seeing this "ingenious" exploit in the wild.

Still, nobody was losing time in fixing it, he said. "The implementer community is rapidly enabling fixes, and the standards body is rapidly trying to change it so it can't be used in a bad way," Hinden said at the time.

Apple said in its security advisory that the issue doesn't affect systems prior to Mac OS X 10.4.

The update is available for Mac OS X 10.4 through Mac OS X 10.4.9 and Mac OS X Server 10.4 through Mac OS X Server 10.4.9. It can be obtained from Mac OS X's Software Update pane under System Preferences or via Apple's Software Downloads site.
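The "RH-sensitive filter" the researchers recommend comes down to parsing the IPv6 extension-header chain and refusing Type 0 routing headers. As an added example that is neither Apple's code nor the researchers', this Python snippet walks that chain and applies the rule later codified in RFC 5095: drop an RH0 whose Segments Left is non-zero, pass one whose Segments Left is 0. The packet builder and the addresses are constructed for the demonstration.

```python
import struct
import ipaddress

IPV6_HDR_LEN = 40
NH_HOPBYHOP, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS, NH_NONE = 0, 43, 44, 51, 60, 59
EXTENSION_HEADERS = {NH_HOPBYHOP, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS}


def walk_extension_headers(pkt):
    """Yield (header_value, offset, length) for each IPv6 extension header in order."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    next_hdr, off = pkt[6], IPV6_HDR_LEN
    while next_hdr in EXTENSION_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if next_hdr == NH_FRAGMENT:
            length = 8                          # fixed size, no length field
        elif next_hdr == NH_AH:
            length = (pkt[off + 1] + 2) * 4     # AH length is in 32-bit words minus 2
        else:
            length = (pkt[off + 1] + 1) * 8     # 8-octet units, not counting the first
        if off + length > len(pkt):
            raise ValueError("extension header runs past end of packet")
        yield next_hdr, off, length
        next_hdr, off = pkt[off], off + length


def inspect_rh0(pkt):
    """Describe the first Type 0 routing header, if any, and say whether to drop it.

    Rule (later codified in RFC 5095): an RH0 with Segments Left == 0 is inert and
    may pass; with Segments Left > 0 the packet should be discarded.
    """
    for hdr, off, length in walk_extension_headers(pkt):
        if hdr != NH_ROUTING or pkt[off + 2] != 0:   # byte 2 of a routing header is its type
            continue
        segments_left = pkt[off + 3]
        # After the 8-byte routing header comes the list of 16-byte hop addresses.
        hops = [str(ipaddress.IPv6Address(pkt[off + 8 + 16 * i: off + 24 + 16 * i]))
                for i in range((length - 8) // 16)]
        return {"found": True, "segments_left": segments_left,
                "hops": hops, "drop": segments_left > 0}
    return {"found": False, "segments_left": 0, "hops": [], "drop": False}


def build_sample_packet(src, dst, hops=(), segments_left=0):
    """Constructed test packet: IPv6 header, then an RH0 listing `hops` if any are given."""
    payload, next_hdr = b"", NH_NONE
    if hops:
        # Next header, Hdr Ext Len (2 units per 16-byte address), Type 0, Segments Left, 4 reserved.
        rh = struct.pack("!BBBB4x", NH_NONE, 2 * len(hops), 0, segments_left)
        rh += b"".join(ipaddress.IPv6Address(h).packed for h in hops)
        payload, next_hdr = rh, NH_ROUTING
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + payload


if __name__ == "__main__":
    # The A -> B -> A -> B bounce from the article, expressed as an RH0 hop list (constructed).
    pkt = build_sample_packet("2001:db8::10", "2001:db8::20",
                              hops=("2001:db8::a", "2001:db8::b", "2001:db8::a", "2001:db8::b"),
                              segments_left=4)
    print(inspect_rh0(pkt))
```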

06-27-2007, 10:39 AM
Security appliance:

Yoggie Gatekeeper Personal

Yoggie Security Systems has squeezed a hardware firewall for Windows into a USB key sized form-factor. The "Yoggie Pico" runs Linux 2.6 along with 13 security applications on a 520MHz PXA270, a powerful Intel processor popular in smartphones and high-end consumer devices.

How does it work?

The original Gatekeeper sported a pair of RJ-45 jacks that allowed it to be connected in-line between the network and a PC running any OS, similar to traditional hardware firewalls. Alternatively, it could be connected via its full-speed (12Mbps) USB port, and used in conjunction with low-level Windows drivers that "hi-jack traffic at layers 2-3, below the TCP/IP stack, and route it to USB," Touboul explained.

Drivers for Linux and MacOS X are planned, he confirmed.

Stack components, according to Touboul, include:
Parent control system
Transparent email proxies (POP3; SMTP)
Transparent web proxies (HTTP; FTP)
Intrusion detection system
Intrusion prevention system
Adaptive security policy
Multi-layer security agent (Patent pending)
"Layer-8" security engine (Patent pending)

Gatekeeper will run applications including the following:

Stateful inspection firewall
VPN client
Intrusion detection and prevention
Four transparent proxies: HTTP, FTP, POP3 (Pro model only), and SMTP (Pro model only)
Antivirus, antispyware, antispam (Pro model only), antiphishing (Pro model only)
Yoggie "Layer 8" security engine (patent pending)
Yoggie multilayer security agent
Content filtering
White and black lists
Yoggie health monitoring
Web management and monitoring said to provide "real time, constant, consistent and un-paralleled visibility into distributed laptop platforms, regardless of location"


The Yoggie Pico will ship the first week of June, priced at $180 with a year's subscription to updates, according to the company. Subscriptions will cost $30/year thereafter. Distribution channels are being finalized, but will include big-box retailers like CompUSA and Fry's (Outpost.com), Touboul said. Dexxon Digital Storage, Inc. (DDSI) will handle distribution in North America.

Also available for $200 will be a "Pro" version targeting the enterprise market. It adds VPN features, and is designed to fetch firewall updates from a local enterprise server rather than Yoggie's central servers.


Windows Firewall Squeezes into USB Key

Linux-powered PCI card guards PCs from friendly fire, Windows worms


06-29-2007, 09:53 AM
Security experts warn on 'hydra' attack
Computerworld (http://www.techworld.com/security/news/index.cfm?newsID=9335&pagtype=all)

A new round of greeting card spam that draws users to attack sites relies on a sophisticated multi-pronged, multi-exploit strike force to infect machines, according to security professionals.

Captured samples of the spam have all borne the same subject line, "You've received a postcard from a family member!", and contain links to a malicious website, where JavaScript determines whether the victim's browser has scripting enabled or turned off.

"If JavaScript is disabled, then they provide you a handy link to click on to exploit yourself," said a SANS Institute Internet Storm Center (ISC) alert. Some users turn off scripting because it is a frequent attack vector; browsers with JavaScript enabled are simply fed a two-part package of downloader and malware.

The quick browser status exam in this attack is somewhat similar to one used in a different exploit tracked by Symantec since Tuesday, but the two are not connected, said Oliver Friedrichs, director of Symantec's security response group. "They're using two different toolkits," said Friedrichs, "but they're both prime examples that exploits against browsers are more and more prevalent."

Thursday's greeting card gambit tries a trio of exploits, moving on to the second if the machine is not vulnerable to the first, then on to the third if necessary.

The first is an exploit against a QuickTime vulnerability, the second an attack on the popular WinZip compression utility and the third, dubbed "the Hail Mary" by ISC, is an exploit for the WebViewFolderIcon vulnerability in Windows that Microsoft patched last October.

ISC said several anti-virus vendors had tentatively pegged the executable malware - the file offered to users whose browsers have JavaScript disabled - as a variation of the Storm Trojan, an aggressive piece of malware that has been hijacking computers to serve as attacker bots since early this year. According to ISC's warning, computers already compromised by Storm - aka Peacom - are hosting the malware, and the attackers are rotating those machines' IP addresses in the spam they're sending.

"Every Storm-infected system is potentially capable of hosting the malware and sending the spam, but only a few will be used in any given run," said the alert, "depending on how many emails they want sent and how many web hits they're expecting."

Hackers haven't abandoned the practice of attaching malware to email, then counting on naive users to open the file, said Friedrichs. But malware hosting sites are the trend.

"It's much more difficult to send a full malicious file," he said, because of users' learned reluctance to open suspicious files and filtering and blocking tactics by security software.

"This is widespread, and leads the user to multiple IP addresses," said Shimon Gruper, vice president with Aladdin Knowledge Systems Inc., a security company known for its eSafe anti-virus software.

"There's not a single server, there are multiple exploits [and the email] has no attachments. This will be very difficult to detect."

Two days ago, a Symantec honeypot captured a similar website-hosted attack that had an arsenal of multiple exploits at its disposal. That attack, however, featured an unusual, if rudimentary, browser detector that sniffed out whether the target computer is running IE or Firefox. If the attack detects IE, it feeds the machine a Windows animated cursor exploit. If it finds Firefox, however, the site spits out a QuickTime exploit.

06-29-2007, 10:15 AM
MySpace hit by new phishing attack (http://www.techworld.com/security/news/index.cfm?newsID=9337&pagtype=all)

Phishers have been using compromised MySpace accounts to attack web surfers.

Two components comprise the attack. It attempts to install malicious botnet software on victims' computers, and it also uses these infected computers to try to steal MySpace credentials in a phishing attack.

Computers that are compromised by the attack become infected with malicious botnet software known as "flux bot," which makes them unwitting participants in the phishing scam. After the malicious Web site attempts to install the flux bot code, it then presents victims with a fake MySpace.com log-in page, which tries to extract their MySpace.com user name and password.

07-17-2007, 06:27 AM
Photoshop CS2 and CS3 updates to address security vulnerabilities
Release date: July 10, 2007
Vulnerability identifier: APSB07-13
CVE number: CVE-2007-2244, CVE-2007-2365
Platform: All Platforms
Affected software versions: Photoshop CS2 and Photoshop CS3

Critical vulnerabilities have been identified in Photoshop CS2 and CS3 that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious BMP, DIB, RLE, or PNG must be opened in Photoshop by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update their installations with the patches provided below, and Adobe encourages all customers to be cautious before opening any unknown file, regardless of which application they may be using.

Also, Flash has some issues that can be corrected by installing the new Flash Player version:

07-23-2007, 01:53 PM
The iPhone’s biggest security pitfall: All applications run as root (http://www.iphoneatlas.com/2007/07/23/the-iphones-biggest-security-pitfall-all-applications-run-as-root/)

Posted 23 July 2007 @ 10am (http://www.iphoneatlas.com/2007/07/23/the-iphones-biggest-security-pitfall-all-applications-run-as-root/) in Security (http://www.iphoneatlas.com/category/security/)
A few weeks ago, Rixstep (http://rixstep.com/1/1/20070701,00.shtml) posted a piece titled simply “Effective UID: 0,” expressing concern that the iPhone runs most (all?) of its applications/processes as root (superuser, UID 0), a fact revealed by iPhone crash reports (see this article (http://www.iphoneatlas.com/2007/07/20/special-report-troubleshooting-iphone-application-crashes/) on deciphering them). This means that they enjoy full system rights — a huge concern with regard to security, since any compromised application has the highest possible privilege level.

07-25-2007, 06:56 AM
BIND 9, or Berkeley Internet Name Domain 9, is among the most widely used software packages used on DNS (Domain Name System) servers. When a user types a Web address into a browser, the request goes to a DNS server, which finds the corresponding numerical IP (Internet protocol) address and locates the Web site.

For security purposes, when a browser queries a DNS server, a random 16-bit transaction ID is used to verify the response from the server. However, according to Amit Klein, chief technology officer at security vendor Trusteer Ltd., the transaction ID is not random at all.

"On the contrary, this transaction ID is very predictable," he wrote in a paper describing the problem this week.

The vulnerability in BIND 9 could allow an attacker to force the DNS server to return an incorrect Web site to a user, a trick known as DNS cache poisoning, or pharming. The problem exists in all BIND 9 releases when the software is being used in a caching server configuration, Klein wrote.

Other security watchers confirmed the problem. "This is very much a feasible attack," wrote Johannes Ullrich, chief technical officer of the SANS Internet Storm Center. "Best to patch your BIND server soon."

ISC advised users to install an upgrade for BIND 9 (http://www.isc.org/index.pl?/sw/bind/bind-security.php) from its Web site.

The problem is particularly worrisome since desktop security software is not effective at preventing this style of attack, Klein wrote. The attack does not directly involve a user's computer or the DNS server, but rather data that is cached on the server.

NetworkWorld (http://www.networkworld.com/news/2007/072507-users-urged-to-patch-serious.html)
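The 16-bit transaction ID the post describes is the main thing a caching resolver uses to match a response to its query, so a defender's first check after patching is whether the IDs the resolver actually emits look random. As an added example (not from the article, Klein's paper or ISC), this Python snippet pulls TXIDs out of captured DNS messages and applies a crude predictability test; the DNS queries and the ID sequences are constructed.

```python
import math
import random
import struct
from collections import Counter


def extract_txids(dns_messages):
    """The transaction ID is the first 16-bit big-endian field of every DNS message."""
    ids = []
    for msg in dns_messages:
        if len(msg) < 12:
            raise ValueError("DNS header is 12 bytes; got a truncated message")
        ids.append(struct.unpack("!H", msg[:2])[0])
    return ids


def assess_txids(ids, min_bits=8.0, max_repeat_fraction=0.2):
    """Rough predictability check on a sequence of 16-bit TXIDs.

    Looks at the differences between consecutive IDs (mod 2**16): a fixed
    increment, or a tiny set of increments, is the most common sign of a weak
    generator. Returns the statistics together with a 'weak' verdict.
    """
    if len(ids) < 32:
        raise ValueError("need at least 32 IDs for a meaningful verdict")
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    counts = Counter(deltas)
    n = len(deltas)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    top_delta, top_count = counts.most_common(1)[0]
    repeat_fraction = top_count / n
    return {
        "samples": len(ids),
        "delta_entropy_bits": round(entropy, 2),
        "most_common_delta": top_delta,
        "repeat_fraction": round(repeat_fraction, 3),
        "duplicates": len(ids) - len(set(ids)),
        "weak": entropy < min_bits or repeat_fraction > max_repeat_fraction,
    }


def fake_dns_query(txid, qname=b"example.com"):
    """Constructed minimal DNS query (header + one A question) standing in for a capture."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part for part in qname.split(b"."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def sequential_ids(n, start=0x1234, step=1):
    """Constructed sample of the worst case: a counter."""
    return [(start + i * step) & 0xFFFF for i in range(n)]


def seeded_random_ids(n, seed=7):
    """Constructed sample of uniformly distributed IDs (seeded so runs are repeatable)."""
    rng = random.Random(seed)
    return [rng.getrandbits(16) for _ in range(n)]


if __name__ == "__main__":
    captured = [fake_dns_query(t) for t in sequential_ids(200, step=3)]
    print("counter   :", assess_txids(extract_txids(captured)))
    print("uniform   :", assess_txids(seeded_random_ids(2000)))
```

A fixed increment is caught immediately, but a generator can pass this test and still be computable from a handful of prior outputs, which is the class of weakness Klein described, so treat a pass as a sanity check rather than proof of strength.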

07-27-2007, 12:01 PM
The addition of an exploit to the Metasploit hacking framework has boosted the threat posed by an unpatched bug in Samba, the open-source file- and print-sharing software included with the Apple operating system.

Although the vulnerability was disclosed May 14 and patched that same day by the Samba community, Apple has not updated Mac OS X with a fix.

"Samba is used in virtually every mixed environment where there are Macs and PCs, and the threat profile is much higher now that an exploit has been added to Metasploit."

Apple has not updated Samba within Mac OS X since March 2005. Samba, which is also used by most Linux distributions for file and print sharing with Windows systems, is turned on in Mac OS X when users activate the Windows Sharing feature.

08-03-2007, 07:30 AM
Researchers warn that rootkits aren't the only threat
Other stealth techniques are equally effective -- and more imminent

Rootkits may be getting most of the attention within the security community. But it's important not to overlook other, equally effective antiforensic techniques that malware writers have at their disposal for hiding their code from detection, according to a security researcher at the Black Hat 2007 conference.

Process injection
The technique involves the injection of malicious code into another legitimate running process on an end user's system.

The technique can be used to bypass firewalls on client devices and other security defenses, because the process that has been injected with the malicious code would appear largely normal, he said.

Similarly, "a cleverly named process is often enough to fly beneath the radar and avoid immediate detection."

The idea is to inject a malicious process in a system and hide its presence by using slight variations on commonly running processes; the Svchost.exe and spoolsv.exe processes make the best targets because there are usually several of them running in memory.

"One more will often go unnoticed."

Execute malicious code directly from memory
Doing this greatly enhances its stealth because it means the code never has to reside on the hard drive where it might be detected, Harbour said.

The first exploit involved launching a process in a suspended state and then overwriting it with malicious code.

An attacker could launch notepad.exe in a suspended state and then overwrite it with sol.exe, causing a game of Solitaire to be presented to the user even though views in the task bar would make it appear that notepad was running, he said.

Such techniques are simpler to use and more commonly available than rootkits and therefore present a more imminent threat to companies.
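To turn the "cleverly named process" trick into something defenders can look for, here is an added Python example (not from the Black Hat talk) that scans a process snapshot for the two names the article singles out: near-miss spellings of svchost.exe and spoolsv.exe, and genuine names running from the wrong directory or started by the wrong parent. The process list, the paths and the System32/services.exe expectations are constructed assumptions for an XP-era host.

```python
import ntpath
from difflib import SequenceMatcher
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    name: str
    path: str
    parent: str


# Where the article's two favourite hiding places legitimately live and which
# process starts them (assumption: XP/2003-style layout; adjust for other builds).
EXPECTED = {
    "svchost.exe": {"dir": r"c:\windows\system32", "parents": {"services.exe"}},
    "spoolsv.exe": {"dir": r"c:\windows\system32", "parents": {"services.exe"}},
}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})   # digits that pass for letters in a task list


def _normalise(name):
    return name.lower().translate(HOMOGLYPHS)


def classify(proc):
    """Return the reasons a process looks like an impostor (empty list = nothing odd)."""
    reasons = []
    name = proc.name.lower()
    for legit, expect in EXPECTED.items():
        if name == legit:
            # Right name: still check it runs from the right place and has the right parent.
            if ntpath.dirname(proc.path.lower()) != expect["dir"]:
                reasons.append(f"{legit} (pid {proc.pid}) runs from unexpected path {proc.path}")
            if proc.parent.lower() not in expect["parents"]:
                reasons.append(f"{legit} (pid {proc.pid}) started by {proc.parent}, not services.exe")
        elif _normalise(name) == legit or SequenceMatcher(None, name, legit).ratio() >= 0.85:
            # Wrong name that is one homoglyph or a transposition away from the real one.
            reasons.append(f"{proc.name} (pid {proc.pid}) is a lookalike of {legit}")
    return reasons


def scan(procs):
    """Map pid -> reasons for every process that trips at least one check."""
    findings = {}
    for proc in procs:
        reasons = classify(proc)
        if reasons:
            findings[proc.pid] = reasons
    return findings


# Constructed process snapshot: three legitimate entries and three impostors.
SAMPLE = [
    Proc(4, "System", "", ""),
    Proc(600, "services.exe", r"C:\WINDOWS\system32\services.exe", "winlogon.exe"),
    Proc(820, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "services.exe"),
    Proc(1040, "spoolsv.exe", r"C:\WINDOWS\system32\spoolsv.exe", "services.exe"),
    Proc(1700, "svch0st.exe", r"C:\WINDOWS\system32\svch0st.exe", "explorer.exe"),
    Proc(1812, "svchost.exe", r"C:\Documents and Settings\bob\svchost.exe", "explorer.exe"),
    Proc(1900, "scvhost.exe", r"C:\WINDOWS\scvhost.exe", "services.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        for reason in reasons:
            print(f"[{pid}] {reason}")
```

On a live host the snapshot would come from `tasklist` or WMI's Win32_Process (name, executable path, parent PID), which is an assumption about tooling rather than part of the talk.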

08-09-2007, 02:27 PM
Even the hackers are nervous
By John Borland, August 09, 2007 | 2:53:22 PM
Categories: CCC

The people who know best say it's not safe out there on the Internet.

In a series of talks at the Chaos Communication Camp here in Germany today, researchers and virus experts outlined the recent growth in the numbers of viruses and Trojans (up 34 percent since the same time last year), the evolving sophistication of attacks, and – perhaps most strikingly – the increasing professionalism of the malware business.
. . . . .
Most antivirus firms rush products out on tight deadlines, without the extremely sensitive debugging process that such critical software ought to have, he argued. That left virtually all security software open to attacks that take advantage of those bugs, opening a painful paradox for systems administrators.

Indeed, even while filing this piece, my antivirus software has notified me of a buffer overflow attack on my computer, something I'd never seen before yesterday. More pop up every time I go online here, following a brush with a Deep Throat Trojan shortly after getting on the network here yesterday.

08-17-2007, 07:26 AM
August 17, 2007 (Computerworld) (http://www.computerworld.com/) -- A security researcher at SecureWorks Inc. (http://www.computerworld.com/action/inform.do?command=search&searchTerms=SecureWorks+Inc.) has uncovered a cache of financial and personal data that was stolen from about 46,000 individuals by a variant of Prg, a Trojan program gaining notoriety for its quick-change behaviors.

The stolen data includes bank and credit card account information and Social Security numbers as well as usernames and passwords for online accounts. Many of the victims were infected and reinfected as they visited several leading online job search sites, including the popular Monster.com.

Don Jackson, the SecureWorks researcher who found the collection, said it was the largest single cache of data he discovered from the Prg Trojan, a piece of malware first seen in the wild in June.

That server is one of 20 similar servers worldwide that are collecting and storing data stolen by Prg. Twelve of those servers -- including the one with the large data cache -- are being managed by a single hacking group known for naming their attacks after car manufacturers such as Bugatti, Ford and Mercedes, Jackson said.

A user clicking on one of the malicious ads is taken to an exploit page that "fingerprints" the user's browser and then serves up between one and four exploits designed to infect the user's system with the Trojan. From that point on, all information the user enters into the browser is captured and sent off to the hacking group's servers, Jackson said.

A number of Prg variants are known to operate in part by opening up Port 6081 on victims' computers and listening for connections there. Some experts suggest that concerned parties looking to cut Prg off at the knees might start by blocking inbound and outbound traffic on 6081 (http://www.computerworld.com.au/index.php/id;1785855381;fp;2;fpid;1).

"This Trojan (PRG) is a very good example of a man-in-the-middle attack, as it is designed to intercept requests to encrypted web sites, and SSL encryption offers no protection for the machine, as in SSL transactions the encryption occurs between the machines transporting data but not the end node," Biviano said.

"Wnspoem and the PRG Trojan were all based on this construction kit which enables people to define the properties of the Trojan, how it infects and even what it does."

"It is really taking the tricks learnt in the past and applying them to modern day motives". According to ISS, the construction kit is readily available online and is designed for rapid deployment of new Trojan variants using a variety of different packaging schemas.

"The PRG Trojan itself seems to have the ability to sort through files, sniff data out of HTTP/HTTPS headers (logins, etc.) as opposed to actually keylogging, so it can detect 'virtual keyboard' inputs, pasted text etc.," an ISS spokesperson said.

An organization can block port 6081 activity by using strict firewall rules as well as ingress and egress filtering.

09-23-2007, 02:10 PM
Why I am concerned about security, firewalls, etc.

I saw one "drive by download" even as I was using OS X and a web site triggered an .exe file to my hard drive.
Getting one pop-up I don't want is one too many.
I was prompted at one site for an "enter userid and pswd" that didn't look normal or exactly right.
Identity theft can take years out of a person's life, and their bank account.
I found Little Snitch 'interesting' but not as well designed as Intego NetBarrier or AVG firewall. I read security news every AM, and have for the last 25+ yrs. And I have talked to some of the early AV writers for Mac back in the late '80s. But I come from a more IT-type background, probably, than you.

As a moderator on a web site, sometimes I want to check a site, and I don't want to be as vulnerable with 'just' the bare minimum.

The next stage (in malware) seems to be using the built-in virtualization enabled in today's CPUs (like Intel Penryn) to create and run in a VM. The code never goes out of memory and out to disk. And VMware's server versions are vulnerable.

No, you can't "win", and AV or anything that is 'reactive' rather than pro-active isn't fool-proof. Heuristics are better.