Mac Security; Anonymity with Tor; Web Vandals v. Phishers; Paypal Phish Conditioning

Published: 2005-05-22
Last Updated: 2005-05-22 22:56:22 UTC
by Cory Altheide (Version: 1)

OS X Update, Mac Security



Apple's was released earlier last week. Among other things, this update fixes the oft-reported security issue surrounding the auto-install of widgets. I am of the opinion that the bulk of this vulnerability lies with the default configuration of Safari, which auto-runs "safe" file types once they are downloaded.



If you are running a Mac, go turn this off. Right now. (Safari -> Preferences -> General) I'll wait.



While I'm beating the drum of Mac security, let me point you to some other good sources of Mac-sec information. First and foremost, we've got the extremely detailed
for OS X. After following this guide, your Mac should be reasonably secured against threats internal and external, foreign and domestic. The NSA guide is geared towards Panther, but most of the document should still apply to Tiger.



Enabling
is covered in the NSA guide, but I think it deserves special mention, since in Tiger it is now actually useful, thanks to Tiger fixing the . Prior to this, an adversary with physical access to your Mac had a decent possibility of recovering your login password (which is used to unlock the encrypted FileVault volume) from swap. Since on-disk encryption is designed to protect sensitive data from adversaries with physical access, this meant that FileVault was more of a "disk access governor" than a security measure. Thankfully, this is no longer the case, so you can rest easy the next time you lose your $3000 PowerBook. While you're out 3K, at least your data is safe.



On non-server versions of OS X, the GUI firewall configuration utility leaves quite a bit to be desired. The GUI is really just a simplistic frontend to
. There is a pretty good Mac-oriented overview of ipfw .

I'm not certain if this issue has been or can be fixed by Tiger as I'm on my Panther machine right now, but there is a long-standing problem in the OS X world related to
. These holes are usually opened up by third party application installers, and allow simple malcode like the to elevate privilege on the system. Periodically checking your system for directories with vulnerable permissions is recommended.
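Here is one way to do that periodic check from the shell. This is an added example, not a script from the diary or from Apple: it lists directories under the roots you name that any local user can write to, and separates out the ones with the sticky bit set (like /tmp), which are world-writable by design and not usually a problem. The paths in the comment are the usual places third-party installers touch and are assumptions about your layout.

```shell
#!/bin/sh
# Audit for world-writable directories left behind by installers.
# Added example, not part of the original diary. Assumes a POSIX find
# that understands -perm -0002 (other-write) and -perm -1000 (sticky).

# Directories that are world-writable and NOT sticky: any local user or
# unprivileged process can drop or replace files here. These are the
# ones worth investigating and tightening (e.g. chmod o-w).
world_writable_dirs() {
    find "$@" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Directories that are world-writable but sticky: users may create files
# but can only remove their own. Expected for /tmp; listed for review.
sticky_world_writable_dirs() {
    find "$@" -type d -perm -0002 -perm -1000 2>/dev/null | sort
}

# Run directly with the roots to scan, for example (paths are assumptions):
#   sh ww-audit.sh /Applications /Library /usr/local
if [ "$#" -gt 0 ]; then
    echo "== world-writable, no sticky bit (investigate) =="
    world_writable_dirs "$@"
    echo "== world-writable with sticky bit (expected for /tmp) =="
    sticky_world_writable_dirs "$@"
fi
```

Run it as an admin user so find can descend into everything; errors from directories it cannot read are suppressed, so a scan of the whole disk will be quiet but may miss paths you lack permission to traverse. Cron it weekly and diff the output against the previous run to catch new holes opened by a fresh install.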



For Mac security news and links, one of my favorite sites is
. It's the antithesis of an Apple site - no flash, no glitz, just info and links - which is why I think I enjoy it so much. There are a couple of books on the subject as well, if you prefer dead-tree media: Mac OS X Security and Maximum Mac OS Security. Mac OS X Security is a good read, and covers a lot of what I've talked about here and then some. I can't comment on the latter as I haven't read it, but if the title is any indication, it should be phenomenal. ;)



Tor Anonymous Network Reaches 100 Nodes



I generally try to avoid "announcements" in diaries, but bringing attention to
is a worthwhile end. Tor is an onion routing network supported by the EFF and managed by the . If you're not familiar with the concept of onion routing, it's explained very well .


To summarize, Tor is a fairly speedy anonymity network which you can tunnel arbitrary TCP connections through. While the bulk of Tor users are undoubtedly using it for anonymous web browsing, nearly any application that can use a SOCKS or HTTP proxy can be run through Tor, as evidenced by the
. I've been tunneling IRC and AIM through it recently and have had no issues. Web surfing gets a little strange when Google keeps switching languages based on the location of your last hop out of the Tor network, though. If you're concerned about your privacy online, give it a try.



Web Vigilantes v. Phishermen



According to a recent
web-site defacers have taken up virtual arms against phishing sites. As a resident of fabulous Las Vegas, Nevada, I can't help but think of listening to long-time Vegas residents wax nostalgic about how much nicer, safer, and cleaner the town was when the Mob ran the place.



Paypal Phishing Conditioning?



ISC reader TJ O'Grady reported receiving a legitimate password reset verification from Paypal. As he had not requested any reset, he contacted Paypal via telephone and was told that they were having technical difficulties and that he shouldn't worry about the email.



A few hours later, he received a Paypal phishing email suggesting that he log into his account as there had been unusual activity.



Have any other ISC readers experienced a similar combination of emails? Is TJ's circumstance simply a coincidence or have Paypal phishers begun a social engineering process of conditioning their marks into complying with later requests?



John Says Thanks!



Handler John Bambenek would like to thank everyone who submitted feedback in response to his
and apologizes for not responding to each of you individually.



That wraps up today's diary, kids! Until next time, I leave you with the following:



"It is difficult for a fool's habits to change to selflessness. In confronting a matter, however, if at first you leave it alone, fix the four vows in your heart, exclude self-interest, and make an effort, you will not go far from your mark."



======================

Cory Altheide

caltheide@isc.sans.org

======================