1 2 3 Previous Next 34 Replies Latest reply: Jan 28, 2012 3:35 PM by davidh Go to original post
  • 15. Re: Malware reappearing in apple.safari.com cache.db
    softwater Level 5 Level 5 (5,370 points)

    Thomas A Reed wrote:



    As I understand the evercookie, the data is stored in a variety of places.  Then, when you revisit the site that set that cookie, a script recreates any of that data that has been deleted, using copies in other locations.  If you were never to revisit the site, you'd never see any of that happen.



    You're overlooking the fact that some cookies work across multiple sites and domains owned, operated or managed by the same people/group/organisation, and you may not even know that they belong to each other.



    Thomas A Reed wrote:


    Cookies present more of a privacy concern than a security concern.  I personally am not interested in worrying that some site might track what pages I have visited and when.


    Then it is you who does not understand the dangers of cookies. Tracking your behaviour across multiple sites can reveal a lot about you, just as can trawling through someone's refuse. You might not think you're giving anything away, but patterns of behaviour over time eventually lead to everything being known about you and are the main technique of identity theft.


    Your blaise attitude might be fine for you, but it's not something I'd recommend as a general policy.


    From: Webopedia

    Cookies normally do not compromise security, but there is a growing trend of malicious cookies. These types of cookies can be used to store and track your activity online. Cookies that watch your online activity are called malicious or tracking cookies. These are the bad cookies to watch for, because they track you and your surfing habits, over time, to build a profile of your interests.

  • 16. Re: Malware reappearing in apple.safari.com cache.db
    thomas_r. Level 7 Level 7 (27,925 points)

    I'm not overlooking that, it just makes no difference to the point, which is that cookies CANNOT contain code that is executed independently.  Cookies are DATA ONLY.  If someone uses cookies to track you across multiple sites, there are obvious privacy implications, but that does not change the fact that they are not malware.


    As to the privacy issues with cookies, that is outside the scope of this discussion, and would be better debated elsewhere.

  • 17. Re: Malware reappearing in apple.safari.com cache.db
    etresoft Level 7 Level 7 (24,270 points)

    You might be getting stuck by Lion which always re-load the last window configuration. Launch Safari again. This time, hold down the option key when you to to Safari > Quit Safari.

  • 18. Re: Malware reappearing in apple.safari.com cache.db
    softwater Level 5 Level 5 (5,370 points)

    Oh do stop playing semantics to save face, Thomas.


    The point is that these kind of persistent cookies are a problem and are undesirable. I'm not sure how to get rid of them apart from the link I suggested earlier. Or is that "off-topic" too?

  • 19. Re: Malware reappearing in apple.safari.com cache.db
    thomas_r. Level 7 Level 7 (27,925 points)

    I am not playing semantics, I'm answering the question.  The OP claims this is malware, and that this "malicious code" is going to spam all his contacts.  That is not true.  Period, end of story.  Unless you wish to discuss that particular issue, we're done here.  You can debate the danger these cookies pose to privacy with yourself if you wish.

  • 20. Re: Malware reappearing in apple.safari.com cache.db
    MAC ATTACKED Level 1 Level 1 (5 points)

    Why would you bother posting unhelful, self satisfying responses?  You either have a solution or you don't.

  • 21. Re: Malware reappearing in apple.safari.com cache.db
    MAC ATTACKED Level 1 Level 1 (5 points)

    OK, so you tell me this is not possible but this is in fact what happened.  I completely erased the harddrive and reinstalled Mac OS X Lion.  I opened Safari and there were 3 cookies.  The offening cookie, apple.com and mzstatic.com.  During the erasure procedure there is a declaration that some media etc cannot be erased.  My frustration is that there are a lot of loose ends with Mac OS.  I have found log files that include passwords, reinstalled operating systems to find the malware cookie or whatever is hinding in my cache.db still there.  The worst part is no one seems to be willing to accept that this is a real threat.  The nice thing about Windows was that everything is visible and, because of its inherent flaws, you have two armed guards standing at the door (by that I mean security software).  Threats are taken seriously and dealt with.  I feel with Mac OS you about to experience a storm of attacks that you are unprepared for.  As the iPhone and iPad are the defacto rulers of the device world Apple is drawing interest from all sorts of nefarious intent.  Its not good enough to say  "we're safe becasue no one is shooting at us".  Your popularity will begin to draw attention and there aren't many safeguards in place.  There are lots of site out there describing flaws, describing methods to use debugging to point out weaknesses etc.  All I am trying to do is to relay my experience so you can be aware of it.

  • 22. Re: Malware reappearing in apple.safari.com cache.db
    Kurt Lang Level 7 Level 7 (31,990 points)

    I completely erased the harddrive and reinstalled Mac OS X Lion.

    Then it is completely impossible for any unwanted cookies to return unless you revisit the offending site where you got it in the first place, or restore the rest of your Time Machine data, which will of course reintroduce the offending files.


    There is no software of any kind anywhere in the world that can survive an erasure of the file table and then magically reappear in the newly installed OS. You have to be reintroducing somehow.


    Killing the evercookie in Safari.

  • 23. Re: Malware reappearing in apple.safari.com cache.db
    thomas_r. Level 7 Level 7 (27,925 points)

    The thing is, all that you've said is just anecdotal...  you haven't provided any real details, so we just have to accept your word that your interpretation of events is correct.  And it doesn't sound like you have much technical knowledge when it comes to the Mac.  (Not meaning that as an insult, just a statement.)  That means that your interpretation of events is very questionable.


    How we can explain what you have seen, I don't know, because of the lack of details.  I don't know what error you're referring to with regard to media being unable to be erased, but it seems obvious that the reinstall did not go off without a hitch, so it cannot be claimed to be clean.  The Mac OS certainly does not log passwords to log files, but you may have had some bad software installed that did.


    Regarding the "two armed guards" on Windows, it's important that you understand that they're more like myopic ninjas.  When they see something bad, they come down hard on it...  but they don't always see it.  Modern AV software recognizes at best 90% of all malware.  I've got two trojans in my collection that are recognized by only 36% and 50% of the AV engines VirusTotal tests with, despite having been first spotted in early fall of last year.


    Also, it's important to understand that the Mac OS has built-in anti-malware protection!  And, though it has its own limitations, like all anti-malware, it at least recognizes all the malware in my collection.  You could easily do far worse.


    The Mac OS is actually quite secure out of the box.  It is, after all, a Unix system, and Unix has been resisting attacks for a very long time.  The biggest security issue for any Mac is between the chair and keyboard.  If you are interested in learning more about security and your Mac, there are many people here who can help, if you let us.  If you choose not to, well...  good luck maintaining security with Windows!

  • 24. Re: Malware reappearing in apple.safari.com cache.db
    MAC ATTACKED Level 1 Level 1 (5 points)

    Unfortunately Lion indicated when erasing that certain files cannot be erased.  I have no investment in this.  I'm just reporting my experience trying to get someone who knows about MAC's to help me get to the bottom of it.  I agree.  There is something somewhere that is reintroducting the files containied in the apple.safari.com/cache.db.

  • 25. Re: Malware reappearing in apple.safari.com cache.db
    MAC ATTACKED Level 1 Level 1 (5 points)

    I am not insulted at all.  I am new to MAC and have been trying to understand how it works by reading posts, studying the cause and effect relationships and trying to get an understanding of how things work.  That is why I came to this post.  I thought I would have to endure the scorn of some and the ridicule of others but in the end what I want to know is how to use the system effectively and avoid problems.  I am teachable.  All I can tell you was the nature of the file I found in the cache.db and its contents.  How it actually got there, why it continued to return and the implications are completely new to me.  What attracted me to MAC originally was the hardware.  I was tired of component failures from HP, DELL, ACER etc. and the downtime I had to go through to get back up and running.  I thought at the very least I would end up with a better windows machine.  I would like to know more about MAC and security and I am not standing in your way.  I am very puzzled by my experience.  In any event I removed all partitioned, erased the disk again (save what Lion says I can't) and the file seems to be finally gone.  I am starting again (although MAC still asks if I want to start windows when restarting even though its not there anymore).


    Please let me know what steps I can take to avoid future security risks.  I recognize that there are environmental hazzards like onbeforeclose event java scripts and evercookies, that despite their obvious potential for abuse are going to be with us for a while.  As long as Google persists in paying commision to unsavory webmasters we will see more and more clickjacking schemes and more usesless sites filling up the web. Anything I can do to shore up defences would be appreciated.    

  • 26. Re: Malware reappearing in apple.safari.com cache.db
    thomas_r. Level 7 Level 7 (27,925 points)

    Start by reading the Mac Malware Guide I referred to earlier.  I wrote it, so I'm tooting my own horn a bit, but I think it's a pretty good reference.  I've worked very hard on it.


    Regarding things like malicious JavaScripts (which also encompasses the mechanism that makes evercookies work), note that there's really not much they can actually do.  Some people get bothered by the potential privacy issues that these things make possible, others don't.  If you're in the former category, either turn off JavaScript in Safari, or use Firefox along with the NoScript plugin for more granular control over which sites are allowed to run JavaScripts.


    As for other issues, many people will recommend a firewall, but chances are good you don't need one.  See Do I need a firewall?  (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)  You should also make sure not to open up any network services by turning them on in System Preferences -> Sharing unless you need to.  If you need to, they pose no security risk at all on your own home network (provided it's locked down with a password) and can be pretty easily secured on open networks.


    To protect your data against an attacker with physical access to the machine (such as a thief or a dishonest friend or co-worker), encrypt any data that is sensitive.  Your account password can be reset and any data accessed fairly easily.  You can encrypt groups of files using encrypted sparse disk images made with Disk Utility, or you can encrypt the entire hard drive with FileVault (in Mac OS X 10.7).  The keychain is a secure place to keep stuff as well, as long as you don't leave the computer unattended with the account logged in and the keychain unlocked.  Resetting your account password will NOT reset the keychain password, regardless of what some people will tell you.  (I've tested it.)


    Beyond that, just keep in mind good general security practices...  use good passwords, don't use the same password for everything, don't click links in e-mails, don't trust any web site that says it has "scanned your hard drive" and found viruses, be cautious what you do on open wireless networks, etc.


    If there's something left unanswered after all that, please ask!

  • 27. Re: Malware reappearing in apple.safari.com cache.db
    MAC ATTACKED Level 1 Level 1 (5 points)

    I think we are pretty much on the same page.  I am more concerned with clickjacking and homepage forgeries than I am about someone trying to steal my identity.  Its the growth of passive clickjacking and homepage forgeries to bilk money out of advertisers that seems to be the biggest threat from my point of view.


    Anyway, I appreciate your help.  To begin with, I would like to stop the endless firewall warnings "Deny netbiosd data in from 192.168 etc. etc. I think maybe Bonjour is very noisy or something.  As well the Stealth Mode connection attempt to UDP etc. etc.


    Setting up the MAC to behave quiety and not get confused by its own calls would be helpful.


    Any thoughts?

  • 28. Re: Malware reappearing in apple.safari.com cache.db
    thomas_r. Level 7 Level 7 (27,925 points)

    I'm not sure what the netbiosd stuff is, but those stealth mode connection attempts sound a lot scarier than they actually are.  Stealth mode connection attempts usually occur when a packet has taken too long to return and the computer has stopped listening for it.


    But, I really think using a firewall on a Mac is serious overkill except in very specific uses - like a Mac server that is constantly exposed to direct access from the internet and has a lot of services open.  There's no currently known way for a hacker without physical access to get access to your Mac out of the box, with no services open in System Preferences -> Sharing and with the firewall off.  And if you open up a service, you've got to poke a hole in the firewall anyway, or it won't work.  Really, just turn off the firewall, it's not helping you.

  • 29. Re: Malware reappearing in apple.safari.com cache.db
    MAC ATTACKED Level 1 Level 1 (5 points)

    I considered that.  But for better or worse it seem to me that turning off the fire alarm doesn't stop the fire.  If my Mac is sending unnecessary messages I would like to find out how to get it to stop.  However innocuous the messages might be, I would rather do it right and maybe learn something about the operating system in the mean time.


    I do appreciate your feedback and assistance