
Defense: Malware targeting Macs

Mac users running any browser with JavaScript turned on by default are vulnerable to being tricked into clicking on a trick image and/or link.


That image may appear to be a standard OS X window with a close box, or the typical OS X-looking window asking a question with OK or Cancel. It can look like anything really; its purpose is to get you to click anywhere on it and initiate a download to your computer.


Safari tries to be helpful and "Open Safe Files" by default, which is being used with numerous successes to run code on one's machine, bypassing the normal user action of opening the Downloads folder and then clicking on the download to run it, in exchange for convenience.


Most Macs are used by one person, and on the initial setup of a new Mac (or a new OS X install) the first user is automatically an Administrator User. Running one's typical day-to-day use in Admin User mode gives any code running on one's machine more privileges and access than it would receive if the user of the computer created another OS X account and did most of their computer use as a General User.


The ultimate access for rogue code would be Root User, which on Macs is turned off by default; however, a temporary access window to Root User is allowed when an Admin User provides his or her Admin Password. Once rogue code gets Root User access, it's all over: OS X is completely compromised.



The key to security on a Mac, or any computer system actually, is a process called "Compartmentalized Security", where the more privileges code receives, the more it's subjected to time and scrutiny to determine its legitimacy.


Web browsers are the forward troops facing an overwhelming enemy, the World Wide Web. Not one modern web browser is 100% safe: not Safari, not Firefox, not IE, not Chrome, not Opera. Neither are the plug-ins or scripts that run within these browsers 100% safe.


So the key to maintaining security is to provide a high level of "Compartmentalized Security" steps which shifts the exploit potential further down the privilege level so it can't do much of anything or gain further access.


People can get carried away with downloading and installing software in a rapid-fire manner; this provides a ripe opportunity for malware to get onto one's computer, even gaining root access right away.



So in order to provide better compartmentalized security, provide more time and steps before potentially installing rogue code. I suggest the following actions:


1: Run most of your day to day computer use as a General User with less privileges. This can be done by creating a new Admin User, logging out of the present user and into the new Admin User, then turning the first user into a General User.


Whenever certain actions are needed, like accessing the Applications folder (where programs can be changed by malware), an Admin Name and Password will be required. A small hassle, but it provides another step for it to get past.



2: Use Firefox web browser and the following Add-ons: NoScript, Ad Block Plus and Public Fox.


Under the Toolbar customization, drag the NoScript button to the toolbar. NoScript turns off all scripts and plug-ins by default; if you trust the site you're on, you click the button to turn them on and the page automatically reloads.


In Public Fox preferences, set a password on downloads, this way a popup window appears before any download occurs, keeping malware from sneaking into your downloads folder and potentially being clicked on.


With Ad Block Plus, subscribe to the EasyList, which automatically appears in the browser window. This will auto-update to keep advertising, which has been used numerous times as an attack venue, from appearing.


Click&Clean, Ghostery, BetterPrivacy, FlagFox, WOT, HTTPS-Everywhere (from the Electronic Frontier Foundation) are also highly recommended add-ons.



3: In Safari preferences, turn off "Open Safe Files", and install the Ad Block Plus add-on and the Click2Flash add-on. If any add-on appears in the future to simulate what NoScript and Public Fox do on Firefox, then enable those add-ons.



4: Check the status of your browser plug-ins. These websites make it easy; bookmark them in an obvious place so you remember to visit them routinely. As soon as a vulnerability appears, either update or turn off the affected plug-in in your browser until a patch is issued.


https://www.mozilla.com/en-US/plugincheck/


https://browsercheck.qualys.com/



5: If you enjoy surfing the back alleys of the Internet and you have at least a decent dual-core Intel-based Mac, I'd highly advise installing the free VirtualBox and loading a free ISO of Linux Mint DVD 32-bit 10.10 (the most consistent and easy-to-use, everything-included Linux distro).


http://www.virtualbox.org/


http://www.linuxmint.com/download.php


The object is to load and install Linux Mint into the virtual machine like installing an operating system onto a regular computer. Once completed, save a snapshot to revert to after your Firefox browsing session (in Linux) is completed. Any and all potential malware, caches, etc. are flushed when you revert the entire guest OS back to the earlier state. Keep the guest OS updated via the Software Update option and save a new snapshot.



6: Use common sense; if it doesn't look right, then stop and flush the OS X-based browser from memory via the Apple > Force Quit menu.


7: Install the free ClamXav; it will remove the OS X malware it knows about (offering some after-the-fact defense) and Windows malware from their files.


http://www.clamxav.com/


I don't advise a full-time, always-on and running anti-virus solution for Macs, due to Apple's tendency to change the underlying OS themselves to thwart potential malware. So something like Norton, which maintains tight control over OS X, should be avoided.


Malware on Macs is a scarce thing because of Apple's top-down approach, but trojans are a potential attack venue and people need to ensure more steps to avoid being tricked.

MacBook Pro, Mac OS X (10.6.7), XP, Vista, 7 many Linux distros

Posted on May 8, 2011 4:40 AM
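As an added example (not code from the original post, from Apple, or from any of the add-ons named above), here is a small POSIX shell audit for two of the settings the post discusses in steps 1 and 3: whether an account sits in the admin group, as reported by `dscl . -read /Groups/admin GroupMembership` on OS X, and whether Safari's "Open safe files after downloading" preference (the `AutoOpenSafeDownloads` key in `com.apple.Safari`) is still on. The two parsing functions take the text those tools print, so the script can be tried on any Unix against the constructed sample output embedded below; the `audit_mac` function that calls the real tools is only reached when `dscl` exists. The command names and the preference key are real; the sample values (`alice`, `root`, `1`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit two of the settings
# discussed above on a Mac -- membership of the "admin" group and Safari's
# "Open safe files after downloading" preference. The parse functions take the
# text dscl(1) and defaults(1) print, so they also run offline against the
# constructed sample output below.

# dscl prints admin membership as one line: "GroupMembership: root alice".
# Return 0 (true) when user $2 appears in membership line $1.
is_admin_member() {
    members=$(printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p')
    for m in $members; do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# `defaults read com.apple.Safari AutoOpenSafeDownloads` prints 1 when the
# option is on and 0 when off; when the key was never written it prints
# nothing. Safari's factory default is ON, so an empty value counts as on.
safe_files_enabled() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        0) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample output, in the format the two tools emit.
SAMPLE_GROUP='GroupMembership: root alice'
SAMPLE_SAFE='1'

# Real audit: only reachable on a Mac, where dscl and defaults exist.
audit_mac() {
    user=${1:-$(id -un)}
    group_line=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    safe_val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    if is_admin_member "$group_line" "$user"; then
        echo "WARN: $user is an administrator; use a Standard account day to day"
    else
        echo "ok:   $user is a Standard (non-admin) account"
    fi
    if safe_files_enabled "$safe_val"; then
        echo "WARN: Safari auto-opens 'safe' downloads; turn it off with:"
        echo "      defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    else
        echo "ok:   Safari 'Open safe files' is off"
    fi
}

# Offline demonstration against the constructed samples.
demo() {
    is_admin_member "$SAMPLE_GROUP" alice && echo "alice: admin"
    is_admin_member "$SAMPLE_GROUP" bob   || echo "bob: standard"
    safe_files_enabled "$SAMPLE_SAFE"     && echo "Open safe files: ON"
}

if command -v dscl >/dev/null 2>&1; then audit_mac "$@"; else demo; fi
```

On a Mac, run it as `sh audit.sh` to check the current login, or `sh audit.sh alice` for another account. The point of treating an empty `defaults` value as "on" is the one a practitioner gets bitten by: a Mac that has never had the box unticked has no key at all, and a naive `= 1` check would report it as safe.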

Question marked as Best reply

Posted on May 8, 2011 5:11 AM

Run most of your day to day computer use as a General User with less privileges.


That causes problems for some apps, which won't run on anything but an admin account or on the account they were installed on. And it's not a guarantee of security - a user who gets in the habit of authenticating to admin to install stuff from their Standard account is no safer than the user who gets in the habit of authenticating to install from their Admin account. This is a good general suggestion, but may not work for everyone and provides practically no real security against "social engineering" by itself.


2: Use Firefox web browser and the following Add-ons: NoScript, Ad Block Plus and Public Fox.


Again, using things like these won't protect you by themselves. How do you know if a site is trusted and should have JavaScript turned on? And most folks are finding this malware via trusted sites that have had malicious JavaScripts "sneaked" into their code, through malicious ads or search engine optimization poisoning. How can you know if your trusted site is affected? And, given how much this malware has been jumping around over the last week, I seriously doubt Ad Block Plus can keep up.


3: In Safari preferences, turn off "Open Safe Files" install the Ad Block Plus add-on and the Click2Flash add-on.


Note that even folks with Safari's Open "safe" files after downloading option turned off have been affected by opening the installer manually. And some have been alerted to the presence of malware by the automatic appearance of the installer. I'd still agree, though, but would add that you should keep your Downloads folder cleaned out, so that any suspicious items that turn up will be easily recognized, and not mistaken for something you downloaded earlier.


As to Click2Flash, I think nobody should be on the web without it! I don't trust Flash as far as I could throw Adobe.


I'd highly advise installing the free VirtualBox and loading a free ISO of Linux Mint DVD 32 bit 10.10


That is not a realistic suggestion for the average person, who will have neither the desire nor the knowledge to run Linux.


6: Use common sense; if it doesn't look right, then stop and flush the browser from the Apple > Force Quit menu.


This should have been #1! AV software has struggled to keep up with all the variants of MacDefender, malware sites move on sometimes an hour-by-hour basis and malicious code sneaks into trusted sites. In all, no automated defense tool will protect you from a new threat... only your "wetware" can do that!

86 replies

May 8, 2011 6:28 AM in response to thomas_r.

True, NoScript won't help if you allow the site and the site, itself, has been hacked. But it will block malicious third-party scripts that are not allowed. My way of using NS is first to see if a site works with JS completely disabled, i.e. the site "not allowed." A good number of sites will function this way. Then if it's not working properly, I will allow (temporarily) the site and see if that gets it going. If it still won't function properly -- and if I really need it to -- I will gradually allow other scripts. There is a feature of NS where one can shift-click on a script before allowing it to get options for vetting. I can also Google that URL to see what comes up for it. (Same way I use Little Snitch.) It's easy to rule out the data-tracking scripts whose names are usually a giveaway.


I will allow the minimum to get a site going. Sure, this doesn't offer bulletproof protection, but it goes a long way. It's much better than using any other browser without it. (There are simple whitelist/blacklist JavaScript add-ons available for Camino and Safari, but they hardly compare.) Like CTF and FlashBlock, it blocks Flash with a placeholder.


In addition, even if one "allows all," NS is still offering protection against certain kinds of exploits.


http://noscript.net/features


I also have the WOT Add-on, which advises about the safety of sites by placing icons (green to red) on the URL in the URL bar and in Google searches. I don't absolutely trust it, but it's better than nothing. It also gives warning popups, in addition to the ones Firefox gives, if a site is really poisonous.


Not sure that AdBlock Plus protects that much. I understood that all the stuff it blocks still loads, it's just kept off the screen. Not 100% sure of this, but when malicious hacks on third party advertising appeared for the NY Times a few years ago, I don't think ABP kept them from loading and users with ABP were still vulnerable.


Another inconvenience for running Standard is that system.log is not accessible except by running the su command and then sudo for the Console executable. Anything sudo needs to run first with su for the admin account.


I think ds store's recommendations are sound, but probably somewhat on the too complicated, or much too complicated, side for many users, NoScript included. But, even my wife who hated it at first, doesn't complain about NS too much anymore. I think she understands its value. But it does take a bit of getting used to.

May 8, 2011 7:03 AM in response to thomas_r.

Thomas A Reed wrote:


That causes problems for some apps, which won't run on anything but an admin account or on the account they were installed on.


Then the programs need to be reinstalled for "All Users", which most do now by default, or reinstalled for the new Admin account. Since the previous Admin is now a General User, it's not an issue. If the program needs Admin/Root access, the user should be made aware of that fact and understand they just elevated privileges to a most dangerous level.


Linux has a security key that displays in the menu bar that one has opened a "sudo window" which any code run during that time can have Root level access. Of course OS X has no such warning.


And it's not a guarantee of security - a user who gets in the habit of authenticating to admin to install stuff from their Standard account is no safer than the user who gets in the habit of authenticating to install from their Admin account. This is a good general suggestion, but may not work for everyone and provides practically no real security against "social engineering" by itself.


The only guarantee of security is unplugging the power from the computer and tossing the machine into a pit of molten lead.


The user is rarely installing/uninstalling or making such drastic changes to their machine that entering their Admin name/password is such a burden. Those rare folks who do reside in that realm, even for a short duration, log into the Admin User from the start and are competent enough to know the difference anyway.



Again, using things like these won't protect you by themselves. How do you know if a site is trusted and should have JavaScript turned on? And most folks are finding this malware via trusted sites that have had malicious JavaScripts "sneaked" into their code, through malicious ads or search engine optimization poisoning. How can you know if your trusted site is affected? And, given how much this malware has been jumping around over the last week, I seriously doubt Ad Block Plus can keep up.


Well, you're LESS protected without them. So far the NoScript "web cop" add-on has protected Firefox users from the MacDefender trojan by not allowing JavaScript to run by default.


Even if a trusted site has the malware and one turns off NoScript for that site, then Public Fox (with a password block on downloads) stops any automatic download from occurring.


Ad Block Plus defends against advertising, which has been used as a malware vector. It provides the option to whitelist favorite sites for which trust has been established by the user.


Again the reasoning here is to provide a "security guard" approach, nobody gets in without approval.



I'd highly advise installing the free VirtualBox and loading a free ISO of Linux Mint DVD 32 bit 10.10


That is not a realistic suggestion for the average person, who will have neither the desire nor the knowledge to run Linux.


Well, note that I placed a condition on that advice, "if one likes surfing the back alleys of the Internet", as all browsers are vulnerable to some extent from direct website intrusions. So another "compartmentalization" level is required for sites that are prone to that sort of behavior, which use images or warez as click bait.


And mind me saying, Thomas, it's rather presumptuous of you to dictate what another would like or not like. 😉


Remember Apple opened the door to multiple operating systems running on their hardware, the PPC days are long gone, a brave new world is here where one can run all the major operating systems on one machine.


Heck, Steve Jobs even used Linux on his Pixar renderfarm, I bet his MacPro runs everything under the sun just like my 17" Quad does.


Apple is the second largest grossing corporation in the world next to Exxon; professional IT people like myself use Macs now because of their ability to run all major operating systems. It's looking rather sad showing up to the job dragging an ugly, bulky Dell when one can have a slim, sexy-looking silver MacBook Pro.


So no need to get fan boy defensive any longer. 🙂


Note that even folks with Safari's Open "safe" files after downloading option turned off have been affected by opening the installer manually. And some have been alerted to the presence of malware by the automatic appearance of the installer. I'd still agree, though, but would add that you should keep your Downloads folder cleaned out, so that any suspicious items that turn up will be easily recognized, and not mistaken for something you downloaded earlier.


As to Click2Flash, I think nobody should be on the web without it! I don't trust Flash as far as I could throw Adobe.


This should have been #1! AV software has struggled to keep up with all the variants of MacDefender, malware sites move on sometimes an hour-by-hour basis and malicious code sneaks into trusted sites. In all, no automated defense tool will protect you from a new threat... only your "wetware" can do that!


Well, at least we agree on something. I actually don't approve of anyone using Safari AT ALL, because of its lack of a NoScript option and failing every Pwn2Own contest.


But there are those who, by stubbornness or brand loyalty, will continue to use Safari, so I recommend at least a partial security solution.


And since the MacDefender trojan uses Javascript, not Flash, Click2Flash offers little protection, just another preventative measure against other attacks.
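The exchange above about the "sudo window" (the post's point that, once an admin has authenticated, any code run in that session can become root without a further prompt, and that OS X shows no indicator for it) can be checked from a terminal. The script below is an added example, not part of the thread: `sudo -n` (non-interactive) succeeds only when a valid cached timestamp exists, so it doubles as the missing indicator, and `sudo -k` closes the window by invalidating the cached credential. It runs unchanged on OS X and Linux; whether it reports the window as open depends on the machine it runs on, so only the pure `describe_status` mapping has a fixed result.

```shell
#!/bin/sh
# Added example, not from the original thread: report whether a cached sudo
# "window" is currently open for this shell session, and how to close it.
# sudo caches a successful password for timestamp_timeout minutes (5 by
# default on both OS X and Linux); during that time any process in the
# session can run "sudo anything" with no prompt.

# Exit status: 0 = window open (sudo would not prompt), 1 = closed / no
# ticket, 2 = sudo is not installed on this system.
sudo_window_open() {
    command -v sudo >/dev/null 2>&1 || return 2
    # -n: never prompt; succeeds only on a cached, still-valid ticket
    # (or when running as a user sudo lets through without a password).
    if sudo -n true 2>/dev/null; then
        return 0
    fi
    return 1
}

# Close the window: -k invalidates this session's cached timestamp.
sudo_window_close() {
    command -v sudo >/dev/null 2>&1 || return 2
    sudo -k
}

# Map an exit status from sudo_window_open to a one-line report.
describe_status() {
    case "$1" in
        0) echo "sudo window OPEN: commands run now can become root without a password" ;;
        1) echo "sudo window closed: the next sudo will prompt" ;;
        *) echo "sudo not available on this system" ;;
    esac
}

main() {
    sudo_window_open; rc=$?
    describe_status "$rc"
    if [ "$rc" -eq 0 ]; then
        sudo_window_close
        sudo_window_open; describe_status $?
    fi
}
main
```

Two caveats a practitioner will hit: on a system where the caller is root, or has a `NOPASSWD` rule, `sudo -n true` always succeeds, so the report reads "OPEN" even right after `sudo -k`; and the window is per terminal session (per tty by default), so an authenticated Terminal tab and a fresh one can give different answers. Setting `Defaults timestamp_timeout=0` in sudoers removes the window entirely, at the cost of a password prompt on every sudo.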

May 8, 2011 7:17 AM in response to ds store

Then the programs need to be reinstalled for "All Users"


It's not that simple. I have personally encountered apps that simply won't work properly except on one account. Some versions, at least, of Photoshop Elements are among that list... unless you're running an admin account, you don't have access to places that they need to make changes on a frequent basis, and thus they don't work right. Running a Standard account is a good idea, but not always practical for everyone.


The user is rarely installing/uninstalling or making such drastic changes to their machine that entering their Admin name/password is such a burden.


Don't judge by your own experience. I know people who are constantly downloading and installing games, fun apps, etc and would think nothing of entering their admin name and password. For such people, running a standard account would not be significantly safer, since they'd just authenticate everything anyway.


the reasoning here is to provide a "security guard" approach, nobody gets in without approval.


My point is, security guards are not infallible, and if you rely on them entirely, you'll eventually be in danger. One should not install security measures and then just forget about it.


And mind me saying Thomas, it's rather presumptious of you to dictate what another would like or not like. 😉

[...]

So no need to get fan boy defensive any longer. 🙂



With regard to the average user not wanting or being able to install Linux, I don't think it takes any presumption whatsoever to be able to say that. If you believe the average user would be interested in installing Linux on their Macs, you clearly do not understand the average user.


As to the name calling... I don't see how saying that some of your suggestions are unrealistic or not as secure as you imply makes me a "fan boy."

May 8, 2011 7:21 AM in response to ds store

ds store wrote:


Computer security is skating not to where the puck is, but where it's going to be.


I'm from Alabama. I only moved to Canada recently. Your analogy has no significance to me.


I think you are trying to say that the MacDefender trojan is a harbinger of doom and that it signals the beginning of an onslaught of Mac-targeted malware. Perhaps that is true, but it doesn't change the fact that MacOS X is an inherently secure operating system. The MacDefender trojan could have easily been written ten years ago. As malware goes, it is a pathetic attempt written by an amateur. If this is the best they can come up with in ten years, wake me up in another ten.


People on the internet have been trying to spread disinformation that Macs can be hacked "in seconds". It's all a pack of lies - nothing more.

May 8, 2011 7:31 AM in response to WZZZ

WZZZ wrote:


Not sure that AdBlock Plus protects that much. I understood that all the stuff it blocks still loads, it's just kept off the screen. Not 100% sure of this, but when malicious hacks on third party advertising appeared for the NY Times a few years ago, I don't think ABP kept them from loading and users with ABP were still vulnerable.


My reasoning with Ad Block Plus is more along the lines of advertising being hijacked to display what appears to be an OS X window or a scan progress bar like one sees on Windows, to invite a click response to go to a malicious site.


Another inconvenience for running Standard is that system.log is not accessible except by running the su command and then sudo for the Console executable. Anything sudo needs to run first with su for the admin account.


Still minor relative to the 99% of the time certain files and folders are protected from unknown alteration.


I think ds store's recommendations are sound, but probably somewhat on the too complicated, or much too complicated, side for many users, NoScript included. But, even my wife who hated it at first, doesn't complain about NS too much anymore. I think she understands its value. But it does take a bit of getting used to.


Complicated for most users that will just ignore it and install anything, not backup their files, just like they do on Windows.


For them it's best perhaps that they get a dumbed down iPad, then we IT professionals can concentrate on people we can help, instead of those we can't help.


You'd be surprised; most of the web doesn't need scripts running as much as people THINK it does. And since NoScript can be made to "allow" those common-use sites, it lets the user adjust their own preferences and convenience level, instead of running hog wild with everything turned on and allowing anything to do anything at any time.


However, for those looking to surf a little safer and who have the chops to make the changes, it's good advice I think, until Apple pulls their web browser security up and sandboxes Safari, with a big popup window when a download occurs just like Firefox does, not some tiny thing that disappears behind another window or downloads so fast you can't see it on ultra-fast connections with small file sizes.

May 8, 2011 8:54 AM in response to thomas_r.

Thomas A Reed wrote:


It's not that simple. I have personally encountered apps that simply won't work properly except on one account. Some versions, at least, of Photoshop Elements are among that list... unless you're running an admin account, you don't have access to places that they need to make changes on a frequent basis, and thus they don't work right. Running a Standard account is a good idea, but not always practical for everyone.


Hehe, Photoshop Elements, this is the same Adobe that makes Flash right? 😀


If they can't understand the real-world uses of their software, that Admins need to lock down the Applications folder so as not to have their product dragged off to be copied/deleted, then Steve Jobs was right to call them "lazy" 😀



Don't judge by your own experience. I know people who are constantly downloading and installing games, fun apps, etc and would think nothing of entering their admin name and password. For such people, running a standard account would not be significantly safer, since they'd just authenticate everything anyway.


Well, if they install something that compromises their Mac, then they have no one to blame but themselves.


But, with entering the admin password, at least they got that chance to decide.



My point is, security guards are not infallible, and if you rely on them entirely, you'll eventually be in danger. One should not install security measures and then just forget about it.



Well we shouldn't be having to worry about security actually if Apple paid more attention to their browser.


With regard to the average user not wanting or being able to install Linux, I don't think it takes any presumption whatsoever to be able to say that. If you believe the average user would be interested in installing Linux on their Macs, you clearly do not understand the average user.


I do understand the "average user", I clean their machines and see what they have been doing.


And the last time I checked, the Boot Camp forums still have a lot of action going on; that's considerably more difficult than simply installing a guest OS in a virtual machine program.


For those who don't understand my advice, it will fly over their heads like neuroscience flies over mine. 🙂


As to the name calling... I don't see how saying that some of your suggestions are unrealistic or not as secure as you imply makes me a "fan boy."


Well it appears your bias is showing when I suggest a solution that's anything not Apple that's all.


But on the other hand you wrote:


Thomas A Reed wrote:


Note that even folks with Safari's Open "safe" files after downloading option turned off have been affected by opening the installer manually. And some have been alerted to the presence of malware by the automatic appearance of the installer.


So technically speaking, people who are competent enough to install Firefox and the Add-ons I suggested shouldn't be using Safari at all right?


We all get tricked, I almost got nailed downloading a fake Linux distro from a cloned site when my WOT popped up and screamed bloody murder.


So you see, having many safeguards in place does make a considerable difference in protecting one's online security.




One must maintain a well rounded security policy, just "unchecking Safari safe files" is not going to cut it.


So far I don't see that well rounded security happening with Safari, however since Firefox has significant Windows exposure, it already has these safeguards in place.

May 8, 2011 9:09 AM in response to etresoft

etresoft wrote:


People on the internet have been trying to spread disinformation that Macs can be hacked "in seconds". It's all a pack of lies - nothing more.


Well that's not exactly true.


Just Google: "safari pwn2own seconds" and see the articles for yourself and the date.


Apple rolled out a security update a month after the contest; those who are still using an unpatched Safari are vulnerable.


So for a month there all Macs were exploitable, and given what researchers say, that WebKit has lots of vulnerabilities, it might still be an ongoing problem.



Realistically speaking, only when a browser stands up to repeated hacking attacks without failure is it a secure browser.



None of them do, but some are more secure than others or can allow less things to run all the time, reducing the exploit vectors.


That's why one also needs to run as a General User: in case their browser gets pwned, it has limited privileges.

May 8, 2011 2:00 PM in response to ds store

You are mixing up issues here. Are we talking about fake antivirus malware for Macs or hacking contests? It doesn't matter because that is exactly what you are supposed to do - get mixed up and confused so you don't know what is going on with Mac security.


To simplify: Macs are secure. Your browser can't be hacked in seconds. You are being lied to.

May 8, 2011 2:22 PM in response to ds store

A vulnerability is just a vulnerability until it is actually exploited.

That vulnerability must also be multiplied by a probability of it actually being exploited to become a risk.

Currently the vulnerability can be infinite, but there is still zero probability, so the risk is zero.


When the probability of being exploited gets to be somewhere greater than zero, it will be something to worry about.

May 9, 2011 11:50 AM in response to Barney-15E

Barney-15E wrote:


A vulnerability is just a vulnerability until it is actually exploited.

That vulnerability must also be multiplied by a probability of it actually being exploited to become a risk.

Currently the vulnerability can be infinite, but there is still zero probability, so the risk is zero.


When the probability of being exploited gets to be somewhere greater than zero, it will be something to worry about.


People's machines are being exploited and the vulnerability is Safari not asking the users permission before initiating a download.

May 9, 2011 5:41 PM in response to ds store

People's machines are being exploited and the vulnerability is Safari not asking the users permission before initiating a download.

I guess I don't consider that to be a vulnerability. It's doing what it is supposed to do. I often click on direct download links and want the browser to download the file. It's just another Trojan trying to take advantage of people's ignorance. If you want to make an OS safe for those people, don't let them log in at all.
