Tag Archives: security

Fake installer malware makes its way to Mac | TUAW – The Unofficial Apple Weblog

When it comes to installing things on your Mac, I often advocate a rather carefree attitude. One thing that has always been true, and this article drives the point home, is that even the most secure system can fall if the person holding the keys is tricked or cheated into opening the door.

I have said to many people to whom I’ve given computer advice: if you have doubts, please contact me and I can look at it and give you advice. It’s free, and I’d rather help in the vein of “An ounce of prevention is worth a pound of cure.”

Superpass Password Hasher

This site has a rather novel approach to dealing with passwords. I see this a lot in both my personal and professional life, especially when people lose their computers. The question looms, “Did you…?” and usually the answers aren’t very good, at least from a security standpoint.

One of the biggest things that people can and should do is keep individual passwords for every single site they access. Most people could approach this via tools like my beloved 1Password, but this may be another approach that might also work. It uses a cryptographic staple called a hash function to generate a multi-character password from a simple password, a salt (extra data mixed into the hash so that the output can’t be derived from the simple password alone) and the domain you are working with. It’s quite elegant in that it removes the need to store individual passwords because it, supposedly, relies on stable domain names to make the password reproducible. Each time you enter your simple password, provided the domain name hasn’t changed, you should get the same hash over and over again. I still think that 1Password is the best choice for everyone, but this might be a good starting place, especially if cash is tight and you can’t swing a 1Password license.

UPDATE: After trying this out I discovered that it only really works well on plain sites like Google.com. If you go to any other sites, like Apple or nytimes.com, the code breaks down on Safari. I couldn’t get it to even work on Firefox 13 on the Mac, so perhaps this isn’t as robust as I had hoped. The idea is still good, however. For what it’s worth.
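The derivation described above, as an added illustration that is not Superpass’s own code (the post does not give its exact scheme): a keyed SHA-256 hash of the salt and the site, truncated to 16 printable characters. The domain normalization is an assumption added here, because, as the update notes, a scheme like this only reproduces a password if the domain it sees is stable; the `|` separator assumes the salt contains no `|`.

```shell
#!/bin/sh
# Reduce a URL or hostname to a stable lowercase label so that
# https://www.nytimes.com/section and NYTimes.com derive the same password.
normalize_site() {
  printf '%s\n' "$1" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's|^[a-z][a-z0-9+.-]*://||' \
          -e 's|[/?#].*$||' \
          -e 's|:[0-9]*$||' \
          -e 's|^www\.||' \
          -e 's|\.$||'
}

# derive_site_password MASTER SALT SITE [LENGTH]
# HMAC-SHA256 keyed with the simple (master) password over "salt|host",
# base64-encoded and cut to LENGTH (default 16) characters. Same inputs
# always give the same output; changing any one of them changes it all.
derive_site_password() {
  host=$(normalize_site "$3")
  [ -n "$host" ] || return 1
  printf '%s|%s' "$2" "$host" \
    | openssl dgst -sha256 -hmac "$1" -binary \
    | openssl base64 -A \
    | cut -c1-"${4:-16}"
}
```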

It's silly, and you should stop doing it.

Email confidentiality footers annoy me. I see them frequently on many emails that I get and I think of them as meaningless text that really should be ignored. That an email is somehow a private exchange of information is laughable. Email is sent in plaintext using an open protocol and on the wire it’s all unencrypted.

What really brings this to the forefront is when I see these meaningless bits of mental flotsam and jetsam clogging up my email box because someone set a vacation autoresponse, and their membership on an email list causes them to constantly reply with an “I’ll be out from…” email with this stupid block of text at the bottom asserting that the email is the property of blah blah blah.

Writing email has the same security protections as writing a postcard and tying it to a bird and letting it fly off. Your assertion that your communications are somehow proprietary or classified is utterly hilarious.

If people really wanted to make this not so utterly irrelevant, they should use public-key encryption or at least something like ROT-13 encryption so that the text isn’t readily apparent and takes some work to decode. Sending plaintext with this silly block at the bottom just musses up the display and doesn’t mean anything to anybody. So stop it.

Dropbox Lied to Users About Data Security, Complaint to FTC Alleges | Threat Level | Wired.com

Read the above article, it’s quite good and covers the problems that many geeks have with Dropbox. I have to admit that I’m quite fond of finding ways to “Have my cake and eat it too” and in the spirit of that saying it’s important to highlight a core issue that needs to be covered: If you don’t manage your own security, you don’t have any.

Every service is vulnerable to a search and seizure order as long as its hardware exists within the United States. Any company that claims to protect your data even from this basic assumption is lying to you. You can help them by helping yourself. The people who run Dropbox certainly have aims to secure your data, otherwise nobody but a scant few would be willing to store their data in the cloud. This situation is only half-way to what is really required to make a service like Dropbox a real charmer. It comes down to security, and I’ve written about it at length before. The end user has to meet Dropbox for the other half of the way. Dropbox encrypts their data using AES-256, and they have a master key that they use along with yours so that they can maintain a backdoor in case they have a search and seizure order to fulfill. Protect yourself by using any number of applications, ranging from TrueCrypt, iCrypt and openssh to encrypted DMG files. If you create one of these encrypted files to store your private information and then send it to Dropbox, even if they have to divulge the file to the authorities, all they can provide is another AES-256 encrypted file that they don’t have a key to. When the authorities try to pry open the file, all they’ll see is noise, because they don’t have your key.

It’s really quite easy when you think of it, Dropbox is at most 50% secure. You can provide another 50% making your use of Dropbox 100% secure. It all comes down to going that little extra inch with any of the tools covered above. I can’t help but really love encrypted DMG files as they are the most convenient to use with Macs. You just double-click on the DMG file, enter in your password, and the volume is mounted as if it were a drive on your computer. All the files are plain and easy to use. Ejecting the drive after you are done using it closes it and the data lives 100% secure in the cloud.
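The encrypt-before-you-sync idea above, as an added example that is not from the post or from Dropbox: the encrypted DMG route is the Mac GUI way to do it, and this is the portable command-line equivalent using `openssl enc` with AES-256 (assumed: OpenSSL 1.1.1 or later for `-pbkdf2`). The sample file, passphrase and paths are constructed for the demo; the point it makes concrete is that the only thing that ever reaches the sync folder is ciphertext the provider cannot open.

```shell
#!/bin/sh
# encrypt_for_sync PLAINTEXT CIPHERTEXT PASSFILE
# Encrypt locally with a passphrase only you hold; drop only the output
# file into the sync folder. PBKDF2 stretches the passphrase into the key.
encrypt_for_sync() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$1" -out "$2" -pass file:"$3"
}

# decrypt_from_sync CIPHERTEXT PLAINTEXT PASSFILE
decrypt_from_sync() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass file:"$3"
}

# ciphertext_reveals STRING FILE
# What anyone holding the synced file can find without the passphrase:
# returns 0 if the plaintext string is visible in it, 1 if not.
ciphertext_reveals() {
  grep -q -a -F -- "$1" "$2"
}

# Round trip on a constructed note; returns 0 only if the ciphertext hides
# the plaintext and decrypts back to the original byte for byte.
demo_roundtrip() {
  dir=$(mktemp -d) || return 1
  printf 'SECRET account number 12345\n' > "$dir/notes.txt"
  printf 'correct horse battery staple\n' > "$dir/pass.txt"
  encrypt_for_sync "$dir/notes.txt" "$dir/notes.txt.enc" "$dir/pass.txt" || return 1
  # the file handed to the cloud must not expose the note...
  if ciphertext_reveals 'SECRET' "$dir/notes.txt.enc"; then return 1; fi
  # ...and must come back intact with the right passphrase
  decrypt_from_sync "$dir/notes.txt.enc" "$dir/back.txt" "$dir/pass.txt" || return 1
  cmp -s "$dir/notes.txt" "$dir/back.txt" || return 1
  rm -rf "$dir"
}
```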

Getting bent because Dropbox only gives you 50% security is rather dumb. Anyone at all has to assume that it maxes out at 50% irrespective of what Dropbox claims. If you are smart and secure your own effects, then you’ve nothing to worry about and can get over this silly thing without a single thought. Makes sense to me.

1Password Bug

I ran into this little nasty earlier today. First to set the scene:

  • Mac OSX 10.6.6
  • 1Password Version 3.5.3 (build 30812)

I got an email from Trapster.com informing me that my account may have been compromised. Since I started using 1Password I’ve been making unique 16-character passwords for each individual site, so if a hacker gets my password for one site, he may own that, but nothing else. So I opened up 1Password and my highlight was on another entry related to another item. I went to the search field, typed in “trap” and found the entry for Trapster. I edited it, clicked on the password generator and made a new 16-character password. I clicked the “copy” button in the Password Generator dialog box and 1Password decided to replace the password for the previously highlighted item with the generated password that I meant to go into Trapster’s entry. I did this three times just to make sure I wasn’t losing my marbles.

The way around this is to not use the search feature at all. If you browse and highlight the Trapster entry and put in a new password that way, everything is fine.

I just thought I would blog about this to help anyone who might have run into this bug on their own: it isn’t your mind, it’s the program. I’ve forwarded the bug report to the people who write 1Password; we’ll see what response we get.

Peril is the New Black

On my daily slog through the grand stream of news, and it flows like a mighty river, I came across an article regarding how the Android mobile phone operating system has its first trojan horse. It’s a rite of passage for operating systems to be exploited, the author’s hard work lampooned by some clever other who finds a way to trick users into performing some really comically bad tasks on their device, often without them even being aware. This particular trojan horse is an otherwise innocuous Android app that does something simple, like wallpaper changing or something, but what it really does, surreptitiously, is send SMS messages to pay-for-SMS sites. The guess is that the trojan horse is sending SMS traffic to the right people so that the writers of the trojan horse benefit financially from it and its spread.

When I saw this story, I immediately started to re-compare the iOS system that Apple uses and the Android system that Google uses. Along with this I can’t get Cory Doctorow or Richard Stallman out of my head. These two were the ones who lambasted Apple for their closed approach to software, a closed device, a curated application creation process and restrictions on what the device can and cannot do. Both Mr. Doctorow and Mr. Stallman have railed at length, declaring that the only real computing platform is one that is utterly open and utterly free. I have to register that I respect both of these men, as much as I respect Steve Jobs at Apple, but to their point I feel I must point out a thin sliver of bullshit. While having a system that is perfectly open and perfectly free is very attractive, it is also wide open to the nasty aspect of computer science, the malware authors and their creations.

If we lived in a perfect world without the people who created these bits of malware such an open system would be an utter utopia, it would be level, easy, efficient, and wonderful. We do not live in that sort of world. This is where I differ from Mr. Doctorow and Mr. Stallman. What system do I prefer, which one would I want my family to use? It has to be iOS from Apple. That applications are curated by Apple is partially the value, the other is that the devices are firmly locked so that there is no possibility for a certain kind of clever creativity. The devices work according to a logical plan set forth by Apple and nobody is allowed to stray from the path. This grates against the tenets of Free Software, that if you own a thing you should be able to do whatever you wish to the thing. I respect usability and the non-expert nature of users too much to accept that this is a good thing for the consumer. It’s a good thing for the clever like Mr. Doctorow and Mr. Stallman, but these devices weren’t built for them, they were built for regular folk. Having the walled garden, the curated applications, and having Apple as a firm overseer to everything that is done with these devices is an absolute value that only enhances iOS. You accept that some things won’t ever appear on an iOS device for the protection that the overseers provide. Regular folk don’t care to be clever with their technology, they want their technology to be rational, useful, safe and looked after.

Android’s trojan horse is huge. It illustrates this exact point that I am trying to make. If my family were using Android and downloaded this app and used it, they would have an SMS bill to pay and the maliciously clever app writer would make off with their limited resources. I would rather have them living in a gilded cage of Apple’s making than the wild west of Android because I know that they would be happier in-the-cage than out-west.

People come to me and they ask me quite often for guidance on which platform they should adopt: Apple’s iOS, Google’s Android, and the other two, which would be Palm’s WebOS and Microsoft’s Windows Mobile. The latter two don’t even exist to me; Microsoft has been dead to me for several years now, and Palm spent most of their time waffling into a ditch. The real competition, the real money, is between iOS and Android. Before this I had respect for the Android system, and my only beef with it was that it was way too new, that older devices may not support updated versions of the Android OS, and the risk that people could be trapped with an older piece of software because they couldn’t afford to break their two-year commitment to the carrier. Now I can say, with a clear argument, that iOS is superior to Android simply because it is safer. What would I have my loved ones use? I’d rather they all use an iOS device from Apple. It’s not only the right choice, but it’s the only choice.