
Java and Security Risks

Prez Art Gorski finds info we need to read and heed. "In a recent update to Mountain Lion, Apple has removed the Java plug-in used in the Safari web browser. In the future, if you absolutely need Java in Safari, you will have to go download it yourself from the Oracle website.

"The question is: Do you REALLY need Java in Safari? For the vast majority of Mac users, the answer is NO. So this probably won't affect you.

"Why has Apple taken this step? Security! See the following interesting article.

Java Fix Doesn't Work (Updated 8-31)

We start out with the latest warning on Java, received at 3:20 pm Friday, 8-31. Jim Hamm brings us up to date. (Then read the rest of this for the background of this huge issue.)

"Now this is amazing. A few hours after Oracle issued a patch for the security flaw in Java, another exploit has been found. This has been forwarded to Oracle, but since Oracle never comments on these security breaches they didn't say anything. It doesn't appear the hackers have found this opening yet, but after they read this article, they'll probably start trying.

"Although our risk of hacking might be small, I think it's best to disable Java. I did so a long time ago and haven't missed it yet."

You saw this here on 8-27. Here's a warning from Jim Hamm: "If you've still got Java enabled in your browser, now's a good time to disable it. Another vulnerability with Java has surfaced. Take a read on this. In Safari, Java can be disabled in Preferences > Security > uncheck enable Java."

With another notice of a potential malware risk from Java 7, Jim sends this link. The last paragraph in the article states, "Mac owners can disable the Java plug-in from within their browsers, or remove Java 7 from their machines. To do the latter, select 'Go to Folder' from the Finder's 'Go' menu, enter '/Library/Java/JavaVirtualMachines/' and drag the file '1.7.0.jdk' into the Trash."

Here's a quick test to see if Java is disabled in your browser, from our eagle-eyed Jim Hamm. He tells us, "Just click here and if the box comes up empty, you're okay — Java is disabled."

And, Jim sends the latest: "Here's an article describing how Oracle knew about the Java vulnerability to a malware attack since early April. And, moving right along at a snail's pace, Oracle doesn't plan a fix till October. Given Oracle's slow response to acknowledging and fixing malware attacks, it's a wonder any developer uses Java at all."

We were surprised to see a fix announced here this afternoon (Thursday, August 30). Keep us informed on the latest and we'll pass the word along!

A hot topic: this just came out an hour ago (8-31) and recommends you turn Java off or delete it.

Gatekeeper in Mountain Lion

"One feature coming in OS X 10.8, Mountain Lion, is Gatekeeper — an enhanced security feature," announces Jim Hamm. He elaborates, "Recently, Macs have been attacked by malware, and we'll probably see more attacks in the future. Additional security protection is always welcome. Here are some comments about Gatekeeper, from AppleInsider and from Apple.com."

Here Jim goes on to quote from John Gruber of DaringFireball, posted 2-16-12. "My favorite Mountain Lion feature, though, is one that hardly even has a visible interface. Apple is calling it 'Gatekeeper.' It’s a system whereby developers can sign up for free-of-charge Apple developer IDs which they can then use to cryptographically sign their applications. If an app is found to be malware, Apple can revoke that developer’s certificate, rendering the app (along with any others from the same developer) inert on any Mac where it’s been installed.

"In effect, it offers all the security benefits of the App Store, except for the process of approving apps by Apple. Users have three choices for which type of apps can run on Mountain Lion:

1. Only those from the App Store
2. Only those from the App Store or which are signed by a developer ID
3. Any app, whether signed or unsigned

"The default for this setting is, I say, exactly right: the one in the middle, disallowing only unsigned apps. This default setting benefits users by increasing practical security, and also benefits developers, preserving the freedom to ship whatever software they want for the Mac, with no approval process.

"Call me nuts, but that’s one feature I hope will someday go in the other direction — from OS X to iOS."

Privacy & Security? HTTPS & VPN

Earlier we heard from Jim Hamm (posted on 3-28 as "Need to Use an Unsecured Wifi Hotspot") and now he helps us with clarification. Jim wrote to the developers of Cloak, which is a VPN (Virtual Private Network): "If 'HTTPS' is all one needs to be secure, why have a VPN function at all?"

HTTPS is Hypertext Transfer Protocol over Secure Sockets Layer. It encrypts the page requests and responses exchanged between your browser and the site.

The reply Jim received explains more about HTTPS and VPN. The following is quoted from Dave Peck, founder of www.GetCloak.com:

"1. HTTPS helps your browser verify the identity of the server it's talking to. For example, HTTPS can help the browser decide whether it's really talking to your bank. (This is why, if you ever see a warning about certificates when connecting to a site, you should stop immediately.)

2. Once the identity of the server is verified, HTTPS sets up an end-to-end encrypted connection between you and the server. So to continue the example, HTTPS lets you have a secure communications channel directly with your bank that nobody can listen in on.

So HTTPS, and the protocol it is built on (TLS), is awesome. And... if everyone used HTTPS/TLS then yes, there would be no reason as an individual to use a VPN like Cloak. There would still be plenty of reasons for small and medium businesses to use VPNs.

Unfortunately, we don't live in this world, at least not yet. Not everyone uses HTTPS or SSL/TLS (in fact, most web sites don't) and, further, even sites that do use HTTPS often use it badly, or inconsistently. Things seem to fall into four buckets:

1. Sites that don't use HTTPS at all. This is, sadly, the majority of sites. When you're on a network you don't trust (like at a coffee shop, airport, hotel, or at a conference) anybody can see what you're doing.

2. Sites that use HTTPS badly. Usually this means they don't use HTTPS everywhere. Prime examples of this would be Facebook and Amazon.com. By default, when you log in to Facebook and Amazon, you log in with HTTPS. It might seem that this protects your username and password, but this isn't quite the case. After you log in, Facebook and Amazon kick you back to HTTP pages. But wait! How do they know who you are on those HTTPS pages? They know who you are because they've cookied you with a non-secure cookie. For the duration of your session with those sites, that cookie is as good as your username and password. Anybody can log in as you and do whatever they want as you. This is what the hacker tool Firesheep was built to exploit, and unfortunately it is all too common -- Firesheep works on nearly 100 different web sites.

3. Native apps! These days, lots of stuff is done outside of the browser. Does the Twitter App for Mac use HTTPS or TLS? Who knows! We see a lot of problems here these days, and a lot of opportunities for Cloak to make things better.

4. Sites that use HTTPS well. Your bank, and PayPal, probably fall into this category. For these sites, Cloak doesn't make a difference.

I would like nothing more than to wake up one day and discover that Cloak is not necessary. But given that only one of four buckets is actually truly secure, I think we're easily five years off from that day. That said, one can never truly predict in the world of technology.

I should explain, in case it isn't clear, that Cloak isn't an end-to-end solution for security. When you use HTTPS, you get end-to-end encryption: just you and (say) your bank. When you use Cloak, you get encryption from your laptop or iDevice to our servers. From there, things are decrypted. But we host our own servers on networks with great peering agreements and extremely strict security policies. Our networks are trustworthy, whereas presumably the networks "out there" in the wild, like at coffee shops etc, are not. It's only if you truly cannot trust the Internet at all that HTTPS and TLS are your only options.

Bottom line for all of this: I believe that we still live in a world where Cloak can provide real value; I hope that technologies like HTTPS and SSL will ultimately become so prevalent that tools like Cloak won't be needed anymore. I think we're many years off from that day."

Thanks to Jim for getting this information for PMUG.
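The "uses HTTPS badly" bucket above (secure login, then HTTP pages carrying a session cookie that lacks the Secure attribute) can be checked mechanically from a site's Set-Cookie headers. This is an added example, not code from Cloak or from the post; the header lines and cookie names (sessid, theme) are constructed.

```python
# Added example: audit Set-Cookie headers for the "log in over HTTPS, then
# fall back to HTTP" problem described above. Header lines are constructed.

def parse_set_cookie(header):
    """Parse one Set-Cookie value into a dict: name, value, secure, httponly."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key = attr.partition("=")[0].strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def cookies_sent_over(cookies, scheme):
    """Cookie names a browser would attach to a request using this URL scheme.

    A cookie without the Secure attribute rides along on plain http://
    requests too, which is what a sniffer on an open Wi-Fi network needs
    to replay the session."""
    return [c["name"] for c in cookies
            if scheme == "https" or not c["secure"]]


def audit_session_cookies(headers, session_names):
    """Return findings for session cookies that would leak over HTTP."""
    findings = []
    for cookie in map(parse_set_cookie, headers):
        if cookie["name"] not in session_names:
            continue
        if not cookie["secure"]:
            findings.append(f"{cookie['name']}: missing Secure, "
                            "sent in clear on http:// pages")
        if not cookie["httponly"]:
            findings.append(f"{cookie['name']}: missing HttpOnly, "
                            "readable by page scripts")
    return findings


# Constructed login responses: the weak one mirrors the "bucket 2" sites,
# the hardened one keeps the session cookie off plain-HTTP requests.
WEAK_LOGIN = ["sessid=9f2c1a7e; Path=/; HttpOnly",
              "theme=dark; Path=/"]
HARDENED_LOGIN = ["sessid=9f2c1a7e; Path=/; Secure; HttpOnly",
                  "theme=dark; Path=/"]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        jar = [parse_set_cookie(h) for h in hdrs]
        print(label, "over http:", cookies_sent_over(jar, "http"))
        print(label, "findings:", audit_session_cookies(hdrs, {"sessid"}))
```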

Here's More on Security & Privacy

Ward Stanke passed along more info when he spoke at yesterday's PMUG meeting than his printed handout showed. Be sure to check out Mozilla Firefox because it gives you good choices for security and privacy. Look at 1Password for a utility to create and store unique passwords. See it at https://agilebits.com/onepassword/mac .

Look here about opting out of ads that are tailored to your Web preferences and usage patterns: http://networkadvertising.org  Their policy is that all NAI member companies set a minimum lifespan of 5 years for their opt-out cookies.

Take a look at this interesting possibility: http://pobox.com/  You can use a custom email address that you'll own for life.

Scroll down for Ward's handout reproduced in this newsblog.

Apple Security Under Attack: The View from Windows

        "One has to ask that without regard to the reported statistics from a Windows security expert that OS X has more vulnerabilities than Windows, why is it that there are more successful attacks on Windows than on a Mac?"  It's John Carter catching our attention first thing this morning.  He declares, "Keeping the Mac world informed by staying up late."
        Now, John gets down to the facts.  "The game is about numbers. There are more Windows machines that can virtually provide a greater return on successful attacks. Suppose the ratio of Windows to OS X is 80 to 1. If there are 1000 Macs to be hacked then there must be 80,000 Windows to be hacked. Let’s assume that the vulnerability ratio is reversed, that OS X has 80 times the vulnerability of Windows. To put it in virtual numbers, OS X has 80 ways to be attacked and Windows has only 1. Let’s say that for every successful attack on any machine you earn $1 as a reward. No matter how many ways you attack a machine, once it is attacked you get $1 and the machine is shut down - nothing more to be gained. Attacking all Macs earns you a maximum of $1000. There are 80,000 Windows, therefore you can earn $80,000 by shutting down all those machines. Let’s also assume that each time you successfully attack a machine, an update closes that door but the next day you find another one has taken its place. This means that every day you can earn either $80,000 or $1,000 or both. Which one would you go after, and would you bother trying for the additional $1,000 if the effort to do so was the same for both?
       "In terms of rewards, the number of vulnerabilities doesn’t matter. What matters is how much of a return you can get on the number of attacks you attempt.
        "Most big businesses are using Unix as their primary interface to the world, and once you get into a big business the return on your investment is greater depending on whether you want to shut the business down temporarily or acquire its secrets. OS X is based on Unix, therefore the vulnerability of Unix machines, by definition, is as great as that for the Mac. And since big business offers a greater reward on successful attacks, they are a better target than personal Macs.
        John goes on to explain in detail, "Even if every Mac is shut down, the number is still far less than if every Windows machine is shut down. Still, 100 percent is the same regardless of the actual numbers involved. But remember, the game is about numbers, not percentages. In a given day, if 60 of the 1000 Macs were hacked and 60 of the 80,000 Windows were hacked, percentages would tell you that Windows is safer. The hackers don’t care - they got what they went after, and there are greater numbers offering greater rewards to go after Windows and big business.
         "If you want to know how many attempts are being made every day on your computer (hackers trying to find a way in), there are tools for that. You can keep hackers from getting into your computer with the right tools, but only you can prevent your fingers from clicking on the wrong link. If you have a Mac, the chances of getting a virus that way are far slimmer than if you have Windows.
        "So let’s say that a hacker does get into your Mac. He does a quick survey and finds your address book, your email, your passwords, and your financial files. Pretty good. Maybe. One way to protect yourself against this kind of robbery is to encrypt the folders that contain your address book, your email, your passwords, and your financial files. You should use a different password than your login password to access the encrypted files, and do not put the encryption key anywhere on the computer - but on a piece of paper filed away in your desk. If the encryption key is strong enough, the only real damage the thief can do is wipe your computer clean. But you have a clone to restore from, don’t you? Another possibility is that the thief can install an app to capture your key strokes and hope that you won’t find it. This is called spyware. To date, there are only two known spyware apps for the Mac (to my knowledge), and the chances of getting them are rare, and I suspect the only reports about them are just from a company that wants to sell you their anti-virus/spyware program.
        "For a run-down on the ways you can protect your Mac, read this. You might even want to go a bit deeper in protecting your Mac by reading this."
        And, now the grand finale from John, "My conclusion is you are safer owning a Mac than owning Windows even if you do none of the tips described above."

You Can Block All Ad Spying

        Here's some interesting info from Prez Art Gorski.  He writes about Ghostery, "This Safari plug-in (double-click on it after download to install) will allow you to block all ad spying services. To configure that option, go to a website like Macworld where Ghostery will show you the list of services spying on you, then right click on that to go to the Ghostery settings. In there, you can block all of them."
        Note the tiny "ghostly" icon in the heading when I bring up this PMUG Newsblog for the following screen shot.


Password Protection

Wondering about passwords, we queried David Passell. Here's his take:

"The password method I was speaking of finally bubbled to the surface. Of course MS Word, Open Office, and Pages allow you to password protect a single document, check HELP. However, I wanted to password protect a whole folder full of stuff. Like I would put it in Dropbox, but nobody else could see it (I don't know whether they could delete it though--something I don't like about Dropbox.)

Anyway what I did was:

1. Start Disk Utility
2. Select FILE > disk image from folder
   • Window opens
3. Find the folder full of stuff you want to protect.
4. Click on it
   • A window opens and you will see the [folder name].dmg
5. If you click on the arrows to the right of "compressed" (the default) you will have choices, but you can leave it where it is.
6. Click on arrows to the right of "encryption" and you will be able to choose 128 bit or 256 bit encryption. 128 should be adequate.
7. Click SAVE button on the lower right of the window and you will see

8. Type in a password and then again to verify it. Note that as you type in your password a graph will tell you whether it is a strong or weak password. One punctuation mark seems sufficient to raise it from Fair to Good.
9. Now you will have a [folder name].dmg folder. You could put it in Dropbox and nobody but you could open it.
10. To open the folder double-click it.
11. Enter the password and OK and if you didn't make a mistake (I usually do at least once) you will see

12. Now if you click on the disk drive symbol you can access what is there.
NOTE: If you did not uncheck "save in keychain" it will open on your own machine without typing in a password.
13. When you are through, EJECT the drive symbol."

Thanks, David, for your input.

Let's Hear About Lion

        The news today is full of information and comments on Lion.  Jim Hamm sends this article on Lion security that introduces us to ASLR (Address Space Layout Randomization) and "security sandboxes," and this article on how to access your Library folder in Finder. He comments that Method 2 works fine.
        Jim also wants us to see this from the New York Times. Their last paragraph summarizes what they're trying to explain, "The Lion upgrade, in other words, is classic Apple: innovative to some, gimmicky to others, big leaps forward, a few stumbles back. It may never be the king of the jungle. But once the world’s software companies have fully Lionized their wares, and once Apple exterminates the bugs, Mac OS X 10.7 might be something even more exotic: a fast, powerful, good-looking, virus-free, thoroughly modern operating system."
        More news:  Lion will be available via USB drive for $69 from the Apple store in late August.

A Look at Google+ . . . Updated

Here's a Computerworld look at the many features of the new Google+ which declares it will replace email, Facebook, Twitter, Skype, blogging, RSS, Gmail and email newsletters.  The writer says that spammers can't copy, retain and sell your email address.  He says the term "social networking" is not an adequate term for Google+.  Jim Hamm sent us this info. Just now (7-12)  this PCWorld article tells about security risk issues involving an app that allows Firefox and Chrome users to view Facebook data within Google+.