security

Apple Security Under Attack: The View from Windows

        "One has to ask that without regard to the reported statistics from a Windows security expert that OS X has more vulnerabilities than Windows, why is it that there are more successful attacks on Windows than on a Mac?"  It's John Carter catching our attention first thing this morning.  He declares, "Keeping the Mac world informed by staying up late."
        Now, John gets down to the facts.  "The game is about numbers. There are more Windows machines that can virtually provide a greater return on successful attacks. Suppose the ratio of Windows to OS X is 80 to 1. If there are 1000 Macs to be hacked then there must be 80,000 Windows to be hacked. Let’s assume that the vulnerability ratio is reversed, that OS X has 80 times the vulnerability of Windows. To put it in virtual numbers, OS X has 80 ways to be attacked and Windows has only 1. Let’s say that for every successful attack on any machine you earn $1 as a reward. No matter how many ways you attack a machine, once it is attacked you get $1 and the machine is shut down - nothing more to be gained. Attacking all Macs earns you a maximum of $1000. There are 80,000 Windows, therefore you can earn $80,000 by shutting down all those machines. Let’s also assume that each time you successfully attack a machine, an update closes that door but the next day you find another one has taken its place. This means that every day you can earn either $80,000 or $1,000 or both. Which one would you go after, and would you bother trying for the additional $1,000 if the effort to do so was the same for both?
       "In terms of rewards, the number of vulnerabilities doesn’t matter. What matters is how much of a return you can get on the number of attacks you attempt.
        "Most big businesses are using Unix as their primary interface to the world, and once you get into a big business the return on your investment is greater depending on whether you want to shut the business down temporarily or acquire its secrets. OS X is based on Unix, therefore the vulnerability of Unix machines, by definition, is as great as that for the Mac. And since big business offers a greater reward on successful attacks, they are a better target than personal Macs."
        John goes on to explain in detail, "Even if every Mac is shut down, the number is still far less than if every Windows machine is shut down. Still, 100 percent is the same regardless of the actual numbers involved. But remember, the game is about numbers, not percentages. In a given day, if 60 of the 1000 Macs were hacked and 60 of the 80,000 Windows were hacked, percentages would tell you that Windows is safer. The hackers don’t care - they got what they went after, and there are greater numbers offering greater rewards to go after Windows and big business.
         "If you want to know how many attempts are being made every day on your computer (hackers trying to find a way in), there are tools for that. You can keep hackers from getting into your computer with the right tools, but only you can prevent your fingers from clicking on the wrong link. If you have a Mac, the chances of getting a virus that way are far slimmer than if you have Windows.
        "So let’s say that a hacker does get into your Mac. He does a quick survey and finds your address book, your email, your passwords, and your financial files. Pretty good. Maybe. One way to protect yourself against this kind of robbery is to encrypt the folders that contain your address book, your email, your passwords, and your financial files. You should use a different password than your login password to access the encrypted files, and do not put the encryption key anywhere on the computer - but on a piece of paper filed away in your desk. If the encryption key is strong enough, the only real damage the thief can do is wipe your computer clean. But you have a clone to restore from, don’t you? Another possibility is that the thief can install an app to capture your key strokes and hope that you won’t find it. This is called spyware. To date, there are only two known spyware apps for the Mac (to my knowledge), and the chances of getting them are rare, and I suspect the only reports about them are just from a company that wants to sell you their anti-virus/spyware program.
        "For a run-down on the ways you can protect your Mac, read this. You might even want to go a bit deeper in protecting your Mac by reading this."
        And, now the grand finale from John, "My conclusion is you are safer owning a Mac than owning Windows even if you do none of the tips described above."

You Can Block All Ad Spying

        Here's some interesting info from Prez Art Gorski.  He writes about Ghostery, "This Safari plug-in (double-click on it after download to install) will allow you to block all ad spying services. To configure that option, go to a website like Macworld where Ghostery will show you the list of services spying on you, then right click on that to go to the Ghostery settings. In there, you can block all of them."
        Note the tiny "ghostly" icon in the heading when I bring up this PMUG Newsblog for the following screen shot.

     

Password Protection

        Wondering about passwords, we queried David Passell.  Here's his take:
        "The password method I was speaking of finally bubbled to the surface. Of course MS Word, Open Office, and Pages allow you to password protect a single document, check HELP. However, I wanted to password protect a whole folder full of stuff. Like I would put it in Dropbox, but nobody else could see it (I don't know whether they could delete it though--something I don't like about Dropbox.)
        Anyway what I did was:
1. Start Disk Utility
2. Select FILE > disk image from folder
       • Window opens
3. Find the folder full of stuff you want to protect.
4. Click on it
       • A window opens and you will see the [folder name].dmg
5. If you click on the arrows to the right of "compressed" (the default) you will have choices, but you can leave it where it is.
6. Click on arrows to the right of "encryption" and you will be able to choose 128 bit or 256 bit encryption. 128 should be adequate.
7. Click SAVE button on the lower right of the window and you will see

8. Type in a password and then again to verify it. Note that as you type in your password a graph will tell you whether it is a strong or weak password. One punctuation mark seems sufficient to raise it from Fair to Good.
9. Now you will have a [folder name].dmg folder. You could put it in Dropbox and nobody but you could open it.
10. To open the folder double-click it.
11. Enter the password and OK and if you didn't make a mistake (I usually do at least once) you will see

12. Now if you click on the disk drive symbol you can access what is there.
NOTE: If you did not uncheck "save in keychain" it will open on your own machine without typing in a password.
13. When you are through EJECT the drive symbol.
        Thanks, David, for your input.

Let's Hear About Lion

        The news today is full of information and comments on Lion.  Jim Hamm sends this article on Lion security that introduces us to ASLR (Address Space Layout Randomization) and "security sandboxes," and this article on how to access your Library folder in Finder. He comments that Method 2 works fine.
        Jim also wants us to see this from the New York Times. Their last paragraph summarizes what they're trying to explain, "The Lion upgrade, in other words, is classic Apple: innovative to some, gimmicky to others, big leaps forward, a few stumbles back. It may never be the king of the jungle. But once the world’s software companies have fully Lionized their wares, and once Apple exterminates the bugs, Mac OS X 10.7 might be something even more exotic: a fast, powerful, good-looking, virus-free, thoroughly modern operating system."
        More news:  Lion will be available via USB drive for $69 from the Apple store in late August.

A Look at Google+ . . . Updated

Here's a Computerworld look at the many features of the new Google+ which declares it will replace email, Facebook, Twitter, Skype, blogging, RSS, Gmail and email newsletters.  The writer says that spammers can't copy, retain and sell your email address.  He says the term "social networking" is not an adequate term for Google+.  Jim Hamm sent us this info. Just now (7-12)  this PCWorld article tells about security risk issues involving an app that allows Firefox and Chrome users to view Facebook data within Google+.

Considering Dropbox

Whether or not you've made friends with Dropbox it's a good idea to familiarize yourself with it.  Here's some very important information, just released by Dropbox on 7-1-11, notifying me by email on 7-2-11 at 7:49 pm.  By this time there were so many complaints and comments posted there it would take 114 pages to print it.  The blog explains TOS, (Terms of Service), privacy policy and security.  By continuing to use Dropbox you automatically agree to the new TOS which takes effect 7-15-11.

Apple Releases Security Update Today

        Alerted first by a PCmagazine article, the official info comes from this Apple Support site.  The security update 2011-003 is 2.1 MB and takes less than 2 minutes to download.  It was released earlier today, May 31, for OS X v. 10.6.7.
        What do you know?  David Passell writes to brag that his update took less than a minute!

More About: Keep in Mind About Your Computer Security . . .

        A good reminder comes from Allen Laudenslager.  He sends this CNN article, declaring that it might help give a little clarity on the MacDefender malware issue.  The article, entitled, "New Malware Revives Mac vs. Windows Security Debate" states that Microsoft recently pointed out that 1 in 14 downloads on Windows are malicious.  And the fact that there is just one piece of Mac malware being widely discussed illustrates how rare malware still is on the Mac platform.  The writer concludes, " . . . the moral of this story is to be wary that Mac malware is in the wild, and be cautious about installing sketchy software from unfamiliar sources."
        This evening several news reports discuss the malware.  AppleInsider states that Apple will release an update to Mac OS X to automatically find and remove the malware.  The article concludes, "The scam site is also unable to install the malware without the user supplying an administrative password. Even so, hundreds of users have been duped by the scam, although the outbreak appears to be more of a nagware annoyance than a serious security problem."
        First thing this morning, (5-25) Allen passes on this Apple Support information which lists the authorized steps to take to remove the malware if you happen to inadvertently download it. Once the Mac OS X software update is here we'll have "no more concern about the only widespread Mac malware that we have to worry about" because it will automatically find and remove the MacDefender malware and its known variants.
        Joining in with helpful info now is Art Gorski, recommending this from MacWorld.
        This afternoon (5-25) we found this in ComputerWorld: "Mac users running Safari can stop avRunner from automatically opening its installer screen by unchecking the box marked 'Open 'safe' files after downloading' at the bottom of the General tab in the browser's Preferences screen."  Read the whole article.
        Here's the 5-26 article from Computer World with more details.
        What else are PMUG members saying about malware, security, anti-virus issues?  On the right side of this newsblog scroll to the Labels list and look up those keywords, and any other keywords you're interested in researching.  Our PMUG members do a good job of finding out -- and passing along -- all kinds of Mac information.

Security Settings for Safari

        Thanks to Jim Hamm who writes, "Here are some comments about security in Safari from a member of a Mac forum I belong to. These are the settings he recommends. I’ve not tried or read about the last item in his list: FlashToHTML5. I’ll have to learn more about this, and why/if to use it."
     Safari - Block Pop-Up Windows
     Safari - Preferences - General - Open "safe" files after downloading (uncheck)
     Safari - Preferences - Autofill - Using info from my Address Book card (uncheck)
     Safari - Preferences - Autofill - User names and passwords (uncheck)
     Safari - Preferences - Security - Fraudulent sites (check)
     Safari - Preferences - Security - Location services (uncheck)
     Safari - Preferences - Security - Web content (uncheck all for most security, but check as you need capability)
     Safari - Preferences - Security - Accept cookies (check only "Only from sites I visit")
     Safari - Preferences - Security - Ask before sending a non-secure form from a secure website (check)
     Safari - Preferences - Extensions - AdBlock (add this extension to block most ad content)
     Safari - Preferences - Extensions - FlashToHTML5 (add this extension to convert Flash to HTML5 when possible)
        "The biggest setting to change is the Human Setting. Think about links before you click them. Hover over them to reveal their true destinations before clicking on them. Watch for non-secure (http://) links that ought to be secure (https://)--anything that deals with money, like banks, checkouts, etc. Look for the green secure/trusted indicator in the URL bar.
         "Watch for links that include multiple 'http' strings -- these initially look like they go to the first domain listed, but actually go to the last one listed (http://www.trustedbank.com.http://evil-domain.net/blah/blah). DON'T click these. If a bank asks you for your account login information in email, via a link sent in email, it's fraudulent. If clicking a link causes an 'Enter your system administrator password' prompt, think long and hard before typing it in. I think you get the idea."

How to Check It Out

        With scams and suspicious things in the news we can thank Art Gorski for passing along his experience.  He writes, "Just yesterday I got an email from PayPal asking me to agree to a new set of terms and conditions to continue to have a PayPal account.
        "If I didn't have a PayPal account this would obviously be spam I could just delete. However, I do have a PayPal account.
        "This could still be an attempt to lure me into trouble, so I carefully examined the email. The Reply-To address looked OK, it ended in 'paypal.com' and not in something dangerous like 'paypal.com.ru.' I used the 'View > Message' menu in Mail to show the message as 'Raw Source.' This makes it thoroughly ugly, but will reveal all the website links hidden in the message as they really are. All of these looked OK.
        "But still, I'm paranoid about 'social engineering' scams that try to get you to give up your username and password, and PayPal is a potentially very damaging one if you lose your credentials to a hacker.
        "So in the end, I trashed the email and just used my normal Safari bookmark to log in to PayPal. Sure enough, the website asked me immediately to agree to new terms and conditions, so I handled it from there, since I knew it was safe to do so."
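The checks described in the posts above (a Reply-To that really ends in the expected domain, links that contain more than one 'http' string, non-secure links, and links that point somewhere else) can be run over a message's raw source. This is an added example, not code from the newsletter or its contributors; the sample message is constructed from the host names quoted in the posts, and the function names are this example's own.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real email); hosts are the ones named in the posts.
SAMPLE_RAW = (
    "Reply-To: PayPal <service@paypal.com.ru>\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<a href="https://www.paypal.com/terms">New terms</a>\n'
    '<a href="http://www.paypal.com.ru/login">Log in</a>\n'
    '<a href="http://www.trustedbank.com.http://evil-domain.net/blah/blah">Bank</a>\n'
)

def host_in_domain(host, domain):
    """True only for the domain itself or a real subdomain (rejects paypal.com.ru)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # real destinations, whatever the visible link text says
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def check_url(url, domain):
    """Return the reasons a link is suspicious for a sender claiming `domain`."""
    parts = urlsplit(url)
    checks = [
        (url.count("://") > 1, "multiple http strings"),
        (parts.scheme.lower() != "https", "not https"),
        (not host_in_domain(parts.hostname, domain), "host outside " + domain),
    ]
    return [reason for failed, reason in checks if failed]

def audit_message(raw, domain):
    """Map each suspicious Reply-To address or link in a raw message to its reasons."""
    msg = message_from_string(raw)
    findings = {}
    reply = parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]
    if not host_in_domain(reply.rpartition("@")[2], domain):
        findings["Reply-To " + reply] = ["address outside " + domain]
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    findings.update({u: r for u in collector.links if (r := check_url(u, domain))})
    return findings

if __name__ == "__main__":
    print(audit_message(SAMPLE_RAW, "paypal.com"))
```

A link that legitimately carries another URL in its query string also trips the `://` count, so treat each finding as a prompt to look closer rather than a verdict.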

Watch Out For This

        Just spotted this article from ComputerWorld about fake security software on Mac.  You'll want to be knowledgeable about this threat.  Apple discussions has more than 20 entries on this, with the most recent dated today, 5-2-11.
          Jim Hamm sends us this from The Unofficial Apple Weblog with  specifics for finding and deleting -- as well as preventing -- the MacDefender app.  The article tells us to uncheck "Open 'safe' files after downloading" in Safari Preferences.  And the writer closes with, "For those of you who haven't been hit by the MacDefender app, take care while downloading images for the next few weeks."

Adobe Critical Update

Adobe calls it a "critical update" and you'll want to read about it here.  Thanks to Jim Hamm for alerting us this afternoon.  Go to Adobe here to see what version you already have installed. Then go to this help page to specify settings you want for privacy, storage, security, notifications, playback settings, and peer-assisted networking panel.  Are you giving permission for companies to access your computer's microphone and camera?

Privacy Features in Today's Update

        Earlier today we found out that Apple plans to add a new privacy feature to Safari that keeps online advertising networks and other tracking tools from monitoring user activity. We posted this and we thanked David Passell for this info.  
       Later this afternoon, after reading what MacObserver said, up came notification for Security update 2011-002 for Leopard and Snow Leopard, iPhone, and Safari.  Read all about it, and keep up with these great improvements.

Info on Security Issues

The latest (February) issue of Popular Mechanics addresses "the war on privacy."   Page 56 tells briefly about Super Cookies.  Trying to track down specifics I looked at this PCWorld article, then an article from Adobe about these LSOs, Local Shared Objects, which are also known as flash cookies.  Here's Adobe's seven page document outlining their policies on their legal rights and practices.  Elaine's take on this, "The invasion of gadgets which spy on us is not a thought to be easily dismissed; we might well take time to consider how we are affected."