Apple makes late entry into whack-a-mole game

From Good Morning Silicon Valley.

After weeks of dodging the issue of a recent widespread malware outbreak, Apple has changed course and is addressing affected customers’ concerns.

On Tuesday, Apple finally posted instructions on its support site on how to avoid or remove the malicious program, and said an Mac OS X update in the coming days will remove it or block it from installing in the first place.

The MacDefender malware, one of the few to actually target Mac operating systems, is a phishing program that fools users into thinking they are downloading anti-virus protection when it’s actually going after credit-card information. ZDNet estimates between 60,000 and 125,000 Mac users have been affected in the past month, and in an eyebrow-raising report quoted an Apple tech support insider who said they were expressly forbidden from helping callers remove the malicious program. That supported leaked internal documents that Gizmodo published last week which, among other things, told customer service reps: “AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer’s Mac is infected or not.”

While support from Apple is a welcome development, the company’s initial reaction is disturbing from a customer-service standpoint. Just as disturbing to many Mac users is the realization that their OS’s, so long considered safe from most Internet viruses, are not immune after all.

This is beginning to look like a pattern. Remember the clueless way Apple handled the problem with the iPhone 4 antenna and then the controversy about the ‘bug’ which enabled iPhones to accumulate and store unencrypted location data on the devices? The problem Apple has is that its reputation for effortless design superiority now leads to corporate paralysis whenever events threaten to undermine the image.

And of course there is the problem that as the Mac becomes more and more successful, the juicier a target it presents for malware.

UPDATE: The Apple advisory note is already out of date.

Ed Bott says “File that memo under, ‘Too little, too late.'”

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.

A security researcher for Intego, the Mac-centric security company that identified the original Mac Defender, found the first example of this new code via a poisoned Google search very early this morning.

Several factors make this specimen different. For starters, it has a new name: MacGuard. That’s not surprising, given that the original program already had at least three names. But this one is divided into two separate parts.

The first part is a downloader. In the original version, this asked the user to enter his or her administrator password. The new version works on the assumption (generally correct) that most Macs are single-user machines –which means that the user has the requisite privileges and so the malware bypasses the admin-password dialogue. The software then installs an application named avRunner, which launches automatically and installs the second part, which is similar to the original Mac Defender. The installer then deletes itself from the user’s Mac, so no traces of the original installer are left behind.

So Apple is now embarked on the same game of whack-a-mole that Microsoft has had to play for years. The evidence so far suggests that Steve Jobs & Co aren’t experienced players. Maybe they need help from Redmond, where they know more about this than anybody else.

SONY hack launched from Amazon Cloud

Wow! Amazing Bloomberg report.

For three pennies an hour, hackers can rent Amazon.com Inc. (AMZN)’s servers to wage cyber attacks such as the one that crippled Sony Corp. (6758)’s PlayStation Network and led to the second-largest online data breach in U.S. history.

A hacker used Amazon’s Elastic Computer Cloud, or EC2, service to attack Sony’s online entertainment systems last month, a person with knowledge of the matter said May 13. The intruder, who used a bogus name to set up an account that’s now disabled, didn’t hack into Amazon’s servers, the person said.

The incident helps illustrate the dilemma facing Chief Executive Officer Jeff Bezos: Amazon’s cloud-computing service is as cheap and convenient for hackers as it is for customers ranging from Netflix Inc. (NFLX) to Eli Lilly & Co. (LLY) Last month’s attack on Sony compromised more than 100 million customer accounts, the largest data breach in the U.S. since intruders stole credit and debit card numbers from Heartland Payment Systems in 2009.

“Anyone can go get an Amazon account and use it anonymously,” said Pete Malcolm, chief executive officer of Abiquo Inc., a Redwood City, California-based company that helps customers manage data internally and through cloud computing. “If they have computers in their back bedroom they are much easier to trace than if they are on Amazon’s Web Services.”

Journal of the cyber-plague years

My piece in today’s Observer.

In 1971, Bob Thomas, an engineer working for Bolt, Beranek and Newman, the Boston company that had the contract to build the Arpanet, the precursor of the internet, released a virus called the "creeper" on to the network. It was an experimental, self-replicating program that infected DEC PDP-10 minicomputers. It did no actual harm and merely displayed a cheeky message: "I'm the creeper, catch me if you can!" Someone else wrote a program to detect and delete it, called – inevitably – the "reaper".

Although nobody could have known it 40 years ago, it was the start of something big, something that would one day threaten to undermine, if not overwhelm, the networked world…

So were the Israelis behind the Stuxnet worm?

According to the NYTimes, it’s beginning to look that way.

Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.

Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.

The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.

The new forensic work narrows the range of targets and deciphers the worm’s plan of attack. Computer analysts say Stuxnet does its damage by making quick changes in the rotational speed of motors, shifting them rapidly up and down.

Changing the speed “sabotages the normal operation of the industrial control process,” Eric Chien, a researcher at the computer security company Symantec, wrote in a blog post.

Those fluctuations, nuclear analysts said in response to the report, are a recipe for disaster among the thousands of centrifuges spinning in Iran to enrich uranium, which can fuel reactors or bombs. Rapid changes can cause them to blow apart. Reports issued by international inspectors reveal that Iran has experienced many problems keeping its centrifuges running, with hundreds removed from active service since summer 2009…

More detail here.

The worm that’s turning

This morning’s Observer column

In the normal course of events, a Siemens Simatic Programmable Logic Controller PLC would not be of interest to anyone other than a hardcore industrial process engineer. It’s a small, dedicated computer used to control the operations of specialised machinery in a wide range of manufacturing industries. Since June, however, the Siemens controllers have become a topic of intense interest to people like journalists and policymakers who, in normal circumstances, have difficulty controlling a microwave oven.

How come? The reason is the Stuxnet worm, a piece of computer malware as malicious software is called, that has caused a huge stir in the mainstream media…

Now the French government is advising people to stop using IE

Well, well. Even I’m surprised by this.

Following in the footsteps of Germany last week, France is now advising its population to use an alternative browser pending a patch for an Internet Explorer vulnerability.

The French Computer Emergency Response Team (CERT) published an advisory on Friday January 15 stating “pending a patch from the publisher, CERT recommends using an alternative browser.” In the advisory Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only exploitable on Internet Explorer 6.

Last week the German Federal Office for Security in Information Technology (BSI) issued a similary advisory urging its population to stop using IE. According to the BSI the flaw will, put simply, “perform reconnaissance and gain complete control over the compromised system.” The BSI noted that even running Internet Explorer in Protected Mode isn’t enough to stop the flaw. Microsoft issued further insight into the vulnerability this morning in a company blog posting. The software giant confirmed the exploit is only effective against Internet Explorer 6.

Wonder if French and German users will pay any attention to this.

Hooray! I’ve won

Latest spam message:

We wish to inform you that you are one of the winners of
STATE EDUCATIONAL STUDENT AWARD July 2009,your e-mail address won and
Therefore you have been approve for a lump sum of (900.000.00 Usd)
Nine Hundred Thousand Dollars to support your Education through the
internet Wedsite .This promotional program takes place every year,and
is promoted and sponsored by eminent personalities like the Sultan of
Brunei,Billgate of Microsoft and other corporate organizations.

N/B: This is to IMPROVE THE LEVEL OF EDUCATION WORLDWIDE AND TO
ENCOURAGE THE USE OF INTERNET AND COMPUTERS WORLDWIDE.

PAYMENT PROCESSING FORM FILL IT AND SEND IT TO THE BANK FOR CLAIM .

(1) My Name is ……….i came from……..i hereby apply to claim
my prize that i won, as winner of the STATE EDUCATIONAL STUDENT
AWARD,i am requested to claim my prize of…… which my school email
id was among winners of the year July 2009.
(2) AGE………..(3) SEX…………(4) COUNTRY…………
(5) PHONE NUMBER ………(6) OCCUPATION:………..

Contact the bank and call them:
Name: ALI HASSAN
Email: fund_transferofficedept@yahoo.com
Email: trustbankplc@rocketmail.com
PRO ACCOUNT Officer In charge.
Phone:+234-704-0960-772.

Can’t wait!

Er, who falls for this crap? Somebody must.

Spam, spam, spam

According to the latest report (pdf format) from MessageLabs, 90.4% of all email is spam. The percentage is unchanged from last month. Other highlights from the report:

• Viruses – One in 269.4 emails in June contained malware (an increase of 0.06% since May)
• Phishing – One in 280.4 emails comprised a phishing attack (unchanged since May)
• Malicious websites – 1,919 new sites blocked per day (an increase of 67.0 % since May)
• 58.8% of all web-based malware intercepted was new in June, an increase of 24.6% since May
• The Cutwail Botnet bounces back
• 83.2% of all spam was sent via botnets in June
• Image spam continues, accounting for 8-10% of all spam in June
• Instant Messaging malware increases – 1 in 78 IM-based hyperlinks point to malicious websites

Tech Review reports that a team of researchers at the Georgia Institute of Technology has come up with a potentially more efficient approach to identifying spam. The researchers analyzed 25 million e-mails and discovered several characteristics that could be gleaned from a single packet of data and used to efficiently identify junk mail. For example, legitimate email tends to come from computers that have a lot of ports open for communication, whereas bots tend to keep open only the SMTP port. They also found that geographical mapping of IP addresses helps. Spam, it turns out, tends to travel farther than legitimate email.

Twitter puzzles

This tweet by Rory Cellan-Jones sent me to Twittercounter, which produced this chart:

Suggests that something strange is going on. Compare, for example, with the chart for my account, which accurately reflects data coming from email notifications from Twitter.

Hmmm… Is a spambot signing up ‘followers’ of Rory?

LATER: Now he’s back to his original track.

Which suggests that there’s something wrong with Twittercounter?

Moral: put not your faith in these statscounting services.

What’s going on in your browser window?

If you want a measure of how far we’ve moved from the days of simple HTML, then just install the NoScript add-on for Firefox. It detects every script that a site is running within the page and asks you to make a decision about whether to allow it or not. It’s an eye-opener. The image shows what happened when I opened a normal page from the Wall Street Journal.

The sad fact is that there’s so much AJAX-like stuff out there that running NoScript is a bit of a pain. The old adage about the price of liberty being eternal vigilance needs updating. The price of online security is endless hassle.