Archive for category News

Cool T-Shirts.

Check out [ZenBurger.com](http://www.zenburger.com) and [their shop](http://www.cafepress.com/zenburger) for a serving of irreverent comment and excellent t-shirts.
Or if mainstream monotony is more your bag then check out [these INXS t-shirts](http://tsprint.com.au/inxs). (This is Coretech’s first secure, online shop with live payment gateway – makes us very proud young techos.)

mac os x security – 2006-001 update helpful but not complete.

***WARNING***
Extremely Nerdy Mac Security Stuff Follows – it is however important to read if you are a Mac user.

I’ve been playing around with the proof of concept security scares – mainly the Safari executing shell scripts thing and the Inqtana Bluetooth thing.

First the Safari “__MACOSX” ZIP Archive Remote Code Execution Exploit:
Synopsis
There is still a viable attack vector for malware on OS X. Attachments or downloads can launch arbitrary code on your machine when you open them. User intervention is required to launch the disguised file but the admin password is not required unless the malware contains code that requires admin privileges.

Good Info [here](http://isc.sans.org/diary.php?storyid=1138&rss), [here](http://www.heise.de/english/newsticker/news/69862), and how this also affects Apple Mail [here](http://www.heise.de/english/newsticker/news/69919)

You can download a working demo to test with [here](http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip)
You can also get a demo emailed to you for testing Apple Mail [(in German!)](http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=apple)

The demo attempts to open a Terminal window to display the contents of a folder. If you are running Mac OS X in its standard configuration and have Safari opening “safe” files, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user.
If Safari is set to not open safe files but you unzip the file and then double click on the resulting jpeg – then the exploit still works and a shell script is executed. This is bad. This demo attack only lists files in a folder but even if you are not an admin user the script could do things like delete all your files.

OK just going to do the same test after running Apple Security Update 2006-001 – this update (which “came out” tonight) fixes 15 security holes and should be run on all 10.3.9 and 10.4.5 systems, including OS X Server.
I installed the update, turned on “Open safe files” in Safari preferences and downloaded the above demo once more..
I got a warning this time: “The safety of this file cannot be determined. Are you sure you want to download “Heise.jpg”?” Clicked on the Download button, the file downloaded and the zip file decompressed, leaving a file called Heise.jpg. Double clicking on this file causes Terminal to launch and the contents of my home folder to be displayed.

So – the good news is that the shell script did not launch even with Open safe files selected. I also got a warning (that most users will ignore).
The bad news is that a file that looks like a JPEG picture launches a shell script when opened – in my opinion this is still a viable attack vector for delivering a destructive payload.

If you turn off “Open safe files” and manually unzip the file using terminal you see this:
adam% unzip Heise.jpg.zip
Archive: Heise.jpg.zip
inflating: Heise.jpg
creating: __MACOSX/
inflating: __MACOSX/._Heise.jpg

The Heise.jpg file is a shell script and the ._Heise.jpg file in the newly created __MACOSX folder is a binary metadata file (aka Resource fork) that tells OS X to use Terminal to open the Heise.jpg file. Because of the .jpg extension however, the Finder displays this file as a picture that will be opened by QuickTime.

This is the crux of the problem – the attacker gets to choose what application opens the file while the user thinks that it will be opened by another application based on the icon displayed.

Email attack vector.
If the disguised script is sent as an attachment encoded in the AppleDouble format then double clicking on the file in Apple Mail will launch the shell script. Most (all) OS X email clients send attachments in this format and it handily allows for resource forks to be sent with files. Apple Mail automatically analyses these resource forks and will honour them. Again the icon displayed is based on the .jpg extension but Apple Mail will open the file in terminal because the resource fork metadata tells it to.
NOTE that after installing the Apple 2006-001 Security patch Apple Mail now displays a warning dialogue when you try to open the file, saying that it contains an application and may not be trusted – this is a step forward.

Summation.
To be sure of what you’re running when you open a file – copy any attachments to a folder and then unzip them in the Terminal to see what you are unzipping.
Check what application will launch when you open a file by clicking once on the file and getting info (Get Info under the file menu) if it says “Open With: Terminal” – don’t open it.
You can also drag the file onto TextWrangler, TextEdit etc to see if the file you’ve downloaded is a shell script or not.
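A small script that automates the checks above, as an added example (not from the original post, Heise or Apple): it lists the zip entries, flags any file whose declared image extension does not match its contents or that starts with a `#!` line, and notes any `__MACOSX/._name` AppleDouble metadata entry that could change which application opens the file. The sample archive standing in for Heise.jpg.zip is constructed inside the script, and the AppleDouble sidecar is filler apart from its magic number.

```python
import io
import posixpath
import zipfile

# Leading bytes expected for a few common "safe" document types (constructed subset).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF",),
}


def inspect_archive(data: bytes) -> list[str]:
    """Return human-readable findings for a zip archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or name.startswith("__MACOSX/"):
                continue  # metadata entries are reported via their data file below
            with zf.open(info) as fh:
                head = fh.read(16)
            folder, base = posixpath.split(name)
            ext = posixpath.splitext(base)[1].lower()
            if head.startswith(b"#!"):
                findings.append(f"{name}: starts with a #! line, so it is a script, not a {ext or 'document'}")
            elif ext in MAGIC and not head.startswith(MAGIC[ext]):
                findings.append(f"{name}: contents do not match the {ext} file signature")
            # An AppleDouble sidecar (__MACOSX/._name) can carry Finder info that
            # names a different opening application than the extension suggests.
            sidecar = posixpath.join("__MACOSX", folder, "._" + base)
            if sidecar in names:
                findings.append(f"{name}: has AppleDouble metadata {sidecar} that can choose the opening application")
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for Heise.jpg.zip: a shell script named .jpg plus its
    metadata entry, and one genuine-looking JPEG for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Heise.jpg", "#!/bin/sh\necho constructed demo, harmless\n")
        # AppleDouble files begin with the magic number 0x00051607; the rest is filler here.
        zf.writestr("__MACOSX/._Heise.jpg", b"\x00\x05\x16\x07" + b"\x00" * 28)
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_archive(build_sample_archive()):
        print(line)
```

Point `inspect_archive` at the bytes of a real download (for example `open("Heise.jpg.zip", "rb").read()`) to check an attachment before double clicking anything it contains.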

Code for the Apple Mac OS X / Safari “__MACOSX” ZIP Archive Remote Code Execution Exploit is [here](http://www.frsirt.com/exploits/20060222.safari_safefiles_exec.pm.php)

More info on today’s Apple security patch [here](http://docs.info.apple.com/article.html?artnum=303382) and [here](http://www.frsirt.com/english/advisories/2006/0791)

Secondly, the Inqtana Bluetooth Worm.
Synopsis
Fixed with a few of last year’s Apple security updates.

OSX/Inqtana-A is a worm for Mac OS X that spreads by copying itself to other computers via a Bluetooth connection. The worm copies 3 files: w0rm-support.tgz, com.openbundle.plist and com.pwned.plist.
When the worm is run it will create folders named Users/de and Users/javax containing a number of Java library files.

Summation
RUN Software Update you goose!

Small Angry Man.

First I stumbled across [this sworn testimony](http://www.buzzflash.com/alerts/04/12/images/CC_Affidavit_120604.pdf) (pdf file) from a software programmer who, in 2000, was asked by Tom Feeney, then Speaker of the Florida House of Representatives, to “develop a prototype of a voting program that could alter the vote tabulation in an election and be undetectable”. He developed the programme. Read his affidavit if you’ve the time – it reads like a plot for a Tom Clancy novel.

This led me on to a [story](http://www.bbvforums.org/cgi-bin/forums/board-auth.cgi?file=/1954/19421.html) that the internal logs of at least 40 touch-screen voting machines (used in Palm Beach County in the Nov 2004 US election) reveal that votes were time and date-stamped as cast two weeks before the election, sometimes in the middle of the night!
It gets worse. Several dozen of the voting machines had no votes cast on the election day at all, many were powered off during the election day – all up the voting machine logs contained approximately 100,000 errors. And that’s just for one county in Florida.
Don’t get me started on the [Ohio](http://www.truthout.org/docs_05/010605Y.shtml) vote machine problems of negative vote counts, wrong candidates selected etc etc.
It is worth noting that an [analysis](http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=203&topic_id=371211) at DemocraticUnderground.com shows that incidents of “electronic vote switching” from Kerry to Bush outnumber incidents going from Bush to Kerry by a ratio of greater than 12:1. Apparently the odds of that happening are 1 in 1,783,106,652,071,710,000. That’s quite a large number.

Dang – this is really starting to piss me off, and then I read [this.](http://www.huffingtonpost.com/peter-soby-jr/whistleblower-charged-wit_b_16411.html) Essentially, two years ago a guy working for a legal firm discovered documents which provided evidence that Diebold was using illegal, uncertified software in California voting machines. The documents also showed that Diebold’s California attorneys had told them they were in breach of the law for using uncertified software, but Diebold continued to use the uncertified software anyway. This guy (Stephen Heller) did the right thing and went public. Weeks later thousands of voters were unable to cast their votes in the 2004 elections in California. Diebold were decertified and sued by the Californian attorney general, they settled out of court ($US2.6m) and are once again providing voting machines to 17 counties in California. And Stephen Heller? Well two years later he’s being prosecuted in the Californian Supreme court for commercial burglary. So Diebold cheat, use uncertified software and disenfranchise thousands of voters and the whistleblower might go to gaol. [LA Times story here.](http://www.latimes.com/news/local/la-me-diebold22feb22,1,7096292.story?ctrack=1&cset=true)

So Bush stole the election?
So big companies roll the little guy and get rewarded?
So a [gun-wielding deaf man with man-boobs](http://governor_general.blogspot.com/2006/02/heavy-handed-heavily-armed-awb.html) gets paid a million dollars to forget everything?
So what? At least we’re all “relaxed and comfortable” and anyway lies like children overboard, weapons of mass deception etc etc don’t affect our stock portfolio or real estate values.

My name is Adam and tonight I’m angry.
Time to write more stern letters of disillusioned passion.

Take it easy all – and remember that to hear lies and say nothing is to support them.

Mac OS X Security – a solution!

I have finally found a solution to the recently discovered vulnerability with Mac OS X.
Just to remind you – the vulnerability is that a virus, masquerading as a normal document, can execute commands (run shell scripts) using your terminal application.
The solution consists of a shell script called A Bit More Secure Terminal (abmst) that you can download [here](http://www.ugsoft.de/intl/abmst/demo/addr-mac.html)

1. Download and install abmst.
2. Launch your Terminal utility and open “Preferences…” under the Terminal menu.
3. Select the radio button next to “Execute this command (specify complete path):”
4. Enter exactly the following underneath this line (the space is important):
/usr/local/bin/abmst-en /usr/bin/login

Now whenever something tries to run a shell script in your terminal abmst will ask you if you really want to run the command and give you the option not to. I have tested this and it works well.

Australia. We’re standing in it.

“Today we have an invisible governor-general, universities corrupted by their scrabbling for money, an underfunded ABC and a CSIRO where those who are genuinely concerned about global warming are expected to bite their tongues.

According to the latest polling, a majority of Australians accept that they are being governed by a divisive and mean-spirited leader, but apparently they no longer care. It’s a “Whatever it takes” world we live in now. If it takes lies to stay in power or bribes to sell our wheat, no matter.

We cling to our tenuous prosperity as though Howard were its only begetter and as if money really can buy us happiness (despite the clear evidence to the contrary, as Martin Seligman’s research shows).”

The above written by [Richard Walsh](http://smh.com.au/news/opinion/only-a-meaner-nation-could-turn-kerry-packer-into-a-secular-saint/2006/02/23/1140670202991.htm), who ran ACP for 12 years and was a director of PBL.

Couldn’t have put it better myself.

MacAttorney List – there’s gold in them words…

Randy B. Singer is the author of The MacAttorney Newsletter. The MacAttorney Newsletter is a FREE electronic newsletter sent out via e-mail for attorneys, law students, and legal professionals to keep them informed about the latest Macintosh news, events, products for law office use, and special promotions for attorneys.

At this writing there are well over 5,500 law firms subscribed to The MacAttorney Newsletter!

To subscribe, send e-mail to: randy@macattorney.com with the word “Subscribe” in the SUBJECT line of the message.

There is a huge Web site with a list of software for attorneys who use the Macintosh computer at:

The Law Office Software List for the Macintosh Computer
[http://www.macattorney.com](http://www.macattorney.com)

Mac OS X Security – A Basic Primer

Hi All,

Yesterday another proof-of-concept piece of malware was announced:
[http://secunia.com/mac_os_x_command_execution_vulnerability_test/](http://secunia.com/mac_os_x_command_execution_vulnerability_test/)

REMEMBER THIS IS A PROOF OF CONCEPT – IT IS NOT YET MALEVOLENT.
However it does show a working attack vector that may be exploited by spotty 14 year old uber-geek-lords.

Sooo with the latest outbreak of these two little applications that prove you can compromise Mac OS X – what should you do to stay safe, alert and only marginally alarmed?

FIRST: In Safari, select “Preferences…” under the “Safari” menu. In the window that then appears select the “General” icon at the top left and make sure that the checkbox next to “Open “safe” files after downloading” is NOT checked.

SECOND: Don’t download files from untrustworthy sources, such as peer to peer filesharing networks like LimeWire, or sources such as Hotline. (Yeah right – whatever.)

THIRD: If you attempt to open a downloaded file, and you are asked for your administrator password, DON’T GIVE IT! Files (i.e. documents, graphics, spreadsheets, MP3’s, etc.) don’t ask for passwords. However, malicious applications masquerading as files do ask for passwords.

FOURTH: Your client files and work product are irreplaceable data. You cannot afford to lose them. You should back up all of your data to keep it safe. Every day, or more often.

FIFTH: Buy Intego Internet Security Barrier X from Coretech. The product that we use and most recommend. It looks for and handles all known Mac malware. It works seamlessly and causes no performance slowdowns or software incompatibilities. It includes automatic updating, so that you are protected as soon as possible when a new threat arises, and it has a pretty cool interface too.

SIXTH: For a more complete sense of security and well-being, do not use the owner account of your machine. Rather, create a new account that has administrator rights and then take the administrator rights off your existing account.

Here’s How (Tiger only):
NOTE That Coretech accepts no responsibility whatsoever for any problems or data loss that may result from anyone following these guidelines – if you’re at all concerned please call us on 02 9016 4475 and book a service call.
You have been warned.

1. From the Apple menu, choose System Preferences.
2. Click the Accounts icon.
3. Click the New User button, and follow the prompts to create a new user. I have called this new user Admin User with a short name of adminuser.
(Under 10.4 the add user button is a small + symbol underneath the list of users. You may have to “Click the lock to make changes.”)
4. Select the user you just created from the accounts list on the left of the window.
5. Select the “Allow user to administer this computer” checkbox.
6. Now select your original user and de-select the “Allow user to administer this computer” checkbox.
7. Quit System Preferences and log out (under the Apple menu).
8. Log in as your usual account.

Now all your documents and applications will still be available as per normal.
Note that when you want to install anything you will be prompted for an administrator name and password – use the new account name and password you’ve just created.

Many Thanks to Randy B. Singer of the MacAttorney’s Email list for his kind permission to use some of his most excellent newsletter.

Mac OS X 10.4.5 Update – all good…

We’ve updated quite a few machines with 10.4.5 with no problems.

You have been cleared for take off.

Mac OS X 10.4.5 Update – first musings….

Some sites (macfixit) are reporting problems after running the 10.4.4 to 10.4.5 updater. They recommend using the combined updater instead.

Other sites and mailing lists are reporting a smooth and pain-free upgrade.

Our advice, as always, is to never be the first nor the last person to try a new medication. Please stand by for further input…

Mac OS X Malware

A new malware programme that attacks Mac OS X has appeared. Called (by some) Oompa-Loompa (aka OSX/Oomp-A) it doesn’t appear to be too dangerous and requires user input to be installed. It appears in the form of a file called “latestpics.tgz” purporting to be images of the new OS X 10.5. Its icon makes it look like a jpeg file. Its sole purpose appears to be to self-propagate via iChat, but there may be other undiscovered payloads.

In short – do not open any file called “latestpics.tgz”.

In length see:
[http://www.ambrosiasw.com/forums/index.php?showtopic=102379](http://www.ambrosiasw.com/forums/index.php?showtopic=102379)
and
[http://www.macrumors.com/pages/2006/02/20060216005401.shtml](http://www.macrumors.com/pages/2006/02/20060216005401.shtml)

From the first link above:
You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the “latestpics.tgz” file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to “open” it
…and then for most users, you must also enter your Admin password.

You cannot simply “catch” the virus. Even if someone does send you the “latestpics.tgz” file, you cannot be infected unless you decompress the file and then open it.

Handy Phone Test Numbers

Check out this [Access Communications](http://www.accesscomms.com.au/testnumb.htm) site for some handy line testing numbers here in Oz.

Some examples:
1800 80 1920 – tells you the number you’re calling from. Works on all Australian carriers.
12711 – tells you your default long distance carrier.