Tuesday, May 31, 2011

Apple Orders Technicians to Feign Ignorance About Mac Malware

from DailyTech.com

Jobs and company hope to keep customers ignorant of the truth

image: derangedshaman.com

Apple, Inc. (AAPL) long had the good fortune (from a certain perspective) of not being very popular with consumers and thus gaining security through obscurity.  With millions of Macs in the wild and Apple sitting pretty in fourth place in PC sales, though, the company is seeing an increasing number of malware attacks.

I. The Customers Want the Truth? They Can't HANDLE the Truth!

In response to these attacks Apple has reportedly implemented a policy that is in equal measures bizarre and baffling -- it's telling technicians to adopt a "don't ask, don't tell" policy with regard to customers' complaints about malware, feigning ignorance on the topic.

An Apple Store Genius (store technician) leaked internal documents to ArsTechnica. One memo reads:
Apple Internal Use Only - Issue/Investigation in Progress - Confidential Information - Do Not Disclose Externally
Customers may call AppleCare to report an issue with malware (trojan) software known as Mac Defender or Mac Security, or because they are concerned that their Mac could become infected. The name may vary as new variants are released onto the internet. This malware is installed from malicious websites.
Products Affected
Mac OS X 10.6, Mac OS X 10.5, Mac OS X 10.4
A second memo adds:
    • Do not confirm or deny that any such software has been installed.
    • Do not attempt to remove or uninstall any malware software.
    • Do not send escalations or contact Tier 2 for support about removing the software or provide impact data.
    • Do not refer customers to the Apple Retail Store.  The ARS does not provide any additional support for malware.
The disgusted Apple employee is quoted as stating, "Frankly, it's Social Engineering at its finest. In some respects, I feel a little bad for the people hit by this, but at the same time, I can't help but be frustrated that people inherently trust everything they're prompted to do on their machines. The beauty of Mac OS X is its security model. That people blindly enter a password is going to be the undoing of it."

(The employee's comments allude to the fact that Apple's OS requires users to approve installations with an administrator password, using a feature similar to the UAC found in Windows 7.)

II. How Widespread Is the Problem?

Andy says that in the past about 0.2 percent of serviced Macs were suffering from some kind of malware -- "most always DNS trojans." Now that number has soared to around 5.8 percent, mostly thanks to MacDefender -- a trojan that DailyTech previously reported on.

The employee states, "There's been a very real uptick in the number of malware instances we've seen."

"With regard to how the company is dealing with it, the answer is not very well," he adds. "As you know, OS X requires an admin user to authenticate and OK the install for pretty much anything that's not drag and drop. The response has been a case of 'they installed it, so it's not our problem.' Until something that makes use of a zero-day exploit hits, I really doubt that we're going to do anything, technology wise, to address this."

But is the OS X security model really superior to Windows 7?

Famed Mac security expert Charlie Miller, who has won at Pwn2Own in multiple years for the fastest Mac hack, comments, "Mac OS X is no more secure than any other operating system. It has vulnerabilities, and it will let you download and run malware. The difference is that there simply isn't that much malware written for it. The bad guys have focused all their energies at Windows, which makes up the vast majority of the computers out there. However, as market share for Macs continues to inch up, that equation is going to change and bad guys will begin to focus in on Macs, if that hasn't already started to happen. And as I mentioned above, Macs are no more inherently secure than Windows, so when the bad guys decide to go after them with gusto, it'll get ugly fast."

Other hackers have also commented that OS X 10.6 ("Snow Leopard") has inferior security to Windows 7. To boot, Apple doesn't provide users with free antimalware software like Microsoft Corp. (MSFT) does.

III. How Long Can Apple Keep up the Charade?

In recent months botnet-forming worms and trojans have targeted OS X. Most of these pieces of malware have been amateurish efforts or works in progress, though. Nonetheless it remains a very real possibility that Apple could one day see a serious attack.

The question remains how long Apple can continue to deceive its customers and obscure the fact that its platform has malware on it, and that the threat is growing.

But the line still seems to be working on the most gullible of Mac users. For example, in our coverage of the MacDefender infection one pro-Apple commentator and self-proclaimed "expert", "TonySwash", wrote:
In the real world actual and successful malware attacks on Macs are virtually unknown, and if there are any at all the number is vanishingly small.
The really embarrassing thing is not that Windows get's (sic) all that malware, that's just the result of piss poor design decisions going back decades, what's really shameful is the way that some Windows fans choose to deal with this reality. They deny it. It's not Microsoft or Windows faults (sic), it's everybody's problem, or if it's not everybody's problem then its (sic) some sort of perverse reflection of Windows strength (sic).
Eventually Apple may have to face the music, though, particularly if customers take legal action against it for feigning ignorance, now that corporate documents have revealed that Apple is well aware of the attacks on its platform.

There are plenty of things you can fault Microsoft and the Windows platform for, but one thing you can say in their favor is that at least when they encounter malware they try to help customers and counter it, rather than claiming their products are "magic" and have no problems.

Ugh, more of the same. I guess Apple isn't smart enough to turn things around and try to help. The very least they could do is acknowledge the problem and assure their customers that they're working on a fix, even though it will probably fail or be circumvented.

Thursday, May 26, 2011

Apple standard procedures won't work with security

from cnet.com

On May 24, Apple posted a support forum entry on how to avoid or remove the MacDefender malware that's been plaguing an unknown number of users since early May. And I'm glad they did. But the support forum is way overdue, and Apple's standard method of responding to user issues--ignore them until they won't go away and then issue a response when the outcry gets too loud--simply won't fly where user security is at stake.
Mac users are a juicy, unprotected target for hackers, phishers, and scammers, and Apple needs to drop the impenetrable fortress act and help them raise the drawbridge.
Mac Defender installer (Credit: Sophos Security)

MacDefender and its malicious software variants have been landing on Macs since at least May 2, when Intego and Sophos first reported on a massive SEO poisoning scheme that had Windows and Mac users alike clicking on malicious links and becoming infected with a Trojan program.
My colleague Ed Bott's attempts to bring the MacDefender issue to light were a fascinating saga all their own. Bott faced massive backlash from Apple users who insisted there was no malware problem--or if there was, it paled in comparison with the security nightmare that is Windows (their words, not mine). Fanboys accused him of inventing the whole tale. And John Gruber of Daring Fireball denounced the MacDefender concerns and said Bott was "crying wolf."
Nevertheless, the problem persisted, and the support calls increased. And then a source inside Apple support told Bott that Apple had issued new instructions for support reps to follow when handling MacDefender cases. Those instructions? Don't help them.
The full text of the instructions is here. Support reps were told not to tell customers infected with MacDefender how to force quit Safari, remove items from the start-up process, or force quit the Mac Defender process--and not to refer those customers to forums where they might actually find help. Support reps were also instructed to dodge "general" questions that might lead to resolutions if they knew the customer was calling about MacDefender. Why? Because the customer (the victim of this malware, to be clear) was trying to ask "obvious questions to skirt our policy."
So, when Apple--more than three weeks after this malicious software appeared in the wild--got around to posting a support forum on how to remove or avoid MacDefender, it was also nearly a week after Google reportedly killed a lot of the poison links that were infecting people in the first place, a week after CNET and others posted instructions on how to remove MacDefender, and at least one support memo too late to demonstrate a serious commitment to customer security.
As both Mac defenders (if you will) and critics alike point out, this behavior is Apple's standard operating procedure for dealing with problems of imperfection. MacBook discoloration and whining? Deny or ignore for weeks, then eventually fix the problem. Cracks in MacBooks? Never happened. Defective display reports on iMacs that cropped up in 2007? Ignore for years and continue to ship problem displays until 2010, when you say they've been fixed. The "raster shift" problem with eMacs? Ignore, deny, and quietly fix case-by-case. iPhone 4 death grip issues? Tell everyone they're holding the phone wrong, then eventually hold a press conference and offer free bumpers.
From the perspective of, say, John Gruber at Daring Fireball, this approach represents a commitment to decisive action that leaves the customer hanging for a brief, uncomfortable period, then ultimately results in a satisfactory outcome. From my perspective, it represents a commitment first and foremost to not admitting fault, canny observation of which way the media winds are blowing, and action only after outcry has reached a sufficiently intolerable din.
But whatever the reasoning behind this silence-then-solution pattern, it won't work as a response to security issues. Phishing attacks, Trojans, even viruses are not hardware problems that can be fixed in future revs or by the helpful Genius Bar--and by all accounts, these attacks are becoming ever more common and there's every reason to believe Macs will be increasingly a target, according to Sophos researchers.
And why shouldn't they be? After all, Mac users are uniquely trained not to be security aware, thanks to all those years of being told that Macs don't get viruses. When it comes to falling for phishing attacks and cheerfully installing malware (after all, what Mac user should be afraid to install software? Macs don't get viruses!), Mac users are like sheep ready to be led to the slaughter. And today's phishermen are sharpening their hooks.
This is not an attack on the security of the operating system--any OS is hackable, for one thing, and phishing attacks rely less on zero-day vulnerabilities and more on the complacency of an unsuspecting victim. Mac users? Pretty unsuspecting. Heck, when a friend of mine told me, two weeks ago, about a storm of porn pop-ups plaguing his Mac, I said, "it sounds like a virus, but it can't be. It's your Mac!"
If Apple's future response to security issues is to take weeks to respond, instruct support reps to obfuscate or refuse to help customers, or continue to act like an unsinkable Titanic of security, they'll only put users more at risk. Hackers will happily take advantage of any delays in response.
In fact, while researchers believe the initial MacDefender Trojan was, perhaps, a proof of concept, by May 25 it had evolved into a variant that, according to this article, didn't need an administrator password to install itself, bypassed system folders, and installed itself in your user account folder. That's a much more dangerous piece of software than it was when it started, and a pretty scary precedent.
Let's hope the next Trojan to come along doesn't get such a helpful window of opportunity. No one is immune from attack, not even Mac users. And Apple needs to take care of its customers (who include me!) without its own support reps having to act like anonymous whistleblowers to get the word out. Security is a whole new game on the Mac--time to think different.
That last line says it all for me. Mac users need to learn about security before it's too late, not stick their heads in the sand.

Monday, May 23, 2011

AppleCare staff told not to care about Mac malware infection

Apple is advising its AppleCare support representatives not to remove the new Mac Defender malware from users’ systems or even to confirm or deny that a machine is infected, according to a confidential memo obtained by Ed Bott of ZDNet.

The memo, dated May 16, 2011, instructs AppleCare support staff how to react if a Mac user calls about possible infection by the Mac Defender malware, which displays a web pop-up telling the user that his or her Mac has been infected by a virus and to install bogus anti-virus software. If the user installs the software, the program loads porn sites on the computer.
Bott, who was the first to spot complaints about the malware in Apple’s support forums, said that he counted 200 posts from users asking for help to remove the bogus software.
According to the Apple memo, there are two resolution paths that AppleCare representatives can take when users call about Mac Defender. If the user says he or she has not yet installed the bogus software, representatives are instructed to suggest that the user quit the installer and delete the software immediately.
“AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer’s Mac is infected or not”, the memo says.
If the user says he or she has already installed the software, Apple provides support staff with a number of guidelines.
“Important: Apple does not provide support or assistance in removal or diagnosis of malware. If the customer’s Apple product is eligible for support, advisors should determine that the Apple product is working properly by isolating the issue and ruling out issues with Apple product”, the memo states.
Apple advises support staff to make sure Mac OS X is up-to-date and all available security updates have been installed, direct the customer to the Help document “What is Malware?”, and then explain to the customer that “Apple does not make recommendations for specific software to assist in removing malware.”
Then, Apple provides four “important” bullet points for the support staff:
  • Do not confirm or deny that any such software has been installed.
  • Do not attempt to remove or uninstall any malware software.
  • Do not send any escalations or contact Tier 2 for support about removing the software, or provide impact data.
  • Do not refer customers to the Apple Retail Store. The ARS does not provide any additional support for malware.
Apparently, AppleCare really doesn't care about helping Mac users with malware on their machines. Apple did not return Infosecurity's phone call asking for comment on the memo and the Mac Defender malware.
Karel Obluk, chief scientist at internet security company AVG, was willing to comment: "After the recent discovery of a malware toolkit for Apple's OS X, it's clear that usage of the platform has reached a critical level, at which it has become a profitable target for malware developers. This marks a watershed in OS X's user experience, after which users will have to be more vigilant about their security online, and will need to take actions to protect themselves against online threats.”
Obluk added, "For Apple, it's time to admit that there are threats to OS X users, and to start educating its customers on how to avoid them. Avoiding the issue is an unacceptable abdication of its duty to its customers."

That's nice, ignore the problem and it should go away. No, they offer NO HELP AT ALL! Even Microsoft would help for a nominal fee. Couldn't they, at least, suggest AV software? They can't even talk about it, that's reeeeeeally odd even for Apple.

Friday, May 20, 2011

New Mac Malware!

A new piece of malware has caused an uptick in Apple customers reporting infected machines, renewing a timeless debate on the state of Macintosh security versus Windows.

The trojan horse is called Mac Defender. It’s a web pop-up containing a spoof message that tells customers their machines are infected by a virus and they must install anti-virus software. If customers agree to install the software, the program sporadically loads porn websites on their computer.

ZDNet writer Ed Bott was first to spot a long thread of complaints in Apple’s support forums related to Mac Defender, with at least 200 posts of customers reporting they’ve been infected by the malware.

“I’ve done similar searches in the past … [and] I have never found more than one or two in-the-wild reports,” Bott wrote. “This time, the volume is truly exceptional.”

Furthering his case, Bott in a follow-up article quoted an AppleCare technician who claims that phone calls to AppleCare support have grown four to five times recently, and the majority of the calls are related to Mac Defender.

Customers and technology observers have debated for years whether the Mac is truly more secure than a Windows PC.

The general consensus among security researchers is that there’s nothing about the Mac that makes it inherently more secure than Windows — indeed, the Mac platform has been easily penetrated in the Pwn2Own hacking contest in years past. But Windows has always been a juicier target for malicious hackers because it has much larger market share than the Mac.

As a result, when customers switch from a Windows to a Mac, they’re often under the impression that they’re switching to a more secure, sterile environment where they won’t need to install expensive, resource-hogging anti-virus software. While it’s not true that the Mac is more secure, the platform is generally “safer” because fewer people target it, security researchers have told Wired.com in the past.

Bott’s discovery renews this debate: A new piece of malware seems to be fooling more Mac customers than past examples. So does this change the scenario? Should Mac customers install anti-virus software by default like most Windows customers do?

Charlie Miller, a security researcher who has repeatedly won the annual Pwn2Own hacking contest by hacking Macs and iPhones, told Wired.com he doesn’t think so.

Miller noted that Microsoft recently pointed out that 1 in 14 downloads on Windows are malicious. And the fact that there is just one piece of Mac malware being widely discussed illustrates how rare malware still is on the Mac platform, he said.

And while 200 posts complaining about Mac Defender in Apple’s support forums may seem like a lot, that’s still a small fraction of the millions of Mac customers in the world.

While Mac Defender does show that the problem is getting worse and people should be more wary about malware, it doesn’t necessarily mean that every Mac user today should rush to buy anti-virus software, Miller said.

Ultimately, it’s up to the customer because there’s a trade-off involved. Anti-virus software will help protect your system from being infected, but it’s expensive, uses system memory and reduces battery life.

“Mac malware is still relatively rare, but is getting worse,” Miller said. “At some point soon, the scales will tip to installing antivirus, but at this point, I don’t think it’s worth it yet for most people.”

In looking into the effects of Mac Defender, Wired.com’s sister publication Ars Technica did a thorough investigation on the state of Mac malware, speaking with 14 Mac support specialists.

“The truth is hard to tease out,” ArsTechnica’s Jacqui Cheng wrote. “Partly because Mac OS X still makes up a comparatively small percentage of the global OS market share, and partly because Apple itself is a secretive company, it’s not easy to find out whether malware on the Mac is indeed becoming more common, or it’s simply being reported on more often.”

The results were all over the map, with most certified Mac support specialists logging a low number of malware reports. But some Apple Genius Bar technicians noticed an uptick in malware instances, thanks to Mac Defender.

Though the conclusion is unclear, the moral of this story is to be wary that Mac malware is in the wild, and be cautious about installing sketchy software from unfamiliar sources. Mac Defender may be the first wake-up call for people who believed that Macs don’t get viruses.

This is what I've been talking about. The Malware is out there for Mac as well. It's also reasonable to believe that there are some Mac computers out there that have Malware or are acting as Bots and the impact on the computer may not be enough for the untrained user to notice. And they may never know if they don't have security software.

Friday, May 13, 2011

New iMac Drives Not Meant to Be Replaced, And I Hate It

from www.gigaom.com
Don’t replace the hard drive in your new 2011 iMac, or the fans will scream like a banshee as they spin up to full speed and the Apple Hardware Test (AHT) will fail. The issue is that the factory-installed Apple hard drives have a built-in thermal sensor that is connected to the logic board by a proprietary SATA power cable that includes additional pins for the sensor. The Apple drives have custom firmware to send the temperature information to the logic board through this custom connector. Replacing the drive with one that does not run Apple’s custom firmware, or disconnecting the thermal sensor entirely, will unleash the whirling dervishes that are normally held in reserve for when you foolishly decide to run Flash video in Safari.

The fans-gone-wild issue and the failed AHT warning are a result of the logic board losing communication with the sensor. Thermal sensors have been included in Macs for as long as I can remember to help the system adjust fan speed to maintain acceptable temperatures. If these sensors do not report any temperature information, the firmware will turn the fans up to full to prevent a core breach in the warp engines, and/or red-hot CPUs flowing like molten slag all over your pretty blue logic board. It’s a precautionary measure to prevent an overheating problem. The AHT warning is there to tell you which sensor has failed so you can replace it.
What makes this sensor different is that it is integrated into the custom hard drive. A lot of the earlier thermal sensors were stick-on affairs that attached to the hard drive or other locations with tape. I presume that Apple asked manufacturers to bake them into the drives to reduce both additional component costs and assembly steps.
The iMac is the hardest piece of Apple kit to work on yourself by a long shot. The Mac Pro is designed to be easily opened. MacBooks and MacBook Pros provide easy access to the hard drives and RAM. The new Mac mini has a twist-off access panel. Even the old Mac minis are not that bad as long as you have the right putty knife. It’s certainly not as bad as the old iBook (about 50 screws to get at the hard drive!), but it’s the worst of the current Macs. I don’t even think most people need access to the other components inside the machine, but access to the hard drive is important. The old iMacs were designed so that you could remove the back and get quick access to the drives. The aluminum iMacs were designed to open from the front, so you have to remove the glass panel (it pulls off with suction cups) and the LCD screen behind it to get to the drives.

The worst part is that you often put it all back together only to find a piece of hair or lint or a stray thumbprint on the back of the glass. Takes me straight back to the days when I ran a frame shop and would turn a framed photo back over after papering the back only to find a small piece of dust emerge from the dark suede mats, staring at me from under museum glass like a blazing signal fire warning of imminent customer dissatisfaction or framer’s rage. That glass on the front of the iMac is likely responsible for more referrals to Apple’s generous mental health programs than any other item that has ever sat on a Genius Bar.
It does make for a very pretty iMac though.
Which is, I suppose, the reason why Apple has kept roughly the same iMac design for so long (since 2007). Maybe the drive could be relocated from where it is now, smack dab in the center of the machine, out to the edge where it could be accessed with a removable panel. But you can’t add an access panel for the drives to the top or bottom because that has to be kept open for the convection cooling airflow to pull air in at the bottom and vent out the top. So maybe, the side opposite the optical drive. But that would mess up the unibody look of the iMac with no visible seams in the aluminum (just the RAM slot at the bottom). Okay, so maybe adding easy hard drive access is too much of a design sacrifice, but now even if you manage to get at the hard drive, you can’t replace it.
I understand that there's a secondary bay, but not being able to simply replace a hard drive?

Wednesday, May 11, 2011

Why The !@&% Doesn’t It Do That?

from www.MacObserver.com

In 2008, MobileMe had some problems out of the gate, and according to a new “Inside Apple” piece that Fortune magazine will publish later this week, that resulted in a sharp reprimand from Apple CEO Steve Jobs, an immediate change in executive leadership for the project, and changes in the team’s membership.

According to the magazine’s sources, Mr. Jobs called the MobileMe team into a town hall meeting in one of Apple’s auditoriums after the service launched with problems and garnered unflattering reviews from noted tech commentators like Walt Mossberg of The Wall Street Journal.

Mr. Jobs reportedly asked the assembled engineers and other MobileMe team members, “Can anyone tell me what MobileMe is supposed to do?” When one of those employees then volunteered a satisfactory answer, Mr. Jobs followed up with, “So why the fuck doesn’t it do that?”

He then spent some 30 minutes berating the team, telling them that they had “tarnished Apple’s reputation,” and that they, “should hate each other for having let each other down.”

He added, “[Walt] Mossberg, our friend, is no longer writing good things about us.”

According to Fortune, this sort of straight talk and personal accountability is at the heart of how Apple does what it does. The magic we see as users is due in part to the reality that, “[Apple] is a brutal and unforgiving place, where accountability is strictly enforced, decisions are swift, and communication is articulated clearly from the top.”

Fortune is also cleverly using a piece about the inner workings of Apple to promote its iPad app. The article is part of the May issue, and will be pushed out to iPad (and Kindle) on May 11th. The iPad app is free, and users can buy the May issue for US$4.99. Print subscribers can access the iPad edition for free.

Fortune also posted a related video interview with former Apple engineer Andrew Borovsky on what it’s like to work inside the company.

Wow, with all the accountability, strict rule enforcement and iron fist of Steve Jobs demanding perfection, it's incredible how something like the iPhone still came out with a defect.

Sunday, May 1, 2011

Funny Pic

Thought this was funny (and pretty accurate). Click for bigger image.