Fresh news and solutions for small business. By Ron Seybold

The Tangled Web helps secure browser-based apps


Review by Steve Hardwick

No Starch Press, November 2011, 320 pp., $49.95

A recent survey by Veracode, published in December 2011, found that more than 80 percent of approximately 10,000 web applications examined failed security testing. This data shows that web applications provide fertile ground for hackers to launch their malware. Obviously web developers still have some work to do to make their applications secure. The Tangled Web by Michal Zalewski is targeted toward web application developers and security professionals who have a solid understanding of web and browser operations at an operational level. The author goes into fairly technical detail, assuming that the reader has the necessary skills to understand the technology discussed.

After an introductory chapter outlining some security fundamentals, the book is split into three parts. The first part covers browser and web technologies. Specific attention is paid to vulnerabilities and how they came to be part of the infrastructure. The second part covers browser security and highlights some of the ways to mitigate the inherent holes in the current technology. The final portion covers some of the new vulnerabilities that are expected to appear in the near future. With a couple of exceptions, each chapter concludes with a security engineering cheat sheet. This summarizes the topics covered in the chapter and serves as a guide to implementing some of the technology discussed. It provides a useful quick reference to the book's contents after the reader has completed a read-through, and it can be used as a design aid on future projects.

Part One goes into some depth on the various technologies used by browsers, both their inherent operating infrastructure and the services used over the web. Attention is paid to areas of the technology that are open to exploitation. In many cases the author outlines how some of the weaknesses came into being and provides a good view into the difficulty of building this technology. Part One is broken down into chapters that cover the different pieces of browser function. Internal processes, HTML and CSS parsing for example, are covered, and external processes, HTML and URL parsing, are reviewed. Two chapters cover the additional programming capabilities of the browser, namely JavaScript and plug-ins. Throughout this section many examples are given of how the vulnerabilities can be exploited. This gives the reader a better understanding of how a hacker would go about using these weaknesses. In some cases a chapter has a limited discussion of its topic due to the topic's breadth and complexity. The author does include references to other works that cover the topic in greater detail and then focuses on the key areas that are relevant to web security.


Macworld 2011 aisles brim with business opportunity


Customers, vendors, users and hawkers are putting their cards, demos, data sheets and gimcrack giveaways in order this week after four days of Macworld 2011. Attendance was up 10 percent, we’re told, and the number of exhibitors is on the rise, too.

Although the number of vendors selling solutions, apps and hardware is below the gaudy days when this show spanned both North and South Moscone halls, plus Moscone West for sessions, a rough survey of the 2011 show revealed a bigger share of business-ready help: in apps, in hardware, in Mac software and in advice. Macworld 2009, Apple’s last, had more of everything except business: especially iPhone cases and iPod accessories. Those were still on display last week, along with a wave of iPad holders.

But 2011 was the year when Apple business users could find a Macworld supplier a-selling with no effort at all.

Two years ago, the Enterprise Software Alliance was about the only booth where Windows-friendly Mac software for business was showcased. This year a veteran firm from the Windows virus battlefields, ESET, was selling antivirus and giving away security training. The company said it has muscled antivirus maker Intego out of Apple’s retail store slots with NOD Antivirus 4. It’s called the Business Edition of antivirus for endpoints — what you’d call Macs, but now ESET uses the enterprise-savvy terminology, and perhaps technology, too.

Mac gains patron Saint for security scans


The Mac has gained its first integrated security assessment tool for vulnerability scanning, penetration testing, and security checklist compliance. Saint Corp. has released SAINT Professional version 7.6, the company’s first to include a native Mac OS X installer. Company officials said this edition includes the full functionality of the SAINTscanner, SAINTexploit, and SAINTwriter as one integrated user interface for administration.

“SAINT Corporation is very proud to provide Apple support to the growing community of security and compliance professionals using the Mac,” said Billy Austin, SAINT’s Chief Security Officer. Security pros, or businesses which need security tools, can now take full advantage of SAINT’s compliance checklists including templates for the following:

  • Payment Card Industry (PCI)
  • FISMA
  • HIPAA
  • USGCB
  • FDCC

In addition to the native Apple installer as a .DMG file, the 7.6 product release features penetration testing coverage for Cisco network devices, SAP, and a new web application exploit for SQL authentication bypass.

Taking enterprise security mobile, Absolutely


Absolute Software has announced that it will provide what it calls “enterprise-caliber” management software for the new iOS 4 Apple devices such as the iPhone. The company, which sells a solution for business computer asset management called Absolute Manage, will move core components of that software to the new Apple mobile OS.

Although the iPhone was roundly hooted at when Apple introduced its first enterprise features — such as the ability to handle Microsoft Exchange mail on the iPhone’s Mail client — the phones have become a staple of business users around the world. IT managers have learned they can’t keep iPhones out of company networks, so they’re resigned to admitting them and are now employing them as IT tools.

Absolute Manage has a single feature that can sell it to any company using Apple’s mobile products. An administrator can wipe a computer’s or phone’s data off the device if it’s been stolen or lost. iOS 4 devices (which could be any 4G or 3GS phone) can also be locked with a remote command in an emergency, or have their passcode cleared for data protection.

Securing Apple’s products: phone, desktop, tablet


Apple has pushed out an update to the Snow Leopard version of the OS that adds new security guards against malware. It’s the first release in 10 months that improves this sort of hacker barrier.

If only the new iPad could be so lucky to be so well protected. We’ve been using the tablet since its release, but nary an update is to be downloaded to advance the device’s security.

The 10.6.4 version of Snow Leopard, which is a 17-minute download on a middle-fast DSL line, introduces new protection to prevent back door attacks on Macs through the iPhoto software that ships with every system. A new feature called XProtect gets an update that keeps hackers from installing malware by fooling users into thinking iPhoto is at work, when damage is being done.

An update of a Mac’s operating system for security reasons — that’s a good idea. But Apple doesn’t have a practice of identifying the security holes it patches with a new release. And sometimes a new OS version will make software stop running on a Mac. This is why backups are a vital complement to any security updating.

What’s your browser, and is it as shiny as Chrome?


In its public beta version, Chrome was just an experimental browser, at first without even bookmark management. In spite of Infoworld declaring “Firefox is dead” this year, at least that browser for the Mac is years beyond experimental status. But as of this week, Chrome for the Mac is out of beta test and into a full release, the first of many. It’s promised to be fast, open and secure. A business user might consider Chrome as their window to the Web.

Picking a browser is like choosing a home repair store. You develop a habit of using one and stop thinking about the alternatives. Chrome is definitely a faster browser than Firefox in our use, delivering a payoff in the “time is money” formula. If you browse a lot, Chrome could be an upgrade. (Safari’s performance is much closer to Chrome’s.)

But Chrome has some catching up to do in other areas. In the Mac version we downloaded this week, some Web sites aren’t working completely. Our TypePad account editor (where we publish the 3000 NewsWire blog) won’t let us resize graphics for posts in Chrome. The editing features at the Constant Contact email site won’t perform with Chrome for the Mac, either.

This puts Chrome in a category with the iPad: very fast and slick for consumption of information, not so good for creating messages and more. As for the death of Firefox, that obituary shouldn’t be written yet. 350 million users won’t expire overnight.

  • Published: Mar 8th, 2010
  • Category: Reviews, Security

Plodding shots bolster new VirusBarrier X6


Halfway into a million-file scan, it's another two-plus hours to a clean bill of health

You want your Mac security tools to behave like Columbo, or Inspector Plodder from the play Sleuth: not the fastest of detectives, but one that will not miss a detail. So it goes with the newest VirusBarrier X6 anti-virus and firewall product from Intego. You can set it and go, but you might as well go far away at first. Its initial inspections will take a while.

On our 2.83 GHz iMac with 4GB of memory, that was more than four hours to do a full scan of our 150 GB of occupied hard disk. Full scan is a choice that the VirusBarrier setup prods you toward once you complete the easy install. Too bad that it’s so easy to send the tool through such thorough paces. VB X6 skips over the “check my malware file for updates” stop, so you notice that your file is “35 days out of date” amid a lengthy scan. We’d lead a user into NetUpdate, the VB checker for updated files, before starting a scan. This is also an “install and force a restart” program, not among our favorites.

A complete scan can be a once-in-a-great-while event, however. VB X6 has one-off scan options for fresh files, or a folder, or whatever you want to drag onto its nifty interface. The inspector is thorough enough to try to catch malicious scripts, the latest ploy in penetrating your Mac’s defenses. We were glad to see attention paid to a very long list of intrusion techniques like this. Drive-by attacks come out of scripts. You have to hope the malware file gets freshened up often enough to believe VB gets the job done. There’s good reason to believe it’s about 30 days or so between updates.

Secure the Mac, jillions of files at a time


It’s not tough to make a case today for better Mac security than what Apple delivers out of the box. Even though your business systems ship with a first-level firewall, they don’t arrive with any anti-virus software. Apple insists in clever ads that Mac security is not the problem that users find on PCs. That is true, but not because of the Mac’s superior designs. Unix, deep inside the system’s heart, is just as vulnerable as Windows. (Some say even more so; Unix security patches from HP for its business servers are a regular delivery.)

The Mac enjoys an easier time in security because Apple’s product is a less juicy target. Malware and viruses are designed to make money for criminals, and the number of PCs out there running bareback is 10 times the number of Macs. Security by obscurity only works until it doesn’t. It’s just a matter of time, sad to say, before the criminals fan out and try to rob your system of power or privacy or both.

Anti-virus software (AV) is not just the paranoid geek’s tool anymore. The last virus we detected came off a Web page, and we last had data corrupted in 1997. But things have changed since Apple moved to Unix underneath its OS. Oh, and there’s that thing called the Internet, plus the Flash videos you may use to gather research (like from the Wall Street Journal’s site, now that they’re owned by Fox). Flash, and Adobe’s Acrobat PDF files, are a big target for malware today.

You have more than one choice for a commercial AV tool for your systems (that wasn’t the case in ’97). What you buy probably should provide both firewall and virus protection. Two leading companies offer very different value propositions in their AV software. MacScan commits to a fixed price, while another supplier uses a subscription fee plus purchase price model.

Secure the Microsoft Office


Excel poses for its close-up at Macworld

Microsoft has released the 11.5.7 update to its Office suite, aimed at the users of Office 2004. You should download this update to protect your Mac from being hacked by compromised Word, Excel or PowerPoint files. Even the Mac has security flaws, but more common are the hacker entry points through things like Office or Adobe’s Flash. (If you aren’t up to date on the Microsoft security releases, 11.5.7 won’t load up. You can check your status in the Updater Logs folder inside your Microsoft Office 2004 folder. Microsoft also has prior updates available for download, to catch you up.)

Microsoft was one of the few big-name vendors at this year’s Macworld Expo, but it didn’t have new software to roll out this month in conjunction with its show appearance. The Redmond Giant was talking up the forthcoming release of Microsoft Outlook for the Mac. (Talking only, since no demos were presented at the Microsoft booth.) Outlook will be a replacement for Entourage, which still has advocates within the Mac expert community. One advantage of Entourage, noted in a Macworld panel, is its smooth interface with Microsoft Exchange servers, operated at countless companies that handle their own e-mail. Outlook will be inside the Office 2011 suite, and it’s not yet clear if it will be sold standalone. Entourage never was.

What’s a Web drive-by attack?


Editor’s Note: Our certified security expert Steve Hardwick reported on an insidious style of hacker attack, one that can infect Macs as well as the Windows world where he works every day. Here at Bites HQ we use the Intego software suite (NetBarrier and VirusBarrier) for anti-virus protection. Intego just rolled out X6 versions to protect against newer-style attacks. We’ll see once we complete our testing what’s been added.

Meantime, be careful where you browse in the course of your business. Steve got attacked while shopping for business travel at Expedia. You should always look extra closely at any dialog box on the Mac that advises you to update for security reasons. Apple’s software will never use this language; it will just advise you of an available software update.

By Steve Hardwick, CCISP

Should you be worried about a Web drive-by attack? First off, what is it?

Most Internet users are not familiar with the concept of a Web drive-by attack. The one I recently encountered was scary because of its simplicity and how it preys on security fears. It also underlines how easy it is to create attacks that are targeted to specific operating systems. Mine took place in Windows, but it would be easy enough to target the Mac OS, too.

To be able to infect a computer in a drive-by, the hacker has to trick the end user into loading a piece of malicious code. In the past this was done using e-mail attachments and other applications that were used for file transfer. However, there is a growing threat where your Web browser (Firefox, Safari) is used to trick you into downloading and running the virus code. Here is a walkthrough of what I recently encountered, as it gives a good understanding of this type of attack. (For anyone who wants a much more in-depth explanation, Virus List is a great site to visit.)

I was going to various sites, trusted sites that I have used in the past without any problems. As I arrived at Expedia.com, one of my favorite travel sites to look at air fares, the following screen popped up. When I saw it, my first thought was that I had a virus on my system.

The screen displayed on top of the browser looked identical to the Microsoft Forefront Client Security interface, which is the antivirus software (A/V) installed on my PC. Even the progress bars moved on the display and the virus list was populated. To all intents and purposes it looked and felt like I had a bad case of several viruses on my system. After the virus list had been completed I got two more screens.

Fortunately I am well-versed in security products. As soon as I was asked to run a program outside of my A/V application the alarm bells started to ring. I also noticed that the file had been downloaded to my PC from a Web site I did not recognize. This is not usual behavior for an anti-virus program. So I decided to hit cancel. When I tried to close any screen I saw the screen above.

Now I was definitely concerned.


© 2009 Bites of Apple. All Rights Reserved.