I am refering to the recently wide-spread “Flashback Trojan” that has infected an estimated 600,000 Apple brand PC’s and laptops in recent weeks.  Yes, Apple has been forthcoming in its information releases and has issued 3 Java updates in the past 9 days in order to combat and remove this threat.  Flashback as of today has been reduced to an estimated 140,000 active infections through these measures, but some variants of the Trojan are not so easily removed.

Flashback works through Java scripting; some variants have the ability to create a counterfeit signed Apple certificate, prompting the user to install it.  But once installed, Flashback works to capture personal data including passwords to banking and e-commerce sites, and transmit its findings to the cloud.

Like most security issues, the most basic flaw is a false sense of security.

Bad things, man.

Apple has released several fixes to help users remove and block Flashback.  Some include Java Plugin updates that turn off Java as a Plugin in the Apple browser Safari, restricting the ability to run any Java scripts automatically.  A setting that can be manually changed by the user later.  Other Java patches are designed to identify and remove the malicious code Flashback is created by, and close the security holes that allow the code to be executed.

But if there is one thing we have learned from the Microsoft experience with viruses it is, those that write the malicious code are a persistent bunch.  Why?  Because writing a small amount of code is not too time consuming and if it gets them the right information, it can be incredibly, although very illegally, profitable.  The bad-guys are also usually a few steps ahead of the good-guys as well.  As Apple releases these fixes, you can bet new malicious code is being created and tested to subvert these fixes and possibly even disable or modify them.  So is this the end of the road for Flashback and other Mac designated viruses?  Personally I believe it is only the beginning.

What made Flashback a quick success?  One contributing factor is undoubtedly so much of the Apple user population maintaining a, “It can’t happen to me,” attitude about viruses and security.  After all, we’ve been hearing it for years: viruses are a Microsoft thing, and Macs CAN’T get viruses.  Not that there just aren’t viruses written for Macs.  Those that stand far to the Apple side of the Mac vs. PC debate have literally been lulled into the misconception that Mac O/S has some magical, you can’t execute malicious code on me, properties that no other software designers have found the fairy dust to.

Now we see just what a falacy that is, and I’m sure 600,000 Apple users can relate their frustrations.

As I pointed out before in my article (link)about virus proliferation through out the technology community almost a year ago, a lot of the lack of viruses in the Apple side of the community is just a numbers game.  But now as those numbers are increasing toward more and more home and business users using Apple products for business utilities beyond video and graphics, there will no doubt be an increasing interest by would-be cyber criminals to target unsuspecting and unprepared Mac users.  It is estimated that in the United States as of 2011, Apple now owns approximately 11% of the desktop and laptop market-share, and globally they have eclipsed 5% world wide for the first time.  But that still means that almost 95% of the world runs Windows as their primary desktop platform.

Are the cyber theives going to go after 5% or 95%?  You know the answer.  But as that Apple number grows it will become more and more attractive of a target, even being the minority.  Especially considering most Apple users will still operate under the false assumption that they don’t need real security as long as they’re sitting behind the glowing white logo on the lid.

A better policy would be to be proactive, install a reliable security software on your Apple Mac device and make sure your own network is secured from external attacks.  Be prepared before the bad-guys get one step ahead of the Apple developers again.

I can assure you, they will.

Fool Me Once… is a post from: @ Blog

A few key items to note as you read through the article – they give some good information about what you can do when you receive text spam:

1. Forward the offending message to 7726 (SPAM – alphanumerically) along with the phone number it was received from.
2. Report the spam to the FCC.  Yep – that’s a link to their page on Text Spam.
3. Ask your wireless carrier to block messages from the Internet.
4. Ask your wireless carrier to block the phone number the spam came from.

If I can add in my own 5th point, which should really be a first point – never respond to, answer or follow a link from a text message from an origin that you don’t recognize.  As with most things, a little common sense goes a long way in covering your rear-end and avoiding information theft and scams.

Text Spam might not be a huge problem now, but it can become one quickly.

Now maybe text spam isn’t affecting your life or your community as negatively as a mailbox full of credit card offers or the telemarketers that still call you despite your number being on a no-call list.  However, here in North America our wireless industry is still relatively immature compared to wireless services in most developed Asian countries.  As pointed out in the article, in China they have had unlimited texting plans for much longer than North American service providers have offered them, and right now a good one-third of all text messages received in China are of the spam or phishing variety.

I do find it humorous that the article states that the big two in America, Verizon and AT&T Wireless, claim they are doing all they can to stop spam, despite taking such actions actually has a negative revenue affect on their bottom lines.  The data being sent costs them little to nothing, where as people still on limited text plans (since the major carriers plans in themselves tend to be way more expensive than options in other countries) end up paying more because of spam received, and the technology required to adequately and accurately detect and remove spam texting would cost them quite a bit. 

Don’t expect your wireless carrier to have an effective solution to text spam any time soon, and as text message spam becomes increasingly easier to send the volume of spam will grow.  The best action for us is to take the steps listed above and start fighting it now instead of relying on the historically not proactive and only interested in profits wireless companies to combat it from their side.

How is Text Spam Affecting You? is a post from: @ Blog

“Using laptops and free Wi-Fi connections, criminals are stealing identities and using the names of legitimate taxpayers to file fraudulent online tax returns. They’ve raked in billions, buying luxury cars, expensive jewelry and plastic surgery, police said.

“It’s like the federal government is putting crack cocaine in candy machines,” said Detective Craig Catlin of the North Miami Beach, Florida, Police Department. “It’s that easy.”

First, thieves obtain Social Security numbers and other personal information from insiders at hospitals, doctor’s offices, car dealerships or anywhere the information is stored. Then, they file an online tax return using the real taxpayer’s name and a fictitious income. In most cases, the criminals buy a debit card so the IRS can issue the refund on that card, although some thieves have also gotten their returns on actual Treasury checks.

The thieves know that the IRS does not verify the employer W-2s sent with the return until after the refund is issued.”

So basically, the Federal Government has a huge hole in its technology system that can allow for petty criminals to defraud the government of thousands of dollars at a time.

Just like that.

Easy.

"...I'm here to tell you how to manage your businesses, information and finances better; just like the government does!"

The hole doesn’t stem from improper implementation of technology alone; it is a policy issue that allows for the technology to be taken advantage of.    In other words, the folks in charge of regulating things such as banking mandates, HIPAA regulations, the SEC, the FAA and other complex technology driven systems that are supposed to protect your identity, your personal information and your money, have themselves created a system that with a simple identity theft can transfer thousands of your tax dollars to a criminal before the IRS even realizes that it’s happening.

This exposes a couple things.  Mainly, all of the relevant issues that fall beneath the category of, “the biggest security concern with any technology based system is the human factor.”  One – the bad guys are always a step ahead.  Two – the people that design these systems are arrogant enough in most cases to be shocked by these lapses in security and rarely see them coming.  Three - the users of these technology systems in general don’t care an assume everything will work and remain secured regardless of what they do.  Four – people on the whole are good natured, well meaning and very trusting of authority figures.

The other big issue this exposes is some of the basic failures and fallacies of many of our current “watch dog” programs.  If the watch dogs can’t secure their own dog house, how are they going to watch over yours?  And according to this article, even small-time thieves have been able to eat the dogs’ lunches right under their nose.

Businesses – and the government is a business – implement automated systems in order to improve services and reduce costs.   Who out there in America really thinks the IRS provides good services?  And if there is anyone that thinks the government is doing a good job at reducing costs, please say hello to the hookah smoking caterpillar for me the next time you talk to him.  Now seeing the security failures of their current system, how much money has been and is going to be lost by the current security issues?  How much is it going to cost to fix it?  And what is the impact on those that have had their identity stolen and have been issued a fraudulent refund check?

What a mess.

But in the government’s usual money-grab approach, they short-sighted this and wrote bad policy to go along with technology solutions.  Unfortunately they think the policies they have written and expect other businesses to follow will secure YOUR information and make your lives better, but most likely it is just as ineffective and off the mark.

Good luck, America.  We’re going to need it.

Maybe it’s Time to Take a Step Back is a post from: @ Blog