Is Windows more secure than Mac?

I always loved Apple commercials for the Mac; it was always fun to see the new jab they would take at Microsoft. I specifically got a chuckle out of the claims that the Mac is so super secure and Windows was plagued with security issues.

In reality though, Mac OS has more vulnerabilities on a month-to-month basis than Microsoft Windows. I brought this up in a previous post, Apple Joins the Army, and referenced an article with the exact statistics. If I remember correctly, the average monthly vulnerability count on the Mac platform was five times higher than on Microsoft Windows.

I was reading this article today about Marc Maiffret, an ex-hacker who turned professional. Featured in People Magazine’s 30 People Under 30, he is definitely someone to listen to. I immediately thought of Kevin Mitnick, but that’s another story. Marc is a co-founder of eEye Digital Security and now works as Chief Security Architect at FireEye.

He goes on to mention that he believes Microsoft does a better job auditing its code than Apple. I would take this further: many Mac users do not take security seriously, and many do not run any third-party security products. Until recently, many security vendors did not create products for Mac OS. Apple commercials would lead you to believe the Mac is super secure and not vulnerable to hackers, viruses, and other forms of malicious software.

Apple has two things in its favor regarding security. Mac OS is based on Unix and inherits the security model developed there over many years. The second reason, which I think is more significant, is that no one used to care about hacking Mac OS outside of academic interest. As of December 2009, Microsoft Windows had over 92% market share compared to Mac OS at just over 5%. Malware built for Windows reaches a far larger user base and yields a much higher return on investment for attackers.

Although I am a big fan of Firefox (albeit far from perfect), Microsoft has made impressive improvements to the security of Internet Explorer. Ever since Bill Gates released his Trustworthy Computing memo in January 2002, Microsoft has shown significant attention to security.

Keylogging: Malware or Legitimate Tool?

Long considered malware and a threat to privacy and security, keylogging software has been found in Microsoft Internet Explorer 8 and Google Chrome. These keyloggers were not planted by hackers, however; the companies put them there on purpose.

Google and Microsoft added keystroke capture to their browsers in an attempt to improve searches for their users: recording what is typed lets the browser predict common or most likely searches from past usage. Browsers also store user log-ins and passwords for convenience and track activity to help determine the cause of errors, and employers use keyloggers to track employee productivity. All of this is useful to the companies doing the tracking, but it complicates anti-malware protection, because products like Kaspersky’s can no longer simply delete every keylogger they find, as they have done up to this point.

Cyber criminals use keylogging to capture and record every keystroke you make in order to steal user IDs, passwords and anything else they can use to steal your identity. Some companies, however, are now using the same technique for more legitimate purposes.

To determine the best course of action regarding keyloggers, Kaspersky Lab, an industry leader in anti-malware protection, is seeking legal counsel. While it does not want to accuse legitimate companies of wrongdoing, it still wants to provide the best and most comprehensive anti-malware protection on the market. If it were up to Eugene Kaspersky, the company’s CEO, users would not tolerate these privacy-invading programs in their browsers and would ask the companies to remove them. “That would save us a lot of work, and we already have plenty to do,” he told Computer Weekly. Google is already reacting to the public’s aversion to keylogging by promising to keep the information anonymous, but Microsoft has made no such announcement as yet.

What it all comes down to is this: is the convenience provided by keylogging worth compromising the security of your computer?

Breaking CAPTCHA for $.75/hr

CAPTCHA, that annoying security measure many online service providers use to make sure you are a human and not a spam-bot, has spawned an entire IT sub-industry of service providers whose only goal is to break it. CAPTCHA and similar techniques attempt to foil automated account creation by forcing users to identify a distorted image, usually depicting a string of text. The idea is that Optical Character Recognition (OCR) software is not good enough to overcome the distortion and reliably identify the characters, but humans generally are. Naturally, as soon as this type of protection gained widespread use, attackers started developing ways to defeat it, and it was only a matter of time before people figured out how to monetize those techniques.

Dancho Danchev, writing for ZDNet, has uncovered some emerging trends in the thriving CAPTCHA-solving business. First, spammers used the techniques to quickly create large numbers of accounts on free email services like Gmail, Yahoo, and Hotmail, and used them to send spam and commit fraud. Since the mail originates from such mainstream providers, blacklisting the sending domains is out of the question. Soon enough, third-party providers started offering CAPTCHA solving as a service for hire and selling large blocks of free email accounts to spammers.

Like most malicious activity on the internet these days, the business model and technology behind this illicit endeavor are evolving rapidly and borrowing heavily from the legitimate IT industry. Using the latest technology, re-using and sharing code and algorithms, and following “best practices” have greatly enhanced the efficiency of these groups. Add the power of outsourcing the work to some of India’s premier data-processing teams, and you have a real growth industry.

These companies are recruiting. With ads that promise flexible schedules and challenging work from the comfort of your home, they are attracting a large contingent of technically savvy workers. In India particularly, CAPTCHA breakers reportedly earn up to 10 times their legitimate data-processing wages. There and elsewhere, some participants may not even be aware that they are engaged in a nefarious undertaking, because the services are marketed as “password recovery” and other legitimate-sounding offerings.

As Dancho says in one article, “No CAPTCHA can survive a human that’s receiving financial incentives for solving it.” With an army of dedicated solvers, the future of text-based CAPTCHA as a protection mechanism seems bleak.

Massachusetts Enacts New Privacy Regulations

Businesses Must Develop Security Plan
Effective January 1, 2009, new rules went into effect in Massachusetts governing the safe handling of private data by “all persons that own, license, store or maintain personal information about a resident of the Commonwealth.” Massachusetts General Laws Chapter 93H (93H) requires all such businesses or individuals to develop and maintain a comprehensive information security program covering any records that contain personal information. “Personal information” is defined as a person’s first and last name, or first initial and last name, in combination with any of the following: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to the resident’s financial account. Information lawfully obtained from public records is exempt.

The security program must cover a number of topics, including identifying one or more people responsible for assuring compliance, risk identification and mitigation, employee training, disciplinary actions for non-compliant employees, limiting access to information, and monitoring and auditing activities, among others.

The regulations further mandate that computer systems used by any person or agency that collects or maintains private information meet a number of criteria. User access must be controlled and secure passwords enforced; access to data must be limited to the minimum necessary to perform assigned job duties; and all personal information transmitted across public networks (where “technically feasible”) or stored on laptops or other portable devices must be encrypted, as must all data transmitted wirelessly.

Finally, the rules stipulate that “reasonably up-to-date” protections must be in place, including firewalls, security patches and malware protection agents, and that such agents be configured to receive updates automatically.

State Government Has To Comply, Too
Following passage of this legislation, last September Massachusetts Governor Deval Patrick signed an Executive Order mandating that all state agencies (executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus and offices) adopt and implement the same security measures stipulated in 93H. All state employees are directed to take “immediate, affirmative steps to ensure compliance with this policy…”

The Bottom Line
In practice this means that every business and state office that uses or stores personal information must develop an information security plan. Since that includes any company that accepts credit cards as payment, nearly every business larger than a roadside produce stand will be affected. For publicly traded companies this will not be much of a burden, since they already comply with similar regulations such as the Sarbanes-Oxley Act. For many others it will present new challenges, and some may find them prohibitive. Outsourcing part or all of their IT processes and the related security requirements can take some of the burden off small and mid-sized businesses, as long as they remember to require third-party service providers to certify that they comply with 93H.

Full Disk Encryption – A Security Measure Necessity

In February, Pfizer, the world leader in biomedical and pharmaceutical research, reported the theft of a laptop computer that held confidential information on 800 contractors as well as current and former employees. The individuals affected may be exposed to identity theft.

The information on the laptop included names, credit card numbers, addresses, phone numbers, hotel loyalty program numbers and other data. It did not appear that any Social Security numbers or PIN codes were exposed.

The laptop, stolen by burglars from the home of a contractor who arranged travel and meetings for Pfizer, was password protected. A login password only controls who can sign in to the running operating system; anyone who removes the drive, or boots the machine from other media, can read the files on it directly. Operating systems also scatter application data across the disk (caches, temporary files, swap), so encrypting a single folder still leaves copies elsewhere. Full-disk encryption is the only way to protect the entire drive.

The benefits of full-disk encryption outweigh those of file, folder or vault (container) encryption.

Full-disk encryption:

  • Swap space and temporary folders, which can leak confidential information, are encrypted along with everything else on the disk
  • Pre-boot authentication (PBA) keeps the operating system from booting until the correct password is entered
  • Data can be destroyed instantly, if required, by destroying the cryptographic key
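The three points above in working form, as an added example that is not part of the original post and not any vendor's product: an in-memory "disk image" whose sectors are encrypted under a random volume key, with that key stored only wrapped (AES-256-GCM) under a PBKDF2-derived key, so the passphrase check is the pre-boot authentication step, a record written to a "swap" sector is as unreadable as the application data, and wiping the wrapped key retires the whole disk. The volume layout, the function names and the sample record are this example's own; AES-256-CTR keyed with the sector number stands in for the AES-XTS real products use, and the unchecked crypto/rand.Read assumes Go 1.24 or later, where it cannot fail.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const sectorSize, kdfIter = 512, 100_000

// Volume models a disk image: a header (salt, nonce, wrapped volume key) that
// reveals neither the passphrase nor the raw key, followed by the sector data.
type Volume struct {
	Salt, KeyNonce, WrappedKey []byte
	Disk                       []byte // nSectors * sectorSize bytes of ciphertext
}

func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // cannot fail in Go 1.24+

// deriveKEK is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output
// block, written out so the example needs only the standard library.
func deriveKEK(passphrase string, salt []byte) []byte {
	m := hmac.New(sha256.New, []byte(passphrase))
	m.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(P, S || INT(1))
	u := m.Sum(nil)
	t := append([]byte{}, u...)
	for i := 1; i < kdfIter; i++ {
		m.Reset()
		m.Write(u)
		u = m.Sum(nil) // Ui = PRF(P, Ui-1); T is the XOR of all Ui
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// keyWrapper is AES-256-GCM under the passphrase-derived key; a 32-byte key and
// 16-byte AES block mean neither constructor can fail.
func keyWrapper(passphrase string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKEK(passphrase, salt))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Format creates an empty volume; its random volume key is stored only wrapped.
func Format(passphrase string, nSectors int) *Volume {
	v := &Volume{Salt: random(16), KeyNonce: random(12), Disk: make([]byte, nSectors*sectorSize)}
	v.WrappedKey = keyWrapper(passphrase, v.Salt).Seal(nil, v.KeyNonce, random(32), v.Salt)
	return v
}

// Unlock is pre-boot authentication: only the right passphrase recovers the
// volume key, and GCM's tag rejects a wrong passphrase or a destroyed header.
func (v *Volume) Unlock(passphrase string) ([]byte, error) {
	key, err := keyWrapper(passphrase, v.Salt).Open(nil, v.KeyNonce, v.WrappedKey, v.Salt)
	if err != nil {
		return nil, errors.New("pre-boot authentication failed")
	}
	return key, nil
}

// xorSector applies sector n's AES-256-CTR keystream to src, zero-padded to a
// full sector (CTR is symmetric, so this both encrypts and decrypts). The sector
// number fills the high 64 bits of the counter, so two sectors never share
// keystream; rewriting one sector would, which is why real products use AES-XTS.
func xorSector(key []byte, n int, src []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 32 bytes
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv, uint64(n))
	buf := make([]byte, sectorSize)
	copy(buf, src)
	cipher.NewCTR(block, iv).XORKeyStream(buf, buf)
	return buf
}

// Write encrypts data into sector n; Read decrypts sector n.
func (v *Volume) Write(key []byte, n int, data []byte) { copy(v.Disk[n*sectorSize:], xorSector(key, n, data)) }
func (v *Volume) Read(key []byte, n int) []byte { return xorSector(key, n, v.Disk[n*sectorSize:(n+1)*sectorSize]) }

// RawContains is the thief's view: the drive pulled from the stolen laptop and
// searched for a known string. The login password plays no part at this layer.
func (v *Volume) RawContains(needle []byte) bool { return bytes.Contains(v.Disk, needle) }

// Shred is crypto-erase: wiping the wrapped key leaves every sector permanently
// unreadable without rewriting the data itself.
func (v *Volume) Shred() { v.WrappedKey = make([]byte, len(v.WrappedKey)) }

func main() {
	record := []byte("name=J. Doe acct=0000-EXAMPLE") // constructed sample, not real data
	vol := Format("correct horse battery staple", 8)
	key, _ := vol.Unlock("correct horse battery staple")
	vol.Write(key, 3, record) // application data
	vol.Write(key, 5, record) // the same record paged out to swap
	fmt.Println("raw image leaks record:", vol.RawContains(record))
	fmt.Println("decrypts:", bytes.Equal(vol.Read(key, 5)[:len(record)], record))
	_, err := vol.Unlock("guess")
	fmt.Println("wrong passphrase:", err)
	vol.Shred()
	_, err = vol.Unlock("correct horse battery staple")
	fmt.Println("right passphrase after shred:", err)
}
```

The design choice worth noticing is the two-level key: the passphrase never encrypts data directly, so changing it means re-wrapping 32 bytes rather than re-encrypting the disk, and crypto-erase is a matter of overwriting those same 32 bytes. The PBKDF2 iteration count is what makes an offline guess against the stolen header slow.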

In light of the publicized laptop thefts and security breaches, every user with confidential data on their machine should deploy a full-disk encryption solution. This is precisely why the United States Government is in the process of comparing FDE solutions in order to choose and implement the best one. If you keep confidential data on devices that leave a secure location, consider full-disk encryption to protect it.

Spam is Back in Full Force

Symantec’s monthly State of Spam report for March showed an increase in bounced messages: spammers are forging other people’s addresses as the sender of their own spam, in the “From” header and, more importantly, in the envelope sender (MAIL FROM) to which bounces are returned.

This is classic backscatter. Spammers take advantage of mail transfer agents that accept a message for an unknown recipient and only afterwards send a non-delivery report back to the sender address, listing the failed recipients, the reason for the failure, and a copy of the original email. That copy is the spam, and anti-spam filters let most “failed delivery” replies through. Since the sender address was forged, the bounce, and the spam inside it, lands in the inbox of someone who had nothing to do with the message.

Corporate networks will feel the greatest burden of the increased attacks: the extra bandwidth and the flood of unwanted messages in users’ inboxes translate into lost productivity. Administrators are encouraged to configure their mail transfer agents to reject undeliverable mail during the SMTP session rather than accepting it and bouncing it later, to leave the original message body out of any bounce they do send, and to sign outgoing mail so that bounces for messages they never sent can be rejected.
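One way to implement the last recommendation, signing outgoing mail so that real bounces can be told apart from backscatter, as an added example that is not code from the original post or from Symantec: the envelope sender (MAIL FROM, the address bounces are sent to) carries an HMAC tag with an expiry day, and the inbound MTA accepts a message from the null sender only when its RCPT TO carries a tag this site issued. The layout is modeled on the PRVS tag of the BATV scheme; the field widths, the seven-day window, the key id, the site secret and the sample envelopes are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// validDays is how long a signed sender stays acceptable. Legitimate bounces
// arrive within hours, so a short window limits replay of a harvested tag.
const validDays = 7

// dayNum is the day counter carried in the tag: days since the Unix epoch mod
// 1000, so the three-digit field wraps cleanly instead of breaking at new year.
func dayNum(t time.Time) int { return int(t.Unix()/86400) % 1000 }

// signature binds key id, expiry day and address together under the site
// secret. Truncating to 8 hex digits (32 bits) is this example's choice.
func signature(secret []byte, tag, addr string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(tag + "=" + addr))
	return hex.EncodeToString(m.Sum(nil))[:8]
}

// SignedSender rewrites user@domain into the envelope sender (MAIL FROM) used
// on outgoing mail: prvs=KDDDSSSSSSSS=user@domain, with K the key id, DDD the
// expiry day and S the signature. Real bounces come back to this tagged
// address; spam that forges the bare address produces bounces without a tag.
func SignedSender(addr string, keyID int, secret []byte, now time.Time) string {
	tag := fmt.Sprintf("%d%03d", keyID, (dayNum(now)+validDays)%1000)
	return "prvs=" + tag + signature(secret, tag, addr) + "=" + addr
}

// CheckBounceRecipient is the inbound rule for a message from the null sender
// (MAIL FROM:<>), which by definition is a bounce: deliver it only if RCPT TO
// carries a tag this site issued inside the validity window. It returns the
// plain mailbox to deliver to, or an error saying why the bounce is backscatter.
func CheckBounceRecipient(rcptTo string, keyID int, secret []byte, now time.Time) (string, error) {
	if !strings.HasPrefix(rcptTo, "prvs=") {
		return "", errors.New("untagged recipient: we never sent the original, so this is backscatter")
	}
	parts := strings.SplitN(rcptTo[len("prvs="):], "=", 2)
	if len(parts) != 2 || len(parts[0]) != 12 {
		return "", errors.New("malformed tag")
	}
	tag, sig, addr := parts[0][:4], parts[0][4:], parts[1]
	if tag[0] != byte('0'+keyID) {
		return "", errors.New("unknown key id")
	}
	if !hmac.Equal([]byte(sig), []byte(signature(secret, tag, addr))) {
		return "", errors.New("bad signature: tag forged or signed with another key")
	}
	expiry, _ := strconv.Atoi(tag[1:]) // only digits survive the signature check
	if (expiry-dayNum(now)+1000)%1000 > validDays {
		return "", errors.New("tag expired: stale or replayed bounce")
	}
	return addr, nil
}

// Deliver applies the policy to one SMTP envelope. An empty MAIL FROM marks a
// bounce, which must pass the tag check; ordinary mail is accepted, and a tag
// on its recipient (a reply to our signed address) is stripped before delivery.
func Deliver(mailFrom, rcptTo string, keyID int, secret []byte, now time.Time) (string, error) {
	if mailFrom == "" {
		return CheckBounceRecipient(rcptTo, keyID, secret, now)
	}
	if strings.HasPrefix(rcptTo, "prvs=") {
		if parts := strings.SplitN(rcptTo, "=", 3); len(parts) == 3 {
			return parts[2], nil
		}
	}
	return rcptTo, nil
}

func main() {
	secret := []byte("hypothetical-site-secret") // per-site key; rotate by bumping keyID
	now := time.Date(2009, time.April, 1, 9, 0, 0, 0, time.UTC)
	sender := SignedSender("alice@example.com", 0, secret, now)
	fmt.Println("outbound MAIL FROM:", sender)
	// Constructed inbound envelopes: a genuine bounce to the tagged sender,
	// backscatter from a spam run that forged alice's bare address, and a reply.
	for _, env := range [][2]string{{"", sender}, {"", "alice@example.com"}, {"bob@example.net", sender}} {
		box, err := Deliver(env[0], env[1], 0, secret, now.Add(2*time.Hour))
		fmt.Printf("MAIL FROM:<%s> RCPT TO:<%s> -> mailbox=%q err=%v\n", env[0], env[1], box, err)
	}
}
```

The check lives entirely in the envelope, so it costs nothing for ordinary mail and needs no cooperation from the remote MTA that generated the bounce; the price is that every outbound path (including list servers and web forms that send on the domain's behalf) must go through the signing step, or their legitimate bounces will be refused as backscatter.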