New Mac threats?

On 7/11/08 4:19 AM, "Kirk McElhearn" <kirkmcelhearn.com> wrote:

>>> I think you should stop obsessing about the word "virus".
>>
>> I'm not "obsessing" over the word so much as asking and looking for
>> clarity
>> and facts in the writings on the subject.
>
>
> Well, my message wasn't addressed to you in particular...
>
> Just wondering, do you "dial" your phone?

Not as much as I used to. Now I just call people

--
John C. Welch

On 11 Jul 2008, at 09:37, Paul Atroshenko wrote:

> I looked up PHP attacks and one site had this to say:
>
>
> “Multiple vulnerabilites have been identified in PHP, which could be
> exploited by attackers to execute arbitrary commands, bypass
> security restrictions, or disclose sensitive information. These
> issues are due to errors in the "session", "zip", "imap", "sqlite",
> "shmop", and "wddx" extensions, and within the "sapi_header_op()",
> "str_replace()", "*print()", "mail()",
> "ibase_{delete,add,modify}_user()", "odbc_result_all()" and
> "zend_hash_init()" functions, which could be exploited by malicious
> people to compromise a vulnerable web server, bypass "safe_mode" and
> "open_basedir" restrictions, and disclose sensitive information.”
>
> Does this apply to Macs, or only PCs?

well, yes, vulnerabilities exist in PHP, but have any active exploits
been released to target them? (If not, they will be before too long).

In _theory_, it could affect a mac that had web sharing switched on
and an active PHP process available to the web server.

All this stuff in in OS X, but it is not active by default, so the
threat level to the ordinary desktop user is so close to zero to be
indistinguishable.


--
Barry

>No viruses? Phew, what a relief. But what about threats from
>"Trojans, PHP attacks and other malware"?
>
<snip>
>I looked up PHP attacks and one site had this to say:
>
<snip>
>Does this apply to Macs, or only PCs?

Neither ... it applies to web servers running PHP.

<http://en.wikipedia.org/wiki/PHP>

That *could* include MacOS machines, but the non-server versions of
MacOS do not have a web server (apache) or PHP installed or running
by default to my knowledge.


We have had customers whose Macintosh web servers were running PHP
and mySQL become hopelessly compromised via PHP exploits and
SQL-injection attacks. Just because something is running MacOS X
doesn't make it somehow magically immune from attack or compromise.
PHP is PHP, whether it is running on Linux, Windows, or a Macintosh.

To reiterate what Mr. Welch keeps repeating, this has nothing to do
with "viruses"... this isn't even "malware"... this is just
exploitable code running on a computer. Getting exploited in this
fashion sometimes leads to malware being installed, but more commonly
your compromised host just becomes used as a launching pad for
nefarious activity: FTP/"warez" servers, IRC relays, DoS Attack
platform, etc... usually all of the above.



--chuck goolsbee
digital.forest, Inc.
http://support.forest.net

On Fri, Jul 11, 2008 at 1:19 AM, Kirk McElhearn <kirkmcelhearn.com> wrote:
>
> Just wondering, do you "dial" your phone?
>

This is an interesting point. As someone that actually used a rotary
dial phone when I was younger I think I can speak to this. Does anyone
really use the term "dial" anymore? It's usually "I'm going to call
Jane/Pizza Hut/tech support." Even terms like "speed-dial" I haven't
heard in ages. It's been a long while since I've even hand entered a
phone number. When someone calls from a phone number I don't know and
I want to save the number I just create a new contact. When someone
that once used a phone you actually had to dial mostly thinks in terms
of people or places rather than numbers the term itself is, if not
dead, at least on life support.

--
Michael

On 7/11/08 12:47 PM, "Kirk McElhearn" <kirkmcelhearn.com> wrote:

> It's called "register". When you use different terms in different
> contexts according to the level of language. You say "virus" in a
> general context to a general audience; you say "PHP injection attack"
> to a specialist who understands it. The same as doctors simplify their
> language for patients.

You say that like the tech talking to the non-tech can magically divine what
the non-tech means. They can't. That would require "Telepathy" and that is,
as of yet, impossible. So when non-technical people say "I have a virus" and
that's not really what's going on, then you get problems.

I'm well aware of the linquistic concepts behind your points, even sans
sarcasm.

However, *at some point*, someone, somewhere, has to use a term correctly,
or why bother with anything beyond "It's sick, make it better, don't ask me
for further clarification, because "it's sick" is all you're getting"?

When someone writes an article for publication talking about things like
malware attacks, I find *absolutely* nothing wrong with expecting that
person to take a LITTLE more effort than 'none' to use, and, (here's a
bizarro concept), maybe even have a sidebar explaining the difference so
that the readers of the article who did NOT know the difference might
possibly LEARN something.

No, what am I saying? That's crazy talk. Technical people shall just have to
develop telepathy so we can finally know what is meant by "I've got a
virus". That's the only logical solution.

But hey look, I'm certainly right again.

--
John C. Welch

On 11-Jul-2008, at 02:37, Paul Atroshenko wrote:
> “Multiple vulnerabilites have been identified in PHP, which could be
> exploited by attackers to ...

> Does this apply to Macs, or only PCs


This applies to ANY machine running php and a publicly accessible
webserver. This means it applies to a very small percentage of Macs,
a very small percentage of PCs, and a very large percentage of
webservers.

--On July 11, 2008 9:47:55 AM -0700 Kirk McElhearn <kirkmcelhearn.com>
wrote:

> It's a shame that so many people on the Mac platform thing they are
> "low life-forms". Security companies do an awful lot to protect your
> Macs, even if you don't use their software, by helping find
> vulnerabilities.

The problem I have with many of these companies is that they usually
announce their findings in sensationalistic yet vague press releases. No
actual info just "look what we found! it's the end of the world! Buy our
stuff!"

Reminds me of used car salesman.

Of course at the other end are the application developers who downplay
every press release. "Nothing to see here...." Or they're like Apple and
don't say anything.

On 7/11/08 at 1:37 AM, patroshhotmail.com (Paul Atroshenko) wrote:

>No viruses? Phew, what a relief. But what about threats from
>“Trojans, PHP attacks and other malware”?

These are only a problem for the unwary user. Someone who pays
no attention to what they download or the source, is willing to
double click anything they download and supply the required
password without a thought as to why a password is being asked
for. With reasonable levels of caution, a bit of checking using
appropriate tools and staying current on possible threats using
forums like this one, there is no problem.

On Jul 11, 2008, at 1:37 AM, Paul Atroshenko wrote:

> Is there anything in the Mac environment similar to AVG and Spybot?
> Or should we all assume that the Mac is still invulnerable?

No one who is all knowledgeable about computers will say that the
Macintosh is invulnerable. But the next actual virus (as opposed to
malware) for OS X will be the first. Windows has quite a few viruses
and other sorts of malware, something over 180,000 !:
http://vil.nai.com/vil/default.aspx

When the first actual Macintosh virus appears, Macintosh users will
probably panic, and Windows users will probably gloat, but there will
still be only one, and there will still be many tens of thousands for
Windows. There is just no reason to get all panicky over the malware
situation if you use a Macintosh. Even if a virus were to appear,
the chances are excellent that it would be contained fairly quickly.

There are a bunch of AV programs for the Macintosh. Three just hit
the market fairly recently:
iAntiVirus $29.95 New!
http://www.iantivirus.com/

Here is a link to a story on MacNN about the
program iAntiVirus.
http://www.macnn.com/articles/08/06/28/iantivirus.beta.released/

FileDefense New!
http://www.subrosasoft.com/OSXSoftware/index.php?
main_page=product_info&products_id=204

Avast New!
http://www.avast.com/
http://www.avast.com/eng/avast-antivirus-mac-edition.html

Virex
<http://www.networkassociates.com/us/products/mcafee/antivirus/
desktop/virex.htm>

Norton Anti-Virus
<http://www.symantec.com/nav/nav_mac/index.html>

Sophos Anti-Virus
<http://www.sophos.com/products/es/endpoint-server/sav-mac.html>

Intego Virus Barrier X
<http://www.intego.com/virusbarrier/>

Authentium ESP Antivirus for Mac OS X
http://www.authentium.com/

ClamXav
http://www.markallan.co.uk/clamXav/index.php

Zebra Scanner (for Trojans only)
http://home.wanadoo.nl/denheyer/webpaginas/ZebraDocumentation.html

Drive Vaccine
http://www.horizondatasys.com/product_page.html?page_id=1#1
http://www.horizondatasys.com/231847.ihtml

MacShield
http://www.centuriontech.com/products/macshield/

Some users may not consider the last two products to actually be anti-
virus software. But they are marketed as such.

Zebra Scanner is free, but I'm not sure how useful it is to the
average user.

The only AV program, of the above, that is free, like AVG and Spybot,
is ClamXav. The problem with this program is that it seems that no
one is writing Macintosh malware definitions for it. You can search
its database here for the known Mac Trojans, like "Opener" or
"Renepo," and see if anything shows up. (Nothing will.):
http://clamav-du.securesites.net/cgi-bin/clamgrok
In addition, the ClamAV folks (ClamXav is a Macintosh port of ClamAV,
which is a UNIX program), don't, as far as I can tell, belong to the
organization that commercial AV software developers belong to where
they share newly discovered threats. So it is unclear whether
ClamXav will ever be updated to look for any Mac-specific threat that
arises, no matter how malicious and prevalent.

If you feel that you must have an AV program, you may want to check
out Intego's Virus Barrier. I've been using Virus Barrier for years
now, and it has been well-behaved and problem free. However, it has
also been just about totally unnecessary.

Randy B. Singer • Mac OS X Routine Maintenance • http://www.macattorney.com/ts.html

> Just wondering, do you "dial" your phone?

Not as much as I used to. Now I just call people

Hey, not me! I still "drop a dime" (it's not an obsessive thing, it's just..., you know)

:-)

On Jul 12, 2008, at 2:20 PM, Kevin van Haaren wrote:

> The problem I have with many of these companies is that they usually
> announce their findings in sensationalistic yet vague press
> releases. No
> actual info just "look what we found! it's the end of the world!
> Buy our
> stuff!"

Actually, I agree with Kirk. It's true that some of the AV
companies' press releases sound somewhat overblown, but I WANT an AV
company that is incredibly aggressive about looking for and finding
new threats, which quickly comes up with definitions to neutralize
them, and which lets me and everyone else know about it clearly and
promptly.

I can judge for myself if I think that they are over-reacting. (Of
course, it is mostly irrelevant if I already own their product. I
just get the latest AV definitions via push technology.) I assume
that, like every other company, that they want to sell their
product. And I think that's just fine and I can deal with that. But
I also think that the AV companies do a great service to the
computing community.

Randy B. Singer • Mac OS X Routine Maintenance • http://www.macattorney.com/ts.html

> Well, my message wasn't addressed to you in particular...
>
> Just wondering, do you "dial" your phone?
>
>
> Kirk

YES ! Kirk, I 'Dial my phone' constantly with a click of the mouse;
Turn Up the Volume on iTunes the same way; 'Sail to Bowen Is.' on a
diesel engined ferry... It goes on forever. AND whenever we notice
that communication has not worked out we have to change the phrase to
ensure that nobody gets overcharged; killed or defamed. ;-:-)

George

At 14:20 -0700 UTC, on 2008-07-12, chuck goolsbee wrote:

[... PHP attacks]

> it applies to web servers running PHP.
>
> <http://en.wikipedia.org/wiki/PHP>
>
> That *could* include MacOS machines, but the non-server versions of
> MacOS do not have a web server (apache) or PHP installed

True for Mac OS ;) but Mac OS X machines most definitely do. But Apache
(System Prefs->Sharing->Personal Websharing) is disabled by default and when
enabled it still takes 'manual' editing of /etc/httpd.conf before PHP is
available.


--
Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>

At 01:19 07/11/08 -0700, John C. Welch wrote:
>should you tell a tech/consultant you have hired to fix your computer that
>you have "a virus", when you actually have a PHP injection attack problem,
>they are going to waste a significant amount of time

If I tell a tech/consultant that I have a virus, then failure of the
tech/consultant to pin down what I really mean is incompetence. Heck, it
could be that my computer is unplugged, that some app is dancing in the
dock, etc. Part of a consultant's job is to determine what the client
needs, which may be quite different from what the client says.

>There is a reason for using correct terminology if one knows the
>difference, and that is, it makes issues involving those terms come to a
>proper resolution *much* faster.

Sure, but the operant word in that statement is "if". Trying to get all
users to understand technical distinctions is tilting at windmills. And it
is better to educate users about threats than to try to force those
technical distinctions down non-technical people's throats. (That the
article starting this thread had little educational value is unrelated to
what it meant by "virus".)

Edward
--
Art works by Melynda Reid: http://paleo.org

On Jul 12, 2008, at 5:20 PM, chuck goolsbee wrote:

>> No viruses? Phew, what a relief. But what about threats from
>> "Trojans, PHP attacks and other malware"?
>>
> <snip>
>> I looked up PHP attacks and one site had this to say:
>>
> <snip>
>> Does this apply to Macs, or only PCs?
>
> Neither ... it applies to web servers running PHP.
>
> <http://en.wikipedia.org/wiki/PHP>
>
> That *could* include MacOS machines, but the non-server versions of
> MacOS do not have a web server (apache) or PHP installed or running
> by default to my knowledge.
>

It's certainly installed (/usr/sbin/httpd) in 10.5.4

g5% apachectl -v
Server version: Apache/2.2.8 (Unix)
Server built: Mar 4 2008 21:37:02

and the php module is there

g5% locate libphp
/usr/libexec/apache2/libphp5.so

It's not turned on in /etc/apache2/httpd.conf, though

pbg4% grep php /etc/apache2/httpd.conf
#LoadModule php5_module libexec/apache2/libphp5.so

You turn on apache using System Preferences -> Sharing -> Web
Sharing. So in order to make yourself vulnerable to PHP exploits, you
at least have to make a change using a text editor.

--
Paul Schinder
schinderpobox.com

On 12-Jul-2008, at 15:20, Randy B. Singer wrote:

> Avast New!
> http://www.avast.com/

I use Avast! on my wintendo machine. It works very well, is free,
doesn't seem to interfere with anything, updates itself seamlessly,
did I mention it was free? and has caught a couple of trojans embedded
in some downloaded games.

> http://www.avast.com/eng/avast-antivirus-mac-edition.html


That link does not work, however.

<http://www.avast.com/eng/avast-mac-edition-product-details.html>

It appears that the free home use licenses available for Avast! 4 on
the PC are not available for Avast! Mac.

On 12-Jul-2008, at 15:20, Fritz Mills wrote:
> Hey, not me! I still "drop a dime" (it's not an obsessive thing,
> it's just..., you know)

I will still use various forms of 'here's a nickel, call someoen who
cares" or "drop a dime" even though, as far as I know, pay phones
where never a nickel or a dime in my conscious life. I remember them
being a quarter for a long time, and then they started to vanish.

These phrases, however, are more idiomatic than anything. Even though
I never paid a nickel for a phone call, the phrase is "Here's a
nickel..." and seemingly always has been.

As for 'dial' I don't say "I'm going to dial the phone' but then I
never said that. I will say, "I don't like this mobile phone, it's
difficult to dial new numbers with" or "Oh, I'm sorry, I must have
misdialed."

We did have rotary dial phones when I was growing up; and my father,
with his overly wide fingers, never liked the touch-tone phones so he
still had a rotary phone up into the late 90's.

On the other hand, thinking back, it's been an awfully long time since
I actually punched in digits to any phone. My mobile is synced with
my address book in OS X. When I am going somewhere new, the phone
number is generally on the GPS and the call is a single button away.
New numbers I generally get people to send them in email to add to my
address book or send them directly to the phone. When I'm at home, I
use Skype to call out, and the number never has to be keyed -- at
worst, copied and pasted.

> You say that like the tech talking to the non-tech can magically divine what
> the non-tech means. They can't. That would require "Telepathy" and that is,
> as of yet, impossible. So when non-technical people say "I have a virus" and
> that's not really what's going on, then you get problems.
>
> I'm well aware of the linquistic concepts behind your points, even sans
> sarcasm.
>
> However, *at some point*, someone, somewhere, has to use a term correctly,
> or why bother with anything beyond "It's sick, make it better, don't ask me
> for further clarification, because "it's sick" is all you're getting"?

Rather unfortunately, that's the level I frequently have to work at. My
family have anointed me the Mac guru of choice, and so I often have to field
questions like "My iphoto doesn't work; what's wrong?" When pressed for more
details, they'll often expand with such lucid and helpful clarifications as
"It won't come up." I'm then left to infer what is meant.

I agree with Kirk's observations about register (but then, I would; we both
learned, I believe, about such matters from Keith Richards), and I think
it's worth bearing in mind that while we do vary registers depending on
context (indeed, it almost approaches the level of code-switching at time),
the point of jargon is not simply to serve, as it clearly does to a certain
extent in fora such as this, as a shiboleth, but also to provide an
efficient and expedient means of conveying fact with precision and accuracy.

An agreed-upon set of terms is very useful. About ten years ago I had a
colleague at the Japanese university where I was teaching at the time badger
me to help her with her computer. She was notoriously potty, but eventually
she wore me down. "I've shokika-ed the head," she told me. "?" I replied,
quite speechless. "I've shokika-ed the head." This was not helpful. Finally,
she explained to me, with the patience of one addressing a slightly simple
child, that she'd learned that the Japanese for "reinitialise" was "shokika"
(she was, incidentally, Australian; that may explain much), and "the head"
was what *she* called the hard disc, because the default name of that volume
was "Macintosh HD." As clear, quite frankly, as about nine feet of lead with
the curtains drawn in front of it. Had she simply said "I've reinitialised
the hard disc," much time and several hours in a straitjacket could have
been saved.

I suspect that part of the problem is that computer literacy beyond "I've
downloaded the pictures from my camera" (which inevitably gets the reply
"No, you've *imported* the pictures; "download" specifically refers to a
file transfer from a server to your local computer ‹ not every file transfer
is a "download. You've learned a new computer word, and that's very special,
but it doesn't mean that you have to use it for *every* thing that your
computer does, any more than, having learned the word "engine," you would
use it to refer to every part of your car, including the wheels.") is deemed
irretrievably geeky and dweebish, and is, as a result, stigmatised in an
"Oh, no, I don't get the technicalities; I just want to use it" kind of way.
Being able to do home DIY is entirely reasonable, and indeed quite manly and
reputable. Car mechanics is slightly more geekish, but is still acceptable.
Knowing about computers is considered a necessary evil, as are people who
know about them. But actually talking about them ‹ well, that's just beyond
the pale.

No, telepathy is not possible. But massive levels of inference are, and,
failing that, oodles of experience and a willingness to say "Go and put the
coffee on; I'll take a look at it."

Steve

On Jul 12, 2008, at 2:20 PM, Michael Krzyzek wrote:

> Even terms like "speed-dial" I haven't
> heard in ages.

In Washington State, Qwest bills it as "Speed calling" (in particular
on the line where I have it is is "Discounted Speed Calling 8). And
yes, I should cancel it, but one of the rules for successfully dealing
with telcos is "never gratuitously call to make a change, because your
entire service may get messed up"). At $1 per month, it's better to
leave it alone.

I'd do it on line, but my on line account currently has a service
listing that in no way matches what I have (and what I have is the
same as what it was when I created the account except that DSL has
been added. and it was right initially).

   --John

In terms of semantics for what it's worth I have sometimes used Gremlin, it
has a nice haunting feel about it and it is of course all pervasive. And at
the
end of the day it is the usage that gives a word its meaning.

Cheers