Mac Security, Landsharks, Social Engineering, and Situational Awareness

The Landshark is a devious species.

There is a new social engineering scheme out there for attacking Macintosh OS X. If Safari (or any browser you’re using for that matter) suddenly pops open a dialog that says that your computer has been compromised in some way, ignore it. Under no circumstances should you do what it asks you to do. Do not allow it to download software. If you’ve already downloaded the software, do not install it.

These attacks are extremely common for Windows and you’ve probably seen them from time to time on your Mac. They allege that your computer’s security has been breached and that you need to allow a scan of your computer. This, however, is the first one that I am aware of that actually carries a payload for attacking the Mac.

It carries a Trojan Horse: “…Unlike a virus, or worm, a Trojan is a program that YOU install, and YOU give permission to run. You may not realize you’re doing it because they can be tricky, impersonating normal operations….” Keep in mind, when the Trojans opened the gates and pulled the horse full of Greek soldiers inside, they had no one to blame save for themselves. The gates were fine.

This is the Landshark of security attacks. If you put 5 extra strong deadbolts on your door and the landshark shows up, knocks on your door, and says “Candygram,” or “Avon Calling” or whatever and you open the door, YOU WERE THE THING THAT GOT HACKED. Not the door, not the locks. By the same token, if you go to a website and it convinces you to download a security scanner for your computer, you got hacked. Not your Mac, not your PC. This is called “social engineering.”

“Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using complex technical cracking techniques.” – Wikipedia

Macs and PCs have become increasingly difficult to hack directly. The weakest point in security is and always has been the squishy thing just above the keyboard. This is the world you live in now. Attacks via hostile websites are the number one way computers are compromised. Even if you run security software, if you open the kimono, you’re gonna get fracked.

“…A study by Google researchers analyzing fake AntiVirus distribution found that up to 90% of all domains involved in distributing fake antivirus software used social engineering techniques…”

Bogus Security Scan Files don't even exist on Mac

This “Apple Security Center” attack tries to install “MACDefender.” A website will attempt to trick you into downloading it, and Safari or Firefox or whatever will dutifully ask you if you really want to download it, giving you another chance to activate that brain of yours. Once downloaded, if you attempt to install it, OS X will give you one last chance to come to your senses. It will tell you that the item you’re about to open came from the Internet. If you say yes, and type in your password, it gets installed. From that point on you will notice that your computer has developed a strange predilection for taking you to porn and other unsavory websites. It could be worse though. For all you know, the version you download might have a keystroke monitor in it, and as you log into your bank, it records your username and password and transmits that to China.

These attacks also come via email. By now, no one should have to tell you to not click on links in email messages, especially from unknown sources.

Trust me. You did not just win an iPad.

It looks awfully real

MACDefender is targeting Mac users through a process called “SEO Poisoning.” SEO is “Search Engine Optimization.” SEO is the practice of learning how search engines work and gaming the system to get your website pushed to the top of certain search results. It’s already a tacky practice but using it to push malware sites to the top of popular searches is despicable. You can’t even trust search engine results anymore.

You should NEVER EVER EVER let a website work on your computer. Avoid those “We can make your computer go faster” websites. They cannot.

Only download Anti-Virus software from reputable companies. The only one I trust right now is ESET. I believe ESET Cybersecurity for Macintosh is evolving into the best security software for the Mac, but I generally keep it turned off. The threat level is still too low to warrant the additional overhead.

Their address is http://www.eset.com/. Buy it and install it if it makes you feel better. Remember though, it can’t compensate for your behavior.

I also tend not to give clients the administrator password to their own computers. I give them a standard account instead. I write the administrator’s username and password down, seal it in an envelope, and stick it in a drawer to force them to think about why they need it. I even work in a non-privileged account on my own computer. You can become numb to being asked over and over for your password. Having to remember a different username and a complex password is a good way to jumpstart your brain on occasion. Also, Safari has an option under General preferences for opening safe files. Make sure it is turned off.
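Both settings can be checked from Terminal. The script below is an added example, not part of the original post; it assumes administrators are members of the macOS `admin` group and that Safari stores the option as `AutoOpenSafeDownloads` in the `com.apple.Safari` domain (if the value cannot be read, it is reported as unset).

```sh
#!/bin/sh
# Added example: audit the two settings recommended above.
# Assumptions: administrators belong to the macOS "admin" group, and Safari
# stores the "open safe files" checkbox as AutoOpenSafeDownloads.

# is_admin_groups "<space-separated group names>": succeeds if "admin" is listed.
is_admin_groups() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# safe_files_state "<value printed by defaults read>": prints on, off or unset.
safe_files_state() {
    case "$1" in
        1|true|YES) echo "on" ;;
        0|false|NO) echo "off" ;;
        *)          echo "unset" ;;
    esac
}

# audit "<groups>" "<pref value>": prints findings, succeeds only if both are fine.
audit() {
    findings=0
    if is_admin_groups "$1"; then
        echo "WARN: this account is an administrator; do daily work in a standard account"
        findings=$((findings + 1))
    else
        echo "OK: this account is a standard account"
    fi
    case "$(safe_files_state "$2")" in
        off) echo "OK: Safari will not open downloaded files on its own" ;;
        on)  echo "WARN: Safari opens 'safe' files after downloading; turn it off"
             findings=$((findings + 1)) ;;
        *)   echo "CHECK: setting not readable; look in Safari's General preferences"
             findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# On a Mac, audit the live system; elsewhere nothing runs.
if command -v defaults >/dev/null 2>&1; then
    audit "$(id -Gn)" \
          "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)" || true
fi
```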

Understand that as you are the primary target of malicious attacks on your computer, you are consequently the primary defense. The best thing you can do is pay close attention to what is going on. Rule out online security scans. That is simply not an option. Rule out online computer repair. Assume it’s a trick. Yes, there are some real versions of these things; however, if you cannot tell the difference, assume they are all bogus. Develop an intuition about things. You might type in your password when setting up an account with a service, or when logging into the service, but that service is never going to send you an email and ask what your password is.

Don’t install pirated software, especially software downloaded from the Internet. That’s just asking for it. Even things like pirated music can be disguised. Consider that people who are willing to provide you with ill-gotten intellectual property are not ethical to begin with.

POOR SITUATIONAL AWARENESS

There is a concept known as SA, or Situational Awareness. It is taught to people in dangerous, hostile, and safety-critical environments. It is taught to people like spies, Army Rangers, Navy SEALs, inner-city school children, and nuclear reactor employees.

“…Situation awareness (SA) involves being aware of what is happening around you to understand how information, events, and your own actions will impact your goals and objectives, both now and in the near future. Inadequate SA has been identified as one of the primary factors in accidents attributed to human error (e.g., Hartel, Smith, & Prince, 1991; Merket, Bergondy, & Cuevas-Mesa, 1997; Nullmeyer, Stella, Montijo, & Harden, 2005). Thus, SA is especially important in work domains where the information flow can be quite high and poor decisions may lead to serious consequences (e.g., piloting an airplane, functioning as a soldier, or treating critically ill or injured patients)…”

EXTREMELY POOR SITUATIONAL AWARENESS

These days, using the Internet is a grown-up activity, notwithstanding all the LOLCATS. A healthy dose of Situational Awareness is a good thing. Remember, during the Windows era, they pretty much only attacked Windows. In the post-Windows era, it’s open season on all of us.
