Apple's announcement that it will provide a fix for the MacDefender family of fake antivirus scams and the rising concerns about mobile security in general dominated IT security news for the week of May 23.
Several security firms, including ESET, Intego and Sophos,
raised the alarm beginning earlier this month about the proliferation of fake
antivirus programs specifically targeting the Mac OS platform.
These scareware programs worked in the same way as the PC
variants, with users being told their computers were infected with numerous
viruses. Users were scammed into entering a credit card number to buy bogus
security software that did nothing after being downloaded.
Multiple versions emerged, with names such as MacDefender and
Apple Security Center, each one looking like legitimate Mac software, and some
are more sophisticated than others. ZDNet's Ed Bott published documents and
transcripts that indicated that Apple was specifically instructing its support
employees to not help users with MacDefender or to give any information about
how to remove the software.
"Cyber-criminals will continue to target Mac
users because they are currently a 'soft target'," Graham Cluley, senior
technology consultant at Sophos, told eWEEK. Mac users have been told so often
that Macs don't have viruses that they are now highly vulnerable
finally broke its silence
this week, posting a support document with
instructions on how to remove the rogue application if the user has downloaded
it. Apple also promised to roll out an update to Mac OS X that would
automatically detect and remove known variants of the scareware.
Users appear to be a little bit more aware about Mac
security, as an unscientific Facebook poll of 968 people found that 89 percent
would tell their friends to install an antivirus on the Mac.
Now if only that level of awareness would seep into the
mobile device arena. A recent study from McAfee
and Carnegie Mellon University
found that even though 95 percent of
surveyed companies had mobile security policies in place, 66 percent of
employees weren't aware of them.
Users weren't running any kind of security software, weren't
backing up data more than once a week and were storing sensitive information,
both personal and work-related, on their mobile devices. Businesses need to be
using location-tracking tools to track down lost devices and enforce security
policies to control what kind of software can be installed on mobile devices,
the survey found.
Following up on last week's news where a team of security
researchers found that an authentication flaw allows attackers to access Google
services from Android
devices, it came out this week that login cookies are
also quite vulnerable.
A security researcher demonstrated "cookiejacking
where he could use a game to trick users into exposing the contents of their
cookie files, giving attackers the information needed to access user accounts.
Cookiejacking exploits a zero-day vulnerability in Internet Explorer. Another
researcher found a way to use
to access people's accounts on the professional networking
site without a password.
There was a very depressing finding from a vendor survey
this week. According to the GlobalSign
survey, companies were focusing more time on being regulatory-compliant than
they were with making sure they had strong security measures in place. Being
compliant did not protect them from data breaches, with nearly one-third claiming
they had experienced a records data breach within the past two years.