Mac Rogue AV, Mobile Security Lead Week's Security News

Apple's announcement that it will provide a fix for the MacDefender family of fake antivirus scams and the rising concerns about mobile security in general dominated IT security news for the week of May 23.

Several security firms, including ESET, Intego and Sophos, raised the alarm beginning earlier this month about the proliferation of fake antivirus programs specifically targeting the Mac OS platform.

These scareware programs worked in the same way as the PC variants, with users being told their computers were infected with numerous viruses. Users were scammed into entering a credit card number to buy bogus security software that did nothing after being downloaded.

Multiple versions emerged, with names such as MacDefender and Apple Security Center, each one looking like legitimate Mac software, and some are more sophisticated than others. ZDNet's Ed Bott published documents and transcripts that indicated that Apple was specifically instructing its support employees to not help users with MacDefender or to give any information about how to remove the software.

"Cyber-criminals will continue to target Mac users because they are currently a 'soft target'," Graham Cluley, senior technology consultant at Sophos, told eWEEK. Mac users have been told so often that Macs don't have viruses that they are now highly vulnerable to attack.

Apple finally broke its silence this week, posting a support document with instructions on how to remove the rogue application if the user has downloaded it. Apple also promised to roll out an update to Mac OS X that would automatically detect and remove known variants of the scareware.

Users appear to be a little bit more aware about Mac security, as an unscientific Facebook poll of 968 people found that 89 percent would tell their friends to install an antivirus on the Mac.

Now if only that level of awareness would seep into the mobile device arena. A recent study from McAfee and Carnegie Mellon University found that even though 95 percent of surveyed companies had mobile security policies in place, 66 percent of employees weren't aware of them.

Users weren't running any kind of security software, weren't backing up data more than once a week and were storing sensitive information, both personal and work-related, on their mobile devices. Businesses need to be using location-tracking tools to track down lost devices and enforce security policies to control what kind of software can be installed on mobile devices, the survey found.

Following up on last week's news where a team of security researchers found that an authentication flaw allows attackers to access Google services from Android devices, it came out this week that login cookies are also quite vulnerable.

A security researcher demonstrated "cookiejacking," where he could use a game to trick users into exposing the contents of their cookie files, giving attackers the information needed to access user accounts. Cookiejacking exploits a zero-day vulnerability in Internet Explorer. Another researcher found a way to use LinkedIn cookies to access people's accounts on the professional networking site without a password.

There was a very depressing finding from a vendor survey this week. According to the GlobalSign survey, companies were focusing more time on being regulatory-compliant than they were with making sure they had strong security measures in place. Being compliant did not protect them from data breaches, with nearly one-third claiming they had experienced a records data breach within the past two years.