[LINK] Mac porn hackers lay booby trap

Mon Jun 15 21:00:55 AEST 2009

Mac porn hackers lay booby trap
Asher Moses
June 15, 2009 - 11:53AM
SMH
http://www.smh.com.au/news/digital-life/laptops/articles/mac-porn-hackers-lay-booby-trap/2009/06/15/1244917969969.html

Security experts have discovered two new pieces of malware targeting 
Apple computers, putting paid to the company's claims that Mac users do 
not have to worry about viruses and security software.

The attacks - dubbed OSX/Tored-A and OSX/Jahlav-C - were discovered in 
email messages and on popular internet porn sites. The porn site attack 
directs users to download a "missing Video ActiveX Object" in order to 
view a pornographic film, but instead victims are hit with a virus 
enabling attackers to control their computer.

Graham Cluley, a computer security expert with Sophos, which discovered 
one of the attacks, said Mac users had become complacent after years of 
not having to worry about malware threats.

"As we've demonstrated before, and as we'll no doubt explain again, the 
Mac malware threat is real," he said.

"Hackers are deliberately planting malicious code on websites, and using 
social engineering tricks to fool you into installing it onto your 
computer."

Last year, Apple updated one of its support advisories, recommending 
customers run anti-virus software. After a torrent of negative online 
articles about the issue, Apple removed that page, arguing that Macs 
provide protection against security threats right out of the box.

Ira Winkler, president of the US Internet Security Advisors Group, wrote 
in a recent article that Apple should be investigated by US authorities 
for claiming in advertisements that Windows PCs are vulnerable to 
viruses and Macs are not.

He noted Apple had not issued an update to plug a serious Mac software 
hole six months after the hole and a fix was discovered.

"How can Apple get away with this blatant disregard for security?" he said.

"Its advertising claims seem comparable to an automobile manufacturer 
implying that its cars are completely safe and its competitors' cars are 
death traps, when we all know that all cars are inherently unsafe."

Winkler said although cyber criminals targeted Windows far more than 
Macs due to the greater number of potential victims, Apple could no 
longer rely on "security through obscurity".

Earlier this month, security consultant Rich Mogull wrote on his blog 
that Apple was struggling to protect users against malware and other 
online threats. He suggested a number of improvements such as appointing 
a chief security officer and establishing a security response team.

"Based on a variety of sources, we know that Apple does not have a 
formal security program, and as such fails to catch vulnerabilities that 
would otherwise be prevented before product releases," he wrote.

On a website devoted to security features of the next update to its Mac 
OS X operating system, Snow Leopard, Apple says built-in technologies 
provide malware protection out of the box, but advises "antivirus 
software may offer additional protection".

Cluley did not believe Apple was being honest with that description: 
"Seeing as the [porn site] attack ... is not taking advantage of any OS 
vulnerabilities and just exploiting human weakness, I think Apple would 
be wise to change that 'may' to a 'will definitely'."

-- 

Regards
brd

Bernard Robertson-Dunn
Canberra Australia
brd at iimetro.com.au