Earlier this week, we reported that the first iPhone worm had been created. It was called “ikee,” and all it did was change the default wallpaper on devices to an image of Rick Astley with “ikee is never going to give you up” printed across the top. It was relatively harmless, if annoying, and the hacker responsible claimed that it was more of a warning than anything else.

Hopefully many heeded that warning, since now a new virus has surfaced that uses the same M.O. as ikee, but that has a much more malicious intent and effect. Specifically, the new malware mines personal data from your device, using the very same exploit ikee revealed earlier in the week.

The new worm, dubbed “iPhone/Privacy.A” by digital security firm Intego, affects only jailbroken iPhones, and grabs things from your device like address book contacts, text messages, photos, music, video, calendar entries and email messages. Basically, almost anywhere it can look for sensitive data, it will. The virus doesn’t seem to be able to access information stored by other applications on your iPhone, like password managers, but if you’re affected, the only safe course of action is a full wipe and restore.

Theoretically, according to iPhone security researcher Charlie Miller speaking to Computerworld, attacks based on the same exploit could do more than just mine data. Running up your phone bill, sending out bulk text messages and spamming your contacts are all well within the realm of possibility. Miller goes on to describe how easy it would be for a hacker to infect a device:

This could easily be installed on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network. Or a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the Wi-Fi network in search of data.

In order to secure your device against this kind of attack, there are a few options. First, change the default SSH password if you haven’t already. So far, that appears to be the easiest way to foil attempts to infiltrate your jailbroken device. The best way to prevent this and any kind of future attack along the same lines, however, is to not jailbreak your device in the first place, or to restore it to factory settings if you’ve already jailbroken. Of course, for many who use their devices with carriers who don’t officially offer the iPhone, that isn’t an option.

Miller suggested that Apple may want to consider re-engineering its security measures to account for jailbroken devices, but as that would mean tacitly acknowledging and even accepting a practice it stridently disapproves of, I think the best bet for jailbreakers is just to shut down all SSH access, if possible.

Safari version 4.0.4 is now available, the 30MB update promising improvements to “performance, stability, and security.”

Regarding security, the update addresses several potential “maliciously crafted” attacks–are there such things as benevolently crafted attacks? One uses a color profile, which is inventive, if evil. Others use XML, shortcut menus, or the user’s desire to visit web pages or FTP sites of questionable virtue.

Sadly, as the Mac gains greater popularity, the mantra of “security through obscurity” becomes less and less reassuring. This is one area where Microsoft Windows and Internet Explorer may end up having an actual advantage over OS X and Safari, Windows having been forced to exist in a state of siege for so long.

As for improvements to stability and performance, it’s not just the usual boilerplate text included with the update this time. Besides supposed stability improvements for third-party plug-ins, the search field, and Yahoo! Mail, Safari 4.0.4  has “improved full history search performance for users with a large number of history items.” I’m one of those users, and I would cringe when going to “Show All History” and using the realtime search box. The first few letters would stall Safari every time, not so much now.

Safari 4.0.4 also improves JavaScript performance. Running the SunSpider JavaScript Benchmark, Safari 4.0.4 is 1.08 times as fast version 4.0.3 overall, with “significant” increases in many tests.

Finally and most importantly, Safari 4.0.4 does not break ClickToFlash. Upgrade (and restart) away.

Microsoft issued updates for Office 2004 and 2008 covering security issues for both versions, as well as an XML conversion tool. The Office 2008 update also includes a number of minor fixes to enhance stability.

Regarding security, both updates address vulnerabilities “that an attacker can use to overwrite the contents of your computer’s memory with malicious code.” Opening a “specially crafted” Word or Excel file could grant the attacker the same user rights as the local user, including administrative rights if applicable. The XML Conversion Tool was also updated to address this issue.

The 12.2.3 update for Mac Office 2008 update also focuses on stability. In Word, general crashing issues have been addressed. The update also fixes the annoying text-spacing bug when opening some Windows Office documents. For Excel, crashing issues when using PivotTables has been addressed. PowerPoint also addresses stability. Apparently, Entourage is stable enough, though there is a new junk mail definition file. Finally, Microsoft Document Connection for the Mac gets several minor upgrades and fixes.

While this minor update is welcome, many Mac Office users are waiting for information about, if not an actual release of, Outlook for the Mac. In August, we learned Mac Outlook will be out by Christmas 2010, will be built from the ground up using Cocoa, and will have many features we desire, but since then nothing. How about an update on that?

The first iPhone worm has been discovered. It comes to us via Australia, and appears to be limited to that country for now, although it has the potential to spread. It also stars Rick Astley, so to speak. The work changes the iPhone’s wallpaper to an image of the 1980s pop singer, who’s enjoyed a recent resurgence thanks to the Rick-rolling Internet phenomenon.

The worm has the ability to break into jailbroken iPhones only. Even if you’ve jailbroken, you still aren’t vulnerable unless you’ve also installed SSH, and not changed the default password after doing so. As a result, only a small fraction of the larger iPhone community is probably susceptible to the “ikee virus,” as it is called in its own source code.

Still, it shows that as the platform matures and becomes more widespread, it also becomes the target of more malicious attacks. Most hackers, like any businesspeople, are interested in the bottom line, and part of that involves targeting the largest group of people possible. With millions of users worldwide, the iPhone is definitely an appealing mark. ikee’s creator, a hacker calling himself “ikex,” cites a different explanation for this particular worm’s creation:

Why?: Boredom, because i found it so stupid the fact that on my initial scan of my 3G optus range i found 27 hosts running SSH daemons, i could access 26 of them with root:alpine. Doesn’t anyone RTFM anymore?

In the case of this worm, which only changes the background wallpaper to the Astley photo with the slogan, “ikee is never going to give you up” across the top, Graham Cluley of SophosLabs suggests it’s really only an experiment:

The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments berates affected users for not following instructions when installing SSH, because if they had changed the default password the worm would not have been able to infect them.

While not dangerous in and of itself (it actually sort of provides a service by reminding users to take precautions), it could open the door for similar programs with less innocuous payloads. Hopefully, jailbreak users will learn from the experience and be prepared if someone more sinister tries to do the same thing again.

It’ll be interesting to see whether Apple latches onto this as a means to further decry the evils of jailbreak. If it leads to more serious exploits, it definitely would constitute a good reason to stay on the straight and narrow. In either case, expect to see more security concerns surrounding the iPhone as it continues its commercial success.

Security firm Symantec is warning computer users about a new Mac-specific Trojan that deletes files on the user’s hard drive, according to Techworld.com. It has dubbed the piece of malware “OSX.Loosemaque,” and uploaded a YouTube video of how it goes about its nefarious purpose.

Basically, it’s a Space Invader clone wherein when you kill an alien, a file in your home folder is deleted. It looks like it’s evil — and designed to perform such a task without the knowledge of the Mac owner on which the program resides. But it isn’t. It’s an art project that clearly advertises its purpose and nature to all who would wish to use it.

The game, dubbed Lose/Lose, is the brainchild of Zach Gage, who created the program as part of an online art installation and released it for public download in September. It’s intended purpose is not to dupe unsuspecting gamers, but to pose questions about the relationship between killing in video games and real-life moral issues. Gage says as much in a statement on his web site:

By way of exploring what it means to kill in a video-game, Lose/Lose broaches bigger questions. As technology grows, our understanding of it diminishes, yet, at the same time, it becomes increasingly important in our lives.

Even if a user were to download the game from a different, less well-intentioned place, the game itself warns users right when it opens, stating that “Killing in Lose/Lose will likely result in files on your hard drive being deleted. You have been warned.” Of course, that doesn’t mean that an intelligent programmer couldn’t remove or change said message, and redistribute the game themselves with the intent of causing harm.

That’s what Symantec’s worried about, and why the firm decided to issue its warning about the so-called Trojan. Of course, the company took the opportunity to recommend installing security software as a means to protect against this kind of dangerous artistic expression, seeing as that’s the business it’s in.

Should you worry about this game or threats derived from it? Not unless you are one of the slim few whose retro Mac gaming addiction is so acute that you feel the need to hunt around the digital frontier in suspicious and shady locations looking for independent games of questionable quality and without any sort of legit distribution channels. Or if you happen to be a devoted patron of the arts, and therefore can’t resist the urge to download software you know full well will harm your computer and destroy your files, all for the sake of the artistic effect it has. In either case, anti-virus software won’t help.

Think affiliate programs are solely the province of SEO firms and experts? Think again. There’s such a thing as a malware affiliate program, and a very recent one targets Mac users specifically. It’s a sign that cyber-crime is beginning to target Apple more aggressively than it has in the past.

ZDNet.com reports that a group called the “Partnerka,” which consists of Russian spam and malware affiliates, have begun to focus on the Mac. Their tactics involve using social engineering tricks (read: preying on human weakness) to install fake codecs and scareware programs (the kind that pressure you into installing and paying for bogus single purpose anti-malware software).

The plans and methods of the “Partnerka” were revealed at the Virus Bulletin Conference 2009, where Sophos Labs researcher Dmitry Samosseikko talked about a site called Mac-codec.com which has since been taken down, that offered a bounty of 43 cents for each successful installation of malicious software on a Mac computer. According to Samosseikko, that’s a high price, and indicates that the Mac malware game is becoming more attractive to online crime organizations.

Even though the site is gone, the threat is not. These malware schemes work because they offer something many Mac users might be looking for. Partnerka’s Mac-codec.com was offering video players and fake video codecs that attempt to draw in people trying to playback video they’ve downloaded somewhere on the web. Previous DNS-changing trojan malware attempts depended on porn video lures.

Focus on the Mac platform might be growing for online criminals, but most malware plots still require you to make the first move. To help protect yourself from fake and harmful codecs, use Perian and VLC, and if your video still won’t play back, just give up altogether. No video content is worth the theft of your private data, after all.

Do you disguise your MacBook as a security measure? A couple of computer case makers think it’s an effective strategy.

Mitemite’s Newspaper MacBook Sleeve is a computer bag made from plasticized fabric and designed to thwart computer theft by camouflaging your MacBook Pro as a folded newspaper. The sleeve measures 37.7cm x 27.5cm x 3.4cm and is available masquerading as any of five different newspapers in various languages (including the Herald Tribune in English).

The sleeve incorporates a removable zip/metal chain handle and sells for €60 or roughly $86 plus shipping.

The MiteMite sleeve is getting some competition from a Rome, Italy, based artisan firm called ItaliaCraft which is also offering a newspaper motif sleeve for the MacBook Air.

The custom made ItaliaCraft sleeve is woven in slightly off-white non-bleed cotton/linen blend fabric pre-washed by the craftsperson, with black linen padded backing and double-stitched with high quality German thread and with all inner seams serged flat. No wool is used in order to limit static electricity.

The ItaliaCraft sleeve can also serve as a comfort pad when you’re using the computer on your lap. Free monogramming is also offered.

The price is $62.00 and international flat rate shipping is available for as little as $8.

I expect this ploy might actually work. Nobody steals old newspapers or pays much attention to piles of papers in general. When my daughter was at university, her apartment was broken into and robbed. She lost her digital camera and several other minor valuables, but the most valuable item in the apartment, her then-new white G4 iBook, which happened to be stacked in a pile of papers in plain sight, went unnoticed by the thief, which was cause for a bit of mitigating satisfaction.

Potential flaws in the strategy might be greater risk of misplacing the sleeve with MacBook in situ, or the more horrific possibility of an over-zealous cleaner-upper including the faux newspaper with a pile of real newspapers headed for recycling or the landfill. I think I recall someone reporting something like that happening with one of the early MacBook Airs, and it wasn’t even in a camouflage case — just buried in a pile of papers that got chucked.

Cheaper alternatives, although not as elegant or protective, would be to carry a MacBook Air in a FedEx box or envelope, one of those kraft button & string closure portfolio envelopes, or even a pizza box, although the latter would pose an even greater hazard of being mistaken for actual garbage.

What do you think? Brilliant idea or gimmick?

Just over a month since Safari 4.0.2 made its way into Software Update, Safari 4.0.3 has arrived for Mac and Windows. The update weighs in at 40.5MB and will require a restart.

In addition to the boiler plate “improvements to stability, compatibility and security,” Safari 4.0.3 purports to address:

• Stability improvements for webpages that use the HTML 5 video tag
• Fixes an issue that prevented some users from logging into iWork.com
• Fixes an issue that could cause web content to be displayed in greyscale instead of color

Additionally, security content includes several fixes relating to visiting a “maliciously crafted website” where unexpected arbitrary code execution hijinks may ensue. For those like myself who use Top Sites, without this update it is possible for a “malicious website to promote arbitrary sites into the Top Sites view through automated actions.” This could be used to facilitate a phishing attack, or possibly get you in trouble with a spouse if porn thumbnails starts showing up in your Top Sites.

Days after the SMS vulnerability was reported, in which a single character could be used to crash or even take over an iPhone, Apple has released a single-purpose update.

The Knowledgebase Article makes it sound as potentially bad as it is.

Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution

Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue.

All iPhones were vulnerable to attack, regardless of OS version. The only defense from having your personality rewritten or being possessed by a ghost was to shut the phone off, which was hardly practicable. While it’s always nice to see Apple give credit to the those who discover an exploit, it’s unfortunate it took the researchers going public to get the company to move on this issue.

Cybersecurity researchers Charlie Miller and Collin Mulliner claim they can bring down your iPhone by sending it just a single “unusual” character, according to Forbes, which first published news of the exploit earlier this week.

A single square character or a series of “invisible” messages can be used to confuse an iPhone, leaving it open to hackers. The exploit affects all models of iPhones, running all versions of the iPhone OS. The only way to protect the phone from attack is to shut it down.

“Someone could pretty quickly take over every iPhone in the world with this,” said Miller. After running the exploit, a hacker has control over any of the iPhone’s features. According to Forbes, this includes “dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.”

Unlike previous exploits, this one doesn’t require the user to do anything, and can strike at any time. The only prerequisite is that the iPhone is connected to a cellular network. Miller and Mulliner say they informed Apple of the exploit “more than a month” ago, but so far, the company has not issued a patch to close it. Forbes adds that Apple didn’t respond to “repeated calls” seeking comment.

“I’ve given them more time to patch this than I’ve ever given a company to patch a bug,” Miller told Forbes. “As a researcher, I can only show [Apple] the bugs. It’s up to them to fix them.”

Miller is no stranger to exposing security flaws in the iPhone. In 2007, he identified a browser exploit that also gave hackers similar control over a user’s iPhone. Miller and Mulliner are expected to publicize details of the latest flaw today at the Black Hat digital security conference in Nevada.

When June 17 comes around, iPhone customers will definitely want to upgrade to the latest iPhone 3.0 software to take advantage of huge improvements with Apple’s oft-discussed MobileMe service.

iPhone 3.0, Where Are You?

If you are like me, losing things (it happens to all of us) is unfortunately common. While I haven’t lost my iPhone yet, I’ve had it happen to many friends. With the 3.0 software, Apple has introduced a new feature called Find My iPhone which will allow MobileMe customers to log into me.com via any Internet-enabled computer and remotely locate their phone via the iPhone’s built-in GPS (or through cell phone triangulation on the original iPhone).

Additionally, users can now remotely display a message on their iPhone with the intention of alerting whomever may find their treasured mobile device. In case the screen isn’t attention-getting enough, users also have the ability to play a sound that will override the iPhone’s silent setting to make it easier to find a lost or misplaced phone.

Sometimes, however, bad things happen and you may not be able to retrieve your iPhone. In this case, Apple provides a solution that will allow a user to remotely wipe everything on their device, preventing the nefarious person who has acquired your iPhone from being able to do any real damage. In one click on the MobileMe web site, all of your personal information, including addresses, phone numbers, photos, email and more are deleted from your iPhone. If you eventually find your iPhone after you’ve wiped it, simply plugging it back into your Mac or PC will allow it to restore from its latest iPhone backup.

iDisk Now On iPhone

In other news, Apple announced that iDisk support will be coming soon to the iPhone. A free application will be available on the App Store that will allow you to browse content from your iDisk. You can also share content from your iDisk to friends and family via email, all from your phone. Since the iPhone features built-in support for a variety of formats, including Microsoft Office and iWork documents, you can browse these as well. Editing these documents, however, is not supported at this time.

Public iDisk folders are also supported, both in terms of allowing you to browse other public folders as well as other users uploading content to your own public folder, which you can then browse from your phone.

These features are iPhone 3.0 OS and MobileMe dependent. Find My iPhone & Remote Wipe will be available on June 17 and iDisk support will be available at a later, unannounced, date.

iTunes 8.2 became available for anyone and everyone with a Mac, not just developers, late yesterday. A pre-release version of the update has been available to registered iPhone developers since the release of iPhone OS 3.0 beta 4 a few weeks ago, and is required for those hoping to run the 3.0 software on their Apple handheld devices. The release at this time strongly suggests that iPhone OS 3.0 will go live very soon, possibly immediately following the WWDC keynote speech taking place next week.

Aside from adding support for the upcoming firmware revision, the iTunes 8.2 update also brings the usual stability enhancements and bug fixes, including a security patch involving “itms:” links used to open iTunes locations from the web. Parsing the URLs could lead to a stack overflow or arbitrary code execution, which would allow an attacker to completely take over the iTunes process.

QuickTime 7.6.2, which became available alongside the iTunes update, also patches security flaws…10, in fact, all of which involve crashes or arbitrary code execution resulting from viewing malicious content.

A third update, GarageBand 5.0.2, improves the artist lesson purchasing experience, and allows access to installed jam packs in the loop browser. As with most Apple updates, it also includes various security fixes and bug squashes.

The iTunes update has arrived a little early, considering Apple has yet to release or announce the official release date of iPhone OS 3.0, but it’s probably just being smart about a major software update and spacing things out so that its servers can better handle the load when the millions of iPhone users rush to download the firmware revision at the same time. Hopefully, by staging releases, it will avoid the kind of frustrating experiences that accompanied the release of iPhone firmware 2.0 last year.

Some users are already reporting issues with the new updates, including odd behavior from iPhones running the latest firmware beta and iTunes 8.2 final, and a bug wherein a considerable number of songs went missing from one person’s library.

I actually have yet to install the iTunes 8.2 update. While the other updates show up for me without issue, I can’t get Software Update to find the iTunes update. I thought maybe this was because I had the latest pre-release version already installed, but others with the beta seem to have been able to install. My MacBook, which hasn’t been updated with the latest test build, detected and installed the new version without problem. Let us know if you’re having any issues with any of these updates.

It may not have the charitable underpinnings of the One Laptop Per Child (OLPC) initiative, but Ivan Kristic couldn’t have asked for a better follow-up job than at Apple. Cupertino just snatched up Kristic following his time at OLPC, where he was the architect behind the Bitfrost security specification. He wrote about his new job in a post on his personal blog Monday, and began work at Apple on the same day.

Bitfrost was responsible for password protection, prevention of data loss, hard drive encryption and security updates for the OLPC, which, while not a specific target for hackers, did take an innovative approach to security that Apple could be very interested in learning more about. Somewhat like Google’s Chrome browser, Bitfrost runs every active program on a computer in its own virtual OS instance. As a result, a virus or malware in one program can’t hop to another, or infect the computer’s core files and spy on sensitive data.

The new hire could mean that Apple is looking for ways to safeguard its reputation for better security not just now, but in the future, too. Recent advertising efforts show that it considers its lack of security issues one of its primary selling points. At the same time, Apple must be aware that if its user base continues to grow, hackers will become more and more likely to target OS X vulnerabilities, and that reputation could quickly evaporate.

An innovative, compartmentalized approach to security like the one used by Bitfrost could go a long way to making sure Apple is perceived as a security leader even if user numbers shift in their favor. Don’t expect new measures to be implemented anytime soon, though. Kristic is probably coming on board now in order to work on solutions that will be implemented in whatever OS installment takes shape after Snow Leopard, which is probably at least another couple years off.

You can’t have pizza without cheese, socks without shoes, a sandwich without bread, or a complete week without hearing about the freshest iPhone apps.

Before I present you with a hand-picked selection of the latest iPhone releases to hit the App Store, as is tradition, we’ll take a moment to review notable news and take stock of the week that was.

For iPhone supporters, the week seemed to start on somewhat of a downer as news broke that RIM’s BlackBerry Curve is the belle of the ball, surpassing the iPhone in popularity. Plus, darkening the mood a little more, it seemed that the developers gathered for our Monday App Store Roundtable were, understandably, none too pleased at the App Store’s review system.

By Tuesday, the week began to pick up with speculation that Apple may adjust their app approval policy upon the release of the iPhone 3.0 update this summer. In short, there’s a possibility that “adult-only” apps will appear in the App Store; perhaps tasteless topless images will become the new novelty fart sound maker?

Also this week,Bento, the personal database application for desktop, was released on the iPhone. David Appleyard was on hand to provide an excellent overview of the app. Although I use Evernote for collecting info on the move, users who need to go beyond lists and start making databases will find Bento to be an indispensable tool.

Midweek mirth was provided courtesy of Apple, when someone on the Cupertino campus inadvertently approved a listing for QuickPWN — the iPhone jailbreaking tool — in the official web app directory.

The other notable rumor of the week concerns a possible feature coming to new MacBooks in the future. Based on a job posting straight from Apple, it’s looking likely that the next Macbook will have integrated 3G. Although 3G may be the death knell for USB sticks touting the same functionality, on the flip-side it means less peripherals and more connectivity for Macbook-users.

Moving on to the picks, this week I’ve been looking at Offmaps, GadgetTrak, Kids vs. Zombies Lite and Battalion.

Offmaps ($2.99)
Having Maps on your iPhone is all well and good, but when you’re out and about without a data-connection, the app is essentially useless. For frequent travelers (or even iPod Touch users) Offmaps compliments Google Maps perfectly. The app allows you to download specific maps directly to the iPhone, even allowing the user to set the zoom level — useful for those looking for a high level of detail. A worthwhile companion to the embedded Maps app, and surprisingly cheap given the excellent functionality.

GadgetTrak (Free)
This seems to have been released back in August last year, and while I try to feature the latest apps, it’s occasionally worth rewinding a moment if I’ve missed something worthwhile. GadgetTrak is incredibly similar to Caught You! Both of the apps create a dummy icon on your iPhone which, in the event of your device being stolen, a thief will hopefully click. The dummy app then e-mails your iPhone’s GPS coordinates to you. Unfortunately, Caught You! seems to have gone AWOL from the App Store — I’ve checked both U.S. and UK stores, and it’s no longer available — as such, it’s worth checking out GadgetTrack as an alternative (and free) tracking tool.

Kids vs. Zombies Lite (Free)
Recommended to me by Larsonian, via the comments section of last week’s App Store Picks, I thought I should take a look at this game. In the midst of a zombie apocalypse, you take control of three kids who happen to be armed to the teeth. In terms of gameplay, it’s a coin-op-esque shooter, wrapped in gorgeous cartoony 3D graphics, with a sprinkling of the undead. Each of the characters have different attack abilities — close combat, long range and explosives — plus, you’re able to visit the Hardware Store and upgrade the weaponry for even more effective zombie devastation. Check out the free Lite version first and, if you enjoy destroying the living dead, upgrade to the full version for only two bucks.

Battalion (Free)
If you’re looking for a 3D shooter with a retro vibe, then check out Battalion. The game was originally developed for the Cave Automatic Virtual Environment, aka CAVE (I love a good recursive acronym), and found the player becoming a movie-style giant monster, literally stomping around a town and taking on the might of the military. The controls are incredibly tough to get used to, combining a mixture of tilting, tapping, double-tapping and even dragging, however, after an initial learning period, it’s good fun (and a strangely effective stress reliever). While this version is certainly not as immersive as the original virtual reality Battalion, you get to choose from one of four cute but angry B-movie monsters. Recommended for those looking for a free and fun new game.

We’re all done for the app picks this week. In keeping with our usual schedule, I’ll return next week with more news from the week and picks from the App Store.

In the meantime, what apps have you been using this week?

Security scares seem to be coming up all too frequently for Mac users these days. First, there was the devastatingly fast hacking of a Mac thanks to a Safari exploit at PWN2OWN, and now the first-known botnet to exploit OS X appears to have been activated, according to two security researchers at Symantec. If true, it means the sense of security and superiority that so many Mac users maintain over their PC-using counterparts might be coming to an end.

The botnet is a result of users having downloaded and installed pirated copies of iWork ‘09 way back around the time of its initial release. Accompanying those pirated versions was a trojan called iServices, a variant of which was also packaged with a pirated copy of Adobe Photoshop CS4. iServices remained dormant until just recently, when it was implicated in at least one Denial of Service (DoS) attack. Though the install base of the trojan is at present not large enough to pose a major threat, the researchers warn that this is likely only the beginning.

Symantec researchers suspect that software piracy will only trend upwards as the economic crisis continues, which is a very good thing for opportunistic hackers. The easiest way for them to distribute their malicious code is via pirated programs, since they aren’t QA’d or regulated in any real, consistent way. And if Macs continue to increase their presence, hackers will begin more and more to target OS X users, because it makes financial sense from their standpoint to do so.

In response to the report, network security firm McAfee, another anti-virus maker, spoke up. They claim that there’s nothing new about the iServices trojan that wasn’t already apparent and active in January, and that it represents only a low level of risk now, just as it did then. In other words, they think Symantec is blowing things out of proportion. Not that they’re saying you should just relax and pretend nothing’s wrong. Far from it.

Instead, the solution offered by both the Symantec team and McAfee is the one you’d likely suspect: install anti-virus software in order to protect your computer. And it may be the best solution, although after years of running both Windows and Mac machines without any virus protection that wasn’t built into them, and with no major issues to report at this time, I’d say that safe and intelligent browsing (i.e., don’t download risky pirated files) is still your best bet for avoiding these kinds of attacks, Mac or not.

The recent Conficker virus scare had me warning relatives to protect their PCs, while also simultaneously gloating about how lucky I am to not be affected, since I’m a Mac user. You could say it bordered on the obnoxious, and you’d be right.

But it looks like I may have to eat some humble pie now that a bug has been found in VMware Fusion that could potentially allow malicious code to be run on your Mac using a virtualized Windows machine as a conduit. Obviously, Windows is still the weak link here, but it doesn’t make your Apple machine any less vulnerable.

Luckily, the flaw was discovered by Immunity Inc. exploit researcher Kostya Kortchinsky, and not by some malicious hacker eager to steal your credit card information. The vulnerability allows the virtual machine display function to read and write code in the host operating system, including OS X. Kortchinsky demoed the flaw using a Vista machine running a guest OS of Windows XP, but said the flaw is just as easy to exploit in OS X running Fusion, though they hadn’t yet actually run live tests of such a scenario.

Not one to be caught slouching, VMware has already responded with an update to Fusion, version 2.0.4, to fix the bug and block the exploit. It’s a free update for all Fusion 2 owners.

Even if Windows is actually the conduit for the malicious code in this case, this is a good reminder that Macs are not invulnerable to attack, despite what we may sometimes think. There’s a variety of security software out there to consider, but as always, smart and safe usage is your best bet for avoiding most ills.

Until very recently, Tor was always something I heard about online but never used. I never considered myself enough of a “hardcore” geek to really pursue it, but it turned out to be much simpler to use that I thought. So for those of you that were like me consider this a crash course in Tor for the Mac.

What is Tor?

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

As its icon implies, Tor acts like an onion in the way that your online traffic is protected. If someone wanted to track your online activities while running Tor they would see only the layers and layers of relays run by volunteers worldwide. Due to the large number of relays, the original source of the traffic (you) is virtually invisible.

Although people are quick to associate Tor with illegal online activity, many other people and organizations use Tor for legitimate, and often life-saving, activities. For example, journalists in certain countries where honest reporting is punishable by prison or death can use Tor to publish their stories anonymously. According to torproject.org:

A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

Hopefully you can begin to see the advantages of having a service like Tor and the hundreds of people who volunteer their computers for relays to help protect the privacy of the rest of us. Visit the overview page of torproject.org for a great set of illustrations created by the Electronic Frontier Foundation (EFF) on how Tor works.

A Brief Warning

Having educated myself over the past few weeks on how Tor works, I should take a moment to tell you that Tor is not magic. Once you drag Tor into your Applications folder you are not suddenly protected from the world. You will need to establish some new habits and tweak your software (Firefox) in order for Tor to work correctly. Please read these warnings before you start using Tor to ensure that you have everything configured correctly. The last thing I want to see is for one of our TAB readers write a blog post critical of their government and find themselves in jail because they thought their Internet traffic was anonymous.

That being said, setting Tor up correctly is not that difficult. Is my mom going to be able to use Tor? Probably not. But my wife, who uses our Macs only for iPhoto, email and Facebook, would be able to set up and use Tor without a problem. This means if you’re savvy enough to have found this post, you have enough skills to run Tor. So, let’s talk about how to get started.

Getting Started

Visit the download page and install the latest stable version of the Tor bundle. The bundle includes Tor, Vidalia (GUI for Tor), Torbutton (Firefox extension), and Privoxy (filtering web proxy) — all pre-configured to work together.

This neat little package is why Tor is simple to use. If you had to download and install each of these pieces individually, this post would be 10x as long.

The next step is to configure your applications to work with Tor. As I mentioned above, it’s not enough to install the Tor package — you’ll have to spend an extra 5 minutes getting your applications ready. For most of you, the main application you’ll be using with Tor is your browser. Installing the Tor bundle will also install a Firefox plugin that will allow you to easily turn on/off Tor with the click of your mouse. That’s all there is to it.

You can also run other applications with Tor such as your IM client — anything that supports HTTP proxies. Simply change your proxy settings to point to localhost port 8118 and Privoxy (in your bundle) will do the rest.

Once you’ve configured your applications, visit check.torproject.org to see if Tor is installed and working properly. If for some reason it’s not working, start by making sure that Vidalia is running and that you have clicked the “Tor Disabled” button in the lower-right corner of Firefox to enable Torbutton. If Tor is still not working, then your most likely culprit is a firewall. See this FAQ for firewall configuration information and this FAQ for general tips for getting Tor to work.

If you’ve received a clean bill of health from check.torproject.org then you’re free to browse anonymously. See? That wasn’t too painful was it? However, since the network depends on volunteers to make the service stronger and more secure I recommend reading the Relay Configuration Guide and making the necessary changes to allow others to use a portion of your bandwidth to stay anonymous.

It’s a good thing we’re on friendly terms with New Zealand, because one of the residents of that green, hilly island recently acquired 60 pages of sensitive U.S. military data. Total cost of national secrets? $15. Which would’ve been great if that’s what the man who bought it was in the market for, but he was actually just looking for a working MP3 player, which Ars Technica reports the used iPod was not. Data found on the iPod included the personal information of military personnel, and details about mission briefings and deployment.

The purchaser of the used iPod, Chris Ogle, has been looking through the information, and even tried calling some of the numbers listed. Some of the calls actually connected with the correct individuals, indicating that the information is not, in fact, out of date. He also says he’s made the U.S. Department of Defense aware of the mix-up, but has yet to receive any word back from them. Maybe they’re hoping that if they stay real quiet this will all go away.

This is a fairly sensational example, but the fact is that many people don’t think about making sure their personal data is really gone from their iPod before selling it or trading it on the secondhand market through sites like eBay, Kijiji, and craigslist. Your iPod, just like a computer hard drive, contains data that can be recovered unless you go out of your way to make sure it can’t. Proper data erasure is even more important now that the iPod Touch can retrieve and store emails and other sensitive information.

If you have an older iPod that still supports disk mode, then you’ll want to use Disk Utility to completely reformat the drive, and then Restore the iPod using the latest firmware available for that model. Check out this useful tutorial describing exactly how to do that in detail for more info. You can also do a secure erase from Disk Utility, but for any of this to work you have to enable Disk mode on the device.

If you have an iPod touch, you could just do a Restore, which will wipe all your data, but to be extra safe, you may want to try formatting the iPod a couple different ways. First, go to Settings > General > Reset and choose the “Erase All Content and Settings” option. Once you’ve done that, proceed with a normal Restore when you connect the device to your computer, but set it up as a new iPod, instead of restoring from a backup.

That may still leave bits of information on your device, so here’s another method to try that involves writing over sensitive info with filler material and then erasing again, as described by Macsimum News:

1. Change passwords for all mail accounts that are synced to the iPhone or touch.
2. Make sure the device can no longer open the mail accounts.
3. Do an erase/restore of the iPhone or iPod touch, preferably using another computer or at least another account than the one the device was synced with.
4. Sync as many songs/videos of a non-compromising nature and nothing else to the newly restored device as will fit.
5. A good tool I recommend using to fill the drive up with data (songs/videos), is PhoneView. You can directly access the disk on your iPhone to totally fill it up.
6. After you have filled the drive up, do another erase/restore.
7. Repeat steps 4/5 with different content and erase/restore again. The more times you do this, the more times the data will be overwritten, thus having a less chance of recovery.

There you go, now you can make sure that if there’s a leak of sensitive information about your country’s military, it won’t have come from you.

Depending on how closely you stick to the word of the law, you may or may not be aware of the potentially dangerous trojan called “OSX.Trojan.iServices.A” unleashed on some of the Mac community last week via a pirated copy of iWork ‘09. The trojan, discovered by Mac security software company Intego, allows the distributor of the malicious software to access and modify the affected system remotely, performing actions such as adding files. Such a vulnerability is potentially fatal to an operating system.

According to Intego’s numbers, more than 20,000 people have downloaded the affected file, a number which also says something about Apple’s ability (or desire?) to curb piracy of its proprietary software. Instructions on how to rid your computer of the virus in case you are among that unlucky 20,000 can be found here, but they can’t take away your shame.

This week, another round of infections has appeared, this time targeting a different, but similar group of pirates. The victims are users who downloaded a pirated copy of Adobe’s popular photo editing program, Photoshop CS4. Again, the people responsible for finding and broadcasting the existence of the trojan are Intego. This one is aptly dubbed “OSX.Trojan.iServices.B”, and actually comes from the serial generator that packages with the Photoshop installer, and not the installer itself. The CS4 trojan presents the same risks as the iWork ‘09 version. Intego reports 5,000 downloads to date.

With two such high-profile virus detections coming so closely on each other’s heels, the question inevitably arises: Is Mac’s status as a highly secure option to Windows in danger? Clearly, Mac users are beginning to present a more attractive target to hackers, because the platform itself is becoming more popular. Not only that, but Mac users may be even more susceptible than others, since they traditionally haven’t had to worry much about malicious attacks.

No doubt the conspiracy theories that security companies cause and cure viruses will also crop up, especially with two such similar detections from the same source in such a short period of time. The reaction might be especially strong, considering how secure most Mac users believe their computers to be.

Really, as it stands, the only people at risk are those trying to pirate software, so it’s not really a case of “Is the OS less secure?”, so much as it is one of “Are Mac users security savvy?”. Pirated software distributed via Torrents has always been a high-risk area, but those running a Mac OS have had the luxury of being less guarded about those types of threats because the malicious code they contained was generally written to attack Windows machines.

The time may have come to star learning more smart surfing practices, but I think the general Mac-using populace can hold off on putting their computers on lock-down. Unless, that is, they plan on pirating like crazy, in which case, shields up.

If you have Safari, on either Windows or OS X, you could be open to malicious attacks whereby users can gain unauthorized access to files on your hard drive.

That’s according to a new tech note from developer Brian Mastenbrook, who has taken matters into his own hands while we wait for an official fix from Apple. And good thing, too, since this vulnerability is apparently nothing to sneeze at, as attackers can easily get their hands on sensitive information stored in cookies, emails, etc.

Even if you don’t use Safari as your primary browser, you could still be at risk, if you haven’t selected  a different default feed reading application. That means you, OS X users. If you’re a Windows user and you don’t use Safari as your default browser, you should be in the clear.

Here’s the fix for OS X users:

1. Open Safari and select Preferences… from the Safari menu.
2. Choose the RSS tab from the top of the Preferences window.
3. Click on the Default RSS reader pop-up and select an application other than Safari.

There’s currently no indication of when Apple will issue a fix, but they are aware of the problem, so keep an out for a Software Update coming soon.