This Week's Sponsor:

Kolide

Ensure that if a device isn’t secure it can’t access your apps.  It’s Device Trust for Okta.


Short URLS Suck, OS X & iOS Malware To Become More “Sophisticated” According To McAfee

McAfee Logo

McAfee Logo

When short URLs first arrived on the scene, I was rather excited at the prospect of simply using a good looking “designer” URL to vainly share links on Twitter. Short URLs provide brand reassurance: MacStories, Engadget, Gizmodo, TechCrunch, and other sites now sport custom short URLs that verify the links we share lead back to our site. However, links from Bit.ly, CloudApp cl.ly links, and Twitter’s t.co links have become nothing more than a nuisance. If I use a service like TinyGrab, I know their short URLs will most likely lead to a snapshot someone has taken of their material. With more anonymous (everything) URL shorteners, there’s no way to verify its trust without using software that allows you to preview the long URL before you click through. We’ve seen their validity ruined plenty of times on Twitter through various attacks such as the cross-site request forgery attack that amused us for a few hours earlier this year, but I’ve simply lost trust in these “brands.”

While I didn’t need McAfee to be skeptical of weird Twitter users asking me if I want a free iPad, they predict short URLs will continue to annoy the tech savvy as the computer-illiterate continue to click through short URLs to whatever tomfoolery exists on the other side. McAfee’s other big claim: OS X could be the next target for malware kiddies.

I’ve always been skeptical of Android applications. I don’t trust software developers to keep my information private, so I heavily restrict what I download. There isn’t that appearance of safety (it’s the same feeling as shopping for Windows software). Honestly, I’ve never been as skeptical on iOS because I trust most of the apps that we review here on MacStories are served to us with good intentions. If they’re Apple approved, top apps in the App Store must not be sharing our private info right? That could be a false assumption.

Threats on mobile devices have so far been few and far between, as “jailbreaking” on the iPhone and the arrival of Zeus were the primary mobile threats in 2010. With the widespread adoption of mobile devices in business environments, combined with historically fragile cellular infrastructure and slow strides toward encryption, McAfee Labs predicts that 2011 will bring a rapid escalation of attacks and threats to mobile devices, putting user and corporate data at very high risk.

Historically, the Mac OS platform has remained relatively unscathed by malicious attackers, but McAfee Labs warns that Mac-targeted malware will continue to increase in sophistication in 2011. The popularity of iPads and iPhones in business environments, combined with the lack of user understanding of proper security for these devices, will increase the risk for data and identity exposure, and will make Apple botnets and Trojans a common occurrence.

Depending on how we define security, we’ve seen apps like Pandora unwillingly send some of our private data over the airwaves. I think the biggest risk on iOS devices is whether or not you can trust mainstream companies to give you something (for free) that isn’t being sneaky in the background. On the other end of security, we’ve seen Apple scramble to patch a PDF hole that could allow an attack to compromise your system, and jailbreaking your iOS devices can open up other avenues of hurt if you’re not careful.

I think what McAfee says is valid: I’m under the impression that recent Mac owners purchased a Mac because of one of its selling points: the Mac is seemingly impervious to malware. It’s not like Mac owners purchase a system because they know about all the great software that’s available to us. We fall into a worrisome comfort-zone because we aren’t shit-riddled with attacks like Windows users are. While pirated copies of iWork are historically an avenue for Trojan shenanigans (and Apple includes very basic methods for detecting the most common perpetrators), it’s rare that we’re ever mainstream targets for attack - only a few need to be worried if they’re doing something sketchy.

Apple’s marketshare is no longer ignorable, but I’m not so certain OS X or even iOS will turn into Windows overnight, if at all. I don’t deny that people who can afford Mac hardware and software aren’t prime targets (and probably more susceptible targets) than their Windows counterparts, but I summarize my personal theories with one last quote:

Malicious content disguised as personal or legitimate emails and files to trick unsuspecting victims will increase in sophistication in 2011. “Signed” malware that imitates legitimate files will become more prevalent, and “friendly fire,” in which threats appear to come from your friends but in fact are viruses such as Koobface or VBMania, will continue to grow as an attack of choice by cybercriminals. McAfee Labs expects these attacks will go hand in hand with the increased abuse of social networks, which will eventually overtake email as a leading attack vector.

If I was someone who was writing malware, I’d skip the operating system and go straight for the heart of your most personal activities. In a way, I can target Mac and Windows users in one fell swoop. The first thing people do is open their web browser, log into Facebook, and chat with friends. It’s way too easy for me to friend you, and you’ll click on my request out of curiosity to see who I am. Could I be that old senior-high friend you sorta knew? And as soon as you accept my request, I’ll have access to everything: your birthday, your personal email, your likes, your dislikes, your favorite music, where you grew up, where you went to school, where you work, where you live, your phone number, your dog’s name, your friends’ names, and more. As soon as I have access to that, I can plug your info into a mailing list for spam, start looking at what websites you use most, and use your personal information to guess answers to security questions to get into your other accounts that way. Even on Twitter, if I follow you long enough I’ll eventually build a profile just around you. Software will further automate that process for me.

I’d say we’re relatively safe at the operating system level, and that it’s the web you should be worried about. Be skeptical of everything, be vigilant in detecting warning signs so you don’t click into anything you shouldn’t, and stay safe. McAfee’s latest report is a good overview of what criminals will be eyeballing in 2011: some other worry signs include criminals using Geolocation services to track your every move, insecure technologies on new mediums (such as TV) leaking information, and large scale politically motivated attacks against companies or government resources.

[Business Wire on McAfee Labs via TechCrunch]

Unlock More with Club MacStories

Founded in 2015, Club MacStories has delivered exclusive content every week for over six years.

In that time, members have enjoyed nearly 400 weekly and monthly newsletters packed with more of your favorite MacStories writing as well as Club-only podcasts, eBooks, discounts on apps, icons, and services. Join today, and you’ll get everything new that we publish every week, plus access to our entire archive of back issues and downloadable perks.

The Club expanded in 2021 with Club MacStories+ and Club Premier. Club MacStories+ members enjoy even more exclusive stories, a vibrant Discord community, a rotating roster of app discounts, and more. And, with Club Premier, you get everything we offer at every Club level plus an extended, ad-free version of our podcast AppStories that is delivered early each week in high-bitrate audio.

Choose the Club plan that’s right for you:

  • Club MacStories: Weekly and monthly newsletters via email and the web that are brimming with app collections, tips, automation workflows, longform writing, a Club-only podcast, periodic giveaways, and more;
  • Club MacStories+: Everything that Club MacStories offers, plus exclusive content like Federico’s Automation Academy and John’s Macintosh Desktop Experience, a powerful web app for searching and exploring over 6 years of content and creating custom RSS feeds of Club content, an active Discord community, and a rotating collection of discounts, and more;
  • Club Premier: Everything in from our other plans and AppStories+, an extended version of our flagship podcast that’s delivered early, ad-free, and in high-bitrate audio.