Californian Security Researcher Tom Ferris has found another seven security flaws in Mac OSX.

They mostly involve the handling of images and decompression of zip files.

He expects that they will be addressed in the next Apple security update.

A St Louis Post-Dispatch article on the flaws urges caution , “Avoid opening strange or unusual e-mail attachments, and beware of Web links embedded in unsolicited Web correspondence.”

As many people pointed out during the excitement of the last round of security flaws, this has been pretty sensible advice since, like, forever.security, exploits, zip files, mac osx, images, attachments, mail.app, apple mail

Two interesting links in the war against phishers and online scammers.

Metrowest Daily News carries an interview with Michael Lamont, a software engineer who has attempted to play along with 419 Nigerian scam artists (“I am an official for Nigerian Oil. I have $140 million. Give me your bank account details and you can have 10%”).

Others have done this before (see the 419 Eater and 419 Baiter web sites), but I was interested to read the statistics about victims and the estimated total financial damage, and to learn that the Nigerian Government “blames Westerners’ greed for their losses”.

Another creative response to Phishing scams (deceptive hyperlinks in emails designed to trick you into revealing financial or personal information) is covered by C|Net News.

It has published an article about RSA Cyota, a company that fights phishing by flooding the scammers’ web sites with bogus user names and passwords so that legitimate information is harder to determine. A spokesperson for RSA Cyota explains:

The technique is called dilution: We generate a list of bogus credentials and feed the Web site with false usernames, passwords and credit card numbers. The fraudster may have obtained 30 genuine credentials out of 300–we are trying to make it less worthwhile and more risky for the fraudster.

Of course, Mail provides some protection against phishing attacks, so careful users can protect themselves.

Recent research on why phishing works (PDF ) , published by Harvard Postdoctoral Fellow Rachna Dhamija, suggests that the majority of users are not careful.mail.app, apple mail, spam, phishing, security, email, fraud

The recent security flaws in Mac OS X have produced a range of responses. But in a lengthy article, IT columnist and Unix administrator John Welch sets a new high point.

It’s not enough to be (extra) careful about opening attachments in emails that you are unsure about. More drastic action is required:

If you are using Apple’s Mail, I’d consider switching to another mail program, at least temporarily. The problem with Mail is that it allows you to open a file with a single click, and there’s no warning from the application to give you a second chance to cancel that action. Neither Thunderbird nor Microsoft Entourage allow for this, so you might want to think about switching until Apple fixes that.

Oddly, later in the article he suggests: “Just take the common-sense steps that we all should be taking anyway, and you’ll be fine.”Mac osx, security, vulnerability, mail.app, apple mail, thunderbird, entourage, attachments, scripts

A tasty assortment of links on the recent security excitment, which also affects Mail.app.

Well-done

Secunia rates the Safari vulnerability as “extremely critical”, a rating the company gives when “successful exploitation does not normally require any interaction and exploits are in the wild.” Secunia is a provider of IT-security services.

Anti-virus company Intego has analysed the Leap-A (“Oompa-Loompa”) Trojan horse. After exhaustive testing, the company reported that “the best protection against this Trojan horse and its variants is Intego VirusBarrier X4″. CEO Laurent Marteau says, “it is clear that antivirus software on a Macintosh computer is as essential as wearing a seat belt in a car”.

Medium

ZDNet Australia carries an interview with Paul Ducklin, Sophos’ Asia-Pacific head of technology. ” “There is not a clear and present danger like there is with Windows but the same risks apply”, he says.

Eric Bangeman on Ars Technica thinks that “the malware may be less destructive, more difficult to find, and less prevalent than on other platforms. But it’s there, and it’s not going to go away.”

Medium-rare

At Wired, Leander Kahney is keeping his cool: “These Mac security holes are a storm in a teacup,” he says.

The Daring Fireball puts it all in perspective. John Gruber writes: “It boils down to this: you can’t safely double-click files from untrusted sources, and you never could. This is no different today on Mac OS X 10.4 than it was a decade ago on Mac OS 8 and 9.”

Stephan Schwab is also fairly relaxed: “Of course this unwanted interference is annoying and it’s far better to let the user decide when to execute something, but it’s not a security threat of any magnitude.”Trojan horse, exploits, virus, mac OS X, security, apple, safari, scripts

The Washington Post has posted a long interview with a young “hacker” who runs a “botnet” or network of hijacked PCs.

He claims that his network, a small one, consists of 13,000 computers in 20 countries and earns him on average USD 6,800 a month from the advertising companies whose adware he installs.

He tells the Washington Post: “All those people in my botnet, right, if I don’t use them, they’re just gonna eventually get caught up in someone else’s net, so it might as well be mine.” Nice.

You can also read some interviews with the botnetter’s victims.

[Via Slashdot]Internet, botnet, bots, adware, hackers, security

Worried about the security of your email? Don’t like the idea of usernames, passwords and personal emails being sent in clear text across the Internet between your computer and mail server? Read and send email in places where people might sniff you?

If your email server supports connection over SSL (sometimes called POPS and IMAPS), you can use that. Apple Mail supports SSL for both POP and IMAP accounts. (Did you know that .Mac accounts support SSL connections? I didn’t. But I tried it out just now and it is working).

If you don’t, then securing your email traffic with a SSH tunnel might be a good answer for you. There is a long and detailed tutorial on how to do this for Mail.app using SSH Tunnel Manager, a free OS X utility, on the StopDesign blog.

Even if you have no intention of doing anything like this ever, it is still an interesting read.