Apple Macintosh Hardware

What? No security response from Apple?

Re: What? No security response from Apple?

In article <party-ACD7B1.13195726022006@news-fe-01.texas.rr.com>,
Hugh Gibbons <party@myhouse.com> wrote:

> I haven't seen a security response from Apple regarding the Leap-A
> trojan.
>
> When, where and how is Apple going to respond?

It is a low risk, low circulation Trojan. Propagates through social engineering. Apple had a security advisory about that approach in 2004. Don't open files on the internet unless you are sure of the source. If a file comes from the internet check Get Info to see if there is an inconsistency between the icon and the contents (a file with a .jpg icon that isn't a .jpg is suspicious). Don't open any pictures in an iChat session (check your preferences) without asking the sender whether they really sent it.

What did you expect Apple to do as a first response? Anything they do quickly will make the Macintosh less user friendly.

--
http://www.ericlindsay.com

Re: What? No security response from Apple?

In article <NOSPAmar2005-E883FF.07385427022006@freenews.iinet.net.au>,
Eric Lindsay <NOSPAmar2005@ericlindsay.com> wrote:

> In article <party-ACD7B1.13195726022006@news-fe-01.texas.rr.com>,
> Hugh Gibbons <party@myhouse.com> wrote:
>
> > I haven't seen a security response from Apple regarding the Leap-A
> > trojan.
> >
> > When, where and how is Apple going to respond?
>
> It is a low risk, low circulation Trojan. Propagates through social
> engineering. Apple had a security advisory about that approach in 2004.
> Don't open files on the internet unless you are sure of the source. If
> a file comes from the internet check Get Info to see if there is an
> inconsistency between the icon and the contents (a file with a .jpg
> icon that isn't a .jpg is suspicious). Don't open any pictures in an
> iChat session (check your preferences) without asking the sender whether
> they really sent it.
>
> What did you expect Apple to do as a first response? Anything they do
> quickly will make the Macintosh less user friendly.

And if your system asks you for an admin password, ask yourself "Is this something that it should be doing right now?" before you enter one.

--
Quando omni flunkus moritati
Visit the Buffy Body Count at <http://homepage.mac.com/dsample/>

Re: What? No security response from Apple?

In article <NOSPAmar2005-E883FF.07385427022006@freenews.iinet.net.au>,
Eric Lindsay <NOSPAmar2005@ericlindsay.com> wrote:

> In article <party-ACD7B1.13195726022006@news-fe-01.texas.rr.com>,
> Hugh Gibbons <party@myhouse.com> wrote:
>
> > I haven't seen a security response from Apple regarding the Leap-A
> > trojan.
> >
> > When, where and how is Apple going to respond?
>
> It is a low risk, low circulation Trojan.
> Propagates through social
> engineering. Apple had a security advisory about that approach in 2004.
> Don't open files on the internet unless you are sure of the source.

Yes, I know it's low risk, but it exposes a vulnerability that can be better exploited by copycats. The fact that it requires positive action by the recipient certainly lowers the risk of spread. However, the fact that a program can masquerade as a graphic is a serious security issue. The user ends up executing a program when he thinks he is just opening a document (graphic). When you open a graphic or any other document, you assume, and it should be a valid assumption, that this will only result in running trusted code that you have installed on your computer. Code should only run with explicit approval of a system administrator.

Regarding being sure of the source, I have a story along those lines. In my job, I use a computer running Windows XP. I had asked a co-worker to get me a quote, which is a regular part of his job. Not very much later, I got an email from him titled "your quote" or something similar. I absolutely knew the source of this email, and I had excellent reason to believe it was actually what I had requested. As it turned out, it contained a worm, which infected my computer and spewed out a few hundred emails before I shut it down, and it spread all over my workgroup. The co-worker from whom I got it received it from a vendor who had requested a quote earlier that day, and he opened it for the same reason I did.

So I don't see social engineering attacks as a low risk. They can be a very high risk.

> If
> a file comes from the internet check Get Info to see if there is an
> inconsistency between the icon and the contents (a file with a .jpg
> icon that isn't a .jpg is suspicious). Don't open any pictures in an
> iChat session (check your preferences) without asking the sender whether
> they really sent it.
>
> What did you expect Apple to do as a first response?

The first step should have been to warn their userbase before it hit the press.

> Anything they do
> quickly will make the Macintosh less user friendly.

Most likely, yes. But there need not be any serious inconvenience for the user. I don't think users mind being asked for permission before running a new program. (Mac users are used to this, since every legitimate app they install requires admin permission.) The inconvenience would be mainly for developers and system designers.

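Eric's Get Info advice (a file with a .jpg icon that isn't a .jpg is suspicious) and Hugh's point that a program can masquerade as a graphic come down to one test: do the file's contents match what its name and icon suggest? The script below is an added example written for this page, not code from any post in the thread. It compares a file's extension against the leading bytes of its contents, using an assumed and deliberately short list of image and executable signatures, and builds its own constructed sample files in a temporary directory so it runs offline. One caveat it cannot remove: on Mac OS X the Finder icon can be set independently of both the extension and the contents, so a script cannot see the icon Eric is talking about; what it can see is an image-style name over non-image data, and executable data under any name, which is what it flags.

```python
"""Added example: compare a file's name with the magic bytes of its contents.

Not part of the original thread. The signature tables are assumptions and are
deliberately short; a real scanner would carry many more. The Finder icon
itself is not inspected (it can be set independently of the contents), so the
check is name-versus-bytes only.
"""
import os
import tempfile

# Extension -> (format name, accepted leading bytes). Assumed, not exhaustive.
IMAGE_MAGIC = {
    ".jpg":  ("JPEG", (b"\xff\xd8\xff",)),
    ".jpeg": ("JPEG", (b"\xff\xd8\xff",)),
    ".png":  ("PNG",  (b"\x89PNG\r\n\x1a\n",)),
    ".gif":  ("GIF",  (b"GIF87a", b"GIF89a")),
}

# Leading bytes of things that run rather than display when opened.
EXECUTABLE_MAGIC = (
    ("Mach-O 32-bit, big-endian",    b"\xfe\xed\xfa\xce"),
    ("Mach-O 32-bit, little-endian", b"\xce\xfa\xed\xfe"),
    ("Mach-O 64-bit, big-endian",    b"\xfe\xed\xfa\xcf"),
    ("Mach-O 64-bit, little-endian", b"\xcf\xfa\xed\xfe"),
    ("universal (fat) binary",       b"\xca\xfe\xba\xbe"),  # same magic as Java .class files
    ("interpreter script (#!)",      b"#!"),
)


def identify(header: bytes) -> str:
    """Name the format from the first bytes, or return 'unknown'."""
    for fmt, magics in IMAGE_MAGIC.values():
        if any(header.startswith(m) for m in magics):
            return fmt
    for desc, magic in EXECUTABLE_MAGIC:
        if header.startswith(magic):
            return "executable: " + desc
    return "unknown"


def check_file(path: str) -> dict:
    """Compare what the name claims with what the bytes say."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        header = fh.read(16)
    actual = identify(header)
    claimed = IMAGE_MAGIC[ext][0] if ext in IMAGE_MAGIC else None
    is_exec = actual.startswith("executable")
    if claimed is not None and is_exec:
        verdict = "executable-disguised-as-image"   # program wearing a picture's name
    elif claimed is not None and actual != claimed:
        verdict = "mismatch"                        # e.g. PNG bytes under a .jpg name
    elif claimed is None and is_exec:
        verdict = "executable"                      # no image name, but runs on double-click
    elif claimed is None:
        verdict = "not-an-image-name"
    else:
        verdict = "ok"
    return {"name": os.path.basename(path), "claimed": claimed,
            "actual": actual, "verdict": verdict}


def run_demo() -> dict:
    """Constructed sample files (headers only, not real malware); returns name -> result."""
    samples = {
        "picture.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG header
        "logo.png":    b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # genuine PNG header
        "odd.jpg":     b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # PNG bytes under a .jpg name
        "funny.jpg":   b"\xce\xfa\xed\xfe" + b"\x00" * 12,  # Mach-O bytes under a .jpg name
        "script.jpg":  b"#!/bin/sh\necho hello\n",            # shell script under a .jpg name
        "holiday":     b"\xce\xfa\xed\xfe" + b"\x00" * 12,  # Mach-O bytes, no extension at all
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = check_file(path)
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r["claimed"], r["actual"], r["verdict"], sep="\t")
```

Run it as a script to see one line per sample; the two files that look like pictures but hold Mach-O or script bytes come back as "executable-disguised-as-image", and the extension-less Mach-O file is reported as "executable" even though nothing about its name gives that away. Reading only the first 16 bytes keeps the check cheap enough to run over a whole download folder.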
Re: What? No security response from Apple?

In article <dsample-0BA041.17075826022006@news.giganews.com>,
Don Sample <dsample@synapse.net> wrote:

> In article <NOSPAmar2005-E883FF.07385427022006@freenews.iinet.net.au>,
> Eric Lindsay <NOSPAmar2005@ericlindsay.com> wrote:
>
> > In article <party-ACD7B1.13195726022006@news-fe-01.texas.rr.com>,
> > Hugh Gibbons <party@myhouse.com> wrote:
> >
> > > I haven't seen a security response from Apple regarding the Leap-A
> > > trojan.
> > >
> > > When, where and how is Apple going to respond?
> >
> > It is a low risk, low circulation Trojan. Propagates through social
> > engineering. Apple had a security advisory about that approach in 2004.
> > Don't open files on the internet unless you are sure of the source. If
> > a file comes from the internet check Get Info to see if there is an
> > inconsistency between the icon and the contents (a file with a .jpg
> > icon that isn't a .jpg is suspicious). Don't open any pictures in an
> > iChat session (check your preferences) without asking the sender whether
> > they really sent it.
> >
> > What did you expect Apple to do as a first response? Anything they do
> > quickly will make the Macintosh less user friendly.
>
> And if your system asks you for an admin password, ask yourself
> "Is this something that it should be doing right now?" before you enter
> one.

Media reports I have read (nothing from Apple yet) do not indicate that the system asks you when you double-click on the offending icon. Does it? If so, I would say there's no serious security issue.

Re: What? No security response from Apple?

<jes.t.er@hexduxhmp.org> wrote in message news:EO-dncQNO8gy5pHZRVn-qw@comcast.com...

> Hugh Gibbons <party@myhouse.com> wrote:
>> When, where and how is Apple going to respond?
>
> Why should they? Just don't be a dumbass about what files you open.

Microsoft got it in the neck for not jumping on that particular problem. They introduced a way to mark particular files as unsafe depending on how they entered the system (via web download, or from email, etc.), and prompt you before you open them. You can, of course, disable that warning on a per-file basis. I think that makes perfect sense. That would nip this problem, and indeed any other similar problems, in the bud.

dave

Re: What? No security response from Apple?

In article <EO-dncQNO8gy5pHZRVn-qw@comcast.com>, jes.t.er@hexduxhmp.org wrote:

> Hugh Gibbons <party@myhouse.com> wrote:
> > When, where and how is Apple going to respond?
>
> Why should they? Just don't be a dumbass about what files you open.

You must not have read the other entries in this thread. How is one to know what files are safe? History in the Microsoft world tells me that social engineering easily gets around such control strategies.