While I’d like to keep this a Mac-oriented site, I can’t help but chuckle at how fast technology gets cracked. Case in point: Several days ago, Microsoft launched their Windows Genuine Advantage program which ensures that only real, licensed copies of Windows can receive updates. Pirated copies of Windows will only be able to get patches up to the launch of the WGA program, but will be left behind from future updates. Not anymore.

It’s always a bad idea to tout your product as uncrackable. Doing so is nothing more than a big, blinking, neon sign attracting talented individuals to try their best to break it. I can’t think of a piece of technology yet that hasn’t been cracked in some way. Anyone? Xbox, PSP, TiVo, and software activation of all sorts have been cracked…

I take back what I said about hacking not being the best way to get rid of phishing/scam websites — it’s a great way! Why the sudden change? Here’s my experience…

Earlier today, I got a standard PayPal phishing email with the subject “Your account will be suspended!”, claiming that my account would be removed shortly if I didn’t fill in my PayPal information. This is an extremely common ploy, and PayPal reminds you never to follow through with these kinds of emails. Out of curiousity, I copied the link they so desperately wanted me to click, and pasted it into my browser. I examined it closely to make sure my email address wasn’t encoded into the URL in some way, and hit Return to load the page. While the address started out with a valid-looking domain, it was actually an eBay banner link which was modified to redirect me to a fake server further down the link (and out of view in a standard browser window). A page loaded which looked exactly like the PayPal homepage, but you can be sure it wasn’t.

Judging by the “/~test/” in the address in my browser, I could see that the scam site was located on a server under a user’s account. To see what else was there, I removed the PayPal scam directories from the address, and went to the user’s folder, and no further. I couldn’t believe what I stumbled upon.

Before my eyes was a page labeled “PHP Shell 1.7,” with a command line, execute button, and output area. Knowing full well what this was – a PHP script which executed the given instruction at the command line of the server it resided on – I typed “ls” and hit Execute Command. The contents of the user’s folder were displayed in the text field below the command, just as if I were sitting at a keyboard connected to that machine. I knew what was next. I took another look at the scam address from the email, and used the PHP Shell to change directory to the actual folder where the scam files were located. Using a simple ‘tar’ command, I gathered all the files into one, and grabbed the whole lot (for further investigation, as well as a backup…just in case). After that, I did a simple “rm -r PayPal” to delete the entire scam website. Revisiting the link in the phishing email returned a 404 Not Found. I tried to remove the single PHP Shell script itself, so other users of the site aren’t at any possible risk, however it had permissions which denied my removal attempt (otherwise, I would happily post the link to the site).

While my efforts were hardly what I’d consider hacking, if what I did helped save one person from having their information stolen by marfa_b3l34@yahoo.com (the email address to which the stolen PalPal information would be sent), I feel it was it was worth it. That’s just one phishing site among thousands, though. The real solution is to educate people about the malicious intent of scammers, and to give them the knowledge to simply ignore fraudulent emails.

“Angered by the growing number of Internet scams, online “vigilantes� have started to take justice into their own hands by hacking into suspected fraud sites and defacing them.

These hackers have targeted fake websites set up to resemble the sites of banks or financial institutions in recent weeks, and have inserted new pages or messages. Some say “Warning - This was a Scam Site,� or “This Bank Was Fraudulent and Is Now Removed.�

While I can’t say that hacking is the best way to go about shutting down phishing sites, it’s probably the quickest way to stop them from gathering unsuspecting users’ information. It’s nice to know there are some people out there willing to do something about it, even if it means breaking in. Read the rest. [via]

Yesterday, an article on Slashdot about Dashboard widgets got my attention. It has been discovered that widgets pose a possible threat to users’ systems, as they are automatically run when downloaded. A specially crafted web page can direct your browser to download a widget, and Safari’s default behavior is to decompress the .zip archive. The Finder recognizes the .wdgt extension of the newly unzipped file, and launches the widget. In most cases, this makes for a very user-friendly Dashboard experience. However, user-friendliness almost always comes at a cost. Any code contained within the widget gets run, and that’s where the threat comes in. Some code gets run on the target system without any action on the user’s part, other than loading a web page in Safari.

Widgets do have a security layer provided by Apple, and it is built into the Info.plist files within each widget. A standard widget has no access to the internet, the command-line, files outside the widget bundle, Java applets, browser plugins, or widget plugins. In short, without your permission, a widget is effectively in its own sandbox and can do nothing harmful. When a widget needs access to one or more of these resources, it asks for your permission upon launch. When you click “Accept”, the widget can do whatever it needs.

From a security-oriented point of view, I think the main problem with the widget security layer is that the would-be “attacker,” a widget with bad intentions, defines its own security limitations. Mentioned above, each widget’s security is controlled by the Info.plist file written by it’s author and stored inside the widget bundle. A better solution might be to present the user with a dialog that details what resources the widget is requesting, allowing the user to decide what the widget should be allowed to do. This problem is made worse by an overly simple security interface. Different levels of security controlled by one “Accept” button. If the widget is going to define it’s own security limitations and the user will only see one button for any or all of them, why have more than one level of security? A single “AllowFullAccess” key in the Info.plist file would suffice. Future versions of Dashboard may see a security preference where users can control the level of access they would like widgets to have. This may be a bit of a problem, though, because not all users are aware of what a widget needs to do it’s job, and they really shouldn’t have to know. A solution lies somewhere between what the user knows about the inner workings of a widget and what security allowances are necessary for the widget to function. At best, the user needs to be able to easily control what a widget can do without knowing how it works. This is the type of situation in which Apple’s wizards excel, and I look forward to an elegant yet effective solution.

So what can you do to protect yourself right now? The front line for stopping harmful widgets from automatically installing themselves is to change your Safari download settings, as Safari expands widget archives upon download. In Safari’s “General” preferences tab, uncheck “Open ‘Safe’ files after downloading.” With this unchecked, all widgets and files that download and would normally be auto-opened are simply saved to your default download location in their respective format. While you can still “infect” yourself by opening the archive and running the widget, nothing happens automatically without your permission. Turning off the opening of “safe” files may cause you to go through one more step after downloading something, but your computer’s security is worth the time it takes to switch out of Safari and examine a file before you run it.

The second thing you can do to help protect yourself is learn where widgets are stored in Mac OS X. While widgets can be run from any location via a double-click, they aren’t listed in the Widget Bar (which is activated by clicking the plus symbol in the lower-left of Dashboard). Widgets listed there are kept in the main Library folder inside the Widgets folder, at /Library/Widgets/ inside your boot drive. Optionally, widgets can be kept in separate folders for each user, under your Home folder, then following the same structure above. You can add or remove widgets from either folder, and the Widget Bar will be updated. Stephan.com, the origin of the widget security threat report, claims that “the Dashboard bar is not very good about updating when a widget is removed, but eventually it figures things out.” From my own testing, though, I find that the Widget Bar gets updated as soon as you add or remove widgets and activate it again. Alternatively, you could use Widget Manager to control all the widgets you use.

Finally, you can also learn how to stop an active widget in its tracks. By opening Activity Monitor, in the /Applications/Utilities/ folder, you can see all current processes running on your machine. If you type “dashboard” into the “Filter” search field at the top, you will filter the process list to only dashboard widgets (and whatever else may happen to have “dashboard” in its title). Using the list of widgets, you can click on one and click the red “Quit Process” button, then “Force Quit,” and that widget will be stopped, regardless of what it was doing. While not the best solution, it’s a fairly simple way to end an annoying widget that just won’t quit.

Dashboard widgets are a great addition to Mac OS X, and I would hate to see them become a source of spyware-type problems for users, but the fact remains that they are a rather large opening for such a thing to happen. Widgets allow anyone to write custom Javascript, Cocoa, or shell scripts to do almost anything they want on your computer. While most will use it to create slick-looking and useful widgets, the possiblity for creating harmful ones is there, and your best defense is being aware of the situation and acting in accordance.

Update: Several other sites commented on the widget problem:
The Unofficial Apple Weblog: The Problem With Widgets (Part 1, Part 2)
Macworld:News: Dashboard: Widget (In)Security
Macworld:News: ‘Zaptastic’ widget demonstrates Dashboard exploit
The Mac Observer: Developer Demonstrates Dashboard Exploit