June 07, 2007

Video of Phishing In Action and How to Protect Yourself

Phishing has quickly become a multi-billion dollar industry. Criminals are "laughing all the way to the bank", and when they get there it could be your bank account they empty. Don McAllister from ScreenCastsOnline made a great movie detailing the benefits of using the [1Passwd Password Manager for Mac](http://1password.com) and how it can protect you from phishing attacks. Here's the section of the movie detailing phishing (embedded video), and here is [the full movie](http://1passwd.com/home/show_movie).

May 23, 2007

The End of Spam and Phishing?

We've all seen the explosion in spam email, phishing emails trying to steal our identity, and other spoofs used to trick us. In fact, just last week [Engadget](http://www.engadget.com/) falsely reported on the [iPhone being delayed](http://www.engadget.com/2007/05/16/iphone-delayed-until-october-leopard-delayed-again-until-januar/) because of a fake email that *appeared* to originate from Apple. The root cause of all these problems is the fact that current email systems have no method of verifying where messages come from. This appears to be about to change. A proposed standard has recently been approved: [DomainKeys Identified Mail (DKIM)](http://dkim.org). DKIM is an inelegant name for something that is actually pretty cool. When sending emails, companies will need to sign each message so that the receiver can verify that the message is legitimate. Any email with an invalid signature can be flagged in your inbox or silently deleted before even reaching you. I doubt DKIM by itself will be able to stop spam from reaching your inbox, but it should be very effective against phishing and other spoofing emails. Inventor Mark Delany describes this as [One small step for email, one giant leap for Internet safety](http://yodel.yahoo.com/2007/05/22/one-small-step-for-email-one-giant-leap-for-internet-safety/). Mark mentions that this technology took **3 years** to become a *proposed* standard, so I wouldn't expect your inbox to be cleaner anytime soon. Hopefully by 2010 we'll have this all sorted out.

March 15, 2007

1Passwd Password Manager on TUAW Podcast

David Chartier featured the 1Passwd Password Manager in this week's The Unofficial Apple Weblog podcast.

(Image: 1Passwd podcast)

See the TUAW post to watch the full movie.

I've mentioned 1Passwd before here on Mac Security Book because of its anti-phishing and anti-keylogger features. It's great to see others taking notice. In fact, even MacWorld mentioned 1Passwd and its anti-phishing benefits in the April issue.

January 17, 2007

Firefox Password Manager Flaw Affects Safari's AutoFill Too

Slashdot had a very interesting article about the flaw in Firefox's Password Manager that can allow criminals to steal your user id and password simply by having you view a web page. The exploit works because Firefox automatically fills login forms with your user id and password without your knowledge. This allows an attacker to craft a web page that contains a login form which **doesn't appear on the page**. Since you can't see the form, you don't realize that Firefox filled it, and you unknowingly submit your user id and password to the criminal. There is a [proof-of-concept](http://www.info-svc.com/news/11-21-2006/rcsr1/) to show you how easy it is to have your password stolen. If you use Safari and its AutoFill feature, you will find that Safari does not divulge your password on the proof-of-concept page. This is because Safari is smarter and doesn't automatically fill forms that are hidden. You might be tempted to feel safe when using Safari, but you would be making a grave error.

Try this Safari AutoFill scam and see for yourself.

Continue reading "Firefox Password Manager Flaw Affects Safari's AutoFill Too" »

December 18, 2006

Avoiding Secret Questions For Password Reset

NetworkWorld had an interesting article about how [Secret questions are not foolproof](http://www.networkworld.com/newsletters/dir/2006/1211id1.html). We've all seen these websites that ask for your mother's maiden name, or some other supposedly secret piece of information, in order to "verify" your identity. I'm surprised websites even employ this idea anymore given how easy it is to find this information. I never fill in these questions honestly; I used to randomly whack the keyboard, or use a password generator. If you have a [good automatic form filler](http://1passwd.com), however, you can configure it to fill in these questions and answers for you with random data:

(Screenshot: using generated passwords for secret questions and answers)

Of course those aren't my actual questions and answers, so don't go trying them anywhere :)

November 16, 2006

TidBITS Taking Control of Passwords eBook

TidBITS released a new book in their Take Control series: Take Control of Passwords in Mac OS X, written by Mac veteran Joe Kissell. I contacted Joe way back in the summer asking him for his feedback on 1Passwd 1.0, and asked if he would be interested in reviewing 1Passwd on TidBITS. I was ecstatic when he said he had already heard of 1Passwd and planned on including it in his upcoming book. Take Control of Passwords covers the entire spectrum of password management on Mac OS X. It includes a chapter about third-party Mac password managers and a discount coupon for 1Passwd.

Continue reading "TidBITS Taking Control of Passwords eBook" »

November 04, 2006

Default Password Attacks Are Still Effective?

I always chuckle when I read articles that mention you should change the default admin password on your wireless router. Of course you should change this password; if you decide to keep the default password you might as well hire Officer Barbrady to protect your city. Even if you decide to run a completely open network, you should at least secure the admin password so nobody can (easily) sabotage your network for others.

Continue reading "Default Password Attacks Are Still Effective?" »

October 31, 2006

Mac Password Managers

There are so many options available to Mac users when looking for a password manager. It can be confusing to know which is the best one for you. To figure this out, you need to know what you want the password manager to do for you. I just completed the Mac Password Manager website, where I discuss the various password manager applications available on Mac OS X and highlight their strengths and weaknesses. Most password managers are designed and sold with the promise of improving your security. Sadly only a few password managers can make you more secure while also saving you time.

October 25, 2006

Protecting You and Your Mac From Phishing

Constantly working to stay ahead of criminals is like a game of "Spy vs. Spy". If you don't have fun playing the game, you can start feeling defeated and stop reinforcing your defenses. Once this happens, you start playing Russian roulette with your online information. I had a lot of fun writing the [Mac Keylogger Protection](http://mackeyloggerprotection.com) website that went online last week. The site aims to talk about a poorly understood problem in a fun and entertaining way, while at the same time providing real defenses against keyloggers. In that same vein, [Mac Phishing Protection](http://macphishingprotection.com) discusses the phishing dilemma that is plaguing most web users today. Mac Phishing Protection aims to educate everyone about how to protect themselves against phishing while trying not to bore them into a trance. It's not easy making security topics fun, but I did my best by adding Lego criminals, Stephen Colbert references, and even a picture of what we'd all like to do to a phisher if we saw one in person!

October 22, 2006

Mac Keyloggers In-depth

Last month I discussed that [keyloggers on Mac](http://macsecuritybook.com/2006/09/mac_keyloggers_alive_and_well.html) are a real threat that should be taken seriously. There are many measures you can take to protect yourself, but education about the existence of keyloggers is the first step. The Mac Security Book has sections that discuss each of the defenses available against keyloggers, but I decided that this knowledge was important enough to set up a website dedicated to [protecting your Mac from keyloggers](http://mackeyloggerprotection.com). Check out the site and let me know what you think. Eventually there will be a feedback section on the website itself, but until then feel free to comment on this post.