In Brief

Automated bots crawl the Internet for spyware, and the NSA talks about securing Mac OS X installations

Webroot Unrolls Anti-Spyware Bots

How can drive-by downloads be stopped? The prevailing method is reactive: users stumble onto adware, spyware, or other malware and alert security companies, or those companies find the malware on their own. Either way, security experts release a warning and design a way around the problem.

How about turning the tables? That’s what anti-spyware vendor Webroot Software Inc., based in Boulder, Colo., is trying to do, by sending automated bots to comb Web sites for malware.

“Unlike other security research techniques which rely on ‘honeypots’ and other passive, threat-data-collection methodologies, this system is designed specifically for the active pursuit of spyware,” plus, of course, whatever else it turns up, says David Moll, the CEO of Webroot.

In a small trial run in October 2004, bots found over 20,000 sites that deploy known spyware via drive-by downloads, and even turned up new types of spyware. By next month, Webroot says it will be using 100 bots to track spyware and adware online, each bot processing about 10 URLs a second. When a bot finds spyware, it also logs the URL and relevant HTML, helping researchers better understand the malware’s origin and how it works.

“We estimate that one hour of automated research is the equivalent of 10 work-days of manual research,” notes Richard Stiennon, vice president of threat research at Webroot. All that helps the end goal of “visiting millions of sites per day and finding spyware before it reaches the computing public.”
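The active approach described above, as an added example that is not Webroot's code: a minimal scanning bot that checks page HTML against a signature list and, on a hit, records the URL and the matching HTML fragment for analysts. The signatures, hostnames and sample pages are all constructed for the example, and no network access is performed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed signatures for the example; a real bot would carry a
# vendor-maintained set. Each maps a family name to a regex over raw HTML.
SIGNATURES = {
    "hypothetical-adware-activex": re.compile(
        r'<object[^>]*codebase="[^"]*(?:adw|spyw)[^"]*\.cab"', re.I),
    "hidden-iframe-loader": re.compile(
        r'<iframe[^>]*(?:width|height)="?0"?[^>]*>', re.I),
}

@dataclass
class Hit:
    url: str      # where the match was found
    family: str   # which signature fired
    html: str     # the matching fragment, kept for later analysis

def scan_page(url: str, html: str, signatures=SIGNATURES) -> list[Hit]:
    """Return one Hit per signature that matches this page's HTML."""
    return [Hit(url, family, m.group(0))
            for family, pattern in signatures.items()
            if (m := pattern.search(html))]

def crawl(pages: dict[str, str]) -> list[Hit]:
    """Scan each url -> html pair; a real bot would fetch the URLs itself."""
    hits: list[Hit] = []
    for url, html in pages.items():
        hits.extend(scan_page(url, html))
    return hits

# Constructed sample pages standing in for fetched content (hypothetical hosts).
SAMPLE_PAGES = {
    "http://example.test/clean": "<html><body><p>Hello</p></body></html>",
    "http://example.test/drive-by": (
        '<html><body><object classid="clsid:0000-0000" '
        'codebase="http://dl.example.test/adware-installer.cab"></object>'
        '</body></html>'),
    "http://example.test/loader": (
        '<html><body><iframe src="http://x.example.test/" width="0" '
        'height="0"></iframe></body></html>'),
}

if __name__ == "__main__":
    for hit in crawl(SAMPLE_PAGES):
        print(f"{hit.url} [{hit.family}] {hit.html}")
```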

- - -

NSA Tackles Mac Security

The National Security Agency released a security configuration guide for Apple’s Macintosh operating system version 10.3.x (OS X “Panther”). The guide covers local installations of Panther and not Mac OS X Server or Mac OS X networks.

The NSA says “security configuration guides are provided for the Department of Defense and other government agencies requiring security configuration guidelines,” noting “the guides contain recommended security settings” yet aren’t a substitute for “well-structured policy or sound judgment.” In addition, the NSA isn’t endorsing OS X. “NSA does not favor or promote any specific software product or business model. Rather, NSA is promoting enhanced security.”

Based on the guide, one issue security administrators must deal with when securing Macs is password-changing policies. The guide skews toward allowing users to set their own passwords without administrative oversight. Yet “as there is currently no way in a Mac OS X standalone system of enforcing strong passwords or of forcing the user to periodically change his password, this could result in passwords on a system never being changed, and being easily guessable,” the guide notes. “This is especially true for locally-administered laptops, which will likely have little administrative oversight.”

The only way to maintain strong passwords would be through a security policy, combined with administrators restricting users’ ability to change their password. Users would have to meet with information-security personnel on a regular basis to have the password changed. As “this method is labor-intensive for the system administrator,” notes the guide, maintaining it could be onerous.

For portable OS X devices, the guide also strongly advocates the use of strong passwords, since FileVault, the Mac’s built-in hard-drive encryption software, “uses the user’s login password as a key” for its encryption.

To secure OS X, the NSA advises a fresh install. “Although secure configuration of an existing Mac OS X installation is possible, securely configuring a fresh installation is much simpler.” It also recommends not installing iTunes, iMovie, or iPhoto, as these applications have “Internet connectivity features that may introduce additional security risk.”

Finally, here’s a post-installation tip from the NSA: “Permissions on files can sometimes become set incorrectly, especially during a software installation,” so it recommends running the “fix disk permissions” process in Panther’s Disk Utility program.

Link to NSA’s Mac OS X Security Configuration Guide:
http://www.nsa.gov/snac/

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
