MacInTouch Reader Reports

Security: Experiences


Jul. 25, 2015

item.213640

Joe Gurman

But note that the mywot.com rating page for botcrawl states,

"WOT has detected unusual behavior on the scorecard and new rating has been disabled."

It's not unheard of for malware makers to spam ratings sites to make their accusers appear to be the criminals.

The bottom line is probably that people who don't know the software intimately before purchasing probably should stick to the App Store or something like it.

item.213609

Al Varnell

Joe Gurman recommended a botcrawl.com site for information about SmileBox. That site has a poor reputation with many users, according to WOT:

https://www.mywot.com/en/scorecard/botcrawl.com

compared to that of 2-spyware.com

https://www.mywot.com/en/scorecard/2-spyware.com

Jul. 27, 2015

item.213681

Stephen Boyle

Just wanted to share something that my co-workers and I found out regarding the CalDigit Thunderbolt RAID Utility that we see as a major security issue.

We noticed that on a couple servers that when in Terminal it would not prompt for a password when using sudo. Going through the motions of figuring out why that would be we traced it down to an added line in the /etc/sudoers file that was put in by the CalDigit installer:

%wheel ALL=(ALL) NOPASSWD: ALL

This line effectively allows all users in the "wheel" group to run all commands without requiring a password. In addition to this the CalDigit installer added the currently logged in admin user to the wheel group:

/Local/Default/Groups read wheel
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
GroupMembership: root admin

When contacted about the security issue this is the response that was received:

Hi Stephen,

Thank you so much for pointing that out to us. We actually have a beta version of RAID utility that would ask for password when processing sudo

http://www.caldigit.com/support/T4/CalDigit_TB_RAID_utility_10_9_X_1.0.22__withAdminPriviledge.pkg.zip

If you want, you can give it a try, or you can just do the way you are doing now - to disable the line and type in the password when needed.

Please let us know if you have any questions or feedback toward this issue.

Best Regards,

-Leslie

Although we have not tried a fresh install of the utility afterwards, the install of it over the current version does not undo the original changes it made.

Just thought I would share. Thanks.

item.213663

MacInTouch Reader

I had a recent battle with OSX Crisis, a Hacking Team creation.

I've found Kaspersky to be the most aggressive/effective anti-malware suite - but for performance reasons I've switched to ESET.

Webroot seems pretty good on zero-day stuff on PC - I tried it on Mac but couldn't judge whether it was worth it or not.

Nothing gets rid of Crisis, short of replacing your drive and having the Apple Store put the system on. And start fresh. Don't touch your old files. And even that's not a sure thing. It's truly diabolical. It can definitely get into the boot loaders, so using the recovery partition is futile.

[For what it's worth, I found the links below while troubleshooting some difficult problems today. -Ric Ford]

item.213697

David Grant

[Re. OSX Crisis, a Hacking Team creation...]

Pretty scary stuff. Unfortunately my skill level isn't up to checking my Mac using the tools linked to. Can anyone point me to one that doesn't require as much pre-knowledge?

Thanks

item.213696

David Charlap

Stephen Boyle wrote:

... an added line in the /etc/sudoers file that was put in by the CalDigit installer:

%wheel ALL=(ALL) NOPASSWD: ALL

...

I really hate it when software companies take such a slipshod approach with their installers. While removing sudo password from a trusted-account group (like "wheel" or Apple's "admin" group) is convenient and reasonable for some installations (especially where normal day-to-day work isn't done by users in those groups), it is completely unreasonable for a software product to make such a decision for your system without even notifying you that such a change was made.

If their app must run as root for some reason, then let sudo ask for the password.

If there is a reason why asking for a password might be bad (e.g. maybe it needs to run from a script), then you can add a less-insecure line into /etc/sudoers. For example, a line like:

%wheel ALL = NOPASSWD: /usr/local/bin/myAppService

would allow users in the "wheel" group to run /usr/local/bin/myAppService without a password, but without changing the password-requirement status of any other command. This way any potential security issues created by the line would be limited to those in myAppService. There would be no concern about a wheel user running something else as root without a password.
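The two posts above describe the dangerous line the CalDigit installer added and the narrower form David Charlap suggests. As an added illustration for this thread (not CalDigit's, Apple's, or any poster's code), here is a small POSIX shell audit that reports blanket "NOPASSWD: ALL" grants in a sudoers file while ignoring commented-out entries and per-command grants such as the myAppService line. The sample sudoers it runs against is constructed from the entries quoted in the thread; the loop over /etc/sudoers and /etc/sudoers.d is what you would run on a live Mac as root.

```shell
#!/bin/sh
# Audit sudoers files for blanket passwordless grants such as
#   %wheel ALL=(ALL) NOPASSWD: ALL
# Added example for this thread; not CalDigit's, Apple's, or any poster's code.

# Drop comments and blank lines so commented-out entries are not reported.
# "#include"/"#includedir" directives also begin with '#'; they never carry
# NOPASSWD themselves, so discarding them here loses nothing.
active_sudoers_entries() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Print the entries that grant "NOPASSWD: ALL" (any command, no password).
# A narrow grant like "NOPASSWD: /usr/local/bin/myAppService" is deliberately
# not reported: ALL must appear as the command itself, not as part of a path.
nopasswd_all_entries() {
    active_sudoers_entries "$1" \
      | grep -E 'NOPASSWD:[[:space:]]*ALL([^[:alnum:]_/.]|$)' || true
}

# Number of such entries in the file (prints 0 when it is clean).
count_nopasswd_all() {
    nopasswd_all_entries "$1" | grep -c . || true
}

# Members of the wheel group via Directory Services (macOS only); the
# installer in the post above silently added the admin user here.
wheel_members() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not available"; return 1; }
    dscl . -read /Groups/wheel GroupMembership
}

# Constructed sample sudoers, modelled on the entries quoted in this thread.
SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults        env_reset
root            ALL=(ALL) ALL
%admin          ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL    (commented out: must not be reported)
%wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL = NOPASSWD: /usr/local/bin/myAppService
#includedir /private/etc/sudoers.d
EOF

echo "Blanket NOPASSWD grants in sample file:"
nopasswd_all_entries "$SAMPLE_SUDOERS"
echo "count: $(count_nopasswd_all "$SAMPLE_SUDOERS")"

# On a real Mac run this as root so the files are readable: sudo sh audit_sudoers.sh
for f in /etc/sudoers /etc/sudoers.d/*; do
    [ -r "$f" ] || continue
    n=$(count_nopasswd_all "$f")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n blanket NOPASSWD grant(s) in $f"
        nopasswd_all_entries "$f"
    fi
done
```

If the audit flags a line, remove or narrow it with visudo (never with a plain editor), then confirm the result parses with "visudo -c -f /etc/sudoers", and check "dscl . -read /Groups/wheel GroupMembership" for accounts that should not be there.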

Jul. 28, 2015

item.213716

Jim Oase

While browsing just after installing OS X 10.10.4 Combo, a page popped up that said Flash Player needed to be updated... then downloaded a file adobe_flashplayer_e2c7b.dmg.

Please beware this file looks good but did not follow OS X procedures. When cancel is pressed a series of products are popped up, apparently for installation, with each click on Cancel until the last item being something about CleanMac.

Trying to contact Adobe for confirmation of this update turns out to be an impossible process or extremely well hidden. So I have no idea of what Adobe says.

Jul. 29, 2015

item.213814

Andy Law

If Robert is asking for help in removing the Flash Player from his system then he should head to the Adobe help page for that purpose...

https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html

I don't have Flash on either of my main machines now and I've not missed it at all. If there is a video that I need/want to watch, usually setting the browser User Agent string to pretend I'm using an iPad is sufficient to get things playing.

item.213766

Colleen Thompson

Jim Oase was confronted with

... a page popped up that said Flash Player needed to be updated... then downloaded a file adobe_flashplayer_e2c7b.dmg.

Please beware this file looks good but did not follow OS X procedures. When cancel is pressed a series of products are popped up, apparently for installation, with each click on Cancel until the last item being something about CleanMac.

Trying to contact Adobe for confirmation of this update turns out to be an impossible process or extremely well hidden. So I have no idea of what Adobe says.

I suspect Adobe would tell you it's a fake, because it certainly sounds like one. I would never install Flash (assuming I wanted to install Flash at all) from a popup; I would not install anything from a popup. Rather, go to Adobe.com, find the current hiding place for the link to install Flash Player, and download it from there. Alternatively, if you already have Flash installed, there should be a System Preference pane for it which includes an Update panel.

item.213769

David Charlap

Jim Oase wrote:

While browsing just after installing OS X 10.10.4 Combo, a page popped up that said Flash Player needed to be updated... then downloaded a file adobe_flashplayer_e2c7b.dmg.

If you're ever in doubt, refuse the installation, then go download an installer from the publisher's own site.

For Adobe Flash, the official download page is

https://get.adobe.com/flashplayer/

If you download from here, the installer (for Safari and Firefox) is named "install_flash_player_osx.dmg".

Since the name you got is different, I would assume it's a piece of malware. Delete it. Then go and install some ad-blocking software to try and stop the infection vector (stuff like this often arrives via ads. The companies serving ads are not very good at preventing advertisers from distributing malware.)

Block ads from all sites except for those that you specifically want to support (like MacInTouch.) I use AdBlock Plus (adblockplus.org) for the systems I manage.

item.213782

Robert Sorrels

I have increasingly encountered these fake "Update Flash" pages. In some cases it will spawn as many as 3-4 different pages insisting that Safari is not up to date and is in danger. Since I know for a fact that Flash updates only come via Adobe's Flash manager, I kill them as quick as possible. Note that these are often reputable sites; in fact, the most recent had a retrospective of one of Brazil's greatest photographers. I'm not sure if the web site owners don't know, if they are co-conspirators, or just what is going on.

More to the point, there is no doubt that Adobe Flash is the most successful malware in computer history. I keep looking for a way out of it, but so far everything I've tried has cut me off from information I need. Has anyone managed to cut Adobe's shackles?

item.213795

Bill DeFelice

An Apple Consultant found this out back in February so it's been in the wild for some time. He documented it in his blog:

Be careful where you step

The other day I typed whitepages.com into my Safari browser. I was greeted with a notification that my Adobe Flash Player is out of date and that I should download the latest version.

Something didn't feel right. The icon accompanying the notice looked like a white LEGO brick with a sad smiley face. Would Adobe or Apple use that icon? Why wasn't it the red Adobe Flash Player icon? So I looked at the web page address and it wasn't what I had typed. I must have made a typo and I was redirected to a page I had never seen before. I realized I was being scammed. I had two choices... click on a Download Flash button or an OK button. Well, I didn't want to download anything from this page so I clicked on the OK button.

I should have quit Safari because something downloaded even though I thought I was dismissing the message. I checked my Downloads folder and sure enough, there was a downloaded file named adobe_flashplayer_e2c7b_Setup.dmg. Needless to say I trashed it immediately.

Jul. 30, 2015

item.213839

Wynn Pickelsimer

The Adobe Flash Trojan horse just popped up on my Mac Pro running 10.6. I recognized the name from the previous post and tried to do a force quit. I think my Avast antivirus caught it before I could react though. Avast alerted me that it had stopped an attempted infection. I checked my download folder and could not find the file. Anyway, I was on Ancestry.com at the time and this agent just appeared out of nowhere! I guess Mac users do need to be more cautious about malware and viruses in the wild.

Jul. 31, 2015

item.213876

Tom G

I sent my dad a warning about the drive-by Adobe Flash Trojan. Unfortunately I was a day late: he got the pop-up yesterday and tried installing it on Yosemite.

He said something messed up during the attempted install and he got suspicious and stopped it. In doing a search, the malware package edits the hosts file to point to fake Google search sites in the Netherlands and also installs a pop-up ad server. I had him run Etrecheck and also check the hosts file and both are clean, so it looks like he dodged a bullet.

As an aside, I basically serve as customer support for two sets of non-computer-savvy parents. For the record (and even considering this recent issue) the smartest thing I ever did was get them both to switch from Windows to Macs. If you think this stuff is bad on the Mac side, the Windows side is an absolute freakin' nightmare of pain and woe. It's so much easier to keep a Mac clean, or to clean it when issues pop up.

I've had positive experiences with the new Malwarebytes Anti-Malware for Mac. This was previously under a different name, I forget what it was before they bought it. But it still works well.

item.213907

Victor Leuci

David Charlap
...
For Adobe Flash, the official download page is

https://get.adobe.com/flashplayer/

Two other ways to update:

1. If you save the dmg file, you can reopen it and it will update you to the latest version (you will need to download a dmg file every time the first number changes, e.g. when 17.xxx moved to 18 I had to download a new dmg).

2. If using Firefox, go to add-ons, then click on the link to check if add-ons are up to date, then click on the link provided -- it will take you to the URL David provided. Firefox will provide links for all your add-ons, not just Flash.

Oct. 2, 2015

item.217007

MacInTouch Reader

I'm the victim of a recent and extensive data breach involving a Los Angeles-based health care provider. The hacked company's solution was–as is effectively always the case–to contract with a third party monitoring company which provides free "protection" for a limited time.

I've been through 2 attacks since this breach. The latest involved a counterfeit ID and an attempt to access my savings account at a distant bank branch. Only the suspicions of an alert teller prevented a sizable withdrawal.

Per the specific instructions of the monitoring firm, I reported the attempt immediately and included an assigned police officer's name along with the incident file number. My phone message... that's right, the company was closed at 7PM PDT... wasn't returned for 8 days. The representative suggested I change all account numbers and their related passwords and PINs. A simple and logical action that I had actually performed in person at a local bank branch the morning after the attack. (Thanks for nothing).

I've diligently generated specific passwords for each online account, regardless of whether it's financial, email, retail or social. These passwords are changed every 6 months. I'm using 2-tier security wherever available.

None of these elaborate measures mean a damn thing if the corporations do little or nothing to protect their own data infrastructures and assets. Their first concern is public relations, always accompanied with broad statements of concern; reinvigorated measures designed to prevent future attacks; and comforting affiliations with monitoring companies, I'm fairly certain, provide... well, nothing.

Oct. 21, 2015

item.218145

MacInTouch Reader

Today Norton Antivirus vulnerability protection blocked "OS Attack: GNU Bash CVE-2014-6271".

I looked up the attacking IP, and it resolves to Trustwave, an internet security company in Chicago. I was not visiting their Web site, and it's interesting they would do that.

Nov. 3, 2015

item.218829

Steve Dagley

MacUpdate appears to be serving up Adware laced installers (from the Malwarebytes Blog):

Has MacUpdate fallen to the adware plague?

As mentioned in the comments of the linked article, Skype downloaded from MacUpdate now comes down clean, but they are still bundling the adware installer with other apps – 1Password, VueScan, and BetterTouchTool are ones I just encountered. That the Skype install that got the initial attention has been reverted to a clean download while others remain tainted does not speak well for the intentions of the people running MacUpdate.

item.218841

MacInTouch Reader

In the past few years I regularly downloaded software updates from macupdate.com. Today I have downloaded a new version (3.1) of the great freeware uninstall utility AppCleaner from MacUpdate. To my surprise ClamXav was instantly triggered and warned of a contaminated download. I warned other users on MacUpdate, together with a second user who experienced the same thing - but our comments were removed within minutes.

I also contacted MacUpdate support and got the following answer from an employee called Ryan:

"I apologize for the trouble. The AppCleaner download doesn't contain Malware, instead it uses a new Installer that we're testing."

The installer from the developer's website didn't interfere with ClamXav. It looks like MacUpdate is using a modified installer that tried to install additional software on my system. I asked this question to MacUpdate support but didn't get an answer so far.

Nov. 4, 2015

item.218863

MacInTouch Reader

I've not used MacUpdate since they insisted on using their app for updating, along with some annoying email spam about bundles (I've tried to unsubscribe, with no luck, so I spam filter it).

This subject annoys me that they would roll their own installer with some undisclosed "feature" that trips ClamXAV. Best to just find the app's dev site and get it direct.

BTW, MU discussions/comments section reads like some extortionist dev platform (people aren't giving honest reviews, are too critical or require some moderation, or criticize the app dev). It has gotten bloated, over-saturated with ads and skewed star reviews.

item.218877

Jeff Schaffer

A couple of readers posted comments about MacUpdate installers carrying stowaway code and potentially malware. I've been using MacUpdate regularly to keep my work and personal machines up to date. This information is alarming! Although my work machine has Symantec Endpoint protection installed, which hasn't reported anything alarming, my personal machine does not.

What's the best way to determine whether anything unpleasant has been installed on my Mac? For the future, it seems not renewing my MacUpdate subscription is a good start!

item.218878

Jeremy G

In reply to a "MacInTouch reader" re. MacUpdate downloads, I had a similar experience trying to download a new version of VueScan from that site -- my virus alert went off and the download was stopped.

I thought that the VueScan author, Ed Hamrick, would want to know, and he told me that I should download the software from his site, inasmuch as he does not control third-party sites. I followed his advice successfully, with no drama.

I've also recently noticed MacUpdate preventing me from downloading some software because part of the "redirection" was to tracking sites or other such that I have generally blocked (none having to do with the salient software or the software company).

'Twere a great shame should MacUpdate not quickly address its problems. I have long used MacUpdate as a "trustworthy" site, but I'd have no use for it at all as a potential malware server.

item.218893

Al Varnell

There's an update to the MalwareBytes article on this. If you are a paid subscriber to MacUpdate and are logged in at the time, you will not get the installer version that contains adware. As a currently paid member, I have never been able to download an installer, but I will not renew next year if this keeps up.

item.218903

Steve Dagley

In response to Jeff Schaffer's question on how to determine if you got anything unpleasant installed via MacUpdate, the modified installers I encountered are all showing as 1.8MB on disk (the actual byte count differs) regardless of the size of the intended download (8.1MB for VueScan 9.5.28, 8.4MB for BetterTouchTool 1.36, and 38.1MB for 1Password 5.4.1).

They are also named in the form "appname Installer.dmg" rather than the name format used by the app developer (e.g. "1Password Installer.dmg" instead of "1Password-5.4.1.zip", "VueScan Installer.dmg" instead of "vuex6495.dmg" )

item.218909

Steve Dagley

Apparently the installer wrapper "feature" on MacUpdate doesn't happen if you're a paid member and logged in to your account. Here's the full update from the Malwarebytes Blog entry on this issue:

Update (Nov. 3, 2015): It turns out that this is now a “feature” of MacUpdate. If you are a paid member of MacUpdate and are logged in, you won’t see the adware installers. If you are not logged in, you will see them. This is evidently configurable in the profile preferences on a paid MacUpdate account, though not having such an account, I can’t provide specifics.

I’ve also been told that the MacUpdate Desktop app will download the real app rather than the adware installer, though I’m unclear as to whether that only applies to a paid copy of MacUpdate Desktop.

item.218932

Bill DeFelice

I'm not a paid member of MacUpdate but have purchased several offered software bundles, as recent as a month ago.

In regards to updates: I've found instead of clicking over the rating stars to download an update I'll control-click on the name of the listed app to bring that page into a new window and then click on the download link shown on that page. In my experience it usually provides an installer as provided by the developer/author and not the one requiring the MacUpdate app. I'll often build or re-build clean images and I strongly prefer using the upgrades/updates as provided by the developers.

If MU ever requires the use of their app to download updates I know that would mark the end of my use of their site. As others have mentioned, the reviews are borderline useful as it sometimes seems as polluted as some of those restaurant review sites. I prefer to ask my colleagues and other users about software instead when I don't have access to MacInTouch.

Nov. 5, 2015

item.218979

Frederic Puhan

This morning I walked into my home office to discover, to my horror, that someone was remotely controlling my Mac! I enable screen sharing so that I can do so when I'm away from the office, but I've never given away my credentials to someone else.

I watched for a brief minute in disbelief, and then instinctively clicked on the screen sharing icon in the menu bar and disconnected the remote user. I should have written down the IP address, but I was reacting, not thinking. Later, I opened the /var/log/system.log and scanned for an IP address that began with 197 -- and found it! A whois query led me to a dead end, but an IP lookup by geo location suggested the originator was from Egypt!

Apparently my machine is a target -- either by bots or by a network of intruders. Here are the latest entries from system.log I just pulled:

Nov 5 11:04:38 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 46.237.234.230 :: Type: VNC DES
Nov 5 11:05:14 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 64.61.162.180 :: Type: VNC DES
Nov 5 11:05:38 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 188.25.0.88 :: Type: VNC DES
Nov 5 11:05:45 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.237.160.73 :: Type: VNC DES
Nov 5 11:05:53 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 190.33.142.170 :: Type: VNC DES
Nov 5 11:05:53 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 58.137.42.55 :: Type: VNC DES
Nov 5 11:07:38 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.237.160.73 :: Type: VNC DES
Nov 5 11:07:44 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 190.33.142.170 :: Type: VNC DES

So, I have hardened my password security, and will be looking potentially for a VPN solution I can run on a non-server Macintosh.

This is a word of warning and caution to all who enable screen sharing in their Macs...
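The log excerpt above shows eight failed "VNC DES" authentications from six addresses in about three minutes, which is what a password-guessing run against an Internet-exposed Screen Sharing port looks like. As an added example for this thread (not Apple's code and not from the post), the POSIX shell script below extracts the failing viewer addresses from system.log, counts failures per address, and lists the repeat offenders, which is the first thing to do before deciding whether to block addresses or, better, stop exposing the service. The sample log it reads is the eight lines quoted above, written to a temp file.

```shell
#!/bin/sh
# Summarise failed Screen Sharing (VNC) logins in system.log by source address,
# to spot password guessing like the run quoted above.
# Added example for this thread; not Apple's code and not from the post.

# Print "count address" for each viewer address that failed screensharingd
# authentication, most frequent first. The address class also admits IPv6.
failed_vnc_by_addr() {
    grep 'screensharingd\[[0-9]*\]: Authentication: FAILED' "$1" \
      | sed -n 's/.*Viewer Address: \([0-9A-Fa-f.:]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Addresses with at least N failures (default 2), one per line: candidates for
# a router or pf block rule, or evidence the port should not be reachable at all.
repeat_offenders() {
    failed_vnc_by_addr "$1" | awk -v n="${2:-2}" '$1 >= n { print $2 }'
}

# Sample log: the eight lines quoted in the post above.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 5 11:04:38 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 46.237.234.230 :: Type: VNC DES
Nov 5 11:05:14 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 64.61.162.180 :: Type: VNC DES
Nov 5 11:05:38 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 188.25.0.88 :: Type: VNC DES
Nov 5 11:05:45 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.237.160.73 :: Type: VNC DES
Nov 5 11:05:53 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 190.33.142.170 :: Type: VNC DES
Nov 5 11:05:53 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 58.137.42.55 :: Type: VNC DES
Nov 5 11:07:38 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.237.160.73 :: Type: VNC DES
Nov 5 11:07:44 Xman.local screensharingd[2639]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 190.33.142.170 :: Type: VNC DES
EOF

echo "Failed VNC logins by address:"
failed_vnc_by_addr "$SAMPLE_LOG"
echo "Addresses with 2 or more failures:"
repeat_offenders "$SAMPLE_LOG" 2

# On OS X 10.10 read /var/log/system.log directly; on 10.12 and later the same
# records come from the unified log:
#   log show --predicate 'process == "screensharingd"' --last 1d
```

"Type: VNC DES" identifies the legacy VNC password exchange, a DES challenge-response that uses at most eight characters of the password, so a strong login password does not help once that option is on; the counts from this script are the evidence to bring to the decision to turn it off and reach the Mac only over a VPN.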

item.218954

Gary Kellogg

I have been a MacUpdate subscriber for a long time and trusted them to the extent that I use MacUpdate Desktop to track and download app updates. The posts here definitely called that all into question, so I wrote them a letter outlining my concerns and here is what was sent back:

Hi Gary,

This is a new way we're approaching a select few of our apps by adding special offers to the downloads. This process is still in its testing phases and is subject to change. Thank you for the feedback as it helps us out a lot. I do want to mention that this is in only 24 of our 40,000 apps. We are bundling additional offers into the downloads for those select few, not adware or malware as others believe. In fact, most of the stuff we offer are other apps that we sell on our website. It is not adware or malware as others are making it out to be.

If you're a paid member at MacUpdate, you can go to the Preferences tab of your profile and deselect the "Show Banner Ads," then click "Apply All Changes." This will turn off the banner ads that are on our website, as well as the special offers that appear in a few of our downloads. The download links only show you offers and nothing is installed without your permission. You're able to decline the offers if you do not wish to have them.

If you're a user of MacUpdate Desktop, you can perform one-click installs, which eliminates the special offers. If you're not a member of MacUpdate Desktop you can learn more about it and become one here: http://www.macupdate.com/desktop

Please let us know if you have any further questions.

Cheers,

[name withheld by Gary]
Content/Support
MacUpdate

It so happens that I renewed just prior to this latest flap so I guess I can check some settings and rock on for awhile.

On another related note MacUpdate carries apps such as uTorrent which have been free for years but which recently began to deliver adware payloads on their own. This will almost certainly lead to confounding and conflating MacUpdate's new initiatives to MacUpdate's detriment.

In my view, MacUpdate's approach of parsing their language regarding what they are describing as a "testing phase" will fall on deaf ears. If they take that path, then users such as myself, who valued them for their unpolluted curation of updates, will abandon them straightaway on the theory that, "It's better to throw out the whole batch of pepper than to try and pick out the pieces of fly s**t." If a continued "clean" MacUpdate is not financially viable, then users need to look for updates from within apps etc. I suppose.

item.218958

Samuel Herschbein

Years ago MacUpdate was so good it put VersionTracker out to pasture. It was easy to keep my clients and myself updated. I was a happy camper, I gladly paid.

I stopped paying when I stopped getting my money's worth. Their updated Desktop app caused more problems than it solved. Their website required more clicks to navigate than in the past. Download links 404ed far too often and were not quickly fixed.

I read MacUpdate's RSS only to let me know apps have been updated. Now that MacUpdate is installing adware, I won't download from their site. I'll either click the link to go to the developer's site or use my bookmarks.

It's sad that a once great resource is making themselves irrelevant through bad decisions and sloppy work.

Nov. 6, 2015

item.219016

Todd Miller

Frederic Puhan wrote:

This morning I walked into my home office to discover, to my horror, that someone was remotely controlling my Mac! I enable screen sharing so that I can do so when I'm away from the office, but I've never given away my credentials to someone else. I watched for a brief minute in disbelief...

By the look of your logs, VNC was turned on in your Sharing/Computer Settings tab. Don't do that. Keep VNC off. You can always log in to your Mac with just remote access. Also, make sure you have a strong password, as it clearly shows you were subject to a dictionary attack.

Or, turn off sharing completely and get something like TeamViewer.....

item.219049

Stephen Hart

Todd Miller wrote:

"By the look of your logs, VNC was turned on in your Sharing/Computer Settings tab."

Just to clarify:

System Preferences > Sharing > Remote Management > Computer Settings > VNC viewers may control screen with password:

item.219040

Steve B

Is all Mac screen sharing accessible from the outside? Can it be setup only to work with your local network? Thanks.

item.218993

MacInTouch Reader

A couple of months ago, I was reviewing logs in the Console app to try to troubleshoot some problem or another. I came across the monthly.out log, which I reasoned was produced by "periodic monthly" which runs on the first of the month. Never having reviewed it before, I did.

"periodic monthly" does two things: rotates the fax logs and performs login accounting. The login accounting section showed, along with root and the logins I have established and use, a significant number of weirdly named logins, for example, jjjrrrvvv, eeehhhkkk, rrrhhhbbb, bhenhaverammulticsy, cemcvnivrn, and many others, none of which were logins that I had created, and all of which were completely unknown to me.

I reasoned that unknown actors had cracked my WiFi network's WPA2 password and were jumping onto the network. I changed both the password and the network name, and for the last two months, have had no recurrence of these weird logins. I suppose as a general security maintenance task, I will change these, well, "periodic"-ally.

item.219002

Timothy Ramsey

ClamXav has identified malware in some of these MacUpdate installers. I believe ClamXav more than the claims from MacUpdate. The malware message from ClamXav happens randomly I assume because of the variation in what is contained in these installers.

I also note that the installer in question is delivered in a sneaky manner. You click on a link labeled as the update for an app. It shows a size, say 64 MB, associated with the expected updater. Instead you get a 1.6 MB installer loaded with crapware installers. Some of these are managed in a sneaky manner also. One offers to replace your home page and search engine with Yahoo. The only way to not do this is found by clicking an "advanced" button. Opting out is advanced?!

These installers may only be being used on a few applications (no way to tell) but they are very common applications like Skype and Firefox.

I have used MacUpdate for years and am disappointed to see a useful and respected site taking this path. Unless this course is reversed I will become a former user.

item.219013

Jeremy G

FWIW, Gary Kellogg, MacUpdate's statement that

"We are bundling additional offers into the downloads for those select few, not adware or malware as others believe. In fact, most of the stuff we offer are other apps that we sell on our website. It is not adware or malware as others are making it out to be."

is challenged, at least in my case, by the fact that my attention was drawn to peculiarities by Ghostery and by Avast. Ghostery blocks known trackers, and I should not have to allow them to download a program from the site. Avast is anti-virus software, and if it tells me that a download is infected, I am hardly likely to second-guess that. Nor am I willing to waste the time needed to discover whether a particular instance is one of MacUpdate's genial and beneficent 24 out of 40,000 or something more sinister. There are other ways to track and maintain software than just MacUpdate.

item.219024

John Fallon

I really liked the idea of Macupdate; being able to see all out-of-date apps at a glance with the desktop app. I've been a paid member for a few years.

Now it's not worth the risk. Virtually every application checks for updates when you start it up; those updates come from the developer.

Macupdate was an excellent discovery tool, if you were looking for a MySQL interface or the like. I don't need to pay to discover new adware.

item.219042

MacInTouch Reader

I downloaded AppCleaner from MacUpdate without signing in. When I opened the dmg file, inside was an installer for MacUpdate. When I downloaded AppCleaner after signing in, I received a zip file which, when opened, had the AppCleaner application. When I wrote to MacUpdate I received the same response as did Gary Kellogg.

Too bad about MacUpdate. They have lost my trust.

item.219045

Ryan Edgecliff

This discussion about MacUpdate has made me appreciate Ric Ford's approach to funding MacInTouch even more. Thank you Ric for not using trackers, adware, and other opaque, furtive methods of generating revenue.

Now off to change my Amazon bookmarks to the MacInTouch affiliate URL!

item.219047

Phillip Bays

MacUpdate's reply, as quoted by Gary Kellogg:

If you're a paid member at MacUpdate, you can go to the Preferences tab of your profile and deselect the "Show Banner Ads," then click "Apply All Changes." This will turn off the banner ads that are on our website, as well as the special offers that appear in a few of our downloads.

I do not find a Deselect Banner Ads in my preferences profile.

item.218984

MacInTouch Reader

A potential alternative to MacUpdate that I like, especially with the demise of VersionTracker, is GetMacApps.com. From Lifehacker:

lifehacker.com/get-mac-apps-makes-downloading-apps-and-setting-up-a-ne-511616307

Something to consider.

item.218990

David Zatz

I agree with the general consensus on macupdate, with one exception: I never thought they were better than VersionTracker. Their searches were not usually as good, they had 404s much more frequently (and did not seem to address them often if at all), and in general I went to them because they ended up as the only game in town when VersionTracker sold out to the rubbish masters - who had, at one point, been a good reputable site but chose to do misleading ads ("download here" should mean "download the program you want here"), lots and lots of them, and ever-dwindling actual content vs computer-or-idiot-generated fluff.

Thank Heaven for MacInTouch. I will miss you while you are away.

item.219080

Jeremy G

One might also try "SoftPedia", listed as a tracked site on the MacSurfer site.

Nov. 9, 2015

item.219068

Gary Kellogg

John Fallon's observations about in-app updaters were spot on. One of the things I will miss most about MacUpdate is its value as a discovery tool for new apps to replace ones that stopped development, became obsolete, etc. As more subscribers leave, the value of this "crowd sourced" wisdom will also diminish.

For those who have used MacUpdate for years, I recommend having a look at your apps and their automatic update mechanisms. If the updates have been reliable, then just automate them. For those few apps (I have a handful myself) for which I would like to wait until their updates are proven stable, then either check manually to update them on a weekly or monthly schedule or, if present, use the option to download updates but not install them. That's the way I am going to wean my way off of MacUpdate until or if they revise their present course.

I hate it when businesses or sites do this kind of thing. It's like patronizing a comfortable restaurant and finding the same menus but some of the food recipes have changed with no notice.

item.219070

Phillip Bays

"If you're a paid member at MacUpdate, you can go to the Preferences tab of your profile and deselect the "Show Banner Ads," then click "Apply All Changes." This will turn off the banner ads that are on our website, as well as the special offers that appear in a few of our downloads."

I do not find a Deselect Banner Ads in my preferences profile.

OK. I found it. I was looking in the desktop app rather than the web site profile.

item.219053

M Young

"Is all Mac screen sharing accessible from the outside? Can it be set up only to work with your local network? Thanks."

If you have a globally-routed IP number, then yes (or if you have port forwarding configured on your router). I use Little Snitch to only allow screen sharing connections from our workplace network. From home, I log into my employer's VNC to screen share with my work Mac.

item.219094

MacInTouch Reader

My experience with MacUpdate is as an application developer, not a downloader. This post addresses another issue with all sites such as MacUpdate. In my view, it is always better to download directly from the developer's site.

tldr: MacUpdate had a very old copy of my app, but they now keep the listing up-to-date.

Several years ago, someone complained on my app's website about a freshly-downloaded copy of the app which was crashing. It turns out that the user had downloaded the copy from MacUpdate and that it was several years out-of-date and included kexts that were not compatible with the latest version of OS X at the time. (The user had declined the app's offer to check for updates.)

I looked on the MacUpdate site and, indeed, the version of my app that they claimed was "current" was at that point several years old.

I contacted the MacUpdate people, was given access to update the listing for "my" app, and was asked to update it whenever I update the program. I replied that it was their job to update the listing, not mine, and that they were being paid to do so by their subscribers or advertisers and I wasn't, so I would not be updating my listings.

Since then, the listing has been updated (by them) in a timely manner. As a courtesy, they send me an automated email each time they do so, so I can review the listing.

item.219096

MacInTouch Reader

There may be more to Frederic Puhan's experience. When we left off with Frederic, hackers were remote controlling his Mac. Others have pointed out that Screen Sharing (VNC) is enabled and should be disabled in System Preferences, Sharing.

Unfortunately, that is not all that Frederic should consider.

I wonder whether Frederic's Mac is connected directly to the Internet and has a public IP address? If so, then Frederic's Mac is directly accessible from the Internet. This is a possibility if Frederic's Mac is connected directly to an older DSL or cable modem, and nothing else in the house uses the Internet connection. While not a panacea, a NAT/Router would normally block inbound connections in those circumstances. NAT/Routers are often called "routers". They often come built-in to the "modem" which connects to the Internet service (DSL / Cable / Fiber / Satellite /whatever). Most often they include WiFi.

If Frederic's Mac is already behind a NAT/Router (with a private IP address), then that implies that someone has opened VNC ports on the router to grant Screen Sharing access from the Internet. If so, then he needs to check the settings on his router. Obviously some ports are open. Why? That is not good if Frederic is not aware of it. Perhaps someone was helping him remotely in the past. The worst case scenario is that his router was hacked from the outside. Is the router's firmware up to date? Some routers are so old that the manufacturers are no longer supporting them with security updates.

Finally, the VNC protocol itself limits passwords to eight characters or less. An eight-character password is not secure, even if the password is random. I don't know Frederic, but is it possible (likely?) that the VNC password succumbed to a simple dictionary attack?

To find out if your Mac is behind a NAT router, do the following:

1. Open System Preferences, then click on the Network icon.
2. On the left side, you will see various interfaces.
3. One by one, click on the left side interfaces that show a green dot.
4. Write down the IP address that is listed on the right side. It will be in the form "x.x.x.x" or "xxx.xxx.xxx.xxx" or something in between.
5. Repeat for the other interfaces with green dots. There may only be one.
6. Check to see whether your IP address(es) are in the form:
10.x.x.x
192.168.x.x
or somewhere between 172.16.x.x - 172.31.x.x (rare).
If they fall in the above ranges, then your Mac is behind a NAT/router. Check for NAT/Router firmware updates. More important, you must figure out why the VNC (and probably other) ports are open. Ask a technically skilled friend to help.

7. If the IP addresses do not fall in the above ranges, then your Mac is connected directly to the Internet. I suggest that you buy a NAT/Router, such as an Apple AirPort. If you are buying it from Amazon, remember to use the MacInTouch Amazon link, which automatically donates to MacInTouch.

Notes for the picky:
Yes, I am ignoring IPv6.
Yes, a NAT/Router is not a panacea, as I said before. Still, it will shield Frederic and others if they inadvertently enable services on their Mac without understanding the implications.
Yes, I can think of other explanations, but I hope I have identified the most likely issues.
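The range check in step 6, written as a small script you can run over every address you wrote down in step 4. This is an added example, not part of the post; it implements only the IPv4 ranges listed above (10/8, 172.16/12, 192.168/16), ignores IPv6 as the post does, and the interface names and addresses in the sample are constructed.

```python
# Added example: classify the IPv4 addresses shown in System Preferences > Network
# as private (RFC 1918, i.e. behind a NAT/router) or public (directly reachable).
# The 172.16.x.x - 172.31.x.x range is the one people most often get wrong,
# so it is checked on the second octet explicitly.

def parse_ipv4(addr: str) -> tuple:
    """Split a dotted-quad string into four integer octets, rejecting malformed input."""
    parts = addr.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {addr!r}")
    octets = tuple(int(p) for p in parts)
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {addr!r}")
    return octets


def is_private_ipv4(addr: str) -> bool:
    """True for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (the step 6 ranges)."""
    a, b, _, _ = parse_ipv4(addr)
    if a == 10:
        return True
    if a == 172 and 16 <= b <= 31:   # 172.16.x.x through 172.31.x.x only
        return True
    if a == 192 and b == 168:
        return True
    return False


def classify_interfaces(addresses: dict) -> dict:
    """Map each active interface (name -> address from step 4) to a verdict string."""
    verdicts = {}
    for name, ip in addresses.items():
        if is_private_ipv4(ip):
            verdicts[name] = "private address: behind a NAT/router (step 6)"
        else:
            verdicts[name] = "public address: connected directly to the Internet (step 7)"
    return verdicts


if __name__ == "__main__":
    # Constructed sample, as if copied from the interfaces with green dots.
    sample = {"Wi-Fi": "192.168.1.23", "Ethernet": "172.32.0.5"}
    for iface, verdict in classify_interfaces(sample).items():
        print(f"{iface}: {verdict}")
```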

item.219099

MacInTouch Reader

I have said this before, but I will say it again. Avoid all aggregate download websites. That includes MacUpdate, VersionTracker, CNET (and Downloads.com), Softpedia, Tucows, TomsGuide, whatever. BEWARE of website domains that incorporate the product name, but have no affiliation with the developer, for example: "mygreatapplication_download.com".

Sometimes those aggregate websites are useful for reviews or finding alternative products, but never download from them. NEVER.

Always take the time to identify the true developer's website and get the product from it. ALWAYS.

As others have pointed out, the aggregate download websites often add adware, malware, or other unwanted products to their installers. Remember that when you type your admin password for an installer, you are giving it privileges to write files anywhere on your system. (Okay, El Capitan prevents some of that, but the installer can still add applications that automatically startup when you login, for example.)

item.219083

MacInTouch Reader

Re:

""periodic monthly" does two things: rotates the fax logs and performs login accounting."

In addition to that log file, there is the "appfirewall.log" file. I often see things like this in there:

Nov 6 18:35:58 host-XX-YY-ZZ-ABC.xyz.blahblab.net socketfilterfw[181] <Info>: Stealth Mode connection attempt to TCP 2 time
Nov 6 18:38:34 host-XX-YY-ZZ-ABC.xyz.blahblab.net socketfilterfw[181] <Info>: Stealth Mode connection attempt to UDP 1 time
Nov 6 18:40:06 host-XX-YY-ZZ-ABC.xyz.blahblab.net socketfilterfw[181] <Info>: Stealth Mode connection attempt to UDP 4 time
Nov 6 18:40:06 host-XX-YY-ZZ-ABC.xyz.blahblab.net socketfilterfw[181] <Info>: Stealth Mode connection attempt to TCP 1 time

So, someone is knocking on the door, a lot.

I have the firewall turned on and set to not acknowledge any outside attempts to get in ("stealth mode").
At least, I hope that's what it's all about.
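A way to turn those appfirewall.log lines into a count of blocked probes per protocol and per hour, so a burst of door-knocking stands out from a stray packet. This is an added example, not from the post; the log lines it parses are constructed to match the format quoted above, and the hostname is a placeholder.

```python
# Added example: tally "Stealth Mode connection attempt" entries from appfirewall.log.
# socketfilterfw writes lines of the form
#   Nov 6 18:35:58 <host> socketfilterfw[181] <Info>: Stealth Mode connection attempt to TCP 2 time
# (format as quoted in the post); the trailing number is how many attempts were dropped.
import re
from collections import Counter

STEALTH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}\s+\S+\s+"
    r"socketfilterfw\[\d+\]\s+<Info>:\s+Stealth Mode connection attempt to "
    r"(?P<proto>TCP|UDP)\s+(?P<count>\d+)\s+time"
)


def tally_stealth_attempts(lines):
    """Return (per_protocol, per_hour) Counters of dropped probes.

    Lines that are not stealth-mode entries are skipped, so the function can be
    fed the whole file, e.g. open("/var/log/appfirewall.log").
    """
    per_proto = Counter()
    per_hour = Counter()
    for line in lines:
        m = STEALTH_RE.match(line)
        if not m:
            continue
        n = int(m.group("count"))
        per_proto[m.group("proto")] += n
        per_hour[f"{m.group('mon')} {m.group('day')} {m.group('hh')}:00"] += n
    return per_proto, per_hour


# Constructed sample log; the last line is an unrelated entry that must be ignored.
SAMPLE_LOG = """\
Nov 6 18:35:58 host-example.invalid socketfilterfw[181] <Info>: Stealth Mode connection attempt to TCP 2 time
Nov 6 18:38:34 host-example.invalid socketfilterfw[181] <Info>: Stealth Mode connection attempt to UDP 1 time
Nov 6 18:40:06 host-example.invalid socketfilterfw[181] <Info>: Stealth Mode connection attempt to UDP 4 time
Nov 6 18:40:06 host-example.invalid socketfilterfw[181] <Info>: Stealth Mode connection attempt to TCP 1 time
Nov 6 19:02:11 host-example.invalid socketfilterfw[181] <Info>: (constructed non-matching line)
"""

if __name__ == "__main__":
    by_proto, by_hour = tally_stealth_attempts(SAMPLE_LOG.splitlines())
    print("dropped probes by protocol:", dict(by_proto))   # {'TCP': 3, 'UDP': 5}
    print("dropped probes by hour:", dict(by_hour))        # {'Nov 6 18:00': 8}
```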

item.219112

Jim Prete

Figured out the issue... Apple has moved to OpenSSH, and OpenSSH has a command, -G, that was not present in previous versions of SSH under Mac OS X.

Finally found the answer on this web site:

http://www.openssh.com/cgi-bin/man.cgi/OpenBSD-current/man1/ssh.1?query=ssh&sec=1

The rootkit scanner was using the method of calling SSH with the -G option to determine if the install was infected. An invalid or unknown response would indicate no infection; any other response was considered infected.

OpenSSH uses the -G command to cause ssh to print its configuration after evaluating Host and Match blocks and exit.

This caused the scanner to indicate an infection.

All appears okay with El Capitan.

Nov. 10, 2015

item.219084

MacInTouch Reader

My OS X 10.8.5 Mac, not doing anything online, just had a Little Snitch alert. Why in the world would automountd need to access my downloads folder on an outgoing connection? Although different, this is the second strange alert to hit my system in a few weeks, with the last one being that security company in Chicago trying to exploit a weakness in Terminal BASH:

Process: /usr/libexec/automountd
Process Owner: System
Server: Hostnames
downloads
198.105.244.74, 198.105.254.74
Port: 111 (sunrpc)
Protocol: 17 (UDP)

item.219135

MacInTouch Reader

"use Little Snitch to only allow screen sharing connections from our workplace network"

What is the name of the application that needs to be limited by Little Snitch to local network only to make screen sharing safe from internet attacks? Thanks!

item.219138

Johann Beda

Gary Kellogg says:

"One of the things I will miss most about MacUpdate is its value as a discovery tool for new apps to replace ones that stopped development, became obsolete, etc. As more subscribers leave, the value of this "crowd sourced" wisdom will also diminish."

I agree. One place that I have been using a fair bit recently is https://alternativeto.net/ which lists user generated information about various applications on a variety of platforms. As with anything of this nature, their business model might not last forever, but until they go the way of the Dodo, they are useful.

item.219141

Ryan Edgecliff

A fast way to check if any ports are open to the Internet is to use ShieldsUp at grc.com. It scans up to the first 1056 TCP ports on your machine and reports if each port is Open, Closed, or Stealth (does not respond to pings).

item.219161

Robert Rosenberg

6. Check to see whether your IP address(es) are in the form:
10.x.x.x
192.168.x.x
or somewhere between 172.16.x.x - 172.31.x.x (rare).
If they fall in the above ranges, then your Mac is behind a NAT/router. Check for NAT/Router firmware updates. More important, you must figure out why the VNC (and probably other) ports are open. Ask a technically skilled friend to help.

7. If the IP addresses do not fall in the above ranges, then your Mac is connected directly to the Internet.

The 192.168.x.x check is not always correct. I have a friend who is assigned a 192.168.2.x address by their ISP (Bell South) so they do not have their own NAT/Router but there seems to be one at the ISP Headend. They are protected in any case, since I placed a Linksys router between her machine and the modem. This was not only for extra protection and isolation but to give her WiFi access for her Kindles and my Laptop when I visit.

item.219206

David Charlap

Robert Rosenberg wrote:

"The 192.168.x.x check is not always correct. I have a friend who is assigned a 192.168.2.x address by their ISP (Bell South) so they do not have their own NAT/Router but there seems to be one at the ISP Headend. ..."

Some ISPs give out private addresses (10/8, 172.16/12 or 192.168/16). These addresses are not routable across the Internet. Users who were assigned these addresses are having all their traffic translated to some public IP address before it leaves the ISP's network.

What this means, in terms of security, depends on how the ISP's network is configured. Depending on their network configuration, that address might be no more secure than a public address, or it might be equivalent to running your own NAT router at home.

For example, they might have static 1:1 mappings between private addresses and public addresses, passing all traffic in both directions for all ports. This is (as far as you're concerned) no more secure than a public address.

They might assign one public address per customer, and create multiple private addresses on that address, corresponding to all the DHCP sessions initiated from your hosts. This should be functionally equivalent to running your own NAT router.

They might be pooling customers - assign several (hopefully not all!) customers to a single public address, and assign private addresses (either one per customer or one per host). This will be like using a NAT router as far as Internet traffic is concerned, but (depending on what kind of internal firewalls they have configured) it might allow other ISP customers sharing your public address to access hosts on your LAN.

Unfortunately, you really have no way of knowing the details of their internal configuration, and this configuration could change without notice. In other words, even if your ISP assigns you a private address, you should act as if it is public and set up appropriate firewalls between your LAN and the ISP.

item.219180

MacInTouch Reader

Robert Rosenberg writes,

"The 192.168.x.x check is not always correct. I have a friend who is assigned a 192.168.2.x address by their ISP (Bell South) so they do not have their own NAT/Router but there seems to be one at the ISP Headend. They are protected in any case, since I placed a Linksys router between her machine and the modem. This was not only for extra protection and isolation but to give her WiFi access for her Kindles and my Laptop when I visit."

If that's actually true, that's going to break a lot of stuff. They need to stop doing that. The 192.168.*.* block is reserved for private use.

Start with contacting ARIN, https://www.arin.net

item.219189

MacInTouch Reader

Re MacUpdate... I dislike another "marketing tactic" they, as well as numerous online vendors, use: automatically signing you up to their emails even if you buy one item and are forced to create an account.

"You are receiving this offer because you are a MacUpdate member or signed up for MacUpdate Special Offers emails. Add us to your address book or white list to ensure reliable delivery.
--->Manage your email list preferences"

Thankfully at the bottom, there is a TRUremove link. Done. Nothing personal MacUpdate (I did buy once from you, but I never sign up for email blasts).

Nov. 11, 2015

item.219173

M Young

"What is the name of the application that needs to be limited by Little Snitch to local network only to make screen sharing safe from internet attacks? Thanks!"

If you are familiar with Little Snitch, then you need to make rules for the background process (a non-GUI program or process) "screensharingd.bundle".

I believe you could make the rule from scratch, but I usually just use the initial alert from Little Snitch and edit that to work. I set a rule to deny all connections on port 5900 and then a second rule to allow connections to that port from a specified range of IP addresses. Note, this is useful only if you connect to your host Mac (the one you want to screenshare with) from the same range of addresses each time. This doesn't help if you are on the road using a hotel's wifi network.

Before my employer set up a VPN, I used to connect via SSH using key-based authentication. Then I would establish a tunnel for screensharing. But that is the subject for another post...

item.219268

Robert Rosenberg

Re:

"The 192.168.x.x check is not always correct. I have a friend who is assigned a 192.168.2.x address by their ISP (Bell South) so they do not have their own NAT/Router but there seems to be one at the ISP Headend. ..."

Some ISPs give out private addresses (10/8, 172.16/12 or 192.168/16). These addresses are not routable across the Internet. Users who were assigned these addresses are having all their traffic translated to some public IP address before it leaves the ISP's network.

This is what is happening with her connection. The 192.168.2.x address travels on Bell South's private network (LAN) and eventually exits to the Internet as 70.145.x.x (as shown by the Received headers on her email messages).

item.219276

Michael Fussell

This evening, ClamXav highlighted the fact that the latest Onyx installer that I downloaded from MacUpdate contained another installer that presumably had nothing to do with Onyx. How disappointing! The Mac side is getting somewhat closer to the Windows side where someone is always trying to fool you into using their product. Update Adobe Reader on the Windows side and you may have the McAfee anti-virus program installed as well unless you carefully unclick a certain box. Downloading AVG without installing other programs is difficult.

It takes a long time to build a reputation but you can destroy it in an instant. I guess MacUpdate is only useful for indicating the possibility of an update arriving on the scene. Otherwise go to the developer for the actual update.

item.219279

MacInTouch Reader

Michael Fussell's recent experience with a MacUpdate download happened to me too today. Full marks to ClamXav (developer Mark Allan, ho ho) which identified PUA.OSX.InstallCore, googled as some sort of adware or malware, in this site's installer for an AppCleaner update.

My mild objection to this in the app's user discussion section was rapidly deleted by MacUpdate.

I guess they have to run a business that makes a profit but I'd rather not contribute to it if they continue with this sort of caper. Michael advised about using MU as a software update search tool but downloading the actual update from the developer's website looks pretty good to me!

item.219285

Derek Beatty

I'll take a slightly contrary point of view on the bundling of things into software installers, at least in one case: Given the number of exploits against Adobe software, perhaps it's good to see security software bundled into their installers.

item.219288

MacInTouch Reader

That's now three incidents of error that I know of on the part of MacUpdate...AppCleaner, OnyX and VueScan. These are all really good applications, just don't download them from MacUpdate. Also, I have found that MacUpdate is not always current on updates, sometimes posting them well after the release date.
