phishing posts

Filed under: OS, Software, iPhone

iPhone OS 3.1 anti-phishing works; you just need to set it up properly

Remember hearing that one of the new features of iPhone OS 3.1 was an anti-phishing capability for Safari? Jim Dalrymple over at The Loop wondered if it was working properly, and asked Apple what was going on. The response?
"Safari's anti-phishing database is downloaded while the user charges their phone in order to protect battery life and ensure there aren't any additional data fees," Apple spokesman, Bill Evans, told The Loop. "After updating to iPhone OS 3.1 the user should launch Safari, connect to a Wi-Fi network and charge their iPhone with the screen off. For most users this process should happen automatically when they charge their phone."
What this apparently does is allow Safari to completely download the anti-phishing database, which is necessary before the feature will work. It also appears that you'll need to update the database on occasion in the same way -- charge your iPhone with Safari up and the screen off.

As always, TUAW urges you to practice safe computing, so enabling anti-phishing in this odd Apple-approved manner is highly recommended.

[Thanks to LoopInsight.com for digging into this]

Filed under: Odds and ends, Security, MobileMe

Beware of MobileMe phishing scam

Several TUAW readers have contacted us about a MobileMe phishing scam. These readers are getting an email that looks surprisingly official (see below). When they click on the Log In button, they're going to a page that has already been shut down. That might not always be the case.

Never, never, NEVER click on a link or button in an email asking for personal or financial information -- that's a sure way to become a victim of a phishing scam. If you receive a note like this, log into your MobileMe account and update your billing info directly, if it really needs to be updated. Do NOT click on the button.

A couple quick ways to see where a link or button in an email is going to take you are to hover your mouse over a link to see the real URL, or to right-click a button and select properties from the menu to see what URL is embedded in the button. Be careful out there, folks -- there are a lot of unscrupulous people who would love to take all of your money.

A tip of the hat to Noah for supplying the screenshot!

Filed under: Analysis / Opinion, Software

Better safe than sorry? Trend Micro Smart Surfing for Mac

Earlier this week, PC security app vendor Trend Micro announced a new product aimed at Mac users. Smart Surfing for Mac (US$69.95 per user per year) provides antivirus, anti-spyware, anti-rootkit, and web threat protection, and also has a two-way firewall built in.

This, of course, brings up the old debate for Mac users. On the one hand, our 10% of the personal computing market is virtually free of the virus and malware attacks that plague the Windows world. On the other hand, should you be concerned enough to consider purchasing protection that might be overkill?

Some of the features of Smart Surfing for Mac could be very useful for users who might otherwise be in danger of certain nefarious schemes. For example, it blocks visits to dangerous websites and has anti-phishing capabilities. While I know enough to check the real URL of links in emails by simply hovering my cursor above them, there are a frightening number of people who don't do this and who are at real risk of phishing scams. Parents might like Smart Surfing for Mac for their kids, as it restricts access by content categories, controls IM access, and also lets you block certain websites.

Are products like Smart Surfing for Mac expensive overkill, or are they cheap insurance against the remote chance of actually getting hit with a Mac virus, malware, or a scam? Let's hear your opinion in the comments section!

Filed under: Software, Internet Tools, Security

Consumer Reports pans Safari's lack of phishing protection

Consumer Reports, in its annual internet security survey, recommended that Mac users avoid Safari because of its lack of phishing protection. Instead, they recommend users install Firefox 3 or Opera 9.5 as their default browsers, since both will warn users before displaying the contents of sites known to be sources of scams and personal information theft.

Jeff Fox, technology editor at Consumer Reports, noted that "e-mail is the weak vector on the Mac," meaning that most successful phishing attacks on Mac users arrive via email.

"Windows users are used to being paranoid about not clicking [links in phishing emails]," he said. "Mac users aren't, even though they say, 'Antivirus software, who needs it?'"

As we've mentioned before, 1Password does a great job of adding phishing protection to Safari. Also, always be extra-wary of clicking links in emails from people you don't know.

[Via Computerworld.]

Filed under: Security

Beefing up your Phishing net

Phishers -- in their sinister attempts to bilk you out of your time, money, and personal information with bogus emails -- are becoming more and more clever. Luckily, with a little critical thinking and up-to-date software, you can keep yourself safe.

Typically, to avoid falling victim to phishing, check the URL that the email is asking you to click. Does it look right? One popular façade for phishing attempts is PayPal, and there's a new technique that makes it look like the request is coming, securely, from paypal.com. For the technical among us, it exploits a flaw in one of PayPal's screens that allows a phisher to include a redirect URL in an address that begins with https://www.paypal.com. Sneaky. Thankfully, Firefox blocks it on the rebound.

Also, emails that ask you to verify or enter account information (that you've already entered) have a high degree of poopiness about them. Reader Allan noted that because Apple is in the process of switching people to Mobile Me, some phishers are using the confusion to send people emails asking them to enter new billing information for the new service. That, of course, isn't necessary, and if you get that kind of email, you should delete it.

Another good way to protect yourself is to use an up-to-date browser. Firefox includes protection against known phishing sites, and warns you about them before letting you proceed. Safari, currently, does not, but 1Password does, and it works seamlessly with Safari. Installing one of these options is especially important for parents and grandparents that may not be as familiar with these attacks as their kids.

Lastly, there's a great overview at macphishingprotection.com, which notes, "Phishers win even if you make only one mistake." Truer words never spoken.

Thanks, Allan, Fernando and Aviv for the heads-up!

Filed under: iTS, Internet

Phishers targeting iTunes users

Macworld is reporting that phishers are using the iTunes Store as a way to get personal information, using emails similar to those that purport to be from banks or auction sites.

Andrew Lochart, from security company Proofpoint, Inc., says the emails indicate that users must correct a problem with their iTunes account. The email links to a phony web page asking for the user's credit card number, social security number, and mother's maiden name.

In Macworld's interview, Lochart suggested that iTunes was chosen as an attack method not only because of its popularity, but also because of a young user base that shows "a certain level of trust or openness when they post their name and age and school on MySpace."

Have you received one of these emails? Let us know!

Filed under: Software

1Password updated with anti-phishing support



It's been six months between major upgrades to browser credentials manager and all-around swell pal 1Password, and the Agile team has not been napping; the new version 2.6 offers anti-phishing tech courtesy of integration with PhishTank.com, compatibility with SSB fave Fluid, and a more streamlined password-changing option to avoid the proliferation of old credentials.

Single-user licenses of 1Password are $34.95 and 3-license family packs are $49.95 (otherwise known as $35 and $50; can we agree that pricing downloadable items as if they were sportscars or boxes of detergent, while psychologically valid, is darned silly) and upgrades from 2.5 to 2.6 are free of charge for most users. MacHeist II bundle owners are covered for this upgrade, however those who got a free license via Macworld's Mac Gems promotion will have to cough up the dough for the new version.

Filed under: Internet Tools, Security

PayPal says it won't block Safari

There's been some talk about PayPal blocking Safari from using its services, and I'm among those concerned about it... even if only from a convenience standpoint. Originally the news was gleaned from statements by PayPal Chief Information Security Officer Michael Barrett regarding browsers without phishing protection -- which most assumed included our beloved WebKit-based compass. But in a brief addendum to a post at the Wall Street Journal last week it was reported that -- while PayPal will be blocking older browsers (IE4-era) and older operating systems -- Safari is safe from the cut.

I'm relieved, at least from the previously mentioned convenience standpoint. I prefer Safari as my surfing browser[1] and I frequently use PayPal. It's too bad that there are still a good number of sites that, while not blocking Safari, just plain don't work with it yet. Add to that some of the great plugins available for Flock/Firefox and you'll almost always find me with multiple browsers open. In much the way that the iPhone is preventing Gargoylism* by consolidating peripherals, I'm hoping for a day when I open just one browser in the morning. I'm getting a little teary-eyed thinking about it.

[1] Since I know it will be bandied about in the comments, I'd like to offer these reasons for preferring Safari: It's faster (in general). It's more elegant (or prettier, either way it's subjective). It's AppleScriptable (which I make daily use of). And it's more elegant (redundant, but worth mentioning again).

Filed under: Software, Apple, Security

PayPal excludes Safari from "Safer Browsers"

I've seen some very convincing PayPal phishing sites in recent years. I've also worried many times that friends and relatives less savvy in the ways of the phisher may inadvertently hand off a password or two and blame me – the one who talked them into a PayPal account to begin with – for the draining of their life savings. Thankfully PayPal shares my concern for said friends and family members and has published a guide to "Safer Browsers." Apple's Safari web browser, however, was not included in the list of recommended browsers.

This is not all that surprising, at least to anyone who's followed Safari security concerns. Despite having improved in certain areas, such as IDN spoofing, Safari still lacks some fundamental security features found in Internet Explorer (7+), Firefox and Opera. Features such as Extended Validation certificates are heavily promoted by PayPal, despite the warnings of critics who feel that many targets of phishing scams don't notice the green background in the URL field until it's too late -- if at all. Plugins like Saft do their bit, adding a few security features too. But until Safari catches up with IE and Firefox in the area of security, it's not likely that PayPal's list is going to include the otherwise spectacular browser.

[via Macworld]

Filed under: Security

Does QuickTime pose a security risk?

The whole QuickTime/MySpace security hole that was discussed this week on TUAW has given rise to a general concern about QuickTime's vulnerabilities. The QuickTime bug apparently allowed a worm to infect MySpace user profiles and redirected traffic to a phishing site, where passwords were harvested.

An Information Week article suggests the security flaw could extend well beyond MySpace to both Mac and Windows users. The problem seems to stem from QuickTime's JavaScript support and a bug that allows malicious JavaScript code to affect browsers. The article states that although Apple has provided an Internet Explorer patch, it has yet to issue a general QuickTime fix across all platforms.

Filed under: Software, Internet Tools

1Passwd - password/form manager lets Firefox use the Keychain

*Oh snap!* Agile Web Solutions has created a password and form manager extension for both Safari and Firefox that fixes one of my biggest gripes about Mozilla's flagship browser: it can store website passwords in Mac OS X's Keychain Access application. For those who haven't stumbled upon the wonders of the Keychain: it's a system-wide secure password manager that most other Mac OS X apps can use to store logins for things like websites and FTP access. 1Passwd is an extension that, amongst other features, lets Firefox join the Keychain party so you can have one secure, centralized area for managing (and backing up) your logins. This also means that if you have a .Mac account, any passwords you enter into Firefox will sync between your Macs. But 1Passwd doesn't stop at handling just your login information. Check out the full feature list to see everything else it can do for both Safari and Firefox.

If beer could be sent virtually through PayPal, I'd send Agile Web Solutions a twelve pack; this brings Firefox one step closer to being a true Mac OS X browser. 1Passwd is currently in a third beta release, and those who opt to test the beta and offer their email addresses will receive a discount off its (somewhat steep) $29.95 price.

Filed under: Analysis / Opinion, OS, Tips and tricks, Odds and ends, Internet

How to take Mac security seriously

Damien went into detail about the "hacker challenge" story and, as he explained, it's much ado about nothing -- for now. Clearly, this Mac security thing is only going to get more important. Even Headline News had a largely exaggerated report on the Bluetooth exploit found a while ago... So what is the average Mac user supposed to do? It's all well and good if you're a sysadmin and you can do stuff like lock down a server, but if you just bought your iBook and you are now cowering in a corner because you're afraid to even open the thing (knowing that you will automatically "catch" something), what then? Read on, as I have some stories and advice for you.

First, it is important to note that the most likely vector of any computer attack is human. And keep in mind the difference between a vector of attack (like the SSH "hack" mentioned by Damien), and a payload, which would be a true virus or Trojan. A worm is a vector, but it might deploy a payload. Make sense? Anyway, the point is humans are the weakest link in the whole chain, yet also the most important in stopping any attack. It is this central fact that makes almost all OSes equal in terms of security. You are only as good as the people who use a system, and those who set it up. Case in point: phishing.

Phishing is a huge problem, and easy to set up. You get an email claiming some guy is your long-lost relative, and he needs some money to get out of jail. If he gets out, he'll double your money. Or, even easier to trick (but harder to set up) is the fake URL scam, where it looks like PayPal or eBay (common targets) is sending you a letter about your account. This is the true phishing scenario, played out millions of times a day on the internet. Just click on the link to "verify" your account info, or it will be deleted. Unfortunately, the link will take you to a spoofed site, and you'll be typing your sensitive info into a trap designed to steal your passwords and credit card numbers. These are spins on classic grifters' tricks, and phishing scams aren't very well guarded on OS X. Microsoft and Mozilla are trying to attack this problem with tools in their browsers (or in email clients) that will alert you to spoofed websites. So what can you do on OS X? First, check out the US government's guide to avoiding phishing scams. Second, make sure you're using something to filter spam, as this will often catch a lot of generic phishing scams. If you use Firefox, Netcraft has a toolbar that will supposedly guard against phishing, but I haven't tried it. It essentially checks URLs for you. Third, use common sense. Would eBay really send out an email to an account and NOT use their username? Of course, the common sense cure is the hardest one to invoke...

One more thing about the human vector: it's all about education. You have to teach people the rules of the road, yes? Well you'll have to educate yourself or others on some basic security precautions, especially if you are the cautious type. One common concept is to never share passwords. Also, most people would recommend you don't use the same password for everything you do. And since we're talking about passwords, don't forget to change them often, and use combos of letters, numbers, and uppercase/lowercase where appropriate. If you want a freeware tool for making passwords, there's Pazzle. With Keychain, I have a bad good habit of just setting a great password, but instantly forgetting it. Let's just hope I back up my Keychain database on a regular basis, eh? Oddly enough, Wayne State has a quick little ditty on setting passwords, and of course Wikipedia has the whole history plus some ideas too. Without exposing my own tricks, I can say that if I have to remember it, I'm more likely to use l33t type spelling for relatively common stuff. Maybe not the most secure in the world, but more secure than "Fluffy" or "PHilton." And did you know OS X includes a password helper, to help create good passwords? It's all here on this Tiger Tips page. Essentially you click the little question mark (or key, as in FileVault it was a question mark, but sometimes it's a key, as in the pic on the Apple page, go standard GUI!) and a tiny dialog pops open to help you make a password. Pretty slick.

Tiger introduced a ton of very necessary security features too (aside from the password helper). Stuff most people don't think about is now included, like Kerberos support in VPN, secure virtual memory, and a certificate assistant. A lot of these things are hard to find to the uninitiated, which I guess is good, since most folks won't use them. So instead, let's go over some more basic things you can do to protect yourself (after the jump).
