Java breaches and other security news
It’s time to disable or even remove Java from your Mac, and use a virtual private network for Wi-Fi.
Special to The Seattle Times
Apple security is in the news again, only this time with a different focus. A vulnerability didn’t just potentially expose Mac users to trouble. Computers within Apple itself were compromised.
The culprit? Java, the third-party development environment designed to let developers write apps that can run on any platform. Unfortunately, malicious hackers continue to find weaknesses in Java (and Flash) that are leading to disruptions. In this case, it was the Java Web plug-in used by browsers.
The company says no data left Apple, and it identified the malware and issued a quick fix to patch the hole. But the problem does affect Mac users outside the Apple wall. Be sure to run Software Update (found under the Apple menu) to get the latest version of Java supplied by Apple.
However, there’s a better solution: It’s time to disable or even remove Java from your Mac.
When you run Apple’s Java update, the company is doing half the job for you by disabling Java in Safari. The recent breach occurred when employees accessed an iOS development Web page that had a maliciously crafted Java applet; Web pages are common attack vectors.
If you usually run Google’s Chrome as your browser, type chrome://plugins in the address bar. Then scroll down to Java(TM) and click the Disable link. Or, if you use Firefox, go to the Tools menu and choose Add-ons; click the Plugins button, find Java Applet Plug-in, and then click the Disable button.
My colleague Rich Mogull, a computer-security expert, now recommends removing Java entirely because of its vulnerabilities and the level of damage an attacker can cause by exploiting them. He explains why and how to do it in an article at Macworld.
I can’t yet do that because I rely on CrashPlan (www.crashplan.com) to back up my Mac’s data, and CrashPlan’s application is currently built in Java. But I’ve disabled the Web plugins.
Cloak. This talk of security reminds me of a product I saw at Macworld/iWorld last month. Cloak (www.getcloak.com), developed in Seattle, secures wireless Internet connections by establishing a VPN (virtual private network). Any nefarious owner of a Wi-Fi hot spot, or even someone in the same cafe as you who is scanning traffic, can’t decrypt the data you send and receive.
VPNs for the Mac aren’t new; many companies require secure connections for employees working from home, and companies like WiTopia (www.witopia.net) offer accounts that you can set up in OS X’s Network preference pane or by using the company’s software.
What I like about Cloak is how unobtrusive it is. I’ve set it up so that it automatically secures the line when I connect to an untrusted network, such as a coffee shop’s Wi-Fi hot spot that doesn’t require a password. Cloak’s menu bar icon turns blue and a notification appears to indicate it’s running.
By default Cloak trusts password-protected Wi-Fi networks, but I disabled that option since many places I frequent do use passwords (which are posted at the register).
But more impressive to me is Cloak’s OverCloak mode on the Mac. One problem with VPN services is that they take a few seconds or minutes to start up, during which time email, Twitter, Messages, and other applications make network connections outside the encrypted tunnel, defeating the purpose of the VPN. OverCloak locks down your Mac’s network and allows only essential data (DNS, HTTPS, and SSH). Once Cloak has established an encrypted connection, it releases the lock.
The Cloak application is free for OS X and iOS. A Basic Plan costs $8 per month for 20 GB of data transferred, and a Pro Plan costs $15 for 50 GB of data transferred. A free 30-day trial gives you 5 GB of data.
Jeff Carlson and Glenn Fleishman write the Practical Mac column for Personal Technology and about technology in general for The Seattle Times and other publications. Send questions to firstname.lastname@example.org. More Practical Mac columns at seattletimes.com.