Mac OSX Security

Information about Mac OSX Security

Published on August 20, 2007

Author: Sharck

Source: authorstream.com

Content

Mac OS X Security: A Brief Look At The Dark Side
Ian Kaufman, March 2005

We've Been Hacked! Or have we?
Recently, 3 machines were compromised.
How did we find out? IRC traffic was caught going to the machines.
No evidence of root compromise was detected.
The same account/password was used across all 3 machines via the NetInfo database. Check out the CPP document about securing NetInfo: http://www.lbl.gov/ITSD/Security/systems/mac_guidelines.html
This was not an OS X specific problem! The password was guessed; it was not a 'good' password.

Passwords: How Strong Are They?
Fortunately, OS X has a built-in password checker: the Keychain!
Create a new Keychain, and in the password dialog box, click the 'i' button.

Password Checking, part II
A dialog box will come up showing how weak or strong your password is, and make suggestions on how to strengthen it.

HFS+ Security Problems
HFS+ stores information in multiple forks.
Non-Carbonized OS 9 apps use a data fork (which contains the executable or binary data) and a resource fork (icons, dialogs, sounds).
OS X is based on UNIX, which only uses single-forked files: data only.
Modern OS X apps drop the resource fork and either use a .rsrc file (Carbon) or store the resources as separate files (Cocoa).

HFS+ vs. UNIX
On a UFS volume, OS X stores any resource fork as a separate file prefixed by '._Fork' or '..namedfork'.
When viewed from the command line, it appears as a subdirectory called /rsrc, but it is invisible to 'ls' unless specifically targeted.
As a result of all this, server daemons that open file streams can be fooled into opening the resource fork and/or file forks, exposing the underlying source code of server-side documents to remote users.

HFS+ Security Fixes
Apple released a security patch for Apache 1.3.29 to fix this.
It implemented a mod_rewrite rule in httpd.conf:

    <Files "rsrc">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>
    <DirectoryMatch ".*\.\.namedfork">
        Order allow,deny
        Deny from all
        Satisfy All
    </DirectoryMatch>

More HFS+ Fixes
4D (WebSTAR Web Server V) is also vulnerable; instructions on how to secure the server are at http://www.4d.com/products/hfs_sec.html
Any service of this type might be vulnerable, so if you run a dedicated web server, use UFS.

Anti-Virus Software: Yes or No
Currently, there are no known Mac OS X viruses in the wild (yet!).
This will most likely change as OS X rises in popularity and deployment.
Windows viruses can be transferred in attachments, and some macros can travel cross-platform.

Anti-Virus Software, cont'd
It's free from the lab and has little overhead.
Might be a DOE/OA requirement in the future?
Bottom line: why not? Better safe than sorry.

FileVault: the good
FileVault has strong encryption: AES 128-bit.
It encrypts and decrypts on the fly without you noticing.
If you have a lot of information you want guarded, this is a good idea.
If your laptop gets stolen, your data is pretty much secured.

FileVault: the bad!
If you have limited RAM and/or deal with a lot of CPU-intensive tasks, the performance hit becomes noticeable.
Don't lose your key/password: there is no way to decrypt the files! The only way to decrypt a user's files if s/he loses the password is the Master Password.
Some backup apps do not deal with FileVault well; the smallest change can cause the entire image to be backed up.
It is tricky to ssh into a FileVault-protected account, or to reach it via File Sharing, if the account is not already logged in at the console. All that exists on disk is an encrypted sparseimage.

FileVault: the options
For most users, this is overkill (and potentially risky).
It cannot guarantee the sanctity of data that resided on the disk prior to enabling FileVault: any data that was deleted may still be resident.
One solution: encrypt files as needed with PGP or GnuPG.
Another built-in solution is to use the Keychain.

Keychain Notes and Encrypted Disk Images
Keychain can let you write encrypted notes; whole text documents can be encrypted this way.
Or keep important items in a single file/directory and create your own encrypted disk image.

Spyware: Is it on my system?
Finding spyware in open source code is like looking for a needle in a haystack.
Most spyware will probably be found in Library > StartupItems, Library > Scripts, and Library > Extensions, both at the system level and in your home directory.
Regularly do process accounting: use OS X's Activity Monitor, write or find a shell or perl script, or find some nice GUI approach.

Spyware, cont'd
Tools are out there to help detect spyware that may already be installed on your system.
Intego's NetBarrier and Allume's (originally Aladdin) Internet Cleanup can see suspicious outgoing activity. Internet Cleanup has bad reviews though.
Little Snitch (shareware): http://www.obdev.at/products/littlesnitch
Note: the Opener malware/OS X Trojan horse specifically disables Little Snitch.

Firewalls
Mac OS X uses IP Firewall (ipfw).
It is not exactly the easiest one to write rules for.
OS X's GUI interface is very limited, and only deals with TCP connections, not UDP.
Xupport 2.3, ipfw GUI: http://www.computer-support.ch/Xupport/
BrickHouse 1.2b12, ipfw GUI (shareware): http://personalpages.tds.net/~brianhill/brickhouse.html (the latest version is found at http://www.versiontracker.com)
sunShield 1.5, ipfw GUI (freeware): http://www.sunProtectingFactory.com/sunShield

Firewalls, cont'd
FirewalkX, standalone (shareware): http://www.pliris-soft.com/products/firewalkx/index.html
IPNetRouterX 1.0.4, standalone: http://www.sustworks.com/site/prod_ipnrx_overview.html
Look up or find out which port numbers you actually use: block things you have no need for, and restrict things the world should not have access to.

More Firewalls
For a list of Apple-specific ports: http://docs.info.apple.com/article.html?artnum=106439
Xupport lets you easily modify Apple's built-in firewall, and can get more advanced: it can even deal with UDP ports. Plus, it has a list of known Apple and known IETF ports and examples built in!

Xupport Screenshots
Three screenshot-only slides: Settings, Simple, Examples.

Uniform Resource Identifier (URI)
Not just OS X, but not fun either.
Crackers can set up web pages that mount a disk image and then use the 'help' protocol to trick the Help Viewer into executing a script from the disk image.
By default, disk images will be mounted automatically; embedded code runs with whatever privileges the logged-in user has.
Apple released a patch for Help Viewer, but it doesn't entirely fix the problem.

URI Solution
Get Rubicode's RCDefaultApp: http://www.rubicode.com/Software/RCDefaultApp
Not only will it let you redefine how some URIs are handled by default, but it also gives you a friendly one-stop GUI to perform filetype associations.

Conclusion and Questions
Remember, OS X is UNIX/BSD based and heavily populated with open source software; any vulnerabilities that affect them can very well affect OS X.
In the immortal words of Sgt. Phil Esterhaus (the late Michael Conrad) from Hill Street Blues: 'Let's be careful out there.'

Sources and Links
Toporek, Chuck, et al., Mac OS X Panther in a Nutshell, O'Reilly, June 2004
McElhearn, Kirk, 'Protecting Data in Panther', Macworld, June 2004
Anbinder, Mark H., et al., 'Mac Security: Fact and Fiction', Macworld, March 2005
CapMac Forums, 'Mac and Spyware surveillance', http://capmac.org/phpbb2/viewtopic.php?t=2131

Sources and Links, cont'd
Lavigne, Dru, 'BSD Firewalls: IPFW Rulesets', http://www.onlamp.com/lpt/a/831
Gruber, John, 'Disabling Unsafe URI Handlers With RCDefaultApp', http://daringfireball.net/2004/05/unsafe_uri_handlers
NetSec Security Operations Center, http://www.net-security.org/vuln.php?id=4032
De Kermadec, François, 'A Security Primer for Mac OS X', http://macdevcenter.com/pub/a/mac/2004/02/20/security.html

Special Thanks
Special thanks to Dan Cheng and Marilyn Saarni for their topic suggestions.
Thanks to Gene Schultz and Jim Mellander for their support.
Thanks to the LBNL-MUG for keeping the topics hot.
And thanks to Tom DeBoni for his gracious lending of his PowerBook.
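The 'HFS+ vs. UNIX' and 'HFS+ Security Fixes' slides describe requests for a document's named fork (/..namedfork/rsrc or /..namedfork/data) returning the raw source of server-side scripts, and the httpd.conf blocks that deny such paths. The following script is an added example, not part of the presentation or of Apple's patch: it applies the same path test that the <Files> and <DirectoryMatch> rules encode to Apache common-format access-log lines, so an administrator can check whether anyone attempted a fork read (and whether it succeeded) before or after the fix was applied. The log lines, hosts and paths are constructed for the example.

```python
"""Flag HTTP requests that target HFS+ named forks in Apache access logs.

Added example (not from the talk). Mirrors the httpd.conf fix on the
'HFS+ Security Fixes' slide: any "..namedfork" path segment, or a file
named "rsrc", is treated as a fork access attempt.
"""
import re
from urllib.parse import unquote

# Apache "common" log format:
#   host ident user [time] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Same intent as <DirectoryMatch ".*\.\.namedfork"> and <Files "rsrc">.
NAMEDFORK_RE = re.compile(r'(^|/)\.\.namedfork(/|$)', re.IGNORECASE)
RSRC_RE = re.compile(r'(^|/)rsrc$', re.IGNORECASE)


def is_fork_request(path: str) -> bool:
    """Return True if the request path targets a named fork.

    The query string is discarded and the path is percent-decoded twice so
    that single- and double-encoded dots (%2e, %252e) are still recognised;
    Apache applies its <DirectoryMatch> test to the decoded filesystem path,
    not to the raw URL, so the log scan must do the same.
    """
    path = path.split('?', 1)[0]
    decoded = unquote(unquote(path))
    return bool(NAMEDFORK_RE.search(decoded) or RSRC_RE.search(decoded))


def scan_log(lines):
    """Return (host, path, status) for every request that targets a fork."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if is_fork_request(m.group('path')):
            hits.append((m.group('host'), m.group('path'), m.group('status')))
    return hits


# Constructed sample log lines; the 200 on the second line is the case that
# matters, because it means the server handed the fork over.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2005:14:02:11 -0800] "GET /index.php HTTP/1.1" 200 4213',
    '10.0.0.5 - - [10/Mar/2005:14:02:15 -0800] "GET /index.php/..namedfork/rsrc HTTP/1.1" 200 812',
    '10.0.0.9 - - [10/Mar/2005:14:03:40 -0800] "GET /cgi-bin/login.cgi/..namedfork/data HTTP/1.0" 403 221',
    '10.0.0.9 - - [10/Mar/2005:14:03:41 -0800] "GET /docs/%2e%2enamedfork/rsrc HTTP/1.0" 403 221',
    '10.0.0.7 - - [10/Mar/2005:14:05:02 -0800] "GET /images/logo.gif HTTP/1.1" 200 3044',
    'this line is not in common log format',
]

if __name__ == '__main__':
    for host, path, status in scan_log(SAMPLE_LOG):
        print(f'{host} requested {path} -> HTTP {status}')
```

A 403 on a fork path shows the deny rules are in place; a 200 on one, as in the second sample line, is the signal that the source of that document should be assumed disclosed.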
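The 'Spyware: Is it on my system?' slide names Library > StartupItems, Library > Scripts and Library > Extensions (system level and home directory) as the places to watch, and recommends regular process accounting with a shell or perl script. Below is an added example of such a script, written in Python rather than shell and not part of the presentation: it snapshots those directories and the names of running processes, saves the first snapshot as a baseline, and on later runs reports what has appeared or disappeared. The baseline file name is an assumption chosen for the example; the process list comes from `ps -axo comm`, which works on Mac OS X and other BSD/Linux systems.

```python
"""Baseline-and-diff check for the persistence locations on the slide.

Added example, not from the talk. First run writes a baseline; later runs
print whatever has been added to or removed from the watched directories
and the set of running process names since then.
"""
import json
import os
import subprocess
from typing import Dict, List

# Locations from the slide: system level plus the current user's home.
WATCHED_DIRS: List[str] = [
    '/Library/StartupItems', '/Library/Scripts', '/Library/Extensions',
    os.path.expanduser('~/Library/StartupItems'),
    os.path.expanduser('~/Library/Scripts'),
    os.path.expanduser('~/Library/Extensions'),
]

# Assumed file name for the example; any writable path will do.
DEFAULT_BASELINE = os.path.expanduser('~/.persistence_baseline.json')


def snapshot_dirs(dirs: List[str]) -> Dict[str, List[str]]:
    """Map each watched directory to its sorted entries ([] if absent)."""
    snap: Dict[str, List[str]] = {}
    for d in dirs:
        try:
            snap[d] = sorted(os.listdir(d))
        except OSError:
            snap[d] = []  # missing or unreadable: record as empty, not as an error
    return snap


def snapshot_processes() -> List[str]:
    """Sorted, de-duplicated command names of all running processes."""
    out = subprocess.run(['ps', '-axo', 'comm'], capture_output=True,
                         text=True, check=False).stdout
    names = {line.strip() for line in out.splitlines()[1:] if line.strip()}
    return sorted(names)


def diff_snapshots(baseline: dict, current: dict) -> Dict[str, Dict[str, List[str]]]:
    """Return {'added': {...}, 'removed': {...}} keyed by directory or 'processes'.

    Only keys with a change are included, so empty 'added' and 'removed'
    maps mean nothing has moved since the baseline was taken.
    """
    report: Dict[str, Dict[str, List[str]]] = {'added': {}, 'removed': {}}
    for key in sorted(set(baseline) | set(current)):
        old, new = set(baseline.get(key, [])), set(current.get(key, []))
        if new - old:
            report['added'][key] = sorted(new - old)
        if old - new:
            report['removed'][key] = sorted(old - new)
    return report


def take_snapshot() -> dict:
    """Directory listings plus running process names, as one JSON-able dict."""
    snap: dict = snapshot_dirs(WATCHED_DIRS)
    snap['processes'] = snapshot_processes()
    return snap


def check(baseline_path: str = DEFAULT_BASELINE) -> dict:
    """Create the baseline on first run; otherwise diff the live state against it."""
    current = take_snapshot()
    if not os.path.exists(baseline_path):
        with open(baseline_path, 'w') as fh:
            json.dump(current, fh, indent=2)
        return {'added': {}, 'removed': {}}
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    return diff_snapshots(baseline, current)


if __name__ == '__main__':
    print(json.dumps(check(), indent=2))
```

Run it once on a machine you trust to record the baseline, then from cron or by hand afterwards; a new entry under a StartupItems path or an unfamiliar process name is the cue to look closer, and the baseline should be refreshed only after a change has been explained.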
