ENGS 69 - Whoopis.com
ENGS 69: Engineering Secure Computer Systems
Macintosh Security Basics
Thayer School of Engineering, Dartmouth College
Winter 2002-2003
Marion Bates, Investigative Research for Infrastructure Assurance
Macintosh Security Basics • IRIA Group, Dartmouth College • Hanover, NH • Winter 2002-2003

Macintosh Security Basics
What we’ll cover: Basic system security for MacOS (mainly v. 9.x) and Mac OS X, including:
• File Sharing (from both client and server perspectives)
• Network/Internet client security (“safe surfing”)
• Firewalls, viruses, email
• OS X basics, bonuses, and pitfalls
We’ll start with MacOS 9, since OS X inherits from 9.

A little bit of history.
MacOS < OS X has no command line. “Where’s the DOS?” There isn’t one.
Control vs. simplicity

MacOS versions prior to OS X have no command line. The “GUI” you see IS the actual OS, not just a user interface on top of an underlying OS structure. This may seem obvious, but people have asked me “Where’s the DOS?” There isn’t one. So, WYSIWYG for real. Depending on your point of view, this can be extremely comforting, or extremely frustrating. Or both.

There can be only one.
Historically, single-user systems
Multi-user add-ons: AtEase, Multiple Users
But, no over-the-network console login
Timbuktu

Macs were historically always single-user systems. Things like AtEase (and more recently, Multiple Users, which comes with the OS) allow for different users with different levels of access privileges (kinda like the Win98 login). But there is no over-the-network console login. You can’t remotely connect to your Mac as though you’re sitting at the actual keyboard. (Well, there is Timbuktu... we’ll talk about that later.)
Macs can serve
Some built-in server functionality
• File Sharing
• Printer Sharing
• Personal Web Sharing
With 3rd party apps, FTP/Gopher server, etc.
Remote administration -- Timbuktu.

Some built-in server functionality exists, but with limited over-the-network user control. In other words, “out of the box” Macs can share files (File Sharing), act as print servers for printing over the network (Printer Sharing), and serve web pages (Personal Web Sharing). With the shareware program NetPresenz, a Mac can be an FTP/web/gopher server. But remote administration of a (non-OS X) Mac is tricky. Perhaps the most powerful tool for this is Timbuktu.

Ok, so what’s Timbuktu?
Server component on one Mac
Client on another Mac
Client can control the server
iMac = LoJack!

Like PCAnywhere. Load the server component on one Mac, load the client on another Mac, and the client can control the server. You can even move the cursor, open/close apps, etc. on the remote machine. Nice for teaching and presentations. Also nice for turning a stolen iMac into a LoJack. :) See handout # 2 or URL below.
http://www.macscripter.net/un_ilojack.html
Not really important to our class, but OH so cool.

General security implications
Single-user-ness -- inconvenient, but aids security.
• Typically, not a lot of services listening on ports
• No remote login
Basic services - relatively easy to do safely
Without physical access, not much a bad guy can do

The Mac’s single-user-ness, while sometimes inconvenient, helps contribute to its security. You generally do not have a bunch of services listening on ports and you cannot log in remotely. Even if you do set up file and web sharing, it’s pretty easy to do it safely.
Without physical access to the machine, there is not much a bad guy can do to a stock Mac.

Unique is Good
(Apple users have learned how to find the silver lining in a mushroom cloud.)
Macs are a small population -- security advantage
Example: Viruses.
• Creators want large-scale effects, so, go after the big target -- Windows.
• Why bother with Macs? Too small of a target.

Mac users, by virtue of being part of a relatively small population, have some significant security advantages. Take viruses. People who create viruses and worms tend to want their little creations to have large-scale effects. This is part of the reason why there are so many Windows viruses -- big target. Who’s going to bother to spend all the time and effort making a piece of Mac-specific malware that affects maybe ten percent of all computer users?

Unique, but still pretty versatile
Security tools available for Macs that you might not have known about:
• PGP, email with SSL support, SSH, SFTP, personal firewalls, antivirus software, VPN clients, traceroute, ping, sniffers, file encryption tools, etc.
Lots are free, or cheap shareware. Many available on Dartmouth’s PUBLIC file server.

PGP: MacPGP (for older systems -- free), Network Associates PGPFreeware (free for academics), GPG for OS X (GPL, free)
SSL email: Eudora, Outlook/Entourage, Communicator? All free, all available for OS X or Classic
SSH: MacSSH (free), F-secure SSH for Mac (payware, big academic discount, but MacSSH is better anyway). SSH is built in to OS X.
SFTP: MacSFTP Carbon, MacSFTP Classic, shareware (cheap)
Personal firewalls: Norton for Mac, commercial, academic discount. OS X has built-in fw, Brickhouse front end is shareware.
Antivirus: Various. Norton is good, academic discount.
VPN -- CheckPoint VPN-1 for MacOS 8 and up.
Commercial, academic price unknown.
Traceroute -- WhatRoute. Free. Get from PUBLIC. Not needed on OS X.
Ping -- MacPing. Free, PUBLIC. Not needed on OS X.
Sniffers -- Etherpeek, NetWatchman, others… most seem to be payware, but you can use demos for free.
File encryption -- PGP (see above), Apple File Encryption tool, Stuffit Lite (stuff and require password -- not really encryption, but does help hide the data in a pinch). Available for OS X or Classic, free.

Versatile in not so nice ways
Macs were not completely overlooked by the black hat community…
• Several groups develop Mac hacking software
• Online sources of Mac hacks, e.g. Freaky’s, alt.hackintosh, HotLine servers, etc.
• There were/are a variety of blackhat tools and exploits for Mac

In spite of the uniqueness factor, Macs were not completely overlooked by the black hat community. A handful of small but dedicated underground hacker groups do develop Mac hacking software, and websites devoted to Mac hacks, e.g. Freaky’s Macintosh hacks archive, alt.hackintosh, HotLine servers, and more. There were/are a variety of blackhat tools and exploits for Mac. AtEase and File Sharing hacks, SubSeven trojan, portscanners, keystroke loggers, BackOrifice client (for Mac users who want to 0\/\/N BO’d Windows victims), anonymous emailers, DOS attacks (an early version of Open Transport had a bug; it was used in a DDOS attack here at Dartmouth and it brought our network to its knees)... etc.

What to do
Now: OS X, the Unix-based next generation of Mac OS. We’re not so unique anymore.
Our focus: How to secure your Mac using mainly the tools that came with it, and how you can use the network/Internet more securely.
Mac OS 9.x and Mac OS X.
Not OS X Server

And now, we have... OS X, the Unix-based next generation of MacOS, and EVERYTHING has changed. We’re not so unique anymore. We’re going to focus on how you can secure your Mac using mainly the tools that came with it, and how you can use the network/Internet more securely. Starting with old MacOS (still in use on a lot of old and not so old machines, and as a second boot choice under OS X), and then moving on to OS X (now preinstalled on new Macs). We won’t be getting into Mac OS X Server, but the same principles that apply to normal OS X also apply to Server.

Physical Security
Crucial. Generally, if someone has physical access to your Mac, they can own it.
• Boot from external devices
• Single-user mode (OS X)
• Mess with OF
• OS X can dual-boot into OS 9, rendering Unix file permissions moot
Options: Security cage, disable single-user mode, password-protect OF, password protect HD

Crucial. Generally, if someone has physical access to your Mac, they can own it. They can boot from CD-ROM, Zip, netboot, external USB/FireWire drive; in OS X, they can boot single-user mode (root shell with no password), or boot old MacOS and OS X’s permissions become moot (similar to dual-boot Windows machines).

Options: Security cage. Block access to CD-ROM etc. and rear ports. Annoying if it’s the machine you use every day. In OS X, disable single-user mode in Open Firmware, then password-protect OF. But that can cut both ways -- SUM is sometimes the last resort for rescuing data. (The Miller handout mentions a utility to password-protect single-user mode -- I have not tried it, but that might be a good thing to add.) For MacOS, there is third party software for password-protecting the hard disk such that it can’t be mounted even if you boot off other media.
Don’t forget the password though...

Physical Security Solutions
Realistically: Be sensible.
• In a server environment, lock and key
• In a dorm, hide the power cord or the mouse, or pull the hard drive power connector and then lock the case with a padlock. :) No tools needed.

Realistically, the best option is to be sensible. In a server environment, important machines should be under supervision and/or lock and key anyway. In a place like a dorm, you can discourage the casual nosiness of your roommate’s friends when you’re not there by doing something like hiding the power cord or the mouse, or, for the slightly geekier approach, pulling the hard drive power connector and then locking the case with a padlock (the case has a built-in loop for this purpose).

File Sharing
Client use:
• Prep
• AppleTalk “on” (see Chooser)
• AppleTalk set to proper network interface (AppleTalk Control Panel -> Ethernet)
• Connecting to shares
• Old and new way (same end result, new way is a bit easier and more flexible)

First, client use. Quick howto: Make sure AppleTalk is “on” (see Chooser) and that it is pointed at the right network interface (AppleTalk Control Panel, choose Ethernet.)

Connecting to shares the “old school” way: Apple Menu -> Chooser -> AppleShare -> pick a zone -> pick a server from the list of servers in that zone -> connect using a logon and password, or select “Guest” if available/applicable.

The newfangled way: Launch Network Browser (from Apple Menu, probably) -> pick a domain (or just go for AppleTalk) -> look for servers, connect as above.

Password encryption
Starting with MacOS 9, File Sharing passwords are encrypted BUT… ONLY if both the client and server are running OS 9.x or better.
Backwards compatibility.
Newer client will default to a clear text password in order to accommodate the older Mac.
Login window will indicate the level of security of the password transfer.

Starting with MacOS 9, File Sharing passwords are encrypted (I don’t know the scheme), but ONLY if both the client and server are running OS 9.x or better. In other words, to maintain backwards compatibility, if a MacOS 9 user tries to connect to a MacOS 8 server (or another old server, like Linux with netatalk), then the OS 9 client will default to a clear text password in order to accommodate the older Mac. You will be able to tell when you go to login -- the login window will indicate the level of security of the password transfer. If it says “clear text” then watch out.

OS 9 on both ends
MacOS 9 to MacOS 9

OS 9 to old server
MacOS 9 to Linux Netatalk

OS 9 to OS X
MacOS 9 to OS X (Diffie-Hellman Exchange)

What if it IS clear text?
Sensitive data? Only copy?
• If so, use encryption, or another medium
Access privileges?
• Impostors logging in as you, what could they do?
Server admin contact?
Duplicate password?

Is the data on the other end extremely sensitive or is it the only copy? Perhaps you should encrypt it or compress and password-protect the file(s) first, or use another more secure medium to transfer them. What access privileges does your account have on that server? (In other words, if someone did sniff your password, and that person later logs in as you, can he damage the system? It would look like YOU did it.)
Can you contact the server admin and ask him to change your password to something else? (You can usually change it yourself, but of course if the whole communication is unencrypted, then the new password will also be visible to a sniffer.) Are you using the same password that you use for other things (like BlitzMail, KClient, your web account, etc.)? A bad guy will probably try applying that password to these other services.

Done with client, now: Server
FS
Lots of (better) alternatives…
• Dartfiles
• Blitz
• Dartmouth ftp
• Floppy, Zip, CD-R or CDRW
• USB/FireWire HD

Don’t do it unless you have to. Alternatives: Put copies of your most-used and/or current working files in your 10MB folder on Locker, Strongbox, or Vault. Blitz them to yourself. If you have a homepage at Dartmouth, make a directory on the ftp server where your webpages live, and use that to move files around (you have 5MB of storage for web files, more than most would ever need for webpages). Carry a floppy or Zip disk. If you have a CD burner, carry a CDR or CDRW with copies of your stuff on it. Media is cheap. External hot-swappable drives (how about your iPod? ;) are getting cheaper.

The point of diversification
Eggs in one basket and all that. Lose a copy at worst, your Mac doesn’t go down with it.
You might want File Sharing anyway:
• Collaboration on group projects
• Fun stuff (sharing games, pictures, or mp3s)
How to do it safely.

If someone hacks into your Strongbox folder, or Webster, or you lose the Zip disk, then you’ve lost only a copy of your stuff. Beats the heck out of someone breaking into your Mac and deleting the originals or nuking your System Folder.
But, File Sharing is nice and lots of people use it not only for retrieving things remotely, but also for collaborating on group projects (you and your project partners could upload and download each other’s work from a shared folder, for example) and for fun stuff (sharing games, pictures, or mp3s -- of course, only the legal ones). So let’s go into how to do it right.

Configuring a File Sharing server
File Sharing Control Panel
• Owner Name
• Owner password (NOT BLANK!)
• Computer Name. The IP address will be filled in automatically.
Default: Computer name will be “<name’s> Macintosh.” Change it…

Open the File Sharing Control Panel. Before you can start sharing files, you have to define an Owner Name, an Owner password (DON’T LEAVE IT BLANK!), and a Computer Name. The IP address will be filled in automatically. By default, your computer name will be “<name’s> Macintosh.” I recommend that you change this, or don’t use your real name in the Owner box, because otherwise anyone surfing through the Chooser will be able to see that and know it’s your Mac. Never give potential attackers more information than you must. You can name your Mac pretty much anything you want, with or without spaces, but spaces are not recommended due to potential network incompatibility.

File Sharing control panel

Security Through Obscurity
If computer name is revealing, then login should be different
Don’t make it easy for attackers to gather info from public information.

If your computer’s name is something revealing about you (like “Joe Smith’s House of MP3s”) then perhaps your login should NOT be “joe” or “smith” or “jsmith” etc.
If attackers can enumerate likely usernames or passwords from public information, like the computer name, then you’ve significantly decreased the amount of effort it will take for them to break in. Don’t give out clues.

Owner is omnipotent
If FS is on, Owner can already log in and get to everything
No matter what you do with specific shared items, Owner can see it all.
Protect Owner’s login info!

Keep in mind that once you turn on File Sharing, anyone who can log in as Owner will be able to do anything to your data (including most of your system files -- enough to render your Mac un-bootable). This is true EVEN IF you do not explicitly share anything. If file sharing is turned on, Owner basically has remote “god” rights. Owner is a special account, the closest thing to root on MacOS, and the rest of the sharing privileges you specify are moot for the user logging in as owner. Protect this login and password!

File Sharing over TCP
You can allow FS over TCP/IP
Faster, but more revealing
• AFPoverTCP will show up on portscan
Routers and AppleTalk
• Now, more of the Internet can see your Mac
But, AppleTalk is clear text. Pro, con, pro, con, etc.

Now that file sharing is turned on, you can start tweaking. You can choose to allow File Sharing over IP -- this means that clients can connect to your Mac by its IP address, and use TCP/IP to transfer data. This is faster than AppleTalk and has the advantage of TCP’s connection integrity maintenance, but keep in mind that it also pulls the curtain aside a little more than plain old AppleTalk. Your Mac will now have AFPoverTCP services listening on TCP ports; this will show up on a portscan, and it’s a dead giveaway that your machine is a Mac. Furthermore, most routers do not route AppleTalk, but they pretty much all route TCP.
This is a double-edged sword; a user on the other side of your network’s router could theoretically (assuming the network admins don’t specifically filter out afpovertcp at the border) connect to your Mac. This is a nice idea for legitimate use, but it also opens you up to an even bigger pool of potential bad guys. If you use AppleTalk, then your machine is only visible to users on Dartmouth’s local network. BUT the disadvantage to using AppleTalk is that your password will be sent cleartext. So there’s always give-and-take with this. It depends on your configuration (do you have a firewall?) and what’s most important to you. For the sake of this example, I’m going to sacrifice password security in order to minimize my overall exposure to potential bad guys. This would not be the best choice for everyone.

Apps over the net and Program Linking
You can share apps such that a remote user can launch an app on the Mac server from another Mac. It runs over the network and displays on your local screen.
Nice idea, but… not really.
• Resource/network hog
• CRASH
Program Linking is an AppleScript thing. Scary.

If you share an application (or a folder containing an application), remote users can launch the app over the network to do stuff on their client Macs. In other words, I could be working in a lab and discover that someone deleted Microsoft Word off the computer I’m using. I need to use Word to write my paper. So I simply connect to my Mac and launch MY copy of Word over the net. It opens on my screen, and I can open and save files with it on my local lab Mac. This is a cute idea, but in my experience, it’s such a huge resource hog that it typically causes one or both Macs to crash. It’s also pretty unkind to other users on the network. And good luck if two of your users try to launch the same program simultaneously.
Program Linking (now known as Remote Apple Events) allows one Mac to send AppleScript commands (“Apple Events”) to applications on another Mac via AppleTalk or TCP/IP. Normal users (with passwords) would need to log in for each Event. But if you give Guests PL privs AND you enable PL for a given app, then anyone with a Mac could send Events to that app. You might ask, why would anyone do such a thing? Well, in my experience, new users who are trying to get File Sharing to work have a tendency to think “Jeez, I just want this to work, I’m gonna check EVERY BOX until it does.” And keep in mind that the Finder is scriptable -- this means that, if PL is enabled for the Finder, remote users could send Apple Events to the remote machine’s Finder telling it to, say, delete some System files. Or shut down the computer. Remember the LoJack story and what he was able to do with AppleScripts, then realize that someone could do all that without even loading a file onto the hard disk.

Recommended initial setup
Assume recommended initial setup:
• Computer name not too revealing
• Owner name not related to computer name
• Good strong password
• File Sharing enabled but not over TCP
• Program Linking NOT enabled
Test config from another machine.

If you are the only one who’s ever going to be using your Mac, and you trust yourself to have full privileges (i.e. Owner), then you’re done. You can test your setup by using another Mac to connect to yours; you should NOT be able to logon as “Guest” (which requires no password).

Other users
If you want to have other users or guests:
• First create their accounts/enable their access
• The Guest account already exists, and cannot have a password.
So, ANYTHING you make accessible to Guest will be accessible to ANYONE

Now, if you want to have other users or guests connecting to your Mac, you must first create their accounts (in the case of other named/passworded users) or enable their access (in the case of the Guest user). The Guest account already exists, and cannot have a password. So keep in mind that ANYTHING you make accessible to Guest will be accessible to ANYONE who can connect to your Mac (in our case, anyone with a Mac at Dartmouth) with no password required.

Creating accounts
File Sharing Control Panel -> Users and Groups
Later on, specify which volumes/folders/files users can connect to
Right now, you’re defining the basics (what accounts exist, whether or not they can connect at all, etc.)

In the File Sharing Control Panel, click on the Users and Groups tab. This is where you can edit the privileges of an existing user (for example, if you wanted to enable Guests to connect, then double-click the Guest user, drop down the “Sharing” menu option, and click the appropriate boxes). Later on, you will specify which volumes/folders/files users can connect to; right now, you’re defining the basics (can Guests connect at all, what are your users’ names and passwords, can they change their passwords, what groups do they belong to, etc.)

Users and Groups
Here, I have defined two users, joeblow and joeschmoe, in addition to the built-in owner and guest accounts. I also have a group called my-users.

User Identity
This is the box you see when you create a new user. You must set an initial password. Notice that you can choose whether or not to allow your users to change their passwords.
Another note: As an administrator, you can reset a user’s password, but you can’t see the old one.

User Sharing
From the popup menu in this window, select “Sharing” (instead of “Identity”) and this is where you can specify whether to allow the user to connect at all, and whether that user can make use of Program Linking (only applicable if you enabled PL in the initial setup.)

Groups
The group my-users contains both joeblow and joeschmoe. So if I want to share a folder to the two of them, but no one else, I can use this group. (This will be made more clear in a couple slides.)

Guest
Same idea with the Guest account, except that you can’t change the account name or set a password.

On to the files
So far:
• Users have been created
• Groups have been created
• Guest is enabled, maybe
Now, we decide which files/folders to share with them.

Ok, so now you’ve defined some users, made a decision about Guest access, and defined which users belong to groups, if any. (Groups are used when you want to allow more than one user specific access to a folder or file, but not guests. This will make more sense later.) Now we’ll move on to actually specifying the folders and files to share.

Example
What you want:
• One folder each with full privs for joeschmoe and joeblow.
• One folder that the two of them can only read from.
• One folder which anyone can write to, but not see what’s inside (a “dropbox”).
• A folder that anyone, including Guests, can download from.
Let’s say you have two users, joeschmoe and joeblow, and you want each of them to have a folder to use for downloading and uploading homework files. You also want to make a folder that both of them can download from, but not change or upload to (maybe you have stuff you want to show them, but you don’t want them to be able to delete or mess up the files in that folder). You also want to have a folder which anyone can write to, but not read from (a “dropbox”). Lastly, you want to make a folder that anyone, including Guests, can download from, but not change the contents of (for sharing your legally-obtained MP3s).

We can do this.
First, make folders to represent this scenario. (Command-N)

I might put all of these in a folder called “Shares.” Do whatever’s easiest for your organizational preferences.

Set the permissions...
• Next, set appropriate permissions for each of the folders you want to share.
• Click on folder icon, select “Get Info” from File menu (or hit Command-I), and select the “Sharing...” option from the popup menu.
• Or, control-click (or right click, if you have a second mouse button mapped properly) on the folder icon and select “Sharing.”

Control-click…

Specify Access for each Joe
Now, in the Info -> Sharing window for Joe Schmoe’s folder, we can specify the level of access for this item. Once you check the “Share this item” box, the privilege options below will become available. Obviously, we’d then do the same for Joe Blow’s folder.
The Joes’ read-only folder
This is the folder I want to share for download only, to the two Joes but no one else. This is where we make use of the group called my-users (which contains the two Joes). Notice the read-only icon: Glasses with no pencil. :)

Here’s where the groups come in. Note: I’m not certain, but I believe it is possible to have groups within groups. However, it’s best to try to avoid potential confusion as much as you can. I like very shallow hierarchies for that reason.

Dropbox
Here’s the drop box folder. Notice that the option even says “(Drop Box).” Pencil only, no glasses, for my-users and for Everyone.

This is a little redundant -- “Everyone” includes my-users -- but I tend to be explicit about it anyway, just so I have a reminder when I look at this folder later.

The MP3’s folder
And here’s the MP3s folder, readable to all.

Check for Leaks
Test your configuration from another Mac, since your Mac cannot connect to itself. Log on as Owner, as each Joe, and as Guest, and make sure those accounts have the access they should; no more, no less. Remember that you as Owner will be able to do anything you want to the contents of all of these folders.

Test your configuration from another Mac, since your Mac cannot connect to itself. Try to hack your Mac -- you can bet someone else will.
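Before walking over to the other Mac, it helps to write the intended access matrix down and check the planned Sharing settings against it. The following is an added example (not from these slides and not Apple’s code): a small Python model of the Sharing window’s Owner / User-Group / Everyone rows for the five folders above, which computes what each account would effectively get and flags every folder where that differs from what was intended. The folder names, the check_every_box helper and the resolution rule (an account gets the union of the rows it matches; Owner is always unrestricted) are assumptions made for the example.

```python
"""Leak check for the four-folder File Sharing scenario from the slides.

Added example, not part of the original slides. Models Mac OS 9 Sharing
privileges ("glasses" = read, "pencil" = make changes) per folder and compares
a planned configuration with the access each account is supposed to have.
Assumption: a connecting account gets the union of the rows it matches, and
Owner is always unrestricted (the "Owner is omnipotent" slide).
"""
from dataclasses import dataclass

# Privilege sets as they appear in the Info -> Sharing window.
READ_WRITE = frozenset({"read", "write"})   # glasses and pencil
READ_ONLY = frozenset({"read"})             # glasses, no pencil
WRITE_ONLY = frozenset({"write"})           # pencil only: the "(Drop Box)" option
NONE = frozenset()

# Constructed Users & Groups, matching the example accounts in the slides.
GROUPS = {"my-users": {"joeblow", "joeschmoe"}}
ACCOUNTS = ("Owner", "joeblow", "joeschmoe", "Guest")


@dataclass(frozen=True)
class SharedFolder:
    """One shared folder: the principal in the User/Group row plus both privilege rows."""
    name: str
    user_or_group: str
    user_group_privs: frozenset
    everyone_privs: frozenset


def is_member(account, principal):
    """True if the account is the named user or belongs to the named group."""
    return account == principal or account in GROUPS.get(principal, set())


def effective_privs(account, folder):
    """Privileges an account ends up with on a folder.

    Owner gets everything regardless of the per-folder settings. Everyone else
    gets the Everyone row, plus the User/Group row if they match it (assumed
    union rule, which is why "Everyone" already covers my-users on the Drop Box).
    """
    if account == "Owner":
        return READ_WRITE
    privs = set(folder.everyone_privs)
    if is_member(account, folder.user_or_group):
        privs |= folder.user_group_privs
    return frozenset(privs)


def find_leaks(shares, intended):
    """Return (account, folder, expected, actual) for every mismatch.

    `intended` maps account -> {folder name -> privilege set}. Both over-sharing
    (a leak) and under-sharing (broken collaboration) are reported.
    """
    leaks = []
    for folder in shares:
        for account in ACCOUNTS:
            expected = intended[account][folder.name]
            actual = effective_privs(account, folder)
            if actual != expected:
                leaks.append((account, folder.name, expected, actual))
    return leaks


def check_every_box(shares):
    """The 'check EVERY BOX until it works' mistake: Everyone gets read & write."""
    return [SharedFolder(f.name, f.user_or_group, f.user_group_privs, READ_WRITE)
            for f in shares]


# The planned configuration, folder by folder, as set up in the slides.
PLANNED = [
    SharedFolder("Joe Schmoe", "joeschmoe", READ_WRITE, NONE),
    SharedFolder("Joe Blow", "joeblow", READ_WRITE, NONE),
    SharedFolder("my shared stuff", "my-users", READ_ONLY, NONE),
    SharedFolder("Drop Box", "my-users", WRITE_ONLY, WRITE_ONLY),
    SharedFolder("Legal MP3s", "my-users", READ_ONLY, READ_ONLY),
]

# What each account is supposed to be able to do (the "Check for Leaks" list).
INTENDED = {
    "Owner": {f.name: READ_WRITE for f in PLANNED},
    "joeschmoe": {"Joe Schmoe": READ_WRITE, "Joe Blow": NONE, "my shared stuff": READ_ONLY,
                  "Drop Box": WRITE_ONLY, "Legal MP3s": READ_ONLY},
    "joeblow": {"Joe Schmoe": NONE, "Joe Blow": READ_WRITE, "my shared stuff": READ_ONLY,
                "Drop Box": WRITE_ONLY, "Legal MP3s": READ_ONLY},
    "Guest": {"Joe Schmoe": NONE, "Joe Blow": NONE, "my shared stuff": NONE,
              "Drop Box": WRITE_ONLY, "Legal MP3s": READ_ONLY},
}

if __name__ == "__main__":
    for label, shares in (("planned", PLANNED), ("every box checked", check_every_box(PLANNED))):
        print(f"{label}: {len(find_leaks(shares, INTENDED))} mismatch(es)")
        for account, name, expected, actual in find_leaks(shares, INTENDED):
            print(f"  {account} on '{name}': expected {sorted(expected)}, got {sorted(actual)}")
```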
Guests should be able to see and download the contents of the “Legal MP3s” folder, and they should be able to upload things to the “Drop Box” folder but they should NOT be able to see the contents of that folder or any of the others. The two Joes should have full access to their respective folders, but should only be able to open and download from (not write to) the “my shared stuff” folder. You as Owner will be able to do anything you want to the contents of all of these folders.

File Sharing Wrap-up
Not a heavy-duty server.
• Limits on number of users
• Limits on number of simultaneous connections
If you need more power, buy AppleShare IP, Apple’s commercial server product.
Use Activity Monitor to see what’s shared and who’s connected right now

Don’t expect FS to be a heavy-duty server. There are built-in limits regarding how many users you can have and how many simultaneous connections are possible. (If you need more power, buy AppleShare IP, Apple’s commercial server product. It can do all sorts of nifty things, like allow Windows users to connect to Mac shares.) Use Activity Monitor to see a summary of what’s shared and who’s connected right now. You can also disconnect users (for example, when a Guest starts six simultaneous MP3 downloads and chokes all your bandwidth).

File Sharing Wrap-up
Beware of nesting folders with different privileges
• Can’t go very deep with the nesting
• Confusion leads to mistakes
If you use Program Linking, then it’s all or nothing with respect to privileges
If you delete a user, his folders’ permissions will be transferred to Owner.

Beware of nesting folders with different privileges -- it can be done, but there’s a shallow depth limit. It can also be incredibly confusing and can lead to security errors.
It’s a good habit to just keep it simple and use a flat hierarchy for your shared stuff, even if there’s some redundancy. If you use Program Linking, then it’s all or nothing with respect to privileges (the app is either remotely linkable by all users, or by none). You can limit who’s allowed to run programs remotely by putting (a copy of) the app into the appropriate users’ folder(s). This does not work with aliases. If you delete a user, his folders’ permissions will be transferred to Owner.

Slide 48: Personal Web Sharing
Do you really need to do this?
• Anyone at Dartmouth can have a homepage on the main Dartmouth webserver
• Real web servers typically work better for the purpose
If you still want to do it, Apple’s default setup is recommended (read-only access to the web folder).

Notes: Ask yourself: Do you really need to do this? Anyone at Dartmouth can have a homepage on the main Dartmouth webserver. Then, security is THEIR problem, not yours. :) There are many free homepage sites (Angelfire etc.). Real web servers typically work better for the purpose (more bandwidth, more reliable uptime, usage statistics, CGI access, static IP, etc.). Eggs-in-one-basket issue again. If you still want to do it, the default setup is recommended (read-only access to the web folder).

Slide 49: PWS Features
PWS can be configured to inherit access privileges from Sharing Setup.
You can make web folders writeable to allow HTTP upload, if the client browser supports it. Yikes…
You can configure PWS such that aliases can be followed. Confusion risk though.

Notes: Instead of the default privs, PWS can be configured to make use of the users and privileges in Sharing Setup. You can make web folders writeable to allow HTTP upload, if the client browser supports it.
But I don’t think this is used much, if at all, and it sure sounds like a security hole, no? You can configure PWS such that aliases can be followed (i.e., put an alias in the web folder, and users can get to the real item even if it’s outside of the web folder). Scary. If you forget the alias is there, and you put sensitive data into the original folder, now anyone can see it...

Slide 50: PWS Caveats and Wrap-up
Be careful not to share your whole disk.
PWS claims to have support for CGI scripts. Careful…
Again, do you really need to serve webpages off your Mac?

Notes: Be careful not to share your whole disk. The webserver software is not magical enough to “know” which files are webpages and which files are, say, your thesis. It will happily allow users to “view” (i.e., download) anything on your disk -- including documents, applications, and system files. PWS claims to have support for CGI scripts. I assume they mean scripts written in AppleScript (as opposed to Perl or PHP). If you venture into that realm, know what you’re doing with your scripts -- AppleScript can be misused. (Remember the LoJack story and the “suicide scripts.”) Again, do you really need to serve webpages off your Mac?

Slide 51: Remote Access
Remote Access Server allows another Mac with Remote Access Client to dial into your Mac.
• Do not configure Remote Access Server to allow guests to dial in.
• If your users won’t need TCP/IP services, don’t choose PPP as the protocol. The default is ARAP, which is safer.

Notes: It used to be that you had to buy the full-blown Server package to answer calls, but I think nowadays a light version is included with the OS. Perhaps only on OS X though. If you have a modem, it allows another Mac with Remote Access Client to dial into your Mac. Do not configure Remote Access Server to allow guests to dial in.
Wardialing is still popular. (Each User in the Users and Groups tab of Sharing Setup will have a box you can check to “allow this user to dial in.”) If your users won’t need TCP/IP services, don’t choose PPP as the protocol. The default is ARAP (AppleTalk for Remote Access), which is safer because again, you’re taking advantage of the relative uniqueness of AppleTalk to help obscure what’s going on.

Slide 52: Moving on: “Safer Surfing”
Most of the suggestions here apply to any operating system. We’ll point out some Mac-specific details.
• Web browsing tips
• FTP and Fetch
• Email

Slide 53: Web browsing
You’ve probably heard this before. In Netscape, go to Edit menu -> Preferences. Scroll the left pane and select Advanced. Disable Java, disable JavaScript, disable cookies.

Notes: It might also be a good idea to turn off Flash, since Flash has its own JavaScript stuff built in…depends on how paranoid you feel vs. how much you care about flashy webpages functioning properly.

Slide 54: Ok, now I can’t use the web at all.
Trouble is, a lot of sites simply won’t work anymore. Compromises:
• Only accept cookies that go back to originating server
• Delete the cookies file over and over.
  - Tiny freeware program called NoCookie did this automatically…
• Or, try Anonymizer!

Notes: Trouble is, a lot of sites simply won’t work if you do this. Compromises: Only accept cookies that go back to the originating server, and you might even want to check the “warn me” box (but I’ve found that this gets REALLY annoying when you visit a site that wants to set half a dozen cookies for every page). Or, delete the stupid cookies file over and over.
For Netscape Communicator on MacOS, go into System Folder -> Preferences -> Netscape Users -> Your-User-Name and delete (or delete the contents of) the file named “MagicCookie.” If you never want the cookies set or the scripts executed in the first place, but there’s a site you really want to visit that requires those things, there is another way: http://www.anonymizer.com. You put in the URL you want to visit, then Anonymizer makes the connection for you, and it dev-nulls all the cookies and other crud so the server never talks directly to your machine. Nice for when you’re visiting certain nefarious websites (like 3L33T hAX0r homepages, or fbi.gov) and you don’t even want your IP recorded. The basic service is free, but for a fee, they offer some kind of service that anonymizes all of your surfing automatically (I think you install a plugin and it invisibly does its thing). The whole company’s probably a CIA front and they’re logging every keystroke… ;)

Slide 55: FTP...
...is bad.
• Anonymous FTP is ok
• The whole session is clear text
• Easy to pick out login info
• Two ports = hard to tunnel

Notes: FTP (File Transfer Protocol) with a username and password is just Bad. The username and password are preceded by “USER” and “PASS” respectively, so it’s utterly trivial for an attacker to watch for and flag that data as it is transmitted (e.g., ngrep).

Slide 56: What you can do
If you HAVE to use FTP with login/pass, use a password that you don’t use for anything else.
Don’t transfer sensitive files over FTP.
Keep backups.
Work under the assumption that someone is going to be able to log in as you.
Try to use a more secure alternative.

Notes: A better solution: Tunnel the USER/PASS portion of your session over MacSSH.
http://www.bio.upenn.edu/computing/instructions/security/portforwarding/

See if the server supports any of Fetch’s built-in security support (Kerberos authentication, one-time passwords, challenge-response system). Use them if possible. See if the server supports SFTP (Secure FTP) as part of SSH (Secure SHell, and its counterpart, SCP or Secure CoPy). Try connecting with MacSFTP, an easy-to-use shareware SFTP client with a very Fetch-like interface. Also, the next release of Fetch is supposed to include built-in SFTP support.

Fetch v. 4.0.x already has some security options, but they require you to install additional software, and the server(s) you connect to must support those features as well. To take advantage of some of them, you have to install and properly configure M.I.T.’s KClient package for your OS (there are versions for both OS 9 and OS X). But from what I can tell, the Kerberos server version in use at Dartmouth is not compatible with the current M.I.T. release, and Fetch is too new to use the old KClient. And configuring the client properly can be a non-trivial task anyway. So watch out. Just for fun, we’ll talk about these features a little bit. The following assumes that you have installed and configured the right version of the KClient software.

Slide 57: Fetch gets teeth
The “encrypt session” option is only available with the other security options; it will be grayed out for “cleartext password.”

Notes: Fetch’s “New Connection” window gains some new features when you install the Kerberos software. Notice the “Security” popup menu, and the “Encrypt session” checkbox. Remember that the FTP server must support the security option you choose, or Fetch has to default to the cleartext password option. (By the way, this window’s font and color will look a little different if you use it under Classic. I took these screenshots in OS X. The information’s the same though.)
Slide 58: Fetch security options

Notes: Clicking on the Security menu reveals these options, both of which appear as a result of the Kerberos package we installed. If we used another security package supported by Fetch, we would see those options under this menu. Consult the Fetch documentation to see what other security packages it supports.

Slide 59: Fetch with baby teeth
From Fetch’s Customize menu, select Preferences and click the Security tab. You’ll see this when you connect:

Notes: Since the Kerberos thing is difficult or impossible to use, we can at least take advantage of the basic security features. Under Fetch’s Security preferences, checking the top two boxes will not make your connection secure, but at least it will remind you when you’re about to expose your password.

Slide 60: Email
Normal POP/POP3 mail is unencrypted.
But, most major email clients support SSL
• Mail server(s) must support it too
Eudora and Outlook both have SSL option
• Protects your password and content
• Only for the path between your Mac and your ISP. Next hop mail server may not.
Always assume that your mail message is not going to be secure for its entire journey to the recipient.

Notes: Normal POP/POP3 mail is unencrypted, but most major email clients support some level of extra security (but again, the mail server(s) must support those features as well). Eudora and Outlook both have an option for email over SSL, which, if supported on your service provider’s server, protects your password and the email content -- but only for the path between your Mac and your ISP. The next mail server down the line may not have SSL, so you should always assume that your mail message is not going to be secure for its entire journey to the recipient.
Eudora also supports APOP (Authenticated Post Office Protocol), which encrypts your password (though not as securely as SSL). There is also S/MIME, in which both the sender and recipient use certificates to sign or encrypt email (sort of PGP-esque).

Slide 61: PGP
The encryption lecture covers the details of PGP.
At least one PGP client for the Mac
• PGP.com (formerly Network Associates, Inc.) has “PGPFreeware” (v. 7.0 at the time of this writing) for OS 9 and “PGP 8.0 LIVE” for OS X.
• Free for academic use
• Compatible with other flavors of PGP (such as GPG).
For OS X, there is also GPG (GNU Privacy Guard) -- more on that later.

Notes: PGP, or Pretty Good Privacy, will be/has been discussed in depth in another class, so we won’t go into detail here. There is at least one PGP client for the Mac, which plugs in nicely to Eudora and probably Outlook, and which also provides an easy way to interact with non-standard email clients (like BlitzMail). The client I use is made by PGP.com (formerly Network Associates, Inc.) and is called simply “PGP” (v. 7.0 at the time of this writing). It’s free for academic use, and it’s compatible with other flavors of PGP (such as GPG). You can get GPG for OS X, and at this time the GUI is still kinda clunky, but it works if you follow the directions carefully when you set it up.

Slide 62: Attachments (“Enclosures”)
Most common way of getting a virus or other malware is via email attachments.
Lots of clever tactics to lure you into opening something that looks legit…beware!
As a Dartmouth Mac user, you have a rare advantage -- BlitzMail. It…
• doesn’t download attachments automatically
• doesn’t interpret HTML mail (spammers send HTML mail with bad JavaScripts etc.)
• isn’t Outlook ;)

Notes: Probably the most common way of getting an unwanted program (such as a virus) is by receiving an attachment in email. In the last couple of years, there have been a huge number of worms which infect Windows machines via the Outlook email program. This is not directly dangerous to Mac users, but it serves to illustrate a point. The recent “Klez” virus/worm used several tactics to increase the likelihood that a recipient of the virus would open the attachment; it would pull email addresses out of the user’s address book or web cache, and create Subject lines from bits of documents or cached webpages on the victim’s computer, then generate more emails from those. The result was that other victims would receive email from people they knew, with message content that looked familiar. What a lure! The point here is that, while Klez posed no threat to Mac users (even Mac Outlook users), the methods used by Klez demonstrate that viruses can be pretty clever. Be certain, before you open an attachment, that the sender really is the sender, and that it’s someone you trust. Even then, you should scan the file with your antivirus software before you open it. Norton and others can be easily configured to “quarantine” and check new files before you use them.

Slide 63: More on email at Dartmouth
• BlitzMail hides password (challenge-response)
• Comp Svcs is currently testing software to automatically filter/alert on virus-ridden email before it even gets to you
• Also, there are plans to make the servers fully IMAP-compliant (beta testing now)
• But, the session is still clear text. Your messages can be read.

Notes: Dartmouth’s BlitzMail system provides a simple, easy-to-use, yet powerful interface for electronic mail.
Its simplicity and uniqueness also add to its security; BlitzMail is immune to all the Outlook email viruses, since it does not arbitrarily download or execute code of any sort. It also does not have HTML mail capability, which thwarts a great deal of spam email containing JavaScripts and other “spyware” elements. Macintosh BlitzMail versions since 2.0.5 will even detect a keystroke logger running on the user’s machine, and will not only alert the user to this fact, but will also scramble the keystrokes as they are written to the keystroke logger’s result file, so the malicious user cannot see what was typed.

Luckily for us, BlitzMail uses a challenge-response technique to encrypt your password every time you log on. If you use a non-BlitzMail client to check your Dartmouth email, you do not get to have this extra layer of protection. Dartmouth email is moving towards a more standard scheme (IMAP), and they’re also looking into border filtering of viruses. However, with the exception of the password, the BlitzMail session is still sent as clear text. So the content of the messages you send or receive, as well as your inbox summary, is still visible to an eavesdropper. (We can, however, tunnel BlitzMail through SSH, in both OS X and Classic. There is a paper on this listed in the “Supplemental Sources” section of the course webpage.)

Slide 64: BlitzMail’s brethren
Other secure ways to use Blitz:
• WebBlitz (Basement)
• NetBlitz (my favorite, if the regular client is unavailable)
• TextBlitz via SSH (old and primitive, but works in a pinch)

Notes: In addition to the real BlitzMail client, there are other secure ways to use Blitz.
WebBlitz -- https://basement.dartmouth.edu/blitz. Uses SSL to protect your session.
NetBlitz -- a streamlined web-based client. http://netblitz2.dartmouth.edu/Bl.cgi.
Has multiple security options -- you can SSL-encrypt just your login, or your whole session, depending on how much speed vs. security you care about.
TextBlitz -- very bare-bones Blitz access. SSH to textblitz.dartmouth.edu as user “blitz” with no password. You’ll be prompted for your BlitzMail login info. You can only read what’s in your inbox. This is very old.

Slide 65: VIRUSES!
Not really a big deal for Macs (so far).
• Again, small user base and the uniqueness of MacOS = small target
• Most recent big one: Word macro virus (which affected Word documents on all platforms)
• Also, a worm or two

Notes: Not a big deal for Macs. There just aren’t very many viruses out there. Again, the small user base and the uniqueness of MacOS make it a small, unattractive target for most of the virus-writing twits in the world. Probably the most dramatic one in recent history was the Word macro virus (which affected Word documents on all platforms, not just the Mac). It wasn’t super-destructive, but it did manage to irritate just about everybody at Dartmouth for a few months.

The macro scripting language is supposed to be used for creating in-document shortcuts for repetitive functions. The macro scripting language developed by MS apparently can do much more, because a couple of years back there was a huge epidemic of macro viruses in Word documents on Windows and Mac (mostly affecting Word version 6). These viruses did a variety of cute things, like alter your “Normal” Word template such that every Word document you opened or created would be infected, and/or embed a chunk of text in every Word document you ever opened, that you could NOT remove from the document (the text contained a message about a Scrabble game), and one variant could even hide a menu in the program (!) which you had to use in order to get rid of the virus! (I thought I had gone insane. The cleanup instructions said “1.
Go to the Tools menu” and there WAS NO TOOLS MENU.)

Slide 66: Countermeasures
3 or 4 other known Mac viruses
• Some do have destructive payloads
• Rate of infection is very low
Run Norton Antivirus or equivalent.
List and description of Mac viruses: http://www.symantec.com/mac/security/macattack.html

Notes: The macro virus thing is pretty much over. Word 98 and up have macro support disabled by default and/or built-in macro virus detection. Also, antivirus utilities such as Norton are able to detect and clean or at least quarantine documents containing macro viruses.

The other fairly memorable and somewhat recent Mac malware was a worm. It used QuickTime’s “autoplay” feature (which starts playing audio CDs as soon as they’re inserted), and some strains of the worm would destroy files with .dat or .data name extensions, but mostly all it did was start up Print Spooler and slow your system down. All you had to do to avoid infection was turn off the autoplay feature in QuickTime.

There are 3 or 4 other known Mac viruses, some of which do have destructive payloads (delete random files, interfere with loading of extensions, etc.), but the rate of infection is very low. If you’re paranoid, which is a good thing, run Norton Antivirus or another AV program. It’s a good idea to boot off the CD and have it scan your system BEFORE you install it, since some viruses try to disable AV programs. Hold down the C key to boot off a CD. List and description of Mac viruses: http://www.symantec.com/mac/security/macattack.html

Slide 67: Firewalls
The firewall lecture covers how they work.
Mac ones:
• Norton Personal Firewall for Macintosh
• OS X has built-in firewall software
In general, firewall software should:
• Have basic and advanced user modes
• Have good logging and notification options
• Support multiple rule sets
• Be able to export logs in standard formats
• Support multihoming
• Ideally, support egress filtering

Notes: The firewall lecture in this class covers what firewalls do and how they work. Norton Personal Firewall for Macintosh is a good choice. (OS X has built-in firewall software, but we’ll get into that later.) A good firewall should be easy to use, have basic and advanced user modes, and have good logging (and should be able to export logs in standard formats, so you can analyze the logs with another program). It ought to support multihoming (i.e., separate rules for different network interfaces or locations, especially for PowerBook users), and ideally, filtering of outbound traffic (e.g., prevent your credit card number from being sent in a clear text format, or stop traffic destined for known Trojan horse ports).

A decent fw program should also allow you to have multiple sets of rules. You ought to be able to easily create a basic ruleset with high-security rules (the default set, preferably). There should be notification options (for example, Norton can pop up mini-windows telling you about access attempts right as they happen). Ideally, your fw should have the ability to silently drop OR explicitly reject traffic. And it should be stateful. But these last two features are pretty frequently left out of “personal” firewalls. If you really want to have these features, get a cheap old PC, install two cheap NICs, and put Linux with Netfilter on it for a dedicated, powerful, stateful inspection firewall and put your Mac behind it. :) But that’s kinda overkill.

Slide 68: Test it
Play the hacker.
Symantec can scan your machine and generate a report: http://security1.norton.com/SSC/
Caveats:
• Multiple Users
• Non-passive-mode FTP connections
• Allowing for non-obvious traffic (e.g. Keyserver)

Notes: Test your firewall settings. Play the hacker. Symantec has a URL you can visit which scans your machine and generates a report about its level of security. Keep in mind that if you’re NAT’ed, it won’t work, and if you’re behind a firewall, your security administrator may hate you for doing this.

Caveats:
• If you’re using Multiple Users, you’ll need to make sure that your fw offers the proper amount of protection for all users. NPF uses one Prefs file for all users, but other fws may not.
• Beware of non-passive-mode FTP connections, often characterized by a connection drop at 99 percent download completion. (It’s like they TRIED to make it as frustrating as possible.) Set Passive Mode under Fetch’s “Firewall” Preferences tab.
• If email takes forever, it may be an AUTH thing. Either allow the traffic (TCP/113) or do an explicit reject so it doesn’t do the long timeout in response to a silent drop.
• P2P programs (Gnutella and such) may malfunction in the presence of a firewall.
• If you block UDP access on high ports, it may mess up DNS. Also don’t block UDP/68 if you use DHCP to get an IP address (at Dartmouth, this is the standard method). Ideally you need only allow that access from the IP of the DHCP server, but if you’re not sure, open that port to anything. It’s a pretty minor security hole.
• If you use NTP for Date and Time, open up UDP/123 from the specified NTP server.
• If you use Keyserver over IP, it needs UDP/19283. You probably use it over AppleTalk, though (default).

Slide 69: MAC OS X
Everything’s changed. OS X is based on a Unix subsystem, a version of FreeBSD called Darwin. Here’s a pictorial representation of the OS: (Don’t worry about the GTK/Xdarwin part.)
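One way to turn the firewall caveats above (DHCP on UDP/68, NTP on UDP/123, an explicit reject for AUTH on TCP/113, Keyserver on UDP/19283, and stateful handling so DNS replies still get in) into a concrete ruleset for the OS X built-in firewall. This is an added example, not code from the lecture; it assumes the built-in firewall of this era is ipfw, the FreeBSD packet filter, and every address it is called with is a placeholder.

```shell
#!/bin/sh
# Added example, not from the lecture: build an ipfw ruleset that follows the
# firewall caveats on the "Test it" slide. Assumes the OS X built-in firewall
# of this era is ipfw, the FreeBSD packet filter; the 10.x.x.x addresses used
# in the usage line are placeholders, not Dartmouth's real servers.
# ipfw rules live in the kernel, so they protect every user account alike.

# fw_rules DHCP_SERVER NTP_SERVER [KEYSERVER_IP]
# Prints one ipfw command per line; pipe into "sudo sh" on the Mac to load them.
fw_rules() {
    if [ $# -lt 2 ]; then
        echo "usage: fw_rules DHCP_SERVER NTP_SERVER [KEYSERVER_IP]" >&2
        return 2
    fi
    dhcp_server="$1"
    ntp_server="$2"
    keyserver_ip="${3:-}"   # empty = Keyserver over AppleTalk (the default), no IP rule

    echo "ipfw -f flush"                                   # start from a clean slate
    echo "ipfw add 100 allow ip from any to any via lo0"   # loopback is always fine

    # Stateful core: remember connections we open, so replies (including DNS
    # answers to our high UDP ports) get back in without opening those ports.
    echo "ipfw add 200 check-state"
    echo "ipfw add 300 allow tcp from any to any out setup keep-state"
    echo "ipfw add 310 allow udp from any to any out keep-state"

    # DHCP: the initial request leaves from 0.0.0.0:68, which keep-state cannot
    # track, and the reply comes from the server's port 67 to our port 68.
    # Restricting the reply to the known DHCP server is the "ideal" case the
    # caveats describe; use "any" in place of the address if you are not sure.
    echo "ipfw add 320 allow udp from any 68 to any 67 out"
    echo "ipfw add 400 allow udp from $dhcp_server 67 to any 68 in"

    # NTP for Date & Time: answers only from the configured time server.
    echo "ipfw add 410 allow udp from $ntp_server 123 to any 123 in"

    # AUTH/ident (TCP/113): explicit reject (TCP RST) instead of a silent drop,
    # so mail servers that probe ident fail fast instead of timing out.
    echo "ipfw add 500 reset tcp from any to any 113 in"

    # Keyserver over IP needs UDP/19283; only emit the rule when asked for.
    if [ -n "$keyserver_ip" ]; then
        echo "ipfw add 600 allow udp from $keyserver_ip to any 19283 in"
    fi

    # Everything else inbound is silently dropped and logged (logging is
    # gated by the net.inet.ip.fw.verbose sysctl on FreeBSD-style ipfw).
    echo "ipfw add 65000 deny log ip from any to any in"
}

# Usage from the command line (placeholder addresses):
#   sh fw_rules.sh 10.0.0.1 10.0.0.2 | sudo sh
# Non-passive FTP will still break; set Passive Mode in Fetch's Firewall
# preferences rather than punching holes for the data connection.
if [ $# -ge 2 ]; then
    fw_rules "$@"
fi
```

Review the printed rules before piping them into sudo sh; the ordering matters, because ipfw stops at the first matching rule.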
Notes: To maintain backwards compatibility with the existing library of Macintosh software, Mac OS X integrates the new Unix-based environment with a MacOS-based emulation environment called “Classic” (also sometimes called the True Blue Environment, which is how it shows up in top). Old Mac apps run within Classic, and Classic runs within X. As far as X is concerned, Classic is just another application. It can be killed like any other Unix app, which is nice for those times when some Classic app crashes the environment.

The term “Carbon” is used to describe applications which are written such that they can run natively in either OS X or Classic/OS 9. This is similar to “fat binary” apps (which existed during the transition from the 680x0 processor to the PowerPC processor -- some software was re-written to include code for both processor types, and since this tended to make them bigger, they were called “fat”). If you Get Info on a Carbon app, you can toggle a checkbox to tell the app whether to launch in OS X or in Classic. “Cocoa” describes apps written specifically for OS X, and which will not run in OS 9.

Platinum and Aqua are the names Apple uses to describe the user-visible appearance of the operating system. Think of them as Winamp skins. Classic always wears the Platinum appearance, which among other things, describes the shape and size of common elements like scroll bars and title bars and menu fonts. Similarly, Aqua is the skin worn by OS X, and it describes things like translucency of background windows and drop shadows and such.

Slide 70: Mac OS X cont’d

Notes: QuickDraw and Quartz are the respective underlying graphics “engines” which are what drive the appearance of the OS.
I’m not sure if it’s still the case today, but originally, most if not all of the Mac’s QuickDraw calls were hardwired into the ROMs, which is why all Mac apps tended to look very similar; things like title bars and menus and the shape of the cursor were standard objects. This was very deliberate on Apple’s part -- it was a big part of what made the Mac easy to use for newbies, because so much of what you learned about one app could be applied to all the others.

The light-gray column in this picture shows the “command line” riding on top of the Terminal window, which in turn sits above the Shell. IMHO this doesn’t really serve to illustrate much -- all you need to know is that if you want to get at the Unix command-line interface, you first have to open a Terminal window (Terminal is the name of the app that gives you CLI access). By default, your shell is tcsh, though it’s easy to add bash if you prefer it.

The far-right column has to do with a nifty add-on (NOT part of the OS, whereas the rest of the picture is) called XDarwin, which is the Unix X Windows environment for OS X. This may seem incredibly redundant, but it allows you to do some very cool things that you wouldn’t otherwise be able to do. It’s outside the scope of this class, but blitz me if you’d like a demo.

Slide 71: Macs and Unix
OS X inherits from NeXTStep and Rhapsody
What you get:
• Memory protection
• Preemptive multitasking
• Built-in compiler
• etc. -- all the coolness of Unix
Combined with:
• Really terrific UI that Macs are famous for
• BUT: We gave up uniqueness. Vulnerabilities that affect BSD Unix can now affect Macs, too.

Notes: OS X inherits much from NeXTStep and Rhapsody. See handout #3, “Mac OS X System Administration,” for more about the history of NeXT and OS X. OS X is the best of both worlds.
It has all the functional advantages of Unix: memory protection, preemptive multitasking, the built-in compiler, Unix compatibility resulting in access to a huge library of software (even the Debian apt-get tools have been ported to OS X), Darwin being open-source so more software’s coming faster, etc. AND... it has all the user-interface advantages that the Macintosh is famous for. Most Mac users never need to interact with the Unix-ness directly; they just revel in the delight of using a Mac that (almost) never crashes.

The price we pay for this: We’re not unique anymore. Vulnerabilities that affect BSD Unix, Apache, OpenSSH, etc. can now affect Macs, too.

Slide 72: There can be many
OS X is a multi-user system.
Administrator is not quite root, but almost
• Sudo is invoked when needed in the GUI
• It can also be used explicitly at the CLI, just like in any other Unix
Administrator has enough privileges to do just about anything you need.

Notes: Unlike old MacOS, OS X is a multi-user system. When you first set up your new Mac, you are asked to provide a username and password for the Administrator account. Administrator is not root, but it’s almost that powerful -- Apple hides root from you, for your own safety, and invokes something much like sudo when you need to do root-esque things.

At first I didn’t understand this -- I thought, “this is MY computer, I should be able to do ANYTHING I WANT.” So I performed the convoluted hack to enable root login (this was OS X 10.0, it wasn’t easy) and I habitually ran things while logged in as root. One day, I went to change modes (chmod) on a file, but I didn’t notice that I’d accidentally selected the whole hard disk (I was still getting used to OS X), and it seemed to be taking a while to finish…spinning beach ball of doom…uh-oh. I’d recursively chmod’ed every file on the disk. OS X never booted again.
I had to boot into OS 9 to get my data, then wipe the drive and start over. The moral of the story is, that wouldn’t have happened if I hadn’t insisted on being root all the time. OS X would’ve chmod’ed maybe one folder’s worth of stuff, but it would’ve stopped before it reached the core system files and tossed a dialog saying “you don’t have permission to do that” or something similar.

Administrator has enough privileges to do nearly anything you’ll need to do -- you don’t need true root unless you start really messing around with the Unix guts of OS X. Even then, it’s HIGHLY recommended that you use sudo, rather than enable the root password and stay logged in as root for long periods of time. You’re far less likely to do irreparable damage to your system if you use sudo, since it gives you root privs only on a per-command basis. Metaphorically, you’ve only chambered one round at a time, and if the gun goes off, at least it’s not on full auto. ;) Very rarely will sudo fail to meet your needs. But once in a while, something in a shell script or some hardcore tinkering will require true root. The easiest way to go at it in that case is sudo su - and use your Administrator password. You will be root, with root’s path.

Slide 73: Users and folders
You can create users, and choose whether or not to give them Administrator rights.
Each user has a home folder (under /Users).
Each user also has a “Desktop” folder, which corresponds to the desktop he or she sees.

Notes: You can create however many users you want, and you can give them Administrator rights (they can do Admin-level stuff using just their own passwords for authentication, like sudo) or leave them as normal, non-admin users. Each user has a home folder (under /Users) which stores his/her documents, preferences, fonts, personal webpage (if you have Web Sharing enabled), etc.
If you do NOT give users admin rights, then they can only create files where they have write permission, which mostly means their own home directories. They can still run applications that reside outside their home folders, but apps that need root (say, a sniffer) will not work for them. This should be quite familiar to Unix users. Each user also has a “Desktop” folder, which corresponds to the desktop he or she sees. It shows up as a folder called Desktop in your home directory, but it’s simultaneously also the desktop underneath all your windows (which can get weird, since you can open the Desktop _folder_ and be looking at the icons that are also on your visible Desktop). This is quite different from the Desktop of old MacOS, which was sort of an über-folder. Each user can put different things on his or her Desktop, and other users won’t see them; they’ll see their own Desktops.

Note: Users ought to make use of the screen saver lock feature, which requires you to enter your password to unlock the screen saver: System Preferences -> Screen Effects. And never turn on the auto-login feature unless you’re sure your Mac is physically isolated from other people; also, it’s better to leave off the “pick user from list” option and type your username, since that list hands an intruder half of every login (the user names) for free. Again, don’t make it easier for the bad guys.

Users and Apps
Users can install their own applications
If they have Admin rights, they can install apps available to all users
In general, applications run with the privileges of the user who launches them

Users can install their own applications, available only to them, or (if they have Admin rights) they can install apps available to the whole system. For the most part, applications run with the privileges of the user who launches them. In other words, if I open BBEdit and try to edit the /etc/hosts file, BBEdit will ask me to authenticate as Admin with my password before I can save changes.
(This assumes that my account has Admin rights, or in more Unixy terms, I am in the sudoers list.) Users who are not flagged as Administrators would not be able to edit that file at all.

BSD File Security
Same as any Unix: owner, group, everyone, modes, etc.
Can be changed at the CLI using the usual commands (chmod, chown, etc.) as well as with the GUI Get Info.

As with any Unix, files in OS X have access restrictions based on owner and group, and files have modes (r/w/x). This isn’t just the case for network file sharing (as is true with pre-X Mac OS); it’s also true for every file on the system. Old news for Unix folks, but a new realm for Mac users.

Classic
When you open an old Mac app, OS X first launches the Classic (“TrueBlue”) environment, then opens the app within that
The integration is fairly seamless: some menus change, but you always see the OS X Finder/Desktop and the Dock
If some Classic Mac app crashes, it’ll probably take the Classic environment down with it, but OS X keeps running :)

To maintain compatibility with old MacOS software, Apple developed a MacOS emulation environment, called Classic. When you open an old Mac app, say, Classic Netscape, OS X first launches the Classic (“TrueBlue”) environment, then opens Netscape within that. The integration is fairly seamless: some menus change when you flip between OS X and Classic apps, but you always see the OS X Finder/Desktop and the Dock. Classic runs as a separate process under OS X; Classic is, in effect, just another application under OS X. The cool thing about this is that when some Classic Mac app crashes (that would NEVER happen! hah), it’ll probably take the Classic environment down with it, but OS X keeps running happily. The miracle of memory protection.
(In the beta release of OS X Server, Classic and X were integrated differently, and it was possible for Classic to crash and take the input devices with it. OS X would still be running, but you couldn’t reach it to kill Classic: your cursor was frozen, keyboard locked. But you COULD shell in from another machine, run ps, find the Classic process, kill -9 it and get X back. Nice.)

Classiconfusion
• The integration is fairly seamless. Not completely. Examples:
• Both Classic and OS X use a single IP address
• File sharing weirdness
• Both environments can share a printer
• OS X owns the CD-ROM and Zip drive
• Only one Finder (X)
• OS 9 Desktop is still separate from OS X’s

The integration is _fairly_ seamless. It still takes a lot of getting used to, especially if you’ve been a Mac user for a while. Examples: Both Classic and OS X use a single IP address. It doesn’t affect client-type behavior (e.g., you can use a web browser in each environment simultaneously), but it can get weird with running servers. You can’t do file sharing under Classic under X anymore (but you could do it with AppleTalk only, no AFP over TCP, in OS X 10.1, WHILE you were sharing files directly from X too. Schizophrenic.) You can’t connect to AppleTalk-only servers from Classic, but you can from X. You CAN do Program Linking from within Classic; God only knows what happens if you try to do Apple Events in X at the same time. (It seems to let you turn on both simultaneously…) Both environments can share one printer (you need drivers for each environment, except for the occasions when Classic just seems to “learn” about the printer from X), but OS X owns the CD-ROM and Zip drive. There is only one Finder (in X). The Desktop of Mac OS 9 is a separate entity from that of OS X, and under OS X it’s invisible in the Finder (but you can see it from the Terminal if you list the contents of the / directory).
When you install OS X, it automatically creates an alias to the Mac OS 9 Desktop and puts that on your OS X Desktop (stay with me here), and if you delete it, like I did, then you’re sorta locked out of your OS 9 Desktop. But don’t worry, it’s still there if you boot into 9. (More

More on Classic/X
More: Under the standard partitioning scheme, you can boot directly into MacOS 9
• This has scary implications for file permissions
Carbon apps will run in anything, which is good to know
OS X “packages” (app bundles) will appear as folders in 9; don’t mess with the contents!

Oh, and as if that’s not enough, you can tell the Mac to boot directly into MacOS 9 (using the same System Folder as Classic), and then OS X effectively disappears and you have an old-school Mac again. This also has the side effect of making most of the Unix file permissions moot. In other words, if you boot into 9, you can probably delete the /bin directory REGARDLESS of your OS X Administrator status, because regular MacOS doesn’t speak that language. (The general lesson: file permissions are enforced by the running OS, not by the disk, so anyone who can boot your machine from something else, another OS or a CD, owns every file on it.) There isn’t a complete disregard for it, though. Some key files and directories from OS X will be “grayed out” in the Finder if you boot into MacOS 9. But…from a Save or Open dialog in some applications, you can still see and modify everything. Mac OS 9 is gradually being phased out, but in the meantime, all you can really do is shrug and be careful. Remember the Carbon thing? Those apps will run in OS X, or in Classic, or in OS 9 directly. So? Well, if you make a bad mistake like I did, and hose your OS X system, you can (hopefully) still boot into OS 9. You can grab your original CD and boot off it long enough to change the Startup Disk setting and reboot into 9. Then, if you held onto some Carbon (or Classic) apps, you can go in and run them from 9 and perhaps use them to recover your data.
It’s nice to have a copy of Fetch that will work in either environment; I used it to move my data onto a network file server when I did the Bad Chmod that time. In short: if you’ve got the disk space, it’s a good idea to hang onto Classic/Carbon apps even after you install a superior Cocoa equivalent, so you double your chances of being able to recover from a bad event. If you’re in 9 and you want to know whether some app will run or not, you can just try it, and you’ll get a message if it’s Cocoa. In general, if the application icon appears properly in 9, it’s probably Carbonized.

One other note: OS X Cocoa apps sometimes make use of “packages,” which are essentially application bundles. They appear as a single icon that you double-click to launch, just like any other app, but if you control-click them, you can see and alter the contents. Sort of like using ResEdit in the old days to hack the resource fork, only now you don’t need a separate tool. But if you boot into OS 9, packages will appear as folders, since OS 9 doesn’t know what packages are. Don’t start adding or removing things from them, because when you boot back into OS X, they might not work right anymore!

OS X Security “out of the box”
Is pretty good. If I turn off my firewall and run TCP and UDP portscans against my Mac, here are the results (notes sections): I can explain what I see. Nothing mysterious. This is important. I haven’t done any low-level hacking to turn off default services, so a base OS X install should have fewer open ports than what I have.

Results of nmap -sT -p 1-65535 my-mac (that’s a plain vanilla TCP connect scan of all ports):

    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    Interesting ports on my-mac (some.ip.address):
    (The 65530 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    80/tcp     open        http
    427/tcp    open        svrloc
    548/tcp    open        afpovertcp
    902/tcp    open        unknown
    913/tcp    open        unknown
    2151/tcp   open        unknown

We know what the first two are. I’m running SSH (“Allow remote login” is turned on in Sharing) and I’ve got Web Sharing turned on. 427 (svrloc) is the Service Location daemon/protocol, which helps my Mac and other Macs find each other’s services on the network. Port 548 shows File Sharing enabled (over TCP, the default on OS X, though I can enable AppleTalk as well). Nmap didn’t know what port 913 is for, so I Googled for “port 913” and discovered that it’s the Sidecar port (part of Kerberos, which we use to access protected portions of the Dartmouth website, among other things). Ports 902 and 2151 are for my BlitzMail ssh tunnel. If I hadn’t already known that, it’d be kinda hard to figure out, since BlitzMail is a Dartmouth thing and Googling for those ports will get you a lot of nonsense. But I could’ve tried telnetting to those ports…

What is THAT port?

    bash mbates@my-mac ~ $ telnet localhost 902
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 DND server here.

Aha! Unfortunately, the same trick for 2151 is a lot less informative.

    bash mbates@my-mac ~ $ telnet localhost 2151
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    hello?
    011 Unknown command: hell
    helo
    011 Unknown command: helo
    help
    011 Unknown command: help
    user
    013 Missing argument.
    info
    011 Unknown command: info
    get
    011 Unknown command: get
    (I gave up and exited)

Heh. But a logical next step might’ve been to search the Dartmouth Computing Services web pages for info on what ports BlitzMail uses.
More on ports and services
• lsof -i shows ports and their corresponding services
• You can get this with netstat, but lsof is a little easier to read and interpret
• You need to run it with sudo to see everything (since you don’t own many of the network services)

Excerpt (column headings added):

    COMMAND    PID USER   FD  TYPE     DEVICE SIZE/OFF NODE NAME
    automount  260 root   4u  inet 0x01bb8970      0t0  UDP *:860
    httpd      268 root  16u  inet 0x01d33cdc      0t0  TCP *:80 (LISTEN)
    httpd      270 www   16u  inet 0x01d33cdc      0t0  TCP *:80 (LISTEN)
    sshd       283 root   3u  inet 0x01d33a2c      0t0  TCP *:ssh (LISTEN)
    slpd       293 root   0u  inet 0x01bb8560      0t0  UDP *:427
    slpd       293 root   1u  inet 0x01d3377c      0t0  TCP *:427 (LISTEN)

Results of nmap -sU -p 1-65535 my-mac (same as before, but UDP ports this time; bear in mind that for UDP, “open” means only that no ICMP port-unreachable came back, which is weaker evidence than a completed TCP handshake):

    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    Interesting ports on my-mac (some.ip.address):
    (The 65526 ports scanned but not shown below are in state: closed)
    Port       State       Service
    68/udp     open        dhcpclient
    123/udp    open        ntp
    427/udp    open        svrloc
    514/udp    open        syslog
    860/udp    open        unknown
    49152/udp  open        unknown
    49155/udp  open        unknown
    49158/udp  open        unknown
    49160/udp  open        unknown

68 is for my Mac to get an IP address from the DHCP server on my network. 123 is ntp, Network Time Protocol; my Mac syncs its clock with Dartmouth’s NTP server. 427 is the UDP port for svrloc, explained on the previous slide (svrloc uses both TCP and UDP). 514 is syslog appearing to listen on the network, but it doesn’t actually accept data from other hosts. 860 is the automounter listening for other hosts’ NFS requests, which is moot since I don’t have any NFS shares defined. 49152 is being used by Keyserver, and I can’t telnet to it (connection refused), so how would I know? I cheated and used lsof. (Could’ve done that before too, but I wanted to show you another way to figure out which ports are used for which applications.)
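As an added example (my code, not part of the lecture notes), here is the lsof step from this slide scripted, so that “what is listening, and which process owns it” is one command instead of reading columns by eye. The sample lsof output is constructed to look like the excerpt above (the extra ESTABLISHED line is mine, to show it being filtered out); on a real Mac you would run sudo lsof -i -n -P and pipe it into listeners (-n and -P stop lsof from turning addresses and ports back into names).

```shell
#!/bin/sh
# Added example: parse `lsof -i` output into a "what is listening" table.
# Not from the lecture; the sample below is constructed to match the slide.

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
automount 260 root    4u  inet 0x01bb8970      0t0  UDP *:860
httpd     268 root   16u  inet 0x01d33cdc      0t0  TCP *:80 (LISTEN)
httpd     270 www    16u  inet 0x01d33cdc      0t0  TCP *:80 (LISTEN)
sshd      283 root    3u  inet 0x01d33a2c      0t0  TCP *:ssh (LISTEN)
sshd      283 root    4u  inet 0x01d33b1c      0t0  TCP my-mac:ssh->other:52301 (ESTABLISHED)
slpd      293 root    0u  inet 0x01bb8560      0t0  UDP *:427
slpd      293 root    1u  inet 0x01d3377c      0t0  TCP *:427 (LISTEN)'

# listeners: read `lsof -i` output on stdin and print "PROTO PORT PID USER COMMAND"
# for every socket that is waiting for input: TCP sockets in LISTEN state and
# every UDP socket (UDP has no connection state to filter on). The header line
# and established/outbound TCP connections are dropped.
listeners() {
    awk 'NR > 1 {
        proto = $8; name = $9; state = $10
        if (proto == "TCP" && state != "(LISTEN)") next   # a connection, not a listener
        sub(/->.*/, "", name)            # keep the local endpoint only
        n = split(name, parts, ":")      # port is after the last ":"
        port = parts[n]
        printf "%s %s %s %s %s\n", proto, port, $2, $3, $1
    }' | sort -k1,1 -k2,2n | uniq
}

# whatis_port PROTO PORT: answer "what is THAT port?" from the parsed table,
# e.g. whatis_port TCP 427 -> "slpd (pid 293, user root)".
whatis_port() {
    printf '%s\n' "$SAMPLE_LSOF" | listeners | awk -v p="$1" -v n="$2" '
        $1 == p && $2 == n { printf "%s (pid %s, user %s)\n", $5, $3, $4; found = 1 }
        END { if (!found) print "nothing listening on " p "/" n }'
}

printf '%s\n' "$SAMPLE_LSOF" | listeners
```

lsof -i lists every Internet socket, including connections your own Mac opened; listeners keeps only the ones waiting for input, which is the set you want to line up against an nmap result. Anything nmap reports open that listeners does not show (or the reverse) is exactly the kind of “mysterious” port the slide says you should be able to explain.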
The last three UDP ports (49155, 49158 and 49160) are being used by lookupd, the all-purpose lookup daemon (for DNS among other things), and again, I used lsof to figure that out.

Logs
Via syslog. Look in /var/log
system.log is a good place to start
• Firewall logs (seems buggy, at least with BrickHouse; sometimes stops???)
• Use of sudo
• Subsystem status messages
also, /var/log/httpd/access_log and error_log
others for other services (ftp, mail, etc.)

OS X logs via the Unix syslog facility. There may be some nice GUI log reader available, but your best log analysis tools are grep and/or a good text editor with a Find function. E.g.:

    grep sudo /var/log/system.log                  # Look for all instances of sudo
    tail -f /var/log/system.log | grep something   # Watch the log as it's written (-f = "follow")
                                                   # and pipe the output to grep to look for "something"
    grep -v <your-ip> /var/log/httpd/access_log    # Inverse grep (look for everything BUT your-ip)

And so on.

Unix and Mac can collide…
HFS+ is the native/default file system for OS X
OS X also supports UFS (Unix File System)
One big difference:
• HFS+ preserves case of file names, but is case-insensitive (filename = FileName = FILENAME)
• UFS is not! Those could be three separate files
• Implications?

Sometimes the Mac-ness and the Unix-ness of OS X really butt heads. HFS+, the Mac’s native file system since approximately MacOS v. 8, is a case-preserving but case-insensitive file system. This means that, under HFS+, a file called “goober” cannot exist in the same folder as a file called “GooBer” or “GOOBER” etc. Those are all considered to be the same name. But under UFS, which is also supported by OS X, case DOES make a difference; UFS would consider all of those to be separate file names. Well, so what?

Apache vulnerability!
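Grepping for sudo tells you that sudo was used; the next thing you want to know is who used it, how often, and whether anyone was refused. The following is an added example (mine, not from the lecture) that turns the sudo lines in system.log into that report. The log lines are constructed in the format sudo writes to syslog on OS X; the user names and commands in them are invented.

```shell
#!/bin/sh
# Added example: summarize sudo activity from system.log. Not from the lecture;
# SAMPLE_LOG is constructed in sudo's syslog format, with made-up users/commands.

SAMPLE_LOG='Jan 14 09:02:11 my-mac sudo: mbates : TTY=ttyp1 ; PWD=/Users/mbates ; USER=root ; COMMAND=/usr/sbin/lsof -i
Jan 14 09:05:42 my-mac sudo: mbates : TTY=ttyp1 ; PWD=/Users/mbates ; USER=root ; COMMAND=/usr/sbin/tcpdump -i en0
Jan 14 09:06:03 my-mac loginwindow[229]: USER_PROCESS: 229 console
Jan 14 11:17:55 my-mac sudo: guest : user NOT in sudoers ; TTY=ttyp2 ; PWD=/Users/guest ; USER=root ; COMMAND=/bin/sh
Jan 14 23:41:09 my-mac sudo: joe : 3 incorrect password attempts ; TTY=ttyp3 ; PWD=/Users/joe ; USER=root ; COMMAND=/usr/bin/su -
Jan 15 00:02:30 my-mac sudo: joe : TTY=ttyp3 ; PWD=/Users/joe ; USER=root ; COMMAND=/bin/chmod -R 777 /'

# sudo_report: read syslog lines on stdin; print a WARNING (with the command
# that was attempted) for every refused sudo, then one "USER ok=N failed=M"
# line per user. A successful sudo message starts with "TTY="; anything else
# ("3 incorrect password attempts", "user NOT in sudoers") is a refusal.
sudo_report() {
    awk '
        $5 != "sudo:" { next }                      # field 5 is the syslog tag
        {
            user = $6
            msg = $0; sub(/^.* sudo: [^ ]+ : /, "", msg)   # text after "user : "
            cmd = msg; sub(/^.*COMMAND=/, "", cmd)
            if (msg ~ /^TTY=/) {
                ok[user]++
            } else {
                failed[user]++
                reason = msg; sub(/ ; TTY=.*$/, "", reason)
                printf "WARNING %s %s %s %s: %s\n", $1, $2, $3, user, reason
                printf "        tried: %s\n", cmd
            }
            seen[user] = 1
        }
        END {
            for (u in seen)          # order of users is arbitrary
                printf "%s ok=%d failed=%d\n", u, ok[u] + 0, failed[u] + 0
        }'
}

# sudo_failures: just the number of refused sudo attempts, for a cron check
# such as: grep sudo /var/log/system.log | sudo_failures
sudo_failures() {
    awk '$5 == "sudo:" && $8 !~ /^TTY=/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | sudo_report
```

Run it on the real file with sudo_report < /var/log/system.log, or combine it with the tail -f idea above to watch refusals as they happen. Repeated “incorrect password attempts” from a non-admin account, or any sudo line you cannot account for, is worth a look even on a one-person Mac.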
“CERT/CC Vulnerability Note VU#439395
Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem...
...Impact: Can bypass Apache file access protection, allowing remote unprivileged users to read privileged files.”
Yikes!

THIS is what:

    CERT/CC Vulnerability Note VU#439395
    Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem

    I. Description:
    The Apache web server's file access protection scheme (i.e., file request "filtering") assumes that the filesystem being protected is case sensitive...
    Under the Apache scheme, you specify whether to deny or allow access to a filesystem object (which can be a directory, filename, or URL). The specifications are called "directives", which include <Directory>, <Files> and <Location> directives. See http://httpd.apache.org/docs/mod/core.html#directory for further information on directives.
    When you use a directive to deny access to a file or directory using the Apache web server under Mac OS X HFS+, the directive will NOT deny access to any other upper and lower case variation on the filename or directory...

OOPS! Some tweaking in the Apache config file could fix this, and Apple released a patch right away, so it’s not an issue now. But this serves to illustrate how programs which are accustomed to Unix/UFS behavior can potentially be tripped up by seemingly subtle differences like that. The general pattern is worth remembering: an access check that compares names one way, while the thing it protects resolves names another way, can be walked around by anyone who can spell the name differently.
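To make the VU#439395 mechanism concrete, here is a toy model of it as an added example (my code; neither Apache’s code nor Apple’s patch). DENIED stands for the paths an administrator protected with <Directory>/<Files> directives, FILES for what is on disk, resolve_hfsplus for a case-insensitive filesystem lookup, and is_denied_casesensitive and is_denied_casefolded for the access check before and after it is made to compare names the way the filesystem does. The case fold is plain ASCII tr, an approximation of HFS+’s Unicode-aware comparison; the paths are invented.

```shell
#!/bin/sh
# Added example: case-sensitive access check vs. case-insensitive filesystem.
# Not Apache's code; DENIED, FILES and the request paths are constructed.

DENIED="/Library/WebServer/Documents/private /Library/WebServer/Documents/.htaccess"
FILES="/Library/WebServer/Documents/index.html /Library/WebServer/Documents/private/payroll.html"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }   # ASCII fold, stands in for HFS+

# matches_prefix PATH DENIED: true if PATH is DENIED itself or lies under it
matches_prefix() {
    case "$1" in "$2"|"$2"/*) return 0;; esac
    return 1
}

# The check Apache did: byte-for-byte comparison, correct on UFS, wrong on HFS+.
is_denied_casesensitive() {
    for d in $DENIED; do matches_prefix "$1" "$d" && { echo yes; return 0; }; done
    echo no
}

# The check that agrees with the filesystem: fold both sides before comparing.
is_denied_casefolded() {
    p=$(lower "$1")
    for d in $DENIED; do matches_prefix "$p" "$(lower "$d")" && { echo yes; return 0; }; done
    echo no
}

# resolve_hfsplus PATH: what the filesystem hands back for a request. Lookup
# ignores case, so .../PRIVATE/payroll.html finds .../private/payroll.html.
resolve_hfsplus() {
    p=$(lower "$1")
    for f in $FILES; do [ "$(lower "$f")" = "$p" ] && { echo "$f"; return 0; }; done
    echo ENOENT
}

# serve PATH CHECK: one request through the access check named by CHECK, then
# through the filesystem. Prints the HTTP status (and the file actually served).
serve() {
    if [ "$("$2" "$1")" = yes ]; then echo "403 Forbidden"; return 0; fi
    real=$(resolve_hfsplus "$1")
    if [ "$real" = ENOENT ]; then echo "404 Not Found"; else echo "200 OK $real"; fi
}

serve /Library/WebServer/Documents/private/payroll.html is_denied_casesensitive   # 403
serve /Library/WebServer/Documents/PRIVATE/payroll.html is_denied_casesensitive   # 200: the bypass
serve /Library/WebServer/Documents/PRIVATE/payroll.html is_denied_casefolded      # 403 again
```

The durable fix is the one the second check models: make the gate compare names the same way the filesystem does. Listing extra spellings in the config is a losing game, because the number of case variations of a path grows exponentially with its length.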
For more details on this vulnerability and its solutions, go to: http://www.kb.cert.org/vuls/id/439395

Ease of use
OS X is much more server-oriented than old MacOS
All sharing-related services are handled from a single Preference pane
• One click turns on file sharing
• One click turns on FTP access to shared files
• One click turns on Web Sharing
• One click turns on SSH access
Even more important: One click turns these OFF!

OS X, even the non-“Server” version, is much more server-oriented than old MacOS. Most of its server functionality can be turned on or off and configured through the Sharing preference pane. The defaults for most services are well thought out and are sufficient for most users’ needs. In the Sharing preference pane, all of the following services can be turned on or off, and tweaked:
• File sharing
• FTP access to shared files (yikes…FTP sends the password, and everything else, in the clear)
• Web Sharing, which uses the tried-and-true Apache web server; the root web directory is Admin-access only, and each user has a home page folder (http://.../~username)
• Remote shell access, using OpenSSH, not telnet!
• Remote Apple Events (formerly known as Program Linking)
Likewise, one click turns these OFF, which is important when a vulnerability in Apache or OpenSSH is discovered. As of OS X 10.2, the Sharing pane also includes a GUI to administer the firewall. From what I’ve seen, it seems pretty minimal...I’d still recommend BrickHouse, which we’ll talk about soon.

A note: These service startup settings are written to a file, /etc/hostconfig. You can edit this file directly to turn services on/off at startup. Good to know if you want to shut down a service when you’re not sitting in front of the Mac (i.e., do this over SSH). Editing the file changes only what starts at the next boot; to stop a daemon that is already running you still have to kill it (or reboot).

OS X 10.2 Sharing pane
Sharing pane under Jaguar.
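An added example (mine, not from the lecture) of editing that file from a shell without fat-fingering it: hostconfig_get reads a setting, hostconfig_set changes one, refusing values other than -YES-/-NO- and keys that are not already there, and replaces the file atomically so a dropped SSH session cannot leave it half-written. The key names SSHSERVER, WEBSERVER and AFPSERVER are the ones I expect in a Jaguar /etc/hostconfig; confirm them on your own Mac with grep SERVER= /etc/hostconfig before relying on this. The demo works on a constructed copy; point it at the real file (with sudo) to change the real thing.

```shell
#!/bin/sh
# Added example: toggle service startup settings in a hostconfig-style file.
# Not from the lecture; HOSTCONFIG_SAMPLE is a constructed stand-in for /etc/hostconfig.

HOSTCONFIG_SAMPLE='# constructed sample of /etc/hostconfig
AFPSERVER=-YES-
SSHSERVER=-YES-
WEBSERVER=-YES-
IPFORWARDING=-NO-'

# hostconfig_get FILE KEY: print the value of KEY (e.g. -YES-), or nothing
hostconfig_get() {
    sed -n "s/^$2=//p" "$1"
}

# hostconfig_set FILE KEY VALUE: set KEY to -YES- or -NO-. Refuses other values
# (exit 2) and keys that are not in the file (exit 1), so a typo cannot add a
# bogus line. Writes to a temp file and renames it into place.
hostconfig_set() {
    case "$3" in -YES-|-NO-) ;; *) echo "hostconfig_set: bad value '$3'" >&2; return 2;; esac
    grep -q "^$2=" "$1" || { echo "hostconfig_set: no such key '$2'" >&2; return 1; }
    tmp="$1.tmp.$$"
    sed "s/^$2=.*/$2=$3/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demo on a scratch copy: turn off SSH at next boot and show the result.
f=$(mktemp)
printf '%s\n' "$HOSTCONFIG_SAMPLE" > "$f"
hostconfig_set "$f" SSHSERVER -NO-
cat "$f"
rm -f "$f"
```

If you are doing this over SSH to turn SSH itself off, change the file first, then kill the running sshd listener (its PID is in the lsof output from earlier) as the very last command, since that is the session you are sitting in.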
The “Internet” tab lets you share your connection (i.e., act as a router) for other computers.

File Sharing
File Sharing is more intuitive, possibly less flexible
Most of these have the red symbol because this is not my user folder, so I can’t peek in those folders.

To begin with, File Sharing is more intuitive, if less flexible. Each user automatically has full permissions on his own directory, as well as a read-only Public folder for sharing things with users/Guests and a write-only Drop Box inside it. There is also a communal Shared folder which is read-only for all named users. The OS 9 sharing setup we went through for the two Joes etc. is basically the default setup for OS X sharing: pretty much any permutation of privileges you would need is already available, so just create your users and put the right things in the right folders.

Connecting to other servers
Go menu -> “Connect to Server…” or Command-K:
This slide (self-referential)

Connecting with 10.2
Choose a realm, and X detects and displays available servers. Or type the address manually and hit Connect. Or select from Favorites (top popup menu; it bookmarks your most recent servers). In Jaguar (10.2), you can even browse SMB shares!

Connecting to other servers
Once you’ve picked the server you want to connect to, the next box should look familiar:
Hit the Options… button to get the box below:
Familiar? This is one OS X machine connecting to another. Good to have a reminder.

This part of the process is pretty similar to the equivalent under old MacOS.
One thing that I find rather lacking is that you have to hit the Options button to see what kind of password encryption is being used. But you can also set a preference to tell you when you’re about to send your password in clear text, which is a step up from the OS 9 version.

Firewalling on OS X
OS X’s built-in firewall is ipfw.
By default, allows anything. :(
There are a couple of good GUIs for it.
Brickhouse!

ipfw can be administered from the command line, but there are a couple of terrific front-end programs for it. Brickhouse, by Brian Hill (who’s written a heap of good security apps for OS X), is $25 shareware. It’s well worth it. Brickhouse has a built-in assistant feature to help guide you through creating a set of firewall rules, or you can make your own. It even has Expert Mode, which displays the actual ipfw config file and lets you edit that directly. Use drag and drop to re-order rules. It has logging in human-readable format. It’s great.

Shortly after the release of Jaguar (10.2), Apple patched ipfw to enable support for stateful rules. The firewalls lecture in this course covers what that means in detail, so we’re not going to explore it right now, but suffice it to say that stateful is very, very good: the firewall remembers the connections your Mac opened and lets only their replies back in, instead of you having to leave whole port ranges open for return traffic. And the latest versions of Brickhouse are aware of the feature and will generate rules accordingly.

One Brickhouse caveat: it is possible (at the time of this writing, with version 1.2b9) to create a rule which contains invalid syntax and which causes ipfw to silently fail. If you make a rule and specify “all” or “any” in the destination port box, Brickhouse will not tell you that that’s wrong, and it’ll break your firewall. If you want to specify all destination ports, just leave that box blank. After loading any rule set, confirm what actually took effect with sudo ipfw list rather than trusting the GUI. There’s a ton of documentation on ipfw, since it comes directly from the FreeBSD camp.

Firewalling on OS X
Brickhouse’s Add Filter dialog box.
Has a lot of presets, or you can create custom ones.

The Advanced Options button lets you specify flags and toggle logging for that rule. An odd caveat: I had to make an allow rule for SSH inbound from my IP to my IP in order to tunnel SSH from Classic (even though they have the same IP!) If you encounter this sort of strangeness between Classic and X, check your firewall settings. This may not be necessary anymore in 10.2. Another note: In 10.2, if you want to be able to browse local Windows domains and shares (as opposed to just connecting to them if you know their names), then you’ll need to add an allow rule for UDP traffic with destination port 137 (the NetBIOS name service) destined for your Mac.

Useful Tools - Network Utility
• ping
• traceroute
• whois
• nslookup
• netstat
• finger
• a port scanner (careful with that one.)

In most, if not all cases, these tools will work better and/or have more options if you use them from the CLI. Especially netstat. (netstat -an | less) Know the Terminal. Love the Terminal.

Useful Tools - Keychain
Keychain can store your passwords for frequently accessed things, and prompt you for your Keychain über-password to unlock the other passwords. Many apps are Keychain-aware (such as MacSFTP; this keeps you from having to re-enter your password for every SCP operation you perform). It goes without saying that your Keychain password ought to be very secure: it is the one password that unlocks all of the others.

Useful Tools - Process Viewer
GUI for the Unix top command. Shows which apps are running on your Mac.

From here, you can select a process and the Process ID and Statistics tabs will display information about it.
You can also go to the Processes menu and select “Quit Process” to kill it.

Useful Tools - NetInfo Manager
Getting into NetInfo is outside the scope of this class. See the von Stauber presentations for more on NetInfo
Be careful with this tool and the command-line tools (nidump, niutil, etc.)
But you should know that they exist in case you come across a howto that requires their use.

Put simply, NetInfo is a central directory for storage of service information (e.g., DNS lookups, but it does more than that). It’s a distributed database system, inherited from the days of NeXT. Since there aren’t many large OS X environments, it’s usually manifested as a local database just on your machine. Use NetInfo Manager to view information, but don’t change anything unless you know what you’re doing. Among other things, you can use it to create non-standard shares beyond the OS X default. The OS X System Administration guide goes into some detail about NetInfo and its security implications; see its references for more info.

Useful Tools - Terminal
We’ve already mentioned the Terminal a bunch of times. It’s your window onto the CLI.
There is a Terminal-related caveat in OS X: aliases and symlinks

The Terminal is how to get at the CLI on OS X. The default shell is tcsh; I use bash. With some tweaking, you can get color-coded directory listings, syntax highlighting in Vim, etc. All that cute Unix stuff. Google for what you want to do and odds are that someone will already know how.

Terminal caveat: Mac aliases created in the Finder (which operate like symlinks or Shortcuts) do not behave properly from the Terminal, at least not in bash. They are treated as empty files. Furthermore, symlinks created in the Terminal will not work as aliases in the Finder. It’s a quirk.
Useful Tools - tcpdump
Covered in detail in another class
Use sudo, and remember that the Mac’s Ethernet interface is called en0, not eth0, and you have to specify it explicitly: sudo tcpdump -i en0 …
MacSniffer is a nice front end

Tcpdump is included in OS X. It needs to be run with sudo or as root, and you should always tell it which interface to use (normally en0, the built-in Ethernet). MacSniffer is a good graphical front end for it, written by the same guy that wrote BrickHouse.

Useful Tools - MacSniffer
MacSniffer lets you select options like capture size, how much header info to show, hex/ASCII data, name lookups on or off, etc., and you can create and run filters to pick out the data you want to see. Ethereal-esque.

Useful Tools - MacJanitor
Shareware or freeware program for doing system cleanup tasks like log rotation, cache cleanup, etc.
Good to use if you have to shut down your Mac every night, since that may prevent a lot of tasks from running.

It’s important to keep your logs working properly, since that’s likely to be the first place you look if you have a security problem. (The daily, weekly and monthly maintenance scripts are run by cron in the small hours; a Mac that is switched off then never runs them, which is the gap MacJanitor fills by letting you run them by hand.)

Useful Tools - CheckMate
Preference pane to generate MD5 checksums of key files and scan for changes.

Brian Hill rules. CheckMate generates a list of MD5 checksums for key files (and for any other files you add to it) and re-scans on a schedule you specify. It emails you the scan results, and also sends an email alert if a checksum has changed. A caveat: If you toggle ftp on/off in the Sharing pane, that does change inetd.conf, which causes CheckMate to send an alert. Don’t panic. (Do read the alert, though: “I changed that myself” is the right answer only if you actually did.)
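The same idea as CheckMate, done with the command-line md5 tool so it works over SSH and from cron, as an added example (my code, not CheckMate’s). baseline_create records one checksum per file; baseline_check reports files that changed or disappeared and exits non-zero if anything did. It uses md5 (the BSD tool on OS X) when present and md5sum (GNU) otherwise, so the demo runs on either. The files it checks are constructed in a temporary directory; on a real Mac you would feed it /etc/inetd.conf, /etc/hostconfig, /usr/bin/sudo and so on, and keep the baseline file somewhere the machine itself cannot silently rewrite (a CD, another host), since a baseline an intruder can edit proves nothing.

```shell
#!/bin/sh
# Added example: file-integrity baseline with MD5, CheckMate-style.
# Not CheckMate's code; the files in baseline_demo are constructed.

# hash_file PATH -> hex MD5. `md5 PATH` prints "MD5 (PATH) = hash" (last
# field); `md5sum PATH` prints "hash  PATH" (first field).
hash_file() {
    if command -v md5 >/dev/null 2>&1; then md5 "$1" | awk '{ print $NF }'
    else md5sum "$1" | awk '{ print $1 }'; fi
}

# baseline_create BASELINE FILE...: write "hash  path" lines for each FILE
baseline_create() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"; done
}

# baseline_check BASELINE: print CHANGED/MISSING lines; exit 0 only if all match
baseline_check() {
    status=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then echo "MISSING $path"; status=1
        elif [ "$(hash_file "$path")" != "$sum" ]; then echo "CHANGED $path"; status=1
        fi
    done < "$1"
    [ $status -eq 0 ] && echo "OK: all files match baseline"
    return $status
}

# baseline_demo: scratch files standing in for /etc/inetd.conf and a binary
baseline_demo() {
    d=$(mktemp -d)
    printf '#ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l\n' > "$d/inetd.conf"
    printf 'pretend this is a binary\n' > "$d/sudo"
    baseline_create "$d/baseline.md5" "$d/inetd.conf" "$d/sudo"
    baseline_check "$d/baseline.md5"                 # OK
    printf 'ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l\n' > "$d/inetd.conf"   # FTP toggled on
    rm "$d/sudo"
    baseline_check "$d/baseline.md5" || true         # CHANGED inetd.conf, MISSING sudo
    rm -rf "$d"
}

baseline_demo
```

The “FTP toggled on” line in the demo is the CheckMate caveat from the slide reproduced: flipping FTP in the Sharing pane really does rewrite inetd.conf, so the CHANGED report is correct, and the only way to tell a legitimate change from a tampered file is to know what you changed and when.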
Useful Tools - CheckMate
The files and their checksums. You can add/remove and import/export, or go back to default.

GPG Mac
The GNU Privacy Guard program for OS X. PGP-compatible.
• Follow the readmes to a tee and you’ll be fine.

GPG for Mac OS X works perfectly as long as you follow every step in the directions. The GUI tools are kinda minimalist, but they work, and everything works fine from the CLI. Definitely not as pretty as PGP Freeware for Mac, but it’ll get better. Apple’s “Mail” program has GPG support, too.

MacSFTP
Carbon
Drag-and-drop SCP (Secure CoPy).

Fetch-like interface, but secure. If you’re moving files between your Mac and an SSH-able server, this is a must. Caveat: It will keep asking for your password over and over (because each transfer is a separate SCP action). But you can add that password to your Keychain and then it will stop bugging you. (Remove it later if you’re worried about your Keychain’s security.)

Surfing Differences
Principles and methods from the previous section also hold true in OS X.
One big tip: OS X ships with Internet Explorer. Update it asap.
Apple’s “Mail” program has SSL and GPG support! :)
Eudora, Outlook, BlitzMail for OS X are available

We covered the principles of safer surfing in the last section, so here we’ll only skim and point out some key tips. Thing One is, Internet Explorer comes with OS X. Make sure you update it right away; early versions had severe security problems. Pure opinion re web browsers: Use OmniWeb.
It’s shareware, but it has all features enabled regardless of whether you register or not, and it has a bunch of security and privacy options that are easy to understand and modify. It’s also fully integrated with the Quartz engine, so even silly web pages look beautiful when viewed with OmniWeb. This program is what tipped me over the edge from OS 9 to X. :)

Apple’s email program, called Mail, doesn’t have much in the way of bells and whistles, but it does have SSL and GPG support. And there is a version of BlitzMail for OS X, as well as Eudora for X, and Outlook (now called Entourage, I think?). I’m not sure how well the rest of these integrate with GPG, since GPG is so new, but the support will be there soon if it’s not already.

Patches
Are vital.
Software Update
• Runs automatically, you can specify when (at least once a week please…)
You might be able to patch things quicker yourself with source code, but usually not a great idea
Apple’s pretty fast. If they’re not fast enough, then get creative with your firewall.
• Or turn off services and just wait.

Software Update runs automatically, once a week unless you say otherwise. Or you can “Update Now.” Sometimes you’ll hear about an update before your computer’s updater detects it; try again in a few hours. Apple staggers the availability to avoid having a big traffic glut all at once. If you don’t want to wait, you can download and install manually: go to the Apple menu and select “Get Mac OS X Software…” to be taken to the website. As an alternative to waiting for Apple’s patch, if you know which services are affected, you can get the updated source code and compile it yourself. But the downside is that this can confuse Software Update, making future updates more difficult to apply.
Also, some of the BSD things are specially tweaked for OS X, and if you overwrite them with your own installation, you can lose functionality (I updated my copy of Apache manually, and in the process broke my users’ Sites folders. Wonder what else I broke). On average, Apple’s patches come out within a week or two of an advisory. Turn off/block the affected service, or reconfigure/disable whatever aspect of the service is affected, until you’ve installed the patch. But what if you absolutely cannot live without that service for any length of time? Alter your usage to compensate. For example, the OpenSSH vulnerability -- limit access to one other machine, then shell into that first. By the way, run Software Update (and reboot when applicable) repeatedly until it says “no updates available.” Why? Software Update updates have been released several times, so older versions will not see all the newest updates. 106 Patching 3rd-party Software Many software companies are following Apple’s example • Automatic update check at startup • Or “Check for Updates” menu option If not, use http://www.versiontracker.com Or go to Apple Menu -> “Get Mac OS X Software…” and find updates there. Categorized and searchable, not just Apple’s stuff. Macintosh Security Basics • IRIA Group, Dartmouth College • Hanover, NH • Winter 2002-2003 107 It’s especially good to stay up-to-date with your programs now, even if they’re not network- or security-related per se, since OS X is still so relatively new. Bug fixes tend to be pretty major (like, stop Word from crashing on launch). 107 Conclusions Why use MacOS/OS X? Running OS X is a bigger security risk than using old MacOS. We don’t know how much longer we’ll have the choice (OS 9 is being phased out) but for now, you might want it. What do you use a computer for? Macintosh Security Basics • IRIA Group, Dartmouth College • Hanover, NH • Winter 2002-2003 108 Why use MacOS/OS X? Running OS X _is_ a bigger security risk than using old MacOS. 
You are in the Unix world now. What do you use a computer for? If you’re just doing word processing and using a web browser, MacOS 9 is probably enough for you, and if you’re extremely paranoid about hackers, that’s another reason to stick with old MacOS while you still have the choice. If you’re not sharing files or web pages, your OS 9 Mac is a fortress, network-wise. But if you’re interested in Unix, OS X is a nice environment for learning about it; you can delve in as deeply as you want through the Terminal, then back out and use it as a Mac again. If you need the power of Unix and you like to write code, or you need to be able to perform remote administration tasks (but don’t want to cough up bucks for Timbuktu), OS X may be a great match. And in another year or two, it will be your ONLY choice in the Mac world. 108 Conclusions Security is not about definite rights and wrongs, it’s about business need. Or academic need. Sometimes the benefits are worth the risks. Hopefully, from what we’ve talked about, you’ll be able to minimize your risk with minimal expense. Contact info: Email [email protected], AIM screen name nu11dev1ce Macintosh Security Basics • IRIA Group, Dartmouth College • Hanover, NH • Winter 2002-2003 109 Please feel free to contact me by email or AIM anytime. 109 Appendix A -- URLs and sources This is a list of URLs and other sources of information referenced in this class, plus some sources of supplemental information (not on the test). Macintosh Security Basics • IRIA Group, Dartmouth College • Hanover, NH • Winter 2002-2003 110 1) Apple’s OS X Security Introduction: http://developer.apple.com/internet/macosx/securityintro.html 2) The iMac LoJack story: http://www.macscripter.net/un_ilojack.html 3) Mac OS X System Administration: http://www.occam.com/ocr/osx/OSX_SA.pdf 4) Mac OS X Security: http://conferences.oreillynet.com/presentations/macosx02/towns_leon.pdf 5) Brief Mac security intro. 
Here mainly for the port list: http://www.sans.org/infosecFAQ/mac/mac_sec.htm 6) OS X Security Intro paper. Based on 10.0, but still largely applicable: http://rr.sans.org/mac/OSX_sec.php 7) “The Challenges of Integrating the Unix and Mac OS Environments”: http://www.mit.edu/people/wsanchez/papers/USENIX_2000/ These are additional URLs mentioned in this presentation: • http://www.anonymizer.com -- Anonymous websurfing • http://www.bio.upenn.edu/computing/instructions/security/portforwarding/ How to make an ssh tunnel for user/pass part of ftp session • Blitzmail alternatives: https://basement.dartmouth.edu/blitz http://netblitz2.dartmouth.edu/Bl.cgi ssh textblitz.dartmouth.edu as user “blitz” with no password • http://www.symantec.com/mac/security/macattack.html -- Mac virus information • http://www.kb.cert.org/vuls/id/439395 -- OS X Apache HFS case vulnerability 110 Appendix B -- Supplemental Info Not required reading, but good sources of more information. Macintosh Security Basics • IRIA Group, Dartmouth College • Hanover, NH • Winter 2002-2003 111 Supplemental information: http://www.securemac.com http://www.macsecurity.org/ http://www.macwrite.com/macsecurity/mac-os-x-security-intro.php http://www.macosxhints.com/search.php?mode=search&type=stories&topic=network http://www.info.apple.com/usen/security/index.html http://www3.sympatico.ca/dccote/firewall.html http://www.macintoshsecurity.com/modules.php?name=Topics http://forums.osxfaq.com/index.php http://freaky.staticusers.net/update.shtml http://www.info.apple.com/usen/security/security_updates.html book://“Internet Security For Your Macintosh.” By Alan B. Oppenheimer and Charles H. Whitaker. Less relevant: OS X Guide -- a shareware “book” distributed as a PDF. About 75 pages. It’s general OS X info, some of which is security-related. If you’d like to know more general OS X info, blitz me and I’ll send it to you. 
http://www.securemac.com/osxsecurity.php -- Intro to securing OS X Server http://www.macdevcenter.com/pub/a/mac/2002/01/29/apache_macosx_four.html?page1 -A short article on using Apache under OS X. http://web.archive.org/web/20011129045631/http://homepage.mac.com/gdif/tipstricks.html -- Mac OS X tips and tricks aimed at the Unix side of the OS, several security-relevant. 111 Appendix C -- Software Where to download or buy the things we mentioned. Macintosh Security Basics • IRIA Group, Dartmouth College • Hanover, NH • Winter 2002-2003 112 Uber-site for OS X software: “Get OS X Software...” from Apple menu. MacSSH and MacSFTP, Classic or Carbon: http://www.macssh.com Timbuktu: http://www.netopia.com/en-us/software/products/tb2/mac/index.html Fetch (FTP): old free version on PUBLIC, new shareware version at http://www.fetchsoftworks.com Eudora: http://www.eudora.com/ BlitzMail: Classic version on PUBLIC, new version at http://www.dartmouth.edu/~helpdesk/help/mac_updates.html Kerberos for OS X:http://www.dartmouth.edu/~helpdesk/help/mac_updates.html (Classic on PUBLIC) Norton Antivirus: Dartmouth used to have a site license agreement, $7 per copy, or http://www.symantec.com/product/ (also URL for Personal Firewall) BrickHouse, CheckMate, MacSniffer, MacJanitor, and other good stuff: http://personalpages.tds.net/~brian_hill/ GPG Mac: http://macgpg.sourceforge.net/ PGPFreeware for Mac: http://download.com.com/3000-21495065566.html?legacy=cnet OmniWeb: http://www.omnigroup.com/applications/omniweb/ Many of these are also on the CD, as well as some other programs we didn’t mention. Dartmouth carries a lot of the commercial software, so you get an academic discount if it’s available (and no sales tax, yay). MacConnection.com is also good, ask for academic pricing. 112 This space for rent. Macintosh Security Basics • IRIA Group, Dartmouth College • Hanover, NH • Winter 2002-2003 113 113
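The checksum-baseline idea behind CheckMate (slide 102, “the files and their checksums”), as an added example rather than CheckMate’s own code: it records a baseline of file hashes (the “default”), exports and re-imports it, and on a later check reports which watched files changed or vanished. The file names and contents in demo() are constructed for the demonstration.

```python
# Added example of the checksum-baseline idea behind CheckMate (not its code).
import hashlib
import json
import os
import tempfile

def file_checksum(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """The 'default' set: checksum every watched file once and record it."""
    return {p: file_checksum(p) for p in paths}

def export_baseline(baseline, dest):
    """Export as JSON so the baseline can be kept off-box and re-imported."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)

def import_baseline(src):
    with open(src) as f:
        return json.load(f)

def check(baseline):
    """Recompute every watched file and report what no longer matches."""
    changed, missing = [], []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif file_checksum(path) != expected:
            changed.append(path)
    return {"changed": sorted(changed), "missing": sorted(missing)}

def demo():
    """Constructed scenario: baseline two files, then edit one and delete one."""
    d = tempfile.mkdtemp()
    hosts, sshd = os.path.join(d, "hosts"), os.path.join(d, "sshd_config")
    for path, text in ((hosts, "127.0.0.1 localhost\n"), (sshd, "PermitRootLogin no\n")):
        with open(path, "w") as f:
            f.write(text)
    store = os.path.join(d, "baseline.json")
    export_baseline(build_baseline([hosts, sshd]), store)
    with open(hosts, "a") as f:  # an unexpected edit after the baseline was taken
        f.write("192.0.2.10 example\n")
    os.remove(sshd)  # and a watched file that has disappeared
    return check(import_baseline(store))
```

A real deployment keeps the exported baseline somewhere the monitored machine cannot silently overwrite it, otherwise whoever changed the files can change the checksums too.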