ENGS 69 - Whoopis.com

Transcription

ENGS 69: Engineering Secure
Computer Systems
Macintosh Security Basics
Thayer School of Engineering, Dartmouth College
Winter 2002-2003
Marion Bates
Investigative Research for Infrastructure Assurance
Macintosh Security Basics • IRIA Group, Dartmouth College • Hanover, NH • Winter 2002-2003
1
Macintosh Security Basics
What we’ll cover:
Basic system security for MacOS (mainly v. 9.x) and
Mac OS X, including:
• File Sharing (from both client and server perspectives)
• Network/Internet client security (“safe surfing”)
• Firewalls, viruses, email
• OS X basics, bonuses, and pitfalls
We’ll start with MacOS 9, since OS X inherits from 9.
A little bit of history.
MacOS < OS X has no command line.
“Where’s the DOS?” There isn’t one.
Control vs. simplicity
MacOS versions prior to OS X have no command line. The “GUI” you see IS
the actual OS, not just a user interface on top of an underlying OS structure.
This may seem obvious, but people have asked me “Where’s the DOS?” There
isn’t one.
So, WYSIWYG for real. Depending on your point of view, this can be
extremely comforting, or extremely frustrating. Or both.
There can be only one.
Historically, single-user systems
Multi-user addons: AtEase, Multiple Users
But, no over-the-network console login
Timbuktu
Macs were historically always single-user systems. Things like AtEase (and
more recently, Multiple Users, which comes with the OS) allow for different
users with different levels of access privileges (kinda like the Win98 login).
But there is no over-the-network console login. You can’t remotely connect to
your Mac as though you’re sitting at the actual keyboard. (Well, there is
Timbuktu...we’ll talk about that later.)
Macs can serve
Some built-in server functionality
• File Sharing
• Printer Sharing
• Personal Web Sharing
With 3rd party apps, FTP/Gopher server, etc.
Remote administration -- Timbuktu.
Some built-in server functionality exists, but with limited over-the-network
user control.
In other words, “out of the box” Macs can share files (File Sharing), act as
print servers for printing over the network (Printer Sharing), and serve web
pages (Personal Web Sharing). With the shareware program NetPresenz, a
Mac can be an FTP/web/gopher server.
But remote administration of a (non-OS X) Mac is tricky. Perhaps the most
powerful tool for this is Timbuktu.
Ok, so what’s Timbuktu?
Server component on one Mac
Client on another Mac
Client can control the server
iMac = LoJack!
Like PCAnywhere. Load the server component on one Mac, load the client on
another Mac, and the client can control the server. You can even move the
cursor, open/close apps, etc. on the remote machine. Nice for teaching and
presentations.
Also nice for turning a stolen iMac into a LoJack. :) See handout # 2 or URL
below.
http://www.macscripter.net/un_ilojack.html
Not really important to our class, but OH so cool.
General security implications
Single-user-ness -- inconvenient, but aids security.
• Typically, not a lot of services listening on ports
• No remote login
Basic services - relatively easy to do safely
Without physical access, not much a bad guy can do
The Mac’s single-user-ness, while sometimes inconvenient, helps contribute to
its security. You generally do not have a bunch of services listening on ports
and you cannot log in remotely. Even if you do set up file and web sharing, it’s
pretty easy to do it safely. Without physical access to the machine, there is not
much a bad guy can do to a stock Mac.
Unique is Good
(Apple users have learned how to find the silver lining
in a mushroom cloud.)
Macs are a small population -- security advantage
Example: Viruses.
• Creators want large-scale effects, so, go after
the big target -- Windows.
• Why bother with Macs? Too small of a target.
Mac users, by virtue of being part of a relatively small population, have some
significant security advantages.
Take viruses. People who create viruses and worms tend to want their little
creations to have large-scale effects. This is part of the reason why there are so
many Windows viruses -- big target. Who’s going to bother to spend all the
time and effort making a piece of Mac-specific malware that affects maybe ten
percent of all computer users?
Unique, but still pretty versatile
Security tools available for Macs that you might not
have known about:
• PGP, email with SSL support, SSH, SFTP,
personal firewalls, antivirus software, VPN clients,
traceroute, ping, sniffers, file encryption tools, etc.
Lots are free, or cheap shareware. Many available on
Dartmouth’s PUBLIC file server.
PGP: MacPGP (for older systems -- free), Network Associates PGPFreeware
(free for academics), GPG for OS X (GPL, free)
SSL email: Eudora, Outlook/Entourage, Communicator? All free, all available
for OS X or Classic
SSH: MacSSH (free), F-secure SSH for Mac (payware, big academic discount,
but MacSSH is better anyway). SSH is built into OS X.
SFTP: MacSFTP Carbon, MacSFTP Classic, shareware (cheap)
Personal firewalls: Norton for Mac, commercial, academic discount. OS X has
built-in fw, Brickhouse front end is shareware.
Antivirus: Various. Norton is good, academic discount.
VPN -- CheckPoint VPN-1 for MacOS 8 and up. Commercial, academic price
unknown.
Traceroute -- WhatRoute. Free. Get from PUBLIC. Not needed on OS X.
Ping -- MacPing. Free, PUBLIC. Not needed on OS X.
Sniffers -- Etherpeek, NetWatchman, others... most seem to be payware, but
you can use demos for free.
File encryption -- PGP (see above), Apple File Encryption tool, Stuffit Lite
(stuff and require password -- not really encryption, but does help hide the data
in a pinch). Available for OS X or Classic, free.
Versatile in not so nice ways
Macs were not completely overlooked by the black hat
community…
• Several groups develop Mac hacking software
• Online sources of Mac hacks, e.g. Freaky’s,
alt.hackintosh, HotLine servers, etc.
• There were/are a variety of blackhat tools and
exploits for Mac
In spite of the uniqueness factor, Macs were not completely overlooked by the
black hat community. A handful of small but dedicated underground hacker
groups do develop Mac hacking software, and websites devoted to Mac hacks,
e.g. Freaky’s Macintosh hacks archive, alt.hackintosh, HotLine servers, and
more.
There were/are a variety of blackhat tools and exploits for Mac.
AtEase and File Sharing hacks, SubSeven trojan, portscanners, keystroke
loggers, BackOrifice client (for Mac users who want to 0\/\/N BO’d Windows
victims), anonymous emailers, DoS attacks (an early version of Open Transport
had a bug that was used in a DDoS attack here at Dartmouth; it brought our
network to its knees)... etc.
What to do
Now: OS X, the Unix-based next generation of
Mac OS. We’re not so unique anymore.
Our focus: How to secure your Mac using mainly the
tools that came with it, and how you can use the
network/Internet more securely.
Mac OS 9.x and Mac OS X. Not OS X Server
And now, we have...OS X, the Unix-based next generation of MacOS, and
EVERYTHING has changed. We’re not so unique anymore.
We’re going to focus on how you can secure your Mac using mainly the tools
that came with it, and how you can use the network/Internet more securely.
Starting with old MacOS (still in use on a lot of old and not so old machines,
and as a second boot choice under OS X), and then moving on to OS X (now
preinstalled on new Macs).
We won’t be getting into Mac OS X Server, but the same principles that apply
to normal OS X also apply to Server.
Physical Security
Crucial. Generally, if someone has physical access to
your Mac, they can own it.
• Boot from external devices
• Single-user mode (OS X)
• Mess with OF
• OS X can dual-boot into OS 9, rendering Unix
file permissions moot
Options: Security cage, disable single-user mode,
password-protect OF, password protect HD
Crucial. Generally, if someone has physical access to your Mac, they can own
it. They can boot from CD-ROM, Zip, netboot, or an external USB/FireWire drive;
in OS X, they can boot into single-user mode (a root shell with no password), or boot
old MacOS, at which point OS X’s permissions become moot (similar to dual-boot
Windows machines).
Options:
Security cage. Block access to CD-ROM etc. and rear ports. Annoying if it’s
the machine you use every day.
In OS X, disable single-user mode in Open Firmware, then password-protect
OF. But that can cut both ways -- SUM is sometimes the last resort for
rescuing data. (The Miller handout mentions a utility to password-protect
single-user mode -- I have not tried it, but that might be a good thing to add.)
For MacOS, there is third-party software for password-protecting the hard disk
such that it can’t be mounted even if you boot off other media. Don’t forget the
password though...
Physical Security Solutions
Realistically: Be sensible.
• In a server environment, lock and key
• In a dorm, hide the power cord or the mouse,
or pull the hard drive power connector and then
lock the case with a padlock. :) No tools
needed.
Realistically, the best option is to be sensible.
In a server environment, important machines should be under supervision
and/or lock and key anyway.
In a place like a dorm, you can discourage the casual nosiness of your
roommate’s friends when you’re not there, by doing something like hide the
power cord or the mouse, or, for the slightly geekier approach, pull the hard
drive power connector and then lock the case with a padlock (the case has a
built-in loop for this purpose).
File Sharing
Client use:
• Prep
• AppleTalk “on” (see Chooser)
• Appletalk set to proper network interface
(AppleTalk Control Panel -> Ethernet)
• Connecting to shares
• Old and new way (same end result, new way
is a bit easier and more flexible)
First, client use. Quick howto:
Make sure AppleTalk is “on” (see Chooser) and that it is pointed at the right
network interface (AppleTalk Control Panel, choose Ethernet.)
Connecting to shares the “old school” way:
Apple Menu -> Chooser -> AppleShare -> pick a zone -> pick a server from
the list of servers in that zone -> connect using a logon and password, or select
“Guest” if available/applicable.
The newfangled way:
Launch Network Browser (from Apple Menu, probably) -> pick a domain (or
just go for AppleTalk) -> look for servers, connect as above.
Password encryption
Starting with MacOS 9, File Sharing passwords are
encrypted BUT…
ONLY if both the client and server are running OS
9.x or better. Backwards compatibility.
Newer client will default to a clear text password in
order to accommodate the older Mac.
Login window will indicate the level of security of the
password transfer.
Starting with MacOS 9, File Sharing passwords are encrypted (I don’t know
the scheme), but ONLY if both the client and server are running OS 9.x or
better. In other words, to maintain backwards compatibility, if a MacOS 9
user tries to connect to a MacOS 8 server (or another old server, like Linux
with netatalk), then the OS 9 client will default to a clear text password in
order to accommodate the older Mac. You will be able to tell when you go to
login -- the login window will indicate the level of security of the password
transfer. If it says “clear text” then watch out.
OS 9 on both ends
MacOS 9 to MacOS 9
OS 9 to old server
MacOS 9 to Linux Netatalk
OS 9 to OS X
MacOS 9 to OS X (Diffie-Hellman Exchange)
What if it IS clear text?
Sensitive data?
Only copy?
• If so, use encryption, or another medium
Access privileges?
• Impostors logging in as you, what could they
do?
Server admin contact?
Duplicate password?
Is the data on the other end extremely sensitive or is it the only copy? Perhaps
you should encrypt it or compress and password-protect the file(s) first, or use
another more secure medium to transfer them.
What access privileges does your account have on that server? (In other words,
if someone did sniff your password, and that person later logs in as you, can he
damage the system? It would look like YOU did it.)
Can you contact the server admin and ask him to change your password to
something else? (You can usually change it yourself, but of course if the whole
communication is unencrypted, then the new password will also be visible to a
sniffer.)
Are you using the same password that you use for other things (like BlitzMail,
KClient, your web account, etc.)? A bad guy will probably try applying that
password to these other services.
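The two passages above (a newer client quietly falling back to a clear-text password so that an older server can understand it, and the login window telling you what kind of password transfer you are about to make) can be modelled as a short negotiation. The following Python is an added example, not code from these slides or from Apple: the method names are the AFP user authentication method (UAM) identifier strings as far as I know them, but the client’s preference order, the lists of methods each kind of server is assumed to offer, and the allow_clear_text policy switch are constructed assumptions for illustration.

```python
from typing import Dict, List, Tuple

# How the password crosses the wire for each AFP UAM. Which of these a real
# MacOS 9, Mac OS X or netatalk build offers is an assumption of this example.
PASSWORD_ON_WIRE: Dict[str, str] = {
    "DHCAST128": "encrypted (Diffie-Hellman exchange)",
    "2-Way Randnum": "never sent (two-way challenge/response)",
    "Randnum Exchange": "never sent (challenge/response)",
    "Cleartxt Passwrd": "CLEAR TEXT",
    "No User Authent": "no password (Guest)",
}

# The client's preference order, strongest first (assumption of this example).
OS9_CLIENT_UAMS: List[str] = [
    "DHCAST128", "2-Way Randnum", "Randnum Exchange", "Cleartxt Passwrd", "No User Authent",
]

# Constructed server advertisements reproducing the three cases shown on the slides.
SERVERS: Dict[str, List[str]] = {
    "MacOS 9": ["2-Way Randnum", "Randnum Exchange", "Cleartxt Passwrd", "No User Authent"],
    "Linux netatalk": ["Cleartxt Passwrd", "No User Authent"],  # old build: clear text only
    "Mac OS X": ["DHCAST128", "Randnum Exchange", "Cleartxt Passwrd", "No User Authent"],
}


class ClearTextRefused(Exception):
    """The only method both sides share would send the password in the clear."""


def negotiate_uam(client_uams: List[str], server_uams: List[str],
                  allow_clear_text: bool = True, guest: bool = False) -> Tuple[str, str]:
    """Pick the first method in the client's preference order that the server offers too.

    Returns (uam, description of how the password crosses the network).
    """
    offered = set(server_uams)
    if guest:
        if "No User Authent" not in offered:
            raise ValueError("server does not allow Guest logins")
        return "No User Authent", PASSWORD_ON_WIRE["No User Authent"]
    for uam in client_uams:
        if uam == "No User Authent":
            continue  # not a password method; only used for Guest
        if uam in offered:
            if uam == "Cleartxt Passwrd" and not allow_clear_text:
                raise ClearTextRefused(f"server offers only {sorted(offered)}")
            return uam, PASSWORD_ON_WIRE[uam]
    raise ValueError("no authentication method in common")


def needs_clear_text(client_uams: List[str], server_uams: List[str]) -> bool:
    """True when the strongest method the two sides share is the clear-text one."""
    try:
        return negotiate_uam(client_uams, server_uams)[0] == "Cleartxt Passwrd"
    except ValueError:
        return False


def login_window_banner(server_name: str, allow_clear_text: bool = True) -> str:
    """The line the login window would show for one of the constructed servers."""
    uam, how = negotiate_uam(OS9_CLIENT_UAMS, SERVERS[server_name], allow_clear_text)
    warning = "  <-- WATCH OUT" if uam == "Cleartxt Passwrd" else ""
    return f"{server_name}: password {how} via {uam}{warning}"


if __name__ == "__main__":
    for name in SERVERS:
        print(login_window_banner(name))
```

Running it prints one line per server, and only the netatalk line carries the warning. The allow_clear_text=False switch is the defender’s answer to the “what if it IS clear text?” question: a client that refuses to downgrade cannot have its password sniffed, at the price of not connecting to the old server at all.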
Done with client, now: Server FS
Lots of (better) alternatives…
• Dartfiles
• Blitz
• Dartmouth ftp
• Floppy, Zip, CD-R or CDRW
• USB/FireWire HD
Don’t do it unless you have to. Alternatives:
Put copies of your most-used and/or current working files in your 10MB folder
on Locker, Strongbox, or Vault.
Blitz them to yourself.
If you have a homepage at Dartmouth, make a directory on the ftp server
where your webpages live, and use that to move files around (you have 5MB
of storage for web files, more than most would ever need for webpages).
Carry a floppy or Zip disk. If you have a CD burner, carry a CDR or CDRW
with copies of your stuff on it. Media is cheap.
External hot-swappable drives (how about your iPod? ;) are getting cheaper.
The point of diversification
Eggs in one basket and all that. Lose a copy at worst,
your Mac doesn’t go down with it.
You might want File Sharing anyway:
• Collaboration on group projects
• Fun stuff (sharing games, pictures, or mp3s)
How to do it safely.
If someone hacks into your Strongbox folder, or Webster, or you lose the Zip
disk, then you’ve lost only a copy of your stuff. Beats the heck out of someone
breaking into your Mac and deleting the originals or nuking your System
Folder.
But, File Sharing is nice and lots of people use it not only for retrieving things
remotely, but also for collaborating on group projects (you and your project
partners could upload and download each other’s work from a shared folder,
for example) and for fun stuff (sharing games, pictures, or mp3s -- of course,
only the legal ones). So let’s go into how to do it right.
Configuring a File Sharing server
File Sharing Control Panel
• Owner Name
• Owner password (NOT BLANK!)
• Computer Name.
The IP address will be filled in automatically.
Default: Computer name will be “<name’s> Macintosh.”
Change it…
Open the File Sharing Control Panel. Before you can start sharing files, you
have to define an Owner Name, an Owner password (DON’T LEAVE IT
BLANK!), and a Computer Name. The IP address will be filled in
automatically.
By default, your computer name will be “<name’s> Macintosh.” I recommend
that you change this, or don’t use your real name in the Owner box, because
otherwise anyone surfing through the Chooser will be able to see that and
know it’s your Mac. Never give potential attackers more information than you
must. You can name your Mac pretty much anything you want, with or
without spaces, but spaces are not recommended due to potential network
incompatibility.
File Sharing control panel
Security Through Obscurity
If computer name is revealing, then login should be
different
Don’t make it easy for attackers to gather info from
public information.
If your computer’s name is something revealing about you (like “Joe Smith’s
House of MP3s”) then perhaps your login should NOT be “joe” or “smith” or
“jsmith” etc. If attackers can enumerate likely usernames or passwords from
public information, like the computer name, then you’ve significantly
decreased the amount of effort it will take for them to break in. Don’t give out
clues.
Owner is omnipotent
If FS is on, Owner can already log in and get to
everything
No matter what you do with specific shared items,
Owner can see it all.
Protect Owner’s login info!
Keep in mind that once you turn on File Sharing, anyone who can log in as
Owner will be able to do anything to your data (including most of your system
files -- enough to render your Mac un-bootable). This is true EVEN IF you
do not explicitly share anything. If file sharing is turned on, Owner
basically has remote “god” rights. Owner is a special account, the closest
thing to root on MacOS, and the rest of the sharing privileges you specify are
moot for the user logging in as owner. Protect this login and password!
File Sharing over TCP
You can allow FS over TCP/IP
Faster, but more revealing
• AFPoverTCP will show up on portscan
Routers and AppleTalk
• Now, more of the Internet can see your Mac
But, AppleTalk is clear text. Pro, con, pro, con, etc.
Now that file sharing is turned on, you can start tweaking. You can choose to allow
File Sharing over IP -- this means that clients can connect to your Mac by its IP
address, and use TCP/IP to transfer data. This is faster than AppleTalk and has the
advantage of TCP’s connection integrity maintenance, but keep in mind that it also
pulls the curtain aside a little more than plain old AppleTalk. Your Mac will now have
AFPoverTCP services listening on TCP ports; this will show up on a portscan, and it’s
a dead giveaway that your machine is a Mac.
Furthermore, most routers do not route AppleTalk, but they pretty much all route
TCP. This is a double-edged sword; a user on the other side of your network’s router
could theoretically (assuming the network admins don’t specifically filter out
afpovertcp at the border) connect to your Mac. This is a nice idea for legitimate use,
but it also opens you up to an even bigger pool of potential bad guys. If you use
AppleTalk, then your machine is only visible to users on Dartmouth’s local network.
BUT the disadvantage to using AppleTalk is that your password will be sent cleartext.
So there’s always give-and-take with this. It depends on your configuration (do you
have a firewall?) and what’s most important to you. For the sake of this example, I’m
going to sacrifice password security in order to minimize my overall exposure to
potential bad guys. This would not be the best choice for everyone.
Apps over the net
and Program Linking
You can share apps such that a remote user can
launch an app on the Mac server from another Mac. It
runs over the network and displays on your local
screen.
Nice idea, but…not really.
• Resource/network hog
• CRASH
Program Linking is an AppleScript thing. Scary.
If you share an application (or a folder containing an application), remote users can
launch the app over the network to do stuff on their client Macs. In other words, I
could be working in a lab and discover that someone deleted Microsoft Word off
the computer I’m using. I need to use Word to write my paper. So I simply connect
to my Mac and launch MY copy of Word over the net. It opens on my screen, and I
can open and save files with it on my local lab Mac. This is a cute idea, but in my
experience, it’s such a huge resource hog that it typically causes one or both Macs
to crash. It’s also pretty unkind to other users on the network. And good luck if two
of your users try to launch the same program simultaneously.
Program Linking (now known as Remote Apple Events) allows one Mac to send
AppleScript commands (“Apple Events”) to applications on another Mac via
AppleTalk or TCP/IP. Normal users (with passwords) would need to log in
for each Event. But if you give Guests PL privs AND you enable PL for a given
app, then anyone with a Mac could send Events to that app. You might ask, why
would anyone do such a thing? Well, in my experience, new users who are trying to
get File Sharing to work have a tendency to think “Jeez, I just want this to work,
I’m gonna check EVERY BOX until it does.” And keep in mind that the Finder is
scriptable -- this means that, if PL is enabled for the Finder, remote users could
send Apple Events to the remote machine’s Finder telling it to, say, delete some
System files. Or shut down the computer. Remember the LoJack story and what he
was able to do with AppleScripts, then realize that someone could do all that
without even loading a file onto the hard disk.
Recommended initial setup
Assume recommended initial setup:
• Computer name not too revealing
• Owner name not related to computer name
• Good strong password
• File Sharing enabled but not over TCP
• Program Linking NOT enabled
Test config from another machine.
If you are the only one who’s ever going to be using your Mac, and you trust
yourself to have full privileges (i.e. Owner), then you’re done. You can test
your setup by using another Mac to connect to yours; you should NOT be able
to logon as “Guest” (which requires no password).
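Here is the “recommended initial setup” checklist from the slide above, together with the computer-name advice from the “Security Through Obscurity” and “Configuring a File Sharing server” slides, written as a configuration check you could run over the values you typed into the control panel. This is an added example, not code from the slides or anything the File Sharing Control Panel provides: the FileSharingConfig fields mirror the control panel’s boxes, while the password rule, the list of “likely login” guesses derived from a computer name, and the sample names are this example’s own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass
class FileSharingConfig:
    """The boxes in the File Sharing Control Panel (assumed field names)."""
    computer_name: str
    owner_name: str
    owner_password: str
    file_sharing_on: bool = True
    sharing_over_tcp: bool = False
    program_linking_on: bool = False


def _tokens(text: str) -> List[str]:
    # "Joe Smith's House of MP3s" -> ["joe", "smith", "house", "of", "mp3s"]
    text = re.sub(r"[’']s\b", "", text.lower())   # drop possessives
    return re.findall(r"[a-z0-9]+", text)


def logins_derivable_from(computer_name: str) -> Set[str]:
    """Login names that are obvious guesses from a computer name (this example's assumption)."""
    words = [w for w in _tokens(computer_name)
             if w not in {"of", "the", "macintosh", "mac", "imac"}]
    guesses: Set[str] = set(words)
    for a, b in zip(words, words[1:]):       # joe smith -> joesmith, jsmith, joes, smithjoe
        guesses |= {a + b, a[0] + b, a + b[0], b + a}
    return guesses


def lint(cfg: FileSharingConfig) -> List[str]:
    """Return one finding per item of the recommended setup that the config violates."""
    findings: List[str] = []
    if not cfg.file_sharing_on:
        return findings                       # nothing is listening, nothing to check
    pw = cfg.owner_password
    if not pw:
        findings.append("Owner password is blank: anyone can log in as Owner and do anything")
    elif len(pw) < 8 or (pw.isalpha() and pw.islower()):   # assumed minimum strength rule
        findings.append("Owner password is short or all lowercase letters; use a stronger one")
    if re.search(r"[’']s Macintosh$", cfg.computer_name):
        findings.append("Computer name is the default '<name>'s Macintosh' and reveals whose Mac it is")
    if " " in cfg.computer_name:
        findings.append("Computer name contains spaces (possible network incompatibility)")
    owner = "".join(_tokens(cfg.owner_name))
    if owner and owner in logins_derivable_from(cfg.computer_name):
        findings.append(f"Owner name '{cfg.owner_name}' can be guessed from the computer name")
    if cfg.sharing_over_tcp:
        findings.append("File Sharing over TCP/IP: AFP listens on a TCP port, shows on port scans, "
                        "and is reachable past the local network")
    if cfg.program_linking_on:
        findings.append("Program Linking enabled: remote Apple Events can reach any linkable app")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the out-of-the-box defaults, then a sensible setup.
    for cfg in (FileSharingConfig("Joe Smith’s Macintosh", "Joe Smith", ""),
                FileSharingConfig("HeapOfDust", "marmot42", "Tr0ut-Fishing!")):
        print(cfg.computer_name, "->", lint(cfg) or "looks fine")
```

The default configuration produces four findings; the sensible one produces none. The name check is the part worth keeping around: it turns the slide’s “don’t give out clues” rule into something that fails loudly when the Owner name is just the computer name with the spaces removed.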
Other users
If you want to have other users or guests:
• First create their accounts/enable their access
• The Guest account already exists, and cannot
have a password.
So, ANYTHING you make accessible to Guest will be
accessible to ANYONE
Now, if you want to have other users or guests connecting to your Mac, you
must first create their accounts (in the cases of other named/passworded users)
or enable their access (in the case of the Guest user).
The Guest account already exists, and cannot have a password. So keep in
mind that ANYTHING you make accessible to Guest will be accessible to
ANYONE who can connect to your Mac (in our case, anyone with a Mac at
Dartmouth) with no password required.
Creating accounts
File Sharing Control Panel -> Users and Groups
Later on, specify which volumes/folders/files users
can connect to
Right now, you’re defining the basics (what accounts
exist, whether or not they can connect at all, etc.)
In the File Sharing Control Panel, click on the Users and Groups tab. This is
where you can edit the privileges of an existing user (for example, if you
wanted to enable Guests to connect, then double-click the Guest user, drop
down the “Sharing” menu option, and click the appropriate boxes).
Later on, you will specify which volumes/folders/files users can connect to;
right now, you’re defining the basics (can Guests connect at all, what are your
users’ names and passwords, can they change their passwords, what groups do
they belong to, etc.)
Users and Groups
Here, I have defined
two users, joeblow
and joeschmoe, in
addition to the built-in
owner and guest
accounts.
I also have a group
called my-users.
User Identity
This is the box you see when
you create a new user. You
must set an initial password.
Notice that you can choose
whether or not to allow your
users to change their
passwords.
Another note: As an
administrator, you can reset a
user’s password, but you can’t
see the old one.
User Sharing
From the popup menu in
this window, select
“Sharing” (instead of
“Identity”) and this is where
you can specify whether to
allow the user to connect at
all, and whether that user
can make use of Program
Linking (only applicable if
you enabled PL in the initial
setup.)
Groups
The group my-users
contains both joeblow
and joeschmoe. So if I
want to share a folder to
the two of them, but no
one else, I can use this
group. (This will be made
more clear in a couple
slides.)
Guest
Same idea with the Guest account, except that you
can’t change the account name or set a password.
On to the files
So far:
• Users have been created
• Groups have been created
• Guest is enabled, maybe
Now, we decide which files/folders to share with them.
Ok, so now you’ve defined some users, made a decision about Guest access,
and defined which users belong to groups, if any. (Groups are used when you
want to allow more than one user specific access to a folder or file, but not
guests. This will make more sense later.)
Now we’ll move on to actually specifying the folders and files to share.
Example
What you want:
• One folder each with full privs for joeschmoe and
joeblow.
• One folder that the two of them can only read from.
• One folder which anyone can write to, but not see
what’s inside (a “dropbox”).
• A folder that anyone, including Guests, can download
from.
Let’s say you have two users, joeschmoe and joeblow, and you want each of
them to have a folder to use for downloading and uploading homework files.
You also want to make a folder that both of them can download from, but not
change or upload to (maybe you have stuff you want to show them, but you
don’t want them to be able to delete or mess up the files in that folder).
You also want to have a folder which anyone can write to, but not read from (a
“dropbox”).
Lastly, you want to make a folder that anyone, including Guests, can download
from, but not change the contents of (for sharing your legally-obtained MP3s).
We can do this.
First, make folders to represent this scenario. (Command-N)
I might put all of these in a folder called “Shares.” Do whatever’s easiest for
your organizational preferences.
Set the permissions...
• Next, set appropriate permissions for each of the
folders you want to share.
• Click on folder icon, select “Get Info” from File
menu (or hit -i), and select the “Sharing...” option from
the popup menu.
• Or, control-click (or right click, if you have a
second mouse button mapped properly) on the folder
icon and select “Sharing.”
Control-click…
Specify Access for each Joe
Now, in the Info -> Sharing
window for Joe Schmoe’s
folder, we can specify the
level of access for this
item. Once you check the
“Share this item” box, the
privilege options below will
become available.
Obviously, we’d then do
the same for Joe Blow’s
folder.
The Joes’ read-only folder
This is the folder I want to
share for download only, to
the two Joes but no one
else. This is where we make
use of the group called my-users (which contains the
two Joes). Notice the read-only icon: Glasses with no
pencil. :)
Here’s where the groups come in. Note: I’m not certain, but I believe it is
possible to have groups within groups. However, it’s best to try to avoid
potential confusion as much as you can. I like very shallow hierarchies for that
reason.
Dropbox
Here’s the drop box folder.
Notice that the option even
says “(Drop Box).” Pencil
only, no glasses, for my-users and for Everyone.
This is a little redundant -- “Everyone” includes my-users -- but I tend to be
explicit about it anyway, just so I have a reminder when I look at this folder
later.
The MP3’s folder
And here’s the MP3s
folder, readable to all.
Check for Leaks
Test your configuration from another Mac, since your Mac
cannot connect to itself.
Log on as Owner, as each Joe, and as Guest, and
make sure those accounts have the access they should;
no more, no less.
Remember that you as Owner will be able to do
anything you want to the contents of all of these folders.
Test your configuration from another Mac, since your Mac cannot connect to
itself. Try to hack your Mac -- you can bet someone else will.
Guests should be able to see and download the contents of the “Legal MP3s”
folder, and they should be able to upload things to the “Drop Box” folder but
they should NOT be able to see the contents of that folder or any of the others.
The two Joes should have full access to their respective folders, but should
only be able to open and download from (not write to) the “my shared stuff”
folder.
You as Owner will be able to do anything you want to the contents of all of
these folders.
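To reason about the “Check for Leaks” step before walking over to the other Mac, here is a model of the privilege rules the slides describe (Owner sees everything, Guest only ever gets the Everyone privileges, glasses = read, pencil = write) applied to the two-Joes scenario from the “Example” slide onward. It is an added example, not code from the slides or from MacOS: the data structures are mine, the assumption that a user who matches several rows of the Sharing window gets the union of those rows is this model’s simplification, and the expected-access table is transcribed from the slide’s own description of who should see what.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# The two icons in a folder's Sharing window: glasses (See Folders + See Files)
# and pencil (Make Changes).
READ, WRITE = "read", "write"
NONE: FrozenSet[str] = frozenset()
RO = frozenset({READ})            # glasses only
WO = frozenset({WRITE})           # pencil only: what the window labels "(Drop Box)"
RW = frozenset({READ, WRITE})


@dataclass(frozen=True)
class SharedFolder:
    name: str
    owner: Optional[str]           # user in the folder's Owner row, if any
    user_or_group: Optional[str]   # user or group in the User/Group row, if any
    owner_privs: FrozenSet[str]
    user_or_group_privs: FrozenSet[str]
    everyone_privs: FrozenSet[str]


@dataclass
class FileSharingServer:
    owner_account: str             # the Owner defined in the File Sharing Control Panel
    users: Set[str]
    groups: Dict[str, Set[str]]
    guest_enabled: bool
    shares: List[SharedFolder]

    def effective_privs(self, account: str, share: SharedFolder) -> FrozenSet[str]:
        # Owner is omnipotent: whatever the folder says, Owner gets everything.
        if account == self.owner_account:
            return RW
        # Guest has no password and only ever qualifies for the Everyone row.
        if account == "Guest":
            return share.everyone_privs if self.guest_enabled else NONE
        if account not in self.users:
            return NONE
        # Model assumption: a user who matches several rows gets the union of them.
        privs = set(share.everyone_privs)
        if share.owner == account:
            privs |= share.owner_privs
        members = self.groups.get(share.user_or_group or "", set())
        if share.user_or_group == account or account in members:
            privs |= share.user_or_group_privs
        return frozenset(privs)

    def leaks(self, expected: Dict[Tuple[str, str], FrozenSet[str]]) -> List[str]:
        """Compare every (account, folder) pair with what it should have; list mismatches."""
        by_name = {s.name: s for s in self.shares}
        problems = []
        for (account, folder), want in sorted(expected.items()):
            got = self.effective_privs(account, by_name[folder])
            if got != want:
                problems.append(f"{account} on '{folder}': has {sorted(got)}, should have {sorted(want)}")
        return problems


FOLDERS = ["Joe Schmoe", "Joe Blow", "my shared stuff", "Drop Box", "Legal MP3s"]


def build_scenario(dropbox_everyone: FrozenSet[str] = WO) -> FileSharingServer:
    """The slides' setup: two Joes, the my-users group, a read-only folder, a drop box, MP3s."""
    return FileSharingServer(
        owner_account="owner",
        users={"joeschmoe", "joeblow"},
        groups={"my-users": {"joeschmoe", "joeblow"}},
        guest_enabled=True,
        shares=[
            SharedFolder("Joe Schmoe", "joeschmoe", None, RW, NONE, NONE),
            SharedFolder("Joe Blow", "joeblow", None, RW, NONE, NONE),
            SharedFolder("my shared stuff", None, "my-users", NONE, RO, NONE),
            SharedFolder("Drop Box", None, "my-users", NONE, WO, dropbox_everyone),
            SharedFolder("Legal MP3s", None, None, NONE, NONE, RO),
        ],
    )


# What each login should get, as the "Check for Leaks" slide describes it.
EXPECTED: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("Guest", "Joe Schmoe"): NONE, ("Guest", "Joe Blow"): NONE,
    ("Guest", "my shared stuff"): NONE, ("Guest", "Drop Box"): WO, ("Guest", "Legal MP3s"): RO,
    ("joeschmoe", "Joe Schmoe"): RW, ("joeschmoe", "Joe Blow"): NONE,
    ("joeschmoe", "my shared stuff"): RO, ("joeschmoe", "Drop Box"): WO, ("joeschmoe", "Legal MP3s"): RO,
    ("joeblow", "Joe Schmoe"): NONE, ("joeblow", "Joe Blow"): RW,
    ("joeblow", "my shared stuff"): RO, ("joeblow", "Drop Box"): WO, ("joeblow", "Legal MP3s"): RO,
}
EXPECTED.update({("owner", f): RW for f in FOLDERS})


def check_for_leaks(server: Optional[FileSharingServer] = None) -> List[str]:
    return (server or build_scenario()).leaks(EXPECTED)


if __name__ == "__main__":
    print("correct setup:", check_for_leaks() or "no leaks")
    # One careless click (Everyone read & write on the Drop Box) makes it a public folder.
    for problem in check_for_leaks(build_scenario(dropbox_everyone=RW)):
        print("LEAK:", problem)
```

The correct setup reports no leaks; giving Everyone the glasses as well as the pencil on the Drop Box produces three, one for Guest and one for each Joe, which is exactly the kind of mistake the slide tells you to go looking for from another Mac.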
File Sharing Wrap-up
Not a heavy-duty server.
• Limits on number of users
• Limits on number of simultaneous connections
If you need more power, buy AppleShare IP, Apple’s
commercial server product.
Use Activity Monitor to see what’s shared and who’s
connected right now
Don’t expect FS to be a heavy-duty server. There are built-in limits regarding
how many users you can have and how many simultaneous connections are
possible. (If you need more power, buy AppleShare IP, Apple’s commercial
server product. It can do all sorts of nifty things, like allow Windows users to
connect to Mac shares.)
Use Activity Monitor to see a summary of what’s shared and who’s connected
right now. You can also disconnect users (for example, when a Guest starts six
simultaneous MP3 downloads and chokes all your bandwidth).
File Sharing Wrap-up
Beware of nesting folders with different privileges
• Can’t go very deep with the nesting
• Confusion leads to mistakes
If you use Program Linking, then it’s all or nothing with
respect to privileges
If you delete a user, his folders’ permissions will be
transferred to Owner.
47
Beware of nesting folders with different privileges -- it can be done, but
there’s a shallow depth limit. It can also be incredibly confusing and can lead
to security errors. It’s a good habit to just keep it simple and use a flat
hierarchy for your shared stuff, even if there’s some redundancy.
If you use Program Linking, then it’s all or nothing with respect to privileges
(the app is either remotely linkable by all users, or by none). You can limit
who’s allowed to run programs remotely by putting (a copy of) the app into the
appropriate users’ folder(s). This does not work with aliases.
If you delete a user, his folders’ permissions will be transferred to Owner.
Personal Web Sharing
Do you really need to do this?
• Anyone at Dartmouth can have a homepage on
the main Dartmouth webserver
• Real web servers typically work better for the
purpose
If you still want to do it, Apple’s default setup is
recommended (read-only access to the web folder).
48
Ask yourself: Do you really need to do this?
Anyone at Dartmouth can have a homepage on the main Dartmouth
webserver. Then, security is THEIR problem, not yours. :)
There are many free homepage sites (Angelfire etc.)
Real web servers typically work better for the purpose (more bandwidth, more
reliable uptime, usage statistics, CGI access, static IP, etc.)
Eggs in one basket issue again.
If you still want to do it, the default setup is recommended (read-only access to
the web folder).
PWS Features
PWS can be configured to inherit access privileges from
Sharing Setup.
You can make web folders writeable to allow HTTP
upload, if the client browser supports it. Yikes…
You can configure PWS such that aliases can be
followed. Confusion risk though.
49
Instead of the default privs, PWS can be configured to make use of the users
and privileges in Sharing Setup.
You can make web folders writeable to allow HTTP upload, if the client
browser supports it. But I don’t think this is used much, if at all, and it sure
sounds like a security hole, no?
You can configure PWS such that aliases can be followed (i.e., put an alias in
the web folder, users can get to the real item even if it’s outside of the web
folder). Scary. If you forget the alias is there, and you put sensitive data into
the original folder, now anyone can see it...
PWS Caveats and Wrap-up
Be careful not to share your whole disk.
PWS claims to have support for CGI scripts. Careful…
Again, do you really need to serve webpages off your
Mac?
50
Be careful not to share your whole disk. The webserver software is not magical
enough to “know” which files are webpages and which files are, say, your
thesis. It will happily allow users to “view” (i.e., download) anything on your
disk -- including documents, applications, and system files.
PWS claims to have support for CGI scripts. I assume they mean scripts
written in AppleScript (as opposed to Perl or PHP). If you venture into that
realm, know what you’re doing with your scripts -- AppleScript can be
misused. (Remember the LoJack story and the “suicide scripts.”)
Again, do you really need to serve webpages off your Mac?
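To see what “follow aliases” and “sharing the whole disk” actually hand an attacker, here is an added example (not Apple’s code and not from the lecture) of the one check a file-serving program has to make: after resolving the request, including any alias, is the file still inside the folder you meant to share? It builds a throwaway web folder next to a Documents folder in a temp directory, plants an alias (a symlink, the Unix equivalent) inside the web folder pointing at Documents, and shows that only a check done on the resolved path keeps the thesis off the web. Folder and file names are constructed.

```python
"""Why a web folder must not contain stray aliases (or be your whole disk).

Added example for the Personal Web Sharing slides; it is not Apple's code and
not part of the lecture. It models the check a file server has to make before
handing out a file: after resolving the request (including any alias/symlink),
is the file still inside the folder you meant to share?
Paths and file contents below are constructed in a temporary directory.
"""
import os
import tempfile
from typing import Optional


def resolve_request(webroot: str, request_path: str,
                    follow_aliases: bool = False) -> Optional[str]:
    """Map a request path onto a file under webroot; None means 'refuse'.

    follow_aliases=False  refuse any path component that is an alias (symlink):
                          the safe default.
    follow_aliases=True   allow aliases, but only if the *resolved* target still
                          lies under the real webroot, so an alias cannot expose
                          the rest of the disk.
    Directory requests are refused either way (no listings).
    """
    root = os.path.realpath(webroot)
    candidate = os.path.normpath(os.path.join(root, request_path.lstrip("/")))
    # Stop ../ escapes before touching the filesystem at all.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not follow_aliases:
        here = root
        for part in os.path.relpath(candidate, root).split(os.sep):
            if part == ".":
                continue
            here = os.path.join(here, part)
            if os.path.islink(here):
                return None
    # Resolve aliases and check containment again: this is the check a server
    # skips when it simply follows whatever the alias points at.
    real = os.path.realpath(candidate)
    if os.path.commonpath([root, real]) != root:
        return None
    return real if os.path.isfile(real) else None


def build_demo_site() -> tuple:
    """Constructed layout: a web folder next to a Documents folder holding a
    thesis, plus two aliases inside the web folder."""
    base = tempfile.mkdtemp(prefix="pws-demo-")
    webroot = os.path.join(base, "Web Pages")
    docs = os.path.join(base, "Documents")
    os.makedirs(webroot)
    os.makedirs(docs)
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<h1>My Mac</h1>\n")
    thesis = os.path.join(docs, "thesis.doc")
    with open(thesis, "w") as f:
        f.write("draft chapter, not for the web\n")
    os.symlink(docs, os.path.join(webroot, "docs"))                 # the forgotten alias
    os.symlink("index.html", os.path.join(webroot, "home.html"))    # harmless alias
    return webroot, thesis


if __name__ == "__main__":
    webroot, thesis = build_demo_site()
    for req in ("index.html", "home.html", "docs/thesis.doc", "../Documents/thesis.doc"):
        print(f"{req:28s} aliases off: {resolve_request(webroot, req)}")
        print(f"{'':28s} aliases on : {resolve_request(webroot, req, follow_aliases=True)}")
```

With aliases off, both aliases are refused outright; with aliases on, home.html resolves to index.html (inside the web folder) while docs/thesis.doc is refused because its real location is outside it. Point the web folder at the whole disk and the containment check passes for everything, which is exactly the “whole disk” caveat: the server has no other way to know a file is your thesis.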
Remote Access
Remote Access Server. Allows another Mac with Remote
Access Client to dial into your Mac.
• Do not configure Remote Access Server to allow
guests to dial in.
• If your users won’t need TCP/IP services, don’t
choose PPP as the protocol. The default is ARAP,
which is safer.
51
It used to be that you had to buy the full-blown Server package to answer calls,
but I think nowadays a light version is included with the OS. Perhaps only on
OS X though. If you have a modem, it allows another Mac with Remote
Access Client to dial into your Mac.
Do not configure Remote Access Server to allow guests to dial in. Wardialing
is still popular. (Each User in the Users and Groups tab of Sharing Setup will
have a box you can check to “allow this user to dial in.”)
If your users won’t need TCP/IP services, don’t choose PPP as the protocol.
The default is ARAP (AppleTalk Remote Access Protocol), which is safer because
again, you’re taking advantage of the relative uniqueness of AppleTalk to help
obscure what’s going on. That is obscurity, not protection: a caller who does
find your modem still has to log in as a user you have allowed to dial in, so
keep Guest dial-in off.
Moving on: “Safer Surfing”
Most of the suggestions here apply to any operating
system. We’ll point out some Mac-specific details.
• Web browsing tips
• FTP and Fetch
• Email
52
Web browsing
You’ve probably heard
this before.
In Netscape, go to Edit
menu -> Preferences.
Scroll the left pane
and select Advanced.
Disable Java, disable
JavaScript, disable
cookies.
53
It might also be a good idea to turn off Flash, since Flash has its own
scripting language (ActionScript) built in…depends on how paranoid you feel vs.
how much you care about flashy webpages functioning properly.
Ok, now I can’t use the web at all.
Trouble is, a lot of sites simply won’t work anymore.
Compromises:
• Only accept cookies that go back to
originating server
• Delete the cookies file over and over.
- Tiny freeware program called
NoCookie did this automatically…
• Or, try Anonymizer!
54
Trouble is, a lot of sites simply won’t work if you do this. Compromises:
Only accept cookies that go back to originating server, and you might even
want to check the “warn me” box (but I’ve found that this gets REALLY
annoying when you visit a site that wants to set half a dozen cookies for every
page). Or, delete the stupid cookies file over and over. For Netscape
Communicator on MacOS, go into System Folder -> Preferences -> Netscape
Users -> Your-User-Name and delete (or delete the contents of) the file named
“MagicCookie.”
If you never want the cookies set or the scripts executed in the first place, but
there’s a site you really want to visit that requires those things, there is another
way: http://www.anonymizer.com. You put in the URL you want to visit, then
Anonymizer makes the connection for you, and it dev-nulls all the cookies and
other crud so the server never talks directly to your machine. Nice for when
you’re visiting certain nefarious websites (like 3L33T hAX0r homepages, or
fbi.gov) and you don’t even want your IP recorded.
The basic service is free, but for a fee, they offer some kind of service that
anonymizes all of your surfing automatically (I think you install a plugin and it
invisibly does its thing.) The whole company’s probably a CIA front and
they’re logging every keystroke… ;)
FTP...
...is bad.
• Anonymous FTP is ok
• The whole session is clear text
• Easy to pick out login info
• Two ports = hard to tunnel
55
FTP (File Transfer Protocol) with a username and password is just Bad.
The username and password are preceded by “USER” and “PASS”
respectively, so it’s utterly trivial for an attacker to watch for and flag that data
as it is transmitted (e.g., ngrep).
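To make the ngrep point concrete, this added example (not from the lecture, and not ngrep itself) parses a constructed FTP control session and pulls out what a passive eavesdropper gets: the USER/PASS pair and, from the server’s PASV reply and the client’s PORT command, the address and port of each data connection. The session text and the 192.0.2.0/24 addresses are made up for illustration; the command names and the 227/PORT number format are FTP’s own.

```python
"""Pull the login and the data-connection endpoints out of an FTP control session.

Added example for the FTP slides; it is not part of the lecture and not the
ngrep tool itself, but it does what ngrep lets you do once it has the bytes:
the USER/PASS lines are plain text, and so is the port negotiation.
SESSION is a constructed capture (addresses from the 192.0.2.0/24 documentation
range) written the way "tcpdump -A" or ngrep output might be tidied up.
"""
import re
from typing import List, Tuple

SESSION = """\
S: 220 ftp.example.edu FTP server ready.
C: USER mbates
S: 331 Password required for mbates.
C: PASS hunter2
S: 230 User mbates logged in.
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,89)
C: RETR thesis.doc
S: 150 Opening BINARY mode data connection for thesis.doc
S: 226 Transfer complete.
C: PORT 192,0,2,55,7,208
S: 200 PORT command successful.
C: RETR notes.txt
S: 150 Opening BINARY mode data connection for notes.txt
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""

CRED_RE = re.compile(r"^C: (USER|PASS) (\S+)", re.MULTILINE)
# Client PORT (active mode) or server 227 reply (passive mode): h1,h2,h3,h4,p1,p2
ENDPOINT_RE = re.compile(
    r"^(C: PORT |S: 227 [^(]*\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.MULTILINE)


def extract_credentials(capture: str) -> List[Tuple[str, str]]:
    """(user, password) pairs: what an eavesdropper gets for free."""
    creds, user = [], None
    for cmd, arg in CRED_RE.findall(capture):
        if cmd == "USER":
            user = arg
        elif user is not None:           # a PASS following a USER
            creds.append((user, arg))
            user = None
    return creds


def data_endpoints(capture: str) -> List[Tuple[str, str, int]]:
    """(mode, host, port) for every data connection the session negotiated.

    The port is p1*256 + p2. Because it is chosen per transfer and announced
    inside the control session, forwarding TCP/21 through an SSH tunnel protects
    the login but not the file contents, which is why FTP is awkward to tunnel.
    """
    endpoints = []
    for m in ENDPOINT_RE.finditer(capture):
        mode = "active" if m.group(1).startswith("C: PORT") else "passive"
        host = ".".join(m.group(i) for i in range(2, 6))
        port = int(m.group(6)) * 256 + int(m.group(7))
        endpoints.append((mode, host, port))
    return endpoints


if __name__ == "__main__":
    for user, password in extract_credentials(SESSION):
        print(f"login seen in the clear: {user} / {password}")
    for mode, host, port in data_endpoints(SESSION):
        print(f"{mode} data connection to {host}:{port} (outside any port-21 tunnel)")
```

The second function is the slide’s “two ports” problem in code: the data port is p1*256+p2, picked per transfer and announced in the control session, so tunnelling TCP/21 alone protects the password and nothing else, and in active mode the server also has to connect back to you, which a firewall will (rightly) refuse.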
What you can do
If you HAVE to use FTP with login/pass, use a password
that you don’t use for anything else
Don’t transfer sensitive files over FTP
Keep backups
Work under the assumption that someone is going to be
able to log in as you
Try to use a more secure alternative
56
A better solution: tunnel the control connection (the part of the session that
carries USER and PASS) over MacSSH. This protects the login only; the data
connection is set up on a separate port that is negotiated inside the session
and still travels in the clear, which is why FTP is awkward to tunnel.
http://www.bio.upenn.edu/computing/instructions/security/portforwarding/
See if the server supports any of Fetch’s built-in security support (Kerberos
authentication, one-time passwords, challenge-response system). Use them if
possible. See if the server supports SFTP, the file transfer protocol that runs over
SSH (Secure SHell), and its counterpart for single files, SCP (Secure CoPy). Despite
the name, SFTP is not FTP with encryption bolted on; it is a different protocol, and
the server has to run it. Try connecting with MacSFTP, an easy-to-use shareware SFTP
client with a very Fetch-like interface. Also, the next release of Fetch is supposed
to include built-in SFTP support.
Fetch v. 4.0.x already has some security options, but they require you to install
additional software, and the server(s) you connect to must support those features as
well. To take advantage of some of them, you have to install and properly configure
M.I.T.’s KClient package for your OS (there are versions for both OS 9 and OS X).
But from what I can tell, the Kerberos server version in use at Dartmouth is not
compatible with the current M.I.T. release, and Fetch is too new to use the old
KClient. And configuring the client properly can be a non-trivial task anyway. So
watch out.
Just for fun, we’ll talk about these features a little bit. The following assumes that
you have installed and configured the right version of the KClient software.
Fetch gets teeth
The “encrypt session” option is only
available with the other security options; it
will be grayed out for “cleartext password.”
57
Fetch’s “New Connection” window gains some new features when you install
the Kerberos software. Notice the “Security” popup menu, and the “Encrypt
session” checkbox. Remember that the FTP server must support the security
option you choose, or Fetch has to default to the cleartext password option.
(By the way, this window’s font and color will look a little different if you use
it under Classic. I took these screenshots in OS X. The information’s the same
though.)
Fetch security options
58
Clicking on the Security menu reveals these options, both of which appear as a
result of the Kerberos package we installed. If we used another security
package supported by Fetch, we would see those options under this menu.
Consult the Fetch documentation to see what other security packages it
supports.
Fetch with baby teeth
From Fetch’s Customize
menu, select Preferences
and click the Security tab.
You’ll see this when
you connect:
59
Since the Kerberos thing is difficult or impossible to use, we can at least take
advantage of the basic security features. Under Fetch’s Security preferences,
checking the top two boxes will not make your connection secure, but at least
it will remind you when you’re about to expose your password.
Email
Normal POP/POP3 mail is unencrypted
But, most major email clients support SSL
• Mail server(s) must support it too
Eudora and Outlook both have SSL option
• Protects your password and content
• Only for the path between your Mac and your ISP.
Next hop mail server may not.
Always assume that your mail message is not going to be
secure for its entire journey to the recipient.
60
Normal POP/POP3 mail is unencrypted, but most major email clients support
some level of extra security (but again, the mail server(s) must support those
features as well). Eudora and Outlook both have an option for email over SSL,
which if supported on your service provider’s server, protects your password
and the email content -- but only for the path between your Mac and your ISP.
The next mail server down the line may not have SSL, so you should always
assume that your mail message is not going to be secure for its entire journey
to the recipient. Eudora also supports APOP (Authenticated Post Office
Protocol), which keeps your password out of the clear by sending an MD5 hash
of a server-supplied timestamp plus your password instead of the password
itself. That is weaker than SSL: the message content still goes in the clear,
and a captured exchange can be attacked by guessing passwords offline. There is
also S/MIME, in which both the sender and recipient use certificates to sign or
encrypt email (sort of PGP-esque).
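The difference between “normal POP” and APOP, as an added example (not from the lecture and not any mail client’s code) of the protocol exchange: the server’s greeting carries a timestamp, the client answers with MD5(timestamp + password), and the server recomputes the digest from the password it has stored. The timestamp, user name and password are constructed. The last function shows the limit of the scheme: the captured banner and APOP line are enough for offline password guessing, and the message bodies are never protected at all, which is why SSL is the better option whenever the server offers it.

```python
"""POP3 vs. APOP (RFC 1939): what an eavesdropper sees in each case.

Added example for the Email slide; it is not from the lecture and not Eudora's
code. APOP has the server send a timestamp in its greeting; the client replies
with MD5(timestamp + password) instead of the password. The timestamp, user
name and password are constructed. hmac.compare_digest is used on the server
side so the comparison does not leak timing information.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional, Sequence

# Constructed values for the walk-through (timestamp in the RFC's <...> format).
TIMESTAMP = "<1896.697170952@mail.example.edu>"
SECRETS: Dict[str, str] = {"mrose": "tanstaaf"}     # the server must hold plaintext passwords


def pop3_plain_login(user: str, password: str) -> str:
    """Classic POP3: both lines cross the wire exactly like this."""
    return f"USER {user}\r\nPASS {password}\r\n"


def apop_greeting(timestamp: str) -> str:
    return f"+OK POP3 server ready {timestamp}\r\n"


def apop_digest(timestamp: str, password: str) -> str:
    return hashlib.md5((timestamp + password).encode("utf-8")).hexdigest()


def apop_client_response(greeting: str, user: str, password: str) -> str:
    """Client side: pull the <...> timestamp out of the banner and answer it."""
    m = re.search(r"<[^>]+>", greeting)
    if m is None:
        raise ValueError("server did not offer APOP; only a cleartext login is possible")
    return f"APOP {user} {apop_digest(m.group(0), password)}\r\n"


def apop_server_verify(timestamp: str, command: str, secrets: Dict[str, str]) -> bool:
    """Server side: recompute the digest from the stored password and compare."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    if user not in secrets:
        return False
    return hmac.compare_digest(digest, apop_digest(timestamp, secrets[user]))


def offline_guess(greeting: str, command: str, wordlist: Sequence[str]) -> Optional[str]:
    """What the eavesdropper can still do: the captured banner + APOP line are
    enough to test candidate passwords offline, with no further traffic."""
    timestamp = re.search(r"<[^>]+>", greeting).group(0)
    _, user, digest = command.split()
    for candidate in wordlist:
        if apop_digest(timestamp, candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    greeting = apop_greeting(TIMESTAMP)
    reply = apop_client_response(greeting, "mrose", "tanstaaf")
    print("S:", greeting.strip())
    print("C:", reply.strip())
    print("server accepts:", apop_server_verify(TIMESTAMP, reply, SECRETS))
    print("plain POP3 would have sent:", repr(pop3_plain_login("mrose", "tanstaaf")))
    print("dictionary attack on the capture:",
          offline_guess(greeting, reply, ["password", "letmein", "tanstaaf"]))
```

Two things to notice: the server has to keep every password in plaintext to recompute the digest, so an APOP server’s password file is itself a liability, and a fresh timestamp per connection is what stops an attacker from simply replaying a captured APOP line.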
PGP
The encryption lecture covers the details of PGP.
At least one PGP client for the Mac
• PGP.com (formerly Network Associates, Inc.) has
“PGPFreeware” (v. 7.0 at the time of this writing) for OS
9 and “PGP 8.0 LIVE” for OS X.
• Free for academic use
• Compatible with other flavors of PGP (such as GPG).
For OS X, there is also GPG (GNU Privacy Guard) -- more on
that later.
61
PGP, or Pretty Good Privacy, will be/has been discussed in depth in another
class, so we won’t go into detail here. There is at least one PGP client for the
Mac, which plugs in nicely to Eudora and probably Outlook, and which also
provides an easy way to interact with non-standard email clients (like
BlitzMail).
The client I use is made by PGP.com (formerly Network Associates, Inc.) and
is called simply “PGP” (v. 7.0 at the time of this writing). It’s free for
academic use, and it’s compatible with other flavors of PGP (such as GPG).
You can get GPG for OS X, and at this time the GUI is still kinda clunky, but
it works if you follow the directions carefully when you set it up.
Attachments (“Enclosures”)
Most common way of getting a virus or other malware is via
email attachments
Lots of clever tactics to lure you into opening something
that looks legit…beware!
As a Dartmouth Mac user, you have a rare advantage -- BlitzMail. It…
• doesn’t download attachments automatically
• doesn’t interpret HTML mail (spammers send
HTML mail with bad Javascripts etc.)
• isn’t Outlook ;)
62
Probably the most common way of getting an unwanted program (such as a
virus) is by receiving an attachment in email. In the last couple years, there
have been a huge number of worms which infect Windows machines via the
Outlook email program. This is not directly dangerous to Mac users, but it
serves to illustrate a point. The recent “Klez” virus/worm used several tactics
to increase the likelihood that a recipient of the virus would open the
attachment; it would pull email addresses out of the user’s address book or
web cache, and create Subject lines from bits of documents or cached
webpages on the victim’s computer, then generate more emails from those.
The result was that other victims would receive email from people they knew,
with message content that looked familiar. What a lure!
The point here is that, while Klez posed no threat to Mac users (even Mac
Outlook users), the methods used by Klez demonstrate that viruses can be
pretty clever.
Be certain, before you open an attachment, that the sender really is the sender,
and that it’s someone you trust. Even then, you should scan the file with your
antivirus software before you open it. Norton and others can be easily
configured to “quarantine” and check new files before you use them.
More on email at Dartmouth
• BlitzMail hides password (challenge-response)
• Comp Svcs is currently testing software to
automatically filter/alert on virus-ridden email before it
even gets to you
• Also, there are plans to make the servers fully
IMAP-compliant (beta testing now)
• But, the session is still clear text. Your messages
can be read.
63
Dartmouth’s BlitzMail system provides a simple, easy-to-use, yet powerful
interface for electronic mail. Its simplicity and uniqueness also add to its
security; BlitzMail is immune to all the Outlook email viruses, since it does
not arbitrarily download or execute code of any sort. It also does not have
HTML mail capability, which thwarts a great deal of spam email containing
JavaScripts and other “spyware” elements. Macintosh BlitzMail versions since
2.0.5 will even detect a keystroke logger running on the user’s machine, and
will not only alert the user to this fact, but will also scramble the keystrokes as
they are written to the keystroke logger’s result file, so the malicious user
cannot see what was typed.
Luckily for us, BlitzMail uses a challenge-response technique to encrypt your
password every time you log on. If you use a non-BlitzMail client to check
your Dartmouth email, you do not get to have this extra layer of protection.
Dartmouth email is moving towards a more standard scheme (IMAP) and
they’re also looking into border filtering of viruses.
However, with the exception of the password, the BlitzMail session is still sent
as clear text. So the content of the messages you send or receive, as well as
your inbox summary, are still visible to an eavesdropper. (We can, however,
tunnel BlitzMail through SSH, in both OS X and Classic. There is a paper on
this listed in the “Supplemental Sources” section of the course webpage.)
BlitzMail’s brethren
Other secure ways to use Blitz:
• WebBlitz (Basement)
• NetBlitz (my favorite, if the regular client is
unavailable)
• TextBlitz via SSH (old and primitive, but works
in a pinch)
64
In addition to the real BlitzMail client, there are other secure ways to use Blitz.
WebBlitz -- https://basement.dartmouth.edu/blitz. Uses SSL to protect your
session.
NetBlitz -- a streamlined web-based client.
http://netblitz2.dartmouth.edu/Bl.cgi. Has multiple security options -- you can
SSL-encrypt just your login, or your whole session, depending on how much
speed vs. security you care about.
TextBlitz -- very bare-bones Blitz access. SSH to textblitz.dartmouth.edu as
user “blitz” with no password. You’ll be prompted for your BlitzMail login
info. You can only read what’s in your inbox. This is very old.
VIRUSES!
Not really a big deal for Macs (so far).
• Again, small user base and the uniqueness of
MacOS = small target
• Most recent big one: Word macro virus (which
affected Word documents on all platforms)
• Also, a worm or two
65
Not a big deal for Macs. There just aren’t very many viruses out there. Again,
the small user base and the uniqueness of MacOS make it a small, unattractive
target for most of the virus-writing twits in the world.
Probably the most dramatic one in recent history was the Word macro virus
(which affected Word documents on all platforms, not just the Mac). It wasn’t
super-destructive, but it did manage to irritate just about everybody at
Dartmouth for a few months.
Macro scripting language is supposed to be used for creating in-document
shortcuts for repetitive functions. The macro scripting language developed by
MS apparently can do much more, because a couple years back there was a
huge epidemic of macro viruses in Word documents on Windows and Mac
(mostly affecting Word version 6). These viruses did a variety of cute things,
like alter your “Normal” Word template such that every Word document you
opened or created would be infected, and/or embed a chunk of text in every
Word document you ever opened, that you could NOT remove from the
document (the text contained a message about a Scrabble game), and one
variant could even hide a menu in the program (!) which you had to use in
order to get rid of the virus! (I thought I had gone insane. The cleanup
instructions said “1. Go to the Tools menu” and there WAS NO TOOLS
MENU.)
Countermeasures
3 or 4 other known Mac viruses
• Some do have destructive payloads
• Rate of infection is very low
Run Norton Antivirus or equivalent
List and description of Mac viruses:
http://www.symantec.com/mac/security/macattack.html
66
The macro virus thing is pretty much over. Word98 and up have macro support
disabled by default and/or built-in macro virus detection. Also, antivirus
utilities such as Norton are able to detect and clean or at least quarantine
documents containing macro viruses.
The other fairly-memorable and somewhat recent Mac malware was a worm (the
AutoStart 9805 worm, from 1998). It used QuickTime’s “autoplay” feature (which
automatically runs the autostart item on a newly inserted disk, e.g. starts
playing an audio CD) and some strains of the worm would destroy files with
.dat or .data name extensions, but mostly all it did was start up Print
Spooler and slow your system down. All you had to do to avoid infection was
turn off the autoplay feature in the QuickTime Settings control panel.
There are 3 or 4 other known Mac viruses, some of which do have destructive
payloads (delete random files, interfere with loading of extensions, etc.) But
the rate of infection is very low. If you’re paranoid, which is a good thing, run
Norton Antivirus or another AV program. It’s a good idea to boot off the CD
and have it scan your system BEFORE you install it, since some viruses try to
disable AV programs. Hold down the C key to boot off a CD.
List and description of Mac viruses:
http://www.symantec.com/mac/security/macattack.html
Firewalls
The firewall lecture covers how they work. Mac ones:
• Norton Personal Firewall for Macintosh
• OS X has built-in firewall software
In general, firewall software should:
• Have basic and advanced user modes
• Have good logging and notification options
• Support multiple rule sets
• Be able to export logs in standard formats
• Support multihoming
• Ideally, support egress filtering
67
The firewall lecture in this class covers what firewalls do and how they work.
Norton Personal Firewall for Macintosh is a good choice. (OS X has built-in
firewall software, but we’ll get into that later.)
A good firewall should be easy to use, have basic and advanced user modes,
and have good logging (and should be able to export logs in standard formats,
so you can analyze the logs with another program). It ought to support
multihoming (i.e., separate rules for different network interfaces or locations,
especially for PowerBook users), and ideally, filtering of outbound traffic
(e.g., prevent your credit card number from being sent in a clear text format, or
stop traffic destined for known Trojan horse ports.) A decent fw program
should also allow you to have multiple sets of rules. You ought to be able to
easily create a basic ruleset with high-security rules (the default set,
preferably). There should be notification options (for example, Norton can pop
up mini-windows telling you about access attempts right as they happen).
Ideally, your fw should have the ability to silently drop OR explicitly reject
traffic. And it should be stateful. But these last two features are pretty
frequently left out of “personal” firewalls. If you really want to have these
features, get a cheap old PC, install two cheap NICs, and put Linux with
Netfilter on it for a dedicated, powerful, stateful inspection firewall and put
your Mac behind it. :) But that’s kinda overkill.
Test it
Play the hacker.
Symantec can scan your machine and generate a report
http://security1.norton.com/SSC/
Caveats:
• Multiple Users
• Non-passive-mode FTP connections
• Allowing for non-obvious traffic (e.g. Keyserver)
68
Test your firewall settings. Play the hacker. Symantec has a URL you can visit which
scans your machine and generates a report about its level of security. Keep in mind
that if you’re NAT’ed, it will be scanning the NAT box rather than your Mac, and if
you’re behind a firewall, your security administrator may hate you for doing this.
Caveats:
• If you’re using Multiple Users, you’ll need to make sure that your fw offers the
proper amount of protection for all users. NPF uses one Prefs file for all users but
other fws may not.
• Beware of non-passive-mode FTP connections, often characterized by a connection
drop at 99 percent download completion. (It’s like they TRIED to make it as
frustrating as possible.) Set Passive Mode under Fetch’s “Firewall” Preferences tab.
• If email takes forever, it may be an AUTH thing. Either allow the traffic (TCP/113)
or do an explicit reject so it doesn’t do the long timeout in response to a silent drop.
• P2P programs (Gnutella and such) may malfunction in the presence of a firewall.
• If you block UDP access on high ports, it may mess up DNS: your resolver sends
its query from a high-numbered port and the answer comes back to that port, so
only a firewall that remembers the outgoing query (a stateful one) can let the
answer in without opening the whole range. Also don’t block UDP/68 if you use
DHCP to get an IP address (at Dartmouth, this is the standard method). Ideally
you need only allow that access from the IP of the DHCP server, but if you’re
not sure, open that port to anything. It’s a pretty minor security hole.
• If you use NTP for Date and Time, open up UDP/123 from the specified NTP
server.
• If you use Keyserver over IP, it needs UDP/19283. You probably use it over
AppleTalk, though (default).
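The caveats above, modeled as an added example (not Norton’s or Apple’s firewall code, and not from the lecture): a first-match rule list plus a small table of the UDP queries we have sent, so DNS answers to high ports get in without opening the whole range, DHCP and NTP replies are accepted only from the configured servers, and ident gets an explicit reject rather than a silent drop. All addresses are constructed from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges; the port numbers the slide names are the only real ones.

```python
"""A tiny first-match firewall that models the caveats from the "Test it" slide.

Added example; it is not Norton's or Apple's firewall code and not from the
lecture. It shows (1) scoping DHCP and NTP replies to the servers you actually
use, (2) answering ident (TCP/113) with an explicit reject instead of a silent
drop so mail servers don't hang on a timeout, and (3) why "block UDP to high
ports" breaks DNS unless the firewall remembers the queries it sent, which is
what "stateful" means. Addresses are constructed; the port numbers are the
well-known ones the slide names.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    remote: str       # the other host
    rport: int        # its port
    lport: int        # our port


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    action: str       # "allow", "drop" (silent) or "reject" (tell the sender)
    remote: Optional[str] = None
    rport: Optional[int] = None
    lport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and (self.remote is None or self.remote == p.remote)
                and (self.rport is None or self.rport == p.rport)
                and (self.lport is None or self.lport == p.lport))


DHCP_SERVER = "192.0.2.1"     # constructed
NTP_SERVER = "192.0.2.123"    # constructed

RULES: List[Rule] = [
    Rule("DHCP from our server only", "udp", "allow", remote=DHCP_SERVER, rport=67, lport=68),
    Rule("NTP from our server only",  "udp", "allow", remote=NTP_SERVER, rport=123, lport=123),
    Rule("Keyserver over IP",         "udp", "allow", lport=19283),
    Rule("ident: reject, don't drop", "tcp", "reject", lport=113),
]


class Firewall:
    """First matching rule wins; unmatched inbound traffic is silently dropped
    unless it answers a UDP query we sent ourselves (the stateful part)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.sent: Set[Tuple[str, str, int, int]] = set()

    def outbound(self, p: Packet) -> None:
        """Record an outgoing packet so its reply can be recognized."""
        self.sent.add((p.proto, p.remote, p.rport, p.lport))

    def inbound(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason) for an incoming packet."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.action, rule.name
        if (p.proto == "udp" and p.lport > 1023
                and (p.proto, p.remote, p.rport, p.lport) in self.sent):
            return "allow", "reply to our own query"
        return "drop", "default deny"


def demo() -> List[Tuple[str, str]]:
    """Run the slide's scenarios through the rules; returns (action, reason) per case."""
    fw = Firewall(RULES)
    fw.outbound(Packet("udp", "192.0.2.53", 53, 50123))                 # our DNS lookup
    cases = [
        Packet("udp", DHCP_SERVER, 67, 68),          # lease offer from the right server
        Packet("udp", "198.51.100.9", 67, 68),       # rogue DHCP server
        Packet("udp", NTP_SERVER, 123, 123),
        Packet("udp", "198.51.100.9", 123, 123),
        Packet("tcp", "198.51.100.25", 40001, 113),  # mail server asking who we are
        Packet("udp", "192.0.2.53", 53, 50123),      # the DNS answer we are waiting for
        Packet("udp", "198.51.100.9", 53, 50123),    # unsolicited packet to the same port
        Packet("udp", "198.51.100.9", 40000, 19283), # Keyserver over IP
    ]
    return [fw.inbound(p) for p in cases]


if __name__ == "__main__":
    for action, reason in demo():
        print(f"{action:7s} {reason}")
```

Rule order matters: put the narrow allow rules first, the explicit rejects next, and let everything else fall through to the silent default. The "reply to our own query" branch is the whole difference between a stateful firewall and the "open UDP above 1023 to everyone" workaround the slide warns about.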
MAC OS X
Everything’s changed.
OS X is based on a Unix subsystem called Darwin (a Mach kernel with a BSD layer
drawn largely from FreeBSD). Here’s a pictorial representation of the OS:
(Don’t worry about the GTK/Xdarwin part.)
69
To maintain backwards compatibility with the existing library of Macintosh
software, Mac OS X integrates the new Unix-based environment with a
MacOS-based emulation environment called “Classic” (also sometimes called
the True Blue Environment, which is how it shows up in top). Old Mac apps
run within Classic, and Classic runs within X. As far as X is concerned,
Classic is just another application. It can be killed like any other Unix app,
which is nice for those times when some Classic app crashes the environment.
The term “Carbon” is used to describe applications which are written such that
they can run natively in either OS X or Classic/OS 9. This is similar to “fat
binary” apps (which existed during the transition from the 680x0 processor to
the PowerPC processor -- some software was re-written to include code for
both processor types, and since this tended to make them bigger, they were
called “fat.”) If you Get Info on a Carbon app, you can toggle a checkbox to
tell the app whether to launch in OS X or in Classic. “Cocoa” describes apps
written specifically for OS X, and which will not run in OS 9. Platinum and
Aqua are the names Apple uses to describe the user-visible appearance of the
operating system. Think of them as Winamp skins. Classic always wears the
Platinum appearance, which among other things, describes the shape and size
of common elements like scroll bars and title bars and menu fonts. Similarly,
Aqua is the skin worn by OS X, and it describes things like translucency of
background windows and drop shadows and such.
Mac OS X cont’d
70
QuickDraw and Quartz are the respective underlying graphics “engines” which
are what drive the appearance of the OS. I’m not sure if it’s still the case
today, but originally, most if not all of the Mac’s QuickDraw calls were
hardwired into the ROMs, which is why all Mac apps tended to look very
similar; things like title bars and menus and the shape of the cursor were
standard objects. This was very deliberate on Apple’s part -- it was a big part
of what made the Mac easy to use for newbies, because so much of what you
learned about one app could be applied to all the others.
The light-gray column in this picture shows the “command line” riding on top
of the Terminal window, which in turn sits above the Shell. IMHO this doesn’t
really serve to illustrate much -- all you need to know is that if you want to get
at the Unix command-line interface, you first have to open a Terminal window
(Terminal is the name of the app that gives you CLI access). By default, your
shell is tcsh, though it’s easy to add bash if you prefer it.
The far-right column has to do with a nifty add-on (NOT part of the OS,
whereas the rest of the picture is) called XDarwin, which is the Unix X Window
System (X11) environment for OS X. This may seem incredibly redundant, but it
allows you to do some very cool things that you wouldn’t otherwise be able to
do. It’s outside the scope of this class, but blitz me if you’d like a demo.
Macs and Unix
OS X inherits from NeXTStep and Rhapsody
What you get:
• Memory protection
• Preemptive multitasking
• Built-in compiler
• etc. -- all the coolness of Unix
Combined with:
• Really terrific UI that Macs are famous for
• BUT: We gave up uniqueness. Vulnerabilities that
affect BSD Unix can now affect Macs, too.
71
OS X inherits much from NeXTStep and Rhapsody. See handout # 3, “Mac
OS X System Administration,” for more about the history of NeXT and OS X.
OS X is the best of both worlds. It has all the functional advantages of Unix,
like memory protection, preemptive multitasking, the built-in compiler, Unix
compatibility resulting in access to a huge library of software (even the Debian
apt-get tools have been ported to OS X), Darwin is open-source so more
software’s coming faster, etc. AND...
…it has all the user-interface advantages that the Macintosh is famous for.
Most Mac users never need to interact with the Unix-ness directly; they just
revel in the delight of using a Mac that (almost) never crashes.
• The price we pay for this: We’re not unique anymore.
Vulnerabilities that affect BSD Unix, Apache, OpenSSH, etc. can now
affect Macs, too.
There can be many
OS X is a multi-user system.
Administrator is not quite root, but almost
• Sudo is invoked when needed in the GUI
• It can also be used explicitly at the CLI, just like
in any other Unix
Administrator has enough privileges to do just about
anything you need
72
Unlike old MacOS, OS X is a multi-user system. When you first set up your new Mac, you are asked to
provide a username and password for the Administrator account. Administrator is not root, but it’s almost
that powerful -- Apple hides root from you, for your own safety, and invokes something much like sudo
when you need to do root-esque things.
At first I didn’t understand this -- I thought, “this is MY computer, I should be able to do ANYTHING I
WANT.” So I performed the convoluted hack to enable root login (this was OS X 10.0, it wasn’t easy) and
I habitually ran things while logged in as root. One day, I went to change modes (chmod) a file, but I
didn’t notice that I’d accidentally selected the whole hard disk (I was still getting used to OS X), and it
seemed to be taking awhile to finish…spinning beach ball of doom…uh-oh. I’d recursively chmod’ed
every file on the disk. OS X never booted again. I had to boot into OS 9 to get my data, then wipe the drive
and start over.
The moral of the story is, that wouldn’t have happened if I hadn’t insisted on being root all the time. OS X
would’ve chmod’ed maybe one folder’s worth of stuff, but it would’ve stopped before it reached the core
system files and tossed a dialog saying “you don’t have permission to do that” or something similar.
Administrator has enough privileges to do nearly anything you’ll need to do -- you don’t need true root
unless you start really messing around with the Unix guts of OS X. Even then, it’s HIGHLY recommended
that you use sudo, rather than enable the root password and stay logged in as root for long periods of time.
You’re far less likely to do irreparable damage to your system if you use sudo, since it gives you root privs
only on a per-command basis. Metaphorically, you’ve only chambered one round at a time, and if the gun
goes off, at least it’s not on full auto. ;)
Very rarely will sudo fail to meet your needs. But once in a while, something in a shell script or some
hardcore tinkering will require true root. The easiest way to go at it in that case is sudo su - and use your
Administrator password. You will be root, with root’s path.
72
Users and folders
You can create users, and choose whether or not to
give them Administrator rights
Each user has a home folder (under /Users)
Each user also has a “Desktop” folder, which
corresponds to the desktop he or she sees.
You can create however many users you want, and you can give them Administrator
rights (they can do Admin-level stuff using just their own passwords for
authentication, like sudo) or leave them as normal, non-admin users. Each user has a
home folder (under /Users) which stores his/her documents, preferences, fonts,
personal webpage (if you have Web Sharing enabled), etc. If you do NOT give users
admin rights, then they can only make new files in their home directories. They can
still run applications that reside outside their home folders, but apps that need root
(say, a sniffer) will not work for them. This should be quite familiar to Unix users.
Each user also has a “Desktop” folder, which corresponds to the desktop he or she
sees. It shows up as a folder called Desktop in your home directory, but it’s
simultaneously also the desktop underneath all your windows (which can get weird,
since you can open the Desktop _folder_ and be looking at the icons that are also on
your visible Desktop.) This is quite different from the Desktop of old MacOS, which
was sort of an über-folder. Each user can put different things on his or her Desktop,
and other users won’t see them -- they’ll see their own Desktops.
Note: Users ought to make use of the screen saver lock feature -- it requires you to
enter your password to unlock the screen saver. System Preferences -> Screen Effects.
And never turn on the auto-login feature unless you’re sure your Mac is physically
isolated from other people; also, it’s better to leave off the “pick user from list” option
and type your username. Again, don’t make it easier for the bad guys.
73
Users and Apps
Users can install their own applications
If they have Admin rights, they can install apps
available to all users
In general, applications run with the privileges of the
user who launches them
Users can install their own applications, available only to them, or (if they
have Admin rights) they can install apps available to the whole system.
For the most part, applications run with the privileges of the user who launches
them. In other words, if I open BBEdit and try to edit the /etc/hosts file,
BBEdit will ask me to authenticate as Admin with my password before I can
save changes. (This assumes that my account has Admin rights, or in more
Unixy terms, I am in the sudoers list.) Users who are not flagged as
Administrators would not be able to edit that file at all.
74
BSD File Security
Same as any Unix -- owner, group, everyone, modes,
etc.
Can be changed at the CLI using the usual -- chmod,
chown, etc. -- as well as with the GUI Get Info.
As with any Unix, files in OS X have access restrictions based on owner and
group, and files have modes (r/w/x). This isn’t just the case for network file
sharing (as is true with pre-X Mac OS) -- it’s also true for every file on the
system. Old news for Unix folks, but a new realm for Mac users.
75
Classic
When you open an old Mac app, OS X first launches
the Classic (“TrueBlue”) environment, then opens
the app within that
The integration is fairly seamless -- some menus
change, but you always see the OS X
Finder/Desktop and the Dock
If some Classic Mac app crashes, it’ll probably take
the Classic environment down with it, but OS X
keeps running :)
To maintain compatibility with old MacOS software, Apple developed a
MacOS emulation environment, called Classic. When you open an old Mac
app, say, Classic Netscape, OS X first launches the Classic (“TrueBlue”)
environment, then opens Netscape within that. The integration is fairly
seamless -- some menus change when you flip between OS X and Classic
apps, but you always see the OS X Finder/Desktop and the Dock.
Classic runs as a separate process under OS X -- Classic is, in effect, just
another application under OS X. The cool thing about this is that when some
Classic Mac app crashes (that would NEVER happen! hah), it’ll probably take
the Classic environment down with it, but OS X keeps running happily. The
miracle of memory protection.
(In the beta release of OS X Server, Classic and X were integrated differently,
and it was possible for Classic to crash and take the input devices with it. OS
X would still be running, but you couldn’t reach it to kill Classic -- your cursor
was frozen, keyboard locked. But, you COULD shell in from another machine
and run ps, find the Classic process, and kill -9 it and get X back. Nice.)
76
Classiconfusion
• The integration is fairly seamless. Not completely.
Examples:
• Both Classic and OS X use a single IP address
• File sharing weirdness
• Both environments can share a printer
• OS X owns the CD-ROM and Zip drive
• Only one Finder (X)
• OS 9 Desktop is still separate from OS X’s
The integration is _fairly_ seamless. It still takes a lot of getting used to,
especially if you’ve been a Mac user for awhile.
Examples:
Both Classic and OS X use a single IP address. It doesn’t affect client-type
behavior (e.g., you can use a web browser in each environment
simultaneously), but it can get weird with running servers.
You can’t do file sharing under Classic under X anymore (but you could do it
with AppleTalk only, no AFPoverTCP, in OS X 10.1, WHILE you were
sharing files directly from X too. Schizophrenic.) You can’t connect to
AppleTalk-only servers from Classic, but you can from X. You CAN do
Program Linking from within Classic, God only knows what happens if you try to
do Apple Events in X at the same time. (It seems to let you turn on both
simultaneously…)
Both environments can share one printer (need drivers for each environment,
except for the occasions when Classic just seems to “learn” about the printer
from X), but OS X owns the CD-ROM and Zip drive.
There is only one Finder (in X).
The Desktop of Mac OS 9 is a separate entity from that of OS X, and under OS
X, it’s invisible in the Finder (but you can see it from the Terminal if you list
the contents of the / directory). When you install OS X, it automatically
creates an alias to the Mac OS 9 Desktop, and puts that on your OS X Desktop
(stay with me here) and if you delete it, like I did, then you’re sorta locked out
of your OS 9 Desktop. But don’t worry, it’s still there if you boot into 9. (More
77
More on Classic/X
More: Under the standard partitioning scheme, you can boot
directly into MacOS 9
• This has scary implications for file permissions
Carbon apps will run in anything, which is good to know
OS X “packages” (app bundles) will appear as folders in 9,
don’t mess with the contents!
Oh, and as if that’s not enough, you can tell the Mac to boot directly into MacOS 9 (using the same
System Folder as Classic), and then OS X effectively disappears and you have an old-school Mac
again. This also has the side effect of making most of the Unix file permissions moot -- in other words,
if you boot into 9, you can probably delete the /bin directory REGARDLESS of your OS X
Administrator status, because regular MacOS doesn’t speak that language. There isn’t a complete
disregard for it, though. Some key files and directories from OS X will be “grayed out” in the Finder if
you boot into MacOS 9. But…from a Save or Open dialog in some applications, you can still see and
modify everything. Mac OS 9 is gradually being phased out, but in the meantime, all you can really do
is shrug and be careful.
Remember the Carbon thing? Those apps will run in OS X, or in Classic, or in OS 9 directly. So? Well,
if you make a bad mistake like I did, and hose your OS X system, you can (hopefully) still boot into OS
9. You can grab your original CD and boot off it long enough to change the Startup Disk setting and
reboot 9. Then, if you held onto some Carbon (or Classic) apps, you can go in and run them from 9 and
perhaps use them to recover your data. It’s nice to have a copy of Fetch that will work in either
environment -- I used it to move my data onto a network file server when I did the Bad Chmod that
time. In short: If you’ve got the disk space, it’s a good idea to hang onto Classic/Carbon apps even after
you install a superior Cocoa equivalent, so you double your chances of being able to recover from a bad
event. If you’re in 9 and you want to know whether some app will run or not, you can just try it, and
you’ll get a message if it’s Cocoa. In general, if the application icon appears properly in 9, it’s probably
Carbonized.
One other note: OS X Cocoa apps sometimes make use of “packages,” which are essentially application
bundles -- they will appear as a single icon that you double-click to launch, just like any other app, but
if you control-click them, you can see and alter the contents. Sort of like using ResEdit in the old days
to hack the resource fork, only now you don’t need a separate tool. But if you boot into OS 9, packages
will appear as folders since OS 9 doesn’t know what packages are -- don’t start adding or removing
things from them, because when you boot back into OS X, they might not work right anymore!
78
OS X Security “out of the box”
Is pretty good.
If I turn off my firewall and run TCP and UDP portscans
against my Mac, here are the results (notes sections):
I can explain what I see. Nothing mysterious. This is
important.
I haven’t done any low-level hacking to turn off default
services, so a base OS X install should have fewer
open ports than what I have.
Results of nmap -sT -p 1-65535 my-mac (that’s a plain vanilla TCP scan of all ports):
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on my-mac (some.ip.address):
(The 65530 ports scanned but not shown below are in state: closed)
Port       State   Service
22/tcp     open    ssh
80/tcp     open    http
427/tcp    open    svrloc
548/tcp    open    afpovertcp
902/tcp    open    unknown
913/tcp    open    unknown
2151/tcp   open    unknown
We know what the first two are. I’m running SSH (“Allow remote login” is turned on
in Sharing) and I’ve got Web Sharing turned on. 427 (svrloc) is the Server Location
daemon/protocol, which helps my Mac and other Macs find each other’s services on
the network. Port 548 shows File Sharing enabled (over TCP, default on OS X, though
I can enable AppleTalk as well). Nmap didn’t know what port 913 is for, so I Googled
for “port 913” and discovered that it’s the Sidecar port (part of Kerberos, which we
use to access protected portions of the Dartmouth website, among other things). Ports
902 and 2151 are for my BlitzMail ssh tunnel. If I hadn’t already known that, it’d be
kinda hard to figure out, since BlitzMail is a Dartmouth thing and Googling for those
ports will get you a lot of nonsense. But I could’ve tried telnetting to those ports…
79
What is THAT port?
bash mbates@my-mac ~ $ telnet localhost 902
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 DND server here.
Aha! Unfortunately, the same trick for 2151 is a lot less
informative.
bash mbates@my-mac ~ $ telnet localhost 2151
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
hello?
011 Unknown command: hell
helo
011 Unknown command: helo
help
011 Unknown command: help
user
013 Missing argument.
info
011 Unknown command: info
get
011 Unknown command: get
(I gave up and exited)
Heh. But, a logical next step might’ve been to search the Dartmouth
Computing Services webpages for info on what ports BlitzMail uses.
80
More on ports and services
• lsof -i shows ports and their corresponding services
• You can get this with netstat, but lsof is a little
easier to read and interpret
• You need to run it with sudo to see everything (since you
don’t own many of the network services)
Excerpt:
COMMAND    PID  USER  FD   TYPE  DEVICE      SIZE/OFF  NODE  NAME
automount  260  root   4u  inet  0x01bb8970  0t0       UDP   *:860
httpd      268  root  16u  inet  0x01d33cdc  0t0       TCP   *:80 (LISTEN)
httpd      270  www   16u  inet  0x01d33cdc  0t0       TCP   *:80 (LISTEN)
sshd       283  root   3u  inet  0x01d33a2c  0t0       TCP   *:ssh (LISTEN)
slpd       293  root   0u  inet  0x01bb8560  0t0       UDP   *:427
slpd       293  root   1u  inet  0x01d3377c  0t0       TCP   *:427 (LISTEN)
Results of nmap -sU -p 1-65535 my-mac (same as before, but UDP ports this time):
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on my-mac (some.ip.address):
(The 65526 ports scanned but not shown below are in state: closed)
Port        State   Service
68/udp      open    dhcpclient
123/udp     open    ntp
427/udp     open    svrloc
514/udp     open    syslog
860/udp     open    unknown
49152/udp   open    unknown
49155/udp   open    unknown
49158/udp   open    unknown
49160/udp   open    unknown
68 is for my Mac to get an IP address from the DHCP server on my network. 123 is
ntp, Network Time Protocol -- my Mac syncs its clock with Dartmouth’s NTP server.
427 is the UDP port for svrloc, explained on the previous slide (svrloc uses both TCP
and UDP). 514 is syslog appearing to listen on the network, but it doesn’t actually
accept data from other hosts. 860 is automounter listening for other hosts’ nfs
requests, which is moot since I don’t have any nfs shares defined. 49152 is being used
by Keyserver, and I can’t telnet to it (connection refused), so how would I know? I
cheated and used lsof. (Could’ve done that before too, but I wanted to show you
another way to figure out what ports are used for which applications.) The last three
ports are being used by lookupd, the all-purpose lookup daemon (for DNS among
other things) and again, I used lsof to figure that out.
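The two slides above do this reconciliation by hand: read nmap's list of open ports, then find each one in lsof -i. The shell script below is an added example (not from the lecture) that automates the join, so every open port ends up tied to a command, PID and user, and anything no listener claims is flagged for a closer look. Both inputs are constructed samples in the formats shown on the slides; the AppleFileServer and ssh-tunnel lsof lines are assumed, and 913/tcp is deliberately left out of the lsof sample so that an unaccounted-for port appears in the result. On a live Mac the same functions would take the output of nmap -sT -p 1-65535 and sudo lsof -i, and the point made above applies: without sudo, lsof only shows your own processes, so every root-owned daemon would show up as unaccounted.

```shell
#!/bin/sh
# Added example (not from the lecture): tie each open port in an nmap scan to
# the local process holding it, using `lsof -i` output, and flag any port that
# no listener accounts for. Both inputs are CONSTRUCTED samples in the formats
# shown on the slides; the AppleFileServer and ssh-tunnel lines are assumed, and
# 913/tcp is deliberately missing from the lsof sample.

NMAP_OUT='Interesting ports on my-mac (some.ip.address):
(The 65530 ports scanned but not shown below are in state: closed)
Port       State   Service
22/tcp     open    ssh
80/tcp     open    http
427/tcp    open    svrloc
548/tcp    open    afpovertcp
902/tcp    open    unknown
913/tcp    open    unknown
2151/tcp   open    unknown'

LSOF_OUT='COMMAND          PID  USER    FD   TYPE  DEVICE      SIZE/OFF  NODE  NAME
sshd             283  root     3u  inet  0x01d33a2c  0t0       TCP   *:ssh (LISTEN)
httpd            268  root    16u  inet  0x01d33cdc  0t0       TCP   *:80 (LISTEN)
httpd            270  www     16u  inet  0x01d33cdc  0t0       TCP   *:80 (LISTEN)
slpd             293  root     1u  inet  0x01d3377c  0t0       TCP   *:427 (LISTEN)
AppleFileServer  310  root     5u  inet  0x01d33b1c  0t0       TCP   *:afpovertcp (LISTEN)
ssh              401  mbates   4u  inet  0x01d33c5c  0t0       TCP   localhost:902 (LISTEN)
ssh              401  mbates   5u  inet  0x01d33cfc  0t0       TCP   localhost:2151 (LISTEN)'

# lsof prints service names from /etc/services where it knows them; map the
# few that appear in the sample back to numbers so the join is on numbers only.
port_number() {
    case "$1" in
        ssh)        echo 22 ;;
        http)       echo 80 ;;
        svrloc)     echo 427 ;;
        afpovertcp) echo 548 ;;
        *)          echo "$1" ;;
    esac
}

# "port proto" for every line nmap reports as open
nmap_open_ports() {
    printf '%s\n' "$NMAP_OUT" |
        awk '$2 == "open" { split($1, a, "/"); print a[1], a[2] }'
}

# "port proto command pid user" for every TCP LISTEN socket and every UDP
# socket in lsof -i output (columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME)
lsof_listeners() {
    printf '%s\n' "$LSOF_OUT" |
        awk 'NR > 1 && ($8 == "UDP" || ($8 == "TCP" && $10 == "(LISTEN)")) {
                 n = split($9, a, ":"); print a[n], tolower($8), $1, $2, $3 }' |
        while read -r port proto cmd pid user; do
            echo "$(port_number "$port") $proto $cmd $pid $user"
        done
}

# One line per open port: "port/proto -> command[pid] as user", or UNACCOUNTED
# when nothing in the lsof list claims that port (the first thing to go chase).
reconcile() {
    listeners=$(lsof_listeners)
    nmap_open_ports | while read -r port proto; do
        match=$(printf '%s\n' "$listeners" |
            awk -v p="$port" -v pr="$proto" \
                '$1 == p && $2 == pr { print $3 "[" $4 "] as " $5; exit }')
        if [ -n "$match" ]; then
            echo "$port/$proto -> $match"
        else
            echo "$port/$proto -> UNACCOUNTED"
        fi
    done
}

# Just the ports that still need explaining
unaccounted() {
    reconcile | awk '$3 == "UNACCOUNTED" { print $1 }'
}

reconcile
echo "--- not explained by any local listener:"
unaccounted
```

With the sample data, 913/tcp is the only line that comes back UNACCOUNTED, which is exactly the port the notes above had to Google for.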
81
Logs
Via syslog. Look in /var/log
system.log is a good place to start
• Firewall logs (seems buggy, at least with
BrickHouse -- sometimes stops???)
• Use of sudo
• Subsystem status messages
also, /var/log/httpd/access_log and error_log
others for other services (ftp, mail, etc.)
OS X logs via the Unix syslog facility. There may be some nice GUI log
reader available, but your best log analysis tools are grep and/or a good text
editor with a Find function. E.g.:
grep sudo /var/log/system.log                  # Look for all instances of sudo
tail -f /var/log/system.log | grep something   # Watch the log as it’s written (-f = “follow”)
                                               # and pipe the output to grep to look for “something”
grep -v <your-ip> /var/log/httpd/access_log    # Inverse grep (look for everything BUT your-ip)
And so on.
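The grep one-liners above find the sudo lines; as an added example (not from the lecture), the script below goes one step further and turns them into a small report, separating successful sudo use from refused attempts (wrong password, user not in sudoers) and counting both per user. The log lines are a constructed sample in sudo's standard syslog format, which is what lands in system.log on OS X; the user names, times and commands are made up, as is the sshd line that shows non-sudo entries being ignored.

```shell
#!/bin/sh
# Added example (not from the lecture): a small sudo report over system.log
# lines. The log below is a CONSTRUCTED sample in sudo's syslog format; the
# users, times and commands are made up. On a real Mac replace the variable
# with the output of:  grep ' sudo: ' /var/log/system.log
SYSTEM_LOG='Jan 15 10:23:45 my-mac sudo:   mbates : TTY=ttyp1 ; PWD=/Users/mbates ; USER=root ; COMMAND=/usr/sbin/lsof -i
Jan 15 10:25:02 my-mac sudo:   mbates : TTY=ttyp1 ; PWD=/Users/mbates ; USER=root ; COMMAND=/usr/sbin/tcpdump -i en0
Jan 15 10:30:11 my-mac sshd[512]: Accepted publickey for mbates from 10.0.0.5 port 40122 ssh2
Jan 15 11:02:17 my-mac sudo:      joe : user NOT in sudoers ; TTY=ttyp2 ; PWD=/Users/joe ; USER=root ; COMMAND=/usr/bin/su -
Jan 15 11:40:09 my-mac sudo:   mbates : 3 incorrect password attempts ; TTY=ttyp1 ; PWD=/Users/mbates ; USER=root ; COMMAND=/bin/sh'

# sudo_events -> "user|outcome|command" per sudo line; outcome is "ok" for a
# completed command, otherwise sudo's own reason (wrong password, not in sudoers)
sudo_events() {
    printf '%s\n' "$SYSTEM_LOG" |
        sed -n 's/^.* sudo: *\([^ ]*\) : \(.*\) ; COMMAND=\(.*\)$/\1|\2|\3/p' |
        awk -F'|' '{ outcome = ($2 ~ /^TTY=/) ? "ok" : $2
                     sub(/ ; .*$/, "", outcome)
                     print $1 "|" outcome "|" $3 }'
}

# sudo_failures -> only the lines where sudo refused
sudo_failures() {
    sudo_events | awk -F'|' '$2 != "ok"'
}

# sudo_commands_by USER -> the commands USER actually ran as root
sudo_commands_by() {
    sudo_events | awk -F'|' -v u="$1" '$1 == u && $2 == "ok" { print $3 }'
}

# sudo_summary -> "user|ok|count" and "user|failed|count", sorted bytewise
sudo_summary() {
    sudo_events |
        awk -F'|' '{ k = $1 "|" ($2 == "ok" ? "ok" : "failed"); c[k]++ }
                   END { for (k in c) print k "|" c[k] }' | LC_ALL=C sort
}

echo "Refused sudo attempts:"
sudo_failures
echo "Per-user summary:"
sudo_summary
```

The same sudo_events filter works on a live stream: pipe tail -f /var/log/system.log into the sed and awk stages in place of the printf.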
82
Unix and Mac can collide…
HFS+ is the native/default file system for OS X
OS X also supports UFS (Unix File System)
One big difference:
• HFS+ preserves case of file names, but is case-insensitive (filename = FileName = FILENAME)
• UFS is not! Those could be three separate files
• Implications?
Sometimes the Mac-ness and the Unix-ness of OS X really butt heads.
HFS+, the Mac’s native file system since approximately MacOS v. 8, is a case
preserving but case-insensitive file system. This means that, under HFS+, a
file called “goober” cannot exist in the same folder as a file called “GooBer”
or “GOOBER” etc. Those are all considered to be the same name. But, under
UFS, which is also supported by OS X, case DOES make a difference; UFS
would consider all of those to be separate file names. Well, so what?
83
Apache vulnerability!
“CERT/CC Vulnerability Note VU#439395
Apache web server performs case sensitive filtering
on Mac OS X HFS+ case insensitive filesystem...
...Impact: Can bypass Apache file access protection,
allowing remote unprivileged users to read privileged
files.”
Yikes!
THIS is what:
--------------------------------------------------------------------------------
CERT/CC Vulnerability Note VU#439395
Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive
filesystem
I. Description: The Apache web server's file access protection scheme (i.e., file request
"filtering") assumes that the filesystem being protected is case sensitive...
Under the Apache scheme, you specify whether to deny or allow access to a filesystem object
(which can be a directory, filename, or URL). The specifications are called "directives", which
include <Directory>, <Files> and <Location> directives. See
http://httpd.apache.org/docs/mod/core.html#directory for further information on directives.
When you use a directive to deny access to a file or directory using the Apache web server
under Mac OS X HFS+, the directive will NOT deny access to any other upper and lower case
variation on the filename or directory...
--------------------------------------------------------------------------------
OOPS! Some tweaking in the Apache config file could fix this, and Apple
released a patch right away, so it’s not an issue now. But this serves to
illustrate how programs which are accustomed to Unix/UFS behavior can
potentially be tripped up by seemingly-subtle differences like that.
For more details on this vulnerability and its solutions, go to:
http://www.kb.cert.org/vuls/id/439395
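As an added example (not from the lecture, and not Apache's code), the shell script below models the mismatch the CERT note describes. naive_denied compares a requested path to the deny list exactly, the way a case-sensitive filter does, so on a case-insensitive volume /Private/INDEX.html slips past a rule written for /private/index.html. fs_aware_denied folds case when the volume does, which is the behaviour an access check has to adopt on HFS+, and fs_is_case_insensitive probes a directory so a tool can find out at run time which kind of volume it is dealing with. The deny list and request paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the lecture or from Apache): why a case-sensitive
# deny check is not enough on a case-insensitive volume, and how to tell which
# kind of volume you are on. Deny list and request paths are CONSTRUCTED.

# Protected paths, as an administrator might write them in a deny rule.
DENY_LIST='/private/index.html
/private/notes.txt'

# naive_denied PATH -> 0 (deny) only on an exact, case-sensitive match.
# This is the behaviour VU#439395 describes: fine on UFS, bypassable on HFS+.
naive_denied() {
    printf '%s\n' "$DENY_LIST" | grep -qxF -- "$1"
}

# folded PATH -> PATH lower-cased, the identity a case-insensitive volume uses
folded() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# fs_aware_denied PATH MODE -> deny on a match under the volume's own rules;
# MODE is "insensitive" (HFS+) or "sensitive" (UFS)
fs_aware_denied() {
    if [ "$2" = insensitive ]; then
        req=$(folded "$1")
        printf '%s\n' "$DENY_LIST" |
            while read -r p; do folded "$p"; echo; done |
            grep -qxF -- "$req"
    else
        naive_denied "$1"
    fi
}

# fs_is_case_insensitive DIR -> 0 if DIR is on a case-insensitive volume,
# 1 if case-sensitive, 2 if the probe file could not be created.
# Creates a lower-case probe file and checks whether its upper-case name resolves.
fs_is_case_insensitive() {
    probe="$1/.casetest.$$"
    : > "$probe" || return 2
    if [ -e "$1/.CASETEST.$$" ]; then rc=0; else rc=1; fi
    rm -f "$probe"
    return $rc
}

# audit REQUEST MODE -> one line showing what each check decides
audit() {
    n=allow; f=allow
    naive_denied "$1" && n=deny
    fs_aware_denied "$1" "$2" && f=deny
    echo "$1  naive=$n  fs-aware($2)=$f"
}

audit /private/index.html insensitive
audit /Private/INDEX.html insensitive   # naive check lets this through
audit /Private/INDEX.html sensitive     # on UFS it really is a different name
if fs_is_case_insensitive .; then
    echo "current directory: case-insensitive volume (HFS+-like)"
else
    echo "current directory: case-sensitive volume (UFS-like)"
fi
```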
84
Ease of use
OS X is much more server-oriented than old MacOS
All sharing-related services are handled from a single
Preference pane
• One click turns on file sharing
• One click turns on FTP access to shared files
• One click turns on Web Sharing
• One click turns on SSH access
Even more important: One click turns these OFF!
OS X, even the non-“Server” version, is much more server-oriented than old MacOS.
Most of its server functionality can be turned on or off and configured through the
Sharing preference pane. The defaults for most services are well-thought-out and are
sufficient for most users’ needs.
In the Sharing preference pane, all of the following services can be turned on or off,
and tweaked:
• File sharing
• FTP access to shared files (yikes…)
• Web Sharing, which uses the tried-and-true Apache web server -- root web dir is
Admin-access only, and each user has homepage folder (http://.../~username)
• Remote shell access - using OpenSSH, not telnet!
• Remote Apple Events (formerly known as Program Linking)
Likewise, one click turns these OFF, which is important when a vulnerability in
Apache or OpenSSH is discovered. As of OS X 10.2, the Sharing pane also includes a
GUI to administer the firewall. From what I’ve seen, it seems pretty minimal...I’d still
recommend BrickHouse, which we’ll talk about soon.
A note: These service startup settings are written to a file, /etc/hostconfig. You can edit
this file directly to turn services on/off at startup. Good to know if you want to shut
down a service when you’re not sitting in front of the Mac (i.e., do this over SSH).
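As an added example (not from the lecture), here are a few shell functions for reading and changing the service flags in an /etc/hostconfig-style file, which is what the note above suggests doing over SSH. The key names used (SSHSERVER, WEBSERVER, AFPSERVER, IPFORWARDING, TIMESYNC) are assumed from 10.2-era systems rather than taken from the slides, and the file contents are a constructed sample; the script edits a temporary copy so that running it changes nothing on the real machine. On a real system you would point HOSTCONFIG at /etc/hostconfig and run it with sudo.

```shell
#!/bin/sh
# Added example (not from the lecture): read and change service flags in a
# /etc/hostconfig-style file. Key names are ASSUMED from 10.2-era systems; the
# file below is a CONSTRUCTED sample written to a temp file, so nothing on the
# real system is touched. Set HOSTCONFIG=/etc/hostconfig (under sudo) for real use.
SAMPLE_HOSTCONFIG='# /etc/hostconfig (constructed sample)
HOSTNAME=-AUTOMATIC-
AFPSERVER=-YES-
WEBSERVER=-YES-
SSHSERVER=-YES-
IPFORWARDING=-NO-
TIMESYNC=-YES-'

HOSTCONFIG=$(mktemp) || exit 1
printf '%s\n' "$SAMPLE_HOSTCONFIG" > "$HOSTCONFIG"
trap 'rm -f "$HOSTCONFIG" "$HOSTCONFIG.new"' EXIT

# hostconfig_get KEY -> prints the value (e.g. -YES-), empty if the key is absent
hostconfig_get() {
    sed -n "s/^$1=\(.*\)$/\1/p" "$HOSTCONFIG"
}

# hostconfig_set KEY VALUE -> rewrites the key's line. Refuses values hostconfig
# does not use and keys that are not already present, and swaps the new file
# into place with mv so an interrupted edit cannot leave a half-written file.
hostconfig_set() {
    case "$2" in
        -YES-|-NO-|-AUTOMATIC-) ;;
        *) echo "hostconfig_set: bad value '$2' (use -YES-, -NO- or -AUTOMATIC-)" >&2
           return 1 ;;
    esac
    grep -q "^$1=" "$HOSTCONFIG" || { echo "hostconfig_set: no key '$1'" >&2; return 1; }
    tmp="$HOSTCONFIG.new"
    sed "s/^$1=.*$/$1=$2/" "$HOSTCONFIG" > "$tmp" && mv "$tmp" "$HOSTCONFIG"
}

# enabled_services -> the keys set to -YES-, i.e. what will come up at boot
enabled_services() {
    sed -n 's/^\([A-Z]*\)=-YES-$/\1/p' "$HOSTCONFIG"
}

echo "Enabled at startup:"; enabled_services
echo "Turning SSHSERVER off..."
hostconfig_set SSHSERVER -NO-
echo "Enabled at startup now:"; enabled_services
```

Changing the file only affects the next startup; the running daemon still has to be stopped (or the service toggled in the Sharing pane) to close the port immediately.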
85
OS X 10.2 Sharing pane
Sharing pane under Jaguar. The “Internet” tab lets you share your connection
(i.e., act as a router) for other computers.
86
File Sharing
File Sharing is more intuitive, possibly less flexible.
Most of these have the red symbol because this is not my user folder, so I can’t peek in those folders.
To begin with, File Sharing is more intuitive, if less flexible -- each user
automatically has full permissions on his own directory, as well as a read-only
folder for sharing things with users/Guests and a write-only DropBox. There is
also a communal Shared folder which is read-only for all named users. The OS
9 sharing setup we went through for the two Joes etc. is basically the default
setup for OS X sharing -- pretty much any permutation of privileges you
would need is already available, just create your users and put the right things
in the right folders.
87
Connecting to other servers
Go menu -> “Connect to Server…” or ⌘-K:
This slide (self-referential)
88
Connecting with 10.2
Choose a realm, and X detects and displays available servers. Or, type the
address manually and hit Connect. Or, select from Favorites (top popup menu,
it bookmarks your most recent servers). In Jaguar (10.2), you can even browse
SMB shares!
89
Connecting to other servers
Once you’ve picked the server you want to connect to, the next
box should look familiar:
Hit the Options… button to
get the box below:
Familiar? This is one OS X
machine connecting to another.
Good to have a reminder.
This part of the process is pretty similar to the equivalent under old MacOS.
One thing that I find rather lacking is that you have to hit the Options button to
see what kind of password encryption is being used. But, you can also set a
preference to tell you when you’re about to send your password in clear text,
which is a step up from the OS 9 version.
90
Firewalling on OS X
OS X’s built-in firewall is ipfw. By default, allows anything. :(
There are a couple of good GUIs for it. Brickhouse!
Ipfw can be administered from the command line, but there are a couple of terrific
front end programs for it. Brickhouse, by Brian Hill (who’s written a heap of good
security apps for OS X) is $25 shareware. It’s well worth it. Brickhouse has a built-in
assistant feature to help guide you through creating a set of firewall rules, or you can
make your own. It even has Expert Mode, which displays the actual ipfw config file
and lets you edit that directly. Use drag and drop to re-order rules. It has logging in
human-readable format. It’s great.
Shortly after the release of Jaguar (10.2), Apple patched ipfw to enable support for
stateful rules. The firewalls lecture in this course covers what that means in detail, so
we’re not going to explore it right now, but suffice to say that stateful is very very
good. And the latest versions of Brickhouse are aware of the feature, and will generate
rules accordingly. One Brickhouse caveat: it is possible (at the time of this writing,
with version 1.2b9) to create a rule which contains invalid syntax and which causes
ipfw to silently fail. If you make a rule and specify “all” or “any” in the destination
port box, Brickhouse will not tell you that that’s wrong, and it’ll break your firewall.
If you want to specify all destination ports, just leave that box blank.
There’s a ton of documentation on ipfw, since it comes directly from the FreeBSD
camp.
91
Firewalling on OS X
Brickhouse’s Add Filter dialog box. Has a lot of presets, or you can create custom ones.
The Advanced Options button lets you specify flags and toggle logging for that
rule.
An odd caveat: I had to make an allow rule for SSH inbound from my IP to my
IP in order to tunnel SSH from Classic (even though they have the same IP!). If
you encounter this sort of strangeness between Classic and X, check your
firewall settings. This may not be necessary anymore in 10.2.
Another note: In 10.2, if you want to be able to browse local Windows
domains and shares (as opposed to just connecting to them if you know their
names), then you’ll need to add an allow rule for UDP traffic with destination
port 137 destined for your Mac.
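As an added example (not from the lecture, and not Brickhouse's code), the shell script below builds a small stateful ipfw ruleset as text and validates every destination-port field before emitting a rule, which guards against exactly the Brickhouse 1.2b9 problem described above: a word like “any” or “all” typed into the port box produced a rule ipfw rejected, and the firewall silently stopped working. The rule syntax is the FreeBSD ipfw syntax OS X 10.2 shipped (check-state, setup, keep-state, the “me” keyword); the rule numbers and the services chosen (ssh, Web Sharing, AFP over TCP, and the UDP 137 rule from the note above) are this example's own choices. The script only prints rules; loading them would be a separate sudo ipfw step.

```shell
#!/bin/sh
# Added example (not from the lecture or from Brickhouse): build a small
# stateful ipfw ruleset as text, validating each destination-port field so that
# a word like "any" or "all" fails loudly here instead of producing a rule ipfw
# rejects. Rule syntax is FreeBSD ipfw as shipped with OS X 10.2; the rule
# numbers and chosen services are this example's own.

# port_spec_ok SPEC -> 0 if SPEC is empty (meaning all ports), a number, a range
# such as 1024-65535, or a comma list of those, with every number <= 65535;
# 1 for anything else (including "any" and "all")
port_spec_ok() {
    [ -z "$1" ] && return 0
    printf '%s' "$1" | grep -Eq '^[0-9]+(-[0-9]+)?(,[0-9]+(-[0-9]+)?)*$' || return 1
    printf '%s' "$1" |
        awk -F'[,-]' '{ for (i = 1; i <= NF; i++) if ($i > 65535) bad = 1 }
                      END { exit bad }'
}

# allow_in PROTO PORTS RULENUM -> one "allow ... in" rule for traffic to this
# host ("me"); TCP rules match only connection setup and then keep state.
allow_in() {
    proto=$1 ports=$2 num=$3
    if ! port_spec_ok "$ports"; then
        echo "allow_in: bad destination port spec '$ports' (leave empty for all ports)" >&2
        return 1
    fi
    state="keep-state"
    [ "$proto" = tcp ] && state="setup keep-state"
    echo "add $num allow $proto from any to me ${ports:+$ports }in $state"
}

# build_ruleset -> loopback first, then the stateful check, then what this host
# may start outbound, then the inbound services we permit, then a logged deny.
# Any bad port spec aborts the whole build rather than emitting a partial set.
build_ruleset() {
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 check-state"
    echo "add 300 allow tcp from me to any out setup keep-state"
    echo "add 310 allow udp from me to any out keep-state"
    allow_in tcp 22  500 || return 1   # Remote Login (ssh)
    allow_in tcp 80  510 || return 1   # Web Sharing
    allow_in tcp 548 520 || return 1   # Personal File Sharing (AFP over TCP)
    allow_in udp 137 530 || return 1   # browsing Windows shares, per the note above
    echo "add 65000 deny log ip from any to any"
}

build_ruleset
echo "--- what Brickhouse 1.2b9 accepted silently:"
allow_in tcp any 600 || echo "(rejected before it could break the firewall)"
```

The deny rule carries log, so the blocked traffic ends up in system.log, which is where the Logs slide above says to look.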
92
Useful Tools - Network Utility
• ping
• traceroute
• whois
• nslookup
• netstat
• finger
• a port scanner (careful with that one.)
In most, if not all cases, these tools will work better and/or have more options
if you use them from the CLI. Especially netstat. (netstat -an | less) Know the
Terminal. Love the Terminal.
93
Useful Tools - Keychain
Keychain can store your passwords for frequently-accessed things, and prompt
you for your Keychain uber-password to unlock the other passwords. Many
apps are Keychain-aware (such as MacSFTP -- keeps you from having to reenter your password for every SCP operation you perform). It goes without
saying that your Keychain password ought to be very secure.
94
Useful Tools - Process Viewer
GUI for the Unix top command. Shows which apps are running on your Mac.
From here, you can select a process and the Process ID and Statistics tabs will
display information about it. You can also go to the Processes menu and select
“Quit Process” to kill it.
95
Useful Tools - NetInfo Manager
Getting into NetInfo is outside the scope of this class.
See the von Stauber presentations for more on NetInfo
Be careful with this tool and the command-line tools
(nidump, niutil, etc.) But you should know that they exist
in case you come across a howto that requires their use.
Put simply, NetInfo is a central directory for storage of service information
(e.g., DNS lookups, but it does more than that). It’s a distributed database
system, inherited from the days of NeXT. Since there aren’t many large OS X
environments, it’s usually manifested as a local database just on your machine.
Use Netinfo Manager to view information, but don’t change anything unless
you know what you’re doing. Among other things, you can use it to create
non-standard shares beyond the OS X default.
The OS X System Administration guide goes into some detail about NetInfo
and its security implications, see his references for more info.
96
Useful Tools - Terminal
We’ve already mentioned the Terminal a bunch of times.
It’s your window onto the CLI.
There is a Terminal-related caveat in OS X: aliases and
symlinks
The Terminal is how to get at the CLI on OS X. The default shell is tcsh, I use
bash. With some tweaking, you can get color-coded dir listings, syntax
highlighting in Vim, etc. All that cute Unix stuff. Google for what you want to
do and odds are that someone will already know how.
Terminal caveat: Mac aliases created in the Finder (which operate like
symlinks or Shortcuts) do not behave properly from the Terminal, at least not
in bash. They are treated as empty files. Furthermore, symlinks created in the
Terminal will not work as aliases in the Finder. It’s a quirk.
97
Useful Tools - tcpdump
Covered in detail in another class
Use sudo, and remember that the Mac’s ethernet
interface is called en0, not eth0, and you have to specify
it explicitly:
sudo tcpdump -i en0 …
MacSniffer is a nice front end
Tcpdump is included in OS X. It needs to be run with sudo or as root, and you
always have to tell it which interface to use (en0 by default).
MacSniffer is a good graphical front end for it, written by the same guy that
wrote BrickHouse.
98
Useful Tools - MacSniffer
MacSniffer lets you select options like capture size, how much header info to
show, hex/ascii data, name lookups on or off, etc. and you can create and run
filters to pick out the data you want to see. Ethereal-esque.
99
Useful Tools - MacJanitor
Shareware or freeware program for doing system
cleanup tasks like log rotation, cache cleanup, etc.
Good to use if you have to shut down your Mac every
night, since that may prevent a lot of tasks from running.
It’s important to keep your logs working properly, since that’s likely to be the
first place you look if you have a security problem.
100
Useful Tools - CheckMate
Preference pane to generate MD5 checksums of key files and scan for changes.
Brian Hill rules. CheckMate generates a list of MD5 checksums for key files
(and for any other files you add to it) and re-scans on a schedule you specify. It
emails you the scan results, and also sends an email alert if a checksum
has changed.
A caveat: If you toggle ftp on/off in the Sharing Pane, that does change
inetd.conf, which causes CheckMate to send an alert. Don’t panic.
101
Useful Tools - CheckMate
The files and their checksums. You can add/remove and import/export, or go back to default.
102
GPG Mac
The GNU Privacy Guard program for OS X. PGP-compatible.
• Follow the readme’s to a tee and you’ll be fine.
GPG for Mac OS X works perfectly as long as you follow every step in the
directions. The GUI tools are kinda minimalist, but they work, and everything
works fine from the CLI. Definitely not as pretty as PGP Freeware for Mac,
but it’ll get better. Apple’s “Mail” program has built-in GPG support, too.
103
MacSFTP Carbon
Drag-and-drop SCP (Secure CoPy).
Fetch-like interface, but secure. If you’re moving files between your Mac and
an SSH-able server, this is a must.
Caveat: It will keep asking for your password over and over (because each
transfer is a separate SCP action). But you can add that password to your
Keychain and then it will stop bugging you. (Remove it later if you’re worried
about your Keychain’s security.)
104
Surfing Differences
Principles and methods from the previous section also
hold true in OS X.
One big tip: OS X ships with Internet Explorer. Update it
asap.
Apple’s “Mail” program has SSL and GPG support! :)
Eudora, Outlook, BlitzMail for OS X are available
We covered the principles of safer surfing in the last section, so here we’ll
only skim and point out some key tips.
Thing One is, Internet Explorer comes with OS X. Make sure you update it
right away -- early versions had severe security problems.
Pure opinion re web browsers: Use OmniWeb. It’s shareware, but it has all
features enabled regardless of whether you register or not, and it has a bunch
of security and privacy options that are easy to understand and modify. It’s
also fully integrated with the Quartz engine, so even silly web pages look
beautiful when viewed with OmniWeb. This program is what tipped me over
the edge from OS 9 to X. :)
Apple’s email program, called Mail, doesn’t have much in the way of bells and
whistles but it does have SSL and GPG support. And there is a version of
BlitzMail for OS X, as well as Eudora for X, and Outlook (now called
Entourage I think?) I’m not sure how well the rest of these integrate with GPG,
since GPG is so new, but the support will be there soon if it’s not already.
Patches
Are vital.
Software Update
• Runs automatically, you can specify when (at least once a week please…)
You might be able to patch things quicker yourself with source code, but it’s usually not a great idea.
Apple’s pretty fast. If they’re not fast enough, then get creative with your firewall.
• Or turn off services and just wait.
106
Software Update runs automatically, once a week unless you say otherwise. Or you can
“Update Now.” Sometimes, you’ll hear about an update before your computer’s updater
detects it; try again in a few hours. Apple staggers the availability to avoid having a big
traffic glut all at once. If you don’t want to wait, you can download and install manually
-- go to the Apple menu and select “Get Mac OS X Software…” to be taken to the
website.
As an alternative to waiting for Apple’s patch, if you know which services are affected,
you can get the updated source code and compile it yourself. But the downside is that
this can confuse Software Update, making future updates more difficult to apply. Also,
some of the BSD things are specially tweaked for OS X, and if you overwrite them with
your own installation, you can lose functionality (I updated my copy of Apache
manually, and in the process broke my users’ Sites folders. Wonder what else I broke).
On average, Apple’s patches come out within a week or two of an advisory. Turn
off/block the affected service, or reconfigure/disable whatever aspect of the service is
affected, until you’ve installed the patch. But what if you absolutely cannot live without
that service for any length of time? Alter your usage to compensate. For example, the
OpenSSH vulnerability -- limit access to one other machine, then shell into that first.
By the way, run Software Update (and reboot when applicable) repeatedly until it says
“no updates available.” Why? Software Update updates have been released several
times, so older versions will not see all the newest updates.
Patching 3rd-party Software
Many software companies are following Apple’s example
• Automatic update check at startup
• Or “Check for Updates” menu option
If not, use http://www.versiontracker.com
Or go to Apple Menu -> “Get Mac OS X Software…” and find updates there. Categorized and searchable, not just Apple’s stuff.
107
It’s especially good to stay up-to-date with your programs now, even if they’re not
network- or security-related per se, since OS X is still so relatively new. Bug fixes
tend to be pretty major (like, stop Word from crashing on launch).
Conclusions
Why use MacOS/OS X?
Running OS X is a bigger security risk than using old MacOS.
We don’t know how much longer we’ll have the choice (OS 9 is being phased out) but for now, you might want it.
What do you use a computer for?
108
Why use MacOS/OS X?
Running OS X _is_ a bigger security risk than using old MacOS. You are in the
Unix world now.
What do you use a computer for? If you’re just doing word processing and using
a web browser, MacOS 9 is probably enough for you, and if you’re extremely
paranoid about hackers, that’s another reason to stick with old MacOS while you
still have the choice. If you’re not sharing files or web pages, your OS 9 Mac is a
fortress, network-wise.
But if you’re interested in Unix, OS X is a nice environment for learning about it;
you can delve in as deeply as you want through the Terminal, then back out and
use it as a Mac again. If you need the power of Unix and you like to write code,
or you need to be able to perform remote administration tasks (but don’t want to
cough up bucks for Timbuktu), OS X may be a great match. And in another year
or two, it will be your ONLY choice in the Mac world.
Conclusions
Security is not about definite rights and wrongs, it’s about business need. Or academic need.
Sometimes the benefits are worth the risks.
Hopefully, from what we’ve talked about, you’ll be able to minimize your risk with minimal expense.
Contact info: Email [email protected], AIM screen name nu11dev1ce
109
Please feel free to contact me by email or AIM anytime.
Appendix A -- URLs and sources
This is a list of URLs and other sources of information referenced in this class, plus some sources of supplemental information (not on the test).
110
1) Apple’s OS X Security Introduction: http://developer.apple.com/internet/macosx/securityintro.html
2) The iMac LoJack story: http://www.macscripter.net/un_ilojack.html
3) Mac OS X System Administration: http://www.occam.com/ocr/osx/OSX_SA.pdf
4) Mac OS X Security: http://conferences.oreillynet.com/presentations/macosx02/towns_leon.pdf
5) Brief Mac security intro. Here mainly for the port list: http://www.sans.org/infosecFAQ/mac/mac_sec.htm
6) OS X Security Intro paper. Based on 10.0, but still largely applicable: http://rr.sans.org/mac/OSX_sec.php
7) “The Challenges of Integrating the Unix and Mac OS Environments”: http://www.mit.edu/people/wsanchez/papers/USENIX_2000/
These are additional URLs mentioned in this presentation:
• http://www.anonymizer.com -- Anonymous websurfing
• http://www.bio.upenn.edu/computing/instructions/security/portforwarding/ -- How to make an ssh tunnel for the user/pass part of an ftp session
• BlitzMail alternatives:
https://basement.dartmouth.edu/blitz
http://netblitz2.dartmouth.edu/Bl.cgi
ssh textblitz.dartmouth.edu as user “blitz” with no password
• http://www.symantec.com/mac/security/macattack.html -- Mac virus information
• http://www.kb.cert.org/vuls/id/439395 -- OS X Apache HFS case vulnerability
Appendix B -- Supplemental Info
Not required reading, but good sources of more information.
111
Supplemental information:
http://www.securemac.com
http://www.macsecurity.org/
http://www.macwrite.com/macsecurity/mac-os-x-security-intro.php
http://www.macosxhints.com/search.php?mode=search&type=stories&topic=network
http://www.info.apple.com/usen/security/index.html
http://www3.sympatico.ca/dccote/firewall.html
http://www.macintoshsecurity.com/modules.php?name=Topics
http://forums.osxfaq.com/index.php
http://freaky.staticusers.net/update.shtml
http://www.info.apple.com/usen/security/security_updates.html
book://“Internet Security For Your Macintosh.” By Alan B. Oppenheimer and Charles H. Whitaker.
Less relevant:
OS X Guide -- a shareware “book” distributed as a PDF. About 75 pages. It’s general OS X info, some of which is security-related. If you’d like to know more general OS X info, blitz me and I’ll send it to you.
http://www.securemac.com/osxsecurity.php -- Intro to securing OS X Server
http://www.macdevcenter.com/pub/a/mac/2002/01/29/apache_macosx_four.html?page1 -- A short article on using Apache under OS X.
http://web.archive.org/web/20011129045631/http://homepage.mac.com/gdif/tipstricks.html -- Mac OS X tips and tricks aimed at the Unix side of the OS, several security-relevant.
Appendix C -- Software
Where to download or buy the things we mentioned.
112
Uber-site for OS X software: “Get OS X Software...” from Apple menu.
MacSSH and MacSFTP, Classic or Carbon: http://www.macssh.com
Timbuktu: http://www.netopia.com/en-us/software/products/tb2/mac/index.html
Fetch (FTP): old free version on PUBLIC, new shareware version at http://www.fetchsoftworks.com
Eudora: http://www.eudora.com/
BlitzMail: Classic version on PUBLIC, new version at http://www.dartmouth.edu/~helpdesk/help/mac_updates.html
Kerberos for OS X: http://www.dartmouth.edu/~helpdesk/help/mac_updates.html (Classic on PUBLIC)
Norton Antivirus: Dartmouth used to have a site license agreement, $7 per copy, or http://www.symantec.com/product/ (also URL for Personal Firewall)
BrickHouse, CheckMate, MacSniffer, MacJanitor, and other good stuff: http://personalpages.tds.net/~brian_hill/
GPG Mac: http://macgpg.sourceforge.net/
PGPFreeware for Mac: http://download.com.com/3000-21495065566.html?legacy=cnet
OmniWeb: http://www.omnigroup.com/applications/omniweb/
Many of these are also on the CD, as well as some other programs we didn’t mention. Dartmouth carries a lot of the commercial software, so you get an academic discount if it’s available (and no sales tax, yay). MacConnection.com is also good, ask for academic pricing.
This space for rent.
113