Macintosh Security Basics - Presentation Notes

A little bit of history.

MacOS < OS X has no command line.

“Where’s the DOS?” There isn’t one.

Control vs. simplicity
MacOS versions prior to OS X have no command line. The “GUI” you see IS the actual OS, not just a user interface on top of an underlying OS structure. This may seem obvious, but people have asked me “Where’s the DOS?” There isn’t one.

So, WYSIWYG for real. Depending on your point of view, this can be extremely comforting, or extremely frustrating. Or both.



There can be only one.

Historically, single-user systems

Multi-user addons: AtEase, Multiple Users

But, no over-the-network console login

Timbuktu
Macs were historically always single-user systems. Things like AtEase (and more recently, Multiple Users, which comes with the OS) allow for different users with different levels of access privileges (kinda like the Win98 login). But there is no over-the-network console login. You can’t remotely connect to your Mac as though you’re sitting at the actual keyboard. (Well, there is Timbuktu...we’ll talk about that later.)


Macs can serve

Some built-in server functionality

• File Sharing
• Printer Sharing
• Personal Web Sharing

With 3rd party apps, FTP/Gopher server, etc.

Remote administration -- Timbuktu.
Some built-in server functionality exists, but with limited over-the-network user control.

In other words, “out of the box” Macs can share files (File Sharing), act as print servers for printing over the network (Printer Sharing), and serve web pages (Personal Web Sharing). With the shareware program NetPresenz, a Mac can be an FTP/web/gopher server.

But remote administration of a (non-OS X) Mac is tricky. Perhaps the most powerful tool for this is Timbuktu.


Ok, so what’s Timbuktu?

Server component on one Mac

Client on another Mac

Client can control the server

iMac = LoJack!
Like PCAnywhere. Load the server component on one Mac, load the client on another Mac, and the client can control the server. You can even move the cursor, open/close apps, etc. on the remote machine. Nice for teaching and presentations.

Also nice for turning a stolen iMac into a LoJack. :) See handout # 2 or URL below.

http://macscripter.net/unscripted/unscripted.php?id=P12_0_1_0_C

Not really important to our class, but OH so cool.


General Security implications

Single-user-ness -- inconvenient, but aids security.

• Typically, not a lot of services listening on ports

• No remote login

Basic services - relatively easy to do safely

Without physical access, not much a bad guy can do
The Mac’s single-user-ness, while sometimes inconvenient, helps contribute to its security. You generally do not have a bunch of services listening on ports and you cannot log in remotely. Even if you do set up file and web sharing, it’s pretty easy to do it safely. Without physical access to the machine, there is not much a bad guy can do to a stock Mac.


Unique is Good

(Apple users have learned how to find the silver lining in a mushroom cloud.)

Macs are a small population -- security advantage

Example: Viruses.

• Creators want large-scale effects, so, go after the big target -- Windows.
• Why bother with Macs? Too small of a target.
Mac users, by virtue of being part of a relatively small population, have some significant security advantages.

Take viruses. People who create viruses and worms tend to want their little creations to have large-scale effects. This is part of the reason why there are so many Windows viruses -- big target. Who’s going to bother to spend all the time and effort making a piece of Mac-specific malware that affects maybe ten percent of all computer users?


Unique, but still pretty versatile

Security tools available for Macs that you might not have known about:

• PGP, email with SSL support, SSH, SFTP, personal firewalls, antivirus software, VPN clients, traceroute, ping, sniffers, file encryption tools, etc.

Lots are free, or cheap shareware. Many available on Dartmouth’s PUBLIC file server.
PGP: MacPGP (for older systems -- free), Network Associates PGPFreeware (free for academics), GPG for OS X (GPL, free)

SSL email: Eudora, Outlook/Entourage, Communicator? All free, all available for OS X or Classic

SSH: MacSSH (free), F-secure SSH for Mac (payware, big academic discount, but MacSSH is better anyway). SSH is built in to OS X.

SFTP: MacSFTP Carbon, MacSFTP Classic, shareware (cheap)

Personal firewalls: Norton for Mac, commercial, academic discount. OS X has built-in fw, Brickhouse front end is shareware.

Antivirus: Various. Norton is good, academic discount.

VPN -- CheckPoint VPN-1 for MacOS 8 and up. Commercial, academic price unknown.

Traceroute -- WhatRoute. Free. Get from PUBLIC. Not needed on OS X.

Ping -- MacPing. Free, PUBLIC. Not needed on OS X.

Sniffers -- Etherpeek, NetWatchman, others…most seem to be payware, but you can use demos for free.

File encryption -- PGP (see above), Apple File Encryption tool, Stuffit Lite (stuff and require password -- not really encryption, but does help hide the data in a pinch). Available for OS X or Classic, free.


Versatile in not so nice ways

Macs were not completely overlooked by the black hat community…

• Several groups develop Mac hacking software
• Online sources of Mac hacks, e.g. Freaky’s, alt.hackintosh, HotLine servers, etc.
• There were/are a variety of blackhat tools and exploits for Mac
In spite of the uniqueness factor, Macs were not completely overlooked by the black hat community. A handful of small but dedicated underground hacker groups do develop Mac hacking software, and there are online sources devoted to Mac hacks, e.g. Freaky’s Macintosh hacks archive, alt.hackintosh, HotLine servers, and more.

There were/are a variety of blackhat tools and exploits for Mac.

AtEase and File Sharing hacks, SubSeven trojan, portscanners, keystroke loggers, BackOrifice client (for Mac users who want to 0\/\/N BO’d Windows victims), anonymous emailers, DoS attacks (an early version of Open Transport had a bug; it was used in a DDoS attack here at Dartmouth and it brought our network to its knees)... etc.


What to do

Now:
OS X, the Unix-based next generation of Mac OS. We’re not so unique anymore.

Our focus:
How to secure your Mac using mainly the tools that came with it, and how you can use the network/Internet more securely.

Mac OS 9.x and Mac OS X. Not OS X Server.
And now, we have...OS X, the Unix-based next generation of MacOS, and EVERYTHING has changed. We’re not so unique anymore.

We’re going to focus on how you can secure your Mac using mainly the tools that came with it, and how you can use the network/Internet more securely. Starting with old MacOS (still in use on a lot of old and not so old machines, and as a second boot choice under OS X), and then moving on to OS X (now preinstalled on new Macs).

We won’t be getting into Mac OS X Server, but the same principles that apply to normal OS X also apply to Server.


Physical Security

Crucial. Generally, if someone has physical access to your Mac, they can own it.

• Boot from external devices
• Single-user mode (OS X)
• Mess with OF
• OS X can dual-boot into OS 9, rendering Unix file permissions moot

Options:
Security cage, disable single-user mode, password-protect OF, password protect HD
Crucial. Generally, if someone has physical access to your Mac, they can own it. They can boot from CD-ROM, Zip, netboot, or an external USB/FireWire drive; in OS X, they can boot single-user mode (root shell with no password), or boot old MacOS, at which point OS X’s permissions become moot (similar to dual-boot Windows machines).

Options:

Security cage. Block access to CD-ROM etc. and rear ports. Annoying if it’s the machine you use every day.

In OS X, disable single-user mode in Open Firmware, then password-protect OF. But that can cut both ways -- SUM is sometimes the last resort for rescuing data. (The Miller handout mentions a utility to password-protect single-user mode -- I have not tried it, but that might be a good thing to add.)

For MacOS, there is third party software for password-protecting the hard disk such that it can’t be mounted even if you boot off other media. Don’t forget the password though...



Physical Security Solutions

Realistically: Be sensible.

• In a server environment, lock and key
• In a dorm, hide the power cord or the mouse, or pull the hard drive power connector and then lock the case with a padlock. :) No tools needed.
Realistically, the best option is to be sensible.

In a server environment, important machines should be under supervision and/or lock and key anyway.

In a place like a dorm, you can discourage the casual nosiness of your roommate’s friends when you’re not there by doing something like hiding the power cord or the mouse, or, for the slightly geekier approach, pulling the hard drive power connector and then locking the case with a padlock (the case has a built-in loop for this purpose).


File Sharing

Client use:

• Prep

• AppleTalk “on” (see Chooser)

• AppleTalk set to proper network interface (AppleTalk Control Panel -> Ethernet)

• Connecting to shares

• Old and new way (same end result, new way is a bit easier and more flexible).
First, client use. Quick howto:

Make sure AppleTalk is “on” (see Chooser) and that it is pointed at the right network interface (AppleTalk Control Panel, choose Ethernet.)

Connecting to shares the “old school” way:

Apple Menu -> Chooser -> AppleShare -> pick a zone -> pick a server from the list of servers in that zone -> connect using a logon and password, or select “Guest” if available/applicable.

The newfangled way:

Launch Network Browser (from Apple Menu, probably) -> pick a domain (or just go for AppleTalk) -> look for servers, connect as above.


Password Encryption

Starting with MacOS 9, File Sharing passwords are encrypted BUT…

ONLY if both the client and server are running OS 9.x or better. Backwards compatibility.

Newer client will default to a clear text password in order to accommodate the older Mac.

Login window will indicate the level of security of the password transfer.
Starting with MacOS 9, File Sharing passwords are encrypted (I don’t know the scheme), but ONLY if both the client and server are running OS 9.x or better. In other words, to maintain backwards compatibility, if a MacOS 9 user tries to connect to a MacOS 8 server (or another old server, like Linux with netatalk), then the OS 9 client will default to a clear text password in order to accommodate the older Mac. You will be able to tell when you go to login -- the login window will indicate the level of security of the password transfer. If it says “clear text” then watch out.


OS 9 on both ends

MacOS 9 to MacOS 9

 


OS 9 to old server

MacOS 9 to Linux Netatalk
 



OS 9 to OS X

MacOS 9 to OS X (Diffie-Hellman Exchange)
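
The three login cases above, modelled as an added example (not code from the original notes or from Apple): the client picks the strongest login method both ends offer, and a policy check refuses to send the password when the only common method is clear text. The method labels, their ranking and the server profiles are assumptions built from the slide captions, not real AFP identifiers.

```python
# Added illustration of the fallback described in the notes. The method
# labels and their ranking are assumptions taken from the slide captions,
# not real AFP protocol identifiers.
STRENGTH = {
    "clear text": 0,
    "encrypted": 1,                # OS 9 to OS 9 (scheme not given in the notes)
    "diffie-hellman exchange": 2,  # OS 9 to OS X
}

# Constructed profiles: which login methods each kind of server offers.
SERVERS = {
    "MacOS 9": ["clear text", "encrypted"],
    "MacOS 8": ["clear text"],
    "Linux netatalk": ["clear text"],
    "OS X": ["clear text", "diffie-hellman exchange"],
}
OS9_CLIENT = ["clear text", "encrypted", "diffie-hellman exchange"]


def negotiate(client, server):
    """Strongest method both ends support, or None if nothing is shared."""
    common = set(client) & set(server)
    return max(common, key=STRENGTH.get) if common else None


def login_decision(client, server, allow_clear_text=False):
    """Return (method, send_password). Clear text is refused by default."""
    method = negotiate(client, server)
    if method is None:
        return (None, False)
    if method == "clear text" and not allow_clear_text:
        return (method, False)
    return (method, True)


def clear_text_servers(client, servers):
    """Names of servers where this client would fall back to clear text."""
    return sorted(name for name, offered in servers.items()
                  if negotiate(client, offered) == "clear text")


if __name__ == "__main__":
    for name, offered in SERVERS.items():
        method, send = login_decision(OS9_CLIENT, offered)
        print(f"{name:15} -> {method:24} send password: {send}")
    print("clear text fallback:", clear_text_servers(OS9_CLIENT, SERVERS))
```

The point of the model is that the weaker end decides: a client that supports every method still ends up on clear text if that is all the server offers.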

 


What if it IS clear text?

Sensitive data?

Only copy?

• If so, use encryption, or another medium

Access privileges?
• Impostors logging in as you, what could they do?

Server admin contact?

Duplicate password?
Is the data on the other end extremely sensitive or is it the only copy? Perhaps you should encrypt it or compress and password-protect the file(s) first, or use another more secure medium to transfer them.

What access privileges does your account have on that server? (In other words, if someone did sniff your password, and that person later logs in as you, can he damage the system? It would look like YOU did it.)

Can you contact the server admin and ask him to change your password to something else? (You can usually change it yourself, but of course if the whole communication is unencrypted, then the new password will also be visible to a sniffer.)

Are you using the same password that you use for other things (like BlitzMail, KClient, your web account, etc.)? A bad guy will probably try applying that password to these other services.


Done with client, now: Server FS

Lots of (better) alternatives…

• Dartfiles
• Blitz
• Dartmouth ftp
• Floppy, Zip, CD-R or CDRW
• USB/FireWire HD
Don’t do it unless you have to. Alternatives:

Put copies of your most-used and/or current working files in your 10MB folder on Locker, Strongbox, or Vault.

Blitz them to yourself.

If you have a homepage at Dartmouth, make a directory on the ftp server where your webpages live, and use that to move files around (you have 5MB of storage for web files, more than most would ever need for webpages).

Carry a floppy or Zip disk. If you have a CD burner, carry a CDR or CDRW with copies of your stuff on it. Media is cheap.

External hot-swappable drives (how about your iPod? ;) are getting cheaper.


The point of diversification

Eggs in one basket and all that. Lose a copy at worst, your Mac doesn’t go down with it.

You might want File Sharing anyway:

• Collaboration on group projects
• Fun stuff (sharing games, pictures, or mp3s)

How to do it safely.
If someone hacks into your Strongbox folder, or Webster, or you lose the Zip disk, then you’ve lost only a copy of your stuff. Beats the heck out of someone breaking into your Mac and deleting the originals or nuking your System Folder.

But, File Sharing is nice and lots of people use it not only for retrieving things remotely, but also for collaborating on group projects (you and your project partners could upload and download each other’s work from a shared folder, for example) and for fun stuff (sharing games, pictures, or mp3s -- of course, only the legal ones). So let’s go into how to do it right.