
Macintosh Security Basics - Presentation Notes



Useful Tools - CheckMate - Part 2

The files and their checksums. You can add/remove and import/export, or go back to the default.

 


GPG Mac

The GNU Privacy Guard program for OS X. PGP-compatible.

• Follow the readmes to a tee and you’ll be fine.

GPG for Mac OS X works perfectly as long as you follow every step in the directions. The GUI tools are kinda minimalist, but they work, and everything works fine from the CLI. Definitely not as pretty as PGP Freeware for Mac, but it’ll get better. Apple’s “Mail” program has built-in GPG support, too.


MacSFTP Carbon

Drag-and-drop SCP (Secure CoPy).

Fetch-like interface, but secure. If you’re moving files between your Mac and an SSH-able server, this is a must.

Caveat: It will keep asking for your password over and over (because each transfer is a separate SCP action). But you can add that password to your Keychain and then it will stop bugging you. (Remove it later if you’re worried about your Keychain’s security.)


Surfing Differences

Principles and methods from the previous section also hold true in OS X.

One big tip: OS X ships with Internet Explorer. Update it asap.

Apple’s “Mail” program has SSL and GPG support! :)

Eudora, Outlook, BlitzMail for OS X are available

We covered the principles of safer surfing in the last section, so here we’ll only skim and point out some key tips.

Thing One is, Internet Explorer comes with OS X. Make sure you update it right away -- early versions had severe security problems.

Pure opinion re web browsers: Use OmniWeb. It’s shareware, but it has all features enabled regardless of whether you register or not, and it has a bunch of security and privacy options that are easy to understand and modify. It’s also fully integrated with the Quartz engine, so even silly web pages look beautiful when viewed with OmniWeb. This program is what tipped me over the edge from OS 9 to X. :)


Patches

Are vital.

Software Update

• Runs automatically, you can specify when (at least once a week please…)

You might be able to patch things quicker yourself with source code, but that's usually not a great idea.

Apple’s pretty fast. If they’re not fast enough, then get creative with your firewall.

• Or turn off services and just wait.

Software Update runs automatically, once a week unless you say otherwise. Or you can “Update Now.” Sometimes, you’ll hear about an update before your computer’s updater detects it; try again in a few hours. Apple staggers the availability to avoid having a big traffic glut all at once. If you don’t want to wait, you can download and install manually -- go to the Apple menu and select “Get Mac OS X Software…” to be taken to the website.

As an alternative to waiting for Apple’s patch, if you know which services are affected, you can get the updated source code and compile it yourself. But the downside is that this can confuse Software Update, making future updates more difficult to apply. Also, some of the BSD things are specially tweaked for OS X, and if you overwrite them with your own installation, you can lose functionality (I updated my copy of Apache manually, and in the process broke my users’ Sites folders. Wonder what else I broke).

On average, Apple’s patches come out within a week or two of an advisory. Turn off/block the affected service, or reconfigure/disable whatever aspect of the service is affected, until you’ve installed the patch. But what if you absolutely cannot live without that service for any length of time? Alter your usage to compensate. For example, the OpenSSH vulnerability -- limit access to one other machine, then shell into that first.

By the way, run Software Update (and reboot when applicable) repeatedly until it says “no updates available.” Why? Software Update updates have been released several times, so older versions will not see all the newest updates.
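The repeat-until-clean advice above, written as a shell loop around Apple's `softwareupdate` command-line tool. This is an added example, not part of the original notes; the function names, the round cap, and the assumption that available updates appear on lines starting with `*` belong to the example.

```shell
#!/bin/sh
# Added example: repeat "list, then install" until no updates remain.
# list_updates / install_updates wrap Apple's softwareupdate CLI; redefine
# them with stubs to exercise the loop on a machine that is not a Mac.
# Usage: update_until_clean 5; echo "install passes: $ROUNDS"

list_updates() { softwareupdate --list 2>&1; }
install_updates() { softwareupdate --install --all; }

# Assumption: each available update is listed on a line starting with "*",
# and nothing is starred when the tool reports no new software.
has_updates() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*\*'
}

# update_until_clean MAX_ROUNDS
# Sets ROUNDS to the number of install passes performed.
# Returns 0 once a listing comes back empty, 1 if listing or installing
# fails, 2 if updates are still offered after MAX_ROUNDS passes.
update_until_clean() {
    max=${1:-5}
    ROUNDS=0
    while :; do
        listing=$(list_updates) || return 1
        if ! has_updates "$listing"; then
            return 0
        fi
        # Cap the loop so an update that keeps reappearing cannot spin forever.
        [ "$ROUNDS" -ge "$max" ] && return 2
        install_updates || return 1
        ROUNDS=$((ROUNDS + 1))
    done
}
```

Updates that need a restart still need one; a return code of 2 usually means a reboot is pending, so run the loop again afterwards.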


Patching 3rd Party Software

Many software companies are following Apple’s example

• Automatic update check at startup
• Or “Check for Updates” menu option

If not, use http://www.versiontracker.com

Or go to Apple Menu -> “Get Mac OS X Software…” and find updates there. Categorized and searchable, not just Apple’s stuff.

It’s especially good to stay up-to-date with your programs now, even if they’re not network- or security-related per se, since OS X is still so relatively new. Bug fixes tend to be pretty major (like, stop Word from crashing on launch).


Conclusions

Why use MacOS/OS X?

Running OS X is a bigger security risk than using old MacOS.

We don’t know how much longer we’ll have the choice (OS 9 is being phased out) but for now, you might want it.

What do you use a computer for?


Security is not about definite rights and wrongs, it’s about business need. Or academic need.

Sometimes the benefits are worth the risks.

Hopefully, from what we’ve talked about, you’ll be able to minimize your risk with minimal expense.

Contact info: Email mbates@ists.dartmouth.edu, AIM screen name nu11dev1ce

Why use MacOS/OS X?

Running OS X _is_ a bigger security risk than using old MacOS. You are in the Unix world now.

What do you use a computer for? If you’re just doing word processing and using a web browser, MacOS 9 is probably enough for you, and if you’re extremely paranoid about hackers, that’s another reason to stick with old MacOS while you still have the choice. If you’re not sharing files or web pages, your OS 9 Mac is a fortress, network-wise.

But if you’re interested in Unix, OS X is a nice environment for learning about it; you can delve in as deeply as you want through the Terminal, then back out and use it as a Mac again. If you need the power of Unix and you like to write code, or you need to be able to perform remote administration tasks (but don’t want to cough up bucks for Timbuktu), OS X may be a great match. And in another year or two, it will be your ONLY choice in the Mac world.

Please feel free to contact me by email or AIM anytime.


Appendix A -- URLs and sources

This is a list of URLs and other sources of information referenced in this class, plus some sources of supplemental information (not on the test).

1) Apple’s OS X Security Introduction: http://developer.apple.com/internet/macosx/securityintro.html

2) The iMac LoJack story: http://www.macscripter.net/un_ilojack.html

3) Mac OS X System Administration: http://www.occam.com/ocr/osx/OSX_SA.pdf

4) Mac OS X Security: http://conferences.oreillynet.com/presentations/macosx02/towns_leon.pdf

5) Brief Mac security intro. Here mainly for the port list: http://www.sans.org/infosecFAQ/mac/mac_sec.htm

6) OS X Security Intro paper. Based on 10.0, but still largely applicable: http://rr.sans.org/mac/OSX_sec.php

7) “The Challenges of Integrating the Unix and Mac OS Environments”: http://www.mit.edu/people/wsanchez/papers/USENIX_2000/

These are additional URLs mentioned in this presentation:

http://www.anonymizer.com -- Anonymous websurfing

http://www.bio.upenn.edu/computing/instructions/security/portforwarding/ -- How to make an ssh tunnel for user/pass part of ftp session

• Blitzmail alternatives:

https://basement.dartmouth.edu/blitz

http://netblitz2.dartmouth.edu/Bl.cgi

ssh textblitz.dartmouth.edu as user “blitz” with no password

http://www.symantec.com/mac/security/macattack.html -- Mac virus information

http://www.kb.cert.org/vuls/id/439395 -- OS X Apache HFS case vulnerability
 


Appendix B -- Supplemental Info

Not required reading, but good sources of more information.

http://www.securemac.com

http://www.macsecurity.org/

http://www.macwrite.com/macsecurity/mac-os-x-security-intro.php

http://www.macosxhints.com/search.php?mode=search&type=stories&topic=network

http://www.info.apple.com/usen/security/index.html

http://www3.sympatico.ca/dccote/firewall.html

http://www.macintoshsecurity.com/modules.php?name=Topics

http://forums.osxfaq.com/index.php

http://freaky.staticusers.net/update.shtml

http://www.info.apple.com/usen/security/security_updates.html

book://“Internet Security For Your Macintosh.” By Alan B. Oppenheimer and Charles H. Whitaker.

Less relevant:


OS X Guide -- a shareware “book” distributed as a PDF. About 75 pages. It’s general OS X info, some of which is security-related. If you’d like to know more general OS X info, blitz me and I’ll send it to you.

http://www.securemac.com/osxsecurity.php -- Intro to securing OS X Server

http://www.macdevcenter.com/pub/a/mac/2002/01/29/apache_macosx_four.html?page1 -- A short article on using Apache under OS X.

http://web.archive.org/web/20011129045631/http://homepage.mac.com/gdif/tipstricks.html -- Mac OS X tips and tricks aimed at the Unix side of the OS, several security-relevant.

 
