ENGS 69: Engineering Secure Computer Systems: Macintosh Security Basics
TRANSCRIPT
Macintosh Security Basics • IRIA Group, Dartmouth College • Hanover, NH • Winter 2002-2003
Thayer School of Engineering, Dartmouth College
Winter 2002-2003
Marion Bates, Investigative Research for Infrastructure Assurance
ENGS 69: Engineering Secure Computer Systems
Macintosh Security Basics
What we’ll cover:
Basic system security for MacOS (mainly v. 9.x) and Mac OS X, including:
• File Sharing (from both client and server perspectives)
• Network/Internet client security (“safe surfing”)
• Firewalls, viruses, email
• OS X basics, bonuses, and pitfalls
We’ll start with MacOS 9, since OS X inherits from 9.
Macintosh Security Basics
MacOS < OS X has no command line.
“Where’s the DOS?” There isn’t one.
Control vs. simplicity
A little bit of history.
MacOS versions prior to OS X have no command line. The “GUI” you see IS the actual OS, not just a user interface on top of an underlying OS structure. This may seem obvious, but people have asked me “Where’s the DOS?” There isn’t one.
So, WYSIWYG for real. Depending on your point of view, this can be extremely comforting, or extremely frustrating. Or both.
Historically, single-user systems
Multi-user addons: AtEase, Multiple Users
But, no over-the-network console login
Timbuktu
There can be only one.
Macs were historically always single-user systems. Things like AtEase (and more recently, Multiple Users, which comes with the OS) allow for different users with different levels of access privileges (kinda like the Win98 login). But there is no over-the-network console login. You can’t remotely connect to your Mac as though you’re sitting at the actual keyboard. (Well, there is Timbuktu...we’ll talk about that later.)
Some built-in server functionality
• File Sharing
• Printer Sharing
• Personal Web Sharing
With 3rd party apps, FTP/Gopher server, etc.
Remote administration -- Timbuktu.
Macs can serve
Some built-in server functionality exists, but with limited over-the-network user control.
In other words, “out of the box” Macs can share files (File Sharing), act as print servers for printing over the network (Printer Sharing), and serve web pages (Personal Web Sharing). With the shareware program NetPresenz, a Mac can be an FTP/web/gopher server.
But remote administration of a (non-OS X) Mac is tricky. Perhaps the most powerful tool for this is Timbuktu.
Server component on one Mac
Client on another Mac
Client can control the server
iMac = LoJack!
Ok, so what’s Timbuktu?
Like PCAnywhere. Load the server component on one Mac, load the client on another Mac, and the client can control the server. You can even move the cursor, open/close apps, etc. on the remote machine. Nice for teaching and presentations.
Also nice for turning a stolen iMac into a LoJack. :) See handout #2 or the URL below.
http://www.macscripter.net/un_ilojack.html
Not really important to our class, but OH so cool.
Single-user-ness -- inconvenient, but aids security.
• Typically, not a lot of services listening on ports• No remote login
Basic services - relatively easy to do safely
Without physical access, not much a bad guy can do
General security implications
The Mac’s single-user-ness, while sometimes inconvenient, helps contribute to its security. You generally do not have a bunch of services listening on ports and you cannot log in remotely. Even if you do set up file and web sharing, it’s pretty easy to do it safely. Without physical access to the machine, there is not much a bad guy can do to a stock Mac.
(Apple users have learned how to find the silver lining in a mushroom cloud.)
Macs are a small population -- security advantage
Example: Viruses.
• Creators want large-scale effects, so, go after the big target -- Windows.
• Why bother with Macs? Too small of a target.
Unique is Good
Mac users, by virtue of being part of a relatively small population, have some significant security advantages.
Take viruses. People who create viruses and worms tend to want their little creations to have large-scale effects. This is part of the reason why there are so many Windows viruses -- big target. Who’s going to bother to spend all the time and effort making a piece of Mac-specific malware that affects maybe ten percent of all computer users?
Security tools available for Macs that you might not have known about:
• PGP, email with SSL support, SSH, SFTP, personal firewalls, antivirus software, VPN clients, traceroute, ping, sniffers, file encryption tools, etc.
Lots are free, or cheap shareware. Many available on Dartmouth’s PUBLIC file server.
Unique, but still pretty versatile
PGP: MacPGP (for older systems -- free), Network Associates PGP Freeware (free for academics), GPG for OS X (GPL, free)
SSL email: Eudora, Outlook/Entourage, Communicator? All free, all available for OS X or Classic
SSH: MacSSH (free), F-Secure SSH for Mac (payware, big academic discount, but MacSSH is better anyway). SSH is built in to OS X.
SFTP: MacSFTP Carbon, MacSFTP Classic, shareware (cheap)
Personal firewalls: Norton for Mac, commercial, academic discount. OS X has a built-in firewall; the BrickHouse front end is shareware.
Antivirus: Various. Norton is good, academic discount.
VPN: CheckPoint VPN-1 for MacOS 8 and up. Commercial, academic price unknown.
Traceroute: WhatRoute. Free. Get from PUBLIC. Not needed on OS X.
Ping: MacPing. Free, PUBLIC. Not needed on OS X.
Sniffers: EtherPeek, NetWatchman, others…most seem to be payware, but you can use demos for free.
File encryption: PGP (see above), Apple File Encryption tool, StuffIt Lite (stuff and require password -- not really encryption, but does help hide the data in a pinch). Available for OS X or Classic, free.
Macs were not completely overlooked by the black hat community…
• Several groups develop Mac hacking software
• Online sources of Mac hacks, e.g. Freaky’s, alt.hackintosh, HotLine servers, etc.
• There were/are a variety of blackhat tools and exploits for Mac
Versatile in not so nice ways
In spite of the uniqueness factor, Macs were not completely overlooked by the black hat community. A handful of small but dedicated underground hacker groups do develop Mac hacking software, and websites devoted to Mac hacks, e.g. Freaky’s Macintosh hacks archive, alt.hackintosh, HotLine servers, and more.
There were/are a variety of blackhat tools and exploits for Mac.
AtEase and File Sharing hacks, SubSeven trojan, portscanners, keystroke loggers, BackOrifice client (for Mac users who want to 0\/\/N BO’d Windows victims), anonymous emailers, DOS attacks (an early version of Open Transport had a bug; it was used in a DDOS attack here at Dartmouth and it brought our network to its knees)... etc.
Now: OS X, the Unix-based next generation of Mac OS. We’re not so unique anymore.
Our focus: How to secure your Mac using mainly the tools that came with it, and how you can use the network/Internet more securely.
Mac OS 9.x and Mac OS X. Not OS X Server
What to do
And now, we have...OS X, the Unix-based next generation of MacOS, and EVERYTHING has changed. We’re not so unique anymore.
We’re going to focus on how you can secure your Mac using mainly the tools that came with it, and how you can use the network/Internet more securely. Starting with old MacOS (still in use on a lot of old and not so old machines, and as a second boot choice under OS X), and then moving on to OS X (now preinstalled on new Macs).
We won’t be getting into Mac OS X Server, but the same principles that apply to normal OS X also apply to Server.
Crucial. Generally, if someone has physical access to your Mac, they can own it.
• Boot from external devices
• Single-user mode (OS X)
• Mess with OF
• OS X can dual-boot into OS 9, rendering Unix file permissions moot
Options: Security cage, disable single-user mode, password-protect OF, password-protect HD
Physical Security
Crucial. Generally, if someone has physical access to your Mac, they can own it. They can boot from CD-ROM, Zip, netboot, external USB/FireWire drive; in OS X, they can boot single-user mode (root shell with no password), or boot old MacOS and OS X’s permissions become moot (similar to dual-boot Windows machines).
Options: Security cage. Block access to CD-ROM etc. and rear ports. Annoying if it’s the machine you use every day.
In OS X, disable single-user mode in Open Firmware, then password-protect OF. But that can cut both ways -- SUM is sometimes the last resort for rescuing data. (The Miller handout mentions a utility to password-protect single-user mode -- I have not tried it, but that might be a good thing to add.)
For MacOS, there is third party software for password-protecting the hard disk such that it can’t be mounted even if you boot off other media. Don’t forget the password though...
Realistically: Be sensible.
• In a server environment, lock and key
• In a dorm, hide the power cord or the mouse, or pull the hard drive power connector and then lock the case with a padlock. :) No tools needed.
Physical Security Solutions
Realistically, the best option is to be sensible.
In a server environment, important machines should be under supervision and/or lock and key anyway.
In a place like a dorm, you can discourage the casual nosiness of your roommate’s friends when you’re not there, by doing something like hide the power cord or the mouse, or, for the slightly geekier approach, pull the hard drive power connector and then lock the case with a padlock (the case has a built-in loop for this purpose).
Client use:
• Prep
• AppleTalk “on” (see Chooser)
• AppleTalk set to proper network interface (AppleTalk Control Panel -> Ethernet)
• Connecting to shares
• Old and new way (same end result, new way is a bit easier and more flexible)
File Sharing
First, client use. Quick howto:
Make sure AppleTalk is “on” (see Chooser) and that it is pointed at the right network interface (AppleTalk Control Panel, choose Ethernet).
Connecting to shares the “old school” way: Apple Menu -> Chooser -> AppleShare -> pick a zone -> pick a server from the list of servers in that zone -> connect using a logon and password, or select “Guest” if available/applicable.
The newfangled way: Launch Network Browser (from Apple Menu, probably) -> pick a domain (or just go for AppleTalk) -> look for servers, connect as above.
Starting with MacOS 9, File Sharing passwords are encrypted BUT…
ONLY if both the client and server are running OS 9.x or better. Backwards compatibility.
Newer client will default to a clear text password in order to accommodate the older Mac.
Login window will indicate the level of security of the password transfer.
Password encryption
Starting with MacOS 9, File Sharing passwords are encrypted (I don’t know the scheme), but ONLY if both the client and server are running OS 9.x or better. In other words, to maintain backwards compatibility, if a MacOS 9 user tries to connect to a MacOS 8 server (or another old server, like Linux with netatalk), then the OS 9 client will default to a clear text password in order to accommodate the older Mac. You will be able to tell when you go to login -- the login window will indicate the level of security of the password transfer. If it says “clear text” then watch out.
MacOS 9 to MacOS 9
OS 9 on both ends
MacOS 9 to Linux Netatalk
OS 9 to old server
MacOS 9 to OS X (Diffie-Hellman Exchange)
OS 9 to OS X
Sensitive data? Only copy?
• If so, use encryption, or another medium
Access privileges?• Impostors logging in as you, what could they do?
Server admin contact?Duplicate password?
What if it IS clear text?
Is the data on the other end extremely sensitive or is it the only copy? Perhaps you should encrypt it or compress and password-protect the file(s) first, or use another more secure medium to transfer them.
What access privileges does your account have on that server? (In other words, if someone did sniff your password, and that person later logs in as you, can he damage the system? It would look like YOU did it.)
Can you contact the server admin and ask him to change your password to something else? (You can usually change it yourself, but of course if the whole communication is unencrypted, then the new password will also be visible to a sniffer.)
Are you using the same password that you use for other things (like BlitzMail, KClient, your web account, etc.)? A bad guy will probably try applying that password to these other services.
Lots of (better) alternatives…
• Dartfiles
• Blitz
• Dartmouth ftp
• Floppy, Zip, CD-R or CD-RW
• USB/FireWire HD
Done with client, now: Server FS
Don’t do it unless you have to. Alternatives:
Put copies of your most-used and/or current working files in your 10MB folder on Locker, Strongbox, or Vault.
Blitz them to yourself.
If you have a homepage at Dartmouth, make a directory on the ftp server where your webpages live, and use that to move files around (you have 5MB of storage for web files, more than most would ever need for webpages).
Carry a floppy or Zip disk. If you have a CD burner, carry a CD-R or CD-RW with copies of your stuff on it. Media is cheap.
External hot-swappable drives (how about your iPod? ;) are getting cheaper.
Eggs in one basket and all that. Lose a copy at worst; your Mac doesn’t go down with it.
You might want File Sharing anyway:
• Collaboration on group projects
• Fun stuff (sharing games, pictures, or mp3s)
How to do it safely.
The point of diversification
If someone hacks into your Strongbox folder, or Webster, or you lose the Zip disk, then you’ve lost only a copy of your stuff. Beats the heck out of someone breaking into your Mac and deleting the originals or nuking your System Folder.
But, File Sharing is nice and lots of people use it not only for retrieving things remotely, but also for collaborating on group projects (you and your project partners could upload and download each other’s work from a shared folder, for example) and for fun stuff (sharing games, pictures, or mp3s -- of course, only the legal ones). So let’s go into how to do it right.
File Sharing Control Panel
• Owner Name
• Owner password (NOT BLANK!)
• Computer Name
The IP address will be filled in automatically.
Default: Computer name will be “<name’s> Macintosh.” Change it…
Configuring a File Sharing server
Open the File Sharing Control Panel. Before you can start sharing files, you have to define an Owner Name, an Owner password (DON’T LEAVE IT BLANK!), and a Computer Name. The IP address will be filled in automatically.
By default, your computer name will be “<name’s> Macintosh.” I recommend that you change this, or don’t use your real name in the Owner box, because otherwise anyone surfing through the Chooser will be able to see that and know it’s your Mac. Never give potential attackers more information than you must. You can name your Mac pretty much anything you want, with or without spaces, but spaces are not recommended due to potential network incompatibility.
File Sharing control panel
If computer name is revealing, then login should be different
Don’t make it easy for attackers to gather info from public information.
Security Through Obscurity
If your computer’s name is something revealing about you (like “Joe Smith’s House of MP3s”) then perhaps your login should NOT be “joe” or “smith” or “jsmith” etc. If attackers can enumerate likely usernames or passwords from public information, like the computer name, then you’ve significantly decreased the amount of effort it will take for them to break in. Don’t give out clues.
If FS is on, Owner can already log in and get to everything
No matter what you do with specific shared items, Owner can see it all.
Protect Owner’s login info!
Owner is omnipotent
Keep in mind that once you turn on File Sharing, anyone who can log in as Owner will be able to do anything to your data (including most of your system files -- enough to render your Mac un-bootable). This is true EVEN IF you do not explicitly share anything. If file sharing is turned on, Owner basically has remote “god” rights. Owner is a special account, the closest thing to root on MacOS, and the rest of the sharing privileges you specify are moot for the user logging in as owner. Protect this login and password!
You can allow FS over TCP/IP
Faster, but more revealing
• AFPoverTCP will show up on portscan
Routers and AppleTalk
• Now, more of the Internet can see your Mac
But, AppleTalk is clear text. Pro, con, pro, con, etc.
File Sharing over TCP
Now that file sharing is turned on, you can start tweaking. You can choose to allow File Sharing over IP -- this means that clients can connect to your Mac by its IP address, and use TCP/IP to transfer data. This is faster than AppleTalk and has the advantage of TCP’s connection integrity maintenance, but keep in mind that it also pulls the curtain aside a little more than plain old AppleTalk. Your Mac will now have AFPoverTCP services listening on TCP ports; this will show up on a portscan, and it’s a dead giveaway that your machine is a Mac.
Furthermore, most routers do not route AppleTalk, but they pretty much all route TCP. This is a double-edged sword; a user on the other side of your network’s router could theoretically (assuming the network admins don’t specifically filter out afpovertcp at the border) connect to your Mac. This is a nice idea for legitimate use, but it also opens you up to an even bigger pool of potential bad guys. If you use AppleTalk, then your machine is only visible to users on Dartmouth’s local network.
BUT the disadvantage to using AppleTalk is that your password will be sent clear-text.
So there’s always give-and-take with this. It depends on your configuration (do you have a firewall?) and what’s most important to you. For the sake of this example, I’m going to sacrifice password security in order to minimize my overall exposure to potential bad guys. This would not be the best choice for everyone.
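Two of the claims above are things you can check on the wire rather than take on faith: what an AFPoverTCP listener volunteers to anyone who asks (the “dead giveaway” a portscanner sees), and whether a given login went out with a clear text UAM (the password-encryption point made earlier, where the login window is the only indication). The block below is an added example written for this page, not code from the lecture or from Apple: a small decoder for the DSI framing that AFP uses over TCP, plus constructed sample packets. The command numbers, the FPGetSrvrInfo reply layout (the AFP 2.x form, which is what a Mac OS 9 server sends) and the UAM names such as “Cleartxt Passwrd” and “DHCAST128” are taken from the AFP specification; the server name, user name and password in the samples are made up.

```python
"""Added example (not from the lecture): decode AFP-over-TCP (DSI) framing to
(a) read what a server reveals to a DSIGetStatus probe, the same data a
portscanner uses to fingerprint a Mac, and (b) flag FPLogin requests that used
a cleartext User Authentication Method. Packets below are constructed, not
captured. Command numbers, layouts and UAM strings follow the AFP spec."""
import struct

DSI_HEADER_LEN = 16
DSI_COMMAND = 2        # DSICommand: carries an AFP request
DSI_GETSTATUS = 3      # DSIGetStatus: FPGetSrvrInfo, no login needed
AFP_LOGIN = 18         # FPLogin
CLEARTEXT_UAMS = {"No User Authent", "Cleartxt Passwrd"}

def pstring(data, off):
    """Pascal string: one length byte then the text. Returns (text, next offset)."""
    n = data[off]
    return data[off + 1:off + 1 + n].decode("mac_roman"), off + 1 + n

def ps(text):
    """Encode a pascal string (used only to build the sample packets)."""
    raw = text.encode("mac_roman")
    return bytes([len(raw)]) + raw

def parse_dsi(packet):
    """DSI header: flags(1) command(1) requestID(2) errorCode/dataOffset(4)
    totalDataLength(4) reserved(4); flag bit 0 set means reply."""
    flags, command, request_id, _err, total_len, _res = struct.unpack(
        ">BBHIII", packet[:DSI_HEADER_LEN])
    payload = packet[DSI_HEADER_LEN:DSI_HEADER_LEN + total_len]
    return {"is_reply": bool(flags & 1), "command": command,
            "request_id": request_id, "payload": payload}

def parse_srvr_info(payload):
    """FPGetSrvrInfo reply (AFP 2.x layout): offsets to machine type, AFP
    version list, UAM list and volume icon, then flags, then the server name.
    Each list is a count byte followed by that many pascal strings."""
    machine_off, versions_off, uams_off, _icon_off, flags = struct.unpack(
        ">HHHHH", payload[:10])
    server_name, _ = pstring(payload, 10)
    machine_type, _ = pstring(payload, machine_off)

    def counted_list(off):
        count, items, off = payload[off], [], off + 1
        for _ in range(count):
            item, off = pstring(payload, off)
            items.append(item)
        return items

    return {"server_name": server_name, "machine_type": machine_type,
            "afp_versions": counted_list(versions_off),
            "uams": counted_list(uams_off), "flags": flags}

def parse_login(payload):
    """FPLogin request: command byte, AFP version string, UAM string, user
    name, then UAM-specific bytes (for a cleartext UAM, the password itself)."""
    if payload[0] != AFP_LOGIN:
        raise ValueError("not an FPLogin request")
    afp_version, off = pstring(payload, 1)
    uam, off = pstring(payload, off)
    user, off = pstring(payload, off)
    return {"afp_version": afp_version, "uam": uam, "user": user,
            "cleartext": uam in CLEARTEXT_UAMS, "auth_bytes": payload[off:]}

def build_dsi(command, payload, is_reply=False, request_id=1):
    """Wrap an AFP payload in a DSI header (sample-packet helper)."""
    return struct.pack(">BBHIII", int(is_reply), command, request_id, 0,
                       len(payload), 0) + payload

def build_srvr_info(server_name, machine_type, versions, uams):
    """Lay out an FPGetSrvrInfo reply with correctly computed offsets."""
    name, machine = ps(server_name), ps(machine_type)
    vlist = bytes([len(versions)]) + b"".join(ps(v) for v in versions)
    ulist = bytes([len(uams)]) + b"".join(ps(u) for u in uams)
    machine_off = 10 + len(name)
    versions_off = machine_off + len(machine)
    uams_off = versions_off + len(vlist)
    return (struct.pack(">HHHHH", machine_off, versions_off, uams_off, 0, 0)
            + name + machine + vlist + ulist)

# Constructed samples: a status reply from an OS 9 style File Sharing server,
# then a cleartext login and a Diffie-Hellman (DHCAST128) login to it.
SAMPLE_STATUS_REPLY = build_dsi(DSI_GETSTATUS, build_srvr_info(
    "Joe's Macintosh", "Macintosh", ["AFPVersion 2.1", "AFPVersion 2.2"],
    ["Cleartxt Passwrd", "Randnum Exchange", "2-Way Randnum"]), is_reply=True)
SAMPLE_CLEARTEXT_LOGIN = build_dsi(DSI_COMMAND, bytes([AFP_LOGIN]) + ps("AFPVersion 2.2")
                                   + ps("Cleartxt Passwrd") + ps("joe") + b"s3cret\x00\x00")
SAMPLE_DH_LOGIN = build_dsi(DSI_COMMAND, bytes([AFP_LOGIN]) + ps("AFPVersion 2.2")
                            + ps("DHCAST128") + ps("joe") + b"\x00" * 16)

def cleartext_logins(packets):
    """Return (user, uam) for every FPLogin in a capture that used a cleartext UAM."""
    found = []
    for pkt in packets:
        dsi = parse_dsi(pkt)
        if dsi["is_reply"] or dsi["command"] != DSI_COMMAND or not dsi["payload"]:
            continue
        if dsi["payload"][0] == AFP_LOGIN:
            login = parse_login(dsi["payload"])
            if login["cleartext"]:
                found.append((login["user"], login["uam"]))
    return found
```

Run `parse_srvr_info` on the status reply and the machine type, AFP versions and UAM list come straight back, which is all a scanner needs to say “that’s a Mac” before any password is typed. Run `cleartext_logins` over a capture and every “Cleartxt Passwrd” login is listed with its user name; the password itself is in `auth_bytes`, which is the point the login window is warning about.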
You can share apps such that a remote user can launch an app on the Mac server from another Mac. It runs over the network and displays on your local screen.
Nice idea, but…not really.
• Resource/network hog
• CRASH
Program Linking is an AppleScript thing. Scary.
Apps over the net and Program Linking
If you share an application (or a folder containing an application), remote users can launch the app over the network to do stuff on their client Macs. In other words, I could be working in a lab and discover that someone deleted Microsoft Word off the computer I’m using. I need to use Word to write my paper. So I simply connect to my Mac and launch MY copy of Word over the net. It opens on my screen, and I can open and save files with it on my local lab Mac. This is a cute idea, but in my experience, it’s such a huge resource hog that it typically causes one or both Macs to crash. It’s also pretty unkind to other users on the network. And good luck if two of your users try to launch the same program simultaneously.
Program Linking (now known as Remote Apple Events) allows one Mac to send AppleScript commands (“Apple Events”) to applications on another Mac via AppleTalk or TCP/IP. For normal users (with passwords), they would need to log in for each Event. But if you give Guests PL privs AND you enable PL for a given app, then anyone with a Mac could send Events to that app. You might ask, why would anyone do such a thing? Well, in my experience, new users who are trying to get File Sharing to work have a tendency to think “Jeez, I just want this to work, I’m gonna check EVERY BOX until it does.” And keep in mind that the Finder is scriptable -- this means that, if PL is enabled for the Finder, remote users could send Apple Events to the remote machine’s Finder telling it to, say, delete some System files. Or shut down the computer. Remember the LoJack story and what he was able to do with AppleScripts, then realize that someone could do all that without even loading a file onto the hard disk.
Assume recommended initial setup:
• Computer name not too revealing
• Owner name not related to computer name
• Good strong password
• File Sharing enabled but not over TCP
• Program Linking NOT enabled
Test config from another machine.
Recommended initial setup
If you are the only one who’s ever going to be using your Mac, and you trust yourself to have full privileges (i.e. Owner), then you’re done. You can test your setup by using another Mac to connect to yours; you should NOT be able to log on as “Guest” (which requires no password).
If you want to have other users or guests:
• First create their accounts/enable their access
• The Guest account already exists, and cannot have a password.
So, ANYTHING you make accessible to Guest will be accessible to ANYONE
Other users
Now, if you want to have other users or guests connecting to your Mac, you must first create their accounts (in the cases of other named/passworded users) or enable their access (in the case of the Guest user).
The Guest account already exists, and cannot have a password. So keep in mind that ANYTHING you make accessible to Guest will be accessible to ANYONE who can connect to your Mac (in our case, anyone with a Mac at Dartmouth) with no password required.
File Sharing Control Panel -> Users and Groups
Later on, specify which volumes/folders/files users can connect to
Right now, you’re defining the basics (what accounts exist, whether or not they can connect at all, etc.)
Creating accounts
In the File Sharing Control Panel, click on the Users and Groups tab. This is where you can edit the privileges of an existing user (for example, if you wanted to enable Guests to connect, then double-click the Guest user, drop down the “Sharing” menu option, and click the appropriate boxes).
Later on, you will specify which volumes/folders/files users can connect to; right now, you’re defining the basics (can Guests connect at all, what are your users’ names and passwords, can they change their passwords, what groups do they belong to, etc.)
Here, I have defined two users, joeblow and joeschmoe, in addition to the built-in owner and guest accounts.
I also have a group called my-users.
Users and Groups
This is the box you see when you create a new user. You must set an initial password.
Notice that you can choose whether or not to allow your users to change their passwords.
Another note: As an administrator, you can reset a user’s password, but you can’t see the old one.
User Identity
From the popup menu in this window, select “Sharing” (instead of “Identity”) and this is where you can specify whether to allow the user to connect at all, and whether that user can make use of Program Linking (only applicable if you enabled PL in the initial setup.)
User Sharing
The group my-users contains both joeblow and joeschmoe. So if I want to share a folder to the two of them, but no one else, I can use this group. (This will be made more clear in a couple slides.)
Groups
Same idea with the Guest account, except that you can’t change the account name or set a password.
Guest
On to the files
So far:
• Users have been created
• Groups have been created
• Guest is enabled, maybe
Now, we decide which files/folders to share with them.
Ok, so now you’ve defined some users, made a decision about Guest access, and defined which users belong to groups, if any. (Groups are used when you want to allow more than one user specific access to a folder or file, but not guests. This will make more sense later.)
Now we’ll move on to actually specifying the folders and files to share.
What you want:
• One folder each with full privs for joeschmoe and joeblow.
• One folder that the two of them can only read from.
• One folder which anyone can write to, but not see what’s inside (a “dropbox”).
• A folder that anyone, including Guests, can download from.
Example
Let’s say you have two users, joeschmoe and joeblow, and you want each of them to have a folder to use for downloading and uploading homework files.
You also want to make a folder that both of them can download from, but not change or upload to (maybe you have stuff you want to show them, but you don’t want them to be able to delete or mess up the files in that folder).
You also want to have a folder which anyone can write to, but not read from (a “dropbox”).
Lastly, you want to make a folder that anyone, including Guests, can download from, but not change the contents of (for sharing your legally-obtained MP3s).
First, make folders to represent this scenario. (Cmd-N)
We can do this.
I might put all of these in a folder called “Shares.” Do whatever’s easiest foryour organizational preferences.
• Next, set appropriate permissions for each of the folders you want to share.
• Click on the folder icon, select “Get Info” from the File menu (or hit Cmd-I), and select the “Sharing...” option from the popup menu.
• Or, control-click (or right-click, if you have a second mouse button mapped properly) on the folder icon and select “Sharing.”
Set the permissions...
Control-click…
Now, in the Info -> Sharing window for Joe Schmoe’s folder, we can specify the level of access for this item. Once you check the “Share this item” box, the privilege options below will become available.
Obviously, we’d then do the same for Joe Blow’s folder.
Specify Access for each Joe
This is the folder I want to share for download only, to the two Joes but no one else. This is where we make use of the group called my-users (which contains the two Joes). Notice the read-only icon: Glasses with no pencil. :)
The Joes’ read-only folder
Here’s where the groups come in. Note: I’m not certain, but I believe it is possible to have groups within groups. However, it’s best to try to avoid potential confusion as much as you can. I like very shallow hierarchies for that reason.
Here’s the drop box folder. Notice that the option even says “(Drop Box).” Pencil only, no glasses, for my-users and for Everyone.
Dropbox
This is a little redundant -- “Everyone” includes my-users -- but I tend to be explicit about it anyway, just so I have a reminder when I look at this folder later.
And here’s the MP3s folder, readable to all.
The MP3’s folder
Test your configuration from another Mac, since your Mac cannot connect to itself.
Log on as Owner, as each Joe, and as Guest, and make sure those accounts have the access they should; no more, no less.
Remember that you as Owner will be able to do anything you want to the contents of all of these folders.
Check for Leaks
Test your configuration from another Mac, since your Mac cannot connect to itself. Try to hack your Mac -- you can bet someone else will.
Guests should be able to see and download the contents of the “Legal MP3s” folder, and they should be able to upload things to the “Drop Box” folder but they should NOT be able to see the contents of that folder or any of the others.
The two Joes should have full access to their respective folders, but should only be able to open and download from (not write to) the “my shared stuff” folder.
You as Owner will be able to do anything you want to the contents of all of these folders.
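The “check for leaks” step is really a comparison of two tables: the privileges you intended for each account on each folder, and the privileges the Sharing dialog actually grants once the Owner, User/Group and Everyone rows are combined. The block below is an added example written for this page, not code from the lecture, that does that comparison for the scenario above. It models each share as its three rows of “See Folders”, “See Files” and “Make Changes”, and it assumes two rules that the lecture states only in passing: a user gets the union of every row that applies to him (so “Everyone” really does include my-users), and the Owner account of the File Sharing Control Panel bypasses the rows entirely. The account, group and folder names are the lecture’s; the resolution rule and the deliberately broken Drop Box in `with_typo` are this example’s own assumptions. Nested folders with their own privileges are not modelled, which is also the lecture’s advice.

```python
"""Added example (not from the lecture): replay the "check for leaks" step
as a policy-versus-configuration diff for Mac OS 9 File Sharing privileges.
Assumption: a user's rights on a share are the union of the Owner, User/Group
and Everyone rows that apply, and the server Owner account gets everything."""
SEE_FOLDERS, SEE_FILES, MAKE_CHANGES = "See Folders", "See Files", "Make Changes"
FULL = frozenset({SEE_FOLDERS, SEE_FILES, MAKE_CHANGES})
READ_ONLY = frozenset({SEE_FOLDERS, SEE_FILES})   # glasses, no pencil
DROP_BOX = frozenset({MAKE_CHANGES})              # pencil, no glasses
NONE = frozenset()

SERVER_OWNER = "owner"   # the File Sharing Control Panel's Owner account
GUEST = "Guest"          # password-less, so "Everyone" means anyone on the net
GROUPS = {"my-users": {"joeblow", "joeschmoe"}}

def share(owner, group, owner_row, group_row, everyone_row):
    """One shared folder: its Owner, its User/Group, and the three privilege rows."""
    return {"owner": owner, "group": group, "rows": (owner_row, group_row, everyone_row)}

# The scenario from the lecture, as configured in the Sharing dialogs.
SHARES = {
    "Joe Schmoe's Folder": share("joeschmoe", None, FULL, NONE, NONE),
    "Joe Blow's Folder":   share("joeblow", None, FULL, NONE, NONE),
    "my shared stuff":     share(SERVER_OWNER, "my-users", FULL, READ_ONLY, NONE),
    "Drop Box":            share(SERVER_OWNER, "my-users", FULL, DROP_BOX, DROP_BOX),
    "Legal MP3s":          share(SERVER_OWNER, None, FULL, NONE, READ_ONLY),
}

def effective(user, folder, groups=GROUPS):
    """Rights a user ends up with on a folder (assumed union rule; Owner bypasses)."""
    if user == SERVER_OWNER:
        return FULL
    owner_row, group_row, everyone_row = folder["rows"]
    rights = set(everyone_row)
    if user == folder["owner"]:
        rights |= owner_row
    if folder["group"] and user in groups.get(folder["group"], ()):
        rights |= group_row
    return frozenset(rights)

# What the lecture says each account should be able to do (the policy).
EXPECTED = {
    (GUEST, "Legal MP3s"): READ_ONLY,
    (GUEST, "Drop Box"): DROP_BOX,
    (GUEST, "my shared stuff"): NONE,
    (GUEST, "Joe Schmoe's Folder"): NONE,
    (GUEST, "Joe Blow's Folder"): NONE,
    ("joeschmoe", "Joe Schmoe's Folder"): FULL,
    ("joeschmoe", "Joe Blow's Folder"): NONE,
    ("joeschmoe", "my shared stuff"): READ_ONLY,
    ("joeblow", "Joe Blow's Folder"): FULL,
    ("joeblow", "Joe Schmoe's Folder"): NONE,
    ("joeblow", "my shared stuff"): READ_ONLY,
}

def check_for_leaks(shares, expected, groups=GROUPS):
    """Return (user, folder, extra rights, missing rights) for every mismatch
    between the configured shares and the intended policy."""
    problems = []
    for (user, name), want in expected.items():
        got = effective(user, shares[name], groups)
        if got != want:
            problems.append((user, name, sorted(got - want), sorted(want - got)))
    return problems

def with_typo(shares):
    """A realistic slip (constructed): "See Files" also ticked on the Drop Box's
    Everyone row, which turns the drop box into a public download folder."""
    bad = dict(shares)
    bad["Drop Box"] = share(SERVER_OWNER, "my-users", FULL, DROP_BOX, DROP_BOX | {SEE_FILES})
    return bad

if __name__ == "__main__":
    print("leaks in intended setup:", check_for_leaks(SHARES, EXPECTED))
    print("leaks after the slip:   ", check_for_leaks(with_typo(SHARES), EXPECTED))
```

The intended configuration produces no findings; the one with the slip reports that Guest has an extra “See Files” on the Drop Box, which is exactly what you would discover by logging in as Guest from another Mac, only without forgetting to try one of the combinations. Extending `EXPECTED` with the negative cases (each Joe on the other Joe’s folder, Guest on everything) is what turns it from a functional test into a leak check.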
Not a heavy-duty server.
• Limits on number of users
• Limits on number of simultaneous connections
If you need more power, buy AppleShare IP, Apple’s commercial server product.
Use Activity Monitor to see what’s shared and who’s connected right now
File Sharing Wrap-up
Don’t expect FS to be a heavy-duty server. There are built-in limits regarding how many users you can have and how many simultaneous connections are possible. (If you need more power, buy AppleShare IP, Apple’s commercial server product. It can do all sorts of nifty things, like allow Windows users to connect to Mac shares.)
Use Activity Monitor to see a summary of what’s shared and who’s connected right now. You can also disconnect users (for example, when a Guest starts six simultaneous MP3 downloads and chokes all your bandwidth).
Beware of nesting folders with different privileges
• Can’t go very deep with the nesting
• Confusion leads to mistakes
If you use Program Linking, then it’s all or nothing with respect to privileges
If you delete a user, his folders’ permissions will be transferred to Owner.
File Sharing Wrap-up
Beware of nesting folders with different privileges -- it can be done, but there’s a shallow depth limit. It can also be incredibly confusing and can lead to security errors. It’s a good habit to just keep it simple and use a flat hierarchy for your shared stuff, even if there’s some redundancy.
If you use Program Linking, then it’s all or nothing with respect to privileges (the app is either remotely linkable by all users, or by none). You can limit who’s allowed to run programs remotely by putting (a copy of) the app into the appropriate users’ folder(s). This does not work with aliases.
If you delete a user, his folders’ permissions will be transferred to Owner.
Do you really need to do this?
• Anyone at Dartmouth can have a homepage on the main Dartmouth webserver
• Real web servers typically work better for the purpose
If you still want to do it, Apple’s default setup is recommended (read-only access to the web folder).
Personal Web Sharing
Ask yourself: Do you really need to do this?
Anyone at Dartmouth can have a homepage on the main Dartmouth webserver. Then, security is THEIR problem, not yours. :)
There are many free homepage sites (Angelfire etc.)
Real web servers typically work better for the purpose (more bandwidth, more reliable uptime, usage statistics, CGI access, static IP, etc.)
Eggs in one basket issue again.
If you still want to do it, the default setup is recommended (read-only access to the web folder).
PWS can be configured to inherit access privileges from Sharing Setup.
You can make web folders writeable to allow HTTP upload, if the client browser supports it. Yikes…
You can configure PWS such that aliases can be followed. Confusion risk though.
PWS Features
Instead of the default privs, PWS can be configured to make use of the users and privileges in Sharing Setup.
You can make web folders writeable to allow HTTP upload, if the client browser supports it. But I don’t think this is used much, if at all, and it sure sounds like a security hole, no?
You can configure PWS such that aliases can be followed (i.e., put an alias in the web folder, users can get to the real item even if it’s outside of the web folder). Scary. If you forget the alias is there, and you put sensitive data into the original folder, now anyone can see it...
Be careful not to share your whole disk.
PWS claims to have support for CGI scripts. Careful…
Again, do you really need to serve webpages off your Mac?
PWS Caveats and Wrap-up
Be careful not to share your whole disk. The webserver software is not magical enough to “know” which files are webpages and which files are, say, your thesis. It will happily allow users to “view” (i.e., download) anything on your disk -- including documents, applications, and system files.
PWS claims to have support for CGI scripts. I assume they mean scripts written in AppleScript (as opposed to Perl or PHP). If you venture into that realm, know what you’re doing with your scripts -- AppleScript can be misused. (Remember the LoJack story and the “suicide scripts.”)
Again, do you really need to serve webpages off your Mac?
Remote Access Server. Allows another Mac with Remote Access Client to dial into your Mac.
• Do not configure Remote Access Server to allow guests to dial in.
• If your users won’t need TCP/IP services, don’t choose PPP as the protocol. The default is ARAP, which is safer.
Remote Access
It used to be that you had to buy the full-blown Server package to answer calls, but I think nowadays a light version is included with the OS. Perhaps only on OS X though. If you have a modem, it allows another Mac with Remote Access Client to dial into your Mac.
Do not configure Remote Access Server to allow guests to dial in. Wardialing is still popular. (Each User in the Users and Groups tab of Sharing Setup will have a box you can check to “allow this user to dial in.”)
If your users won’t need TCP/IP services, don’t choose PPP as the protocol. The default is ARAP (AppleTalk for Remote Access), which is safer because again, you’re taking advantage of the relative uniqueness of AppleTalk to help obscure what’s going on.
Most of the suggestions here apply to any operating system. We’ll point out some Mac-specific details.
• Web browsing tips
• FTP and Fetch
• Email
Moving on: “Safer Surfing”
You’ve probably heard this before.
In Netscape, go to Edit menu -> Preferences. Scroll the left pane and select Advanced. Disable Java, disable JavaScript, disable cookies.
Web browsing
It might also be a good idea to turn off Flash, since Flash has its own Javascript stuff built in…depends on how paranoid you feel vs. how much you care about flashy webpages functioning properly.
Trouble is, a lot of sites simply won’t work anymore. Compromises:
• Only accept cookies that go back to originating server
• Delete the cookies file over and over.
- Tiny freeware program called NoCookie did this automatically…
• Or, try Anonymizer!
Ok, now I can’t use the web at all.
Trouble is, a lot of sites simply won’t work if you do this. Compromises:
Only accept cookies that go back to originating server, and you might even want to check the “warn me” box (but I’ve found that this gets REALLY annoying when you visit a site that wants to set half a dozen cookies for every page). Or, delete the stupid cookies file over and over. For Netscape Communicator on MacOS, go into System Folder -> Preferences -> Netscape Users -> Your-User-Name and delete (or delete the contents of) the file named “MagicCookie.”
If you never want the cookies set or the scripts executed in the first place, but there’s a site you really want to visit that requires those things, there is another way: http://www.anonymizer.com. You put in the URL you want to visit, then Anonymizer makes the connection for you, and it dev-nulls all the cookies and other crud so the server never talks directly to your machine. Nice for when you’re visiting certain nefarious websites (like 3L33T hAX0r homepages, or fbi.gov) and you don’t even want your IP recorded.
The basic service is free, but for a fee, they offer some kind of service that anonymizes all of your surfing automatically (I think you install a plugin and it invisibly does its thing.) The whole company’s probably a CIA front and they’re logging every keystroke… ;)
...is bad.
• Anonymous FTP is ok
• The whole session is clear text
• Easy to pick out login info
• Two ports = hard to tunnel
FTP...
FTP (File Transfer Protocol) with a username and password is just Bad.
The username and password are preceded by “USER” and “PASS” respectively, so it’s utterly trivial for an attacker to watch for and flag that data as it is transmitted (e.g., ngrep).
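To make that point concrete from the defender’s side, here is an added Python audit routine (not from the lecture, and not a stand-in for ngrep) that walks a captured FTP control-channel transcript and flags a USER/PASS exchange that crossed the wire in cleartext. The session, host, account and password below are constructed for the example; it also covers a case the slide does not mention, a client that offers AUTH TLS (FTP over TLS, RFC 4217), is refused by the server, and sends the password in the clear anyway, and it redacts the password value so the report is not a second copy of the credential.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an FTP control-channel conversation as a passive
# monitor on the same network segment would reconstruct it. The client
# offers TLS, the server refuses, and the client logs in in cleartext anyway.
# Host, account and password are made up for this example.
SAMPLE_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: AUTH TLS
S: 500 Command not understood
C: USER jdoe
S: 331 Password required for jdoe
C: PASS hunter2-example
S: 230 User jdoe logged in
C: CWD /home/jdoe/thesis
S: 250 CWD command successful
C: QUIT
S: 221 Goodbye
"""

LINE_RE = re.compile(r"^(?P<side>[CS]): (?P<text>.*)$")
CMD_RE = re.compile(r"^(?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")


@dataclass
class Finding:
    line_no: int
    severity: str      # "info", "warn" or "high"
    message: str


@dataclass
class FtpAudit:
    tls_negotiated: bool = False
    tls_refused: bool = False
    username: Optional[str] = None
    password_seen_cleartext: bool = False
    findings: List[Finding] = field(default_factory=list)


def audit_ftp_session(transcript: str) -> FtpAudit:
    """Walk a C:/S: FTP control transcript and flag cleartext credentials.

    USER and PASS travel on the control channel as literal command words,
    which is exactly why matching them in a packet stream is trivial. The
    password value itself is never copied into a finding.
    """
    result = FtpAudit()
    awaiting_auth_reply = False
    for n, raw in enumerate(transcript.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue   # ignore anything that is not a C:/S: line
        side, text = m.group("side"), m.group("text")
        if side == "S":
            if awaiting_auth_reply:
                code = text[:3]
                if code == "234":    # RFC 4217: server accepts AUTH TLS
                    result.tls_negotiated = True
                    result.findings.append(Finding(
                        n, "info", "TLS negotiated; control channel encrypted from here"))
                else:
                    result.tls_refused = True
                    result.findings.append(Finding(
                        n, "warn", f"server refused AUTH TLS with reply {code}"))
                awaiting_auth_reply = False
            continue
        cm = CMD_RE.match(text)
        if not cm:
            continue
        cmd = cm.group("cmd").upper()
        arg = cm.group("arg") or ""
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            awaiting_auth_reply = True
        elif result.tls_negotiated:
            continue   # after TLS a passive monitor sees no plaintext commands
        elif cmd == "USER":
            result.username = arg
            result.findings.append(Finding(n, "info", f"cleartext USER for account {arg!r}"))
        elif cmd == "PASS":
            result.password_seen_cleartext = True
            how = ("client fell back to a cleartext password after the server refused TLS"
                   if result.tls_refused else "password sent in cleartext")
            result.findings.append(Finding(
                n, "high", f"{how} for account {result.username!r} (value redacted)"))
    return result


def report(result: FtpAudit) -> str:
    """Render the findings one per line, most severe first."""
    order = {"high": 0, "warn": 1, "info": 2}
    ordered = sorted(result.findings, key=lambda f: (order[f.severity], f.line_no))
    return "\n".join(f"line {f.line_no}: [{f.severity}] {f.message}" for f in ordered)


if __name__ == "__main__":
    print(report(audit_ftp_session(SAMPLE_SESSION)))
```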
If you HAVE to use FTP with login/pass, use a password that you don’t use for anything else
Don’t transfer sensitive files over FTP
Keep backups
Work under the assumption that someone is going to be able to log in as you
Try to use a more secure alternative
What you can do
A better solution: Tunnel the USER/PASS portion of your session over MacSSH.
http://www.bio.upenn.edu/computing/instructions/security/portforwarding/
See if the server supports any of Fetch’s built-in security support (Kerberos authentication, one-time passwords, challenge-response system). Use them if possible. See if the server supports SFTP (Secure FTP) as part of SSH (Secure SHell, and its counterpart, SCP or Secure CoPy). Try connecting with MacSFTP, an easy-to-use shareware SFTP client with a very Fetch-like interface. Also, the next release of Fetch is supposed to include built-in SFTP support.
Fetch v. 4.0.x already has some security options, but they require you to install additional software, and the server(s) you connect to must support those features as well. To take advantage of some of them, you have to install and properly configure M.I.T.’s KClient package for your OS (there are versions for both OS 9 and OS X). But from what I can tell, the Kerberos server version in use at Dartmouth is not compatible with the current M.I.T. release, and Fetch is too new to use the old KClient. And configuring the client properly can be a non-trivial task anyway. So watch out.
Just for fun, we’ll talk about these features a little bit. The following assumes that you have installed and configured the right version of the KClient software.
The “encrypt session” option is only available with the other security options; it will be grayed out for “cleartext password.”
Fetch gets teeth
Fetch’s “New Connection” window gains some new features when you install the Kerberos software. Notice the “Security” popup menu, and the “Encrypt session” checkbox. Remember that the FTP server must support the security option you choose, or Fetch has to default to the cleartext password option.
(By the way, this window’s font and color will look a little different if you use it under Classic. I took these screenshots in OS X. The information’s the same though.)
Fetch security options
Clicking on the Security menu reveals these options, both of which appear as a result of the Kerberos package we installed. If we used another security package supported by Fetch, we would see those options under this menu.
Consult the Fetch documentation to see what other security packages it supports.
From Fetch’s Customize menu, select Preferences and click the Security tab. You’ll see this when you connect:
Fetch with baby teeth
Since the Kerberos thing is difficult or impossible to use, we can at least take advantage of the basic security features. Under Fetch’s Security preferences, checking the top two boxes will not make your connection secure, but at least it will remind you when you’re about to expose your password.
Normal POP/POP3 mail is unencrypted
But, most major email clients support SSL
• Mail server(s) must support it too
Eudora and Outlook both have SSL option
• Protects your password and content
• Only for the path between your Mac and your ISP. Next hop mail server may not.
Always assume that your mail message is not going to be secure for its entire journey to the recipient.
Normal POP/POP3 mail is unencrypted, but most major email clients support some level of extra security (but again, the mail server(s) must support those features as well). Eudora and Outlook both have an option for email over SSL, which if supported on your service provider’s server, protects your password and the email content -- but only for the path between your Mac and your ISP. The next mail server down the line may not have SSL, so you should always assume that your mail message is not going to be secure for its entire journey to the recipient. Eudora also supports APOP (Authenticated Post Office Protocol) which encrypts your password (though not as securely as SSL). There is also S/MIME, in which both the sender and recipient use certificates to sign or encrypt email (sort of PGP-esque).
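As an added example (not code from the lecture), the Python below models the APOP exchange the notes mention: the server greeting carries a timestamp banner, and the client answers with an MD5 digest of that banner plus the shared secret (RFC 1939, section 7), so the password itself never crosses the wire. The server class, hostname and account are constructed for this example; the last function shows why a sniffed digest cannot simply be replayed, and the comments note why APOP still falls short of a full SSL session.

```python
import hashlib
import hmac
import re
import secrets
import time
from typing import Dict, Optional

# RFC 1939, section 7: an APOP-capable server puts a timestamp banner of the
# form <process-ID.clock@hostname> in its greeting. The client replies
#     APOP <name> <digest>
# where digest = hex(MD5(banner + shared_secret)), angle brackets included.
# Only the greeting and the digest travel on the wire, never the secret.
# Limits (which is why the notes rank APOP below SSL): everything after the
# login, message content included, is still cleartext, and a captured
# banner/digest pair can be tested against password guesses offline.

BANNER_RE = re.compile(r"(<[^<>@\s]+@[^<>\s]+>)")


def apop_digest(banner: str, secret: str) -> str:
    """Digest exactly as RFC 1939 defines it: MD5 over banner + secret."""
    return hashlib.md5((banner + secret).encode("utf-8")).hexdigest()


def extract_banner(greeting: str) -> Optional[str]:
    """Return the <...@...> banner from a +OK greeting, or None when the
    server offers no APOP (then only USER/PASS, i.e. cleartext, remains)."""
    m = BANNER_RE.search(greeting)
    return m.group(1) if m else None


class Pop3Server:
    """Stand-in for the server side of an APOP login (constructed for this
    example; it is not a real POP3 server)."""

    def __init__(self, hostname: str, users: Dict[str, str]):
        self.hostname = hostname
        self.users = users                  # account name -> shared secret
        self.banner: Optional[str] = None

    def greet(self) -> str:
        # A fresh, unpredictable banner on every connection is what stops a
        # sniffed digest from being replayed later.
        self.banner = f"<{secrets.token_hex(4)}.{int(time.time())}@{self.hostname}>"
        return f"+OK POP3 server ready {self.banner}"

    def handle_apop(self, line: str) -> str:
        parts = line.split()
        if self.banner is None or len(parts) != 3 or parts[0].upper() != "APOP":
            return "-ERR malformed APOP command"
        name, digest = parts[1], parts[2]
        secret = self.users.get(name)
        # Compute an expected value even for unknown users so response time
        # does not reveal which account names exist.
        expected = apop_digest(self.banner, secret if secret is not None else "")
        self.banner = None                  # one login attempt per greeting
        if secret is not None and hmac.compare_digest(expected, digest):
            return f"+OK maildrop locked and ready for {name}"
        return "-ERR permission denied"


def apop_login(server: Pop3Server, name: str, secret: str) -> bool:
    """Client side of the exchange: read the greeting, hash, send APOP."""
    banner = extract_banner(server.greet())
    if banner is None:
        return False    # no APOP offered; refuse rather than fall back to PASS
    reply = server.handle_apop(f"APOP {name} {apop_digest(banner, secret)}")
    return reply.startswith("+OK")


def replay_captured_digest(server: Pop3Server, name: str, captured: str) -> bool:
    """What an eavesdropper gets from replaying a sniffed APOP line on a new
    connection: the banner has changed, so the old digest no longer verifies."""
    server.greet()
    return server.handle_apop(f"APOP {name} {captured}").startswith("+OK")


if __name__ == "__main__":
    srv = Pop3Server("mail.example.test", {"mrose": "tanstaaf"})
    print("correct secret:", apop_login(srv, "mrose", "tanstaaf"))
    print("wrong secret:  ", apop_login(srv, "mrose", "guess"))
```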
The encryption lecture covers the details of PGP.
At least one PGP client for the Mac
• PGP.com (formerly Network Associates, Inc.) has “PGPFreeware” (v. 7.0 at the time of this writing) for OS 9 and “PGP 8.0 LIVE” for OS X.
• Free for academic use
• Compatible with other flavors of PGP (such as GPG).
For OS X, there is also GPG (GNU Privacy Guard) -- more on that later.
PGP
PGP, or Pretty Good Privacy, will be/has been discussed in depth in another class, so we won’t go into detail here. There is at least one PGP client for the Mac, which plugs in nicely to Eudora and probably Outlook, and which also provides an easy way to interact with non-standard email clients (like BlitzMail).
The client I use is made by PGP.com (formerly Network Associates, Inc.) and is called simply “PGP” (v. 7.0 at the time of this writing). It’s free for academic use, and it’s compatible with other flavors of PGP (such as GPG).
You can get GPG for OS X, and at this time the GUI is still kinda clunky, but it works if you follow the directions carefully when you set it up.
Most common way of getting a virus or other malware is via email attachments
Lots of clever tactics to lure you into opening something that looks legit…beware!
As a Dartmouth Mac user, you have a rare advantage -- BlitzMail. It…
• doesn’t download attachments automatically
• doesn’t interpret HTML mail (spammers send HTML mail with bad Javascripts etc.)
• isn’t Outlook ;)
Attachments (“Enclosures”)
Probably the most common way of getting an unwanted program (such as a virus) is by receiving an attachment in email. In the last couple years, there have been a huge number of worms which infect Windows machines via the Outlook email program. This is not directly dangerous to Mac users, but it serves to illustrate a point. The recent “Klez” virus/worm used several tactics to increase the likelihood that a recipient of the virus would open the attachment; it would pull email addresses out of the user’s address book or web cache, and create Subject lines from bits of documents or cached webpages on the victim’s computer, then generate more emails from those. The result was that other victims would receive email from people they knew, with message content that looked familiar. What a lure!
The point here is that, while Klez posed no threat to Mac users (even Mac Outlook users), the methods used by Klez demonstrate that viruses can be pretty clever.
Be certain, before you open an attachment, that the sender really is the sender, and that it’s someone you trust. Even then, you should scan the file with your antivirus software before you open it. Norton and others can be easily configured to “quarantine” and check new files before you use them.
• BlitzMail hides password (challenge-response)
• Comp Svcs is currently testing software to automatically filter/alert on virus-ridden email before it even gets to you
• Also, there are plans to make the servers fully IMAP-compliant (beta testing now)
• But, the session is still clear text. Your messages can be read.
More on email at Dartmouth
Dartmouth’s BlitzMail system provides a simple, easy-to-use, yet powerful interface for electronic mail. Its simplicity and uniqueness also add to its security; BlitzMail is immune to all the Outlook email viruses, since it does not arbitrarily download or execute code of any sort. It also does not have HTML mail capability, which thwarts a great deal of spam email containing JavaScripts and other “spyware” elements. Macintosh BlitzMail versions since 2.0.5 will even detect a keystroke logger running on the user’s machine, and will not only alert the user to this fact, but will also scramble the keystrokes as they are written to the keystroke logger’s result file, so the malicious user cannot see what was typed.
Luckily for us, BlitzMail uses a challenge-response technique to encrypt your password every time you log on. If you use a non-BlitzMail client to check your Dartmouth email, you do not get to have this extra layer of protection. Dartmouth email is moving towards a more standard scheme (IMAP) and they’re also looking into border filtering of viruses.
However, with the exception of the password, the BlitzMail session is still sent as clear text. So the content of the messages you send or receive, as well as your inbox summary, are still visible to an eavesdropper. (We can, however, tunnel BlitzMail through SSH, in both OS X and Classic. There is a paper on this listed in the “Supplemental Sources” section of the course webpage.)
Other secure ways to use Blitz:
• WebBlitz (Basement)
• NetBlitz (my favorite, if the regular client is unavailable)
• TextBlitz via SSH (old and primitive, but works in a pinch)
BlitzMail’s brethren
In addition to the real BlitzMail client, there are other secure ways to use Blitz.
WebBlitz -- https://basement.dartmouth.edu/blitz. Uses SSL to protect your session.
NetBlitz -- a streamlined web-based client. http://netblitz2.dartmouth.edu/Bl.cgi. Has multiple security options -- you can SSL-encrypt just your login, or your whole session, depending on how much speed vs. security you care about.
TextBlitz -- very bare-bones Blitz access. SSH to textblitz.dartmouth.edu as user “blitz” with no password. You’ll be prompted for your BlitzMail login info. You can only read what’s in your inbox. This is very old.
Not really a big deal for Macs (so far).
• Again, small user base and the uniqueness of MacOS = small target
• Most recent big one: Word macro virus (which affected Word documents on all platforms)
• Also, a worm or two
VIRUSES!
Not a big deal for Macs. There just aren’t very many viruses out there. Again, the small user base and the uniqueness of MacOS make it a small, unattractive target for most of the virus-writing twits in the world.
Probably the most dramatic one in recent history was the Word macro virus (which affected Word documents on all platforms, not just the Mac). It wasn’t super-destructive, but it did manage to irritate just about everybody at Dartmouth for a few months.
Macro scripting language is supposed to be used for creating in-document shortcuts for repetitive functions. The macro scripting language developed by MS apparently can do much more, because a couple years back there was a huge epidemic of macro viruses in Word documents on Windows and Mac (mostly affecting Word version 6). These viruses did a variety of cute things, like alter your “Normal” Word template such that every Word document you opened or created would be infected, and/or embed a chunk of text in every Word document you ever opened, that you could NOT remove from the document (the text contained a message about a Scrabble game), and one variant could even hide a menu in the program (!) which you had to use in order to get rid of the virus! (I thought I had gone insane. The cleanup instructions said “1. Go to the Tools menu” and there WAS NO TOOLS MENU.)
3 or 4 other known Mac viruses
• Some do have destructive payloads
• Rate of infection is very low
Run Norton Antivirus or equivalent
List and description of Mac viruses: http://www.symantec.com/mac/security/macattack.html
Countermeasures
The macro virus thing is pretty much over. Word98 and up have macro support disabled by default and/or built-in macro virus detection. Also, antivirus utilities such as Norton are able to detect and clean or at least quarantine documents containing macro viruses.
The other fairly-memorable and somewhat recent Mac malware was a worm. It used QuickTime’s “autoplay” feature (which starts playing audio CDs as soon as they’re inserted) and some strains of the worm would destroy files with .dat or .data name extensions, but mostly all it did was start up Print Spooler and slow your system down. All you had to do to avoid infection was turn off the autoplay feature in QuickTime.
There are 3 or 4 other known Mac viruses, some of which do have destructive payloads (delete random files, interfere with loading of extensions, etc.) But the rate of infection is very low. If you’re paranoid, which is a good thing, run Norton Antivirus or another AV program. It’s a good idea to boot off the CD and have it scan your system BEFORE you install it, since some viruses try to disable AV programs. Hold down the C key to boot off a CD.
List and description of Mac viruses: http://www.symantec.com/mac/security/macattack.html
The firewall lecture covers how they work. Mac ones:
• Norton Personal Firewall for Macintosh
• OS X has built-in firewall software
In general, firewall software should:
• Have basic and advanced user modes
• Have good logging and notification options
• Support multiple rule sets
• Be able to export logs in standard formats
• Support multihoming
• Ideally, support egress filtering
Firewalls
The firewall lecture in this class covers what firewalls do and how they work. Norton Personal Firewall for Macintosh is a good choice. (OS X has built-in firewall software, but we’ll get into that later.)
A good firewall should be easy to use, have basic and advanced user modes, and have good logging (and should be able to export logs in standard formats, so you can analyze the logs with another program). It ought to support multihoming (i.e., separate rules for different network interfaces or locations, especially for PowerBook users), and ideally, filtering of outbound traffic (e.g., prevent your credit card number from being sent in a clear text format, or stop traffic destined for known Trojan horse ports.) A decent fw program should also allow you to have multiple sets of rules. You ought to be able to easily create a basic ruleset with high-security rules (the default set, preferably). There should be notification options (for example, Norton can pop up mini-windows telling you about access attempts right as they happen).
Ideally, your fw should have the ability to silently drop OR explicitly reject traffic. And it should be stateful. But these last two features are pretty frequently left out of “personal” firewalls. If you really want to have these features, get a cheap old PC, install two cheap NICs, and put Linux with Netfilter on it for a dedicated, powerful, stateful inspection firewall and put your Mac behind it. :) But that’s kinda overkill.
Play the hacker.
Symantec can scan your machine and generate a report: http://security1.norton.com/SSC/
Caveats:
• Multiple Users
• Non-passive-mode FTP connections
• Allowing for non-obvious traffic (e.g. Keyserver)
Test it
Test your firewall settings. Play the hacker. Symantec has a URL you can visit which scans your machine and generates a report about its level of security. Keep in mind that if you’re NAT’ed, it won’t work, and if you’re behind a firewall, your security administrator may hate you for doing this.
Caveats:
• If you’re using Multiple Users, you’ll need to make sure that your fw offers the proper amount of protection for all users. NPF uses one Prefs file for all users but other fws may not.
• Beware of non-passive-mode FTP connections, often characterized by a connection drop at 99 percent download completion. (It’s like they TRIED to make it as frustrating as possible.) Set Passive Mode under Fetch’s “Firewall” Preferences tab.
• If email takes forever, it may be an AUTH thing. Either allow the traffic (TCP/113) or do an explicit reject so it doesn’t do the long timeout in response to a silent drop.
• P2P programs (Gnutella and such) may malfunction in the presence of a firewall.
• If you block UDP access on high ports, it may mess up DNS. Also don’t block UDP/68 if you use DHCP to get an IP address (at Dartmouth, this is the standard method). Ideally you need only allow that access from the IP of the DHCP server, but if you’re not sure, open that port to anything. It’s a pretty minor security hole.
• If you use NTP for Date and Time, open up UDP/123 from the specified NTP server.
• If you use Keyserver over IP, it needs UDP/19283. You probably use it over AppleTalk, though (default).
Everything’s changed.
OS X is based on a Unix subsystem, a version of FreeBSD called Darwin. Here’s a pictorial representation of the OS:
(Don’t worry about the GTK/Xdarwin part.)
MAC OS X
To maintain backwards compatibility with the existing library of Macintosh software, Mac OS X integrates the new Unix-based environment with a MacOS-based emulation environment called “Classic” (also sometimes called the True Blue Environment, which is how it shows up in top). Old Mac apps run within Classic, and Classic runs within X. As far as X is concerned, Classic is just another application. It can be killed like any other Unix app, which is nice for those times when some Classic app crashes the environment.
The term “Carbon” is used to describe applications which are written such that they can run natively in either OS X or Classic/OS 9. This is similar to “fat binary” apps (which existed during the transition from the 680x0 processor to the PowerPC processor -- some software was re-written to include code for both processor types, and since this tended to make them bigger, they were called “fat.”) If you Get Info on a Carbon app, you can toggle a checkbox to tell the app whether to launch in OS X or in Classic. “Cocoa” describes apps written specifically for OS X, and which will not run in OS 9. Platinum and Aqua are the names Apple uses to describe the user-visible appearance of the operating system. Think of them as Winamp skins. Classic always wears the Platinum appearance, which among other things, describes the shape and size of common elements like scroll bars and title bars and menu fonts. Similarly, Aqua is the skin worn by OS X, and it describes things like translucency of background windows and drop shadows and such.
Mac OS X cont’d
QuickDraw and Quartz are the respective underlying graphics “engines” which are what drive the appearance of the OS. I’m not sure if it’s still the case today, but originally, most if not all of the Mac’s QuickDraw calls were hardwired into the ROMs, which is why all Mac apps tended to look very similar; things like title bars and menus and the shape of the cursor were standard objects. This was very deliberate on Apple’s part -- it was a big part of what made the Mac easy to use for newbies, because so much of what you learned about one app could be applied to all the others.
The light-gray column in this picture shows the “command line” riding on top of the Terminal window, which in turn sits above the Shell. IMHO this doesn’t really serve to illustrate much -- all you need to know is that if you want to get at the Unix command-line interface, you first have to open a Terminal window (Terminal is the name of the app that gives you CLI access). By default, your shell is tcsh, though it’s easy to add bash if you prefer it.
The far-right column has to do with a nifty add-on (NOT part of the OS, whereas the rest of the picture is) called XDarwin, which is the Unix XWindows environment for OS X. This may seem incredibly redundant, but it allows you to do some very cool things that you wouldn’t otherwise be able to do. It’s outside the scope of this class, but blitz me if you’d like a demo.
OS X inherits from NeXTStep and Rhapsody
What you get:
• Memory protection
• Preemptive multitasking
• Built-in compiler
• etc. -- all the coolness of Unix
Combined with:
• Really terrific UI that Macs are famous for
• BUT: We gave up uniqueness. Vulnerabilities that affect BSD Unix can now affect Macs, too.
Macs and Unix
OS X inherits much from NeXTStep and Rhapsody. See handout # 3, “Mac OS X System Administration,” for more about the history of NeXT and OS X.
OS X is the best of both worlds. It has all the functional advantages of Unix, like memory protection, preemptive multitasking, the built-in compiler, Unix compatibility resulting in access to a huge library of software (even the Debian apt-get tools have been ported to OS X), Darwin is open-source so more software’s coming faster, etc. AND...
…it has all the user-interface advantages that the Macintosh is famous for. Most Mac users never need to interact with the Unix-ness directly; they just revel in the delight of using a Mac that (almost) never crashes.
• The price we pay for this: We’re not unique anymore. Vulnerabilities that affect BSD Unix, Apache, OpenSSH, etc. can now affect Macs, too.
OS X is a multi-user system.
Administrator is not quite root, but almost
• Sudo is invoked when needed in the GUI
• It can also be used explicitly at the CLI, just like in any other Unix
Administrator has enough privileges to do just about anything you need
There can be many
Unlike old MacOS, OS X is a multi-user system. When you first set up your new Mac, you are asked to provide a username and password for the Administrator account. Administrator is not root, but it’s almost that powerful -- Apple hides root from you, for your own safety, and invokes something much like sudo when you need to do root-esque things.
At first I didn’t understand this -- I thought, “this is MY computer, I should be able to do ANYTHING I WANT.” So I performed the convoluted hack to enable root login (this was OS X 10.0, it wasn’t easy) and I habitually ran things while logged in as root. One day, I went to change modes (chmod) a file, but I didn’t notice that I’d accidentally selected the whole hard disk (I was still getting used to OS X), and it seemed to be taking awhile to finish…spinning beach ball of doom…uh-oh. I’d recursively chmod’ed every file on the disk. OS X never booted again. I had to boot into OS 9 to get my data, then wipe the drive and start over.
The moral of the story is, that wouldn’t have happened if I hadn’t insisted on being root all the time. OS X would’ve chmod’ed maybe one folder’s worth of stuff, but it would’ve stopped before it reached the core system files and tossed a dialog saying “you don’t have permission to do that” or something similar.
Administrator has enough privileges to do nearly anything you’ll need to do -- you don’t need true root unless you start really messing around with the Unix guts of OS X. Even then, it’s HIGHLY recommended that you use sudo, rather than enable the root password and stay logged in as root for long periods of time. You’re far less likely to do irreparable damage to your system if you use sudo, since it gives you root privs only on a per-command basis. Metaphorically, you’ve only chambered one round at a time, and if the gun goes off, at least it’s not on full auto. ;)
Very rarely will sudo fail to meet your needs. But once in a while, something in a shell script or some hardcore tinkering will require true root. The easiest way to go at it in that case is sudo su - and use your Administrator password. You will be root, with root’s path.
You can create users, and choose whether or not to give them Administrator rights
Each user has a home folder (under /Users)
Each user also has a “Desktop” folder, which corresponds to the desktop he or she sees.
Users and folders
You can create however many users you want, and you can give them Administrator rights (they can do Admin-level stuff using just their own passwords for authentication, like sudo) or leave them as normal, non-admin users. Each user has a home folder (under /Users) which stores his/her documents, preferences, fonts, personal webpage (if you have Web Sharing enabled), etc. If you do NOT give users admin rights, then they can only make new files in their home directories. They can still run applications that reside outside their home folders, but apps that need root (say, a sniffer) will not work for them. This should be quite familiar to Unix users.
Each user also has a “Desktop” folder, which corresponds to the desktop he or she sees. It shows up as a folder called Desktop in your home directory, but it’s simultaneously also the desktop underneath all your windows (which can get weird, since you can open the Desktop _folder_ and be looking at the icons that are also on your visible Desktop.) This is quite different from the Desktop of old MacOS, which was sort of an über-folder. Each user can put different things on his or her Desktop, and other users won’t see them -- they’ll see their own Desktops.
Note: Users ought to make use of the screen saver lock feature -- it requires you to enter your password to unlock the screen saver. System Preferences -> Screen Effects. And never turn on the auto-login feature unless you’re sure your Mac is physically isolated from other people; also, it’s better to leave off the “pick user from list” option and type your username. Again, don’t make it easier for the bad guys.
Users can install their own applications
If they have Admin rights, they can install apps available to all users
In general, applications run with the privileges of the user who launches them
Users and Apps
Users can install their own applications, available only to them, or (if they have Admin rights) they can install apps available to the whole system.
For the most part, applications run with the privileges of the user who launches them. In other words, if I open BBEdit and try to edit the /etc/hosts file, BBEdit will ask me to authenticate as Admin with my password before I can save changes. (This assumes that my account has Admin rights, or in more Unixy terms, I am in the sudoers list.) Users who are not flagged as Administrators would not be able to edit that file at all.
Same as any Unix -- owner, group, everyone, modes, etc.
Can be changed at the CLI using the usual -- chmod, chown, etc. -- as well as with the GUI Get Info.
BSD File Security
As with any Unix, files in OS X have access restrictions based on owner and group, and files have modes (r/w/x). This isn’t just the case for network file sharing (as is true with pre-X Mac OS) -- it’s also true for every file on the system. Old news for Unix folks, but a new realm for Mac users.
When you open an old Mac app, OS X first launches the Classic (“TrueBlue”) environment, then opens the app within that
The integration is fairly seamless -- some menus change, but you always see the OS X Finder/Desktop and the Dock
If some Classic Mac app crashes, it’ll probably take the Classic environment down with it, but OS X keeps running :)
Classic
To maintain compatibility with old MacOS software, Apple developed a MacOS emulation environment, called Classic. When you open an old Mac app, say, Classic Netscape, OS X first launches the Classic (“TrueBlue”) environment, then opens Netscape within that. The integration is fairly seamless -- some menus change when you flip between OS X and Classic apps, but you always see the OS X Finder/Desktop and the Dock.
Classic runs as a separate process under OS X -- Classic is, in effect, just another application under OS X. The cool thing about this is that when some Classic Mac app crashes (that would NEVER happen! hah), it’ll probably take the Classic environment down with it, but OS X keeps running happily. The miracle of memory protection.
(In the beta release of OS X Server, Classic and X were integrated differently, and it was possible for Classic to crash and take the input devices with it. OS X would still be running, but you couldn’t reach it to kill Classic -- your cursor was frozen, keyboard locked. But, you COULD shell in from another machine and run ps, find the Classic process, and kill -9 it and get X back. Nice.)
• The integration is fairly seamless. Not completely.
Examples:
• Both Classic and OS X use a single IP address
• File sharing weirdness
• Both environments can share a printer
• OS X owns the CD-ROM and Zip drive
• Only one Finder (X)
• OS 9 Desktop is still separate from OS X’s
Classiconfusion
The integration is _fairly_ seamless. It still takes a lot of getting used to, especially if you’ve been a Mac user for awhile.
Examples: Both Classic and OS X use a single IP address. It doesn’t affect client-type behavior (e.g., you can use a web browser in each environment simultaneously), but it can get weird with running servers.
You can’t do file sharing under Classic under X anymore (but you could do it with AppleTalk only, no AFPoverTCP, in OS X 10.1, WHILE you were sharing files directly from X too. Schizophrenic.) You can’t connect to AppleTalk-only servers from Classic, but you can from X. You CAN do Program Linking from within Classic; God only knows what happens if you try to do Apple Events in X at the same time. (It seems to let you turn on both simultaneously…)
Both environments can share one printer (need drivers for each environment, except for the occasions when Classic just seems to “learn” about the printer from X), but OS X owns the CD-ROM and Zip drive.
There is only one Finder (in X).
The Desktop of Mac OS 9 is a separate entity from that of OS X, and under OS X, it’s invisible in the Finder (but you can see it from the Terminal if you list the contents of the / directory). When you install OS X, it automatically creates an alias to the Mac OS 9 Desktop, and puts that on your OS X Desktop (stay with me here) and if you delete it, like I did, then you’re sorta locked out of your OS 9 Desktop. But don’t worry, it’s still there if you boot into 9. (More on that in the next slide)
More: Under the standard partitioning scheme, you can boot directly into MacOS 9
• This has scary implications for file permissions
Carbon apps will run in anything, which is good to know
OS X “packages” (app bundles) will appear as folders in 9, don’t mess with the contents!
More on Classic/X
Oh, and as if that’s not enough, you can tell the Mac to boot directly into MacOS 9 (using the same System Folder as Classic), and then OS X effectively disappears and you have an old-school Mac again. This also has the side effect of making most of the Unix file permissions moot -- in other words, if you boot into 9, you can probably delete the /bin directory REGARDLESS of your OS X Administrator status, because regular MacOS doesn’t speak that language. There isn’t a complete disregard for it, though. Some key files and directories from OS X will be “grayed out” in the Finder if you boot into MacOS 9. But…from a Save or Open dialog in some applications, you can still see and modify everything. Mac OS 9 is gradually being phased out, but in the meantime, all you can really do is shrug and be careful.
Remember the Carbon thing? Those apps will run in OS X, or in Classic, or in OS 9 directly. So? Well, if you make a bad mistake like I did, and hose your OS X system, you can (hopefully) still boot into OS 9. You can grab your original CD and boot off it long enough to change the Startup Disk setting and reboot 9. Then, if you held onto some Carbon (or Classic) apps, you can go in and run them from 9 and perhaps use them to recover your data. It’s nice to have a copy of Fetch that will work in either environment -- I used it to move my data onto a network file server when I did the Bad Chmod that time. In short: If you’ve got the disk space, it’s a good idea to hang onto Classic/Carbon apps even after you install a superior Cocoa equivalent, so you double your chances of being able to recover from a bad event. If you’re in 9 and you want to know whether some app will run or not, you can just try it, and you’ll get a message if it’s Cocoa. In general, if the application icon appears properly in 9, it’s probably Carbonized.
One other note: OS X Cocoa apps sometimes make use of “packages,” which are essentially application bundles -- they will appear as a single icon that you double-click to launch, just like any other app, but if you control-click them, you can see and alter the contents. Sort of like using ResEdit in the old days to hack the resource fork, only now you don’t need a separate tool. But if you boot into OS 9, packages will appear as folders since OS 9 doesn’t know what packages are -- don’t start adding or removing things from them, because when you boot back into OS X, they might not work right anymore!
Is pretty good.
If I turn off my firewall and run TCP and UDP portscans against my Mac, here are the results (notes sections):
I can explain what I see. Nothing mysterious. This is important.
I haven’t done any low-level hacking to turn off default services, so a base OS X install should have fewer open ports than what I have.
OS X Security “out of the box”
Results of nmap -sT -p 1-65535 my-mac (that’s a plain vanilla TCP scan of all ports):
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on my-mac (some.ip.address):
(The 65530 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
427/tcp    open        svrloc
548/tcp    open        afpovertcp
902/tcp    open        unknown
913/tcp    open        unknown
2151/tcp   open        unknown
We know what the first two are. I’m running SSH (“Allow remote login” is turned on in Sharing) and I’ve got Web Sharing turned on. 427 (svrloc) is the Server Location daemon/protocol, which helps my Mac and other Macs find each other’s services on the network. Port 548 shows File Sharing enabled (over TCP, default on OS X, though I can enable AppleTalk as well). Nmap didn’t know what port 913 is for, so I Googled for “port 913” and discovered that it’s the Sidecar port (part of Kerberos, which we use to access protected portions of the Dartmouth website, among other things). Ports 902 and 2151 are for my BlitzMail ssh tunnel. If I hadn’t already known that, it’d be kinda hard to figure out, since BlitzMail is a Dartmouth thing and Googling for those ports will get you a lot of nonsense. But I could’ve tried telnetting to those ports…
bash mbates@my-mac ~ $ telnet localhost 902
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 DND server here.
Aha! Unfortunately, the same trick for 2151 is a lot less informative.
What is THAT port?
bash mbates@my-mac ~ $ telnet localhost 2151
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
hello?
011 Unknown command: hell
helo
011 Unknown command: helo
help
011 Unknown command: help
user
013 Missing argument.
info
011 Unknown command: info
get
011 Unknown command: get
(I gave up and exited)
Heh. But, a logical next step might’ve been to search the Dartmouth Computing Services webpages for info on what ports BlitzMail uses.
• lsof -i shows ports and their corresponding services
• You can get this with netstat, but lsof is a little easier to read and interpret
• You need to run it with sudo to see everything (since you don’t own many of the network services)
Excerpt:
automount  260 root  4u inet 0x01bb8970 0t0 UDP *:860
httpd      268 root 16u inet 0x01d33cdc 0t0 TCP *:80 (LISTEN)
httpd      270 www  16u inet 0x01d33cdc 0t0 TCP *:80 (LISTEN)
sshd       283 root  3u inet 0x01d33a2c 0t0 TCP *:ssh (LISTEN)
slpd       293 root  0u inet 0x01bb8560 0t0 UDP *:427
slpd       293 root  1u inet 0x01d3377c 0t0 TCP *:427 (LISTEN)
More on ports and services
Results of nmap -sU -p 1-65535 my-mac (same as before, but UDP ports this time):
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on my-mac (some.ip.address):
(The 65526 ports scanned but not shown below are in state: closed)
Port       State       Service
68/udp     open        dhcpclient
123/udp    open        ntp
427/udp    open        svrloc
514/udp    open        syslog
860/udp    open        unknown
49152/udp  open        unknown
49155/udp  open        unknown
49158/udp  open        unknown
49160/udp  open        unknown
68 is for my Mac to get an IP address from the DHCP server on my network. 123 is ntp, Network Time Protocol -- my Mac syncs its clock with Dartmouth’s NTP server. 427 is the UDP port for svrloc, explained on the previous slide (svrloc uses both TCP and UDP). 514 is syslog appearing to listen on the network, but it doesn’t actually accept data from other hosts. 860 is automounter listening for other hosts’ nfs requests, which is moot since I don’t have any nfs shares defined. 49152 is being used by Keyserver, and I can’t telnet to it (connection refused), so how would I know? I cheated and used lsof. (Could’ve done that before too, but I wanted to show you another way to figure out what ports are used for which applications.) The last three ports are being used by lookupd, the all-purpose lookup daemon (for DNS among other things) and again, I used lsof to figure that out.
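The “explain every open port” exercise above can be scripted so it is repeatable after each change to your Sharing settings. The shell script below is an added example, not part of the lecture: it takes nmap’s open-port list and the output of sudo lsof -i -P -n (the -P and -n flags keep ports and addresses numeric so the two outputs line up) and reports which ports are accounted for by a listening process and which are not. Both sample outputs are constructed; the AppleFileServer and ssh tunnel entries, the PIDs and the device addresses are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original lecture): cross-reference an nmap port list
# against "lsof -i -P -n" output so that every open port has a named owner.
# Both samples below are constructed; the AppleFileServer/ssh lines, PIDs and
# device addresses are invented to match the ports discussed in the notes.

NMAP_SAMPLE='Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
427/tcp    open        svrloc
548/tcp    open        afpovertcp
902/tcp    open        unknown
2151/tcp   open        unknown'

LSOF_SAMPLE='COMMAND         PID   USER   FD   TYPE DEVICE     SIZE/OFF NODE NAME
sshd            283   root    3u  inet 0x01d33a2c      0t0  TCP *:22 (LISTEN)
httpd           268   root   16u  inet 0x01d33cdc      0t0  TCP *:80 (LISTEN)
slpd            293   root    1u  inet 0x01d3377c      0t0  TCP *:427 (LISTEN)
AppleFileServer 301   root    5u  inet 0x01d33ee0      0t0  TCP *:548 (LISTEN)
ssh             412 mbates    4u  inet 0x01d34120      0t0  TCP 127.0.0.1:902 (LISTEN)
automount       260   root    4u  inet 0x01bb8970      0t0  UDP *:860'

# explain_ports NMAP_TEXT LSOF_TEXT
# Prints one line per open port: "PORT/PROTO explained: COMMAND (pid N, user U)"
# or "PORT/PROTO UNEXPLAINED" when no local process is bound to it.
explain_ports() {
    printf '%s\n' "$2" | awk -v nmap="$1" '
        # lsof lines: the token after TCP/UDP is the bound address, "host:port"
        / (TCP|UDP) / {
            for (i = 1; i <= NF; i++)
                if ($i == "TCP" || $i == "UDP") { proto = tolower($i); name = $(i + 1) }
            n = split(name, a, ":")
            owner[a[n] "/" proto] = $1 " (pid " $2 ", user " $3 ")"
        }
        END {
            m = split(nmap, lines, "\n")
            for (j = 1; j <= m; j++) {
                if (lines[j] !~ /^[0-9]+\/(tcp|udp)[ \t]+open/) continue
                split(lines[j], f, "[ \t]+")
                if (f[1] in owner) print f[1], "explained:", owner[f[1]]
                else print f[1], "UNEXPLAINED"
            }
        }'
}

# unexplained_ports NMAP_TEXT LSOF_TEXT -> just the ports that still need investigating
unexplained_ports() {
    explain_ports "$1" "$2" | awk '$2 == "UNEXPLAINED" { print $1 }'
}

explain_ports "$NMAP_SAMPLE" "$LSOF_SAMPLE"
```

Run against a real machine with explain_ports "$(nmap -sT -p 1-65535 my-mac)" "$(sudo lsof -i -P -n)". In the constructed sample, 2151/tcp comes back UNEXPLAINED because nothing on the host is bound to it, which is exactly the kind of port that deserves the telnet-and-Google treatment described above.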
Via syslog. Look in /var/log
system.log is a good place to start
• Firewall logs (seems buggy, at least with BrickHouse -- sometimes stops???)
• Use of sudo
• Subsystem status messages
also, /var/log/httpd/access_log and error_log
others for other services (ftp, mail, etc.)
Logs
OS X logs via the Unix syslog facility. There may be some nice GUI log reader available, but your best log analysis tools are grep and/or a good text editor with a Find function. E.g.:
grep sudo /var/log/system.log                 # Look for all instances of sudo
tail -f /var/log/system.log | grep something  # Watch the log as it’s written (-f = “follow”) and pipe the output to grep to look for “something”
grep -v <your-ip> /var/log/httpd/access_log   # Inverse grep (look for everything BUT your-ip)
And so on.
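Grepping for sudo is a good start; the next step is to turn the matches into something you can read at a glance. The script below is an added example, not from the lecture: it summarizes sudo activity from system.log (who ran how many commands, and which attempts failed because of a bad password or because the user is not in sudoers). The log lines are constructed in the format sudo writes through syslog; the hostname, users, timestamps and commands are made up.

```sh
#!/bin/sh
# Added example (not from the original lecture): summarize sudo activity from
# /var/log/system.log. The lines below are constructed in sudo's syslog format;
# hostname, users, timestamps and commands are invented.

LOG_SAMPLE='Feb 12 09:41:03 my-mac sudo:   mbates : TTY=ttyp1 ; PWD=/Users/mbates ; USER=root ; COMMAND=/usr/sbin/lsof -i
Feb 12 09:42:17 my-mac sudo:   mbates : TTY=ttyp1 ; PWD=/Users/mbates ; USER=root ; COMMAND=/usr/sbin/tcpdump -i en0
Feb 12 10:05:44 my-mac sudo:    guest : 3 incorrect password attempts ; TTY=ttyp2 ; PWD=/Users/guest ; USER=root ; COMMAND=/bin/sh
Feb 12 10:06:01 my-mac sudo:    guest : user NOT in sudoers ; TTY=ttyp2 ; PWD=/Users/guest ; USER=root ; COMMAND=/bin/sh
Feb 12 10:07:00 my-mac sshd[402]: Accepted password for mbates from 10.0.0.5 port 51234 ssh2
Feb 12 10:09:30 my-mac sudo:   mbates : TTY=ttyp1 ; PWD=/Users/mbates ; USER=root ; COMMAND=/sbin/ipfw list'

# sudo_commands_by_user LOG_TEXT -> "user count" for successful sudo invocations
sudo_commands_by_user() {
    printf '%s\n' "$1" | awk '
        / sudo: / && /COMMAND=/ && !/incorrect password/ && !/NOT in sudoers/ {
            line = $0
            sub(/^.* sudo: +/, "", line)   # drop "Mon DD hh:mm:ss host sudo:"
            split(line, f, " : ")          # f[1] is the invoking user
            count[f[1]]++
        }
        END { for (u in count) print u, count[u] }' | sort
}

# sudo_failures LOG_TEXT -> the lines worth a second look: bad passwords and
# users who are not in sudoers at all
sudo_failures() {
    printf '%s\n' "$1" | awk '/ sudo: / && (/incorrect password/ || /NOT in sudoers/)'
}

# sudo_commands_for LOG_TEXT USER -> the commands USER ran via sudo, one per line
sudo_commands_for() {
    printf '%s\n' "$1" | awk -v u="$2" '
        / sudo: / && /COMMAND=/ && !/incorrect password/ && !/NOT in sudoers/ {
            line = $0; sub(/^.* sudo: +/, "", line); split(line, f, " : ")
            if (f[1] == u) { cmd = $0; sub(/^.*COMMAND=/, "", cmd); print cmd }
        }'
}

echo "== sudo commands per user =="; sudo_commands_by_user "$LOG_SAMPLE"
echo "== failures =="; sudo_failures "$LOG_SAMPLE"
```

On a live system, feed it the real log: sudo_failures "$(cat /var/log/system.log)". Note that sudo records failures on the same facility as successes, so a plain grep for sudo shows both mixed together; separating them is what makes a day’s worth of log readable.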
HFS+ is the native/default file system for OS X
OS X also supports UFS (Unix File System)
One big difference:
• HFS+ preserves case of file names, but is case-insensitive (filename = FileName = FILENAME)
• UFS is not! Those could be three separate files
• Implications?
Unix and Mac can collide…
Sometimes the Mac-ness and the Unix-ness of OS X really butt heads. HFS+, the Mac’s native file system since approximately MacOS v. 8, is a case preserving but case-insensitive file system. This means that, under HFS+, a file called “goober” cannot exist in the same folder as a file called “GooBer” or “GOOBER” etc. Those are all considered to be the same name. But, under UFS, which is also supported by OS X, case DOES make a difference; UFS would consider all of those to be separate file names. Well, so what?
“CERT/CC Vulnerability Note VU#439395 Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem...
...Impact: Can bypass Apache file access protection, allowing remote unprivileged users to read privileged files.”
Yikes!
Apache vulnerability!
THIS is what:
---------------------------------------------------------------------------------------------------------------
CERT/CC Vulnerability Note VU#439395
Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem
I. Description: The Apache web server's file access protection scheme (i.e., file request "filtering") assumes that the filesystem being protected is case sensitive...
Under the Apache scheme, you specify whether to deny or allow access to a filesystem object (which can be a directory, filename, or URL). The specifications are called "directives", which include <Directory>, <Files> and <Location> directives. See http://httpd.apache.org/docs/mod/core.html#directory for further information on directives. When you use a directive to deny access to a file or directory using the Apache web server under Mac OS X HFS+, the directive will NOT deny access to any other upper and lower case variation on the filename or directory...
-----------------------------------------------------------------------------------------------------------------
OOPS! Some tweaking in the Apache config file could fix this, and Apple released a patch right away, so it’s not an issue now. But this serves to illustrate how programs which are accustomed to Unix/UFS behavior can potentially be tripped up by seemingly-subtle differences like that.
For more details on this vulnerability and its solutions, go to: http://www.kb.cert.org/vuls/id/439395
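Two checks follow from the HFS+/UFS discussion and the CERT note: find out whether the volume you are serving from is case-insensitive at all, and look in access_log for requests that reached a protected path through a different spelling. The script below is an added example (not from the lecture or the CERT note). The access_log lines are constructed in Apache’s common log format; the addresses, paths and timestamps are invented.

```sh
#!/bin/sh
# Added example (not from the original lecture or the CERT note): a probe for
# case-insensitive filesystems and an access_log check for case-variant requests
# to a protected path. The log lines are constructed; addresses and paths are invented.

ACCESS_SAMPLE='10.0.0.5 - - [12/Feb/2003:10:15:22 -0500] "GET /private/report.html HTTP/1.0" 403 294
10.0.0.5 - - [12/Feb/2003:10:15:30 -0500] "GET /Private/report.html HTTP/1.0" 200 5120
10.0.0.7 - - [12/Feb/2003:10:16:01 -0500] "GET /index.html HTTP/1.0" 200 1024
10.0.0.5 - - [12/Feb/2003:10:17:45 -0500] "GET /PRIVATE/ HTTP/1.0" 200 812
10.0.0.9 - - [12/Feb/2003:10:18:10 -0500] "GET /privateer.html HTTP/1.0" 200 300'

# fs_is_case_insensitive DIR -> prints "yes" if two names differing only in case
# refer to the same file in DIR (HFS+ behaviour), "no" otherwise (UFS, ext4, ...)
fs_is_case_insensitive() {
    probe="$1/casetest.$$"
    : > "$probe"
    if [ -e "$1/CASETEST.$$" ]; then echo yes; else echo no; fi
    rm -f "$probe"
}

# case_bypass_requests LOG_TEXT PROTECTED_PREFIX
# Lists requests whose path matches PROTECTED_PREFIX ignoring case but not exactly.
# On a case-insensitive filesystem Apache would have served these even though a
# case-sensitive <Directory>/<Location> directive denies the exact spelling.
# Output: "ip status path".
case_bypass_requests() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            path = $7                                  # "GET /path HTTP/1.0" -> $7 is the path
            lp = length(p)
            # the prefix must end at a path boundary so /private does not match /privateer
            if (tolower(substr(path, 1, lp)) != tolower(p)) next
            rest = substr(path, lp + 1)
            if (rest != "" && substr(rest, 1, 1) != "/") next
            if (substr(path, 1, lp) == p) next         # exact spelling: the directive applied
            print $1, $9, path
        }'
}

echo "== case-variant requests for /private =="
case_bypass_requests "$ACCESS_SAMPLE" /private
```

In the constructed sample the exact-case request for /private/report.html got a 403, while /Private/report.html and /PRIVATE/ were served with 200: those two lines are what the check flags. On a patched system the flagged requests should all carry a 403 as well. One configuration-side mitigation (my suggestion, not the fix the CERT note documents) is to match the protected path with a case-insensitive regular expression, e.g. a <LocationMatch "(?i)^/private"> block, so the directive no longer depends on the filesystem’s idea of case.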
OS X is much more server-oriented than old MacOS
All sharing-related services are handled from a single Preference pane
• One click turns on file sharing
• One click turns on FTP access to shared files
• One click turns on Web Sharing
• One click turns on SSH access
Even more important: One click turns these OFF!
Ease of use
OS X, even the non-”Server” version, is much more server-oriented than old MacOS. Most of its server functionality can be turned on or off and configured through the Sharing preference pane. The defaults for most services are well-thought-out and are sufficient for most users’ needs.
In the Sharing preference pane, all of the following services can be turned on or off, and tweaked:
• File sharing
• FTP access to shared files (yikes…)
• Web Sharing, which uses the tried-and-true Apache web server -- root web dir is Admin-access only, and each user has a homepage folder (http://.../~username)
• Remote shell access - using OpenSSH, not telnet!
• Remote Apple Events (formerly known as Program Linking)
Likewise, one click turns these OFF, which is important when a vulnerability in Apache or OpenSSH is discovered. As of OS X 10.2, the Sharing pane also includes a GUI to administer the firewall. From what I’ve seen, it seems pretty minimal...I’d still recommend BrickHouse, which we’ll talk about soon.
A note: These service startup settings are written to a file, /etc/hostconfig. You can edit this file directly to turn services on/off at startup. Good to know if you want to shut down a service when you’re not sitting in front of the Mac (i.e., do this over SSH).
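Editing /etc/hostconfig over SSH is the kind of thing that is easy to get slightly wrong at 2 a.m. The script below is an added example, not from the lecture: two small functions that read and set a KEY=-YES-/-NO- line in a hostconfig-style file, refusing any value other than -YES- or -NO- and any key that does not look like a hostconfig variable. The key names AFPSERVER, SSHSERVER, WEBSERVER and SMBSERVER are assumed for illustration, as is the file format; check the real file on your own Mac. The sample content is constructed and the functions work on a temporary copy, so nothing touches the real /etc/hostconfig unless you point them at it.

```sh
#!/bin/sh
# Added example (not from the original lecture): read and set service flags in a
# hostconfig-style file without hand-editing it. The key names and the sample
# content are assumptions for illustration, not a copy of a real /etc/hostconfig.

SAMPLE_HOSTCONFIG='# constructed sample in the KEY=-YES-/-NO- style of /etc/hostconfig
AFPSERVER=-NO-
SSHSERVER=-YES-
WEBSERVER=-YES-'

# sample_hostconfig_file -> writes the sample to a temp file and prints its path
sample_hostconfig_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_HOSTCONFIG" > "$f"
    printf '%s\n' "$f"
}

# hostconfig_get FILE KEY -> prints the value (-YES- or -NO-); exit 1 if KEY is absent
hostconfig_get() {
    awk -F= -v k="$2" '$1 == k { print $2; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# hostconfig_set FILE KEY VALUE -> rewrites KEY=VALUE in place (appends if missing).
# Only -YES- and -NO- are accepted and KEY must be an uppercase identifier, so a
# typo cannot leave a line the startup scripts will not understand.
hostconfig_set() {
    file=$1; key=$2; value=$3
    case $value in
        -YES-|-NO-) ;;
        *) echo "hostconfig_set: value must be -YES- or -NO-" >&2; return 2 ;;
    esac
    case $key in
        ""|*[!A-Z0-9_]*) echo "hostconfig_set: bad key '$key'" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -F= -v k="$key" -v v="$value" 'BEGIN { OFS = "=" }
        $1 == k { $2 = v; done = 1 }
        { print }
        END { if (!done) print k "=" v }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"     # cat keeps the original owner and mode, unlike mv
    rm -f "$tmp"
}

# demo: turn ssh off in a scratch copy and show the result
f=$(sample_hostconfig_file)
hostconfig_set "$f" SSHSERVER -NO-
echo "SSHSERVER is now $(hostconfig_get "$f" SSHSERVER)"
rm -f "$f"
```

On the real file you would run sudo sh -c '. ./hostconfig.sh; hostconfig_set /etc/hostconfig SSHSERVER -NO-' (or equivalent), and the change takes effect at the next boot; to stop a running service right away you still need to kill it or use the Sharing pane.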
OS X 10.2 Sharing pane
Sharing pane under Jaguar. The “Internet” tab lets you share your connection (i.e., act as a router) for other computers.
File Sharing is more intuitive, possibly less flexible
Most of these have the red symbol because this is not my user folder, so I can’t peek in those folders.
File Sharing
To begin with, File Sharing is more intuitive, if less flexible -- each user automatically has full permissions on his own directory, as well as a read-only folder for sharing things with users/Guests and a write-only DropBox. There is also a communal Shared folder which is read-only for all named users. The OS 9 sharing setup we went through for the two Joes etc. is basically the default setup for OS X sharing -- pretty much any permutation of privileges you would need is already available, just create your users and put the right things in the right folders.
Go menu -> “Connect to Server…” or ⌘-K:
This slide (self-referential)
Connecting to other servers
Connecting with 10.2
Choose a realm, and X detects and displays available servers. Or, type the address manually and hit Connect. Or, select from Favorites (top popup menu, it bookmarks your most recent servers). In Jaguar (10.2), you can even browse SMB shares!
Once you’ve picked the server you want to connect to, the next box should look familiar:
Hit the Options… button to get the box below:
Familiar? This is one OS X machine connecting to another.
Good to have a reminder.
Connecting to other servers
This part of the process is pretty similar to the equivalent under old MacOS. One thing that I find rather lacking is that you have to hit the Options button to see what kind of password encryption is being used. But, you can also set a preference to tell you when you’re about to send your password in clear text, which is a step up from the OS 9 version.
OS X’s built-in firewall is ipfw. By default, allows anything. :(
There are a couple of good GUIs for it. Brickhouse!
Firewalling on OS X
Ipfw can be administered from the command line, but there are a couple of terrific front end programs for it. Brickhouse, by Brian Hill (who’s written a heap of good security apps for OS X) is $25 shareware. It’s well worth it. Brickhouse has a built-in assistant feature to help guide you through creating a set of firewall rules, or you can make your own. It even has Expert Mode, which displays the actual ipfw config file and lets you edit that directly. Use drag and drop to re-order rules. It has logging in human-readable format. It’s great.
Shortly after the release of Jaguar (10.2), Apple patched ipfw to enable support for stateful rules. The firewalls lecture in this course covers what that means in detail, so we’re not going to explore it right now, but suffice to say that stateful is very very good. And the latest versions of Brickhouse are aware of the feature, and will generate rules accordingly. One Brickhouse caveat: it is possible (at the time of this writing, with version 1.2b9) to create a rule which contains invalid syntax and which causes ipfw to silently fail. If you make a rule and specify “all” or “any” in the destination port box, Brickhouse will not tell you that that’s wrong, and it’ll break your firewall. If you want to specify all destination ports, just leave that box blank.
There’s a ton of documentation on ipfw, since it comes directly from the FreeBSD camp.
Brickhouse’s Add Filter dialog box. Has a lot of presets, or you can create custom ones.
Firewalling on OS X
The Advanced Options button lets you specify flags and toggle logging for that rule.
An odd caveat: I had to make an allow rule for SSH inbound from my IP to my IP in order to tunnel SSH from Classic (even though they have the same IP!) If you encounter this sort of strangeness between Classic and X, check your firewall settings. This may not be necessary anymore in 10.2.
Another note: In 10.2, if you want to be able to browse local Windows domains and shares (as opposed to just connecting to them if you know their names), then you’ll need to add an allow rule for UDP traffic with destination port 137 destined for your Mac.
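Since Expert Mode shows you the raw ipfw rules anyway, it helps to know what a small stateful ruleset looks like in ipfw’s own syntax. The script below is an added example, not from the lecture and not a BrickHouse-generated ruleset: it prints a minimal ruleset for a single Mac (outbound traffic tracked with keep-state, inbound ssh and the UDP 137 rule for SMB browsing mentioned above, everything else denied and logged), and it includes a lint for the “any/all in the destination port” mistake described in the caveat, so a bad rule is caught before ipfw swallows it silently. The rule numbers and the choice of permitted services are assumptions.

```sh
#!/bin/sh
# Added example (not from the original lecture, and not a BrickHouse ruleset):
# a minimal stateful ipfw ruleset for one Mac, plus a lint for the "any/all as a
# destination port" mistake. Rule numbers and allowed services are assumptions.

# ipfw_rules -> prints the ipfw commands; pipe into "sudo sh" to load them
ipfw_rules() {
    cat <<'EOF'
ipfw -q flush
ipfw add 100 check-state
ipfw add 200 allow ip from any to any via lo0
ipfw add 300 allow tcp from any to any out setup keep-state
ipfw add 310 allow udp from any to any out keep-state
ipfw add 400 allow tcp from any to me 22 in setup keep-state
ipfw add 410 allow udp from any to me 137 in
ipfw add 500 allow icmp from any to any icmptypes 0,3,8,11
ipfw add 65000 deny log ip from any to any
EOF
}

# lint_rules < rules -> names any rule whose destination "port" is the word
# any/all (not valid ipfw syntax; per the notes, such a rule breaks the firewall
# silently) and exits 1 if one was found, 0 otherwise
lint_rules() {
    awk '
        /^ipfw add / {
            for (i = 1; i <= NF; i++)
                if ($i == "to" && i + 2 <= NF) {
                    port = $(i + 2)          # the token after the destination host
                    if (port == "any" || port == "all") {
                        print "BAD (destination port \"" port "\"): " $0
                        bad = 1
                    }
                }
        }
        END { exit bad ? 1 : 0 }'
}

# load_rules -> lint first, then hand the ruleset to ipfw (needs root)
load_rules() {
    ipfw_rules | lint_rules || { echo "refusing to load: fix the rules above" >&2; return 1; }
    ipfw_rules | sh
}

ipfw_rules | lint_rules && echo "ruleset passes lint"
```

Rule 100 (check-state) is what makes the keep-state entries work: replies to connections the Mac opened match the dynamic rule and never reach the final deny. To use it for real, run load_rules as root (sudo sh -c '. ./ipfw.sh; load_rules'); to see what ipfw actually loaded, sudo ipfw list.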
• ping
• traceroute
• whois
• nslookup
• netstat
• finger
• a port scanner (careful with that one.)
Useful Tools - Network Utility
In most, if not all cases, these tools will work better and/or have more options if you use them from the CLI. Especially netstat. (netstat -an | less) Know the Terminal. Love the Terminal.
Useful Tools - Keychain
Keychain can store your passwords for frequently-accessed things, and prompt you for your Keychain uber-password to unlock the other passwords. Many apps are Keychain-aware (such as MacSFTP -- keeps you from having to re-enter your password for every SCP operation you perform). It goes without saying that your Keychain password ought to be very secure.
GUI for the Unix top command. Shows which apps are running on your Mac.
Useful Tools - ProcessViewer
From here, you can select a process and the Process ID and Statistics tabs will display information about it. You can also go to the Processes menu and select “Quit Process” to kill it.
Getting into NetInfo is outside the scope of this class.
See the von Stauber presentations for more on NetInfo
Be careful with this tool and the command-line tools (nidump, niutil, etc.) But you should know that they exist in case you come across a howto that requires their use.
Useful Tools - NetInfo Manager
Put simply, NetInfo is a central directory for storage of service information (e.g., DNS lookups, but it does more than that). It’s a distributed database system, inherited from the days of NeXT. Since there aren’t many large OS X environments, it’s usually manifested as a local database just on your machine. Use Netinfo Manager to view information, but don’t change anything unless you know what you’re doing. Among other things, you can use it to create non-standard shares beyond the OS X default.
The OS X System Administration guide goes into some detail about NetInfo and its security implications, see his references for more info.
We’ve already mentioned the Terminal a bunch of times. It’s your window onto the CLI.
There is a Terminal-related caveat in OS X: aliases and symlinks
Useful Tools - Terminal
The Terminal is how to get at the CLI on OS X. The default shell is tcsh, I use bash. With some tweaking, you can get color-coded dir listings, syntax highlighting in Vim, etc. All that cute Unix stuff. Google for what you want to do and odds are that someone will already know how.
Terminal caveat: Mac aliases created in the Finder (which operate like symlinks or Shortcuts) do not behave properly from the Terminal, at least not in bash. They are treated as empty files. Furthermore, symlinks created in the Terminal will not work as aliases in the Finder. It’s a quirk.
Covered in detail in another class
Use sudo, and remember that the Mac’s ethernet interface is called en0, not eth0, and you have to specify it explicitly:
sudo tcpdump -i en0 …
MacSniffer is a nice front end
Useful Tools - tcpdump
Tcpdump is included in OS X. It needs to be run with sudo or as root, and you always have to tell it which interface to use (en0 by default).
MacSniffer is a good graphical front end for it, written by the same guy that wrote BrickHouse.
Useful Tools - MacSniffer
MacSniffer lets you select options like capture size, how much header info to show, hex/ascii data, name lookups on or off, etc. and you can create and run filters to pick out the data you want to see. Ethereal-esque.
Useful Tools - MacJanitor
Shareware or freeware program for doing system cleanup tasks like log rotation, cache cleanup, etc.
Good to use if you have to shut down your Mac every night, since that may prevent a lot of tasks from running.
It’s important to keep your logs working properly, since that’s likely to be the first place you look if you have a security problem.
Useful Tools - CheckMate
Preference pane to generate MD5 checksums of key files and scan for changes.
Brian Hill rules. CheckMate generates a list of MD5 checksums for key files (and for any other files you add to it) and re-scans on a schedule you specify. It emails you the scan results, and also sends an email alert if a checksum has changed.
A caveat: If you toggle ftp on/off in the Sharing Pane, that does change inetd.conf, which causes CheckMate to send an alert. Don’t panic.
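The baseline-and-rescan idea behind CheckMate is simple enough to reproduce in a few lines of shell, which is handy for understanding what an alert means (and for checking a file list CheckMate does not cover). The script below is an added example; it is not CheckMate’s code and not from the lecture. It uses MD5 to match the tool being described, via md5sum on Linux or md5 -q on Mac OS X; on a modern system you would swap in sha256sum or shasum -a 256. The demo builds its own scratch files, so the paths it checks are constructed.

```sh
#!/bin/sh
# Added example (not from the original lecture, not CheckMate's code): a
# baseline-and-rescan file integrity check. MD5 is used to match the tool
# described; substitute sha256sum / shasum -a 256 on a current system.

# digest FILE -> hex MD5 of FILE (md5sum on Linux, md5 -q on Mac OS X)
digest() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{ print $1 }'
    else md5 -q "$1"; fi
}

# baseline LIST OUT -> records "digest  path" for every existing file named in LIST
# (one path per line, e.g. /etc/inetd.conf, /etc/hostconfig, /etc/sudoers)
baseline() {
    while IFS= read -r f; do
        if [ -f "$f" ]; then printf '%s  %s\n' "$(digest "$f")" "$f"; fi
    done < "$1" > "$2"
}

# rescan BASELINE -> prints "CHANGED path" / "MISSING path"; exit 1 if anything differs
rescan() {
    status=0
    while read -r sum f; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; status=1
        elif [ "$(digest "$f")" != "$sum" ]; then
            echo "CHANGED $f"; status=1
        fi
    done < "$1"
    return $status
}

# demo_run -> builds a scratch tree (constructed files), takes a baseline, tampers
# with one file and removes another, prints the rescan; returns rescan's status
demo_run() {
    d=$(mktemp -d) || return 2
    printf 'hello\n' > "$d/a"; printf 'world\n' > "$d/b"; printf 'stay\n' > "$d/c"
    printf '%s\n' "$d/a" "$d/b" "$d/c" > "$d/list"
    baseline "$d/list" "$d/baseline"
    rescan "$d/baseline" > "$d/first"          # nothing has changed yet: exit 0
    printf 'tampered\n' > "$d/a"; rm -f "$d/b"
    rescan "$d/baseline" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}

demo_run
```

Keep the baseline file somewhere the files being watched cannot reach it (a different volume, or a copy on another machine): a baseline that lives next to the files is the first thing to be edited along with them. The inetd.conf caveat above is the expected, benign version of a CHANGED line; the point of the scan is that you can say why each one appeared.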
Useful Tools - CheckMate
The files and their checksums. You can add/remove and import/export, or go back to default.
GPG Mac
The GNU Privacy Guard program for OS X. PGP-compatible.
• Follow the readme’s to a tee and you’ll be fine.
GPG for Mac OS X works perfectly as long as you follow every step in the directions. The GUI tools are kinda minimalist, but they work, and everything works fine from the CLI. Definitely not as pretty as PGP Freeware for Mac, but it’ll get better. Apple’s “Mail” program has built-in GPG support, too.
MacSFTP Carbon
Drag-and-drop SCP (Secure CoPy).
Fetch-like interface, but secure. If you’re moving files between your Mac and an SSH-able server, this is a must.
Caveat: It will keep asking for your password over and over (because each transfer is a separate SCP action). But you can add that password to your Keychain and then it will stop bugging you. (Remove it later if you’re worried about your Keychain’s security.)
Surfing Differences
Principles and methods from the previous section also hold true in OS X.
One big tip: OS X ships with Internet Explorer. Update it asap.
Apple’s “Mail” program has SSL and GPG support! :)
Eudora, Outlook, BlitzMail for OS X are available
We covered the principles of safer surfing in the last section, so here we’ll only skim and point out some key tips.
Thing One is, Internet Explorer comes with OS X. Make sure you update it right away -- early versions had severe security problems.
Pure opinion re web browsers: Use OmniWeb. It’s shareware, but it has all features enabled regardless of whether you register or not, and it has a bunch of security and privacy options that are easy to understand and modify. It’s also fully integrated with the Quartz engine, so even silly web pages look beautiful when viewed with OmniWeb. This program is what tipped me over the edge from OS 9 to X. :)
Apple’s email program, called Mail, doesn’t have much in the way of bells and whistles but it does have SSL and GPG support. And there is a version of BlitzMail for OS X, as well as Eudora for X, and Outlook (now called Entourage I think?) I’m not sure how well the rest of these integrate with GPG, since GPG is so new, but the support will be there soon if it’s not already.
Patches
Are vital.
Software Update
• Runs automatically; you can specify when (at least once a week, please…)
You might be able to patch things quicker yourself with source code, but usually not a great idea
Apple’s pretty fast. If they’re not fast enough, then get creative with your firewall.
• Or turn off services and just wait.
Software Update runs automatically, once a week unless you say otherwise. Or you can “Update Now.” Sometimes, you’ll hear about an update before your computer’s updater detects it; try again in a few hours. Apple staggers the availability to avoid having a big traffic glut all at once. If you don’t want to wait, you can download and install manually -- go to the Apple menu and select “Get Mac OS X Software…” to be taken to the website.
As an alternative to waiting for Apple’s patch, if you know which services are affected, you can get the updated source code and compile it yourself. But the downside is that this can confuse Software Update, making future updates more difficult to apply. Also, some of the BSD things are specially tweaked for OS X, and if you overwrite them with your own installation, you can lose functionality (I updated my copy of Apache manually, and in the process broke my users’ Sites folders. Wonder what else I broke).
On average, Apple’s patches come out within a week or two of an advisory. Turn off/block the affected service, or reconfigure/disable whatever aspect of the service is affected, until you’ve installed the patch. But what if you absolutely cannot live without that service for any length of time? Alter your usage to compensate. For example, the OpenSSH vulnerability -- limit access to one other machine, then shell into that first.
By the way, run Software Update (and reboot when applicable) repeatedly until it says “no updates available.” Why? Software Update updates have been released several times, so older versions will not see all the newest updates.
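The “limit access to one other machine” stopgap from the notes above, written out as an added example (this is not code from the slides or from Apple). It uses ipfw, the packet filter behind the Mac OS X 10.2 Firewall pane, to let only one trusted host reach the affected service until the patch lands. The trusted address 10.0.0.5, the rule numbers 1000/1001, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): while waiting for a patch, restrict an
# affected network service to a single trusted host instead of turning it off.
# Uses ipfw, the packet filter behind the Mac OS X 10.2 "Firewall" pane.
# The trusted address 10.0.0.5, the rule numbers 1000/1001 and the
# "one trusted box, then hop from there" layout are assumptions for illustration.

# Print the ipfw commands that allow TCP port $2 (default 22, SSH) only from
# host $1 and deny it from everywhere else. ipfw checks rules in ascending
# number order, so the allow must come before the deny, and both must sit
# below the default rule 65535 ("allow ip from any to any") to take effect.
ssh_restrict_rules() {
    host="$1"
    port="${2:-22}"
    echo "ipfw add 1000 allow tcp from $host to any $port in"
    echo "ipfw add 1001 deny tcp from any to any $port in"
}

# Print the commands that lift the restriction again once the patch is in.
ssh_unrestrict_rules() {
    echo "ipfw delete 1000"
    echo "ipfw delete 1001"
}

# Run each printed command; needs root on the Mac itself. Stops at the first
# command that fails so a half-applied rule set is noticed, not silently kept.
apply_rules() {
    "$@" | while read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# Usage (as root): apply_rules ssh_restrict_rules 10.0.0.5
#                  apply_rules ssh_unrestrict_rules
# Rules added this way are gone after a reboot, which suits a stopgap: the
# real fix is still installing the update.
```

Review the printed rules with `ssh_restrict_rules 10.0.0.5` before applying them; an `ipfw list` afterwards should show the two new rules above the default rule 65535.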
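The “run it repeatedly until it says no updates available” advice, as an added example that is not part of the slides: a loop that drives Software Update from the Terminal. It assumes the `softwareupdate` tool with the `-l` (list) and `-i -a` (install all) arguments of later Mac OS X releases, and that an empty listing contains the phrase “No new software available”; the function names and the round cap are also assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): drive Software Update from the command
# line until it reports nothing left to install. Assumes the `softwareupdate`
# tool with the -l (list) and -i -a (install all) flags of later Mac OS X
# releases, and that an empty listing contains "No new software available";
# both are assumptions for illustration.

MAX_ROUNDS=5   # cap so a misbehaving update cannot keep the loop going forever

# Read a `softwareupdate -l` listing on stdin; succeed (return 0) if it still
# names something to install, fail (return 1) if it says there is nothing.
updates_pending() {
    if grep -q 'No new software available'; then
        return 1
    fi
    return 0
}

# Run list/install rounds until the listing comes back empty. Returns 0 when
# clean, 1 when the round cap was hit or an install failed.
update_until_clean() {
    round=1
    while [ "$round" -le "$MAX_ROUNDS" ]; do
        echo "Software Update, round $round"
        listing=$(softwareupdate -l 2>&1)
        if ! printf '%s\n' "$listing" | updates_pending; then
            echo "No updates available after $round round(s)."
            return 0
        fi
        printf '%s\n' "$listing"
        softwareupdate -i -a || return 1
        # A newer Software Update, once installed, may list more than the old
        # one could see; kernel-level updates need a reboot before that shows.
        round=$((round + 1))
    done
    echo "Round cap reached; reboot and run again." >&2
    return 1
}

# Usage (as root): update_until_clean
```

If the last round installed something that asks for a restart, reboot and run it once more; the loop only proves the updater is empty at that moment.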
Patching 3rd-party Software
Many software companies are following Apple’s example
• Automatic update check at startup
• Or “Check for Updates” menu option
If not, use http://www.versiontracker.com
Or go to Apple Menu -> “Get Mac OS X Software…” and find updates there. Categorized and searchable, not just Apple’s stuff.
It’s especially good to stay up-to-date with your programs now, even if they’re not network- or security-related per se, since OS X is still so relatively new. Bug fixes tend to be pretty major (like, stop Word from crashing on launch).
Why use MacOS/OS X?
Running OS X is a bigger security risk than using old MacOS.
We don’t know how much longer we’ll have the choice (OS 9 is being phased out), but for now, you might want it.
What do you use a computer for?
Conclusions
Why use MacOS/OS X?
Running OS X _is_ a bigger security risk than using old MacOS. You are in the Unix world now.
What do you use a computer for? If you’re just doing word processing and using a web browser, MacOS 9 is probably enough for you, and if you’re extremely paranoid about hackers, that’s another reason to stick with old MacOS while you still have the choice. If you’re not sharing files or web pages, your OS 9 Mac is a fortress, network-wise.
But if you’re interested in Unix, OS X is a nice environment for learning about it; you can delve in as deeply as you want through the Terminal, then back out and use it as a Mac again. If you need the power of Unix and you like to write code, or you need to be able to perform remote administration tasks (but don’t want to cough up bucks for Timbuktu), OS X may be a great match. And in another year or two, it will be your ONLY choice in the Mac world.
Security is not about definite rights and wrongs, it’s about business need. Or academic need.
Sometimes the benefits are worth the risks.
Hopefully, from what we’ve talked about, you’ll be able to minimize your risk with minimal expense.
Contact info: Email [email protected], AIM screen name nu11dev1ce
Conclusions
Please feel free to contact me by email or AIM anytime.
This is a list of URLs and other sources of information referenced in this class, plus some sources of supplemental information (not on the test).
Appendix A -- URLs and sources
1) Apple’s OS X Security Introduction: http://developer.apple.com/internet/macosx/securityintro.html
2) The iMac LoJack story: http://www.macscripter.net/un_ilojack.html
3) Mac OS X System Administration: http://www.occam.com/ocr/osx/OSX_SA.pdf
4) Mac OS X Security: http://conferences.oreillynet.com/presentations/macosx02/towns_leon.pdf
5) Brief Mac security intro. Here mainly for the port list: http://www.sans.org/infosecFAQ/mac/mac_sec.htm
6) OS X Security Intro paper. Based on 10.0, but still largely applicable: http://rr.sans.org/mac/OSX_sec.php
7) “The Challenges of Integrating the Unix and Mac OS Environments”: http://www.mit.edu/people/wsanchez/papers/USENIX_2000/
These are additional URLs mentioned in this presentation:
• http://www.anonymizer.com -- Anonymous websurfing
• http://www.bio.upenn.edu/computing/instructions/security/portforwarding/ -- How to make an ssh tunnel for the user/pass part of an ftp session
• Blitzmail alternatives:
https://basement.dartmouth.edu/blitz
http://netblitz2.dartmouth.edu/Bl.cgi
ssh textblitz.dartmouth.edu as user “blitz” with no password
• http://www.symantec.com/mac/security/macattack.html -- Mac virus information
• http://www.kb.cert.org/vuls/id/439395 -- OS X Apache HFS case vulnerability
Not required reading, but good sources of more information.
Appendix B -- Supplemental Info
Supplemental information:
http://www.securemac.com
http://www.macsecurity.org/
http://www.macwrite.com/macsecurity/mac-os-x-security-intro.php
http://www.macosxhints.com/search.php?mode=search&type=stories&topic=network
http://www.info.apple.com/usen/security/index.html
http://www3.sympatico.ca/dccote/firewall.html
http://www.macintoshsecurity.com/modules.php?name=Topics
http://forums.osxfaq.com/index.php
http://freaky.staticusers.net/update.shtml
http://www.info.apple.com/usen/security/security_updates.html
book://“Internet Security For Your Macintosh.” By Alan B. Oppenheimer and Charles H. Whitaker.
Less relevant:
OS X Guide -- a shareware “book” distributed as a PDF. About 75 pages. It’s general OS X info, some of which is security-related. If you’d like to know more general OS X info, blitz me and I’ll send it to you.
http://www.securemac.com/osxsecurity.php -- Intro to securing OS X Server
http://www.macdevcenter.com/pub/a/mac/2002/01/29/apache_macosx_four.html?page1 -- A short article on using Apache under OS X.
http://web.archive.org/web/20011129045631/http://homepage.mac.com/gdif/tipstricks.html -- Mac OS X tips and tricks aimed at the Unix side of the OS, several security-relevant.
Where to download or buy the things we mentioned.
Appendix C -- Software
Uber-site for OS X software: “Get OS X Software...” from Apple menu.
MacSSH and MacSFTP, Classic or Carbon: http://www.macssh.com
Timbuktu: http://www.netopia.com/en-us/software/products/tb2/mac/index.html
Fetch (FTP): old free version on PUBLIC, new shareware version at http://www.fetchsoftworks.com
Eudora: http://www.eudora.com/
BlitzMail: Classic version on PUBLIC, new version at http://www.dartmouth.edu/~helpdesk/help/mac_updates.html
Kerberos for OS X: http://www.dartmouth.edu/~helpdesk/help/mac_updates.html (Classic on PUBLIC)
Norton Antivirus: Dartmouth used to have a site license agreement, $7 per copy, or http://www.symantec.com/product/ (also URL for Personal Firewall)
BrickHouse, CheckMate, MacSniffer, MacJanitor, and other good stuff: http://personalpages.tds.net/~brian_hill/
GPG Mac: http://macgpg.sourceforge.net/
PGPFreeware for Mac: http://download.com.com/3000-21495065566.html?legacy=cnet
OmniWeb: http://www.omnigroup.com/applications/omniweb/
Many of these are also on the CD, as well as some other programs we didn’t mention. Dartmouth carries a lot of the commercial software, so you get an academic discount if it’s available (and no sales tax, yay). MacConnection.com is also good; ask for academic pricing.
This space for rent.