Securing a Macintosh
Rich Straka
University of Tulsa
Center for Information Security
Hmmmmmm, this doesn't look like a Macintosh
Securing a Macintosh: What do you think?
MacOS: Inherently network secure or not?
MacOS 9
Yes, few if any vulnerabilities
MacOS X
Inherits many BSD-style vulnerabilities
All network services turned off by default
All security parameter defaults set to most conservative values
Easy or difficult to secure?
Clients relatively easy
Servers need more care, of course
But … Physical security is weak
Securing a Macintosh - Richard Straka - November 22, 2002
Outline:
Macintosh History
Current Hardware and OS
File, Physical Security
Network Security
Virus Threats
Administrative Practices
Macintosh History
Macintosh Product History
First introduced in 1984 - 128KB RAM, 3.5" 400KB floppy only
First commercially successful GUI
First modular (slotted) Mac in 1987
Real plug-and-play - drivers in ROM on the card
Motorola 68K family CPUs - 1984-1994
IBM/Motorola PowerPC CPU - 1995-present
Recent rumors of Intel-based CPUs
Don't hold your breath.
This basic rumor has been around for at least 10 years.
Software Compatibility
This file encoder/decoder
Written in 1985
The Mac was 1 year old
Originally written for an 8MHz 68000 CPU (CISC)
Mac OS 1.1
still runs flawlessly today
On the latest hardware and software
GHz+ dual G4 PowerPC CPU (RISC)
MacOS X 10.2
GUI Roots
Current GUIs are rooted in work from Xerox PARC
Late 70s, early 80s
Alto and Star
Alan Kay (creator of Smalltalk) went to Apple
Rob Pike went to Bell Labs working on UNIX
Mac Paradigm
Make the computing experience easy for users
Modularity / regularity / orthogonality
Hide complexities from end users
Application acting badly?
Windows - fiddle with the registry (complicated, risky).
Mac - trash the application's preferences file (easy, safe).
Rebuild the OS from scratch on a Mac?
Just copy the previous preference files to the new System Folder.
No need to reinstall your applications.
Mac Users
Heavy use in the creative arts
Publishing
Music
Studio and Live
Video
Film
Elitists who insist on the best UI available
From any profession, even computer science
Roger Ebert, February, 2001:
"Actually, we have six Macs here in my office at home. Life is too short to use anything but a Mac; Windows is just not a human environment."
Common thread?
Significant amounts of right-brain thinking
Software Timeline
Year   Release       Most notable feature
1984   System 1.0
1987   System 4.2    early multitasking
1991   System 7      improved multitasking
1996   MacOS 7.5.3   improved networking
1998   MacOS 8.1     extended file system
1999   MacOS 9
2001   MacOS X       UNIX-based (Runs MacOS 9 as a single process - transition period)
Mac OS X
MacOS X (pronounced "ten", not "ex")
BSD 4.4 based
Tenon's Mach 3.0 microkernel
Introduced in 2001
MacOS X Server
10.0 also based on BSD 4.4
A precursor to MacOS X
Introduced in 2000 (the GUI wasn't tweaked yet)
10.2 (Jaguar) now reintegrated with MacOS X - sharing code base (2002)
Desktops / Towers vs. Servers
Just desktops and mini-towers
… until now:
Apple recently introduced Xserve
Rack-mount server platform
1U high
Runs OS X and OS X Server only
1 or 2 CPUs
Dual Gigabit Ethernet
Up to 480 GB of hot-pluggable RAID disk (4 spindles)
Macintosh File and Physical Security
File Security Model Very Similar to UNIX
User, group, other
Read, Write, Sticky Bit (drop box)
No ACLs (Access Control Lists)
File Security Differences
MacOS 9
Volume level
Folder level
Not file level (except for applications)
Network level
MacOS 10
Full UNIX permissions down to the file level
MacOS X Server 10.2.2 - supports file system journaling.
File System Security
Macintosh file systems (HFS+, UFS) do not provide native file encryption
Unlike NTFS under Windows 2000 or Windows XP
Secure sensitive data with a data encryption utility.
Disk locking, encrypting software is available from several vendors.
Disk "images" can be encrypted. (Combine with "Keychain".)
Do not require file system changes.
Disk Image Security
MacOS 9 introduced the "Keychain" - a local login and password storage tool for both local and external services (e.g. authentication)
You can encrypt a disk image file and manage access with the Keychain.
Physical Security
Since 1997, Macs support Open Firmware (IEEE 1275-1994)
Controls boot functions and PCI cards
Recent Apple firmware updates support a firmware password feature like most PC BIOS
Password feature not well supported by Apple, however.
Macintosh Network Security
The Upshot
MacOS 9 is innately relatively secure
ASIP (AppleShare IP) - adds many services
MacOS X is also reasonably secure
MacOS X Server - adds many services
Small virus target, but…
Anti-virus software still important
A "personal firewall" is a good idea.
MacOS9 - 3rd party software
MacOS X has one built in.
CERT Vulnerability Note Alerts Comparison by Platform
Notes:
These numbers are not scientific
These are vulnerability reports relevant to a well-administered machine
Windows - 161
Linux - 51
MacOS - 8
OS - 2
3rd party software - 3
Microsoft apps - 2
UNIX (CDE) - 1
MacOS 9
MacOS 9 is relatively secure
Because all services are turned off by default
Users can turn on services which introduce potential vulnerabilities
File sharing
Web services
Additional software packages introduce vulnerabilities
Remote control
Instant messaging
Mactella, Limewire, etc.
SNMP
Open Ports
By default, all MacOS TCP ports are turned off
A port scan on vanilla MacOS 9
One TCP port showed up.
Specific software that I had installed. :-)
MacOS X
A nice GUI integrated with BSD 4.4 and a Mach 3.0 microkernel
Many more network services available
Telnet, SSH, X, FTP, SMB/CIFS easily provided
Both clients and daemons
Like OS9, all network services turned off by default
But, it still has some inherent BSD-inherited security weaknesses
Peer-to-Peer File Sharing, Program Linking
Apple Filing Protocol (AFP)
File Sharing
Moderate risk
Program Linking
Higher risk (AppleScript)
On MacOS9, this is also where the owner password of the computer is entered
Apple Filing Protocol: via AppleTalk Protocol
AppleTalk goes back to ~1982
Used for file sharing, printing
Routable, but not commonly routed
Think of it as a routable NetBEUI
Some badly configured cable modem ISPs do route it
Naturally limits client visibility (to local LAN segment)
Note: AFP Data stream is not encrypted
Apple Filing Protocol: via TCP
Uses TCP port 548
Fully routable, of course
Client side functionality since MacOS 8
Server side functionality as of MacOS 9
This presents more of a security risk, especially Program Linking
AFP supports SLP - Service Location Protocol (RFC 2165)
User Administration
User logins, passwords and basic privileges are set here.
MacOS 9 passwords limited to 8 characters
MacOS X has longer ones, but many UNIX utilities only look at the first 8 characters (i.e., POSIX compliance).
Client Authentication
Via UAM (User Authentication Module)
Extensible UAM API
Enables security upgrades orthogonal to both client and server
Early MacOS UAM was primitive
Login, password sent in clear text
Limited to 8 character passwords
More recent UAMs use 2-way encryption, support longer passwords
A 3rd party UAM is also available from Microsoft
ASIP - AppleShare IP
Pre MacOS X
Services analogous to NT Server, Win 2K Server
Authentication
Directory Services
File and Print
Netboot (for kiosk-style or diskless clients)
Email, Web, services, etc.
But sold as a software package, not a separate OS
MacOS X Server replaces ASIP
MacOS X Server 10.2
Adds recent security standards
SSH2, IPsec, Kerberos v5
Other Open Standards
IMAP, LDAPv3, DHCP, DNS, IPv6, NFS
Proprietary (Microsoft) Standards
WINS, SMB/CIFS via SAMBA
NFS "republishing"
Can share out remote NFS volumes over AFP
Keeps the clear text NIS authentication localized
Nobody ever really adopted NIS+, right?
Additional Add-on (3rd party) Services
PC File Sharing (via SMB/CIFS)
Database (e.g., ODBC)
Remote control for desktops
Remote backup daemons
HTTP
FTP (still a bad idea, right?)
Instant Messaging
Gnutella, etc.
And with OS X (regular and server)
Any UNIX service you activate, load, compile, etc.
X
NFS
http (Apache)
mySQL
Samba
ssh
finger
etc.
Macintosh Networking
Network Subsystem
From MacOS 7.5.3 through MacOS 9.2, Apple used the Mentat TCP and IP stack components
Sun also bought the Mentat stack for use in Solaris
OS X is BSD-based instead
MacOS Network Layers TCP
Very modular and simple interface
Layers 2 and 3 separated from and orthogonal to each other
Another Layer 3 Protocol
AppleTalk
Notice that the available interfaces
Ethernet
Modem Port
Printer Port
are different from TCP's
Ethernet
AppleTalk (MacIP) (interesting!)
PPP
External Threats
Viruses, Worms and Trojan Horses
Mac desktop market share is tiny - ~5%
Presents a very small - and mostly ignored - target for virus and trojan horse writers
Viral, etc. activity minimal on this platform
Not susceptible to MS-oriented mail viruses
Certainly not susceptible to x86 .exe viruses
Commercial antiviral software available
Norton, NAI (McAfee's Virex)
Effective protection, auto-updaters for virus "dat" files
MS Office Macro Viruses
The only true multi-platform virus type so far
Office:Mac is susceptible
Turn off the macro options within Word, Excel and Powerpoint.
AppleScript
Powerful system-level scripting language
AppleScripts sent as email attachments can be executed and can be very dangerous
This is essentially unheard of, but could be just as dangerous as executing a .exe file attachment on a PC.
AppleScripts can be run remotely - over TCP (if enabled) - much like RMI
File sharing security governs authentication and authorization of remote AppleScripts.
Javascript
HTML email with malicious Javascript is always a security exposure
Turn off this option in mail clients
Administrative Practices
Security Administration Facets
Users
Protocols
Ports
Services
Network
Most Macintosh security exposures come from simple misconfiguration and/or lack of attention to security
Users
Use a centralized file and authentication server where practical
AppleShare IP
MacOS X Server
Microsoft NT, … Services For Macintosh (SFM)
Standard admin practices
Ensure that guest access is turned off.
Set and implement password policies
Don't let users have root (admin) access
Install virus protection software
Establish consistent user training on security and virus policies
Protocols
AppleTalk networking more limited in scope than TCP (less exposure)
Shareway IP Pro can republish AppleTalk-only accessible volumes over TCP - handy, but decreases security
MacOS X can republish an NFS volume - actually improving security.
Ports
Scan for open well-known Mac ports on user machines
Install a personal firewall and scan the
"attacked" logs.
Services
Set proper passwords on all services - used or not. Don't leave the default passwords.
Turn on only the services you really need
Turn on file sharing only where needed
Better to have a central file server than peer-peer
Use IP address filters on the server
Don't support FTP
FTP is said to have negative security
Better to just have anonymous FTP for download.
Consider using WebDAV instead.
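An added example, not part of the original slides: a small audit for the "Ports" and "Services" advice above. It checks which of the services named in this deck are listening on a machine you administer and compares them with an approved list. Only AFP's port 548 comes from the slides; the other standard port numbers and all function names are assumptions of this sketch.

```python
import socket

# Standard assigned TCP ports for services named in the slides.
# Only AFP's 548 appears in the deck itself; the rest are added here.
MAC_SERVICE_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 79: "finger", 80: "HTTP",
    139: "SMB/CIFS", 427: "SLP", 548: "AFP over TCP", 2049: "NFS",
    3031: "Program Linking (remote Apple events)", 3306: "MySQL", 6000: "X11",
}

def is_listening(host, port, timeout=0.5):
    """Return True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_services(approved, host="127.0.0.1", ports=MAC_SERVICE_PORTS):
    """Compare listening services against the set of approved ports.

    Returns (unexpected, missing): services that are listening but were
    never approved, and approved services that are not actually running.
    """
    listening = {p for p in ports if is_listening(host, p)}
    unexpected = sorted(listening - set(approved))
    missing = sorted(set(approved) - listening)
    return ([(p, ports[p]) for p in unexpected],
            [(p, ports.get(p, "unknown")) for p in missing])

if __name__ == "__main__":
    # Policy for a client machine: nothing should be listening.
    unexpected, missing = audit_services(approved=set())
    for port, name in unexpected:
        print(f"UNEXPECTED  tcp/{port:<5} {name}: turn off unless needed")
    for port, name in missing:
        print(f"MISSING     tcp/{port:<5} {name}: approved but not running")
    if not unexpected and not missing:
        print("Listening services match the approved list.")
```

For a file server, pass the ports it is meant to offer, for example `approved={548}`, so that only services outside that policy are reported.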
Network
Several personal firewalls are available
Norton, DoorStop, etc.
NAT/NAPT ("broadband") routers are a good first line of defense - and cheap.
Apple supports 802.11b very well.
But 802.11 has some holes:
WEP and MAC cloning.
Use maximum key length (128 bit) WEP.
Combine MAC registration and WEP.
Better approach to secure any important wireless network:
VPN client on each wireless device
VPN gateway to the rest of the network
General, Security Patches
MacOS 9 is very stable. (9.2.2)
Strictly maintenance mode now.
Will be around for many years.
No security patches at this time.
Apple never released security-specific patches before MacOS X.
MacOS X is new.
All new Macs can boot MacOS X or MacOS 9.
Macs introduced after 2002 will not boot MacOS 9.
MacOS X Security Patches
Keep on top of security patches from Apple.
Macintosh Security Products, Vendors
Anti-virus Software
Symantec (Norton)
NAI (Virex)
Intego (VirusBarrier)
Access Control
Intego (DiskGuard)
Hi-Resolution (MacAdministrator)
PowerOnSoftware (DiskLock)
Low-Level Disk Encryption
Intego (FileGuard)
A Few References:
Book:
Internet Security for Your Macintosh
http://www.opendoor.com/books.html
MacOS Security Sites
http://www.securemac.com/
http://www.macintoshsecurity.com/
MacOS X Security
http://www.apple.com/macosx/technologies/security.html
http://developer.apple.com/internet/macosx/securityintro.html
http://www.stanford.edu/group/itss-crc/osx/final-report/
Well-Known Mac Port List:
http://www.opendoor.com/doorstop/ports.html
Questions?