Securing a Macintosh

Rich Straka
University of Tulsa
Center for Information Security
[email protected]

Hmmmmmm, this doesn't look like a Macintosh

November 22, 2002 3Securing a Macintosh - Richard Straka

Securing a Macintosh: What do you think?

- MacOS: Inherently network secure or not?
  - MacOS 9
    - Yes, few if any vulnerabilities
  - MacOS X
    - Inherits many BSD-style vulnerabilities
    - All network services turned off by default
    - All security parameter defaults set to most conservative values
- Easy or difficult to secure?
  - Clients relatively easy
  - Servers need more care, of course
  - But … Physical security is weak

Outline:

- Macintosh History
- Current Hardware and OS
- File, Physical Security
- Network Security
- Virus Threats
- Administrative Practices

Macintosh History

Macintosh Product History

- First introduced in 1984 - 128KB RAM, 3.5" 400KB floppy only
- First commercially successful GUI
- First modular (slotted) Mac in 1987
  - Real plug-and-play - drivers in ROM on the card
- Motorola 68K family CPUs - 1984-1994
- IBM/Motorola PowerPC CPU - 1995-present
- Recent rumors of Intel-based CPUs
  - Don't hold your breath. This basic rumor has been around for at least 10 years.

Software Compatibility

- This file encoder/decoder
  - Written in 1985
  - The Mac was 1 year old
  - Originally written for an 8MHz 68000 CPU (CISC)
  - Mac OS 1.1
- still runs flawlessly today
  - On the latest hardware and software
  - GHz+ dual G4 PowerPC CPU (RISC)
  - MacOS X 10.2

GUI Roots

- Current GUIs are rooted in work from Xerox PARC
  - Late 70s, early 80s
  - Alto and Star
- Alan Kay (creator of Smalltalk) went to Apple
- Rob Pike went to Bell Labs working on UNIX

Mac Paradigm

- Make the computing experience easy for users
  - Modularity / regularity / orthogonality
  - Hide complexities from end users
- Application acting badly?
  - Windows - fiddle with the registry (complicated, risky).
  - Mac - trash the application's preferences file (easy, safe).
- Rebuild the OS from scratch on a Mac?
  - Just copy the previous preference files to the new System Folder.
  - No need to reinstall your applications.

Mac Users

- Heavy use in the creative arts
  - Publishing
  - Music
    - Studio and Live
  - Video
  - Film
- Elitists who insist on the best UI available
  - From any profession, even computer science
  - Roger Ebert, February, 2001: "Actually, we have six Macs here in my office at home. Life is too short to use anything but a Mac; Windows is just not a human environment."
- Common thread?
  - Significant amounts of right-brain thinking

Software Timeline

| Year | Release | Most notable feature |
|------|---------|----------------------|
| 1984 | System 1.0 | |
| 1987 | System 4.2 | early multitasking |
| 1991 | System 7 | improved multitasking |
| 1996 | MacOS 7.5.3 | improved networking |
| 1998 | MacOS 8.1 | extended file system |
| 1999 | MacOS 9 | |
| 2001 | MacOS X | UNIX-based (Runs MacOS 9 as a single process - transition period) |

Mac OS X

- MacOS X (pronounced "ten", not "ex")
  - BSD 4.4 based
  - Tenon's Mach 3.0 microkernel
  - Introduced in 2001
- MacOS X Server 10.0 also based on BSD 4.4
  - A precursor to MacOS X
  - Introduced in 2000 (the GUI wasn't tweaked yet)
  - 10.2 (Jaguar) now reintegrated with MacOS X - sharing code base (2002)

Desktops / Towers vs. Servers

- Just desktops and mini-towers … until now:
- Apple recently introduced Xserve
  - Rack-mount server platform
  - 1U high
  - Runs OS X and OS X Server only
  - 1 or 2 CPUs
  - Dual Gigabit Ethernet
  - Up to 480 GB of hot-pluggable RAID disk (4 spindles)

Macintosh File and Physical Security

File Security Model - Very Similar to UNIX

- User, group, other
- Read, Write, Sticky Bit (drop box)
- No ACLs (Access Control Lists)

File Security - Differences

- MacOS 9
  - Volume level
  - Folder level
  - Not file level (except for applications)
  - Network level
- MacOS 10
  - Full UNIX permissions down to the file level
- MacOS X Server 10.2.2 - supports file system journaling.

File System Security

- Macintosh file systems (HFS+, UFS) do not provide native file encryption
  - Unlike NTFS under Windows 2000 or Windows XP
- Secure sensitive data with a data encryption utility.
  - Disk locking, encrypting software is available from several vendors.
  - Disk "images" can be encrypted. (Combine with "Keychain".)
  - These do not require file system changes.

Disk Image Security

MacOS 9 introduced the "Keychain" - a local login and password storage tool for both local and external services (e.g. authentication)

You can encrypt a disk image file and manage access with the Keychain.

Physical Security

- Since 1997, Macs support Open Firmware (IEEE 1275-1994)
  - Controls boot functions and PCI cards
  - Recent Apple firmware updates support a firmware password feature like most PC BIOS
  - Password feature not well supported by Apple, however.

Macintosh Network Security

The Upshot

- MacOS 9 is innately relatively secure
  - ASIP (AppleShare IP) - adds many services
- MacOS X is also reasonably secure
  - MacOS X Server - adds many services
- Small virus target, but…
  - Anti-virus software still important
- A "personal firewall" is a good idea.
  - MacOS 9 - 3rd party software
  - MacOS X has one built in.

CERT Vulnerability Note Alerts - Comparison by Platform

- Notes:
  - These numbers are not scientific
  - These are vulnerability reports relevant to a well-administered machine
- Windows - 161
- Linux - 51
- MacOS - 8
  - OS - 2
  - 3rd party software - 3
  - Microsoft apps - 2
  - UNIX (CDE) - 1

MacOS 9

- MacOS 9 is relatively secure
  - Because all services are turned off by default
- Users can turn on services which introduce potential vulnerabilities
  - File sharing
  - Web services
- Additional software packages introduce vulnerabilities
  - Remote control
  - Instant messaging
  - Mactella, Limewire, etc.
  - SNMP

Open Ports

By default, all MacOS TCP ports are turned off

A port scan on vanilla MacOS 9

One TCP port showed up.

Specific software that I had installed. :-)

MacOS X

- A nice GUI integrated with BSD 4.4 and a Mach 3.0 microkernel
- Many more network services available
  - Telnet, SSH, X, FTP, SMB/CIFS easily provided
  - Both clients and daemons
- Like OS9, all network services turned off by default
- But, it still has some inherent BSD-inherited security weaknesses

Peer-to-Peer File Sharing, Program Linking

- Apple Filing Protocol (AFP)
- File Sharing
  - Moderate risk
- Program Linking
  - Higher risk (AppleScript)
- On MacOS 9, this is also where the owner password of the computer is entered

Apple Filing Protocol: via AppleTalk Protocol

- AppleTalk goes back to ~1982
- Used for file sharing, printing
- Routable, but not commonly routed
  - Think of it as a routable NetBEUI
  - Some badly configured cable modem ISPs do route it
  - Naturally limits client visibility (to local LAN segment)
- Note: AFP data stream is not encrypted

Apple Filing Protocol: via TCP

- Uses TCP port 548
- Fully routable, of course
- Client side functionality since MacOS 8
- Server side functionality as of MacOS 9
- This presents more of a security risk, especially Program Linking
- AFP supports SLP - Service Location Protocol (RFC 2165)

User Administration

User logins, passwords and basic privileges are set here.

MacOS 9 passwords limited to 8 characters

MacOS X has longer ones, but many UNIX utilities only look at the first 8 characters (i.e., POSIX compliance).

Client Authentication

- Via UAM (User Authentication Module)
- Extensible UAM API
  - Enables security upgrades orthogonal to both client and server
- Early MacOS UAM was primitive
  - Login, password sent in clear text
  - Limited to 8 character passwords
- More recent UAMs use 2-way encryption, support longer passwords
- A 3rd party UAM is also available from Microsoft

ASIP - AppleShare IP

- Pre MacOS X
- Services analogous to NT Server, Win 2K Server
  - Authentication
  - Directory Services
  - File and Print
  - Netboot (for kiosk-style or diskless clients)
  - Email, Web, services, etc.
- But sold as a software package, not a separate OS
- MacOS X Server replaces ASIP

MacOS X Server 10.2

- Adds recent security standards
  - SSH2, IPsec, Kerberos v5
- Other Open Standards
  - IMAP, LDAPv3, DHCP, DNS, IPv6, NFS
- Proprietary (Microsoft) Standards
  - WINS, SMB/CIFS via SAMBA
- NFS "republishing"
  - Can share out remote NFS volumes over AFP
  - Keeps the clear text NIS authentication localized
  - Nobody ever really adopted NIS+, right?

Additional Add-on (3rd party) Services

- PC File Sharing (via SMB/CIFS)
- Database (e.g., ODBC)
- Remote control for desktops
- Remote backup daemons
- HTTP
- FTP (still a bad idea, right?)
- Instant Messaging
- Gnutella, etc.

And with OS X (regular and server)

- Any UNIX service you activate, load, compile, etc.
  - X
  - NFS
  - http (Apache)
  - mySQL
  - Samba
  - ssh
  - finger
  - etc.

Macintosh Networking

Network Subsystem

From MacOS 7.5.3 through MacOS 9.2, Apple used the Mentat TCP and IP stack components

Sun also bought the Mentat stack for use in Solaris

OS X is BSD-based instead

MacOS Network Layers - TCP

Very modular and simple interface

Layers 2 and 3 separated from and orthogonal to each other

Another Layer 3 Protocol

- AppleTalk
- Notice that the available interfaces
  - Ethernet
  - Modem Port
  - Printer Port
- are different from TCP's
  - Ethernet
  - AppleTalk (MacIP) (interesting!)
  - PPP

External Threats

Viruses, Worms and Trojan Horses

- Mac desktop market share is tiny - ~5%
  - Presents a very small - and mostly ignored - target for virus and trojan horse writers
  - Viral, etc. activity minimal on this platform
  - Not susceptible to MS-oriented mail viruses
  - Certainly not susceptible to x86 .exe viruses
- Commercial antiviral software available
  - Norton, NAI (McAfee's Virex)
  - Effective protection, auto-updaters for virus "dat" files

MS Office Macro Viruses

- The only true multi-platform virus type so far
- Office:Mac is susceptible
- Turn off the macro options within Word, Excel and PowerPoint.

AppleScript

- Powerful system-level scripting language
- AppleScripts sent as email attachments can be executed and can be very dangerous
  - This is essentially unheard of, but could be just as dangerous as executing a .exe file attachment on a PC.
- AppleScripts can be run remotely - over TCP (if enabled) - much like RMI
  - File sharing security governs authentication and authorization of remote AppleScripts.

Javascript

HTML email with malicious Javascript is always a security exposure

Turn off this option in mail clients

Administrative Practices

Security Administration Facets

- Users
- Protocols
- Ports
- Services
- Network

Most Macintosh security exposures come from simple misconfiguration and/or lack of attention to security

Users

- Use a centralized file and authentication server where practical
  - AppleShare IP
  - MacOS X Server
  - Microsoft NT, … Services For Macintosh (SFM)
- Standard admin practices
  - Ensure that guest access is turned off.
  - Set and implement password policies
  - Don't let users have root (admin) access
- Install virus protection software
- Establish consistent user training on security and virus policies

Protocols

AppleTalk networking more limited in scope than TCP (less exposure)

Shareway IP Pro can republish AppleTalk-only accessible volumes over TCP - handy, but decreases security

MacOS X can republish an NFS volume - actually improving security.

Ports

Scan for open well-known Mac ports on user machines

Install a personal firewall and scan the "attacked" logs.
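
One way to run the port check suggested on this slide from the machine itself, as an added example that is not part of the original presentation: it parses BSD-style `netstat -an` output and reports TCP listeners that are not on an approved list. Port 548 comes from the AFP slide; the other port numbers are the standard assignments for services the talk names, and the netstat text is a constructed sample.

```python
# Port 548 (AFP over TCP) is given on the slides; the other numbers are the
# standard IANA assignments for services the talk names (added assumption).
WATCHED_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 79: "finger", 80: "HTTP",
    139: "SMB/CIFS", 445: "SMB/CIFS", 548: "AFP over TCP",
    2049: "NFS", 3306: "MySQL", 6000: "X11",
}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample of BSD-style `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
tcp4       0      0  192.0.2.10.49152       192.0.2.20.80          ESTABLISHED
tcp4       0      0  *.5900                 *.*                    LISTEN
udp4       0      0  *.427                  *.*
"""


def listening_sockets(netstat_text):
    """Yield (address, port) for every TCP socket in the LISTEN state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        # BSD netstat joins address and port with a dot: "*.548", "127.0.0.1.3306".
        address, _, port = fields[3].rpartition(".")
        if port.isdigit():
            yield address, int(port)


def audit(netstat_text, approved=()):
    """Return (port, service, scope) for listeners not on the approved list."""
    findings = []
    for address, port in listening_sockets(netstat_text):
        if port in approved:
            continue
        service = WATCHED_PORTS.get(port, "unknown service")
        scope = "local only" if address in LOOPBACK else "network reachable"
        findings.append((port, service, scope))
    return sorted(findings)


if __name__ == "__main__":
    for port, service, scope in audit(SAMPLE_NETSTAT, approved={22}):
        print(f"TCP {port:>5}  {service:<16} {scope}")
```

On a real machine, pass the captured output of `netstat -an` to `audit()` in place of the sample; a listener reported as "unknown service" is the one to trace back to the software that opened it.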

Services

- Set proper passwords on all services - used or not. Don't leave the default passwords.
- Turn on only the services you really need
  - Turn on file sharing only where needed
  - Better to have a central file server than peer-peer
  - Use IP address filters on the server
- Don't support FTP
  - FTP is said to have negative security
  - Better to just have anonymous FTP for download.
  - Consider using WebDAV instead.

Network

- Several personal firewalls are available
  - Norton, DoorStop, etc.
- NAT/NAPT ("broadband") routers are a good first line of defense - and cheap.
- Apple supports 802.11b very well.
- But 802.11 has some holes: WEP and MAC cloning.
  - Use maximum key length (128 bit) WEP.
  - Combine MAC registration and WEP.
- Better approach to secure any important wireless network:
  - VPN client on each wireless device
  - VPN gateway to the rest of the network

General, Security Patches

- MacOS 9 is very stable. (9.2.2)
  - Strictly maintenance mode now.
  - Will be around for many years.
  - No security patches at this time.
  - Apple never released security-specific patches before MacOS X.
- MacOS X is new.
  - All new Macs can boot MacOS X or MacOS 9.
  - Macs introduced after 2002 will not boot MacOS 9.
- MacOS X Security Patches
  - Keep on top of security patches from Apple.

Macintosh Security Products, Vendors

- Anti-virus Software
  - Symantec (Norton)
  - NAI (Virex)
  - Intego (VirusBarrier)
- Access Control
  - Intego (DiskGuard)
  - Hi-Resolution (MacAdministrator)
  - PowerOnSoftware (DiskLock)
- Low-Level Disk Encryption
  - Intego (FileGuard)

A Few References:

- Book: Internet Security for Your Macintosh
  - http://www.opendoor.com/books.html
- MacOS Security Sites
  - http://www.securemac.com/
  - http://www.macintoshsecurity.com/
- MacOS X Security
  - http://www.apple.com/macosx/technologies/security.html
  - http://developer.apple.com/internet/macosx/securityintro.html
  - http://www.stanford.edu/group/itss-crc/osx/final-report/
- Well-Known Mac Port List:
  - http://www.opendoor.com/doorstop/ports.html

Questions?