Do you know how safe your Mac is? Melbourne security expert Neal Wise outlines the Snow Leopard security threats and countermeasures.
Keeping your Mac secured can be a slippery situation. Most applied security can be broken down to some form of threat to computing resources and, where practical, some form of counter-measure or control that addresses the initial threat.
The most secure state for your computer is likely to be when it’s turned off. But even then your data may not be protected from unauthorised access and theft. Realistically, threats are more likely to exist once your Mac is connected to a network such as the internet or a wireless hotspot.
‘Likelihood’ is an important concept to consider in managing threats. What is the likelihood a known issue will affect my Mac? Well that depends.
Most computers aren’t well protected against basic, common types of threats, and many environments overextend trust to users without needing to do so. This can lead to weakened system security.
All modern, general-purpose operating systems contain basic network packet blocking (firewall) functions. All have process execution privilege concepts like user-level separation and privileged resource protection. Most contain some concept of data ownership by users and groups. There are reasonable limits and controls for these and other functions that aren’t usually configured by default.
As a result, when flaws are identified it becomes possible for widespread abuse of large numbers of computers with the same vulnerable functions to occur. This creates pandemic-like opportunities for individuals and technology with malicious intent.
So what we want to achieve is a baseline of security for technology. For your Mac that means first understanding the threats to its continued healthy operation and what you can do to address these.
Network and connection threats
These threats may come simply from being directly or indirectly connected to the internet. The ‘background’ noise of the internet is a constant churn of random passers-by.
Looking at connection attempts made to a range of internet TCP/IP addresses usually reveals lazy scans for a desired network service hitting each host along the contiguous list of addresses. Or very slow scans across random addresses to build a list of detected services.
The intent of these attempts is to find a desired service like, for example, SMTP email and, perhaps, to get lucky by finding a weakness such as an open SMTP relay to send spam through.
Network-based threats are usually manual or automated attempts to connect to network services on your Mac.
The services targeted are typically remote console-type access services and file sharing or workgroup services.
A common goal for attackers is to gain access to your system to take or modify data, or to use your Mac to attack others. Luckily these threats can mostly be avoided. Still, any time your Mac is directly connected to the internet you’re potentially exposed to this maliciously intended background noise.
Macs are mostly connected to the internet using a personal or business wired or wireless broadband service. There may be some level of protection provided by an enterprise or broadband device-based network firewall.
The connection to use this internet service may be over Ethernet, Wi-Fi or even Bluetooth or USB with iPhone tethering. An ‘upstream’ device may provide some protection but it’s a good practice to presume that any other device may fail to be an effective control against threats.
This concept is the basis of the ‘defence in depth’ security principle underlying most effective security strategies. Your security strategy should comprise multiple, complementary methods of control. The general rule of thumb for enterprise computing is to only take on what you can manage well. The same applies for your Mac.
It’s up to you to secure the endpoint you control – your Mac. To do so you’ll have to presume that threats could exist in each medium your network traffic passes from leaving your Mac to arriving at the end resource you’re accessing (website, email server, etc). You may be able to manage some of these threats, while others should be presumed and considered in how you use networks.
Your basic controls to address network connection-based threats – your local network security – mostly ensure that device management interfaces aren’t accessible to others and that you’ve chosen sensible passwords.
Additionally, the services you present to a network are the ‘stepping stones’ attackers will attempt to access.
Thinking about your network. So let’s start with your network-related passwords. Ask yourself the following questions:
• Would it be reasonable for someone to guess or otherwise determine your DSL/cable modem or Wi-Fi access point management username and password?
• Do you have other network connection passwords stored in your Mac, for example to connect to network shares on other systems? Are these well chosen?
• If you use Wi-Fi would your wireless network have a sensible passphrase and encryption method?
You should start by changing the default username and password for management access to these devices. Even where a vendor avoids the ‘Username: admin; Password: admin’ default credentials trap by nominating a password that is unique to their product but still a default, it’s usually easily located in an online manual or forum.
Your broadband service user and access credentials should be treated like any other username and password.
Using Wi-Fi or Bluetooth? Of course you are. Threats to Wi-Fi networks are widely known in computer security. To secure your Wi-Fi connection, here are a few quick tips.
Avoid using Wired Equivalent Privacy (WEP) to secure your wireless network as it’s been busted for years.
Wi-Fi Protected Access (WPA) is an industry program to adopt improved authentication and encryption methods to improve on WEP’s weaknesses. WPA/WPA2 are implemented in either ‘personal’ mode using passphrases or in ‘enterprise’ mode using Extensible Authentication Protocol (EAP) methods for encryption and authentication.
To minimise known threats avoid using WPA Personal and use WPA2 Personal with a long, non-dictionary-based passphrase. You get bonus ‘tinfoil-hat-wearing paranoid’ points for using OSX Server or another authentication source – Windows Active Directory, LDAP, RADIUS – to enable a WPA2 802.1x EAP-TTLS-based network.
If you use a lot of hotspots and public wireless networks you may accumulate a list of these in your Network Preferences. I recommend reviewing this from time to time.
Looking for unsecured networks by name only (and that’s how it works) may provide an opportunity for an attacker to substitute a network with the same network name (SSID). Also, if the network you’re intending to join is far down the list of networks your Mac is looking for, it will take longer to find it because it looks for the networks in list order. Reducing this list will speed things up.
Controlling Bluetooth wireless is a little more straightforward. By default OSX enables Bluetooth to be ‘discoverable’. This is going to permit other Bluetooth devices – including those that aren’t yours – to probe details about your Mac like its hostname and Bluetooth-based services it’s willing to support.
Disable this by un-checking Discoverable in the Bluetooth Menu Item or Preference Pane. There are Bluetooth connection and sharing-related attributes in the Sharing preference pane. These should be carefully considered – especially the Browse options.
For more crazy ‘tinfoil-hat paranoia’ points, when pairing with Bluetooth devices I recommend doing so in an isolated location. Observing the pairing process may assist an attacker with later attacks on your Bluetooth services.
Controlling connections – Services and Firewalls. To reduce the ‘attack surface’ your Mac presents to networks review your Sharing preferences and ensure that you minimise the services there. In fact, if you’re directly connected to the internet, you probably shouldn’t have any of those items enabled.
There are many more extreme ways to reduce the services exposed on your Mac – disabling “multicast DNS” and hence Bonjour service advertisement is a big one – but it’s probably easier to just block connections into those services using a network firewall.
Confusingly, there are a few firewall functions available on OSX. The first firewall function is in Darwin – the FreeBSD UNIX-tasting primordial soup in OSX – which contains a network packet-blocking framework called ipfw. There’s no graphical interface in Leopard and Snow Leopard to configure ipfw so you’ll have to use Terminal or a third-party application that helps you do this.
Hanynet.com’s WaterRoof and the free NoobProof firewalls (www.hanynet.com) and Open Door Networks’ DoorStop (www.opendoor.com/DoorStop) are some of the applications that permit more granular control of network traffic including specific traffic permitted for egress (outbound) from your Mac and trusted (or not) endpoints for your ingress traffic.
Packet filters like ipfw only do what you tell them. They may block or pass the wrong packet if configured to do so. Packet filters are usually used to define a baseline of network activity for a client OSX system like your Mac. In firewalls we usually define the network traffic we know we’ll want and then block all the rest.
Prepare to ‘trial and error’ your way through this by looking at the Console logs while using your everyday applications. You’ll learn a lot about how your Mac uses the network in the process.
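As an added example (not from the article or from any of the firewall tools it mentions), here is a minimal ipfw baseline in the ‘permit what you know you need, then block the rest’ style described above: loopback, outbound connections and their replies, DNS and DHCP replies, a few harmless ICMP types, and a final logged deny for all other inbound traffic. The rule numbers and the set of permitted traffic are this example’s own assumptions, and the inbound echo-request deny mirrors what Stealth Mode does.

```shell
#!/bin/sh
# Added example ipfw baseline for a client Mac (not the article's own code).
# Rule numbers and permitted traffic are assumptions for illustration.

# Print the ruleset, one ipfw command per line, lowest rule number first.
ipfw_baseline_rules() {
    cat <<'EOF'
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from me to any out setup keep-state
add 400 allow udp from me to any 53 out keep-state
add 500 allow udp from any 67 to any 68 in
add 600 allow icmp from any to any icmptypes 0,3,11
add 700 deny log icmp from any to any icmptypes 8 in
add 65000 deny log ip from any to any in
EOF
}
# 100: local inter-process traffic on the loopback interface.
# 200/300/400: outbound TCP and DNS create dynamic state (keep-state) so
#   only the matching return packets get back in via check-state.
# 500: DHCP replies from the broadband router (server port 67 -> client 68).
# 600: echo reply, destination unreachable and time exceeded so your own
#   ping/traceroute still work; 700 drops inbound pings, like Stealth Mode.
# 65000: everything else arriving from the network is dropped and logged.
#   The 'log' keyword only reaches Console when the sysctl
#   net.inet.ip.fw.verbose is set to 1.

# Number of rules in the baseline (handy for checking the generated set).
ipfw_baseline_count() {
    ipfw_baseline_rules | wc -l | tr -d ' '
}

# Load the baseline: flush the existing ruleset, then feed the rules to
# ipfw from a temporary file. Prints the rules instead when ipfw is absent.
apply_ipfw_baseline() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; ruleset that would be loaded:" >&2
        ipfw_baseline_rules >&2
        return 0
    fi
    tmp=$(mktemp /tmp/ipfw_baseline.XXXXXX) || return 1
    ipfw_baseline_rules > "$tmp"
    sudo ipfw -f -q flush && sudo ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run apply_ipfw_baseline yourself (it needs sudo); nothing is applied
# merely by sourcing this file.
```

The ruleset is not persistent across reboots; on Snow Leopard you would need a launchd job or a tool such as the ones mentioned above to reload it at startup.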
There are also more advanced firewall functions that attempt to be adaptive to your Mac as you’re using it. One is the built-in OS X Application Firewall on your Mac that you can enable using the Security Preferences pane. Its primary purpose is to permit applications to open network ports on your Mac for various purposes and to provide basic packet blocking functions. It’s primitive and mostly adequate but has limitations and, by default, is not turned on.
If you use the Application Firewall it’s advisable to adopt the additional options available under the Advanced tab on the Firewall menu of the Security Preference pane. The option to ‘Block all incoming connections’ is a good choice from a security point of view, but remember that you’ve enabled it if network applications you use seem to stop working.
As with the previous version of the OS X Application Firewall in Leopard, you can select applications to trust. Avoid permitting this activity and review this list from time to time. Other than licence checking I can’t think of a reason I would trust Microsoft Word to receive external connections.
There’s some subtlety in the OS X Application Firewall regarding trusting ‘signed applications’ which will include many Apple applications. You can add these to the list and then specifically deny them from receiving connections. I’d also recommend considering using the Enable Stealth Mode option in the Advanced Firewall preferences.
The Enable Stealth Mode configuration will stop your Mac from responding to ICMP message requests. For example, an ICMP ‘echo request’ message to your Mac would normally elicit an ICMP ‘echo reply’ message from your Mac. More conventionally, this operation is known as a network ping, used to see if your Mac is present on the network. There are legitimate uses of ping but most users rarely use it except to annoy ISP/family help desk staff.
Conceptually similar to the OSX Application Firewall there’s also the Little Snitch application firewall (www.obdev.at). This allows you to control the connections your applications make outbound to other network devices. If you like to tweak stuff you can go nuts with Little Snitch.
This can be interesting to identify ‘phone home’ functions in your applications. Little Snitch permits specifying endpoints for connections like various ipfw management applications. This makes it a winner for specifically controlling application behaviour. Prepare to “go full Vista” with lots of clicking through prompts for permitting or denying applications using the network.
All of these firewall products operate by either directly using the native ipfw firewall or by interceding when any application calls a network-related system call function.
Personally I use Little Snitch for managing outbound connections and an ipfw ruleset to control inbound traffic. I have the OSX Application Firewall disabled. You’ll want to experiment a bit to work out what works for you.
Data content-based threats
Since you’re probably sitting behind a firewall on your network connection and you’re probably using Network Address Translation it’s not that likely that you’ll be hit with a direct network-based attack. Issues exposed through your web browser are probably greater threats to your Mac.
This is primarily thanks to browser plug-ins for Flash, Java and other content types handled through your browser. Flaws in these can make it possible for an attacker to read data on your Mac, or to execute content on your Mac, including content the attacker supplies.
Until the last few years worrying about host-side issues didn’t seem to interest the large commercial anti-virus and anti-malware companies much. Threats have been catching up during that time and, these days, the Mac is becoming as exposed as any platform out there.
If you have a 64-bit-ready machine, Snow Leopard tries to protect your Mac from content-related issues that use browser plug-ins. These plug-ins will be executed as a different system thread. This helps a little by partially isolating potentially harmful execution of internet-sourced data but this is more of a stability benefit than a security control.
Snow Leopard also has a new (basic) function for stopping execution of some known malicious software. This Xprotect feature has some anti-virus companies grumbling about Apple cutting their lunch. Not really sure why, though.
Really, as users we should want this functionality to be handled close to or as part of the operating system. This is no different than Microsoft technologies and even the iPhone having ‘kill bits’ concepts to disable the ability to run Known Bad Stuff.
However, as of this writing (mid-November 2009), the XProtect.plist file distributed with Snow Leopard appears to be a Snow Leopard release default and the file is dated 30 July 2009. It only has two signatures in it. It needs to be ‘fully baked’, kept up to date and visible to users.
Similarly Apple missed an opportunity with Snow Leopard to fully implement a control that can assist with some forms of malicious software.
Windows operating systems since Vista and Server 2008, Linux and other free operating systems have a memory randomisation concept called ASLR. Leopard partially introduced ASLR, but not for the entire operating system.
This technique helps prevent attacks in which an exploit targets a particular memory location. ASLR makes such memory and stack execution attacks harder, whether malicious code is stored in (and later executed from) a predictable location in memory, or existing code with known flaws sits at a predictable location and is reused.
Until we can rely on more mature technology from Apple, I’d recommend investigating an anti-virus/anti-malware solution and being very careful about browser plug-ins.
Threats to privacy and encryption
There are multitudes of ways to encrypt data on your Mac. We have to also think about what form data takes – data ‘at rest’ on your Mac or ‘in flight’ on the network, for example.
On the network many common internet services use non-encrypted network connections to carry privileged information. An obvious example is email.
The email you send using Mail or Entourage is delivered with SMTP and received using POP3 or IMAP. Most use of these email application protocols is without encryption such as Secure Sockets Layer (SSL). When you set up your email you’ll notice the ability to enable SSL, so it might be worth asking your service provider if it supports SSL for IMAP or POP3. SSL is currently under serious threat but remains our best current option for application-layer encryption.
Sensitive data on your Mac also needs protection. There are native data encryption functions on your Mac but they involve using Keychain Access to store data or using Disk Utility to create encrypted volumes and can be a bit goofy to use in practice. There are also free third-party options to provide data encryption such as Truecrypt (www.truecrypt.org) and MacGPG (macgpg.sourceforge.net).
Commercial products such as PGP Desktop (www.pgp.com) and Check Point’s Full Disk Encryption (www.checkpoint.com) provide file encryption and, in some cases, whole disk encryption from boot. An obvious benefit of full disk encryption is in the event of theft or loss of your MacBook.
Encrypting the email you send can be provided by an open-source package for Mail.app called MacGPG (sourceforge.net/projects/gpgmail) and with commercial software from PGP. Both of these products will protect emails being sent to others and emails stored on your Mac.
Removable media and your backups should also have special consideration for encryption. Time Machine backups can’t officially use the encrypted ‘sparse image’ volumes you can create through Disk Utility. Attempting this may make restoring on a new/replaced system more difficult. So Time Machine and other backups will best benefit from some basic thought about where you keep your sensitive data.
Threats to Mac physical security
With most technology, if an attacker can gain physical access they can get access to your data. This could be when your Mac is powered on, off, lost – whatever. To prevent this on your Mac you can take a few basic steps. See the ‘Set to go’ screenshot for my Security preferences.
I’ve enabled a few things you should consider. First ensure that your Mac requires a username and password to log back in from sleep or screensaver mode. A related configuration disables automatic login for all accounts.
Second, with Snow Leopard your Mac uses Location Services to make a call home to Apple once it scans the wireless networks near your Mac. Apple then queries data from a company called Skyhook Wireless which has mapped the location of Wi-Fi networks around the world. Neat but kind of creepy. This function identified my location to within about 20m. I strongly recommend disabling this.
Some other tricks are to boot from your Snow Leopard (or earlier) install media and to run the Firmware Password Utility. This will prevent your Mac from providing (if supported) Target Disk Mode and will require a password to boot from other volumes. You can also carefully add an OSX login banner using the following terminal command:
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Your Name – call 04xxxxxxxx if found – reward offered"
This means you might get your lost or stolen Mac back.
Snow Leopard needs work
Snow Leopard has introduced some features which are meant to help provide greater protection. But all tech requires further effort to secure it.
Keep in mind you’re sitting on an 8GB default install of many, many sources of code from Apple through to hundreds of open source projects.
The code already on your Mac will, over time, be found to have flaws. Apple is usually pro-active about providing fixes but not always (see the Java runtime environment article in the July 2009 issue of AMW).
So as users we have to foster a healthy mistrust of the technology we use and to do what we can to maintain security. We also have to keep pressure on our vendors – including Apple – to maintain their software products and those of others they use and package in OSX.
Neal Wise breaks stuff for a living at Melbourne IT Security consultancy Assurance.com.au.