Schneier on Security
A blog covering security and security technology.
October 18, 2007
Posted on October 18, 2007 at 2:17 PM
… unfortunately without a solution for the drive encryption problem on the Mac (FileVault is limited to the home directory and renders Spotlight useless, PGP is even more limited, and a full disk encryption solution is not available on the market … :(
There was an interesting Slashdot post about the new security features in Leopard. Some very progressive changes including 128/256-bit AES Disk Encryption, Smartcard Authentication, Library Randomization (ASLR), and different types of application signing.
Check it out:
You can create encrypted containers anywhere, even on USB memory. With Knox for Mac (http://www.knoxformac.com/specs/), you can manage those containers easily and control Spotlight use on a container if you wish.
Containers are great for certain purposes, e.g. for a USB stick. In regard to the encryption of data on a notebook, they aren't that useful, since you always risk missing some sensitive data … Knox is nice, but only a nicer GUI for Apple's encrypted DMGs.
I don't see anything in particular about this article which makes it notable... what exactly do you think is interesting or good about this? It seems more like you just wanted to post a misc Mac article just because...
eh, Good starting points. I was hoping it would have more specific security info.
*How to set a software firewall up
*common security configuration pitfalls
You know, with a discussion of how these areas might change with the new Leopard OS.
I would think that protection from internet based threats is greater than that of a curious person that occasionally uses the computer. Or maybe people just tend to overlook the more mundane threats.
Daniel, you should check out Leopard's drive encryption support. Maybe it could entice you to "make the switch." :)
Does anyone know if this is more than an incremental upgrade from Filevault?
Another item I would have included in this article is 'Use a virus scanner.' While there may not be many (or perhaps any) OSX viruses out there, having a scanner might help prevent you from unwittingly spreading infected files to PC-using friends or colleagues.
@Milan Ilnyckyj: Use your BRAIN 1.0 instead of a virus scanner …
@Peter: Great news, thank you!
Um...yeah, I agree with bobdole as well, and I thank dmulter for posting some things that are actually worth reading. Seriously Bruce, what's the deal with this link? Why did this suddenly strike you as worth noting?
"Using that administrator account as your normal, day-to-day login account can be risky. First, you make it easier to mistakenly change or delete something crucial to your computer’s operation. And second, you open a potential security hole: if you step away from your computer without logging out, someone else will have complete access to your Mac’s data and settings."
I'm not quite sure I get this. A user with administrative privileges is basically a "sudo" user where in order to do something privileged, you have to type your password again. So a) you can't do anything wrong by accident without typing your password, and b) an attacker can't do something rude without typing your password.
As far as I understand it, the difference between the account types is simply that a normal user just gets denied when he tries to do a privileged operation, as opposed to being prompted for their password, and they also can't use "sudo".
Maybe because they noted how much hassle/security each part is.
tradeoffs and all of that?
The encrypted drive image thing isn't all that useful, since when you mount the encrypted drive, it's open access for all users. This means that if user A mounts an encrypted drive image and user B logs in, user B can see user A's mounted encrypted drive.
Apple really ought to have set it so that when you mount an encrypted drive, you can choose whether or not other users can access it.
Also some of the Kensington laptop locks can be removed pretty easily. http://www.toool.nl/kensington623.wmv
Go for a combination Kensington lock.
The Macworld article also doesn't cover the Keychain (although there's another article about it), which I think is an important part of OS X security - you can easily use it to hold passwords and digital certificates. I use mine for all my web passwords and also my SSH keys and digital certificates. I have the Keychain Access application set up to lock my keychain every thirty minutes. Therefore, if I need to access something on the Keychain, I have to type the master password. I've written shell scripts, and it's relatively easy to use the Keychain from inside Python and Ruby - meaning that you can get away with not storing passwords for online services in the clear inside scripts.
I also have a keyboard shortcut set up to lock my computer (using AppleScript and Quicksilver) - meaning, hop back to the login screen, pause iTunes and lock all my keychains.
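One way to do what the commenter describes, pulling a web or service password out of the Keychain from inside a Python script instead of storing it in the clear. This is an added example, not the commenter's own scripts; it assumes the `security` command-line tool that ships with OS X, and the service and account names are hypothetical placeholders.

```python
"""Read a password from the macOS Keychain rather than hard-coding it in a script.

Added example (not from the post). Uses the `security` CLI that ships with OS X:
`security find-generic-password -s SERVICE -a ACCOUNT -w` prints only the password.
If the keychain is locked (e.g. by the 30-minute auto-lock the commenter mentions),
the OS prompts for the master password before the secret is released.
"""
import shutil
import subprocess
from typing import List, Optional


def keychain_argv(service: str, account: str) -> List[str]:
    """Build the argv for a Keychain lookup. List form avoids shell quoting issues."""
    return ["security", "find-generic-password", "-s", service, "-a", account, "-w"]


def parse_keychain_output(stdout: str, returncode: int) -> Optional[str]:
    """Map `security` output to a password, or None when no secret was returned.

    On success `security` prints the secret followed by a newline; any non-zero
    exit code means the item was not found or the user refused access.
    """
    if returncode != 0:
        return None
    secret = stdout.rstrip("\n")
    return secret or None


def keychain_password(service: str, account: str) -> Optional[str]:
    """Fetch the password for (service, account); None if `security` is unavailable."""
    if shutil.which("security") is None:
        return None  # not on a Mac: behave as "no credential available"
    proc = subprocess.run(keychain_argv(service, account),
                          capture_output=True, text=True)
    return parse_keychain_output(proc.stdout, proc.returncode)


if __name__ == "__main__":
    # Hypothetical service/account names; replace with your own Keychain item.
    pw = keychain_password("example.org", "alice")
    print("password obtained" if pw else "no password available")
```

Never print or log the returned secret; hand it straight to the client library that needs it.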
"I'm not quite sure I get this. A user with administrative privileges is basically a "sudo" user where in order to do something privileged, you have to type your password again."
False. An admin acct is a member of the 'admin' group. Some dirs are writable to admin-group, notably /Applications and various ones in /Library.
"*How to set a software firewall up"
Open System Preferences.
Click the Sharing pane.
Click its Firewall tab.
Below the words "Firewall Off", click the "Start" button.
If it says "Firewall On" and the button says "Stop", do nothing.
Excellent. Now can you tell us how to set up a software firewall that manages non-TCP traffic?
yeesh- anyone with a moment's access to a mac can kill OF protection, boot off CD or USB, and copy every last bit of child porn on the drive-
or they can install a keylogger to get at your AES volumes-
point being, don't let your lappy out of your sight- ever...
Hmm. I've added password protection to only allow authorised users to boot from drives other than the internal hard drive.
This, added to requiring a password (no automatic login), actually having a password, and screensaver password, makes the laptop much less useful to thieves.
Finally, a guest account, and Undercover installed makes it much easier for recovery should it be stolen.
(Because, as much as I love my MacBook Pro, I do have to occasionally let it out of my sight.)
Thanks for the link, Bruce. For some of the commenters: note that this was one article in a series; other sections, accessible via the links at the top of that page, cover passwords and the keychain; wireless security; online security (including virus protection); and email safety.
Follow 1st Anonymous' instructions.
Click Advanced... button
Check "Block UDP Traffic" box
I suspect the thing Bruce likes the most about this article is that the trade-off he mentions so often is abundantly apparent in the article.
Often, as Security goes up, Hassle also goes up. Sometimes it doesn't...
...and when that happens, you have no excuse not to implement it. Of course, there WILL be a trade-off somewhere, it's just not "Hassle".
As many people have mentioned above, it's important to accurately rate the Security and Hassle parameters. If you get them wrong then you'll just be wasting your own time.
If you want to try running as non-admin on a Mac it's much easier to create an account with admin rights and remove those rights from your account(s) - no need to move preferences, bookmarks, settings, documents, music and photos to the new account which is a lot of hassle. Whichever way, to use sudo from the non-admin account it has to be added to sudoers using visudo.
It's surprising he gives running as non-admin a hassle rating of two, as the only thing I noticed was having to authenticate when installing to the Applications folder.
I don't get the administrator hassle either. If somebody overwrites my system files, well, then I just have to reinstall. The most important thing on my computer is my data, which even my non-admin account would have to have access to. If that gets overwritten then I'm screwed. That's why I only back up my data, and not my Windows directory or Program Files.
@ Josh O.
If someone compromises your machine while you're on your admin account, and gains the ability to overwrite your system files, he can do a lot more than just forcing you to reinstall. He can install a rootkit, add your machine in a bot network, steal your data, all the while giving you no indication that anything's wrong. You would never know you're supposed to reinstall.
@Blake: "I'm not quite sure I get this. A user with administrative privileges is basically a "sudo" user where in order to do something privileged, you have to type your password again."
Incorrect, unfortunately. Under OSX, there's an admin group, and Finder often seems (or maybe it's the image that applications are dragged from) to set the permissions on /Applications to group write. So the admin user, without using sudo, can alter root-owned files.
On top of that, it is extremely easy to do code injection in OSX. You don't have to mess with ptrace or dll injection. You can simply swizzle Objective-C code via an InputManager. You don't actually need to run code for code injection, just place a single file in a directory under the users home directory! And the whole thing can be written in a high-level language!
So basically, it is quite easy to do the old change the path to sudo trick in OSX. In any operating system, your day-to-day user should not have admin privileges. You should know that your admin user's environment is completely clean before you try to sudo.
This is also a security bug in Windows and some Linux distributions which make the initial user also admin. In OSX it's almost invisible (any pre-existing Objective-C program can be used with the addition of one bundle), in Windows it's pretty easy to go undetected (but you have to run a bit of code which MS has been so kind to api), and in Linux you have to run code to either alter .profile and hide an executable, or do some assembly level bit juggling that very much depends on the program to be hijacked.
Tom Morris: "The encrypted drive image thing isn't all that useful, since when you mount the encrypted drive, it's open access for all users."
Change your umask to 007.
Now, which script do I have to do that in to get it propagated everywhere....
Oh, you must mean that you want security that just "Works" - is easy to set up. Sorry, Apple ain't helping with that.
Now if only they could keep up with security patches...
(Unfortunately, I don't think the 1-year-old TIFF vulnerability used to get code execution on the iPhone was a one-off. I recall one of the security bloggers complaining about how long it took for them to include security patches for external software.)
This seems to be the main Macintosh security article found by searching "Macintosh" here on Schneier's excellent website, so I will point out here a note in "NewsBriefs" of IEEE Security & Privacy magazine July-Aug 2008 p.11.
Antivirus vendor SecureMac has found a hole in Apple Remote Desktop Agent (ARDAgent) in OS 10.4 and 10.5, and the hole is exploited by a trojan which is in the wild, allowing attackers to gain remote access to a system, including to log keystrokes and take photos using a built-in iSight camera. The note mentions as a fix to move ARDAgent from its usual location. What are the odds the hole is a known backdoor, to go along with the EULA which was changed beginning OS 10.4? See: