System 7's Security Shortcomings
By Bruce Schneier
July 27, 1992
System 7 and the Mac were designed for ease of use, not security. Networked Macs suffer from many security risks that stand-alone machines don't, and, unlike mainframe systems, there is no central machine from which to control access.
AppleTalk is a dynamic "plug-and-play" system - any Mac can plug into an existing network and immediately become part of it. AppleTalk also is a peer-to-peer system - any Mac can access resources on, send files to and exchange messages with any other machine. "Macintosh users are used to having an open platform and freely sharing files," said Andrew Sneed, computer coordinator at The Analytical Services Corp. (TASC) in Fort Walton Beach, Fla. That openness is not conducive to network security, he added. "They want to be able to get any file on any machine painlessly and effortlessly."
Many Ways to Circumvent Security
Restricting access to data on file servers is the primary security concern at most sites. Both AppleShare and System 7's file sharing capabilities have basic security features built in. The latest version of AppleShare even supports password aging, minimum password lengths and the automatic disabling of accounts after several incorrect password attempts. Some corporate users feel these measures are adequate.
"Network security from AppleShare has been sufficient for our needs," said Bob Brands, a network administrator at Mitre Corp. of Washington, D.C.
But many feel differently, especially about AppleShare's allowance of anonymous, or Guest, log ins. "People get lazy and leave the Guest account enabled for new users," said Kee Nethery, AppleTalk network engineer at Kagi Engineering of Berkeley, Calif. "What a surprise when they find people who shouldn't have access using the Guest account."
Individual Macs on the network also have the option to log on automatically to a file server at start-up. This is a major security hole, and administrators cannot disable it. Interlopers also can access servers by using unattended machines that have servers mounted because AppleShare has no provisions to log users out automatically after a period of inactivity.
The fundamental first step to help secure an AppleShare server is to protect it physically. "Lock it in a room somewhere," said Kagi's Nethery. "It is a trivial task to bypass a Macintosh server's security measures if you can get your hands on it."
"People aren't always aware of the security risks of file sharing," said David Shayer, programmer of Fifth Generation Systems Inc.'s DiskLock. "They turn file sharing on and don't think about whether they let in one person or inadvertently let in the whole office."
File sharing is an optional capability with System 7, and administrators can choose not to install it or remove the feature if they decide it is too great a security risk.
Networked Apple events bring their own largely unexplored security worries. If program linking is enabled on a machine and for an application on it, Apple events could be used to operate that program remotely without the local user's consent.
Personal Computer Data Privacy
Software locks can prevent unauthorized access to individual Macs. In addition to the password-protection features of many hard disk formatters, there are several System 7-compatible security programs on the market: ASD Software Inc.'s FileGuard; Fifth Generation Systems' DiskLock; usrEZ Software's ultraSecure; Magna's Empower I and Empower II; and Kent Marsh Ltd.'s NightWatch II, FolderBolt and MacSafe. These packages provide various security features, including screen savers with passwords and automatic file encryptors that use the federal Data Encryption Standard algorithm. Some security packages require a special key card or floppy disk for access.
"We needed to stop people after hours from bringing in their favorite games and infecting computers with viruses," said Doug Houseman, computer support specialist at Domino's Pizza in Ann Arbor, Mich. "If I had a bigger threat, I would use doors and locks. For my needs, DiskLock is almost unobtrusive," he said.
Others use security to ensure data integrity. "I don't care if people use my Mac when I'm gone. I want to make sure no one deletes any files or moves icons around on my desktop," said Alan Insley, principal at Crenelle Inc., a software-development company in Chicago.
Network Data Privacy
Packet analyzers are hardware or software packages that capture and read traffic on AppleTalk networks. Normally, a Mac ignores any packet not specifically addressed to it; a packet analyzer, however, can read packets addressed to any machine on the network. Vendors of these products are aware of the potential for unauthorized monitoring. Some have attempted to make it more difficult to run an analyzer without first registering it on the network through the Name-Binding Protocol, so that alert network managers can spot "wiretappers." A knowledgeable user can circumvent this, however.
Routers, used to connect different networks, raise additional security problems. Their configuration controls can be password-protected, but often the passwords are not very good. And once they are accessed, routers often can be reconfigured from anywhere on the network.
Anybody can buy a router, attach it to the network and gain unauthorized access to a secured zone by masquerading as a user in an authorized network. "Occasionally we have new zones pop up in our network, and we have to hunt them down and kill them," said Greg German, senior research programmer in the network design office at the University of Illinois at Urbana.
Restricting Remote Access
AppleTalk Remote Access has built-in security features, but many companies are deeply wary of allowing dial-in access to their networks. "We decided the AppleTalk network should be internal only. We don't allow any outside access," said TASC's Sneed.
One solution that limits network access for remote users is zone hiding. Network administrators can hide resources through routers so users on connected networks cannot see or use them. For instance, zone hiding could be used to restrict internet access to one AppleTalk zone or to keep people outside a zone from printing on that zone's printers. "If we didn't hide certain zones, students could print documents on any printer in the network," said University of Illinois' German.
Many people just want to dial in to get electronic mail, so companies set up a mail server for that purpose. Both Microsoft Mail and CE Software Inc.'s QuickMail can configure a Mac as a dial-in mail server. This allows users to send and receive electronic mail but does not give them access to the rest of the network.
"We can give E-mail accounts to people whom we wouldn't otherwise want on our network," said Michael Bentley, president of Crenelle.
People Are the Solution
In the end, security rests with people. The U.S. Navy spent billions encrypting its data links, only to find that convicted spy John Walker mailed the encryption keys to the Soviets. A company can put all types of security products on its Macs and networks, but if the users don't care about security, they will find a way around it. "People here have taken Empower off their systems; it was an inconvenience to them," said Mark McNew, senior computer scientist at Conoco Inc. of Houston.
No Mac security solution is foolproof. "You do what you can based on the risks you assign," said James Pauley, a senior software engineer at TASC. "Then you tell management you are only protecting against certain kinds of intrusion. It's a risk you take to use Macs."
Perhaps the only reliable security method is to keep sensitive data off the network altogether. "If you're really concerned about it, you'd better put it on a floppy and lock it up," said TASC's Sneed.