Securing Mac OS X Tiger

Zonk posted more than 8 years ago | from the intense-lockdown dept.

Security 130

Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."

130 comments

Most secure? (-1, Flamebait)

TCM (130219) | more than 8 years ago | (#13527247)

"Mac OS X is one of the most secure default installations of any OS."

I thought OpenBSD has prior art here.

Re:Most secure? (1)

Henriok (6762) | more than 8 years ago | (#13527269)

That's why it says that it's "one of the most" not "the most".

Re:Most secure? (0)

Anonymous Coward | more than 8 years ago | (#13527280)

"one of the most" - not THE most. At least read the post, let alone the article

Re:Most secure? (0, Offtopic)

Anonymous Coward | more than 8 years ago | (#13527293)

Durr, I make really quick but completely vacuous and inane posts to a new story to get karma.

Durr.

Re:Most secure? (0)

Anonymous Coward | more than 8 years ago | (#13527364)

Oh good god. I appreciate RTFA as a stretch, but not even RTFQYQFTS (Read the f'ing quotation you quoted from the summary) - that's a new /. low

Re:Most secure? (0, Flamebait)

g00n (565271) | more than 8 years ago | (#13527743)

correct me if i'm wrong, but i think NetBSD beats OpenBSD on this.

Re:Most secure? (0)

Anonymous Coward | more than 8 years ago | (#13527811)

You would be incorrect, friend. While NetBSD is a very secure operating system, OpenBSD believes in proactive security, that is, fixing problems before they become problems. They regularly undergo code audits and otherwise focus on clean, secure code. More information is available here: http://openbsd.org/security.html [openbsd.org]

Re:Most secure? Says: mi2g (4, Informative)

Anonymous Coward | more than 8 years ago | (#13528395)

London-based mi2g Intelligence Unit on Tuesday released a report that says Mac OS X and Berkeley Standard Distribution (BSD) Unix are the "world's safest and most secure 24/7 online computing environments." Linux operating systems offer the worst track record, according to mi2g, with Windows coming in second.

http://www.macworld.com/news/2004/11/02/mi2g/index.php [macworld.com]

Re:Most secure? Says: mi2g (2, Insightful)

laffer1 (701823) | more than 8 years ago | (#13528918)

This is very interesting. The article points out that small businesses and individuals get cracked more than big organizations. It also points out that more people use Windows and Linux than Mac OS X and BSD. I wonder if the numbers take that into account. Are the Linux statistics balanced with the windows counts, etc?

I think there might be two problems with the information assuming the numbers are normalized on installs vs successful compromises. First, Mac OS X is the most widely sold UNIX like OS in the world. It's hard to believe that OS X and BSD counted together is more than Linux. Most other surveys put them at about the same percentage. If you look at servers then linux would blow out OS X and probably BSD. Desktops i think linux would do better than BSDs aside from OS X. Second, it would be nice to see data on how well trained the sys admins were on the systems. Many people don't know linux well enough to properly secure it. An OSX desktop ships in a safer default than most linux distros. In fact, if you look at the bloated distros they ship with several programs that do the same thing. (KDE and Gnome along with software) 4 browsers, 3 email clients, probably 20 text editors, etc. OS X server and Linux are both a pain in the ass for different reasons. I think they give a false sense of security because of the user interface. (graphical and not distros like gentoo or debian that don't include x11 by default) Windows has the same problem. If you meet a windows admin who's never touched the registry then you know they are an idiot. Likewise, if someone hasn't touched a config file in /etc or used a terminal on OS X server or linux they are an idiot. BSD people have no choice :)

Obscurity only goes so far. I'd also like to know what caused the linux distros to get attacked. Was it a kernel flaw, service issue, common open source software? For example, many operating systems come with a webserver now (apache or iis). Is there a pattern on services?

I write this on a redhat EL 3.0 workstation install. I've noticed that i get about the same number of security updates in a month for my windows box and this redhat machine. Today i had to install 5 patches to redhat. (last patched a week ago) and i patched windows a few days ago and had 3. My ibook g4 laptop with tiger on it has had about 7 security patches in the last month and countless new versions of software like quicktime, itunes, etc. I've always wondered if apple hides security updates in new versions of software and doesn't tell anyone. My point is that all my operating systems seem to require the same amount of security patching in desktop scenarios. My FreeBSD file server and webservers tend to need 1-2 patches a month as part of the userland and then new versions of software add up for say 20-25 portupgrades a month. And that does not include apache, mysql or php which i manually compile and install.

Numbers without more background are not that helpful.

Re:Most secure? Says: mi2g (0)

Anonymous Coward | more than 8 years ago | (#13529005)

mi2g Intelligence Unit on Tuesday released a report
Tuesday the ?? November 2004. Got any measure of the malware released since then? After Windoze & Lunix have finished sluggin' it out the OS-X+BSD death rate is right in line with market share, no better, no worse. I'd like to think the users could make it better, but it ain't so [slashdot.org]

I once tried to secure a tiger (5, Funny)

DrMrLordX (559371) | more than 8 years ago | (#13527249)

I put a tiger on a leash once.  It didn't work.  Don't try this at home, kids!

Re:I once tried to secure a tiger (1)

korba (710095) | more than 8 years ago | (#13527311)

You should try the cage. It works for me.

Re:I once tried to secure a tiger (5, Funny)

kcarlin (99704) | more than 8 years ago | (#13527691)

You should try the cage. It works for me.

Does the tiger let you out for walks?

Nice to see you... (5, Funny)

Anonymous Coward | more than 8 years ago | (#13527326)

Nice to see Roy Horn has recovered enough to post on slashdot.

Next time... (4, Funny)

Farrside (78711) | more than 8 years ago | (#13527617)

Grab it by the toe.

Wear good earplugs.

Re:I once tried to secure a tiger (1)

commodoresloat (172735) | more than 8 years ago | (#13527653)

I believe there's still a job opening at the Mirage in Vegas for someone who can do this right.

Re:I once tried to secure a tiger (1)

Afrosheen (42464) | more than 8 years ago | (#13528074)

Great for bikers, it's a helmet-optional job.

Re:I once tried to secure a tiger (0)

Anonymous Coward | more than 8 years ago | (#13527778)

Yeah, a scroll of taming works better.

Though, rather than a tiger, I much prefer the tame minotaur I managed to get one time. Wow, that thing was mean. It used to kill shopkeepers in 1 or 2 turns.

Re:I once tried to secure a tiger (1)

fafaforza (248976) | more than 8 years ago | (#13529268)

Mike? Mike Tyson? That you?

Securing my Anus (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13527252)


 
well i just thought that i would Secure My Anus [goatse.ca] with the article.. HIV runs in high percentages in the Mac community..

well i just thought that i would Secure My Anus [goatse.ca] with the article.. HIV runs in high percentages in the Mac community..
 

Re:Securing my Anus (1)

FosterKanig (645454) | more than 8 years ago | (#13527312)

You don't have to tell me twice.

Re:Securing my Anus (0)

Anonymous Coward | more than 8 years ago | (#13527455)

I knew he was a Canadian.
I knew it.

Wow - Interesting (1, Offtopic)

repruhsent (672799) | more than 8 years ago | (#13527253)

I would think it would be difficult to lock down a tiger. They'd growl and threaten to bite you when you tried to shut the door on their cage.

Also, FP.

"long pdf"? (4, Funny)

Anonymous Coward | more than 8 years ago | (#13527255)

Ah, good Slashdot.... Now it warns us that TFA is "long", even.
But of course, I don't think anyone ever tries to RTFA, so the thoughtful gesture is lost on us....

Re:"long pdf"? (2, Interesting)

ergo98 (9391) | more than 8 years ago | (#13527458)

Ah, good Slashdot.... Now it warns us that TFA is "long", even.

There have been warnings accompanying long related articles for time eternal - some people come here primarily for discussion (sort of like an online book club). The article is a "necessary nuisance" for this bunch, hence the disclaimer. For those who actually come for information it isn't so much of a concern.

Now since I'm here for discussion, what's the deal with .pdf's? It seems to be a running belief that putting one's poorly thought out, poorly edited words into pdf forms makes it professional - just like the big boys! It reminds me of the idiotic days when a couple of big boys put flash intro pages, with the nonsense scrolling/zooming in text that became so cliched. Suddenly every small shop did the same, as if this cargo cult would make them a big shop. Really was silly.

Re:"long pdf"? (1)

Eric(b0mb)Dennis (629047) | more than 8 years ago | (#13527463)

I think I suffered from "Didn't RTFB" (read the 'expletive' blurb) and clicked on the link before I saw "long pdf"

Adobe reader, good gosh.. you now know why it took me so long to make such a small comment

Re:"long pdf"? (1)

artemis67 (93453) | more than 8 years ago | (#13527485)

...but does it have pictures?

Re:"long pdf"? Not missed much... (2, Interesting)

justsomebody (525308) | more than 8 years ago | (#13527753)

Believe me, you haven't missed anything.

Yeah, 41 pages long. If you ever read "basic secure your Linux box", well, that's it. I'm disappointed that a real Mac problem was not addressed. It allows you world writable Applications directory, and .app folder copied by user can be tainted anytime by anyone modifying one single file from terminal.

It contains:
Setting password, Displaying warning, locking your firmware (well, this one is the only deviation from "Lock your box for real world dummies"), enabling ACLs, changing user home directories from 022 to 027, tcp_wrappers, xinetd, and other services, file vault, encrypted disk images...

Basically the only positive thing I got from reading it, was how insecure default OSX (talking about DEFAULT here, not what is possible. Mac line was always "Just works") really is. It is more or less as secure as Windows 98 with few bugs taken out and few new entered.
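An audit for the two permission points this comment raises (application bundles that other accounts can write to, and the 022 versus 027 umask), added here as an example and not taken from the Corsaire guide or from the poster. The sample tree and the names `audit_bundles` and `violates_umask` are constructed for illustration.

```python
import os
import stat
import tempfile

HARDENED_UMASK = 0o027  # value the guide recommends, per the comment above


def write_classes(mode):
    """Permission classes other than the owner that hold write access."""
    classes = []
    if mode & stat.S_IWGRP:
        classes.append("group")
    if mode & stat.S_IWOTH:
        classes.append("other")
    return classes


def in_bundle(rel_path):
    """True when any path component is a *.app bundle directory."""
    return any(part.endswith(".app") for part in rel_path.split(os.sep))


def audit_bundles(root):
    """Report every path inside a *.app bundle under root that group or
    other can write to. Returns sorted (relative path, mode, classes)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if not in_bundle(rel):
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            classes = write_classes(st.st_mode)
            if classes:
                findings.append((rel, oct(stat.S_IMODE(st.st_mode)), classes))
    return sorted(findings)


def violates_umask(mode, umask=HARDENED_UMASK):
    """Permission bits present in mode that the umask would have cleared."""
    return stat.S_IMODE(mode) & umask


def build_sample(root):
    """Constructed sample: one bundle with two loose permissions in it."""
    os.makedirs(os.path.join(root, "Demo.app", "Contents", "MacOS"))
    layout = {
        "Demo.app": 0o755,
        "Demo.app/Contents": 0o755,
        "Demo.app/Contents/MacOS": 0o775,       # group can swap the binary
        "Demo.app/Contents/MacOS/demo": 0o755,
        "Demo.app/Contents/Info.plist": 0o666,  # anyone can edit it
        "notes.txt": 0o666,                     # outside any bundle: ignored
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.exists(path):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(path, mode)  # explicit, so the caller's umask does not matter
    return root


def demo():
    """Run the audit over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_bundles(root)


if __name__ == "__main__":
    for rel, mode, classes in demo():
        print(f"{mode:>6}  {rel}  writable by {'/'.join(classes)}")
    # A 0755 home directory keeps r-x for other; umask 027 would yield 0750.
    print("home 0755 vs umask 027:", oct(violates_umask(0o755)))
```

On a real system, `audit_bundles` would be pointed at the applications directory instead of the constructed tree.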

That's all well and nice ... (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#13527256)

but is there any way to make my Mac Mini not suck?

Mac Mini and suck-ness... (0, Offtopic)

Anonymous Coward | more than 8 years ago | (#13527688)

I totally agree. I love my mini... well, let me amend that: I love OS X and the way the mini looks. The base model (originally) only had 256 mb of RAM. Now normally that wouldn't be the biggest deal in the world, but when coupled with a 4200 RPM hard drive, you get some serious slow-downs whenever it hits the swap file.

Best ways to make a mini better:

Get either an external firewire drive with a huge cache or a 7200 RPM internal 2.5" drive (the speeds for external firewire beat the stock internal drive, how pathetic is that?!)

Upgrade the RAM

Change the minijumper on the logic board to overclock the processor

It's a great machine after that. Apple shouldn't have crippled it the way they did.

Re:That's all well and nice ... (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#13527722)

Hear, hear! I got duped into buying a Mini, slowest piece of crap ever.

Re:That's all well and nice ... (2)

lullabud (679893) | more than 8 years ago | (#13527887)

Want to trade for a slow intel piece of crap?

MS would claim that not being the case. (0, Flamebait)

madclicker (827757) | more than 8 years ago | (#13527308)

Did Macs get more popular than PCs with M$? ~Flamer.

intuitive (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13527309)

From TFA
It is possible to disable support for Bonjour in each of the affected applications (e.g. iTunes, iChat, etc.) or to disable the Bonjour service as a whole. To disable Bonjour on the Mac OS X system, issue the command:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
whooa, it was easy and intuitive. it's entirely different from linux cryptic commands.

Does default matter? (4, Insightful)

Poromenos1 (830658) | more than 8 years ago | (#13527310)

If you're going for corporate security, you're probably going to look at every aspect you need to lock down. Security by default matters for 90% of desktop users, but don't you disable services/add firewalls as soon as you set up your OS?

Re:Does default matter? (2, Insightful)

Meshach (578918) | more than 8 years ago | (#13527391)

I think the idea is that IT departments could save some time / money if out of box operating systems didn't have so many default holes. Also there will be a more forgiving margin of error

Re:Does default matter? (1)

Dylan Zimmerman (607218) | more than 8 years ago | (#13527410)

Having a secure default install means that the admins don't have to do nearly as much work to secure it. This means that you can get away with fewer administrators, and therefore, it has the potential of being cheaper for a company to get an OS that starts out secure.

A company would be foolish not to consider the security of the default install of an OS and comparing it with the security of others.

Re:Does default matter? (1)

Mononoke (88668) | more than 8 years ago | (#13528167)

This means that you can get away with fewer administrators...
Which is the biggest roadblock keeping OSX from becoming popular in the corporate environment. Are you going to specify Macs if it means certain downsizing of your department in the near future? Are your fellow IT staff going to let you get away with it?

Re:Does default matter? (3, Insightful)

Halfbaked Plan (769830) | more than 8 years ago | (#13528202)

You're nuts if you think 'the biggest roadblock' is some tacit conspiracy by IT staffers.

Re:Does default matter? (2, Insightful)

akac (571059) | more than 8 years ago | (#13528768)

I don't think that makes any sense, frankly.

Corporate IT departments prefer working on applications, servers, and such. They abhor "help desk" duty which is what setting up drive images, desktops, and such is.

So frankly, the IT department usually doesn't give a care what the desktop users use - it's the help desk department that does.

Re:Does default matter? (0)

Anonymous Coward | more than 8 years ago | (#13527421)

Security by default matters for 90% of desktop users, but don't you disable services/add firewalls as soon as you set up your OS?

Yep, it's also why I can run Solaris on my servers and only worry about patching them every 6 months to a year. I disable all unnecessary services to remove the avenue of a remote attack. If you probed most of my servers you'd find SSH running (TCP wrapped to my workstation's IP) and the service it offers (for example a chroot'd BIND server). I rarely keep myself up at night worrying that someone is going to exploit my Solaris servers through an exploit in some obscure X package since they don't even run X.

Re:Does default matter? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13527495)

but don't you disable services/add firewalls as soon as you set up your OS?

No, because these things should be done by default by the OS vendor.

Re:Does default matter? (4, Interesting)

prichardson (603676) | more than 8 years ago | (#13527561)

The thing that I notice about Windows security in corporate environments is that even when it's so restrictive that using your computer becomes almost impossible, there are still ways around it.

I've seen very secure corporate environments using OS X where everything works splendidly (including roaming profiles actually carrying _all_ of your settings with you). Also, the security manages not to get in the way of day-to-day activity.

That's what converted me to *nix. (1)

Anti-Trend (857000) | more than 8 years ago | (#13529406)

What you're saying is true (I'm sorry I spent my mod points, you're surely due some). This has been frustrating me about Windows since I was an NT4 admin years back. On the recommendation of a certain famous web designer, I tried out Linux. That really opened up my eyes to the beautifully simple approach Unices take towards multiuser security.

Re:Does default matter? (1)

aristotle-dude (626586) | more than 8 years ago | (#13527716)

You can only lock down an OS to a certain degree without impeding productivity of users. If the OS is insecure by default, locking it down could affect the functionality of the software users run on the machine. However, if you have a pretty secure system to start with your software is likely to function as it normally would.

Re:Does default matter? (4, Informative)

sld126 (667783) | more than 8 years ago | (#13528674)

You're ignorant of the default services for OS X client.

They're all turned off.

Even on the server version, only SSH is turned on by default.

Do you really need a firewall until you turn on any services? Most users will never do this. And they have a GUI for the firewall that allows holes for most typical services with just a check box.
 

CIA still using OS X? (2, Interesting)

OneOver137 (674481) | more than 8 years ago | (#13527316)

I remember they did a write up last year about securing OS X Panther.

Re:CIA still using OS X? (4, Informative)

OneOver137 (674481) | more than 8 years ago | (#13527329)

Oops, guess it was the NSA [nsa.gov]

Re:CIA still using OS X? (4, Informative)

Been on TV (886187) | more than 8 years ago | (#13527636)

NSA did a pretty good writeup of Securing Mac OS X Panther Server [nsa.gov] earlier this year. One can still apply all the recommendations to Tiger Server.

Re:CIA still using OS X? (1)

mclaincausey (777353) | more than 8 years ago | (#13527987)

I could tell you, but then I'd have to klil you...

Secure swap space (5, Informative)

guildsolutions (707603) | more than 8 years ago | (#13527334)

One of the features that this article highlights is the Secure swap space, which allows you to have your swap space encrypted so that it cannot be read either unintentionally or intentionally. FileVault is fairly secure for storing business documentation, etc also. Article is well worth a read for any mac user, and non mac user who may have macs in their environment

Wait for it... (5, Funny)

bradleyland (798918) | more than 8 years ago | (#13527461)

Law enforcement agencies announce that "OS X Tiger" stands in the way of forensic investigation. Story at eleven.

Re:Wait for it... (4, Interesting)

mcgroarty (633843) | more than 8 years ago | (#13527641)

When you encrypt files with Windows, a copy of the file's key is encrypted against the key of each user with access to the file. With Windows, there are several additional keys that all keys are encrypted against, reputedly for law enforcement activities. (I can't find anything backing up the law enforcement claim apart from conspiracy nutcake sites, but the fact remains that the unexplained extra keys do exist.)

Anyone know if filevault's key is encrypted against anything apart from the user's key and the optional recovery key?

Long answer... (1)

sld126 (667783) | more than 8 years ago | (#13528781)

No.

Re:Secure swap space (0)

Anonymous Coward | more than 8 years ago | (#13527565)

Restate a couple of points from the article in the comments, recommend that people read it, and suddenly you're +5 Informative?

Re:Secure swap space (1)

cammoblammo (774120) | more than 8 years ago | (#13527968)

Come on... for most people around here, an article summary is informative!

-1 Redundant (0)

Anonymous Coward | more than 8 years ago | (#13527637)

all you did was say "the article has this and this in it. read it if you use macs." +5 for that? what's informative about that?

Learn about Apple's misdeeds and mischief (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13527344)

Right here:

http://malfeasance.50megs.com/ [50megs.com]

Re:Learn about Apple's misdeeds and mischief (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13527448)

Wow, bundling iTunes (a program which lets you load MP3s onto an iPod) with an iPod. What blatant disregard for the consumer, who is powerless to install other iPod interface software [ephpod.com] or buy a different MP3 player.

Re:Learn about Apple's misdeeds and mischief (1)

Saven Marek (739395) | more than 8 years ago | (#13528137)

This is terrible and must be stopped.

I bought a printer two weeks ago. IT TOO CAME BUNDLED WITH A DRIVER.

I notice I was powerless to install another driver to work it, this bundling meant I was not able to get a driver for my Canon from Epson, HP, Netscape, Pioneer or DeWalt.

This is a monopoly!

Re:Learn about Apple's misdeeds and mischief (0)

Troglodyt (898143) | more than 8 years ago | (#13527902)

That's not offtopic, you're trolling.. How is outsourcing a bad thing? I thought you americans were promoting globalisation, but I guess that's only when you're not the ones getting screwed over. Thanks for the link though, I didn't know if I should laugh or cry when I read this: "Although the legal limit on pay to foreign workers in the USA is around $60,000[...]".

41 Pages is not long (0)

Anonymous Coward | more than 8 years ago | (#13527434)

When I read 'long pdf" I thought it was at least 400 pages. 1-50 pages is short, 50-400 pages is a bit long 400-infinity is long.

staying secure (3, Insightful)

jacklexbox (912121) | more than 8 years ago | (#13527460)

Security still depends on the user of the software, even the most secure system can be opened WIDE up if someone chooses (or chooses without knowing) to make it so. You can have everything encrypted, but if your password is easily guessable then your encryption is weak. This goes with the thought that "A system is only as secure as its weakest point."

Tip # 11 (-1, Flamebait)

bennomatic (691188) | more than 8 years ago | (#13527469)

Don't install Windows!

Seriously (1)

cmdrTacyo (899875) | more than 8 years ago | (#13527476)

How can you secure the OS X Tiger
Rub it up down and here it purr?
Blast crap rock no rap music like the cure
I'm the illest pimp so much grace and tenure
You a sick freak, no class like manure
So I spit these raps cause it's all I got
I'm the illest kid who'll leave ya shot
Bleeding to death no chance to live
I'll snatch your wallet no chance to give

You should also run Apple's bundled secure script (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13527496)

Apple includes a command line utility that more or less completely secures your box. Type the following at the command prompt:

sudo rm -rf /

Enter your password when asked.

Read before you sudo rm -rf / (5, Informative)

JonTurner (178845) | more than 8 years ago | (#13527587)

Mildly funny, but also a bit irresponsible without a warning:

Folks, sudo puts you into superuser mode and executes a command, rm. rm removes files, in this case, all of them.

Unless you enjoy completely rebuilding a system and losing all your data files, don't run this command.

Another tip: never enter console commands you don't understand.

mod parent down: clueless alarmism (1)

hildi (868839) | more than 8 years ago | (#13527625)

in this context mac OSX rm is not the same as the brain dead gnu rm.

mac OSX rm -rf / simply removes unneeded clutter from your disk, much as crapcleaner does for windows.

youd think a slashdot poster would have more knowledge. either that or the parent poster is a shameless troll.

Re:Read before you sudo rm -rf / (3, Insightful)

eneville (745111) | more than 8 years ago | (#13527715)

And especially never enter console commands on /. rated anything other than informative, even that is a bad idea. Never enter a console command without first reading the man page, yes it's long and could be a bore, but it's not as boring as restoring from backups (if you have backups of some important directory that you forgot about).

Re:Read before you sudo rm -rf / (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#13529111)

please die
please die
please die
please die

die die die

Doesn't work, please advise... (1, Funny)

Anonymous Coward | more than 8 years ago | (#13527694)

I tried it and nothing happened, the hard drive is going though, how long does it ta.....

Seriously, given the inferiority of Microsoft software, it would do the world a favor if someone would "rm-ed" their stuff worldwide.

We Mac users keep waiting for that certain virus to do the job.

Prison isn't as bad as it's made out to be, you'll be out in 5 years on good behavior.

Re:You should also run Apple's bundled secure scri (-1, Troll)

davebarnes (158106) | more than 8 years ago | (#13527698)

clever and accurate

Re:You should also run Apple's bundled secure scri (2, Interesting)

hawaiian717 (559933) | more than 8 years ago | (#13527734)

No, it doesn't. It just marks as deleted all the inodes for all the files on your disk. Do this, then give the disk to someone with EnCase, and watch them promptly recreate every file on your disk.

Re:You should also run Apple's bundled secure scri (2, Interesting)

justsomebody (525308) | more than 8 years ago | (#13527831)

Yeah, right. At what cost? Count downtime and all service costs.

Windows has the same feature, so what?
On Linux you can install libtrash or any other kind of protection, which is much nicer than any filesystem default, so what?
On VAX all the versions were collected, so what??

It is downtime and service needed that counts not someone with EnCase. Problem is that you can do rm / by default and not what it does and not whether Mac is holy or not.

Re:You should also run Apple's bundled secure scri (1)

Pneuma ROCKS (906002) | more than 8 years ago | (#13527752)

Ok, it's running. Then wh...#$(#*$)#*$)#)$

Quicker way to secure a Mac (2, Funny)

lullabud (679893) | more than 8 years ago | (#13527917)

Unplug the power. I mean, we all know the most secure computer is the one that's turned off, right? And of course it should be locked up in a safe in a deep dark cavern protected by a dragon or something.

Re:Quicker way to secure a Mac (0)

Anonymous Coward | more than 8 years ago | (#13528359)

useless posts yeah. They just simply rock.

Re:You should also run Apple's bundled secure scri (-1, Troll)

Been on TV (886187) | more than 8 years ago | (#13528024)

What you need to run to stay real secure is:

sudo srm -rf /

Takes a bit longer, but it sure does the job... (by default the 35-pass Gutmann algorithm is used)

how to secure tiger (-1, Troll)

a_greer2005 (863926) | more than 8 years ago | (#13527512)

1) open box and insert DVD into Mac
2)run the installer
3) run software update
4) ???
5) you are profitable ^H^H^H^H^H^H^H^H^H^H Secure

More securing OS X links/pdf's etc (5, Informative)

Anonymous Coward | more than 8 years ago | (#13527606)

http://www.nsa.gov/snac/ [nsa.gov]

http://www.net-security.org/dl/articles/Securing_Mac_OS_X.pdf [net-security.org]

http://eq.rsug.itd.umich.edu/software/radmind/ [umich.edu]

http://homepage.mac.com/hogfish/PhotoAlbum2.html [mac.com]

Best tip (not a flame) - simply don't run any Microsoft software, support open or other vendors software please, also W3C standards, thanks.

Windows password hash storage (2, Interesting)

cortana (588495) | more than 8 years ago | (#13527678)

I didn't see any mention of disabling this dangerous feature in the article.

By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximately 0.000000001 seconds to brute force with John the Ripper [google.com].

So it's advisable to somehow disable this functionality.

Re:Windows password hash storage (1)

Rosyna (80334) | more than 8 years ago | (#13527793)

Where is it storing the password as a Windows hash? As of 10.3 all new account passwords are stored using a ShadowHash (and not crypt) and if you change your password in the accounts prefpane and it was previously stored via crypt, it'll be upgraded to ShadowHash.

Re:Windows password hash storage (1)

cortana (588495) | more than 8 years ago | (#13527814)

IIRC, /var/db/samba/hash/$USER. This was on my brother's OS X 10.3 (Panther) machine.

Re:Windows password hash storage (2, Informative)

Smurf (7981) | more than 8 years ago | (#13528010)

You may be recalling incorrectly...

Otherwise, you may be happy to know that on Tiger there is no "hash" subdirectory in /var/db/samba, only a file called secrets.tdb.

Maybe it's stored somewhere else. Or maybe Apple fixed this vulnerability in Tiger (your experience is with Panther anyway).

Re:Windows password hash storage (2, Informative)

zhiwenchong (155773) | more than 8 years ago | (#13528142)

Yes, this was an issue but it was resolved.
Apple fixed this in one of the recent Software Updates. It was mentioned in the release notes.

Re:Windows password hash storage (3, Informative)

kekeruusperi (771725) | more than 8 years ago | (#13528005)

In Tiger, when enabling samba sharing, you have to choose which accounts to use and you are also warned about storing the passwords in a less secure way.

Re:Windows password hash storage (5, Informative)

Anonymous Coward | more than 8 years ago | (#13528244)

Cortana: "By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximately 0.000000001 seconds to brute force with John the Ripper"

On Tiger, this is not true. In Tiger, one has to explicitly check a checkbox for each user, and enter that user's password, to allow those users to use Windows sharing. The sheet with these checkboxes states:

"Sharing with Windows computers requires storing your password in a less secure manner. You must enter the password for each account that you want to enable."

So, Windows file sharing is there, but Apple has not exactly made it easy to enable it.

Given this UI, I guess that there is no way to secure this weakness in Windows file sharing without breaking compatibility.

Re:Windows password hash storage (1)

cortana (588495) | more than 8 years ago | (#13528323)

Yeah, I'm glad to see that Apple improved this in 10.4.

Metadata in the PDF (4, Interesting)

grondin (241140) | more than 8 years ago | (#13527991)

"martin" created this PDF document in MS Word 7 (using Acrobat 6 for Windows) on 8/19/05 at 7:07 am. The following meta-data was left in the PDF:
<?xpacket begin='&#212;&#170;&#248;' id='W5M0MpCehiHzreSzNTczkc9d'?>
<?adobe-xap-filters esc="CRLF"?>
<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='XMP toolkit 2.9.1-13, framework 1.6'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='http://ns.adobe.com/iX/1.0/'>
<rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:pdf='http://ns.adobe.com/pdf/1.3/' pdf:Producer='Acrobat Distiller 6.0.1 (Windows)'></rdf:Description>
<rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:xap='http://ns.adobe.com/xap/1.0/' xap:CreatorTool='PScript5.dll Version 5.2.2' xap:ModifyDate='2005-08-19T13:07:33+01:00' xap:CreateDate='2005-08-19T13:07:33+01:00'></rdf:Description>
<rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:xapMM='http://ns.adobe.com/xap/1.0/mm/' xapMM:DocumentID='uuid:e3821de7-3fc1-4e6a-a7b1-2686024123c0'/>
<rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:dc='http://purl.org/dc/elements/1.1/' dc:format='application/pdf'><dc:title><rdf:Alt><rdf:li xml:lang='x-default'>Microsoft Word - 7 - Securing Mac OS X 10 4 Tiger v1.0.doc</rdf:li></rdf:Alt></dc:title><dc:creator><rdf:Seq><rdf:li>martin</rdf:li></rdf:Seq></dc:creator></rdf:Description>
</rdf:RDF>
</x:xmpmeta>
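A pre-publication check for the kind of XMP packet quoted in the comment above, as an added example that is not part of the original comment or the Corsaire guide. It assumes the packet is stored uncompressed and uses the `x:` prefix as in the quoted packet; the sample bytes and the names `xmp_fields` and `SAMPLE` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
# Namespaces that appear in the quoted packet, mapped to their usual prefixes.
PREFIXES = {
    "http://ns.adobe.com/pdf/1.3/": "pdf",
    "http://ns.adobe.com/xap/1.0/": "xap",
    "http://ns.adobe.com/xap/1.0/mm/": "xapMM",
    "http://purl.org/dc/elements/1.1/": "dc",
}
XMP_RE = re.compile(rb"<x:xmpmeta\b.*?</x:xmpmeta>", re.DOTALL)

# Constructed sample: a PDF-like byte string carrying one small XMP packet.
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
    b"<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
    b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
    b"<rdf:Description rdf:about='' xmlns:pdf='http://ns.adobe.com/pdf/1.3/'"
    b" pdf:Producer='Example Distiller'/>"
    b"<rdf:Description rdf:about='' xmlns:dc='http://purl.org/dc/elements/1.1/'>"
    b"<dc:title><rdf:Alt><rdf:li xml:lang='x-default'>Microsoft Word - draft.doc"
    b"</rdf:li></rdf:Alt></dc:title>"
    b"<dc:creator><rdf:Seq><rdf:li>alice</rdf:li></rdf:Seq></dc:creator>"
    b"</rdf:Description></rdf:RDF></x:xmpmeta>\nendstream\nendobj\n%%EOF\n"
)

def _short(qname):
    """Map '{namespace}local' to 'prefix:local'; None for untracked namespaces."""
    if not qname.startswith("{"):
        return None
    ns, local = qname[1:].split("}", 1)
    return f"{PREFIXES[ns]}:{local}" if ns in PREFIXES else None

def xmp_fields(pdf_bytes):
    """Return {field: [values]} for XMP properties found in uncompressed packets."""
    found = {}
    for packet in XMP_RE.findall(pdf_bytes):
        try:
            root = ET.fromstring(packet)
        except ET.ParseError:
            continue  # damaged packet: skip it rather than abort the audit
        for desc in root.iter(f"{{{RDF}}}Description"):
            for key, value in desc.attrib.items():  # attribute form (pdf:Producer='...')
                if _short(key):
                    found.setdefault(_short(key), []).append(value)
            for child in desc:  # element form (dc:creator/rdf:Seq/rdf:li)
                texts = [t.strip() for t in child.itertext() if t.strip()]
                if _short(child.tag) and texts:
                    found.setdefault(_short(child.tag), []).extend(texts)
    return found
```

Any non-empty result is something to review before the file leaves the organisation. The PDF Info dictionary can carry the same fields and is not inspected here.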

Re:Metadata in the PDF (0)

Anonymous Coward | more than 8 years ago | (#13529305)

So?

mo3 Mup (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13528633)

3 simpl3 steps! disappearing up its

Move your keychain file to a removable disk (4, Informative)

sdpinpdx (66786) | more than 8 years ago | (#13528820)

You can specify any keychain file as your default, and it can be anywhere. If that's a CF card in the PCMCIA slot, your keychain is removable. Thumb drives also work, of course, but the CF card doesn't protrude beyond the case.

Re:Move your keychain file to a removable disk (0)

Anonymous Coward | more than 8 years ago | (#13529119)

One problem:

Currently available Mac laptops don't come with CF readers or PCMCIA slots...

Re:Move your keychain file to a removable disk (2, Insightful)

Horst Graben (841338) | more than 8 years ago | (#13529393)

That is incorrect - both the 15" and 17" PowerBook G4 come with a PC card slot.

Good guide overall (2, Informative)

Durandal64 (658649) | more than 8 years ago | (#13528934)

I skimmed through it, and it's pretty thorough. Great for lab admins to have handy. I do wish they would have mentioned something about chroot for SFTP though.

Re:Good guide overall (2, Informative)

netsrek (76063) | more than 8 years ago | (#13529053)

the standard chroot methods for openssh work under OS X, and if you build the binaries yourself, you don't need all the Frameworks that the Apple version requires.

The problem with chrooting on 10.4 now is that Apple's network home mounting method borks if you have /./ in the path, so you have to do static mappings.

small world Durandal. :)

(dhaveconfig/netsrek)

Three thumbs up (4, Interesting)

teaenay (844596) | more than 8 years ago | (#13529145)

As a Security Architect for a major bank in my country and an "I don't do windows" user at home (OS X, linux), I found this document to be a brilliant guide to securing an OS X client.

I had already applied some of the security recommendations, such as enabling security on Open Firmware, but I've just learned there are a plethora of other security options available on Mac OS X 'out of the box'.

There are options in Tiger's security preferences that allow swap space to be encrypted and to avoid passwords being accessible in the clear when stored in memory and swapped to disk. Kernel core dumps can be disabled for similar reasons.

Password policies! I had no idea Tiger could do that.

After going through this article and learning a bit more about how KeyChain works, I've started creating my own keychains to store 'Secure Notes' and I've finally accepted that Safari does do 'auto-logon' securely in the way it uses KeyChain.

This is a very good article.

Re:Three thumbs up (2, Interesting)

macshome (818789) | more than 8 years ago | (#13529492)

Password policies! I had no idea Tiger could do that.

It can starting with 10.3. I have an older article about it on my site here [afp548.com]. The article is from 10.3, but really just more of it works now on 10.4. Also look at the site for my login times script that uses pwpolicy to imitate the login hours policy that other OSes offer admins.

Last year at MacWorld SF, I put together a pwpolicy GUI in AppleScript Studio for a live demo. I also did a minor bit of pwpolicy scripting at WWDC this year. If you have an ADC membership you can watch that preso. It was fun when the demo Mac started to fall apart while I was trying to code...

Easy as any O/S to secure... (4, Insightful)

Nick Driver (238034) | more than 8 years ago | (#13529577)

Without even R'ing the FA, I can tell you that truly securing the Mac OS is just as easy as truly securing any other OS.

1) Unplug it from any network.
2) Strictly control whoever gets physical access.
3) ???
4) Security!

Seriously... after watching some dipshit try over 4,000 times within the span of a couple hours to attempt buffer overflows on every listening port on my honeypot last Friday afternoon, before I finally blacklisted his entire class C from my router, I've come to the same conclusion that the DoD has... that NO computer connected to the Internet can be made secure... period... that you should only connect disposable devices to the public Internet.

I even wonder if I'm not the bigger dipshit for sitting there watching this idiot half the afternoon, throwing the kitchen sink at my poor machine in vain, before pulling the plug on him and banishing his whole netblock.