
A Security Primer for Mac OS X

Pick a Good Password

It may sound silly, but the easiest way to break into most computers is to politely ask the computer for permission to enter! And how do you do that? By guessing the passwords set by the authorized users. Indeed, in most cases, computer users pick relatively weak passwords that do not protect them effectively and that can be guessed easily--remember that hackers can use programs that try a few thousand passwords per minute!

Should an attacker use this method, no firewall or security system could really detect his presence and stop him since, for the computer, this person is you.

Luckily, picking a good password isn't too difficult, as long as you at least follow some basic guidelines:

  • It is not one - or many - word(s) that can be found in a dictionary, no matter in which language or how complex it is.
  • It is not a word followed or preceded by random characters, numbers or signs.
  • It is not a number-only code.
  • It is not your computer's hostname, or the name of an account.
  • It is not an alteration of the above categories--doubled, reversed...
  • It is longer than 8 characters - longer than 12 would be better.
  • It contains uppercase and lowercase letters, punctuation, symbols and numbers...
  • It isn't any sensitive information like your social security number.
  • One cannot guess it - i.e. it is not the name of your dog, favorite dish or the name of a celebrity.
  • It is not listed as a "good password" in a book, on a site--including this article!
  • It is not something that you send in the clear like your user name, email address, an account number, etc.
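
The mechanical rules in the list above can be checked automatically. The following is an added example, not code from the original article: the function names and the tiny word list are hypothetical, and it covers only the length, number-only, dictionary, hostname/account, alteration and character-class rules.

```python
import re

# Constructed sample word list; in practice load a full dictionary file.
WORDS = {"password", "dragon", "monkey", "sunshine", "bonjour", "soleil"}

def core_variants(pw):
    """Return the lowercase password plus forms with edge non-letters
    stripped, reversed and un-doubled, so simple alterations are caught."""
    low = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    forms = {low, stripped, low[::-1], stripped[::-1]}
    half = len(stripped) // 2
    if half and stripped[:half] == stripped[half:]:
        forms.add(stripped[:half])          # "dragondragon" -> "dragon"
    return forms

def check_password(pw, hostname="", accounts=(), words=WORDS):
    """Return the list of guideline violations; empty means none found."""
    problems = []
    forms = core_variants(pw)
    if len(pw) <= 8:
        problems.append("8 characters or fewer")
    if pw.isdigit():
        problems.append("number-only code")
    if forms & set(words):
        problems.append("dictionary word or simple alteration of one")
    names = {n.lower() for n in (hostname, *accounts) if n}
    if forms & names:
        problems.append("hostname or account name")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, pw) for c in classes):
        problems.append("missing a character class")
    return problems

if __name__ == "__main__":
    # Constructed candidate: a dictionary word with characters appended.
    print(check_password("dragon42!", hostname="mymac", accounts=["alice"]))
```

An empty result only means none of these mechanical rules fired; the guessability rules (pet names, published examples, information sent in the clear) still need human judgment.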

Surprising as it may be, the user password is, in many cases, the weakest link in a security system.


Of course, should you rely on the "Keychain" to hold your various passwords securely, you should be extra careful when picking its password--and it should not be the same as any of the passwords that are stored inside of it. Panther users will notice that the "new keychain" creation dialog now features a password checker, available through the "i" button.

To use it, click on the button once you have entered the password in the "Password" field of the dialog--you do not need to enter it twice at this stage. You can then alter your password and see the new security rating appear "live" in the password checker window. Follow the given recommendations until the bar turns completely green--there should be no remaining trace of red, orange or yellow--and there are no recommendations in the lower part of the window.

Protect Your Password

Now that you have found a relatively secure password, you should also make sure that nobody knows it... The same applies to your other accounts since a malicious user could try to use them to break into your computer--put a malicious program in your email inbox, for example--or steal your identity.

The first rule is to have separate passwords for everything. Rely on the Keychain application to provide these various passwords to the applications or online forms that need them if you cannot remember them, but make sure that someone who has your AIM password (never encrypted) cannot log into your computer remotely or check your mail!

Never reveal this password to anyone, especially if you are requested to send it through an unencrypted channel (web page, mail, instant message, phone...) or receive a message with links to follow--these are usually scams that attempt to redirect you to a fraudulent site. You should not send passwords via a network, even to trusted individuals, since they can be easily sniffed during the transfer over the wire--or worse, a wireless network.

Do not write your passwords down. Should you need to do so, lock them in a bank safe where you will be able to find them if needed, but do not keep them on you or around your computer--no, not even under the keyboard!

If possible, try to create multiple keychains on your Mac in order to group passwords and unlock the password sets on an as-needed basis. In order to do that, use the "Keychain Access" utility, located in your Utilities folder. While you create and manage your keychains, be sure to use the "View" menu to display the keychain menu item in your menu bar: that way, you will be able to lock and unlock keychains on-the-fly. Once a keychain is locked, your passwords are safely stored in an encrypted file.

Protecting passwords in a locked file will not only prevent local and remote malicious users from using them but also potential trojan horses--since you are required to provide your password to decrypt a keychain. Of course, as soon as you decrypt a keychain file to use a password, your password is at risk, but this limits the periods of exposure.

Inside a keychain you should also set up strict access rules for the various items and restrict their use as much as possible. Such settings can be found in the lower half of the Keychain window.

The "Keychain" application has a frequently forgotten feature: secure notes. Secure notes work exactly as password items and enjoy the same level of protection but allow you to enter an unlimited amount of text. In order to create one, simply use the "Note" button or the "File" menu. Notes are a good way to store relatively sensitive information but you may want to create "notes only" keychains for the sake of organization and security.

Frequent Password Security Issues

A common password security issue is posed by mail readers that do not use SSL to connect to the server. You may want to have a look at this article from Jason McIntosh about secure mail reading. Should you find that your provider does not support any kind of secure mail reading--a surprisingly common situation--consider switching to another as soon as you can. Apple's very own .Mac mail services do offer secure mail reading through SSL, and are fully integrated with Panther's

You may even want to go one step further and follow these steps to enjoy truly secure mail reading--although this has nothing to do with the protection of your mail password, such methods can defeat social engineering attempts.

Passwords can be sniffed and intercepted in countless ways and you should never trust the same password over a long period of time. Change your password regularly, and try to create new ones each time--for example, avoid sequential passwords like Password01 > Password02.... These are easily crackable.

Make Sure That You Do Not Allow Intruders In

Unlike many other Unix--and especially Linux--distributions, Mac OS X ships with all services and potentially dangerous daemons turned off by default. Most of them can be turned on by using the "Sharing" preferences pane, available through the "System Preferences" application.

As soon as you turn a "service" on, you start a daemon that will continuously listen for connections on a given port and reply to them. For example, turning "Remote login" on will launch the sshd daemon that will allow anyone to establish a connection to your Mac through port 22. Should a malicious user know your password, he will be in, and legally!

Some of these services turn your Mac into a server, raising a new class of potentially important security issues. Therefore, you should not turn these services on unless you really need them.

Of course, most of these daemons run as nonhuman users on Mac OS X. In other words, they run as if they were a separate user on your machine with very limited privileges. This makes using them to break into your computer more difficult, especially if you make sure that you always use the latest versions of them.

However, such daemons can always be used to gain some interesting information about your computer and to launch DoS (Denial of Service) attacks quite easily--for example, repeatedly request SSH logins or file sharing to slow your computer down.

Should you need to run a "dangerous" service--i.e. a widely known, insecure one, like FTP or Windows File Sharing--you may want to dedicate a specific machine on your network and use it as a file server. On properly firewalled networks, place this machine outside of the firewalled zone--provided that its contents are to be known by the whole world, of course: this will make connecting it to the Internet and serving data much easier while protecting the rest of your network.

For the same reason, avoid sharing your internet connection through the "Internet" tab since this grants legitimate access to other computers on your network and launches server daemons on your Mac too. Of course, this is not an issue when working with trusted computers and individuals but should not become a common practice in public places.

At the Application Level

However, making sure that you didn't turn on any dangerous service at the operating system level is sometimes not enough since some applications can run their very own server services.

Some group work applications can turn your Mac into a file sharing server, for example. Some webcam drivers have a web server function that allows remote users to connect to your machine to see the images you publish. Of course, some of these applications are well written but you should always consider the security risk associated with running servers, even if this does not happen at the OS level--since the effect is, ultimately, the same or worse.

Without discussing the legal aspects associated with peer-to-peer networks, let's not forget that many such applications have been known for installing spyware or featuring flawed security systems. Should you insist on using them--to share files legally, of course--you may want to follow the procedure mentioned above.

Some applications are known to raise constant security issues--I won't give names but I am sure you see what I mean. Whenever possible, try to avoid these applications and to rely on more secure alternatives. The open source community has released some great, fully functional alternative applications that can integrate perfectly into your existing workflow.

Wireless networks protected by WEP are inherently insecure as this excellent article proves--please, do not attempt to reproduce the steps outlined in it before making sure that it is legal in your country, even on your own network. Therefore, you may want to rely on better methods like WPA. Apple recently released an AirPort update that allows you to use this updated security method, even in mixed AirPort / AirPort Extreme environments. More information may be found here.

Better Yet, Lock Them Out

Now that you are sure that you do not allow people in too easily, you may want to make sure that you lock them out, by using a firewall.

As silly as it may seem, a software firewall is no stronger than the operating system it runs on--as the ever increasing Windows security issues show.

Therefore, it is important to get a hardware firewall that will provide a first layer of security for your network by making it "stealth"--i.e. not responding to various probes--and warning you in case someone really tries to break in.

No hardware firewall is 100% secure but, by applying the security updates provided by your vendor, you should be able to keep most wannabe evildoers out of your LAN.

Also, using a hardware firewall to protect your network will allow you to worry less about the security mistakes that some users may commit on their Macs--although this should not give a false sense of security either.

There are many, many types of firewalls and all of them have their strengths and weaknesses. However, you may want to make sure that you follow these rules:

  1. Your external firewall should not require that you install any software of any kind on your Mac. Most of them now use a web-based interface, solving most compatibility issues. However, not all web-based interfaces are created equal and you should try to avoid the ones that have been "optimized for Internet Explorer 6 or better"--this usually indicates a PC-centric vendor and is in no way a guarantee that the interface is better, even if you plan to set it up from a Windows computer.
  2. Your firewall should provide you with detailed logs and should be able to warn you in case it detects something abnormal--by sending a mail, a page or a phone call. Even entry-level firewalls do that now (to some extent, of course) and it can be a valuable help.
  3. Your firewall should use a stateful packet inspection system or better--in other words, it only allows remote packets that come as a reply to a request you sent. NAT is a first step towards security but does not a firewall make--although it is essential if you need to connect multiple computers on your LAN with one ISP-provided IP address.
  4. Your firewall should come with default settings that provide maximum security and not require you to be an iptables expert!
  5. Ideally, your firewall should have DMZ capabilities. A DMZ or de-militarized zone is an area of your network that is isolated from the firewalled computers and that can be connected directly to the internet. This is the place where you will place all your public servers and computers: it is not protected but, in case something goes wrong, the computers that contain your sensitive data are safe.

Some firewalls can act as routers and modems, making creating a network very easy. Of course, you should pick one using Ethernet--I have yet to see one that doesn't but you never know what can pop up at a computer store.

Use a Software Firewall

Surprisingly, few Mac OS X users know that their operating system of choice comes with a built-in, time-tested, industrial strength firewall that they can turn on by simply using the "Sharing" preferences pane.

Here are the detailed steps to follow.

  1. Open the "System Preferences" application--you can do so quickly by using the Apple menu.
  2. Click on "Sharing" to open the "Sharing" preferences pane and select the "Firewall" tab.
  3. Make sure that no box is checked in the "Allow" list.
  4. Click on "start" to start the firewall.

The firewall used by Mac OS X is called "ipfw" which stands for "ipfirewall". Its job is fairly simple--close ports and prevent remote hosts and applications from connecting to them. Some users may argue that the interface provided by Apple does not allow a lot of fine-tuning: this is true, but is done on purpose to allow even newcomers to benefit from reliable security settings, without having to worry too much about settings.

Of course, by turning your firewall on, you are preventing some applications from establishing a connection with your computer. This is not likely to interfere with most of your workflow but can, under some circumstances, prevent a few network-aware applications from working, especially Rendezvous enabled ones--iChat over Rendezvous, for example. To avoid this, you can open the necessary ports by checking the corresponding box in the "Allow" list. Just keep in mind that, the more ports you open, the less effective your firewall will be--but it sure is far better than disabling the firewall altogether.

Unfortunately, ipfw does not feature instant warning and will only write its warning messages to a log, accessible through the Console utility. This has the advantage of not disrupting your workflow but, unfortunately, does not allow you to react in a timely manner to some attacks since you are probably not constantly monitoring the logs.
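
Since the log is the only place ipfw reports what it blocked, a short script can do the reading for you. The following is an added example, not part of the original article: it summarizes denied connections per source address and flags sources denied on several distinct ports. The log line layout, the function names and the sample lines (which use documentation address ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines; the layout is an assumption:
# "ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> in via <if>"
SAMPLE_LOG = """\
Feb 10 14:02:11 mymac kernel: ipfw: 12190 Deny TCP 203.0.113.7:40112 192.168.1.10:22 in via en0
Feb 10 14:02:12 mymac kernel: ipfw: 12190 Deny TCP 203.0.113.7:40113 192.168.1.10:23 in via en0
Feb 10 14:02:13 mymac kernel: ipfw: 12190 Deny TCP 203.0.113.7:40114 192.168.1.10:80 in via en0
Feb 10 14:05:40 mymac kernel: ipfw: 12190 Deny TCP 198.51.100.9:51515 192.168.1.10:22 in via en0
Feb 10 14:06:02 mymac kernel: ipfw: 12190 Deny UDP 198.51.100.9:5353 192.168.1.10:5353 in via en0
Feb 10 14:07:00 mymac kernel: some unrelated message
"""

DENY = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) in\b")

def summarize_denies(log_text):
    """Map each source address to the set of (proto, port) it was denied on."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY.search(line)
        if m:                               # skip lines that are not denies
            hits[m["src"]].add((m["proto"], int(m["dport"])))
    return dict(hits)

def noisy_sources(log_text, min_ports=3):
    """Sources denied on at least min_ports distinct ports: a sign of a
    probe sweep rather than a single stray connection."""
    return sorted(src for src, ports in summarize_denies(log_text).items()
                  if len(ports) >= min_ports)

if __name__ == "__main__":
    for src, ports in summarize_denies(SAMPLE_LOG).items():
        print(src, sorted(ports))
    print("review first:", noisy_sources(SAMPLE_LOG))
```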

Many companies now sell third-party firewalling solutions that do not rely on ipfw in any way... These firewalls provide you with instant notification systems and are generally more "friendly" for a new user. However, they need to add "kernel extensions" to your installation--files that act at a very low level in your operating system to add features. While a very well written kernel extension can work perfectly, be aware that you will need to update them frequently and to pay attention to potential compatibility and stability issues.

Many firewall companies will provide online tests that will try to "test" your firewall. For example, you may want to have a look here. Of course, most of these tests are linked to advertisements for the company's products and none of them will replace a good security audit. However, they still can provide you with some valuable information.
