Re: Mac X-Server Security Questions...

From: David Haines (david_at_coresolutiongroup.com)
Date: 04/07/05

    Date: Wed, 6 Apr 2005 18:36:50 -0400
    To: security-basics@securityfocus.com
    
    

            I work with primarily Macs but also PCs on a regular basis. I find it
    contrary to my ongoing experiences, and fairly disingenuous to state as
    fact that PC users are more prudent than Mac users: The average user on
    any platform is neither informed nor takes appropriate steps to
    mitigate the numerous dangers of putting their computer on the
    Internet.

            To suggest that OS X is inherently insecure does indeed show a lack of
    experience with it, and this common sort of vendor-specific bias is
    lamentable. Mac-bashing and/or FUD is no more helpful to anyone than is
    MS-bashing and FUD.
            
            For any OS X-based computer, Samba sharing is not enabled by default.
    For that matter, nor is the Apple filesharing enabled. Neither is SSH.
    Those are the only standard ways available to connect to a Mac OS X box
    "out of the box" and they are shut off out-of-the-box. There are still,
    of course, the dangers of web-based exploits (phishing and DNS-poisoning
    are platform-agnostic) and any files that one could potentially
    download via http or ftp.
            Most of the published "exploits" so far require direct (and
    misguided/misinformed) actions by the user sitting at the computer:
    download a file of unknown origin from an unknown source and run the
    installer for it. The rest of these "exploits" are: 1) Issues that
    should be handled appropriately that are common concerns for any
    Unix-based system 2) proof-of-concept and/or companies using snake-oil
    scare-tactics to attempt to generate press coverage and/or revenue.
            Standard precautions for SSH should be taken, as with any Unix-based
    system. Edit the sshd_config file and do not allow login by root. Don't
    even use the root on the computer if you're not well familiar with the
    Unix root-user. Use "sudo" instead.
            Edit /etc/xinetd.d/ssh to allow connections from specific IPs only if
    you wish.
            Don't use Norton for anti-virus, continually problematic. If something
    is needed to check against PC-viruses, go with the latest Virex or
    better yet the Open-Source clamav.
            Standard precautions of secure passwords and not using default
    usernames/login apply (i.e., not Admin).

            Keep the system up-to-date. Use a decent Firewall. Don't use
    clear-text logins, be it for filesharing or for email.

    > On Apr 5, 2005, at 11:20 AM, Brad Berson wrote:
    >
    >> Now in the PC world nobody in their right mind leaves Windows' file
    >> sharing ports open to the Internet
    >
    >
    > So here's where I'm coming from... I've been doing PC stuff for twenty
    > years. I program, I know networking, applications, know Windows inside
    > and out, and am fairly conversant in security matters from a Windows
    > POV and in general, I think. For several years PCs have been such a
    > huge target that folks in the Mac world have gotten a little too
    > comfortable.
    > Only now in the past month I've personally seen two instances of
    > completely unprotected OS-X boxes getting almost totally compromised.
    >
    > The boxes in question have since been rebuilt and put behind firewalls,
    > and post-mortem forensics are a bit light because the folks who do the
    > Mac work in my organisation went into "oh $#!+" mode, but now I'm
    > interested in learning this environment and figuring out how to permit
    > access while protecting the system.
    >
    > As for what happened, the account database was definitely compromised,
    > and fairly secure passwords were discovered. My initial worry was that
    > Samba would have some NetBIOS-like hole that permitted account
    > enumeration but so far I've seen no supporting evidence, so I'm
    > assuming the account list was compromised through one of many
    > vulnerabilities in OS-X and its accompanying layered packages. The
    > scary part is that in one instance, a freshly rebuilt box, patched and
    > up to date, went back on-line without a firewall and was compromised
    > again in about an hour. So we might have had a zero-day issue just to
    > make things more entertaining. So behind closed ports it stays, at
    > least for now.
    >
    > Now in the PC world nobody in their right mind leaves Windows' file
    > sharing ports open to the Internet, yet in the Mac world it seems like
    > people leave AFP (and Samba) widely accessible. I find this
    > exceptionally scary. Then when you tell the folks how scary that is,
    > they recoil in horror at the idea of having any obstacle in their way
    > to point and click heaven. So what do we do? VPN? What sort of
    > solutions are there? And is there anything special I need to know
    > about OS-X in terms of unusual vulnerabilities from an architecture
    > standpoint? (BSD heritage, I know).
    >
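
Added example, not part of the original message: a small check for the two SSH precautions the reply describes, root login disabled in sshd_config and the xinetd ssh entry restricted to specific addresses. The function names, sample file contents and documentation-range addresses are constructed for illustration; `PermitRootLogin` and `only_from` are the standard sshd_config and xinetd keywords.

```python
import re

def sshd_root_login(config_text):
    """Effective global PermitRootLogin value, or None if it is never set.

    sshd keeps the first value it reads for a keyword; keywords are
    case-insensitive. Match blocks are not evaluated: parsing stops there.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return None

def xinetd_only_from(service_text):
    """Addresses/networks listed by only_from in an xinetd service entry."""
    allowed = []
    for raw in service_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"only_from\s*\+?=\s*(.*)$", line)
        if m:
            allowed.extend(m.group(1).split())
    return allowed

def audit(sshd_text, xinetd_text):
    findings = []
    if sshd_root_login(sshd_text) != "no":
        findings.append("sshd_config: PermitRootLogin is not explicitly 'no'")
    if not xinetd_only_from(xinetd_text):
        findings.append("xinetd ssh entry: no only_from restriction")
    return findings

# Constructed sample files (not taken from a real host).
WEAK_SSHD = "#PermitRootLogin yes\nPasswordAuthentication yes\n"
HARD_SSHD = "Protocol 2\nPermitRootLogin no\n"
WEAK_XINETD = "service ssh\n{\n    disable = no\n    socket_type = stream\n    wait = no\n    user = root\n}\n"
HARD_XINETD = WEAK_XINETD.replace("}", "    only_from = 192.0.2.10 198.51.100.0/24\n}")

if __name__ == "__main__":
    for name, s, x in (("weak", WEAK_SSHD, WEAK_XINETD), ("hardened", HARD_SSHD, HARD_XINETD)):
        print(name, audit(s, x) or "no findings")
```

A commented-out `#PermitRootLogin yes` line counts as unset, so the check reports it rather than relying on the installed sshd's default.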
