Xtreme OS X Security - Using Leopard - Hackint0sh.org
  1. #11
    Professional Array bofors's Avatar

    Join Date
    May 2006
    Posts
    80
    Post Thanks / Like
    Downloads
    0
    Uploads
    0
    Rep Power
    12

    Default

    NSA OS X Security Configuration Guide notes (continued):


    ***CHAPTER 4, Configuring System Settings***

    - p. 22: Removing Registration Information
    Mac OS X stores any registration information gathered during the installation in a
    file. The system attempts to send the registration information from that file to Apple
    as soon as a network connection is made. Earlier in this guide, instructions were
    given to bypass entry of registration information. If, however, information was
    entered into the registration screen, it should be deleted before the system is
    connected to a network. The following steps will prevent this information from
    being sent:

    1. Make sure the first administrator account is logged in. If the steps in this
    guide have been followed, that account will have been logged in automatically
    when the machine booted.
    2. Open the home folder.
    3. If an alias named Send Registration is located in the home folder, drag
    it to the Trash.
    4. Open the folder Library/Assistants under the home folder of the first
    user account.
    5. If the file Send Registration.setup exists there, drag it to the Trash.
    6. Choose Secure Empty Trash from the Finder menu to delete the files.


    So, if registration information is entered (which should be bypassed as per the instructions above) a message may be sent to Apple automatically by OS X (aka "calling home"). The registration information is stored in two files, the obvious one on the Desktop and one in ~/Library/Assistants. They both should be securely deleted.

    Note that trash can be securely deleted by pulling down the "Finder" menu item in the MainMenu bar.
    Last edited by bofors; 03-11-2007 at 04:28 PM.


  2. #12
    Professional Array bofors's Avatar



    - pp. 23-24: Screen Saver
    ...
    4. Use the slider in the panel to set the Start screen saver time to 5 minutes,
    or whatever is dictated by site policy.
    5. Click on the Hot Corners button at the bottom left of the Desktop &
    Screen Saver panel.
    6. Choose which corner is to be used as the hot corner for starting the screen
    saver (Figure 4).


    Ok, so a locking screen saver should be used with an activation time of about 5 minutes. Hot Corners should be set up to immediately start the screen saver (in case of intrusion) or to disable it (like when watching a movie or reading).

  3. #13
    Professional Array bofors's Avatar


    - p. 25 FileVault
    Mac OS X’s FileVault feature for encrypting home folders is strongly
    recommended for systems whose physical security cannot always be
    guaranteed, such as portables like the iBook and PowerBook. FileVault
    encryption should be enabled for the system and for all user accounts. When
    FileVault is enabled for a user account, files in the user’s home folder are
    encrypted, and thereby protected from casual viewing if the system is
    compromised. However, FileVault may adversely affect disk-intensive tasks
    such as video editing. If delays in disk-intensive tasks interfere with
    operational needs, use of FileVault may not be practical.


    I have been using FileVault on OSx86 for almost a year and it works great. I only keep "sensitive information" in my home folder. All non-sensitive information is stored elsewhere. Again, the NSA's OS X guide is for Panther 10.3; Tiger 10.4 added a secure virtual memory option. I use this on my laptop as well and I might start using it on non-performance critical desktop machines.

    One more thing about FileVault, it appears to operate in such a way that it does not immediately "recycle" disk space. So, one has to log out periodically to recover this space.

    DVDs and CDs can also be encrypted, I will talk about this later.

  4. #14
    Professional Array bofors's Avatar


    - pp. 28-29 Additional Security Settings
    ...
    7. The Log out after x minutes of inactivity box should be unchecked
    for three reasons. First, automatically logging out a user can become
    extremely annoying to the user. Second, it can cause operational
    difficulties if a user runs processes that may be killed by the automatic
    logout process. Third, the automatic logout process can sometimes fail
    to complete without intervention, leaving the user with a false sense of
    security. If a program is hung or cannot quit properly, the logout
    process may be blocked from completing.


    So, the NSA recommends the obvious. Require a password to unlock the screen saver, disable automatic login, require password to unlock secure system preferences. It is interesting to note that NSA does not recommend automatic log-out for some interesting reasons. Again, in Tiger one could also set the "secure virtual memory" option for a performance hit, but I use it on my laptop.
    Last edited by bofors; 03-07-2007 at 06:44 PM.

  5. #15
    Professional Array bofors's Avatar


    - p. 30 Bluetooth
    ...
    • Bluetooth, IR ports, CD writers, and any other hardware capability that could
    be dangerous in a secure environment should be physically disabled if
    possible;


    It is quite obvious that no wireless devices should be used in a secure environment for at least two reasons: (1) they are inherently less secure than wired devices and (2) they can be jammed. Otherwise, the NSA goes farther here by stating that any such hardware threats to a secure environment should be physically disabled.


  6. #16
    Professional Array bofors's Avatar


    - pp. 32-34 Energy Saver
    ...
    8. Uncheck the checkbox in front of the Wake when the modem detects a
    ring option to disable it.
    9. Uncheck the checkbox in front of the Wake for Ethernet network
    administrator access option to disable it.
    10. Uncheck the checkbox in front of the Restart automatically after a
    power failure option to disable it.


    Personally, I never use sleep on desktop hardware (laptop only). I am not concerned about wasting some power and these features have historically been buggy, which I am sure is even more of a concern on OSx86. Otherwise, the NSA recommends that automatic wake and restart features be disabled for somewhat obvious reasons.
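
The three Energy Saver checkboxes in the post above can also be audited from Terminal. This is an added example, not part of the original post or of the NSA guide: it assumes the `pmset -g` keys `ring`, `womp` and `autorestart` correspond to those checkboxes, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag Energy Saver wake/restart options that are still enabled.
# Assumption: pmset keys ring, womp, autorestart map to the three checkboxes.

# Constructed sample of `pmset -g` output (not captured from a real machine).
SAMPLE_PMSET='Active Profiles:
AC Power        -1*
Currently in use:
 womp           1
 ring           0
 autorestart    1
 sleep          10
 displaysleep   5'

# Reads `pmset -g` text on stdin; prints one line per setting that is
# enabled (FAIL) or absent from the output (UNKNOWN). Prints nothing if clean.
audit_pmset() {
    awk '
        BEGIN {
            want["ring"]        = "Wake when the modem detects a ring"
            want["womp"]        = "Wake for Ethernet network administrator access"
            want["autorestart"] = "Restart automatically after a power failure"
        }
        ($1 in want) && NF >= 2 { seen[$1] = $2 }
        END {
            n = split("ring womp autorestart", order, " ")
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen))
                    printf "UNKNOWN %s (%s): not reported\n", k, want[k]
                else if (seen[k] != "0")
                    printf "FAIL %s=%s (%s)\n", k, seen[k], want[k]
            }
        }'
}

# Number of FAIL/UNKNOWN findings for the pmset text on stdin.
count_findings() { audit_pmset | wc -l | tr -d ' '; }

# On a Mac, run: pmset -g | audit_pmset
printf '%s\n' "$SAMPLE_PMSET" | audit_pmset
```

A setting reported as UNKNOWN (for example `ring` on hardware without a modem) should be checked by hand in the Energy Saver panel.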

  7. #17
    Professional Array bofors's Avatar


    - pp. 34-35 Sound
    The microphone setting in the Sound panel may carry security implications. This is
    especially important as an internal microphone is standard on many Macintosh
    computers. If the machine also has a Line In jack, then it will be possible to disable
    the microphone in this panel as described below:
    ...
    7. Use a dummy plug (a plug with no wires, not connected to any other devices)
    to plug the Line In jack on the machine.


    It is interesting that the NSA sees the audio inputs as a security threat, although they do explicitly indicate the nature of the threat, I can imagine two issues: (1) using the computer to electronically eavesdrop and (2) using the audio inputs as some channel to attack the computer.
    Last edited by bofors; 03-07-2007 at 07:29 PM.

  8. #18
    Professional Array bofors's Avatar


    - pp. 36-37 Network
    AirPort and Bluetooth wireless connectivity options should be turned off.
    ...
    Also, uncheck the Internal Modem box if
    present and the modem is not operationally required.
    ...
    Again, all wireless capability, such as AirPort and Bluetooth, should be physically
    disabled in secure environments.


    This is pretty obvious, but the NSA recommends that modems be disabled too.

  9. #19
    Newbie Array skeewiff's Avatar


    This forum became boforckint0sh.org



  10. #20
    Advanced Array Alessandro17's Avatar


    Originally Posted by skeewiff:
    This forum became boforckint0sh.org


    Nobody finds you funny. Not in the least.


 

 