Xtreme OS X Security (Using Leopard forum, Hackint0sh.org)
  1. #41
    Professional Array bofors's Avatar

    Join Date
    May 2006
    Posts
    80
    Post Thanks / Like
    Downloads
    0
    Uploads
    0
    Rep Power
    12

    Default

    ***CHAPTER 6, Future Guidance***

    • Mac OS X v10.3.x Server
    • Managing Mac OS X networks
    • Cross-Platform (Mac OS X–Windows, Mac OS X–Linux, etc.) Security Issues
    • Apple Remote Desktop
    • A “Pull-out” User’s Guide, which will include a user’s perspective on using
    keychain effectively for security, settings which users should not change, and
    other security-related instructions for users.
    • More Detailed Configuration of the Built-in Firewall
    • Managing Certificates in Mac OS X
    • IPSec/VPNs under Mac OS X
    • Using SmartCards with Mac OS X
    • Secure File Deletion
    • Tools for Checking the Security Configuration of a Mac OS X System
    • Using groups under Mac OS X
    • Using Global keychains


    So, in addition to updating the NSA's guide to Tiger (10.4), discussing the security architecture of OS X in detail, detailing how to set Mail.app for encryption (and perhaps the use of secure IRC sessions) and, as I mentioned before, the development and use of specific OS X security applications, the NSA has some issues which they feel are worth covering. I will also be working on some general OS X network security issues from the standpoint of a small office or home LAN behind a router.


  2. #42

    ***APPENDIX A, Future Guidance***

    Encrypting Files and Folders
    As described earlier, Mac OS X’s FileVault feature can be used to encrypt a user’s
    entire home directory. However, some situations call for the encryption of
    individual files and folders, not simply the entire home directory. The Disk Utility
    program shipped with Mac OS X provides the ability to encrypt disk images
    containing arbitrary files and folders. Like FileVault, it uses the Advanced
    Encryption Standard (AES) with a 128-bit key.


    So, Disk Utility.app can be used to encrypt specific files and folders. I believe that Roxio's Toast also provides the ability to encrypt disks while burning. I will be looking into that specific functionality later.

  3. #43

    ***APPENDIX B, References***

    1. Mac OS X Maximum Security; Ray, John, and Ray, Dr. William C.; Sams
    Publishing; 2003
    ...
    5. “Macintosh OS X Security Technical Implementation Guide (Draft);” Version
    1, Release 0; Defense Information Systems Agency (DISA); 30 June 2003
    6. “Apple Federal Smart Card Package Installation and Setup Guide;” Apple
    Computer, Inc.; 2003


    I think I have an electronic copy of "Mac OS X Maximum Security" on my hard drive, but I need to look for more up-to-date OS X security resources. I will also be trying to get a copy of the DISA's “Macintosh OS X Security Technical Implementation Guide" under the Freedom of Information Act (FOIA). Likewise, I will be FOIA-ing the CIA and NSA for any OS X guides or material that they have as well.

    I am going to be compiling this information into my own security guide with supporting software that emphasizes OSx86 and issues for the typical OSx86 developer.

    EDIT: Regarding "Mac OS X Maximum Security" and other OS X security books, it looks like most of these are out-of-date, like four years old. With the pending release of Leopard, the market for a new book looks ripe.
    Last edited by bofors; 03-12-2007 at 03:37 AM.

  4. #44



    As I have mentioned to some people, I am a software developer and I am interested in starting a software company from the ranks of the OSx86 community. Part of this software may include some OS X security products. I am now also planning to write an OS X security guide based on what I have started in this thread.

    I have now attached the first draft of my "Xtreme OS X Security" guide (which is just this thread) here. I plan to slowly transform this document into a serious monograph which accompanies military grade OS X security tools. I may be talking with the CIA's In-q-tel about financing some of this work: http://www.in-q-tel.com/
    Last edited by bofors; 03-12-2007 at 04:56 PM.

  5. #45

    Quote, originally posted by bofors:
    ... the NSA states that the initial password is not encrypted on OS X, I believe this problem was fixed with OS X 10.4 and I will investigate this issue further.
    So, I am looking into this issue now.

    Security has rarely been discussed seriously at InsanelyMac, here is one of the few times it was (I tried to push the issue): http://forum.insanelymac.com/index.p...st=40&start=40

    This page at MacShadows should cover the initial password encryption issue on 10.4 (versus the NSA's coverage on 10.3) or at least give me some hints: http://www.macshadows.com/kb/index.p...assword_hashes

    EDIT: The MacShadows page does seem to address the initial password encryption question raised by the NSA. I am now looking for a page that does.



    EDIT2: Bingo, I got it: http://images.apple.com/server/pdfs/...ity_Config.pdf (PDF attached)

    This is still a problem according to Apple:

    Apple's "Mac OS X Security Configuration for Version 10.4 or Later"
    ...
    p. 61: You should immediately change the password of the first account that was created on
    your computer.


    So, apparently one should set up OS X with some disposable password which is immediately replaced. Then one should probably set up a user account for normal use (and use the admin account only when needed).
    Last edited by bofors; 03-12-2007 at 04:41 PM.


  6. #46



    "John the Ripper (JTR)" appears to be some kind of OS X password hacking software:

    http://freaky.staticusers.net/ugboar...ic.php?t=16706
    Last edited by bofors; 03-12-2007 at 04:36 PM.

  7. #47



    Instead of going over the OS X security architecture in detail with Amit Singh's "Mac OS X Internals", I am going to go through Apple's "Mac OS X Security Configuration for Version 10.4 or Later" next (now).

    Since the NSA covered Panther 10.3, here is what Apple says is new for Tiger 10.4 (not that MacShadows covers what is new for Tiger 10.4 in terms of password hashing):

    - pp. 9-10: What’s New in Mac OS X Version 10.4

    Mac OS X version 10.4 offers the following major security enhancements:

    - Access control lists. Provide flexible file system permissions that are fully compatible
    with Windows Server 2003 Active Directory environments and Windows XP clients.

    - Secure instant messaging. Your private, secure iChat Server, based on Jabber XMPP
    protocol, integrates with Open Directory for user accounts and authentication.

    - Software update server. By enabling the new Apple Software Update Server,
    administrators can control which updates their users can access and when.

    - Certificate management. Certificate Assistant is an easy-to-use utility that helps you
    request, issue, and manage certificates.

    - Smart cards as keychains. Use a smart card to authenticate to your system or
    Keychain.

    - Secure erase. Secure erase follows the U.S. Department of Defense standard for the
    sanitation of magnetic media.

    - VPN service is now Kerberized. Use Kerberos-based authentication for single sign-on
    to a VPN network.

    - Firewall enhanced. The firewall service has been enhanced to use the reliable open
    source IPFW2 software.

    - Antivirus and antispam. New adaptive junk mail filtering using SpamAssassin and
    virus detection and quarantine using ClamAV.


    From "smart cards" to secure erase, it seems pretty clear that Apple is catering to US military agencies, and I think it is quite obvious that they are using OS X. There is also some evidence that the CIA is using Macintoshes for some applications. This includes the fact that former CIA Director John Deutch was investigated for using an "insecure" Macintosh to store classified data at home: http://www.fas.org/irp/cia/product/ig_deutch.html

    There is other evidence that the CIA may be using OS X that I will talk about later, however I personally got into a rather heated argument with their In-q-tel front over the issue of OS X versus Windows, so I still think their standard is Windows (plus we know Bill Gates cut some deals with the Bush administration to get Microsoft out of legal trouble): http://www.inqtel.org/

    I guess the real question I have about Apple and the US government is can we trust Apple not to put secret "back-doors" or trojans into OS X. Although it is unlikely, I think the answer has to be "no", we can not trust Apple.

    EDIT: With respect to trusting Apple, there is an important caveat. Darwin is open-source, meaning that Apple is disclosing information for us (and everybody) to inspect in order to gain trust. This is an important issue if Apple wishes to win clients who have serious concerns about the US government spying on them. It also means that despite OSx86, Apple is likely to continue to release the code that Semthex, Mifki, DaemonES et al. have been working with.

    - pp.16-17 Security Framework

    Apple built the foundation of Mac OS X and many of its integrated services with open
    source software—such as FreeBSD, Apache, and Kerberos, among many others—that
    has been made secure through years of public scrutiny by developers and security
    experts around the world. Strong security is a benefit of open source software because
    anyone can freely inspect the source code, identify theoretical vulnerabilities, and take
    steps to strengthen the software. Apple actively participates with the open source
    community by routinely releasing updates of Mac OS X that are subject to independent
    developers’ ongoing review—and by incorporating improvements. An open source
    software development approach provides the transparency necessary to ensure that
    Mac OS X is truly secure.

    This open approach has clear advantages and a long, well-documented history of
    quickly identifying and correcting source code that could potentially contain
    exploitable vulnerabilities. Mac OS X users can comfortably rely on the ongoing public
    examination by large numbers of security experts, which is made possible by Apple’s
    open approach to software development. The result is an operating system that is
    inherently more secure.
    Last edited by bofors; 03-12-2007 at 05:04 PM.

  8. #48

    - p.13: Getting Additional Information
    For more information, Apple provides the following resources:
    ...
    - Apple Product Security Mailing Lists website (lists.apple.com/mailman/listinfo/security-
    announce)—Mailing lists for communicating by email with other administrators
    about security notifications and announcements.
    ...
    - Apple Product Security website (www.apple.com/support/security/)—Access to
    security information and resources, including security updates and notifications.
    For additional security-specific information, consult these resources:

    - NSA security configuration guides (www.nsa.gov/snac/)—The National Security
    Agency provides a wealth of information on securely configuring proprietary and
    open source software.

    - NIST Security Configuration Checklists Repository (checklists.nist.gov/repository/
    category.html)—The National Institute of Standards and Technology repository for
    security configuration checklists.

    - DISA Security Technical Implementation Guide (www.disa.mil/gs/dsn/policies.html)—
    The Defense Information Systems Agency guide for implementing secure
    government networks. A Department of Defense (DoD) PKI Certificate is required to
    access this information.

    - CIS Benchmark and Scoring Tool (www.cisecurity.org/bench_osx.html)—The Center for
    Internet Security benchmark and scoring tool used to establish CIS benchmarks.


    So, more links to US government agencies and such. Plenty of resources for me to check out. Here is a more commercially oriented OS X security site: http://www.securemac.com/
    Last edited by bofors; 03-12-2007 at 03:37 AM.

  9. #49


  10. #50

    Apple's "Mac OS X Security Configuration for Version 10.4 or Later" (Continued)

    ***Chapter 2 Installing Mac OS X***

    - pp. 21-22

    Though the default installation of Mac OS X is highly secure,
    it can be customized for your particular network security
    needs.

    By securely configuring the different stages of the installation process and
    understanding Mac OS X permissions, you can make sure that your computer is
    hardened to match your security policy.

    System Installation Overview

    If Mac OS X was already installed on the computer, consider reinstalling it.
    By reinstalling Mac OS X, and reformatting the volume, you avoid potential
    vulnerabilities caused by previous installations or settings.

    Because there might still be some recoverable data left on the computer, you should
    securely erase the partition that you’re installing Mac OS X on. For more information,
    see “Using Disk Utility to Securely Erase a Disk or Partition” on page 106.

    If you decide against securely erasing the partition, securely erase free space after
    installing Mac OS X. For more information, see “Using Disk Utility to Securely Erase Free Space” on page 108.

    Disabling the Open Firmware Password
    ...
    Note: If you are using an Intel-based Macintosh computer, you cannot use the
    following method to disable the Open Firmware password. Use the Open Firmware
    Password application instead.
    ...
    The X11 X Window system lets you run X11-based applications in Mac OS X. While this
    might be useful, it also makes it harder to maintain a secure configuration.
    Removing additional unused packages not only frees up disk space, but reduces the
    risk of attackers leveraging potential vulnerabilities in unused components.


    So, this is pretty obvious for the most part. However, apparently there is an EFI password issue which is supposed to be dealt with by the "Open Firmware Password" application. I will be looking into this later from both the EFI perspective and also the OSx86 BIOS perspective in some detail. Apple's security guide also covers the secure erase options in detail (which I have had questions about for a long time) and I will be covering those later. However, in the meantime, the "7-pass" secure erase option is the US military standard (and the one used in the Secure Erase Trash option in Finder) while the 35-pass is probably overkill (unless you are covering up evidence of high treason in 9/11).

    Last edited by bofors; 03-12-2007 at 05:52 PM.
