  1. #1
    bofors

    Xtreme OS X Security



    EDIT: As I have mentioned to some people, I am a software developer and I am interested in starting a software company from the ranks of the OSx86 community. Part of this software may include some OS X security products. I am now also planning an OS X security guide based on what I have started in this thread.

    I have now attached the first draft of my "Xtreme OS X Security" guide (which is just this thread) here. I plan to slowly transform this document into a serious monograph which accompanies military grade OS X security tools. I may be talking with the CIA's In-Q-Tel about financing some of this work: http://www.in-q-tel.com/




    Xtreme OS X Security...

    Let's start with the NSA's OS X guide: http://www.nsa.gov/snac/downloads_macX.cfm

    Has anyone else seen this?

    Note that this was put out by the "Systems and Network Attack Center" of the NSA.

    Gee, I wonder what to make of that "attack" part...

    But I am sure glad the NSA "helped" with Vista security... (no wonder Shard likes it so much).
    Last edited by bofors; 03-12-2007 at 04:57 PM.



  2. #2
    bofors

    I am going through the NSA's OS X security now and will be posting anything worth noting. I have been at it before and still think that most experts here are way beyond the NSA's level of security, but it is worth looking at and I would encourage people new to OS X security to start with it. I will then cover the notes on security by Amit Singh in "Mac OS X Internals" which I have previously linked to on this board.
    Last edited by bofors; 03-05-2007 at 05:04 PM.

  3. #3
    bofors



    In the meantime, I want to note that the CIA attempts to practice "fail-safe" network security. Essentially they try to run dual networks. The high security network is internal only, it has no Internet connection. This should make it impossible to access using normal means. The CIA backs this up by broadcasting noise as an electromagnetic barrier to electronic eavesdropping and such. Of course, the obvious problem with the "fail-safe" approach is that it does not protect machines that must be on the Internet to operate, the transfer of data from the internal to the external network is slow and if it relies on the use of portable devices they are vulnerable to interception.
    Last edited by bofors; 03-05-2007 at 05:04 PM.

  4. #4
    bofors

    NSA OS X Security Configuration Guide notes (this guide is a little dated, it was released for Panther 10.3, but most of it appears to directly apply to Tiger 10.4):

    ***CHAPTER 2, Initial Installation***

    - p. 10: Internet Explorer – No. Internet Explorer (IE) for the Mac OS is no
    longer being developed, and while support is available now, future
    security updates are not guaranteed and may not be timely. If IE is
    operationally required, caution should be used. It is recommended
    that IE not be used.


    Amusing...
    Last edited by bofors; 03-06-2007 at 06:05 PM.

  5. #5
    bofors

    - p. 12: Registration Information
    Any information entered in this screen will be stored and forwarded to Apple
    when the machine is connected to the Internet. This information gathering
    section of the installation process should be skipped.
    To bypass this part of the process:

    1. Press command-Q. This will cause the registration process to end, and the
    information gathering process will be skipped.
    2. In the You have not finished setting up Mac OS X dialog box, click Skip
    to bypass the remaining registration and setup process.

    If information had been inadvertently entered during the installation process, it
    should be removed before the system is connected to a network. In Chapter 4,
    “Configuring System Settings,” instructions will be given on how to delete this
    information to prevent it from being automatically transmitted over a network.
    Any information entered in this screen, if not deleted before the system is
    connected to the Internet, will be transferred across the Internet in plaintext to
    Apple. Even if the system is connected only to an internal network, and not the
    Internet, registration information may be transmitted across that network in an
    attempt to forward it to Apple. It is very important that no sensitive information
    is entered in these screens.


    Now, you will never have to go through that hassle of entering all that crap when re-installing OS X again. Just hit Command-Q.
    Last edited by bofors; 03-12-2007 at 02:21 AM.


  6. #6
    bofors

    - p.13: 3. Enter the administrator’s password in both the Password and Verify boxes.
    Passwords in Mac OS X can be up to 255 characters long and contain
    uppercase letters, lowercase letters, numbers, and special characters.
    Choosing a password that consists of at least 12 characters, that would not be
    found in a dictionary, and that contains mixed case, numbers, and special
    characters is recommended. There are many references available which
    describe how to choose good passwords; therefore, this guide will not go into
    any further detail about choosing a password.


    Here is how I generate both usernames and passwords. I grab a fat phone book ("white" pages - residential), and randomly select some names, addresses and numbers as bases for the usernames and passwords. I then randomly decompose and recombine them in pieces which fit together in my mind (so they are easier to memorize). I also use "special" characters.
    Last edited by bofors; 03-05-2007 at 05:13 PM.

  7. #7
    bofors

    - p. 15: Downloading and Verifying Updates
    The Software Update panel in the System Preferences panel might pop up to
    indicate any updates available for the system. Software Update will ask if any new
    downloads found should be downloaded and installed. Software Update should not
    be used to automatically perform updates. Select Quit to exit Software Update, and
    continue installing updates manually.

    Updates can be downloaded from http://www.apple.com/support/downloads
    (Figure 1) using a machine designated specifically for downloading and verifying
    updates, and should be copied to a disk for installation. The download should be
    done separately so that file integrity can be verified before the updates are installed.

    Another resource for locating current updates for Mac OS X is the Knowledge Base
    article on Apple’s website:
    ...

    Make sure to note the SHA-1 digest for each of these files. The SHA-1 digest should
    be posted on-line with the download.

    Once the software updates have been downloaded from Apple they should be
    checked for viruses and written to a CD. Apple also provides a SHA-1 digest for their
    updates so that the integrity of the update can be verified. The SHA-1 digest should
    be checked to confirm the authenticity of the updates. Check the updates using the
    following steps:

    1. Start the Terminal program, located in /Applications/Utilities.
    2. In the Terminal window, issue the following command:
    /usr/bin/openssl sha1 <full path filename>

    where <full path filename> is the full path filename of the update for
    which the SHA-1 digest is being checked. Repeat this for each update.
    3. The pathname of the file will be displayed in the Terminal window followed by
    the SHA-1 digest for that file.
    4. Check the SHA-1 digest for each update against the SHA-1 digest displayed on
    the Apple site. The SHA-1 digest will be displayed in the “Information and
    Download” document for the update. In most cases, this will be the document
    that is displayed when the link for downloading the document is clicked. If
    not, search for the name of the update in the downloads section of the Apple
    support page, and find the “Information and Downloads” document for the
    update to obtain the SHA-1 digest.
    5. The SHA-1 digest for each update should match the digest given on Apple’s
    web site for that update. If it does not, the file was corrupted in some way and
    a new copy should be obtained.


    So, there are several issues. First of all, this now even applies to OSx86 as the latest security updates are applicable to 10.4.8 installs. In xtreme cases, it certainly is possible for a hostile party to misdirect a security update to a trojan. Downloading from Apple directly should guard against it, and hash checking can verify the correct file has been received.

    It is unlikely that Apple will want to cooperate in any schemes to compromise OS X.
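
The guide's steps 1 to 5 run as one batch, as an added example that is not part of the original post or of the NSA guide: digests copied from the download pages go into a manifest, and every file is checked in one pass. The manifest format, the function names and the paths in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: batch form of the guide's "openssl sha1 <file>" check.
# usage (hypothetical paths): verify_updates digests.txt /Volumes/Updates

# sha1_of FILE -> prints the 40-hex-digit SHA-1 of FILE in lowercase
sha1_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 -r < "$1" | cut -c1-40
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum < "$1" | cut -c1-40
    else
        shasum -a 1 < "$1" | cut -c1-40
    fi
}

# verify_updates MANIFEST DIR
# MANIFEST (assumed format): one "<sha1-hex> <filename>" pair per line, typed
# in from the vendor's download page. Returns 0 only if every file matches.
verify_updates() {
    manifest=$1 dir=$2 bad=0
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline
    while read -r want name || [ -n "$want" ]; do
        case $want in ''|'#'*) continue ;; esac   # skip blanks and comments
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        # a digest that is not exactly 40 hex digits is a copying error
        if ! printf '%s' "$want" | grep -Eq '^[0-9a-f]{40}$'; then
            echo "BADLINE  $name"; bad=1; continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        got=$(sha1_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)"; bad=1
        fi
    done < "$manifest"
    return $bad
}
```

A match shows only that the file equals what the digest page described, so the digest itself has to come over a channel you trust.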

  8. #8
    bofors

    - p. 19: Fix Disk Permissions
    Permissions on files can sometimes become set incorrectly, especially during a
    software installation. Incorrect permissions can cause the system to operate
    incorrectly and even introduce security vulnerabilities
    . Fixing these permissions is
    recommended after performing any software installation on Mac OS X.


    So we should all know that this is an issue on OSx86. As of 10.4.8, I believe that Disk Utility.app is working correctly in this regard. Note that the NSA is not exactly wrong about booting off an install disk to do this, it is possible that an OS X install could be compromised so the incorrect permissions would be set by Disk Utility.app, however I really doubt they are anywhere near that level. Of course, permissions can be set manually, and the permissions being set by Disk Utility.app can be verified for sanity.

    I just fixed permissions on one of my OSx86 10.4.8 installs and interestingly enough something odd came up. I need to look into it later. If anybody has anything to say about this, please speak up.

    Code:
    The privileges have been verified or repaired on the selected volume
    Repairing permissions for “System2”
    Determining correct file permissions.
    parent directory ./Users/Shared/SC Info does not exist
    Permissions differ on ./private/var/log/secure.log, should be -rw------- , they are -rw-r----- 
    Owner and group corrected on ./private/var/log/secure.log
    Permissions corrected on ./private/var/log/secure.log
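
One way to run the sanity check mentioned above over a repair log like the one posted (an added example, not part of the original post): it lists only the entries where the mode found on disk was looser than the expected one. The function name is hypothetical; the line format is taken from the output above.

```shell
#!/bin/sh
# Added example: triage a Disk Utility "Repair Permissions" log.
# loose_perms LOGFILE prints "<path> <extra>" for each "Permissions differ"
# line where the mode found on disk granted access the expected mode did not.
# <extra> is a 9-character rwx string showing only the surplus bits.
loose_perms() {
    awk '
    /Permissions differ on / {
        line = $0
        sub(/^[ \t]*Permissions differ on /, "", line)
        # The tail is ", should be <mode> , they are <mode>"; the path is
        # everything before it (paths may contain spaces).
        if (!match(line, /, should be [^ ]+ *, they are [^ ]+ *$/)) next
        path = substr(line, 1, RSTART - 1)
        tail = substr(line, RSTART)
        gsub(/,/, " ", tail)
        split(tail, f, " ")          # should be <want> they are <have>
        want = f[3]; have = f[6]
        extra = ""; loose = 0
        for (k = 2; k <= 10; k++) {  # skip the file-type character
            w = substr(want, k, 1); h = substr(have, k, 1)
            if (w == "-" && h != "-" && h != "") { extra = extra h; loose = 1 }
            else extra = extra "-"
        }
        # entries that were stricter than expected are not reported
        if (loose) print path, extra
    }' "$1"
}
```

On the log above this reports `./private/var/log/secure.log ---r-----`, that is, the security log had been readable by its group.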

  9. #9
    joe75

    Originally posted by bofors:
    Here is how I generate both usernames and passwords. I grab a fat phone book ("white" pages - residential), and randomly select some names, addresses and numbers as bases for the usernames and passwords. I then randomly decompose and recombine them in pieces which fit together in my mind (so they are easier to memorize). I also use "special" characters.
    It seems ironic that a man so concerned with security would just throw his personal information around

    ~John Anderson
    7715 Middlepointe St.
    Dearborn, Michigan 48126
    John Philip Anderson
    215 West Newman Rd.
    Okemos, Michigan 48864

  10. #10
    bofors



    I am going to be discussing how to set up OS X for encrypted email usage here later, but I will be finishing with NSA's OS X security manual first and then cover some architectural detail with help from Amit Singh.
    Last edited by bofors; 03-06-2007 at 04:34 PM.


 

 
All times are GMT +2.