Inside OS X Security

Security and Mac OS X is never an easy topic to write about. There's so much emotion, advocacy, and arguing going on that getting to the heart of the matter can sometimes seem impossible. However, once you sort past those issues, the state of security on Mac OS X isn't terribly complicated, nor bad at all. It's not perfect, but it's not the final world in Quake, with pitfalls and monsters behind every corner.

Even with the recent QuickTime Java vulnerability discovered by Dino Dai Zovi at the CanSecWest contest, the Mac isn't suddenly a kitten in a shark tank, waiting to be devoured. There always have been, and always shall be, vulnerabilities in this, or any other operating system and platform. It's a fact of life, and one that Mac users in particular, should approach with more of a sense of equanimity and awareness.

When we're talking about the state of security on Mac OS X, it's useful to use the kinds of threats we hear about or have heard about in the past as a guide to help us focus our discussion. I'll do the same here, moving from the more "human-based" issues to the more "human-excluded" issues. I'm also going to, in the interests of clarity and space, stay out of larger security issues like firewalls, NAC, etc. This article is focusing on Mac OS X and the Mac user as much as possible.

1

Phishing And Social Engineering

Mac users are exactly as vulnerable to phishing and social engineering attacks as any other platform. If you voluntarily give out personal data, passwords, user ids, etc., there's nothing an operating system can do to protect you from the results of those actions. Browsers and e-mail clients are starting to try to incorporate various antiphishing measures, but at the end of the day, this isn't something that can be solved via a purely technical solution. If you give out the keys to the kingdom, as it were, you will have some rather severe barbarian problems.The best way to deal with these problems is awareness and avoidance.

Be aware of the people and entities that would have a legitimate reason to get various kinds of information from you. In the case of passwords, there's no IT department that is even vaguely competent that needs your password to run any kind of test, upgrade, or what have you. Unless you are the sole possessor of the root/directory administrator password, there's no reason for IT or anyone else to need "your" password.

On the networks I run, I can do anything I need without needing a user password. If I need a user to log in as themselves, then I have them do that. I don't know, nor do I wish to know, anyone's password but the ones I have to know to do my job. It's a bad idea on every level to know other people's passwords unless you have a hard, unavoidable reason to do so. I've yet to run into one.

If you give someone your login credentials, especially if they're admin-level access credentials, then there's little the operating system can do to stop them, as they'll not be "hacking" into the box at all. They'll be signing on as a legitimate user: You.

At that point, the operating system is going to let them do whatever those credentials allow for, because that's how it's supposed to work. Even worse, any action they take will look like you took it, because it's happening under your credentials.The same thing goes for phishing. If you click on a link and give someone at random your credit card numbers, Social Security, tax ID, or government ID number, there's nothing the operating system can do to stop them from using that information in a way you don't like. Remember: No operating system in the world can stop someone determined to do something silly. The solution here is simple: Don't do that. Don't enter financial or personal data on because "eBay" says your account is messed up, or someone is waiting for payment on something you didn't bid on.

I get tons of those a week, and I just delete them. If you don't have an Amazon account, then how can your Amazon account be messed up? What you can do is, where possible, report phishing attempts to the organization that the phisher is attempting to spoof. For example, eBay's contact point for such things is [email protected], Amazon's contact is https://www.amazon.com/gp/help/contact-us/report-phishing.html. Both sites have excellent help topics on phishing via the "help" URLs on their respective Web sites to help you learn more about their respective policies. Any organization you do business with should be able to provide you with the same information.

As far as other social engineering, again, some basic common sense works. If "Bob" in IT needs your user ID and password, first, make sure there actually is a "Bob" in IT. Then contact your security person or liaison and make sure that kind of thing is correct behavior.

If your security people don't know that this is happening, they can't do much about it. If all of this seems fairly obvious, well, it is. Not getting phished or engineered is actually easier because you have less to do to avoid it; don't provide the information. Also note there isn't an antivirus or anti-anything around that is able to stop you from giving personal information to people who shouldn't have it.

2

Trojan Horses

By Trojan horses or Trojans, I mean the classic "looks like a free copy of Office, in reality is a script that wipes your home directory" definition. With that in mind, how vulnerable is the Mac operating system to Trojans?

Well, the best answer is, it depends on your privilege level when you run the application. If you're logged in as root, (never really a good idea in the GUI), then you're in the same boat as someone running as a local administrator in Windows.

The particular boat I speak of would be the Titanic. Root is effectively god. Anything you run as root runs with god-like privileges. You run a Trojan as root, there's nothing the operating system can do to stop it. Luckily, Apple disables root login, and makes it at least somewhat inconvenient to enable root.

Unlike Windows, at least Windows XP, you can run a Mac for years and not have to log in as root. (Vista has improved that issue, but Microsoft still gives administrator users too much direct power.) The solution here? Don't do that, i.e., don't log in as root unless you absolutely need to, don't run as root unless you absolutely need to.

If you aren't sure if you need to, the answer is probably "no". As with phishing, antivirus and other similar utilities will do you no good, because once an application is running as root, it's trivial to disable such things.If you're logged in as an administrator, which is the traditional initial account level in Mac OS X, well, you can still shoot yourself in the foot with a Trojan, but you have to at least take some positive steps to do so in some cases. However, admin-level access, even without authenticating as root can still do a lot of damage.

For example, /Applications is read/write for the admin group, as are most of the applications in it. The same holds true for /Library. So even without you authenticating as root via the "Give us your password" dialog box, a Trojan running with administrator privileges can do a lot of damage.Since I've been talking about "damage," I should touch briefly on what I mean by this. While there is still the risk of the "wiped my drive" malware, that's largely fading due to economic reasons.

A dead computer cannot make you money. It is far more profitable, and therefore, far more common these days for malware such as Trojans to, instead of killing your computer and rendering it useless to all, subvert your computer, so that it can become part of a botnet that is then rented out to spammers, other malware users, and the like.

Another use for malware is to install keyloggers and other monitoring tools so that the malware writers can get things like Social Security numbers, financial data, and the like. They can then use that to steal identities, money, find access information for other networks, etc. There's millions of dollars in zombie computers, botnets, and data mining, none in dead computers with erased hard drives and firmware. That's not to say destructive malware isn't still a problem, but that it's not the main focus any more.

If you have a non-administrator account, then you should be safer from Trojans, right? Well, sort of. The amount of damage that a Trojan can do from a non-admin account is fairly small. Now, your home directory can still get wiped out, and if you lose valuable work and you don't have backups, I'm not sure how much better you'll feel that your operating system is safe. But, that's pretty much the extent of it. However, if the Trojan asks you to authenticate as an administrator and you do, then, well, all bets are off, you just gave it root privileges, or close enough to them.So the big question is, how do you protect yourself from Trojans? Well, the best way is to be careful. Once you start running a program, it's just the operating system and blind luck between you and a subverted computer. If you give it elevated privileges, then it's just blind luck.

Hoping for bugs in the Trojan isn't a great strategy here. Don't download software from random sites. Don't use software where you aren't sure about the source. Just because it says "Microsoft Office 2004" doesn't mean it is.

If it's legitimate software, then you can get it from the vendor's site. If you want a software aggregator site, my personal favorite is VersionTracker, at www.versiontracker.com/. In addition to Mac OS X software, VersionTracker also has Windows, Mac OS 9, and Palm software links.

While downloading from a reputable source isn't a guarantee, it does greatly decrease the chances that you'll download malware disguised as something else. (If you download software from random sources on P2P networks, you're playing Russian roulette. Eventually, it's going to hurt you.)

Another tip is to not give out administrator credentials just because a program asked for them. If you aren't sure why it needs them, ask the developer. If the developer doesn't tell you, or you don't like the answer, find another application. If the application is distributed as an Apple Installer Package, you can use a utility like Pacifist to see where every file in that installer is going to go.One note; just because an application is a drag-and-drop installer doesn't mean it's more or less safe than one that uses an installer. It's pretty trivial to code installer routines into an application, and have the files it copies when you first run it live inside the application package itself. The great Reagan quote: "Trust, but verify" applies here.

If the Trojan has been in the wild a few days, then anti-malware can help, but it's not a panacea, and keep in mind that anti-malware consumes a non-zero amount of computer resources, as rather disturbingly stated in this post on thepcspy.

Having processes monitor your files and other processes as closely as antivirus software has to do to work correctly is not going to do nice things to your performance, but then again, neither will malware. So it's a question of your own comfort level and pain tolerance level.

3

Remote Attacks

At this point we get into things that are more targeted at application and operating system weaknesses, a la the QuickTime Java hole that was recently patched in QuickTime 7.1.6. These are things like Web sites that try to do bad things to your operating system or browser when you load them, "traditional" viruses that try to reach out and whack your computer, and scripted or human-driven attacks against your operating system or applications and the like.First, all operating systems and applications have holes. Humans program them, humans aren't perfect, and the code humans write isn't perfect. The idea that any operating system, be it Mac OS X, Vista, Linux, Solaris, HP-UX, z/OS, is perfectly secure is a fantasy. So let's dispense with the idea that any operating system is going to offer some magical protection against attacks.

When it comes to malicious Web sites attacking an unpatched hole, about all you can do is try to mitigate the damage an attack can do against that hole until a patch is released. For example, the recent QuickTime Java hole could be defended against by disabling Java in your browser.

If you wanted to be safer, you also could disable JavaScript, but that tends to break the Internet, at least from your point of view. This is one case where advice like "Don't go to bad Web sites," while succinct, isn't of any great use. For one, you can't tell something is a "bad" Web site until you've loaded it, and it's a bit late then.

Secondly, even if it's a known good site, if they've been cracked, then they could be doing damage and not realize it. Again, all you can really do in cases like this is configure your system to be safer during the vulnerable period, and if you run as an admin, consider setting up a non-admin account. This way, the possible damage is reduced.

4

A Word About Viruses

If you're talking about "traditional" viruses, those are, at the operating system level, literally nonexistent in the Mac OS X universe, and were, by the Mac OS 8 time frame, pretty rare pre-OS X. Note I said at the OS level. Application viruses, such as VBA macros in Office 2004, or JavaScript macros in Acrobat, are still a factor.

Ironically, the upcoming release of Microsoft Office 2008 for the Mac will effectively kill the ability of VBA-based viruses to propagate on the Mac, since it will no longer support VBA. Microsoft Entourage never supported VBA, and so has always been less vulnerable than Outlook to such things. But, if you're using older versions of Office on the Mac, while VBA-based malware can't do much of anything to your operating system, it can make your ability to do work drop rather precipitously.

If you can't do work, the fact that your operating system is humming along quiet and happy is kind of meaningless. Luckily, this is the one area where things like antivirus software shines, and is of the most use. Other things, like setting your application to not automatically run macros, and only accepting documents from known, legitimate sources help, too.

Remote attacks that start from the outside and target your system are a mixed bag. If you're not running Mac OS X as a client operating system, don't turn on anything in the Sharing Preference Pane unless you need it. Then, only turn it on for as long as you need it. Someone trying to gain root SSH access to your system isn't going to have an easy time of it if you have SSH turned off. If you don't have a door, a cracker can't pick the lock.

If you have to run Mac OS X Server or Mac OS X as a server and you have to expose it to the Internet, your best defense is awareness. If you're running a PHP-based application that ties to a MySQL database, know enough about PHP and MySQL that you can properly secure them or find someone who can, and pay them.Lock down such systems as tight as you can while still being able to get work done. When you have a server exposed to the Internet, paranoia and knowledge are your very best friends. Don't assume that just because the base operating system is essentially secure that everything else that ships with the operating system is as secure. There are quite a few Mac OS X and Mac OS X Server boxes that get cracked because of poorly configured PHP/Perl/Web/Database applications. As with Trojans, if the operating system is happy, but your shiny new Intel Xserve is now a V1agr@ spam bot, you're still in a world of hurt.

I don't want to sound like a broken record, but this is a case where ignorance will hurt you. If you're running a MAMP, (Mac OS X, Apache, MySQL, and PHP), then you better know enough about all four to properly secure them. Even if all you are vulnerable to is a denial of service attack, well, that's still your server not able to do work.

If your server operating system is fine, but your applications have been subverted and it's now a spambot, that's going to cause you a lot of problems if that leads to your domain being on various e-mail blacklists. Not being able to send people e-mail can put a crimp in your business plan. As well, collocation providers get flustered and stern when a customer's server suddenly starts sending out spam or attacks as fast as possible.

In addition to knowing what your applications are doing, there are tools like Nessus, Snort, Tripwire, and others that can help you monitor your systems for vulnerabilities and malware so that you can do something about them sooner than later.

Of course, apply security patches as soon as they come out. If you have a good backup, (and of course, as the smart computer user you are, you have good backups), then even if a security update hoses your operating system, you can quickly recover. But with security patches, better safe than sorry applies.Conclusion

There are two things to remember here. Once you get past all the yelling and emotion, Mac OS X is a pretty secure operating system, at least as secure as any other operating system in its class. That's not a magic spell relieving you from any responsibility toward keeping it that way. Again, no operating system can protect against deliberate, determined insecure actions. But with education, some common sense, and keeping your eyes wide open, you and your Mac will have few, if any security problems.