Special Report: Securing Mac OS X
by Simon Edwards
Mac OS X opens more potential security holes to hackers. So how do you
protect yourself?
Your Mac is at risk from hacker attacks,
now more than ever. And if you don't take active steps to secure it you
will be used as a spam gateway, an unwitting accomplice of further hacker
attacks or even a stooge in a bank robbery.
This isn't hype, it's reality.
When Apple started shipping Macs loaded with OS X it was making a very
powerful operating system available to thousands of users. But while
people rejoiced in a new user interface and greater stability, many have
not realised that by adopting a well-known operating system (UNIX) they
have also opened themselves up to a raft of old and new security
vulnerabilities.
Macs have been relatively free of remotely exploitable security holes
because the people who find and use
such holes are only interested in the operating systems that they will
commonly find on the Internet. Mac OS 9 is not common in comparison with
Solaris, AIX, Windows NT and Linux operating systems, which is why the
latter have been plagued by hackers for what feels like forever.
But OS X
works in much the same way as Linux, Solaris and other UNIX-based systems.
It can use the same software and, therefore, inherits the same benefits
and vulnerabilities. The solution is not to revert to OS9, though.
Instead, read this feature and you'll be able to lock down your Mac OS X
machine against the most prevalent attacks.
First line of defence
OS X is a multi-user operating system, which means that many
different people can use the computer at different times. Their
application settings, e-mail and other files are kept separate so that one
user cannot delete another's important data, or read his e-mail. While
this means that the system is potentially more secure than a Mac OS 9
system, with regards to local users, the level of that security is only as
good as the users' passwords. A recent survey found that 25 per cent of
users believe that 'banana' is a strong password. This is incorrect for a
number of reasons.
Firstly, banana is a real word that can easily be
guessed by a password-cracking tool. Cracking tools work using
dictionaries, and only resort to the very slow method of brute-forcing
after all dictionary words have been tried. The brute force approach works
like this: the cracker starts at 'a' and works through the alphabet, then
adds another letter and continues through every permutation of letters,
numbers and punctuation marks. This can take months, and it took our
700MHz system 28 days to crack the simple password 'rumble9'.
If you
insist on using passwords of less than eight characters (not recommended),
at least change them every month. That way you will foil this kind of
attack most of the time. You should also use a mixture of capital and
lower-case letters, numbers and punctuation marks. 'Mac_+Us3r01' is a good
password but 'macuser' is not.
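As an added illustration of the rules above (not code from the article), the shell function below applies them: a minimum of eight characters, no dictionary word once a trailing digit such as the 9 in 'rumble9' is stripped, and a mix of upper case, lower case, digits and punctuation. The word list is a constructed stand-in for a cracking tool's dictionary.

```shell
#!/bin/sh
# Added example: a password-policy check following the article's advice.
# WORDLIST is a constructed stand-in for a cracking tool's dictionary.
WORDLIST="banana
password
macuser
rumble
apple"

# check_password PASSWORD
# Prints one reason per line for every rule the password fails and returns 1;
# prints nothing and returns 0 when it passes all of them.
check_password() {
    pw=$1
    weak=0
    # Rule 1: at least eight characters (shorter ones fall to brute force).
    if [ "${#pw}" -lt 8 ]; then
        echo "too short (${#pw} characters, need at least 8)"
        weak=1
    fi
    # Rule 2: not a dictionary word. Cracking tools try the dictionary first,
    # and a trailing digit ('rumble9') does not rescue a word, so strip it.
    stem=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]' | sed 's/[0-9]*$//')
    if printf '%s\n' "$WORDLIST" | grep -Fqx -- "$stem"; then
        echo "dictionary word ('$stem')"
        weak=1
    fi
    # Rule 3: mix upper case, lower case, digits and punctuation.
    case $pw in *[[:upper:]]*) ;; *) echo "no upper-case letter"; weak=1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "no lower-case letter"; weak=1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no digit"; weak=1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "no punctuation"; weak=1 ;; esac
    return $weak
}

# Demonstration on the article's own examples.
for p in 'Mac_+Us3r01' 'macuser' 'rumble9'; do
    echo "== $p"
    if check_password "$p"; then echo "passes every rule"; fi
done
```

Running it shows 'Mac_+Us3r01' passing and 'macuser' and 'rumble9' failing on several counts each; the dictionary check is only as good as the word list you feed it, so on a real system point it at a full dictionary file.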
Service included
Programs such as a Web server, FTP
server or a remote access utility are known as services. An Internet host
is of little use unless it provides at least one service, but by doing so
it is exposing itself to attack. A hacker needs something to hack at, and
an old SMTP (mail), DNS, or Web server is sometimes all that is necessary.
The trick is to run only those services that are really necessary.
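One way to see which services a machine is actually offering is to read the inetd configuration file the glossary mentions later (/etc/inetd.conf): every line that is not commented out is a service inetd will start on demand. The script below is an added example, not part of the article. It works on a constructed sample file rather than the real one, lists the enabled services, and shows how to switch one off by commenting its line out.

```shell
#!/bin/sh
# Added example: find out which services an inetd.conf enables, and disable
# one. Works on a constructed sample file, not the real /etc/inetd.conf.

# make_sample_inetd_conf -> prints the path of a constructed inetd.conf
make_sample_inetd_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# Internet server configuration database (constructed sample for the example)
ftp     stream  tcp     nowait  root    /usr/libexec/tcpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/tcpd       telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/tcpd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/tcpd       rlogind
finger  stream  tcp     nowait  nobody  /usr/libexec/tcpd       fingerd -s
#tftp   dgram   udp     wait    nobody  /usr/libexec/tcpd       tftpd /private/tftpboot
EOF
    echo "$f"
}

# enabled_services FILE
# Print the service name (first field) of every active entry. Blank lines
# and lines whose first field starts with '#' are inactive.
enabled_services() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# disable_service NAME FILE
# Comment out the active entry for NAME. On a live system inetd must then
# re-read the file, e.g. with: sudo killall -HUP inetd
disable_service() {
    name=$1 file=$2
    sed "s/^\($name[[:space:]]\)/#\1/" "$file" >"$file.tmp" && mv "$file.tmp" "$file"
}

# Demonstration: list, disable telnet, list again.
conf=$(make_sample_inetd_conf)
echo "enabled before:"; enabled_services "$conf"
disable_service telnet "$conf"
echo "enabled after:";  enabled_services "$conf"
rm -f "$conf"
```

On the sample file the first listing shows ftp, telnet and finger; after disabling telnet only ftp and finger remain. Anything you do not recognise in that list deserves the same treatment.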
Allowing remote access with older versions of Mac OS X meant enabling
Telnet. This service lets you log in from a terminal on another computer,
be it a Mac, PC or even PDA, and control the server as if using its own
keyboard.
While this may seem like a very useful feature, Telnet is not a
secure method of working. The problem is that when you log on using Telnet
you have to enter your username and password, which is sent across the
network (and maybe even the Internet, if you are logging in to a Web
server installed in another building). Telnet sends these details in plain
text, which can be intercepted by a hacker using a network sniffer. He
will see 'user fred.bloggs' followed by 'password BaNa_na9'. Even though
Fred has used a strong password, the hacker now knows it and can hack the
system.
Mac OS X v.10.0.1 has replaced Telnet with SSH (Secure Shell),
which is much better. It encrypts the connection so that instead of seeing
the username and password, the hacker just sees digital garbage.
FTP also suffers from the same plaintext vulnerability as Telnet. You can
replace FTP with the SSH equivalent, SFTP (Secure FTP) or SCP (Secure
Copy). For details on setting up and using SSH, see the walkthrough below.
Updates
As we've already seen, updating your software
can avoid some major problems. But even if you have a perfectly working
Web server with SSH installed, things are not always as safe as they seem.
New security holes emerge all the time and you'd be wise to subscribe to
the main security mailing lists if you intend your Internet-connected Mac
to survive. The best ones include the large selection at SecurityFocus (www.securityfocus.com).
For example, during the month in which this
article was written, security updates were released to fix holes found in
the Apache Web server, SSH, the Web scripting language PHP, the printing
system, Internet Explorer 5.1, crontab, fetchmail, the firewall software
ipfw, Telnet and a whole load of others. Failing to update any of these
packages could result in a hacker taking remote control of your computer,
which is the ultimate goal for them and the ultimate nightmare for you.
The best way to update your software is to set the Software Update program
to check for updates every day, or every week if you only connect to the
Internet sporadically. To run this utility open the System Preferences and
select the Software Update option.
Buffer overflows
Security holes come in a number of shapes
and sizes, and you can even create your own if you're not careful. The
most common threat comes from buffer overflow attacks. The principle
behind these is that a program installed on your system is written in such
a way that when an attacker feeds it too much information it crashes.
In
an analogy where the computer's memory is an empty glass and the incoming
data is a flow of milk, a buffer overflow would occur if you tried to pour
a pint of milk into a half-pint glass. Obviously some milk is going to
spill onto the table, which results in a mess - or a crash, in the case of
a computer system. But a clever hacker can cause the overflowing data to
move into another part of the computer's memory, where it will be run.
This is how they gain access to your system without even bothering about
cracking your passwords.
Firewalls
One way to restrict a hacker's access
to your system is by using a firewall. This program decides which
information can flow out of and into your system. You can use a firewall
to allow Internet users to access your Mac on port 80, which is the
networking port used by most Web servers, but to deny access to any other
port. SSH usually runs on port 22, so you'll probably want to allow
external access to this port as well, if you want to administer the Web
server from any Internet-connected location in the world.
But your file
sharing ports, networked printer port and ports for other services that
should only be available to the local network, not the Internet, need to
be blocked off. Disallow all but the most necessary ports for outbound
traffic too. That way you prevent malicious applications from sending
important data out to an attacker on the Internet (see Viruses and
backdoors below).
For a detailed description of setting up the firewall
supplied with Mac OS X, see Configuring Mac OS X's firewall with
BrickHouse, 19 April 2002, p79.
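To make the point about ports concrete, here is an added example (not from the article or from BrickHouse) that evaluates a first-match rule table of the kind ipfw uses: Web (80) and SSH (22) allowed in from anywhere, a few outbound ports allowed, everything else denied. The rule numbers, the outbound port list and the second, misordered table are constructed for illustration; the comments give the ipfw command each rule corresponds to.

```shell
#!/bin/sh
# Added example: evaluate a first-match firewall policy like ipfw's, to show
# why rule order matters. Both rule tables are constructed for illustration.
# Fields: number action proto port direction ("any" matches everything).

GOOD_RULES="100   allow tcp 80  in
200   allow tcp 22  in
300   allow udp 53  out
400   allow tcp 80  out
500   allow tcp 443 out
65000 deny  any any in
65100 deny  any any out"
# Equivalent ipfw commands for three of the rules above:
#   ipfw add 100 allow tcp from any to me 80 in
#   ipfw add 200 allow tcp from any to me 22 in
#   ipfw add 65000 deny ip from any to any in

# Same idea, but the catch-all deny has been given a LOWER number than the
# allows. ipfw stops at the first match, so rule 100 is never reached and
# the Web server is unreachable from outside.
BAD_RULES="50    deny  any any in
100   allow tcp 80  in
200   allow tcp 22  in
65100 deny  any any out"

# evaluate PROTO PORT DIRECTION   (rule table on stdin, lowest number first)
# Prints "<action> <rule-number>" for the first matching rule, or "no-match".
evaluate() {
    proto=$1 port=$2 dir=$3
    while read -r num action rproto rport rdir; do
        [ -n "$num" ] || continue
        [ "$rdir" = "$dir" ] || continue
        [ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
        [ "$rport" = any ]  || [ "$rport" = "$port" ]   || continue
        echo "$action $num"
        return 0
    done
    echo "no-match"
    return 1
}

# check RULES PROTO PORT DIRECTION -> evaluate one table
check() {
    printf '%s\n' "$1" | evaluate "$2" "$3" "$4"
}

# Demonstration
echo "good: web in  -> $(check "$GOOD_RULES" tcp 80 in)"
echo "good: ssh in  -> $(check "$GOOD_RULES" tcp 22 in)"
echo "good: afp in  -> $(check "$GOOD_RULES" tcp 548 in)"     # AFP file sharing: blocked
echo "good: irc out -> $(check "$GOOD_RULES" tcp 6667 out)"   # unexpected outbound: blocked
echo "bad:  web in  -> $(check "$BAD_RULES" tcp 80 in)"       # deny 50: the allow never fires
```

The good table lets port 80 and 22 in and blocks the file-sharing port 548 and an unexpected outbound connection, while the bad table denies everything inbound, including the Web server you meant to publish. Whatever tool you configure the real firewall with, list the rules back afterwards and check that the catch-all deny sits last.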
Wireless networks
While wireless networks
are doubtless very cool and quite useful, remember that they increase the
range of your network beyond your office. If you don't use encrypted
networking (such as with SSH) you might as well stick a network port on
the wall outside and wait for the hackers to jack in. There are plenty of
tools that hackers can use to locate and crack your wireless network, but
with a little care you can make it not worth their while to try.
If you're
running a seriously expensive business over a wireless network consider
setting up a virtual private network (VPN) to provide the encryption, and
place dedicated firewalls between the wireless section of the network and
other workstations. By treating the wireless part as an untrusted network,
just as you would treat the Internet, you reduce the risk of a wireless
attack massively.
Viruses and backdoors
While there are not many viruses
that can affect UNIX operating systems directly, they are more than
capable of moving through UNIX mail servers and onto the Mac and PC
systems further down the chain. If your Mac is being used as an e-mail
server you should consider installing an anti-virus program, which will
strip out viruses intent on damaging your users' OS 9 Macs and Windows PCs.
McAfee and Symantec have released Mac OS X anti-virus programs that will do the job.
The direct danger to Mac OS X systems is that once a hacker has
compromised the security, using a buffer overflow attack or by exploiting
some other weakness, he will install a backdoor that will allow him to
return more easily. You can patch your system until you're blue in the
face, but if you don't know about the backdoor you might as well give up.
When a hacker installs a backdoor he may replace some of your useful files
with doctored versions that seem to behave properly but are actually
helping to hide the hacker's files and activities. For example, he might
have placed a stash of useful files in a directory called /hacks. The ls
command would display this directory, but a doctored version could be made
that displayed every directory except this one.
We need a way to discover
if files have been changed. CheckMate is a program that can scan essential
files and create a special index of them, using checksums (see the Jargon
box). If an important file is replaced the checksum will change and
CheckMate will notify you that something is up. Knowing that your system
has been compromised this heavily will help you save time when trying to
work out what's wrong. If you find your basic files have been replaced
there is only one thing to do - reinstall. Then install every possible
update and run CheckMate again before connecting to the Internet.
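The following is an added example of the checksum-index approach, written independently rather than taken from CheckMate or the article. It uses the POSIX cksum command so it runs on any UNIX (md5 on Mac OS X would serve the same purpose): make_index records every regular file under a directory, and verify_index reports files that have changed, appeared or disappeared since the index was taken.

```shell
#!/bin/sh
# Added example: a checksum index of essential files and a check against it.
# Independent illustration of the approach the article attributes to
# CheckMate, using POSIX cksum. Assumes file names without whitespace.

# make_index DIR > INDEXFILE
# One line per regular file, "<checksum> <size> <path>", sorted by path.
make_index() {
    ( cd "$1" && find . -type f -exec cksum {} + | sort -k3 )
}

# verify_index DIR INDEXFILE
# Compares a fresh index of DIR with the saved one. Prints one line per
# difference ("ADDED", "CHANGED" or "REMOVED" followed by the path) and
# returns 1 if anything differs, 0 if the tree still matches the index.
verify_index() {
    report=$(make_index "$1" | awk -v idx="$2" '
        BEGIN {
            # Load the saved index: path -> "checksum size".
            while ((getline line < idx) > 0) {
                split(line, f, " ")
                saved[f[3]] = f[1] " " f[2]
                seen[f[3]] = 0
            }
            close(idx)
        }
        {
            path = $3
            if (!(path in saved))                 print "ADDED", path
            else if (saved[path] != ($1 " " $2)) print "CHANGED", path
            seen[path] = 1
        }
        END {
            for (p in seen) if (!seen[p]) print "REMOVED", p
        }' | sort)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Demonstration on a constructed directory.
demo=$(mktemp -d)
printf 'hello\n' >"$demo/a.txt"; printf 'world\n' >"$demo/b.txt"
make_index "$demo" >"$demo.index"
if verify_index "$demo" "$demo.index"; then echo "clean"; fi
printf 'tampered\n' >"$demo/a.txt"      # simulate a replaced file
if ! verify_index "$demo" "$demo.index"; then echo "tree differs from index"; fi
rm -rf "$demo" "$demo.index"
```

Run make_index against directories such as /bin, /sbin and /usr/bin on a freshly installed and updated system, then keep the index somewhere the machine itself cannot rewrite (removable media, or encrypted as the File encryption section suggests) before re-running verify_index later; an index that lives on the same disk as the files it describes can be edited along with them.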
File encryption
When you send an e-mail across the Internet it can be read by a
large number of people, whether you know it or not. E-mail is created,
sent and received in plain text, and passes through a number of systems on
its journey to the intended recipient. Hackers with sniffer programs, mail
system administrators and people with access to the computer used by your
contact can all read the message, which is why sensitive information
should always be encrypted.
Files stored on your hard disk should also be
encrypted if they are sufficiently important. For example, if you've used
CheckMate to generate an index of checksums you'll need to be sure that
the hacker hasn't edited it to avoid an alert. Encrypt it and he's locked
out. To encrypt e-mail and local files you'll need a good encryption
package like PGP or GnuPG. The former is very easy to use and comes with a
graphical installer, the latter is free but needs to be loaded from the Terminal command line.
To do this you'll need to download the GNU Privacy
Guard file (GnuPGOSX1.0.6r6.dmg.gz) from http://macgpg.sourceforge.net, as
well as the Darwin patch, which is called gnupg-1.0.6-darwin. Next, type:
tar -xzf gnupg-1.0.6.tar.gz
To copy the Darwin patch into the folder that
this creates, patch the software and install it type the following lines
in order:
cp gnupg-1.0.6-darwin.diff gnupg-1.0.6/
cd gnupg-1.0.6/
patch -p 1 < gnupg-1.0.6-darwin.diff
./configure
make
sudo make install
You can
now download the plethora of GUI helper tools from the same site. Or
download the non-commercial version of PGP from pgpi.com.
Conclusion
If this article has started you worrying about Internet security, it has done
its job. But while the Internet can be a hostile place, taking the simple steps
listed here will make you almost invulnerable to the most common attacks. Just
being aware of the risks puts you in a minority, and it's a good club to join.
Talk the talk
Buffer overflow
A common but highly technical type of hacker attack, which is avoided by keeping software on the computer as up-to-date as possible. A successful attack allows the hacker to run commands on your system at the highest possible level of authority.
Checksum
A checksum is a code that can be generated to represent a file. It is virtually impossible for two different files to have the same checksum, so it can be thought of as a fingerprint or DNA profile. This makes checksumming an ideal technique for detecting whether a file has been changed by a hacker.
Encryption
The scrambling of a file or message so that it is readable only by the person for whom it is intended. Encryption can be used for Internet traffic too (see SSH below), and is most commonly encountered when buying from a Web site - those yellow padlocks indicate an encrypted Web session.
Firewall
A software program or hardware device that controls the type of network traffic able to pass through it. Usually used to protect computers or even whole networks from the Internet, they are now being installed by some to keep wireless networks safe.
Ports
Different Internet services running on the same computer use different ports. This means that someone trying to connect to a system using FTP won't interfere with the Web server on the same machine. FTP uses port 21 whereas Web servers usually run on port 80.
Services
A server is a computer that provides services to other users. Examples include POP3 mail, telnet or SSH remote access and Domain Name Services (DNS). Services are controlled by a file called /etc/inetd.conf.
SSH
The Secure Shell creates an encrypted connection to your Mac, which means that hackers cannot see what you're up to, or what your password is. SSH can also be used to create virtual private networks (VPNs) across the very unprivate Internet.
Trojan
A file that looks like something you want to run, but carries a less pleasant payload such as a computer virus or a backdoor that creates a secret entry point for a hacker into your system.
UNIX
These days UNIX is considered to mean a type of operating system, rather than a specific one. Solaris, Linux, FreeBSD and AIX are all types of UNIX, or are based on UNIX. Mac OS X is based on Darwin, which in turn is a version of BSD UNIX.
Using SSH
For security purposes, a server is any computer hooked up to the Internet
that's capable of providing network services such as Web, FTP or mail. If you want to control your Mac
OS X server remotely you'll need to use SSH, which has replaced the less
secure Telnet originally shipped with the operating system. If you've
never updated your installation you won't have SSH. You are strongly
advised to download the very latest updates as soon as possible,
particularly if your system spends any time at all connected to the
Internet - even using a dial-up modem connection.
In this walkthrough we
are assuming that your system is fully up to date and that you want to
administer your computer from somewhere else on the local network. There
is no real difference between doing this and coming in from the Internet.
If you want to connect from the Net you will need to ensure that any
protective firewalls between you and the Internet will allow connections
through port 22 or it won't work.
STEP ONE
Enabling remote access
Go to the Sharing System Preferences panel and choose the
Sharing option from the Internet and Network section. Tick the Allow
Remote Login box, which enables the Secure Shell (SSH) service. This
operates on port 22, which is the default used by just about everybody.
You absolutely must ensure that you are using Mac OS X version 10.0.1 or
later, otherwise your remote access will be provided via Telnet, which is
significantly less safe to use. We are using version 10.1.4 here.
STEP TWO
Establish a connection
Here we are assuming that you have
two computers connected to the same network, one of which allows remote
access and has an IP address of 10.0.0.1. You can determine the IP address
of your remote server by going to System Preferences, choosing Network and
viewing the settings for Built-in Ethernet. Start a terminal session on
the other Mac (Terminal is available from the Utilities folder) and type
'ssh username@10.0.0.1'. Use your own username and enter your password
when prompted. Answer 'yes' when asked if you want to connect.
STEP THREE
Run commands
You can now administer
your computer over the network, or even over the Internet. You'll need to
have administrator rights to be able to change the system. These are
provided in System Preferences from the Users option. Running 'top' will
show you what processes (programs and background operations) are running.
You can use the sudo command to run critical commands that require the
ultimate level of authority. To reboot the Mac type 'sudo shutdown -r now'.
STEP FOUR
Copying a file
Use scp to copy a file from
the server. Here we typed 'scp spge@10.1.22.23:backup backup', which has
the effect of running scp, connecting to the server at 10.1.22.23,
grabbing a file called backup and saving it as 'backup' on our system. The
following line in the screenshot lists all files beginning with the letter
'b'. Using the list command (ls) with the -l switch shows more
information, such as the file size, the date of its creation and who has
permission to read or edit it.
Further information
Pretty Good Privacy (PGP)
E-mail and general file encryption utility that can make your files unreadable to everyone but yourself.
Free for personal use
http://www.pgpi.com
GNU Privacy Guard
Essentially a free version of PGP; you'll also need to download some other utilities to make it extra friendly to use.
Freeware, even for commercial use
http://macgpg.sourceforge.net
CheckMate
Generate and compare checksums of essential files to discover if a hacker has altered your system.
Free while in beta
http://personalpages.tds.net/~brian_hill/checkmate.html
Hints and tips
Watch your logs!
When a hacker takes over your system it won't be quietly, but
unless you look through your log files you'll never know what's happened.
It is necessary to know how a hacker broke in, even if you are going to
reinstall your whole system, because that way you can fix the problem.
Reinstalling will just reset your computer and the hacker can come back in
the same way he did before. You'll find your logs in the directory called
/var/log. Type 'last' from the terminal to see who's been logging in, and
when.
Keep an eye on your users
If only you and a couple of
other people are using the Mac there should only be a handful of names in
the user list accessible from System Preferences - Users. If odd entries
appear you can be sure that someone has administrator-level control of
your system. If you want to know who's logged in at any one time type 'w'
from the terminal command line to see a list. You should also check the
/Users directory to see if any extra sub-directories have been created.
This would indicate that someone has gained access to your system.
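Two of these checks can be scripted. The block below is an added example, not from the article: new_home_dirs compares the sub-directories of a /Users-style directory against a baseline saved earlier, and failed_logins_by_host tallies OpenSSH 'Failed password' lines from a log file by source address. The log excerpt is constructed in the OpenSSH style for the example, with invented hosts and names; the directory and baseline paths are whatever you pass in.

```shell
#!/bin/sh
# Added example: two of the article's tips, scripted. The log excerpt is
# constructed in OpenSSH's format; paths are supplied by the caller.

# snapshot_home_dirs USERS_DIR > BASELINE
# List the sub-directories of a /Users-style directory, one per line, sorted.
snapshot_home_dirs() {
    ( cd "$1" && for d in */; do [ -d "$d" ] || continue; echo "${d%/}"; done ) \
    | LC_ALL=C sort
}

# new_home_dirs USERS_DIR BASELINE
# Print sub-directories present now but absent from the saved baseline.
new_home_dirs() {
    snapshot_home_dirs "$1" | LC_ALL=C comm -23 - "$2"
}

# failed_logins_by_host LOGFILE
# Tally sshd "Failed password" lines by source address, most frequent first,
# printed as "<address> <count>".
failed_logins_by_host() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
    | sed 's/.* from \([^ ]*\) port .*/\1/' \
    | LC_ALL=C sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Constructed sample log lines (OpenSSH format, invented hosts and names).
SAMPLE_LOG="Jun 28 09:12:01 mac sshd[412]: Failed password for fred from 10.1.22.50 port 51021 ssh2
Jun 28 09:12:04 mac sshd[412]: Failed password for fred from 10.1.22.50 port 51021 ssh2
Jun 28 09:12:09 mac sshd[414]: Failed password for invalid user admin from 10.1.22.50 port 51030 ssh2
Jun 28 09:15:40 mac sshd[420]: Failed password for jane from 192.168.1.9 port 40012 ssh2
Jun 28 09:16:02 mac sshd[420]: Accepted password for jane from 192.168.1.9 port 40012 ssh2"

# Demonstration on the constructed log.
log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" >"$log"
echo "failed logins by host:"; failed_logins_by_host "$log"
rm -f "$log"
```

Take the baseline with snapshot_home_dirs /Users right after installing, and keep it off the machine like the checksum index; then new_home_dirs /Users baseline prints nothing on a healthy system and the unexpected directory name on one that has grown an account. Point failed_logins_by_host at the system log in /var/log and a run of failures from one address stands out well before a successful 'Accepted' line from the same place.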
First Published in MacUser, Vol 18 No 13, 28 June 2002.
The above article is © Dennis Publishing Limited 2002. UK property of Dennis Publishing Ltd. This article may not be reproduced or transmitted in any form in whole or in part without the written consent of the publishers.