OS X Network Security [non-rumor Q]

Discussion in 'Mac Apps and Mac App Store' started by GadgetLover, Oct 15, 2001.

  1. GadgetLover macrumors member

    Joined:
    Sep 21, 2001
    #1
    I know that security issues have/are discussed a lot regarding OS X and that, while Unix is prone to problems (right?) OS X has a built in Firewall which can be implemented using BrickHouse, FireWalk, etc. (Note: I have BrickHouse set to block just about every hack and scan that the SW allows). Also, I have dynamic DSL which is only reset (new IP address) when I reboot my Mac or log out (Iguess?).

    That all being said, as "added" security I also never leave Entourage and Explorer running when I'm away from my Mac (ie., sleep mode). Is this necessary, lame, a good idea, what? What do you folks do? Does leaving these apps (or other Internet apps) running give a back-door to hackers or look-e-loos? Of course, I'd rather just leave all my apps running so I don't have to launch crap except for when I FIRST boot up, but I'm really sensitive to security issues. Can someone educate me (and others) here about Mac security, firewall issues, port scans, etc.

    Incidentally, I use(d) Intego Netbarrier on the OS 9 side (their X version is still in development); do I need a firewall SW on the Classic side under X?

    Help!
     
  2. GadgetLover thread starter macrumors member

    Joined:
    Sep 21, 2001
    #2
    Renaming "Apple" Software in OS X

    I also have another Question:

    For organizational purposes, I decided to try renaming all of my Apple software with the prefix "Apple" to distinguish it from other software and make it higher up in the list (not sure if I want to keep this theme, but I'm tryin' it on for size). For example, I renamed Sherlock, "Apple Sherlock" and Disk Utility to "Apple Disk Utility." Anyway, I noticed that I can't rename Print Center (which is fine with me) (most likely because it is always active in the background), but was curious as to whether or not there were any OS X adverse consequences to my actions. Does anyone know, for example, if there would be any OS problems in renaming the iMovie and iTunes folders to Apple iMovie and Apple iTunes? I tried it and so far everything seems to work fine (iTunes still seens to find all my mp3s and loads fine). Anyway, if anyone else has ever renamed an Apple app and had (or not had) problems, please let me know.

    After all, "Apple TextEdit" is MUCH higher up in my application list than "TextEdit" was.
     
  3. evildead macrumors 65816

    evildead

    Joined:
    Jun 18, 2001
    Location:
    WestCost, USA
    #3
    security

    UNIX has security problems?? who says. It is very secure. That is ... if you know your system. I am a UNIX admin and we have no problems with our servers. The people at my company that are running MS servers... well thats another story. They had to close port 80 for the whole company becuse of the MS security holes. Macs are very secure. To test it I left my Mac compleetly open with just the defalt system settings and I turned off my fire wall. Then I Pinged the hell out of it from work and school. I found one open port. it was in the 1500 range... That is with no fire wall. I woundt worrie too much about security. As for the not leaving IE open all the time... I dont know. MS has a lot of security problmes and I wonder how much MS apps on your mac communitcat with the outside world when your not looking. Adobe likes to do that. If your really worried you should get a hard ware fire wall. Get a router and it will take care of all your needs. You can get them for fairly cheep now. Under $90.00 for one with no hub. You could really lock down your system with that.

    as for your second question... I have no idea if changing the app names will do anything. In UNIX systems the name of a file has a lot to do with its functionality ... but I dont know about OS X. But I dought it.
     
  4. arn macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #4
    I don't think there is a problem renaming your apps...

    the only thing I'd avoid is

    don't start filenames with "." (period)

    and... don't add extensions to Application filenames. (.txt, .gif etc...) - not that you would... but all Apps have a .app file extension that's hidden. Beyond that... it's possible things could be hard coded to a filename... but your general apps shouldn't be.

    arn
     
  5. GadgetLover thread starter macrumors member

    Joined:
    Sep 21, 2001
    #5
    thanks

    Thanks, all, for your comments and suggestions -- all are taken under advisement (and I HAVE been thinking about using a router for peace of mind).

    Anyway, cheers!
     
  6. packrat macrumors newbie

    Joined:
    Oct 9, 2001
    Location:
    Australia
    #6
    Re: security

    Actually, nothing could be further from the truth. A unix system can be relatively secure if you disable or control access to virtually every service, and ensure that all the security patches are installed the instant that are available. Oh, and you are lucky enough to have a vendor who actually releases security patches in a timely manner.

    Most people aren't so lucky, in fact I can't think of a single Unix vendor who has done a reasonable and consistent job of this, and most of them do very poorly.

    The two advantages a unix system has over a windows system are firstly, that more competent people are typically in charge of good unix systems -- Unix systems maintained by naive or incompetent people are literally dangerous. The second advantage is transparancy. Most of the components of a unix system are only loosely coupled; people who maintain them are able to easily understand how the parts interact, and to replace components which are unsafe with other alternatives.

    An important point here is that Unix systems 'maintained' by people who do not understand many of the intricacies of security can be an enormous hazard. This is a side-effect of their flexibility and wonderful implementations of remote access and networking services.

    If you want a secure system, you have to look to something which couples a sensible security model (more complex than Unix's God and everyone else paradigm) with a rigorous implementation. Take for example most of the mainframe operating systems or VMS. The existance of these is usually ignored by people who define 'good' as 'better than windows'

    I shall be extremely interested to see how the security of MacOS X turns out in the long run. I think Apple have possible the best grasp in the industry of what it means to support users who don't want to have to deal with the internal workings of a computer system. I think they've also got a much better chance of implementing things well than certain other unnamed companies.


     
  7. jefhatfield Retired

    jefhatfield

    Joined:
    Jul 9, 2000
    #7
    security

    i don't take chances, and i would never leave those apps running while i am not around ( i just don't know enough to outsmart hackers)

    where i used to work, someone stole identities and somehow got into bank accounts and stole sixty dollars each from some people (some blamed the bank itself!)

    that was before i was a tech but it was a good lesson in security

    also do not have a fax machine connected to the computer in any way, it is the ultimate backdoor, or should i say....front door with a huge "welcome" mat (but that has been more an issue with pcs and i don't know if that relates to Mac), but realize the phone line is a "weak" link in security

    protocols in networking concerning phone lines (or any WAN) is extremely hard for even network techies to figure out, let alone provide security for

    good luck and i hope this helps and try e-mailing some of the senior members/administrators of macrumors (if they have an address) like blakespot, arn, spikey, or newton-man - or others...i hope this "suggestion" is allowed on macrumors and doesn't infringe on personal privacy
     
  8. oldMac macrumors 6502a

    Joined:
    Oct 25, 2001
    #8
    Security: Leaving apps running... (slightly long-winded)

    Security and leaving applications running...

    This is kind of an interesting question, because in all likelihood you'll not know your system is being compromised regardless of whether or not you're sitting at the keyboard.

    However, you could argue that you reduce the risk of being attacked simply by reducing the amount of time that a potential attack point is available.

    ----------------------------------------

    Question 1: What types of applications should I worry about most?

    Applications that have some kind of "server" capability (allowing people or other systems to connect to your machine) are your biggest concern.

    The following applications fall into this category...

    - MP3 / file sharing software (napster, hotline, etc)
    - Instant Messaging clients
    - Web Servers (including personal web sharing)
    - File Sharing
    - Email servers

    It is possible that an application like this may have a bug or "back-door" that allows someone to gain remote access to your machine.

    Ironically, these are also the types of applications that people generally leave running unattended!

    To be safe, turn off your instant messaging and MP3/File sharing software when you're not using it. Also, disable Web Sharing, File Sharing and other services if you don't use them on your machine.

    ---------------------------------------

    Question 2: What about a Web browser?

    You really have little to worry about with a Web browser or email client while you're not using it.

    The nature of attacks on Web browsers generally require the user to actively visit a site that exploits some kind of vulnerability in the browser or a browser extension. (Such as a plugin, java environment, activex function, etc.)

    That being said, I'd recommend quitting your browser after visiting warez sites. :)

    -----------------------------------------

    Question 3: What about an email client?

    Again, email client attacks generally require that someone is using the email software. They generally take the form of a trojan program (commonly known as an "email virus").

    Email viruses are generally avoidable.

    Don't double-click on the attachment that you weren't
    expecting! Especially if it seems designed specifically to entice you into opening it! It might actually be a program that is designed to do something sinister (like wipe your hard drive).

    That being said, there have been cases in the past (one involving Microsoft Outlook last year) that involved attacks which only required that a user "receive" a specially designed email message.

    A successful attack using that vulnerability could have made every other "email virus" problem look trivial in comparison. There was really the potential to wipe the hard drive of almost every PC in the world running Microsoft Outlook within a matter of hours or days.

    Luckily, the problem was fixed and widely distributed before anyone launched a major successful attack using that vulnerability.

    I'd be slightly worried about leaving my email client running. Especially if it's a complicated client such as Outlook* which supports multiple protocols so that it can talk to Exchange, POP, IMAP, etc.

    Safer yet, use a Web mail interface.

    * Note: "Outlook" is a client for Microsoft Exchange mail servers and is different than "Outlook Express".

    -------------------------------

    Question 4: What other things should I worry about?

    You should be especially cautious when using "beta" quality software or software from a source whose reputation you cannot verify.

    Many of the "funny games" that get emailed around are actually trojan programs that allow remote access to a user's machine.

    The Macintosh community is rarely a target because of our limited user base. Make no mistake, we are potentially very vulnerable! It's just that we haven't been targetted.

    ---------------------------------

    Question 5: What about firewalls?

    If you've got a dedicated home connection (such as cable modem), I highly recommend that you pick up a small firewall/router. They're easy to set up, fairly inexpensive (~$100) and offer basic protection from many types of attacks.

    Of course, they also let you share your internet connection with multiple machines!

    ---------------------------------------

    Final Answer...

    If you're really worried about network security when you're away from your machine, unplug the ethernet cord! Alternatively, if you have a router/firewall, turn it off.

    ---------------------------------

    Hope this helps...
    Sorry if it got a little long-winded.

    [Edited by oldMac on 10-27-2001 at 08:04 PM]
     
  9. jefhatfield Retired

    jefhatfield

    Joined:
    Jul 9, 2000
    #9
    re: old mac

    do you think the mac is just as vulnerable as the pc, or are we really just that insignificant?
     
  10. GadgetLover thread starter macrumors member

    Joined:
    Sep 21, 2001
    #10
    security advice

    Thanks everyone for your comments and advice ... keep it coming ...

    Cheers!
     
  11. joey j macrumors regular

    Joined:
    Oct 19, 2001
    #11
    >I can't think of a single Unix vendor who has done a reasonable and consistent job of this,

    the bsd projects?
     
  12. oldMac macrumors 6502a

    Joined:
    Oct 25, 2001
    #12
    It's difficult to say for *sure* that we're just as vulnerable as PCs, but I would guess that to be true. Possibly even more vulnerable because our systems haven't been thoroughly hacker-tested yet.

    (Windows email viruses are typically written in VB Script. There's little technical reason why they couldn't have been written in AppleScript and worked just as well against the Mac platform.)

    Apple has definitely taken some steps to prevent the kind of email viruses that plagues Windows users over the last couple of years. However, these steps don't seem to be significantly different than the steps that are now built into Outlook for Windows.

    Both systems are still vulnerable to attacks which trick the user into performing an unsafe operation. For example, I can still receive a malicious email attachment. And, if after being warned, I choose to double-click the attachment, it can still wipe out all my important files. (And email itself to everyone in my address book simultaneously.)

    IMHO (in my humble opinion), the best approach to reducing this risk in the future is to execute attachments and other potentially damaging operations in a protected sandbox. (Similar to the Java applet sandbox concept.)

    This could be achieved in several different ways, either by way of a virtual machine where potentially sensitive applications run or by some kind of user permission proxy where the user and/or applications have limited permissions while performing certain operations.

    Long-term, of course, nothing's perfect. We'll always live with the potential of viruses and trojans.

    That being said, Apple has taken some good steps with OS X.

     
  13. jefhatfield Retired

    jefhatfield

    Joined:
    Jul 9, 2000
    #13
    hackers

    hackers i know don't consider us a factor in the computer world...being only 5 - 10 percent of the market and all

    i guess that is a good thing

    20 years of using a mac and never have been hacked that i know of
     
  14. joey j macrumors regular

    Joined:
    Oct 19, 2001
    #14
    >20 years of using a mac

    Not bad, you living in 2004? Oh really. What's it like there in the future? :p

    more relevant a reply would have included how long you've had your various apple products connected to networks.
     
  15. GadgetLover thread starter macrumors member

    Joined:
    Sep 21, 2001
    #15
    Re: hackers

    Not exactly ... its VIRUSES that are not as much of a concern on the Mac (but ONLY because who wants to write evil code for 5% of the market when you can write it for 95%). IT IS NOT A FUNCTIONALITY THING, IT IS A NUMBERS GAME. Thus, my legitimate question is regarding SECURITY -- whether someone who WANTS TO hack into an OS X system can (and how best to prevent this); not whether it is probable that someone would want to even try.

    Oh, and by the way, the Macintosh wasn't even invented until 1984. (And I doubt that you bought the first one; more likely your first Mac was a MacPlus or Mac SE at best).
     
  16. jefhatfield Retired

    jefhatfield

    Joined:
    Jul 9, 2000
    #16
    yup apple II+ and IIe

    ok macs since 1984 and apple computers before that...god, i have been calling it a mac for so long i forgot about my apple II machines, which like you say, was an apple product but not a "mac"
     
  17. Anton Szandor LaVey macrumors newbie

    Joined:
    Apr 11, 2001
    #17
    What about proxy's, is their any point in using them with web browsers?
     
  18. oldMac macrumors 6502a

    Joined:
    Oct 25, 2001
    #18
    Proxys

    Proxys, IMHO, are really only useful for 3 things.

    1) To limit your users' access to sites that you don't want them visiting. Such as warez sites, hacker tool sites, porn sites, etc.

    2) To cut access to potentially dangerous sites when something bad happens. For instance, you may want to shut off hotmail and yahoo access when a major virus outbreak occurs. Or, you may want to shut off access to Apple's site when they release a product that erases hard drive partitions. :)

    3) To spy on your employees.

    Hopefully, you have enough confidence and trust in your people to not need items 1 and 3. Item 2 is the best reason to have a proxy.

    Of course, proxys only help if you have hired proactive people to run them. If your sysadmin doesn't know about emerging viruses before your users do, then he might not know how to use a proxy server to accomplish item 2, either.

    Remember also, that there's never been a proxy server made that won't slow down internet access to your network. So, you *will* be hampering employees to some degree by installing a proxy server. Especially, if it has a heavy ruleset. Your mileage may vary by vendor and price paid.
     
  19. GadgetLover thread starter macrumors member

    Joined:
    Sep 21, 2001
    #19
    Re: yup apple II+ and IIe

    True enough, but you forgot your own point -- we were talking about Mac OS X security, so the fact that you have used Apple II's is sorta irrelevant to whether or not an OS "twenty years" more advanced than your first Apple DOS OS is secure. And incidentally, my first computers were Atari 400/800/1200XL (but you never heard of those) and a Timex Sinclaire 1000 (with a whopping 1k!). But to me, all of this is irrelevant to whether someone can hack my mac TODAY.
     
  20. jefhatfield Retired

    jefhatfield

    Joined:
    Jul 9, 2000
    #20
    sorry for drifting

    ...but i am the stupid hat man with the long essays and also, cool computers you have...you must be a geezer like me

    ...however, back to your post...i am a network engineer and thus not a full feldged network administrator, but even i could tell you if you were truly worried about security, you would not leave your apps running...even basic hackers could break through any "store bought" firewall

    ...for greater security, you have to give up the freedom of being on all the time (which i think is foolhardy)

    ...it is like the problem here we have in the united states where we are giving up some of our civil liberties in exchange for more sucure airports and such

    ...internet and network security is a list of tradeoffs
     
  21. jefhatfield Retired

    jefhatfield

    Joined:
    Jul 9, 2000
    #21
    also UNIX is way more secure than C or DOS

    Windows NT guys like me prefer the use of Linux firewalls or utlizing UNIX-like NTFS configuration over FAT/FAT32 for a more stable and secure system

    and leaving stuff running is not a back door to hackers, but a front door with a welcome mat

    a backdoor would be something more like a peripheral as in a fax machine connected to your computer, which is actually also a front door

    i hope this helps and a good solution to your problem should come from a hacker, not some "network security expert" unless they too were hackers

    so i still say, to be safe, don't let things be running all the time
     
  22. troy wilson macrumors newbie

    Joined:
    Sep 16, 2001
    #22
    you already have a hardware firewall

    if you are running a highspeed dsl connection with a dynamic ip being served to you, the odds are you already have a router that is also a modem (for all intents and purposes). this router (probably a cheap little cisco) has its own hardware firewall. unless you go into the router and change the network addy translation tables, your ports are "closed" to incoming traffic. simple as that. cisco 675 678?

    i host a website/email/ftp server on osx...and also on os9. the servers are constantly getting felt up and violated by some damn MS worm or virus bot. searching for IIS files every 2 minutes.

    even if the most resourceful software company provides us with all the patches and security updates possible, it doesnt do a bit of good if you have home users with always on connections with an infected computer and nary the will to update their software or squash a bug they cant see or realize. you have no need to worry bud, just dont go turning on remote terminal access / apple events or ftp unless you really need them. also, they wont work if you are connected to a cisco router...unless you physically go and open the ports specifically pointing to one machine at your outside ip.

    johnnycatbreath
     

Share This Page