Security Basics mailing list archives

Re: Mac X-Server Security Questions...


From: David Haines <david () coresolutiongroup com>
Date: Wed, 6 Apr 2005 18:36:50 -0400

I work with primarily Macs but also PCs on a regular basis. I find it contrary to my ongoing experiences, and fairly disingenuous to state as fact that PC users are more prudent than Mac users: The average user on any platform is neither informed nor takes appropriate steps to mitigate the numerous dangers of putting their computer on the Internet.

To suggest that OS X is inherently insecure does indeed show a lack of experience with it, and this common sort of vendor-specific bias is lamentable. Mac-bashing and/or FUD is no more helpful to anyone than is MS-bashing and FUD.
        
For any OS X-based computer, Samba sharing is not enabled by default. For that matter, nor is the Apple filesharing enabled. Neither is SSH. Those are the only standard ways available to connect to a Mac OS X box "out of the box" and they are shut off out-of-the-box. There are still, of course, the dangers of web-based exploits (phishing and DNS poisoning are platform-agnostic) and any files that one could potentially download via HTTP or FTP. Most of the published "exploits" so far require direct (and misguided/misinformed) actions by the user sitting at the computer: download a file of unknown origin from an unknown source and run the installer for it. The rest of these "exploits" are: 1) issues that should be handled appropriately and that are common concerns for any Unix-based system; 2) proof-of-concept and/or companies using snake-oil scare tactics to attempt to generate press coverage and/or revenue.

Standard precautions for SSH should be taken, as with any Unix-based system. Edit the sshd_config file and do not allow login by root. Don't even use root on the computer if you're not well familiar with the Unix root user. Use "sudo" instead. Edit /etc/xinetd.d/ssh to allow connections from specific IPs only, if you wish. Don't use Norton for anti-virus; it is continually problematic. If something is needed to check against PC viruses, go with the latest Virex or, better yet, the open-source ClamAV. Standard precautions of secure passwords and not using default usernames/logins apply (i.e., not Admin).

Keep the system up-to-date. Use a decent Firewall. Don't use clear-text logins, be it for filesharing or for email.
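The SSH precautions above (no root login over SSH, and restricting the xinetd-launched sshd to specific source addresses) can be checked mechanically. The following POSIX shell script is an added example, not code from the original post or from Apple; it audits an sshd_config for PermitRootLogin and Protocol, checks whether an xinetd service file carries an only_from restriction, and runs against two constructed sample configurations (the weak one leaves PermitRootLogin commented out, so the assumed compiled-in default of "yes" applies). The sample file contents, the 192.0.2.0/24 address range and the assumed defaults are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config and an
# xinetd ssh service file for the hardening the post recommends.
# Sample files written by write_samples are constructed for this demo.

# Effective value of a directive. sshd honours the first uncommented
# match, so print that one; fall back to $3, the assumed default when the
# directive is absent or still commented out. Match blocks are ignored.
sshd_value() {
    file="$1"; key="$2"; default="$3"
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Exit status is the number of findings (0 = clean).
audit_sshd_config() {
    file="$1"; findings=0
    # Assumed default of that era: PermitRootLogin yes when unset.
    if [ "$(sshd_value "$file" PermitRootLogin yes)" != no ]; then
        echo "WARN $file: PermitRootLogin is not 'no'; root can log in over SSH"
        findings=$((findings + 1))
    fi
    # Protocol 1 has known weaknesses; require protocol 2 only.
    if [ "$(sshd_value "$file" Protocol 2,1)" != 2 ]; then
        echo "WARN $file: Protocol is not '2'; SSH protocol 1 still negotiable"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# True when the xinetd service file restricts clients with only_from.
xinetd_has_only_from() {
    grep -Eq '^[[:space:]]*only_from[[:space:]]*=' "$1"
}

# Constructed sample files, written into the directory given as $1.
write_samples() {
    dir="$1"
    # Weak: directive still commented out, so the default (yes) applies.
    printf '#PermitRootLogin yes\nProtocol 2,1\n' > "$dir/sshd_config.weak"
    # Hardened, as the post recommends.
    printf 'PermitRootLogin no\nProtocol 2\n' > "$dir/sshd_config.hardened"
    # xinetd service limited to one (constructed) address range.
    printf 'service ssh\n{\n\tonly_from = 192.0.2.0/24\n}\n' > "$dir/xinetd_ssh"
}

# Demo run: audit both samples and the xinetd file, then clean up.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in "$dir/sshd_config.weak" "$dir/sshd_config.hardened"; do
        if audit_sshd_config "$f"; then
            echo "OK   $f: root login refused, protocol 2 only"
        fi
    done
    if xinetd_has_only_from "$dir/xinetd_ssh"; then
        echo "OK   $dir/xinetd_ssh: clients restricted with only_from"
    else
        echo "WARN $dir/xinetd_ssh: no only_from line; any address may connect"
    fi
    rm -rf "$dir"
}
demo
```

To audit a real machine, call `audit_sshd_config /etc/sshd_config` (the path used by OS X of that period; later systems use /etc/ssh/sshd_config) and `xinetd_has_only_from /etc/xinetd.d/ssh`; a non-zero exit status from the audit is the count of findings, which makes it easy to wire into a cron job or a deployment check.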




On Apr 5, 2005, at 11:20 AM, Brad Berson wrote:

So here's where I'm coming from... I've been doing PC stuff for twenty
years.  I program, I know networking, applications, know Windows inside
and out, and am fairly conversant in security matters from a Windows POV
and in general, I think.  For several years PCs have been such a huge
target that folks in the Mac world have gotten a little too comfortable.
Only now in the past month I've personally seen two instances of
completely unprotected OS-X boxes getting almost totally compromised.

The boxes in question have since been rebuilt and put behind firewalls,
and post-mortem forensics are a bit light because the folks who do the
Mac work in my organisation went into "oh $#!+" mode, but now I'm
interested in learning this environment and figuring out how to permit
access while protecting the system.

As for what happened, the account database was definitely compromised,
and fairly secure passwords were discovered.  My initial worry was that
Samba would have some NetBIOS-like hole that permitted account
enumeration but so far I've seen no supporting evidence, so I'm assuming
the account list was compromised through one of many vulnerabilities in
OS-X and its accompanying layered packages.  The scary part is that in
one instance, a freshly rebuilt box, patched and up to date, went back
on-line without a firewall and was compromised again in about an hour.
So we might have had a zero-day issue just to make things more
entertaining.  So behind closed ports it stays, at least for now.

Now in the PC world nobody in their right mind leaves Windows' file
sharing ports open to the Internet, yet in the Mac world it seems like
people leave AFP (and Samba) widely accessible.  I find this
exceptionally scary.  Then when you tell the folks how scary that is,
they recoil in horror at the idea of having any obstacle in their way to
point-and-click heaven.  So what do we do?  VPN?  What sort of solutions
are there?  And is there anything special I need to know about OS-X in
terms of unusual vulnerabilities from an architecture standpoint?  (BSD
heritage, I know).


