Bugtraq mailing list archives
RE: Mac OS X stores login/Keychain/FileVault passwords on disk
From: "Michael Shirk" <shirkdog_linux () hotmail com>
Date: Mon, 19 Jul 2004 07:56:30 -0400
Pretty much it is a security risk to have an Apple laptop or desktop process any classified information. As long as physical access is used as you suggested a lock rack you are fine for 1U Xserves. However, the typical user on a subway with an iBook could be a major risk.
I have set all of the options possible as well as the security setting in OpenFirmware:
setenv security-mode fullBut I need to get a laptop back with a key lock and a cinder block so no one can take it. However, mac laptops are really just attack boxes and not meant to be secure.
:-) shirkdog http://www.shirkdog.us -----Original Message----- From: bt () seifried org [mailto:bt () seifried org] Sent: Saturday, July 17, 2004 8:17 AM To: bugtraq () securityfocus com Subject: Re: Mac OS X stores login/Keychain/FileVault passwords on disk Importance: Low
FWIW: You can enable the security features of OpenFirmware on modern Apple hardware, such that things like "boot from CD", "target disk mode", etc, are all disabled.
FWIW this is utterly worthless.
It adds at least another barrier for people to have to get around to get your data. More information is available via a Google search, but the following URL is a pretty good reference: http://www.mactipsandtricks.com/tips/display.lasso?mactip=3D118
To quote myself: http://www.seifried.org/lasg/system/index.html Unfortunately if you are using Apple hardware you cannot secure the boot process in any meaningful manner. While booting if the user holds down the command-option-P-R keys it will wipe any settings that exist, there is no way to avoid this. About the only security related option you can set is whether the machine automatically reboots or not, this is useful for servers to prevent a remote attacker from changing the kernel for example (which require a system reboot). Hold down the command-option-O-F keys to access the OpenFirmware and from there you need to: go> setenv auto-boot? FalseHowever because a local attacker can easily flush the settings there is no inherent security. If you need to use Apple systems as servers then it is highly advisable to lock them in a cabinet of some sort. As workstations in a public area your best solution is to automate the reloading of the OS to speed recovery time. Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ _________________________________________________________________Dont just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/
Current thread:
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Adi Kriegisch (Jul 15)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Theo Van Dinter (Jul 17)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Adi Kriegisch (Jul 24)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Ray Slakinski (Jul 17)
- <Possible follow-ups>
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk johnny (Jul 17)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Kurt Seifried (Jul 18)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Chris Boyd (Jul 19)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk James Goodlet (Jul 19)
- RE: Mac OS X stores login/Keychain/FileVault passwords on disk Michael Shirk (Jul 19)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Theo Van Dinter (Jul 17)