Educause Security Discussion mailing list archives

Re: Adware/Spyware on Mac/OS X


From: Morrow Long <morrow.long () YALE EDU>
Date: Mon, 4 May 2009 14:15:17 -0400

On May 4, 2009, at 1:39 PM, Gene Spafford wrote:
That is fine to say, but what is actually out there in the wild that
we need to protect against, other than news stories that help to
increase readership? :-)

Gene --

The greatest security risk we've seen to most Macs recently appears to
be a user account compromise via insecure passwords on Macintoshes
where inbound SSH services have been enabled (and much more rarely
VNC or Apple Remote Desktop).

While these attacks are somewhat automated (we see SSH brute force
attacks on public IPs all day long) we don't believe that they are the
result of Macintosh viruses or worms but are a human-driven process.

In many of these cases the intruders do not necessarily 'break
root' (attain maximum system privilege) but just use a compromised
account to connect the computer to a "botnet" (e.g. with mIRC and
some scripting).

One can (and should) greatly reduce this risk by:

        1.      Getting Mac users to require SSH Public Key Authentication mode
                (and disabling password authentication mode)
        2.      Convincing end users that they can live without public IPs (and
                use RFC1918 Private IP addresses instead).
        3.      Removing system administrator privileges from end users on Macs
                (just as one should on Windows)
        4.      Restricting access to the TCP ports for SSH, VNC and ARD (Apple
                Remote Desktop) via firewalls (hardware & software) to on-campus
                hosts (or even more specific groups, subnets and lists of
                computers).

Morrow

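The following shell script is an added example, not part of Morrow's message or the list archive. It checks an sshd_config for the password-authentication exposure described in step 1 (the OpenSSH rule that the first uncommented occurrence of a directive wins, and that ChallengeResponseAuthentication with UsePAM still allows a password to be typed via keyboard-interactive) and emits the hardened directives, plus ipfw rules of the kind step 4 calls for. The sample config text, the campus network 10.0.0.0/8, and the exact ipfw syntax are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit an sshd_config for
# password-based logins and print hardened settings and firewall rules.

# Constructed sample sshd_config fragment: the weak state the message warns
# about. The commented line is the stock default comment; the live line
# below it is what sshd actually honours.
WEAK_CONFIG='
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
UsePAM yes
'

# effective_value CONFIG_TEXT DIRECTIVE DEFAULT
# OpenSSH uses the FIRST uncommented occurrence of a directive, so the
# first match wins; DEFAULT is returned when the directive is absent.
# (Match blocks are not modelled; this reads only the global section.)
effective_value() {
  printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(key) && !found { print $2; found = 1 }
    END { if (!found) print def }'
}

# audit_sshd_config CONFIG_TEXT
# Prints one finding per line; returns 0 when no password path is open,
# 1 otherwise. Defaults match OpenSSH 5.x shipped with Mac OS X of the era:
# PasswordAuthentication yes, ChallengeResponseAuthentication yes.
audit_sshd_config() {
  cfg="$1"
  rc=0
  pw=$(effective_value "$cfg" PasswordAuthentication yes)
  cr=$(effective_value "$cfg" ChallengeResponseAuthentication yes)
  pk=$(effective_value "$cfg" PubkeyAuthentication yes)
  if [ "$pw" != "no" ]; then
    echo "PasswordAuthentication=$pw: brute-forceable password logins allowed"
    rc=1
  fi
  if [ "$cr" != "no" ]; then
    echo "ChallengeResponseAuthentication=$cr: keyboard-interactive can still prompt for a password (via PAM)"
    rc=1
  fi
  if [ "$pk" != "yes" ]; then
    echo "PubkeyAuthentication=$pk: key-based login is disabled"
    rc=1
  fi
  return $rc
}

# hardened_sshd_config: the directives that leave only public-key auth.
# PermitRootLogin is set explicitly because the OpenSSH default of the time
# was "yes".
hardened_sshd_config() {
  cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# firewall_rules CAMPUS_CIDR
# ipfw rules (the Mac OS X host firewall of that era; syntax assumed) that
# admit SSH (22), VNC (5900) and ARD (3283) only from the campus network.
firewall_rules() {
  net="$1"
  for port in 22 5900 3283; do
    echo "ipfw add allow tcp from $net to me $port in"
  done
  echo "ipfw add deny tcp from any to me 22,5900,3283 in"
}

# Stand-alone run: audit the weak sample, then show the fix.
if audit_sshd_config "$WEAK_CONFIG"; then
  echo "sample config: no password login path"
else
  echo "sample config: password login path open; apply:"
  hardened_sshd_config
  firewall_rules 10.0.0.0/8
fi
```

To audit a real host, pass the file contents instead of the sample, e.g. `audit_sshd_config "$(cat /etc/sshd_config)"` (the path varies by OS X release). Disabling ChallengeResponseAuthentication matters as much as PasswordAuthentication: with UsePAM on, leaving it enabled keeps a password prompt reachable by the same brute-force tools.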