Mac OS X Unleashed

By John Ray and William C. Ray

Why Bother with Network Security

Before we can reasonably discuss ways to make your OS X machine more secure, it is important to understand why you should care and what you are facing.

You might be wondering, "Why bother with security?" You've never cared about securing your Mac before. In fact, prior to OS X, security has rarely been an issue for a Mac owner. However, as a Unix-based operating system, OS X brings with it not only the advantages, but also the disadvantages, of a Unix operating system. Unfortunately, one of those disadvantages is security, which has always been a problem for Unix operating systems. This will be unsettling at the beginning, but the simple fact is that nothing can be done to make any network-connected Unix machine (OS X or otherwise) completely secure. To paraphrase one system administrator's feeling about securing a Unix machine, "I'd pull the plug and the network, put the machine in a safe, fill the safe with concrete, lock it, and drop it in the middle of Hudson Bay—and even then I wouldn't be sure."

This take might be a little extreme, but you get the point. If your machine is on a network, and/or the hardware is physically accessible, it's vulnerable to something, somehow. Your best efforts at security are only capable of increasing the effort, time, and creativity required for a cracker to access your hardware—you simply can't make it impossible.

Crackers target anything they can find on your computer or network. Your Mac OS X computer has a variety of server processes running on it that enable it to communicate with the outside world. A single programming flaw in one of these daemons could open administrative access to anyone. If a cracker can't find a way in directly, he can direct attacks on your network hardware, or your ISP's hardware. Switches, routers, and other devices are also susceptible to attack. If your computer has blocked access to outside networks, the intruder might resort to IP spoofing to fake his real location.

The threat of computer break-ins is very real, and a very real concern—even if you're doing everything right. For example, earlier versions of Sendmail (the mail server included on your Mac OS X installation) suffered from a bug that allowed remote crackers to send a specially formatted e-mail to the server and force it to execute pieces of code with full administrator privileges. Imagine it: A person, anywhere in the world, could potentially take over control of your computer by sending it an e-mail message. Even experienced administrators were at risk from this bug. Although Sendmail has since been patched (and doesn't run by default on Mac OS X), this is an excellent example of the type of attack that is possible. For more information about this particular exploit, check out http://ciac.llnl.gov/ciac/bulletins/h-23.shtml.

You might still be wondering, "Why bother?" If the machine can't be made completely secure, why try? When your machine is brand new, and not very customized, perhaps you can afford to have that attitude. Reinstalling the operating system is not all that traumatic at that stage. However, because you have made it to this chapter, you've seen OS X from many angles, and perhaps even implemented some customizations to your system. Hence, you might not feel like doing it all over again.

So, if you can't be completely secure, what can you do? You can be reasonably secure. Exactly how secure is reasonable differs from case to case, and depends on a wide range of factors. Later in this chapter, we'll discuss some of these factors, and how to assess your needs. For now, understand that when designing security measures, there is a threshold beyond which expending extra effort does not produce a sufficient increase in security to make that effort worthwhile. You can liken this to the somewhat facetious advice given for how to protect yourself when hiking in bear country: "always hike with someone who runs slower than you do." Your goal in securing your system is to make your machine and your network less attractive to the cracker than the next guy's system. In this chapter, we will look at some ways to accomplish that goal.

Security Assessment

There are a number of factors that you need to keep in mind when assessing what reasonable security means to you. How you weigh each of these factors and the decisions you make regarding implementation details are up to you. There are, however, some good rules of thumb that you can live by. Some of these you might not fully understand, but we recommend that you follow them anyway. Some of them might sound like overt paranoia, until you've been in the trenches for a while. After you've been there, and done that a few times, you'll probably come to realize that when it comes to security, paranoia is usually your friend.

The four questions that you should ask yourself before deciding on a strategy are "Why do I want security?" "Who is going to try to compromise my security?" "How worried about it am I?" and "How much effort do I want to invest in stopping them?"

"Because" is a perfectly reasonable answer to the first question, but if you have a better answer, such as "because my system contains sensitive financial transaction data," your mission in securing your machine will be much more focused.

The answer to the second question will be instrumental in deciding what security precautions are appropriate for your site. If you're trying to secure a system that contains important industrial secrets, you have much more at stake. Therefore, you will also meet a very different kind of cracker than on something like a student-organization Web server at a college.

The answer to the third question should be "very." First off, if you aren't very worried, you're putting forth a lot of effort to protect something for which you're not very worried. Secondly, paranoia is an admirable quality in a system administrator. You might not feel like a system administrator, but with your OS X machine, not only have you become a Unix user, but you're also a system administrator. A good system administrator always prepares for the worst possible scenario that she can imagine. The worst, or something closely approximating it, happens to everyone eventually, and it's the paranoid system administrator, who planned for it three years ago, who keeps the system up and running like nothing ever happened. When the job is done right, nobody ever notices that she's done it, and nobody ever says thank you. You might not have many users on your OS X machine, so you might not be in quite the same shoes as your system administrator. Nevertheless, you should take the time to brighten your system administrator's day and say thank you. If you want to make her even happier, let her know that you are taking steps to make your machine reasonably secure.

On the final question, if your answer isn't "a lot," you should realize up front that your system won't be very secure for very long. All flavors of Unix are such complex systems that it's impossible to completely debug them, and new holes and exploits are being found on a weekly basis. Although there are more interesting things to do on your OS X machine, as a responsible Unix machine owner, you should try to keep up with the latest patches to software and watch the latest developments in the cracker world.

Private Data Versus Secret Data

Understanding the reasons that the data or contents of your system need to be protected is important. If you're proposing to create a secure system for something like a K–12 student-teaching lab network, your main reason for wanting to protect your system is probably simply the principle of the matter. On the other hand, if you're protecting a system that contains important industrial secrets, preventing intrusion is probably more of a necessity. Essentially, this assessment comes down to a question of whether your data is simply private or actually secret. Allowing the disclosure of private data is never a good thing, but you won't find many people with the motivation to try to compromise your system if the data in it is simply private. On the other hand, if your data contains secrets, such as industrial trade secrets, financial records, or some types of highly sensitive personal information, you will find attackers that are much more motivated to crack your system.

The point of this examination goes back to that issue of making your system less attractive than the next guy's. If your system contains only private data, you won't have much trouble making it more secure than the vast majority of other systems out there. If your only concern is the random curious cracker, rather than the dedicated and motivated one, you can make your system unattractive to him with little work.

If, on the other hand, you're in the unfortunate position of needing to defend truly secret data, you might find crackers motivated enough that they won't leave you alone, no matter what you do. Against these individuals, you've little choice but to simply do your best to stay one step ahead of them.

Types of Attackers

We divide the types of attackers you're likely to meet into three subsets. Although it might not seem obvious at first consideration, the variety that you're the most likely to meet, regardless of the type of data you're protecting, is frequently both the most and the least dangerous.

The Motivated Cracker

The type of cracker you're probably least likely to meet is the dedicated and motivated professional or amateur cracker with a mission. This person might be an industrial spy trying to discover your company's trade secrets, a student trying to change his grade, or a hobbyist who simply finds your security measures a challenge.

The motivated cracker isn't likely to leave a large amount of evidence of his comings and goings. These types vary between unlikely to do any significant damage (other than observing your data), to making insidious and difficult-to-detect modifications to the contents of your system.

To defeat this type of cracker, you need to understand his motivation, and either remove it or resign yourself to a constant battle to stay ahead. The only way to actually stop these people permanently is to track them down and pursue legal remedies against them.

The Casual Experimenter

The next type of attacker you're likely to meet is the casual experimenter. These individuals don't usually intend any significant harm, and aren't usually very motivated to invade your system. They're frequently just a bit over-curious, and are trying out something that they stumbled across somewhere on the Internet. This doesn't mean that they're not dangerous—their lack of intent can't prevent simple typing mistakes that can be disastrous to a person with root access. Thankfully, these individuals aren't usually too difficult to defend against because they're usually not particularly sophisticated. They also don't tend to be worth investing much effort in tracking down legally.

The Script Kiddie

The most common type of cracker doesn't even deserve to be called a cracker. Historically, crackers have been frequently thought of as Robin Hood characters, with a sort of romantic fascination with their exploits. Not to minimize the impropriety of the legendary crackers' actions, but you can appreciate the creativity and tenacity of these individuals without approving of their actions. By the standards set by the crackers of old, the vast majority of today's crackers barely qualify as cracker-wannabe-wannabes.

Today's prototypical cracker is a young adult with too much free time who found a cracking script on a Web site somewhere and is trying to use it to show his friends he's an "lEEt HaCkEr dOOd." In fact, these new crackers are called script kiddies.

These individuals are both a trivial and significant concern. If you keep your system up to date, and pay attention to the latest cracking scripts and to the patches against them, you are almost invulnerable to actual intrusion at the hands of these people. They don't generally try anything more complicated than running a script they've borrowed from someone else, so if you keep your system secure against these scripts, you're usually secure against cracker wannabes. This doesn't mean that they're completely innocuous though, as they can still consume your network resources while trying to break into your system.

They can also be very dangerous, however, if you don't keep your system completely up to date because there are so darned many of them, and because they're basically glory-hounds interested in nothing more than self-aggrandizement. To give you a perspective on the magnitude of their numbers, here at The Ohio State University, we see unsophisticated cracking attempts of this sort multiple times every week, directed at the thousands of machines on campus. A Linux machine, installed out of the box and not immediately secured against intrusion, stands a better than 50% chance of being cracked within 24 hours if it's attached to the network here. Fortunately, an OS X machine installed out of the box is a bit more secure, but that does not mean that it is invincible.

Also, because their basic goal is self-aggrandizement, and because they don't get that much glory for using someone else's script, these people are rarely content to break into a system, tread lightly, and leave without a trace. Instead, they're more likely to erase the contents of your hard drive, or replace your corporate Web page with pornography, so they have some evidence to show their "lEEt HaCkEr dOOd" friends.

Securing your system against these attacks is simply a matter of watching every security discussion list and cracker site for signs of trouble and postings of new cracking scripts, and then applying every security patch as quickly as it becomes available. Simple, no? As satisfying as tracking them down and squashing them like the insects they are might be, it's usually impractical. Ninety percent of these attacks come from users with transient accounts, and the best you'll usually do is chase them to a different account. If you do happen to catch one though, please do let the Internet system administration community know—the newsgroup alt.sysadmin.recovery would be a good venue—public lynchings are always well attended.

Types of Attacks

Next, let's look at what methods attackers might use to access your machine. This is especially important if your machine is connected to an unprotected network, or if it serves as a firewall.

Software and OS Flaws

The most common type of attack you will encounter is one that attempts to exploit flaws in application or operating system software. There is probably not much you can do about most software flaws other than hoping that the providers find and fix the problems promptly. Although this is a problem from a security standpoint, the positive side is that if you're spending the time to watch the cracking Web pages and the security mailing lists, you'll know about the problems as soon as the crackers do. With the information you get from these sources, and your understanding of the special risks your site incurs, you can assess whether leaving that software on your machine is an acceptable risk until the vendor fixes it.

You need to be aware that some of these flaws require prior access to your system to exploit, whereas others can be exploited from a remote site over the network. Don't make the mistake of assuming that because no one has actually logged in to your machine, you can't or haven't been attacked.

Brute Force Attacks

Although not a particularly elegant form of attack, the brute force attack is one that you can only partially prevent. In its simplest form, this attack is a cracker attempting to log in to a system by sitting at a machine and iteratively typing attempts at passwords into the prompt. There's not much you can do to keep people from trying this sort of thing.

Keep an eye on the system logs, and you'll see the trivial attempts as they occur. Typically, however, there is much more danger from this sort of attack when a cracker manages to get your password file and can attempt to crack the passwords on his own machine, at his leisure. To prevent this, some systems use a shadow password facility to keep the password file from being readable by a normal user. However, OS X does not have a shadow password facility. Instead, you might want to consider restricting the executable permission on your NetInfo utilities, such as nidump and niutil, to root only.
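The two defensive steps this passage describes, watching the logs for repeated failed logins and checking that password-dumping utilities are not executable by ordinary users, can be scripted. The following shell script is an added example, not code from the book or from Apple. The log lines it scans are constructed samples in syslog/OpenSSH style (real attempts on your machine will look different depending on which service logged them), and the paths /usr/bin/nidump and /usr/bin/niutil are assumed; adjust them to wherever the utilities live on your system.

```shell
#!/bin/sh
# Added example (not from the book): two checks against the brute-force
# scenario described above: tally failed logins per source address, and
# audit whether a list of tools is executable by users other than root.

# Constructed sample log lines in syslog/OpenSSH style; not real captures.
SAMPLE_LOG='Mar  3 02:11:04 mymac sshd[412]: Failed password for root from 192.0.2.10 port 40122 ssh2
Mar  3 02:11:06 mymac sshd[412]: Failed password for root from 192.0.2.10 port 40123 ssh2
Mar  3 02:11:09 mymac sshd[412]: Failed password for admin from 192.0.2.10 port 40124 ssh2
Mar  3 02:12:00 mymac sshd[418]: Accepted password for jray from 198.51.100.7 port 51002 ssh2
Mar  3 02:13:31 mymac sshd[420]: Failed password for jray from 198.51.100.7 port 51010 ssh2'

# count_failed_logins LOGTEXT THRESHOLD
# Prints "count address" for every source address with at least THRESHOLD
# failed password attempts, most frequent first.
count_failed_logins() {
    printf '%s\n' "$1" |
        awk -v thr="$2" '
            /Failed password for/ {
                # the address follows the word "from"
                for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
            }
            END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }' |
        sort -rn
}

# world_executable FILE
# Returns 0 if FILE carries the execute bit for "other" users, 1 otherwise.
# Parses ls -l rather than stat(1), whose flags differ between BSD and GNU.
world_executable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        *x|*t) return 0 ;;   # 10th column: x = other-exec, t = sticky + exec
        *)     return 1 ;;
    esac
}

# audit_tools FILE...
# Warns about each existing file that non-root users may execute; the
# return value is the number of such files (0 means all are root-only).
audit_tools() {
    bad=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if world_executable "$f"; then
            echo "WARNING: $f is executable by everyone"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage: report any source that failed twice or more, then audit the
# NetInfo utilities (assumed paths; absent files are skipped).
echo "Sources with 2 or more failed logins:"
count_failed_logins "$SAMPLE_LOG" 2
audit_tools /usr/bin/nidump /usr/bin/niutil ||
    echo "Consider restricting the files above to root with chmod 700."
```

To run the first check against your own machine, replace the sample text with the output of `cat /var/log/system.log` (or whichever file your login service writes to) and raise the threshold to whatever you consider suspicious. The audit deliberately skips files that do not exist so that the same script can be pointed at any list of privileged utilities.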

Denial of Service

Denial of service (DoS) attacks are generally destructive attempts rather than attempts to access your system. When the attacks come from a network of multiple machines, they are known as distributed denial of service attacks. Both types of attack aim to prevent you and your users from using your machines, rather than to gain an intruder access. Because an attacker can mount such an attack without ever gaining access to your system, there's little that you can do to prevent many of them. Because the denial of service attack rarely results in an actual security violation or illegitimate access of your system, your best defense is detection and elimination.

Although the specific methods employed in different varieties of denial of service attacks vary, they share a common feature—the exhausting of some service or resource that your machines require or provide. Why do people do this? Good question. You might expect this sort of behavior from a disgruntled ex-employee attacking a former employer, or from a student who thinks it's a funny practical joke. Less expected are denial of service attacks that seem to happen as random vandalism, just because the attacker can do it.

Certain denial of service attacks can be mitigated or prevented with software or hardware updates. In general, these updates tend to be installation of OS patches to disallow certain types of connections, or installation of filtering hardware to block certain types of network traffic. Denial of service attacks range from flooding users' e-mail, to absorbing all your HTTP server connections, to running your printer out of paper, to flooding your network with ICMP ping packets. Unfortunately, there's little you can count on to be reliably effective other than constant vigilance and swift retribution.

Generally most attacks can be thwarted by taking the following precautions:

Physical Attacks

Many administrators in charge of system security overlook this area of obvious weakness in their security strategy. Computers don't need to be logged in for a person to access their data. A person unscrupulous enough to crack your machines will be just as happy to simply yank a hard drive out of your machine to steal the data on it. These sorts of attacks are usually easy to detect, but can cause significant downtime while critical hardware is replaced.

Although distributed computing and distributed storage are popular in certain environments, if security is a goal, especially data security, you should severely restrict access to all hardware with mission-critical data.

By far the easiest physical attack on your hardware is the power switch or reset button combined with the capability to boot the machine into single-user mode without a password, or to boot off of a device specified at startup, also without a password. When in single-user mode, an attacker can get a dump of your passwords, change your root password, and so on.
