Nice read. ...And thanks, Jeff, for the text re-print & link. Regards, Russ Preston
On Sep 19, 2006, at 9:10 PM, Jeff @ SLYN Systems wrote:

> (The following is missing charts and stuff-sorry)
>
> 4 Ways to Stay Safe on an Apple
> Our expert delves into the real threats in the Apple world and outlines simple steps you can take to protect yourself
> September 18, 2006
> http://www.smallbizresource.com/document.asp?doc_id=103940&page_number=1
>
> First, there was Apple's massive May security update, which patched more than 40 vulnerabilities in Mac OS X and QuickTime. Then the company patched 26 more vulnerabilities in August. Almost simultaneously, security researchers took advantage of a wireless driver vulnerability to hack into a MacBook at this year's Black Hat conference.
>
> What's going on here? Is the shine off Mac OS X? Is a raft of Windows-level security issues on the way for the secure-OS darling?
>
> KEY POINTS
>
> The Mac security alerts and patches seen lately are a sign that more people are taking OS X's security seriously and actively looking for vulnerabilities so that Apple can patch them.
>
> Mac OS X is highly resistant, but not invulnerable, to attack.
>
> The real threats in the Mac world are complacency and foolish behavior on the part of users.
>
> Relax, that's not about to happen. For starters, the MacBook that the security researchers hacked into was modified: The vulnerable driver was for a third-party wireless access device, not the AirPort card that's built into the MacBook.
>
> While you should never be blasé or deliberately ignorant of security issues, the fact is, OS X is as secure as it ever was. What you're seeing is the natural evolution of the operating system's security as it becomes more popular.
>
> Windows Security Vs. Mac Security
> Mac OS X is, out of the box, a very secure OS. It is, however, not magically secure.
> While some Mac users like to propagate the myth of "Mac OS X's perfect security," the fact is that like any other well-designed OS, Mac OS X is highly resistant, but not invulnerable, to attack.
>
> This is not to say that it's as bad as Windows at its worst. Early on in the history of Windows NT 4, Microsoft Office, and Internet Explorer, Microsoft made some decisions that, while not terrible from a user's point of view, created the nigh-crippling problems you see with Windows today. The worst of these is the administrator account in Windows, and the reliance of too many software packages on that account. The Windows administrator account is essentially the same as the all-powerful root account on Unix -- there are no files the administrator can't access and no actions the administrator can't perform -- and it's the default account on every version of NT through XP. So once you're running as root, then you're...well...root. There's nothing you can't do, and you aren't going to even get a warning about it.
>
> The insecurity of this is exacerbated by Windows' very bad habit of, until fairly recently, not even asking for a password on the Administrator account. Auto-logon as root, no password needed. There aren't enough letters in the phrase "That's a Very Bad Idea" to adequately communicate the "bad idea-ness" of this bad idea. So if malware gets into your system, then it is running as root. There's very little any OS can do to stop a software process running with that kind of authority.
>
> Apple has never done this. A user who is an "administrator" is not even close to root, but rather is a part of the OS "admin" group. That means that, if needed, the user can authenticate and run processes as root, but is not root on an ongoing basis. In fact, on Mac OS X, the ability to log on as root is disabled, and positive steps must be taken to enable this feature.
>
> It's worth noting that Microsoft has taken a page from Apple in its upcoming Windows Vista operating system: When that OS is released next year, users will not be logged in as administrator/root by default.
>
> So Why All The Patches?
> The Mac security alerts and patches you're seeing lately are not a sign that Apple is flubbing the security of the OS, but rather that more people are taking OS X's security seriously and actively looking for vulnerabilities so that Apple can patch them. This was, ironically, predicted by Symantec in a much reviled security review paper back in 2005. In that Internet Security Threat Report, Symantec predicted that as Mac OS X becomes more popular, there will be more people looking for vulnerabilities in that OS (for good and ill), and so of course there will be an upswing in the number of vulnerabilities found. That's what you're seeing today.
>
> This is not an inherently bad thing. It can be unsettling, but it's the best way to reduce vulnerabilities. If the only people looking for holes in Mac OS X were Apple employees, the OS would be a lot less secure. Vulnerabilities are not exploits. They're potential avenues for exploits, which is why it's critical that you keep your system up to date.
>
> The truth is, all the malware for Mac OS X thus far has been rather lame, and not much of a danger to anyone who practices a few common-sense steps. The real threats in the Mac world are complacency and foolish behavior on the part of users.
>
> Protecting Yourself
> While Mac OS X is quite secure out of the box, there are some easy things that you can do to keep yourself safe.
>
> 1. Stay away from the Sharing preference pane unless you need to share files. Simply stated, unless you need to share files with someone, don't enable file sharing. This is a really easy step to take: Do nothing. By default, all sharing services are disabled in Mac OS X. Leave them that way.
> It's rather hard for an attacker to transfer files to your machine if you never open the file transfer pathways.
>
> If you're not sure as to whether you need to enable sharing, I have a general guideline that can help: If I have to ask, "Should I do this?" the answer is "no." If I need to do something, then I'll be sure of it. I find this a solid guide even for my own use, and I've been in the tech field for 20 or so years.
>
> In the two images below, you can see the default, secure sharing settings. If you've turned any sharing services on, and you're not sure they should still be on, here's what you should see when they're all turned off. (The Sharing dialog box is the first thing you see in the Sharing Preference Pane in System Preferences.)
>
> 2. Don't download strange software. That's not to say "never download anything without a full source code review," but try to be sure of your sources. For example, a bunch of people got burned a few years ago because what they thought was a free Internet download of the Microsoft Office 2004 demo was really a malicious script that wiped out their home directory. Of course, the only place this script existed was on questionable download sites such as LimeWire.
>
> In general, stick to reputable sites for your software downloads. My favorite is VersionTracker, at. It's a great site, not only for Mac OS X software, but for Windows and Palm software as well, and is updated constantly throughout the day.
> Unlike most P2P networks such as the aforementioned LimeWire, VersionTracker doesn't allow for anonymous software postings, and there is at least a basic vetting process for software. No one can guarantee perfect safety, but VersionTracker has done a solid job thus far.
>
> Running program(s) is where you need to be the most careful, as once you run code, you have no control over what that code is doing. If you're an administrator user, then that code is running as you. If you authenticated as root in a security dialog, then that code is running as root. There's nothing in the world that's stopping a Trojan horse with root privileges.
>
> 3. Think before you enter a password. While many applications ask you to enter an administrator password, particularly during an installation, you shouldn't just do so because you were asked. If nothing else, check to see if it's a valid request dialog box. Below are two images of a legitimate authentication request that I created via AppleScript to demonstrate:
>
> There are a number of items that help identify this as a legitimate request dialog. First, there's the lock icon, with the requesting application's icon overlaid on it. Next is the text informing you that the application (Script Debugger in this case) is requesting your password. Then there's your complete user name already filled out in the "Name" field. If we expand the "Details" triangle we see more information that will help you identify this as a legitimate request dialog:
>
> Here we see the specific right the application is requesting (system.privilege.admin), which will give it root access for this operation and the application requesting the privilege. If the application name doesn't match the name or the icon at the top of the dialog, think twice before authenticating. However, there's one more thing you can check, and that's the location of the application requesting the privilege. If you click on the blue application name bubble you can get a path listing for that application, as seen below:
>
> The path shown for Script Debugger 4 is exactly where it should be: in the /Applications/Programming/AppleScript/Script Debugger 4/ folder. (Remember, in Unix nomenclature, "/" is the root level of the boot drive, and folders are shown with an optional trailing "/".) If the path shown in this dialog and the path where you think the application should be are different, again, you might not want to enter a password here.
>
> The dialog check isn't perfect, and it's trivial to create a legit one (I did this in one line of AppleScript), but even the small bit of checking you can do here is better than blind trust.
>
> 4. Stay up to date on security patches. While you may not want to apply security patches the minute they're available (hey, bugs happen), I'd not wait more than a week to do it. Security patches are a dead simple way to protect yourself. I'd also stay up to date on OS versions. While upgrading the OS isn't something you just do, and can require you to pay for a new version, the truth is, the current version of the OS always gets more attention than older versions when it comes to bug fixes and patches. Security is as legitimate a reason to upgrade as any other, and some security holes may require changes on a scale that only a new OS version can address.
>
> If you follow these four tips, and apply some common sense in your daily Mac usage, the chances of you ever having a problem drop rather quickly, and stay there.
>
> So no, there's no looming security nightmare for Mac OS X. All the headlines mean is that more people are taking Mac OS X and Apple more seriously from a security point of view -- and that is, in the end, a good thing.
>
> -- John C. Welch, TechWeb
>
> Jeff Slyn, Owner
> SLYN Systems & Peripherals
> (502) 426-5469
> http://www.SLYNsystems.com
> serving Kentuckiana clients 7 days a week since 1985!
>
> _______________________________________________
> The next Louisville Computer Society meeting is September 26.
> Posting address: MacGroup at erdos.math.louisville.edu
> Information: http://www.math.louisville.edu/mailman/listinfo/macgroup
