1. Mac OSX Security
Allison Sheridan
November 2012
http://podfeet.com
Sunday, November 25, 12 1
2. Definitions
Malware - a generic term to describe anything put on
your machine with the intent to harm
Virus - a self-replicating type of malware that moves from
machine to machine without active participation by the
user
Trojan Horse - malware that masquerades as something
else - e.g. free Photoshop, video codecs
3. Agenda
History
Didn’t we used to be safe?
State of the Union
Where are we now? (Some good news)
What practical things can we do to be safe?
Email safety
Software updates
Protecting passwords
Gatekeeper
Anti-Virus
4. 2004 - 2007 Blissful Ignorance
2004 - Mostly ignored
Renepo worm is proof of concept
2006 - Denial
Leap-A first ever virus for OSX
2007 - I remember this year
Office Macro Virus ran on OSX, Windows & Linux
(we all blamed it on Microsoft)
Bad Bunny (creepy pornographic bunny) and the first
Financial Trojan for Mac (and Windows) - which also
offered porn
5. 2008 - Things start to heat up
Macs and PCs attacked by poisoned adverts offering
Scareware called MacSweeper and Imunizator - without
which they threatened all your data would be erased
Hovdy-A Trojan stole passwords, opened the firewall and
disabled security settings
RKOSX-A - Helped make more trojans
Video Codec claims - you can't play the video without
this codec…
First time Apple suggested anti-virus software, and then
deleted the suggestion
6. 2009 - Your Own Darn Fault
iWorkS-A trojan horse in pirated versions of iWork and
Photoshop
Another video virus MacCinema
How about some more porn? Enjoy your Jahlav trojan
We're all still smug that we're too smart to get infected
7. 2010 - Starting to Get Nervous
Pinhead trojan allowed hackers to gain remote control -
but again through downloads of legitimate software from
illegitimate sites like iPhoto
Boonana worm uses a Java applet to target Windows,
Mac and Linux
8. 2011 & 2012 Hard to Ignore
BlackHole RAT allows hackers to gain remote access
MacDefender hits the scene - pretending to be a
legitimate security application - acquired through a
search engine poisoning campaign
Flashback Trojan hits disguised as an update for Adobe
Flash
Apple acknowledges and provides removal tools
source: http://nakedsecurity.sophos.com/2011/10/03/mac-malware-history/#2004
9. What Changed?
Originally malware was plain old vandalism - destroy
your hard drive and leave a signature for bragging rights
Over time, malware has mutated into a multi-billion
dollar business
Hacktivism - hacking for political purposes
LulzSec & Anonymous
Digital espionage and sabotage
Stuxnet malware distributed specifically to attack a
Siemens computer system used by Iran’s nuclear
program
10. The Big Money - Botnets
Technical bad guy writes some code and infects a lot of
machines (millions) such that he/she can control those
machines at will
Technical bad guy sells the botnet to an extortionist
Extortionist tells a gambling site, “It would be a shame if
your site went down the night before your big
tournament”
If the gambler doesn’t pay up, extortionist tells all the
machines in the botnet to attack the gambling site at the
same time
Creating a Distributed Denial of Service Attack
11. Why was OSX Left Alone So Long?
OSX is based on a relatively secure operating system -
BSD with decades of security updates
Remember no OS is truly secure
Secure as compared to Windows
Small number of computers meant less profit
Remember bad guys need to infect millions of
computers to be effective
OSX wouldn't have added significantly to the
numbers
12. Apple Took Their Eyes Off the Ball
Flashback Trojan didn't have to be as painful as it was
Apple didn't patch Java for months after Oracle
patched - would have saved so many from Flashback
Apple grew complacent after decades of no real threats
Microsoft in contrast became very vigilant
Microsoft has implemented technologies for preventing
exploits of bugs (DEP + ASLR)
Apple has them NOW, but they were late to the party
13. #1 Thing You can Do to be Safe
When Software Update tells you it’s ready to give you
something - say yes!
Don’t procrastinate when it wants to reboot
With Lion and later resuming all your windows and
applications, rebooting is much faster
Allow your applications to update as well
14. I Have an Old OS, They Won’t Attack That
Well...that’s not quite true
Apple only updates one OS version back
Mountain Lion is out - Lion is updated but not Snow
Leopard
Older OSes often contain the same code that just got
patched in the new OS
Vulnerabilities still exist in the old OS, so you’re not safe
Best to upgrade, say, after the first two revs are out
What’s the advantage of waiting?
You know you’re going to upgrade eventually!
15. Just Disable Java*
Very few sites use Java these days
Disable in your browsers (Tutorials on how to do that
on Podfeet.com!)
If you ever need Java, re-enable it in Chrome and then
disable it again
Safari automatically disables Java if you don’t use it for
a while (what does that tell you?)
Another option is to keep one browser for Java that
you never use for anything else
* Apple removed Java from all browsers in late October
16. Mountain Lion: Now for the Good News
Gatekeeper controls how and what apps you can install
Safer to download apps
Harder to get malware
Highest protection level:
Set Security to allow apps
from Mac App Store Only
Apple reviews each app
If an app slips by, Apple can remove from the store
17. What if You Don’t Use the MAS?
You:
Set Security preferences
Allow apps from MAS and
from identified developers
Developers:
Register with Apple, they get a unique developer ID
Digitally sign their apps with this ID
Gatekeeper:
Checks to see if the app is digitally signed and warns
you if it’s not
Result: Unsigned apps never land on your machine
18. What if You Know an App is OK?
An app you trust shows this
when you try to open it
You can still open it without
turning off Gatekeeper
Control-click to open the app
Gatekeeper will still warn you but
will give you the option to open
19. I Want to Control My Own Destiny!
What if you’re a sophisticated user and want to walk on the
wild side?
Set Security Settings to
Allow from Anywhere
Gatekeeper will give you
one last chance to change
your mind...
Now you’re just as insecure as you were on Lion and before
Personally, I keep it on Mac App Store and identified developers
More on Sandboxing and Gatekeeper: http://www.apple.com/osx/what-is/security.html
20. So What’s Sandboxing Then?
Sandboxing doesn’t require you to do anything
Sandboxing isolates apps from critical components of
your Mac
Apps as submitted to the Mac App Store must declare
what features they need to access
For example, an address book app would ask for
access to your Contacts
Some apps ask for access they
shouldn’t need - Sandboxing will warn you of this
Why would Chrome need my contacts? Just say no!
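The Gatekeeper check from slide 17 (is the app signed, and by whom?) and the sandbox declaration from slide 20 (what access did the app ask for?) can both be read off an app bundle from the command line. The script below is an added example, not from the slides or from Apple; it assumes macOS's `spctl` and `codesign` tools and the output format they are assumed to print (the `accepted`/`rejected` and `source=` lines, and the XML entitlements plist). The sample outputs at the bottom are constructed in that assumed format so the parsing runs anywhere.

```python
"""Inspect an app bundle the way Gatekeeper and App Sandbox look at it: is it
signed, by whom, and what access does it declare?

Added example (not from the slides). Assumes macOS's `spctl` and `codesign`
command-line tools and the output format they are assumed to print; the
sample outputs at the bottom are constructed in that format."""
import plistlib
import subprocess
import sys

# Gatekeeper sources as spctl is assumed to name them in its "source=" line.
TRUSTED_SOURCES = {"Mac App Store", "Developer ID"}

# Real App Sandbox entitlement keys and what each one grants.
ENTITLEMENT_MEANING = {
    "com.apple.security.network.client": "make outbound network connections",
    "com.apple.security.network.server": "accept incoming network connections",
    "com.apple.security.personal-information.addressbook": "read your Contacts",
    "com.apple.security.personal-information.calendars": "read your Calendars",
    "com.apple.security.files.user-selected.read-write": "read/write files you pick in Open/Save dialogs",
}
SANDBOX_KEY = "com.apple.security.app-sandbox"


def parse_spctl(output: str) -> dict:
    """Parse `spctl --assess --type execute --verbose=4 <app>` output
    into {'accepted': bool, 'source': str}."""
    accepted, source = False, "unknown"
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.endswith(": rejected"):
            accepted = False
        elif line.startswith("source="):
            source = line[len("source="):]
    return {"accepted": accepted, "source": source}


def gatekeeper_verdict(assessment: dict) -> str:
    """Map an assessment to the three Security preference levels on the slides."""
    if not assessment["accepted"]:
        return "blocked: unsigned or unrecognised signature (opens only with 'Anywhere')"
    if assessment["source"] == "Mac App Store":
        return "allowed: Mac App Store (passes at every level)"
    if assessment["source"] in TRUSTED_SOURCES:
        return "allowed: identified developer (needs 'Mac App Store and identified developers')"
    return "allowed: source " + assessment["source"]


def parse_entitlements(plist_bytes: bytes) -> dict:
    """Parse the XML plist printed by `codesign -d --entitlements :- <app>`.
    Returns whether the app is sandboxed, the access it declares, and any
    keys this table does not know (worth a second look)."""
    if not plist_bytes.strip():
        return {"sandboxed": False, "grants": [], "unknown": []}
    ents = plistlib.loads(plist_bytes)
    grants, unknown = [], []
    for key, value in ents.items():
        if key == SANDBOX_KEY or not value:
            continue
        (grants if key in ENTITLEMENT_MEANING else unknown).append(
            ENTITLEMENT_MEANING.get(key, key))
    return {"sandboxed": bool(ents.get(SANDBOX_KEY, False)),
            "grants": grants, "unknown": unknown}


def inspect_app(app_path: str) -> dict:
    """Run the real tools (macOS only) and combine both checks."""
    spctl = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "--verbose=4", app_path],
        capture_output=True, text=True)
    verdict = gatekeeper_verdict(parse_spctl(spctl.stdout + spctl.stderr))
    cs = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                        capture_output=True)
    return {"gatekeeper": verdict, **parse_entitlements(cs.stdout)}


# Constructed sample outputs in the assumed tool format.
SAMPLE_SPCTL_SIGNED = "/Applications/Example.app: accepted\nsource=Developer ID\n"
SAMPLE_SPCTL_UNSIGNED = "/Applications/Example.app: rejected\nsource=no usable signature\n"
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.network.client</key><true/>
<key>com.apple.security.personal-information.addressbook</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(inspect_app(sys.argv[1]))       # real check on a Mac: python3 inspect.py /Applications/Foo.app
    else:
        print(gatekeeper_verdict(parse_spctl(SAMPLE_SPCTL_UNSIGNED)))
        print(parse_entitlements(SAMPLE_ENTITLEMENTS))
```

The point of the `unknown` list is the slide's "why would Chrome need my contacts?" question: an entitlement you did not expect for the kind of app you installed is the thing to look at before you click Open.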
21. More on Sandboxing
Apple is even Sandboxing its own apps like Notes,
Reminders, Game Center, Mail and FaceTime
Result - if an app is compromised by malicious code, the
damage is limited to what the app is authorized to
access
Any downsides to Sandboxing?
Some of the more creative utilities can never be in the
Mac App Store because they do access core services
For Example: TextExpander 4, AppDelete
22. Be Safer in Email
Do you ever get email where the From field says
thief@iwanttostealyourmoney.com?
Of course not!
The From field is VERY easy to fake
Never ever ever EVER click on any links in an email
requesting you update your information at a site
Even if it says it’s from your bank or Google, or Apple
or .gov
Here’s why...
23. You Can’t Trust Links
Learn to hover over links
Anyone can fake a link
Example:
See how the link says it’s
from paypal.com?
Hovering reveals it’s actually
from eagleshell.com
Even if hovering shows a link is from the expected
source, I still don’t click them
Enter the URL directly in your browser so you’re positive
it’s the real deal
24. Just Disable Flash
Very few sites use Flash these days
For some reason restaurants have Flash menus
Most other sites have swapped to H.264 for video
Disable in your browsers
Flashblock on Firefox: addons.mozilla.org/en-US/firefox/addon/flashblock/
Click to Flash on Safari: clicktoflash.com/
Both will stop those annoying animated ads, and make
your system more stable
Another note - you don’t need Adobe Acrobat, you
have Preview!
25. Time to Talk Passwords
Don’t panic, this is easier than you think!
Enter LastPass at http://lastpass.com
You select one (last) password then store all the rest of
your passwords in one place
Encryption happens on your machine, not their servers
I’m lazier than just about anyone, and I can use LastPass
Easy to create passwords, easy to enter passwords
Plugins for Safari, Firefox, Chrome
LastPass browsers for iOS!
26. LastPass is the Last Password You Need
Save passwords
Save websites
Save license keys
Save credit card info
Create auto-fill forms - enter your address, phone number, everything a
website is asking for in a few clicks
Concerned it might not be safe to trust LastPass?
Believe noted security expert Steve Gibson:
http://twit.tv/sn/256
27. How to Choose Good Passwords
Make sure your passwords are long and complex
It’s not like in the movies...
The longer your password, the harder to crack
The more types of characters, the harder to crack
Upper/lower case, numbers, punctuation
Each time you add 1 more character to the password
you get 64 TIMES (x) more strength
How do we remember these passwords if not using
LastPass to create and store?
Consider http://xkpasswd.net to generate complex and
yet memorable passwords
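The arithmetic behind "longer and more character types is harder to crack" is a search-space count: alphabet size raised to the password length, so every extra character multiplies the work by the alphabet size (the slide's 64x corresponds to a 64-symbol alphabet; the functions below show the factor for other alphabets too). The second half generates an xkpasswd-style passphrase of random words with a case flip and digits, and counts its entropy on the assumption that the attacker knows the scheme. This is an added example, not from the slides or from xkpasswd.net; the 32-word list is a constructed stand-in and the passphrase scheme is an assumption of the example.

```python
"""Search-space arithmetic behind the password advice on this slide, plus an
xkpasswd-style generator of long but memorable passphrases. Added example,
not from the slides or from xkpasswd.net; the word list is a short constructed
stand-in and the generator's scheme is an assumption of the example."""
import math
import secrets
import string

ALPHABETS = {
    "lowercase": string.ascii_lowercase,                                  # 26
    "upper+lower": string.ascii_letters,                                  # 52
    "upper+lower+digits": string.ascii_letters + string.digits,           # 62
    "upper+lower+digits+punct": string.ascii_letters + string.digits
                                + string.punctuation,                     # 94
}


def search_space(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords an attacker must try in the worst case."""
    return alphabet_size ** length


def bits(length: int, alphabet_size: int) -> float:
    """Same thing in bits of entropy, assuming every character is random."""
    return length * math.log2(alphabet_size)


def growth_per_character(alphabet_size: int) -> int:
    """How much bigger the search space gets per extra character. The slide's
    '64 TIMES' is this factor for a 64-symbol alphabet."""
    return search_space(9, alphabet_size) // search_space(8, alphabet_size)


def strength_table(length: int) -> list:
    """(alphabet label, symbols, bits) for a random password of this length."""
    return [(label, len(a), round(bits(length, len(a)), 1))
            for label, a in ALPHABETS.items()]


# Constructed 32-word list; xkpasswd uses a far larger dictionary.
WORDS = ("apple banana cherry dragon eagle falcon garden harbor island jungle "
         "kettle lemon meadow nickel orange pepper quartz river saddle tunnel "
         "umbrella violet walnut yellow zebra anchor bridge candle desert "
         "engine forest glacier").split()


def passphrase(n_words: int = 4, digits: int = 2, sep: str = "-") -> str:
    """Random words, each in random case, joined by a separator, plus digits.
    Uses `secrets` so the choices come from the OS CSPRNG, not random()."""
    words = [secrets.choice(WORDS) for _ in range(n_words)]
    words = [w.upper() if secrets.randbelow(2) else w for w in words]
    tail = "".join(secrets.choice(string.digits) for _ in range(digits))
    return sep.join(words + [tail])


def passphrase_bits(n_words: int, wordlist_size: int, digits: int = 2) -> float:
    """Entropy if the attacker knows the scheme (word list, per-word case flip,
    digit count): log2(wordlist_size) + 1 bit of case per word, log2(10) per digit."""
    return n_words * (math.log2(wordlist_size) + 1) + digits * math.log2(10)


if __name__ == "__main__":
    for label, size, b in strength_table(8):
        print(f"{label:26} {size:3} symbols  8 chars = {b} bits, "
              f"x{growth_per_character(size)} per extra char")
    p = passphrase()
    print(p, "~", round(passphrase_bits(4, len(WORDS)), 1), "bits")
```

Two things the numbers make visible: a 32-word list is far too small (four words give about 31 bits even with the case flip), which is why xkpasswd draws from thousands of words, and adding a fifth word beats adding a punctuation character, since a word is worth log2(dictionary size) bits while one more symbol is worth only log2(alphabet size).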
28. Protect the Crown Jewels
Anything financial - banking sites, stock trading sites etc.
Anything which stores your credit card (including things
like your Apple ID, Skype, and store sites like Amazon)
All email accounts
You’d be surprised how connected your emails are
All passwords relating to your work
You don’t want to be the person who allowed your
company’s proprietary information to leak
29. Silly Sites
NEVER re-use passwords you use on sites like these
I used the same password on silly site Gawker Media
and Skype
Didn’t change my Skype password - was a silly site
Forgot Skype auto-loaded credits from my Paypal
account
Gawker got hacked
I lost $200 in 1.5 hours
Good news is Paypal and Skype took care of me
30. Time for Anti-Virus?
Sorry, but yes
Recommend ClamXav from http://clamxav.com
Non-intrusive, doesn’t slow your system down, adds a
layer of protection
I installed it and messed with the configuration till I got
something that doesn’t annoy me but gives some
protection
Steps to configure ClamXav: http://www.podfeet.com/wordpress/tutorials/how-to-install-clamxav-anti-virus-for-mac/
Demo time!
31. Special Thanks
Over the past 5 years I’ve been tutored in Security by
Bart Busschots of http://bartb.ie
Pretty much everything I know on this subject is because
of him
Follow him on Twitter at @bbusschots
Listen to the International Mac Podcast which he hosts
with Stu Helm at http://impodcast.com