Security on the Mac

Date posted: 21-Oct-2014
Category: Technology


description

Delivered on MacMania 15 in Australia, this talk covers the history of how the Mac used to

Transcript of Security on the Mac

Page 1: Security on the Mac

http://podfeet.com

Mac OSX Security

Allison Sheridan
November 2012

Sunday, November 25, 12

Page 2: Security on the Mac


Definitions
  • Malware - a generic term to describe anything put on your machine with the intent to harm
  • Virus - a self-replicating type of malware that moves from machine to machine without active participation by the user
  • Trojan Horse - malware that masquerades as something else - e.g. free Photoshop, video codecs

Page 3: Security on the Mac

Agenda
  • History
      • Didn’t we used to be safe?
  • State of the Union
      • Where are we now? (Some good news)
  • What practical things can we do to be safe?
      • Email safety
      • Software updates
      • Protecting passwords
      • Gatekeeper
      • Anti-Virus

Page 4: Security on the Mac

2004 - 2007 Blissful Ignorance
  • 2004 - Mostly ignored
      • Renepo worm is proof of concept
  • 2006 - Denial
      • Leap-A first ever virus for OSX
  • 2007 - I remember this year
      • Office Macro Virus ran on OSX, Windows & Linux (we all blamed it on Microsoft)
      • Bad Bunny (creepy pornographic bunny) and the first Financial Trojan for Mac (and Windows) - which also offered porn

Page 5: Security on the Mac

2008 - Things start to heat up
  • Macs and PCs attacked by poisoned adverts offering Scareware called MacSweeper and Imunizator - without which they threatened all your data would be erased
  • Hovdy-A Trojan stole passwords, opened the firewall and disabled security settings
  • RKOSX-A - Helped make more trojans
  • Video Codec claims - you can't play the video without this codec…
  • First time Apple suggested anti-virus software, and then deleted the suggestion

Page 6: Security on the Mac

2009 - Your Own Darn Fault
  • iWorkS-A trojan horse in pirated versions of iWork and Photoshop
  • Another video virus MacCinema
  • How about some more porn? Enjoy your Jahlav trojan
  • We're all still smug that we're too smart to get infected

Page 7: Security on the Mac

2010 - Starting to Get Nervous
  • Pinhead trojan allowed hackers to gain remote control - but again through downloads of legitimate software, like iPhoto, from illegitimate sites
  • Boonana worm uses a Java applet to target Windows, Mac and Linux

Page 8: Security on the Mac

2011 & 2012 Hard to Ignore
  • BlackHole RAT allows hackers to gain remote access
  • MacDefender hits the scene - pretending to be a legitimate security application - acquired through a search engine poisoning campaign
  • Flashback Trojan hits disguised as an update for Adobe Flash
      • Apple acknowledges and provides removal tools

source: http://nakedsecurity.sophos.com/2011/10/03/mac-malware-history/#2004

Page 9: Security on the Mac

What Changed?
  • Originally malware was plain old vandalism - destroy your hard drive and leave a signature for bragging rights
  • Over time, malware has mutated into a multi-billion dollar business
  • Hacktivism - hacking for political purposes
      • LulzSec & Anonymous
  • Digital espionage and sabotage
      • Stuxnet malware distributed specifically to attack a Siemens computer system used by Iran’s nuclear program

Page 10: Security on the Mac

The Big Money - Botnets
  • Technical bad guy writes some code and infects a lot of machines (millions) such that he/she can control those machines at will
  • Technical bad guy sells the botnet to an extortionist
  • Extortionist tells a gambling site, “It would be a shame if your site went down the night before your big tournament”
  • If the gambler doesn’t pay up, extortionist tells all the machines in the botnet to attack the gambling site at the same time
      • Creating a Distributed Denial of Service Attack

Page 11: Security on the Mac

Why was OSX Left Alone So Long?
  • OSX is based on a relatively secure operating system - BSD with decades of security updates
      • Remember no OS is truly secure
      • Secure as compared to Windows
  • Small number of computers meant less profit
      • Remember bad guys need to infect millions of computers to be effective
      • OSX wouldn't have added significantly to the numbers

Page 12: Security on the Mac

Apple Took Their Eyes Off the Ball
  • Flashback Trojan didn't have to be as painful as it was
      • Apple didn't patch Java for months after Oracle patched - would have saved so many from Flashback
  • Apple grew complacent after decades of no real threats
  • Microsoft in contrast became very vigilant
      • Microsoft have implemented technologies for preventing exploits of bugs (DEP + ASLR)
      • Apple has it NOW but they were late to the party

Page 13: Security on the Mac

#1 Thing You can Do to be Safe
  • When Software Update tells you it’s ready to give you something - say yes!
      • Don’t procrastinate when it wants to reboot
      • With Lion+ resuming all windows and applications, it’s much faster to reboot
  • Allow your applications to update as well

Page 14: Security on the Mac

I Have an Old OS, They Won’t Attack That

  • Well...that’s not quite true
  • Apple only updates one OS version back
      • Mountain Lion is out - Lion is updated but not Snow Leopard
  • Older OS’s often contain the same code that just got patched in the new OS
  • Vulnerabilities still exist in the old OS so you’re not safe
  • Best to upgrade say after the first two revs are out
      • What’s the advantage of waiting?
      • You know you’re going to upgrade eventually!

Page 15: Security on the Mac

Just Disable Java*
  • Very few sites use Java these days
  • Disable in your browsers (Tutorials on how to do that on Podfeet.com!)
  • If you ever need Java, reenable on Chrome and then disable again
  • Safari automatically disables Java if you don’t use it for a while (what does that tell you?)
  • Another option is to keep one browser for Java that you never use for anything else

* Apple removed Java from all browsers in late October

Page 16: Security on the Mac

Mountain Lion: Now for the Good News

  • Gatekeeper controls how and what apps you can install
  • Safer to download apps
  • Harder to get malware
  • Highest protection level: Set Security to allow apps from Mac App Store Only
      • Apple reviews each app
      • If an app slips by, Apple can remove from the store

Page 17: Security on the Mac

What if You Don’t Use the MAS?
  • You:
      • Set Security preferences
      • Allow apps from MAS and from identified developers
  • Developers:
      • Register with Apple, they get a unique developer ID
      • Digitally sign their apps with this ID
  • Gatekeeper:
      • Checks to see if the app is digitally signed and warns you if it’s not
  • Result: Unsigned apps never land on your machine

Page 18: Security on the Mac


What if You Know an App is OK?
  • An app you trust shows this when you try to open it
  • You can still open it without turning off Gatekeeper
  • Control-click to open the app
  • Gatekeeper will still warn you but will give you the option to open

Page 19: Security on the Mac

I Want to Control My Own Destiny!
  • What if you’re a sophisticated user and want to walk on the wild side?
  • Set Security Settings to Allow from Anywhere
  • Gatekeeper will give you one last chance to change your mind...
  • Now you’re just as insecure as you were on Lion and before
  • Personally, I keep it on Mac App Store and ID’d developers

More on Sandboxing and Gatekeeper: http://www.apple.com/osx/what-is/security.html 

Page 20: Security on the Mac

So What’s Sandboxing Then?
  • Sandboxing doesn’t require you to do anything
  • Sandboxing isolates apps from critical components of your Mac
  • Apps as submitted to the Mac App Store must declare what features they need to access
      • For example, an address book app would ask for access to your Contacts
  • Some apps ask for access they shouldn’t need - Sandboxing will warn you of this
  • Why would Chrome need my contacts? Just say no!

Page 21: Security on the Mac

More on Sandboxing
  • Apple is even Sandboxing its own apps like Notes, Reminders, Game Center, Mail and FaceTime
  • Result - if an app is compromised by malicious code, the damage is limited to what the app is authorized to access
  • Any downsides to Sandboxing?
      • Some of the more creative utilities can never be in the Mac App Store because they do access core services
      • For Example: TextExpander 4, AppDelete

Page 22: Security on the Mac

Be Safer in Email
  • Do you ever get email where the From field says [email protected]?
      • Of course not!
  • The From field is VERY easy to fake
  • Never ever ever EVER click on any links in an email requesting you update your information at a site
      • Even if it says it’s from your bank or Google, or Apple or .gov
  • Here’s why...

Page 23: Security on the Mac

You Can’t Trust Links

  • Learn to hover over links
  • Anyone can fake a link
  • Example:
      • See how the link says it’s from paypal.com?
      • Hovering reveals it’s actually from eagleshell.com
  • Even if hovering shows a link is from the expected source, I still don’t click them
  • Enter the URL directly in your browser so you’re positive it’s the real deal

Page 24: Security on the Mac

Just Disable Flash
  • Very few sites use Flash these days
      • For some reason restaurants have Flash menus
      • Most other sites have swapped to h.264 for video
  • Disable in your browsers
      • Flashblock on Firefox addons.mozilla.org/en-US/firefox/addon/flashblock/
      • Click to Flash on Safari clicktoflash.com/
  • Both will stop those annoying animated ads, and make your system more stable
  • Another note - you don’t need Adobe Acrobat, you have Preview!

Page 25: Security on the Mac

Time to Talk Passwords
  • Don’t panic, this is easier than you think!
  • Enter LastPass at http://lastpass.com
      • You select one (last) password then store all the rest of your passwords in one place
      • Encryption happens on your machine, not their servers
  • I’m lazier than just about anyone, and I can use LastPass
  • Easy to create passwords, easy to enter passwords
  • Plugins for Safari, Firefox, Chrome
  • LastPass browsers for iOS!

Page 26: Security on the Mac

LastPass is the Last Password You Need

  • Save passwords
  • Save websites
  • Save license keys
  • Save credit card info
  • Create auto-fill forms - enter your address, phone number, everything a website is asking for in a few clicks
  • Concerned it might not be safe to trust LastPass?
      • Believe noted security expert Steve Gibson: http://twit.tv/sn/256

Page 27: Security on the Mac

How to Choose Good Passwords
  • Make sure your passwords are long and complex
      • It’s not like in the movies...
  • The longer your password, the harder to crack
  • The more types of characters, the harder to crack
      • Upper/lower case, numbers, punctuation
  • As you add 1 more character to the password each time you get 64 TIMES (x) more strength
  • How do we remember these passwords if not using LastPass to create and store?
  • Consider http://xkpasswd.net to generate complex and yet memorable passwords

Page 28: Security on the Mac

Protect the Crown Jewels
  • Anything financial - banking sites, stock trading sites etc.
  • Anything which stores your credit card (including things like your Apple ID, Skype, and store sites like Amazon)
  • All email accounts
      • You’d be surprised how connected your emails are
  • All passwords relating to your work
      • You don’t want to be the person who allowed your company’s proprietary information to leak

Page 29: Security on the Mac

Silly Sites
  • NEVER re-use passwords you use on sites like these
      • I used the same password on silly site Gawker Media and Skype
      • Didn’t change my Skype password - was a silly site
      • Forgot Skype auto-loaded credits from my Paypal account
      • Gawker got hacked
      • I lost $200 in 1.5 hours
      • Good news is Paypal and Skype took care of me

Page 30: Security on the Mac

Time for Anti-Virus?
  • Sorry, but yes
  • Recommend ClamXav from http://clamxav.com
  • Non-intrusive, doesn’t slow your system down, adds a layer of protection
  • I installed it and messed with the configuration till I got something that doesn’t annoy me but gives some protection
  • Steps to configure ClamXav: http://www.podfeet.com/wordpress/tutorials/how-to-install-clamxav-anti-virus-for-mac/
  • Demo time!

Page 31: Security on the Mac

Special Thanks
  • Over the past 5 years I’ve been tutored in Security by Bart Busschots of http://bartb.ie
  • Pretty much everything I know on this subject is because of him
  • Follow him on Twitter at @bbusschots
  • Listen to the International Mac Podcast which he hosts with Stu Helm at http://impodcast.com

Page 32: Security on the Mac

Page 33: Security on the Mac

Blog/Podcast: podfeet.com

Email: [email protected]

Twitter: @podfeet

Slides: slideshare.net/nosillacast/presentations
