NSA Security Guide for Mac OS X

Posted by michael
from the take-a-bite-out-of-crime dept.
An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available."
  • Lex: "It's a UNIX system! I know this!"
  • by American AC in Paris (230456) on Friday October 29, 2004 @10:04AM (#10663103) Homepage
    (voiceover)

    Step 45,328:

    There is no step 45,328. There is no step 45,328...*soft weeping sounds*

  • What about... (Score:4, Interesting)

    by Staos (700036) on Friday October 29, 2004 @10:04AM (#10663112) Journal
    I tell you one interesting thing. While it was working back in 2003, I updated a 68030 Mac Duo laptop 7.6's modem driver from Apple site. I even had support about how to add more ram. That machine is back from 1994 or something.

    OS X updates aren't service packs, they are new OSes. 10.3.0 is a new OS, 10.3.1 is a service pack.

    About antivirus and anti-adware? As it's a BSD-based real OS, it's run by rights. As it's a pain in the ass to code spyware on Linux, it's much harder on OS X. Guess why? OS X shows a user-friendly window which is centralized by the OS GUI whenever a program needs administrative access.

    Oh, there is a program on OS X, comes with it and has an unsolved security problem. Yes, it still exists. Guess what it is? INTERNET EXPLORER Macintosh edition.

    • Re:What about... (Score:3, Insightful)

      by 0racle (667029)
      I don't see how simply having a centralized 'This app needs Admin access' form makes it any harder to write malware for a system; any app could trigger that function and make the request. Windows also has a single Ask for Admin form, all you have to do to trigger it is name an application setup.exe and it will ask if you want to run it as Administrator or not, and I'm sure that's not the only way.

      Malware is hard to code on Linux and *BSD not because of some standard or non-standard way of asking for access,
      • Re:What about... (Score:5, Informative)

        by Yaztromo (655250) <`yaztromo' `at' `mac.com'> on Friday October 29, 2004 @01:22PM (#10665587) Homepage Journal
        I don't see how simply having a centralized 'This app needs Admin access' form makes it any harder to write malware for a system, any app could trigger that function and make the request.

        It is my understanding that on OS X, the authorization dialog pops up because a request to a protected resource/API has been made, as opposed to an application being able to just randomly tell the OS to pop up an authorization dialog.

        The dialog itself always displays the name (and if available icon) of the application making the request, as well as the name of the right being requested. As this is put together only by the OS, you can't substitute one right name when you really want to do something different. And getting one right doesn't automatically permit a process to use any other right on the system -- each right needs authorization.

        It's actually quite a good system, and has been very well thought out. It does, of course, rely on some vigilance by the end user -- if they're entering their password anytime it's being requested without quickly checking to see what is making the request and why, obviously they're going to get into trouble.

        Then again, if I e-mail a bunch of Linux admins and ask them for their passwords, and they send them to me, you wind up with the same end result.

        Yaz.

    • Re:What about... (Score:2, Informative)

      by Englabenny (625607)
      Fortunately internet explorer is discontinued
    • Re:What about... (Score:3, Insightful)

      by evilviper (135110)

      As its a pain in the ass to code a spyware on linux, its much more harder on OS X. Guess why? OS X shows a user friendly window which is centralized by OS GUI whenever a program needs administrative access.

      That would make it EASIER to spread worms/viruses than a normal Unix system, NOT harder. In Unix, attempts to access resources you don't have permissions to, just fail. If it pops up a window that says "would you like to give this program access" then you're just as screwed as the rest of the world...

      • Re:What about... (Score:4, Insightful)

        by Anonymous Coward on Friday October 29, 2004 @11:03AM (#10663687)
        Not sure if this would make it more secure for the OS challenged, but when it asks for administrative permission it asks for a password. If an office admin wants to keep the OS X's in the office secure, just don't give the secretaries the password for their computers. If they need to do anything which requires the password, they have to ask the computer guy and he can say, "So why do you need to see nude pictures of Brad Pitt again?"
      • In Unix, attempts to access resources you don't have permissions to, just fail. If it pops up a window that says "would you like to give this program access" then you're just as screwed as the rest of the world...

        So your position is that it would be safer if it just ran without a security dialog? You might want to rethink that. Only people with admin rights get the security dialog. In your example, the code would just run on a "normal Unix system" without double-checking with the admin. Sounds less sa

      • It's not quite as initially described.

        The authentication dialog only appears if it's explicitly requested by an application. If an application tries to access a resource that it doesn't have permission for, it fails just like on any other UNIX. The application can then, if it desires, ask the OS to pop up this authentication dialog. It's actually fairly limited; the process doesn't get changed permissions at all, but it is allowed to run a subprocess as root. Of course there is nothing that prevents a spyw
    • Re:What about... (Score:2, Interesting)

      by r2q2 (50527)
      I agree, I was running 10.1 and then upgraded to 10.3. There is a whole user interface redo, support for Rendezvous, a journaling file system, much better support for Unix, an X windowing system, IPv6 support, Exposé and a host of other reasons why that was a good upgrade. Although I didn't pay full price for it, it was one of the best upgrades and I believe I got my money's worth.
  • by YetAnotherName (168064) on Friday October 29, 2004 @10:05AM (#10663113) Homepage
    Given how entrenched Micro$oft's clutches are into the US Government, a security guide for Windows based systems would be even more useful.

    (I work for NASA; almost everyone in our group has Mac OS X on our desktops and Linux in the server room. Our supervisor is the only Windows user. Yes, he's developing pointy hair.)
  • by general_re (8883) on Friday October 29, 2004 @10:07AM (#10663130) Homepage
    ....actually implementing everything the NSA recommends in its guides will get you a system that is both highly secure and exceptionally inconvenient for its users. It's a useful reference, to see if you've forgotten anything that you particularly want, or anything obvious, but as always, individual admins will have to decide for themselves where they want their systems to lie on the security-usability axis...
  • by Anonymous Coward on Friday October 29, 2004 @10:07AM (#10663137)
    Hmm the pdf is downloading at .6 k/s and dropping. Slashdotting the NSA - this qualifies for some sort of Darwin award, doesn't it? :)
  • File Vault (Score:5, Informative)

    by dumitrius (686430) on Friday October 29, 2004 @10:08AM (#10663144)
    This is simply the encryption of the entire user's home directory. I had this enabled on my PowerBook, stuffed it with a few gigs of data and it ran fine for a while... maybe like 3 months. Then one day on a reboot the thing silently lost all my personal settings and dropped me into a stock desktop configuration. Was nursing this for a week or two when I started getting garbage in some source files. Was thinking maybe the hard drive was defective but have a hunch the encryption just went haywire and was getting worse. Turning File Vault off failed with an error. Have reinstalled the OS keeping a plain text home dir and things seem dandy.

    Has anyone seen this before?

    • Re:File Vault (Score:5, Informative)

      by eyegor (148503) on Friday October 29, 2004 @10:15AM (#10663205)
      It happened to me too.... I managed to get everything back though. There was a sparse diskimage file that contained my home directory. Once I mounted it, everything returned to normal.

      Your mileage may vary.
      • Re:File Vault (Score:3, Interesting)

        by Matey-O (518004)
        think they coulda named it something better than 'sparse diskimage'? I blew away all my settings (yeah, boo hoo, won't do THAT again) cause the diskimage was roughly the size of the two huge AVI's I just threw away and I wasn't getting my diskspace back after emptying the trashcan.

        Name it something like 'Secret Encrypted File' or something...
        • Definitely. It's not immediately obvious what it is. I have had several problems with the encryption (though it's been about 9 months since I last used it.) I figure it's not worth my trouble. My powerbook stays at home most of the time and there's nothing especially sensitive on it.
      • Re:File Vault (Score:3, Informative)

        by suprax (2463)
        Ditto here. Just last week I turned on FileVault and let it run its course for like 15 minutes. Finally it said reboot but the screen was frozen. Upon rebooting the user could log in but nothing would load at all. It pretty much straight up broke. Luckily I was able to go into single user mode, and could ftp all my data off the machine before reinstalling.

        No more FileVault for me. And this was Tiger (yes I know, it's not even beta software but I like to test).
    • Re:File Vault (Score:2, Informative)

      by dema (103780)
      Happened to my boss less than a month ago. Spent a long time trying to recover a lot of his shit (some very important files) and had no luck. Long story short, no one at work uses FileVault now (: Maybe this is something that will improve in Tiger?
    • Re:File Vault (Score:4, Informative)

      by Anonymous Coward on Friday October 29, 2004 @10:26AM (#10663302)
      Many people had problems with it when it first came out. It was caused by the "recovering space" thing not completing before the user logged in again. I still don't trust Apple's default configuration since there are warnings in their own documentation against using a sparse image, which File Vault does.

      I've used this hint [macosxhints.com] for over six months now without problem.

      On the other hand, it's trivial to get the user's password from swap, unless Apple fixed this hole already, so there's not much point to File Vault right now.
      • I've never been a fan of encrypting my entire home directory. I just use Disk Utility to create encrypted disk images for data I want secure. I don't keep a lot of them, but I have about four or five, one for financial data, a couple for projects that have government or HIPAA related data, and some really personal stuff.

        This works well, plus the files get backed up, so if the home directory got corrupted or wiped, I can retrieve everything.
    • FIle Vault is actually an encrypted file system. It mounts your user dir as a volume and accesses the data on that system via the key you create.

      Yes, the nature of this architecture means that there can be zero disk corruption or you won't be able to mount it. So in a normal disk corruption setting, you would lose a few files or something. Having your user dir as an encrypted volume forces a sort of checksum on all the data and if even a single byte is incorrect, then the whole thing fails to mount.

      It's ac
    • Lets just rename it Vile Fault...

      (with apologies to the Mouseketeer, who in 1984 coined the name VileFision... what happened to him anyway?)
  • by eventDriven (817686) on Friday October 29, 2004 @10:08AM (#10663145)

    The U.S. Government's ultra-secret monitoring system 'echelon' was briefly unavailable after the NSA's web servers were Slashdotted.

  • by Anonymous Coward on Friday October 29, 2004 @10:10AM (#10663166)
    Always leave an NSA auto-secure port (9999) open on your machine.

    Disregard any unexplained background executables.

    Always use IE when surfing.

    Confine all discussion of terrorist/anti-government actions to public networks (or private ones, we don't really care)

  • Alright, we've slashdotted the NSA!!!!!

    Now we can safely do, umm, whatever it is that we thought we couldn't do safely while the NSA had an active internet connection. Psst, any terrorists out there need a browser with 128-bit SSL enabled?
    • by Roadkills-R-Us (122219) on Friday October 29, 2004 @10:45AM (#10663472) Homepage
      They didn't /. us^H^Hthe NSA.

      They /.'d the NSA OS X hacker honeypot. Traffic recording and analysis is proceeding just fine, thank you. As are the webcams. I hope your co-workers don't use that keyboard-- don't you have a handkerchief?
  • Screwed up (Score:5, Interesting)

    by AKAImBatman (238306) * <akaimbatman@gma i l . c om> on Friday October 29, 2004 @10:17AM (#10663222) Homepage Journal
    Yikes! The replies to this story are completely screwed up. I'm starting to feel sorry I ever tried to make a joke [slashdot.org]. I figured others would have something more insightful to say. Well, since no one else will, I'll try to say something insightful.

    It seems to me that most OS X users are pretty quiet on the topic because they can't find anything to say. Not because they're ashamed, but more because OS X Just Works(TM). Since the OS Just Works(TM), security guidelines like this are nothing more than hints on how to prevent users from accidentally opening security holes.

    Contrast this with Windows, where everyone is always looking for the "magic solution" that will allow them to completely close off the machine from attack. Yet Windows insists on requiring various services (e.g. RPC) to be running and publicly available before it will run properly.

    Some might argue that OS X is so secure because the developers had an opportunity to view OSes which came before them. This may seem like a reasonable argument, but quickly falls apart once OS X's heritage is investigated. You see, OS X is really the next major release of NeXTSTEP, an OS that pre-dates Microsoft's creation of Windows NT & 95. NeXT got it right back then. Why can't other OS makers get it right today?
    • by rdc_uk (792215)
      We cannot comment on the report, because we cannot read the report; because we have /.'ed the server.

      Oh bitter, bitter irony!
      • Re:Screwed up (Score:3, Informative)

        by AKAImBatman (238306) *
        You're telling me there are no Mac users (besides myself) that can see The Mysterious Future(TM)? Very well then. Here's a preview of the next article [geektimelinux.com]. SuSE 9.2 is out. There, I said it. Now prepare something insightful to say. :-)
        • by Otter (3800)
          You're telling me there are no Mac users (besides myself) that can see The Mysterious Future(TM)?

          How am I supposed to afford a Mac and a Slashdot subscription?

          (Just kidding...please don't start posting Dell comparisons..I know already.)

    • by baywulf (214371) on Friday October 29, 2004 @10:26AM (#10663301)
      Lex: "It's a UNIX system! I know how to tokening this!"
      Yacc: "It's a UNIX system! I know how to parse this!"
    • Re:Screwed up (Score:2, Insightful)

      by athanis (241024)
      A lot of users that I come into contact with seem to have a false sense of security. They seem to think that if they have an antivirus software, then their computer would become immune...
      But I think more needs to be done to educate the public that security isn't any single software/component, but rather, a process.. From passwords, to firewalls, to antivirus, to spyware, there are many parts to it.

      I think it's unfair to blame the OS solely. Application developers need to be aware of bugs and potential prob
    • >Some might argue that OS X is so secure because the developers had an opportunity to view OSes which came before them. This may seem like a reasonable argument, but quickly falls apart once OS X's heritage is investigated.

      I don't know who would argue like that but yeah, you are probably right, it's not in the heritage, at least not on Apple's side. Still, it's very simple: OSX is so secure because it's based on BSD!
    • "Yet Windows insists on requiring various services (e.g. RPC) to be running and publicly available before it will run properly."

      Hmm...

      # nmap localhost

      25/tcp open smtp
      1024/tcp open kdm
      6000/tcp open X11


      And that's Debian. Mandrake had about 10 ports open by default, including SUN-RPC and I think it opens NFS and CUPS by default if you choose certain configuration options. Debian also had a whole host of finger, time, echo, etc. ports open by default.

      What's worse? That I
    • As of SP2, RPC no longer allows external access. UPNP and file sharing now only accept connections on the local subnet. The firewall is on by default and it blocks almost all incoming connections.

      XP SP2 is a different OS from the one released in 2001. It's time to start recognizing that.

      Oh, and a preemptive attack on the "Apache is more popular and it's more secure than IIS":

      IIS6 has 2 announced security vulnerabilities since its release over a year ago. Apache2 has more than 20 in the same period, not
      • What is this? Facts? On Slashdot????? Who do you think you are, anyway? Facts are not welcome here. Please do not post these again.
    • MacOSX attacks... (Score:5, Informative)

      by mveloso (325617) on Friday October 29, 2004 @12:30PM (#10664851)
      Attacks on MacOS X will be driven by user interaction.

      The biggest problem for malware writers in MacOS X is that it's hard to remotely attack the box.

      Mac OS 9 and its ilk were pretty much impossible to compromise remotely, because, well, they were designed as single-user OSs with no network services (no network daemons) installed by default.

      Mac OS X isn't quite like that, but it's close. The downside is all those bsd-level things probably have holes of one sort or another. Has anyone actually checked the robustness of Apple's X-11 implementation?

      OTOH, it's much easier to get the user to click and download something. The "prompt for your admin password" thing is great, but everyone does it without thinking these days, giving any installer root access.

      Once that happens, you can install anything, anywhere, and given the structure of MacOS X you can hide your stuff in places a normal user won't be able to find. The "Opener" guys (see www.macintouch.com) should have edited the rc scripts, not stuck their stuff in /Library/StartupItems.

      Luckily, the web/email based attacks haven't worked so far (unlike on Windows), so you really do need to get someone to run an app. These days that isn't as hard as it used to be.

      Apple could protect against that by doing a system restore/diff after every installer run. It would be useful after-the-fact, and most users may not understand any of it, but it would be nice to have. Or (assuming the metadata stuff works in tiger) you could stash metadata info on the installed files somewhere, then search across your filesystem for matching stuff?

      Ideally (and this is what MS tried) each publisher would sign all their files, and that sig would be part of the file metadata. So you could list, see, and search across it. Malware would bypass that, though, but you never know.
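The post-install diff the comment above proposes, as an added example that is not part of the thread or of Apple's software: snapshot a volume before an installer runs, snapshot it again afterwards, report what was added, removed or changed (content hash or permission bits), and flag anything landing under the startup locations the comment names. The volume root, its file names and the watched-prefix list are constructed for the demo.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Persistence locations mentioned in the thread, relative to the volume root
# (constructed list for the demo). "etc/rc" also matches rc.common, rc.local
# and an etc/rc/ directory.
WATCHED_PREFIXES = ("Library/StartupItems/", "etc/rc")


def snapshot(root):
    """Map each regular file under root to (sha256 hex, permission bits)."""
    root = Path(root)
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # only regular files are hashed; links are skipped
            rel = path.relative_to(root).as_posix()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = stat.S_IMODE(path.stat().st_mode)
            snap[rel] = (digest, mode)
    return snap


def diff_snapshots(before, after):
    """Return sorted added / removed / modified paths between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        # a changed content hash or changed permission bits both count
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def flag_persistence(changes, prefixes=WATCHED_PREFIXES):
    """Paths added or modified under a watched startup location."""
    touched = changes["added"] + changes["modified"]
    return sorted(p for p in touched if p.startswith(prefixes))


def demo():
    """Constructed volume: baseline, a simulated installer run, then the diff."""
    root = Path(tempfile.mkdtemp(prefix="volume-"))
    try:
        baseline = {
            "etc/rc.common": "#!/bin/sh\n# constructed rc script\n",
            "usr/local/bin/helper.sh": "#!/bin/sh\necho helper\n",
            "Applications/Existing.app/Contents/Info.plist": "<plist/>\n",
        }
        for rel, text in baseline.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
            path.chmod(0o644)
        before = snapshot(root)

        # Simulated installer: an ordinary app payload, a new StartupItem,
        # a line appended to an rc script, and a helper made executable
        # (same content, new mode -- still reported as modified).
        app = root / "Applications/Example.app/Contents/MacOS/Example"
        app.parent.mkdir(parents=True)
        app.write_text("binary\n")
        item = root / "Library/StartupItems/Helper/Helper"
        item.parent.mkdir(parents=True)
        item.write_text("#!/bin/sh\n/usr/local/bin/helper.sh &\n")
        with (root / "etc/rc.common").open("a") as fh:
            fh.write("/usr/local/bin/helper.sh\n")
        (root / "usr/local/bin/helper.sh").chmod(0o755)
        after = snapshot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)

    changes = diff_snapshots(before, after)
    return changes, flag_persistence(changes)


if __name__ == "__main__":
    result, flagged = demo()
    for kind in ("added", "removed", "modified"):
        print(kind, result[kind])
    print("persistence locations touched:", flagged)
```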
  • by Anonymous Coward on Friday October 29, 2004 @10:18AM (#10663225)
    Since it's a security site, I'd expect it to display a warning and disable the site if you are clueless enough to accept the cookie!

    You gotta start with the fundamentals...
  • Guide for Linux? (Score:2, Interesting)

    by brandonp (126)
    This is very cool, is there also a Security Guide for Linux? Sounds really helpful.

    --
    Brandon Petersen
    Get Firefox! [spreadfirefox.com]
    • Re:Guide for Linux? (Score:3, Informative)

      by Zinho (17895)
      It doesn't look like they're maintaining a current document on Linux. Their comprehensive list of current configuration guides [nsa.gov] does not list any, in any case. I did find their list of archived guides [nsa.gov], which has a guide for Apache 1.3.3 on Red Hat 5.1 - it had the following explanation for why guides get into the archive:

      NSA has developed and maintained configuration guidance for a number of products. Over time these products age, are superceded by newer versions, or are no longer used by it customers. As

  • by finkployd (12902) on Friday October 29, 2004 @10:25AM (#10663288) Homepage
    I finally found something about OS X that I absolutely hate and is making me question the entire OS. OS X has its own digital certificate/private key cache (which also stores passwords, but that is irrelevant), which is convenient for applications that use certificates and private keys for identity (like safari and mail.app). It also has a nice utility for managing this environment (Keychain Access).

    HOWEVER, Apple (for reasons I cannot fathom) has decided to not allow keys and certs to be exported from this cache. This is totally unacceptable and horribly wrong. In this email [apple.com], which confirms my worst fears, Peter Sagerson says it best:

    In Jaguar, private keys are never exportable. This seems kind of silly, since my digital identity should be linked to me, not the platform, the machine or that particular (and transient) installation of the OS. In Panther, Keychain Access has an Export command, but it's never enabled. I don't see a Keychain-level API for key export and the CSSM API doesn't seem to work. So it's hard to tell what the intention is.

    The intention seems to be the very incorrect idea that the digital identity belongs to the computer, and not the person. I have figured out how to move my cert and key to another Mac, that is simply creating a new keychain, copying certs to it, and moving the new keychain file to another machine. However, I still cannot get them out of Apple's proprietary format to move them to any non-OSX platform. I have posted this question [apple.com] to Apple's usually helpful discussion forum, but have received no answer.

    This is most disturbing and calls into question both Apple's competency with regard to security in general, and their intentions with regard to what the user can do with their own data (or in this case, their own identity)
    • Am I the only one who thinks that computers should start shipping with a pack of smart cards? You simply create your identity on the card, then it acts as a universal "computer key" for computers you have access to. i.e. One could think of it as a car key for their computer.

      Such a design would be pretty transparent to users, and could easily fit in with the way they expect day to day things to work. You can even recommend that they make a backup card at card creation time, so that they can stash it in a sa
      • by finkployd (12902) on Friday October 29, 2004 @10:53AM (#10663560) Homepage
        Everyone has USB, why not use this instead of requiring a card reader?

        Excellent idea though, I have been in support of that concept for a while. This could be extended to requiring a password to unlock the private key on the card/USB drive or even have a small thumbprint reader on the card/USB drive itself to unlock the key. This would remove my major complaints about biometrics (i.e. replay attack).

        These technologies all exist and would be simple, but people simply do not see the need for them so there is no demand (outside of some rare government, education, and corporation groups). Unfortunately the average joe is content with a digital world that relies completely on his mother's maiden name for authentication :(

        Finkployd
        • Everyone has USB, why not use this instead of requiring a card reader?

          The only reason is that smart cards are cheap. I can pack all the security info I need on a card that costs $1.00 - $5.00 each. In comparison, a USB key has to have a variety of communications electronics that make its minimum price somewhere around $15.00 a key.

          So it's really a matter of economics. :-)
    • by MoneyT (548795)
      Well, it's not the best solution, but if you want to move your keychain from one computer to another, just open the Keychains folder in your User library (~/Library)
    • by daveschroeder (516195) * on Friday October 29, 2004 @11:18AM (#10663840)
      Apple is most certainly not tying digital identity to the computer.

      Your Keychain, in ~/Library/Keychains, is perfectly portable, and designed to be moved from computer to computer, or stored on a device for storing such tokens, such as a USB flash drive.

      Further, that certificates are even in your keychain at all implies that you should have access to the original source certificate files, which clearly remain portable.

      And finally, rumor has it [appleinsider.com] that Tiger will include much more advanced features for managing, importing, and exporting certificates and CAs.
      • Your Keychain, in ~/Library/Keychains, is perfectly portable, and designed to be moved from computer to computer, or stored on a device for storing such tokens, such as a USB flash drive.

        I mentioned it is possible to copy keychain files. Which is perfectly fine if you are only talking about OS X computers, but that isn't the only OS out there. Calling keychain portable is fine as long as you note that the portability is only extended to other Macs.

        Further, that certificates are even in your keychain at
  • How come the NSA only publishes guidelines for the MacOS? Actually, I think that with the recent onslaught of network vulnerabilities, government organizations would do well to educate the public more about security.

    In fact, where I live (Hong Kong), the government had a radio show where there would be a quick tip about securing your machine. Obviously, the focus was on Windoze, but anything that elevates the awareness of the general public to computer security is a good thing.
    • um... they don't just publish guides for MacOS. NSA has security guides for other operating systems as well. Check the last link in the article summary.
      • I remember hearing a radio show a few months back, maybe it was the show about the spying game on CBC's Ideas [www.cbc.ca], about how OS X is becoming a preferred platform for some NSA-affiliated government spy agencies. Ease of configuration for decent security and quick development platform, unfamiliarity with the platform by many means better stealth, and the fact that many bad guys are OS X switchers too. You won't read that on Apple's switch campaign site.
  • by mbrewthx (693182) on Friday October 29, 2004 @10:42AM (#10663430)
    The infamous CowboyNeal was arrested today at his private hovel. The Department of Homeland Security issued a statement saying that he was the head of a secret conspiracy to disrupt the online functions of the NSA. There was no comment from CowboyNeal or his attorney, a Mr. Taco. But he is said to be enjoying Steak Tartare with his prison mate Martha Stewart. Mr. Neal's activities apparently caused serious lag in the NSA's end of the month CS tournament.
  • by twalls (789774) on Friday October 29, 2004 @10:51AM (#10663533) Homepage
    Several people have already called the slashdotting. They're still alive and kicking! Gotta give em credit for trying. "Mr. President, we're giving her all we can! She just doesn't have enough bandwidth!" "Well, why not just use one of the other Internets?"
  • by daveschroeder (516195) * on Friday October 29, 2004 @10:53AM (#10663564)
    Corsaire Ltd has an excellent practical OS X security whitepaper [corsaire.com] in this same vein.
  • by sir lox elroy (735636) on Friday October 29, 2004 @11:25AM (#10663912) Homepage
    download to complete, DOH it's now stalled. /me wants to call the NSA and ask if they can mail me a printed version of the document it would be faster
  • To secure your Macintosh, please download the NSA_KEY file and place it in your system directory.

    (For those who missed this way back when, here's a good summary: http://cryptome.org/nsakey-ms-dc.htm [cryptome.org])
  • A Tinfoil Moment (Score:2, Interesting)

    by sockonafish (228678)
    I got curious while waiting for my 300 byte/second download to complete and decided to see what nmap had to say about nsa.gov.

    Shortly after I began, I was unable to access any network resources. Shortly after I stopped, I was able to access things again.

    Can anyone else provide a port scan of the nsa without being DOS'd?
  • According to Netcraft [netcraft.com]
  • The NSA has decided that they don't have the resources to continue putting out new lockdown docs. They're going to let the vendors do it for them. No joke.
