Delivered on MacMania 15 in Australia, this talk covers the history of how the Mac used to
http://podfeet.com
Mac OSX Security
Allison Sheridan
November 2012
1Sunday, November 25, 12

Definitions
Malware - a generic term to describe anything put on your machine with the intent to harm
Virus - a self-replicating type of malware that moves from machine to machine without active participation by the user
Trojan Horse - malware that masquerades as something else - e.g. free Photoshop, video codecs

Agenda
History
  Didn’t we used to be safe?
State of the Union
  Where are we now? (Some good news)
What practical things can we do to be safe?
  Email safety
  Software updates
  Protecting passwords
  Gatekeeper
  Anti-Virus

2004 - 2007 Blissful Ignorance
2004 - Mostly ignored
  Renepo worm is proof of concept
2006 - Denial
  Leap-A first ever virus for OSX
2007 - I remember this year
  Office Macro Virus ran on OSX, Windows & Linux (we all blamed it on Microsoft)
  Bad Bunny (creepy pornographic bunny) and the first Financial Trojan for Mac (and Windows) - which also offered porn

2008 - Things start to heat up
Macs and PCs attacked by poisoned adverts offering Scareware called MacSweeper and Imunizator - without which they threatened all your data would be erased
Hovdy-A Trojan stole passwords, opened the firewall and disabled security settings
RKOSX-A - Helped make more trojans
Video Codec claims - you can't play the video without this codec…
First time Apple suggested anti-virus software, and then deleted the suggestion

2009 - Your Own Darn Fault
iWorkS-A trojan horse in pirated versions of iWork and Photoshop
Another video virus MacCinema
How about some more porn? Enjoy your Jahlav trojan
We're all still smug that we're too smart to get infected

2010 - Starting to Get Nervous
Pinhead trojan allowed hackers to gain remote control - but again through downloads of legitimate software from illegitimate sites like iPhoto
Boonana worm uses a Java applet to target Windows, Mac and Linux

2011 & 2012 Hard to Ignore
BlackHole RAT allows hackers to gain remote access
MacDefender hits the scene - pretending to be a legitimate security application - acquired through a search engine poisoning campaign
Flashback Trojan hits disguised as an update for Adobe Flash
  Apple acknowledges and provides removal tools
source: http://nakedsecurity.sophos.com/2011/10/03/mac-malware-history/#2004

What Changed?
Originally malware was plain old vandalism - destroy your hard drive and leave a signature for bragging rights
Over time, malware has mutated into a multi-billion dollar business
Hacktivism - hacking for political purposes
  LulzSec & Anonymous
Digital espionage and sabotage
  Stuxnet malware distributed specifically to attack a Siemens computer system used by Iran’s nuclear program

The Big Money - Botnets
Technical bad guy writes some code and infects a lot of machines (millions) such that he/she can control those machines at will
Technical bad guy sells the botnet to an extortionist
Extortionist tells a gambling site, “It would be a shame if your site went down the night before your big tournament”
If the gambler doesn’t pay up, extortionist tells all the machines in the botnet to attack the gambling site at the same time
  Creating a Distributed Denial of Service Attack

Why was OSX Left Alone So Long?
OSX is based on a relatively secure operating system - BSD with decades of security updates
  Remember no OS is truly secure
  Secure as compared to Windows
Small number of computers meant less profit
  Remember bad guys need to infect millions of computers to be effective
  OSX wouldn't have added significantly to the numbers

Apple Took Their Eyes Off the Ball
Flashback Trojan didn't have to be as painful as it was
  Apple didn't patch Java for months after Oracle patched - would have saved so many from Flashback
Apple grew complacent after decades of no real threats
Microsoft in contrast became very vigilant
  Microsoft have implemented technologies for preventing exploits of bugs (DEP + ASLR)
  Apple has it NOW but they were late to the party

#1 Thing You can Do to be Safe
When Software Update tells you it’s ready to give you something - say yes!
  Don’t procrastinate when it wants to reboot
  With Lion+ resume all windows and applications it’s much faster to reboot
Allow your applications to update as well

I Have an Old OS, They Won’t Attack That
Well...that’s not quite true
Apple only updates one OS version back
  Mountain Lion is out - Lion is updated but not Snow Leopard
Older OS’s often contain the same code that just got patched in the new OS
Vulnerabilities still exist in the old OS so you’re not safe
Best to upgrade say after the first two revs are out
  What’s the advantage of waiting?
  You know you’re going to upgrade eventually!

Just Disable Java*
Very few sites use Java these days
  Disable in your browsers (Tutorials on how to do that on Podfeet.com!)
  If you ever need Java, reenable on Chrome and then disable again
  Safari automatically disables Java if you don’t use it for a while (what does that tell you?)
  Another option is to keep one browser for Java that you never use for anything else
* Apple removed Java from all browsers in late October

Mountain Lion: Now for the Good News
Gatekeeper controls how and what apps you can install
Safer to download apps
Harder to get malware
  Highest protection level:
  Set Security to allow apps from Mac App Store Only
  Apple reviews each app
  If an app slips by, Apple can remove from the store

What if You Don’t Use the MAS?
You:
  Set Security preferences
  Allow apps from MAS and from identified developers
Developers:
  Register with Apple, they get a unique developer ID
  Digitally sign their apps with this ID
Gatekeeper:
  Checks to see if the app is digitally signed and warns you if it’s not
Result: Unsigned apps never land on your machine

What if You Know an App is OK?
An app you trust shows this when you try to open it
You can still open it without turning off Gatekeeper
Control-click to open the app
Gatekeeper will still warn you but will give you the option to open

I Want to Control My Own Destiny!
What if you’re a sophisticated user and want to walk on the wild side?
Set Security Settings to Allow from Anywhere
Gatekeeper will give you one last chance to change your mind...
Now you’re just as insecure as you were on Lion and before
Personally, I keep it on Mac App Store and ID’d developers
More on Sandboxing and Gatekeeper: http://www.apple.com/osx/what-is/security.html

So What’s Sandboxing Then?
Sandboxing doesn’t require you to do anything
Sandboxing isolates apps from critical components of your Mac
Apps as submitted to the Mac App Store must declare what features they need to access
  For example, an address book app would ask for access to your Contacts
Some apps ask for access they shouldn’t need - Sandboxing will warn you of this
Why would Chrome need my contacts? Just say no!

More on Sandboxing
Apple is even Sandboxing its own apps like Notes, Reminders, Game Center, Mail and FaceTime
Result - if an app is compromised by malicious code, the damage is limited to what the app is authorized to access
Any downsides to Sandboxing?
  Some of the more creative utilities can never be in the Mac App Store because they do access core services
    For Example: TextExpander 4, AppDelete

Be Safer in Email
Do you ever get email where the From field says [email protected]?
  Of course not!
The From field is VERY easy to fake
Never ever ever EVER click on any links in an email requesting you update your information at a site
  Even if it says it’s from your bank or Google, or Apple or .gov
Here’s why...

You Can’t Trust Links
Learn to hover over links
Anyone can fake a link
Example:
  See how the link says it’s from paypal.com?
  Hovering reveals it’s actually from eagleshell.com
Even if hovering shows a link is from the expected source, I still don’t click them
Enter the URL directly in your browser so you’re positive it’s the real deal

Just Disable Flash
Very few sites use Flash these days
  For some reason restaurants have Flash menus
  Most other sites have swapped to h.264 for video
Disable in your browsers
  Flashblock on Firefox addons.mozilla.org/en-US/firefox/addon/flashblock/
  Click to Flash on Safari clicktoflash.com/
Both will stop those annoying animated ads, and make your system more stable
Another note - you don’t need Adobe Acrobat, you have Preview!

Time to Talk Passwords
Don’t panic, this is easier than you think!
Enter LastPass at http://lastpass.com
  You select one (last) password then store all the rest of your passwords in one place
  Encryption happens on your machine, not their servers
I’m lazier than just about anyone, and I can use LastPass
  Easy to create passwords, easy to enter passwords
  Plugins for Safari, Firefox, Chrome
  LastPass browsers for iOS!

LastPass is the Last Password You Need
Save passwords
Save websites
Save license keys
Save credit card info
Create auto-fill forms - enter your address, phone number, everything a website is asking for in a few clicks
Concerned it might not be safe to trust LastPass?
  Believe noted security expert Steve Gibson: http://twit.tv/sn/256

How to Choose Good Passwords
Make sure your passwords are long and complex
  It’s not like in the movies...
The longer your password, the harder to crack
The more types of characters, the harder to crack
  Upper/lower case, numbers, punctuation
As you add 1 more character to the password each time you get 64 TIMES (x) more strength
How do we remember these passwords if not using LastPass to create and store?
Consider http://xkpasswd.net to generate complex and yet memorable passwords

Protect the Crown Jewels
Anything financial - banking sites, stock trading sites etc.
Anything which stores your credit card (including things like your Apple ID, Skype, and store sites like Amazon)
All email accounts
  You’d be surprised how connected your emails are
All passwords relating to your work
  You don’t want to be the person who allowed your company’s proprietary information to leak

Silly Sites
NEVER re-use passwords you use on sites like these
  I used the same password on silly site Gawker Media and Skype
  Didn’t change my Skype password - was a silly site
  Forgot Skype auto-loaded credits from my Paypal account
  Gawker got hacked
  I lost $200 in 1.5 hours
  Good news is Paypal and Skype took care of me

Time for Anti-Virus?
Sorry, but yes
Recommend ClamXav from http://clamxav.com
Non-intrusive, doesn’t slow your system down, adds a layer of protection
I installed it and messed with the configuration till I got something that doesn’t annoy me but gives some protection
Steps to configure ClamXav: http://www.podfeet.com/wordpress/tutorials/how-to-install-clamxav-anti-virus-for-mac/
Demo time!

Special Thanks
Over the past 5 years I’ve been tutored in Security by Bart Busschots of http://bartb.ie
Pretty much everything I know on this subject is because of him
Follow him on Twitter at @bbusschots
Listen to the International Mac Podcast which he hosts with Stu Helm at http://impodcast.com

Blog/Podcast: podfeet.com
Email: [email protected]
Twitter: @podfeet
Slides: slideshare.net/nosillacast/presentations