Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Comments · 1,061
-
Nobody ever reads the article...
Since you probably didn't RTFA, here's some more good stuff:
Security Guide for OS X - by the U.S. National Security Agency
Email virus protection - setup SpamAssassin, ClamAV and Amavisd-new with Postfix on OS X
Linux Magazine gives OS X five penguins
The nice thing about this site, as a developer, is that everything I was looking for regarding OS X is all here. Tools, manuals, FAQs, discussion boards, you name it, it's here.
-
Re:Grsecurity is for real?
While I agree that security issues must be taken seriously, I feel the need to point out that Brad isn't exactly a paragon of virtue himself. In the past he's threatened to withhold information on vulnerabilities in competing projects, in order to make his own project more attractive... a bit of googling will turn up other examples.
Personally, I switched from grsecurity to SELinux shortly after the incident linked above. While Brad may in fact be quite skilled, I've simply lost trust in him and, by extension, his project.
-
Re:How Bill can succeed...
Would make him look rather silly since the NSA has a Linux distribution...
-
Re:Go Poland
man, please, grow up..
Enigma was cracked by Rejewski, Rozycki and Zygalski, do those look like English names?
you're watching too many hollywood movies ;-)
http://www.enigmahistory.org/enigma.html
http://www.bletchleypark.org.uk/page.cfm?pageid=265
http://www.nsa.gov/museum/museu00007.cfm
-
Re:Sun could learn a thing or two IMHO
The point of containers (or jails, chroot, etc.) is to create a "sandbox" where errant programs can do no damage. Did you know there is another way which is gaining widespread use? SELinux.
SELinux policies create sandboxes actively and explicitly whereas containers create sandboxes passively and implicitly. Two different ways to achieve the same goal.
One should note that Unix chroot precedes containers, jails, and vservers by many years. Containers, jails, and vservers are the evolution and refinements of the basic classic Unix chroot concept. That is where the real credit resides.
-
Re:SELinux
No, SELinux is NSA's baby.
Cracking into NASA is one thing. You're up against propeller-heads and zoomies, nice people who think space is neat. Cracking into the NSA is a whole 'nother ballgame. Those folks are professional paranoids, and while they don't kill people, they certainly know people who do.
-
NSA has this, too.
See NSA Kid's Page.
-
NSA Internship
NSA Summer Network Evaluation Internship Program.
It's a 12-week program following the student's third year.
As a participant in the Summer Network Evaluation Intern Program (SNEIP) you will acquire an appreciation of the challenges our Nation faces in network security as it relates to real-world work experiences. You will experience first-hand some of the critical work done at NSA as well as have the opportunity to apply your skills on hardware and software systems to enhance network security and contribute to the security of U.S. information systems.
Sadly, this won't benefit you since the application deadline has passed.
-
Good Luck...
I wish you well in your search, but unfortunately the private sector and many consultancies will not employ student interns. It is hard to ask these companies to risk introducing their critical assets to someone with no credentials or past history of being trusted in a position of high responsibility. That said, the GOVERNMENT is without a doubt an exception to this. In fact, the US National Security Agency has a summer internship with their Information Assurance Directorate (INFOSEC) group.
This is a highly-competitive program but they will hire college students who go through the standard battery of background checks (including polygraph). Details can be found here.
-
Uphill Battle Ammunition
Don't blame the users, part of your complaint is poor user education(!). You know it's bad but your users don't. Build and document exactly why you want the user to be secure and why it is a good thing for EVERYONE.
The following suggested discussion points are in no particular priority:
- Have the user sign a document assuming responsibility for any legal liability
- Have the user sign a document absolving you/IT/Corporation of any responsibility
- Have the user sign off that you're not going to give their non-standard box priority. Custom solutions require expertise and your best fit, economy of scale is to standardize on "bricks" AND not to shit them when Chief Asshat calls
- Have the user technically justify their reasons for the request
- Have the user sign off that they know and recognise what they are doing is against company policy
- Research, document and educate people to the costs behind their actions - emphasize individual desktop customization/attention is prohibitively expensive. See other bullets for ammunition.
- Scale the lockdown. Try Power User. Try stripping rights. Give them a gun with no bullets
- Emphasize your expensive security efforts are concentrated at the network level and based on users not shooting themselves (or the company) in the foot
- Emphasize that users are their own worst enemy, you're trying to protect them from themselves - the dumbed down modern spyware/viruses use user rights
- "Encourage" users with administrative rights to attend a responsibility/learning class/session.
- Use what you have put together to educate YOUR management. The pervasive executive buddy system is fiscally irresponsible and leads to spineless management
- Go surf the NSA website. Lots more info there.
-
Check out SELinux
Fedora SELinux FAQs
Security-Enhanced Linux
SELinux for Distributions
The UnOfficial SELinux FAQ
Quite honestly most any GNU/Linux distro will slow them way down (assuming they're not using a hardware keyboard capture device). If they get physical access to your machine you're screwed regardless of the OS.
-
Re:Searched for "communism" ...
I think this means that your internet connection doesn't originate in China
Are you saying they'd have a system that recognized the source of a request then responded appropriately? Like foreign journalists get victomsofcommunism.com whilst a resident of Hong Kong gets his door kicked in?
Heh, not that our media folks, showbiz folks or academia actually question the legitimacy of Communism - just specific implementations.
We have nothing to fear but fear itself. Well, sort of.
http://www.amazon.com/exec/obidos/tg/detail/-/0840379943/103-2263410-8029437?v=glance
Venona Program
http://www.nsa.gov/publications/publi00039.cfm
http://www.cia.gov/csi/books/venona/venona.htm
-
Re:It means
NSA has Security Enhanced Linux; see their web site FMI.
-
Twelve Step TrustABLE IT : VLSBs in VDNZs From TBA
Twelve Step TrustABLE IT:
Virtualised Linux Standard Base (VLSB)
in Virtual Demilitarized Network Zones (VDNZ)
from Trusted Build Agents (TBA)
Back on August 11, 1998, Microsoft's Vinod Valloppillil and Josh Cohen released a memorandum titled Linux OS Competitive Analysis: The Next Java VM?, in which they predicted that Linux would become ubiquitous as a services platform. However, the title of the paper could be even more prophetic.
Consider the following.
[1] It is well known that Linux is quite portable, in fact only NetBSD comes close to the number of hardware platforms supported.
[2] What is less well known is that the Linux kernel has even been ported to run on itself, as client for a virtual Monitor platform, and even to run virtualised on other operating systems including Win2K and XP.
[3] Other operating systems, such as BSD and Sun's Solaris can also use a compatibility layer to run applications compiled for Linux directly, without the need for virtualisation.
[4] The Linux Standard Base Mission Statement is to
To develop and promote a set of standards that will increase compatibility among Linux distributions and enable software applications to run on any compliant system. In addition, the LSB will help coordinate efforts to recruit software vendors to port and write products for Linux.
[5] The above standard also defines a generic subset of the standards for each hardware platform as a source level application interface. In fact for an application to be certified for the LSB it must be tested on two of the platforms supported by the LSB, one chosen at random by the testing body. Following the standard, it's not that difficult a job to write portable C and C++ code : Write once, compile for each platform.
[6] The GNU Compiler Collection's future GCC 4.0 Release Series now divides the task of compiling into two stages based around Static Single Assignment trees. It should be possible to use the new GCC front ends to compile each language into a SSA tree that represents the common generic subset of the Linux Standard Base: [5]. The resulting SSA tree for a build could be dumped into files, analogous to Java's JVM intermediate format, and then compiled to native code for the target platform: Write once, run everywhere.
Be it open or closed source, every binary or script you execute represents a risk. It is possible to introduce hostile code at any point along the build chain, before the point where the binary is checksummed and the result digitally signed.
[7] It is possible to use constraints built into any Linux or Unix like operating system to isolate and restrict what a binary executable has access to or can do. Even without employing SELinux's mandatory access controls or chroot/jail'ed environments, it is possible to run a process under a different user identity and group identity. Unix servers have used this te
-
Re:Speaking of government contracts
If you're thinking Security Enhanced Linux (SELinux), the NSA's working on it.
-
Re: The open source weapon against terrorism
"More likely, the NSA were only appearing to contribute to the Linux kernel, while they were actually introducing subtle and cleverly obfuscated bugs that will allow them to read Osama's email, and tell on him to his mother if he blows things up."
Note to moderators: both "funny" and "insightful" apply to parent post! Stranger things have happened. Just a thought: maintain public-readonly source repository, use internal subtle-but-evil-injecting-filter and compile, and distribute clean-looking-but-subtle-screwed binaries. Just out of curiosity, I checked NSA site, but it looks like they don't even distribute binaries, source code only, and nicely sorted into different packages.
/me thinks SELinux is a nice demonstration of the power of open source, showing that contributions can be useful to anyone, competitors/enemies included (and vice versa!), regardless of hidden agendas. Just check if a modification suits you, and apply (or not) as you wish.
-
Open Source is a threat to National Security.
This should be self evident to anyone. Admittedly the National Security Agency bothered to make additions to the Linux kernel to make it more secure, and freely returned their work to the open source community. That just shows that the National Security Agency doesn't know anything about National Security.
When I'm concerned about National Security I know I trust a random small commercial software company. It would only make sense that they would be better informed about National Security than some lowly government organisation.
Jedidiah.
-
Re:uh ya
check this out. don't put phpMyAdmin on a non-password directory!
-
Re:SELinux?
Well if you can't break into their site maybe you should try learning with CryptoCat and get the basics right!!
-
Re:SELinux?
WAIT: Scratch that, they USED to have a really cool kids website.
Are you saying this isn't cool? I was able to read that page from EUROPE. So much for export control.
-
Re:SELinux?
Wow. If the design of their website doesn't give you a 'Big-brother' impression, nothing will. Seriously... are they GLOATING at the fact that they're an agency which literally nobody knows what they're doing.
Actually, the NSA has a really cool kids website.
WAIT: Scratch that, they USED to have a really cool kids website.
I'm not sure why they killed the old site that had some really cool math puzzles. It was interesting even to adults like myself.
-
Re:SELinux?
Wow. If the design of their website doesn't give you a 'Big-brother' impression, nothing will.
Seriously... are they GLOATING at the fact that they're an agency which literally nobody knows what they're doing.
Heck, I remember reading somewhere that during WWII, the mere existence of the British equivalent to the NSA was known of by somewhere along the lines of two or three people outside of the agency itself -- Churchill was one of them.
-
Re:SELinux?
Head over to the NSA and read some of their papers about SELinux, and what it was intended for. It was not intended to be the ultimate secure OS. If you read between the lines, it's more like a bunch of NSA people got so pissed off with the current complete lack of security in commercially available OSs, so grabbed Linux and hacked in Mandatory Access Controls without any real difficulty and turned it back to the community as a demonstration to say "See, it isn't so damn hard to make things a lot more secure".
I wouldn't make any bets as to whether the NSA themselves make a lot of use of SELinux. They won't really tell you what they use. They do certainly know a lot about writing secure OS code though, considering how fast they managed to put SELinux together.
Random fact: The NSA web site has never been hacked or defaced. The CIA, FBI, the White House etc. have all been hacked, even if it is rarely and briefly. The NSA... never. You can't tell me it's for lack of trying.
Jedidiah.
-
That's NSA's job!
Isn't electronic eavesdropping (ELint) NSA's job? This looks again like internal competition within the intelligence community!
-
Re:Jurisdiction?
This means that there is no law stopping the US government from spying on Europeans, or for that matter European governments from spying on people in the US. A government can even use this to bypass its own privacy regulations by having a friendly government spy on its citizens and getting that information.
It's been known for years that the NSA and GCHQ have a reciprocal agreement where the former spies on UK citizens and the latter spies on US citizens.
-
Trusted Solaris 8 / SELinux
Other GNU/Linux distros may not have military grade security like Trusted Solaris 8, but Security Enhanced Linux (SELinux) was developed by the National Security Agency -- surely that's good enough for government work.
It's a bit more complicated than that. If you read the SELinux FAQ:
12. Is Security-enhanced Linux a Trusted Operating System?
No. The phrase "Trusted Operating System" generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. Security-enhanced Linux incorporates useful ideas from these systems but focuses upon mandatory access controls. It is expected that this work would be combined with other efforts (e.g., auditing and documentation) to construct a "trusted" system. The initial focus of Security-enhanced Linux development has been to create useful functionality that delivers tangible protection benefits in a wide range of real-world environments in order to demonstrate the technology.
The NSA itself says that it's NOT one, so on its own SELinux is not good enough for secure US government work, despite its being developed by the NSA.
-
Re:SETI noise
If your data is truly random, the starting point will be irrelevant to the security of the scheme. Therefore, in the interest of key maintenance, it would be best to start at the beginning with the first message, and always begin the next message at the point where you previously left off. This ensures that you use all the key material once and only once, and as soon as you run out you destroy the disks.
For truly random data, a Geiger counter is indeed a great device to use. John Walker has built and documented a device called "Hotbits" which he uses to generate truly random numbers.
If you were to accidentally reuse a piece of the key, the plaintext would be quite easy to recover. For more on the subject, and how the FBI knew that the Rosenbergs were guilty, see the NSA's Venona site. For an easier-to-read treatment of the subject, I strongly recommend a third party analysis, such as Venona: Decoding Soviet Espionage in America by John Earl Haynes and Harvey Klehr (Yale, 1999.) In it, the authors explain why the Soviets probably re-used their one-time-pads.
What is also interesting to note is the authors' conclusion that the 'code names' the Soviet agents used actually turned out to be one of the best security measures they used. The people in the messages were identified by a tedious procedure of compiling a list of suspects, then finding additional information that pinpointed their suspect. Julius and Ethel Rosenberg were identified by their relationship to Ethel's brother, David Greenglass, in a background 'biography' sent to the KGB by their handler. There were at least 20 other moles in the Venona decrypts that were never publicly identified because the NSA could not deduce their real identity from their cover names.
-
Re:could linux BE any more secure?
that would be SE Linux developed by the NSA. the official page is here: http://www.nsa.gov/selinux/
-
This is just the prelude...
CNN Money is reporting a new and improved MyDoom variant which is spread by a hyperlink in email. Clicking the link connects the user to an infected machine, which exploits a recently discovered buffer overflow in Internet Explorer.
What I find more interesting here is that they're moving the virus data "out of band" -- they're no longer transmitting the virus in the message, which may make things harder on the AV companies. How do you filter out all emails that merely contain links to websites? Worse, the links are to infected computers.
Imagine a virus that said: "Check out this cool website I found!" and nothing more? Not a lot to filter out from your email there :/ (then again, SPF should help some...).
Funny thing is, I had this idea and wondered how long it would take for the virus writers to think of it, too. Hrm, only took a few months. Wonder how long it'll take them to generalize this and realize that email isn't the only way to send content to people? Granted, it's one of the most popular, but if the virus writers ever develop the skills to make them adapt to as many services as I can envision... Ugh, at least I'm not on a platform directly affected by this crap (well, except for the nuisance virus emails... meh).
-
Re:SE Linux Vs. Trustix
SE linux is a patch for any linux kernel put out by the NSA. so you can install SE on trustix and make it even better. One of the best things about trustix is that virtually nothing is running on a basic install, only postfix. http://www.nsa.gov/selinux/
-
/.ing the NSA!!?!?!!
I can't believe you /.ed the NSA - http://www.nsa.gov/snac/support/WORMPAPER.pdf
we're all screwed now...
-
Actually the real url is
http://www.nsa.gov/snac/support/WORMPAPER.pdf.exe
But it is good to see the government is adopting some standards that are actually useful. But who wants to guess how much this cost them and how much it should have really cost?
-
Re:Guide for Linux?
They actually have their own distribution.
-
Re:Guide for Linux?
It doesn't look like they're maintaining a current document on Linux. Their comprehensive list of current configuration guides does not list any, in any case. I did find their list of archived guides, which has a guide for Apache 1.3.3 on Red Hat 5.1 - it had the following explanation for why guides get into the archive:
NSA has developed and maintained configuration guidance for a number of products. Over time these products age, are superseded by newer versions, or are no longer used by its customers. As such, NSA may choose to discontinue maintenance and archive some of these guides.
So it looks to me like they're not supporting Linux with this program, regardless of the fact that someone else in the organisation is building SELinux. Sounds like a classic case of right-hand not knowing what the left hand is doing...
-
Re:Lack of safety in numbers
Had you not brought down the NSA website, you would find them here.
-
Re:Lack of safety in numbers
How about this? There are several linked off that NSA page besides this one.
-
SELinux
I look forward to the Fedora SELinux project getting a good workable set of policies so that SELinux can default to being on for Fedora installs. Once that happens the "Linux is more Secure" claim will actually have some serious hard evidence behind it. SELinux and other Mandatory Access Control systems (anything hooking into the Linux Security Module in the kernel really) really are a serious step up in security, and there really is nothing comparable in the windows world.
A good way to think of MAC or SELinux is as a firewall between processes on your machine and the files and devices etc. on your machine. At the kernel level there is a set of rules, at pretty much as fine a grained level as you care to write, as to what can access what. It's well worth reading the FAQ to get a fuller idea of what we're talking about here.
Jedidiah.
-
Re:550 watts hey...
Ask them.
-
Re:One minor detail...
Also, It is also believed that NSA programmers have contributed to the linux kernel.
Was "believed" put in there because somebody wants it to sound Really Scary(TM) because it's "believed" rather than "publicly known", or was it put in there because somebody was unaware of SELinux?
-
Re:Join the Cyber-Corp! I did!
Let me add a quick addendum to LanMan's post.
In support of the government's policies on Critical Infrastructure Protection, there is this outreach program between NSA and various educational institutions which is producing just really excellent security professionals. In light of corporate resistance to DHS's attempts to bring the private sector onboard, I think this and similar programs are the best shot we have at securing the civilian sector.
More information can be found here.
-
Re:Buffer checks
Immunix for one. Alternatively, taking a slightly different path towards pro-active security measures, Red Hat has recently included exec-shield (as seen previously in Fedora Core 1 onwards) in RHEL3 update 3. FC2 includes SELinux, so that'll probably turn up in RHEL eventually, too.
--
-
Re:Before you ask
wow, a reason for me to not be an idiot with HTML...
Great Seal
-
Re:good trend
If you look at the SElinux download page you can read the following tidbit:
The Linux 2.6 kernel already includes the extended attribute (EA) support, the Linux Security Module (LSM) framework, and the SELinux module, but the changes to the SELinux module that have not yet been upstreamed can be obtained from here.
In other words, SElinux comes with the kernel.
-
good trend
I liked this back when Gentoo did it, and I think this is a great trend; having a completely security minded Linux OS (since BSD has been there forever ;))
Personally I'm really interested in the Security-Enhanced Linux that the NSA is working on. To have something that complete is really intriguing. Now if they don't have something like apt to keep it steady I dunno...but you have to admit it's got 'wow' factor written all over it!
BCDFY^&D&S^F
-
SE Linux
Is the grSecurity patch the same thing as SE Linux?
-
Re:Solaris Vs Linux?
I believe he was referring to Trusted Solaris. There were two separate kernels in development at Sun. One was the regular Solaris most of us are used to and the other was something they called Trusted Solaris. I have had the....joy of working with it. According to their "master plan" they merged the two kernels in Solaris 10. So, you would have the features of Trusted Solaris (TSol) available, if you so desired.
TSol is one of the most secure OS's I've administered. I had the opportunity to speak with one of the kernel developers and the one quote I'd like to convey about what we talked about is "That which is not explicitly permitted is implicitly denied."
However, Linux can have this level of security also. If you go here you will see the webpage for Security-Enhanced Linux (SELinux). Although, it is only a technology demonstration and may not be suitable for a real world environment.
These OS's are based on mandatory access control policies using roles. This is where the quote comes in to play. If you do not specifically give permission for an executable or a user to perform a specific action, that action will fail. There is no root user. Regular users have no rights themselves but are granted roles they can assume. These roles are given the rights and permissions to perform the tasks they have been assigned. You can create a "backup-admin" role so that it will have access to the tape drive and be able to read all files on the system, but not write anywhere but the tape drive and not be able to do anything else.
Now, I have not read if this part of the code will be "Open Sourced" and it was not discussed in the article. However, it has to be deeply embedded into the OS kernel for it to work so I must assume that it will be a part of it.
Mark my words: Mandatory Access Control, Labeled Security, and Role Based Access are the future of secure operating systems. If an operating system does not do these things it will not be considered for use in environments that have a high priority for information security (infosec). IMO, anything that connects to the Internet or a WAN or hosts sensitive data should have infosec as a high priority. If SELinux is not further developed, or a suitable replacement is created, then Linux will fall off the infosec curve.
-
And you, sir, are ignorant...
...but that's nothing to be embarrassed about, ignorance is curable.
The "McCarthy witch hunts" were NOT witch hunts (read the end). McCarthy's basic argument was "should we have people who are communists (many self admitted) in sensitive positions within our government?"
He was not only right, but underestimated the extent of Soviet infiltration, as the release of the Venona Project transcripts now reveal (summary here).
Now go and read a book.
-
Re:Don't advertise version number
That may seem like a reasonable request, but you should know that exploits, especially automated exploits couldn't care less about what version of a service you're claiming to run. They don't even care that it's the right platform.
The attacking system simply establishes a handshake, introduces the stimulus and waits for the response. If they get the desired response (shell, etc), great. If not, oh well, 1 down, 2^32-1 to go :).
Now for the flip side:
As an admin, if you knew you were not playing silly cat and mouse games with your banners, you'd be able to quickly determine which systems are still out of date.
And now for something completely different:
If you really want a secure user space application environment, you should build on a secure foundation. *BSD, UN*X (Solaris, AIX, HP-UX, etc), Linux, Windows, MacOSX, etc all employ a variation of Discretionary Access Control. DAC systems do not provide you the ability to actually enforce a security policy. Hardening an application on a DAC based foundation is akin to building a fortress on a foundation of sand.
If you require the ability to enforce your security policies, you need to start out with a sane and audited hardware base, and add on to it an OS equipped with mechanisms that provide for granular Mandatory Role Based Access Controls. You may consider the SE Linux project a good place to start.