Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Security Guide for Mac OS X

Posted by michael on from the take-a-bite-out-of-crime dept.

An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available."

12 of 250 comments (clear)

  1. What about... by Staos · · Score: 4, Interesting

    I tell you one interesting thing. While it was working back in 2003, I updated a 68030 Mac Duo laptop 7.6's modem driver from Apple site. I even had support about how to add more ram. That machine is back from 1994 or something.

    OS X updates aren't service packs, they are new OS'es. 10.3.0 is a new OS , 10.3.1 is a service pack.

    About antivirus and anti adware? As its a BSD based real OS, its run by rights. As its a pain in the ass to code a spyware on linux, its much more harder on OS X. Guess why? OS X shows a user friendly window which is centralized by OS GUI whenever a program needs administrative access.

    Oh there is a program on OS X, comes with it and has a unsolved security problem. Yes, it still exists. Guess what is it? INTERNET EXPLORER macintosh edition.

    --
    In Soviet russia, only old Koreans profit from pictures of Natalie Portman stored on Beowulf Clusters.
    1. Re:What about... by r2q2 · · Score: 2, Interesting

      I agree, I was running 10.1 and then upgraded to 10.3. There is a whole user interface redo, support for rendevous, a journaling file system much better support for unix, an x windowing system, ipv6 support expose and a host of other reasons why that was a good upgrade. Although I didn't pay full price for it it was one of the best upgrades and I believe I got my moneys worth.

      --
      My UID is prime is yours?
  2. Screwed up by AKAImBatman · · Score: 5, Interesting

    Yikes! The replies to this story are completely screwed up. I'm starting to feel sorry I ever tried to make a joke. I figured others would have something more insightful to say. Well, since no one else will, I'll try to say something insightful.

    It seems to me that most OS X users are pretty quiet on the topic because they can't find anything to say. Not because they're ashamed, but more because OS X Just Works(TM). Since the OS Just Works(TM), security guidelines like this are nothing more than hints on how to prevent users from accidentally opening security holes.

    Contrast this with Windows, where everyone is always looking for the "magic solution" that will allow them to completely close of the machine from attack. Yet Windows insists on requiring various services (e.g. RPC) to be running and publicly available before it will run properly.

    Some might argue that OS X is so secure because the developers had an opportunity to view OSes which came before them. This may seem like a reasonable argument, but quickly falls apart once OS X's heritage is investigated. You see, OS X is really the next major release of NeXTSTEPl an OS that pre-dates Microsoft's creation of Windows NT & 95. NeXT got it right back then. Why can't other OS makers get it right today?

    --
    Javascript + Nintendo DSi = DSiCade
  3. Guide for Linux? by brandonp · · Score: 2, Interesting

    This is very cool, is there also a Security Guide for Linux? Sounds really helpful.

    --
    Brandon Petersen
    Get Firefox!

  4. Re:File Vault by Anonymous Coward · · Score: 1, Interesting

    I had a File Vault eaten when I first installed 10.3 but since some of their updates to it I have been able to use File Vault pretty well when I have tried it. I don't trust it with anything important though so I don't use it on my adminstartor account or on my work account, which is kind of sad. I prefer to use Encrypted DMG files to store stuff I want private but that I only need occasional access to.

  5. Re:File Vault by twalls · · Score: 2, Interesting

    That's really sad, man. I had that happen and it scared the crap out of me (I've got a 15GB home directory). One day I logged in and it just sort of stared blankly at me with all the defaults. I blinked, told myself I was having a very bad dream, and logged off. When I logged back in, everything was fine and I breathed a huge sigh of relief! I guess I was one of the "lucky" ones. I keep using it and I haven't had any more issues... yet.

  6. Re:File Vault by Matey-O · · Score: 2, Interesting

    think they coulda named it something better than 'sparse diskimage'? I blew away all my settings (yeah, boo hoo, won't do THAT again) cause the diskimage was roughly the size of the two huge AVI's I just threw away and I wasn't getting my diskspace back after emptying the trashcan.

    Name it something like 'Secret Encrypted File' or something...

    --
    "Draco dormiens nunquam titillandus."
  7. Re:Keychain Access Gripe by finkployd · · Score: 3, Interesting

    Everyone has USB, why not use this instead of requiring a card reader?

    Excellent idea though, I have been in support of that concept for a while. This could be extended to requiring a password to unlock the private key on the card/usb drive or even have a small thumbprint reader on the card/usb drive itself to unlock the key. This would remove my major complaints about biometrics (ie replay attack)

    These technologies all exist and would be simple, but people simply do not see the need for them so there is no demand (outside of of some rare government, education, and corporation groups). Unfortunately the average joe is content with a digital world that relies completly on his mother's maiden name for authentication :(

    Finkployd

  8. Re:Keychain Access Gripe by AKAImBatman · · Score: 2, Interesting

    Not really. A reader is a $10-$20 part that can easily be added to any system. An external reader could easily market for $20-$50. The end result is that the smart card is going to be cheaper in the long run. (Keep in mind that each person who uses the computer is going to need two cards/keys. Things get particularly dicey in family situations.)

    If you look at a diagram for a smart card sometime, you'll notice how simple the things are. Basically, they fab small RAM, ROM, and processor chips right onto the card itself. This makes them cheaper to produce than wiring components together on breadboard, then encasing them in plastic.

    --
    Javascript + Nintendo DSi = DSiCade
  9. Re:Keychain itself deisgned to be portable by finkployd · · Score: 2, Interesting

    Your Keychain, in ~/Library/Keychains, is perfectly portable, and designed to be moved from computer to computer, or stored on a device for storing such tokens, such as a USB flash drive.

    I mentioned it is possible to copy keychain files. Which is perfectly fine if you are only talking about OS X computers, but that isn't the only OS out there. Calling keychain portable is fine as long as you note that the portability is only extended to other Macs.

    Further, that certificates are even in your keychain at all implies that you should have access to the original source certificate files, which clearly remain portable.

    False, if you generate a personal identity cert using a service like Thawte or Verisign (which do this over a web interface) then the private key is generated as a request from their webserver on your machine, and ONLY stored in Keychain. Try it yourself, use Safari and go to Thawte's page and create a personal cert. The cert is downloaded in whatever format you desire, but the key is generated locally and there is NO way to get it out of Keychain (despite the permanently grayed out "export" menu option).

    This kind of situation does not happen on any other OS. (and arguably wouldn't have happened on OSX had I used Mozilla or Firefox to generate the private key).

    Lastly, what happens to the person who maybe generates their private key using, say, openssl and then imports it to keychain? Practicing good security maybe they decide that having multiple private keys is bad and the delete the file assuming that it is possible to export a private key out of Keychain. Is that such an unreasonable assumption? What good reason is there for OSX to not allow you to do that?

    The changes to Keychain you referenced are certainly welcome (since that app has hardly changed at all over the years and could do much more), but I wonder if they will fix the exporting problem? I certainly hope so.

    Finkployd

  10. A Tinfoil Moment by sockonafish · · Score: 1, Interesting

    I got curious while waiting for my 300 byte/second download to complete and decided to see what nmap had to say about nsa.gov.

    Shortly after I began, I was unable to access any network resources. Shortly after I stopped, I was able to access things again.

    Can anyone else provide a port scan of the nsa without being DOS'd?

  11. Re: You spelled it wrong by wheatwilliams · · Score: 2, Interesting

    The Americans spell it one way, and the British (and all other English speaking peoples besides the Americans) spell it the other way. Same with "color" and "colour" and many other examples. It's been that way since the American, Noah Webster, wrote his dictionaries the early 1800s. He not only single-handedly "reformed" English spelling, he also wanted to create a distinction between "American English" and that of Great Britain, possibly for political reasons or a sense of nationalism. http://en.wikipedia.org/wiki/Noah_Webster