Slashdot Mirror


NSA Security Guide for Mac OS X

An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available."

27 of 250 comments

  1. New Government-Oriented Commercial? by American+AC+in+Paris · · Score: 4, Funny
    (voiceover)

    Step 45,328:

    There is no step 45,328. There is no step 45,328...*soft weeping sounds*

    --

    Obliteracy: Words with explosions

  2. What about... by Staos · · Score: 4, Interesting

    I tell you one interesting thing. While it was working back in 2003, I updated a 68030 Mac Duo laptop 7.6's modem driver from Apple site. I even had support about how to add more ram. That machine is back from 1994 or something.

    OS X updates aren't service packs, they are new OSes. 10.3.0 is a new OS, 10.3.1 is a service pack.

    About antivirus and anti-adware? As it's a BSD-based real OS, it's run by rights. As it's a pain in the ass to code spyware on Linux, it's much harder on OS X. Guess why? OS X shows a user-friendly window which is centralized by the OS GUI whenever a program needs administrative access.

    Oh, there is a program on OS X, comes with it and has an unsolved security problem. Yes, it still exists. Guess what it is? INTERNET EXPLORER Macintosh edition.

    --
    In Soviet Russia, only old Koreans profit from pictures of Natalie Portman stored on Beowulf Clusters.
    1. Re:What about... by Anonymous Coward · · Score: 4, Insightful

      Not sure if this would make it more secure for the OS challenged, but when it asks for administrative permission it asks for a password. If an office admin wants to keep the OS X's in the office secure, just don't give the secretaries the password for their computers. If they need to do anything which requires the password, they have to ask the computer guy and he can say, "So why do you need to see nude pictures of Brad Pitt again?"

    2. Re:What about... by Yaztromo · · Score: 4, Informative
      I don't see how simply having a centralized 'This app needs Admin access' form makes it any harder to write malware for a system, any app could trigger that function and make the request.

      It is my understanding that on OS X, the authorization dialog pops up because a request to a protected resource/API has been made, as opposed to an application being able to just randomly tell the OS to pop up an authorization dialog.

      The dialog itself always displays the name (and if available icon) of the application making the request, as well as the name of the right being requested. As this is put together only by the OS, you can't substitute one right name when you really want to do something different. And getting one right doesn't automatically permit a process to use any other right on the system -- each right needs authorization.

      It's actually quite a good system, and has been very well thought out. It does, of course, rely on some vigilance by the end user -- if they're entering their password anytime it's being requested without quickly checking to see what is making the request and why, obviously they're going to get into trouble.

      Then again, if I e-mail a bunch of Linux admins and ask them for their passwords, and they send them to me, you wind up with the same end result.

      Yaz.

    3. Re:What about... by Durandal64 · · Score: 4, Insightful
      What are you thinking? That all other OSes just give you an OKAY button and don't ask for a password to get Admin rights? No, of course not. You always need the password.
      Not quite. Administrators on Mac OS X and Windows are different things. On Mac OS X, an administrator is a user who is allowed to temporarily acquire root privileges through a sudo action. To get these privileges, the user must enter his password. So, if I want to install a program that needs to write files to /Library or anywhere that isn't /Applications (the admin group has full access to the /Applications directory) or my home directory, I need to enter my password. If I choose, I can require authentication for "secure" system preferences, like the login preferences.

      On Windows, if you are logged in as an administrator (not the Administrator account), your account will automatically authenticate during program installations and such, hence why you can make changes to the system settings and install programs without ever being challenged for a password. That is what makes the Windows way of doing things inherently more risky. You don't need to enter your password for administrator actions.
  3. Lack of safety in numbers by YetAnotherName · · Score: 4, Funny

    Given how entrenched Micro$oft's clutches are into the US Government, a security guide for Windows based systems would be even more useful.

    (I work for NASA; almost everyone in our group has Mac OS X on our desktops and Linux in the server room. Our supervisor is the only Windows user. Yes, he's developing pointy hair.)

    1. Re:Lack of safety in numbers by lachlan76 · · Score: 4, Funny

      Had you not brought down the NSA website, you would find them here.

    2. Re:Lack of safety in numbers by general_re · · Score: 4, Funny
      Filanthropy of Modern Man

      I'll put it alongside my copy of Speling Fer Slahsdooters.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
  4. These things make a nice checklist, but.... by general_re · · Score: 4, Insightful

    ....actually implementing everything the NSA recommends in its guides will get you a system that is both highly secure and exceptionally inconvenient for its users. It's a useful reference, to see if you've forgotten anything that you particularly want, or anything obvious, but as always, individual admins will have to decide for themselves where they want their systems to lie on the security-usability axis...

    --
    ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
  5. You Bastards! by Anonymous Coward · · Score: 5, Funny

    Hmm the pdf is downloading at .6 k/s and dropping. Slashdotting the NSA - this qualifies for some sort of Darwin award, doesn't it? :)

  6. File Vault by dumitrius · · Score: 5, Informative
    This is simply the encryption of the entire user's home directory. I had this enabled on my PowerBook, stuffed it with a few gigs of data and it ran fine for a while... maybe like 3 months. Then one day on a reboot the thing silently lost all my personal settings and dropped me into a stock desktop configuration. Was nursing this for a week or two when I started getting garbage in some source files. Was thinking maybe the hard drive was defective but have a hunch the encryption just went haywire and was getting worse. Turning File Vault off failed with an error. Have reinstalled the OS keeping a plain text home dir and things seem dandy.

    Has anyone seen this before?

    1. Re:File Vault by eyegor · · Score: 4, Informative

      It happened to me too.... I managed to get everything back though. There was a sparse diskimage file that contained my home directory. Once I mounted it, everything returned to normal.

      Your mileage may vary.

      --

      Don't anthropomorphize computers, they don't like it.
    2. Re:File Vault by Anonymous Coward · · Score: 4, Informative

      Many people had problems with it when it first came out. It was caused by the "recovering space" thing not completing before the user logged in again. I still don't trust Apple's default configuration since there are warnings in their own documentation against using a sparse image, which File Vault does.

      I've used this hint for over six months now without problem.

      On the other hand, it's trivial to get the user's password from swap, unless Apple fixed this hole already, so there's not much point to File Vault right now.

    3. Re:File Vault by Daengbo · · Score: 4, Insightful

      I don't trust it with anything important though

      Kind of defeats the purpose, doesn't it?

  7. In other news... by eventDriven · · Score: 5, Funny

    The U.S. Government's ultra-secret monitoring system 'echelon' was briefly unavailable after the NSA's web servers were Slashdotted.

  8. NSA Security Guide by Anonymous Coward · · Score: 5, Funny

    Always leave an NSA auto-secure port (9999) open on your machine.

    Disregard any unexplained background executables.

    Always use IE when surfing.

    Confine all discussion of terrorist/anti-government actions to public networks (or private ones, we don't really care).

  9. Security, Usability, Reliability by stratjakt · · Score: 5, Insightful

    Pick any two.

    --
    I don't need no instructions to know how to rock!!!!
  10. Slashdotted already? by BandwidthHog · · Score: 5, Funny

    Alright, we've slashdotted the NSA!!!!!

    Now we can safely do, umm, whatever it is that we thought we couldn't do safely while the NSA had an active internet connection. Psst, any terrorists out there need a browser with 128-bit SSL enabled?

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
  11. Screwed up by AKAImBatman · · Score: 5, Interesting

    Yikes! The replies to this story are completely screwed up. I'm starting to feel sorry I ever tried to make a joke. I figured others would have something more insightful to say. Well, since no one else will, I'll try to say something insightful.

    It seems to me that most OS X users are pretty quiet on the topic because they can't find anything to say. Not because they're ashamed, but more because OS X Just Works(TM). Since the OS Just Works(TM), security guidelines like this are nothing more than hints on how to prevent users from accidentally opening security holes.

    Contrast this with Windows, where everyone is always looking for the "magic solution" that will allow them to completely close off the machine from attack. Yet Windows insists on requiring various services (e.g. RPC) to be running and publicly available before it will run properly.

    Some might argue that OS X is so secure because the developers had an opportunity to view OSes which came before them. This may seem like a reasonable argument, but quickly falls apart once OS X's heritage is investigated. You see, OS X is really the next major release of NeXTSTEP, an OS that pre-dates Microsoft's creation of Windows NT & 95. NeXT got it right back then. Why can't other OS makers get it right today?

  12. Counterintuitive... by Anonymous Coward · · Score: 4, Insightful

    Since it's a security site, I'd expect it to display a warning and disable the site if you are clueless enough to accept the cookie!

    You gotta start with the fundamentals...

  13. Keychain Access Gripe by finkployd · · Score: 5, Informative

    I finally found something about OS X that I absolutely hate and is making me question the entire OS. OS X has its own digital certificate/private key cache (which also stores passwords, but that is irrelevant), which is convenient for applications that use certificates and private keys for identity (like Safari and Mail.app). It also has a nice utility for managing this environment (Keychain Access).

    HOWEVER, Apple (for reasons I cannot fathom) has decided to not allow keys and certs to be exported from this cache. This is totally unacceptable and horribly wrong. In this email, which confirms my worst fears, Peter Sagerson says it best:

    In Jaguar, private keys are never exportable. This seems kind of silly, since my digital identity should be linked to me, not the platform, the machine or that particular (and transient) installation of the OS. In Panther, Keychain Access has an Export command, but it's never enabled. I don't see a Keychain-level API for key export and the CSSM API doesn't seem to work. So it's hard to tell what the intention is.

    The intention seems to be the very incorrect idea that the digital identity belongs to the computer, and not the person. I have figured out how to move my cert and key to another Mac, that is, simply creating a new keychain, copying certs to it, and moving the new keychain file to another machine. However, I still cannot get them out of Apple's proprietary format to move them to any non-OS X platform. I have posted this question to Apple's usually helpful discussion forum, but have received no answer.

    This is most disturbing and calls into question both Apple's competency with regard to security in general, and their intentions with regard to what the user can do with their own data (or in this case, their own identity).

  14. NSA Guide to securing Windows computers by Roadkills-R-Us · · Score: 4, Funny

    Step 1: Pack Windows system in appropriate shipping container
    Step 2: Mark container "Target"
    Step 3: Have courier deliver container to nearest FBI shooting range

    1. Re:NSA Guide to securing Windows computers by patman600 · · Score: 5, Funny

      Sure, just add even more holes to the system...

  15. They're... still... up by twalls · · Score: 5, Funny

    Several people have already called the slashdotting. They're still alive and kicking! Gotta give em credit for trying. "Mr. President, we're giving her all we can! She just doesn't have enough bandwidth!" "Well, why not just use one of the other Internets?"

  16. Another excellent OS X security guide by daveschroeder · · Score: 4, Informative

    Corsaire Ltd has an excellent practical OS X security whitepaper in this same vein.

  17. Keychain itself designed to be portable by daveschroeder · · Score: 4, Informative

    Apple is most certainly not tying digital identity to the computer.

    Your Keychain, in ~/Library/Keychains, is perfectly portable, and designed to be moved from computer to computer, or stored on a device for storing such tokens, such as a USB flash drive.

    Further, that certificates are even in your keychain at all implies that you should have access to the original source certificate files, which clearly remain portable.

    And finally, rumor has it that Tiger will include much more advanced features for managing, importing, and exporting certificates and CAs.

  18. MacOSX attacks... by mveloso · · Score: 4, Informative

    Attacks on MacOS X will be driven by user interaction.

    The biggest problem for malware writers in MacOS X is that it's hard to remotely attack the box.

    Mac OS 9 and its ilk were pretty much impossible to compromise remotely, because, well, they were designed as single-user OSs with no network services (no network daemons) installed by default.

    Mac OS X isn't quite like that, but it's close. The downside is all those BSD-level things probably have holes of one sort or another. Has anyone actually checked the robustness of Apple's X11 implementation?

    OTOH, it's much easier to get the user to click and download something. The "prompt for your admin password" thing is great, but everyone does it without thinking these days, giving any installer root access.

    Once that happens, you can install anything, anywhere, and given the structure of MacOS X you can hide your stuff in places a normal user won't be able to find. The "Opener" guys (see www.macintouch.com) should have edited the rc scripts, not stuck their stuff in /Library/StartupItems.

    Luckily, the web/email based attacks haven't worked so far (unlike on Windows), so you really do need to get someone to run an app. These days that isn't as hard as it used to be.

    Apple could protect against that by doing a system restore/diff after every installer run. It would be useful after-the-fact, and most users may not understand any of it, but it would be nice to have. Or (assuming the metadata stuff works in tiger) you could stash metadata info on the installed files somewhere, then search across your filesystem for matching stuff?

    Ideally (and this is what MS tried) each publisher would sign all their files, and that sig would be part of the file metadata. So you could list, see, and search across it. Malware would bypass that, though, but you never know.
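A minimal version of the post-install diff mveloso proposes, as an added example (not code from the thread or from Apple): snapshot a tree before an installer runs, diff it afterwards, and flag anything that landed in Library/StartupItems. The directory layout, file names and contents are constructed for the demo.

```python
# Added example, not code from the thread or from Apple: a baseline/diff check
# of the kind mveloso suggests. All paths and file contents here are constructed.
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def diff_snapshots(before, after):
    """Return the relative paths that were added, removed or modified."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def flag_persistence(delta, watched=("Library/StartupItems",)):
    """Added or modified paths that landed in a startup location worth a second look."""
    changed = delta["added"] + delta["modified"]
    return sorted(p for p in changed if any(p.startswith(w + "/") for w in watched))

def demo():
    """Simulate one installer run against a constructed system tree and diff it."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "Applications").mkdir()
        (base / "Library" / "StartupItems").mkdir(parents=True)
        (base / "Applications" / "Good.app").write_bytes(b"original binary")
        before = snapshot(root)
        # The "installer": drops a startup item and silently patches an existing app.
        (base / "Library" / "StartupItems" / "Helper").write_bytes(b"#!/bin/sh\n")
        (base / "Applications" / "Good.app").write_bytes(b"patched binary")
        delta = diff_snapshots(before, snapshot(root))
        return delta, flag_persistence(delta)

if __name__ == "__main__":
    delta, flagged = demo()
    print("installer changed:", delta)
    print("persistence changes to review:", flagged)
```

On a real machine the baseline would be taken against the directories the installer may write to (such as /Library and /Applications) and stored off-box, since a hash list the installer can edit proves nothing.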