Chapter 24. Macintosh

Security issues plague every operating system, and the Macintosh operating system is no exception. Hundreds of hacking programs exist that target the Macintosh (and hundreds more run on the Macintosh to target other systems), so it isn’t hard to see that the platform has its flaws. Yet many people still believe that security on the Macintosh platform isn’t an issue! Until Mac OS X, Macintosh operating systems offered greater security than many alternative systems, and many of the issues and hacks seen now stem from modifications to the system and from exploits against third-party software.

When security issues and hacks began increasing for the Macintosh, many of the Mac OS news sites never reported on them, for fear of losing readers by covering such negative news. Times have changed for these sites; when one site posts on an issue, the others must follow suit, as security has become such a hot topic and is recognized as a high-priority subject. If not for the competing news sites and concerned readers, some security issues still wouldn’t be reported.

Security issues and hacking topics for the Macintosh formerly could only be found at select sites, most of which specialized in the topic or were underground-related. Sites like mSec (http://www.msec.net), SecureMac.com, and Freaks Macintosh Archives (http://freaky.staticusers.net/, a Mac hacker site) have reported on hacking vulnerabilities since they opened. Macinstein.com was one of the first sites to cover Macintosh security issues openly, and now MacSurfer.com and MacFixIt.com have no fear of discussing or reporting the issues, either.

Apple has also responded publicly by offering a mailing list specific to Macintosh security and setting up a Web site with information at http://www.apple.com/support/security/. The mailing list only discusses topics related to the operating system; third-party products are not discussed on it.

The security updates page (http://www.apple.com/support/security/security_updates.html) within Apple’s security site currently only has information on Mac OS X and Mac OS X Server. Each entry names the affected software component that the system uses, along with any known references.

In the rest of this chapter, I will cover Macintosh security topics ranging from internal desktop security to Internet security, covering both the classic Mac OS (prior to X) and Mac OS X. First off, I would like to explain the differences between Mac OS X and Apple’s previous version of its operating system.

Mac OS X—Apple’s New Operating System

Unlike any of Apple’s other operating systems, Mac OS X is a new breed, created by combining the Macintosh interface with Unix underneath. Mac OS X is Unix-based, running on Darwin (http://www.apple.com/darwin/), the open-source core of Apple’s system. The most notable difference from earlier releases is that Darwin pairs the Mach 3.0 microkernel with operating system services derived from BSD. Apple has brought back many users with the release of Mac OS X by catching the attention of technical users, allowing them to interact with the Unix layer through the Terminal application (see Figure 24.1), providing the best of both worlds.

Figure 24.1. The Mac OS X Terminal console—the gateway into the core of the Unix portion of the system.

The Terminal application gives users access to the Unix underlying Mac OS X. With the developer tools installed, many Unix programs can also be compiled and run from the command prompt. This includes many of the security tools available for Unix, as well as exploits in C or Perl found on sites such as PacketStorm Security (http://www.packetstormsecurity.org).

In basing OS X on Unix, Apple has inherited the security concerns that exist for Unix, on top of those of the Macintosh. Mac OS systems prior to OS X were considered more secure because no remote administration utilities were built in. Additional software was necessary to remotely control or administer the computer; without it, a remote attacker had no way into a machine on which no services were enabled and no server software was installed. Unix, by contrast, is a full multi-user environment with dozens of services and programs that can be activated or launched to give remote users access to the system (such as FTP, SSH, Telnet, Web, and backdoors reachable via Telnet).

Mac OS X ships with most of these services disabled by default, so an unknowing user is not open to remote connections unless the services are activated first. Early versions of Mac OS X came with a Telnet service that let a user connect with a Telnet client and navigate and control the system remotely. Because Telnet sends everything, including the login password, in plain text, the Telnet service was promptly replaced with SSH, which offers the same remote command-line access over an encrypted, authenticated connection.

Enabling the SSH service (the sshd daemon) on a Mac OS X system allows a user to SSH to the computer, and with the correct password the remote user gets command-line access (for more on SSH, see Chapter 6, “A Brief TCP/IP Primer”). If you do not intend to access your computer remotely, turn this service off, especially if you have not set up a firewall restricting access to the port SSH runs on (port 22). SSH has had security issues of its own; running the software without keeping up with its advisories can be hazardous to your system. In short, don’t run it for fun. Use it when needed and when the computer is protected properly.

Establishing the Macintosh as a Server

Today, it is common to have Macintosh computers in every environment, and it is becoming more common to see them used as servers. There are many server software packages available, including IRC, FTP, Hotline, Mail, and Web for the Macintosh.

Establishing a Macintosh Internet information server was once a pretty daunting task—not any more. Today, there are many server suites available that will have you up and running in minutes. I list a few in Table 24.1.

Table 24.1. Popular Macintosh Server Suites and Their Locations

Of the server suites listed, I will only go into detail with two of them, WebSTAR and Hotline.

Of the servers mentioned in Table 24.1, the one that has received the most publicity is WebSTAR, mostly for its security features. The first mainstream media attention the software package received occurred when a cash reward was offered for anyone who could penetrate the Web server. Most recently, the U.S. Army decided to switch its Web server platform to the Mac OS and run WebSTAR. Before discussing other vulnerabilities for the Macintosh platform, I want to briefly cover that story.

WebSTAR Server Suite Recruited by U.S. Army

On September 14, 1999, StarNine (now known as 4D Inc.) announced that the U.S. Army’s main Web site, http://www.army.mil, was being served by WebSTAR Server Suite software on the Mac OS. A Windows NT–based server had previously been serving the Army site when it was hacked in late June 1999 by a 19-year-old Wisconsin man. Perhaps old news, but the Web server is still in place running on a Macintosh using WebSTAR.

This sudden switchover caught the attention of everyone. WebSTAR’s press release was plastered all over the news, and Apple ran commercials showing Army tanks surrounding the G3 Macintosh.

WebSTAR for Mac OS X allows for the easy configuration of all the services offered in one package. Even though Mac OS X has the Apache Web server built in, the ease of WebSTAR and the added features/security make it a complete server suite. Last time I checked, the Army wasn’t running WebSTAR on Mac OS X—more than likely it hasn’t passed the tests, as the OS is rather new, or the Army prefers Macs without remote administration methods, so it would be ideal to stick to running WebSTAR on an OS prior to Mac OS X.

Hotline for Sharing Ideas and Files

Hotsprings, Inc., took over the development of Hotline from Hotline Communications; this recent change has raised many questions about where the program will go. Both the client and server software are available for download from mirrored locations on sites such as VersionTracker.com and Download.com. Grab your client, put in an alternative Hotline server, and connect.

Hotline is not a Web server or email server; you do not use a Web browser to access it. Hotline is its own server and its own client. Anyone can host a server, run the application, and become an administrator capable of sharing files with the world. You can find anything you want to download somewhere on Hotline. Hotline was first made for the Macintosh, and demand was sufficient for a Windows-compatible version, which is now also available. Let’s go through some of the details.

Hotsprings, Inc., made two products: a server that enables users to connect, and a client application that enables users to chat, send messages to each other, download files, stream media, and post news.

The software is free, and with the tracker system, anyone can find a server to fit their needs. The tracker is a list of online servers. You can search the servers’ descriptions or names to find a server that will fit your needs.

To list all the uncensored servers, open the server window and click the Add Tracker button. Enter tracked.group.org for the name and address. Refresh the list, and you now have access to anything you desire.

TIP

For a Macintosh hacking server where you can find all the Hackintosh files, get the Hotline client and connect to the Freaks Macintosh Archives server. The address is fma.nedline.com:1234; you can also search for FMA on the tracker or from the Web at http://tracker.staticusers.net/. There you can talk to Macintosh hackers, programmers, and power users whose knowledge goes well beyond that of most Mac users, as well as some of the original Macintosh hackers, like The Weasel, who started the e-zine HackAddict.

For Hotline resources such as news sites, articles, search engines, servers, and trackers, visit http://www.hotspringsinc.com/.

Mac OS X Server Ability

There are two different versions of Mac OS X: the standard package for the client side, and Mac OS X Server, which is intended for use as a server. The difference between the two is that the Server version has added tools and services pre-bundled with it to easily manage a server.

The standard edition of Mac OS X can also be run as a server. For starters, it comes with an FTP server, a Web server, and an SSH server, and with the right knowledge, additional server functionality can be added. However, the nice, easy-to-use interfaces to configure, set up, and install the server software will be absent unless third-party developers create them.

The Web server bundled with Mac OS X is the most used and popular Web server in the world—Apache (http://www.apache.org). Adapted to Mac OS X, users can now publish and serve their sites from their own computer with all the functionality of Apache on the Unix platforms. Combined with PHP and MySQL, the Apache Web server is far from lacking functionality. Mac OS X Server has GUI-based configuration utilities to help manage the Apache Web server. The standard version of Mac OS X doesn’t come with any Apache configuration utilities, so any changes to the server must be made by editing its configuration files from the command line. Reading the help manual and the additional documentation on the Apache Web site will be useful.

Each user has a directory called Sites in his home directory; the files there are accessible from a Web browser when the Web service is active. Opening http://127.0.0.1/~username/ in a Web browser on the local machine shows the files in that user’s Sites directory. Be aware that files stored within the Sites directory are accessible to anyone who can reach the Web server while it is active. If you use this directory only for yourself, without intending to allow access to anyone else on the Internet, be sure to configure the firewall to deny outside access to whichever port the Web server is listening on (generally port 80).
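The advice on SSH (port 22) earlier in the chapter and on the Web server (port 80) above has the same first step: before relying on a firewall, find out which services are actually listening on all interfaces. The following audit script is an added example written for this edit, not code from the book or from Apple. It parses the BSD-style output of netstat -an that Mac OS X prints (local addresses look like *.22 or 127.0.0.1.3306); the two netstat listings embedded in it are constructed for the demonstration, and the port-to-service mapping is the standard one assumed for the four services the chapter names.

```shell
#!/bin/sh
# Added example, not part of the chapter: audit which TCP services a Mac OS X
# host exposes to the network, from "netstat -an" output (BSD format, which is
# what Mac OS X prints: local addresses look like *.22 or 127.0.0.1.3306).

# Sample netstat output, constructed for this demonstration.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.49152      17.250.248.8.80        ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
udp4       0      0  *.68                   *.*'

# A host whose only listener is bound to the loopback interface, also constructed.
SAMPLE_CLEAN='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN'

# listening_ports NETSTAT_OUTPUT
# Print, one per line and sorted, the port of every TCP socket that is in the
# LISTEN state and bound to all interfaces ("*.port"). Sockets bound only to
# 127.0.0.1 are skipped: they cannot be reached from the network.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /^\*\./ {
            port = $4
            sub(/.*\./, "", port)   # keep only what follows the last dot
            print port
        }' | sort -n
}

# exposed_services NETSTAT_OUTPUT
# Print "PORT NAME" for each externally reachable listener that is one of the
# remote-access services discussed in the chapter. Returns 0 when none is
# exposed and 1 when at least one is, so it can drive an if statement.
exposed_services() {
    found=0
    for port in $(listening_ports "$1"); do
        case "$port" in
            21) name=ftp ;;
            22) name=ssh ;;
            23) name=telnet ;;
            80) name=http ;;
            *)  continue ;;   # other ports are still visible via listening_ports
        esac
        printf '%s %s\n' "$port" "$name"
        found=1
    done
    [ "$found" -eq 0 ]
}

# On a live Mac OS X system you would feed it real output:
#   exposed_services "$(netstat -an)"
if exposed_services "$SAMPLE_NETSTAT"; then
    echo "no remote-access services reachable from the network"
else
    echo "the services above are reachable: disable them or firewall their ports"
fi
```

Run against the constructed listing, the script reports ssh on 22 and http on 80 and ignores the MySQL socket on 3306 because it is bound to 127.0.0.1 only; that is exactly the distinction the firewall advice above depends on.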

There are Unix variants of Hotline, one of which is called HXD. Mac OS X can run HXD in the background as a daemon managed by the system; setting up, starting, and stopping the service is done through the Terminal application. HXD is just one example of server software that can run on Mac OS X; Apache is another, and there are still others, such as mail servers and various file sharing servers.

Vulnerabilities on the Macintosh Platform

I will now go over some software vulnerability issues for the Macintosh. I don’t believe that you can understand security fully without understanding what the hacker uses and knows. Some vulnerabilities only affect older versions of the software titles or systems, but you’d be surprised how many people are still using older versions, whether because they were unaware of the update, because the security alert wasn’t publicized enough (for instance, a release described merely as an update rather than as a fix for a security hole), or because the new version had too steep a price tag.

AtEase Access Bug

  • Application: AtEase 5.0

  • Impact: Files anywhere on the drive can be opened (in some cases with read/write access) through the file dialogs of permitted applications.

  • Class: Not critical

  • Fix: Remove access to the applications whose Open or Find dialogs can browse the drive.

  • Credit: charlie chuckles

    I spoke with charlie chuckles a while ago (in October 2000). He had noticed that no papers had been written on the unusual way of accessing files with AtEase, so he wrote the following:

This is a [problem] for AtEase 5.X…When I say the phrase “AtEase,” it usually implies some sort of inferiority to everything else. But AtEase isn’t really the problem here. It’s the applications and some of their roundabout ways of opening files and the system administrator’s not noticing. So I guess it sort of IS an AtEase problem by not covering every single [strange] way that programs ask for files. That was pretty deep.

The first thing I want to cover in here are the older tricks that have been on the market for a while. Everyone knows about the Web browser trick (type "file:///drive name/" and read all the files on the drive). That is commonly accessible because all users are given access to some browser in their user folder. There was another trick that I’d seen using Apple Works, but I could never get it to work. I think it’s because the person who wrote it was a failure with a wooden leg and real feet.

Now forward! to read/write! Let’s pretend you are in a biosphere. Now let’s pretend your user has access to MS Word. In version 8 (and the equivalent Excel release and probably the rest of Office) there is a find file function. Here’s how to use it:

Launch MS something. File>open. Click the Find button. In the Find window, select the drive you want to search and what you want to search for. If you want all the files listed, leave the search field empty. It will take a while if there are a lot of files on the drive to be searched (4 minutes for 30,000 on beige G3s). The files will list, and you can select what to open with read/write privileges.

I’m pretty sure this works because the method of opening the files was not covered in AtEase. There are other examples of this. In a graphic converter, you can go to file>browse folder and look at the drives with read/write access. Same with Netscape (read only). These are all very [strange] methods of opening and browsing the files. I’m sure there are many other applications that are like them. Keep your peepers on the screen, squire.

AtEase PowerBook 3400 Bug

  • Application: AtEase 4.0

  • Impact: Disk drives can be corrupted.

  • Class: Critical

  • Fix: Upgrade; the fix is out.

  • Credit: Unknown

If you have a PowerBook 3400 and are thinking about installing At Ease 4.0, do not enable the floppy disk boot security feature. If you do, your disk volume will become permanently corrupted, and you will be unable to access the disk by any conventional means (including boot floppy, SCSI drives, CD-ROMs, or other methods).

Denial of Service by Port Overflow

  • Mac OS Versions: 7.1, 7.8

  • Impact: Attackers can take down the machine by port scanning.

  • Class: Moderate

  • Fix: Get OpenTransport 1.2.

  • Credit: VallaH

Mac OS machines running TCP/IP and System 7.1 or System 7.8 are vulnerable to a denial-of-service (DoS) attack. When these machines are the target of heavy port scanning, they die (7.1 crashes, and 7.8 runs the CPU to 100% utilization). This was reportedly repaired in OpenTransport 1.2.

Besides the systems themselves being affected by the attack, it is common for third-party server software to have flaws of its own that cause denial of service. In case of constant crashing, look over the log files carefully for something suspicious, then put a stop to the insanity! Report your findings to the developers of the application, and be sure to update your software if newer versions are available from the vendor, as the issue may already have been fixed.

DiskGuard Security

  • Application: DiskGuard

  • Impact: DiskGuard can deny even authorized users access to their disk drives.

  • Class: Serious

  • Fix: Available

  • Credit: Unknown

Even the security applications themselves can create security problems. DiskGuard, created by ASD Software and now owned by Intego, is a security application that restricts access to folders, files, and disk drives. In a prior version of the software (1.5.2), users who installed the software found that their drives were inaccessible. The company at the time (ASD Software) released a patch upgrading the software to 1.5.3, resolving the issue. Even with the current version, security software that restricts drive access can be very harmful when misconfigured or tampered with by a vicious attacker.

The current owner Intego (http://www.intego.com) has taken further steps to ensure that the software is understandable and well-documented. New versions of DiskGuard don’t have the problem found in version 1.5.2, but there is still the possibility of administrator error causing lockouts to the computer unintentionally.

Be cautious of how the computer is set up—if it is in a high-risk environment, invoke more restrictions and policies. Make sure the administrator is the only one who knows the password used to administrate DiskGuard; in the wrong hands, it could be used to cause lockouts, making it a very time-consuming task for the administrator to regain access to the system.

For example, a user with enough permissions could load and run a program created by mSec called Disengage (http://freaky.staticusers.net/security/fileguard/Disengage.sit), which decrypts the user information DiskGuard stores and shows it to whoever ran it. Once the user had the administrator password, she could log in as the administrator and have full access to the computer, or change the permissions.

Users can contact the software developer to voice their concerns. In the end, it’s a cat and mouse game—the developer will change the encryption method the user information is stored in, and crackers will figure out how it was done and create a new program to decrypt it. The best thing to do is watch user activity on the computer and restrict access as much as possible when in a high-risk environment.

FWB Hard Disk Toolkit 2.5 Vulnerability

  • Application: FWB Hard Disk Toolkit 2.5

  • Impact: Replacing the disk driver removes the protection on the hard drive, exposing its data.

  • Class: Serious

  • Fix: Upgrade

  • Credit: Space Rogue

In an advisory, Space Rogue explains the problem, the exploit, and the fix. In short, the protection depends on the disk driver: replace the driver for the drive and the hard disk’s blocking functionality is no longer fully operational, so the data can be accessed.

TIP

The full advisory written by Space Rogue back in 1998 is at http://www.atstake.com/research/advisories/1998/fwb.txt.

MacDNS Bug

  • Application: MacDNS

  • Impact: MacDNS is vulnerable to DoS attacks.

  • Class: Moderate

  • Credit: Matt Leo

MacDNS provides Domain Name Service lookups for networks and runs on Macintosh Internet servers. Unfortunately, MacDNS will die when bombarded with requests at high speed. (The problem was initially discovered when a firewall tried to resolve the host name of each and every URL requested, flooding the MacDNS server with thousands of lookups.) This has since been confirmed as a bona fide DoS attack that remote attackers can reproduce. Leo suggests packet filtering to limit who can query the server. Otherwise, contact Apple for further information.

NOTE

Apple has released more documentation on the configuration of MacDNS to allow more connections. Full documentation can be found at Apple’s Technical Information site, linked from Apple.com’s support section.

Network Assistant

  • Application: Network Assistant

  • Impact: Remote users can access your drives and network.

  • Class: Serious

  • Fix: Change the default password.

The default password for Network Assistant is “ZYZZY”. Do us all a favor and change it so it is no longer the default. For any program that has a default password, documented or not, change the password right away to avoid unauthorized entry.

Password Security on Mac OS 8.0 Upgrades

If you install 8.0 over earlier versions, the Password Control Panel is disabled, and password protection will not work. To remedy this, either install the patch or install 8.0 clean and keep an earlier version with which to boot. Whenever you want to adjust the password settings, boot with the earlier version.

Sequence of Death and WebSTAR

  • Application: WebSTAR and NetCloak combined (not WebSTAR alone)

  • Impact: WebSTAR servers with NetCloak can crash after receiving the Sequence of Death.

  • Class: Serious

  • Fix: Upgrade

  • Credit: Jeff Gold

This is a garden-variety DoS vulnerability in early WebSTAR releases, and has nothing to do with Apple. (In fact, this hole can only be reproduced on a server that is also running NetCloak.) Gold found that if you append certain strings to a URL, the WebSTAR server will crash. Macworld ran a story on this hole, and the folks at that magazine did some testing themselves:

…for Mac Webmaster Jeff Gold, frustration turned to alarm when he realized that a mere typo caused his entire Mac-served site to crash. Gold’s crash occurred while he was using StarNine’s WebStar Web server software and the plug-in version of Maxum Development’s NetCloak 2.1, a popular WebStar add-on. Adding certain characters to the end of a URL crashes NetCloak, bringing down the server. To protect the thousands of sites using NetCloak, neither Gold nor Macworld will publicly reveal the character sequence, but it’s one that wouldn’t be too difficult to enter. After further investigation, Macworld discovered that the problem surfaces only when a server runs the plug-in version of NetCloak. When we removed the plug-in and used the NetCloak CGI instead, the Sequence of Death yielded only a benign error message.

TIP

The previous paragraph is excerpted from an article by Jim Heid, titled “How to Crash a Web Server.” (MacWorld 1997)

NetCloak is manufactured by Maxum Development. You can contact Maxum for upgrade information at http://www.maxum.com.

Mac OS X Software Vulnerabilities

Mac OS X has had more security issues discovered and fixed within the last three months than Mac OS 9 has had in the past two years. This is because Mac OS X runs many programs written for Unix in general, and because much of it is open source, developers, hackers, and coders can pick through the code inside and out to find weaknesses.

If you look at a Unix security mailing list, it carries 100 times more posts than a Mac OS 9 list does. With past Mac OS releases nothing was really open source, so flaws had to be found by extensive probing of a closed system.

Take a look at Mac OS X’s software vulnerability page (http://www.info.apple.com/usen/security/security_updates.html) and subscribe to the mailing list (http://www.info.apple.com/usen/security/). Each Security Update you install lists what is actually being updated, and each of those items is being updated because a security flaw was found in it. Many of the programs being updated are standard Unix packages, so when a version of such a package is found to be vulnerable, Apple has to evaluate whether the risk applies on its platform. If it does, Apple makes the update available promptly.

Upon finding a vulnerable item in Mac OS X, you should contact Apple’s security team with the details by email so the issue can be verified and fixed.

For instance, I just received an email from a user named Olivier notifying me of a security risk that was just discovered for OpenSSL. This particular vulnerability would require Apple to update many other packages that utilize OpenSSL functionality. The issue was posted to bugtraq by the people who found it—Olivier is just one of the Mac OS X readers who follow up on security, therefore knowing his system is insecure before Apple even announces it. He told me he applied all the necessary changes detailed in the advisory, and his system is no longer vulnerable.

Localhost Security Concern

Mac OS X’s first major security glitch affects all systems that have not been upgraded to Mac OS X 10.1. The issue revolves around setuid-root applications handing out root access. It was demonstrated in four easy steps:

  1. Open up the Terminal.app (located in Applications/Utilities/).

  2. Quit Terminal.app (File Menu, Quit Terminal)

  3. Open up NetInfo Manager (Applications/Utilities) and leave it in the foreground.

  4. Launch the Terminal.app from the Recent Items list from the Apple Menu.

If the computer has not been patched, the command prompt will be #, the prompt for root, the superuser who can do anything on the computer. Apple took this issue very seriously and updated the software to close the hole. New builds of Mac OS X are not affected in the manner described.

Additional measures, such as the Open Firmware protection described later in this chapter, further restrict local users: they will not be able to boot from any other drive or media without supplying the proper password.

About File Sharing and Security

Yet another security concern for Macintosh users is permitting file sharing. Notice the word concern is used, because the problem depends on what disks and resources are actually shared, if any. The Macintosh file sharing system is no less extensive (nor much more secure) than that employed by Microsoft Windows versions.

Sharing files is the act of allowing others to have access to the files. Sharing can be complex, and the choices you make in configuring the file sharing are dependent on the trust relationship in your organization. For example, I will share with you a story of one of my clients—I can assure you this happens a lot, and with networks being used in every environment, security rules must be implemented.

It doesn’t matter how large or small the network may be, when people are grouped together, each group has its own tasks. My client’s office wasn’t the largest setup; however, he had enough computers, and a few extra that weren’t used on a daily basis. Everyone who was a part of the company was trusted—the owner fully believed that each employee loved his company and the business, as well as cherished their jobs.

I was called on to do some security assessment because many of the company’s confidential files and client contact sheets had been distributed to a competing company. The network was composed of both Windows and Mac machines sharing resources among each other. The computers in the billing department only showed the billing information, and the computers in the lab only showed the users’ shared resources.

Instead of setting up file sharing with permissions for each group of computers, the prior administrator had simply arranged for a computer in a particular group (for instance, billing) to show only one directory on the desktop, which the user could double-click to access. No restriction whatsoever was actually enforced. The users could hold down the option key and click on the title bar to navigate up a directory and see all the other users’ files, with permission to copy, delete, and so on.

I set up each user with their own login and password, and they were still able to share files with other users in the department, but now the other departments were restricted from navigating another’s directory.

Log files on the server showed that the files had been downloaded from an IP address assigned to an unused computer in the billing department. That computer had exactly the same setup, but there wasn’t any sort of login required at boot-up, whereas the other computers were protected with a screensaver password.

To prevent situations like this from occurring, you should carefully plot out sharing privileges at the time of installation. (And, naturally, if you don’t need file sharing, turn it off. Later in this chapter, I examine programs that can block unauthorized access to folders and control panels, so you can ensure that sharing stays off.) However, perhaps the most important step you can take to keep a Macintosh network secure is this: Educate your users.

Macintosh users are not security fanatics, but that’s no crime. Still, a lot of Unix and Windows NT users ridicule Macintosh users, claiming that they know little about their architecture or operating system. With Apple’s release of Mac OS X in 2001, which is based on the BSD platform, security has changed. Apple is taking security issues very seriously, and reacting to security flaws in a timely manner.

However, most Macintosh users are not very security conscious, and that’s a fact. So, anything you can do to change that is wonderful. At the very least, each user should establish a strong password for himself as the owner of the machine. (Macintosh passwords are subject to attack just the same as any other password on other platforms.) Finally, (and perhaps most importantly), guest access privileges should be set to inactive.

Mac OS 9 File Security

Mac OS 9 offers many more security features, such as voice authentication. One of the more notable features is the capability to encrypt and decrypt files using the built-in File Security program. It doesn’t offer the highest level of encryption, but it is enough to keep people from opening them and still be quick enough to encrypt and decrypt on the fly.

To encrypt your files on the fly, open the Apple File Security program located in the Security folder within the Applications folder on the hard disk.

Mac OS X File Security

Mac OS X offers much more user security than Apple’s previous operating systems. The administrator can add, modify, and delete multiple users through the Users pane of System Preferences. Each user’s account has its own home directory, where the user’s files are stored and are protected by default from changes by other users who lack the proper privileges. The permissions used for the files are the same as the permissions used in Unix.

Using the Terminal application to access the command line, users can learn more about file permissions via the command man chmod. Users can also change permissions through the graphical user interface (GUI) of Mac OS X by choosing Show Info on the particular file or folder and selecting Permissions.

Figure 24.2. Permissions screen for a file or folder.

Owner is the person who owns the file/folder. If you’re looking at one of your own, you should be the owner, and Group defines which group you are associated with. Because I logged in with the administrator account, I am part of the group Staff.

If you have a sufficient permission level, you can change the permissions of the files, allowing the owner Read & Write or Read Only access. The group setting allows you to select what the other accounts in your group can do to the file: Read & Write, Read Only, or None.

The Everyone permission is what everyone can do. These are the users who are not a part of the group, or who aren’t the owner of the file. In Mac OS X, your home directory is set to Read Only for Everyone, meaning that everyone can peek through your files. If you want to restrict all the other users, simply get info on your user folder (by clicking the home button and then going up a directory), select the Privileges option from the pull-down menu, and toggle the settings. Changes take effect as soon as they are selected. There isn’t a choice to save permissions or cancel, so pay attention to what is being done, in case you select the wrong permissions.
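The privilege choices described above map directly onto the Unix modes that chmod sets. The following shell script is an added example, not code from the book: it translates the Read & Write / Read Only / None choices for Owner, Group and Everyone into an octal mode, applies the home-folder restriction recommended above to a scratch directory, and reads the result back with ls. The helper names (mode_for, perm_string, lock_home) are our own.

```shell
#!/bin/sh
# Added example (not from the book): the Show Info privilege choices
# (Read & Write, Read Only, None) for Owner, Group and Everyone mapped
# onto the Unix modes that chmod sets. Helper names are our own.

# mode_for OWNER GROUP EVERYONE, each one of: rw | r | none
# Prints the three-digit octal mode. A readable directory also gets the
# execute (search) bit; without it the folder can be listed but not entered.
mode_for() {
  octal=""
  for who in "$1" "$2" "$3"; do
    case "$who" in
      rw)   octal="${octal}7" ;;
      r)    octal="${octal}5" ;;
      none) octal="${octal}0" ;;
      *)    echo "unknown privilege: $who" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$octal"
}

# perm_string PATH: the ten-character mode field of ls -ld, e.g. drwxr-xr-x
# (the same on the BSD ls of Mac OS X and on GNU ls).
perm_string() {
  ls -ld "$1" | cut -c1-10
}

# lock_home DIR: the restriction the text recommends for a home folder.
# Owner keeps Read & Write; Group and Everyone drop to None.
# Prints the resulting mode field.
lock_home() {
  chmod "$(mode_for rw none none)" "$1" && perm_string "$1"
}

# Demonstration on a scratch directory so nothing real is touched.
demo() {
  d=$(mktemp -d)
  chmod "$(mode_for rw r r)" "$d"          # the default: Everyone can peek
  echo "before: $(perm_string "$d")"       # drwxr-xr-x
  echo "after:  $(lock_home "$d")"         # drwx------
  rmdir "$d"
}
```

Run demo to see the before and after strings; to apply the same change to a real home folder, call lock_home with its path. The mode field is read back from ls rather than trusted from the chmod argument, which is the check the text asks for: confirm what was actually set.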

The root user has permission to change any file permission, or to open or delete any file—essentially, whatever she wants. This user should be protected—in Mac OS X, Apple decided it was wise to disable the root user. Those who really want to enable it can do so by following these instructions (this same method can be used to disable the root account, also):

  1. Within the Applications folder on the hard drive is another folder called Utilities with a program called NetInfo Manager—double-click it.

  2. From the Domain menu, choose Security, then Authenticate. A dialog appears asking for the administrator’s password.

  3. After you’re authenticated, choose Domain, Security, Enable Root User.

The Administrator account, which is the first one created when installing Mac OS X, should not be used for everyday normal use. Avoid selecting new users as Administrators when there is no need to do so, and avoid doing everyday tasks as root.

Server Management and Security

For many, establishing a Web server is a very formidable task, but there is no comparison to actually maintaining one. This is especially true if that Web server is only a small portion of your network, or if numerous people need to be called upon to handle security privileges with different departments or clients.

Handling the management of a server is a very important task; even more important is ensuring that the server remains secure from intruders. Two approaches can be taken to assist with such tasks: You can contract out for custom programming, or you can rely on third-party applications for assistance.

Custom programming is expensive and time-consuming. If you want to throw up a few Web servers and manage them remotely, I recommend using prefabricated tools for the task. If your environment is predominantly Macintosh, the applications that follow are indispensable.

For Unix systems, there have been dozens of applications for security-related research. As Mac OS X is Unix based, we are already seeing ports of many of the popular Unix security analysis tools to Mac OS X. Currently, many of the programs lack a GUI and must be set up and installed via the command line. If you’re not quite grasping the Unix aspect, search Google.com for Unix tutorials or HOWTOs—just reading over and trying the commands will familiarize you with it.

The benefit of many of the Unix applications is that they’re open source. This means that, rather than being distributed only as compiled binaries, they include the source code, and they have a cost that’s priceless to end users—free. If you find a program that runs on Unix and the developers have created builds for various flavors of Unix, there is a chance they are developing a version to work flawlessly with Mac OS X, or would be able to if they had access to a Mac OS X computer to debug, compile, and run it on.

After understanding the benefits, take a look at some of the management utilities built into the system. Bring up Mac OS X’s Sharing Preference window to make sure you know what is running and what isn’t. Open the System Preferences window, then click the Sharing icon. Within the window you will see the status of the following options:

  • File Sharing

  • Web Sharing

  • Allow FTP Status

Both File Sharing and Web Sharing have buttons to activate and deactivate the service. When the File Sharing status says File Sharing On, the service is active, and can be turned off by clicking the Stop button. At that point, the status will change. Allowing FTP access by checking that check box is generally not a good idea unless you are aware of the access it grants—any user on your system with an account can FTP in. FTP is also an insecure protocol: the login and password you supply when FTPing into the server are sent in plain text. Anyone sniffing the network to monitor traffic between you and the destination host can see all the traffic passing by, including the files being transmitted.

Under the Applications tab of the Sharing Preferences is a check box that should be unchecked by default labeled Allow Remote Login. When this option is checked, your computer is running the SSH daemon (SSHd), waiting for connections to be established. Upon correct authentication, users who have an account on the system can operate the computer via the command line as if they were in the Terminal application. By trusting users to connect remotely, you also run the risk that the SSHd running on your computer might be vulnerable to some sort of exploit.

That is why I suggest you follow SecureMac.com for any sort of issue that might occur concerning your Mac’s security. If you aren’t one to compile your own builds of software when new versions come out, keep checking back with Apple’s Software Update, located in System Preferences; check it periodically for new updates that close any open holes. Until an update is available, often the only route is to disable the affected application containing the holes. If the application is a service that allows remote users to create a connection to your computer, it might also be wise to deny connections to its port at the firewall.

EtherPeek

WildPackets, Inc., formerly known as AG Group, has the most outstanding network utility around. EtherPeek is a protocol analyzer for Macintosh that supports a wide range of protocols, including but not limited to the following:

  • IP

  • AppleTalk

  • NetWare

  • IPX/SPX

  • NetBEUI

  • NetBIOS

  • DECnet

  • SMB

  • OSI TARP

EtherPeek is not your run-of-the-mill protocol analyzer, but a well-designed commercial sniffer. It includes automatic IP-to-MAC translation, multicasts, real-time statistics, and real-time monitoring. EtherPeek also includes integrated support for handling the LAND denial-of-service attack that took down so many servers. If you are in a corporate environment, this would be a wise purchase. Security administrators will love this program for analyzing network activity.

InterMapper 3.6

InterMapper is an excellent tool that can save Macintosh system administrators many hours of work. The application monitors your network for possible changes in topology or failures in service. Network management is achieved using the Simple Network Management Protocol (SNMP).

One especially interesting feature is InterMapper’s capability to grab a network snapshot. This is a graphical representation of your network topology. (Network topology is more or less automatically detected, which saves a lot of time.) InterMapper even enables you to distribute snapshots across several monitors for a wider view.

The network snapshot is extremely detailed, enabling you to quickly identify routers that are down or having problems. You can actually specify how many errors are permissible at the router level—when a particular router exceeds that limit, it is flagged in a different color. Clicking any element (whether machine or router) will bring up information boxes that report the element’s IP address, the traffic it’s had, how many errors it’s had, and so forth. If there has been trouble at a particular node, you will be paged immediately. In all, InterMapper is a very complete network analysis and management suite.

InterMapper provides simultaneous support for both AppleTalk and IP. The software has full Mac OS 9 and Mac OS X support and is ready to run on Apple’s 1U rackmountable Xserve machines, with a plethora of user-contributed plug-ins for added functionality.

MacAnalysis

MacAnalysis is one program that belongs in any administrator’s toolbox for security auditing. MacAnalysis checks for over 300 vulnerabilities, and retrieves passwords and information in over 200 different ways. It runs from a Mac, but has the information to scan many operating systems for known holes, reporting and analyzing the results, and giving the administrator insight into his network along with tips on fixing the problems.

Besides the security auditing features and the capability to test the results within the program to prevent false alarms, it also has schedulers and instant updates for the newest security holes available for download from their server through the software.

I said it belongs in any Mac administrator’s toolbox, but it isn’t just a security admin’s tool, because of its built-in network testing and analysis tools:

  • Traceroute with graphical map locating

  • Firewall (Mac OS X)

  • ping

  • TCP bounce

  • finger

  • Port scan

  • Reverse IP

  • Brute force pop3/SMTP

  • DUP broadcast scan

  • WHOIS

  • OS fingerprinting

  • Network info, ICMP logger, news grabber and more…

In only a few seconds, MacAnalysis finds dozens of ways to exploit a system in many protocols, analyzing your network for any open holes, bugs, or tricks you might not be aware of.

MacSniffer—Mac OS X

MacSniffer is a graphical front-end for Mac OS X’s built-in tcpdump. With MacSniffer and tcpdump (see Chapter 15, “Sniffers,” for more on tcpdump), you can view Mac OS X’s network traffic to look for network flaws or to analyze traffic.

From the command line, you can access the built-in text-only interface by typing tcpdump, or man tcpdump for instructions. If this confuses you, or you just enjoy having a graphical interface to control and change settings, MacSniffer is for you.

MacSniffer’s options include filters to easily sort out traffic, and various view modes for diagnosing the packets being captured. You can choose to view just the headers, or the full ASCII dump of the packet data in real-time.

ettercap

In short, ettercap is a sniffer, interceptor, and logger for switched LANs used for multiple purposes. Developed on Unix and adapted to Mac OS X requirements, ettercap is simply one of the neatest network analysis tools on the block.

For a while, many people using Mac OS X had to modify the source before ettercap would compile, but currently ettercap compiles flawlessly on Mac OS X.

The ettercap developers keep adding new features to it on a regular basis. Here are some interesting functions that ettercap can show you while analyzing the network traffic. Many of the features of the program offer the capability of looking into and deciphering what the packets are for, so in the wrong hands this program could be dangerous (it can quickly pick out passwords from packets crossing the network). Many of these features will show you why you need to implement encryption in your everyday use. Even earlier versions of secure protocols, such as the first version of SSH, have been found insecure. Using SSH2 connections is recommended when possible.

  • Password collection—BGP, FTP, Half Life, HTTP, ICQ, IMAP 4, IRC, LDAP, MSN, MySQL, Napster, NFS, NNTP, POP, Quake 3, RLOGIN, SMB, SNMP, SOCKS 5, SSH, Telnet, VNC, X11, and YMSG.

  • Packet filtering—This feature sets up rules that will filter for a specific string, and there is also support for packet dropping. Packet dropping in ettercap allows for a filter to be enabled that will catch a particular string and replace it with something else.

ettercap also features OS fingerprinting, a connection killer, network scan, and plug-in support. You can find out more on ettercap as well as help forums at its Web site.

HenWen with Snort

Nick Zitzmann’s HenWen is an application developed to easily set up the popular Unix-based Network Intrusion Detection System (NIDS) Snort (http://www.snort.org) on Mac OS X. HenWen makes it possible for Mac users to interact with Snort without using the command line or having to compile the software. The hardcore geeks will always compile and run their software from the original source, but HenWen brings Snort to everyone else, for free.

Snort alone is a network intrusion detection system for analyzing traffic in real-time, capable of handling protocol analysis and content matching to detect attacks and probes. Snort has very flexible rule sets; besides functioning as a straight IDS (intrusion detection system), it also can be used as a packet sniffer, and as a packet logging utility, making it very useful for security administrators. For more on Snort, see Chapter 12, “Intrusion Detection Systems.”

StreamEdit

StreamEdit is a utility that allows you to modify a stream of TCP or UDP datagrams. The process works by tunneling the data through itself, then allowing you to edit it or apply filters in real time. StreamEdit can be used for many different system administration purposes, but it’s a great application for performing security analysis tests on the network.

The documentation with the application goes over the program step by step in setting up a tunnel for whichever type of stream you wish to analyze or manipulate. StreamEdit is currently on version 1.0b2, but any suggestions or comments should be brought to the attention of the developer, as the program is still in the beta stage.

MacRadius

RADIUS technology is imperative if you run an ISP or any system that takes dial-in connections. Management of user dial-in services can be difficult, confusing, and time-consuming. That’s where RADIUS comes in. Authors of the RADIUS specification describe the problem and solution as follows:

Since modem pools are by definition a link to the outside world, they require careful attention to security, authorization and accounting. This can be best achieved by managing a single “database” of users, which allows for authentication (verifying user name and password) as well as configuration information detailing the type of service to deliver to the user (for example, SLIP, PPP, telnet, rlogin). RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.

TIP

To learn more about RADIUS you should obtain RFC 2138, which is located at ftp://ftp.isi.edu/in-notes/rfc2138.txt.

In short, RADIUS offers easy management of a centralized database from which all dial-in users are authenticated. RADIUS implementations also support several different file formats, including native Unix password files. Lastly, RADIUS implementations offer baseline logging, enabling you to determine who logged in, when, and for how long.

If you’ve ever dreamed of having RADIUS functionality for Mac OS, MacRadius is for you. It is a very refined application, offering you the capability to build complex group structures. In this way, adding new users (and having those new users automatically inherit the attributes of other users) is a simple task. And, of course, all of this is packaged in an easy-to-use, graphical environment characteristic of Macintosh applications.

Currently, the only concern with running a MacRadius server is the physical security of the computer. Keep it out of the reach of others, because if anyone were to gain physical sit-down access to the computer, or remote control of it as if they were sitting in front of it, they could use a program that decrypts the administrator’s password. The intruder would then have access to change users’ passwords, or to make other modifications or additions to the server.

Network Security Guard

Have you ever dreamt about Nessus for Mac OS? What about a program (a HyperCard stack) that would automatically scan your Mac OS hosts for security vulnerabilities? If so, you need to get Network Security Guard.

Network Security Guard operates over AppleTalk and checks for the following in versions of the Mac OS prior to Mac OS X:

  • Default passwords

  • Accounts without passwords

  • File sharing

  • File permissions

But wait—there’s more. Network Security Guard has a brute force password cracking utility, so you can test the strength of network passwords, and your reports can be formatted in several ways and forwarded to you over the network. Lastly, you can schedule timed security assessments. All these features make Network Security Guard a great choice. It can save you many hours of work.

The software is unsupported now, as the developer’s site went offline. A more advanced product that is supported and scans for more vulnerabilities is MacAnalysis, which is covered earlier in this chapter.

Oyabun Tools

Oyabun Tools, released by Team2600, is an application you can use to send remote commands to control your Mac. For example, if you notice your Macintosh server is slowing down and you are not at the office to reboot it, you can use the Oyabun Send to restart the machine. This program does not require any installation—just double-click it! Oyabun Tools consists of two products:

  • Oyabun Send lets you send shutdown/restart/sleep commands over the Internet to other Macs that already have Oyabun Tools Pro installed.

  • Oyabun Tools Pro lets you send shutdown/restart/sleep commands to other Macs over the Internet. It also lets you set up Macs to receive these commands. This package has everything that comes in the Oyabun Send package.

The Oyabun Send tool was made open source, allowing developers to do whatever they choose with the code as long as it is referenced to Team2600. Currently the software does not run on Mac OS X except under classic mode. Users seeking remote control of a server should look into Mac OS X’s built-in SSH daemon.

Silo 1.03

Silo, created by Logik, a Macintosh security guru, is a remote system analysis tool designed for security and administrative evaluation purposes. It features full documentation, remote concept password and file structure generation, network mapping, OS fingerprinting, and remote system, client, administrative, domain, protocol, and network analysis and monitoring.

Logik is said to be working on a new version of Silo that has Mac OS X support, so keep your eyes peeled and his site bookmarked.

Nmap

Nmap, short for Network Mapper, is an open source utility that allows for network examination, or security auditing, as you learned in Chapter 3, “Hackers and Crackers.” Of all the classic network utilities that exist for Mac OS 9 and below, nothing can compare to the speed and reliability of Nmap. Luckily for Mac OS X users, Nmap can be installed and run from the command line!

Matthew Rothenberg has developed a GUI front-end application for Mac OS X designed to interface with Nmap called NmapFE. Written in Objective-C, the application is available at http://faktory.org/m/software/nmap/.

Nmap can scan a single host or large network very quickly. The program utilizes raw IP packets to determine the status of hosts on a network. Besides the hosts’ status, it will also determine the hosts’ operating systems, and what type of firewalls are in place, along with which services are running on the computer by using known characteristics.

The help screens and documentation included with Nmap are priceless in getting you started. Need help with the installation of Nmap? Install Fink (http://fink.sourceforge.net/). Fink is a project that ports Unix software and ensures it’s compatible with Mac OS X. Once Fink is installed, read over its documentation to see how to quickly install Nmap.

TIP

Nmap is available for download for free from http://www.insecure.org/nmap/.

Timbuktu Notes

Timbuktu Pro 2000 for Mac OS is a powerful and versatile remote computing application. Although not specifically a security program, Timbuktu Pro is a valuable tool for any Web administrator. Timbuktu Pro currently supports TCP/IP, AppleTalk, IPX, and Open Transport. Through these protocols, you can remotely manage any box (or series of them).

With a simple port scan to an unprotected computer running Timbuktu on port 407, the outsiders have inside knowledge of what is running on your network. Because Timbuktu, along with the other remote control administrative utilities, offers so much control, this is a prime target for attempted intruders.

Also note that the Mac OS X Preview release of Timbuktu included a security risk. Users usually found it by simply clicking the About Timbuktu menu before even being logged in, which granted them access to the computer. Netopia quickly released a fix for the paid version of the preview software, accepting it as a security issue. By now this preview release of the software should NOT be running on your system, as newer versions have been released.

TIP

The Timbuktu Preview release security issue, documentation, and fix can be found at http://www.securemac.com/timubktuosxpreviewhole.php.

Firewall Protection

No matter which operating system you choose to run, if your computer is connected to the Internet or a network accessible by outsiders, you will want to add firewall protection. Here’s a perfect illustration of why you need firewall protection: You are running Mac OS X, and have FTP or SSH service enabled so you can connect to the computer from home or work. You’re the only one connecting to the computer, and there’s no need for others to access those ports. With the firewall protecting those ports, allowing only your remote IP to connect, your computer is safe from any infiltration attempts.

When using your computer as a server for others to connect to, it’s really easy to configure the firewall in Mac OS X (or any other OS) to restrict all access to any port except the ones you wish others to connect to. You should become familiar with how the firewall’s filter or rule editor works. Once you have the settings in place, the first thing to do is test that what you put in place actually works. Feeling secure with an improper setup can often be a greater risk than having nothing, because you incorrectly believe that an intruder can’t gain entry.

In the Mac OS X Jaguar release and higher, there is a firewall control setting in the System Preferences with which you’ll construct your firewall settings. Planning out what you want others to have access to on paper, then implementing it into the program works best. If you’re unfamiliar with what ports each software runs on, the port numbers should be included in the documentation for the program. Alternatively, you can simply set the firewall up to deny all access to all ports, then figure out which ports require access and enable them so that either everyone or only specific IP addresses or ranges can access them.

The administrator can type lsof -i from the Terminal application in Mac OS X to see which applications are bound to which ports, and which ports are actively listening or connected. The command netstat -a will also show connection information. More options like -a can be found by using the man netstat command from the console.
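Both the Sharing preferences discussed earlier (File Sharing, Web Sharing, FTP access, Remote Login) and the lsof -i check above answer the same question: what is actually listening on this machine? The shell script below is an added example, not code from the book. It reads lsof output, lists each listening port with the program bound to it, and flags the services whose login is sent in the clear (FTP, as the text explains; telnet is added here on the same grounds). The sample output is constructed in the shape of lsof -i -P -n, where -P and -n keep ports and addresses numeric; the function names are our own.

```shell
#!/bin/sh
# Added example (not from the book): summarise which services are listening
# from lsof output, so the Sharing settings can be cross-checked against what
# is actually bound to ports. Function names and the sample are our own.

# Constructed sample shaped like `lsof -i -P -n` (-P and -n keep ports and
# addresses numeric). Real output from your own machine goes in its place.
SAMPLE='COMMAND           PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd              214 root    3u  IPv4 0x0a1b      0t0  TCP *:22 (LISTEN)
xinetd            120 root    5u  IPv4 0x0a1e      0t0  TCP *:21 (LISTEN)
httpd             301 root   16u  IPv4 0x0a1c      0t0  TCP *:80 (LISTEN)
httpd             305 www    16u  IPv4 0x0a1c      0t0  TCP *:80 (LISTEN)
AppleFileServer   330 root    8u  IPv4 0x0a1d      0t0  TCP *:548 (LISTEN)
sshd              400 root    4u  IPv4 0x0a1f      0t0  TCP 192.168.1.5:22->192.168.1.20:51022 (ESTABLISHED)'

# listening_services: reads lsof output on stdin and prints "PORT COMMAND"
# for every listening socket, one line per distinct port/command pair,
# sorted by port. Established connections and the header are skipped.
listening_services() {
  awk '$NF == "(LISTEN)" { addr = $(NF-1); sub(/^.*:/, "", addr); print addr, $1 }' \
    | sort -u | sort -n
}

# cleartext_listeners: the subset whose login travels in plain text.
# The text singles out FTP (21); telnet (23) is assumed here as well.
cleartext_listeners() {
  listening_services | awk '$1 == 21 || $1 == 23'
}

# Demonstration against the constructed sample. On a real machine replace
# the printf with: lsof -i -P -n | listening_services
demo() {
  echo "listening:"
  printf '%s\n' "$SAMPLE" | listening_services
  echo "cleartext logins:"
  printf '%s\n' "$SAMPLE" | cleartext_listeners
}
```

Compare the listening list against what the Sharing pane says is switched on: a port that is listening although its service is supposedly off, or a cleartext service you did not intend to expose, is exactly the kind of finding the text says to act on by stopping the service or denying the port at the firewall.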

The firewalls listed next are some of the best firewall software for Mac OS 9 and earlier. Not every machine can run Apple’s latest and greatest system, but no matter how old or new your system is, you should be protected from outsiders.

IPNetSentry

IPNetSentry can be downloaded and used immediately, as it is shareware. The developers of this application strongly felt that Mac users should be able to use software first to see if it meets their needs before they dish out the money. Unlike any other firewall for the Macintosh, IPNetSentry does not barricade your computer behind a wall, making it inaccessible from the world. Instead, it works with you, building the rule sets. Of course, you can make your own filters and rules for it to follow. The program watches the type of connections; for instance, if someone port scans your computer, the program notifies you that the attempt has been blocked, and allows you to take the appropriate action.

The developers took this approach because not enough people could configure their firewall properly. Some people were so protected that they didn’t know how to unprotect themselves for a particular port or program—they just took down the firewall completely and forgot to put it back online.

IPNetSentry knows when you’re doing something and permits it, as well as alerting you when others are connecting. Indeed, you can test your own firewall by having IPNetSentry’s servers test it and informing you of the outcome. Everything is configurable, and you can be kept apprised of what’s going on with the connections.

NetBarrier

Intego’s NetBarrier is a fully functional firewall for the Mac OS. The GUI of the program is very friendly to use and navigate. With all the gauges and valves going up and down as traffic comes and goes, users can get a real feel for what is happening and at what level.

NetBarrier also protects against ping flooding, SYN flooding, port scans, unknown packets, and tampering from the local machine, with password protection for NetBarrier’s own settings. It also covers pings of death and many of the well-known Web worms.

Norton Personal Firewall

A Symantec product, Norton Personal Firewall offers a great way to protect your Macintosh from intruders. This program has predefined applications and the ports they run on. For instance, if you know you are running ICQ, you simply select ICQ from the list and allow it. This works the same for many of the popular games or known services.

For those users familiar with OpenDoor Firewall by OpenDoor Network (http://www.opendoor.com/), Norton Personal Firewall is based on that code.

TIP

Norton Personal Firewall will run on both Mac OS and Mac OS X. More information about this product can be found by visiting http://www.symantec.com/sabu/nis/npf_mac/.

Internal Security

Internal security is one of the most important parts of security. Even if your computer is secure from others on the Internet, if someone sits down at your computer for 10 minutes while you are out, your computer is at risk. Or what if someone were to sit down and see your password on a sticky note, or one of your various other hiding places (under the desk, or perhaps under the keyboard)? All your data could be stolen, or your computer could be compromised. You need to take a look at as many utilities as you can to help protect you, and to see what is most commonly used when intruders want to bug your system.

For Macintosh computers running Mac OS X and below, you will find many indispensable programs throughout this section to assist you in running a tight ship. Mac OS X has added security pre-installed that takes just seconds to get running.

Mac OS X Screensaver Password Protection

I remember many screensavers for Mac OS that just didn’t offer any sort of security, or the ones that did would crash, or could be force-quit in one way or another, disabling the security at hand. One thing to remember about screensaver passwords is that they are meant to protect your computer while you are away for a short period of time. If your computer is set to automatically log in when started, someone could just as easily restart your computer and wait for it to come back up, and the screen would no longer be protected.

I will assume you have multiple users in place, and auto-login disabled when you plan on working in a secure environment (if not, do so!). In the Screen Saver System Preferences window, there is a tab called Activation. You can set the time for the screen to lock automatically. Below that, you have these options:

  • Do Not Ask for a Password

  • Use My User Account Password

Upon selecting Use My User Account Password, you will have to enter the same password you use to log in to the system. Without this checked, the screensaver offers no sort of security whatsoever, and is just pretty pixels flying around your screen.

Mac OS X Login

Like Mac OS 9, Mac OS X supports multiple users. This makes it possible to restrict access to your computer by having it protected upon startup, giving the user the option to log out when she is finished without shutting down.

It’s important to note here that there can be only one administrator! Well, there can be more than one administrator, but it’s best to limit it to only one—and don’t get click-happy when creating new users. Granting administrative options by clicking that box when creating a new user will give that user admin privileges to make modifications and changes to the system, including deleting your account, or installing software that could alter the system and allow a backdoor to be put into place. Hope I scared you—be cautious to whom you permit admin privileges. From the command-line view, being an administrator means you’re in the Group Admin.

Create a login and password for each user that’s going to access the system. Advise the users to keep it confidential and private so others do not use it. If the chosen password is weak, it can be cracked very easily. Examples of weak passwords are those that can be found in a dictionary, are short, are the same as the user’s name, or are common knowledge for an insider (friends, family, co-workers). When choosing a password, keep it very private, and do not write it down—just remember it, and do not reuse your login password as the password for anything else. A good password would be kP@#!3KA, instead of the usual choice of your last name or license plate number.

I’d like to recommend that you choose a password up to 18 characters in length, but Mac OS X only stores the first 8 characters of the login password, so be sure to mix those with numbers and extended characters. Later versions of Mac OS X may fix this. To find out whether the version you’re running does, set your password to more than eight characters, then log out. When typing your password to log back in, type the first eight characters and then some random letters; if it works, it hasn’t been fixed.
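The weak-password criteria listed above (dictionary words, short passwords, passwords equal to the user name, no mix of characters) can be turned into a check an administrator runs before handing out an account. The shell function below is an added example, not code from the book. It applies those criteria and, because the text says only the first eight characters of the login password are stored, it requires the digit and symbol mix to appear within that eight-character prefix rather than anywhere in the password. The word list is a constructed stand-in for a real dictionary, and the function name is our own.

```shell
#!/bin/sh
# Added example (not from the book): a password check built from the
# weaknesses the text lists. Function name and word list are our own.

# Constructed mini dictionary; a real check would use a word list such as
# /usr/share/dict/words.
WEAK_WORDS="password secret letmein macintosh apple"

# password_check USERNAME PASSWORD
# Prints "ok" and returns 0 if the password passes; otherwise prints the
# reason it is weak and returns 1.
password_check() {
  user=$1
  pw=$2

  # Short passwords crack quickly.
  len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
  if [ "$len" -lt 8 ]; then
    echo "too short ($len chars)"
    return 1
  fi

  # Same as the user name (case-insensitively) is common knowledge.
  lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
  if [ "$lower" = "$(printf '%s' "$user" | tr 'A-Z' 'a-z')" ]; then
    echo "same as user name"
    return 1
  fi

  # Plain dictionary words fall to a word-list attack.
  for w in $WEAK_WORDS; do
    if [ "$lower" = "$w" ]; then
      echo "dictionary word"
      return 1
    fi
  done

  # Only the first eight characters count on the releases the text
  # describes, so the mix of character classes must sit in that prefix.
  prefix=$(printf '%s' "$pw" | cut -c1-8)
  case "$prefix" in
    *[0-9]*) ;;
    *) echo "no digit in first 8 characters"; return 1 ;;
  esac
  case "$prefix" in
    *[!A-Za-z0-9]*) ;;
    *) echo "no symbol in first 8 characters"; return 1 ;;
  esac

  echo "ok"
  return 0
}
```

The prefix rule is the part worth noticing: a password such as Macintosh9! looks mixed, but if only eight characters are kept, what is actually stored is Macintos, a single capitalised word. The book’s own example, kP@#!3KA, passes because its digit and symbols all sit inside the first eight characters.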

BootLogger

BootLogger is one of the simpler security applications. It basically reads the boot sequence and records startups and shutdowns. It is not a resource-consuming utility. I suggest using this utility first. If evidence of tampering or unauthorized access appears, then I would switch to Super Save (detailed later in this chapter).

DiskLocker

DiskLocker is a utility that write-protects your local hard disk drive. Disks are managed through a password-protected mechanism. (In other words, you can only unlock the disk if you have the password. Be careful not to lock a disk and later lose your password.) The program is shareware (written by Olivier Lebra in Nice, France), and has a licensing fee of $10.

TIP

DiskLocker is available for download from ftp://ftp.amug.org/.

Empower

Empower offers powerful access control for the Macintosh platform, including the ability to restrict access to both applications and folders.

Ferret

Ferret is a small application that quickly gathers all important information (logins/ passwords) from a system by descrambling all passwords into plain text. It is meant to be used with a startup disk, or when you only have a few seconds of access to the machine. You can also drag and drop preferences onto it to get the information you want from a particular file (for example, when you are only able to access a preference file, and cannot directly access the machine).

Ferret can gather important information from preference files on any mounted volume, including AppleShare-mounted hard drives. Ferret can discover logins and passwords stored in any of the following applications: FreePPP, MacSLIP, OT/PPP (ARA), Internet Control Panel (Internet Config), Netscape Communicator, Eudora, AIM, ICQ, Gerry’s ICQ, Apple File Sharing Registry (Users & Groups), Carracho Bookmarks/Server Data Files, and Hotline Bookmarks/Server Data Files.

Currently, Ferret works with Mac OS 9 and earlier. Word is, the source code was lost, so future development of the program has been halted. As it currently stands, the application is still very useful.

Filelock

Filelock is a little more incisive than DiskLocker. This utility will actually write-protect individual files or groups of files or folders. It supports complete drag-and-drop functionality, and will work on both 68K and PPC architectures. It’s a very handy utility, especially if you share your machine with others in your home or office. It was written by Rocco Moliterno of Italy.

FullBack

Highwinds has been creating security/encryption products since 1999. FullBack is a secure, easy-to-use archiving and backup program for Mac OS 9 and earlier. The deluxe version provides 512-bit, randomly generated encryption keys. Product information is available at http://www.highwinds.com/BackupSystem.html.

Invisible Oasis

Invisible Oasis is a keystroke logger. It records everything typed into a daily log. The installed extension is invisible, as is the folder where the logs are kept. To see whether this extension is installed, use a program such as Apple ResEdit: choose Get Info, navigate to the Preferences folder inside the System Folder on the hard disk (Hard Disk → System Folder → Preferences), select the hidden folder there, and clear its invisible attribute (Unhide). The logs can then be opened with any text-editing program.

TIP

Invisible Oasis will work with systems prior to Mac OS 9. Download it at http://freaky.staticusers.net/security/keyloggers/InvisibleOasis_Installer.sit.

ResEdit can be found by searching for it on http://www.versiontracker.com.

TypeRecorder

Valid uses have been found for keystroke recorders, such as recovering a document after a crash even if it had not been saved, and development/testing work in which activities must be reproduced in the same manner. TypeRecorder is a shareware-based keystroke recording application, currently only for systems prior to Mac OS X. If you don’t pay the shareware fee, a dialog is displayed upon startup, so the program is not intended to be a sleek, hidden, you-can’t-find-me type of spy software.

KeysOff and KeysOff Enterprise

KeysOff enables you to lock out certain keys, preventing malicious users from accessing the menu bar, using mouse clicks, the power key, or command-key shortcuts. The program also prevents unauthorized users from loading disks. This is one of the simplest, most cost-effective, and most useful security programs available. Mac OS systems prior to OS 9 are well served by KeysOff for desktop security; it is most definitely a favorite for security, and not a favorite of hackers once all the security is in place, because it disables many bypass features.

LockOut

LockOut, available for both Mac OS 9 and Mac OS X, is an easy-to-use application. It doesn’t pretend to offer a vaulted, secure solution; the documentation states its faults, so users are not fooled by false claims. Another positive aspect of the program is the low price, as Mac computers need some sort of security. LockOut can offer it, and the development staff implement user suggestions with each new version.

Before accessing the Macintosh, a valid password must be entered. While you’re away from the computer and it has been locked out, users may leave messages. If a password is entered incorrectly, LockOut enables the administrator to set up a voice warning to alert the user trying to gain access. When the maximum amount of idle time has been reached, LockOut will reactivate. When the program detects break-in attempts, it can automatically email an address with information about the attempt.

OnGuard Emergency Passwords

Several security programs use emergency passwords. These are passwords generated by the program in case the admin forgets his password. They usually give the user complete access to a computer.

In theory, you would need all sorts of software registration information for the software vendor to give away the emergency password. In reality, you only need to find the algorithm used to generate the emergency password.

nOGuard is a program that generates emergency passwords for PowerOn Software’s OnGuard 3.1 and 3.3. It was created by mSec.

TIP

The most up-to-date version of nOGuard is available for download at http://freaky.staticusers.net/security/onguard/nOGuard2.sit.

Password Key

Password Key logs unauthorized access attempts, locks applications, and temporarily suspends all system operations until the correct password is supplied. Password Key is not Mac OS X-ready; it’s currently only for use on systems up to Mac OS 9. Check their site for more current information.

Password Security Control Panel Emergency Password

PowerBook users use the Password Security Control Panel to protect their computers. Displaying a dialog box that requests a password every time the hard drive is mounted, Password Security provides a convenient security measure.

As pointed out by a previous advisory, Password Security generates an emergency password every time it displays the password dialog box. This emergency password gives the same access level to the laptop as the owner’s password does.

This is, of course, a huge security breach, allowing anyone who can figure out the emergency password to access the computer, and even to change the owner’s password. The program PassSecGen (created by a member of the Macintosh security group mSec) generates the emergency passwords for the PowerBook security control panel to gain entry without knowing the real administrator password. This does not appear to be a risk when using Mac OS X as the operating system.

TIP

The most up-to-date version of the Password Security Generator is available for download at http://freaky.staticusers.net/security/powerbook/PassSecGen1.0.sit.

Aladdin Secure Delete

Secure Delete has in the past been part of the Stuffit Deluxe package for file compression. Secure Delete does exactly what it says: it deletes files in a secure manner so that they are not recoverable with software such as Norton Utilities. When you delete a file by dragging it to the Trash, its data remains on the hard disk until those areas of the disk are overwritten by something else. Secure Delete overwrites the erased data blocks on the disk numerous times to ensure a safe deletion.

Stuffit Expander has become a part of the Mac compression lifestyle, offering the capability to expand every type of file. Stuffit Expander comes pre-installed with Mac OS X, so Aladdin decided to offer Secure Delete as a stand-alone deal. It can also be obtained with the Stuffit Deluxe package.

SecurityWare Locks

SecurityWare offers physical security devices for all makes and models of Macs to prevent theft and tampering. From iMacs to desktops, there is hardware protection to physically protect your computer, including iBooks and PowerBooks.

Having some sort of physical security is always important no matter what environment you’re in. Once that computer is out the door, it’s gone—the only chance you have after that is Stealth Signal.

Stealth Signal

You can track lost or stolen laptops with Stealth Signal for a secure recovery. Stealth Signal silently sends information to the tracking servers that are watching your laptop. If for any reason you lose it, simply log on to the Web site and report it stolen. With the help of Stealth Signal, you might be able to recover the computer, although chances are what is on it has more value than the computer itself.

Through their research, the developers at Stealth Signal came to the conclusion that when hardware is stolen, it is usually sold quickly, wiping minimal, if any, amounts of data from the hard disk. This may or may not be the case, depending on who has stolen it. If the computer is connected to the Internet or has a phone line connection, Stealth Signal will make contact with the tracking servers. The computer can be tracked by the IP address used to connect to the Internet. Stealth Signal also has additional security features that they didn’t want me to talk about, but I can assure you that if your computer is stolen and someone is connecting to the Internet with it, they can help recover the hardware.

Stealth Signal is available for Mac OS, Mac OS X and the Windows platform. Connection statistics and other neat information can be viewed from the reporting Web interface.

Mac OS X Single User Root Mode

Single user mode is a startup method you might choose to boot into when in front of the computer. This mode offers root access to the computer without authentication—it exists for emergency cases to fix problems.

To boot into single user mode, hold down Command + S during the startup process. Once you are in and the computer has started up, you will have a black screen (command line) with a # prompt facing you. Before any changes can be made, you must check and mount the hard disk:

/sbin/fsck -y

/sbin/mount -wu /

In single user mode, it’s just you and the machine—no services are started. So, if you need to start services to change information, such as NetInfo, you must load it up.

Full documentation on single user root mode can be found at http://www.securemac.com/macosxsingleuser.php.

Super Save 2.02

For the ultimate paranoiac, Super Save will record every single keystroke forwarded to the console. However, in a thoughtful move, the author chose to include an option with which you can disable this feature whenever passwords are being typed in, thus preventing the possibility of someone else later accessing your logs (through whatever means) and getting that data. Although not expressly designed for security’s sake (more for data crashes and recovery), this utility provides the ultimate in logging. Super Save does not work with Mac OS 9 or Mac OS X, and does not record mouse movement—only keyboard activity.

SubRosa Utilities

SubRosa Utilities is a set of security applications, two of which are for encryption. The software suite consists of three pieces of software, all of which are compatible with the Windows OS, Mac OS, and Mac OS X:

  • SubRosa Encryptor—Featuring 128-bit encryption with rolling keys, this program will encrypt your files and folders utilizing keys instead of insecure passwords. The files are encrypted in a format that’s Internet-ready; once it has been uploaded, it can be downloaded without being corrupted on both the PC and Mac.

  • SubRosa Decryptor—The Decryptor will decrypt the encrypted archives created with the encryption application. Best of all, the entire Decryptor program is free of charge from SubRosa’s Web site, so you can transmit files in a secure manner, and the recipient of the file does not need to purchase any software to decrypt it.

  • SubRosa Shredder—If you want a file encrypted in the first place, a potential data thief already knows it has confidential value. After a file has been encrypted, it is suggested that it be securely deleted using the SubRosa Shredder. The settings can be manipulated to specify how many times the file should be overwritten for a secure delete—by default it is set to three; if you feel extra special, raise the number. The higher the number, the more times Shredder manipulates the data, and the harder it is to recover.
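The multi-pass overwrite that both Secure Delete (above) and SubRosa Shredder perform, as an added Python example; this is not either vendor’s code. It overwrites the file’s blocks in place the requested number of times (three by default, matching Shredder’s default), adds a final zero pass, renames the file to a random name so the original name leaves the directory too, and then unlinks it. The sample file it shreds is constructed for the demo.

```python
"""Multi-pass secure file deletion in the style the chapter describes.

Added example, not Secure Delete's or SubRosa's code. Dragging a file to the
Trash only removes its directory entry; the blocks stay on disk until something
overwrites them. secure_delete() overwrites the blocks in place `passes` times
with random data, then once with zeros, renames the file to a random name and
unlinks it. Caveat: on journaled, copy-on-write or flash-backed storage the file
system may write new blocks instead of overwriting the old ones, so this gives no
guarantee there; full-disk encryption is the reliable answer on such media.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def _write_all(fd, data):
    """os.write may write fewer bytes than asked; loop until everything is written."""
    view = memoryview(data)
    while view:
        written = os.write(fd, view)
        view = view[written:]


def _overwrite_pass(fd, size, random_data):
    """Overwrite `size` bytes from the start of the file and force them to disk."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        _write_all(fd, secrets.token_bytes(n) if random_data else bytes(n))
        remaining -= n
    os.fsync(fd)


def secure_delete(path, passes=3):
    """Overwrite `path` with `passes` random passes plus one zero pass, then rename
    and unlink it. Returns the total number of overwrite passes performed."""
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    # No O_TRUNC: truncating first would free the blocks without overwriting them.
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.fstat(fd).st_size
        for _ in range(passes):
            _overwrite_pass(fd, size, random_data=True)
        _overwrite_pass(fd, size, random_data=False)
    finally:
        os.close(fd)
    directory = os.path.dirname(os.path.abspath(path))
    scrubbed_name = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, scrubbed_name)  # the original file name leaves the directory too
    os.unlink(scrubbed_name)
    return passes + 1


def demo(passes=3):
    """Create a constructed sample file, shred it, and report (passes done, file gone)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".txt") as tmp:
        tmp.write(b"confidential contract draft - constructed sample data\n" * 2048)
        path = tmp.name
    done = secure_delete(path, passes=passes)
    return done, not os.path.exists(path)


if __name__ == "__main__":
    passes_done, gone = demo()
    print(f"{passes_done} overwrite passes; file removed: {gone}")
```

Raising the pass count, as the Shredder text suggests, only costs time proportional to the file size; the fsync after each pass is what makes a pass count for anything, since buffered writes that never reach the disk overwrite nothing.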

Open Firmware Password Protection

Apple Open Firmware (http://bananajr6000.apple.com/) is the firmware used in Macintosh hardware—all specifications and details can be found at the included URL. For our purposes, we will only cover the password feature of the firmware.

Similar to a PC’s BIOS password, the Open Firmware password protects the system at several levels. Mac hackers know many ways to bypass internal security while sitting in front of the machine: disabling extensions, booting from a media device or another SCSI ID, and so on, and one of them usually succeeds. Open Firmware puts a stop to this by preventing a user from overriding the operating system’s startup instructions without supplying the proper password.

The newer Macintosh hardware models come with Open Firmware capable of setting up password support. Apple has also prepared software for Mac OS X to easily set up the password and enable or disable restrictions. For Mac OS X running Firmware 4.1.7+, use Apple’s application Open Firmware Password available for download at http://www.apple.com/downloads/macosx/apple/openfirmwarepassword.html.

The password protection feature of Open Firmware goes beyond standard firmware specifications; a notable feature is its defense against brute-force password attacks. A user cannot keep entering passwords over and over until the correct one is found; Open Firmware stops the user from making further attempts.

NOTE

Full instructions for enabling Open Firmware Password protection on Mac OS 9 and Mac OS X through Open Firmware can be found at http://www.securemac.com/openfirmwarepasswordprotection.php.

There are two ways to bypass the Open Firmware Password, but the first one doesn’t quite bypass it. Instead, it’s a program that will grab the password if the computer is started up. If you’re locked out already, this program will do you no good, but it’s useful if you need to recover the password. The program name is FWSucker, short for Firmware Password Sucker. Keep in mind that if a user on your system is already at the desktop and has the capability to load/run software, she can obtain the Open Firmware Password and make alterations. You can find out more about FWSucker at http://www.securemac.com/file-library/FWSucker.sit. Keep this out of the reach of children—you wouldn’t want someone to obtain the password and then protect the system and lock you out.

The second method for getting around the Open Firmware password is by resetting it. Without knowing the current password, the only way to gain entry is to reset the password. To do so, you will need to open up the computer and add or remove RAM so the total amount in the computer differs from its original amount, then zap the PRAM three times by holding down Command + Option + P + R during startup. After the password has been reset, you can replace the hardware with the original components.

Apple did a good job requiring physical access to the insides of the machine to bypass the security. In a multiuser environment (work, lab, school), the computers would be locked anyhow, and someone wouldn’t be able to open the machine up unnoticed.

Password Crackers and Related Utilities

The following utilities are popular password crackers or related utilities for use on Macintosh. Some are made specifically to attack Macintosh-oriented files. Others are designed to crack Unix password files. This is not an exhaustive list, but rather a sample of the more interesting tools freely available on the Internet.

NOTE

FileMaker Pro is a database solution from Claris (http://www.claris.com). Although more commonly associated with the Macintosh platform, FileMaker Pro now runs on a variety of systems. It is available for shared database access on Windows NT networks, for example.

Many of the applications that crack FileMaker Pro files are version-specific. There has not been a crack for recent versions of FileMaker Pro in years. If you find an old FMP file on disk and it is protected, the FMP-cracking applications in this section would be useful.

There are also FileMaker Pro password crackers available for the Windows platform that might cover more versions than the Macintosh titles mentioned here.

FMP Password Viewer Gold 2.0

FMP Password Viewer Gold 2.0 is another utility for cracking FileMaker Pro files. It offers slightly more functionality (and is certainly newer) than FMProPeeker 1.1.

TIP

FMP Password Viewer Gold 2.0 is available at http://freaky.staticusers.net/cracking/FMP3.0ViewerGold2.0.sit.hqx.

FMProPeeker 1.1

This utility cracks FileMaker Pro files. In any event, FMProPeeker subverts the security of FileMaker Pro files.

Macintosh Hacker’s Workshop

Macintosh Hacker’s Workshop (MHW) is a suite of hacking tools that will run under Mac OS 9 and Mac OS X. The program was developed to beat the performance of the existing graphical user interface password crackers for the Macintosh, and under Mac OS X it did indeed offer quicker speeds and better functionality.

MHW includes a wordlist generator used to test passwords. The cracking can be done using wordlists, or by brute force attacks. Many password crackers exist for Unix, but the advantage of using a Unix-based password cracker is purely in the performance.

John the Ripper

John the Ripper is a Unix-based password cracking utility, and as mentioned previously, the advantage of using a Unix-based password cracking utility like this is for the performance. Because of all the system resources the program uses to test and audit the password, there is no need to bog it down with graphical user interfaces. This program must be compiled from the command line via the Terminal application.

To start off, go to the Web site listed here and download the Development release (dev) of the program, which supports Mac OS X. Compilation might require you to become acquainted with the user manual or install instructions.

After compilation is complete, run John the Ripper on a Unix password file, or export the password file stored in Mac OS X by using the following command:

nidump passwd . 

The program is well-documented and discussed at the Web site provided. Happy cracking—this has to be one of the quickest password crackers available to run on Mac OS X!

Killer Cracker

Killer Cracker is a Macintosh port of a password cracker formerly run only on DOS- and Unix-based machines (http://www.hackers.com/html/archive.2.html).

MacKrack

MacKrack is a port of Alec Muffett’s famous Crack 4.1. It is designed to crack Unix passwords. It rarely comes with dictionary files, but still works quite well, and makes cracking Unix /etc/passwd files a cinch. (It has support for both 68K and PPC.)

MagicKey 3.2.3a

Made by System Cowboy of the hacker group Digital-Rebels.org, MagicKey is a password-auditing tool for AppleTalk. The application audits an AppleTalk user’s file for weak passwords or no passwords with the brute force method.

TIP

MagicKey3.2.3a can be downloaded from http://freaky.staticusers.net/security/auditing/MK3.2.3a.sit.

MasterKeyII

MasterKeyII is yet another FileMaker Pro-cracking utility.

TIP

MasterKeyII is available at the following site http://freaky.staticusers.net/cracking/MasterKeyII1.0b2.sit.hqx.

McAuthority

McAuthority is a password-security application that uses brute force to attack a server to gain access to the password-protected areas. This application was made by nulle, one of the greatest Mac hack programmers.

TIP

McAuthority can be downloaded from http://freaky.staticusers.net/jp/McAuth1.0d6-FAT.sit.

Meltino

Meltino is a sleekly designed Unix password cracker by the Japanese programmer nulle. This is one of the most popular Macintosh Unix password crackers. This application supports MD5 encryption as well as DES encryption. Meltino also supports the UltraFastCrypt (UFC) algorithm.

Password Killer

Password Killer is designed to circumvent the majority of PowerBook security programs. PowerBooks are the only Apple computers affected, because the security software it targets is only installed on PowerBooks.

TIP

Password Killer (also referred to as PowerBook Password Killer) can be found online at http://freaky.staticusers.net/cracking/Passwordkiller.sit.hqx.

Anonymous Email and Mailbombing

Mailbombing is the act of sending a lot of email to a person to flood his mailbox. I do not suggest sending a mailbomb to anyone. Try sending it to yourself to see how it works. If you have ever received a mailbomb, you understand.

Sometimes you have to send anonymous email—things you don’t want people seeing and knowing you sent.

Caem

Caem lets you send mail anonymously with attachment support by utilizing proxy servers and certain mail servers. Some of the advanced features included for sending mail are the capability to build custom message headers and to import/export contacts and data.

TIP

Logik, the programmer of Caem, takes his work seriously and updates the program often. You can find his program at his Web site: http://logik.accesscard.org/.

Bomba

Bomba is another mailbombing application. One of the techniques that the program has to send mail quicker is to connect to several mail servers simultaneously with proxy support for privacy.

Bomba is available for download at http://www.team2600.com or at http://freaky.staticusers.net/attack/mailbombing/bomba.sit.

NailMail X

Another Team2600 development, NailMail works on both Mac OS and Mac OS X, delivering what the group considers their fastest mailbombing application ever. You can be the judge of that by going to http://www.team2600.com and downloading the program free of charge.

Spic & Spam

Created by a Macintosh developer who goes by the alias of Mancow, this is a very slick, easy-to-use mass emailing program that supports HTML email. Spic & Spam has been built for Mac and Mac OS X. You can download it and see screenshots at http://mancow.forked.net/products/spicnspam/.

ATT Blitz

A different kind of bulk mailer, ATT Blitz is an application that takes advantage of the mobile messenger Web site services of many popular cellular carriers. The program allows the user to send a certain number of messages to the target’s phone, hiding the sender’s IP address by specifying a proxy.

ATT Blitz has been tested to work with AT&T, Verizon, Nextel, Sprint PCS, VoiceStream, and PrimeCo. Many users do not have free messaging services, thus they are paying per message. Bombing someone’s phone with this program is not recommended, but if it ever happens to you—you are aware the program exists. You can download it at http://mancow.forked.net/products/spicnspam/.

Macintosh Viruses, Worms, and Antivirus Solutions

Viruses exist for the Macintosh. However, unlike the widespread Melissa or ILOVEYOU (Love Bug) viruses, unless the user’s whole network or the majority of the user’s contacts were also Macintosh users, a Mac virus or Trojan wouldn’t make it far. The reason Windows-based viruses and Trojans spread so far is that there are more Windows users than Mac users around the world. Each time one of them reaches a Macintosh computer, chances are it has no effect on the system, so it’s a dead bug; you’re not spreading it. Good for you for being a Mac user.

Viruses spread globally from the Macintosh don’t work that well either, because once they hit a Windows user’s computer, chances are it won’t know how to run the Mac program or script. Of course, in due time, one could be written to work on both systems with the right mind and programming.

Picture an office work network: hundreds of Macintosh computers in one place, an environment in which a worm or virus could easily spread across the network. All it takes is one person and a network that shares resources.

I’ve seen it time and time again: developers who create the software distribute files that are infected. They could be doing so intentionally or unintentionally, but the fact remains that when the programs are put on Internet sites like Download.com, AOL Archives, and VersionTracker.com, millions of Mac users flock to the sites to download the software.

The most widespread event I can reference was an incident in which a CD packaged with an issue of MacAddict magazine was distributed to its subscribers and newsstands. The CD was accidentally infected with the AutoStart worm. The worm was activated when the PowerPC computer’s QuickTime (2.0) control panel was set up to automatically play CDs when inserted.

Users had to download removal tools to get rid of the worm, which caused the computer to read the hard disk at 3-, 6-, 10-, and 30-minute intervals.

Detecting and preventing viruses and other malicious activity from taking place on your computer is the most important part. Even though you might feel that your computer is safe, you don’t know what viruses other computers have, or what the disk a client has sent you could be infected with. It’s even easier to become infected nowadays from the Internet being so handy. Imagine a hostile employee or enemy that knows you use a Macintosh. He sends you an email with a virus attached—of course, he faked the address, so you don’t think twice about opening it. Your Mac could be gone at this point.

The following are a few popular Macintosh antivirus solutions and resources.

MacVirus.Info

No, it’s not a .com, .net, or .org; it’s http://www.MacVirus.info/, a site devoted to Macintosh virus education and antivirus solutions. Get the latest antivirus definitions, news, and facts about viruses from this site.

Read comparisons between different antivirus products, vendor facts, and get your questions answered about Mac viruses.

.Mac

Once known as iTools, but now known as .Mac, this once-free service has moved to a yearly service fee. Along with the services that iTools offered, including Web hosting, .Mac offers antivirus solutions for subscribers. The bundled Apple .Mac service comes with hard disk space on Apple’s server to back up onto, as well as the well-known antivirus software title Virex and updated virus definitions.

The Virex application is developed by McAfee, and is available for both Mac OS and Mac OS X. Virex scans email attachments and archive formats for infections, and offers easy drag-and-drop checking. Combined with Mac OS X’s pre-existing security features, .Mac’s backup and Virex make for a great combination.

TIP

.Mac service can be obtained by visiting http://www.mac.com/; free trial accounts are available. Virex for the Macintosh may be obtained from http://www.mcafeeb2b.com/products/virex/.

Norton Anti-Virus

Symantec has a long history and good reputation for their products. Norton Anti-Virus for the Macintosh offers the same level of satisfaction as their other products. The features of NAV (Norton Anti-Virus) for the Macintosh compare to those of the other antivirus vendors in that it scans for viruses, and checks email attachments and archived files for viruses hiding within. A popular yet easily forgotten feature of NAV is that the virus definitions are automatically updated via Symantec’s LiveUpdate technology, so having to remember to download new definitions to stay protected is in the past.

The Mac OS X version of NAV is lacking a few features, as developers hurry to adapt to the new technology and standards that Mac OS X offers. As reported on VersionTracker.com and other news sites, the Mac OS X version still has a few memory leaks, and the AutoProtect feature isn’t yet what the Mac OS version offered. It will be worked out in due time, and as of this writing there have not been any Mac OS X-specific viruses released into the wild.

TIP

Norton Anti-Virus product information is located at http://www.symantec.com/nav/nav_mac/. Downloadable demos and more can also be found at Symantec’s Web site.

Intego VirusBarrier

VirusBarrier is Intego’s antivirus solution, available for Mac OS now, and with a planned release for Mac OS X in the third quarter of 2002. The developers have truly created a program that runs itself right out of the box. The features offered grow with every version:

  • NetUpdate virus definitions (download new virus definitions instantly)

  • Log file functions

  • Drag-and-drop virus scan

  • Protects against viruses and macro viruses

  • Stuffit archive scanning

  • Voice alert and email alert upon locating viruses

  • Password-protected settings (intruders cannot simply disable the password, but must authenticate first)

This software title can be purchased online or at any authorized Macintosh dealer, or you can download a demo from http://www.intego.com.

Disinfectant

Disinfectant definitely has served its purpose, and has been used by thousands of Mac users seeking to detect and remove virus-infected files. The program isn’t Mac OS X ready; in fact, the program has been discontinued completely but can still be found. The program file is small and very quick at doing its job. If you’re running a system prior to Mac OS X, this program is free of charge to use; however, you will want to note that it doesn’t protect against worms, and it doesn’t protect against Microsoft Word macro viruses.

TIP

Because the program’s development has been halted, there is not a centralized homepage to visit. Try the link http://hyperarchive.lcs.mit.edu/HyperArchive/Archive/vir/disinfectant-371.hqx, and if it doesn’t work, simply go to an archive site such as http://www.download.com and perform a search for Disinfectant.

AutoStart Worm Remover

The AutoStart worm affects older Macintosh systems when QuickTime’s AutoPlay feature is enabled in the control panel. In version 2.0 of QuickTime, AutoPlay was enabled by default, so users commonly found themselves with computer problems and errors. After the computers were taken to the shop, it was found that many of them had the AutoStart worm. Users can check to see whether their computer is a victim to the worm and download free removal tools at the following sites:

The Little Dutch Moose

Webmasters who have ever viewed their Web logs have seen evidence of their site being hit by worms such as CodeRed and Nimda, as the worms’ requests fill the logs. Hopefully, every request from those two worms shows up under File Not Found or Not a Valid Request. Whether or not they actually affect your system, the worm is using bandwidth and filling up log files rapidly by requesting files that may not even exist.

The Little Dutch Moose is a program for blocking and stopping these worms and illicit requests from arriving at your Mac OS X Web server (Apache) before they are even processed. The program watches over the connections and notices when connections are made in worm- or virus-like methods, and puts a halt to the requests.

Mac OS X users who are taking advantage of the built-in Apache Web server now have a way to protect against these types of connections, which could lead to denial of service or other malicious activities.
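What such a filter looks for, as an added Python example that is not The Little Dutch Moose’s code or method: it parses Apache access-log lines, flags requests matching the widely documented request shapes of Code Red (probes of /default.ida) and Nimda (hunting for cmd.exe and root.exe, the /_vti_bin/ and /msadc/ paths, and encoded ..%255c.. traversal), and turns repeat offenders into a block list that a firewall rule could enforce before Apache ever sees the next request. The log lines and the threshold are constructed for the example.

```python
"""Spot Code Red / Nimda-style requests in an Apache access log and derive a
block list. Added example, not LDM's code. The log lines are constructed; the
signature patterns are the well-known request shapes of those two worms.
"""
import re
from collections import Counter

# Constructed sample lines in Apache common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2002:13:02:11 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.9 - - [10/Jun/2002:13:02:15 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276
10.0.0.9 - - [10/Jun/2002:13:02:16 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
10.0.0.9 - - [10/Jun/2002:13:02:16 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
10.0.0.9 - - [10/Jun/2002:13:02:17 -0700] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
10.0.0.7 - - [10/Jun/2002:13:03:00 -0700] "GET /images/logo.gif HTTP/1.1" 200 4512
"""

# host ident user [time] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

WORM_SIGNATURES = (
    ("CodeRed", re.compile(r"/default\.ida", re.I)),
    ("Nimda", re.compile(r"cmd\.exe|root\.exe|/_vti_bin/|/msadc/|%255c|%c0%af|%c1%1c", re.I)),
)


def parse_line(line):
    """Split one log line into its fields, or return None if it is not a log line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path):
    """Return the worm name whose signature the request path matches, else None."""
    for name, pattern in WORM_SIGNATURES:
        if pattern.search(path):
            return name
    return None


def scan_log(text):
    """Return (ip, path, status, worm) for every request that matches a signature."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        worm = classify_request(rec["path"])
        if worm:
            hits.append((rec["ip"], rec["path"], int(rec["status"]), worm))
    return hits


def block_list(hits, threshold=3):
    """Source addresses with at least `threshold` worm-style requests: candidates
    for a firewall deny rule so their later requests never reach Apache."""
    per_ip = Counter(ip for ip, _, _, _ in hits)
    return {ip for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, status, worm in found:
        print(f"{worm:8} {ip:12} {status} {path}")
    print("block:", sorted(block_list(found)))
```

Every flagged request in the sample returns 404, which is the harmless outcome the text hopes for; the point of blocking is the bandwidth and log noise, not a compromise of the Mac server, so the threshold should be set where it catches sweeps without tripping on a single mistyped URL.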

TIP

Customers of LDM (Little Dutch Moose) receive free updates. The software is shareware-based, so you can try it out by downloading it from the developer’s Web site at http://www.wundermoosen.com/.

Mac OS X Virus Overview

As it stands, Mac OS X does not have any viruses designed for it. Before long (or when someone reads this statement), a new virus might be discovered. Viruses have been sparse for the last few years on the Macintosh; for the most part, we only update our monthly virus definitions to protect against Word macro viruses.

Email, software archives, and Web sites are all great ways to catch a virus, simply by downloading software without being protected. Antivirus software does more than just look for known viruses—it watches the system and its resources, looking for tactics that viruses are known to use. Not being protected is just dumb. Getting an infected file is as easy as downloading a movie from the Internet, so be cautious. Use one of the antivirus solution titles listed above and join their mailing lists to stay advised of current viruses in the wild.

Because of Mac OS X’s Unix core, many are concerned that remote users will gain access because of misconfigured or outdated services, and that access will be granted by software unintentionally. The main concern is a Trojan horse that can backdoor the computer, allowing remote access or sending system files without your knowledge. Set up your firewall to deny connections when you are not allowing others to connect to your computer. One of the easiest ways to ensure that you don’t get hacked is to put up a barrier ensuring that intruders can’t get close enough to try.

Spyware and Detection

Besides viruses, Macintosh users have to be aware of spyware. Spyware is software that runs in the background, allowing someone to monitor user activity. This includes Trojan horses, remote administration utilities, and keystroke loggers.

Keystroke loggers monitor and log everything typed on the keyboard. Hackers use these types of programs to capture user passwords, and others use them to snag confidential information, such as credit card numbers or social security information. These programs generally go undetected, and without the right knowledge of every keystroke logger out there, you can be left in the dark.

Trojan horses for the Macintosh often offer some sort of way back into the system. Once the Trojan has been installed, it remains undetected, just waiting for the remote user to make the connection. Users without an Internet or network connection need not worry about Trojans if their machine is isolated, but those who are constantly on the Internet should take extra steps to make sure their computer isn’t a playground for hackers.

Not all remote administration tools are considered Trojan horses. Programs such as Timbuktu and Apple Remote Desktop offer remote control over the computer, but in a commercial way. Usually when a connection is established to one of these commercial products, the local user can see that a remote user has connected to his computer, but some are set to work in the background, so the present user need not be interrupted when a remote user is connected. Any of these programs, if installed without knowing what it does or who installed it, can be a security risk—your computer could be sitting there waiting for someone to connect to it, administer it, or control it remotely.

MacScan

You need to detect, isolate, and remove spyware and any unwanted administrator programs that might be plaguing your system without your knowledge. The job of MacScan is simple: Find any sort of software on your computer that can be construed as spyware, and detect any programs that offer remote administration functions you might be unaware of.

MacScan checks the hard drive for all known keyloggers for the Macintosh. It will also isolate any log files created by the keystroke loggers and move them to a secured location. Those log files could have years of your emails, confidential documents, passwords, and other affairs you don’t want recovered.

Ever keep changing your password and feel like someone keeps getting your new passwords every time? If a keystroke logger is installed, all the user has to do is view the log files and search for your old password and look at what follows: chances are, it’s the new password. If someone is capturing every keystroke, you’re no better off than if they knew your password in the first place. They could also be learning the passwords you commonly use for other systems or resources that require your authentication. Before typing in that secret information, make sure someone isn’t snooping on your keystrokes.

Included in the definition of spyware are Trojans and admin utilities. Many Trojans are configured to contact the attacker by email, notifying them of your IP address and other information that lets them know your computer is online and accessible. A firewall can keep intruders from coming in, but you will have to configure it to deny access to all ports, because you just can’t tell which port the Trojan is set up to use without analyzing it.

MacScan also detects these known Trojans, which offer remote administrator functions on the computer. Furthermore, when it finds a Trojan, it will report the configured settings, such as email address, passwords, and logins. For example, consider a Trojan horse—if it was set up to email , you know immediately that the intruder is linked to that email address. You also know which port the Trojan is set to communicate over, and the password, if any. With a little more research, you can try connecting to your own infected computer, or simply remove the spyware program altogether.

Regarding valid system administrator tools such as Apple Remote Desktop and Timbuktu, MacScan does not divulge any passwords, and does not allow the user running the program to remove the admin tools. Instead, it will let the user know the software is running so she can take the appropriate action.

MacScan also runs on Mac OS X, protecting that system too, so it is a security resource for everyone interested in keeping their privacy.
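The scan-and-isolate behaviour described above, as an added Python example that is not MacScan's code: it walks a directory tree against a constructed signature list, moves anything flagged as spyware (including the keystroke logger's log file) into a quarantine directory, and only reports legitimate admin tools rather than removing them. All names, paths, and signatures are placeholders.

```python
import os
import shutil
import tempfile

# Constructed signature list (placeholder names, not MacScan's real definitions).
# "spyware" entries are isolated; "admin" entries are only reported, mirroring the
# chapter's distinction between Trojans and tools such as Timbuktu or Apple Remote Desktop.
DEFINITIONS = {
    "SampleKeyLogger": ("spyware", "keystroke logger"),
    "SampleKeyLogger.log": ("spyware", "keystroke logger log file"),
    "SampleRemoteAdmin": ("admin", "remote administration tool"),
}


def scan(root, quarantine):
    """Walk `root`; move spyware matches into `quarantine`, report admin-tool matches."""
    findings = []
    os.makedirs(quarantine, exist_ok=True)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name not in DEFINITIONS:
                continue
            kind, desc = DEFINITIONS[name]
            path = os.path.join(dirpath, name)
            action = "reported"
            if kind == "spyware":
                shutil.move(path, os.path.join(quarantine, name))
                action = "quarantined"
            findings.append({"file": path, "kind": kind, "desc": desc, "action": action})
    return findings


def make_sample_tree():
    """Build a constructed home directory: one logger, its log, one admin tool, one benign file."""
    root = tempfile.mkdtemp(prefix="macscan-demo-")
    for rel in ("Library/SampleKeyLogger", "Library/Logs/SampleKeyLogger.log",
                "Applications/SampleRemoteAdmin", "Documents/notes.txt"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed placeholder\n")
    return root


def demo():
    """Run the scan on the sample tree; quarantine lives outside `root` so it is not rescanned."""
    root = make_sample_tree()
    quarantine = tempfile.mkdtemp(prefix="macscan-quarantine-")
    findings = scan(root, quarantine)
    return {
        "actions": sorted(f["action"] for f in findings),
        "log_in_quarantine": os.path.exists(os.path.join(quarantine, "SampleKeyLogger.log")),
        "log_removed_from_root": not os.path.exists(os.path.join(root, "Library/Logs/SampleKeyLogger.log")),
        "admin_left_in_place": os.path.exists(os.path.join(root, "Applications/SampleRemoteAdmin")),
    }
```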

TIP

A trial version of MacScan can be downloaded at http://macscan.securemac.com/ and purchased from the same site. Becoming part of the MacScan user base ensures that you will be included in special deals, price cuts, and many free updates as new features are added.

Resources

The following list of resources contains important links related to Macintosh security. You’ll find a variety of resources, including books, articles, and Web sites.

Books and Reports

Sites with Tools and Munitions

E-Zines and Web Sites
