Oomp-A: Hardening the Arteries Against the Chocolate
OK: so Apple haven't yet put their file system in the trash bin of oblivion where it belongs - what can you do?
- Don't run iChat. This is a weak remedy: Oomp-A currently spreads only through iChat, but the worm already carries preliminary code to propagate through mail as well.
- Don't open anything you haven't inspected (obviously). Use a decent file manager like Xfile so you can see what's really on disk and use a utility like Xstrings to inspect it.
- Check your 'InputManagers' directories. They can exist in /Library and in ~/Library. If you don't have them, create them now, then change their mode to 0700 and their ownership to root:admin. This thwarts attempts to copy things into them. Additionally change the mode of at least /Library so it is writable only by you (or preferably root). This thwarts attempts to delete the InputManagers directory and recreate it.
- Alternatively mark your library directories as owned and editable only by root. This only works if your own library directory in particular does not continually need new subdirectories created in it.
- Check your library (and input manager) directories on a regular basis.
- Clean out /tmp on a regular basis. OS X normally cleans it out at startup, but as OS X doesn't crash you may run your system for a long time without rebooting. If you have a tough time getting to /tmp with your current file manager, get a better file manager.
- Run this CLIX command to regularly inspect /tmp and your input manager directories.
sudo ls -ailoR /private/tmp /Library/InputManagers ~/Library/InputManagers
- Run an app like GD or Little Snitch to keep track of what's going out from your machine. Traffic through iChat won't stick out but other connections when you're not using your mail client will. If running GD, keep an eye on the ports used.
- Never run as root and disable the root account.
- Never give your admin password to anybody or anything.
- Set your sudo configuration to enable TTY tickets and set the time stamp timeout to zero.
- Send bug reports and other complaints to Apple. Pressure them to remove the 'beige box weaknesses' from OS X. It's about time and you've certainly waited long enough.
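The InputManagers checks in the list above, as an added shell script that is not from the original article: it verifies that each directory exists, is mode 0700 and is owned by root:admin (the optional owner and group parameters, and the use of ls -ld rather than stat, are my additions so it runs the same on BSD and GNU userlands).

```shell
#!/bin/sh
# Added example, not from the original article: audit the InputManagers
# directories for the recommended state. Prints a FAIL line for every
# deviation and returns non-zero if anything is wrong.
# ls -ld is parsed instead of stat(1) because stat's flags differ between
# the BSD (OS X) and GNU versions.

audit_dir() {
    dir=$1
    want_owner=${2:-root}      # root:admin as the checklist recommends
    want_group=${3:-admin}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: does not exist (create it yourself before something else does)"
        return 1
    fi
    set -- $(ls -ld "$dir")    # fields: perms links owner group ...
    perms=$1
    owner=$3
    group=$4
    rc=0
    case "$perms" in
        drwx------*) ;;        # 0700; a trailing @ or + (xattrs/ACLs) is tolerated
        *) echo "FAIL $dir: mode is $perms, want drwx------ (0700)"; rc=1 ;;
    esac
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL $dir: owned by $owner:$group, want $want_owner:$want_group"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok   $dir"
    return "$rc"
}

# Audit both locations the checklist names; non-zero if either fails.
audit_all() {
    status=0
    for d in /Library/InputManagers "$HOME/Library/InputManagers"; do
        audit_dir "$d" || status=1
    done
    return "$status"
}

# Only run the machine-wide audit when asked to, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_all
fi
```

Run it as `sudo sh audit-inputmanagers.sh --run` from a CLIX command or a cron job alongside the ls command above.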
Oomp-A was a simple yet ingenious exploit; future exploits won't work the same way. As it's now been proven that propagation and infection on OS X are possible, count on lots of new programs carrying malicious payloads. If you're putting new software on your machine, it's your responsibility to inspect what you have before you let it run, to make sure it's not going to harm you.