About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Home » Learning Curve

Mavericks Clicks

Tough times need brave solutions. Tough love from the NSA (updated).


Buy It

Try It

BIG SMOKE (Rixstep) — Tough times need brave solutions. The privacy of Internet surfers has been crushed by worldwide surveillance. You might not be able to control what happens at Facebook, but you can still control what happens on your own file system.

The easiest way to deal with this new knowledge is to ignore it. All is as before. Go on and keep telling yourself you'll be fine.

A remote alternative is to spend a few minutes each day making sure you haven't been invaded - something that's not personal to them - only to you.

Perhaps the worst thing you can do is purchase patent solutions. Applications that promise the world and give you a sand lot.

Where's the Indignation?

One wouldn't expect the Mac community to be in an uproar over the revelation Apple joined the 'ugly nine', giving unfettered access to your personal data to the NSA. And one would be right. There's nary a mention of it in there.

There's nothing to mention because there's nothing happened. It simply doesn't exist.

PRISM? What's that? WHOOSH - it's gone. Life is good.

But hey - if you're fighting the NSA, why not start with their own advice for hardening defences?

Tough Love From the NSA (Updated)

http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf

Most of their stuff (written for 10.6) is pretty basic but it doesn't take long to go through their list and update it.

  • Don't Surf or Read Mail Using Admin Account. This might seem a bit extreme, but it's the NSA talking to you. Your default account is an admin account. Why can this be dangerous? Because there are standard sudo exploits out there. This site's been looking into them for years. These aren't necessarily the fault of Apple. Whose fault it is doesn't matter. Search this site for info on them and when it comes to command line stuff, use CLIX. And always use sudo, never use su. And for goodness sake, make sure your root account is disabled - get an invalid password in there so no one can use it.

  • Use Software Update. Goes without saying. Apple have been pretty good about this, not introducing more headaches, as acquaintances of theirs up the coast near Seattle have often done.

  • Disable Automatic Login and User List. System Preferences → Users & Groups → Login Options pane (unlock if necessary) → automatic login is OFF, display window asks for both name and password, no input menu, no bleating password hints, no fast user switching, guest account disabled, make sure the pane is again LOCKED.

  • System Preferences Security & Privacy. General tab: 'require password for sleep and screen saver' immediately. 'Disable automatic login' should be ticked. (GateKeeper is not a big deal. Keep that at 'anywhere'. Apple aren't protecting you - they sold you out to the NSA.) Privacy tab: disable location services, remove any apps listed. Advanced button: require an admin password to access locked preferences. Firewall tab: firewall is ON. FileVault tab: skip it. (There are better ways.) LOCK.

  • Secure Home Folder Permissions. Goes without saying. The NSA recommend 'sudo chmod go-rx ~'. Do it.

  • Disable Unnecessary Services. A bit high brow, but here's their list of baddies you don't want around if not used.

    Launch Agents

    AgentPlist
    ARDcom.apple.RemoteDesktop.plist
    Remote Control  com.apple.RemoteUI.plist

    Launch Daemons

    DaemonPlist
    ARDcom.apple.RemoteDesktop.PrivilegeProxy.plist
    ARDcom.apple.RFBEventHelper.plist
    Bluetoothcom.apple.blued.plist
    Email servercom.postfix.master
    iSightcom.apple.IIDCAssistant.plist*
    NIScom.apple.nis.ypbind.plist
    User notifications  com.apple.UserNotificationCenter.plist
    VPNcom.apple.racoon.plist
    WebDAVcom.apple.webdavfs_load_kext.plist

    Do like this to disable these dogs (and be careful):

    sudo launchctl unload -w /System/Library/Launch[Agents|Daemons]/[PLIST]

  • Disable Setuid and Setgid Binaries. This isn't always possible. The NSA recommend the following to find the buggers - but note where they start their searches.
    find / -perm -02000 -ls; find / -perm -04000 -ls
    Xscan already has a facility for this - its 'Filters' menu is built according to guidelines in 'Hacking Exposed'. And it'll show you all of them at once, in a single listing which can be exported as well.



    The Bad Binaries. The NSA want you to disable 'set ID' on the following. Do this at your own discretion, using the command 'chmod ug-s [FILE]'.

    FileFunction
    /System/Library/CoreServices
    /RemoteManagement/ARDAgent.app  
    /Contents/MacOS/ARDAgent
    Apple Remote Desktop
     
    /System/Library/Printers/IOMs
    /LPRIOM.plugin/Contents/MacOS
    /LPRIOMHelper
    Printing
     
    /sbin/mount_nfsNFS
     
    /usr/bin/atJob Scheduler
    /usr/bin/atqJob Scheduler
    /usr/bin/atrmJob Scheduler
    /usr/bin/crontabJob Scheduler
     
    /usr/bin/chpassChange user info
    /usr/bin/ipcsIPC statistics
    /usr/bin/newgrpChange group
    /usr/bin/postdropPostfix mail
    /usr/bin/postqueuePostfix mail
    /usr/bin/procmailMail processor
    /usr/bin/wallUser messaging
    /usr/bin/writeUser messaging
     
    /bin/rcpRemote copy
    /bin/rloginRemote login
    /bin/rshRemote shell
     
    /usr/lib/sa/sadcSystem activity reporting
    /usr/sbin/scselectUser-selectable network location
     
    /usr/sbin/tracerouteTraceroute IPv4
    /usr/sbin/traceroute6Traceroute IPv6

  • Firewalls. Your system now has two firewalls. One is accessible through System Preferences (see above). The other is the standby ipfw packet filtering firewall, a much more powerful solution. But setting it up isn't trivial. Use the command 'sudo ipfw show' (to see what's currently allowed) and don't be surprised if you see '65535 0 0 allow ip from any to any'.

    See http://www.freebsd.org/doc/en/books/handbook/ and the man pages for ipfw and pfctl for more information.

  • Disable Bluetooth and AirPort Devices. Those NSA peeps know what they can accomplish. They recommend having an Apple expert remove Bluetooth hardware from your Mac. Barring that (!) they'd like you to remove the following files from your system.

    /System/Library/Extensions/IOBluetoothFamily.kext
    /System/Library/Extensions/IOBluetoothHIDDriver.kext


    They also recommend removing the AirPort card, or you can again disable at the software level by removing:

    /System/Library/Extensions/IO80211Family.kext

    YMMV. A good tip - if you commit to such changes - is to move the files to another location in your own area so you can restore them later if needed.

  • iSight. Ever used it? The NSA again recommend having an Apple technician remove the hardware. You can also mask the camera with tape. They also recommend removing the bundle at:

    /System/Library/Quicktime/QuicktimeUSBVDCDigitizer.component

    But again: move it rather than remove it. And don't try any of this stuff unless you really know what you're doing.

    [There's more info on 10.8 below. Ed.]

    You can also take care of your built-in microphone. Move out:

    /System/Library/Extensions/IOAudioFamily.kext

  • Touch Your Extensions. Because your system vendors are spying on you as never before (checking time stamps all over the place) give them a tickle when you're finished screwing with your system extensions.

    sudo touch /System/Library/Extensions

    There are a lot of caches built up for your convenience; bumping the directory's modified date can advise the system to update those caches.

  • Safari Preferences. Most people should know this by now, and who knows what the default is these days, but Safari should never be set to automatically open anything. And by now you should know better than to have Flash or Java on your system.

    Tip: if you really need Flash, then try the following.

    1. Download Google Chrome. But don't run it yet.

    2. Get out the 'keystone' files. Dig inside the bundle and find them all. You can remove them. The browser will still run. They're part of Google's own spying programme.

    3. Run Google Chrome. Do this only when necessary and exit immediately afterwards.

    4. Run the following script. (Yes Chrome is that invasive. That's why you want Safari.)

      rm -fr ~/Library/Application\ Support/Google/Chrome/Default/Archived\ History ~/Library/Application\ Support/Google/Chrome/Default/Cookies ~/Library/Application\ Support/Google/Chrome/Default/Current* ~/Library/Application\ Support/Google/Chrome/Default/databases/* ~/Library/Application\ Support/Google/Chrome/Default/Favicons ~/Library/Application\ Support/Google/Chrome/Default/Extensions/* ~/Library/Application\ Support/Google/Chrome/Default/History* ~/Library/Application\ Support/Google/Chrome/Default/Last* ~/Library/Application\ Support/Google/Chrome/Default/Local\ Storage/* ~/Library/Application\ Support/Google/Chrome/Default/Login* ~/Library/Application\ Support/Google/Chrome/Default/QuotaManager ~/Library/Application\ Support/Google/Chrome/Default/Top\ Sites ~/Library/Application\ Support/Google/Chrome/Default/User\ StyleSheets/* ~/Library/Application\ Support/Google/Chrome/Default/Visited\ Links ~/Library/Application\ Support/Google/Chrome/Default/Web\ Data ~/Library/Application\ Support/Google/Chrome/chrome_shutdown_ms.txt ~/Library/Application\ Support/Google/Chrome/Local\ State ~/Library/Application\ Support/Google/Chrome/Safe\ Browsing* ~/Library/Application\ Support/Google/Chrome/Service* ~/Library/Application\ Support/Google/Chrome/Temp/* ~/Library/Caches/Google

  • Bonjour. Disable Apple's Zeroconf with the following command and reboot.

    sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array-add "-NoMulticastAdvertisements"

As there are such great tools out there today which don't rely on system weakness (such as found in abundance on Windows) to compromise you, but which rely instead on tricking you, you need to be very careful what you put on your computer.

Anything Else?

Rich Mogull covered a lot of this for Macworld a month ago. Some of his comments are worth taking to heart, such as:

'When you're the NSA, nothing is safe.'

Keep that in mind.

Lysa Myers also cites the NSA back in August, but the doc she found is a whole OS X version older. And Lysa's writing for an AV vendor, so 'caveat emptor'. (No you still don't need AV on a Mac.) Even Nicole Nguyen cites the same document from the NSA for 10.5 Leopard.

Mogull recommends disabling 'allow user to reset password using Apple ID' as found in System Preferences → Users & Groups. And he has good tips for dealing with iCloud:

'Disable Back to My Mac and Find My Mac, lest someone be able to access or wipe your Mac if they gain access to your iCloud account.'

As for setting a firmware password (be careful) Mogull recommends booting into your recovery partition, as the NSA guide no longer works.

'Boot your Mac into the recovery partition by pressing cmd-R as your Mac is booting. Then select Utilities → Firmware Password Utility and set the password. You will need it whenever you boot into recovery mode or from an external drive.'

Disabling iSight requires more work on 10.8. Go here to get a script for it. Four binaries need to be dealt with now.

/System/Library/QuickTime
/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer

/System/Library/Frameworks
/CoreMediaIO.framework/Versions/Current/Resources/VDC.plugin/Contents/MacOS/VDC

/System/Library/PrivateFrameworks
/CoreMediaIOServices.framework/Versions/Current/Resources/VDC.plugin/Contents/MacOS/VDC

/System/Library/PrivateFrameworks
/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC

What a shame the author couldn't provide the simple shell script so people could see what's really going on.

Also recommended is taking a look at 'icefloor' as a front end for pfctl. Check the source first so you know what's going on.

Anything Else? (II)

Yes. Daily use. The above will help you against stupid and targeted attacks both. Check the WikiLeaks Spy Files 3 collection for additional info on how the bad guys (and their subcontractors) are targeting your Mac. Don't forget the original Spy Files releases.

Several other articles in the Learning Curve can be of use.

This article will explain what's currently wrong with sudo and how you can temporarily fix it. This article will introduce you to Glimmerglass, something that affects your online activities. This article will explain why you can't ever trust Google Chrome with your online passwords. And this article tells you more of what you need to know about staying under the radar of NSA PRISM.

There are tonnes more articles about hardening your Mac in the Learning Curve. Browse through the list or use the site search facility to find what you want.

Mavericks Clicks

The best way to manage security and other settings on an OS X Mac remains this application: CLIX. CLIX has security built into and up to the gills, and now for Mavericks comes with some pretty strong technologies. This article - published four years ago - showed already back then why Apple's code signing for OS X was a waste of time: it can easily be defeated manually, and skiddies can surely find a way to automate the process. And closing the gates as with the iPad and the iPhone is something you definitely don't want (and assuredly don't need).

But CLIX has another way (or two) to ensure integrity. The list is too long to enumerate here, but the methods have been described as 'reverse Houdini': CLIX in effect applies, from the inside, hermetical seals on the outside, and they can't be peeled off as can be done with Apple's code signing technology. Each and every sensitive operation in CLIX is prefaced by an integrity check. CLIX also makes sure your 'security' elsewhere is not lacking, so that setting 'TTY tickets' and removing the sudo grace period can thwart trojans in hiding, but not your use of the application and your own convenience.

See Also
Xfile: Free Test Drive
CLIX: Learn How to Fish

About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.