Mac OS X Security

Preface and Disclaimer

This paper presents an overview of the security situation of Mac OS X. The purpose of this paper is to present security in a very easy-to-understand fashion. I firmly believe that there is an absurd amount of FUD about computer security in general, mostly propagated by vendors of antivirus software and their partners. In the case of Mac OS X specifically, it is very difficult to get accurate, non-sensational information about what the real security threats are. This paper began as a genuine effort to figure out, and then convey, what the real status of Mac OS X security is.

Please be aware that I am no security expert (nor am I a hacker), but simply a normal computer nerd with a passion for most things relating to computers and design. I have made every effort to consult the writings of security experts and convey accurate information. If any security ninjas out there find any inaccuracies, please let me know.

With the exception of the section “Out Of The Box Security and Additional Hardening Measures”, the entire report refers to Mac OS X 10.4 and prior versions. Where possible, I state specific versions of the operating system that I am referring to.

I’ve broken up this report into several pages because it is quite long. You can also download the report in its entirety in PDF format.


Enough With the Security FUD

One of my biggest complaints with the security industry in general is that it seems to thrive on FUD. I find this particularly frustrating, because there actually is a lot of really important information out there. Unfortunately, to find it you usually have to dig through layers of junk.

It pisses me off that someone like me, who is generally knowledgeable about such things although by no means an expert, can frequently find articles that are either completely wrong or very misleading. While this is merely annoying for me, the reality is that most people simply lack the knowledge about computers and security to recognize that the information they are getting is often just crap.

I was particularly annoyed by a recent article in ZDNet. Basically, a Windows XP machine was set up on an unsecured wireless network and a security expert demonstrated a hack that downloaded some information from the compromised computer’s My Documents folder. It took about 11 minutes.

Getting onto the unsecured wireless network, pinging possible IP addresses of other computers on the network, finding Andy’s unpatched computer, scanning open ports for vulnerabilities, using the attack tool to build an exploit, and using the malware to get into the XP command shell took six minutes.

Frightening, yes. Surprising, no. The important part of the article is the fact that the compromised computer was running with SP1 and no protection whatsoever:

[They] connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software…

This article isn’t really news at all. It simply demonstrates that if you put a default Windows XP SP1 install on a network, it is likely to get hacked (and fast). In fact, the “unsecured wireless network” part of this article is completely irrelevant. Granted, it may make hacking easier, but the fact remains: a default install of Windows XP SP1 will get hacked.

So, yes, everybody, if you do not have SP2 on your Windows XP install, get it now. If you don’t have it because you pirated Windows, buy a fraking copy, or at least start using some free Linux OS (like Ubuntu).

I suppose there is no harm in reiterating the point that everybody, regardless of operating system, should be installing their service packs. I do, however, take issue with the sensationalist tone of the article. Using FUD to increase page views or sell software doesn’t help anyone. This article could just as easily have been written about hacks against XP SP2 or Vista with patches installed. The hack probably would have taken a lot longer and required a lot of things to line up perfectly, but that’s not to say it can’t be done. At least that type of article might have been newsworthy or even helpful. Even John Dvorak knows this article is crap.

Password Cracking

Here are some really interesting charts on how long it would take to crack various types of passwords.