Security on the Mac


Delivered on MacMania 15 in Australia, this talk covers the history of how the Mac used to

Published in: Technology

  1. Mac OSX Security
      • Allison Sheridan
      • November 2012
      • http://podfeet.com
      • Sunday, November 25, 12
  2. Definitions
      • Malware - a generic term to describe anything put on your machine with the intent to harm
      • Virus - a self-replicating type of malware that moves from machine to machine without active participation by the user
      • Trojan Horse - malware that masquerades as something else - e.g. free Photoshop, video codecs
  3. Agenda
      • History
          • Didn’t we used to be safe?
      • State of the Union
          • Where are we now? (Some good news)
      • What practical things can we do to be safe?
          • Email safety
          • Software updates
          • Protecting passwords
          • Gatekeeper
          • Anti-Virus
  4. 2004 - 2007 Blissful Ignorance
      • 2004 - Mostly ignored
          • Renepo worm is proof of concept
      • 2006 - Denial
          • Leap-A first ever virus for OSX
      • 2007 - I remember this year
          • Office Macro Virus ran on OSX, Windows & Linux (we all blamed it on Microsoft)
          • Bad Bunny (creepy pornographic bunny) and the first Financial Trojan for Mac (and Windows) - which also offered porn
  5. 2008 - Things start to heat up
      • Macs and PCs attacked by poisoned adverts offering Scareware called MacSweeper and Imunizator - without which they threatened all your data would be erased
      • Hovdy-A Trojan stole passwords, opened the firewall and disabled security settings
      • RKOSX-A - Helped make more trojans
      • Video Codec claims - you can’t play the video without this codec…
      • First time Apple suggested anti-virus software, and then deleted the suggestion
  6. 2009 - Your Own Darn Fault
      • iWorkS-A trojan horse in pirated versions of iWork and Photoshop
      • Another video virus MacCinema
      • How about some more porn? Enjoy your Jahlav trojan
      • We’re all still smug that we’re too smart to get infected
  7. 2010 - Starting to Get Nervous
      • Pinhead trojan allowed hackers to gain remote control - but again through downloads of legitimate software like iPhoto from illegitimate sites
      • Boonana worm uses a Java applet to target Windows, Mac and Linux
  8. 2011 & 2012 Hard to Ignore
      • BlackHole RAT allows hackers to gain remote access
      • MacDefender hits the scene - pretending to be a legitimate security application - acquired through a search engine poisoning campaign
      • Flashback Trojan hits disguised as an update for Adobe Flash
      • Apple acknowledges and provides removal tools
      • source:
  9. What Changed?
      • Originally malware was plain old vandalism - destroy your hard drive and leave a signature for bragging rights
      • Over time, malware has mutated into a multi-billion dollar business
      • Hacktivism - hacking for political purposes
          • LulzSec & Anonymous
      • Digital espionage and sabotage
          • Stuxnet malware distributed specifically to attack a Siemens computer system used by Iran’s nuclear program
  10. The Big Money - Botnets
      • Technical bad guy writes some code and infects a lot of machines (millions) such that he/she can control those machines at will
      • Technical bad guy sells the botnet to an extortionist
      • Extortionist tells a gambling site, “It would be a shame if your site went down the night before your big tournament”
      • If the gambler doesn’t pay up, extortionist tells all the machines in the botnet to attack the gambling site at the same time
      • Creating a Distributed Denial of Service Attack
  11. Why was OSX Left Alone So Long?
      • OSX is based on a relatively secure operating system - BSD with decades of security updates
          • Remember no OS is truly secure
          • Secure as compared to Windows
      • Small number of computers meant less profit
          • Remember bad guys need to infect millions of computers to be effective
          • OSX wouldn’t have added significantly to the numbers
  12. Apple Took Their Eyes Off the Ball
      • Flashback Trojan didn’t have to be as painful as it was
      • Apple didn’t patch Java for months after Oracle patched - would have saved so many from Flashback
      • Apple grew complacent after decades of no real threats
      • Microsoft in contrast became very vigilant
      • Microsoft have implemented technologies for preventing exploits of bugs (DEP + ASLR)
      • Apple has it NOW but they were late to the party
  13. #1 Thing You can Do to be Safe
      • When Software Update tells you it’s ready to give you something - say yes!
      • Don’t procrastinate when it wants to reboot
      • With Lion+ resume all windows and applications it’s much faster to reboot
      • Allow your applications to update as well
  14. I Have an Old OS, They Won’t Attack That
      • Well...that’s not quite true
      • Apple only updates one OS version back
          • Mountain Lion is out - Lion is updated but not Snow Leopard
      • Older OS’s often contain the same code that just got patched in the new OS
      • Vulnerabilities still exist in the old OS so you’re not safe
      • Best to upgrade say after the first two revs are out
      • What’s the advantage of waiting? You know you’re going to upgrade eventually!
  15. Just Disable Java*
      • Very few sites use Java these days
      • Disable in your browsers (Tutorials on how to do that on!)
      • If you ever need Java, reenable on Chrome and then disable again
      • Safari automatically disables Java if you don’t use it for a while (what does that tell you?)
      • Another option is to keep one browser for Java that you never use for anything else
      • * Apple removed Java from all browsers in late October
  16. Mountain Lion: Now for the Good News
      • Gatekeeper controls how and what apps you can install
          • Safer to download apps
          • Harder to get malware
      • Highest protection level: Set Security to allow apps from Mac App Store Only
          • Apple reviews each app
          • If an app slips by, Apple can remove from the store
  17. What if You Don’t Use the MAS?
      • You: Set Security preferences
          • Allow apps from MAS and from identified developers
      • Developers: Register with Apple, they get a unique developer ID
          • Digitally sign their apps with this ID
      • Gatekeeper: Checks to see if the app is digitally signed and warns you if it’s not
      • Result: Unsigned apps never land on your machine
  18. What if You Know an App is OK?
      • An app you trust shows this when you try to open it
      • You can still open it without turning off Gatekeeper
      • Control-click to open the app
      • Gatekeeper will still warn you but will give you the option to open
  19. I Want to Control My Own Destiny!
      • What if you’re a sophisticated user and want to walk on the wild side?
      • Set Security Settings to Allow from Anywhere
      • Gatekeeper will give you one last chance to change your mind...
      • Now you’re just as insecure as you were on Lion and before
      • Personally, I keep it on Mac App Store and ID’d developers
      • More on Sandboxing and Gatekeeper:
  20. So What’s Sandboxing Then?
      • Sandboxing doesn’t require you to do anything
      • Sandboxing isolates apps from critical components of your Mac
      • Apps as submitted to the Mac App Store must declare what features they need to access
      • For example, an address book app would ask for access to your Contacts
      • Some apps ask for access they shouldn’t need - Sandboxing will warn you of this
      • Why would Chrome need my contacts? Just say no!
  21. More on Sandboxing
      • Apple is even Sandboxing its own apps like Notes, Reminders, Game Center, Mail and FaceTime
      • Result - if an app is compromised by malicious code, the damage is limited to what the app is authorized to access
      • Any downsides to Sandboxing?
      • Some of the more creative utilities can never be in the Mac App Store because they do access core services
      • For Example: TextExpander 4, AppDelete
  22. Be Safer in Email
      • Do you ever get email where the From field says Of course not!
      • The From field is VERY easy to fake
      • Never ever ever EVER click on any links in an email requesting you update your information at a site
      • Even if it says it’s from your bank or Google, or Apple or .gov
      • Here’s why...
  23. You Can’t Trust Links
      • Learn to hover over links
      • Anyone can fake a link
      • Example: See how the link says it’s from Hovering reveals it’s actually from
      • Even if hovering shows a link is from the expected source, I still don’t click them
      • Enter the URL directly in your browser so you’re positive it’s the real deal
  24. Just Disable Flash
      • Very few sites use Flash these days
          • For some reason restaurants have Flash menus
          • Most other sites have swapped to h.264 for video
      • Disable in your browsers
          • Flashblock on Firefox firefox/addon/flashblock/
          • Click to Flash on Safari
      • Both will stop those annoying animated ads, and make your system more stable
      • Another note - you don’t need Adobe Acrobat, you have Preview!
  25. Time to Talk Passwords
      • Don’t panic, this is easier than you think!
      • Enter LastPass at
      • You select one (last) password then store all the rest of your passwords in one place
      • Encryption happens on your machine, not their servers
      • I’m lazier than just about anyone, and I can use LastPass
      • Easy to create passwords, easy to enter passwords
      • Plugins for Safari, Firefox, Chrome
      • LastPass browsers for iOS!
  26. LastPass is the Last Password You Need
      • Save passwords
      • Save websites
      • Save license keys
      • Save credit card info
      • Create auto-fill forms - enter your address, phone number, everything a website is asking for in a few clicks
      • Concerned it might not be safe to trust LastPass?
      • Believe noted security expert Steve Gibson:
  27. How to Choose Good Passwords
      • Make sure your passwords are long and complex
      • It’s not like in the movies...
      • The longer your password, the harder to crack
      • The more types of characters, the harder to crack
          • Upper/lower case, numbers, punctuation
      • As you add 1 more character to the password each time you get 64 TIMES (x) more strength
      • How do we remember these passwords if not using LastPass to create and store?
      • Consider to generate complex and yet memorable passwords
  28. Protect the Crown Jewels
      • Anything financial - banking sites, stock trading sites etc.
      • Anything which stores your credit card (including things like your Apple ID, Skype, and store sites like Amazon)
      • All email accounts
          • You’d be surprised how connected your emails are
      • All passwords relating to your work
          • You don’t want to be the person who allowed your company’s proprietary information to leak
  29. Silly Sites
      • NEVER re-use passwords you use on sites like these
      • I used the same password on silly site Gawker Media and Skype
      • Didn’t change my Skype password - was a silly site
      • Forgot Skype auto-loaded credits from my Paypal account
      • Gawker got hacked
      • I lost $200 in 1.5 hours
      • Good news is Paypal and Skype took care of me
  30. Time for Anti-Virus?
      • Sorry, but yes
      • Recommend ClamXav from
      • Non-intrusive, doesn’t slow your system down, adds a layer of protection
      • I installed it and messed with the configuration till I got something that doesn’t annoy me but gives some protection
      • Steps to configure ClamXav: wordpress/tutorials/how-to-install-clamxav-anti-virus-for-mac/
      • Demo time!
  31. Special Thanks
      • Over the past 5 years I’ve been tutored in Security by Bart Busschots of
      • Pretty much everything I know on this subject is because of him
      • Follow him on Twitter at @bbusschots
      • Listen to the International Mac Podcast which he hosts with Stu Helm at
  33. Blog/Podcast: Email: Twitter: @podfeet Slides: