Security Quest #8 – Leopard Default Insecurity

This article is obsolete. Images and broken external links have been removed.

The default OS X install has always annoyed me with its security holes. Since I did a fresh install of OS X 10.5 Leopard, I needed to go through and change those settings. Here’s what I changed.

Under Security preferences I enable requiring a logon when returning from sleep or screen saver, and disable automatic logon.

It’s a minor inconvenience, but if my Mac is ever stolen it will prevent the thief from logging on and using the Mac as me. It also makes it harder to get at the files on disk, since that takes some technical knowledge and another computer.

On a related note, I enable the Master Password in Firefox. I have to enter the password when I start Firefox, but it prevents someone from easily accessing websites with my saved passwords simply by firing up Firefox.

Because my MacBook travels and is more likely to get stolen, I usually enable FileVault, but I haven’t enabled it yet. I’ll enable it once I’ve used the laptop for a few days and know it’s stable.

I was surprised to see that the firewall defaulted to “Allow all incoming connections”. This seems like a step back. The biggest single improvement Microsoft made to Windows security was enabling the firewall by default starting with Windows XP SP2. If you’re behind a home router there’s probably little cause for concern, but a direct Internet connection or a laptop that uses public networks would be at risk.

I set the firewall to block all incoming connections. Leopard will automatically open ports for the OS X services I enable. (This itself sounds like a problem, in that there seems to be no way to block some traffic on the firewall if Apple decides it’s needed.) If I find needed apps are being blocked, I’ll change to “Set Access for Specific Services and Applications” and add the apps to the list.

I also clicked the Advanced button and enabled logging (out of curiosity) and stealth mode.

When behind a home router (assuming it’s NAT enabled, as almost all are) stealth mode is unnecessary, and logging will (hopefully) confirm the Internet doesn’t see your Mac.
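An added example, not from the post, that audits the Application Firewall preferences Leopard stores in /Library/Preferences/com.apple.alf.plist against the settings chosen above (block all, stealth on, logging on). It parses a constructed plist rather than the live file so it runs anywhere; the key names and the meaning of each globalstate value are assumptions.

```python
"""Audit Leopard firewall preferences against the settings chosen above.

Parses a constructed com.apple.alf-style plist instead of the live
/Library/Preferences/com.apple.alf.plist so it runs on any machine.
Key names (globalstate, stealthenabled, loggingenabled) and the
globalstate meanings are assumptions, not taken from the post.
"""
import plistlib

PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<plist version="1.0"><dict>\n')
PLIST_TAIL = b'</dict></plist>\n'


def make_alf_plist(globalstate, stealth, logging):
    """Build a constructed plist carrying the three firewall keys."""
    body = b"".join(
        b"<key>%s</key><integer>%d</integer>\n" % (k, v)
        for k, v in ((b"globalstate", globalstate),
                     (b"stealthenabled", stealth),
                     (b"loggingenabled", logging)))
    return PLIST_HEAD + body + PLIST_TAIL


# Constructed samples: a fresh install (allow all, no stealth, no logging)
# and the configuration the post ends up with.
FRESH_INSTALL = make_alf_plist(0, 0, 0)
HARDENED = make_alf_plist(2, 1, 1)

# Assumed mapping of globalstate to the Security preference pane labels.
GLOBALSTATE = {0: "Allow all incoming connections",
               1: "Set access for specific services and applications",
               2: "Block all incoming connections"}


def audit_firewall(plist_bytes):
    """Return a list of deviations from the post's settings ([] if none)."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    state = int(prefs.get("globalstate", 0))
    if state == 0:  # the Leopard default the post objects to
        findings.append("firewall: " + GLOBALSTATE.get(state, "unknown"))
    if not prefs.get("stealthenabled", 0):
        findings.append("stealth mode: off")
    if not prefs.get("loggingenabled", 0):
        findings.append("logging: off")
    return findings


if __name__ == "__main__":
    for label, data in (("fresh install", FRESH_INSTALL), ("hardened", HARDENED)):
        print(label, "->", audit_firewall(data) or ["ok"])
```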

Then I went into my .Mac configuration and turned off Back to My Mac. I have nothing against it, but I won’t be using it for a while, and leaving it running seems to be inviting trouble. Some feel that Back to My Mac has a security hole, but what it comes down to is how secure your .Mac account is. If it has a secure, secret password that’s not used by anyone you don’t want accessing your Mac, then it seems fine.

I’ll have no problem turning it on once I’m ready to try it out.

The OS X firewall only blocks incoming connections. In the past I’ve used Little Snitch to manage outgoing connections, but version 1 is not Leopard compatible and version 2 is still in beta. I’m not installing the beta; I’ll wait for the full release.

Security Vulnerabilities

There was a vulnerability announced in WordPress 2.3. It’s resolved in 2.3.1 and doesn’t appear to exist in earlier versions.

News & Links

BBC.co.uk | Technology | PC stripper helps spam to spread – Spammers use strippers and malware to circumvent CAPTCHAs and spread spam.

Techdirt.com: Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse – TJX even worse than reported, with data being used in frauds. From the article: “It doesn’t seem like anything is really done to stop companies from being so careless…”

arstechnica.com: Microsoft security report: Our newer software is more secure – Microsoft has released the third installment of its MS Security Intelligence Report. Newer stuff is more secure.

news.com: McAfee to acquire ScanAlert – McAfee is acquiring ScanAlert. ScanAlert is the keeper of the “Hacker Safe” website security seal.

news.com: Report: U.S. tops list of spam-offending countries – Another report where the U.S. leads the world as the biggest spammer. It’s attributed to the large zombie population.

news.com: Report: PDF files used to attack computers – PDF file attachments now being used to spread malware.

theregister.co.uk: World’s most gullible supermarket chain falls victim to online scam – Email scam nets supermarket chain when they switch bank accounts based on an email. They claim “due to our internal controls and processes, we were able to quickly discover…”. Perhaps they need better controls on email?