Better Safe Than Sorry Security and OS X

[email protected]

SECURITY An Unexpectedly long Journey…

Agenda •

Threats

•

Protection

•

Configurations

•

“Best Practices?”

•

…

Let’s talk security

Distrust and causion are the parents of security Benjamin Franklin

Then… •

No viruses

•

No malware

•

Secure by design

•

and of course very cool…

Once the market share starts growing, then… There are definitively viruses for Mac out there…

Well, don’t be stupid… Windows users are more aware of security, i.e. more secure…

I have ”friends” who knows how it’s done …

You absolutely need anti-virus protection on Mac…

Now… •

Gatekeeper

•

Application Sandboxing

•

Malware Detection

•

Full Disk Encryption

•

…

Apple Security •

Device Security

•

Platform Security

•

Data Security

•

Network Security

Apple Security Philosophy •

Ease of use

•

Guide the users

•

Secure defaults

•

Freedom to choose

In the Hacker Toolbox ”the quieter you become, the more you are able to hear”

A hacker to me is someone creative who does wonderful things Sir Tim Berners-Lee

Who’s the Hacker? •

Hacking for fun

•

Hacking for profit

•

Governments

•

…

Tools of the trade •

nmap

•

Wireshark

•

Cain & Able

•

John the Ripper

•

Metasploit

•

…

® metasploit

Demo Playing with fire

Device Security Securing the box

Amateurs hack systems, professionals hack people Bruce Schneier

Device Security •

EFI firmware password

•

iCloud locking

•

Configuration profiles

•

Policy management

•

…

Firmware Password •

UI tool on the Recovery HD

Firmware Password •

UI tool on the Recovery HD

•

Prevents modifier keys

•

setregproptool -m full

•

What if you forget it…?!

iCloud Locking •

iCloud / Find My iPhone

•

Can only use 4 digit code

•

Survives reboot / reset pram

iCloud Locking •

iCloud / Find My iPhone

•

Can only use 4 digit code

•

Survives reboot / reset pram

•

…but is it secure?

Demo Setting a Firmware Password

Platform Security Securing the processes

People who are serious ’bout software should make their own hardware Alan Kay

Platform Security •

Application Sandboxing

•

Code Signing

•

Gatekeeper

•

XProtect & Quarantine

•

…

Mandatory Access Control •

Application Sandboxing

•

Entitlements

•

sandbox-exec -n

•

…

openBSM Audit •

Logging above and beyond…

•

system events and user events

•

praudit for reading audit trails

•

…

Demo Roll your own IDS

Data Security Securing the information

There is no castle so strong that it cannot be overthrown by money Cicero

Data Security •

Full Disk Encryption

•

Keychain Access / iCloud Keychain

•

Encrypted Containers

•

Secure Erase

•

…

FileVault 2 •

Rich Trouton has the full story

•

derflounder.com

FileVault 2 •

Rich Trouton has the full story

•

derflounder.com

•

What about performance…?!

before…

FileVault 2 •

Rich Trouton has the full story

•

derflounder.com

•

What about performance…?!

after…

Encrypted Container •

Disk Utility or hdiutil

•

128 or 256-bit encryption

•

Password in a keychain

•

Password in an external keychain

•

…

Demo A ”poor mans” 2-factor authentication

Network Security Securing the traffic

Users will take dancing pigs over security everytime Bruce Schneier

Network Security •

Encrypted traffic

•

Encrypted authentication

•

Firewalls

•

…

Firewalls •

Application Layer

•

Simple UI setup

•

Packet based IPv4 & IPv6

•

CLI or IceFloor 2

•

…

Demo Computer Lockdown, extraordinaire

Encryption Primer Talk is cheap, …if unencrypted

Meet our friends…

Eve Alice Bob

Yes, it’s apple123

Clear text is not a secure way of transmitting secrets on a network…

Do you have the password?

Yes, it’s apple123

Clear text is not a secure way of transmitting secrets on a network…

pwnd!

Thank you!

Yes, it’s ********

We really need to encrypt any secret information before it is sent…

Do you have the password?

Yes, it’s ********

We really need to encrypt any secret information before it is sent…

?

?

Yes, it’s ********

…but, how do we share encryption keys without everyone on the network getting them?

?

?

Let’s do DHX Diffie Hellman Exchange

Do you have the password?

Here’s (x1) Diffie Hellman Exchange Secret * p1 = x1 ! !

Here’s (x1) Diffie Hellman Exchange Secret * p1 = x1

!

x1 * p2 =! x2 !

!

OK, here’s (x2)

OK, here’s x3 Diffie Hellman Exchange Secret * p1 = x1

!

x1 * p2 =! x2 !

! x2 / p1 =! x3

OK, here’s (x2)

OK, here’s x3 Diffie Hellman Exchange Secret * p1 = x1

!

x1 * p2 =! x2 !

x2 / p1 =! x3 !

x3 / p2 = Secret

$#*!…

Thanx!

Crack the Code What is the password on
 the encrypted USB-stick?

Diffie Hellman Exchange… lite Alice first send x1 = 22 729 to Bob… Bob send x2 = 250 019 back to Alice… Alice then send x3 = 14 707 back to Bob…

x1 = secret * p1 x2 = x1 * p2 x3 = x2 / p1 x3 / p2 = secret

”It can only be attributable to human error…” HAL 9000

Practice what you learn

Can you hack it? Setup with security in focus

Can you read the content in
 the PDF in the Shared folder?

Security Setup •

Firmware Password - setregproptool -m full

•

FileVault2 Encrypted

•

Secure Container - 256-bit encrypted

•

Password stored in external keychain

•

Encrypted PDF

•

All passwords 22 characters

•

…

”Dave, this conversation can serve no purpose anymore…”

Goodbye