Better Safe Than Sorry Security and OS X
SECURITY An Unexpectedly long Journey…
Agenda
• Threats
• Protection
• Configurations
• “Best Practices?”
• …
Let’s talk security
Distrust and caution are the parents of security Benjamin Franklin
Then…
• No viruses
• No malware
• Secure by design
• and of course very cool…
Once the market share starts growing, then… There are definitively viruses for Mac out there…
Well, don’t be stupid… Windows users are more aware of security, i.e. more secure…
I have ”friends” who know how it’s done …
You absolutely need anti-virus protection on Mac…
Now…
• Gatekeeper
• Application Sandboxing
• Malware Detection
• Full Disk Encryption
• …
Apple Security
• Device Security
• Platform Security
• Data Security
• Network Security
Apple Security Philosophy
• Ease of use
• Guide the users
• Secure defaults
• Freedom to choose
In the Hacker Toolbox ”the quieter you become, the more you are able to hear”
A hacker to me is someone creative who does wonderful things Sir Tim Berners-Lee
Who’s the Hacker?
• Hacking for fun
• Hacking for profit
• Governments
• …
Tools of the trade
• nmap
• Wireshark
• Cain & Abel
• John the Ripper
• Metasploit
• …
Demo Playing with fire
Device Security Securing the box
Amateurs hack systems, professionals hack people Bruce Schneier
Device Security
• EFI firmware password
• iCloud locking
• Configuration profiles
• Policy management
• …
Firmware Password
• UI tool on the Recovery HD
• Prevents modifier keys
• setregproptool -m full
• What if you forget it…?!
iCloud Locking
• iCloud / Find My iPhone
• Can only use 4 digit code
• Survives reboot / reset pram
• …but is it secure?
Demo Setting a Firmware Password
Platform Security Securing the processes
People who are serious ’bout software should make their own hardware Alan Kay
Platform Security
• Application Sandboxing
• Code Signing
• Gatekeeper
• XProtect & Quarantine
• …
Mandatory Access Control
• Application Sandboxing
• Entitlements
• sandbox-exec -n
• …
openBSM Audit
• Logging above and beyond…
• system events and user events
• praudit for reading audit trails
• …
Demo Roll your own IDS
Data Security Securing the information
There is no castle so strong that it cannot be overthrown by money Cicero
Data Security
• Full Disk Encryption
• Keychain Access / iCloud Keychain
• Encrypted Containers
• Secure Erase
• …
FileVault 2
• Rich Trouton has the full story
• derflounder.com
• What about performance…?! (before… / after…)
Encrypted Container
• Disk Utility or hdiutil
• 128 or 256-bit encryption
• Password in a keychain
• Password in an external keychain
• …
Demo A ”poor man’s” 2-factor authentication
Network Security Securing the traffic
Users will take dancing pigs over security every time Bruce Schneier
Network Security
• Encrypted traffic
• Encrypted authentication
• Firewalls
• …
Firewalls
• Application Layer
• Simple UI setup
• Packet based IPv4 & IPv6
• CLI or IceFloor 2
• …
Demo Computer Lockdown, extraordinaire
Encryption Primer Talk is cheap, …if unencrypted
Meet our friends…
Eve Alice Bob
Do you have the password?
Yes, it’s apple123
Clear text is not a secure way of transmitting secrets on a network…
pwnd!
Thank you!
Do you have the password?
Yes, it’s ********
We really need to encrypt any secret information before it is sent…
?
?
Yes, it’s ********
…but, how do we share encryption keys without everyone on the network getting them?
?
?
Let’s do DHX Diffie Hellman Exchange
Do you have the password?
Diffie Hellman Exchange
Secret * p1 = x1
Here’s (x1)
x1 * p2 = x2
OK, here’s (x2)
x2 / p1 = x3
OK, here’s x3
x3 / p2 = Secret
$#*!…
Thanx!
Crack the Code What is the password on
the encrypted USB-stick?
Diffie Hellman Exchange… lite
Alice first sends x1 = 22 729 to Bob…
Bob sends x2 = 250 019 back to Alice…
Alice then sends x3 = 14 707 back to Bob…
x1 = secret * p1
x2 = x1 * p2
x3 = x2 / p1
x3 / p2 = secret
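Why the “lite” exchange above can be cracked, as an added example that is not part of the original slides: every value on the wire is a plain product, so a listener who sees x1, x2 and x3 can divide them to get p1, p2 and the secret, whereas textbook Diffie-Hellman sends only modular powers. The function names and the toy Diffie-Hellman parameters (p = 23, g = 5, a = 6, b = 15) are assumptions chosen for illustration.

```python
# Added example (not from the slides): the "lite" exchange vs. textbook DH.

def lite_exchange(secret, p1, p2):
    """Values sent on the wire in the slide's scheme (p1: Alice, p2: Bob)."""
    x1 = secret * p1   # Alice -> Bob
    x2 = x1 * p2       # Bob -> Alice
    x3 = x2 // p1      # Alice -> Bob, after Alice removes p1
    return x1, x2, x3  # Bob finishes with x3 // p2 == secret


def eavesdrop_lite(x1, x2, x3):
    """Recover (secret, p1, p2) from the three observed messages alone."""
    if x2 % x1 or x2 % x3:
        raise ValueError("messages do not fit the lite scheme")
    p2 = x2 // x1      # because x2 = x1 * p2
    p1 = x2 // x3      # because x3 = x2 / p1
    if x3 % p2:
        raise ValueError("messages do not fit the lite scheme")
    return x3 // p2, p1, p2


def dh_exchange(p, g, a, b):
    """Textbook Diffie-Hellman: returns (A, B, Alice's key, Bob's key).

    Only A and B cross the network. Getting a or b back from them means
    solving a discrete logarithm, which plain division does not do. The
    shared key then encrypts the password; it is never sent itself.
    """
    A = pow(g, a, p)   # Alice -> Bob
    B = pow(g, b, p)   # Bob -> Alice
    return A, B, pow(B, a, p), pow(A, b, p)


if __name__ == "__main__":
    # The three numbers from the "Crack the Code" slide.
    print("listener recovers (secret, p1, p2):",
          eavesdrop_lite(22729, 250019, 14707))
    # Toy parameters (assumption). A 23-element group is trivially
    # brute-forced; real deployments use groups of 2048 bits or more.
    print("DH (A, B, key_alice, key_bob):", dh_exchange(23, 5, 6, 15))
```
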
”It can only be attributable to human error…” HAL 9000
Practice what you learn
Can you hack it? Setup with security in focus
Can you read the content in
the PDF in the Shared folder?
Security Setup
• Firmware Password - setregproptool -m full
• FileVault2 Encrypted
• Secure Container - 256-bit encrypted
• Password stored in external keychain
• Encrypted PDF
• All passwords 22 characters
• …
”Dave, this conversation can serve no purpose anymore…”
Goodbye