ICE Snow Leopard


No doubt the Mac OS is a secure system by default; with the appropriate measures it can be a tough bone to chew for malicious hackers.

There are some huge mistakes that shouldn’t ever be made but I see them every day:

password, it’s the best way to be hacked

or easily guessable password is the second worst mistake: your password should be at least 8 (12 is better) characters long, with upper and lower case letters, numbers and non-alphanumeric characters. A nice website to test them is www.passwordmeter.com/. Just remember not to use on your machine a password that you typed in there.

A good way to create a password with stronger features is to pick a band you like. Let's say you're a Pearl Jam fan: pearljam as a password is 9% strong and easily guessable from your Facebook profile (yes, they do use that info to guess passwords). Just typing pearljam while alternating the Shift and Alt keys you'll have PæA®L¯Aµ, which is 69% strong; if you replace the first capital A by a 4 the strength increases to 86% and you have Pæ4®L¯Aµ, a robust password.

software is very likely to have a rootkit in it; I remember several times that software and even Mac OS systems were distributed with built-in

daily work, it's better to set up an Administrative account and then a Standard account for daily use

confidential information is asking for trouble.

very hard algorithm, AES 128 or (better) 256; even if your MacBook is stolen the information is safe, since it is almost impossible to decrypt it

passwords anywhere; since there are so many passwords to remember, Mac OS has a special feature, the Keychain app. Your passwords will be securely stored using the same AES 128/256-bit encryption; you can also use the Secure

information.

push the envelope to a very tight corporate security environment.

policies; locking down after the invasion is good, but testing and finding the holes beforehand is better.

Intrusion Countermeasure Enhancements - ICE Snow Leopard

The Mac OS Server is not that different from its desktop/laptop brother, and since it will be the center of, or part of, your company's central system, it should be locked down and tested:

TOOLS

A system administrator can perform proactive security by using tools to audit servers in order to know the existing vulnerabilities, rootkits, file misconfigurations and deployed services and the topology of the network, to monitor the network traffic for unusual transferred packets and different services, and to configure the firewall rules in a simple and correct way.

Nessus (http://tenable.com/products/nessus)

SAINT for Mac (http://www.saintcorporation.com)

Nmap (http://nmap.org/)

tcpdump and nc (included in Snow Leopard)

Wireshark (http://www.wireshark.org)

SSHGuard (http://www.sshguard.net/)

WaterRoof (http://www.hanynet.com/waterroof/)

Rootkit Hunter (http://www.rootkit.nl/)

Most of the time logs are not checked or read, due to the high volume and lack of time, so Michael Baum and his team came up with the best tool for screening those massive log collections:

Splunk (http://www.splunk.com)

for something wrong, Splunk is your best and fastest friend for this (and yes, I'm an unconditional Splunk fan and a biased one)
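As an added example (not from the article, Splunk or SSHGuard), this is the kind of screening such tools do over the logs mentioned above: counting failed SSH logins per source inside a sliding time window. The syslog-style sshd lines, host name and addresses are constructed for the example, and the year is assumed because syslog lines carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog style sshd writes; not from a real system.
SAMPLE_LOG = """\
Jun  5 10:21:07 macserver sshd[4321]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun  5 10:21:09 macserver sshd[4323]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jun  5 10:21:10 macserver sshd[4325]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Jun  5 10:21:12 macserver sshd[4327]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jun  5 10:21:13 macserver sshd[4329]: Accepted password for tiago from 192.0.2.10 port 50122 ssh2
Jun  5 10:21:14 macserver sshd[4331]: Failed password for root from 203.0.113.7 port 51255 ssh2
Jun  5 10:25:40 macserver sshd[4400]: Failed password for tiago from 192.0.2.10 port 50130 ssh2
Jun  5 10:26:01 macserver sshd[4402]: Failed password for tiago from 192.0.2.10 port 50131 ssh2
"""

# One regex for the failure line; "invalid user" is optional so both variants match.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def find_bruteforce(log_text, threshold=5, window_s=60, year=2010):
    """Return {ip: (failures_in_window, first_ts, last_ts)} for every source that
    reaches `threshold` failed logins within any `window_s`-second window.
    syslog lines carry no year, so the caller supplies one (assumed 2010 here)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                # successful logins and other daemons are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()        # drop failures that fell out of the window
        if len(window) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = (len(window), window[0], ts)
    return alerts

if __name__ == "__main__":
    for ip, (n, first, last) in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

SSHGuard does the same counting and then adds a firewall block for the source; the threshold and window are the knobs to tune against your own false-positive rate.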

The new cat in the alley - Neofelis

implemented for Mac OS X, and its purpose is quite different from the other tools presented here,

has some known vulnerabilities, so that attackers can enter the system and then their activities can be recorded by this tool, which allows to

session, store the network packets exchanged during the attack, and can reveal which files were modified and what was modified during an attack, besides logging information about

was used to enter the system. The collected information can be useful to find the so called

the Operating System after a thorough forensic analysis of the captured data.
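An added example (not Neofelis code and not from the article) of the simplest way to answer "which files were modified": hash a baseline of the file tree before the system is exposed and diff it against a later snapshot. The directory contents are constructed in a temporary directory for the demonstration.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map every regular file under root (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                      # hash targets, not links, to avoid double counting
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests

def diff_baseline(before, after):
    """Classify paths as added, removed or modified between two hash_tree() snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a small tree, change it, and diff the two snapshots."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "etc/sshd_config", b"Port 22\n")
        _write(root, "etc/motd", b"welcome\n")
        baseline = hash_tree(root)
        _write(root, "bin/ls", b"replaced ls binary")   # modified in place
        _write(root, "tmp/.hidden", b"dropped file")     # new file
        os.remove(os.path.join(root, "etc", "motd"))     # deleted
        return diff_baseline(baseline, hash_tree(root))
```

A rootkit that hooks system calls, as the text goes on to describe, can hide its changes from a check run on the live system, so take the baseline and run the comparison from trusted media or against an offline copy of the disk.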

It is of the utmost importance that attackers do not know that their activities are being monitored and stored; otherwise the attacker can leave the system, or the captured information does not correspond to real data, since the invader will not want to expose his attack methods and

extensions that hook system calls to hide files, directories, processes, loaded kexts and sockets in order to be stealthy. Moreover, the system contains a backoffice to store all captured data in a permanent format, and the communication between honeypot and backoffice is made

port knocking technique to allow access only to the administrator, who has the correct network packet sequence to open a secondary SSH server port, which is not monitored. After the administrator connects to the system, the honeypot closes the secondary SSH port, in order to allow access to only one root user, the administrator.
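The access gate described above, as an added example that is not Neofelis code: a minimal port-knocking state machine that opens the secondary SSH port only for a source that hits the knock ports in order within a time window, and closes it again once that source has connected. The knock sequence, the port number 2222 and the sample traffic are all assumed or constructed; the article gives none of them.

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock sequence, constructed for the example
KNOCK_WINDOW_S = 10.0                # the whole sequence must arrive within this many seconds
SECONDARY_SSH_PORT = 2222            # assumed management port; the article gives no number

class KnockGate:
    """Decides, per inbound TCP attempt, whether the secondary SSH port may accept it."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window_s=KNOCK_WINDOW_S):
        self.sequence = tuple(sequence)
        self.window_s = window_s
        self.progress = {}      # src_ip -> (index of next expected knock, time of first knock)
        self.open_for = set()   # sources that completed the sequence and may connect once

    def on_packet(self, src_ip, dst_port, now):
        """Return True only for a connection to the secondary port by a source that knocked."""
        if dst_port == SECONDARY_SSH_PORT:
            if src_ip in self.open_for:
                self.open_for.discard(src_ip)   # one login, then the port closes again
                return True
            return False                        # unknocked source: the port looks closed
        if dst_port not in self.sequence:
            return False                        # other ports are not part of the gate
        idx, started = self.progress.get(src_ip, (0, now))
        if idx and now - started > self.window_s:
            idx, started = 0, now               # sequence expired: start counting again
        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.open_for.add(src_ip)
                self.progress.pop(src_ip, None)
            else:
                self.progress[src_ip] = (idx, started)
        else:
            self.progress.pop(src_ip, None)     # any out-of-order knock resets the sequence
        return False                            # knock packets are never answered

def demo():
    """Constructed traffic as (time, source, destination port); returns the accept decisions."""
    gate = KnockGate()
    events = [
        (0.0, "10.0.0.5", 7000), (0.5, "10.0.0.5", 8000), (1.0, "10.0.0.5", 9000),
        (1.5, "10.0.0.5", 2222),   # correct sequence, administrator connects: accepted
        (2.0, "10.0.0.5", 2222),   # port already closed again: refused
        (3.0, "10.0.0.9", 7000), (3.2, "10.0.0.9", 9000), (3.4, "10.0.0.9", 2222),  # wrong order
        (20.0, "10.0.0.7", 7000), (31.0, "10.0.0.7", 8000), (31.5, "10.0.0.7", 9000),
        (32.0, "10.0.0.7", 2222),  # sequence took longer than the window: refused
    ]
    return [gate.on_packet(src, port, t) for t, src, port in events]
```

Running demo() shows only the fourth attempt accepted; in a real deployment the gate would be fed from the packet filter and the secondary sshd would only be reachable while the source is in open_for.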

about new types of attacks, tools and methods. It can be applied to any security-related company to obtain information about new threats and vulnerabilities, and also statistical data about attacks and their provenance. However, it is not well suited to the common enterprise world, where most companies do not want to know about the existing vulnerabilities, but may want to know statistical information about how many attacks were made against them and to sound an alarm when an attack is performed. In this

honeypot, such as Dionaea (the nepenthes successor) or HoneyD; once they deploy fake network

they are an excellent tool to raise an alarm in the event of an attack or to provide statistical data about attacks.

Useful Links:

http://www.securemac.com/

http://sectools.org/

Tiago Rosado
EMEIA BDM, Apple Expert
Dognædis, Coimbra - Portugal
http://www.dognaedis.com
(+351) 93 442 03 76

is a PhD student of Information Science and Technology at the University of Coimbra and a researcher at Carnegie Mellon University and the University of Coimbra. He developed Neofelis alongside Dognaedis during his Master's internship.
Email: [email protected]
Skype: joao.miguel.franco