Panos Koutsikos

Today was another revolutionary day for Apple Inc. as they began their week long Worldwide Developers Conference in San Francisco with a keynote led by Apple’s CEO, Steve Jobs. Much of the keynote included updates from the development progress of third party applications that will be available with the next OS X iPhone 2.0 software update in early July. Many of the games that were displayed have been ported using Apple’s iPhone 2.0 SDK. The games look truly revolutionary as the device will soon prove to be a leading gaming platform. The SDK will prove to be used to administer a higher level of corporate security with custom enterprise applications. Companies can internally develop applications to be implemented for iPhones as a single authorized device to run the applications. The integrity of enterprise data could be kept separate from applications that connect to the Internet.

The new iPhone 2.0 software will support Microsoft Exchange as well as iWork and Microsoft Office documents. The iPhone 2.0 software will add new functionalities such as the scientific calculator and parental controls. You will have the ability to save images directly to different locations with geo-tagging. Many applications will be doing extensive development that will include the added GPS functionality that Apple has included in the release of the iPhone 3G. Additional language support will include two forms each for Japanese and Chinese and you can even draw Chinese characters. Apple plans to deliver all of the third party applications with the App Store. This is Apple’s way for developers to reach every single iPhone user and even keep 70 percent of the revenues their app produces. 

Apple also released information about the next version of OS X (Snow Leopard). In addition to the press release, Apple has created a new section on its website explaining the focus of Snow Leopard. It is all about making sure that users have a consistent experience across Apple products. Apple will be adding full Exchange support in Mail, Address Book, and iCal because it is in the iPhone. Apple is working on shrinking the amount of hard drive space OS X requires similar to versions of OS X that run on the Apple TV and the iPhone. A new version of QuickTime, QuickTime X which will support ‘all modern codecs’ is also expected.

Last week, Apple also released a very useful document for securing Mac OSX 10.5 (Leopard), ”the world’s most advanced operating system.” After the keynote Apple seeded the seventh version of the SDK for it’s officially accepted 4000 iPhone “beta” developers. We shall now look forward to July 11th for the release of the iPhone 3G and the OS X iPhone 2.0 software update, “the world’s most advanced mobile platform.”

My favorite technical session from the SARMA conference was the Self Cleansing Intrusion Tolerance (SCIT) – A Proactive Risk Management Strategy by Arun Sood, a professor of computer science at the George Mason University where the conference was held.

The IT world requires new techniques to successfully deter cyber attacks on servers through out the Internet. This cat and mouse game between IT security professionals and hackers has become more rampant due to constant discoveries of software vulnerabilities and advanced attack techniques. 

Professor Sood’s research has led to the concept of intrusion tolerance, which is where a system will limit the damage caused by unknown and/or undetected cyber attacks. The old way of intrusion prevention and detection is done with firewalls but require the knowledge of attack modalities and software vulnerabilities. Sood has developed a proactive risk management approach with the use of his Self Cleaning Intrusion Tolerance (SCIT) technique.

The SCIT technique is a balance between security versus availability where a server will have multiple instances of virtualization and real-time server rotation. SCIT is very cost effective and is meant to compliment systems with the rotation of these virtualizations of a server image for only a minute each. This will limit the amount of time a server is actually exposed to the Internet to a one minute interval. This is all the time a hacker can utilize an actual attack on the server before the server virtualization image is then switched to another instance of the same server and restored to a last known good state.

A quickly growing market share proves that Apple computers are really getting popular and many Enterprise environments are quickly looking for ways to secure them. Integration with Microsoft’s Active Directory can really be tricky and third party solutions and the golden triangle must usually be leveraged to merge Macs and PC’s on the same network. I have been doing some research on the best practices of securing Mac servers and clients and found a great article by Derek Currie that has a good set of guidelines to follow. If you are doing a regular security certification or routine and preventative maintenance “in accordance with manufacturer or vendor specifications and/or organizational requirements,” you can follow these steps to guide you through the process:

1) Detail your backup strategy. I consider making backups the #1 rule of computing and the first step in computer security. Apple provides TimeMachine in Mac OSX 10.5 (Leopard).

2) Decide on program to use for storing and protecting passwords. You may want to use KeyChain or 1Password, which is an excellent shareware program.

3) Determine what file encryption you are using to protect critical data.  You can use FileVault or use encrypted disk images created in Disk Utility. Leopard Server offers 256 bit encryption. You shouldn’t need anything stronger. As long as you use a ridiculously un-guessable password, theoretically it would take a lifetime to crack.

Using encryption is one of the most important measures to take in securing a system. Federal servers are now notorious for having been cracked by the Red Hacker Alliance in China, among others. If the data is seriously encrypted, they’re wasting their time. Government agencies and many businesses now demand encryption. Here is a blurb from the SANS Institute’s security newsletter NewsBites Vol. 10 Num. 28 regarding some incredible ignorance at the NIH, coincidentally:

>> On Apr 8, 2008, at 04/08, 5:00 PM, The SANS Institute wrote:

>> NIH Workers May Not Store Sensitive Data on MacBooks

>> (April 4 & 7, 2008) A National Institutes of Health (NIH) agency memo forbids employees from storing sensitive data on MacBook laptop computers.  As of April 4, all NIH laptops running Windows or Linux operating systems must have the Pointsec encryption tool; Windows Vista users may also use that operating system’s BitLocker disk encryption tool.  There is presently a beta version of Pointsec for MacBooks, but not an approved version. The ban on MacBooks holding sensitive data applies to contractors as well as in-house employees.

>> Editor’s Note (Schultz): As said so many previous times, nothing serves as a wake-up call for security as much as a serious security-related incident. (Liston): Note: The issue here is the lack of an approved version of whole-disk encryption, not with OSX itself.

Obviously FileVault would be ‘approved’ if they bothered to notice it was there in Mac OS X!

4) Discuss the fact that Mac OS X uses the PDF document format as part of its foundation, and that any PDF can be locked such that only a user with its password can open it. Explain how locked PDF’s are now often used in the work environment.

5) Discuss your implementation of PGP or GPG (the free Open Source version of PGP) in your work environment.

6) Apple has some security documents relevant to Mac OS X Server:

a) Mac OS X Server - Security Configuration - For Version 10.4 or Later - Second Edition

- If an update is provided specific to Leopard Server, it will be posted on the Security Configuration Guides page:

     b) Mac OS X, Mac OS X Server: Protection for sensitive files when using Apache on an HFS+ volume

     c) Mac OS X: How to keep network computers secure

     d) Mac OS X Leopard - Features - Security

7) Apple also offers their Security-Announce mailing list. You can get it via email or via RSS:

Some security statistics from March 2008 to quote in defense of Mac OS X’s excellent security record:

An excerpt from the Zone-H Statistics Report 2005-2007, the number of registered computer attacks:

Operational System | Year 2005 | Year 2006 | Year 2007

—————————————————–

MacOSX                        2.139                 2.247                1.488

Windows 2003             72.377               183.953            114.137

2) Apple provide references to security related software from third- party vendors at their ‘Macintosh Products Guide’ pages:

Examples:

     a) Go to the Mac Software/Products and Utilities page. In the ‘Sub-category’ popup menu choose       “Security” and hit the Search button. Today there are 135 security related apps listed.

     b) Go to the Mac Software/Servers, Networking & Communications page. In the ‘Sub-category’ popup menu choose “Security” and hit the Search button. Today there are 20 related apps listed.

You could also search for software firewalls, hardware firewalls, etc.

The guidelines in this article were originally written by Derek Currie, posted on April 15, 2008. Derek wrote these steps in response to a request for information on specifications or guidelines for preventative maintenance for XServes and/or OS X Server. Derek took the time to write this detailed response, specifically directed at Enterprise Mac users, on the ‘Mac OS X enterprise deployment project’ email list. These lists are great and I have found some of my best information from reading the detailed responses. Derek also writes in a blog that has lots of great posts relating to Mac OS X Security. Check it out!