The Mac OS X Security Myth
A Heartspring.net interview with computer security expert Chistopher Hicks of www.fini.net
Heartspring: Early this year we discovered spyware on our computer running Vista. The spyware's mission was to gather text and audio information undetected by the normal user. This intrusion was later confirmed by a security expert. However, our first reaction was to disable all remote connections launched through this Vista computer. This caused the spyware to hijack the password of a MacBook computer in close wireless proximity to the Vista computer. These events got us thinking about the "Mac security myth," prompting an investigation of log files, system directories, and network activity. It took many hours to understand the numerous open ports, launch agents, launch daemons, as well as a host of hidden applications running silently in the background. A huge amount of time and effort was spent learning about these ghost (a.k.a. daemon) applications and their security vulnerabilities.
Chistopher: Sorry the education is under such dire circumstances.
Heartspring: Our MacBook password was changed wirelessly by that compromised PC running the Vista operating system. Previously, the MacBook had been accessing a printer and backing up files through this Vista computer.
Chistopher: Windows has made the entire world's computers essentially a crime-ridden free-for-all. And it isn't because they're ubiquitous. In the future, try cleaning up a Windows Vista computer with software found in this discussion at www.spywareinfoforum.com.

It lists some Windows applications that are good. I've used MBAM before with good success. MBAM is a free scanner for malware such as adware and spyware. Another excellent free product is AVG, which takes care of antivirus and firewall. Many of the widely known antivirus security suites for Windows, such as Norton and McAfee, are quite slow and cause innumerable incompatibilities. Norton comes on many new computers with a time-limited license, so you're either annoyed with 'buy now' messages or silently lose updates and effective protection after a few months. Norton is so buggy they even have to provide a separate download to remove it. F-prot and Sophos make products I respect if you really want to pay for antivirus. Buying AVG is a very good idea too. Malware has become a much bigger problem than viruses in the Windows world in the last five years. Internet Explorer has been a wide hole through which much malware has propagated. Sadly, malware also comes packaged with a significant amount of shareware. An entire industry of fake cleanup software exists in the Windows universe that shows false positives and requires a purchase before cleaning up anything.
Heartspring: Also, we had our router firmware hacked. Upon resetting the password (offline), the router became nonfunctional; the factory reset button failed too. Also, the MacBook firmware password failed and seemed to be hijacked too.
Chistopher: Paul Makowski indicates that this is pretty easy to do. If your machine was otherwise compromised, this would be trivial to do as well. http://paulmakowski.blogspot.com
Heartspring: To fix things we popped out the RAM on the MacBook, thereby resetting the firmware password. Next we bought a new NetGear router. The router's password was set by connecting the router directly to the MacBook, unplugged from the internet modem.
Chistopher: Good work.
Heartspring: Next we "zeroed" and reformatted the hard disk, then reinstalled the OS from the original disks that came with the MacBook. Lots of time was spent disabling nonessential services, such as cups, AirPort, Spotlight, Bluetooth, and shared and remote services, by unloading .plist files. After much trial and error and dozens of reinstalls we've learned which disabled services break the OS. Since we perform transactions online, we tried not to disable things like Kerberos, BSD, ocspd, and authorizationhost.
Chistopher: Very good. Reinstalling the OS from vendor media is key to dealing with these things whether it is Linux, Windows, or Mac OS.
Heartspring: Now my network activity appears quiet; however, yesterday I noticed Time Machine activity: automountd trying to connect to "backup.backupdb" at an external IP owned by ViaWest. However, Time Machine is turned off in System Preferences. We try to limit this MacBook from connecting to unknown external IPs.
Chistopher: Hmmm. That is suspicious.
Heartspring: A couple of other things that we noticed:
1. Out-of-order timestamps on unedited syslog files.
2. "automountd wants to connect to mach_kernel.RP614v4 on UDP port 111 (sunrpc) via IP 204.232.162.88, Unix PID 240, User ID 0 root." (RP614v4 is the router.)
So my two big questions are...
1. How do I learn about configuring portmaps on the Mac ? (Snort software?)
Chistopher: Launching /Applications/Utilities/Netstat.app should show you what ports are open, but that won't tell you who is connecting out from your computer. There may be some internal firewall software for the Mac that allows you to authorize outgoing connections.
The other option is to sniff packets with Snort or something else. My preference would be to do this on a Linux computer between the Netgear router and the DSL/cable modem. Turning your Windows print server into a Linux box might be one way to get this moving. If you have a random PC that you can donate, that might help as well. I've got some 600 MHz machines that have a few NICs (network interface controllers) in them that I use for this sort of thing.
I didn't find anything to indicate the timestamp bug is known, but it could just be that. The 224.* IPs are for multicast (RFC 3171), so mDNSResponder trying to connect to them isn't surprising. Since multicast is pretty useless for most folks, there's no reason you can't filter out 224.0.0.0/4 at your router. The RFC 1918 IPs (10/8, 172.16/12, 192.168/16) can be filtered as well, minus the internal block you're using. I like the 10.0.0.0 block since most routers are set up for 192.168.0/24.
Heartspring: 2. How can I understand what's happening in the folder... /private/var/db ?
Chistopher: www.westwind.com/reference/OS-X/invisibles.html might be a start.
Heartspring: Sometimes I'd rather just chop wood and carry water, rediscover the wisdom of home brewed beer.
Chistopher: I doubt there's any wisdom in beer, but I'll leave those discoveries to others.
One of the fun folk-wisdom security measures is to take multiple small routers (hopefully from different vendors) and daisy-chain them together. This isn't a bad way to mitigate potential exploits, and it fits nicely into a "security in depth" philosophy. But many of the vendors share code from Linux or QNX in their routers, so it is easy to have one exploit work across several vendors. And most exploits these days work by calling out, so having a fortress on the downward path would be useless.
So take the daisy-chained router scenario and replace the outermost layer with a Linux box with 2 NICs. It would look something like the attached image. Your internet connection goes into the Linux box and your WAP gets Internet from the Linux box.
The Linux box should be running Fedora or Ubuntu. Ubuntu has been quite popular lately and probably has a few bells and whistles over Fedora, but I'm much happier in the Red Hat universe.
Attachment file
Then it will need a few things installed on it:
- The most interesting one is Wireshark, which you can learn more about at www.wireshark.org; this will provide a very usable packet sniffer for you.
- Less exciting, but helpful, is fwbuilder. You can set up NAT from the command line, but if you're not that adventurous, fwbuilder should be helpful. The NAT instructions are at www.fwbuilder.org.
At that point you can watch all of your packets going back and forth and see who your computer is talking to. You can filter out anything imaginable. You can use it as a local web cache.
I've also found that using my local Linux box as a caching name server and ignoring my ISP's name servers is a noticeable performance gain.
Heartspring: Thanks for the great information. We look forward to learning and publishing more about personal computer security.
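Editor's added example, not part of the interview and not code from any product mentioned in it: the egress policy Chistopher describes for the two-NIC Linux gateway (drop 224.0.0.0/4 multicast, drop RFC 1918 destinations other than the block actually in use, treat everything else as a real external destination to investigate) applied to connection records like the ones Heartspring quoted, plus the iptables commands that would enforce the same policy. The LAN block 10.0.0.0/24, the interface names eth0/eth1, and the sample connection records are all assumptions constructed for the example.

```python
"""Egress-filter demo for the two-NIC Linux gateway described in the interview.

Added example; not code from the interview or from any product it mentions.
Assumptions (not from the page): the LAN behind the gateway is 10.0.0.0/24,
the inside NIC is eth1 and the outside NIC is eth0. The connection records
below are constructed to resemble the firewall prompts Heartspring quoted.
"""
import ipaddress
from dataclasses import dataclass

MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # RFC 3171 multicast range
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_LAN = ipaddress.ip_network("10.0.0.0/24")  # assumed internal block


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt, as a host firewall would report it."""
    process: str
    pid: int
    uid: int
    dst: str
    port: int
    proto: str


# Constructed sample records modelled on the log lines quoted in the interview.
SAMPLE_CONNECTIONS = [
    Connection("automountd", 240, 0, "204.232.162.88", 111, "udp"),
    Connection("mDNSResponder", 35, 65, "224.0.0.251", 5353, "udp"),
    Connection("cupsd", 41, 0, "10.0.0.20", 631, "tcp"),
    Connection("automountd", 240, 0, "192.168.1.5", 111, "udp"),
]


def classify(conn, internal_block=DEFAULT_LAN):
    """Return the verdict the gateway policy gives one outbound connection.

    Order matters: the in-use internal block is allowed before the RFC 1918
    check so that the parent /8 does not swallow it.
    """
    dst = ipaddress.ip_address(conn.dst)
    if dst in MULTICAST:
        return "drop-multicast"
    if dst in internal_block:
        return "allow-internal"
    if any(dst in net for net in RFC1918):
        return "drop-rfc1918"
    return "review-external"


def needs_review(conns, internal_block=DEFAULT_LAN):
    """Connections to real external hosts: the ones to chase down first."""
    return [c for c in conns if classify(c, internal_block) == "review-external"]


def render_iptables_rules(internal_block=DEFAULT_LAN, inside_if="eth1", outside_if="eth0"):
    """Emit iptables commands implementing the same policy on the gateway.

    Returned as strings so the example runs without root. The ACCEPT for the
    in-use block is emitted before the DROP for its RFC 1918 parent, because
    iptables evaluates FORWARD rules in order.
    """
    rules = [f"iptables -A FORWARD -i {inside_if} -d {MULTICAST} -j DROP"]
    for net in RFC1918:
        if internal_block.subnet_of(net):
            rules.append(f"iptables -A FORWARD -i {inside_if} -d {internal_block} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {inside_if} -d {net} -j DROP")
    # Plain masquerading NAT on the outside interface, as fwbuilder would configure it.
    rules.append(f"iptables -t nat -A POSTROUTING -o {outside_if} -j MASQUERADE")
    return rules


if __name__ == "__main__":
    for c in SAMPLE_CONNECTIONS:
        print(f"{classify(c):16} {c.process}[{c.pid}] uid={c.uid} -> {c.dst}:{c.port}/{c.proto}")
    print()
    print("\n".join(render_iptables_rules()))
```

Run as-is, the script flags only the automountd connection to 204.232.162.88 for review; the mDNSResponder multicast traffic and the stray 192.168.1.5 destination are dropped by policy, and the printer on the assumed 10.0.0.0/24 block passes. Swap DEFAULT_LAN for whatever block your WAP actually hands out before using the rendered rules.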