Forgot your password?
typodupeerror
Operating Systems Books Media Businesses Security Software Book Reviews Apple

Mac OS X Maximum Security 154

Posted by timothy
from the then-he'd-have-to-kill-you dept.
honestpuck writes "Security has long been a concern for Unix administrators who find themselves connected to the sometimes dark and dirty world of the Internet. With the advent of personal operating systems with file sharing, remote login and built-in web servers, and the spread of broadband networks with their always-on connectivity, it should now be a concern for everyone." Specifically, honestpuck is talking here about Mac OS X; read on for his review of Sams Publishing's Mac OS X Maximum Security.
Mac OS X Maximum Security
author John Ray and William C Ray
pages 768
publisher Sams
rating 7
reviewer Tony Williams
ISBN 0672323818
summary Comprehensive but sometimes long winded book that covers securit on your Mac well

It really didn't concern me until one day when I was checking the logs on my Mac OS X box while developing a web app and discovered dozens of entries from all over the globe probing my box to see if it was an insecure IIS server. I then decided I needed to pay attention to security alerts and the help of a book like Macintosh OS X Maximum Security to help me understand and fix any holes.

The Good

The book is divided into four sections. Part 1 is about learning to think about security, covering such topics as physical security and protection from your users and bad guys. Part II, 'Vulnerabilities and Exposures,' covers the various sorts of attack such as password attacks, trojans and worms, sniffers and spoofing. Part III, 'Specific Mac OS X Resources and How To Secure Them,' covers just that, the various servers such as FTP, mail, Apache and SSH and how to go about making them safe. The final part covers attack prevention, detection, reaction and recovery with topics such as firewalls, alarm systems, logs and disaster planning.

Macintosh OS X Maximum Security is a large, extremely comprehensive volume. For the average person who wants to protect a small home network the information it provides is probably overkill. To make matters worse, the style is fairly verbose, particularly in the first section. Of course, if you want to secure a company network then you may need to know all the information -- and so all this background material is useful, if only so you can reach the right level of paranoia and suspicion.

The book is not a 'recipe' book that tells you "take these steps and you will have a secure machine"; rather it takes you through the possible holes and how to fix them. This approach seems much better for security, since it teaches you a respect for the places you have to open up and a methodical approach to doing so that will hopefully carry over beyond the specifics addressed. Any recipe is bound to have flaws since the operating system and the services are all changing, I'm hoping the methods and style this book have imparted to me will last beyond any changes.

The book also deals well with all the Macintosh-specific stuff, informing you well about such topics as Rendezvous, Apple Remote Desktop, using NetInfo and the like. One aspect that isn't well covered is Airport; securing an 802.11 network is barely touched on.

The Bad

The information provided in all areas of the book is quite detailed, and includes many links to further places to look for more (and more recent) information. Once again, for a book in an ever-changing field like security, this is a huge benefit. I would have appreciated some sort of a small website devoted to the book with the links mentioned gathered together and perhaps some notes on how things may have changed since the book's publication. Unfortunately the Sams Publishing site has a broken link to the book and while the authors say "we are creating a security section for the www.macosxunleashed.com website," no such section exists as I was writing this review. Frankly I am disappointed at this, I think with a book on this sort of topic it behooves either the publisher or author to provide a place for errata, discussion and notes. The best you can do is go to Amazon where you can see the Table of Contents and one chapter. [Ed. Note: The site's errata section is currently up and running.]

My only real complaint with the book itself is the huge size, and the long-winded nature of some of the material. I found the first two sections in particular almost tedious and definitely lecturing in tone. I would have rated this book higher if the editors at Sams had taken a large red pencil to slabs of the first section. Overall, I'd say that while not a 'must buy,' this book will have to do till I find something better, and I expect to loan my copy to several friends.


You can purchase Mac OS X Maximum Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

Mac OS X Maximum Security

Comments Filter:
  • Question (Score:5, Interesting)

    by devphaeton (695736) on Tuesday August 19, 2003 @11:37AM (#6734357)
    Any UNIX admins messed around wit OS X?

    How secure is it, how secure can it be?

    I've read a few articles describing certain features that it has (ease of use and gee-whiz stuff) that sounded to me like a potential vulnerability.

    It seemed that a lot of these things were enabled by default and wide open.

    I seriously hope this isn't the case. Apple's better than that, right?

    I'm not trolling, i'm asking sincerely. With all the "OS X IS UNIX(tm)!!!" fanfare loudly touted in the press, i'd hate to see a major outbreak of compromised OSX machines to blacken the name of all things *nix.

    Bottom line: If you're on the internet, paying attention to security is mandatory. Regardless of platform.
    • Re:Question (Score:5, Informative)

      by computerme (655703) on Tuesday August 19, 2003 @11:45AM (#6734444)
      everything is turned off by default.

      apple has been very responsive to sec alerts and networking passwords are encrypted.

      you can also ftp over ssh. (sftp) type stuff if you need to move a files over... there is also apple remote desktop and timbuktu to let you control the machine in all its aqua glory..

      i do believe (for what its worth as I am comparing this to win and top tier linuxes) its the most secure out of the box..

      insert blah blah no system is totally secure statement here

      of course this is true, but out of the box and over the past 2 years OSX has been and is a reamrkable product...
    • Re:Question (Score:5, Funny)

      by Halo1 (136547) <jonas.maebe@NospAm.elis.ugent.be> on Tuesday August 19, 2003 @11:47AM (#6734463) Homepage
      I've read a few articles describing certain features that it has (ease of use and gee-whiz stuff) that sounded to me like a potential vulnerability.

      It seemed that a lot of these things were enabled by default and wide open.
      The ease of use and gee-whiz stuff is indeed enabled by default and wide open. All network services (ssh, ftp, samba, apple filesharing, printer sharing aka cups, ...) are disabled by default though.
      • I have OS X 10.2.6 and have been running OS X since before 10.1.

        I do not know what "ease of use" and "gee-whiz" stuff is "wide open".

        This is not meant to be a flame, but I'm curious: what exactly is enabled by default that poses a security risk?
        • I do not know what "ease of use" and "gee-whiz" stuff is "wide open".

          This is not meant to be a flame, but I'm curious: what exactly is enabled by default that poses a security risk?

          Nothing, afaik. The mods just didn't appreciate my irony, it seems :) I just wanted to say that it's true that Mac OS X by default is user friendly and that it has a lot of gee whiz stuff that is readily accessible, but that otoh the standard network security holes are (virtually?) non-existant, as all services are turned

        • All the Rendezvous services (printer sharing, iTunes, iChat et al) are off by default. You have to tell it you're online, you have to tun on msuic sharing.

          It's all off. In the sense that I haven't read the book. Yet.
    • a very good question (Score:5, Interesting)

      by SweetAndSourJesus (555410) <JesusAndTheRobot AT yahoo DOT com> on Tuesday August 19, 2003 @11:56AM (#6734581)
      I think OS X is fairly secure because it's easy to secure.

      Apple releases security updates [apple.com] fairly quickly, and their Software Update system makes them available and easy to install for the average user. If I recall correctly, Mac OS X defaults to checking for updates weekly. Installation of updates may require an administrator password, but other than that it's as simple as a couple of clicks.

      With my FreeBSD system, I subscribe to freebsd-security-notifications to keep abreast of updates. Knowing when updates are available and knowing how to apply them is probably beyond the average user's ability.

    • I've read a few articles describing certain features that it has (ease of use and gee-whiz stuff) that sounded to me like a potential vulnerability.

      It seemed that a lot of these things were enabled by default and wide open.


      Of course they are, OS X is primarily a /desktop/ system. Ill bet that OS X Server is a hell of a lot more secure out-of-the-box, but as far as desktop usability goes, I doubt its half the system plain X is. Security and usabilty are a hard balance to strike (believe me, just setting u
      • dont use telnet or allow anon FTP

        Funny, on my systems, I allow only anon ftp. You are aware that non-anon ftp is just as bad as telnet, security-wise, aren't you? (Referring here strictly to ftp proper, not sftp or any other ftp-over-an-encrypted-channel variants.)
    • Re:Question (Score:2, Insightful)

      by JediJeeper (671434)
      Agreed with the other comments offered already. Apple has really taken the initiative on security and met things pretty squarely. Out of the box it is quite secure, almost everything is locked down via the built in tools. Incidentally, I speak from the experience of being Sys-Admin of many Solaris, Windows and Linux boxes. Most of the things Apple has had to deal with actually derive from security holes that have sprung up in third party products such as Apache and PHP (which are really quite solid products
  • by Anonymous Coward on Tuesday August 19, 2003 @11:39AM (#6734380)
    We need more of these. And more people to read them. How about Outlook Maximum Security?
  • by cK-Gunslinger (443452) on Tuesday August 19, 2003 @11:40AM (#6734395) Journal
    .. when I think of OS X "Maximum Security", I can help but to think of the translucent plastic jail cell they kept Magneto in.
  • by kaan (88626) on Tuesday August 19, 2003 @11:41AM (#6734402)
    From the origial post:

    It really didn't concern me until one day when I was checking the logs on my Mac OS X box while developing a web app and discovered dozens of entries from all over the globe probing my box to see if it was an insecure IIS server.

    I think that pretty much sums it up - IIS can easily be insecure, just like the rest of the Windows world. But why does that mean that the Mac's web server (Apache) should be a cause for concern?

    I've been using OS X for about a year and a half, and I don't see how a "Mac specific" book on security is worth the cash outlay. Sure, there are pretty UI widgets to interface with things like Apache, ipfw, the ftp server, etc., and a how-to book might be useful for a novice. But I don't see why a book like this will distinguish itself given that most of the real security info is way more Unix-centric that it is Mac-centric.

    From what I recall, most of the OS X system defaults were set to reasonable, fairly secure settings, unlike Windows where a basic install will leave a zillion services running on your machine, all of which are listening to the outside world, exposing some heinous portion of the OS to components that have no right messing with it in the first place.
    • by asv108 (141455) <alex AT phataudio DOT org> on Tuesday August 19, 2003 @12:17PM (#6734855) Homepage Journal
      From what I recall, most of the OS X system defaults were set to reasonable, fairly secure settings, unlike Windows where a basic install will leave a zillion services running on your machine

      For fun a decided to compare open ports on default but updated installs of OSX and XP.

      Windows XP Box Port Scan

      Interesting ports on 192.168.1.103:
      (The 1639 ports scanned but not shown below are in state: closed)
      Port State Service
      135/tcp open loc-srv
      139/tcp open netbios-ssn
      445/tcp open microsoft-ds
      1025/tcp open NFS-or-IIS
      5000/tcp open UPnP

      Max OSX Port Scan

      All 1644 scanned ports on 192.168.1.105 are: closed

      Nmap run completed -- 1 IP address (1 host up) scanned in 20.910 seconds

      Gentoo Port Scan

      All 1644 scanned ports on 192.168.1.101 are: closed

      Nmap run completed -- 1 IP address (1 host up) scanned in 0.357 seconds
    • It really didn't concern me until one day when I was checking the logs on my Mac OS X box while developing a web app and discovered dozens of entries from all over the globe probing my box to see if it was an insecure IIS server.

      I think that pretty much sums it up - IIS can easily be insecure, just like the rest of the Windows world. But why does that mean that the Mac's web server (Apache) should be a cause for concern?

      This part had me stumpped too. He was able to "watch" his box trying to be gotten

    • I think that pretty much sums it up - IIS can easily be insecure, just like the rest of the Windows world. But why does that mean that the Mac's web server (Apache) should be a cause for concern?

      His point is that he was simply using his personal computer, and there were people port scanning him. For a good long while (far too long), I was convinced I had security through obscurity. Why would anyone want to crack my computer? He probably had much the same perspective. With his logs, he was clearly wr
  • by cant_get_a_good_nick (172131) on Tuesday August 19, 2003 @11:43AM (#6734424)
    and discovered dozens of entries from all over the globe probing my box to see if it was an insecure IIS server.

    Maybe they were looking for a secure IIS server. Ripley's "Believe it or not" is starting production again, maybe they needed material?
  • by gobbo (567674) <wrewrite AT gmail DOT com> on Tuesday August 19, 2003 @11:55AM (#6734562) Journal
    Just came through the ms.blaster anxiety pox without a drop of sweat, as we're using OS X and one win98 box [now I'm glad that IT was too incompetent to put win2K on it...]. It got me thinking about the last time I saw a mac virus, oh, about 11 years ago, and how easy it was to fix with freeware by John Norstad [northwestern.edu], and about the "Crack a Mac" contest [wired.com] in '97. Things were pretty secure on classic macs. Now, I still feel pretty secure, indicated by the way the gloating bubbled up when I warned compadres to lock down their XP boxes. I'm happy to see that built-in firewall loaded, when I occasionally reboot, and there's always snort if I get paranoid--plus all the other *nixy goodness.

    When I received one box back from servicing today, a botched update completed itself upon booting, and a warning came up that a particular video driver file may be compromising the OS's security, did I want to fix and use, not use, or just use it? Nice. All I have to do is run software update. I want more of that caution built in, but as things stand, keep it up Cupertino.

  • by Anonymous Coward on Tuesday August 19, 2003 @12:02PM (#6734660)
    Forget this book. Use OS9 for a secure server NOT OSX! Its 100% secure according to the massive BugTraq (SecurityFocus) exploit database.

    Thats why many universities, and military websites used mac OS9. OS9 has never had an exploit, while OSX has had at least over 35 or so documented exploits.

    It is a concrete fact that that no MacOS based webserver has ever been hacked into in the history of the internet.

    The MacOS running WebStar and other webservers as has never been exploited or defaced, and are are unbreakable based on ample historical evidence.

    In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac (classic Mac OS) exploited over the internet remotely. Scan it yourself, though I believe an uncommon 3rd party mac product from 1995 or so had one exploit.

    I am not talking about FreeBSD derived MacOS X (which already had a more than a 35 exploits and potential exploits in BugTraq) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.

    Why is is hack proof? These reasons :

    1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for procces to process communication that is heavily typed and "pipe-less"

    2> No Root user. All mac developers know their code is always running at root. Not hing is higher (except undocumented microkernel stufff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

    3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.

    4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, expecially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.

    5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by designof creating an executable file. The file type is not set to executable for hte hackers needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if the y had them they would lack launch information. but the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.

    4> Stack return address positioned in s afer location than some intel OSes. Buffer exploits take advantage of loser programmers lack of string length checking and clobber the return address to run thier exploit code instead. The Mac compilers usually place return address in front or out of context of where the b
    • 2> No Root user. All mac developers know their code is always running at root. Not hing is higher (except undocumented microkernel stufff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

      And all 98 developers know their code runs as root. Has that helped?
    • by Iowaguy (621828)
      Ok, I'll ask it. I am not an IT guy. I have no idea why the above post is flaimbait? Is it untrue, it seems to check out with my memory of events. Is it because any non-nix is not allowed to have a good feature on slashdot? Just curious.

      -Iowa
      • It's flamebait because it's meant to be flamebait, not necessarily because it's untrue.

        It's an old troll that I think even predates Mac OS X. The AC that posted it probably just pasted it in from his collection of trolls and added a few lines to make it a better fit. Take out the few lines that explicitly refer to Mac OS X and you've still got most of the post. Try the NetCraft link and you'll see that www.army.mil runs Mac OS X.

        Also, lines like this : --- too bad the linux community is so stubborn tha
    • They must have bought the book!!! :-)
    • http://uptime.netcraft.com/up/graph?site=www.army. mil ...is just one of many large SECURE classic MacOS distributed servers.

      Except for the fact that it's not :
      The site www.army.mil is running 4D_WebSTAR_S/5.3.0 (MacOS X) on MacOSX.

    • one place where I used to work had their OS 9 network go down overnight because a book fell off a shelf above the server and was holding the mouse button down!
  • FYI (Score:4, Informative)

    by Srsen (413456) on Tuesday August 19, 2003 @12:09PM (#6734736)
    Apple has a Security Technology Brief which is a somewhat simplified but comprehensive overview of the hardware and software security features of Macs and Mac OS X.

    http://a368.g.akamai.net/7/368/51/edcf434107944a /w ww.apple.com/macosx/pdfs/Security_TB.pdf
  • by Anonymous Coward on Tuesday August 19, 2003 @12:16PM (#6734838)
    The Bad

    The information provided in all areas of the book is quite detailed, and includes many links to further places to look for more (and more recent) information

    Yes, that is quite bad. How dare they provide information in a book. They should have buried it all in a HOWTO with the wrong name on an obscure website.

  • Redundancy (Score:3, Funny)

    by happyfunstuff (259214) on Tuesday August 19, 2003 @12:20PM (#6734891)
    and discovered dozens of entries from all over the globe probing my box to see if it was an insecure IIS server
  • by Anonymous Coward
    I recall, late-98 or so, when a fairly adequate Mac virus actually surfaced. We were thrilled! What more proof did you need that Apple was back, than a virus attempting to take it down?

    Meanwhile, the rest of you can stop with this "juicy target" stuff. There is, have never been, ANY OS more susceptible to virii than Win.

    Back in the 8.5-9.x days, I used to spread my IP address all over Usenet, in hopes someone would bring down my computer, so I could learn something from the genius.

    Now, I won't quite do T
  • by Anonymous Coward
    This valuable post in a larger form was recently downrated a flame by a linux zealot so I repost it here in verycondensed form with nothing but DATA and Informative post info. There is no reason to moderate down informative posts. To not be termed a "flame" I request that no one reply to my post. therefore it is not a troll by the DEFINITION of "troll".

    It is a concrete fact that that no MacOS based webserver has ever been hacked into in the history of the internet.

    The MacOS running WebStar and other webse
    • I used to always ask people who insisted that the classic Mac OS was just as vulnerable as any other OS how they would get around the fact that the classic Mac OS had no command line.

      That usually stopped them fast in their tracks.

      They other thing that I asked anyone who was questioning the security of the classic Mac OS was to name one instance -- just one -- where a classic Mac OS machine had been cracked.

      Of course, they couldn't.

      You've written a nice post. I wish your grammer, spelling, and capitaliz
      • I used to always ask people who insisted that the classic Mac OS was just as vulnerable as any other OS how they would get around the fact that the classic Mac OS had no command line.

        That usually stopped them fast in their tracks.

        They other thing that I asked anyone who was questioning the security of the classic Mac OS was to name one instance -- just one -- where a classic Mac OS machine had been cracked.


        First off, there was a debug level command line, just because you may not have been bright enough
    • First off, the security you state is way out of whack.

      Secondly, who would trust a server that has poor memory management (80s technology), no modern OS features like: Journalled FS, Pre-Emptive Multitasking, Ability to use Large Partitions, Multiple CPUs, More than 2GB of RAM, Etc, Etc, Etc...

      Give us a break, Mac OS9 is technically at the same level as Windows 3.1. Hence why Windows3.1 is not a high risk OS for the internet, there is not much in it to hack short of the Winsock add-on.

      So we should all go
  • Nice review . . . (Score:3, Informative)

    by code shady (637051) on Tuesday August 19, 2003 @12:45PM (#6735196) Homepage
    I've been thinking of picking up this book, specifically because it is geared towards Mac OS X, although i am not overall very fond of the maximum security series.

    Anyone else looking for some good OS X secuity books shoudl chech out the latest edition of Practical Unix and Internet Security published by O'Reilly. I have the second edition, and its a great book, and the third edition specifically mentions OS X and solaris, in addition to the standard *BSD unix and Linux information.
  • Helpful book idea (Score:1, Insightful)

    by tinypillar (695021)
    I'm not going to get into all the 'what is secure and what is not secure' back and forth posted earlier. The reason I think the idea of a MacOS X security book is a good idea, is mostly due to the number of OS 9 users that are upgrading to X. Some of these users have never used a unix environment, and have never really needed to know anything about securing their computers (with 9). At least with a title like this on the shelf, it will bring to their attention that hey, even though you use a Mac, you still
  • Readers interested in MacOS X security may want to check out this recent article at Cryptonomicon.Net: Creating an Encrypted Disk Image no MacOS X [cryptonomicon.net].

  • The book reviewed here is about how to SECURE a Mac OS X system given pre-canned applications. However, for information on how to write secure applications, you'll want more information. Please take a look at the Secure Programming for Linux and Unix HOWTO [dwheeler.com]. It's free to download and redistribute (GFDL), and has lots of information on how to avoid common mistakes.

Support bacteria -- it's the only culture some people have!

Working...