MacSecure.com » News

MacSecure – Missing in Action

john — Tue, 18 Nov 2008 00:46:01 +0000

This blog has been neglected for a bit, but it’s coming back soon.

TrueCrypt for Mac – Version Update !

john — Wed, 05 Mar 2008 05:56:24 +0000

The new revision of TrueCrypt – Version 5.0(a) — has now been released for Mac. Downloads are available here. I haven’t had a change to work with it since I’m traveling, but initial word from some colleagues is that it works as expected.

TrueCrypt Notes

john — Sat, 09 Feb 2008 02:56:16 +0000

Got to do some testing with TrueCrypt on the Mac – and immediately hit a wall. One of the unique features of TrueCrypt is the ability to create a hidden TrueCrypt volume inside of another TrueCrypt volume. The idea is that if you were forced to reveal a passphrase, you give up the passphrase to the ‘outer’ volume, and nobody would know that another volume exists inside of the main one.

This isn’t a requirement for many folks, but the ability to do it is going to be missed for the time being. Regular TrueCrypt volumes are working great though.

More info about TrueCrypt Hidden volumes is available here.

TrueCrypt for Mac – Released

john — Wed, 06 Feb 2008 17:10:22 +0000

A staple on the Windows OS for quite a while, TrueCrypt has finally been ported to OS X. While it doesn’t have a lot of polish yet, it does indeed seem to work like the Windows version does. TrueCrypt has the ability to create an encrypted volume — which can be stored as random data on your disk — essentially hiding the fact that you have any hidden data. If nobody knows you have something encrypted, how would they know to even ask for your passphrase? As a note, TrueCrypt on Windows has been used by folks doing various illegal things over the years, and using it to hide data; real Dateline kinds of stuff. It’s good at what it does, but having it around could make someone think you have something to hide.

Try it out here: http://www.truecrypt.org/downloads.php

Apple Security Update 2007-009

john — Tue, 18 Dec 2007 16:32:10 +0000

Fixing some of the known issues with cups, tar, Safari, samba, etc. Lots of updates in this one.

Apple has more info with CVE’s listed here. SANS also has a blurb about it here. I’ll install tonight and take some notes. Also, coming soon — more tool discussions.

Leopard Crash “Risk”

john — Tue, 11 Dec 2007 18:06:33 +0000

I’d say it’s less ‘risk’ and more ‘real’ at this point — but I’m traveling and I haven’t had much time to look into it yet. Heise has more info available here.

Firewall Rules for Quicktime RTSP Vulnerability

john — Thu, 06 Dec 2007 05:20:15 +0000

See here. Just a quick note: if you read the Symantec advisory regarding the Quicktime RTSP Header Vunerability, they mention blocking certain traffic if you’re worried about the exploit — which appears to be Windows specific at this point. In the interest of being safe though, here is a set of ipfw rules for blocking access as suggested:

01000   0     0 deny tcp from me to not me dst-port 554 out
01100   0     0 deny tcp from me to 85.255.117.212 out
01200   0     0 deny tcp from me to 85.255.117.213 out
01300   0     0 deny tcp from me to 216.255.183.59 out
01400   0     0 deny tcp from me to 69.50.190.135 out
01500   0     0 deny tcp from me to 58.65.238.116 out
01600   0     0 deny tcp from me to 208.113.154.34 out

You can put these in on a command line (via Terminal or iTerm) using ‘ipfw’ or using WaterRoof.

Quicktime Vulnerability – RTSP Headers

john — Tue, 04 Dec 2007 15:16:22 +0000

Symantec is reporting details of a vulnerability in Quicktime 7.2 and 7.3 that is currently unpatched by Apple. Right now the exploits in the wild for this vulnerability appear to only be loading Windows executables, but the suggestion is that OS X systems could potentially be vulnerable as well. Recommended steps until there is a patch include blocking outbound TCP traffic on port 554, or even blocking certain IP blocks that the Windows exploit is known to be sending data back to. The CERT page for this vulnerability is here with tons of details. As a note for anyone running OS X in a corporate environment — SourceFire’s SEU 118 has the Snort signatures for this vulnerability.

“Ultimate” Leopard Firewall Ruleset

john — Tue, 20 Nov 2007 18:45:43 +0000

Rich over at Securosis and some other folks have been working on a set of rules for the Leopard firewall (ipfw) that would be restrictive without breaking everything completely. The ruleset has been tweaked extensively now and takes a lot of things into account. I’ll be testing it out tonight, but it looks great so far. I’ll see if I can import these rules via Waterroof — or if not, just drop them in by hand. Note: Certain values need to be customized to your own environment! Don’t just drop these in and expect it to work 100% !

Mac OS 10.5.1 Update – Security Changes

john — Thu, 15 Nov 2007 19:05:31 +0000

I’m sure the 10.5.1 update (which just rolled out to Software Update today) will be dissected on all of the Mac forums and blogs, but in the Security section of the release notes, there are a few highlights that were noteworthy:

The “Block All Incoming Connections” setting I talked about here has now been changed to read “Allow only essential services.” Without having installed it yet, I believe that’s still going to mean ‘anything running as root, plus the MDNS and a few other things.’
Another change to the Application Firewall related to code-signing and parental controls
Patches for all of the recent security issues.

There are a few other things I’ll need to look at later tonight, but this is a start. I’ll do some of the netcat testing again to verify the firewall change item.