MacSecure.com

TrueCrypt for Mac - Version Update !

john — Wed, 05 Mar 2008 05:56:24 +0000

The new revision of TrueCrypt - Version 5.0(a) — has now been released for Mac. Downloads are available here. I haven’t had a change to work with it since I’m traveling, but initial word from some colleagues is that it works as expected.

TrueCrypt Notes

john — Sat, 09 Feb 2008 02:56:16 +0000

Got to do some testing with TrueCrypt on the Mac - and immediately hit a wall. One of the unique features of TrueCrypt is the ability to create a hidden TrueCrypt volume inside of another TrueCrypt volume. The idea is that if you were forced to reveal a passphrase, you give up the passphrase to the ‘outer’ volume, and nobody would know that another volume exists inside of the main one.

This isn’t a requirement for many folks, but the ability to do it is going to be missed for the time being. Regular TrueCrypt volumes are working great though.

More info about TrueCrypt Hidden volumes is available here.

TrueCrypt for Mac - Released

john — Wed, 06 Feb 2008 17:10:22 +0000

A staple on the Windows OS for quite a while, TrueCrypt has finally been ported to OS X. While it doesn’t have a lot of polish yet, it does indeed seem to work like the Windows version does. TrueCrypt has the ability to create an encrypted volume — which can be stored as random data on your disk — essentially hiding the fact that you have any hidden data. If nobody knows you have something encrypted, how would they know to even ask for your passphrase? As a note, TrueCrypt on Windows has been used by folks doing various illegal things over the years, and using it to hide data; real Dateline kinds of stuff. It’s good at what it does, but having it around could make someone think you have something to hide.

Try it out here: http://www.truecrypt.org/downloads.php

Another month — another RTSP Vulnerability

john — Fri, 11 Jan 2008 19:00:31 +0000

This is making the rounds, but CERT has the dirt. At this early stage it seems like the only “easy” fix is blocking RTSP traffic at a port level on the network, but hopefully something more practical come around in the next few days. More info here as well.

As a note, I’ve got more tool ‘how-to’s that I’m writing now, so more is coming soon.

Apple Security Update 2007-009

john — Tue, 18 Dec 2007 16:32:10 +0000

Fixing some of the known issues with cups, tar, Safari, samba, etc. Lots of updates in this one.

Apple has more info with CVE’s listed here. SANS also has a blurb about it here. I’ll install tonight and take some notes. Also, coming soon — more tool discussions.

Leopard Crash “Risk”

john — Tue, 11 Dec 2007 18:06:33 +0000

I’d say it’s less ‘risk’ and more ‘real’ at this point — but I’m traveling and I haven’t had much time to look into it yet. Heise has more info available here.

Firewall Rules for Quicktime RTSP Vulnerability

john — Thu, 06 Dec 2007 05:20:15 +0000

See here. Just a quick note: if you read the Symantec advisory regarding the Quicktime RTSP Header Vunerability, they mention blocking certain traffic if you’re worried about the exploit — which appears to be Windows specific at this point. In the interest of being safe though, here is a set of ipfw rules for blocking access as suggested:

01000   0     0 deny tcp from me to not me dst-port 554 out
01100   0     0 deny tcp from me to 85.255.117.212 out
01200   0     0 deny tcp from me to 85.255.117.213 out
01300   0     0 deny tcp from me to 216.255.183.59 out
01400   0     0 deny tcp from me to 69.50.190.135 out
01500   0     0 deny tcp from me to 58.65.238.116 out
01600   0     0 deny tcp from me to 208.113.154.34 out

You can put these in on a command line (via Terminal or iTerm) using ‘ipfw’ or using WaterRoof.

Product Review: FileDefense

john — Thu, 06 Dec 2007 03:57:35 +0000

At the end of November, SubRosaSoft released “FileDefense” - a new application for securing Mac OS X computers. SubRosaSoft makes and sells a number of utilities as well as some freeware for Macs; I primarily know of them for their MacForensicsLab and MacLockPick programs. From their website:

“FileDefense is a program that forms the first line of defence in file access. It is a set of programs that provide an easy interface to locking down files and making sure that unwanted access is not given to malicious scripts, applications and services on the your computer.”

My first thought: It sounds a bit like a “Little Snitch” but for files. I’ll come back to that later.

Installation of the App is very straightforward, the typical ‘drag to Applications.’ After either chosing to continue as a Trial or Registering the software, you’re instructed to Restart your Mac.
Upon restarting, I got a few warning messages from programs that were set to run automatically upon login. Here’s a shot of my Google Notifier starting up:

(click for full-size)

It’s helpful to have read the Help file provided with the program (or available in the main GUI window) to understand what each of the options means. I’ll detail it here at least breifly:

Kill - Exactly as you expect — if a program tries to open / modify a file and you get notified, you can select Kill to completely stop that access from happening. The Kill option also Force-Quit’s the offending application.

Allow This - Again, the options are well-named. The Allow This option allows the Application that’s attempting to read / modify the file to complete THIS ONE ACTION. In practice you’ll find that if you’re paranoid and choose the Allow This option, you’ll likely have to select it multiple times. More on this later.

Allow All - The last option is the preferred one for well known applications, basically saying “Allow this program to touch whatever files it wants.”

The window also shows the Process ID (PID) of the program in question, which you can view from a Terminal using ‘ps’ or ‘top’ or a number of other utilities.

The FileDefense manual details a few scenarios where the program would be useful, but it doesn’t take long to see the benefit of it. That being said, like any programs that monitor network access / file reads / program execution, the initial use usually reveals things happening that were not expected. In my case on Startup, I was getting alerted to only the Gmail Notifier and Growl, but not much else. Starting more complex programs like Adobe Photoshop or even Leopard’s Time Machine showed a considerable number of files being touched. If you were to select ‘Allow This’ on either of these, be prepared to hit it many, many times as files are opening and modified.

The Main GUI screen FileDefense has two tabs that control most of the important aspects of it’s use. As you Allow applications and system Services to modify files, the Trusted Applications and Trusted Services tabs get populated with program info, such as:

(click for full-size)

Any program that you haven’t yet Allowed will still prompt you when they initially try to read / write / modify / change permissions on ANY file. This is extremely useful in a world where people are downloading and trying new applications on a regular basis.

FileDefense is a unique program that picks one thing and does it well. I tried writing a few ‘nefarious’ shell scripts and then running them in subversive ways, but no matter what I tried, it always caught them. I’m confident that it would stop any rogue application that misbehaves. Regarding my initial thoughts about FileDefense being sort of like a “Little Snitch” but for files — I think it’s a fair and flattering comparison.

Note: One one of my Macs, the 30 minute demo stopped working after a few reboots, before the 30 minute limit had passed. I notified SubRosaSoft support who is looking into the issue.

FileDefense is a Universal Binary and is available from SubRosaSoft for $59.95.

Thanks to MacSecure reader Rob for suggesting this topic.

Quicktime Vulnerability - RTSP Headers

john — Tue, 04 Dec 2007 15:16:22 +0000

Symantec is reporting details of a vulnerability in Quicktime 7.2 and 7.3 that is currently unpatched by Apple. Right now the exploits in the wild for this vulnerability appear to only be loading Windows executables, but the suggestion is that OS X systems could potentially be vulnerable as well. Recommended steps until there is a patch include blocking outbound TCP traffic on port 554, or even blocking certain IP blocks that the Windows exploit is known to be sending data back to. The CERT page for this vulnerability is here with tons of details. As a note for anyone running OS X in a corporate environment — SourceFire’s SEU 118 has the Snort signatures for this vulnerability.

Mac Used for Wardriving on 60 Minutes

john — Tue, 27 Nov 2007 01:32:36 +0000

Thought it was funny, this past Sunday’s 60 Minutes on CBS aired a segment called “High-Tech Heist” — specifically about credit card fraud and vulnerability in the physical world. They talked to staff at the FBI and showed how easy it is to buy and sell card numbers and ‘full identities’ online — no big shock there. One of the CBS reporters drove around with an InfoSec expert who was using his Mac and KisMAC to do some Wardriving, which was amusing. They talked about cracking WEP, and a few other basic concepts. Interesting. For anyone who wants to play with KisMAC, get it here. More on KisMAC soon.