
Sunday, 21 August 2011

Securing Mac OS X Lion using Firewall and FileVault 2

Takeaway: Mac Lion has the features to protect even the most sensitive systems, but users should be aware of the unintended side effects of both Firewall and FileVault before enabling either.
I’d like to show you how to protect your Lion-installed Mac even further via Lion’s Firewall and FileVault software, and explain when it is best to institute these features.
Your users love to feel secure and often times enable features, not knowing what side effects may come of their actions. While their intentions are coming from a good place, doing so can leave a user permanently removed from their files and prevent them from accessing important data on the web. It’s good practice to share these concepts with your users and it will help to prevent future headaches for you, the beloved IT professional.

Lion’s Firewall

Firewalls help prevent unwanted traffic from flowing in and out of your computer systems. The more services you have blocked, the more difficult it is for someone or something to compromise your computer from the outside world. In the workplace, I rarely, if ever, find it necessary to enable the software-based Firewall that Apple ships with its OS. A properly managed network should handle these duties by filtering data at the router level rather than on the individual machine. Enabling the Firewall can sometimes have unintended consequences, however: file-sharing issues, iChat communications not working as expected, not being able to see other machines on the network, and even unexpected disconnects from the Internet are sometimes, but not always, the result of the Firewall being enabled.
So when is it a good time to use the software-based Firewall? Mobile workers with laptops who frequently attach to remote networks are the prime candidates. Any machine that can come and go on a managed network is a liability. Portables have a much greater potential to be compromised when away from the mothership and connecting to other public or private networks than they do within the confines of a well-maintained internal network.

FileVault

FileVault is a completely different beast from the Firewall, and it’s important to truly appreciate what it is and what it does. Not taking the time to fully understand FileVault before enabling it can cause a Mac to become unresponsive, prevent users from being able to log into their accounts, and even permanently damage or lose users’ data. So with that being said, I’ll lay the groundwork here for you to consider its usefulness, but be sure to research FileVault further for the particular needs of your environment.
In Lion, Apple has made some significant changes in FileVault 2. Most notably, Apple has changed the policy from encrypting individual users’ folders to encrypting the whole drive, has replaced the standard OS X login with the EFI login (a lower-level way of accessing your hardware when logging in), and now grants FileVault access rights to a machine on a per-user basis. All of this adds up to a faster, more secure way to protect a user’s data using FileVault.
Unlike the Firewall, which has modest repercussions if you enable it, implementing FileVault requires more caution. As discussed before, just enabling FileVault can prevent a user from ever being able to access his data again. Here are a couple of simple questions to determine if FileVault is necessary for users in your organization.
  • Is the data on your Mac so sensitive that it must be protected at any cost?
  • Is the Mac that you’re considering for FileVault used often by mobile workers?
If your answer to both of these questions is no, it’s safe to say that you and FileVault needn’t ever cross paths.
If you answered yes to question one, FileVault should be considered to prevent any of that data from being compromised, especially if there is risk associated with insider threats or physical security in the office is not at the highest level.
Finally, if you answered yes to question two, this is one of the rare times I would consider enabling FileVault even if the answer to question one is no. I say this because laptops are much more likely to be compromised, either through loss or theft. In either case, FileVault encryption is there to prevent someone from scouring the data on your machine, and it also makes it very difficult to use the machine or reinstall the OS.

Wednesday, 27 July 2011

The top 10 hackers of all time


Takeaway: Black hat, white hat, or somewhere in between, hackers have had a huge impact on the evolution of information technology. See if you agree that these 10 hackers belong on this list.
Hacking is not a recent invention. In fact, it has been around since the 1930s, although not always associated with computers. Here’s a rundown of some of the most noteworthy hackers in history.

1: Kevin Mitnick

Kevin Mitnick, once considered the most-wanted cybercriminal in the United States, is often touted as the poster child of computer hacking. Kevin mastered an early form of social engineering (scamming operators) and computer hacking to gain access to and modify telephony switching systems. After a very public two-year chase, arrest, and incarceration, the hacker community collectively rose in protest against what they viewed as a witch hunt.

2: Robert Tappan Morris

On November 2, 1988, Robert Morris released a worm that brought down one-tenth of the Internet. With the need for social acceptance that seems to infect many young hackers, Morris made the mistake of chatting about his worm for months before he actually released it on the Internet, so it didn’t take long for the police to track him down. Morris said it was just a stunt and added that he truly regretted wreaking $15 million worth of damage, the estimated amount of carnage caused by his worm.

3: Vladimir Levin

Seeming like the opening of a James Bond movie, Vladimir Levin was working on his laptop in 1994 from his St. Petersburg, Russia, apartment. He transferred $10 million from Citibank clients to his own accounts around the world. As with most Bond movies, Levin’s career as a hacker was short lived — with a capture, imprisonment, and recovery of all but $400,000 of the original $10 million.

4: Yan Romanowski

Yan Romanowski, also known as MafiaBoy, was arrested in February 2000 for launching a denial-of-service attack that brought down many of the Internet’s largest sites, including Amazon, eBay, and Yahoo. Yan’s lawyer claimed, “If [MafiaBoy] had used all his powers, he could have done unimaginable damage.” It is widely believed that Romanowski is no more than a script kiddie. His attacks, however successful, were implemented using computer scripts that clogged networks full of garbage data.

5: Kevin Poulsen

Kevin Poulsen, known as Dark Dante in the hacker community, specialized in hacking phone systems, particularly radio stations. This talent allowed only calls originating from his house to make it through to the station, assuring him of wins in listener radio contests. His iconic 1991 hack was a takeover of all of the telephone lines for the Los Angeles KIIS-FM radio station, guaranteeing that he would be the 102nd caller and win the prize of a Porsche 944 S2. The bold Poulsen was wanted by the FBI for federal computer hacking at the same time he was winning the Porsche and $20,000 in prize money at a separate station. Poulsen spent 51 months in a federal prison, the longest sentence of a cybercriminal at that time.

6: Steve Jobs and Steve Wozniak

The now-famous founders of Apple Computer spent part of their youth as hackers. They spent their pre-Apple days (circa 1971) building Blue Box devices (an early phreaking tool allowing users to make long distance calls without the financial charges) and selling them to fellow students at the University of California, Berkeley.

7: David Smith

Smith’s fame comes from being the author of the infamous email virus known as Melissa. According to Smith, the Melissa virus was never meant to cause harm, but its simple means of propagation (each infected computer sent out multiple infected emails) overloaded computer systems and servers around the world. Smith’s virus was unusual in that it was originally hidden in a file containing passwords to 80 well-known pornography Web sites. Even though more than 60,000 email viruses have been discovered, Smith is the only person to go to federal prison in the United States for sending one.

8: Jonathan James

James gained notoriety when he became the first juvenile, at age 16, to be sent to prison for hacking. James specialized in hacking high-profile government systems, such as NASA and the Department of Defense. He was reported to have stolen software worth more than $1.7 million.

9: George Hotz

While George Hotz may be a renowned jailbreak artist, he’s best known for being named as the primary reason for the April 2011 PlayStation breach. As one of the first hackers to jailbreak the Sony PlayStation 3, Hotz found himself in the middle of a very mean, public, and messy court battle with Sony — perhaps because of his public release of his jailbreaking methods. In stated retaliation, the hacker group Anonymous attacked Sony in what has been the most costly security break of all time. Hotz denied any responsibility for the attack and said, “Running homebrew and exploring security on your devices is cool; hacking into someone else’s server and stealing databases of user info is not cool.”

10: Gary McKinnon

In 2002, a decidedly odd message appeared on a U.S. Army computer: “Your security system is crap,” it read. “I am Solo. I will continue to disrupt at the highest levels.” It was later found to be the work of Gary McKinnon, a Scottish system administrator. Gary has been accused of mounting the largest ever hack of U.S. government computer networks — including Army, Air Force, Navy, and NASA systems. The court has recommended that McKinnon be extradited to the United States to face charges of illegally accessing 97 computers, causing $700,000 in damage. Adding even more interest to McKinnon’s actions is his insistence that much of his hacking was in search of information on UFOs, information he believed the U.S. government was hiding in its military computers.

Scroogle: Adding privacy to Google Search


Takeaway: Google Search is an amazing tool. Even so, to many, it has a dark side. Scroogle may be able to help.
Over the years, I’ve witnessed–from a safe distance–highly-charged debates about search behemoths like Google. The topic most often discussed is whether or not they retain too much Personally Identifiable Information (PII) for too long. Valuable lessons surfaced from those frank discussions, many important enough for me to write about.
Another place where I have gleaned similar information has been in the comment sections of the articles I just mentioned. One example is my introduction to Scroogle.
My first impression was: What an odd name. I didn’t think much more of it. Then a colleague gave his middle-finger explanation of the term. “Oh,” was all naive me could say, “You really think so?”

Scroogle, what is it?

Now I had to find out about Scroogle. First thing that caught my eye:
“Every day Scroogle crumbles 350,000 cookies and blocks a million ads.”
Next thing I noticed, Scroogle does not:
  • Pass cookies on.
  • Keep search-term records.
  • Retain access logs for more than 48 hours.
The website calls Scroogle a scraper. Being from Minnesota, I have this image of a scraper and it is not Scroogle.
Actually, after some study, referring to it as a scraper does make sense. The pertinent search results are “scraped” from Google’s response to the search query, and only that information, with no cookies or additional requests, gets back to the client’s web browser.
The following slide depicts the steps involved (courtesy of Scroogle):

Behind the scene

The process is simple. You enter your search request in the web browser, like normal. It is sent to Scroogle via an SSL connection (more on that later). Scroogle replaces all your identifying information with that of Scroogle. The search request is forwarded to Google. Google records the IP address and search information issued by Scroogle.
Google then replies with a cookie and the search results. Scroogle sanitizes the data, sending only the search results back to you. Below are the search results for ice scraper using Google:
Next are the results using Scroogle:

Scroogle, the plugin

The website calls Scroogle a browser plugin. Simple enough to implement, but I’d like to expand on the minimal help offered by the website:
  • Firefox: This link is to the Firefox add-on. All that is required is to click on the Add-on button.
  • Internet Explorer: Microsoft set up Internet Explorer to ask for the desired search engine. Details are at this link. All that is required is to enter http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=TEST where it asks.
  • Opera: Click on the following: Tools/Preferences/Search/Add. Pick a new keyword “example” and use http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=%s as the address.
  • Chrome: Click on Wrench/Options/Default Search Manage/Add. Then paste https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi?Gw=%s where a URL is requested.
If you prefer not to alter the current configuration of your web browser, or are using a computer other than your own, Scroogle has a webpage similar to Google, where you can enter search terms.

Back to SSL

The Scroogle website points out why the creators decided to use SSL connections:
“For Scroogle, SSL is used to hide your search terms from anyone who might be monitoring traffic between your browser and Scroogle’s servers. This encryption happens when you send your search terms to Scroogle, and it also happens when Scroogle sends the results of your search back to you.”
The SSL webpage points out another advantage that I was not aware of:
“When the Scroogle results come back from an SSL search, and you click on any of the links shown on that secure page, there is another advantage. SSL does not allow the browser to record the address where that secure page came from and attaches it to any outgoing non-SSL links on that page. Normally all browsers do this and it’s called the “referrer” address.
Using SSL blanks out this referrer, so that any non-SSL site you click on from a Scroogle SSL page won’t know that you arrived at their site from Scroogle. The referrer will be blank, and your log entry at that site will look like any of the hundreds of bots that crawl the web all day and night with similar blank referrers.”
I did not know that until now.
That said, do not let the use of SSL connections lure you into a false sense of security. SSL may or may not be in play after you click on one of the returned search links. It depends on whether the web server advertised in the link is using SSL or not.

Both use SSL

Google also has the option to use SSL. And, Google makes the same claim on how encryption prevents third parties from intercepting transmissions between the user’s computer and Google Search web servers.
My immediate thought: It would be cool if the Scroogle servers talking to Google Search would use their SSL connection. I shot off an email to Scroogle and Daniel Brandt, Founder and President of Scroogle, offered this:
“No, the connection between my servers and Google does not use SSL.
There are two reasons for this:
  • The search terms for that hop are carried by the IP address of my server, and the only way they can be associated with the searcher’s IP address would be if someone hacked into my dedicated servers and read my logs. And they’d have to be quick about it, because I don’t keep any logs longer than 48 hours. I’m the only one with access to my servers.
  • I do not use DNS to do a lookup of www.google.com. Instead, I randomly select one of their static IP addresses for www.google.com (they have thousands). As you may know, https initiation requires a handshake that certifies that the domain name belongs to the IP address. Since I’m not using “www.google.com” at all, I cannot initiate an https session with Google.”
That makes sense to me. Thank you for clearing that up, Daniel.

Quality of SSL connection

I just happen to be researching a new Comodo website, SSL Analyzer. It is a free web-based scanning tool that checks the security of a web server providing SSL connections.
Included in the summary is information about the certificate and digital signature. Also included is a list of the security protocols and encryption suites supported by the web server.
SSL Analyzer uses the following designations to highlight problems:
  • Red: Problem that needs immediate attention.
  • Amber: Potential issue that needs evaluation.
With so much emphasis being placed on SSL connections, I thought, why not test them? Here are the results for Scroogle and the results for Google Search. You can see that both have issues. I am not sure I would consider them show-stoppers, but it is something to think about.

Bottom line

Now comes the hard part. After all is said and done, it ends up being a matter of trust. If using Google Search is important, but you are not sure about trusting Google, you may want to think about Scroogle.

Thursday, 30 June 2011

How CAPTCHA Works? And a Simple Script in PHP

[Note : For this post I'm presuming that you are familiar with CAPTCHA, if not please read this Introduction to CAPTCHA]
Today we are going to see how CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) works and how it minimizes automatic sign-up of forms. We will also be creating a simple CAPTCHA script in PHP to illustrate this.
[Image: CAPTCHA example]

Basically CAPTCHA works in the following manner:

1) Create a random value: Some random string is generated; random values are hard to guess and predict.

2) Generate an image: Images are used because they are generally a lot harder for computers to read while remaining readable to humans. This is also the most important step, as plain text in an image can be read (and the CAPTCHA cracked) quite easily. To make it difficult, developers employ different techniques so that the text in the image becomes hard for computers to read. Some draw zig-zag lines in the background, while others twist and turn the individual characters in the image. The possibilities are many, and new techniques are being developed all the time, as attackers are constantly finding ways to break them.

3) Store it : The random string generated (which is also in the image) is stored for matching the user input. The easiest way to do so is to use the Session variables.

4) Matching: After the above step, the CAPTCHA image is generated and shown on the form we want to protect from abuse. The user fills in the form along with the CAPTCHA text and submits it. Now we have the following:

  1. All submitted form data.
  2. CAPTCHA string (from form), input by user.
  3. CAPTCHA string (the real one, generated by us), from the session variable. A session variable is used because it keeps stored values across page requests; here we need to preserve the value from one page (the form page) to another (the action page, which receives the form data).


5) If both match, the submission is accepted; otherwise it is rejected, and we can tell the user that the CAPTCHA they entered was wrong and their form could not be submitted. You could also ask them to try again.

The following image illustrates this better:
[Image: How CAPTCHA works]
From the above image it’s quite clear that when someone requests the form page, the CAPTCHA text is generated and sent back to the requesting user, but only in the form of an image. If the requester is a human, he won’t have much difficulty reading the image and entering the text when asked, but a bot will have a hard time guessing what’s in the image. In the next step, when we compare the string we generated with the one the user entered, we can restrict automated form submissions.


The following is the code that does this, it'll just output the CAPTCHA image to the browser when the script is requested:

<?php

// The number of characters you
// want your CAPTCHA text to have
define('CAPTCHA_STRENGTH', 5);

/****************************
 *        INITIALISE        *
 ****************************/
// Tell PHP we're going to use
// Session vars (must be called before any output is sent)
session_start();

// Md5 to generate the random string
$random_str = md5(microtime());

// Trim required number of characters
$captcha_str = substr($random_str, 0, CAPTCHA_STRENGTH);

// Allocate new image
$width = (CAPTCHA_STRENGTH * 10) + 10;
$height = 20;

$captcha_img = ImageCreate($width, $height);

// ALLOCATE COLORS
// Background color - black
$back_color = ImageColorAllocate($captcha_img, 0, 0, 0);

// Text color - white
$text_color = ImageColorAllocate($captcha_img, 255, 255, 255);

// Line color - red
$line_color = ImageColorAllocate($captcha_img, 255, 0, 0);

/****************************
 *     DRAW BACKGROUND &    *
 *           LINES          *
 ****************************/
// Fill background color
ImageFill($captcha_img, 0, 0, $back_color);

// Draw vertical lines across the x-axis
for ($i = 0; $i < $width; $i += 5)
    ImageLine($captcha_img, $i, 0, $i, $height, $line_color);

// Draw horizontal lines across the y-axis
for ($i = 0; $i < $height; $i += 5)
    ImageLine($captcha_img, 0, $i, $width, $i, $line_color);

/****************************
 *      DRAW AND OUTPUT     *
 *          IMAGE           *
 ****************************/
// Draw the random string
ImageString($captcha_img, 5, 5, 2, $captcha_str, $text_color);

// Carry the data (KEY) through the session
$_SESSION['key'] = $captcha_str;

// Send data type
header("Content-type: image/jpeg");

// Output image to browser
ImageJPEG($captcha_img);

// Free up resources
ImageDestroy($captcha_img);

?>
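The script above only produces the image; steps 4 and 5 (matching the user's input against the stored key) are described but not shown. The following is an added example, not code from the original post, of the action page that receives the form, plus a drop-in replacement for the md5(microtime()) line. The file names captcha.php and action.php and the form field name "captcha" are assumptions; the session key 'key' is the one the original script writes.

```php
<?php
// Added example (not from the original post): verification side of the
// CAPTCHA flow, for an assumed action.php that the protected form POSTs to.
// The protected form is assumed to contain <img src="captcha.php"> and
// <input type="text" name="captcha">, with all pages sharing one PHP session.

// Suggested replacement for "$random_str = md5(microtime());" in captcha.php.
// microtime() depends only on the server clock, so its md5 is predictable
// to anyone who can estimate when the image was requested; random_int()
// draws from the operating system's CSPRNG instead. The alphabet leaves out
// 0/O and 1/I, which are hard to tell apart in GD's small bitmap font.
function captcha_generate(int $length = 5): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $str = '';
    for ($i = 0; $i < $length; $i++) {
        $str .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $str;
}

// Compare the user's answer with the key captcha.php stored in the session.
// The stored key is removed before comparing, so each image is good for
// exactly one attempt and a solved challenge cannot be replayed by a bot.
// hash_equals() makes the comparison constant-time, and matching is
// case-insensitive because users rarely reproduce the case of distorted text.
function captcha_verify(?string $input): bool
{
    if (!isset($_SESSION['key']) || $input === null) {
        return false;            // no challenge was issued, or nothing was sent
    }
    $expected = strtoupper((string) $_SESSION['key']);
    unset($_SESSION['key']);     // single use, even when the check fails
    $given = strtoupper(trim($input));
    return hash_equals($expected, $given);
}

// --- action.php: the page the protected form POSTs to ---
session_start();                 // same session captcha.php wrote the key into

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!captcha_verify($_POST['captcha'] ?? null)) {
        http_response_code(400);
        echo 'The CAPTCHA you entered was wrong; please reload the form and try again.';
        exit;
    }
    // CAPTCHA matched: handle the remaining $_POST fields (save, e-mail, etc.) here.
    echo 'Form submitted successfully.';
}
```

Two points worth noting in the design: the key is unset before the comparison rather than after, so a wrong guess also consumes the challenge and a script cannot keep retrying against the same image; and because captcha.php must be requested before action.php, the form page should always embed a fresh image rather than caching one, otherwise a legitimate user whose session key was already consumed will see the "wrong CAPTCHA" message.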

