Note: this is Part III of a three-part series. The three articles can be found at:
Most people purchase a computer and assume it is an appliance. They want to play games, surf the Web, send and receive E-mail, write letters, and exchange photos of family and activities. Generally speaking, they “don’t want to do anything fancy,” unaware that each of these tasks is quite complex, and requires far more power than the traditional “computing” tasks for which computers were named. As appliance owners, they want their computer to be almost invisible: something you can ignore if you don’t have immediate need of it. They do not want to think about maintenance, and certainly don’t give any thought to security.
But modern personal computers are highly complex machines, highly vulnerable to a variety of threats well beyond what you might associate with common household appliances. The security risks to a computer fall into three broad categories:
Part I of this series (Washington Apple Pi Journal, May/June 2005), discussed the most common security threats to Macs: physical threats. Part II (Washington Apple Pi Journal, July/August 2005) discussed the next most common security threats, mental errors. Now we address the spiritual domain, at once the sexiest, the most talked about, and – for the Mac at least – the least common. But “least common” doesn’t mean there is no threat. What you can’t see, and didn’t knowingly invite in, really can hurt you.
A good firewall imposes order on computer use, much as good architecture imposes order on buildings. When the Grand Trianon Palace at Versailles was built for Louis XIV, the object was to provide a magnificent home with as much light as possible in an age before electricity. Massive windows and airy, open hallways gave the palace a feeling of openness, even on a dreary French day, while keeping the occupants safe from the elements. A firewall, similarly, gives the user a feeling of freedom as they traverse the Internet, while providing shelter from the unsavory elements. (Photo by Lykara I. Charters)
Look in a computer security book and you probably will not find an entry for “spiritual security.” Listen to users, however, and they frequently describe their computers as “possessed,” as “taken over by demons,” and needing “an exorcist” to get rid of the problem. Something “sneaked into” their computer or “broke into” their computer and did all manner of mischief or outright harm.
Apple Computer has benefited from great press in recent years, comparing the relatively robust computer security of Mac OS X to that of Microsoft Windows. Few things “sneak in” to a Mac. Yet the brief, colorful, and increasingly frightening history of computer demons, wizards, and “things that go bump in the dark of your computer” features Apple Computer in a starring role, right from the beginning.
Cracker: an individual who uses stolen information, specialized programs, or specialized knowledge to “crack in” to computer systems. Crackers are bad guys.
Hacker: a programmer who “hacks away” at a problem until he comes up with an elegant solution. The news media has confused this term with “cracker,” much to the disgust of clever programmers everywhere.
Virus: a self-replicating program that inserts copies of itself in other programs or documents.
Worm: a stand-alone self-replicating program that spreads itself across computer networks.
One of the first descriptions of computers as weapons came in Robert Heinlein’s 1966 novel, The Moon is a Harsh Mistress. The novel describes a political revolution on the moon that uses computer warfare as a key weapon in aiding the rebels. The theme linking computers and weapons became so common that, by the time the Mac was introduced in 1984, Apple’s license agreement explicitly, and famously, banned the use of either the hardware or software for nuclear weapons research.
A few years after Heinlein’s novel, in 1971, John Draper, later known more widely as “Captain Crunch,” found that a plastic whistle from a box of Cap’n Crunch cereal produced the 2600 Hz tone the phone company’s long-distance switches used for their own signaling, and used it to “attack” those switches over the telephone and get free phone service. Draper inspired Steve Wozniak and Steve Jobs to manufacture electronic “blue boxes” for their friends in order to reproduce this trick without a whistle. Draper later went on to write EasyWriter, the first word processor for the IBM PC (also available on the Apple II).
John Brunner’s 1975 novel, The Shockwave Rider, described computer “tapeworms,” programs that propagate through a computer network. Computer researchers later formally adopted “worm” as the proper term for this type of program. This was followed in 1979 by Thomas J. Ryan’s novel The Adolescence of P-1, which very accurately describes a computer virus in a story about artificial intelligence. Up to this point, all of these speculative stories about computers had been written before the personal computer existed.
Then San Diego State University mathematician and computer scientist Vernor Vinge, intrigued by what he could do using nothing more than an Apple II and a modem, imagined life in the future. His 1981 novella, “True Names,” described a world in which computer users envelop themselves in an artificial universe, and then manipulate that universe to influence the real world. The title comes from the use of pseudonyms to hide the identity of the users. Not only did the novella win a huge number of awards, the online community also adopted wholesale the language and culture he described.
The very next year, in 1982, the real world started to catch up with that of science fiction. Elk Cloner, an Apple II virus, had the honor of being the first computer virus found “in the wild,” outside a computer research lab. It transmitted itself through infecting the boot sectors of Apple II floppy disks.
Shortly after the Mac was born in 1984, William Gibson’s novel Neuromancer appeared, which popularized the term “cyberspace” (Gibson had coined it two years earlier in the short story “Burning Chrome”). It described a future world where computers are little more than commodities, and programmers sustain themselves doing piecework. Meanwhile, the world’s networks are a vast battleground with corporations, governments, and rogue individuals fighting for information and power.
After IBM introduced the IBM PC in 1981, Apple gained competition in the personal computer world, and in 1986 the PC gained its first virus, “The Brain.” Written in Pakistan, this virus also demonstrated the international nature of computer attacks. 1986 also saw one of the first widely reported Trojan Horse programs (only 3,200 years after the Greeks introduced the concept), a doctored copy of the shareware word processor PC-Write. When run, the bogus PC-Write (which, like “The Brain,” ran on MS-DOS computers) acted as a functional word processor, but behind the scenes it deleted files and corrupted diskettes.
The next year, IBM’s internal communications network was brought to a halt when a Christmas greeting replicated itself, over and over again, on servers throughout the world. A few months later, in 1988, Robert Morris, a Cornell computer science graduate student and son of a National Security Agency computer wizard, unleashed the first computer worm on the Internet, disabling over 6,000 Sun and DEC computers. These two incidents, occurring just a few months apart, alarmed computer experts worldwide, and gave birth to the network computer security profession.
Neal Stephenson’s novel, Snow Crash, published in 1992, describes a vast artificial reality spanning the world networks that has become so complex and so invasive that it brings radical changes to the world economy. Written after personal computers had started to proliferate, the title comes from the way a Mac computer screen looks after a crash: it displays random graphics, much like a broken television set showing “snow.” Two years later, in 1994, the world saw the first large-scale disruption caused by a virus that did not exist: so many E-mail messages were written warning of a phony “Good Times” virus that E-mail systems throughout the world were brought to their figurative knees. This hoax presaged the coming deluge of spam.
Microsoft’s introduction of Windows 95 in 1995, with its lack of any serious attention to security, brought with it a flourishing crop of “macro viruses” by the end of the year. The success of the virus-enabled Windows 95 and Windows NT paved the way, in 1999, for the “Melissa” virus to infect tens of thousands of computers overnight, mailing itself to people listed in the address books of Microsoft Outlook users. The “Code Red” worm of July 2001, which spread on its own through a hole in Microsoft’s IIS Web server rather than through infected files, managed to do even better, infecting hundreds of thousands of computers worldwide and causing an estimated $2 billion damage over the course of a month.
A week after the World Trade Center and Pentagon attacks, on Sept. 18, 2001, the “Nimda” virus-worm infected millions of computers worldwide, spreading even faster and more intelligently than “Code Red.” That speed record was shattered on Jan. 25, 2003, when the “Slammer” worm shut down Microsoft SQL Server machines worldwide. This incredibly tiny worm, a single 376-byte UDP packet aimed at port 1434, infected roughly 75,000 machines in about ten minutes, doubling its population roughly every 8.5 seconds in its early stage. Not only did it attack large companies with Microsoft SQL Server installations, but also ordinary desktop computers running Microsoft Project or Visio Professional; these packages, usually unknown to the user, include a limited Microsoft SQL Server engine (MSDE) with the same hole, and it was infected too. The worm generated so much traffic, trying to infect new machines, that large portions of the Internet were swamped with bogus packets for days.
The current record holder for the shortest gap between the announcement of a vulnerability and a worm exploiting it is the “Witty” worm, released on March 19, 2004. Produced just a day after public notice of a flaw in Internet Security Systems’ BlackICE and RealSecure products, “Witty” attacked and disabled some 12,000 computers in about 45 minutes, overwriting random sectors of their disks as it went. Significantly, it was written specifically to attack one vendor’s computer security software.
In the first six months of 2005, the onslaught of invisible threats increased significantly. Mac fanatics argue, correctly, that most of these threats involve Windows, and leave Macs untouched. So does this worldwide war of ghosts coming in on the wire and demons unleashed on the unsuspecting really pose a threat to Macs?
Yes, the threat is real. But defenses are readily available.
The easiest way to keep random strangers from entering your house is to have a stout door with a lock. And the easiest way to keep strangers from entering your home over a DSL or cable modem line is to install a hardware firewall. Hardware firewalls are inexpensive (starting under $100), and are often bundled with routing and switch functions that allow you to share a single DSL or cable connection with a number of computers in your home or office. The firewalls are usually set at the factory with a reasonable level of paranoia, leaving you to simply change the administrator name and password (if you don’t, someone will guess it and break in) and, effectively, lock your doors and windows.
Unless you are a security wizard, avoid the temptation to get a firewall or router that allows wireless access. It is pointless to build an electronic Maginot Line around your home and then invite paratroopers to drop in behind the fortifications. No matter how much you might want a wireless network for your home or office, statistics show that you probably will not figure out how to keep unwanted ghosts and goblins from dropping in. If you must have a wireless network, consider having it on a separate network, between your broadband connection and the hardware firewall protecting your desktop machines.
What about a software firewall? The software firewall bundled with Mac OS X is excellent, and in Mac OS X 10.4, a few new features – such as logging, blocking UDP traffic, and enabling stealth mode – make it even better. Under the friendly face it is the BSD ipfw packet filter that is part of the system; in Terminal, the command sudo ipfw list shows the rules the preference pane has generated, a useful check that the exceptions you think you made are the ones actually in force. But the Mac OS X firewall has two huge disadvantages: (1) because it is software based, a clever virus, worm or Trojan Horse program running on the machine could disable it, and (2) the average user probably will not understand enough about how it works to properly set it up. Use it, but not in place of a hardware firewall.
On the other hand, if you have a laptop, not only should you use the Mac OS X firewall – you should actually spend some time learning how it works. Laptops are designed to move, and the more you move, the more you are exposed to evil spirits trying to break in. The Mac OS X firewall may be the only real protection you have.
Any home or office with a broadband connection (DSL, cable modem, T-1, etc.) should be protected by a hardware firewall. But laptops are designed to be portable, and you won't always be able to verify that a broadband connection away from your home or office has any kind of protection at all. In those cases, use the excellent software firewall included with Mac OS X. In this case, the user has shut off remote access except for encrypted connections.
A firewall works by denying access to certain classes of computer services. By default, Mac OS X turns on no services, so a standard install of Mac OS X, combined with the firewall, should offer good protection. Right?
It does up until users start tinkering. The user might want to remotely log into the computer, so they add an exception for SSH to the firewall. The user might decide they want to enable file sharing, so they add an exception for personal file sharing. They may also add exceptions for hosting Web pages, allowing Windows computers to share files on the Mac, allow files to be moved back and forth via FTP, allow remote printing…
Each new exception forces the firewall to allow in more “stuff,” and gives ghosts and demons more of a chance to invade your computer. “But,” you say, “I’m not interested in FTP, or Windows file sharing. All I use my computer for is browsing the Web, maybe some iChat, maybe some E-mail…”
Browsing the Web is easy; no changes to the firewall are required. E-mail also doesn’t require any changes to the firewall. But iChat, especially audio or audio-video iChatting, requires a number of holes in your firewall. In the Windows world, sending harmful programs over chat (or IM or instant messaging) is a huge and growing problem. There is no solid assurance that Macs will forever remain free of similar problems.
So what should you do? If you want the sun in, open the drapes. At night, close them. Similarly, if you want to use file sharing, turn it on only as long as you need it – then turn it back off. If you are using iChat, be aware of the dangers – and turn it off if you aren’t using it. The more network services you have turned on, the more holes you have in your firewall. And the more holes you have, the less the firewall looks like a citadel and the more it looks like Swiss cheese.
Mac OS X comes with a splendid, little understood tool in the Utilities folder called Network Utility. Among many other useful tricks, Network Utility can do port scans – scanning computers for open ports, each of which represents a service that is running and might possibly be exploitable. To scan your own machine, type in “localhost” and press the Scan button. Keep in mind what the answer means: a scan of localhost lists what is listening on your Mac, whether or not the firewall would let that traffic in from outside. To see what the outside world sees, run the same scan from another machine on the far side of the firewall.
Installing hardware firewalls and turning off services vastly cuts down on spooks and demons coming across a network. Not all invisible attacks depend on networks, however. Computer viruses, Trojan horse programs, and some worms can be spread by being embedded in a document, by simply residing on a CD-ROM or floppy disk or USB “keychain drive,” or by connecting to a shared disk.
As of this writing, there are no viruses, Trojan horse programs, or worms that have any effect on Mac OS X. Just the same, these malicious programs represent a threat to your reputation if you inadvertently pass them on. It might seem silly to suggest that you need to take steps to protect others from threats that don’t affect you, but you can either look at it in terms practical or eleemosynary. Practically speaking, Windows computers and Windows users vastly outnumber the comparatively small Mac world. Charitably, the Windows world needs all the help it can get.
By the time this reaches print, Symantec should have a Mac OS X 10.4-compatible version of their anti-virus warhorse, Norton AntiVirus for Macintosh, and McAfee will have a similar version of their anti-virus package, Virex. Both packages not only protect Macs from all known Mac OS X viruses (all zero of them), but also the full range of Windows viruses. Both packages use heuristic algorithms to detect and warn against “suspicious” activities that may not match any known virus but could indicate an attack by something new. Both will scan incoming E-mail and Web connections for evil files. Both also will stay resident in memory, constantly checking on activity.
For those in the education, graphics, government, legal, and any other field that requires almost constant exchange of documents with outsiders, either commercial package is almost mandatory. The publishers aggressively compete to be the first to identify new threats and to get new anti-virus profiles out to their customers.
If you don’t exchange documents with outsiders – either because you are a hermit or simply don’t need to – you should consider ClamXav. This open-source antivirus package lacks the heuristic and memory-resident features of its commercial counterparts, and it makes no attempt to find older Mac viruses that predate Mac OS X (Virex and Norton do). But it is regularly, often daily updated with the latest Windows virus signatures, and is easy to install and configure. Plus, it is free.
One of the biggest threats to your Mac is a Windows computer. This isn’t flagrant anti-Microsoft bias, but truth borne out of the fires of hellish combat. If you have one or more Windows computers in your home or office, they are far more likely to be successfully attacked by ghosts and demons, far more likely to be infected by viruses and worms, and far more likely to fall victim to a Trojan horse program.
Professional security firms have tested the relative security of Macs and Windows machines through “honeypots.” A honeypot is basically a standard Mac or Windows computer, taken out of its shipping box and hooked up to a network that is, in turn, connected to the Internet. No attempt is made to change the default settings of Mac OS X or of Windows XP. On average (the security firms quibble over the exact figures), it takes between twelve and forty minutes for a Windows XP machine to be “compromised” by invisible things coming in across the wire. Mac OS X machines, in contrast, sit quietly and spurn all untoward advances.
It is, of course, possible to armor a Windows machine against these threats. But while a Mac user needs to do nothing to Mac OS X to make it robustly secure, a Windows user must constantly check, patch, tweak and configure Windows to keep the ghosts and demons out. This is true at home or in your office, which means that, without constant effort, a computer inside your firewall – your Windows machine – might be taken over and used to launch attacks against everything else, from the inside.
In fact, compromised Windows machines are perhaps the leading cause of successful attacks on Mac OS X machines. In a recent case at a university, a cracker broke into the Windows machine used by a computer lab network manager and found a file listing all the accounts and passwords to the lab’s hundred-plus Macs. Then the cracker cheerfully used the account names and passwords to enter the Macs. No muss, no fuss, no special knowledge: the cracker didn’t need to hotwire the Macs since keys were readily provided.
Maintaining a safe network, at home or at the office, is far more difficult if Windows machines are introduced to the mix. Even a visiting laptop – from a vendor, or a college kid home from school – greatly increases the likelihood that evil things will be let loose.
There is no simple solution to this problem. If you have a Windows machine on your network, you’ll simply have to spend more time securing your environment, and in particular spending time and money securing Windows.
While a brand-new Windows computer can be a threat, an older Mac can also be a threat. Over the past few years, there have been several minor outbreaks of older, pre-Mac OS X viruses in the Mac world. The cause is, invariably, the same: older Macs.
Typically, a user decides that an old Power Mac 7200, say, is taking up too much room on the floor of the closet, so the user gives it to Aunt Jen. Aunt Jen is bright, college educated, and knows nothing of computers, so she accepts the computer in order to E-mail her nieces and nephews.
But the user forgot why the computer went into the closet in the first place. It was becoming unreliable, for no clear reason. It would freeze. It would reboot. It would do strange things. It was, in short, virus infested. And after years of sitting in a dark closet, not bothering anyone, it has been cast loose again on poor, unsuspecting Aunt Jen.
The second scenario is potentially even more harmful. In this case, the user decides to donate the machine to some good cause – a church, a charity, or possibly to a group that intends to use it as a prop in a play. The user decides it is too much trouble to reformat the machine, so also donates old tax records, letters, and passwords to anyone who happens to try and use the machine. This is technically poor mental security (covered in Part II), but the user often doesn’t find out about it until discovering that their online bank records, health records, income tax records, E-mail storage, etc., have been compromised.
Older computers may indeed have good value. But erase the hard drives before you let them leave your custody, and erase means overwrite: dragging files to the Trash, or even a quick reformat, only throws away the directory that points to the data, and the data itself stays on the disk for anyone with a recovery tool. Your Aunt Jen and your bank records will both feel safer.
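Why a quick reformat is not an erase, shown with a toy disk model. This is an added example, not from the original article: a real filesystem is far more complicated, but the essential mechanics are the same. The “disk” is an array of fixed-size blocks plus a directory; deleting a file or quick-formatting the volume only forgets where the data is, and secure_erase is the only operation that actually destroys it. The tax-record contents are constructed sample data.

```python
"""Why 'delete' and 'reformat' are not 'erase': a toy disk model.

Added example, not from the original article.  Removing a file (or
quick-formatting a volume) only discards the directory's pointers to the
data blocks; the bytes stay put until something overwrites them.
secure_erase() is the only operation here that makes the old contents
unrecoverable, because it writes over every block whether or not the
directory thinks the block is in use.
"""
import os

BLOCK_SIZE = 64


class ToyDisk:
    """A flat array of blocks plus a directory mapping names to block lists."""

    def __init__(self, n_blocks=32):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory = {}          # filename -> list of block indices
        self.free = list(range(n_blocks))

    def write_file(self, name, data):
        """Store data in free blocks and record them in the directory."""
        needed = max(1, (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE)
        if needed > len(self.free):
            raise IOError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[blk][:len(chunk)] = chunk
        self.directory[name] = used

    def read_file(self, name):
        """Read a file back through the directory (padding stripped)."""
        return b"".join(bytes(self.blocks[b]) for b in self.directory[name]).rstrip(b"\0")

    def delete_file(self, name):
        """What the Trash (and rm) do: forget the blocks, don't touch them."""
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        """What a quick 'Erase' does: a fresh, empty directory over old data."""
        self.directory = {}
        self.free = list(range(len(self.blocks)))

    def secure_erase(self, passes=3):
        """Overwrite every block on every pass: all-zeros, all-ones, then
        random data for any further passes.  Finish with an empty directory."""
        patterns = [b"\x00", b"\xff"]
        for n in range(passes):
            for blk in self.blocks:
                if n < len(patterns):
                    blk[:] = patterns[n] * BLOCK_SIZE
                else:
                    blk[:] = os.urandom(BLOCK_SIZE)
        self.quick_format()

    def raw_contains(self, needle):
        """What a recovery tool sees: search the raw blocks, ignoring the directory."""
        return needle in b"".join(bytes(b) for b in self.blocks)


def donate_scenario(wipe):
    """Write tax records (constructed sample data), 'delete' them and quick-format,
    optionally secure-erase, then report whether the records are still on the disk."""
    disk = ToyDisk()
    disk.write_file("taxes-2004.txt", b"SSN 000-00-0000 refund $1,234")
    disk.delete_file("taxes-2004.txt")
    disk.quick_format()
    if wipe:
        disk.secure_erase()
    return disk.raw_contains(b"SSN 000-00-0000")


if __name__ == "__main__":
    print("records recoverable after delete + quick format:", donate_scenario(wipe=False))
    print("records recoverable after secure erase:         ", donate_scenario(wipe=True))
```

On a real Mac the overwrite pass is what the security options in Disk Utility’s Erase tab (or diskutil secureErase in Terminal, on 10.4) do for you; the toy model only shows why plain “Erase” is not enough.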
Without doubt, the cheapest, easiest way to keep your Mac in good spiritual health is to regularly check for system updates – and then install them. A shocking number of Mac users don’t update their systems, or update them in such a haphazard and irregular fashion that, were they pets, the owners would be cited for abuse. This is very dangerous, for a computer system update is not only a way to protect your machine, but also a starting point for crackers eager to get into your computer.
The sad irony is that every software update is a roadmap into your computer. If a cracker can reverse engineer the update faster than you can apply the patch, the cracker will know how to get into your computer – and your computer will be defenseless. Every software update starts a race: can the good guys patch their systems before the bad guys break in?
The Software Update preference pane in Mac OS X should be set to check for updates weekly, at a minimum; daily is better, and costs you nothing. When an update becomes available, the proper course of action is to install it – not complain that it interrupted what you were doing.
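For a laptop owner who would rather see the pending list in Terminal, here is the same check in Python, as an added example that is not from the original article or from Apple. It reads the listing that softwareupdate -l prints, separates the security updates from the rest, and notes which ones need a restart. The sample listing embedded below is constructed to look like the 10.4-era output; the update names in it are illustrative, not real releases.

```python
"""Triage the output of 'softwareupdate -l' before the update race is lost.

Added example, not from the original article or from Apple.  The Software
Update preference pane is the right tool for most users; this is the same
check from Terminal, for someone who wants to see at a glance what is
pending and whether any of it is a security update.  SAMPLE_LISTING is a
constructed imitation of the tool's 10.4-era output with illustrative names.
"""
import re

SAMPLE_LISTING = """\
Software Update Tool
Copyright 2002-2005 Apple

Software Update found the following new or updated software:
   * SecUpd2005-007Ti-1.0
        Security Update 2005-007 (1.0), 7740K [recommended] [restart]
   * iTunes-4.9
        iTunes (4.9), 12030K [recommended]
   * QuickTime-7.0.2
        QuickTime (7.0.2), 18200K [recommended] [restart]
   * iPodUpdater-2005-06-26
        iPod Updater 2005-06-26 (1.0), 28000K
"""

NAME_LINE = re.compile(r"^\s*\*\s*(\S+)")   # "   * SecUpd2005-007Ti-1.0"
FLAG = re.compile(r"\[(\w+)\]")             # "[recommended]", "[restart]"


def parse_listing(text):
    """Return one dict per update: name, description, recommended, restart."""
    updates = []
    current = None
    for line in text.splitlines():
        m = NAME_LINE.match(line)
        if m:
            current = {"name": m.group(1), "description": "",
                       "recommended": False, "restart": False}
            updates.append(current)
        elif current is not None and line.strip():
            # The line after the name carries the description and the flags.
            flags = set(FLAG.findall(line))
            current["description"] = FLAG.sub("", line).strip()
            current["recommended"] = "recommended" in flags
            current["restart"] = "restart" in flags
            current = None
    return updates


def is_security_update(update):
    """Apple labels its security patches 'Security Update YYYY-NNN'."""
    return (update["description"].startswith("Security Update")
            or update["name"].startswith("SecUpd"))


def triage(text):
    """Split pending updates into security ones (install now) and the rest."""
    updates = parse_listing(text)
    return {
        "security": [u["name"] for u in updates if is_security_update(u)],
        "other": [u["name"] for u in updates if not is_security_update(u)],
        "needs_restart": [u["name"] for u in updates if u["restart"]],
    }


def install_command(names):
    """The Terminal command that installs exactly those updates."""
    return ["sudo", "softwareupdate", "-i"] + list(names)


if __name__ == "__main__":
    import subprocess
    try:
        proc = subprocess.run(["softwareupdate", "-l"], capture_output=True,
                              text=True, check=False)
        listing = proc.stdout + proc.stderr
    except OSError:                     # not a Mac: use the constructed sample
        listing = SAMPLE_LISTING
    result = triage(listing or SAMPLE_LISTING)
    print("security updates pending:", result["security"] or "none")
    print("other updates pending:   ", result["other"] or "none")
    print("will need a restart:     ", result["needs_restart"] or "none")
    if result["security"]:
        print("run:", " ".join(install_command(result["security"])))
```

Security updates go first, restart or no restart; the iTunes update can wait until the end of the day, the patch that closes a remote hole cannot.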
In the Windows world, the situation is so critical that computer security experts and some lawmakers have seriously entertained the idea of making it illegal to operate an unpatched computer. A huge percentage of all computer attacks are actually made by unpatched Windows computers that were remotely taken over by crackers, and then turned into “zombies” to attack other computers. The Mac world, so far, has escaped this problem, but the sheer power of Mac OS X makes it a juicy target: a Mac OS X “zombie” would be several times more dangerous than a similarly infested Windows machine.
Apply security updates. Apply system updates. Unpatched software is by far the greatest “spiritual security” threat there is in the world today.
Keep in mind the lessons of your parents, teachers and religious leaders. Physical security is useless without mental and spiritual security. Mental security is useless without physical and spiritual security. Spiritual security is useless without physical and mental security.
Good security is like good driving. Learn good habits, and drive safely out of habit, not out of a brooding obsession with avoiding accidents. Good habits, once learned, are not burdensome. Don’t dread and fear disaster, but instead enjoy your computer – and make a habit of treating it properly, so you can enjoy it even more.
John Brunner, The Shockwave Rider. This 1975 novel is almost always available in new reprints. Brunner’s description of “tapeworms” will be instantly recognizable to modern computer users.
William Gibson, Neuromancer. First published in 1984, Neuromancer has been almost continually in print since then, and is considered the first “cyberpunk” novel.
Robert Heinlein, The Moon is a Harsh Mistress. This 1966 novel, still in print, deals extensively with how a computer system can be used as a tool for political and military attacks.
Thomas J. Ryan, The Adolescence of P-1. This 1979 novel is currently out of print, but available as a used book through Amazon.com and other sources. It presented the first written description of a computer virus.
Neal Stephenson, Snow Crash. Continuously in print since its publication in 1992, Snow Crash takes its name from how the screen looks on early Macs when they crash, displaying a bitmapped chaos that looks somewhat like a broken television set.
Vernor Vinge, True Names: And the Opening of the Cyberspace Frontier. Tor Books, 2001. Includes the 1981 novella “True Names” plus essays by Marvin Minsky, Danny Hillis and others on the themes of artificial intelligence, virtual reality, cryptography, personal freedom and government control.
Bruce Potter, Preston Norvell and Brian Wotring, Mac OS X Security. New Riders, 2003. xx, 385 pp. $39.99. ISBN 0-7357-1348-0.
John Ray and William C. Ray, Mac OS X Maximum Security. Sams, 2003. xviii, 747 pp. $44.99. ISBN 0-672-32381-8.
Mac Security: Physical, Mental and Spiritual. Part I: Physical Security, by Lawrence I. Charters
Mac Security: Physical, Mental and Spiritual. Part II: Mental Security, by Lawrence I. Charters
Blackout: What to Do After the Lights Come Back On, by Lawrence I. Charters
How Strong a Password? by Lawrence I. Charters
How to Crack Mac OS X Passwords, by James Kelly
Securing Your Mac, by Lawrence I. Charters
Security in Depth: Or How to Think About Security, by James Kelly
Security: Mac OS X minds the store
Overview of security technologies in Mac OS X
Apple Product Security
Portal to Apple’s security information, including security updates.
Apple Mailing lists
Of particular interest for security are Fed-talk (Federal Mac user concerns), Macos-x-server (administrators of Mac OS X Server), and Security-announce (Apple’s channel for announcing security updates and concerns).
Mac Security: Fact and Fiction
An article that talks about Mac security concerns in terms of which problems are worth worrying about and which ones are pink elephants.
Microsoft: 10 Immutable Laws of Security
An interesting look at what Microsoft thinks is important when it comes to security
Sponsored by the National Cyber Security Alliance, it has suggestions for home users, education users, and small businesses
National Cyber Alert System
Sign-up page for Cyber security alerts, bulletins, and tips, via E-mail
Well Known TCP and UDP Ports used by Apple Software
Checking for Open TCP Ports
Using a firewall to protect your computer
Symantec Security Check
Invite Symantec to remotely test your security
National Vulnerability Database: A Comprehensive Cyber Vulnerability Resource
Sponsored by the Department of Homeland Security and maintained by the National Institute of Standards and Technology
Securing Mac OS X, by Stephen de Vries
White paper and how-to guide on Mac security
Application Deployment Problems and Solutions (a.k.a. Crappy Apps)
by Scott Doenges and Richard Glaser
A resource center set up by the University of Utah as an aid in setting up secure computer labs.
Mac OS X Enterprise Deployment Project
A resource center started by Mike Bombich (of Carbon Copy Cloner fame) for sharing techniques for widespread deployment (and maintenance) of Macs in an enterprise.
Mac OS X Security – TCP Wrappers
A guide to adding TCP wrappers to Mac OS X. (TCP wrappers are part of Mac OS X, but not enabled. The site tells you how to enable wrappers, which are essentially directives on which remote machines are allowed to talk to your Mac.)
A not particularly active site, but with good security information on the Mac.
Exploring the Mac OS X Firewall, by Peter Hickman
Exactly what the title says it is: an extended look at the Mac OS X firewall.
Securing Mac OS X, by Paul Day
40-page guide to securing Mac OS X 10.3
Mac OS X Enterprise Application Management Best Practices, by Richard Glaser and Philip Rinehart
56-page guide on enterprise management of Macs
A Security Primer for Mac OS X
SANS InfoSec Reading Room
Security papers on Mac OS X security issues, in PDF format. In particular, note “Mac OS X: User Friendlier Security for Unix” and “Macintosh Forensic Analysis Using OS X”
McAfee Virex for Macintosh
Commercial anti-virus package for Mac OS X
Norton AntiVirus for Macintosh
Commercial anti-virus package for Mac OS X
ClamXav
Free, open-source anti-virus package for Mac OS X
NmapFE for Mac OS X
A Mac OS X graphical front-end to the very powerful Nmap (“Network Mapper”) port-scanning tool. It is far more powerful, and more complex, than the Port Scan tool in Apple’s Network Utility.
Ethernet packet analysis tool. Not very sophisticated, but free and educational.
Macintosh OS X Security Technical Implementation Guide, Version 1, Release 1
Developed by the Defense Information Systems Agency (DISA); hosted by the National Institute of Standards and Technology
Macintosh OS X Security Technical Implementation Guide Checklist, Version 1, Release 1
Developed by the Defense Information Systems Agency (DISA); hosted by the National Institute of Standards and Technology
NIST SP 800-53 Database Application
FileMaker Pro runtime database (in Mac and Windows formats) for helping you understand and meet SP800-53 security guidance.
Developed by National Institute of Standards and Technology
Security Configuration Guide for Mac OS X
National Security Agency guides to security for Mac OS X 10.3 and Mac OS X 10.3 Server.
Information on Mac OS X 10.3 and 10.4 compliance with Common Criteria, a set of security standards adopted by over a dozen nations.
National Webcast Initiative
Sponsored by the Department of Homeland Security and the Multi-State Information Sharing Analysis Center, this site hosts periodic, free Webcasts on security topics. Archived transcripts and presentations (usually in PowerPoint) are available for Webcasts you may have missed.