“Assuming that ‘because it’s a Mac, it’s safe’ is no longer wise” is probably one of this book’s most important themes. It has been my experience that too many Mac users “know” that OS X is secure and therefore they have nothing to worry about. This book shows just how wrong that attitude is.
As for me, I liked the book. It is a hard book to read, mainly because of the detail it goes into. Be prepared to spend some time with it.
The biggest problem I had with this book is an inherent problem with printed books in the information age: the information is a bit dated. It was written around OS X 10.2.2 but despite its relative antiquity, it should pretty much apply to the latest version of OS X as well. The tools mentioned throughout the book still exist and will have been updated by now and the links I followed out are still valid.
If you are an OS X user and are at all interested in security then read this book. It gives step-by-step instructions on how to secure a Mac and is actually a good primer on UNIX security in general. It is laid out in four parts: Basic Security, Vulnerabilities and Exposures, Mac Specific Resources and How to Secure Them, and Prevention, Detection and Reaction to Attacks.
Part 1 is a very good primer about policies for anyone needing to set up a network involving Macs or even multiple users on a single computer. It talks about how to write rules and usage guidelines for your users that will not only help secure the system, but will also ensure that your guidelines are enforceable.
Part 2 goes into how to protect your sensitive data from the different types of attacks. It covers the methods and programs that can be used against you and how to stop them.
This section is a very good primer on how to choose a secure password. It has been my experience that Mac users are no different than Windows users in this respect: they don’t know how to choose a password. Most I know will be very surprised at how easy and fast it is to crack the typical password. This section covers the tools that can be used and also lists some impressively short times to crack a password. In one example, a lowercase, alpha-only password (asdzxc) was added to the end of a 234,000-word dictionary, and a cracking program using the dictionary approach took just 77 seconds to crack it. Changing the rules in the cracking program to force it to try variants based on common password patterns still allowed the password to be cracked in just over 21 minutes. This is a must-read for just about everyone.
Part 3 provides in-depth information about server resources such as FTP and File Sharing, and provides tips and tricks to use to protect those services. It provides sample configuration files and explains in line-by-line detail what the files do. Some handy tables list the most common switches and explain what they are for.
Part 4 covers Intrusion Detection and how to react to an attack. It also has coverage of the basics of backing up your data to prepare for disaster and recovery.
In summary, it’s a great book for those serious about understanding security, but most computer novices would be better off spending their money elsewhere. There are several chapters that have useful information for novices, but not enough to make it worthwhile. Some UNIX knowledge is required to get the most out of this book. If you have a bit of computer knowledge and would like to learn more about security then I would suggest getting this book. It is a very good primer on security and will teach you what you need to know to secure your system. If you are a fledgling System Administrator then definitely get this book. It will teach you everything you wish you already knew about setting up and securing Mac OS X systems in a network environment.
For more information, or to purchase this book, see it at Amazon.com:
There’s a *lot* wrong with the attitudes of Mactards — the blind assumption of OS X security is just one of them.
I exclusively use two Macs in my daily life, and yet the Steve Jobs Reality Distortion Field has yet to affect me.
Name calling aside, your point is valid. But Mac users’ security attitudes are no worse than that of the typical Windows user. I fix problems for Windows users frequently and most of them have absolutely no idea how insecure their system is. Out of the box a Mac is much more secure than a Windows machine. We need to educate the vast majority of computer users in security issues as that would make all our lives a lot less complicated.
“Out of the box a Mac is much more secure than a Windows machine.”
That’s debatable. Yesterday, I set up a new Dell Dimension. After maybe 10 minutes of running “Windows Update,” the system was completely patched.
Two months ago, I set up a new Mac Mini … took about the same amount of time, to run Software Update so that everything was patched.
And … for the life of me … I’ve set up probably 50 PCs in the last three years, and I’ve *never* experienced the “you-will-be-hacked-within-three-minutes-of-going-online” crap.
I’m starting to wonder how much of that is even true. Has anyone else experienced this? Just wondering.
Just download this pdf,
http://homepage.mac.com/hogfish/.cv/hogfish/Sites/.Public/securing-…
Oh and don’t give your admin password to just anything, don’t use MS or Symantec products or really anything that runs as root all the time.
Watch for phishing email scams, run P2P gotten apps in a fake “user” for a while. Run ClamXav to rid the Windows malware before passing it on.
Run a port scan once in a while from a website that offers such service like scan.sygate.com
Clone your boot drive occasionally to an external, keep disconnected, and make file backups daily using Deja Vu (search Apple)
Actually keep two copies, if your first clone gets owned, c boot off an installer CD and Disk Utility erase w/zero all infected drives and reverse clone from second clone.
Watch for suspicious windows asking for your admin password, know what processes are running and what they are, search online for the answers.
Install Little Snitch to block unauthorized network connections
Enable the Mac OS X firewall and log for maximum protection,
Check to make sure no services are running in System Prefs>Sharing
Do not allow others to be or use admin
Use a low level debit card online with funds transferred in person only from another account with no ATM or internet access. This way if money is lost, it’s the bank’s fault. Microsoft software is everywhere, businesses are more insecure than the Mac using public in general.
Use longer than 14 character alpha/numeric passwords; 45 characters is preferred (botnets create all the password combinations, the more characters the harder and longer it takes to generate a list)
Avoid wireless, even bluetooth (was an electronic warfare tech in the Navy, forget security, you’re wide open, even your plastic case PC is mine)
Mac OS X is pretty secure, but nothing is 100% safe, an ounce of prevention is cheaper than a ton of cure.
So better safe than sorry.
Edited 2006-02-08 02:05
Some good suggestions but I would take some exceptions to the following.
“Avoid wireless, even bluetooth (was an electronic warfare tech in the Navy, forget security, you’re wide open, even your plastic case PC is mine)”
I run a wireless home network and though it would not be impossible to compromise it, it would be hard enough that you would either give up or I would find out you were attempting to hack in before you actually did so. If the proper precautions are taken it is reasonably safe. Also my neighbor is on the City Police force and if you were parked across the street from me for very long you would probably have someone tapping on your window. Besides, I was the one who informed him that he was running a wireless network that was unencrypted. (Daughter’s friend hooked it up so they could connect a laptop and did not secure it. 🙂 )
Anyway, wireless can be secured well enough for the home user not to have to worry too much.
Play some background music to mask the keyboard sounds, as this can be recorded and your passwords deciphered.
Check your USB cables for keystroke loggers
Who still uses hardware to keylog? It’s a lot more common and easier to just slip in software to spy on various system information. Clever trojans and people armed with livecds come to mind.
I think it was a joke, I laughed at least.
This is exactly the attitude this book tries to combat. Complacency is the biggest reason for the mess we are in with regards to security. There is no such thing as a 100% secure OS and for anyone who thinks otherwise, I have a bridge for sale. Contact me.
A good security reference is always good, but there are now more worrisome things.
http://www.securityfocus.com/news/11375?ref=rss
“At the recent ShmooCon hacking conference, one security researcher found out the hard way that such venues can be hostile, when an unknown hacker took control of the researcher’s computer, disabling the firewall and starting up a file server.”
“While such compromises have become common in the Windows world, this time the computer was an Apple PowerBook running the latest version of Mac OS X. The victim, a security researcher who asked to remain anonymous, had locked down the system prior to the conference and believes that a previously unknown exploit caused the compromise. However, in the following weeks, forensics performed on the system did not reveal any clues as to how the PowerBook had been compromised.”
I believe this is first contact between Apple’s security process and hardcore *nix hacking.
My problem is with articles like these that are by so-called “Professionals” who own websites and talk about Mac OS X security.
And because it’s a reasonably big site, the average joe will believe it.
They will point out a flaw or exploit and fail to mention that this flaw or exploit on a service needs to first be enabled.
The large majority (I’m not saying all, but most of them) are flaws/exploits that are on services that are disabled by default.
Either that or the exploit needs physical access to the machine.
You will always get problems with an OS, it’s a given, there’s always someone out there a little smarter that will find a weird and wonderful way around it.
The thing that does matter, is how easily, and how quickly the fixes/patches/updates are.
I would much rather have the Software Update program jump a few times and easily install it, than wait months for Windows to fix it, because it’s not within their scheduled time slot to patch it.
That said, there needs to be more teaching into what to do and what not to do in General, not something specific to the OS.
I mean, regardless of the OS, you shouldn’t open attachments without some type of scan or check. Simple things like these prevent a lot of problems, and people need to be taught the basics of security.
Would be a lot more useful teaching kids about Security in school than how to use a Word processor.
Edited 2006-02-08 05:39
“They will point out a flaw or exploit and fail to mention that this flaw or exploit on a service needs to first be enabled.
The large majority (I’m not saying all, but most of them) are flaws/exploits that are on services that are disabled by default.
Either that or the exploit needs physical access to the machine.”
Actually, the authors do a very nice job of pointing out these things. They even go so far as to point out vulnerabilities and then list versions of the programs that are affected and tell you where to get the updated version that has been patched. They do not try to scare you into a panic and most of the programs they talk about are freely downloadable open source programs.
If Apple needs a book to show that it’s not secure, then Windows will need an encyclopedia, even a library to expose all its weaknesses.
As a rule of thumb: Use the least insecure OS if you can. There is no OS that is 100% fool proof; so if you want to be wise simply choose the least insecure OS.
As the writer of this review I have to say I agree with you. For most people the OS is reasonably secure simply because they are not running multi user/multi machine networks. This is why I stated their money could be better spent elsewhere. There is useful information for them, but not enough to justify the price of the book.
I have been into computers for more years than I care to mention. The book did, however, point out information I had forgotten over the years. I also learned a few things in the process. I liked the book, but then I also thought “Rise and Fall Of The Third Reich” was a good book, and will be referring to it in the future when I am setting up a new home network next year.
The intent of the book was not to show that OS X is insecure, but rather to show you how to make it even more secure than it already is. There are weaknesses in it just as there are in any OS. One of the main reasons I now run a Mac and OS X was because I got tired of dealing with all the problems involved with running Windows. Anyway, it is a very good book on the subject.
This is just an advertisement.
While I do care about MacOSX and its security, this whole article looks just like one big advertisement… paid by Amazon.
Pity.
Open mouth, insert foot…
I wrote the article and I have NOT received one dime from anybody. I volunteered my time to write this as a service to OSNews readers. You might at least try to get your facts straight before posting.
“I wrote the article and I have NOT received one dime from anybody. I volunteered my time to write this as a service to OSNews readers.”
The whole article is built up like an advertisement, below you can find the Amazon button/link to buy the book.
How does that look?
No hard feelings... it’s nice of you to write an article, but it looked like an advertisement to me.
Edited 2006-02-08 22:46
Actually, I never even looked to see if any of the online stores had a write-up on the book. And I did mention in the review that the cost of the book was not worth it for beginners. You could call any positive review of any product an advertisement looking at it that way. You have to realize I haven’t done a “book report” in more years than computers have been in our lives.
We need to start taking articles in here the way they are intended. I see so many articles being ripped to shreds not because of any factual errors, but rather because the person commenting does not agree with the article. And that is the surest way to guarantee that people will not want to submit articles. So far the comments on this article have been quite civil. I wish it were that way all the time. Anyway, I appreciate your responding.
Anyway, down off my soapbox…