Bitcoin Forum
Author Topic: Mac OS X Security Recommendations  (Read 1393 times)
iamnot
June 25, 2011, 06:31:56 PM
 #1

Looking for some Mac OS X Security Recommendations

1 - Do you use a virus scan and which one?

2 - How secure is 1Password?

3 - Do you use FileVault or TrueCrypt?

Thanks!



 
Rob P.
June 25, 2011, 11:27:19 PM
 #2

> Looking for some Mac OS X Security Recommendations
>
> 1 - Do you use a virus scan and which one?

Nope

> 2 - How secure is 1Password?

Very, encrypts everything, with AES 128-bit.
Read here:  http://agilebits.com/products/1Password/user_guide
And here for technical details:  http://help.agilebits.com/1Password3/agile_keychain_design.html

> 3 - Do you use FileVault or TrueCrypt?

Actually, I use Knox (http://agilebits.com/products/Knox).  Another application from Agile Bits.  But of the two, I'd use TrueCrypt.


--

If you like what I've written here, consider tipping the messenger:
1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG

If you don't like what I've written, send me a Tip and I'll stop talking.
iamnot
June 27, 2011, 02:11:57 PM
 #3

Thanks Rob, I sent you a small tip.  So if you are using both Knox and 1Password, I guess you trust agilebits to not have any backdoors?

I also saw http://www.taoeffect.com/espionage/ which looks interesting because it can encrypt individual folders. I will probably go with Knox since I trust agilebits.
Rob P.
June 27, 2011, 02:58:23 PM
 #4

> Thanks Rob, I sent you a small tip.  So if you are using both Knox and 1Password, I guess you trust agilebits to not have any backdoors?

Wow nice!  Thanks!  My first unsolicited tip from the forums.  Mucho gracias.

Yes, I've been using 1Password and using AgileBits stuff since it was in beta and have had exchanges with the developers (I used 1Password when it was 1Passwd).  I've never had any issues.

kgutteridge
June 30, 2011, 10:21:34 PM
 #5

Another very happy Agile Bits customer; the great thing is their iOS clients as well, in particular for the iPad.
catfish
June 30, 2011, 11:37:25 PM
 #6

Serious Mac user checking in here... currently in my office surrounded by 11 Macs and my first 'mining rig' which is a cheap motherboard mounted on a plank of wood with Meccano :) with two PSUs (the second is redundant at the mo) and a Sapphire 5850 ATI graphics card bolted in.

The 5850 was running 260 Mh/sec but then I found how to overclock from the CLI and now it's running 360 Mh/sec. That's saved me the cost of paying £377 for a 5870 for my main Mac Pro...

Remember that the Mac OS is Unix. It's as secure as Linux can be, since Linux is (in general) built for hackers and Mac OS X is (in general) built for 'is it switched on?' types. ;)

However, many proper hackers worthy of the name have found that Mac OS X is one hell of a useful OS - check out the number of attendees at DefCon conferences with Apple laptops running OS X, for example. Equally, distros like Ubuntu are user-friendly enough to compete with Windows. So it's not as cut-and-dried as it used to be.

Both OSes have Unix foundations - and OS X, of course, has the 'real' UNIX certification. They were built as multi-user systems from the ground up. Hacking into a Unix box requires one of two things (in my experience, which without starting a cock-waving contest, runs to 29 years) -

1) a service running on an externally-accessible port which has a *known* vulnerability and hasn't been patched (as per the SSH vuln Trinity used in Matrix Reloaded... yeah, it's a movie, but the scene was incredibly real and I fell out of my cinema seat when a *real* representation of Unix hacking was shown in a film... remember Jurassic Park and the little girl watching some random 3-d BS and claiming 'hey, this is a Unix system' ??? - anyway, I digress);

2) a login with a weak password.

Of the two - number (2) is the most common. With old-school Windows installs built by the non-savvy (no, I'm not flaming Windows, I managed to run a net-facing W2k server for a year before Code Red got me, and you can't do much against zero-day sploits), a poor password would almost always be on the user's account who also had administrator privileges. This wasn't always MS's fault - many games couldn't be installed or run without admin privs. So everyone ran in the localadmin group. Hence guessing a Windows password usually lets you own the machine.

With Unix, it's harder. Yes, if you choose a lame password and there's a service exposed to the internet via port forwarding on your router (you have a NAT router, right?), then a cracker will be able to log in as you - depending on how hard you make it (number of guesses before lockout, logging, sleep time between login attempts, etc.).

Whether the cracker can then *own* your Unix box is then a question of his/her skill. Assuming you don't log in as root, or as an administrative user with full sudo privs, the cracker then has to escalate privileges in order to gain control over the machine.


So... with Mac OS X disabling the root user by default, the advice is very simple - don't use an 'administrative' account as your day-to-day Mac login. Then - and this is the most important factor in all security across ALL operating systems, IMO - choose a crazy-hard password. I know how hackers guess passwords, mainly because I've pen-tested my own systems (oh stop beating around the bush - when I was younger, I used to mess about...) - simply taking a couple of meaningful words (like the name of the website) and substituting numbers for vowels will be caught by my algorithms. So thinking that a password for the 'bitcoinforum' of 'B1tc01nF0rum' is safe... is utterly foolish. However, you'll beat virtually all automated hack tools simply by slinging a couple of symbolic characters at the end or the beginning. So if you must, how about '£B1tc01nF0rum%' and no tool will get it.


It's as easy as that. Mac OS X doesn't enable the root user. When you set up the OS, you set up your own main administrative user for 'admin tasks' - give this a weird name (not 'administrator' or 'admin' or 'localadmin' please) and a *hard* password. Then create a normal user account - NOT ADMINISTRATIVE - again with a password that is hard for the automated tools (even !@password£$ is hard for automated tools....) and use that as your daily GUI Mac login. It's all about how hard your password is.

Then you need to keep up to date with security patches - yes, Apple don't always release fixes immediately, and any system is under threat of zero-day exploits, but with strong passwords and only the necessary ports open, you are safer than 95% of the rest out there.


Anti-virus and 'internet security' packages on Mac OS X? Well, I've run a small company full of Mac boxes 24/7 connected to the Internet since the very first production (heh) Cheetah 10.0 - I've never used, or found any need for, anti-virus or 'internet security'. Just use a NAT router, know which ports are open and which Mac on your network gets sent externally sourced packets from each open port, and then make sure all services that are open to the internet have proper passwords. Strong, hard passwords.

I was the first person in the UK who had a mk1 iPhone running unlocked - on Vodafone's network - but well before then, the jailbreak was necessary... we all know the standard passwords for iPhones, and that was the first thing I changed. It's amazing how many people use 'easy tools' to jailbreak their iPhones, install sshd thinking it'd be cool (without knowing what it is) and leave the passwords as standard... (no, I'm not some elite hacker, I was online with geohot and got his alpha software unlock... he's the genius, not me)


It's really all about passwords and open ports. If you run any non-Apple code as a service, with a port opened to the internet, then do you trust the code? Ask that question. One potential hole that many people see as a 'convenience' is UPnP - this allows the OS to ask the router to punch a hole for the app that requests it. Hence if you download and run malware, it can open a port on your router for you... if you want full control, switch OFF UPnP on your router and only map ports that you KNOW you want and trust.

Other than that, Macs are secure machines for servers. All the well-publicised 'OS X Vulnerabilities!!11!!11' have been virtually ALL holes in web browsers or plug-ins to web browsers. Again, 'internet hygiene' is the same on any machine - think about what you download and choose a browser that displays the *real* URL when you mouse over a link... and check EACH link before you click on it. Equally, with Apple Mail, display the headers... a mail purporting to be an angry email from your online banking service, but whose originating IP address maps to a DSL connection in Brazil, is really rather unlikely to be legit.


If the *real* elite want to break into your machine, they will. It's easier to use social engineering attacks, and probably easiest to simply burgle and steal the physical machine. However with sensible precautions, you won't have anything to fear from script kiddies or even average hackers with a Mac.

In the context of Bitcoin, due to the way it appears to work (I'm a newbie at this), another level of security sounds like having multiple wallet installs on multiple machines you own, all with different passwords, and then spreading your BTC wealth across your wallets. Having a large sum in one wallet, or a large balance held with an online exchange, is risky. In the second case (exchanges), you are delegating the security responsibility to a third party, whose code you may never see.

...so I give in to the rhythm, the click click clack
I'm too wasted to fight back...


BTC: 1A7HvdGGDie3P5nDpiskG8JxXT33Yu6Gct
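
The password advice in the post above can be turned into a check run when a password is set. The following is an added example, not code from the thread: it undoes digit-for-letter swaps, treats symbols at either end as decoration, and reports how much of the password is left once site-related and common words are removed. The function names, substitution table, word list and 8-character threshold are all assumptions of this example.

```python
import re

# Digit/symbol-for-letter swaps undone before word matching (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Tiny constructed word list; a real deployment would load a much larger one.
COMMON_WORDS = {"password", "admin", "letmein", "qwerty", "welcome"}


def decode_core(password: str) -> str:
    """Drop symbols at either end, lowercase, then undo leet substitutions."""
    core = re.sub(r"^[\W_]+|[\W_]+$", "", password)
    return core.lower().translate(LEET)


def audit_password(password: str, context_words=()) -> dict:
    """Report guessable words hidden in a password and what remains without them."""
    core = decode_core(password)
    words = COMMON_WORDS | {w.lower() for w in context_words}
    # Remove longer matches first so a short word cannot split a longer one.
    found = sorted((w for w in words if w in core), key=len, reverse=True)
    residual = core
    for word in found:
        residual = residual.replace(word, "")
    # Assumed policy: fewer than 8 unexplained characters counts as weak.
    return {"core": core, "found": sorted(found),
            "residual": len(residual), "weak": len(residual) < 8}


if __name__ == "__main__":
    site_words = ["bitcoin", "forum"]  # words an account's context gives away
    # First three candidates are quoted in the post; the last is constructed.
    for candidate in ["B1tc01nF0rum", "£B1tc01nF0rum%", "!@password£$",
                      "qV7#tRz9!mLx2&Wp"]:
        print(candidate, audit_password(candidate, site_words))
```
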
BitQuestr (BitCoinWorldMarket)
July 01, 2011, 12:54:16 AM
 #7

The other interesting thing that I discovered when researching Mac OSX vulnerabilities is that 1Password (among others) takes advantage of a feature in OS X called "Secure Input". This means that only the particular program that is requesting a password can access the input and keystrokes. Hence it makes keyloggers a lot less effective.

While I'm sure it is not infallible, it does add another layer of security that our Windows brethren don't have.

I am a huge supporter of 1Password as well. +1
