Better Safe Than Sorry

Transcription

1 Better Safe Than Sorry Security and OS X patrik@jerneheim.se

2 SECURITY An Unexpectedly long Journey

3 Agenda Threats Protection Configurations Best Practices?

4 Let s talk security

5 Distrust and causion are the parents of security Benjamin Franklin

6 Then No viruses No malware Secure by design and of course very cool

7 Once the market share starts growing, then There are definitively viruses for Mac out there Well, don t be stupid Windows users are more aware of security, i.e. more secure I have friends who knows how it s done You absolutely need anti-virus protection on Mac

8 Now Gatekeeper Application Sandboxing Malware Detection Full Disk Encryption

9 Apple Security Device Security Platform Security Data Security Network Security

10 Apple Security Philosophy Ease of use Guide the users Secure defaults Freedom to choose

11 In the Hacker Toolbox the quieter you become, the more you are able to hear

12 A hacker to me is someone creative who does wonderful things Sir Tim Berners-Lee

13 Who s the Hacker? Hacking for fun Hacking for profit Governments

14 Tools of the trade nmap Wireshark Cain & Able John the Ripper Metasploit metasploit

15 Demo Playing with fire

16 Device Security Securing the box

17 Amateurs hack systems, professionals hack people Bruce Schneier

18 Device Security EFI firmware password icloud locking Configuration profiles Policy management

19 Firmware Password UI tool on the Recovery HD

20 Firmware Password UI tool on the Recovery HD Prevents modifier keys setregproptool -m full What if you forget it?!

21 icloud Locking icloud / Find My iphone Can only use 4 digit code Survives reboot / reset pram

22 icloud Locking icloud / Find My iphone Can only use 4 digit code Survives reboot / reset pram but is it secure?

23 Demo Setting a Firmware Password

24 Platform Security Securing the processes

25 People who are serious bout software should make their own hardware Alan Kay

26

27 Platform Security Application Sandboxing Code Signing Gatekeeper XProtect & Quarantine

28 Mandatory Access Control Application Sandboxing Entitlements sandbox-exec -n

29 openbsm Audit Logging above and beyond system events and user events praudit for reading audit trails

30 Demo Roll your own IDS

31 Data Security Securing the information

32 There is no castle so strong that it cannot be overthrown by money Cicero

33 Data Security Full Disk Encryption Keychain Access / icloud Keychain Encrypted Containers Secure Erase

34 FileVault 2 Rich Trouton has the full story derflounder.com

35 FileVault 2 Rich Trouton has the full story derflounder.com What about performance?! before

36 FileVault 2 Rich Trouton has the full story derflounder.com What about performance?! after

37 Encrypted Container Disk Utility or hdiutil 128 or 256-bit encryption Password in a keychain Password in an external keychain

38 Demo A poor mans 2-factor authentication

39 Network Security Securing the traffic

40 Users will take dancing pigs over security everytime Bruce Schneier

41

42 Network Security Encrypted traffic Encrypted authentication Firewalls

43 Firewalls Application Layer Simple UI setup Packet based IPv4 & IPv6 CLI or IceFloor 2

44 Demo Computer Lockdown, extraordinaire

45 Encryption Primer Talk is cheap, if unencrypted

46 Meet our friends Eve Alice Bob

47 Yes, it s apple123 Do you have the password? Clear text is not a secure way of transmitting secrets on a network

48 Yes, it s apple123 pwnd! Thank you! Clear text is not a secure way of transmitting secrets on a network

49 Yes, it s ******** Do you have the password? We really need to encrypt any secret information before it is sent

50 Yes, it s ********?? We really need to encrypt any secret information before it is sent

51 Yes, it s ********?? but, how do we share encryption keys without everyone on the network getting them?

52 Let s do DHX Do you have the password? Diffie Hellman Exchange

53 Here s (x1) Diffie Hellman Exchange Secret * p1 = x1!!

54 Here s (x1) OK, here s (x2) Diffie Hellman Exchange! Secret * p1 = x1 x1 * p2 =! x2!!

55 OK, here s x3 OK, here s (x2) Diffie Hellman Exchange! Secret * p1 = x1 x1! * p2 =! x2! x2 / p1 =! x3

56 OK, here s x3 $#*! Thanx! Diffie Hellman Exchange! Secret * p1 = x1 x1! * p2 =! x2 x2! / p1 =! x3 x3 / p2 = Secret

57 Crack the Code What is the password on the encrypted USB-stick?

58 Diffie Hellman Exchange lite Alice first send x1 = to Bob Bob send x2 = back to Alice Alice then send x3 = back to Bob x1 = secret * p1 x2 = x1 * p2 x3 = x2 / p1 x3 / p2 = secret

59 It can only be attributable to human error HAL 9000

60 Practice what you learn

61

62 Can you hack it? Setup with security in focus

63 Can you read the content in the PDF in the Shared folder?

64 Security Setup Firmware Password - setregproptool -m full FileVault2 Encrypted Secure Container bit encrypted Password stored in external keychain Encrypted PDF All passwords 22 characters

65 Dave, this conversation can serve no purpose anymore

66 Goodbye