Better Safe Than Sorry Security and OS X patrik@jerneheim.se
SECURITY An Unexpectedly long Journey
Agenda Threats Protection Configurations Best Practices?
Let's talk security
Distrust and caution are the parents of security Benjamin Franklin
Then No viruses No malware Secure by design and of course very cool
Once the market share starts growing, then There are definitely viruses for Mac out there Well, don't be stupid Windows users are more aware of security, i.e. more secure I have friends who know how it's done You absolutely need anti-virus protection on Mac
Now Gatekeeper Application Sandboxing Malware Detection Full Disk Encryption
Apple Security Device Security Platform Security Data Security Network Security
Apple Security Philosophy Ease of use Guide the users Secure defaults Freedom to choose
In the Hacker Toolbox the quieter you become, the more you are able to hear
A hacker to me is someone creative who does wonderful things Sir Tim Berners-Lee
Who's the Hacker? Hacking for fun Hacking for profit Governments
Tools of the trade nmap Wireshark Cain & Abel John the Ripper Metasploit
Demo Playing with fire
Device Security Securing the box
Amateurs hack systems, professionals hack people Bruce Schneier
Device Security EFI firmware password iCloud locking Configuration profiles Policy management
Firmware Password UI tool on the Recovery HD Prevents modifier keys setregproptool -m full What if you forget it?!
iCloud Locking iCloud / Find My iPhone Can only use 4-digit code Survives reboot / reset PRAM but is it secure?
Demo Setting a Firmware Password
Platform Security Securing the processes
People who are serious about software should make their own hardware Alan Kay
Platform Security Application Sandboxing Code Signing Gatekeeper XProtect & Quarantine
Mandatory Access Control Application Sandboxing Entitlements sandbox-exec -n
OpenBSM Audit Logging above and beyond system events and user events praudit for reading audit trails
Demo Roll your own IDS
Data Security Securing the information
There is no castle so strong that it cannot be overthrown by money Cicero
Data Security Full Disk Encryption Keychain Access / iCloud Keychain Encrypted Containers Secure Erase
FileVault 2 Rich Trouton has the full story derflounder.com What about performance?! before
FileVault 2 Rich Trouton has the full story derflounder.com What about performance?! after
Encrypted Container Disk Utility or hdiutil 128 or 256-bit encryption Password in a keychain Password in an external keychain
Demo A poor man's 2-factor authentication
Network Security Securing the traffic
Users will take dancing pigs over security every time Bruce Schneier
Network Security Encrypted traffic Encrypted authentication Firewalls
Firewalls Application Layer Simple UI setup Packet based IPv4 & IPv6 CLI or IceFloor 2
Demo Computer Lockdown, extraordinaire
Encryption Primer Talk is cheap, if unencrypted
Meet our friends Eve Alice Bob
Yes, it's apple123 Do you have the password? Clear text is not a secure way of transmitting secrets on a network
Yes, it's apple123 pwnd! Thank you! Clear text is not a secure way of transmitting secrets on a network
Yes, it's ******** Do you have the password? We really need to encrypt any secret information before it is sent
Yes, it's ********?? We really need to encrypt any secret information before it is sent
Yes, it's ********?? but, how do we share encryption keys without everyone on the network getting them?
Let's do DHX Do you have the password? Diffie Hellman Exchange
Here's (x1) Diffie Hellman Exchange Secret * p1 = x1
Here's (x1) OK, here's (x2) Diffie Hellman Exchange Secret * p1 = x1 x1 * p2 = x2
OK, here's x3 OK, here's (x2) Diffie Hellman Exchange Secret * p1 = x1 x1 * p2 = x2 x2 / p1 = x3
OK, here's x3 $#*! Thanx! Diffie Hellman Exchange Secret * p1 = x1 x1 * p2 = x2 x2 / p1 = x3 x3 / p2 = Secret
Crack the Code What is the password on the encrypted USB-stick?
Diffie Hellman Exchange lite Alice first sends x1 = 22 729 to Bob. Bob sends x2 = 250 019 back to Alice. Alice then sends x3 = 14 707 back to Bob. x1 = secret * p1, x2 = x1 * p2, x3 = x2 / p1, x3 / p2 = secret
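Added example, not part of the original slides: the multiplication-based exchange above in Python, with what an eavesdropper can derive from x1, x2 and x3 alone, next to textbook Diffie-Hellman, which uses modular exponentiation instead. It goes one step beyond the slide by including the textbook variant; the function names, the sample secret and keys, and the toy modulus and generator are assumptions made for illustration.

```python
from fractions import Fraction

def three_pass(secret, p1, p2):
    """The slide's exchange. Returns the three values that cross the wire."""
    x1 = secret * p1            # Alice -> Bob: secret "locked" with Alice's p1
    x2 = x1 * p2                # Bob -> Alice: Bob adds his own p2
    x3 = x2 // p1               # Alice -> Bob: Alice removes p1 (divides exactly)
    assert x3 // p2 == secret   # Bob removes p2 and holds the secret
    return x1, x2, x3

def eavesdrop(x1, x2, x3):
    """What Eve derives from the wire alone: both keys and the secret."""
    p2 = Fraction(x2, x1)       # from x2 = x1 * p2
    p1 = Fraction(x2, x3)       # from x3 = x2 / p1
    return p1, p2, Fraction(x3) / p2    # from x3 / p2 = secret

def diffie_hellman(a, b, g=3, p=2**127 - 1):
    """Textbook Diffie-Hellman. g and p are toy parameters (assumption),
    far too small for real use; a and b are the private exponents."""
    A, B = pow(g, a, p), pow(g, b, p)   # the only values Eve sees
    k_alice, k_bob = pow(B, a, p), pow(A, b, p)
    assert k_alice == k_bob             # both sides derive the same key locally
    return A, B, k_alice

if __name__ == "__main__":
    # Constructed sample values: multiplication leaks everything.
    wire = three_pass(secret=4242, p1=13, p2=29)
    print("wire:", wire, "-> Eve recovers:", [int(v) for v in eavesdrop(*wire)])
    # The values from the "Crack the Code" slide.
    print("slide:", [int(v) for v in eavesdrop(22729, 250019, 14707)])
    # Constructed private exponents: the key itself never crosses the wire.
    A, B, k = diffie_hellman(a=0x1234567, b=0x7654321)
    print("DH wire:", A, B, "shared key:", k)
```

Division undoes multiplication, so every value on the wire gives away a key; recovering `a` from `pow(g, a, p)` is the discrete logarithm problem, which is why real key exchange relies on it with far larger parameters.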
It can only be attributable to human error HAL 9000
Practice what you learn
Can you hack it? Setup with security in focus
Can you read the content in the PDF in the Shared folder?
Security Setup Firmware Password - setregproptool -m full FileVault2 Encrypted Secure Container - 256-bit encrypted Password stored in external keychain Encrypted PDF All passwords 22 characters
Dave, this conversation can serve no purpose anymore
Goodbye