Security: Questions
Paul Levitt
I was browsing some of my usual sites using Omniweb on my iMac G5 this morning when an alarming popup appeared - a dialog box in German claiming to perform a free virus scan. When I tried to close it, it spawned another page that appeared to be executing a script.
The url of the initial site is:
http://advanced-anti-virus-scanner.com/2009/1/de/_freescan.php?nu=77024209
and the second site is:
http://advanced-anti-virus-scanner.com/2009/1/de/freescan.php?id=77024209
I immediately killed Omniweb, ran software update to ensure I was up to date with 10.4.11 security patches, and rebooted.
I found this alarming because I couldn't tell what initiated the pop-up - I hadn't clicked any links and only had my standard set of tabs open - nothing remotely shady. Omniweb is usually 100% effective at blocking pop-ups.
Has anyone else seen this, and does anyone know if there any security risk from this behavior?
Paul Levitt
Just ran a whois check on that domain:
Protection Status: public
( make contact info private at http://www.now.cn/domain/domainPrivate.php )
Registrant:
Name: Valensia M Dobbson
Address: 430 S 71th STREET
City: Tacoma
Province/state: NA
Country: US
Postal Code: 95110
Administrative Contact:
Name: Valensia M Dobbson
Organization: NA
Address: 430 S 71th STREET
City: Tacoma
Province/state: NA
Country: US
Postal Code: 95110
Phone: +1.2534757809
Fax: +1.2534757809
Email: ValensiaM@yahoo.com
Technical Contact:
Name: Valensia M Dobbson
Organization: NA
Address: 430 S 71th STREET
City: Tacoma
Province/state: NA
Country: US
Postal Code: 95110
Nameserver Information:
ns1.freehostns.com
ns2.freehostns.com
ns3.freehostns.com
Create: 2008-12-26 03:23:42
Update: 2008-12-30
Expired: 2009-12-26
QueryTimes: 1331
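The whois listing above is the kind of evidence a defender turns into a few quick signals, chiefly how new the domain was on the day the pop-up appeared. The following Python is an added example, not part of the post: the whois text is a constructed copy of the fields shown above, and the sighting date of 3 February 2009 is an assumption taken from where the post sits in the archive.

```python
"""Added example (not from the post): parse the key/value whois listing quoted
above and turn it into the signals a defender would look at, chiefly how new
the domain was when the pop-up appeared."""
from datetime import date, datetime
import re

# Constructed sample: the registrar fields as they appear in the post above.
WHOIS_SAMPLE = """\
Protection Status: public
( make contact info private at http://www.now.cn/domain/domainPrivate.php )
Registrant:
Name: Valensia M Dobbson
City: Tacoma
Country: US
Administrative Contact:
Email: ValensiaM@yahoo.com
Nameserver Information:
ns1.freehostns.com
ns2.freehostns.com
ns3.freehostns.com
Create: 2008-12-26 03:23:42
Update: 2008-12-30
Expired: 2009-12-26
"""

# Assumed sighting date: the post sits in the February 2009 part of the archive.
SIGHTING = date(2009, 2, 3)


def parse_whois(text):
    """Flatten 'Key: value' lines into a dict and collect bare nameserver lines.

    Section headers ('Registrant:') and the registrar's parenthesised notice
    are skipped. A repeated key (e.g. 'Name:' under each contact) overwrites
    the earlier value, which is fine for the fields used here.
    """
    record = {"nameservers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue
        if re.fullmatch(r"ns\d+\.[\w.-]+", line, re.IGNORECASE):
            record["nameservers"].append(line.lower())
        elif ":" in line and not line.endswith(":"):
            key, value = line.split(":", 1)
            record[key.strip().lower()] = value.strip()
    return record


def parse_date(value):
    """Registrars mix 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'; keep the date part."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def domain_age_days(record, observed):
    """Days between the 'Create' timestamp and the day the domain was seen."""
    return (observed - parse_date(record["create"])).days


def risk_signals(record, observed, young_days=90):
    """Heuristics only: a young domain on a one-year registration is a pattern
    seen in throwaway scareware infrastructure, not proof of anything."""
    signals = []
    age = domain_age_days(record, observed)
    if age < young_days:
        signals.append(f"domain was only {age} days old when seen")
    span = (parse_date(record["expired"]) - parse_date(record["create"])).days
    if span <= 366:
        signals.append("registered for the minimum one-year term")
    return signals


if __name__ == "__main__":
    rec = parse_whois(WHOIS_SAMPLE)
    for signal in risk_signals(rec, SIGHTING):
        print("-", signal)
```

Run against the sample, the domain comes out 39 days old on the assumed sighting date and registered for exactly one year; neither fact alone condemns a domain, but together with an unsolicited "free virus scan" pop-up they are what an analyst would note first.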
Barry Kahn
Very recently bought a new Macbook for my son (in high school) and wondering if any MacInTouch readers have experience with or educated opinions about Lojack or other programs which are supposed to aid in stolen laptop recovery.
Thanks
Tim Lahey
In response to Barry Kahn's question about Laptop recovery programs, Adeona (http://adeona.cs.washington.edu/) is an open-source program that tracks the IP address and optionally uses the iSight to take a picture (there are two different versions). If the laptop is stolen (and connected to the Internet) one can use this information to find the thief.
However, it doesn't do much good if they reformat the computer, but I doubt the other programs help either.
Douglas Watson
We bought Orbicule's Undercover (http://www.orbicule.com/products/) for my daughter's new MacBook last spring, to go to college with. No theft has occurred, yet, so I can't comment on how it works if the worst happens, but it is easy to install, inexpensive, and unobtrusive, and sounds like it would work in lots of different ways. With a recent update, if the machine is stolen it can be located via the Skyhook system as well as the internet... as well as taking a photo of the thief, and rendering the computer gradually useless, and some other fun stuff. Makes a LOT more sense than counting on your 18 year old to lock his or her laptop to a desk.
Daniel Cohen
I have Undercover from Orbicule, an alternative to Lojack.
This kind of program can easily be defeated, all that's needed is to reformat the hard drive. But this does require the thief to have an installer for the OS.
A firmware password prevents reformatting, but can also be defeated easily.
So such programs are no use against a thief with technical ability, but can help against casual theft. I'm inclined to think that Undercover is worth the money, don't know the costing for Lojack.
Eric S
After discovering that Adeona did not work at all as there have been ongoing issues with Open DHT I looked at Orbicule as well, but had a really big problem with the fact that people at their company had access to my camera. All images, my location etc get stored on their server as well, this is a big problem. I liked Adeona as it respected my privacy, Orbicule does not. I also found that the data is sent to a shared hosting account, not a dedicated server in a secure facility, but a regular shared hosting provider, scary stuff if you ask me.
I ended up buying MacTrak instead (www.gadgettrak.com); it sends the data to my Flickr account and my email account with no backdoor for the company. It uses Skyhook's wi-fi positioning:
http://www.skyhookwireless.com/press/skyhookgadgettrak.php
I like that I decide where my photos and network data go, not to a shared hosting provider in Belgium. Doing a few Google searches also revealed this:
http://www.nabble.com/Issues-with-security-software:-orbicule.com-%22Undercover%22-td2759302.html
Really scary.
Dwight Hanson
In September of 2008 my MacBook was stolen. I had Mac Phone Home installed. It does indeed phone home every time the computer accesses the internet. I have relayed every instance to the police where I initially reported the theft. The software does not take a picture nor does it slowly degrade the computer, only reports the IP address. For the past two and one half months the individual is logging in at a SprintPCS address. I would think that Sprint should be able to tie the address to a phone bill. However, nothing so far.
I think either the police department is inept or overloaded.
Peter Schols [Orbicule]
Hi Eric,
Thanks for checking out Undercover!
I would like to point out a few things about our product:
- Undercover is hosted in Colorado, US, on a secure server located in a secure facility. It's not hosted in Belgium.
- We can't access your camera or screen because we need a unique password (the Undercover ID) to monitor your Mac. It's only after you send us your unique Undercover ID (in case of theft) that we can monitor the stolen machine. We are very serious about your privacy: http://orbicule.com/privacy.
- We do have Skyhook Wireless integration: see http://orbicule.com/undercover
- Some other theft-recovery solutions use Flickr to upload their images. Please keep in mind that by uploading images to a public website, the images lose their value in court.
- Undercover does much more than just sending iSight pictures and screenshots to the client: our recovery center gets in touch with the police and law enforcement, sending them information as it becomes available. This expertise is very important to recover a stolen Mac. We don't just provide the software, we provide the recovery service as well, which is at least as important.
- The security claims made in the nabble.com article are either false or have been fixed. Feel free to contact me for more information.
Peter Schols
Undercover developer
Orbicule
Stephen Hart
We had a PowerBook stolen and received a call from a Mac store where a teenager was trying to sell the laptop. I got the store connected to the Police at that location and the location of the theft in real time, but nothing came of it.
I think there must be legal complications in such a situation.
Our insurance paid for the theft within days and told us not to bother trying to recover the computer.
Andy Chong
I would like to recommend the Mac anti-theft software from BAK2u, which I have been using since day 1 at NUS (National University of Singapore), bundled with the MacBook Pro since 2007.
It records video instead of photos and comes with Skyhook Wireless integration for the student edition.
Not sure if you guys do twitter or blogging - I love the part where you can get alert on your cell too when alert sends out.
Really pleased with their software.
Richard Barrett
The reason that the insurance company tells you to forget about trying to recover the laptop is complex economics. But, lets think this through. They sell you insurance because laptop theft is so prevalent. It is prevalent because it is so lucrative. And, it is safe since the thief can count on never being caught because the insurance pays off, and everyone goes about their business. Meanwhile, Apple (or someone) sells a new laptop. Good for their business. The insurance company raises rates based on their loss experience. Good for their business. And you get a new computer.
You can see that stealing laptops is actually a public service. People who couldn't or wouldn't otherwise have a laptop can obtain one. It provides economic stimulus to the insurance and computer manufacturers. And, finally, the victim gets a new laptop out of the deal. And of course it supports the doughnut industry because the police don't have to go out on those nagging calls, search pawn shops, or expend effort looking for the computer, since it was replaced. Is this a great country or what?
Stephen Hart
Richard Barrett wrote:
"The reason that the insurance company tells you to forget about trying to recover the laptop is complex economics...."
Richard may be right, if he's a bit cynical. But it doesn't address what I wrote. In my case, I did not "go about my business." I reported the theft; the police even got fingerprints. And because of the equivalent of Open Firmware Password, I was on the phone to a store owner who had the thief (or someone who was trying to sell stolen merchandise) right in front of him.
The problem was not that the insurance had been paid. The problem had to do with overworked police forces in two small-town jurisdictions not being able or willing to coordinate.
Wesley Barnes
I am having a problem with my refurbished, recently-bought MacBook. But [it's unfortunate] that the problem occurred after the 90 days.
I cannot install updates or even do anything without the administrator's name and password. I set up the name and password when I first got it and when I log in, it logs in fine, but just when I want to install updates, it gives me a message saying that "You must type an administrator's name and password to make changes to Software Update."
And I know for certain that the name and password are correct but it keeps on giving me this message when I try to make any changes. I have even tried changing the name and password as well but still no luck.
When I type something that is wrong it would tell me: Sorry, you entered an invalid username or password.
I tried calling Apple but there was no use because my 90 day technical phone line is finished.
I have no idea what is going on. If anyone out there can help me I would be ever so grateful.
Thanks
Sterett Prevost
Re: Wesley Barnes
That refurb is still under the 1-year hardware warranty, but phone support stops at the 90-day point unless the extended AppleCare warranty is in effect. You can still purchase & register AppleCare up to the 1-year from purchase point and regain telephone support for the MacBook. AppleCare for laptops is always highly recommended. Two sources for online AppleCare purchase would be Amazon.com and LA Computer Store.com.
Have you booted from the OS Install DVD and used the "Reset Password" utility on it yet?
David Charlap
Wesley Barnes wrote about problems with the administrator password. This Apple KB article may help: http://support.apple.com/kb/HT1274
It explains how to reset a lost password. To reset an administrator password, boot your Mac OS X install CD and choose "Reset Password" from the installer menu.
Roger S. Cohen
Wesley Barnes is having trouble with his Mac's username and password.
Try repairing permissions.
Utilities -> Disk Utility ->
select your hard drive and repair permissions.
If that doesn't work for you, perhaps you will need to backup your data, and then reformat your disk and do a clean OS install.
You could also walk the Macbook into an Apple Store and demo the problem to a Genius. They might just help you, especially if you are just past your 90 days.
Scott Frederick
I am looking for a reliable IPSec VPN client for the Mac (free or otherwise). My VPN setup with my office utilizes a NetGear FVS318 v2 router. IPSecuritas doesn't work (doesn't seem to have all the settings I need) and VPN Tracker has not been reliable for me. If another router is the answer, I am all ears, as long as it is reasonably priced. It needs to work with PCs as well as Macs. I am using OS 10.4.11 now but will soon upgrade to 10.5.
Rich Cruse
Wesley
The problem is your user/account does not have administrator privileges. I suspect you have auto log in selected- try logging out (under the blue apple) and you will see two log ins. Somehow you have two accounts set-up. If you can manage to log into the other admin account, try leaving password blank if you can't recall the password or try what others have said which is using the start-up system DVD disc and selecting Password reset.
Anyway, once you log in with the Admin user account, you can open the System Prefs>Accounts and make your other account (the one you use) also an administrator. Check the box that says Allow user to administer this computer.
Log back in with your preferred account and you will be able to install software by using your normal password. You will no longer be asked for an administrator name and password. You can delete the other administrator account if you don't need it.
Elango Elangovan
VPN tracker 5 from equinux works well and is reasonably priced. It comes with pre-set configurations for various devices although I had to custom configure for Juniper. There is also a free trial period.
Glenn Huish
To Scott Frederick-
I played with and gave up on all other patched together workgroup VPN solutions. Flaky and time consuming. If you're willing to deal with Cisco Configuration, I've found their ASA security appliance to be a rock solid, cross platform performer. It performs nearly all of the most important functions of the PIX firewalls, at a very reasonable price point for smaller workgroups. HW pricing is low, with reasonable per-node licensing that would quickly become less reasonable for larger networks. VPNclient is industrial grade, and free while under contract. Worth stepping up to the next class of NetSec devices, IMO.
Rob Packett
Like Scott Frederick, we're looking for a cost-efficient remote-access (vice point-to-point) solution for MacOS X. We've gotten our NetGear FVS318 v2 working partially with VPN Tracker. (Never got IPSecuritas to work.)
We can establish a reliable VPN tunnel to the FVS318 and computers on its LAN. We've not been successful reaching machines on other subnets within our network (i.e., through the router's WAN port) nor to the Internet. We employ a multiple subnet topology, which means routing tunnel traffic across internal (non-VPN) wired routers.
KEY REQUIREMENTS:
+ Final configuration must preclude ANY possibility of split-tunnel operation to avoid ARP poisoning 'man-in-the-middle' vulnerability on remote WiFi/Ethernet systems we do not control. Many vendors tout split-tunnel capability as if it were desirable. Unfortunately, it opens a severe vulnerability for (marginal?) speed gain.
+ Flexibility to use any remote entry to the Internet where a laptop's IP address remains unknown until local DHCP assignment (e.g., at customer site or hotspot). Linksys has no Mac solution since they removed their former feature that allowed remote access from any IP address. (Confirmed our findings with Linksys L2 tech support.) In general, we find readily available point-to-point tunneling solutions. The stumbling block is remote access.
+ Self-contained solution. I.e., no external party required to effect rock-solid data integrity (e.g., SHA1 data digest), confidentiality (e.g., AES-128 or better encryption), and user authentication (router-based okay for now; but, may migrate to RADIUS, multi-factor auth, et al., as needed).
We've just begun testing the Astaro Security Gateway solution (astaro.com). We know it works with remote PC laptops; however, a MacOS remote-access solution is not obvious yet.
Perhaps MacInTouch should create a Mac OS Remote Access topic?
[See our reader report on Applications > Remote Control. -MacInTouch]
Paul Emerson
IPSec is part of the Mac OS X kernel. IKE (ISAKMP/Oakley) key exchange is handled by Racoon daemon (same thing that's in FreeBSD, do a "man racoon" in the terminal window). Applications like VPN Tracker and IPSecuritas are simply friendly user front-ends to what's already built-in the system. They both use the same underlying system software.
IPSecuritas works great and it's free. Most of the problems I've seen with IPSec on Mac OS X have nothing to do with Mac OS X but rather limited, poorly implemented IPSec solutions on remote access devices. Quite often low end remote access devices offer no flexibility in selecting IPSec options. The GB-250 from Global Technology Associates is a nice little firewall that work great with Mac VPNs, (IPSecuritas has a built-in configuration selection for it).
MacInTouch Reader
In response to Scott Frederick - I had a tough time getting the FVS318 to work with IPSecuritas, but finally figured out the right settings to get it to work. This is a FVS318 running V2.4 firmware and IPSecuritas v3.2 (although it worked in the previous version as well) on 10.5.6 (again, also worked in 10.4 and above).
On Netgear side in VPN settings, create a setup:
Connection Name: RemoteClientConnect
Local IPSEC Identifier: ScottWall
Remote IPSEC Identifier: RemoteClient
Tunnel can be accessed from a subnet
Local LAN Start IP: 10.100.100.1
Local LAN Finish IP: 0.0.0.0.
Local LAN Subnet mask: 255.255.255.0
Tunnel can access a single remote address
Remote LAN Start IP: 10.1.2.3
Remote LAN Finish IP: 0.0.0.0
Remote LAN subnet mask: 0.0.0.0
Remote WAN ID or FQDN: 0.0.0.0
Secure Association: Aggressive Mode
PFS: Enabled
Encryption Protocol: AES-192
Key Group: DH Group 2
Preshared Key: <Secret Key Here>
Key Life: 28800 sec
IKE Life Time: 86400 sec
IPSecuritas configuration:
General Tab:
Remote IPSEC Device: <wan IP or dns name>
Local Endpoint Mode: Host, IP address=10.1.2.3
Remote Endpoint Mode: Network, network address=10.100.100.1,mask=24
Phase 1 Tab:
Lifetime: 28800 sec
DH Group: 1024 (2)
Encryption: AES 192
Authentication: MD5
Exchange Mode: Aggressive
Proposal Check: Obey
Nonce size: 16
Phase 2 Tab:
Lifetime: 28800 sec
PFS Group: 1024 (2)
Encryption: 3DES, AES192
Authentication: HMAC MD5, HMAC SHA-1
ID Tab:
Local Identifier: FQDN, RemoteClient
Remote Identifier: ScottWall
Authentication Method: Preshared Key, <Secret Key Here>
DNS Tab:
empty
Options Tab:
IPSEC DOI, SIT_IDENTIFY_ONLY, Initial Contact
Other combinations may work for things such as lifetimes, encryption, etc. as long as they are the same on both ends. The trick appears to be the identifiers and endpoint addresses. Good luck...
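The post's closing point is that the two ends must agree, and that identifiers and endpoints are the usual culprits. Below is an added Python example (not from the post or from NetGear or IPSecuritas) that transcribes the router and client settings listed above into two dictionaries and cross-checks them: values that must mirror each other (each side's "remote" is the other side's "local"), values that must be equal, and, from a defender's standpoint, the algorithm choices worth revisiting. The normalisation rules for algorithm and group names are assumptions about how the two UIs spell the same parameter.

```python
"""Added example (not from the post): cross-check the NetGear and IPSecuritas
settings listed above for the mirrored values the tunnel depends on, and flag
the algorithm choices a defender would want to revisit."""
import re

# Router side (NetGear FVS318 VPN settings, as listed in the post).
NETGEAR = {
    "local_id": "ScottWall",
    "remote_id": "RemoteClient",
    "local_net": "10.100.100.1/24",
    "remote_host": "10.1.2.3",
    "mode": "Aggressive",
    "pfs": True,
    "encryption": "AES-192",
    "dh_group": "DH Group 2",
    "psk": "<Secret Key Here>",   # placeholder, exactly as in the post
    "key_life": 28800,
    "ike_life": 86400,
}

# Client side (IPSecuritas tabs, as listed in the post).
IPSECURITAS = {
    "local_id": "RemoteClient",
    "remote_id": "ScottWall",
    "local_host": "10.1.2.3",
    "remote_net": "10.100.100.1/24",
    "psk": "<Secret Key Here>",
    "p1": {"lifetime": 28800, "dh": "1024 (2)", "enc": "AES 192",
           "auth": "MD5", "mode": "Aggressive"},
    "p2": {"lifetime": 28800, "pfs": "1024 (2)", "enc": ["3DES", "AES192"],
           "auth": ["HMAC MD5", "HMAC SHA-1"]},
}

WEAK = {"md5": "MD5 integrity", "3des": "3DES encryption", "des": "single DES"}


def norm_alg(name):
    """'AES-192', 'AES 192', 'AES192' -> 'aes192'; 'HMAC SHA-1' -> 'sha1'."""
    return re.sub(r"[\s\-_]", "", name).lower().replace("hmac", "")


def norm_group(name):
    """'DH Group 2' and '1024 (2)' both denote Diffie-Hellman group 2."""
    m = re.search(r"\((\d+)\)", name) or re.search(r"(\d+)\s*$", name)
    return int(m.group(1))


def check_pair(router, client):
    """Return {'errors': [...], 'warnings': [...]}.

    Errors are values that must match or mirror for IKE to complete at all;
    warnings are tolerated-but-undesirable choices."""
    errors, warnings = [], []

    def must(cond, msg):
        if not cond:
            errors.append(msg)

    # Identifiers and endpoints are mirrored, not equal: each side's "remote"
    # is the other side's "local". This is the part the post calls the trick.
    must(router["local_id"] == client["remote_id"],
         "router Local ID must equal client Remote ID")
    must(router["remote_id"] == client["local_id"],
         "router Remote ID must equal client Local ID")
    must(router["local_net"] == client["remote_net"],
         "router local LAN must equal client remote network")
    must(router["remote_host"] == client["local_host"],
         "router remote address must equal client local endpoint")
    must(router["psk"] == client["psk"], "preshared keys differ")
    must(router["mode"].lower() == client["p1"]["mode"].lower(),
         "IKE exchange mode differs")

    group = norm_group(router["dh_group"])
    must(group == norm_group(client["p1"]["dh"]), "phase 1 DH group differs")
    if router["pfs"]:
        must(group == norm_group(client["p2"]["pfs"]), "PFS group differs")

    cipher = norm_alg(router["encryption"])
    must(cipher == norm_alg(client["p1"]["enc"]), "phase 1 cipher differs")
    must(cipher in {norm_alg(e) for e in client["p2"]["enc"]},
         "router cipher is not among the client's phase 2 proposals")
    must(router["key_life"] == client["p2"]["lifetime"],
         "phase 2 (SA) lifetime differs")

    if router["ike_life"] != client["p1"]["lifetime"]:
        warnings.append(
            f"IKE lifetime differs ({router['ike_life']}s vs "
            f"{client['p1']['lifetime']}s); IKEv1 peers normally settle on the "
            "shorter value, but align them if the tunnel renegotiates oddly")
    if group <= 2:
        warnings.append(f"DH group {group} (1024-bit MODP) is below current "
                        "recommendations; use group 14 or higher if the router allows")
    for alg in [client["p1"]["auth"], *client["p2"]["auth"], *client["p2"]["enc"]]:
        key = norm_alg(alg)
        if key in WEAK:
            warnings.append(f"{WEAK[key]} is offered ({alg}); prefer SHA-2 "
                            "HMACs and AES-only proposals where supported")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    report = check_pair(NETGEAR, IPSECURITAS)
    print("errors:", report["errors"] or "none")
    for w in report["warnings"]:
        print("warning:", w)
    # Mistyping one identifier reproduces the classic failure the post describes.
    broken = dict(NETGEAR, local_id="Scottwall")
    print("after mistyping Local ID:", check_pair(broken, IPSECURITAS)["errors"])
```

On the settings as posted the checker reports no errors, which matches the post's working result, but it does raise warnings: the IKE lifetime (86400 s) does not match the client's phase 1 lifetime (28800 s), and DH group 2, MD5 and 3DES all appear in the proposals. The router working with these settings does not make them good ones; if the FVS318 firmware offers SHA-1 (or better) authentication and a larger DH group, aligning both ends on those is the change a practitioner would make next.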
Larry Johnson
In regards to Scott Frederick and Rob Packett: I have a couple of SonicWall TZ-170's set up in separate offices, each on their own sub-domain. The devices tunnel nicely... been rock solid in fact. The tunnel has not dropped in over a year :-)
Although the SonicWalls allow L2TP VPN I use IPSEC and the previously mentioned VPN tracker 5 from Equinux. This is in a mixed AD environment with both Macs on 10.4.x and 10.5.x and Windows XPPro. The TZ-170's were not known to be very Mac friendly out of the box when I researched the purchase, but I got a great deal on unlimited users and extra VPN licenses so I gave it a try... and ended up pleasantly surprised.
VPN Tracker worked right out of the box. Buy one license for the Pro version and configure and deploy the basic version from that out to everyone else.
Garth Jacobs
I need to secure [anonymize] my IP to browse some sites. It seems it is available on PCs but not on Mac. Does anyone have advice?
David Henderson
The Onion Router (Tor) with Firefox is a way to accomplish this [IP anonymization].
http://www.torproject.org/download.html.en
Don't forget to read the warnings further down the page.
In particular, note:
"Browser plugins such as Java, Flash, ActiveX, RealPlayer, Quicktime, Adobe's PDF plugin, and others can be manipulated into revealing your IP address. You should probably uninstall your plugins (go to "about:plugins" to see what is installed), or investigate QuickJava or FlashBlock if you really need them."
Carl Blaise
Greetings: I keep getting these two messages:
"dotmacsynclient wants to use the login keychain ..."
and
"aosnotify wants to use the login keychain ..."
Even when I put in the login keychain and, sometimes, get the dialogue box that asks whether I want to always or simply allow dotmacsynclient and aosnotify to do their respective things, I still get these messages. I think I tried to go into the keychain and add the dotmacsync as one of the programs that can access the keychain but that didn't work (or maybe I didn't do it correctly).
I'm running the latest OSX, using an 2008 iMac, and everything else seems to work well.
Any help will be greatly appreciated.
Peter Farrell-Vinay
I occasionally see the green light come on on my MacBook Pro to indicate the iSight is working. I have not commended it but notice that the recent reports of GhostNet (A Chinese ghost in the machine?) indicate that nice folks in China are opening videocams remotely.
Anyone else seen this on their Macs?
MacInTouch Reader
I have recently had my machine slow to a crawl during normal usage. I used Cocktail the other day to run various scripts and cache-purging routines; I restarted the machine and in single-user mode ran the /sbin/fsck -fy routine and my disc was judged trouble-free...
If my Mac had been ensnared within a bot-net, how would I be able to tell? Would something specific show up on Activity Monitor, or would I need another tool to see something suspicious?
For the record, I am running a 2.4 GHz Core 2 Duo MacBook Pro with 4 GB memory and OS X 10.5.6; my IP address is determined by DHCP and I am behind a wireless network whose name is not broadcast, and no network devices are allowed on my network whose mac ID isn't specifically put on a list of allowed devices. My service provider is AT&T.
Steven Wicinski
You would have a hard time determining if you were part of a botnet. Most users would not know what any particular item is in the Activity Monitor.
However, having a program like Little Snitch to tell you what is trying to make an outgoing network connection certainly can help. Although all that does is raise a slew of issues that require you to guess things like "Why, when I connect to my local network, does the OS want to connect to me.com?"
As for slowdowns in general, first thing I jump for is the Activity Monitor sorted by CPU usage. Just the other day I had bzip in there sucking up 50% usage. Closing Preview closed that, but I don't even know why it was open to begin with. I also noticed this morning that iTunes was just sitting there and taking 15% CPU. And the Finder is good at being a runaway process as well.
All in all, I must say, Leopard has not been as solid as you would hope, considering it wasn't such a large change from Tiger.
MacInTouch Reader
Does anyone know what s.ytime.com is all about? I'm relatively new to YouTube but I've been uploading videos successfully for a couple of weeks. Today when I logged into YouTube with my iBook and attempted to upload a video I got a small popup box that said that there was a server connection failure and was presented a button labeled "disconnect." (I have "block pop up windows" checked in Safari.) I clicked on the button and then the usual dialog box came up which lets me select the video file from locations on my hard drive. The only problem was that at the top of the box I noticed a disturbing heading - "select file to upload by s.ytime.com". This looked odd to me so I first quit Safari (version 3.2.1 (4525.27.1)). I started it up again and logged into YouTube. I started the process to upload a video and again got the dialog box with the s.ytime.com heading. Being curious I opened another window in Safari and went to the s.ytime.com web site. It seems to have nothing to do with YouTube or Google as far as I can see. I restarted my iBook and tried again with the same results. Perhaps my fears are groundless but I'm hesitant to proceed further until I have more information about s.ytime.com.
lenn collins
You might try running Activity Monitor and see if something is hogging CPU cycles or ram. Also, how much free hdd space do you have?
MacInTouch Reader
This is a second time little snitch intercepted a strange "automountd" UDP connection attempt. (Some kind of remote procedure call, I suppose)
"automountd" wants to connect to Backups.backupdb on UDP port 111
ip 92.242.140.11
dns: unallocated.barefruit.co.uk
I'm not clear on why automountd ever gets called, so maybe this is no big deal.
I asked here and on the Apple discussion board where this could be coming from to no avail. I have no reason to be connecting to barefruit.co.uk that I know of.
Is this a security issue?
(I'm on latest os x and everything.)
David Charlap
A MacInTouch Reader wrote:
"little snitch intercepted a strange "automountd" UDP connection attempt. ... automountd" wants to connect to Backups.backupdb on UDP port 111. ip 92.242.140.11. dns: unallocated.barefruit.co.uk"
No answers, but some information.
automountd is part of the "autofs" system. It is a Sun-RPC-based technology (along with NIS, NFS and several others), which is why it uses UDP port 111 (the "portmapper", which associates RPC-based servers with dynamically-generated port numbers).
Autofs is commonly used on UNIX/NFS networks. With it, directories ("automount points") are associated with configuration files. Attempts to access anything under the automount points are intercepted by autofs, which tries to mount network volumes to satisfy the access (using the automount point's configuration file to know what volume to mount.) If the automounted volume is not accessed for a few minutes, it will be automatically unmounted.
autofs is typically used for things like users' home directories, which may be on servers scattered throughout the network. It's a waste of resources to mount all those servers at once, but you want all the home directories to be accessible. autofs solves the problem by mounting the ones that are in use and none of the others.
As for why your autofs is trying to mount a server at barefruit.co.uk, that's interesting unto itself.
If you look at the file /etc/auto_master, you might find something of interest. That's the master file that drives autofs. It usually contains a list of mount points and the config files that drive each one.
If your network is running NIS, you can also try typing "ypcat -k auto.master" to see the network-wide auto_master file, which autofs also uses.
Somewhere in your autofs configuration, something has associated the server "Backups.backupdb" with a directory on your system. When something tries to access that directory, autofs tries to mount the volume.
If you've been blocking the request (via Little Snitch), then perhaps the program trying to access the directory has noticed the failure and written something to the system log. Looking in your system logs for stuff that happened at the time of the access might also be useful.
As for the specifics of barefruit, they appear to be a "DNS correction" service. ISPs configure their DNS servers to redirect failures to them. They then display web pages that (theoretically) try to help you find what you were really looking for. Of course, these services fail miserably when the application in question is not a web browser. The fact that you have one of their IP addresses tells me that perhaps you have one or more misconfigured autofs-controlled mount points. If a directory is associated with a bogus hostname, your ISP's DNS might be redirecting it to barefruit.
Good luck. Let us know if anything here helps.
Andrew Main
"MacInTouch Reader" wonders about Little Snitch alerts describing an "automountd" UDP connection attempt. Here's a discussion of same from a year ago:
http://www.macintouch.com/readerreports/security/topic4307.html#d23apr2008
Something to do with Time Machine, apparently, though I've never used the latter or even turned it on. Unfortunately, I never quite figured out what this was about; the same alert still appears several times a week, though now iirc it refers to opendns, which I've been using for the last year instead of EarthLink's DNS servers. I just click Deny; so far there seems to be no adverse result.
There was also a query posted at Objective Development's forum:
http://forums.obdev.at/viewtopic.php?t=996
but no answer appeared.
(By the way, whenever I see a question from a "MacInTouch Reader", I [wish they would provide a name...].
Jeff Schaffer
Something I've noticed and mostly just lived with since upgrading to Leopard is the frequent (but not always present) inquiry I get along the lines of "Is it OK for Excel to accept internet requests?"
I have the Firewall set to application-specific permissions, and I sometimes get this request, but sometimes I don't. It also can pop up for Mac OS system processes (which is why the recent discussion reminded me about it).
Why does this happen?
MacInTouch Reader
Thanks David and Andrew and the late April security discussion for their helpful comments on automountd. This is a real mystery to me because it hints at a possible infection on my machine.
Anyway I have never used Time Machine, nor NIS that I know of, and don't have a reason to mount network shares. And nothing seems abnormal in /etc/auto_master shown below (for the little that I know):
+auto_master # Use directory service
/net -hosts -nobrowse,nosuid
/home auto_home -nobrowse
/Network/Servers -fstab
/- -static
Colin Lamb
I am running OS X 10.5.6 on a June 2004 dual 2.0G G5 Power Mac. I have a Logitech Elite keyboard and I use the Logitech control center software to assign the "Eject CD" action to one of the extra buttons on the keyboard. I have the screen saver set to kick on after five minutes or so and I have the security set to "Require password to wake... from screen saver." Well enough. Except that I can eject the optical drive by hitting the reassigned button to eject the CD drive without having to enter the password. _This does not seem all too secure to me!_ Anyone else notice this? Is Apple or Logitech aware of this? Fortunately, I am not in a situation where I need to worry about what's in my optical drive. But, being as it's a good security measure to keep things on a disk you can eject and lock up - it just seems to me that this is a fairly serious security problem.
Stephen Hart
Jeff Schaffer wrote:
"Something I've noticed and mostly just lived with since upgrading to Leopard is the frequent (but not always present) inquiry I get along the lines of "Is it OK for Excel to accept internet requests?"
I have the Firewall set to application-specific permissions, and I sometimes get this request, but sometimes I don't. It also can pop up for Mac OS system processes (which is why the recent discussion reminded me about it).
Why does this happen?"
I think what is happening with Office apps (and some Adobe apps) is that the app is checking for updates. To do that it needs permission to accept internet requests (or whatever the language of the warning is).
But I even get such messages in Safari. Perhaps some kind of special internet access is attempted.
David Charlap
A MacInTouch Reader posted his auto_master file.
The file you provided is the one Apple provided.
The first line (+auto_master) tells autofs to read the auto_master file from your NIS server, which will fail if you aren't using NIS on your network. If you want to make certain, you can type "ypwhich" - if you aren't configured for NIS, the command will hang for a few minutes and then display a "can't communicate with ypbind" error. If it responds quickly with a server name, then you are running NIS, and that server is the one it is using.
The second line (/net -hosts...) creates a special "/net" directory that can let you access all NFS servers on your network. If a computer named "foo" is serving an NFS volume named "bar", you can access it at /net/foo/bar, with no further configuration.
The third line (/home auto_home...) creates an auto-mount point called /home - typically where UNIX network home directories will go. The mount points for /home are configured in /etc/auto_home. If you haven't modified the stock Apple distribution, that file will contain one line (+auto_home) telling it to get the mount points from an auto_home file on the NIS server.
The fourth line (/Network/Servers -fstab) is a special entry managing a /Network/Servers mount point that behaves functionally similar to /net, but it uses Apple's directory services to get information about volumes.
The fifth line (/- -static) is another special entry for mounting volumes at the root-directory level. It gets its content from the system's directory services.
For still more information about Apple's autofs, here's an interesting article: Autofs goodness in Apple's Leopard
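A small parser for the auto_master format described above, added here as an illustration and not taken from the thread or from Apple. The sample map is constructed to match the five stock entries David describes; the map keywords (+auto_master, -hosts, -fstab, -static) are real autofs names, while the nosuid check at the end is this example's own idea of what to verify on a file someone has edited.

```python
"""Classify the lines of an autofs auto_master map (Apple's Leopard layout).

Added example, not from the MacInTouch thread or from Apple. The sample
map is constructed to resemble the stock file described above.
"""

# Constructed sample, laid out like the stock /etc/auto_master described above.
STOCK_AUTO_MASTER = """\
#
# Automounter master map
#
+auto_master            # Use directory service
/net                    -hosts          -nobrowse,nosuid
/home                   auto_home       -nobrowse
/Network/Servers        -fstab
/-                      -static
"""

# Built-in map names and where their mount information comes from.
SPECIAL_MAPS = {
    "-hosts": "any NFS server on the network, reachable as /net/<host>/<export>",
    "-fstab": "fstab records from Apple's directory services",
    "-static": "static mounts at the root level, from directory services",
}


def parse_auto_master(text):
    """Return one dict per non-comment line: kind, mount_point, map_name, options, source."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0].startswith("+"):
            # "+name": include that map from NIS / directory services.
            entries.append({"kind": "include", "mount_point": None,
                            "map_name": fields[0][1:], "options": [],
                            "source": "NIS or directory services (fails if neither serves it)"})
            continue
        if len(fields) < 2:
            raise ValueError("malformed auto_master line: %r" % raw)
        mount_point, map_name = fields[0], fields[1]
        # Options are written as one dash-prefixed, comma-separated field.
        options = fields[2].lstrip("-").split(",") if len(fields) > 2 else []
        if map_name in SPECIAL_MAPS:
            kind, source = "special", SPECIAL_MAPS[map_name]
        else:
            kind, source = "file", "/etc/%s, or a NIS map of the same name" % map_name
        entries.append({"kind": kind, "mount_point": mount_point, "map_name": map_name,
                        "options": options, "source": source})
    return entries


def depends_on_nis(entries):
    """True if any line pulls a map from NIS/directory services rather than a local file."""
    return any(e["kind"] == "include" for e in entries)


def net_mounts_without_nosuid(entries):
    """-hosts mount points that lack nosuid (this example's own check).

    Without nosuid, a setuid binary on any NFS server on the network would
    run with elevated privileges locally; the stock file sets it on /net.
    """
    return [e["mount_point"] for e in entries
            if e["map_name"] == "-hosts" and "nosuid" not in e["options"]]


if __name__ == "__main__":
    entries = parse_auto_master(STOCK_AUTO_MASTER)
    for e in entries:
        print("%-18s %-12s %-8s %s" % (e["mount_point"] or "(include)",
                                        e["map_name"], e["kind"], e["source"]))
    print("depends on NIS:", depends_on_nis(entries))
    print("/net without nosuid:", net_mounts_without_nosuid(entries))
```

Run it against your own /etc/auto_master (read the file instead of the constructed string) to see which lines will try to reach NIS and whether /net still carries nosuid.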
James Poulakos
Colin, I'm guessing that Apple made a choice: let the optical drive eject its contents even when the user doesn't enter a password.
Why?
The disc in that drive is not "secured" anyway. You need only pry it out. Anyone close enough to your computer to hit the Eject key is close enough to pry the disc out. Thus, no security advantage comes from disabling Eject when screen is locked.
There is an advantage, however, available to users who want to get a disc back without typing in a password.
I imagine there are lots of legitimate reasons why users would want to get a disc out, without typing or even knowing the password to unlock the screen.
Gregory Tetrault
Colin Lamb said:
"I am running OS X 10.5.6 on a June 2004 dual 2.0G G5 Power Mac. I have a Logitech Elite keyboard and I use the Logitech control center software to assign the "Eject CD" action to one of the extra buttons on the keyboard. I have the screen saver set to kick on after five minutes or so and I have the security set to "Require password to wake... from screen saver." Well enough. Except that I can eject the optical drive by hitting the reassigned button... it just seems to me that this is a fairly serious security problem."
If your Mac is physically accessible, then anyone can use a tool such as a thin flat screwdriver, needle-nosed pliers, or a straightened paperclip (depending on the Mac model) to force your Mac's optical drive tray to open or to yank the disk from a trayless drive. No keystrokes are necessary. Bottom line: if your computer is insecure, then your CD and DVD disks are insecure.
Jesse P
Would love to be directed to discussions/reviews regarding the best rated anti-vir (and firewall) for Mac.
It's not the question of "do I need it" -- just which one is best rated these days on the Mac.
Thanks!
Cyndi Rose
Have loaded MSN Messenger for Mac onto laptop. I need security for this messaging to be HIPAA compliant. On Windows there is a SimP Secway client that is free for this secure chat. Is there anything like that for the Mac version of MSN Messenger? And if not, will someone please write one for me?
Thanks!! ;)
Andrew Schultz
Cyndi Rose asked about an encryption package for MSN Messenger for the Mac.
There isn't one that I know of but you have some options...
-Run MSN Messenger in Windows on an emulation platform such as VMWare's Fusion, Parallels, or Sun's VirtualBox
-Switch to iChat and use AIM's network. Part of setting up a user in iChat includes asking if you want encryption or not. It uses SSL encryption and point-to-point connections so the entire connection is encrypted.
-Use the web client Meebo over SSL encryption (have to use https://www.meebo.com) to use MSN Messenger through them. However this connection is only encrypted through the entire connection if the other side is using Meebo or another SSL enabled chat client.
Kimo B. Yap
Adium at least appears to support encryption settings for MSN (encrypt as requested, no encryption, or force encryption).
MacInTouch Reader
Are there any tools other than Remote Desktop or Timbuktu that would let me non-intrusively monitor whether any of the computers on my home network is engaging in p2p downloads? Or, alternately, can I restrict a particular machine by tweaking port options in the home network wireless router (2Wire in this case)? I have all the machines on this network enabled via MAC filtering; I would rather kill the bandwidth of the p2p process on those computers without harming their general access.
John Fallon
Using OpenDNS should let you block P2P on your internal network if you want to change the DNS servers you're using. We've been pretty pleased with them.
Rick Barrett
This list came from Tapeuup on techguys.com
DENY - or block the following ports
kazaa - fasttrack clones
tcp from any to any 1214
udp from any to any 1214
edonkey and clones
tcp from any to any 4661-4672
udp from any to any 4661-4672
winmx and napster
tcp from any to any 6257
udp from any to any 6257
tcp from any to any 6699
udp from any to any 6699
bittorrent
tcp from any to any 6881-6889
udp from any to any 6881-6889
gnutella
tcp from any to any 6346
udp from any to any 6346
eMule is a clone of eDonkey
tcp from any to any 5555
tcp from any to any 4242
tcp from any to any 3306
tcp from any to any 2323
tcp from any to any 6667
tcp from any to any 7778
Robert Rosenberg
Rick Barrett posted a list of ports that if blocked will prevent P2P connections.
For Bit torrent he lists:
tcp from any to any 6881-6889
udp from any to any 6881-6889
This list is of limited usage. While it lists the NORMAL range used for peers to connect to when establishing a connection (the connecting peer uses a random port just like occurs when you connect to any Server) the Client can be configured to use ANY port number it wants to as its Server Port. Thus all blocking this port range does is prevent your client from connecting to any peer whose client has NOT been reset to act as a BT Peer Server on some port outside this range.
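Rick's port list and Robert's caveat together make a good detection exercise. The following is an added example, not code from the thread: it turns the list into a lookup table, runs it over a few constructed connection records in a made-up router/netflow style, and shows the blind spot Robert describes, since a peer on a port outside 6881-6889 is not matched. The fan-out heuristic at the end is this example's own fallback, not something the thread proposes. Two ports on the list are better known for other services (3306 is MySQL, 6667 is IRC), so blocking them outright affects more than eMule.

```python
"""Port-based P2P detection over connection records, with its blind spot.

Added example, not from the thread. The port table is the list posted
above; the record format and every address in SAMPLE_LOG are constructed.
"""

# (proto, low, high, label) - the ranges from the list above.
P2P_PORTS = [
    ("tcp", 1214, 1214, "kazaa/fasttrack"), ("udp", 1214, 1214, "kazaa/fasttrack"),
    ("tcp", 4661, 4672, "edonkey"),         ("udp", 4661, 4672, "edonkey"),
    ("tcp", 6257, 6257, "winmx/napster"),   ("udp", 6257, 6257, "winmx/napster"),
    ("tcp", 6699, 6699, "winmx/napster"),   ("udp", 6699, 6699, "winmx/napster"),
    ("tcp", 6881, 6889, "bittorrent"),      ("udp", 6881, 6889, "bittorrent"),
    ("tcp", 6346, 6346, "gnutella"),        ("udp", 6346, 6346, "gnutella"),
    ("tcp", 5555, 5555, "emule"),           ("tcp", 4242, 4242, "emule"),
    ("tcp", 3306, 3306, "emule (also MySQL)"), ("tcp", 2323, 2323, "emule"),
    ("tcp", 6667, 6667, "emule (also IRC)"),   ("tcp", 7778, 7778, "emule"),
]

# Constructed records: time proto src:port dst:port bytes. The last two lines
# are a client talking to peers on a port outside every listed range.
SAMPLE_LOG = """\
2009-10-14T08:01:02 tcp 192.168.1.20:51234 203.0.113.5:6881 1200000
2009-10-14T08:01:05 udp 192.168.1.21:40001 198.51.100.9:4662 5400
2009-10-14T08:02:11 tcp 192.168.1.22:52000 192.0.2.44:443 8000
2009-10-14T08:03:30 tcp 192.168.1.20:51235 203.0.113.77:51413 900000
2009-10-14T08:03:31 tcp 192.168.1.20:51236 203.0.113.78:51413 850000
"""


def parse_log(text):
    """Parse the constructed record format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, nbytes = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append({"ts": ts, "proto": proto,
                        "src_ip": src_ip, "src_port": int(src_port),
                        "dst_ip": dst_ip, "dst_port": int(dst_port),
                        "bytes": int(nbytes)})
    return records


def p2p_label(proto, port):
    """Label from the port table, or None if the port is not listed."""
    for p, low, high, label in P2P_PORTS:
        if p == proto and low <= port <= high:
            return label
    return None


def flag_by_port(records):
    """Records whose destination port is in the table, as (src_ip, dst_ip, dst_port, label)."""
    hits = []
    for r in records:
        label = p2p_label(r["proto"], r["dst_port"])
        if label:
            hits.append((r["src_ip"], r["dst_ip"], r["dst_port"], label))
    return hits


def peer_fanout(records, min_peers, min_bytes=100000):
    """Behavioural fallback (this example's own heuristic, not from the thread):
    internal hosts moving large flows to many distinct remote hosts on
    unprivileged ports, whatever the port number happens to be."""
    peers = {}
    for r in records:
        if r["dst_port"] >= 1024 and r["bytes"] >= min_bytes:
            peers.setdefault(r["src_ip"], set()).add(r["dst_ip"])
    return sorted(ip for ip, s in peers.items() if len(s) >= min_peers)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in flag_by_port(recs):
        print("port match:", hit)
    print("fan-out suspects:", peer_fanout(recs, min_peers=3))
```

On the constructed records the port table catches the 6881 and 4662 flows and misses the two 51413 flows entirely; only the fan-out view ties all three to the same internal host. Treat the thresholds as starting points, since a busy web user or a backup client can also talk to many hosts.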
Rick Barrett
Robert is absolutely right that a determined user can force almost any port to be used. If you really want to stop p2p service the solution is more complex.
1. Build a Linux box with two ethernet ports.
2. Install Snort.
3. Configure Snort to block any p2p packets on the network going to the external access port.
4. Connect your internet router to the external access port.
5. Connect the internal access port to a switch or another router if you are really paranoid.
6. Configure the routers to block all ports except those you wish to explicitly allow. e.g. 80 for web pages, 25 for sendmail, etc.
That WILL stop the little buggers from sharing a song or movie on the p2p network.
Considering the outrageous fines the RIAA is getting I think any parent should consider this option. $500 and a few weekends to protect your kids might be worth it.
Tom Morrison
Having spent a few years in IT in higher education, I've learned it's not quite that simple. Robert's comments hit the nail on the head. We quickly learned that our "simple" approach based upon blocking anything but approved ports only resulted in students changing their P2P programs to use ports 80 and 25. Our initial attempts at blocking P2P were temporary at best. We finally implemented a CopySense appliance (~$10K at the time) from Audible Magic and were far more successful at blocking unlawful P2P. That device works by detecting DRM signatures on content and then blocking that content, regardless of port number. By the way, I'm in no way affiliated with Audible Magic.
That being said, it doesn't hurt to put up some barriers. Just don't assume they're totally effective!
If you set up a system and use Snort, you may also want to consider other open source tools to let you see who (IP addr) is moving what traffic. There's a nice package called "Untangle" that appears to provide a myriad of tools and benefits and does not require too much iron.
MacInTouch Reader
We use magicJack, having rid ourselves of our land line recently. This morning a strange call came in very early and we heard some strange tones before the line dropped. Perhaps it was a legitimate call, but it got my mind wondering about something...
Would it be possible for someone who knew your phone number was magicJack-based to dial-in, and use some sort of tone sequence or other command to render the magicJack a gateway into your computer? (the magicJack, for those that don't know, is basically a USB thumb drive and it mounts like a drive volume when you insert it.) Has anyone analyzed the security risks associated with this product?
Charles Stevenson
With an SSD, is a one-pass erase totally secure because there is no magnetic ghost as with a platter hard disk?
Tom C
I am curious about data persistence in SSDs as well, but the idea of "magnetic ghost(ing)" on hard drives and the ability to retrieve data from a drive that has been zeroed in one pass is a myth that refuses to die. Check this site: Multi-Pass Erasure Myth Debunked
I always have a hard time finding the article from Seagate's R&D department that further explains the absurdity of recovering data from a zeroed drive, stating that it takes something on the order of 100hrs to get 100Kb of "data" using a scanning electron microscope and that data is incomplete as there is no way to determine if the 0 being recovered was originally a 0 or a reflection of the current 0 state on the drive after a wipe.
David Charlap
Charles Stevenson wrote:
"With an SSD, is a one-pass erase totally secure because there is no magnetic ghost as with a platter hard disk?"
Not necessarily. Without getting into the possibility of using a magnetic force microscope to read echoes of past data, keep in mind that SSDs don't necessarily do what you think when files are overwritten.
Flash memory has a limited number of write-cycles. After writing to a block too many times, it becomes unable to reliably store data. To work around this, storage devices use "wear leveling" techniques, where data will be relocated when it is overwritten. When a block is rewritten, the new data isn't necessarily written to the same cells of flash memory - it may be written elsewhere, using an internal remapping mechanism so the host computer thinks the data is still in the same place.
So if you write zeros or a random pattern over a file on an SSD, you may actually end up writing that pattern to a completely different piece of flash memory, leaving the old data in its original location. That data may not be accessible through the normal SATA interface, but someone directly examining the contents of the flash memory would be able to find this data.
Unless your wipe utility has the ability to override wear-leveling to overwrite the same memory cells, you can't ever be sure that your data was overwritten. And even then, older copies may be all over the place, so you'd have to do a wipe of the entire device to be sure.
In other words, if your data is so sensitive that this is a concern, you should consider your data un-wipable from the device. Physically destroy it if you no longer want to have it in your possession.
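The remapping David describes is easy to see in a toy model. The following is an added example, not from the thread and not how any real SSD firmware works in detail; it keeps only the two properties the argument relies on, namely that each write lands on a fresh erased page and that the logical-to-physical map is updated silently. Page size, device size and the sample payload are all constructed.

```python
"""Toy flash translation layer: host-side overwrites leave old cells intact.

Added example, not from the thread. Real controllers add garbage
collection, spare area and encryption; this model deliberately omits them.
"""


class ToyFlashDevice:
    PAGE = 16  # bytes per page, constructed for the example

    def __init__(self, pages):
        self.pages = [None] * pages   # physical pages; None means erased
        self.l2p = {}                 # logical page -> physical page
        self.next_free = 0            # simple log-structured allocator

    def write(self, logical, data):
        """Host writes a page; the FTL picks a fresh erased page and remaps."""
        if len(data) > self.PAGE:
            raise ValueError("payload larger than a page")
        if self.next_free >= len(self.pages):
            raise IOError("out of erased pages; garbage collection not modelled")
        phys = self.next_free
        self.next_free += 1
        self.pages[phys] = data.ljust(self.PAGE, b"\x00")
        self.l2p[logical] = phys      # the previous physical page keeps its bytes

    def read(self, logical):
        """What the host sees through the normal block interface."""
        phys = self.l2p.get(logical)
        return b"\x00" * self.PAGE if phys is None else self.pages[phys]

    def raw_occurrences(self, needle):
        """Physical pages still holding needle: what a chip-level reader would find."""
        return [i for i, p in enumerate(self.pages) if p is not None and needle in p]

    def erase_all(self):
        """Whole-device erase: every physical page is reset, mapped or not."""
        self.pages = [None] * len(self.pages)
        self.l2p.clear()
        self.next_free = 0


def demo_overwrite_leaves_remnant(passes=3):
    """Write a secret, overwrite it `passes` times from the host side, then
    compare the host's view with the raw flash, before and after a full erase."""
    dev = ToyFlashDevice(pages=8)
    dev.write(0, b"SECRET-KEY-12345")
    for _ in range(passes):
        dev.write(0, b"\x00" * ToyFlashDevice.PAGE)   # "secure wipe" of logical page 0
    host_view = dev.read(0)
    remnants = dev.raw_occurrences(b"SECRET")
    dev.erase_all()
    after_erase = dev.raw_occurrences(b"SECRET")
    return host_view, remnants, after_erase


if __name__ == "__main__":
    host_view, remnants, after_erase = demo_overwrite_leaves_remnant()
    print("host reads:", host_view)
    print("raw pages still holding the secret:", remnants)
    print("after whole-device erase:", after_erase)
```

Every extra overwrite pass consumes another fresh page and never revisits physical page 0, which is the point of the post: multiple passes through the block interface do not help, while a whole-device erase does.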
Roger S. Cohen
I use my Mac's function for print to PDF. I would like to change the security settings on the PDF -- password, content copying, etc. Is there a shareware or low-cost software title that can do this?
Victor Leuci
I've been following this [WiFi security] discussion with some interest and am curious -- how does one go about establishing a VPN tunnel when at a coffee shop (a not infrequent occurrence for me!).
Bob Murphy
Victor Leuci asked:
"[H]ow does one go about establishing a VPN tunnel when at a coffee shop (a not infrequent occurrence for me!)."
It depends on what kind of VPN you want to get into, and what version of Mac OS X you're running.
My employer has a Cisco-based VPN, and I get into it from my MacBook from all kinds of crazy places. On Tiger and Leopard, I used a utility from Cisco, aptly named "VPNClient".
Snow Leopard added built-in Cisco VPN support to the OS itself that lets you avoid the Cisco utility, and adds a nifty menu bar icon for managing the connection. You can see some instructions [here]: Configuring the built-in Cisco IPSec VPN client in Snow Leopard and iPhone.
For connecting to non-Cisco VPNs, you should check around - there's probably a solution for you. If you need to set up the server end of the VPN, that's a very different kettle of fish.
MacInTouch Reader
If you have another computer at home connected to the Internet, have it run as a SSH server, then do this:
James Greenidge
I've recently used MacInTouch during a purchase and found this topic very interesting and relevant. My West Virginia home school has been donated 2 G4 eMacs and 11 G3 iBooks and 2 G3 iMacs which our whiz kids helped set up all with Tiger. The setup networks with Airport works well, but your discussion has struck a caution flag with me. We simply can't afford any hardware upgrades. I know it won't be anywhere near your ideals, but what would be the optimum way to maximize the security of our antiquated Airport network? Any notion described in layperson terms would be most helpful.
Thanks and bless you all.
V Holtz
Manny Veloso
VPN tunnels are pretty easy to set up - but you do need something to connect to. You can use a number of providers, like www.publicvpn.com (disclosure: I run publicvpn.com).
Setting up the VPN client is pretty easy, though connectivity can be spotty depending on the WiFi hotspot. In the US WiFi providers are pretty good about allowing VPNs. Overseas, results are mixed.
Gene L
Victor Leuci asked:
"[H]ow does one go about establishing a VPN tunnel when at a coffee shop (a not infrequent occurrence for me!)."
There is an option for those who want to just connect to the net for personal use, not necessarily to get back to work or to your own VPN hardware at home. Subscribe to a VPN service.
There are two that I have used: HotSpotVPN and witopia.net.
Both are Mac savvy. I currently use witopia, since it's cheaper. When you buy the service, you set up an account. Once you connect through the local wifi, you then login and establish the VPN tunnel.
Your traffic is then encrypted.
Two questions I never got answered:
First, the services receive your encrypted data and, presumably, decode it to pass on to the net. Implicitly, you have to trust the service. Anyone have any insight to the trustworthiness of either of these services?
I've used the vpn at a small town hotel and a couple of restaurants, with no apparent bad effects.
Second, you have to first connect through the wifi, then open the VPN tunnel. How vulnerable are you until you get it open and can a bad guy intercept your password/ verification with the vpn service?
Lyman Taylor
Doing a VPN from a remote location to access servers/machines/resources local to the "local" network doing a connection to I can see. However, that is in the same boat as doing a HTTPS (TLS/SSL) connection to a remote site in general.
Doing a VPN from a remote location just so you can bounce out onto the "general, big bad" web, isn't necessarily more secure than this remote spot. Folks on a DSL/Cable link to the outside world are on a subnet also. Granted your subnet neighbor on the DSL/Cable ISP is more likely to get caught, if your ISP has ARP shenanigans monitored and will actively respond. However, the same underlying mechanism being exploited is still there. Just cutting down the odds, not removing the issue.
The other twist to that is that usually bandwidth to the home is asymmetric. If going to bounce through your home connection then download capped at your home's upload speed. I suppose doesn't matter if in Joe Random's wireless g network.
It would help if Mac OS X had a "seriously lock down firewall and networking because I'm on a public access point" security setting ( like Windows 7 and Vista) than necessarily going to a mode where everyone does VPN back to remote locations just to route back onto the web because concerned about local cohorts on subnet are 'bad guys'. If see a bunch of "me , no me , no me" updates of the ARP entry for the gateway ... someone is playing games.
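The "me, no me, no me" pattern Lyman describes is something you can watch for on the client side without any new OS feature. The following is an added example, not from the thread: it takes a series of ARP observations for each IP (here constructed; on a real machine you would feed it periodic snapshots of `arp -a` or the output of a packet capture) and flags an address whose hardware address changes more than once within a short window. The window and tolerance are this example's choices; a single change can be a router swap, repeated flipping within seconds is what the post is pointing at.

```python
"""Flag a gateway whose ARP mapping keeps changing.

Added example, not from the thread. OBSERVED is constructed; the window
and the tolerance of one change per window are this example's choices.
"""
from collections import defaultdict

# Constructed observations: (seconds, ip, mac) as seen in ARP replies or
# successive `arp -a` snapshots. 192.168.1.1 is the gateway in this sample.
OBSERVED = [
    (0,  "192.168.1.1",  "00:11:22:33:44:55"),
    (5,  "192.168.1.1",  "00:11:22:33:44:55"),
    (10, "192.168.1.1",  "de:ad:be:ef:00:01"),
    (12, "192.168.1.1",  "00:11:22:33:44:55"),
    (15, "192.168.1.1",  "de:ad:be:ef:00:01"),
    (20, "192.168.1.50", "00:aa:bb:cc:dd:ee"),
    (25, "192.168.1.50", "00:aa:bb:cc:dd:ee"),
]


def arp_flaps(observations, window=60, max_changes=1):
    """Return {ip: changes} for IPs whose MAC changed more than max_changes
    times within any window-second span. A single change is tolerated
    because hardware does get replaced."""
    by_ip = defaultdict(list)
    for t, ip, mac in sorted(observations):
        by_ip[ip].append((t, mac))
    flagged = {}
    for ip, seq in by_ip.items():
        # timestamps at which the reported MAC differed from the previous one
        changes = [t for (_, prev), (t, cur) in zip(seq, seq[1:]) if cur != prev]
        # worst-case number of changes inside a sliding window
        worst = 0
        for i, t0 in enumerate(changes):
            worst = max(worst, sum(1 for t in changes[i:] if t - t0 <= window))
        if worst > max_changes:
            flagged[ip] = worst
    return flagged


def macs_seen(observations, ip):
    """All hardware addresses ever reported for ip (useful context for an alert)."""
    return sorted({mac for _, obs_ip, mac in observations if obs_ip == ip})


if __name__ == "__main__":
    for ip, n in arp_flaps(OBSERVED).items():
        print("%s changed MAC %d times in one window; seen: %s"
              % (ip, n, ", ".join(macs_seen(OBSERVED, ip))))
```

The response when this fires is the one Lyman implies: stop trusting the local segment, bring the VPN up before doing anything else, or leave the network.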
David Charlap
Gene L wrote (regarding VPN services):
"... Implicitly, you have to trust the service ... How vulnerable are you until you get it open and can a bad guy intercept your password/verification with the vpn service?"
Of course, you have to trust the service. Any security system involves some trusted authority. So it makes sense to do a lot of homework before giving your trust to a third party.
As for session-establishment vulnerabilities, that depends on the VPN technology used. There are ways of securely establishing connections. They generally involve public-key encryption certificates generated by a trusted certificate authority. These will allow you to detect bogus/forged servers (so you know that you're connected to who you think you're connected to) as well as securely establish encrypted connections.
One of the most popular methods is SSL (secure sockets layer). This is the basis for the HTTPS and SSH protocols, as well as other secure technologies. IPSEC (secure IP) is another commonly-used technology.
Lyman Taylor
On VPN services,
"First, the services receive your encrypted data and, presumably, decode it to pass on to the net."
It isn't encryption as much as authentication that you are paying for with a VPN service. You are paying so that your data goes out onto the internet from a "known" point.
The fact it is encrypted is a side effect of using VPN to authenticate what your gateway is. For example may not be so proactive in validating HTTPS sites, but still vulnerable from elsewhere on the internet.
If you are sending data that should be secured then these services don't completely solve that problem. They are just trying to mask the first hop or two you take on the internet. ( enough to dodge a local person in the coffee shop or your ISP provider. )
"How vulnerable are you until you get it open and can a bad guy intercept your password/ verification with the vpn service?"
The login and all of the VPN traffic can still be intercepted. The login handshake for VPN is encrypted also. Both of the services mentioned leverage TLS/SSL. Perhaps better than sloppily run HTTPS server (or sloppy browser with a bad SSL implementation) but same basic foundation.
They seem to also offer some proxy services (so can get a bit of anonymity(masking of your IP address) ... but that isn't security. If you at some random wifi hotspot with a randomly assigned IP address, you're not really buying something significant in that context.)
Lenn Collins
Re:
"First, the services receive your encrypted data and, presumably, decode it to pass on to the net. Implicitly, you have to trust the service. Anyone have any insight to the trustworthiness of either of these services?"
The pay VPN services have a good reputation. If it ever got out that one of these pay VPN services released a client's data without a court order they would be out of business very quickly. A pay VPN service that cannot be trusted won't survive.