From: Terry Carmen on 16 Mar 2010 13:12

Can anybody point me to a FAQ on Snow Leopard security or toss me a clue?

I've disabled the guest account, changed the passwords and disabled anything I can find that isn't necessary, however the snooping continues, so I've obviously missed something.

FWIW, this system doesn't need any incoming connections at all. The firewall is turned on, but apparently not "on enough" since sensitive information is being leaked.

Securing Linux/Unix and even Windows (more or less) isn't a problem, but there's something on Snow Leopard that I'm apparently missing. There are log entries indicating a firewire connection, but I'm not sure if this is the intrusion method and don't see any way to disable or secure firewire.

As long as the machine can find the network printers and the internet, that would about cover it.

Is there any (non-gui) way to view the actual firewall rules, and is there any way to disable or secure firewire?

Thanks!

Terry
From: Barry Margolin on 16 Mar 2010 13:45

In article <36adnbbuSbWJIQLWnZ2dnUVZ_oOdnZ2d(a)giganews.com>, Terry Carmen <terry(a)cnysupport.com> wrote:

> Can anybody point me to a FAQ on Snow Leopard security or toss me a clue?
>
> I've disabled the guest account, changed the passwords and disabled anything I can find that isn't necessary, however the snooping continues, so I've obviously missed something.
>
> FWIW, this system doesn't need any incoming connections at all. The firewall is turned on, but apparently not "on enough" since sensitive information is being leaked.
>
> Securing Linux/Unix and even Windows (more or less) isn't a problem, but there's something on Snow Leopard that I'm apparently missing. There are log entries indicating a firewire connection, but I'm not sure if this is the intrusion method and don't see any way to disable or secure firewire.
>
> As long as the machine can find the network printers and the internet, that would about cover it.
>
> Is there any (non-gui) way to view the actual firewall rules, and is there any way to disable or secure firewire?
>
> Thanks!
>
> Terry

It would help if you explained what you think is going on. We can't tell how to stop something if we don't know what it is.

--
Barry Margolin, barmar(a)alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
From: Terry Carmen on 16 Mar 2010 15:01

On Tue, 16 Mar 2010 13:45:57 -0400, Barry Margolin wrote:

> In article <36adnbbuSbWJIQLWnZ2dnUVZ_oOdnZ2d(a)giganews.com>, Terry Carmen <terry(a)cnysupport.com> wrote:
>
>> Can anybody point me to a FAQ on Snow Leopard security or toss me a clue?
>>
>> I've disabled the guest account, changed the passwords and disabled anything I can find that isn't necessary, however the snooping continues, so I've obviously missed something.
>>
>> FWIW, this system doesn't need any incoming connections at all. The firewall is turned on, but apparently not "on enough" since sensitive information is being leaked.
>>
>> Securing Linux/Unix and even Windows (more or less) isn't a problem, but there's something on Snow Leopard that I'm apparently missing. There are log entries indicating a firewire connection, but I'm not sure if this is the intrusion method and don't see any way to disable or secure firewire.
>>
>> As long as the machine can find the network printers and the internet, that would about cover it.
>>
>> Is there any (non-gui) way to view the actual firewall rules, and is there any way to disable or secure firewire?
>>
>> Thanks!
>>
>> Terry
>
> It would help if you explained what you think is going on. We can't tell how to stop something if we don't know what it is.

That's the problem. I don't know what's happening, except that financial information entered and stored only on that machine is becoming known to people in the company who supposedly have no access to it.

If this were a Linux box, I'd drop an "ACCEPT . . . state RELATED,ESTABLISHED" rule followed by a "REJECT" into iptables, disable firewire and bluetooth and be done with it, however Apple lists configd, mDNSResponder and racoon as "critical" network services, requires bluetooth for the mouse and keyboard and firewire for the printer.

Essentially, nothing should be allowed any access except local logins for a specified local user via the keyboard.

I can't be the first person who needs to lock down a Mac. Is this documented anywhere?

Thanks,

Terry
From: Doug Anderson on 16 Mar 2010 15:13

Terry Carmen <terry(a)cnysupport.com> writes:

> Can anybody point me to a FAQ on Snow Leopard security or toss me a clue?
>
> I've disabled the guest account, changed the passwords and disabled anything I can find that isn't necessary, however the snooping continues, so I've obviously missed something.
>
> FWIW, this system doesn't need any incoming connections at all. The firewall is turned on, but apparently not "on enough" since sensitive information is being leaked.
>
> Securing Linux/Unix and even Windows (more or less) isn't a problem, but there's something on Snow Leopard that I'm apparently missing. There are log entries indicating a firewire connection, but I'm not sure if this is the intrusion method and don't see any way to disable or secure firewire.
>
> As long as the machine can find the network printers and the internet, that would about cover it.
>
> Is there any (non-gui) way to view the actual firewall rules, and is there any way to disable or secure firewire?

Why do you think there is "snooping" and that sensitive information is being leaked?

If you are trying to secure firewire, that implies that someone you don't trust has physical access to the machine. It is virtually impossible to prevent someone with physical access from getting information. After all, they can put in a DVD, boot from the DVD and have admin access.

System Preferences -> Security -> Firewall -> Advanced gives you some information, but not a list of all the rules.

If you want to look at actual firewall rules, you could simply use ipfw list (from the terminal) right?
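As an added illustration of the `ipfw list` route Doug mentions (example code, not posted by anyone in the thread): a small POSIX shell audit that reads a saved `ipfw list` dump and flags the rules that would admit inbound packets not tied to an existing connection, which is the property Terry's iptables ruleset enforces. The sample dump is constructed for illustration, not captured from a real machine, and its rule numbers are arbitrary; the `audit_ipfw` function name is this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a saved `ipfw list` dump and
# report which rules would admit unsolicited inbound traffic.
# ipfw evaluates rules in ascending number order and the first match wins;
# rule 65535 is the built-in default, which on Mac OS X reads
# "allow ip from any to any". A rule naming neither "in" nor "out" applies
# to both directions.

# Constructed sample of `ipfw list` output (not captured from a real machine).
SAMPLE='00100 allow ip from any to any via lo0
00200 allow tcp from any to any out keep-state
00300 check-state
00400 allow udp from any to any dst-port 631 in
00500 allow tcp from any to any established
65535 allow ip from any to any'

# Reads rule lines on stdin and prints one verdict per rule:
#   OPEN <num>      allow rule that matches unsolicited inbound packets
#   STATEFUL <num>  allow rule gated on an existing connection
#   OK <num>        deny/check-state rule, loopback-only rule, or outbound-only rule
# Exit status is 1 when the default rule 65535 still admits traffic, else 0.
audit_ipfw() {
    awk '
    {
        num = $1; action = $2
        inbound = 0; outbound = 0; stateful = 0; loopback = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "in") inbound = 1
            if ($i == "out") outbound = 1
            if ($i == "established" || $i == "keep-state") stateful = 1
            if ($i == "via" && $(i + 1) == "lo0") loopback = 1
        }
        if (action != "allow" || loopback || (outbound && !inbound)) {
            print "OK " num
        } else if (stateful) {
            print "STATEFUL " num
        } else {
            print "OPEN " num
            if (num == "65535") open_default = 1
        }
    }
    END { if (open_default) exit 1; exit 0 }
    '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | audit_ipfw \
    || echo "default rule 65535 still admits unsolicited inbound traffic"
```

On the Mac itself, `sudo ipfw list | audit_ipfw` (after sourcing the script) gives the same verdicts for the live ruleset. An untouched install shows only the built-in rule 65535, so the audit reports it as OPEN until a stateful `allow ... established` rule and a closing `deny ip from any to any in` are inserted ahead of it; the application firewall in System Preferences filters by application rather than by ipfw rule, so its settings never appear in this listing.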
From: Terry Carmen on 16 Mar 2010 15:46

On Tue, 16 Mar 2010 11:13:48 -0800, Doug Anderson wrote:

> Terry Carmen <terry(a)cnysupport.com> writes:
>
>> Can anybody point me to a FAQ on Snow Leopard security or toss me a clue?
>>
>> I've disabled the guest account, changed the passwords and disabled anything I can find that isn't necessary, however the snooping continues, so I've obviously missed something.
>>
>> FWIW, this system doesn't need any incoming connections at all. The firewall is turned on, but apparently not "on enough" since sensitive information is being leaked.
>>
>> Securing Linux/Unix and even Windows (more or less) isn't a problem, but there's something on Snow Leopard that I'm apparently missing. There are log entries indicating a firewire connection, but I'm not sure if this is the intrusion method and don't see any way to disable or secure firewire.
>>
>> As long as the machine can find the network printers and the internet, that would about cover it.
>>
>> Is there any (non-gui) way to view the actual firewall rules, and is there any way to disable or secure firewire?
>
> Why do you think there is "snooping" and that sensitive information is being leaked?

Because people are talking about things that they should have no knowledge of.

> If you are trying to secure firewire, that implies that someone you don't trust has physical access to the machine. It is virtually impossible to prevent someone with physical access from getting information. After all, they can put in a DVD, boot from the DVD and have admin access.

I don't believe a reboot is involved since the screen is still locked (screensaver) when the user returns.

> System Preferences -> Security -> Firewall -> Advanced gives you some information, but not a list of all the rules.

Yeah, I've been there. Nothing too impressive, since according to Apple it still leaves holes.

> If you want to look at actual firewall rules, you could simply use ipfw list (from the terminal) right?

I'll check that next. I only recently learned that the application firewall was in addition to ipfw and not a replacement.

Are any inbound network connections (not associated with an existing outbound connection) actually necessary for the machine to operate?

Thanks,

Terry