Archive for category: Security

Crypt FileVault 2 Solution now Beta

Graham Gilbert has an official post declaring Crypt to be in beta status.  Crypt is a great alternative to many of the paid solutions for FileVault 2 escrow.  Rich Trouton gave us an early look at Crypt when it was more alpha-ish and it was looking really good.  It has […]

Read more
OS X, Security

Java update got you down? Re-enable it!

Rich Trouton has a writeup on how to re-enable the Java 6 plugin after the recent Software Update.  This update disables the Web Plug-in piece while leaving the actual Java 6 framework intact.  Many apps still require Java 6 (Crashplan for instance), so for many of us it may be […]

Read more
Management, OS X, Security

Upgrading from 10.7 to 10.8 on a FV2 encrypted system

FileVault 2 was a great advancement for encryption on Mac OS X.  It allowed for full disk encryption without the use of a third party product, as well as management using the system keychain or via a tool such as Cauliflower Vest. One might ask “So how exactly do you […]

Read more

Re-Signing iOS apps

In order for an app to run on an iOS device, it needs to be code signed. This proves to iOS that the app has been approved to run on iOS devices. This is true of any apps in the App store, ad-hoc, or enterprise apps. The App store apps […]

Read more

FileVault 2: The Silent Protector

Introduction It comes as part of an amazing revolution that the devices we carry are increasingly smaller and lighter. For the first time in history, we have truly mobile devices, including laptops. This also means that they’re more likely to be misplaced or be carried with us in hostile environments, […]

Read more

Protecting Your Mac From the DigiNotar.nl Certificate Compromise

On July 10, 2011, DigiNotar.nl (a Netherlands CA) issued a fraudulent SSL certificate for the domain *.google.com, which would be valid for all google.com domains. DigiNotar has not been forthcoming about how the attackers were able to obtain the fraudulent certificate, releasing only a PR statement without any content. This means that more fraudulent certificates may have already been issued or may be issued in the future for *.google.com or other domains. While current indications are that it was used to snoop on Gmail communications in Iran, no one knows where else it might be used and for what other purposes.

Furthermore, due to the nature of the certificates system, until the DigiNotar.nl registrar is completely secured and how the attack was conducted becomes publicly available, every SSL protected website and service in the world is vulnerable. 

Microsoft IE, Google Chrome, and Mozilla Firefox already have or have announced plans to very shortly blacklist all DigiNotar.nl certificates. If you are running IE (any version) on Vista, Windows 7, Server 2008, or Server 2008 R2; or an up to date version of Firefox or Chrome, you'll be OK in the near future. This is pretty much a death penalty for the DigiNotar CA. I would have been a bit more forgiving, perhaps, but the actions of the security teams at Microsoft, Google, and Mozilla have convinced me that revoking the trust of the DigiNotar CA is necessary. 

Apple has not yet updated Mac OS X and Safari as of this writing or made any announcements about its plans.  Until Apple releases a security update for this issue, you can protect yourself on an individual Mac computer by following the steps in this article, which includes steps for managing the process via MCX and shell scripting for mass deployment.  

NOTE: Unfortunately there is no equivalent process available for iOS at this point. You can add your own trusted CA certificates via the iPhone Config Utility and Configuration Profiles, but you cannot remove or modify the trust levels for pre-installed system certificates. 

Read more

Stop PPTP dictionary attacks in MOSXS 10.5.x

Mac OS X Server's adaptive firewall (afctl) does a good job of catching brute-force login attacks on most services, but it doesn't catch PPTP attacks. The script below checks the system log for such attacks, and then uses afctl to block offending hosts for a week (you can, of course, change the parameters if you wish). I recommend using a cron job to run this script every 10-15 minutes.

Read on for the script… 

Read more

Malware Safeguards in Snow Leopard

A number of you may have noticed the article on ZDNet that stated that Mac OS X now has built in Malware protection (actually, I guess Intego made it public).  Despite the fact that the articles from Intego and then ZDNet were written prior to the release of the actual operating system (in their defense it was only 3 days prior) they have a point. They were also correct in that this isn't using a standard anti-virus engine such as ClamAV (which many think should be included by default in both Client and Server rather than as just a mail plug-in for Server)…  So what is this new anti-malware tool and what's it doing?

Read more

Resetting the VPN service on Tiger Server

This may work on Leopard Server as well, but I haven't tested it. There are several brute-force VPN protocol attacks rampant on the internet, and they may leave your VPN service in an unusable state by flooding it with connection requests. 

Read on for a solution… 

Read more

Securing Mac OS X 10.5 Leopard White Paper Released

Corsair has updated their series of "Securing Mac OS X" white papers to include "Securing Mac OS X Leopard (10.5)". This is an update of the Tiger version to include "the new security features offered by Mac OS X Leopard."

You can find this, previous versions, and others on their Technical White Papers page. You can download the Leopard PDF directly here.

Read more