Friday, April 27, 2007

Dino Dai Zovi: how to secure your OS X machine

DF has a terrific interview online with Dino Dai Zovi. Mr. Dai Zovi demonstrated that he could create a serious exploit on an OS X machine within 12 hours of being invited to do so. That's more than a bit impressive. It is, of course, supremely unlikely that he's located the only such vulnerability. It's possible that OS X is just incredibly vulnerable, but I think few believe that. The take-home message for me is that most computers on public networks are quite vulnerable. I hope Schneier will write his own comment.

In the course of the interview Dai Zovi also provided some handy security advice for users and free advice to Apple. I was reassured to learn that I already follow some of it, but I will move some passwords to a new keychain with a timeout. Emphases mine:

Daring Fireball: Interview: Dino Dai Zovi

... I take some extra security precautions such as always running as a non-admin account, using separate encrypted disk images and keychains for different purposes, and isolating data on different machines. I also take some extra precautions that I’m not going to advertise publicly :). I do not, however, run any commercial anti-virus packages.

Gruber: Are there any precautions you think typical Mac users should take that they aren’t now?

Dai Zovi: I would recommend they make their primary user account a non-admin user, I think that is a reasonable compromise between usability and security. I would also recommend that more security-conscious users create a separate keychain with a 5 minute timeout for important passwords. Even if the user is using FileVault, a separate encrypted disk image for sensitive financial or personal documents is another simple and prudent measure to protect your personal information.

Gruber: Do you use FileVault? I don’t. I do store financial and private information on encrypted disk images, but I’m wary of storing my entire home directory on one. I feel like I’m far more likely to run into problems with my disk than I am to run into a security problem, and FileVault can make it harder to recover files if things go south with the drive.

Dai Zovi: I had previously used FileVault on my laptops without much incident when I was traveling and doing consulting. These days, I am no longer doing consulting and traveling less, so I am not using it. I do still use separate encrypted disk images for different types of data.

Gruber: I’ve heard claims that there exist a handful of known Mac OS X exploits amongst security experts. Do you believe – or know – this to be the case?

Dai Zovi: Security experts quite often have exploits for vulnerabilities that they have discovered and the vendor is in the process of addressing. Some others choose not to report the vulnerabilities that they find. So I would not be surprised if there were a number of OS X exploits floating around, I have already seen evidence of this in the past (i.e. the mach exception ports exploit)...

... Gruber: You had nice things to say in your interview with Ryan Naraine about your experience reporting findings to Apple. Do you think there’s anything Apple should do different with Mac OS X itself that would improve security? (E.g. do you think Apple should change the first-run configuration UI so as to encourage users to create non-admin accounts?)

Dai Zovi: I think Apple is to be commended for proactively releasing updates for internally identified security vulnerabilities, which is a stance that few other software vendors take. Apple should implement some of the security defenses that other operating systems have adopted [jf: I think this includes Vista] such as Address Space Layout Randomization and other stack and heap protections. I think Apple should provide the option to create both admin and non-admin accounts in the first run as well as make it easier to store passwords in non-login keychains.
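
The separate keychain with a 5 minute timeout recommended in the interview can be set up and verified from Terminal with the macOS `security` tool. This is an added example, not part of the interview or the original post; the keychain name, the function names and the sample output line are assumptions, and the check assumes the `show-keychain-info` line format shown in the comment.

```shell
#!/bin/sh
# Added example: create a short-timeout keychain and check its lock settings (macOS).
TIMEOUT=300   # 5 minutes, the timeout recommended in the interview

# Create a separate keychain that locks after $TIMEOUT idle seconds and on sleep.
# Without -p, "security" prompts for the new keychain's password on the terminal,
# which keeps the password out of shell history and the process list.
make_secure_keychain() {
    name=$1   # e.g. important.keychain (hypothetical name)
    security create-keychain "$name" &&
    security set-keychain-settings -l -u -t "$TIMEOUT" "$name"
}

# Parse one line of "security show-keychain-info" output, assumed to look like:
#   Keychain "/Users/me/Library/Keychains/x.keychain" lock-on-sleep timeout=300s
# or, for a keychain that never locks on idle:
#   Keychain "/Users/me/Library/Keychains/login.keychain" no-timeout
# Succeeds only when a timeout is set and is <= the limit in $2 (default $TIMEOUT).
timeout_ok() {
    limit=${2:-$TIMEOUT}
    case $1 in
        *no-timeout*) return 1 ;;
        *timeout=*s*) secs=${1##*timeout=}; secs=${secs%%s*} ;;
        *) return 1 ;;
    esac
    # Reject anything that is not a plain number before comparing.
    case $secs in ''|*[!0-9]*) return 1 ;; esac
    [ "$secs" -le "$limit" ]
}

# Check a real keychain; both output streams are captured so the report is
# seen whichever one the tool writes it to.
check_keychain() {
    timeout_ok "$(security show-keychain-info "$1" 2>&1)"
}
```

On a Mac, `make_secure_keychain important.keychain` followed by `check_keychain important.keychain` confirms the setting took effect; running `check_keychain` against the login keychain shows whether it is still at the default.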
