OS X in depth while this is booting up. We got some stuff to give away. VirusBarrier has a whole bunch of software here, and there are some books by O'Reilly, and that will be given away more towards the end.

Anyway, I started off doing Mac OS security stuff three years ago. I started Freaks Macintosh Archives shortly after the Weasels archive went down. I started it only because all the Mac hacking sites were going offline and nobody could afford to keep them online, or they were violating terms of service from the free hosting providers. So I decided that I'd put it on and keep it up, and since 1997 Freaks Macintosh Archives has been up. Along with Freaks Mac Archive I started SecureMac.com. That was in 1999. Quaggy, you got to stop. Thank you. That was in 1999. Macintosh security wasn't being noted by any of the news, any of the media. They thought it was a joke. The Macintosh news sites wouldn't even post anything on it, because all the Mac people out there would start complaining and hating them, saying that they work for Microsoft. Mac people who read the Mac news sites are really Mac people at heart, and they don't want to hear anything bad. So SecureMac.com was put up only to show a way that the public could accept it, from a security administrator standpoint rather than a hacker standpoint. Both of those sites went offline for about a month because we lost hosting. It's back up now. We have another Macintosh security site, MacintoshSecurity.com, that will be up by the end of the week. That's more for Mac OS X, and it'll deal a lot with integrating with all the other Macintosh security sites and hacking.

So last year we briefly talked about Mac OS X. We weren't able to boot into it then either, but this year, already since the public release, there have been four noted security advisories put out by Apple. After we put together the Mac... Hello? Okay. After we put together the secure installation of OS X for SecureMac.com, Apple released their version of it.
They have a security mailing list now, which they had neglected to put up in the past. They thought that it wasn't an issue. Those websites are going to be in the vendor area. There's a sheet of those with all the different Macintosh hacking and security sites.

Most recently in the news there have been a couple of articles. News.com had "OS X boosts Apple's security concerns." Wired had "Macs ripe for a hack." Both of these articles, from what I've heard, got a lot of negative response from the Mac people still, but it's being taken a little bit more seriously. Since OS X, on Apple's site, they said it was pretty secure out of the box. We've already been shown that it's not secure all the way. A lot of it is based on the UNIX environment, the BSD and Mach kernel.

First off, with sudo, being able to gain administration privileges with it. The only reason why that was vulnerable is because they included an old version of sudo with Mac OS X. A new version was available, but somehow it got mixed up in there. That was fixed in OS 10.0.4. If you're still running 10.0, then there are patches available by Scott Anguish. He created custom installs. So those are available on that sheet also, and on securemac.com.

The other thing noted was the Macintosh runtime for Java: the ability to copy the person's clipboard by running malicious code in a Java applet. Apple fixed that. They've been rather responsive with everything that's happened.

UNIX people are used to /etc/passwd, where the password files are stored. Mac OS X is a little bit different. It uses NetInfo. NetInfo stores all the account information about the account and the password. There have been security concerns within that, dealing with programs like nidump and the whole ni family being able to dump the password hash from that file, so you could easily crack it with a UNIX password cracking app or the Mac OS Classic one, Meltino. That issue hasn't been taken care of. There's been a lot of concern as far as: is it really an issue?
There are about 15 different ways to gain access to all the account information. nidump is one of them, and the command for that one is nidump passwd . (N-I-D-U-M-P, P-A-S-S-W-D, period), and that'll dump the hash file for that. Another place it's stored is in /var/backups/local.nidump. There hasn't been an actual fix for it. People have talked about chmodding nidump, but you're dealing with a lot of other programs that'll basically give you the same access. So you could chmod it to 550, /usr/bin/nidump, which I would show you if we had OS X up, but we don't.

So perform the basic install for OS X. You're going to be pretty secure. There are four different things running: automount, syslog, SunRPC and NetInfo, which we talked about. Out of all those, the only one that there's been a concern with is NetInfo. automount mounts network volumes and drives. You could see how that could become useful in the future when more hacks become available for it. So sudo prior to 1.637 is vulnerable, fixed in 10.0.4.

Keeping your computer secure: root is disabled by default, so you're not going to have a root password, anything like that. If you want to use the root account, you have to use the administrator account to actually set it up. So that makes it a little bit more secure. Once you have the root password enabled, though, basically root's enabled.

Setting up a firewall: ipfw. Mac OS X comes with built-in firewall functionality. A lot of people haven't been able to deal with it, still using the command line for it from the Unix interface. So there are programs like BrickHouse out there, which offer a GUI to set up the firewall software, and it's fairly simple. The other thing running is the FTP protocol, which you can modify using Secure FTP. That software is available on glub.com. That is a secure FTP wrapper. It'll install the TCP wrapper on it and allow SSL connections using a secure FTP client.

SSH versus Telnet: you're going to want to stick with SSH.
Telnet is done in plain text. Anything you send over it, of course, people can sniff. Setting up SSH: it's installed in 10.0.4. Prior to that, you have to get a build, and the URL for that is on the resource paper in the other room.

Keeping it secure: like with any operating system, it offers the ability to have log files, and it uses the BSD log file system. Everything is stored in the log directory under /var. So if you keep an eye out for that, you will see when people try to connect to your computer; you'll see any access that goes on. If you have somebody on your box that you don't trust, you could see if they're trying to hack into your account from there.

As far as security auditing tools for OS X, right now there aren't that many out there. People are porting the security software for it. But the vendors that are out there right now are facing different things, because you're dealing with Unix and you're dealing with the Mac platform. So you can't truly port it over without losing the functionality of one part of the operating system. This software here, VirusBarrier, NetBarrier, that'll be available quarter three. About viruses for OS X: currently there are not any, but there are virus scanners for it. There is the virus command-line scanner, and they also have the OS X GUI version of it. But right now you're not going to run into anything like that. In the news it's been the Simpsons virus, which was actually an AppleScript that does almost the same thing that the Melissa virus did, emailing the addresses. So at least people have taken concern with it, and they're comparing it against other operating systems now, rather than just, you know, "It's Mac OS. There are no hacks out for it. It's secure."

Guest up here, his name is Agent OJ. He's from the Macintosh underground programming group called Team 2600. He's here. He'll be talking a little bit about Team 2600's new program and a little bit about the programming group and where to find them on the web.
Well, first off I'd like to thank Freaky for giving me the time to speak here. A little bit of history about Team 2600. Team 2600 was founded in 1994 by Cybertosh and his friend Sixtime. Back then they were still in high school, constantly arguing with their sysadmin over the battle between Windows and Macintosh. They were part of a 2600 newsgroup online, and one day the topic came up about some Windows hacks, and they decided to put those to use on their school system and ended up hacking about 50 boxes there. And to show their admin up for his battling with them, they wrote "You've been hacked by Team 2600. Get secure. Get a Mac." on the startup screen of every computer. After that they decided that, hey, maybe they should start an actual Mac-only underground team, and that progressed from there. That was about 1996 that that started, and their member base is slowly growing. Now we're at about 10 active members, and we are the largest underground Mac-only active group that's active right now. We have about 10,000 web visitors a month to our site, which is www.team2600.com.

We have a wide range of software, ranging from Port Master, which is a port utility. We have some port scanners. There's Proxy Bouncer. It's a utility that stacks proxies and enables proxy support and talk support for any program that doesn't already have it. We also, what I personally worked on, is the SubSeven project for Macintosh. I ported over the client a few months ago, and the announcement today is that the server is almost finished for the Macintosh. Right now it's about 80% finished, and there is a preview copy available for anyone who is interested. That should be finishing up within the next couple of months. Right now I just have a couple of things to demo on the screen that we finally got up.
First off I'll show our latest program, which is the SubSeven client port. Basically it's the normal SubSeven client, but just on Macintosh. It has all the features: getting PC info, getting home info, getting passwords, everything that you'd want. The keylogger's up, and that will be ported generally to the Macintosh. Overall we basically want to keep producing some quality programs. We're recently working on making more utilities for OS X. There's Yaba, which is a vulnerability scanner for OS X only, and other Unix systems, it also runs on those. That's one of our newest programs. So we're always looking for new members or interested programmers, so check out our website and let us know if you'd be interested. Once again I'd like to thank Freaky for giving me the time to speak here at DefCon. Thank you.

All right, back to OS X. Single-user mode: Command-S during startup, that'll drop you into root mode where you can change the root password. The command for that is /sbin/mount -wu /, that mounts the hard drive in read/write mode. Then you have to start up the SystemStarter, /sbin/SystemStarter. That starts the NetInfo service, which gives you the ability to change the root password. By typing root password, without having to verify the original password, you can change the password on that, and then log out, log back in, you have root access. There have been a lot of people saying that that really isn't a vulnerability, that single-user mode has existed in Unix operating systems as a way for them to get back in just in case they break things. Mac OS people, they're bound to forget their passwords, a lot of them are. I get people asking me all the time, "How do I get back into this? I forgot this password." So a way to protect that: there's a program out, it's on msec.net, made by a guy named Maruka. It's a patch that patches the system and disables single-user mode.
Now by doing this you're not going to be able to get back in, so if you forget your password you're going to be screwed to some extent. Another way to disable it would be Apple's new ability, which is Open Firmware password protection. Open Firmware offers you a way into the, like, back end of the operating system, where it figures out how things are running, and you can enable the Open Firmware password protection. It's basically the same as a BIOS password for a PC, so when you try to get past it, it'll ask you for that password. To enable that command you boot into it, and by doing Command-Option-P-R... no, that'll zap the PRAM. O-F. Command-Option-O-F, thank you. That'll let you into the mode. From there you could type in, let me get my notes up here. But by setting this you're not going to be able to get back in any other way. It's not supported by Apple, really; they don't have any documents on setting the password. So once that's set you could be screwed if you forget your password. To enable it, you type password, and it will take you into their password prompt. From there you do setenv, one word, security-mode, space, full. Or you could do setenv security-mode and then whatever command you want. To disable it, you log in with the same method, if you remember your password, and you do setenv security-mode and then you change it back to none.
Zapping the PRAM by doing Command-Option-P-R will not let you back in from it. You can boot from the CD by using the SCSI ID if you have a SCSI CD-ROM drive. That command is on my website.

Right now we're going to talk a little bit about... last year we talked about MacPork, which was the security analyst tool made by Darksider of Team 2600. It was a hit, but he didn't have the time to continue with it, so another group took on the project. It is called Mac Analyst now. It is a shareware application; it'll let you run it for 10 minutes. It'll scan any operating system you have. Their databases are updated daily with new vulnerabilities, so from your Macintosh you could do security auditing. You can see if your friends', your ISP's computers are secure. Some great things about the program, though: it gets kind of advanced within it; there are so many different options for it. We don't have a net connection here, though. From the menu you see you have the standard TCP commands, just whois, and then you go down here to the security browser. You type in the URL; this is mostly for the CGI scripts that may rely on the system. If you do the standard scan, it'll tell you what you have running on it, and then you use this program right here to verify it. It'll execute the command for you, so you could actually see if it's just a port open that you have used for something else, or if it's actually vulnerable. From this list right here you could see that there are quite a lot of different things that it checks for. The program is 50 bucks. There are many different things built into it. There's brute force, which will test the account with a password file and see if it could gain access. This tool could be used by anybody. They market it for the security administration side, but if, let's say, a hacker got a hold of this, I mean, this could be their dream tool for the Mac OS. There's an ICMP logger; you could see if people are pinging you, if you're one of those people who are on IRC and get attacked all the time.
It supports plugins. It's updated all the time. It's done by a group of French people, so some of the spelling in here is incorrect, but they fix it right away. Okay, I have demo mode.

So up here we have software. How many of you run Macs? Jesus. I remember last year there were about 10 people running Macs. How many of you are running OS X? Jesus. All right, well, the software I have up here isn't OS X; it's for Classic, OS 9. First one is VirusBarrier. Now if I throw this out and I hit somebody, are you gonna be pissed? All right, throw it out, man. This one right here, it was opened by customs when it was sent from France. Everything's in it. Thank you. Always entertaining.

We'll get to more in a minute, but the Open Firmware password protection is a great advancement in Apple's operating system, because they have not had anything like that in the past. All the security passwords for it, you've been able to bypass them by doing Shift during startup, by bringing up the Extensions Manager by holding the space bar and disabling anything that you want to from there, or even by booting up off of a startup disk or CD. With Open Firmware password protection, when it's set, you won't be able to do all that, and you'll keep your computer more secure. It's excellent for environments where you have people rebooting your systems trying to hack it all the time, school environments, because I remember when I went to school the whole Mac classroom was full of people trying to get past the security programs they had on it. First it was At Ease, which was very simple. This guy right here was in one of my classes, and we sat there just, like, hacking the network. It was pretty damn fun.

All right, so you can play with Mac Analyst, keep people entertained by that. Another group, O'Reilly, offered some stuff on Mac-related stuff. I got a T-shirt here for Cocoa, programming language stuff that they got. They have a book out on it; they want you to buy it. So I got a T-shirt here. I'm gonna throw it out that way. Won't get far. Told you. Porting security
related applications. Thank you. Porting the security-related applications to OS X from the Unix platform is going to be a lot simpler. It's going to take some people, well, it's going to take some people with Unix experience to understand it. A lot of people are used to the REALbasic programming language rather than C or Perl or anything else that's now supported by OS X. So anybody who's into that, wanting to port some apps for it, it would be great to put on freaky.staticusers.net, my one-time plug of the day.

There haven't been that many new Macintosh security-related applications or hacking apps out for the past year. Team 2600 has been one of the major players in that. They've done a great job. Anything that you want done, you go to Packet Storm, you see a program there that you want ported to the Mac OS, you email this guy right here and he'll have it taken care of. Sorry to put you in that situation.

Programs for Mac OS Classic new in the year. First one was done by Wedo. He's been a Macintosh programmer, with the assistance of Deranged Cow. That program is called MacSmurf. It lets you have the ability to send ICMP packets, basically an attacking program, a smurf attack in fact, from the Mac OS. For years it hasn't been possible; nobody's actually done it. Any application that's been out there hasn't been able to create the ICMP packets and forge them. MacSmurf lets you do all of the above with it, use the broadcast address, everything. You're set with that program.

What other was mine stuff we got on there? Jesus. No, I don't want that one. EtherPEG was a program demonstrated, it was actually created at the MacHack conference. This program, I doubt it's configured for this computer, but the source code is included. You configure it for your Ethernet card, it'll sit and listen to the packets on the network, and as any images go by, JPEGs, GIFs, it'll actually bring them up on your screen and you'll see what they're doing. So
whether they're, you know, looking at the nice sites or the dirty sites, you got them red-handed. So it's a great tool for, you know, administrators, or just people who want free porn.

For OS X, enabling more security options on it, you have the ability to use GPG, which is the open-source equivalent of PGP. It's GPGMail that has been ported to Mac OS X. There is an install client for it, so you could use your PGP ability under Mac OS X without paying the fees that Network Associates charges for it. Security scanning: Yaba was one of them that he mentioned. The other one is Snort. Is the program Snort, how many of you are familiar with it? Are you guys just screwing with me? Anyway, that has been ported to Mac OS X. It's a security intrusion type tool. So slowly and surely we will see Mac OS X security applications available. As far as that, there really isn't that much security stuff for OS X. You have a little bit of scripts coming up, like, that will make the box crash, like that. C scripts. Those are on freaky.staticusers.net. Second time.

And does anybody have any questions? Please say no. ipfw, is it not installed on your machine? Try locate. 10.0.4, it is there, because that's... whether or not it's under a different name or where it's located, I don't know that right now, probably under /sbin or something like that. But programs like the GUI applications for it use that; it interacts with that program to configure it. So it is on there, so we could find that for you. Okay, another T-shirt. This is the same one. Let's see what I could do. That's like the second out that way. Yes, it's under /sbin. ipfw is under /sbin. Maybe your computer, somebody took it off because they didn't want you to set up a firewall. Yeah, try booting anytime. Any other questions? Way in the back, that's you. As far as that one goes, that's really the only Apache problem that's been noted right now. It's just simple things like that that end up becoming a problem. People upgrading from the beta version to the
public version have noted that some of their directories are world-writable by everybody on there, just because of some file permissions going on there. So if you upgrade, make sure that you look over all the file permissions, make sure that not everybody could access it, because, well, if you let anybody on your box, you're basically a sitting duck. I'm not sure about the case in Snort where sensitivity matters.

We would demonstrate it right now; we're having a little bit of a problem mirroring it. So if anybody again knows any information on that, or... there we go. All right, so the first application that we're going to demonstrate is BrickHouse, which does use ipfw to configure the firewall settings. It's a nice graphical user interface program. When it first rolled out it was free; now there's like a ten dollar shareware on it. Simple program. If you don't want to pay the shareware fee, there are other alternatives out there for it. All right, so let me have a seat here. This is, what do you do? Okay, another box. This one's NetBarrier. This is basically your firewall. It has a lot of other stuff in it. For instance, it could lock your modem so it requires a password, so if you do have any trojans or something like that that happens later on, it does lock your modem so it won't be able to dial out. God, this is gonna rock. Yeah, next time I'll, like, surf it out there. That's all we have. All right, you get to see the background for OS X; you don't get to see any of the applications for it. So we're still working on that. Problems after problems. All right, more questions?

You could, as far as all the development tools like gcc, you could get that off of Apple's website in their development center. They just took on, I believe it was a FreeBSD guy, to do a lot of the porting for, or manage that team, so there will be a lot more applications quickly being ported for it. gcc is not installed by default; 10.0.4, it is, and it's on the Developer CDs. All right, so we have it up on the screen
here. This is BrickHouse. They took out a lot of the functionality in it, because people were complaining they didn't understand what it was. When the program first rolled out, it basically gave you... you could edit the log files for it, you could edit the actual settings for it. You still can now, but they haven't worked it into a nice GUI. Basically filters on/off, that simple. Once you close it, you save it, it's set up. It has the ability for AirPort. How many of you are using AirPort? All right, the EtherPEG program also does support that, so if you're on an AirPort network, or you're at an airport that supports AirPort, you could be watching people's images as they go by. Setting it up is simple; it explains itself. I feel like I'm wasting time here by just looking at it. Add gateway, edit gateway, restricted services. This must be demo mode. Port access, you can restrict. There's the port mapping tools; some of those are available for OS X now. You could restrict whether or not they allow the connections. Again, SSH, you could deal with the hosts.allow and hosts.deny files, restricting or denying permission for specific services. You have all of the Unix functionality with a nice Mac OS interface. You want to play with it, you can monitor everything that's going on with this. It's just like looking at the log file, except it brings up the log file for you in a nice pretty background.

Another thing that I've worked on over the past year was revising a chapter for this book, Maximum Security. I did the Macintosh security chapter. It has a lot of new updates in it. It talks a little bit about OS X, but not much, because it was done so long ago, and a lot of the different hacking programs. This book is, in general, a good book for anybody. So I'm gonna give this away right now, except this time I'm gonna have my lovely assistant right here bring it to somebody, so basically you have to woo her into giving it. Who wants it? Easy enough. I will have more of those books later on. I'll be giving
them out. I got a few extra copies of it. Setup assistant for it: the program makes it so anybody could set up the firewall, whether or not you're a pro Unix user or you're just the good old Mac user. BrickHouse, like I said, is only one of them. If you go to securemac.com you'll see other utilities there. SSH is now supported in it. There are SSH administration utilities, SSHD Administrator, which allows you to configure SS-, excuse me, SSH, the accessibility of it and everything like that.

All right, who else had a question? That guy right there. Yes, once you have the Open Firmware password set in there, you do need to enter the password in it when you enter the Open Firmware password mode, or when you enter Command... no, you won't be able to reset, zap the PRAM, anything like that. So it is a way to keep you secure. Mail server? None. sendmail, it's built in, but it's turned off by default. Many of the services are turned off because they wanted to make it secure out of the box, just like disabling the group password. So far as it stands, there haven't been any noted security issues with sendmail for Mac OS X. I haven't compared anything to prior sendmail exploits or vulnerabilities like that, so we're standing clear until somebody goes out and hacks it again or finds a bug in it. sendmail is gonna be there.

All right, this is the command file for it, the filter. This is the file that you could actually go into and set your own options in there: what you're gonna allow, what you're not gonna allow, the packet sizes that you're gonna allow, things like that.

All right, so Mac Analyst. They have given me the option of giving away 10 serial numbers for it, so at the end I'll collect your emails. The first 10 people up here will get a free copy of it. Another thing for the Mac: there hasn't really been any filtering software. One of the first ones out there, which works pretty well, is ContentBarrier. You got kids, you got school, whatever, this program will keep a log
of everything going on. You could set up your own filters in there, so if somebody says "How old are you? What's your age? What's your name?", things like that, if you're a parent you could have it send it to your cell phone, you could have it send you an email, so you can know when anything's going on like that. This program's going out right now. I was never that good at frisbee. Which side haven't I hit? That side. DefCon is never gonna let me back here again. Okay, nobody saw that, and is anybody gonna say anything? Because if somebody is, I mean, I could bribe them with this AppleScript book right here. This time somebody could come up for it. All right, fine, you could have a T-shirt too. Bad. Here, this will get you started, a book on their Mac OS X stuff. All right, I'm gonna try to stay away from throwing shit.

Any other questions? His question was: is there any way to bind NetInfo to specific ports without crippling OS X or the services, to keep it from binding? Anybody know the answer to that? I haven't... oh, that guy back there. How do you know that NetInfo is gone? The guy tells me. So what are they going to use to replace it? Next week? 10.0.5? 10.1? See, we got an inside guy right here. Maybe we could have him come up here and tell us a little bit about inside OS X security. Come on up. All right, another question: OS X and IPsec, what is going on with that? I want to look at that guy back there again. Ah, I am told several private companies are developing solutions for it. So watch out for it. Yeah, it's not that hard; they just have to go and do it. Bringing in the FreeBSD guy, or the BSD guy, George, that guy, yeah, he's gonna make it a lot easier for the Mac OS people to utilize all the functionality of it.

All right, I'm gonna finish up here. Answer this guy's question over here: TCP Wrappers. OS X does come with TCP Wrappers in 10.0.4. glub.com is, so you could wrap the... it's a Java program; it gives you the ability to wrap the FTP protocol. All right,
everybody's leaving. Thank you very much.
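As an added example, not part of the talk and not code from SecureMac, Team 2600 or any tool the speakers mention: a small POSIX shell checklist for a Mac OS X 10.0.x box covering three of the hardening points made above. It checks whether /usr/bin/nidump and /var/backups/local.nidump are still readable by "other" (the chmod 550 suggestion from the talk), whether the installed sudo is at or past the release that closed the overflow (the talk's version is transcribed as "1.637"; the script assumes the actual version string 1.6.3p7), and prints a conservative ipfw rule set for review before it is handed to /sbin/ipfw. The function names, the rule numbers and the rule set itself are the editor's assumptions; the paths come from the talk.

```shell
#!/bin/sh
# Added example (editor's own, not from the talk or from SecureMac/Team 2600):
# a hardening checklist for a Mac OS X 10.0.x host covering the talk's nidump,
# sudo and ipfw points.  Function names and the ipfw rule set are assumptions;
# the paths below are the ones named in the talk.

NIDUMP=/usr/bin/nidump
NIDUMP_BACKUP=/var/backups/local.nidump

# other_has_access MODE: MODE is the 10-character field from "ls -l"
# (e.g. "-rwxr-xr-x").  Returns 0 if the "other" triplet grants anything.
other_has_access() {
    case "$(printf '%s' "$1" | cut -c8-10)" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# file_mode PATH: prints the ls -l mode field for PATH, or "missing".
file_mode() {
    if [ -e "$1" ]; then
        ls -ld "$1" | cut -c1-10
    else
        echo missing
    fi
}

# parse_sudo_version TEXT: extracts e.g. "1.6.3p7" from the "Sudo version ..."
# line that "sudo -V" prints; prints nothing if the line does not match.
parse_sudo_version() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# sudo_fixed VERSION: returns 0 when VERSION (major.minor.patch[pN]) is at
# least 1.6.3p7, the release assumed here to carry the fix.
sudo_fixed() {
    v=$1
    base=${v%%p*}                              # "1.6.3"
    plevel=${v#*p}                             # "7", or VERSION itself if no "p"
    [ "$plevel" = "$v" ] && plevel=0
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0          # no third component
    [ $((major * 1000000 + minor * 10000 + patch * 100 + plevel)) \
      -ge $((1 * 1000000 + 6 * 10000 + 3 * 100 + 7)) ]
}

# ipfw_rules: a conservative workstation rule set: loopback, replies to
# connections we started, inbound SSH, DNS answers, everything outbound;
# all other inbound traffic (telnet called out explicitly) is dropped and logged.
ipfw_rules() {
    cat <<'EOF'
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established
add 300 allow tcp from any to any 22 in
add 400 allow udp from any 53 to any in
add 500 allow ip from any to any out
add 600 deny log tcp from any to any 23 in
add 65000 deny log ip from any to any
EOF
}

# apply_ipfw_rules: flushes the live table and loads the set (needs root).
apply_ipfw_rules() {
    /sbin/ipfw -f flush
    ipfw_rules | while read -r rule; do
        /sbin/ipfw $rule      # unquoted on purpose: each word is an ipfw token
    done
}

# audit: prints one line per check and returns the number of findings.
audit() {
    findings=0
    for f in "$NIDUMP" "$NIDUMP_BACKUP"; do
        m=$(file_mode "$f")
        if [ "$m" != missing ] && other_has_access "$m"; then
            echo "FINDING: $f is $m, readable by other (talk suggests chmod 550 for nidump)"
            findings=$((findings + 1))
        else
            echo "ok: $f ($m)"
        fi
    done
    if command -v sudo >/dev/null 2>&1; then
        sv=$(parse_sudo_version "$(sudo -V 2>/dev/null | head -n 1)")
        if [ -n "$sv" ] && sudo_fixed "$sv"; then
            echo "ok: sudo $sv"
        else
            echo "FINDING: sudo version '${sv:-unknown}' is older than 1.6.3p7 or unreadable"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

case "${1:-}" in
    audit) audit ;;
    rules) ipfw_rules ;;
    apply) apply_ipfw_rules ;;
esac
```

Run it as `sh checklist.sh audit` to get the report (exit status is the finding count), `sh checklist.sh rules` to eyeball the rule set, and `sudo sh checklist.sh apply` only once you are happy with it; the rules are printed rather than applied by default so a mistake in them cannot lock you out of a box you are reaching over SSH.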