So, I'm here to talk about OS X, and I'm here to talk about a new tool, well, which is really kind of an old tool, which is Bastille Linux, which is now ported to OS X. We're in beta, but that means I can show it to you, and it means that you can start testing if you want to help, and sometime next week we'll come out of beta with pretty shiny package installers and stuff, like, you know, and maybe in a couple more weeks after that we'll be ready for all our parents to run this. Well, all of our non-technical parents, because I know a few people in here that have extremely technical parents. Okay, so, oh, there's my bio. Okay, so we're going to look at Bastille soon, but we're going to start by talking about OS X's default security. Okay, this is, I'm not talking about Server here. Server is potentially worse and potentially better, but Server is very expensive and no one's given me a free copy. If there's anybody here from Apple, I'd love a free copy. Anyway, but what we're going to do is we'll talk about, we'll talk about the OS X machines that you all have, you know, that you all have on your laps. If you're cool, if you're not cool, you know, of course you, no, I'm kidding, you're all cool, otherwise you wouldn't be here, right? We were all called cool as kids for playing with these computer things, right? Yeah. Okay, yeah. So, okay, so what I want to do is we're going to, we're going to talk about OS X security, and we're going to start by talking about the firewall, and this is just, what you're seeing here in me talking about this is like, I got a Mac and for a little while I didn't really look at it. I said it's a Unix box, it's a recent Unix. This means, you know, I know FreeBSD is good, so we're waiting on, we're waiting on power, but I know FreeBSD is good. I've heard this thing's related to FreeBSD. I'm pretty sure the defaults are going to be really, really good.
And then I had a friend that, you know, a friend that had a little bit of trouble with a laptop getting hacked on a wireless network, and I said, I'm sure the firewall is good, and I took a look and I said, oh my God, the firewall is not on. And this was, this was like, I said, what do you mean the firewall is not on? And actually a lot of you were saying, well Jay, come on, don't be an idiot. Look, the firewall, you know, the firewall might not be on by default. And I'll be like, okay, well, sorry, I've been in the last five years' worth of Linux distributions, FreeBSD, et cetera. The firewall is just kind of a thing that's there and it's on, and we all expect it. And the thing is that's just not me being stupid, but I kind of, one of the things I started doing in building this talk was going around to all the other people speaking at conferences and all the other security professionals at conferences and saying, hey, can I look at your Mac for a sec? And being like, hey, you got no firewall. And I'm talking to really bright people that write some really awesome software, come up with all kinds of great attacks, and they're like, oh my God, I've got no firewall, the emperor has no clothes, what the hell? So, you know, so you think that maybe Jay is the only one who didn't turn his firewall on, and it turns out I'm not the only one. And if we were to fire up Nmap maybe at a security conference, port scanning's legal, you know, we could probably find out that, you know, about 20% of the Mac users, 20% of the security professional Mac users still haven't turned their firewall on. In terms of the rest of the Mac users, the ones who don't, who never heard of this security thing, okay, the number is much higher. Lots of them haven't turned the firewall on. Okay, whatever. You're saying, come on, firewall on, firewall off, whatever. A lot of us just, we expected we'd get a firewall on. So, but let's turn it on and let's see what we see.
Okay, some of you don't read, some of you don't read this stuff and I'll tell you what it means. For the rest of you that read this stuff, this is the firewall you get when you click on that little Start button. This is the firewall you get. Anybody, anybody seen any problems here? Somebody, somebody want to help me out? Anybody? What's that? The bottom two lines, which I've so helpfully made red. So yeah, this says, okay, I've got a default deny TCP firewall and then I've got this allow IP line. And I don't know what that means, except that it means like I'm blocking TCP and ain't nothing else. But it's okay, because no protocols, no, nothing runs on UDP and it seems to be good for nothing, right? I mean, at least that's what I heard at DEF CON last year. I mean, okay, so if you look at Panther, this is as far as it goes. Congratulations, welcome to your firewall. It's time to upgrade to Tiger. If you've got Tiger, you didn't get UDP filtering by default. You didn't get, you didn't get ICMP. And you only got it if you click the Advanced tab. Let's go back to Jay's, you know, wandering around among the speakers and the attendees at security conferences. Hey, can I look at your Mac? How many people click the Advanced tab? Well, as I'll show you, we could use Nmap and find out pretty quickly in this room. But what's that? Do it. Do it. Okay, we will, we will, it's cool. So anyway, but most people don't click the damn tab because they say UDP filtering isn't advanced. I kind of expect that's there already. So we click our little Advanced tab. I've turned all the demos into slides, okay? So we click our little Advanced tab and this is what we got. Oh, you mean I gotta turn UDP filtering on like manually? Okay, so I can do that. I go and I click on the UDP thing. My problem with this, my problem with Apple's firewall is that it's, as I'll show you, the problems that I find in it are either deceptive, that the GUI is kind of deceptive.
It says it's doing one thing and does another. Or, far, far more likely, the firewall configurator designer didn't really grok security, okay? Seemed to just barely get the whole TCP/UDP thing. Oh God, Apple's gonna hurt me. So let's check that Block UDP box and let's look at the rules we get out of that. Okay, here's kind of the first set of rules, so let's ignore this and let's go straight on to the second one and let's see if we can read yellow just as well as we read red. Okay, so I'm gonna let you take a gander at this for just a second and I'm gonna tell you all what it means. Okay, for all of you for whom this text doesn't make sense, again, I'll tell you what it means. Don't worry. Okay, so the thing is, by the way, all my boxes are unchecked. All the open port things are unchecked. As far as I, the user, think, I think I've got no open ports. I've got this firewall, it's default deny, it's gonna be strong. I didn't say to share my printer, I didn't say to share Windows file shares, I didn't say to share anything. This machine's a notebook, it's going to a security conference and I trust in the firewall, okay? Well, only so far. The first thing is, the first problem we found is these two rules. What they say is, if the source port is set to one of two popular protocols, one is 5353, which is Zeroconf, Bonjour, Rendezvous, whatever you wanna call it this month, if it's coming from that, then let it in. And the other one says, if this packet's coming from a DHCP server, let it in. Okay, what's weird about that? What's weird is that normally when you let people, like when you open up holes in the firewall, you say, I've got a DHCP client, I'm gonna let it get stuff. You don't say DHCP servers are allowed to do anything they want to me. Does that make sense? It's a little non-subtle, but the short version is, you can attack any UDP-based service.
You can punch right through the UDP firewall as long as you set your source port to one of the two magic numbers for Apple. Okay, this is kind of a gaffe, they didn't really, I don't think they really meant this, I don't think they really understood what they were doing, but the short version is, port scan a box on UDP, you don't get anything. Port scan the box again, fixing your source port to one of these two magic numbers. Ah, you see everything, rock on. Okay, but most of you are saying, well, it's UDP, Jay. What do you care about UDP? I mean, what's really on it? Okay, well, you can, what's on UDP first? Anything that users actually configure to run on UDP, but beyond that, there are some default services and these are the things that I'm bringing exploits for. I mean, these are the things that the baddies are bringing exploits to DEF CON for, okay? So our first one is ntpd, that's just, that's what makes my clock work. It's the network time, the ntpd, I mean, it's just not, it's time sync. I've got CUPS, which is printing. I've got Bonjour, which is that weird little thing where my Mac talks to all the Macs around and like tells it that I'm on AM and stuff, okay? And then, well, in my case, I found Microsoft Word listens on that port. So God, I like the Microsoft people too much to like start busting on their software. I don't know if there's gonna be a phone there, but if there was, it would be bad, right? So what I'm saying is these are my four targets. These are my four targets. None of them should really be reachable, arguably Bonjour maybe. But none of them should be reachable because I haven't told my machine I want to operate a print server. I've told my machine I'm not operating a print server. I'm not operating any of this. And the machine's just a little, it's a little friendly. But you're like, well, who cares? You know what, there are never exploits in any of those.
And yeah, well, there are, okay, this is the latest, this is the security history for ntpd. We've got four good ones. Well, we've got four in there, a couple good ones in there. CUPS has had a few. Here's a nice little DoS that'll, I can shut down anybody's, I can consume all available CPU resources. I use this one, anybody running a Mac in the room who's on the wireless network, your machine go down. I don't get to own you, I'm not that cool, but I can consume all your CPU resources and that makes me feel cool enough. Okay, now I didn't bring any new fresh exploits because again, I'm Jay, I'm not that cool. I'll tell you how to defend your computers, but I'm not gonna tell you how to attack them. I'm keeping them all for myself. Okay, so, but what else can you get out of the exploits? Well, suppose you don't have the exploits. I still wanna talk to these services. Okay, Bonjour is a fun one. It'll tell an attacker, fire up Nessus and point it at a Mac and the Nessus plugin will pop up and say, hey, I found Bonjour and Bonjour told me some really nice things. It said Bonjour and that's good. Okay, and then it said, by the way, this computer is running OS X 10.4.6. It's missed the last patch. Or maybe it says 10.4.0. It's never been patched, which is my personal favorite. Okay, it also tells the attacker our hardware and machine name. Hardware is kinda good if you wanna tune your exploits and make sure you get the right payload. And then finally it might tell us what programs are Bonjour-enabled, like iChat or iTunes or whatever. Okay, I'm not a big fan of the UDP blocking here, but I'll talk a little bit more about it. Outside of the hole I just showed you, outside of the whole fixed source port thing where you can hit anything you want, just walk right through the firewall, there's still a hole in the firewall for CUPS, for the printing daemon. Even though I told the Mac I'm not operating a print server. It's really weird, I unchecked it. I'm not operating a print server.
Okay, uncheck that in the firewall and I get a print server that's accessible by everybody? What's up with that? It shouldn't work like that. Power. Okay, also I get a rule that says anybody can talk to Bonjour. Well, I don't know. That's kind of a, Bonjour is just a protocol that's rough like that. It wants to talk to everybody. It's very, very friendly and, you know, I'm not sure the firewall can be faulted for not blocking off access to it. The tough thing is that I think that one of the things we all forget is that we take Apples, along with all of our other laptops, but since we want to be really cool, we want to be seen as cool, the Apples are the ones we take to the coffee shops and we sit there and we smoke our cigarette. We got our beret on. We're on our Apple, right? And we're looking all cool, right? This isn't, we're not on your dad's LAN anymore. Okay, we're on wireless LANs. We're everywhere. So I'm a little more concerned about Bonjour and other really, really friendly services and firewalls that are open and all that when I go on other people's LANs, especially the wireless ones. But I'll talk a little bit more about the UDP thing, but let's look at that other checkbox. Remember, we clicked on the UDP thing, but there was another thing. There was this really cool function called, dun dun dun, stealth mode. Okay, this is really cool. Apples have stealth mode. Enable stealth mode: ensures any uninvited traffic, any uninvited traffic, receives no response. Not even an acknowledgement that your computer exists. How cool is that? Apple is so freaking leet. My machine's gonna go on the network, nobody'll even be able to talk to it. It's not gonna talk to anybody. It's not even gonna say it exists. That's how leet Apple is. Okay, okay, so I click on that Enable Stealth Mode checkbox. Okay, any uninvited traffic? No response. Yeah, baby. Yeah, no one's finding this sucker. Okay, what do I get?
Well, first I can port scan our target and all those UDP holes mean I get all kinds of answers from that. That's great. What's the other side? ICMP scan. I can ping it and it doesn't work. It doesn't ping. Yes, go Apple. Okay, but what else? I fire up Nmap. I talked to my friend Fyodor and I say, hey, babe. Hey, can you find machines with only ICMP? I got stealth mode on. He's like, yeah, I got a timestamp. I got a network mask request. Probably get Fyodor in here and he'll show us a bunch of other stuff, but the short version is these are two just simple, simple little flags in Nmap and any kiddie can use them and they're gonna find my box. That's not so stealthy. It's an amazingly non-stealthy stealth mode. It added one rule to our firewall. This is it. It says, don't ping me. Please don't ping me. That's it. Okay, so here are my two Nmap commands for all the kiddies in the room. You're new. This is your very first DEF CON. These are your two commands. Have at it. Go after Apples. I'm pretty sure none of the Apple users here are putting their machine on the network and hopefully by now, if you had it on the wireless network, you'd turn that off. Anyway, so I just wanna underscore this one more time. Remember the GUI description of stealth mode? Any uninvited traffic? No response. I can get a response with two types of ICMP packets at least. I can do it with a whole bunch of different UDP packets. I'm getting responses. Okay, now this all seems like really basic. I got my Mac. I immediately investigated the firewall rule set and I put in my own custom rules, right? And what are you even talking about? And I will tell you, at recent security conferences, I've just gone and started going to at least all the speakers and as many of the attendees as will let me touch their laptops and said, can I just take a look at your firewall? And most of us don't know this. Nobody's actually, very, very few.
I found one speaker out of all the speakers at a recent conference who actually put in his own custom rules. Everybody else? No. Now, part of that's, you know, people who speak at conferences were not that bright. But on top of that, I think that might be a representative sample of all of us. And I don't know, but for some reason, we're just expecting a lot more from the Apple and we're not really quite getting it. Okay, I'll show you a couple more firewall rules and then we'll move on and I'll try to show you ways to fix this stuff. I'll show you some other issues outside of the firewall because this isn't just about the firewall. So here's our rule set. Here are our highlighted rules. Here are my problems. First, I've got a rule that opens up for a DNS server I don't run. If I were to put a DNS server on this box, I'd have a rule allowing packets into it. I don't have one on. It's kind of a useless little rule, but whatever. They've drilled a hole for a server I'm not running and I'm pretty unlikely to run on my laptop, and they seem to sell a whole lot of laptops. I mean, that seems to be what's everywhere. Okay, what else? I've told the GUI that I'm not sharing my printer and there's a little hole drilled in just to allow people to talk to my printer, even though I've unchecked. No, no printer access. No sharing of the printer, right? I still get a rule. Thanks guys, what's up with that? Okay, I get a rule that's part of Bonjour, which is for SVRLOC, and that's still there. Okay, whatever. And then lastly, I've got a rule for Samba that I don't need unless I'm actually doing some Windows file sharing, which I also unchecked. So I'm not quite sure where these things come from. Anyway, the point of this part of the talk is you're not getting a good firewall out of the GUI, okay? You're gonna have to make your own or use somebody else's, or actually there are even commercial firewall replacements here.
But the new OS X port of Bastille Linux, which is increasingly misnamed, will actually create a firewall for you. If you wanted to do this by hand, if you started pulling out your hair or you've shut down your wireless network on your laptop about 10 minutes ago and now you're like, oh my God, I need my fix, I can't get my email or my web browsing, ah! Right? We can actually, we're not supposed to be done already, are we? Okay, we're not supposed to be done. That must be the turbo talk. So anyway, if you had to fix your firewall by hand right now at this very moment, so you could get back on and get your web fix, your email fix, or whatever, you could just start removing the rules that get in your way. You could remove those two gaping holes where anything's allowed as long as it comes from the right source port. And then you could remove those other holes we were just talking about. The ones that do Windows file sharing, printer sharing, Bonjour, SVRLOC, okay? So you can fix your firewall, it's actually about six commands. That'll just basically pull the holes out, okay? You have to do all the GUI clicking first, but that'll get you there. Okay, that's just the manual quick. Okay, so I wanted to talk about a couple other issues. The first one was Bonjour. I think I seem to have, I've got repetitive slides, but the Bonjour thing is I can find out what patch level I'm up to, which is really nice. I can find out what patch level someone's up to by just talking to Bonjour on their box. And that's really nice, because if you've got an attacker at a conference and she's trying to figure out which Apples to hit, now she's already been able to fingerprint them through that UDP thing, right? Now she can say, okay, what patch level are you? The machine says, I've never been patched, okay? Our attacker comes after us. And now I wanna introduce a new kind of Wall of Sheep, which I'm hoping people will set up tomorrow, which is the Wall of Patchless Sheep.
At least patchless Mac sheep, okay? If I interrogate Bonjour, I can get your machine name. Usually tells the attacker the name of the admin user, since it's like, you know, part of the admin user's name goes in the default machine name. Okay, that's good. I get the account that I need to brute force. Additionally, the admin's name is also useful for the Wall of Patchless Sheep. What else? I can get your machine hardware type, which, you know, is nice because it means that when I have to choose a payload for those UDP exploits, I know which payloads to choose, because I know what hardware you're running. No universal binaries required. That's really cool. And the other, additionally, it makes it a little bit easier to find out which machine you happen to be running in the room, take your picture and put it up on the Wall of Patchless Sheep. I'm sorry, I'm really trying to get my Wall of Patchless Sheep put up. Anybody gonna volunteer to help? Okay, well, fine. Okay, what else? If you're, these are other issues in OS X, not too many. NetInfo, if you're on the system, listen, a couple of versions ago, they weren't actually even shadowing passwords. They're shadowing passwords now, but you can pull up, as one user, you can pull up a list of all the other users along with their password length, because it'll differ. Here, let me see if I got a slide. Yeah, here you go. I've got a K user, I've got a J user, and you can see they've got different password lengths. So we get our password length. As long as it's under, as long as it's eight characters or less, I can figure out what your password length is, which might make it a little bit easier to brute force. Not too much easier. What else? Bluetooth. Okay, this slide's a little wrong. The Bluetooth configuration is not default on. It is default on on every account created after the very first one. So you get your machine from the start, Bluetooth is off, that's great. That user, the first user, is an admin user.
None of us would run as that user, not as security people, right? I mean, unless we've probably spent too much time fighting Run As User and all that, but you don't need to do this. Trust me, I've run this for a couple of years now and I created the second user, non-administrator. I run with that all the time. When I gotta do something administrative, it just prompts me and asks me for an administrator name and password, that's cool. But that first user, could you guys be quiet? Oh, well, I'm screwed. Okay, so the first, you're gonna create a second user and that's really good, and that second user, that's best practice, we're all gonna do that. The thing we're not gonna notice is Bluetooth got turned back on. It gets turned back on whenever you log in as any other user besides the very first one you created. Even if it's not been turned off, and even if it is turned off, or even if you've turned it on yourself, they're set discoverable by default. Does anybody need their laptop to be discoverable by Bluetooth? Makes it a lot easier to find your machine on the network. Well, not on the network. Kind of, yeah, a little bit easier for the Shmoo Group to find your machine. And that's nice, because those are good guys and they should find them. Encryption set off, user auth for Bluetooth is not always perfect. Here's my screenshot, here's Bluetooth for a new user. It's on, it's discoverable. There are a couple more weaknesses I'll tell you about before I introduce Bastille. The first one is every user can see each other's files. I love this kind of stuff. Just put me on an Xserve, man, come on. Every user gets to see each other's files. Every user can read each other's files. Every user can execute each other's files. The only thing they can't do is write to each other's files. There's a umask in place, but it's not a good one. Okay, this is really nice. You're on a multi-user system, and I don't know, you get curious. You go and look in your friend's home directory.
You find all of his data, maybe you pilfer some of it, maybe you take some, well, okay, that would all be bad stuff. And we wouldn't do that, because this is DEF CON, and we're good people. We're not up to no good. There's no mischief at DEF CON. Okay, so that's not so bad. It's local, I understand. But it's kind of a pain in the butt. What else? Auto-login's on by default. I guess we're all used to that being bad, but it shouldn't be on by default. Come on, guys. It shouldn't just automatically, I mean, what this means is I install a Mac. It automatically logs on as the administrative user with no help. That's great. I'm gonna leave my machine sitting alone at DEF CON that way, you know, chained to a table, but all you gotta do is turn it off and turn it on and you're admin. Go for it. Okay, what else? Trojan risk. Maybe, I don't know if any of you have played with this, but basically the first user on the system, they're admin and they own all the applications. That means they can Trojan any application they like. Okay, that's not horrible. The tough thing is, I mean, I'm not thinking that they're gonna be really bad. The problem is that what that means is the first user on the system owns everything. So if there's a browser flaw and somebody hits me with one of these little passive pain-in-the-butts, a browser flaw, where they take over my browser and they can execute code, means they can replace all the applications on my system, means they not only have root, but they're just gonna Trojan horse every application on my system from one browser flaw, including all the other users'. So, you know, when little Johnny goes to sites he shouldn't be going to at night on the family machine, everyone else gets nailed too. Okay, I just, I don't like that. As I said, we all run as a non-admin user and that's really good. We create a second user, non-admin, that's good.
The problem is, our non-admin user, when you go and you have to authenticate to install software, our non-admin user still ends up owning the files that get installed, even though they required administrative privileges to install, and you would think that would mean they'd get installed with the admin group and all that, they actually, with the admin username, they'd all be owned by somebody other than me. Nah, it doesn't go that way. It turns out this is, it's just kind of a weird implementation thing. Okay, so you can fix basically all of this and you can fix it with some simple hardening. And the simple hardening stuff is the stuff you can look up in guides and books. NSA makes a great guide. CIS makes some good guides. Eric Hall helped write the, wrote the CIS guides. He's really done an awesome job. But I will suggest my own tool, which I give away for free, so I, you know, it's not for sale or anything. This is not a vendor, you know, buy Bastille Linux. GPL free software, which, yeah, it's free. Okay, so Bastille's kind of cool. Bastille's a tool and I'll introduce it right now. Bastille basically is a tool that can audit the system and it can harden the system. The audit is not to find vulnerabilities, it's to find things you could do if you wanted to harden it, but you wanted Bastille to tell you if this is a good system, really, really good, really, really bad, and what you should do if you wanted to make it better. If you wanted to make it better and you don't want to have Bastille do it for you, you want to look at 100 systems and figure out which is the worst, you can run Bastille's audit thing. Okay, I know we all cringe when we hear audit, but it's okay, we're using it. What else can it do? It can harden systems and kind of fix these problems. And then once you harden, you can go and make sure the problems got fixed by re-auditing it. Okay, so this is Bastille OS X and you're like, wait, isn't that like Bastille Linux?
You're gonna get in trouble with the guy who made that. He's gonna be like, you stole the name. Okay, Bastille is an increasingly misnamed thing. We'll call this Bastille OS X. We'll call it just Bastille just to make it a little less confusing. Bastille's been a pretty popular hardening tool for the last six years. People have found it pretty useful and it doesn't tend to break systems. It actually ships with HP-UX as part of their installer. If you buy an HP-UX system after, I don't know, a couple years ago, you've got Bastille already on there. Everywhere else we go and install it some other way. It's available for most of the major Linux distros, sometimes through the automatic installation tools. And we're now extending support to Tiger with a native port. We don't have that Cocoa stuff yet. You still need X Windows, but that's okay. If anybody wants to make a Cocoa front-end, help. That's how open source works. You get something for free and if you want a hobby, you can help us build something onto it. Bastille's a hardening program for these: for Red Hat, SUSE, Mandriva, Ubuntu, Gentoo, Debian Linux, your distribution here. It may already be there and I may not know. Sometimes that happens. They port, somebody goes and ports it to something and doesn't tell me about it because they don't really have to. It's on HP-UX, it's on OS X Tiger. So it's kind of a nice, it's a nice little tool. Does anybody use Bastille in here? Okay, so a bunch of you, that's pretty nice. I'm, yeah. Cool, excellent. So for the rest of you, this is what Bastille is. Every, the nice thing is we've got this tool that both hardens and audits hardening. So every single item we harden is also something we can check to see if it got hardened. So, but the thing that people really tend to like out of this is that Bastille's become an educational tool.
Okay, I know you're all very senior people and you know everything, but you probably have some people at work that you've been tasked with training and that's really, you know, you're like, wow, this is a hard job. Give them Bastille for a little while. Have them run through it and they'll learn a lot. There are a lot of people who've used this tool, who've used Bastille solely to find out what they could harden and then they've gone and done it themselves. This is an admin training tool. The whole deal for us was that if we train users, if we train admins, they make better choices about security. If we go and say, here's why you need to know. Here's why Telnet's bad. It turns out I can hijack it. It turns out I can sniff your password out of it. Don't use Telnet, use SSH. And so users are like, I'm not turning off Telnet. That's my administrative tool. They now know, okay, I shouldn't do that. And they use this, which is cool. But why do we use a hardening tool? We don't really, I mean, some of us do it because we're required by law to do it. But the rest of us use a hardening tool because it breaks exploits. It turns out if you do hardening, whether that's by tool or by hand, you tend to break a whole lot of exploits out there. And part of that's just you turn off programs that would have gotten exploited on your box. Like maybe that print server I wasn't really using. Part of it's that you configure programs so that they're less likely to be vulnerable. There's all kinds of stuff you can do where you set up access controls. You turn off functionality within a program you're not using. And all of a sudden, lots of exploits don't work. The Lion worm, one of the only worms against Linux, well, you configure BIND well and you were impervious to it, basically. We also do stuff like containment configurations, like jails in the future, like AppArmor and SELinux, to make it harder for an attacker first to make the exploit work in the first place.
And if they do get it to work, to actually get anywhere on your system. If they can't run any commands, who cares that they're on the system? Okay, I know, they'll get somewhere. But I'd like to make it harder for them. Bastille's been pretty effective. We made it just after Red Hat 6 was released, before all the exploits. And it turned out that Bastille broke just about every major exploit against Red Hat. That's not because Bastille was rocket science. That's not because I'm hella leet. It's just because this stuff tends to work pretty well. I mean, you could use a hardening guide and you'd get the same kind of results. But it turned out, there were holes in the first few releases of Red Hat. There were holes in BIND, in the DNS server, the FTP server, the Sendmail server. Whole bunch of, there were a bunch of local privilege escalations. And we could basically take out every single one. And we could do it with steps that we put in place before any of the vulnerabilities were known. Which is nice, cause it means you don't end up chasing patches quite so hard. Cause you're like, okay, there's a patch for this. But it turns out I'm not vulnerable right now. So I can wait until like, you know, I get in this morning to patch that system. Or I can wait until my boss makes me wait. Okay, again, this hardening stuff works. NSA's Information Assurance Directorate. Those are, as far as I can tell, not the spooky guys. They're the guys who tell us how to keep the machines from getting broken into. They did a test and they've done a bunch of tests with Windows and Linux. And they said, okay, I throw a bunch of exploits at a system. They all work. I harden, I throw the exploits again, and it's about 5% still work. Now that 5% box doesn't do much, right? There's, it does a little, but it doesn't do a whole lot. But then again, from the perspective, it doesn't do a whole lot from the perspective of serving. I don't need my notebook to serve.
I just need to take it to a conference and not have it owned. Okay, so Bastille does this, I'll tell you a little bit more about what Bastille does, and I'll show it to you. Bastille has a separate, that audit mode is a read-only thing. Tells you what's hardened, what's not hardened, and that can be useful. It can be useful. One of the things it does is it scores a system. It gives you a score between zero and 10. Somebody told me about this idea and I said, that's stupid. A score? If you're gonna give me a score, give me like a vector of like 10 scores. Then we'll like put them all together with a weighted average and it'll be cool. And someone said, no, just give me a straight number between zero and 10 and I said, why? And he said, you'll see, it'll work. Okay, so the first reason it's useful is triage. Tells you, you take this, you run about 150 systems or you're Amazon and it's 12,000 systems and you figure out which one's the least hardened without having to look at each one individually. Okay, that's the triage thing, it's good. Or you say, wait, everybody's systems, except for that guy, that one admin who won't harden his systems. Everybody else's systems are great and his just suck, right? The triage thing is great. It's also nice for motivation. It turns out you don't need to beat people over the head. You give somebody a score? Oh God, we're a bunch of overachievers in this room usually. You give somebody a score, they'll move. We had somebody who tested the beta, who tested the scoring while it was in beta and it said your system score is 6.5 out of 10. And he said, bullshit. He wasn't a six out of 10 kind of guy. He'd never seen himself as a D student. And so he sat down and he spent 15 minutes by hand hardening his computer and he ran it again and it said 8.5 out of 10. And he said, okay, okay, I can do with a B for now. That's fine. But this guy was never gonna get around to hardening that system and he did it solely because we hurt his pride. 
I don't care why I make computers better. I don't care why I get them to be more secure. If I have to wound some pride, that's just fine, right? That works. It turns out the score thing works. What else is the audit good for? This is the question people always ask me when I teach them how to harden a system. They say, okay, I harden. Now I'm gonna patch. How do I make sure I'm still hardened? And I used to say, well, if you did it automatically, you could rerun the hardening and it would just redo it all. And the guy was like, I don't wanna do that. That might change something. And I said, well, that still won't do that. It won't change anything if you run it a second time immediately after. And he said, well, most people say, okay, that's cool. And some people say, that still makes me feel a little weird. So fine, run the hardening thing, go and do your stuff, patch the system. Now you're worried patches broke your hardening. Run the assessment thing. Okay, run the assessment thing. Now you've got what we call skew detection. You know you hardened it to this config. And now when you score against that config, two items have gotten unhardened. So now you know, okay, I know it got broken by the patch. I know it got unhardened by the patch, I can put it back. I don't know, this works pretty well. So I'll show you a little bit about what Bastille actually does. And I'll actually run it for you. Wow, okay, so I'll actually run it for you and show you how it works. The shortest version for OSX, the major things for us to get in place were first, install a fully configurable, non-deceptive, or non-confused. 'Cause I'm guessing actually that Apple wasn't deceptive, they were confused. Okay, install a good working firewall. By the way, I love Apple. I love OSX and I think it's actually a whole lot better than Linux machines were a while back. I think it does a really good job. 
I just think it's not good enough and I'm very hopeful for the next version. And I think this is probably gonna be, I think we're gonna see a really nice next version. So with that said, this is what Bastille aims to do. First, get a working firewall in the system, one that doesn't suck, two, deactivate Bonjour if you're willing to. If you're actually using that stuff and you want everyone, you want to broadcast on the DEF CON network, hey, I'm using iChat, love, anybody wanna talk to me? You know, that's cool, you can keep it. What else? We can lock non-root users out of doing that NetInfo thing where they could get a list of user names and password lengths. We can turn off Bluetooth and for Bluetooth, we're gonna make it non-discoverable. So even if you turn it back on or you left it on in the first place, you can actually make it non-discoverable. Those are the major things that were really critical to us to get in there. We've also taken all the old stuff we used to do that we still do for Linux and for HP-UX and try to make it work on OS X too. So those are the major things. In terms of hardening Bluetooth, what are we doing? Macs are discoverable by default; turn off discoverability and enforce some really good stuff and enforce pairing for everything, because pairing is not actually required for the Bluetooth serial link thing. Turn on encryption whenever we can. What else do we do? We'll make a normal user account for you so you don't have to run with admin privs all the time. We'll kill off that user listing at the login screen. People don't just sit there and guess your password. Ooh, there's four accounts. One of them is called Guest. Now I know there's a Guest account without even having to check for it. We'll turn that off. We'll turn on home directory encryption. We'll turn off the whole everyone can see each other's files thing, kill off auto-login. These are all things that Bastille does optionally. Okay, it does this optionally. 
You choose what Bastille does and what it doesn't do. So you don't have to do any of this stuff. You can be like, you know what, leave my machine alone. You can be like, I just want to turn this one thing off. We also educate the admin on this stuff. Okay, in terms of the different pieces, I've got the different pieces but I think what I'll do is stop right here and actually show you Bastille. I'll give you a little demo. Is that a good idea? Yeah. Okay. I'm gonna warn you, the demo gods have been very bad to me lately. Okay, has anybody in here ever experienced the demo gods? Okay, yeah, you know about them. They're not happy gods. They're like, you know, they don't get all the, you know, sitting fat and happy. They're really unhappy people. Okay, so this is Bastille running on my Mac. I promise it's a Mac. And basically each of these things on the left side, that's a little fuzzy, I guess. It's not fuzzy here, but each of these things on the left side is a module. And a module is just a collection of stuff that you might want to do to a system. It's just a grouping. It makes it easier for us. So what happens is, a check mark is placed next to each module as you get through all the questions. That way if you hop around, like, you know, I don't know, we're all ADD in here. That way if you hop around left and right, you can know whether you got through all the things in a module before you finish. We'll at least warn you. Okay, so Bastille goes through and it says, okay, we can fix file permissions. And we probably shouldn't put that first because file permissions are probably one of the most boring areas of computer security, right? But they also happen to be really, really good for local privilege escalation, as I've found out a number of times. But this basically just asks about turning setuid off, getting rid of some of the stuff that makes it easier for people to get to root. For people to get to root if they're on your system. What else? 
We can do things like turn off traceroute entirely or at least make it so you can't run it. I mean, at least make it so you can't run it as a non-root user. This umask thing. This umask thing is actually what says, umask sounds so boring. umask is actually what says what permissions every file in the system is created with. umask is what makes it so that I can go and read every single file that my friends created in their home directories. I can switch it on my home directory, switch it to somebody else's. If you choose our default setting on this, that goes away. So you don't even have to know what a UNIX permission is. That goes away, okay? And we explain. And again, the whole point of Bastille is if you look at this big, there's a question up there that's unfortunately in a horrible color for projectors. But below that question is an explanation. That explanation is the educational bit. And that educational bit says, here's what you need to know about this so you can make a good decision. Listen, people have always said, why did you make it educational? First educational hardening script, why did you think of doing that? It's really useful, but why educational? And I'm not gonna tell you my answer, okay? 'Cause my answer is kind of boring. Well, educational sounded like a necessary evolution of the hardening tools. Okay, my wife would say, 'cause Jay's a control freak, okay? He wants you to turn off Telnet. You're like screw that, I'm keeping Telnet. Fine, he'll tell you why Telnet's bad. Okay, you know, whatever. That's why we went educational, 'cause I wanted you to do the right thing and I was gonna tell you what the right thing was. It's kind of authoritarian and bad that way, but I'm much better now. Okay, so we can read that stuff and we can know that the default here is good. And we can do things like making it, we can password protect single user mode so somebody can't just boot directly into root. We can do things like set up TCP wrappers. 
We can go and put on badass messages that say, hey, if you're not supposed to be on my machine, don't log into it, unauthorized access is stupid. And we can hope that that makes it easy to prosecute the kiddie that hit us at DEF CON. That didn't happen to me, it's okay. Anyway, and you can create a whole banner thingy. Let's see, those banners are nice. I do a lot of pen tests. That's part of what I do for work is I hack into computers and get paid for it. And I've had a client every now and then and their banners pop up and they say, if you are going on this system against authorization, you'll be prosecuted to the fullest extent of the law. We are a law firm, we are coming after you. Do not phone home, do not pass go. You're going directly to jail. I know that sounds kind of silly, but when I look at that, I kind of stop and like, just wanna make sure this system's in scope, right? Okay, it can also, we can also make sure that some of the core file stuff, some of the weird local escalation or local denial of service attacks don't work. We can go and this is where I have fun. We go and turn off all the different programs running on the system, or at least the network ones usually, that you didn't need. We ask you, do you actually need this? So you're operating an NFS server or is this a laptop? Are you operating an NFS client or are you not? And we'll go and we'll turn all this off. Here's the question I like. This one says, do you wanna turn off Zeroconf, Bonjour, Rendezvous, this thing that doesn't know what its name is? And you can say, yes, I'd like to turn it off or no, I don't. If you're at a conference, please, please, love of, just turn it off, okay? What else? I can turn off the auto-mounting thing so a kiddie can't walk up to my laptop while I'm not looking, plug in a USB drive, unplug it, walk off and I won't tell you what that does but it'd be bad. I can turn off some of that other stuff like the time synchronization. 
We tell you, turning off time sync, like okay, on the one hand, you're not so exposed to vulnerabilities, on the other hand, time sync's kinda good. I like having my clock work. We can turn off Bluetooth or we can make it not so discoverable if you wanna leave it on. You can turn off the printing daemons so that even if the firewall fell back to Apple's current one, you wouldn't have a print server there, okay? If you're printing, you'll need to keep that but if we're here, we're probably not printing so much. And then we've got that firewall thing and our firewall replacement here is very, very simple. Bastille has an extremely complicated firewall that we have for everything but OSX and it assumes that you're building a multi-leg firewall with lots of different networks and you're trying to prevent each of the different networks from hitting the other ones. On OSX, this tends to be a client operating system and since we don't have server, we really just have a machine that, I don't think I've ever seen an Apple working as a firewall. So we've got something that's pretty simple. We assume this is a single-user system. We're going to actually port over Bastille's more comprehensive firewall and let you choose from our simple five-question firewall and our much longer, well, kind of 20-question firewall but it's really simple. We'll fix that firewall for you right out and what we'll do is we'll say, okay, first do you want Zeroconf, like, inaccessible, and if you don't want, in addition to that, what TCP ports do you want? 22, I want to SSH into this. What UDP ports do you want? I want 631, I want to share my printer. You click okay, you're at this point done and you click okay, we're going to click on save configuration, we're going to click on apply configuration. 
The next thing is something really ugly that we haven't fixed, we're still in beta but it doesn't actually break anything, it just looks really ugly when you go up and get up at conferences and try to convince people that it's a nice tool that they should try using or beta test for you and that is, okay, Bastille's interface just saved up the configuration and it's about to apply policy and it stops and it doesn't do anything. So that's okay, as our README will say, you type Bastille -b. Bastille's got this nice little thing, okay, you've got a front end, that part we're just looking at, asks you all the questions, builds a policy file. You can use that policy file and if you were tweaking a little bit, you could use it to score your system against to see if your system was not only hardened but to use audit, to use the audit thing to see if there were any differences between your policy and your current state, okay, that's cool but we separated the two bits. The part that asks you all the questions and does this auditing stuff from the part that actually does the hardening, and the reason we did that was, well, we wanted you to be able to stop right here, take your config file, copy it out to 1,000 systems and then run Bastille on 1,000 systems that don't have to be asked all those questions. Now you have scalability, okay, all you Amazon people can be really happy or all you other people that run lots and lots of Unix, okay? So I can type in this, I can run Bastille and run right into a bug, demo gods or change control or both but trust me, it's gonna get hardened. It's just that it's not yet. So, right, okay, so okay, I don't know how that happened right before I came in here. I ran it one last time and then I undid it just to make sure everything worked. I don't think I changed any code whatsoever and I have no idea and I would have called that demo god. So with that said, Bastille is almost done. 
I will put the source up on the site, you can download a tarball, you can run it, it's in beta. Okay, I will fix that bug and I'll put it up tonight, okay? I'll be putting up regular updates for the next few days. We do not yet have either one, a fancy pants Apple installer, much better than anything we're used to on Unix, okay? We also do not have two, a fancy pants just click this button and it starts up. You have to do some command line jobbies, okay? These two things are being worked on by two different Bastille developers, one of them in Arizona and one of them in Maryland. They promised me it'll be done soon. Okay, what does that mean? A week from now, it's gonna be really, really polished. Right now, well, right now, it's not gonna work. But tomorrow, once I've sobered, no, once I've finished, okay, tomorrow, once all the DEFCON parties tonight are over and I've slept it off, I mean, gotten good sleep, I will fix it and publish new source up to the website and you will have a totally working Bastille for OSX and you can use this before you hopefully put these machines back on the network. So that'll be Monday. Monday? Oh God, how long have I been at DEFCON? God, I thought it was Friday, okay? So yeah, no, no, no, no, I've done some good work at DEFCON. Anyway, if you don't believe me, you can come to the dunking booth tomorrow and dunk me at 12 noon and take out all your frustrations with my code there. Was there a question somewhere over there? How do you download it if you're not on the network? Go find an OpenBSD, Linux or FreeBSD system. Go on to the network, I think the drivers in there are safe. Download Bastille and sneakernet it over to your Apple, or actually they have Ubuntu for this beautiful hardware, so you can do that. Oh, you can also use a Windows machine. Or God, I don't even have to do it myself anymore. Sorry, Microsoft, I love you. Please keep inviting me to your parties. Yes? What version what? 
The question is, do we have a version that doesn't require X Windows? The answer is not yet. Doing that requires that we rewrite the front end entirely in this Cocoa stuff and we will do this. Oh, by the way, there's probably a slide asking if any of you want to do this. Anybody want to write me a GUI? That's how we got the last one. We were text based until somebody came around and wrote us the X GUI. So if somebody thinks of it, please write me one. In the Linux version, you can run it in text mode. I think we didn't get curses to compile last time. I'll give it a try. I really don't like this text mode. It makes everything look ugly. Okay, we'll get the text mode thing going. But right now, it requires X. X is on your install DVD. We cannot distribute X ourselves, but you can probably download it from Apple's site. We do require one other thing, which is Perl/Tk, and we're including that Nmap style in our download. So when you download this, our installer will install Perl/Tk if you don't have it already because dependencies are a pain otherwise. There was another question way back there. How, from permissions, how are you gonna deal with, could you rephrase? Oh, the question is, if we're gonna go around and change permissions and make them better, won't repair permissions get peeved off at us? Yeah, it will. First, yeah, don't use repair permissions. Just use good ones. Second, okay, first, don't use repair permissions. It may be for that, but I don't really think it's for that. I think that you should go and get OSSEC, or Osiris, a great tool from the Shmoo Group, or even go old school and get Tripwire, and use that to track your permissions. If you think your permissions might be different from the last time you did something, actually use a file integrity checker to check. They're good for change management. They're good for checking to see if you've been owned. By the way, you have to run this stuff. 
Everyone calls me, like, I think I got owned at DEF CON. Can I use Tripwire now? And you're like, no, Tripwire before DEF CON. Then owned, then Tripwire to check. But you've gotta build that baseline before. Proactive security is good security. Getting owned is bad. I couldn't come up with the bad security thing, so I'm just gonna call it at that. Two questions over there. Yeah, in the front first. Okay, so the question is, could Bastille's changes, or arguably the changes you make by hand to do the same thing? Because Bastille's doing what a good admin with some time on their hands would do by hand. So could Bastille's changes, one, get wiped out by a patch? Answer? Yeah, yeah, this happens all the time. It happens all the time on, like, freaking every operating system. I'm sure there are some really, really good ones where this doesn't happen, but as far as I can tell, it seems to happen on everything, because that's actually a hard problem. So yeah, sometimes your patches will wipe out your hardening. Two things, Bastille creates a config file. You can rerun Bastille anytime you want using the same config file. And the way it's set up is that you could run it. We made part of our testing process: I should be able to run this a hundred times in a row, and if one of the actions is to add a line to the end of a file, we shouldn't add another line to the end of the file. We shouldn't add two lines or a hundred lines. Okay, so you can just run Bastille again. Part two is we have this audit mode, which will actually go and basically say, okay, this is what you said you did. This is your policy file. You can make that into a score file, a weights file that says, if you run the audit, it'll check and see each of the hardening items and see if they're still hardened. But most importantly, the score will be calculated entirely only looking at the items that you actually hardened in the first place. 
So you'll either get a perfect 10, or you'll be able to see the things that pulled you down from a perfect 10. If you're a perfect 10, nothing's changed, you're still just as well hardened. If you're not, well, something got unhardened and you know to go after it, or to just rerun Bastille. So that was question one. He had a two-parter though. The second part was, oh, God forbid, okay, I shouldn't do that. I should say, oh, DT forbid, okay. DT forbid that Bastille actually in hardening the system makes it so the patches don't deploy properly. Would that happen, Jay? And the answer is, I've never seen it happen, like ever. I've never seen a hardening step actually take out. I mean, that would be a very broken hardening step. And I think we'd hear about it from I don't know about 500 users at once one day. We'd probably get the word out pretty quick. We'd probably tell you, but honestly in six years of maintaining Bastille, I haven't seen that happen. And we've been on, I don't know, something like eight different operating systems. The question was specifically about chroot. I'm gonna actually save, I'm gonna cut you off now and take another question. I will take that question in the hallway afterwards because I'm gonna run into time soon. But I will say in terms of doing, he says when we build chroot jails, for everybody who knows what a chroot jail is, when we build chroot jails, it's not gonna screw with the way patching things work. We don't move anything when we create a chroot jail, we just do copies. And so we'll have to make it so that each time you patch, you'll have to rerun Bastille to make the chroot keep working. But we won't break anything, okay? You'll end up having an older version of the software in the jail potentially. That's your kind of worst case. But we won't break anything. Okay, there's a question behind you by two people. Yes. 
Okay, the question is if we fed this back to Apple for inclusion in Leopard and possibly a Tiger update. The answer is yes. We are already talking with Apple about this. They have a, well, they were here so they've got our slides too. But I have been talking to them and I am very much hoping that these things will all become standard. My hope for every operating system is that Bastille will be completely unnecessary. That every hardening step we could possibly take, they take by default and you have to unharden something. This happens slowly over time. Red Hat has gotten significantly better. Everybody's gotten a whole lot better over time. So this, you know, I'm hoping that at some point I'll say Bastille OSX is dead. We have no use for it. Bastille Linux is dead. I'm going to go do something else. You know, I'm going to get a different hobby. This will happen over time. Okay. Next question. There was another one. Raise hand. Oh, the question was, wasn't the Bastille stormed, Jay? What a horrible name for a tool. Are you kidding? Peasants took it over. Yeah, it's a bad name. We didn't mean it. We got a little, we drank a little too much Red Bull when we were looking for a domain name. We meant to call it Bastion Linux. We called it Bastille. Yeah, that wasn't me on the Red Bull but I mean, it's, I can only say I'm sorry. And I'm going to say that darn near any computer, if it has 1,000 or 2,000 peasants, you know, trying to hit it at once, is probably going to fall down, right? I mean, at the very least, you've got the denial of service attack. Enough people start sending packets your way. Your ISP can't do anything. It's coming in from all directions. You know, okay. Yeah, next. You on the right? Yes. Have I considered interfacing Bastille with Little Snitch on the Mac? That's a really cool idea. Little Snitch is a little tool that runs and like tells you, hey, this new program is trying to communicate to the internet, right? That kind of thing. 
And that's a really good idea. Little Snitch is kind of a little bit like ZoneAlarm but the idea was that it has caught, it can catch maybe programs phoning home that you didn't know phoned home. We've seen that on different operating systems, different tools. What else did Little Snitch do? Little Snitch will catch some program that just, your browser all of a sudden is like, you know, talking to an IRC server. Maybe your browser just took a special kind of shellcode right up the URL. Here. Do standard users have the ability to dump anything out of NetInfo? After Bastille. After Bastille. After Bastille, the idea is standard users don't really get to NetInfo so well, so no. Yeah. I can only give you so much there. We didn't get very far with NetInfo, we got a little bit. We can make it so you can't do the password thing. Okay, next question. Right there. You had your hand up a few times. What strange and horrible way did Apple encrypt user passwords that NetInfo has a clue what length it is? You know, I don't know, that's a really good question too. I, it's SHA-1, but why would SHA-1 really wouldn't be fixed length? Is fixed, well, I mean, SHA-1 shouldn't be variable length based on past, is it? I'm not a crypto guy. I don't know, there's something weird about it, but I agreed that shouldn't, if they were MD5 and there was SHA-1ing, it should be a fixed password length so I should be able to see the password length in this. I don't know why. It looks like it was their SHA-1 implementation. Yeah, but where do they get it? Where do they, how do they know how many stars? Okay, I got eight, I got six, depending. Okay, I'll, I'll pull my laptop out in the hall, we'll find out if I'm full of, which I might just be. Okay, next question. I don't want to end on that one. Okay, next question. Somebody's got a question. You, right there. Oh, hey Kurt. That's a good question. The question is, will the same code work on the server and the laptop version? 
The answer is I have no idea. I, we're not supporting server just yet. We're not supporting server until somebody joins the Bastille project that has access to OSX Server. So if somebody wants to come forward and give us, you know, some kind of nice SSH access into your OSX Server, actually it'll probably take VNC. We'd be happy to, we'd be happy for your help. Right now we can't do anything for server. Well, we probably could. A bunch of this will probably work, but I just can't be sure. What's that? What about Darwin? I haven't actually tracked Darwin at all. That's a good question. Maybe we should go and take a look at Darwin because that's not, you know, really, really expensive. The gentleman back here says the same thing I was thinking but didn't want to say because I can't be authoritative on this one. I figured maybe Darwin stopped developing when Apple closed the source. With that said, I don't know. Okay, so I'm going to leave that one alone because that's something I'm definitely not able to speak about with conviction. In the back, yes. OpenDarwin closed their doors two weeks ago. Well, it probably was a necessary thing with the Intel switch, but it's unfortunate. Next question. Anybody else? Okay, we really are basically out of time so I'll let any other questions. I'm going to go on the hall right now. Anybody want to come talk? Let's talk.
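Two mechanics from the talk are worth seeing in code: a hardening action that can be re-run any number of times without appending the same line to a config file twice (the "run it a hundred times in a row" test), and an audit that scores a system from 0 to 10 counting only the items the policy actually hardened, so a patch that undoes one of them shows up as a drop from a perfect 10 ("skew detection"). The block below is an added illustration written for this page; it is not Bastille's own code. The config contents, the policy item names, the simulated system state and the check functions are all constructed for the example.

```python
"""Added example (not Bastille's code): idempotent hardening step plus a
policy-scoped audit score of the kind the talk describes."""
from typing import Callable, Dict, List, Tuple


def ensure_line(content: str, line: str) -> str:
    """Return `content` with `line` present exactly once.

    If the line is already there the text comes back unchanged, so running
    the action 1 or 100 times yields the same file: the idempotence test the
    talk says every Bastille action has to pass."""
    if line in content.splitlines():
        return content
    if content and not content.endswith("\n"):
        content += "\n"
    return content + line + "\n"


def harden_many_times(content: str, line: str, times: int = 100) -> str:
    """Apply ensure_line `times` times; the result must equal a single run."""
    for _ in range(times):
        content = ensure_line(content, line)
    return content


# Constructed sample config and hardening line (hypothetical file format).
SAMPLE_CONF = "# constructed sample config\nshell=/bin/sh\n"
UMASK_LINE = "umask=077"

# Constructed stand-in for the live system state the audit inspects.
BASELINE_STATE: Dict[str, object] = {
    "umask": "077",
    "telnet_enabled": False,
    "bluetooth_discoverable": False,
    "autologin": True,  # deliberately left unhardened in the policy below
}

# Policy file: which items the admin chose to harden (hypothetical names).
POLICY: Dict[str, bool] = {
    "umask_restrictive": True,
    "telnet_off": True,
    "bt_nondiscoverable": True,
    "autologin_off": False,  # not chosen, so it must not affect the score
}

# One read-only check per policy item, evaluated against a state dict.
CHECKS: Dict[str, Callable[[Dict[str, object]], bool]] = {
    "umask_restrictive": lambda s: s["umask"] == "077",
    "telnet_off": lambda s: not s["telnet_enabled"],
    "bt_nondiscoverable": lambda s: not s["bluetooth_discoverable"],
    "autologin_off": lambda s: not s["autologin"],
}


def audit(policy: Dict[str, bool],
          checks: Dict[str, Callable[[Dict[str, object]], bool]],
          state: Dict[str, object]) -> Tuple[float, List[str]]:
    """Score 0-10 over only the items the policy turned on.

    Returns (score, names of chosen items that are no longer hardened). A
    perfect 10 means nothing drifted; anything lower names the culprits."""
    chosen = [name for name, on in policy.items() if on]
    if not chosen:
        return 10.0, []
    drifted = [name for name in chosen if not checks[name](state)]
    score = 10.0 * (len(chosen) - len(drifted)) / len(chosen)
    return round(score, 1), drifted


def score_after_patch(state: Dict[str, object]) -> Tuple[float, List[str]]:
    """Simulate a patch that reset umask, then re-audit against the policy."""
    patched = dict(state)
    patched["umask"] = "022"  # constructed drift introduced by the "patch"
    return audit(POLICY, CHECKS, patched)


if __name__ == "__main__":
    once = ensure_line(SAMPLE_CONF, UMASK_LINE)
    print("idempotent:", once == harden_many_times(SAMPLE_CONF, UMASK_LINE))
    print("baseline audit:", audit(POLICY, CHECKS, BASELINE_STATE))
    print("after patch:", score_after_patch(BASELINE_STATE))
```

Running it prints a perfect 10 with no drifted items for the baseline, then 6.7 with `umask_restrictive` listed after the simulated patch; the unhardened `autologin_off` item never enters the score because the policy did not select it, which is exactly why a perfect 10 can be read as "nothing I hardened has changed".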