Section: Part VI:  Platforms and Security

Chapter 23. Macintosh

IN THIS CHAPTER

        Establishing the Macintosh as a Server

        Vulnerabilities on the Macintosh Platform

        About File Sharing and Security

        Server Management and Security

        Internal Security

        Password Crackers and Related Utilities

        Anonymous EMail and Mailbombing

        Macintosh OSX

        Tools Designed Specifically for America Online

Thousands of hacking programs exist for the Macintosh, yet many people still believe that security on the Macintosh platform isn't an issue! In the past, Macintosh news sites were such advocates for the Mac OS that they did not want any negative press for Apple. Now times have changed: security is being recognized by everyone, and posting a hacking-related story does not mean you are supporting the hackers.

Sites like mSec (http://www.msec.net), http://SecureMac.com and Freaks Macintosh Archives (http://freaky.staticusers.net/, a Mac hacker site) have reported on hacking vulnerabilities since they opened. http://Macinstein.com was one of the first sites to cover Macintosh security issues openly.

In the rest of this chapter, I will cover Macintosh security topics from internal desktop security to Internet security. For now, I want to cover some of the servers available.


Establishing the Macintosh as a Server

Today, it is common to have Macintosh computers in every environment and it is becoming more common to see them used as servers. There are many server software packages available, including IRC, FTP, Hotline, Mail, and Web.

Establishing a Macintosh Internet information server was once a pretty daunting task. Not any more. Today, there are many server suites available that will have you up and running in minutes. I list a few in Table 23.1.

Table 23.1. Popular Macintosh Server Suites and Their Locations

Server           Location
AppleShare IP    http://www.apple.com/appleshareip/
CL-HTTP          http://www.ai.mit.edu/projects/iiip/doc/cl-http/
Hotline          http://www.bigredh.com/
HomeDoor         http://www.opendoor.com/homedoor/
MacHTTP          http://www.starnine.com/machttp/machttp.html
Quid Pro Quo     http://www.socialeng.com/
WebSTAR          http://www.starnine.com/webstar/webstar.html
WebTen 3.0       http://www.tenon.com/products/webten/

Of the server suites listed, I will only go into detail on two of them, WebSTAR and Hotline.

Of the servers mentioned in Table 23.1, the one that has received the most publicity is WebSTAR, much of it about its security features. The first mainstream media attention the software package received occurred when a cash reward was offered for anyone who could penetrate the Web server. Most recently, the U.S. Army decided to switch its Web server platform to the Mac OS and run WebSTAR. Before discussing specific vulnerabilities on the Macintosh platform, I want to briefly cover that story.

WebSTAR Server Suite Recruited by U.S. Army

On September 14, 1999, StarNine (now known as 4D Inc.) announced that the U.S. Army's main Web site, http://www.army.mil, was being served by WebSTAR Server Suite software on the Mac OS. A Windows NT-based server had previously been serving the Army site when it was hacked in late June 1999 by a 19-year-old Wisconsin man.

For more information you can refer to http://www.webstar.com/press/press_releases/pr091499.html.

This sudden switchover caught everyone's attention. WebSTAR's press release was plastered all over the news, and Apple ran commercials showing Army tanks surrounding the G3 Macintosh.

Hotline for Sharing Ideas and Files

Hotline is not a Web server or email server; you do not use a Web browser to access it. Hotline is its own server and its own client. Out of all the Macintosh communities, Hotline seems to be the fastest growing network, with hundreds of servers going up monthly. Anyone can host a server, run the application, and become an administrator who can share his files with the world. Anything you want to download you can find somewhere on Hotline. Hotline was first made for the Macintosh and demand called for a Windows-compatible version, which is now also available. Let's go through some of the details.

Hotline Communications has made two products: a server that enables users to connect and a client application that enables users to chat, send messages to each other, download files, stream media, and post news.

Anyone with an Internet connection can host a server. The software is free, and with the tracker system, anyone can find a server to fit his needs. The tracker is a list of servers that are online. You can search the servers' descriptions or names to find a server that will fit your needs. Any type of file imaginable is on Hotline.

To list all the uncensored servers, open the server window and click the button Add Tracker. Enter tracked.group.org for the name and address. Refresh the list, and now you have access to anything you desire.

For a Macintosh hacking server where you can find all the hackintosh files, get the Hotline client and connect to the server Freaks Macintosh Archives. The address is fma.dhs.org:1234, or search for FMA on the tracker. From there you can talk to Macintosh hackers, programmers, and power users whose ideas exceed those of most Mac users. Plus you can talk to some of the original Macintosh hackers like The Weasel, who started the e-zine HackAddict.


Vulnerabilities on the Macintosh Platform

I will now go over some different software vulnerability issues for the Mac OS. I don't believe that you can understand security fully without understanding what the hacker uses and knows.

AtEase Access Bug

Application: AtEase 5.0

Impact: This opens documents with other programs.

Class: Not critical

Fix: Disable the programs that allow this access.

Credit: charlie chuckles

I spoke with charlie chuckles a while ago (in October 2000). He had noticed that no papers had been written on the unusual way of accessing files with AtEase, so he wrote the following:

This is a [problem] for AtEase 5.X. When I say the phrase "AtEase," it usually implies some sort of inferiority to everything else. But AtEase isn't really the problem here. It's the applications and some of their roundabout ways of opening files and the system administrator's not noticing. So I guess it sort of IS an AtEase problem by not covering every single [strange] way that programs ask for files. That was pretty deep.

The first thing I want to cover in here are the older tricks that have been on the market for a while. Everyone knows about the web browser trick (type "file:///drive name/" and read all the files on the drive). That is commonly accessible because all users are given access to some browser in their user folder. There was another trick that I'd seen using Apple Works, but I could never get it to work. I think it's because the person who wrote it was a failure with a wooden leg and real feet.

Now forward! to read/write! Let's pretend you are in a biosphere. Now let's pretend your user has access to MS Word. In version 8 (and the equivalent Excel release and probably the rest of Office) there is a find file function. Here's how to use it:

Launch MS something. File>open. Click the Find button. On the Find Window select the drive you want to search and what you want to search for. If you want all the files listed, leave the search field empty. It will take a while if there are a lot of files on the drive to be searched (4 minutes for 30,000 on beige g3s). The files will list and you can select what to open with read/write privileges.

I'm pretty sure this works because the method of opening the files was not covered in AtEase. There are other examples of this. In a graphic converter, you can go to file>browse folder and look at the drives with read/write access. Same with Netscape (read only). These are all very [strange] methods of opening and browsing the files. I'm sure there are many other applications that are like them. Keep your peepers on the screen, squire.

AtEase PowerBook 3400 Bug

Application: AtEase 4.0

Impact: Disk drives can be corrupted.

Class: Critical

Fix: Upgrade; the fix is out.

Credit: Unknown

If you have a PowerBook 3400 and you are thinking about installing At Ease 4.0, do not enable the floppy disk boot security feature. If you do, your disk volume will become permanently corrupted, and you will be unable to access the disk by any conventional means (including boot floppy, SCSI drives, CD-ROMs, or other methods).

Denial of Service by Port Overflow

Mac OS Versions: 7.1, 7.8

Impact: Attackers can down the machine by port scanning.

Class: Moderate

Fix: Get OpenTransport 1.2.

Credit: VallaH

Mac OS machines running TCP/IP and System 7.1 or System 7.8 are vulnerable to a denial of service (DoS) attack. When these machines are the target of heavy port scanning, they die (7.1 crashes, and 7.8 runs the CPU to 100% utilization). Reportedly, this was repaired in OpenTransport 1.2.

DiskGuard Bug

Application: DiskGuard

Impact: DiskGuard 1.5.3 can deny even authorized users access to their disk drives.

Class: Serious

Fix: Upgrade

Credit: Unknown

Sometimes, even security applications create security problems. Such is the case of DiskGuard, an extremely popular security program that restricts access to folders, files, and disk drives. It was quite a surprise, then, when users installed version 1.5.2 and discovered that their disk drives were no longer accessible. Macworld took DiskGuard's manufacturer, ASD Software, Inc., to task in an article that discussed the problem. The author, Suzanne Courteau, wrote the following:

Security software is supposed to keep the bad guys out, but let you in. In some cases, version 1.5.3 of ASD software's DiskGuard was preventing even a system's owner from accessing their machine. This week the company posted a patch for its security software application; version 1.5.4 fixes several compatibility problems including locked and inaccessible hard drives between DiskGuard 1.5.3 and several Mac systems. If you use DiskGuard on a PowerMac 7200, 7500, 8500, or a PowerBook 5300/5300c, ASD's technical support recommends you upgrade. The patch is available directly from ASD Software (909/624-2594) or from the ASD forum on CompuServe (Go ASD).

More solutions to regain access can be found at http://www.asdsoft.com/Support/Emergency.ssi.

ASD Software, Inc. can also be contacted at the following:

ASD Software, Inc.

4650 Arrow Highway, Ste. E-6

Montclair, CA 91763

Email: info@asdsoft.com

URL: http://www.asdsoft.com/

FWB Hard Disk Toolkit 2.5 Vulnerability

Application: FWB Hard Disk Toolkit 2.5

Impact: The protection driver can be removed to gain access to the hard drive.

Class: Serious

Fix: Upgrade

Credit: Space Rogue

In an advisory, Space Rogue explains the problem, the exploit, and the fix. In short, replace the driver for the drive. The hard disk's locking functionality then no longer fully works, and the data can be accessed.

The full advisory written by Space Rogue back in 1998 is at http://www.l0pht.com/advisories/fwb.txt.

MacDNS Bug

Application: MacDNS

Impact: MacDNS is vulnerable to DoS attacks.

Class: Moderate

Fix: None

Credit: Matt Leo

MacDNS provides Domain Name Service lookup for networks and runs on Macintosh Internet servers. Unfortunately, MacDNS will die when bombarded with requests at high speed. (The problem was initially discovered when a firewall tried to resolve forwards on each and every URL requested. This flooded the MacDNS server with thousands of requests.) This has now been confirmed as a bona fide DoS attack that can be reproduced by remote attackers. Leo suggests packet filtering. Otherwise, contact Apple for further information.

Note

Apple has released more documentation on configuration of MacDNS to allow more connections. Full documentation can be found at Apple's Web site, http://til.info.apple.com/techinfo.nsf/artnum/n22035?OpenDocument&software.

 

Network Assistant

Application: Network Assistant

Impact: Remote users can access your drives and network.

Class: Serious

Fix: Change the default password.

The default password for Network Assistant is "ZYZZY". Do us all a favor; change the password so it is not the default.

Password Security on Mac OS 8.0 Upgrades

System: Mac OS 8.0 with PowerBooks 2400 and 3400

Impact: Password protection will not work.

Class: Serious

Fix: Find patch at http://til.info.apple.com/techinfo.nsf/artnum/n26056.

Credit: Apple

If you install 8.0 over earlier versions, the Password Control Panel is disabled, and password protection will not work. To remedy this, either install the patch or install 8.0 clean and keep an earlier version with which to boot. Whenever you want to adjust the password settings, boot with the earlier version.

Sequence of Death and WebStar

Application: WebStar and NetCloak combined (not WebStar alone)

Impact: WebStar servers with NetCloak can crash after receiving the Sequence of Death.

Class: Serious

Fix: Remove NetCloak or order an upgrade.

Credit: Jeff Gold

This is a garden-variety DoS vulnerability in early WebStar releases, and has nothing to do with Apple. (In fact, this hole can only be reproduced on a server that is also running NetCloak.) Gold found that if you append certain strings to a URL, the WebStar server will crash. Macworld ran a story on this hole, and the folks at that magazine did some testing themselves:

For Mac Webmaster Jeff Gold, frustration turned to alarm when he realized that a mere typo caused his entire Mac-served site to crash. Gold's crash occurred while he was using StarNine's WebStar Web server software and the plug-in version of Maxum Development's NetCloak 2.1, a popular WebStar add-on. Adding certain characters to the end of an URL crashes NetCloak, bringing down the server. To protect the thousands of sites using NetCloak, neither Gold nor Macworld will publicly reveal the character sequence, but it's one that wouldn't be too difficult to enter. After further investigation, Macworld discovered that the problem surfaces only when a server runs the plug-in version of NetCloak. When we removed the plug-in and used the NetCloak CGI instead, the Sequence of Death yielded only a benign error message.

The previous paragraph is excerpted from an article by Jim Heid, titled Mac Web-Server Security Crisis: Specific Character Sequence Crashes Servers. It can be found online at http://macworld.zdnet.com/daily/daily.973.html.

NetCloak is manufactured by Maxum Development. You can contact Maxum for upgrade information:

Maxum Development Corporation

P.O. Box 315

Crystal Lake, IL 60039

Phone: 815-444-0100

Fax: 815-444-0301

Email: info@maxum.com

URL: http://www.maxum.com/


About File Sharing and Security

File sharing is yet another security problem in Mac OS. The degree of the problem depends on what disks and resources are shared out. The Macintosh file sharing system is no less extensive (nor much more secure) than that employed by Microsoft Windows 98.

Sharing can be complex. Your choices will depend on the trust relationships in your organization. Making poor choices can be costly over time. For example, one of my clients runs a telephone solicitation room. In his business, advertising leads are everything. And, because people routinely defect from one company to another, he wanted to take every possible step to secure his databases.

Unfortunately, his network (which included many Macintoshes) was poorly organized. Salespeople had the same level of database access that the copy department did. This allowed salespeople to walk off with valuable ad leads. (And, within several weeks of a defection, his advertisers would be hammered with calls from rival telephone solicitors.)

The programmer who originally set up the network wrote custom client applications for the sales department, which was okay, but he shared out the central file server to everyone. (In other words, clients sent their queries to the file server, and all requests were processed there.) People had been using the system that way for years, and no one wanted to change. My client was in a jam. Ultimately, we solved the problem by building him an intranet. The database was moved to a Web server, and I had my co-workers replicate the client interface in HTML.

To prevent disasters like that, you should carefully plot out sharing privileges at the time of installation. (And, naturally, if you don't need file sharing, turn it off. Later in this chapter, I examine programs that can block unauthorized access to folders and control panels, so you can ensure that sharing stays off.) However, perhaps the most important step you can take to keep a Macintosh network secure is this: Educate your users.

Macintosh users are not security fanatics, but that's no crime. Still, a lot of UNIX and Windows NT users ridicule Macintosh users, claiming that they know little about their architecture or operating system. With Apple's release of Mac OSX in 2001, which is based on the BSD platform, that will change. However, we are sure to find new holes and will include OSX as one of many vulnerable platforms. The operating system wars crop up endlessly on Usenet. However, I'll tell you a secret: It's not what operating system you use, but the productivity you demonstrate when using it. The same people who criticize Macintosh users often spend hours (or even days) trying to get their 800MHz machines (and 24meg video cards) to work. They struggle with Plug and Play (which doesn't) and can usually be found with the hood off their box, their hands pressed deep into an endless mess of cables and cards. In contrast, I have only twice seen any of my Macintosh clients with the tops down on their rigs. So, if you use a Macintosh, more power to you.

However, Macintosh users are not very security conscious, and that's a fact. So, anything you can do to change that is wonderful. At the very least, each user should establish a strong password for himself as the owner of the machine. (Macintosh passwords are subject to attack the same as any other password on other platforms.) Finally (and perhaps most importantly), guest access privileges should be set to inactive.

Mac OS 9 File Security

Mac OS 9 offers many more security features. One of the more notable is the ability to encrypt and decrypt files using a 56-bit key.

You can encrypt your files on-the-fly. To do so, open the Apple File Security program located in the security folder within the Application folder on the hard disk.


Server Management and Security

Establishing a Web server is a formidable task, but it's nothing compared to maintaining one. This is especially so if the Web server is only a small portion of your network, or if you have to dole out different security privileges to different departments or clients.

There are two paths you can take:

        Hire out for custom programming

        Rely on third-party applications

Custom programming is expensive and time-consuming. If you want to throw up a few Web servers and manage them remotely, I recommend using prefabricated tools for this task. And, if your environment is predominantly Macintosh, the applications that follow are indispensable.

EtherPeek by WildPackets, Inc.

WildPackets, Inc.

2540 Camino Diablo, Suite 200

Walnut Creek, CA 94596

Phone: 800-466-2447

Email: info@wildpackets.com

URL: http://www.wildpackets.com/

WildPackets, Inc., formerly known as AG Group, has the most outstanding network utility around. EtherPeek is a protocol analyzer for Macintosh that supports a wide range of protocols, including but not limited to the following:

        IP

        AppleTalk

        Netware

        IPX/SPX

        NetBEUI

        NetBIOS

        DECnet

        SMB

        OSI TARP

EtherPeek is not your run-of-the-mill protocol analyzer but a well-designed commercial sniffer. It includes automatic IP-to-MAC translation, multicasts, real-time statistics, and real-time monitoring. EtherPeek also includes integrated support for handling the LAND denial of service attack that recently took down so many servers. If you are in a corporate environment, this would be a wise purchase.

InterMapper 3.0 by Dartmouth Software Development

Dartmouth Software Development

Dartmouth College

6028 Kiewit Computer Center

Hanover, NH 03755-3523

Phone: 603-646-1999

Email: Intermapper@dartmouth.edu

URL: http://www.dartmouth.edu/netsoftware/intermapper/

InterMapper (developed by Bill Fisher and Rich Brown) is an excellent tool that can save Macintosh system administrators many hours of work. The application monitors your network for possible changes in topology or failures in service. (Network management is achieved using the Simple Network Management Protocol.)

One especially interesting feature is InterMapper's capability to grab a network snapshot. This is a graphical representation of your network topology. (Network topology is more or less automatically detected, which saves a lot of time.) InterMapper even enables you to distribute snapshots across several monitors for a widened view.

The network snapshot is extremely detailed, enabling you to quickly identify routers that are down or having problems. (You can actually specify how many errors are permissible at the router level. When a particular router exceeds that limit, it is flagged in a different color.) Clicking any element (whether machine or router) will bring up information boxes that report the element's IP address, the traffic it's had, how many errors it's had, and so forth. If there has been trouble at a particular node, you will be paged immediately. In all, InterMapper is a very complete network analysis and management suite.

InterMapper provides simultaneous support for both AppleTalk and IP. Check out the demo version at http://www.dartmouth.edu/netsoftware/intermapper/demoForm.html.

MacPork 3.0

MacPork is a small program that enables you to scan a server to track down holes and exploit them. MacPork scans for more than 271 vulnerabilities and retrieves passwords and information in 175 different manners. MacPork has been designed to find 177 Trojans installed on different servers. MacPork includes an intelligent search engine that can find potentially exploitable servers in two seconds. MacPork knows 66 ways to overflow a system and 86 holes in UNIX protocols (FTP, SMTP, NetBIOS, Finger, Rservices, and RPC). If you are lazy, you can launch 30 simultaneous scans and go to bed. A few hours later, you will have a detailed log. MacPork runs in the background, so that you can do everything else during a scan. An exclamation point icon ("!") in a little window will alert you if MacPork finds something.

Notice that this application is no longer in development; watch the Web site http://freaky.staticusers.net/ for new information.

MacRadius by Cyno

Cyno Technologies, Inc.

1082 Glen Echo Avenue

San Jose, CA 95125

Phone: 408-297-7766

Email: CynoTek@cyno.com

URL: http://www.cyno.com/

RADIUS technology is imperative if you run an ISP or any system that takes dial-in connections. Management of user dial-in services can be difficult, confusing, and time consuming. That's where RADIUS comes in. Authors of the RADIUS specification describe the problem and solution as follows:

Since modem pools are by definition a link to the outside world, they require careful attention to security, authorization and accounting. This can be best achieved by managing a single "database" of users, which allows for authentication (verifying user name and password) as well as configuration information detailing the type of service to deliver to the user (for example, SLIP, PPP, telnet, rlogin). RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.

To learn more about RADIUS, you should obtain RFC 2058, which is located at http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2058.txt.

In short, RADIUS offers easy management of a centralized database from which all dial-in users are authenticated. RADIUS implementations also support several different file formats, including native UNIX passwd files. Lastly, RADIUS implementations offer baseline logging, enabling you to determine who logged in, when, and for how long.
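The request/response exchange described above, as an added example that is not from the book or from MacRadius: a dial-in server builds an Access-Request, the RADIUS server checks it against its user database and returns the service configuration, and the client verifies the reply. It follows the packet layout and User-Password hiding of RFC 2865 (the current revision of the RFC 2058 text cited above); the shared secret, user record, and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 6, 7

# Constructed sample data: the shared secret and user database are assumptions.
SHARED_SECRET = b"example-shared-secret"
USERS = {"alice": {"password": b"correct horse",
                   "service_type": 2,       # Service-Type 2 = Framed
                   "framed_protocol": 1}}   # Framed-Protocol 1 = PPP


def _xor_blocks(data, secret, authenticator, hiding):
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, pad))
        out += xored
        prev = xored if hiding else block   # always chain on the ciphertext
    return out


def hide_password(password, secret, authenticator):
    """Pad to a multiple of 16 bytes (at least one block) and hide it."""
    size = max(16, -(-len(password) // 16) * 16)
    return _xor_blocks(password.ljust(size, b"\x00"), secret, authenticator, True)


def reveal_password(hidden, secret, authenticator):
    if not hidden or len(hidden) % 16:
        raise ValueError("malformed User-Password attribute")
    return _xor_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident, user, password, secret):
    """Client (NAS) side: the request authenticator is 16 random bytes."""
    authenticator = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def handle_request(packet, secret, users):
    """Server side: authenticate, then return service configuration."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:])
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("missing User-Name or User-Password")
    user = users.get(attrs[USER_NAME].decode("utf-8", "replace"))
    supplied = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    if user is not None and hmac.compare_digest(supplied, user["password"]):
        reply_code = ACCESS_ACCEPT
        reply_attrs = (
            attr(SERVICE_TYPE, struct.pack("!I", user["service_type"]))
            + attr(FRAMED_PROTOCOL, struct.pack("!I", user["framed_protocol"])))
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    # Response authenticator binds the reply to the request and the secret.
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs


def read_reply(reply, request, secret):
    """Client side: reject replies that were not produced with the secret."""
    if len(reply) < 20:
        raise ValueError("short reply")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(
        reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if (length != len(reply) or ident != request[1]
            or not hmac.compare_digest(expected, reply[4:20])):
        raise ValueError("reply failed the authenticator check")
    return code, parse_attrs(reply[20:])


if __name__ == "__main__":
    req = build_access_request(1, b"alice", b"correct horse", SHARED_SECRET)
    reply = handle_request(req, SHARED_SECRET, USERS)
    print(read_reply(reply, req, SHARED_SECRET))
```

Everything here rests on the shared secret: it is the only thing hiding the password and authenticating the reply, so it should be long, random, and unique per dial-in server.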

If you've ever dreamed of having RADIUS functionality for Mac OS, MacRadius is for you. It is a very refined application, offering you the ability to build complex group structures. In this way, adding new users (and having those new users automatically inherit the attributes of other users) is a simple task. And, of course, all of this is packaged in an easy-to-use, graphical environment characteristic of Macintosh applications.

Network Security Guard

MR Mac Software

P.O. Box 910091

San Diego, CA 92191-0091

Download: http://freaky.staticusers.net/network/NetworkSecurityGuard.sit.hqx

Have you ever dreamt about SATAN for Mac OS? What about a program that would automatically scan your Mac OS hosts for security vulnerabilities? If so, you need to get Network Security Guard.

Network Security Guard operates over AppleTalk and checks for the following:

        Default passwords

        Accounts without passwords

        File sharing

        File permissions

But wait. There's more. Network Security Guard has a brute force password cracking utility so you can test the strength of network passwords. And your reports can be formatted in several ways and forwarded to you over the network. Lastly, you can schedule timed security assessments. All these features make Network Security Guard a great choice. It can save you many hours of work. (Sorry, this application is a commercial one, not shareware. However, it's well worth the cost.) No official Web site for this product has been found. I'm sure MR Mac is still willing to accept money for the commercial product via U.S. Postal Service.

Oyabun Tools

http://Team2600.com

Email: sixtime@team2600.com

URL: http://www.team2600.com/

Oyabun Tools, released by Team2600, is an application you can use to send remote commands to control your Mac. For example, if you notice your Macintosh server is slowing down and you are not at the office to reboot it, you can use Oyabun Send to restart the machine. This program does not require any installation; just double-click! Oyabun Tools consists of two products:

Oyabun Send lets you send shutdown/restart/sleep commands over the Internet to other Macs that already have Oyabun Tools Pro installed.

Oyabun Tools Pro lets you send shutdown/restart/sleep commands to other Macs over the Internet. It also lets you set up Macs to receive these commands. This package has everything that comes in the Oyabun Send package.

Silo 1.0.4

Silo, created by Logik, a Macintosh security guru, is a remote system analysis tool designed for security and administrative evaluation purposes. It features full documentation; remote concept password and file structure generation; network mapping; OS fingerprinting; and remote system, client, administrative, domain, protocol, and network analysis and monitoring.

Logik's home page can be found at http://logik.accesscard.org/. Download Silo from http://freaky.staticusers.net/update.shtml.

Timbuktu Pro 2000

Netopia, Inc.

2470 Mariner Square Loop

Alameda, CA 94501

Email: pfrankl@netopia.com

URL: http://www.netopia.com/

Timbuktu Pro 2000 for Mac OS is a powerful and versatile remote computing application. Although not specifically a security program, Timbuktu Pro is a valuable tool for any Web administrator. Timbuktu Pro currently supports TCP/IP, AppleTalk, IPX, and Open Transport. Through these protocols, you can remotely manage any box (or series of them).


Internal Security

Internal security is one of the most important parts of security. Even if your computer is secure from others on the Internet, if someone sits down at your computer for 10 minutes while you are out, your computer is at risk. All your data can be stolen, or your computer can be compromised.

BootLogger

BootLogger is one of the simpler security applications. It basically reads the boot sequence and records startups and shutdowns. It is not a resource-consuming utility. I suggest using this utility first. If evidence of tampering or unauthorized access appears, then I would switch to Super Save.

BootLogger is available at http://freaky.staticusers.net/security/BootLogger.sit.hqx.

DiskLocker

DiskLocker is a utility that write-protects your local hard disk drive. Disks are managed through a password-protected mechanism. (In other words, you can only unlock the instant disk if you have the password. Be careful not to lock a disk and later lose your password.) The program is shareware (written by Olivier Lebra in Nice, France) and has a licensing fee of $10.

DiskLocker is available for download from ftp://ftp.amug.org/.

Empower by Magna

Magna

1999 S. Bascom, Ste. 700

Campbell, CA 95008

Phone: 408-879-7900

Fax: 408-879-7979

Email: sales@magna1.com

URL: http://www.magna1.com/

Empower offers powerful access control for the Macintosh platform, including the ability to restrict access to both applications and folders.

Ferret

Ferret is a small application that quickly gathers all important information (logins/passwords) from a system by descrambling all passwords into plaintext. It is meant to be used with a startup disk, or when you only have a few seconds of access to the machine. You can also drag and drop preferences onto it to get the information you want from a particular file (for example, when you are only able to access a preference file, and cannot directly access the machine).

Ferret can gather important information from preference files on any mounted volume, including AppleShare mounted hard drives. Ferret can discover logins and passwords stored in any of the following applications: FreePPP, MacSLIP, OT/PPP (ARA), Internet Control Panel (Internet Config), Netscape Communicator, Eudora, AIM, ICQ, Gerry's ICQ, Apple File Sharing Registry (Users & Groups), Carracho Bookmarks/Server Data Files, and Hotline Bookmarks/Server Data Files.

Ferret can be downloaded from http://freaky.staticusers.net/hacking-misc/Ferretv0.0.1b4.sit.

Filelock

Filelock is a little more incisive than DiskLocker. This utility will actually write-protect individual files or groups of files or folders. It supports complete drag-and-drop functionality and will work on both 68K and PPC architectures. It's a very handy utility, especially if you share your machine with others in your home or office. It was written by Rocco Moliterno of Italy.

Filelock is available from http://hyperarchive.lcs.mit.edu/HyperArchive/Archive/disk/filelock-132.hqx.

FullBack

Highwinds Trading Company, LLC

Telephone: 302-761-9824

Email: support@highwinds.com

URL: http://www.highwinds.com/

Highwinds has been creating security/encryption products since 1999. FullBack is a secure, easy-to-use archiving and backup program. The deluxe version provides 512-bit randomly generated encryption keys. Product information is available at http://www.highwinds.com/BackupSystem.html.

Invisible Oasis

Invisible Oasis is a keystroke logger. This application records everything typed into a daily log. The extension installed is invisible, as is the folder where the logs are kept. To see whether you have this extension installed, use a program such as Apple ResEdit and go to Get Info. Go into your preference folder, which is in your system folder. Get info on the hidden folder and unhide. You can open the logs with any text-editing program.

Invisible Oasis is available for download at http://freaky.staticusers.net/security/keyloggers/InvisibleOasis_Installer.sit.

ResEdit can be found by searching for it on http://www.VersionTracker.com.

KeysOff and KeysOff Enterprise

Blue Globe Software

P.O. Box 8171

Victoria, British Columbia

V8W 3R8, Canada

Email: cliffmcc@blueglobe.com

URL: http://www.blueglobe.com/~cliffmcc/products.html

KeysOff enables you to lock out certain keys, preventing malicious users from accessing the menu bar, mouse clicks, the power key, and command-key shortcuts. (The program also prevents unauthorized users from loading disks.) This is one of the most simple, cost-effective, and useful security programs available.

LockOut

Maui Software

Email: development@mauisoftware.com

URL: http://www.mauisoftware.com/#LockOut

LockOut is an easy-to-use application. It does not offer full security but is cost effective.

MacPassword

The industry standard for full password protection on Mac OS, MacPassword is a fully developed commercial application. It not only provides multiple levels of password protection (for both disk and screen), but it also incorporates virus scanning technology. It's definitely worth the money. However, you can always check it out free. The demo version is available at many locations across the Internet. MacPassword is available from ftp://rever.nmsu.edu/pub/macfaq/MacPasswordDemo.sit.bin.

OnGuard Emergency Passwords

Several security programs use emergency passwords. These are passwords generated by the program in case the admin forgets his password. They usually give the user complete access to a computer.

In theory, you'll need all sorts of software registration information for the software vendor to give away the emergency password. In reality, you only need to find the algorithm used to be able to generate the emergency password.

nOGuard is a program that generates emergency passwords for PowerOn Software's OnGuard 3.1 and 3.3. It was created by Prozaq of mSec.

The most up-to-date version is available for download at http://freaky.staticusers.net/security/onguard/nOGuard2.sit.

Password Key

CP3 Software

P.O. Box 4722

Huntsville, AL 35815-4722

Email: carl@cp3.com

URL: http://www.cp3.com/

Password Key logs unauthorized access attempts, locks applications, and temporarily suspends all system operations until a correct password is supplied.

Password Security Control Panel Emergency Password

PowerBook users can use the Password Security Control Panel to protect their computers. Displaying a dialog box that requests a password every time the hard drive is mounted, Password Security provides a convenient security measure.

As pointed out by a previous advisory, Password Security generates an emergency password every time it displays the password dialog box. This emergency password gives the same access level to the laptop as the owner's password does.

This is, of course, a huge security breach, allowing anyone who can figure out the emergency password to access the computer and even to change the owner's password. The program PassSecGen (created by Prozaq, a member of the Macintosh security group mSec) generates the emergency passwords for the PowerBook security control panel.

The most up-to-date version of the Password Security Generator is available for download at http://freaky.staticusers.net/security/powerbook/PassSecGen1.0.sit.

Secure-It Locks

Secure-It, Inc.

18 Maple Court

East Longmeadow, MA 01028

Phone: (800) 451-7592 or 413-525-7039

Email: secure-it@secure-it.com

URL: http://secure-it.com/

Secure-It, Inc., provides physical security products for the Macintosh, including disk drive locks. These prevent anyone from loading unauthorized code onto your machine while you're away from your console. (They make them for PowerBooks, too.)

Super Save 2.02

For the ultimate paranoiac, Super Save will record every single keystroke forwarded to the console. However, in a thoughtful move, the author chose to include an option with which you can disable this feature whenever passwords are being typed in, thus preventing the possibility of someone else later accessing your logs (through whatever means) and getting that data. Although not expressly designed for security's sake (more for data crash and recovery), this utility provides the ultimate in logging.

Super Save is available at ftp://ftp.amug.org/pub/amug/bbs-in-a-box/files/recent/supersave-2.02.sit.hqx.


Password Crackers and Related Utilities

The following utilities are popular password crackers or related utilities for use on Macintosh. Some are made specifically to attack Macintosh-oriented files. Others are designed to crack UNIX password files. This is not an exhaustive list, but rather is a sample of the more interesting tools freely available on the Internet.

Note

Many of the applications that crack FileMaker Pro files are version specific. There has not been a crack for recent versions of FileMaker Pro in years. If you find an old FMP file on disk and it is protected, the FMP-cracking applications in this section would be useful.

FirstClass Thrash!

This is an interesting collection of utilities, primarily designed for the purpose of conducting warfare over (or against) a FirstClass BBS. It has features that could be easily likened to Maohell. These include mailbombing tools, denial of service tools, and other assorted scripts useful in harassing one's enemies. It's primarily used in warfare.

FirstClass Thrash! is located at http://freaky.staticusers.net/attack/FCThrash.sit.

FMP Password Viewer Gold 2.0

FMP Password Viewer Gold 2.0 is another utility for cracking FileMaker Pro files. It offers slightly more functionality (and is certainly newer) than FMProPeeker 1.1.

FMP Password Viewer Gold 2.0 is available at http://freaky.staticusers.net/cracking/FMP3.0ViewerGold2.0.sit.hqx.

FMProPeeker 1.1

This utility cracks FileMaker Pro files. FileMaker Pro is a database solution from Claris (http://www.claris.com). Although more commonly associated with the Macintosh platform, FileMaker Pro now runs on a variety of systems. It is available for shared database access on Windows NT networks, for example. In any event, FMProPeeker subverts the security of FileMaker Pro files.

FMProPeeker is available at http://freaky.staticusers.net/cracking/FMProPeeker.sit.hqx.

Killer Cracker

Killer Cracker is a Macintosh port of Killer Cracker, a password cracker formerly run only on DOS- and UNIX-based machines.

MacKrack

MacKrack is a port of Muffet's famous Crack 4.1. It is designed to crack UNIX passwords. It rarely comes with dictionary files, but still works quite well and makes cracking UNIX /etc/passwd files a cinch. (It has support for both 68K and PPC.)

MacKrack is located at http://freaky.staticusers.net/cracking/MasterKrack1.0b14.sit.

MagicKey 3.2.3a

Made by System Cowboy of the hacker group Digital-Rebels.org, MagicKey is a password-auditing tool for AppleTalk. The application audits an AppleTalk user's file for weak passwords or no passwords with the brute-force method.

MagicKey3.2.3a can be downloaded from http://freaky.staticusers.net/security/auditing/MK3.2.3a.sit.

MasterKeyII

MasterKeyII is yet another FileMaker Pro cracking utility.

MasterKeyII is available at the following site in Las Vegas: http://freaky.staticusers.net/cracking/MasterKeyII1.0b2.sit.hqx.

McAuthority

McAuthority is a password-security application that uses brute force to attack a server to gain access to the password-protected areas. This application was made by nulle, one of the greatest Mac hack programmers. His Web site went down, and I have not been able to get in contact with him.

McAuthority can be downloaded from http://freaky.staticusers.net/jp/McAuth1.0d6-FAT.sit.

Meltino

Meltino is a sleekly designed UNIX password cracker by the Japanese programmer nulle. This is one of the most popular Macintosh UNIX password crackers. This application supports MD5 encryption as well as DES encryption. Meltino also supports the UltraFastCrypt (UFC) algorithm.

Meltino 2.0.1 can be downloaded at http://freaky.staticusers.net/cracking/Meltino/Meltino2.01_PPC.sit.bin.

PassFinder

PassFinder is a password-cracking utility used to crack the administrator password on older FirstClass systems. This is an important utility as many FirstClass Bulletin Board Systems (BBS) are still running older versions of the software because of the cost of upgrades. The program suite FirstClass is a gateway system, commonly used for serving email, UUCP, and even news (NNTP). In essence, FirstClass (which can be found at http://www.softarc.com/) is a total solution for mail, news, and many other types of TCP/IP based communication systems. It is a popular system on the Mac OS platform. (It even has support for Gopher servers and FTP and can be used to operate a full-fledged BBS.) Because FirstClass servers exist not only on outbound Internet networks, but also on intranets, PassFinder is a critical tool. By cracking the administrator password, a user can seize control of the system's incoming and outgoing electronic communications. (However, this must be done on the local machine. That is, the user must have access to the console of the instant machine. This is not a remote cracking utility.)

PassFinder is available at http://www.neverness.net/archives/hacking/applications/PassFinder.sit.

Tip

Apparently, FirstClass 2.7 does not provide a facility for recording or logging IP addresses. (Reportedly, this simple hole exists in earlier versions.) Therefore, an attack on such a server can be performed in a fairly liberal fashion.

 

Password Killer

Password Killer is designed to circumvent the majority of PowerBook security programs.

Password Killer (also referred to as PowerBook Password Killer) can be found online at http://freaky.staticusers.net/cracking/Passwordkiller.sit.hqx.


Anonymous Email and Mailbombing

Sometimes you have to send anonymous email. There are things you don't want people seeing and knowing it came from you. Caem lets you send mail anonymously.

Logik, the programmer of Caem, takes his work seriously and updates the program often. You can find updates and news at http://freaky.staticusers.net/reviews/caem3.html.

Mailbombing is the act of sending a lot of email to a person to flood his mailbox. One of the newest, more effective mailbombers is entitled Bomba. I do not suggest sending a mailbomb to anyone. Try sending it to yourself to see how it works. If you have ever received a mailbomb, you understand.

Bomba is available for download at http://www.team2600.con or at http://freaky.staticusers.net/attack/mailbombing/bomba.sit.


Macintosh OSX

With the release of Mac OSX, we will be seeing a lot of new security vulnerabilities. Sites like http://SecureMac.com will be sure to cover them.

A few security applications are already out for the new OS, such as Brian Hill's firewall configuration utility BrickHouse. With the OS X interface, you can edit the firewall settings to allow or deny specific ports and IP addresses. For a review, go to http://www.securemac.com/brickhouse.cfm.

I suggest reading the document by Peter Heins titled Secure Installation of OSX at http://www.securemac.com/osxsecurity.cfm.

Apple has also prepared an article on making OSX a bit more secure. It is located at http://til.info.apple.com/techinfo.nsf/artnum/n60112.

Apple's OSX is sure to open new opportunities for hackers since the OS is based on the BSD (UNIX) platform. Sites like http://www.securityfocus.com will list security issues that affect Mac OSX because of the structure of the BSD platform.


Tools Designed Specifically for America Online

I remember back in the days when AOL was well known for its rooms like MacFilez, MacWarez, and Zelifcam. All those were warez chat rooms on AOL where users and groups such as NEO would freely trade illegally registered files also known as warez. After the Internet was integrated into AOL 3.0 and crackdowns happened, everyone moved off of AOL to Hotline and IRC. All the tools and scripts that were used are at one location: http://freaky.staticusers.net/aol/. I don't suggest using these programs. Your AOL account might be terminated because, in using these programs, you might violate their terms of service agreement.


Summary

In general the Mac OS is more secure than other operating systems because the main security focus in recent years has been on other platforms.

But be careful in thinking that your Macintosh is secure! For every hack that exists for the PC, there is an equivalent hack for the Mac OS. Don't believe me? Take a look at the Mac Hacking CD-ROM Freaks Macintosh Archives Hackintosh v1. It's packed with hacking and security tools, as well as with their exploits, and textfiles to learn more. The CD-ROM even has the Macintosh Security speech from Defcon 7 (a yearly hacking conference held in Las Vegas) in mp3 and Real Video. And with the release of Mac OS X, we are bound to find many more security holes.


Resources

The following list of resources contains important links related to Macintosh security. You'll find a variety of resources, including books, articles, and Web sites.

Books and Reports

Secure Installation of OSX. This article written by mpetey@securemac.com is a good paper to have on hand when installing OSX. Security will become more of an issue as the hackers get to play around with OSX. The article is available at http://www.securemac.com/osxsecurity.cfm.

The $10,000 Macintosh World Wide Web Security Challenge: A Summary of the Network and the Attacks. Chris Kilbourn. digital.forest. (Formatting provided by Jon Wiederspan.) Available at http://www.forest.net/news/challenge.html.

Macintosh Security Auditing. This article explains different tools that can be used to audit your network for security problems. One of the main points of the article is that commercial auditing programs do not exist for the Macintosh, so you can use the efficient, free tools that were made by hackers. The article is at http://www.securemac.com/secauditing.cfm.

Macintosh Security Internet Basics. http://Sans.org published this excellent white paper. Written by Patrick Harris, this document covers the basics of Macintosh security. It can be viewed at http://www.sans.org/infosecFAQ/mac_sec.htm.

Macs & CableModems. Everyone has heard about the security issues of cable modems and that cable modem networks are easy targets to be scanned. If you use a cable modem at home or at work, read up on this issue at http://www.securemac.com/secauditing.cfm.

Make Your Mac Hacker-Proof. An excellent article to motivate users to use firewall software to protect their Macintoshes. Also includes some safety strategies for configuration of the firewall. See it at http://macworld.zdnet.com/2000/07/features/online_security_sb2.html

Connections and Protections Cable and DSL Connections and Security Measures. Peter N. Heins (mpetey@securemac.com) describes the difference between DSL and cable and covers security aspects of what the snoopers can see and how. http://www.securemac.com/dslcable.cfm

Apple has set up a developer area devoted to implementation of security on its Web site, http://devworld.apple.com/Mac OS/security.html.

Many firewall documents for the Mac OS can be found at the Firewall Guide Mac OS section, http://www.firewallguide.com/macintosh.htm.

How Macs Work. John Rizzo and K. Daniel Clark. Ziff-Davis Press. 1-56276-146-3.

Voodoo Mac. Kay Yarborough Nelson. Ventana Press. 1-56604-028-0.

Sad Macs, Bombs, and Other Disasters. Ted Landau. Addison-Wesley Publishing Company. 0-201-62207-6.

The Whole Mac Solutions for the Creative Professional. Daniel Giordan, et al. Hayden Books. 1-56830-298-3. 1996.

Building and Maintaining an Intranet with the Macintosh. Tobin Anthony. Hayden Books. 1-56830-279-7. 1996.

Sites with Tools and Munitions

Freaks Macintosh Archives. Warez, security, cracking, hacking. http://freaky.staticusers.net/

CIAC U.S. Department of Energy. http://ciac.llnl.gov/ciac/ToolsMacVirus.html

http://SecureMac.com security site. http://www.securemac.com/

Macman's Mac site. http://www.macman.net/

http://Neverness.net. hacking, phreaking, crypto. http://www.neverness.net/

AOL Specific Tools. Hacking and cracking utilities for use on America Online. http://freaky.staticusers.net/aol/

Hacking Mac's Heaven! Hacking and cracking tools and links from the Netherlands. http://macheaven.terrashare.com/

E-Zines

Macinstein. The ultimate Macintosh resource site on the Net. Search engine, Daily Mac News, Sherlock plug-in, press releases, top sites, message boards, polls, contests and more! Macinstein now has free Web pages for Mac enthusiasts. http://www.macinstein.com/

MacCentral. Extensive and very well presented online periodical about Macintosh. http://www.maccentral.com/

Macintosh Networking Guide. Good http://About.com Networking guide for the Mac OS. Try setting up your own small network with the help of this article! http://machardware.about.com/compute/machardware/msubnetworkguides.htm

MacHome Journal Online. Good, solid Internet magazine on Macintosh issues. http://www.machome.com/

http://SecureMac.com. Macintosh security news and advisories. http://www.securemac.com/

MacAssistant Tips and Tutorial Newsletter and User Group. A very cool, useful, and, perhaps most importantly, brief newsletter that gives tips and tricks for Mac users. Commercial, but I think it is well worth it. A lot of traditional hacking tips on hardware, software, and special, not-often-seen problems. These are collected from all over the world. $12 per year. http://www.macassistant.com/

http://macfixit.com. Troubleshooting solutions for the Macintosh. If there's an issue with anything Macintosh related, you'll find it here. This site has very active, responsive message boards for good technical interaction. http://www.macfixit.com/

MacDirectory. This full-color magazine with daily e-news featuring press releases, news, product info, and much more is a must for all true Mac peepz. It frequently covers security issues dealing with firewalls and networking.

MacSlash. MacSlash is a well-organized Macintosh-specific site. This site utilizes the Slashcode, which is the same code used by Slashdot.org. Well worth a daily visit! http://www.macslash.com/.

MacTech. Well-presented and important industry and development news. You will likely catch the latest dope on new security releases here first. Also, some very cool technical information. http://www.mactech.com/

Happle. The Macintosh underground e-zine dedicated to Macintosh hacking, warez, and much more: 11 issues of jam-packed Happle! This publication was started by a Macintosh hacker named hackmak, and then soon after taken over by Jambo. Jambo is the only Mac hacker I know who wears a skirt. Seriously though, Jambo is from Scotland, and he plays a bagpipe. To this day, his e-zine Happle is the most downloaded Mac hack zine around. Each issue is filled with articles ranging from coding, phreaking, and cellphones to hacking, cheats, and warez. If you're interested in Macintosh hacking, this would be a good site to read. http://freaky.staticusers.net/textfiles/zines/Happle/ or http://jambo.accesscard.org/

Enterprises - Maximum Security