Activates user accounting.
A syslog action determines what happens to an incoming log message if it matches a selector in the configuration file. Actions can write to files and devices, forward the messages to remote log servers, and notify logged-in users.
Apple Filing Protocol. The protocol behind Mac OS X personal file sharing.
An enterprise-class Open Source Web server that is usually documented in 1000+ page tomes. Included in Mac OS X as "Personal Web Sharing" and configured with an on/off button.
Address resolution protocol. Used to map an IP address to the Ethernet MAC address of the host that owns it on the local network.
Command-line tool for listing and manipulating (such as setting up a static ARP mapping) a Mac OS X computer's ARP cache.
The act of creating invalid ARP table entries by ARP spoofing, that is, sending forged ARP replies so that a victim's cache maps an IP address (typically the gateway's) to the attacker's MAC address. Often the first step of a man-in-the-middle attack.
A third-party tool for monitoring and logging ARP advertisements on a network.
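The check such a monitor performs, as an added example (this is not code from the book or from the tool itself): it replays a constructed list of ARP replies, reports every IP address whose MAC changes, and lists MACs that end up claiming more than one IP, which is the usual footprint of a man-in-the-middle that poisons both a victim and the gateway. The addresses and timestamps are constructed.

```python
"""Detect ARP cache poisoning from observed ARP replies (arpwatch-style).

Added example, not from the book or from arpwatch. It replays a constructed
list of ARP replies and reports every IP whose MAC changes, plus MACs that
end up claiming more than one IP.
"""
from collections import defaultdict


def watch_arp(replies):
    """replies: iterable of (time, ip, mac). Returns (alerts, final_table).

    final_table is what a victim's ARP cache would hold after the replay.
    """
    table = {}                   # ip -> mac currently believed
    history = defaultdict(list)  # ip -> distinct macs seen, in order
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        prev = table.get(ip)
        if prev is None:
            alerts.append((t, "new station", ip, mac))
        elif prev != mac:
            # A return to a MAC seen before is the classic "flip flop" of a
            # real host and an attacker fighting over the same IP.
            kind = "flip flop" if mac in history[ip] else "changed ethernet address"
            alerts.append((t, kind, ip, f"{prev} -> {mac}"))
        table[ip] = mac
        if not history[ip] or history[ip][-1] != mac:
            history[ip].append(mac)
    return alerts, table


def macs_claiming_multiple_ips(table):
    """One MAC answering for several IPs is what a poisoned cache looks like."""
    owners = defaultdict(set)
    for ip, mac in table.items():
        owners[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


# Constructed replay: 10.0.1.1 is the gateway, 10.0.1.20 a victim,
# 10.0.1.66 the attacker (hypothetical addresses).
REPLIES = [
    (0, "10.0.1.1", "00:03:93:aa:bb:01"),
    (1, "10.0.1.20", "00:03:93:aa:bb:20"),
    (2, "10.0.1.66", "00:0d:93:ee:ee:66"),
    (30, "10.0.1.1", "00:0d:93:ee:ee:66"),   # attacker claims the gateway's IP
    (30, "10.0.1.20", "00:0d:93:ee:ee:66"),  # ...and the victim's IP
    (45, "10.0.1.1", "00:03:93:aa:bb:01"),   # the real gateway answers again
    (60, "10.0.1.1", "00:0d:93:ee:ee:66"),   # attacker re-poisons: flip flop
]

if __name__ == "__main__":
    alerts, table = watch_arp(REPLIES)
    for alert in alerts:
        print(alert)
    print(macs_claiming_multiple_ips(table))
```

A static ARP entry for the gateway (set with the `arp` tool) is the usual local defence against exactly the replay shown here; the monitor tells you when you need it.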
In encryption, a system in which encryption and decryption are carried out with different but related keys. Public key encryption is asymmetric.
Also buffer overrun. A programming error in which more data is written to a buffer than the space allocated for it, so that the excess overwrites adjacent memory (other variables, heap bookkeeping, or a saved return address). Depending on what is overwritten and the privileges of the process, a buffer overflow can crash the process, corrupt its data, or let an attacker execute code of their choosing, which is why overflows in root-owned daemons and setuid programs are so dangerous.
Fires, earthquakes, floods, UFO invasions, and other unforeseen events.
Computer Emergency Response Team Coordination Center (http://www.cert.org/). Established in 1988 at Carnegie Mellon University's Software Engineering Institute with DARPA funding, CERT/CC analyzes Internet security incidents and vulnerabilities and publishes advisories and protective guidance.
A third-party organization that issues a digital certificate based on a CSR (certificate signing request).
A request that is sent to a CA (certifying authority) to generate a digital certificate.
A character/symbol level transformation applied to a plaintext message with the intent to disguise the content.
The enciphered version of a message or other information.
A transformation applied to change a message from one symbol set to another. The transformation may be at the linguistic or character/symbol level, and is dictionary based.
A real or logical grouping of files and resources to which Apache directives (including security directives) can be applied.
A dry, flat, and often salty bread-like food product. Or, a similarly tasteless person who would do your system harm.
The science and practice of studying cryptographic systems to discover and exploit their weaknesses.
The practice of employing codes and ciphers.
The umbrella science encompassing both cryptography and cryptanalysis.
Common Unix Printing System. The Mac OS X printing system, starting in Mac OS X 10.2, is based on CUPS. CUPS provides a built-in PostScript rasterizer and provides access to printers that were previously Windows-only.
Common Vulnerabilities and Exposures (http://cve.mitre.org/). A list of names for all publicly known vulnerabilities.
Often called "services," daemons are the background processes that respond to requests made by other software on your system or remote (network) devices.
Distributed denial of service. A denial of service attack launched simultaneously from many (usually compromised) computers.
A digitally signed document that binds a public key to the identity of its owner, along with location and contact information. The certificate is signed, not encrypted, by a CA (certifying authority): anyone holding the CA's public key can verify that signature, and can then use the enclosed public key to verify signatures on messages or files from the owner, or to encrypt data for the owner.
A configuration option.
Preparing your computers and critical system components for possible failure.
Rebuilding system critical services in the event of an emergency.
The Mac OS X command-line tool for copying files and folders while maintaining permissions, ownership, and resource forks.
Denial of service. A DoS attack is any attack that causes access to a service to be disrupted, be it a network service (such as a Web server) or local access to a machine.
A command-line incremental backup tool for UFS partitions. Not HFS+-compatible.
Transform (algorithmically) from plaintext at the character/symbol level, with the intent to disguise the content.
Transform from plaintext into an alternate symbol set.
Applying a cipher, under the control of a key, to transform plaintext into ciphertext so that only holders of the corresponding key can recover the original (RFC 2828).
In cryptology, the amount of randomness (unpredictability) in a value, usually measured in bits. For an encryption key, entropy depends on the size of the symbol space and on how unpredictably the symbols are chosen; a key drawn from a small or predictable space has low entropy no matter how long it is.
An Open Source packet sniffer capable of ARP poisoning, password harvesting, and content decryption (http://ettercap.sourceforge.net).
An identifier for the portion of the system that is sending the log entry to syslog, such as the kernel, mail, or FTP processes.
A device or piece of software used to block network access to a service, network, or device.
Fully qualified domain name. The full name for a computer, including host and domain, such as www.poisontooth.com.
Included with Snort, the Guardian script processes Snort output and can create firewall rules to block attacks as they occur.
Someone who has been eating a cracker too quickly without a glass of water. Hackers prefer to devour crackers for breakfast with milk.
A Mac OS X command-line tool for working with disk images. Analogous to the GUI Disk Copy tool.
The default filename for the Apache configuration override file. Placed in any Web-accessible directory, the .htaccess file (if AllowOverride permits it) dynamically redefines the directives for the enclosing container: the directory it sits in and everything below it.
The Apache command-line tool for creating and modifying the password files used by HTTP Basic authentication. Passwords can be stored as MD5 (-m), crypt, or SHA hashes; files for Digest authentication are made with the companion htdigest tool instead.
Internet Control Message Protocol. A piece of the TCP/IP suite used to transmit error, control, and status messages between network devices.
Internet Message Access Protocol. A common means of accessing mail stored on a mail server, often used with cleartext passwords.
The network, electrical power, and other "outside the box" systems required for your computer to operate.
Enables you to detect and react to attacks as they occur, and before they take down your systems.
The BSD firewall tool. Used to add, delete, modify, and view the active firewall rules.
A protocol suite enabling fully encrypted tunneling of information between two points on a network. Often used to implement Virtual Private Networks.
A file system that records changes in a log (journal) before committing them to the main file system structures. After a crash, a journaled file system replays or discards the incomplete journal entries to return the disk to a consistent state, instead of requiring a full consistency check.
A value that modifies the algorithmic behavior of a cipher such that it becomes a nondictionary-based transformation between plaintext and ciphertext symbol sets.
Displays a list of the last user logins based on the /var/log/wtmp file.
Displays user accounting data.
The /var/log/lastlog file stores a record of logins, but Mac OS X does not include a utility to read its contents.
A ranking of the importance of the incoming log message, from simply informational notifications to emergency warnings.
The default location for Mac OS X-specific service startup items, such as AppleShare and, for some reason, Samba.
A CUPS command-line tool for editing the CUPS passwd.md5 authentication file.
A third-party product (http://www.psionic.com/) for monitoring logfiles and reacting to potential system problems.
The default location of third-party service startup scripts.
Software designed to harm your system or to let others do so. The term is usually not applied to destructive software that the end user runs deliberately for its destructive effect.
Works by placing a computer in the "middle" of an established connection. Both ends of a connection must be "convinced" that they need to go through the attacking computer to speak to the other side.
In cryptology, some piece of information that a user wishes to hide or exchange in a secure fashion.
Creates an exact duplicate of a volume by simultaneously writing the same information to another disk.
An Apache module that enables basic HTTP authentication to be made against the Mac OS X user database.
An Apache module created to protect against attacks that exploit the case-insensitive Mac OS X HFS+ file system (for example, bypassing a <Directory> or <Location> restriction by requesting the same path with different capitalization). This module should be installed and active on any Web server serving content from a non-UFS partition.
The Apache SSL (Secure Sockets Layer) module. Required for setting up a secure transport Web server. Included in an incomplete (but functional) form in Mac OS X.
Message transfer agent. The server process charged with receiving and delivering incoming mail (that is, a mail server).
Network address translation. A process by which a gateway provides Internet access to a whole network through a single public IP address, rewriting the source addresses and ports of outgoing packets and mapping the replies back to the originating hosts. Because inbound packets that match no existing mapping (and no configured redirect) are dropped, NAT incidentally shields internal hosts from unsolicited connections; it is not a substitute for a real firewall, and any port you forward is fully exposed.
The Mac OS X NAT daemon.
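A toy translation table, added here as an example (it is not code from the book or from natd), to make the "side effect" concrete: an outbound connection creates a mapping, an inbound packet is forwarded only if it matches that mapping, and a configured redirect (the equivalent of a natd redirect_port rule) is reachable by anyone. The class, addresses and ports are constructed for illustration.

```python
"""Toy port-address-translation table.

Added example, not from the book or from natd. Shows why NAT drops
unsolicited inbound traffic and why a forwarded port is fully exposed.
"""


class Nat:
    def __init__(self, public_ip, redirects=None):
        self.public_ip = public_ip
        self.next_port = 40000
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.table = {}
        # public_port -> (inside_ip, inside_port), like natd's redirect_port
        self.redirects = redirects or {}

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port):
        """Translate a packet leaving the LAN; return (src_ip, src_port) on the wire."""
        for (pub_port, r_ip, r_port), inside in self.table.items():
            if inside == (inside_ip, inside_port) and (r_ip, r_port) == (remote_ip, remote_port):
                return self.public_ip, pub_port        # reuse the existing mapping
        port = self.next_port
        self.next_port += 1
        self.table[(port, remote_ip, remote_port)] = (inside_ip, inside_port)
        return self.public_ip, port

    def inbound(self, remote_ip, remote_port, public_port):
        """Translate a packet arriving from the Internet.

        Returns the inside (ip, port) it is delivered to, or None when there is
        no mapping and no redirect, in which case the packet is simply dropped.
        """
        entry = self.table.get((public_port, remote_ip, remote_port))
        if entry is not None:
            return entry
        return self.redirects.get(public_port)   # forwarded service: open to all


if __name__ == "__main__":
    # Constructed: gateway 203.0.113.10 forwards port 80 to an internal Web server.
    nat = Nat("203.0.113.10", redirects={80: ("10.0.1.5", 80)})
    print(nat.outbound("10.0.1.20", 51000, "198.51.100.1", 80))   # ('203.0.113.10', 40000)
    print(nat.inbound("198.51.100.1", 80, 40000))                 # reply: ('10.0.1.20', 51000)
    print(nat.inbound("192.0.2.99", 4444, 40000))                 # scanner: None (dropped)
    print(nat.inbound("192.0.2.99", 4444, 80))                    # forwarded: ('10.0.1.5', 80)
```

The last two calls are the point: the scanner's probe of the dynamic port is dropped only because it matches neither the remote address nor the remote port of the mapping, while the forwarded Web server answers to anyone, exactly as it would without NAT. Filtering that host still needs ipfw rules.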
Displays the status of network sockets on the host on which it is executed.
The undisputed king of stealth network scans, NMAP is capable of OS fingerprinting and carrying out over 10 different network probes (http://www.insecure.org).
A mail server that relays (sends) messages for any user, without authentication. Often used to send mass spam without the administrator's knowledge.
An ICMP echo request (ping) sent in fragments that reassemble into an IP datagram larger than the 65,535-byte maximum (an illegal size). Used to crash, disable, or otherwise disrupt systems running Windows 95, Mac OS 7.x, Windows NT, Linux, Netware, and a wide range of printers, routers, and other network devices whose reassembly code did not guard against the oversized result.
The original, typically human-readable rendition of a piece of data.
Post office protocol. A common and (usually) insecure means of retrieving mail from a mail server.
A third-party product (http://www.psionic.com/) for detecting and reacting to stealth/nonstealth port scans.
A drop-in replacement for the sendmail MTA. Known for its stability, ease of use, and security (http://www.postfix.org).
In asymmetric encryption, the member of a key pair that can (and must) be kept secret for the communication to be secure.
A privileged operating mode in which a network card makes all (visible) traffic available to the host computer, rather than just broadcast and addressed traffic.
An encryption system that uses separate but related keys for encryption and decryption. Also, the publicly visible key that can be exchanged without fear of compromising the transmission when used in such a system.
Redundant array of independent disks. A means of improving disk throughput and/or fault tolerance by combining multiple drives into a single logical volume.
Reversed distributed denial of service attack. A distributed denial of service attack turned against an innocent third party: the attacker spoofs outgoing connections or attacks so that they appear to come from the third party, so that the directly attacked machines redirect their traffic and retaliation against that third party.
The process of checking against known "bad" hosts, usually open relays and spammers, on a mail server, and blocking access to those hosts in real time.
A file (package) created by Mac OS X to log information about software installed with Apple's Installer.app. Receipt files are located in /Library/Receipts.
A command-line utility for loading dump backups.
A collection of tools used by an attacker to cover his or her tracks by deleting system logs and/or modifying system reporting utilities.
The Open Source Windows-compatible CIFS/SMB file server. Samba works behind the scenes to implement the Mac OS X "Windows File Sharing."
The act of probing a network to uncover its topology, hardware, and active services.
In encryption, a key used in a symmetric algorithm, where the encryption key must be kept secret and secure for the encrypted data to remain secure.
A combination of one or more facilities and levels that are matched against log messages coming into syslog . If the selector matches the level and facility of the message, syslog executes an action .
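The selector, facility, level and action definitions above describe how a syslog.conf line is evaluated; the following added example (not code from the book or from syslogd) models that evaluation so the rules can be checked against sample messages. A selector `facility.level` matches that facility at that level or any more severe level, facilities are separated by commas, selectors by semicolons, `*` means all, `none` excludes a facility, and within one line the last selector naming a facility wins. The configuration below is constructed in the style of the Mac OS X /etc/syslog.conf; actions are returned as strings, never executed.

```python
"""Toy model of BSD syslog.conf selector matching.

Added example: not code from the book or from syslogd. Models the classic
selector semantics over a constructed configuration and constructed messages.
"""

# Standard facilities plus the two Mac OS X additions used in its syslog.conf.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "netinfo", "remoteauth",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]

# Index 0 is the most severe, as in <syslog.h>.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def effective_thresholds(selector):
    """Map each facility named by a selector to the least severe level it
    still logs (an index into LEVELS), or None when excluded with 'none'."""
    thresholds = {}
    for part in selector.split(";"):
        facs, level = part.rsplit(".", 1)
        if level == "none":
            lvl = None
        elif level == "*":
            lvl = LEVELS.index("debug")
        else:
            lvl = LEVELS.index(level)
        targets = FACILITIES if facs == "*" else facs.split(",")
        for fac in targets:
            thresholds[fac] = lvl          # later parts override earlier ones
    return thresholds


def selector_matches(selector, facility, level):
    """True when a message of (facility, level) is caught by the selector."""
    threshold = effective_thresholds(selector).get(facility)
    return threshold is not None and LEVELS.index(level) <= threshold


def route(config, facility, level):
    """Return every action fired for one message; all matching lines fire."""
    return [action for selector, action in config
            if selector_matches(selector, facility, level)]


# Constructed configuration (a real file separates selector and action with tabs).
CONFIG = [
    ("*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit", "/dev/console"),
    ("*.notice;*.info;authpriv,remoteauth,ftp.none;kern.debug;mail.crit",
     "/var/log/system.log"),
    ("authpriv.*;remoteauth.crit", "/var/log/secure.log"),
    ("mail.*", "/var/log/mail.log"),
    ("ftp.*", "/var/log/ftp.log"),
    ("netinfo.err", "/var/log/netinfo.log"),
    ("*.emerg", "*"),                       # write to every logged-in user
    ("auth.info", "@loghost.example.com"),  # forward to a remote syslog server
]

if __name__ == "__main__":
    for facility, level in [("mail", "info"), ("authpriv", "warning"),
                            ("kern", "debug"), ("auth", "info"), ("daemon", "emerg")]:
        print(f"{facility}.{level:<8} -> {route(CONFIG, facility, level)}")
```

Two things the model makes visible that are easy to get wrong by reading the file: `*.err;...;mail.crit` logs mail only at crit and above even though `*.err` came first, and `authpriv,remoteauth.none` removes those facilities from a line entirely, which is why a separate `/var/log/secure.log` line is needed for them.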
The MTA included in Mac OS X. Like Apache, sendmail is a very complicated piece of software that requires documentation beyond what is included here.
A means of gaining either total or partial control over an established TCP/IP connection. Session attacks rely on a trusted connection already being in place between two computers, and then work either to modify packets traveling between the machines or to take the place of one of the two computers.
Service locator protocol. The Mac OS X protocol for service discovery, replacing AppleTalk/Ethertalk for browsing.
A Samba command-line tool for creating user/password mappings for Samba logins.
The sendmail restricted shell ”limits the commands that can be executed from a user's .forward file.
Simple mail transfer protocol. The protocol required to transmit messages to a mail server or to relay messages from point to point.
The act of "watching" network traffic while a network interface is in promiscuous mode, often with the goal of intercepting private information.
A popular Open Source network intrusion detection system (http://www.snort.org/). Snort uses a rule-based architecture for detecting thousands of known network attacks in real time.
Providing false identity credentials for the purpose of carrying out a deceit. In some circles it's considered a requirement that this deceit be with the intent to obtain unauthorized access to a system or its resources; however, recent usage includes such situations as spoofing as a form of system defense.
The study of ways to find or eliminate steganographic messages or signatures from works.
Literally "secret writing." The science of developing and/or applying techniques for concealing one message within another. Used to either transmit the information secretly or make the information difficult to remove from the carrier without complete destruction of the carrier message.
Increases disk read and write speed by reading from and writing to two or more disks in parallel. Striping alone provides no redundancy; the loss of any one disk loses the whole volume.
In encryption, a system that uses the same key for both encryption and decryption.
A flood of SYN packets that disrupts a service by forcing the server to allocate resources for each half-open connection (it replies with a SYN-ACK and waits) while the attacker, usually from spoofed source addresses, never completes the handshake. Once the backlog of half-open connections is full, legitimate connection attempts are refused.
A packet used to initiate a TCP/IP connection.
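The detection logic for the SYN flood described above, run over tcpdump-style packet header lines, as an added example (not code from the book or from tcpdump). It parses constructed lines in the modern tcpdump `Flags [S]` notation, keeps each bare SYN as half-open until the same client side sends an ACK, FIN or RST, and reports sources holding too many half-open connections. In a real flood the source addresses are usually spoofed and vary, so the count should be taken per destination as well; the example keys on source to keep the logic short.

```python
"""Count half-open TCP connections per source from tcpdump header lines.

Added example, not from the book or from tcpdump. Input lines are constructed
in the notation of modern tcpdump ("Flags [S]" for SYN, "[S.]" SYN-ACK,
"[.]" ACK, "[P.]" PSH-ACK, "[F.]" FIN-ACK, "[R]" RST).
"""
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                  r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")


def parse(line):
    """Return the header fields of one tcpdump line, or None if it is not TCP."""
    m = LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def half_open_by_source(lines):
    """Map each source IP to the number of SYNs it sent and never followed up."""
    pending = {}   # (src, sport, dst, dport) -> True while only a SYN was seen
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flags = p["flags"]
        if flags == "S":                       # bare SYN: handshake started
            pending[key] = True
        elif "." in flags or "F" in flags or "R" in flags:
            pending.pop(key, None)             # same side completed or tore down
    counts = defaultdict(int)
    for src, _, _, _ in pending:
        counts[src] += 1
    return dict(counts)


def suspected_syn_flooders(lines, threshold=5):
    """Sources with at least `threshold` half-open connections outstanding."""
    return sorted(src for src, n in half_open_by_source(lines).items() if n >= threshold)


# Constructed capture: one legitimate client completes its handshake; 203.0.113.7
# opens six connections and never answers the server's SYN-ACKs.
LINES = [
    "12:00:00.100000 IP 10.0.1.20.51000 > 10.0.1.5.80: Flags [S], seq 100, win 65535, length 0",
    "12:00:00.100500 IP 10.0.1.5.80 > 10.0.1.20.51000: Flags [S.], seq 900, ack 101, win 65535, length 0",
    "12:00:00.101000 IP 10.0.1.20.51000 > 10.0.1.5.80: Flags [.], ack 901, win 65535, length 0",
    "12:00:00.102000 IP 10.0.1.20.51000 > 10.0.1.5.80: Flags [P.], seq 101:180, ack 901, win 65535, length 79",
]
LINES += [f"12:00:01.{i:06d} IP 203.0.113.7.{1000 + i} > 10.0.1.5.80: Flags [S], seq {i}, win 512, length 0"
          for i in range(6)]
LINES += [f"12:00:01.{i:06d} IP 10.0.1.5.80 > 203.0.113.7.{1000 + i}: Flags [S.], seq 1, ack {i + 1}, win 65535, length 0"
          for i in range(6)]

if __name__ == "__main__":
    print(half_open_by_source(LINES))       # {'203.0.113.7': 6}
    print(suspected_syn_flooders(LINES))    # ['203.0.113.7']
```

On the server itself the same condition shows up in `netstat` as many sockets in SYN_RCVD; the capture-based view is useful when you are watching from another host or a span port.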
The daemon responsible for providing a central logging repository. Capable of receiving log entries for remote systems, or sending log information to a remote syslog server.
Transmission control protocol. The "TCP" in TCP/IP, TCP is a reliable protocol used by most Internet services (HTTP, SSH, and so on).
Transmission control protocol/Internet protocol. The network protocol suite that makes up Internet traffic.
A command-line tool for logging TCP/IP packet headers. Useful for network diagnostics.
The "shape" of a computer network or communications system. On a modern network this is usually a star (hosts attached to a switch), a bus, a tree, or a combination of these.
Sometimes Trojan horses. Applications that claim to do one thing while in fact doing something else, usually something malicious.
User authentication mechanisms. Used for authenticating user connections to a machine. Additional modules can be installed in /Library/Filesystems/AppleShare/Authentication, but the same module must be present on both the client and the server for it to be used.
User datagram protocol. Part of the TCP/IP suite, UDP is an unreliable, connectionless protocol used to transmit information without requiring an acknowledgement.
Located at /var/log/utmp, this file tracks the currently logged-in users.
The default location for most Mac OS X BSD service logfiles.
Viruses are microapplications that can embed themselves in documents or software in such a way that when the documents are opened or the software run, the microapplication also runs. When executed in this fashion, the virus replicates itself into other documents or applications. A key feature to note is that viruses are self-replicating, but require some action on the part of a user to become active and to propagate.
Web distributed authoring and versioning. An HTTP-based file sharing protocol supported in most major operating systems.
Displays a list of the currently logged-in users through the use of the /var/log/utmp file.
Worms are much like self-propagating viruses that do not require any human interaction to allow them to move from system to system or to replicate. Worms also do not require a "host" application in which to embed themselves, though they often propagate themselves by wrapping themselves in some document for the purpose of transmission.
Located at /var/log/wtmp, this file tracks logins, logouts, shutdowns, and reboots.