Security and Privacy

Month of Apple Bugs! Part 1: Bugs #1 to #14

Mon, 15 Jan 2007 11:26:53 +0100

<lmh[at]info-pull.com>s Month of Apple Bugs is an amazing possibility for Apple and their users to validate security of their software environment.

Some people may want to get fast to a patch level where the MOA bugs can’t affect his system anymore. Some advices may help:

0. Having the most recent software is a must!
Always update your system using Apple build in “Software Update...”. Also get the most recent versions of software installed on your machine - check out Versiontracker or Macupdate to search for updates regularly.

The MOA Bugs:

1. Local exploits (so far bugs #14, 8, 5) can just be used from a user account on your mac.
Preventing this is by
removing unneeded user accounts using “System Preference” -> “Accounts”.
Make sure you use strong passwords for all users!
Use a application firewall to prevent root kits and trojans from “phoning home”.

2. Most of the yet found Bugs (#13, 12, 11, 10, 9) use errors of OS X methods of handling DMG files (Disk Images).
In most cases it will be enough to prevent Safari from opening “Safe files” per default. This “feature” of Apples browser was also a point of security issues at many occurrences in the past. Disabling is a good idea in general.
Open the Safari Preferences, navigate to “General” and uncheck “Open “safe” files after...”

Now just a DMG that you, or another user, opens can contain malicious code. So use your brain and be skeptical before any double click on an disk image!

3. Here is a way to fix many of the remaining bugs if neccessary: landonf.bikemonkey.org
These patches use “Application Enhancer” which itself is affected by MOAB #8. Keep in mind that using this Software is potentially a opener for far worse wholes than the ones you might be able to patch with Application Enhancer.

BitTORrent and anonymous web experience

Sun, 14 Jan 2007 21:03:25 +0100

This article describes how to setup a Firefox 2 and a the Azureus Bittorrent client to accesses the internet through TOR anonymous network.

It is highly ineffective to run peer-to-peer download data though TOR network as it can’t handle the amount of traffic. This could result in limitations for legitimated users of the network - that is totally unacceptable.

TOR is a service that (mainly) allows its participants to send and receive data anonymous. If it is used and configured correctly there is (almost) no possibility to crack it an figure out your identity.

Download the most recent (beta) version of
Tor & Privoxy & Vidalia bundle for OS X
from this page:
http://tor.eff.org/download.html.en

Also we need a Bittorrent client that is able to use a proxy server:
Azureus
Get it here: http://azureus.sourceforge.net/download.php

Finally the one and only:
Firefox 2.0
from this page:
http://www.mozilla.com/

Now let’s get it running!

Tor is a peer to peer network allowing you a fairly anonymous access on pretty much everything you might be interested in. In this case we just use it for Bittorrent and web browsing but there are many other features that might be interesting for you as well - just have a look at the link-list on the bottom of this page.

Provoxy is a proxy server that can be used to route your traffic “in and out” of Tor network. It is so to say The Link between your applications and the Tor network. Finally Vidalia is a gui front-end that that let you launch and monitor the Tor services.

Let’s start and run this:

Follow the instruction and install the full package.
Run Vidalia to connect to Tor network. After a few second the onion should be green. Just press ‘L’ wile in Vidalia and you should see the message log. After a short period of time it should say something like:

You might want to add Vidalia to your start up items since it needs to run as long as you want access to tor network.

Ok so far, now let’s say just a few things about browsers and anonymity.

Since it is significantly slower to access the Internet through Tor you might not use it all the time with your browser. Also Tor just has an effect if you switch off cookies, java script, java and all other plugins (like Flash etc.). Finally you need to configure a special proxy setting in your browser to access Tor. We can setup Firefox so that it fulfills all this requirements easily without affecting the rest of the system. That’s why I suggest using Firefox for anonymous surfing and not Safari or any other OS X browser. (If you anyway use Firefox you might be interested in this portable version of the Firefox for Tor setup)

Just drop Firefox to your Application folder and run it.

Don’t import anything and “Continue”.

Click the Firefox menu and open the Preferences continue to “Content” and uncheck the “enable JavaScript” and “Enable Jara” boxes.

Go on to the “Privacy” tab and uncheck “Remember what I enter in Forms...” and “Accept Cookies...” It might also be a good idea to advice Firefox to clear your private data when you close it.

Now move to the “Advanced” pane, choose “Network” and click the “Settings ...” button.

Fill the form as shown below:

Click “OK” close the preference pane and you’re done! Activate Vidalia again and press “B” on your keyboard. You should get the Tor traffic monitor which shows you some load information about your tor connetion. Open a website in Firefox and you should get some clear peaks as shown below.

You might notice a “slightly” slower download rate while browsing with your Firefox this is the price you have to pay. Be patient and keep in mind: It is now anonymous - except you enter some personal data on some websites somewhere.

One more funny thing can be done with your browser to avoid uncontrolled traffic passing Tor and hurting your anonymity. If you use a application firewall (as described here) you can deny all outgoing traffic for your Firefox since the browser needs just access to the proxy running at your localhost (127.0.0.1). Your firewall will thus drop all traffic that was send directly by Firefox to the internet and only allow anonymous traffic through Tor.

Now the hard stuff - It might be a good idea to get some basic understanding on how Bittorrent works first. If you start a Bittorrent download your client connects to a so called tracker whose ip address is stored in the .torrent file. This tracker holds a list of all machines currently sharing the desired file. Your ip will now be added to this list on the tracker and your client connects to the other nodes from the list to start downloading the file. You promote your ip address to the tracker and all nodes that you connect to. Since somebody might misuse your ip (let’s say in a court-case) we should keep it as private as reasonable (always the limitations of Tor in mind). The tracker doesn’t need your ip but is definitely the place to easily hunt down copyright violators. It is enough to keep your ip secret to the tracker since all the other clients are also downloading the desired files thought doing the same illegal stuff. But the tracker might just serve you with a well sounding trash .torrent just in order to fish your identity and nail you! This configuration option also keeps the transfer rates high for you which is quite a good feature.

To get this to operate we need a Bittorrent client that is able to use a SOCKS proxy to connect to Tor network. This client is Azureus. It’s a huge monolithic pice of software written in Java which really doesn’t make it a friend for us Macies but this time there is no alternative client to this one. So drag the Blue Frog to your application folder and run the beast!
At first time start Azureus will confront you with a “Configuration Wizard” just click “Next” until you see this:

A slightly modification is needed - set the “User Proficiency” to high. Continue with “Next” keep all setting on their default values until you can press “Finish” and then “Close”...

Now let’s set the really interesting things: Open the “Preferences”

Navigate to “Connection” -> “Proxy Options” and check
“Enable proxying of tracker communication...” and
“I have a SOCKS proxy”
Set
Host to “127.0.0.1”
Port to “9050”
clear the username and password.
Finally uncheck
“Check proxy status on startup”

Click “Save” in the very left bottom corner and you’re done. Close the “Options” by clicking here:

Now you can add .torrents to Azureus and feel little bit more safe. Enjoy!

Read on:
Azureus + Tor Documentation
Tor - The Onion Router Documentation
Privoxy Homepage
I2P alternative anonymous service
Jap Anon alternative to TOR (german)
Heise: Klagewelle gegen Raubkopierer (german)
Hot or Not - how to defeat anonymity in a tor network through clock skew

I wish to thank the developers of the mentioned software esp.
Roger Dingledine and Nick Mathewson.
Folks, please donate!

Don’t tell anybody your mail address

Fri, 27 Oct 2006 19:59:51 +0200

This will show you how to stop applications from sending and receiving data to Big Brother and his near and dear friends like Adobe, Microsoft and Apple...

How often your are asked to enter your email address just because you need a update for some software or want to register on a page for some single impressions or leaf a comment somewhere in a forum.
What are these people doing with all these collected personal data?

There are services out there that just give you a valid instant email address that you can use once or twice and just ignore it it after usage without any hangovers later.

You get it here:
www.sofort-mail.de
www.trash-mail.de
www.mailinator.com
www.discardmail.com

What an application firewall can do for you

Fri, 27 Oct 2006 18:16:06 +0200

This will show you how to stop applications from sending and receiving data to Big Brother and his near and dear friends like Adobe, Microsoft and Apple...

One basic thing you need to do to jump up the stairways to a real secure system is to control the ability of applications to receive and send data through the network. A firewall like the one that Apples build in their operating system is a first step in the right direction. With a few adjustments it will protect your machine.

Let’s start with some backgrounds. Whenever a software wants to transfer data through the internet it needs to put it into a so called packet. This (ip) packet wears like a letter the senders and receivers (ip)address and additionally (tcp or udp) a so called (network) port number that tells the receiving computer which program this packet is associated to. For example a webbrowser like Safari will send end receive packets through port 80 in order to load a page from a server. A mail client will use ports 25 for sending mails and port 110 or 143 for receiving and so on. A firewall decides now according to this information whether a packet is allowed to pass or drops unwanted packets.
If you configure a firewall to generally deny packets on port 21 no software will be able to send emails any more. Additionally an application firewall has the possibility to decide whether to drop or to permit a packet according to the software that wants to send data. So you could allow only Apples Mail program to send emails and refuse this to all others.

First let’s check out a few things about your scenario. If you use a router to connect to the Internet (for example you use a wireless network to connect to the internet) and you experience problems using the OS’ firewall I suggest not using Apples Firewall. Also your router actually should run a well configured firewall! In every case you need to think about your network. It’s only safe if you’re using cable-bound connections or a strong encrypted WLAN and if you know all the other devices and users connected. Make sure they won’t be the origin for an attack against your machine. If you’re sure go on to the section about Application Firewalls below...
If you use a dial-up network or connect your ethernet port to a cable- or DSL-modem you need to setup the firewall.

Open your “System Preferences” and go to the “Sharing” pane. Select the Firewall tab. You should see this:

If your Firewall is “Off” switch it on by pressing “Start”. Mac OS already allows services that you are running on your machine to receive data through your network. Check which ones you are really using and uncheck services you are not sure about.

Go one by pressing “Advanced...”

These settings are useful. If you experience problems for example with Skype, iChat or file-sharing-clients uncheck “Block UDP Traffic”.
Press OK and close the “System Preferences”.

Now let’s talk about outgoing traffic. The System Firewall we just enabled just avoids peoples from outside to actively connect to your system. But an application on your machine is still able to send data and open connections to Big Brother out there.

To control that i suggest using an Application Firewall like Glow Worm FW Lite.

A few words about GlowWorm and alternatives. GlowWorm is currently free, that’s the reason why I suggest it. You will need to fill out the “register” form (as shown) on their download page cause they’re sending a key to your email address that you’ll need to activate the software. They might turn the app to a commercial product soon or later. If you are willing to pay a few dollars for your Application Firewall I can recommend “Little Snitch” by objective development which is doing a great job for me on my machine. The process of installing and configuring of this software is really easy and very similar to what is described here using GlowWorm.

Download and register the most recent version of
GlowWorm FW Lite from this page: http://glowworm.us/securimage/download.php

Open and mount the Disk Image you just downloaded.

Install GlowWorm by dragging it into the “Application” folder and run it.
It’s time to check your mailbox. By now they should have send you a registration code just copy and past this code from your mail to the applications windows as shown below.

Press “Verify & Install” to continue. After a short test you’ll see this message:

Press “Install” - now you should see a message informing you about a successful installation and the beauty of the current day. Just do a control-click/right click on the GlowWorm icon in the Dock and check “Open at Login” as shown below.

You managed to install a firewall and to run it. The pre-configuration of GlowWorm is already fair and good enough for normal use except one small thing:
Select “GlowWorm FW Lite” menu and open the “Preferences...”

Navigate to the “Alerts” pane and deselect “Play alert sound for connection events” as shown below.

Close the “Preferences” window and you’re done.

If an application now tries to connect to the internet GlowWorm will pop up with a message showing who is trying to contact whom.

In this example you see that iWeb for example is trying to connect to a .mac server using a http-connection (Port 80, web). You can decide now if you allow or deny this attempt and how to handle similar events at future occurrences.

You also have the possibility to change, add and remove rules in the “Rules” window of GlowWorm. This is necessary for example to reliably configure a Firefox browser to surf the web anonymously.

Read on about firewalls:
Little Snitch - Tips and Tricks
Wikipedia Firewall
Different aspect of firewalls - OpenNet Initiative
List of services and associated network ports

About passwords

Thu, 26 Oct 2006 18:13:11 +0200

The most important thing is to create safe, memorizable passwords and use them in a sense-full way...

A safe password
1. has at least 8 characters at a total minimum.
2. contains some
small letters (a-z) and
capital letters (A-Z) and
numbers (0-9) and
special characters (!@#$%^&*()•ªº¶§∞¢£™¡ etc.).

But these passwords are heavy to memorize. So help yourself with a simple trick:

1. Tell yourself a simple story like:
My 1st dogs birthday was on the 24th of March 2003

2. The starting letters of each word would be:
M 1 d b w o t 24 3 03

3. Now you could just press shift a couple of times like
M ! d b w o t 24 $ )3

This Password is already safe according to the upper definition. And the only thing you need to remember is the simple phrase about your dog that we started with. Now think about a own phrase and create yourself a safe personal password.

Read on about secure emailing:
Apple about it’s Password Assistant
What Microsoft says about strong Passwords
Strong online Password Generator

Password Generator Widgets for Dashboard
ladyCrypt
Make-A-Pass
Passgen

How to store some really sensitive stuff

Thu, 26 Oct 2006 18:00:17 +0200

This is a very short tutorial on how to create a “place” that nobody is able to look into without a password...

I’m traveling around with a laptop. Lot’s of sensitive data is stored on this device so if it gets lost I have to make sure nobody will be able to access my mailboxes and lot’s of stuff I simply don’t want to show somebody.
Mac OS X Tiger has some simple but mighty facilities just to do this for me.

The easiest way is a system build in feature called “FileVault”. You can find this in the “System Preferences” under “Security” or just search for “FileVault” using Spotlight.

After you press the “Turn On FileVault” button Mac OS will store the content of your complete home directory into a encrypted disk-image, mount and unmount this automatically at login and logout for you. The problem with this feature is it may slow down your system and not all data you have in your home needs to be encrypted.

So you can also create a encrypted disk-image using the “Disk Utility”. Just start this application and select the “New Image” button.

Now this dialog comes up

Just choose a file name, select “AES-128” for “Encryption” and a size and press Create.
In the next step you’ll be forced to enter a password. Make sure to choose a safe one (read this)!
Deselect “Remember password (add to Keychain)” to make sure you always have to enter your password to access files in your safe container.

Now you just need to mount your encrypted disk image just by double clicking on it. It will appear in your Finders sidebar as a normal drive. You can easily create directories and files inside the container. If you press eject nobody will be able to access the content of this drive without entering the password.

Keep in mind that it is a real hard kind of insolvable problem to recover the content from this encrypted drive if you loose your password - the perfect place to safe your private PGP key!

You can also store applications inside this container and run them. For example you could put a portable version of Thunderbird or Firefox there. Doing this you can keep your complete mail and surfing environment safe and secure. Nobody is even able to figure out which mail accounts you’re using, which pages you are browsing to (at least not because of your browser history) or whose email addresses you saved in your address book...

Read on about secure storage:
TrueCrypt does it for Windows and Linux

Private conversation via Mail and GPG

Thu, 26 Oct 2006 16:44:38 +0200

This document will guide you through the installation and setup of GNU Privacy Guide. You will be able to sign, check signed mails, encrypt and decrypt messages using Apples Mail application automatically after following these instructions.

If you want so send a message to somebody. It’s very likely that you simple start up your Mail, create a new message and press the send button. Your message will somehow make it’s way though the internet and reach the receivers mailbox.

What actually happens is that your email client will open a so called SMTP connection to your outgoing mail server. The message will be transfered to this server which will analyze the header of your mail figuring out who is responsible for receiving the message or simply send the message to a relay-server to do this job. Soon or later one mail server will finally open a SMTP connection to the receivers mail server and transfer your message to this host where it again will be analyzed in order to sort the message in the receivers corresponding mailbox. At last somebody fetches the message using either POP or IMAP protocol connections - hopefully the guy that the message was meant for. None of these numerous connections between the servers, your or the receivers PC is (usually) encrypted. Every servers administrator can read the content of the transported message. An attacker can intercept the message between to servers. Even more than that - somebody could have modified the message on it’s way without the receivers or your knowledge - and you don’t even have the chance to figure out.

Look at this typical mail header. I marked the servers that touched the message... count them!

Any admin of those could easily have done what ever he wants with the content of your mail without your or the receivers knowledge. Very early people realized this heavily insecure issues with mail transport and started thinking about cryptographic solutions to to solve this issues.
Today there is a very simple and highly secure way to avoid hassles and improve privacy a lot in your daily email conversations.

I am talking about a beautiful pice of software that was originally developed by Mr. Phill Zimmermann and warranties a Pretty Good Privacy - by name so to say. (I chose PGP because I think the alternative S/MIME which is already supported by Apples Mail is still to much of a hassle - just think about organizing the necessary certificate with your name inside. If you anyway prefer S/MIME look at the link section end of this document)

PGP works after the public-key method. Each user generates a pair of keys. One is private, this one should be stored at a safe place and be protected with a strong password. The other one is public and will be distributed over the Internet for example on your blog or via a network of so called keyservers. On the Mac there is an useful open source implementation of PGP which is called Gnu Privacy Guard.

To start with the installation and setup just download the most recent version of
GNU Privacy Guard and
GPG Keychain Access
from this page: http://macgpg.sourceforge.net/

After you completed the download you will find a file named “GnuPG some verion nr.dmg” either on your desktop or in your preferred download directory.

Double click the .dmg and Install the “GnuPG for Mac OS X” package using the default settings.

Now we need a tool to comfortably manage the GPG keys this will be GPG Keychain Access which should be already downloaded on your hard-disk. Just drop this application to your “Application” folder after extracting from the archive and start it.

You should see this dialog just press “Generate” and follow the upcoming Wizard. If you don’t see the window above use the “Generate” option from the “Key” menu as shown below.

In the upcoming assistant select “DSA and ElGamal” as key type and press “Continue”.

The next screen asks for the length of the key. The longer a key is the heavier it is to break it. On the other hand it will need much more time to generate such a key and to encrypt and decrypt messages later especially on slow machines like handhelds and mobiles. I think a fair compromise is to use 2048 bit (even 1024 is actually safe enough).

After pressing “Continue” you have the chance to set a expiry date. I would give the key a year or something to start with - you can generate a new one easily.

Now enter your name, the email address you want to use the encryption for and some comments. Your public key will be searchable and identifiable by this informations for other users for exampling accessing a public keyserver.
Give a safe password in the next step and Confirm your settings.
 
Just wait a few minutes until the key is generated.

Now let’s adjust some basic GPG settings. Just select “Preferences” from the “GPG Keychain Access” menu.

You will see this window.

Choose “Yes” and follow the Instructions of the up-popping installer. After that open your “System Preferences” and select GnuPG.

You might see a message, informing you that some of your settings need to be adjusted in order to use “UTF-8” string encoding. Select “Please do”, click the Keyserver-Pane and check “Automatically retrieve keys from server while verifying”.

Close your “System Preferences” and you’re done.

It’s very important to have a backup of you key pair - private and public key - at a safe place like an encrypted disk image. If you loose your private key you will not be able to send encrypted mails or to decrypt mails that you received so make sure you have a backup!

Open the “Terminal” application
enter “cd” and press return
enter “tar -c .gnupg > GNUPG_backup.tar” press return
close the terminal and copy the file “GNUPG_backup.tar” to a safe NON PUBLIC location

To restore your keys later just copy the file back to your home and double click it. Mac OS will unpack the keychains automatically. After that all keys should be restored and be usable again by the GNU Keychain Access application and GPG.

Also keep in mind that your home directory is not a save place at all to store your keys. You may want to change your GnuPG home Directory to a directory inside a safe disk image using the GnuPG System Preference pane - the disadvantage is that you have to mount your secure disk in order to use GPG.

After you made a backup copy of your key it’s a good idea to publish it. So that other users can start sending you encrypted messages.

You can start by exporting it into a ascii file using the GPG Keychain application. Just select the public key and choose “Export Key...“ from the “File” menu.

You can send this file by mail or put it on your home-page so that others are able to download it.

An other good method of widely syndicating your public key is to upload it to the public net of PGP-keyservers as mentioned before.

It seems my version of GPG Keychain Access had a bug so I needed to publish the key manually. This is very easy by following these simple steps:

Just figure out the ID of your key. Keychain Access shows you the id as marked in the picture.
open the “Terminal” application
enter (replacing the_keyid by guess what :) “gpg --send-key the_keyid” and press enter

That’s it - your key is published and will be distributed automatically through a network of servers. Others can search these network and automatically receive your key,

The next step is to setup Apple Mail so that it is able to sign, encrypt and decrypt emails automatically. Apple is not including this features into Mail. So we need a plug-in for Mail that can handle the PGP/GPG functionality.

Download the most recent version of
GPGMail Plug-in for your release of MacOS X
from this page: http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html

Open the downloaded file by double clicking on it and install using “Install GPGMail” as shown in the picture below.

After following the instructions of the installer script will give you the chance to start Mail do so and continue to the “Preferences” as shown.

Navigate to the PGP tab on the very right.

Make sure that you use the right Personal Key and select “Always ask me for passphrases”
Go on to the “Composing” pane and check a few settings as marked below:

Close the “Preferences” window and you are ready to go...

All messages you’re going to send will be automatically signed by Mail from now on. The receiver will have the chance to check wether the message has been modified on their way from you to him.

To send an encrypted message that only you and your buddy can decrypt just press “New” button. In the window select “Encrypted” as shown in the picture below.

The yellow asterisk is signaling that the key for testperson@testdomain.net is not in you keychain. You need to add it manually using the GPG Keychain Access tool and it’s import feature. You also can just press “Send” and try to send the message without importing the key to the GPG Keychain first. Mail will realize that a key is missing and popup with this message:

This dialog offers you the possibility to “Search” for the missing public key on a keyserver. Just press “Search” and Mail will search and suggest matching keys from the Network.

Select the key you want to use and click Download.

You also have the possibility to sign a message. This makes sure nobody could change the content of you email during transport between or on involved mail servers. This is a very use full feature which doesn't require the public key of the receiver. Be aware that everybody is able to read you message if you just sign it.

If you received encrypted or signed message and want to decrypt or verify the signature you will need to search for involved keys manually and add them to your keychain using GPG Keychain Access.

Mail will show up a signed message for example like this:

After pressing “Verify” Mail will download the necessary keys and check the signature. If a key is missing just mark the keys number as shown and copy it to the clipboard using the right-click context menu.

Now open the GPG Keychain Access utility and select “Retrieve from Keyserver...” at the “Key” menu.

Enter the ID of the key you want to retrieve. Just past the one we recently copied and press “OK” in the following small dialog as shown.

A Terminal window will opened, GPG will be executed and forced to download the chosen key.

Just follow the instruction and check if a key was imported successfully. If not you will not have any other chance to get the needed key except asking your buddy to send you his public key via email ;-)

Now that you have all necessary public key go back to mail and choose “Message” -> “PGP” -> “Refresh Keys” from the menu bar.

Now try again to press the “Verify” button above your mail. Your should see something like this:

Enjoy and tell others about!

Read on about secure emailing:
Why I Wrote PGP by Philip Zimmermann
Official GPGMail Homepage
Official PGP Homepage (commercial)
Using GnuPG encryption with Mac OS X Mail (an other tutorial)
Wikipedia about PGP
Wikipedia about GPG
Portable Thunderbird with GPG (howto)

Wikipedia about S/MIME
S/MIME and OpenPGP (comparisons, links to specs etc)
S/MIME integration in Mail (apfelwiki, german)
mac devcenter about S/MIME in Mail
Apple about S/MIME in Mail
Dartmouth about S/MIME
.Mac-users get a valid certificate for S/MIME from Apple