Now that the honeymoon stage with Mac OS X Leopard has passed, the nuances of its daily use are beginning to come to light. Kinks are getting worked out, companies are updating their Mac-compatible software and all kinds of new and useful features are being unearthed. In the past, Mac OS X has been derided for flawed security while at the same time being lauded as an unlikely target for hackers. Did the release of Leopard finally hit the sweet spot of better security without sacrificing functionality?
What is it about Mac OS X that makes it unappealing to hackers and other Internet interlopers? Nick Selby, senior analyst and director of enterprise security practice with The 451 Group, says it’s simply that hackers tend to reach for the lowest-hanging fruit. Selby explains that hackers get the most bang for their buck by developing malicious code designed to infect the most likely combination of software in use today: Microsoft Windows XP or Vista running a version of the Internet Explorer Web browser. “That’s where the action and the money are,” says Selby. Other combinations—Mac OS X and the Safari browser, for example—just aren’t as widely used and therefore are not worth a hacker’s time to look for holes to exploit.
That doesn’t mean, however, that Leopard users shouldn’t take security precautions anyway. “Targeted attacks by motivated and skilled hackers are generally not stoppable,” says Selby. “Best practices dictate regular patching, updates, firewalls, port blocking and scanning for activity on known botnet channels.”
Ollie Whitehouse, architect with Symantec’s Advanced Threat Research Team, agrees. “It’s fair to say Mac OS X has not been a significant target for attackers or malicious code authors to date. However, researchers have demonstrated that the potential for susceptibility to the same types of flaws which have plagued Microsoft Windows for so many years does exist to the same extent. We have also seen indications that malicious code authors are kicking the tires with at least one actual attempt through social engineering to get the user to install a Trojan.
“However, due to smaller market share, Mac OS X has not been targeted in the same way as Windows. It’s reasonable to expect this to change over time, as Apple’s market share increases and Microsoft improves Windows security,” adds Whitehouse. There are also threats to data that affect all lost or stolen laptops and devices. Even though attackers may not be aggressively targeting Mac OS X, Whitehouse urges IT departments to take responsible steps to protect data while it’s at rest, and also to put systems and policies in place to ensure that any valuable data is backed up.
Upgraded OS, Updated Features
Apple appears to have heeded warnings that hackers may be taking a second look at Mac OS X; Leopard boasts a number of security enhancements and new technologies. Whitehouse notes two in particular that have caught his eye: SeatBelt, a new sandboxing technology, and Address Space Layout Randomization (ASLR), a technique that randomly moves the location of key data to make it difficult for attackers to predict where to find it.
“[Seatbelt] limits what an application can do in terms of interacting with the operating system and file system,” Whitehouse says. “This is a good proactive technology against applications which may be compromised at a point in the future, but limits the impact on the operating system. However, it’s clear that it is not as widely used as it could be; if Apple expands the usage to cover a majority of common applications, then it will become a valuable mitigation technology.
“The [ASLR] version in Leopard is currently minimal and provides limited protection at this point. However, it’s an important step as Apple improves the implementation. One hope is it will reach the level of effectiveness of Microsoft’s implementation of Windows Vista,” says Whitehouse.
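Whitehouse’s point about ASLR is not whether the technique exists but how much of the address space it actually moves. The script below is an added example (not from the article, Symantec or Apple) that makes that question measurable on whatever Unix-like host it is run on: it spawns a few fresh interpreter processes, records the address of a C library function, a heap buffer and a Python object in each, and reports which landmarks changed between runs. Landmarks whose addresses stay fixed are regions an attacker could still predict; the region names and the use of `ctypes.CDLL(None)` to resolve `malloc` are this example’s own assumptions.

```python
"""Report which memory landmarks move between process runs (ASLR coverage check)."""
import ctypes
import json
import subprocess
import sys


def sample_addresses():
    """Return the address of three landmarks inside the current process.

    libc_function: where malloc() lives in the C library (shared-library ASLR).
    ctypes_buffer: a 64-byte buffer allocated by ctypes, i.e. heap memory.
    python_object: id() is the CPython object address, also heap/mmap memory.
    """
    libc = ctypes.CDLL(None)  # resolve symbols of the running program, like dlopen(NULL)
    buf = ctypes.create_string_buffer(64)
    return {
        "libc_function": ctypes.cast(libc.malloc, ctypes.c_void_p).value,
        "ctypes_buffer": ctypes.addressof(buf),
        "python_object": id(object()),
    }


def classify(runs):
    """Map each landmark name to True if its address varied across the sampled runs.

    Two identical addresses could be coincidence, so more runs give a more
    reliable answer; a landmark counts as randomized if any run differs.
    """
    names = runs[0].keys()
    return {name: len({run[name] for run in runs}) > 1 for name in names}


def collect_from_child():
    """Spawn a fresh interpreter so the sample comes from a brand-new address space."""
    out = subprocess.run(
        [sys.executable, __file__, "--sample"],
        capture_output=True, text=True, check=True,
    ).stdout
    return json.loads(out)


def aslr_report(samples=3):
    """Collect `samples` child runs and classify each landmark."""
    return classify([collect_from_child() for _ in range(samples)])


if __name__ == "__main__":
    if "--sample" in sys.argv:
        # Child mode: print this process's addresses as JSON for the parent.
        print(json.dumps(sample_addresses()))
    else:
        for name, moved in aslr_report().items():
            print(f"{name:15s} {'randomized' if moved else 'FIXED across runs'}")
```

Run it without arguments; each line names a landmark and says whether it moved. A defender can extend the landmark set (for example the main executable’s entry point, or a stack address obtained from a small C helper) to audit exactly which regions a given platform’s ASLR covers.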
Cross-Platform Infection on the Horizon
Noticeably missing from Leopard’s security buffet is a method of protecting the system from cross-platform infection when running virtualized environments with its native application, Boot Camp. No matter how secure your Mac is, once you fire up a virtual machine running Windows, you leave your system open for invasions through the back door.
Whitehouse notes that although there have been no documented instances of a cross-platform infection, it is simply a matter of time before one occurs. Fortunately, there are a number of precautions IT departments can take to minimize the risks. He suggests using full-disk encryption on at least one of the operating systems so that whichever OS is at rest will be inaccessible to the other. Whitehouse also recommends that CrossOver Mac users develop and implement their own sandbox policies and run Windows within those environments. That way, any security compromises won’t affect the host system. Finally, he says, be sure to run consistently updated security systems on both OSs at all times.
According to Selby, strict virtualization policies are a company’s best defense against cross-platform contamination, especially when users are permitted to self-provision their own machines. “Best practices dictate that you make sure Windows is always firewalled, patched and updated,” he says. “Make it a corporate policy.” Selby expects that as more companies trend toward virtualization, vendors will develop virtual machine monitors that will automate the process. But in the meantime, he urges IT departments to make every effort to ensure virtual Windows machines are as buttoned-up as possible.
Close, But No Cigar
Although Leopard has clearly taken steps to make OS X a more secure operating system, Whitehouse says it still has a ways to go. “It’s clear that the new security technologies Apple has introduced into Leopard are first generation. There are many areas they could improve; these include but are not limited to: ASLR implementation, which currently provides little, if any, protection over not having any at all; firewall, which is currently only inbound; and [a better] use of SeatBelt to further minimize the impact of arbitrary code execution vulnerabilities.”
Apple declined to comment on future plans for its security technologies; however, the company has issued a 14-page technology brief [PDF] detailing steps users can take right now to protect their systems.
Selby says that the security threats continue to evolve and change, so the best defense is a good offense. It all comes down to detailed access management information. “If Bob in Sales suddenly looks like he’s logging in from another country and accessing human resources files, you need to know if it’s really him or if your system is being exploited. At the end of the day, regardless of what platform and OS your company is using, always make sure you know who’s on the network and what they’re doing,” says Selby.
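Selby’s “Bob in Sales” scenario is a detection rule in miniature: a login from a country never before seen for that account, followed by access to data outside the user’s department. The script below is an added example (not from the article or The 451 Group) that runs that rule over a handful of constructed log lines; the log format, the `src_country` field, the `/shares/hr/` sensitivity mapping and the user names are all assumptions made for the illustration, not artifacts from any real system.

```python
"""Flag new-country logins and cross-department file access in an access log (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines, in a simple key=value format assumed for this example.
LOG_LINES = [
    "2007-11-14T09:02:11Z user=bob dept=sales src_country=US action=login",
    "2007-11-14T09:05:40Z user=bob dept=sales src_country=US action=read path=/shares/sales/q4.xls",
    "2007-11-14T09:07:02Z user=alice dept=hr src_country=US action=read path=/shares/hr/salaries.xls",
    "2007-11-14T21:13:55Z user=bob dept=sales src_country=RO action=login",
    "2007-11-14T21:15:10Z user=bob dept=sales src_country=RO action=read path=/shares/hr/salaries.xls",
]

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) src_country=(?P<cc>\S+) "
    r"action=(?P<action>\S+)(?: path=(?P<path>\S+))?"
)

# Assumed policy: path prefix -> departments allowed to read under it.
SENSITIVE_PREFIXES = {"/shares/hr/": {"hr"}}


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return a list of (timestamp, alert_type, user, detail) tuples.

    - 'new-country-login': the account has logged in before, but never from this country.
    - 'cross-dept-access:<severity>': a read under a sensitive prefix by a user whose
      department is not on the allow list; severity is 'high' when the user's current
      session began with a new-country login, otherwise 'medium'.
    """
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries seen at login so far
    flagged_session = set()             # users whose current session started suspiciously

    for ev in filter(None, map(parse, lines)):
        user, cc = ev["user"], ev["cc"]
        if ev["action"] == "login":
            # First login ever for a user establishes the baseline rather than alerting.
            if user in seen_countries and cc not in seen_countries[user]:
                alerts.append((ev["ts"], "new-country-login", user, cc))
                flagged_session.add(user)
            else:
                flagged_session.discard(user)
            seen_countries[user].add(cc)
        elif ev["action"] == "read" and ev.get("path"):
            for prefix, allowed in SENSITIVE_PREFIXES.items():
                if ev["path"].startswith(prefix) and ev["dept"] not in allowed:
                    severity = "high" if user in flagged_session else "medium"
                    alerts.append((ev["ts"], f"cross-dept-access:{severity}", user, ev["path"]))
    return alerts


if __name__ == "__main__":
    for ts, kind, user, detail in analyze(LOG_LINES):
        print(f"{ts} {kind:28s} {user:8s} {detail}")
```

On the constructed lines this produces two alerts for bob: the evening login from a country not in his baseline, and the high-severity read of an HR file that follows it. In practice the baseline would be built from a longer history and the sensitivity map from the organization’s own share layout, but the shape of the logic, knowing who is on the network and what they are touching, is exactly what Selby describes.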