Technical: macOS X Security

Part 1 – Boot Security

  Technical blogs, oh how I loathe thee.  While one hand they are fun to research, and I do enjoy delving more and more into the inner workings of macOS X, To me these posts feel the most like actual work.  I do not get the enjoyment of taking photographs like I do for travel articles.  Or put myself in a well deserved food coma after reviewing a resturant.  It’s just mostly research, typing, and the screen shots that go with the article

They do provide a service to my readers and remain in the top viewed list continuously, so in there in itself is my reward!  Now that I have my belly aching out of the way, let’s start a new technical series on Brent’s World, macOS X Security, which will be a multi part blog on keeping your Mac, and your data safe!  We will begin with the boot loader, utilities available on the recovery partition and the vulnerabilities they impose and how to protect your system from these vulnerabilities.  Subsequent posts will deal with user accounts (Local, and network), file system permissions and access control lists (ACLs), drive and folder encryption, and ending with the sharing options offered with macOS X what they do, and how to lock them down.

So after that long winded preamble, lets dive into the heart of the matter.

Security, security threats, vulnerabilities, hackers, and bad actors.  This is something we hear about daily but as Mac users, especially standalone (devices not part of an enterprise environment.) is something we really take no notice of, these happen to other people, people who own PCs.  If we do anything at all we install an antivirus package such as Sophos and call it a day!  What if I told you there are many more threats out there then just viruses, worms, or ransomware?  Those risks raise exponentially if you are a Macbook or Macbook Pro user, simply because if you lose physical control of the device the thief can attempt to gain access at his leisure.  “So, my device is password protected!”  What if I told you, it is possible to get access to all your data and I don’t even need to enter your password, or that I could change your password from the recovery partition built into your Mac? Let’s take a look at some scenarios, starting from the simple and moving into the more complex.

• The boot loader.

Rebooting or starting a Mac with the option key depressed will invoke the Apple Boot Loader. This will allow me to boot off an external drive such as a thumb drive or external hard drive.  Great for troubleshooting, imaging the operating system, or installing the OS if you have completely replaced the system drive.  It also opens up your system to several vulnerabilities such as allowing an unauthorized individual the ability to take an image of the system drive, or simply copy the data to an external drive

• The recovery partition.
             Holding down Command – R after the startup chime will invoke loading the recovery partition, this is a hidden partition that contains a limited, bootable version of mac OS X that will allow you to set an OpenFirmware password (More about this later), access a shell via the terminal.app, Reinstall Mac OS X from a Time Machine backup, Reinstall Mac OS X, and Disk Utility. The recovery partition utilities are very useful when used for their intended purposes, but if left unsecured, by not setting an OpenFirmware password allow several holes into your system.  Let me demonstrate.

• Single User Mode (SUM)

Holding down Command – S after the startup chime will place the macOS X computer in “Single User Mode” as the root level account (Even if root is not enabled.). The system volume is loaded as read only, but this can be changed by unmounting and remounting it as read/right.  This allows the person who booted the Mac into single user mode full access to any unencrypted data on the drive, the ability to mount removable media to copy this data off the drive.  The possibility of installing malicious code, as well as being able to change system preferences from the command line.   You may also change any user’s password on the system using Single User Mode.

So we have demonstrated 3 vulnerabilities present at the Mac boot loader, what can be done to harden your computer so bad actors will have a more difficult time exploiting these vulnerabilities?  You can set an OpenFirmware password that you will be prompted to anytime you hold down the Command Key during startup.  In order to enter the Recovery Partition, or Single User Mode you must enter the OpenFirmware password correctly.

CAUTION: If you lose your OpenFirmware password, you will need to take your Mac to either an authorized service center, or to the Genius Bar at an apple store to have the password cleared.  While older Macs (Pre-Intel), did have a reset button on the motherboard.  Newer Macs do not.  Zapping the PRAM will not clear the OpenFirmware password.

Let me now demonstrate how to set the open firmware password.

NOTE: If you sell your Mac, make sure you either include the OpenFirware password, or clear if before you deliver the Mac to its new owner.

These are the vulnerabilities that exist on your Mac during the boot process, while these might not have much impact if you are using a desktop Mac, it might be something to think about for mobile users. 

Thank you for visiting Brent’s World, please come back frequently for more great content.  If you wish to be notified by email when new content is posted, please register, by clicking here!

Technical – Top 5 Utilities You Should Have For Your Mac.

   I cannot believe I’m doing this!  I loathe the internet’s fascination with creating top 5 lists for anything!  Next, I will be reporting that dogs and cats are in fact living together.  In our last article, I recommended buying a bigger USB thumb drive than needed for your rescue USB stick where you could create a second bootable partition containing useful troubleshooting utilities. What utilities do I actually recommend you putting on this partition or on your Mac for normal use? In this week’s quickie article, I will rate, and briefly describe my top 5 macOS X utilities.  All the utilities listed here are 3^rd party utilities, so they must be purchased separately.  So let’s get started!

Paragon NTFS – While mac OS X gives us the ability to read NTFS formatted drives and partitions, it does not allow us to write to them. There is a way of enabling writing to an NTFS partition, but it is slow, buggy, and you may lose data.  Neither APPLE nor myself would recommend that method for anything other than an emergency solution.  This is where Paragon NTFS comes in.  Paragon NTFS allows reading, writing, and formatting/partitioning NTFS drives.  You may download and try Paragon NTFS for 10 days, after the 10 day trial you must pay $19.95 to continue using it.  Paragon’s website is found here: https://www.paragon-software.com/ufsdhome/ntfs-mac/

Carbon Copy Cloner – This next utility in my arsenal also highlights an annoyance I have right now with Apple. Did you know that Apple’s own Disk Utility does not like you image devices that are formatted with the new Apple File System (APFS)? Seems hard to believe. Right?  So what are we to do if you need to image a disk that has been formatted or converted to APFS?  This is where Carbon Copy Cloner ‘CCC’ comes in and why I recommend that you put this on your rescue utility disk.  Carbon Copy Cloner has full APFS support for disk images. Great for transferring or making backup copies of your system disks!  Carbon Copy Cloner by Bombich Software is available with a 30-Day trial license, and costs $39.99 for a full license.  You can download directly from Bombichs’ web site here: https://bombich.com/.

Stuffit Expander – If you have been a Mac user for a long time, you would know that Stuffit Expander is the Mac equivalent to Winzip. Stuffit ‘.sit’ archives was the predominant file compression standard before .dmg.  Stuffit could also uncompress .zip archives before mac OS X had the ability built in.  So if the most common format of compressed files in the wild today are now .dmg or .zip files, why would I need to concern myself with Stuffit Expander?  Stuffit Expander has the ability to decompress a wider range of formats than mac OS X can by default, one of those archive types is .rar files.  Which I have a time or 2 had the need to uncompress.  Since Stuffit Expander is free, why not add it to your tool bin? Stuffit Expander can be downloaded from SmithMicro at http://my.smithmicro.com/stuffit-expander-mac.html, or the Mac App Store

Sophos Anti Virus – I would include Sophos Anti Virus to protect yourself from malware, and to run a virus scan on drives without Sophos installed that you may not want to boot off of.

While not exactly a utility I highly recommend installing the Homebrew repository, which will allow you to add additional functionality to your shell environment, such as htop shown below. Additionally you might want to think about installing telnet which was removed from macOS X 10.13 due to security reasons (telnet is a non-encrypted protocol and sends everything in clear text, including passwords.  However it can be very useful for testing ports and protocols, as I am demonstrating below connecting to Google.com’s SMTP server.

Thank you for taking the time to visit Brent’s World, Please come back next week for another great article about Korea.  I visit the Mr. Toilet House Toilet Museum in Suwon!

Don’t miss out on new context when it is posted, register today to be emailed when a new blog is posted.  To register click HERE!

ALERT!! – Major Security Flaw Discovered in Mac OS X High Sierra (10.13.x)

  I was originally going to blog with instructions on creating a macOS X High Sierra boot USB with utility partition but decided to blog instead of the MAJOR security flaw that was discovered in Mac OSX High Sierra (10.13.x).  If you have not enabled and set a password to your root account, someone may authenticate as the root user without providing a password. 

 Additionally If you have the Login Option ‘Display login window as: Name and password’ selected an unauthorized person may be able to bypass the lock screen, logging into your system as the ‘root’ user!  To make this even more scary, once the exploit has been sued, it leaves the root user enabled (If it was previously disabled), with no password assigned.  Leavening the system open to future attacks both at the computer and possibly remotely.

  Apple released an update November 30^th, that should have already installed with no user intervention required.   If for whatever reason you are not able to install the patch for this security flaw, you may temporarily secure your system by enabling the root account and assigning a strong password (See below for instructions.)

  There is a caveat you should be ware of.

  As the security patch affects ALL versions of High Sierra, the security patch will be installed even if you are still running macOS X 10.13, when you update to 10.13.1, the patch will be removed and your system will be vulnerable again.

To verify you have the patch installed.

Open your terminal.app
At your shell prompt type

$ what /usr/libexec/opendirectoryd

If you see the following output you have the security patch installed.PROGRAM:opendirectoryd

PROJECT:opendirectoryd-483.20.7 <FOR OSX 10.13.2>
PROJECT:opendirectoryd-483.1.5 <FOR OSX 10.13>

  Another thing to be aware of, the security patch will disable the root user account, if it was enabled prior to the patch you will need to re-enable it.  I find it to be ironic that one of the things the patch does is disable the one thing that prevented this flaw to begin with, having the root account enabled with a password set.

To Enable/Re-Enable Root User

• System Preferences > Users & Groups.
• Click the lock icon and authenticate as a privileged user.
• Click the ‘Login Options’ button.
• Click the ‘Edit…’ button to the right of Network Account Server:
• Click Open Directory Utility.
• Click the lock icon and authenticate as a privileged user.
• Click Edit > Enable Root User.
• Enter a strong password.
  1. 8-15 Characters
  2. Containing at least 1 capital letter.
  3. Containing at least 1 numeric character.
  4. Containing at least 1 special character.
  5. Do not use names, birthdays, or dates/places of special events.
• Close the windows that were opened.

Hopefully this patch will be included in the 10.13.2 update whenever it comes out!

If you have any comments or questions about this blog or macOS X in general please stop by our forums at www.catracing.org/forum.

Thanks for following Brent’s World!

MacOS X – BASH Scripting

Random Quote Generator v1.1m

I know it has been a while since I have posted a new blog! I deeply apologize, I have been suffering from a severe case of writers block, and have been struggling to come up with a new technical article that is up to the standards I have set for myself!  Looking back at some of the old articles, I realized that one of my favorites is woefully out of date!

For those of you who may be visiting Brent’s World for the first time, I converted a C-Net Amiga BBS Arexx script to BASH v4 back in February 2015 ( https://www.catracing.org/hendrb/fun-with-bash-scripts-random-quote-generator/ ), then followed it up with displaying the output through cowsay for some extra fun, https://www.catracing.org/hendrb/fun-with-bash-scripts-randquote-v1-1/.  For an encore I provided instructions on installing BASH v4 and GNUsed on MacOS X  so Mac users could also enjoy a random quote every time they launched their terminal.app.

So let’s bring the OS X version of randquote.sh up to date, since the previous instructions only covered Linux users.  Please make sure you already have Randquote v1.0, BASHv4 and GNUsed already installed and working.  If you do not please follow the steps outlined here, https://www.catracing.org/hendrb/os-x-installing-gnu-sed/.

We will need to install and test cowsay ( I am installing via homebrew, if using another method, you may skip this step.). 

Launch your terminal.app, and using a privileged account, Home brew does not work from root, or using sudo.

# brew install cowsay

Once this is finished we can test cowsay, use either of the 2 methods (I think method 2 is more fun.)

 $ man cowsay

If cowsay is successfully installed, you should now see the man page displayed.

Let’s now go ahead and throw something at cowsay, and see what happens

$ cowsay “For more GREAT blog articles, go to Brent’s World www.catracing.org”

If cowsay is successfully installed, you should now see the following displayed.

Now that we know cowsay is installed and working, can go make modifications to bring randquote.sh up to v1.1 on your Mac.

Add the following under the original copyright message, and above the note for MacOS X, <CR> denotes a carriage return, if you are cheating by using copy and paste, you will need to remove them.  If you are hand typing the script, simple skip over them.

#
# RandQuote v1.1 (C)22NOV2015 by Brent Hendricks
# Added the ability to display quotes through cowsay.
# cowsay is written by Tomy Monroe (tomy@nog.net)
<CR>

Below the MacOS X note, and above the ## Get Terminal Width comment add the following.  Functions must be written before the main routine of your script.

COWSAY=0
<CR>
## Get Options
<CR>
while getopts “c” OPTION
do
          case $OPTION in
          c)
          COWSAY=1
          ;;
          esac
done
<CR>

Next we will cursor down to the ## Read Quote from Quote file, and add the following.

After gsed -n “${RECORD},+5p” $QUOTATIONS > $TEMP_QUOTATION

Highlight and copy the following, gsed -e :a -e “s/^.\{1,${TERMWIDE}\}$/ &/;ta” -e ‘s/\( *\)\1/\1/’ $TEMP_$

Delete  the line and add the following.

<CR>
if [ $COWSAY -eq 0 ]
then
Paste the line you cut from above. ‘gsed -e :a -e “s/^.\{1,${TERMWIDE}\}$/ &/;ta” -e ‘s/\( *\)\1/\1/’ $TEMP_$’
else
cat ${TEMP_QUOTATION} | cowsay
fi

The rest of the file remains untouched.  The entire listing should look like this.

1 #!/bin/bash4
2
3 # BASH script to display RANDOM QUOTE and center text depending on terminal width.
4 # BASH script and quotation taken from CNET Amiga 2 AREXX PFILE
5 # AMIGA Version Copyright 1992 Jim Selleck and Beverly James Products
6
7 # BASH Script and blog article (C)24MAY2015 By Brent Hendricks
8 # Scirpt and Quotes are public domain, the accompanying BLOG may only be used with permission.
9 # Contact brent.hendricks@catracing.org if you wish to republish the article.
10 # Please visit Brent’s World @ www.catracing.org\hendrb
11 #
12 # RandQuote v1.1 (C)22NOV2015 by Brent Hendricks
13 # Added the ability to display quotes through cowsay.
14 # cowsay is writen by Tomy Monroe (tomy@nog.net)
15
16 # NOTE: In order to make this script function properly with LINUX a compatibility
17 # checking routine was added. If you are using OSX you MUST download and install GNUsed
18 # The easiest way to do this is to install HOMEBREW.
19 # HOMEBREW can be installed by going to www.brew.sh
20 # Once installed use $brew install gnu-sed
21 # This script will automatically use GNU-sed (gsed)
22 # if using OSX.
23
24 COWSAY=0
25
26 ## Get Options
27
28 while getopts “c” OPTION
29 do
30 case $OPTION in
31 c)
32 COWSAY=1
33 ;;
34 esac
35 done
36
37 ## Get Terminal Width
38 TERMWIDE=”$(tput cols)”
39 ((TERMWIDE = TERMWIDE -3 ))
40
41 ## Set file path
42 QUOTATIONS=~/shell_scripts/logon/randquote/quotations
43 TEMP_QUOTATION=~/shell_scripts/logon/randquote/temp_quotation
44
45 ## get number of quoatations
46 QUOTES=”$(cat $QUOTATIONS | wc -l)”
47 ((QUOTES = QUOTES / 5))
48
49 ## Pick A Record
50 RECORD=$((RANDOM % $QUOTES *5))
51
52 ## Read Quote from QUOTATIONS file
53 gsed -n “${RECORD},+5p” $QUOTATIONS > $TEMP_QUOTATION
54
55 if [ $COWSAY -eq 0 ]
56 then
57 gsed -e :a -e “s/^.\{1,${TERMWIDE}\}$/ &/;ta” -e ‘s/\( *\)\1/\1/’ $TEMP_QUOTATION
58 else
59 cat ${TEMP_QUOTATION} | cowsay
60 fi
61 ## Remove $TEMP_QUOTATION scractch file
62 # rm -f “${TEMP_QUOTATION}”
63 exit 0

Save the file, and let’s go ahead and test our modifications to make sure everything works.

First let’s see if we can output the quotation through cowsay.  At your shell prompt, type.

$ ./randquote.sh –c

If everything is working as advertised, you should see the following output.

Just to be on the safe side, let us also test the nomal output without the –c option. At your shell prompt enter the following.

$ ./randquote.sh

If everything is working correctly, we will now replace randquote 1.0 with v1.1.  At your shell prompt type.

$ cp ./randquote.sh ~/shell_scripts/logon/randquote

That is all there is to it!  I hope you enjoyed this weeks MacOS X Technical Blog, and come back next week for more great articles!  If you wish to be notified when new content is posted, you may become a registered user by clicking here.