XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)

All times are UTC - 8 hours




 Post subject: Mac OS X Security
PostPosted: Mon Feb 25, 2019 5:50 am 

Joined: Fri Dec 10, 2010 9:41 am
Posts: 798
Location: Halfway between New York City and Atlantic City
How secure is a Mac from being hacked, and is any vulnerability different if the Mac is powered up but in sleep mode?

Part of the reason I ask is because, sometimes, after waking the computer, the ClamXAV menu bar icon shows that Sentry has been paused. I can't tell whether it went into pause mode when I put the computer to sleep, or if it happens while the computer is waking. The ClamXAV authors are looking into this, but has anyone here noticed the same thing? It doesn't seem serious; I can just resume Sentry again.

Thanks.

_________________
_____________________
MacMini 2.5 GHz Intel Core i5, 16 GB RAM, OS 10.12.6


 Post subject: Re: Mac OS X Security
PostPosted: Mon Feb 25, 2019 8:26 am 

Joined: Thu May 15, 2008 8:07 pm
Posts: 2644
Location: Inside Flatus Maximus
System Preferences > Energy Saver > Uncheck Wake for ethernet network access, and if this is a laptop, uncheck Enable Power Nap. No more ethernet access capability while your system sleeps. This will prevent Apple updates from downloading while the system sleeps, but if you're sleeping the system you generally don't want it doing things while you're away now do you? ;)

_________________
Official Mac Tech Support Forum Cookie™ (Mint Chocolate Chip)
Guaranteed tasty; Potentially volatile when dipped in WWIII Forum Syrup®
Caution: This cookie bites back.


 Post subject: Re: Mac OS X Security
PostPosted: Mon Feb 25, 2019 11:00 am 

Joined: Fri Dec 10, 2010 9:41 am
Posts: 798
Location: Halfway between New York City and Atlantic City
Thanks, ST! I've never used the Wake for Ethernet Access or Power Nap options. But it's good to know handling them as per your suggestion is the best way to go.



 Post subject: Re: Mac OS X Security
PostPosted: Mon Feb 25, 2019 11:12 am 

Joined: Mon Sep 14, 2009 8:51 pm
Posts: 581
Location: Minnesota, USA
What happens if you have Ethernet activity taking place from the computer such as a large download initiated before leaving the computer but taking an hour to complete (e.g., an OS download)?


 Post subject: Re: Mac OS X Security
PostPosted: Mon Feb 25, 2019 12:00 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6545
Location: NYC
Squishy Tia wrote:
System Preferences > Energy Saver > Uncheck Wake for ethernet network access, and if this is a laptop, uncheck Enable Power Nap. No more ethernet access capability while your system sleeps. This will prevent Apple updates from downloading while the system sleeps, but if you're sleeping the system you generally don't want it doing things while you're away now do you? ;)

Not sure I follow. First, trivial detail, in 10.12, not seeing "Wake for ethernet network access," just "Wake for Network Access." But I do have this option checked in order to be able to send a magic packet to another Mac on the LAN (ethernet in fact) to wake up for file sharing. Have never had an Apple update downloading involuntarily, either during sleep or not -- at least not a major update. Do get XProtect updates automatically, but no idea if they ever arrive during sleep. Definitely want those anyway.

As for security concerns, as long as you're behind a router, you're not wide open to anything on the Internet, and don't see any issue with allowing that option, or, for that matter, with file sharing if it's over the LAN only.

Besides:

Attachment: Screen Shot 2019-02-25 at 3.16.03 PM.png


 Post subject: Re: Mac OS X Security
PostPosted: Mon Feb 25, 2019 4:07 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10500
Location: Caught between the moon and NYC
If you have scheduled tasks, like setting your system to turn on at a certain time or shut off at a certain time, then those tasks won't run if power nap is disabled.


 Post subject: Re: Mac OS X Security
PostPosted: Wed Feb 27, 2019 5:50 pm 

Joined: Fri Feb 18, 2011 10:38 pm
Posts: 410
MikeHarrison wrote:
How secure is a Mac from being hacked, and is any vulnerability different if the Mac is powered up but in sleep mode?...Thanks.


Console (system log) might give you a clue as to what is happening during sleep/waking.

I got seriously hacked in the summer of 2014. It was an ARP cache attack. The ARP cache was filled completely with all sorts of strange code. I think it happened during computer sleep, but I'm not positive on that. The ISP's modem was damaged almost useless from the attack, as were two of my routers. I was able to reload firmware on my routers and get them working again. The ISP gave me a new router.

The attack starts from the internet, downloading the package to the boot drive's firmware using undocumented SATA commands. It is transferred to the Mac EFI firmware on a reboot.

https://www.computerworld.com.au/article/566601/equation-super-cyberspies-target-macs-malware-too/

https://nsa.gov1.info/dni/nsa-ant-catalog/computers/index.html

Once the code is embedded in the Mac EFI firmware it is next to impossible to remove.

Networking was disabled, most firmware functions were disabled, and kernel panics kept shutting down the machine. I tried everything under the sun, from booting from external drives to force-reloading firmware.

I finally was forced to replace the backplane board to get up and running again (2010 Mac Pro 12-core Xeon).

What I learned from this experience:
1. Block multicast addresses from the internet.
2. Use a commercial-type firewall/router such as WatchGuard.
3. Use a good onboard firewall such as Little Snitch, Hands Off! and/or the built-in Unix firewall (IPFW). Note: IPFW HAS BEEN COMPLETELY REMOVED FROM OS X 10.10 YOSEMITE (Developer Preview 1). IPFW is no more since Yosemite or later.
4. Boot from RAID to protect from HD firmware attacks.

It seems as though OS manufacturers and consumer router manufacturers are no longer interested in internet security. The latest consumer routers have almost no security setting options available for use unless you buy their top-of-the-line models that cost almost as much as commercial routers.

I hope your antivirus program only has a software glitch. I thought you should be aware, though, that there are some nasty critters out there that can attack your Mac.

_________________
Mac pro 1,1 - Mac pro 5,1 w/Areca Raid - Macbook pro 8,3 - Snow Leopard, Mountain lion and Mavericks.
"You know, you can't tell which way the train went by looking at the tracks."


 Post subject: Re: Mac OS X Security
PostPosted: Wed Feb 27, 2019 7:00 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 15911
Appreciate the info kjk555. :coffee:


 Post subject: Re: Mac OS X Security
PostPosted: Wed Feb 27, 2019 8:34 pm 

Joined: Thu May 15, 2008 8:07 pm
Posts: 2644
Location: Inside Flatus Maximus
As much as I hate to say it, a firewall isn't going to help much against an ARP attack, as those are embedded DOCSIS protocols (required to even provision a modem). If ARP cache attacks are getting through, your ISP has a misconfigured CMTS and that means its line cards are vulnerable as well. Properly updated modem firmwares and CMTS code will generally keep this from occurring. Either way, it's on the ISP to update their CMTS and the CPE at the user's end.



 Post subject: Re: Mac OS X Security
PostPosted: Wed Feb 27, 2019 8:41 pm 

Joined: Fri Feb 18, 2011 10:38 pm
Posts: 410
BDAqua wrote:
Appreciate the info kjk555. :coffee:


Cheap RAID for 2006 - 2012 Mac Pro:
https://www.addonics.com/products/aerd25sn35.php

This is hardware RAID. (Using Mac software RAID offers no HD firmware rootkit protection.) I have used these now for 5 years with no problems when equipped with dual Samsung 850 Pro SSDs running RAID 0. The only problem I've had is them hanging a bit on the Mac's SAS-style HD motherboard connector (installing or removing). You can easily trim the plastic connector opening on the snap-25 a bit with an X-Acto knife so it will clear nicely when installing or removing the drive. If installing it in the CD bay you will not need to modify it.

Mac software RAID is okay though for non-bootable data drives.



 Post subject: Re: Mac OS X Security
PostPosted: Wed Feb 27, 2019 9:31 pm 

Joined: Fri Feb 18, 2011 10:38 pm
Posts: 410
Squishy Tia wrote:
As much as I hate to say it, a firewall isn't going to help much against an ARP attack, as those are embedded DOCSIS protocols (required to even provision a modem). If ARP cache attacks are getting through, your ISP has a misconfigured CMTS and that means its line cards are vulnerable as well. Properly updated modem firmwares and CMTS code will generally keep this from occurring. Either way, it's on the ISP to update their CMTS and the CPE at the user's end.


True, most firewalls are useless to prevent ARP poisoning attacks, but packet-sniffing type firewalls usually reject spoofed packets, as the commercial WatchGuard firewall does. My WatchGuard firewall is placed between the computer(s) and the ISP modem.

Since setting up the WatchGuard and blocking the multicast addresses, I've never seen any false entries in the ARP cache.

I also block multicast addresses in the Hands Off! software firewall and allow only outgoing connections.

Furthermore, I also spoof my MAC address, run a VPN and turn internet sharing off.

The last couple of years I've been using a business-class ISP connection. The new ISP does a great job of keeping hackers off the line, as they actually have excellent firewall protection between their customers and the internet. Before I started using them I would get hundreds of hack attempts logged daily in the WatchGuard log. Now the WatchGuard log is totally absent of incoming hack attempts. It is quite boring to read now. :)


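A defender-side check for the kind of false ARP cache entries kjk555 describes in the two posts above (the 2014 ARP cache attack and the WatchGuard setup). This is an added example, not code from any poster or product: it parses macOS `arp -a` output (the sample snapshots below are constructed) and compares two snapshots for a changed gateway MAC, one MAC claiming several IPs, and unicast IPs resolving to multicast/broadcast MACs.

```python
# Added example: flag the classic signs of ARP poisoning in macOS `arp -a` output.
import ipaddress
import re
from collections import defaultdict

# One arp -a line, e.g. "? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]"
_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\)) on ")

def parse_arp(text):
    """Return {ip: mac} from arp -a output; MACs zero-padded and lower-cased."""
    table = {}
    for m in _LINE.finditer(text):
        mac = m.group("mac")
        if mac != "(incomplete)":  # unresolved entries carry no MAC to check
            table[m.group("ip")] = ":".join(o.zfill(2) for o in mac.lower().split(":"))
    return table

def find_anomalies(baseline, current):
    """Compare two snapshots; return (kind, detail) findings, empty if sane."""
    findings, by_mac = [], defaultdict(list)
    for ip, mac in current.items():
        if ipaddress.ip_address(ip).is_multicast:
            continue  # 224.0.0.0/4 legitimately maps to 01:00:5e:xx MACs
        if ip in baseline and baseline[ip] != mac:
            findings.append(("mac_changed", f"{ip}: {baseline[ip]} -> {mac}"))
        if int(mac[:2], 16) & 1:  # group bit set: multicast/broadcast MAC for a unicast IP
            findings.append(("group_mac_for_unicast_ip", f"{ip} -> {mac}"))
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one NIC answering for several hosts
            findings.append(("mac_claims_multiple_ips", f"{mac}: {sorted(ips)}"))
    return findings

# Constructed sample snapshots (not captured from a real network).
BASELINE = """? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:dd:ee:1 on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
"""
CURRENT = """? (192.168.1.1) at aa:bb:cc:dd:ee:1 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:dd:ee:1 on en0 ifscope [ethernet]
? (192.168.1.30) at (incomplete) on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
"""

if __name__ == "__main__":
    for kind, detail in find_anomalies(parse_arp(BASELINE), parse_arp(CURRENT)):
        print(kind, detail)
```

On a live Mac, feed the output of `arp -a` taken while the network is known-good to `parse_arp` as the baseline and a later capture as the current snapshot; a gateway whose MAC suddenly matches another LAN host is the pattern to investigate.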

 Post subject: Re: Mac OS X Security
PostPosted: Wed Feb 27, 2019 9:37 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 15911
Is this the Watchdog you're referring to?

https://support.qubytecorp.com/hc/en-us ... ac-OSX-iOS


 Post subject: Re: Mac OS X Security
PostPosted: Wed Feb 27, 2019 10:16 pm 

Joined: Fri Feb 18, 2011 10:38 pm
Posts: 410
BDAqua wrote:
Is this the Watchdog you're referring to?

https://support.qubytecorp.com/hc/en-us ... ac-OSX-iOS


I have two of them: WatchGuard XTM 25 and XTM 25-W.

I paid less than $175 each for them. It took a while to find a good deal on them. The first one was used (almost new). The guy couldn't figure out how to set it up. He never even registered it with the factory. The second one (the wireless one) I just bought last year. It is new and was a clearance item. They have introduced a new Firebox series now. Actually they reused the Firebox name; the first series were named Firebox.



 Post subject: Re: Mac OS X Security
PostPosted: Thu Feb 28, 2019 12:41 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10500
Location: Caught between the moon and NYC
WG used to have really solid products, then they merged with someone or other and outsourced all the development to Southeast Asia and oh my god the problems flooded in. Not sure what's happened since; I had them at my last workplace until we abandoned them about 10-15 years ago due to all the unsolved issues that support refused to fix. Pay for a support contract and not have them investigate or solve bugs. Yeah, that makes sense.

Personally I like Ubiquiti's gear for now. I keep hoping they'll release 2.0 and move more CLI functionality to the GUI, but it's been the better part of a year and it hasn't made it past alpha, and only on some of their hardware platforms at that. Not quite as flexible as using an x86 box and any old firewall distribution you want, but for the money it's hard to argue.

Edit: Look at that, they released 2.0 in January right while I was in the middle of moving half the company around. Too bad I'm moving half the company again because the &*(#&%*(#$ roof sprung leaks because the old property owner apparently paid off a building inspector to say the roof had up to 8 years left in it, despite springing minor leaks the last 2 years. Now it's a deluge.


 Post subject: Re: Mac OS X Security
PostPosted: Thu Feb 28, 2019 7:22 am 

Joined: Thu May 15, 2008 8:07 pm
Posts: 2644
Location: Inside Flatus Maximus
The issue with having deep packet inspection (DPI) to mitigate an ARP poison attack is that it isn't doable on the consumer end with current gear. You need devices like the WG ones or those from Ubiquiti or Mikrotik if you have anything 400 Mbit/sec or faster. Below that you might get away with no throughput loss, but at ≥400 Mbit/sec, you must have hardware offloading for DPI, and that isn't cheap. So it necessitates either an extra box in between your cable modem and router or a much more expensive enterprise router/gateway solution to mitigate.

Personally, if I had the money to afford gigabit, then I'd likely go with the Mikrotik CCR1072-1G-8S+ or at a minimum the Mikrotik CCR1036-8G-2S+EM, as they actually have worthwhile CPUs and can process the required number of PPS with DPI active for a gigabit account. And as a plus, since they have SFP+ cages, you can connect them directly to a fiber node using an SFP+ optical/fiber adapter module, no ONT needed.

Those seem like overkill, but when you're talking high bandwidth with DPI, it really isn't.



 Post subject: Re: Mac OS X Security
PostPosted: Thu Feb 28, 2019 1:57 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10500
Location: Caught between the moon and NYC
The speed of the connection and the features being enabled are key, but the ER-X is under $100 and can handle around 300-400Mb connections with DPI (though over time the number has risen; when it was introduced it was 100Mb), though you have to use the CLI to enable all the hardware offloading.

It's amazing hardware for the price point, I just wish its CLI was a little more, well, familiar. It's just different enough from Cisco and Juniper and everyone else that I lament the lack of an O'Reilly "nutshell" book for it. I know what I want to do but finding the syntax and commands is always a challenge.

