Security flaw No. 3: Everybody's an administrator (or not)
Apple has a binary attitude when it comes to modifying system settings, gaining access at the command line to its Unix underpinnings, and installing software: You're either an administrator -- or you're not.
For home users and small businesses, the distinction is probably enough. An unprivileged or normal user can be restricted via parental controls and typically can't create user accounts, enable file-sharing services, or install certain kinds of software. For that, an administrative-flagged account is needed.
But with administrator privilege set, a user can turn on features through switches in System Preferences, such as enabling Samba -- "the Mac version is typically three to six months out of date," Mogull says -- or using the Terminal application to activate any of the thousands of Unix daemons and servers that ship as part of a stock Mac OS X system.
"It's hard to enable those things on Windows," says Thomas Ptacek, a principal consultant at security firm Matasano Chargen, noting that even when such settings are available in Windows, the settings are typically obscure or complicated enough to deter average users. By contrast, a single click might be enough in Mac OS X.
Solution: Limit administrative accounts to users that require them.
Security flaw No. 4: Naive use of Back to My Mac
Mac OS X includes one special service that sounds alarming at first glance -- and can be a real security hole in unmanaged environments. Back to My Mac, a remote access system built into Mac OS X 10.5, requires both a MobileMe account (formerly .Mac) from Apple and administrator privileges. Back to My Mac operates like the GoToMyPC familiar to Windows administrators, although it's less insistent about working around intentional blockades.
While Apple uses IPv6 tunnels, IPsec encryption, and Kerberos tickets to secure connections, starting up such a connection from anywhere on the Internet requires just the password to someone's MobileMe account. With that password, all computers with Back to My Mac enabled can have their files examined or screens remotely controlled.
In a managed enterprise, security experts don't believe that Back to My Mac creates any real risk, despite its feature set. "No enterprise is going to allow something like Back to My Mac unless it's running through a VPN tunnel," Mogull says, at which point it would conform to the enterprise's policy. If users are running Back to My Mac on their own, "it would mean that [IT] royally screwed up" the firewall, he adds.
Matasano Chargen's Ptacek says that Back to My Mac will eventually fall under the category of services that businesses ban their employees from using in the office. "Enterprise users are not allowed to use Gmail or Yahoo Mail," he notes, and Back to My Mac should be treated the same.
Solution: Confirm that Back to My Mac won't work in your environment. Establish a policy that bans its use.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Mimosa™ NearPoint™ for Microsoft® Exchange Server: Email Archiving 101
CRM your salespeople will love
Taking On Demand CRM Integration to the Next Level
Achieving the impossible: Unlimited application scalability
Best Practice in Building an Integrated Information Management Strategy
Delivering the Power of Choice with Microsoft Dynamics CRM
Solve Exchange Mailbox Storage Issues Once and for All
Email Archiving Implementation: Five Costly Mistakes to Avoid
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
AOC Launches 18.5” Widescreen Green 16:9 LCD Monitor in Australia and New Zealand 2008-12-03 15:30:00+11
FrontRange Solutions eases software license management with new License Manager 3.0 2008-12-03 14:56:00+11
Progress Software's Cure for Managing Services-based Applications 2008-12-03 14:42:00+11
S3 Graphics Unleashes Full OpenGL® 3.0 API Support with Beta Driver for Chrome 500 Series GPUs 2008-12-03 14:08:00+11
Informatica Powercenter added to Nec Infoframe Solution Suite 2008-12-03 11:36:00+11
Still Sneaking In: The Threats Your Security Tools Aren't Telling You About
Web 2.0 applications are all the rage, offering us tremendous value when it comes to collaboration and communication. They also open us up to new kinds of attacks however, and can cause problems in keeping systems and data secure. Read on to learn about the new attack methods and how you can defend yourself and your business.
Buying Guides
Buying Guides
