Hacker News new | ask | show | jobs
by valarauca1 4314 days ago
There was a very good talk at defcon21 (I believe) about Apple Security. It wasn't super in-depth, it basically covered fire-walling.

Basically by default OSX ships with its firewall completely off. Turning on your firewall, blocks most ports except the few that are by default for standard black box mac services. If you turn on enhanced stealth mode firewall, you block pings. Not the entire IMCP protocol, just pings. And nothing else. So you can sync PRNG.

Also there is issues in bonjour's UDP handling which let you consume all CPU resources (pin the processor at 100% remotely, no permissions just UDP spam). Remotely, also bonjour can't be disabled or blocked by the GUI firewall.

:.:.:

A lot of people look at OSX and say, "Hey its a unix, I'm safe." And they aren't. No Unix is safe by default, even OpenBSD requires you watch what your doing.
2 comments
ianstallings 4314 days ago
People should also look into the full disk encryption feature provided, FileVault, because it's turned off by default. It's a little beyond your average security measures but it helps me sleep a little better.
link
artmageddon 4314 days ago
I'm a fairly new OSX user, been on Windows for most of my life and on Linux for a bit. Do you have any suggestions on guides for increasing security?
link
Osmium 4314 days ago
Advice is fairly standard: don't make your main account an Admin account, give your password out sparingly to apps that ask for it, try to use only sandboxed apps (i.e. from the App Store), don't turn on un-needed services (these are mostly in the Sharing pane in System Preferences). If you don't like Apple's default firewall rules, I believe OS X has BSD-standard ipfw installed by default, so you can use that and modify it to your liking.

Mostly, though, I'd say don't panic. Keep OS X updated and you should be fine (inc. Flash if you use it in Safari, and keep rarely-used web plugins disabled by default). Zero-days are always a worry, but you'll never see them coming by definition, so there's not a lot you can do about it...

[Note, I am by no means an expert]

Edit: and, as another poster said, enable FileVault. It's a great, stable and fast (on modern Macs, any slow-down should be imperceptible to the user) protection against casual data theft if someone steals your computer.

link
valarauca1 4314 days ago
I can't offer exactly domain advice. I don't use OSX myself. But I can offer board advice. Learn the options, learn what they do, learn why they do that, and what you gain.

Basically never trust a computer to keep you safe on its own, if it promises to its likely lying (or OpenBSD).

link