Like many Mac users, I’ve been busy this last week installing Apple’s Open Transport Tuner 1.0. This patch blocks a potential denial of service attack that can be launched from Macintosh systems running Mac OS 9 and certain CPU configurations running Mac OS 8.6 – see Geoff Duncan’s piece in this issue for details on the vulnerability and Apple’s fix.
John Copeland, a professor at the Georgia Institute of Technology, identified this potential attack after detecting a port scan on his home network. Credit should go to Mr. Copeland for discovering this vulnerability, but how this information was disseminated and the Macintosh community’s response to it have left something to be desired.
Heads in the Sand — Many of us in the Macintosh community have become smug about network security, and with good reason. For years, Macs have been the most secure platform for deployment of Internet servers, and have proven repeatedly they are almost invulnerable to network attacks or cracking. Although the Macintosh is still the most secure platform for Internet use, we can neither blithely ignore security issues nor overreact when security issues are identified. In this instance, the confusion was spread by Macintosh news and information services and mixed with a good helping of paranoia regarding Y2K cyber-terrorism. This incident highlights that we as a community don’t know how to deal with network security issues, simply because we’ve rarely had to deal with them before.
Looking to other communities can be instructive for us, and show us how the rest of the computing world has been dealing with their network security issues for years.
Stay Informed & Prepared — The CERT Coordination Center at Carnegie Mellon University is the global clearinghouse for network security alerts, advisories, and guidance. The CERT team updates their Web site each time a vulnerability is identified, and they rank the level of vulnerability along with providing links to patches. They also run an announcement mailing list so you don’t have to check their Web site every day.
There are also hundreds of books available that discuss network security. Books published by O’Reilly and Associates are generally of a high caliber. Nearly all of these titles are concerned with the Unix and Windows worlds, but many principles are generally applicable to any platform.
The BugTraq mailing list is also helpful if you’re interested in detailed technical analysis of current computer security issues for any platform.
Another good information resource is the System Administration, Networking, and Security (SANS) Institute. This group runs regular security workshops nationwide and has a Web site full of useful information. Much of their information is geared towards Unix administrators, but that leads me to my next point.
Mac OS X Server and the forthcoming Mac OS X have BSD Unix at their cores. This means once Mac OS X ships and is installed on our Macs, we will be running Unix workstations on our desktops – and we will potentially be just as vulnerable as any other Unix workstation. Although this doesn’t mean you will need to become a Unix system administrator to operate your Macintosh, it does mean you should keep yourself informed of network security topics and respond to issues and alerts in a timely fashion.
Handle Problems Responsibly — For years the Unix community has been dealing with these issues by following some simple steps:
- As issues are identified by end users, programmers, or security professionals, they are reported to CERT and appropriate software vendors
- CERT issues an advisory or alert, and the vendor releases a patch
- Affected users apply the patch, and life goes on
Note that nowhere in this list appear the words panic, fret, worry, or hide. If you’re one of the "lucky" people to identify a network security issue, you should:
- Contact CERT
- Contact the vendor(s) of the vulnerable product(s) involved
- Help them to identify and develop a patch
Also note that this list doesn’t include tasks like alerting the media, publicly speculating on possible ways of exploiting the problem, or suggesting what end users should do. Advising end users and providing accurate information is the job of CERT and the vendors, and they’ve been doing it for years.
Evaluate Reports Critically — Not everyone is a networking expert, and the level of detail available from resources like CERT can be overwhelming. It’s not necessary for everyday computer users to follow the technical minutiae of network security problems, but folks should know these resources exist so they’re better able to evaluate problem reports as they arise. When a new network security problem is reported, consider whether the problem report seems responsible and credible to you, whether the problem has been reproduced by trusted third parties, and whether CERT and software vendors have been informed or issued statements. The Internet can spread misinformation and unfounded speculation as rapidly as it can disseminate critical news and software updates – it’s always better to make an informed decision than let haste and trepidation get the better of you. In the immortal words of Douglas Adams (a diehard Mac user), Don’t Panic!
[Chris Kilbourn is President of digital.forest, Inc., a Mac-focused
network service provider specializing in FileMaker Pro database web
hosting, server colocation, QuickTime Streaming, and other Internet