ch20.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,184 行 · 第 1/4 页

	a good idea.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The previous paragraph
	is excerpted from an article by Alan B. Oppenheimer titled &quot;Getting Your Apple
	Internet Server Online: A Guide to Providing Internet Services.&quot; This article
	can be found online at <A HREF="http://product.info.apple.com/productinfo/tech/wp/aisswp.html"><TT>http://product.info.apple.com/productinfo/tech/wp/aisswp.html</TT></A>.
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>The previously excerpted article
	(&quot;Getting Your Apple Internet Server Online: A Guide to Providing Internet Services&quot;)
	is truly invaluable. I endorse it here as the definitive document currently available
	online that discusses establishing an Apple Internet server. It is based largely
	on the real-life experiences of technicians (primarily Oppenheimer and those at Open
	Door) in establishing a large server. The technical quality of that paper is nothing
	short of superb (and far exceeds the quality of most online presentations with similar
	aspirations). 
<HR>


</BLOCKQUOTE>

<P>Certainly, it has already been proven that a Mac Web server can be vulnerable
to denial-of-service attacks, including the dreaded Sequence of Death. In a recent
article by Macworld, the matter is discussed:

<DL>
	<DD>...for Mac Webmaster Jeff Gold, frustration turned to alarm when he realized
	that a mere typo caused his entire Mac-served site to crash. Gold's crash occurred
	while he was using StarNine's WebStar Web server software and the plug-in version
	of Maxum Development's NetCloak 2.1, a popular WebStar add-on. Adding certain characters
	to the end of an URL crashes NetCloak, bringing down the server. To protect the thousands
	of sites using NetCloak, neither Gold nor Macworld will publicly reveal the character
	sequence, but it's one that wouldn't be too difficult to enter. After further investigation,
	Macworld discovered that the problem surfaces only when a server runs the plug-in
	version of NetCloak. When we removed the plug-in and used the NetCloak CGI instead,
	the Sequence of Death yielded only a benign error message.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The previous paragraph
	is excerpted from an article by Jim Heid titled &quot;Mac Web-Server Security Crisis:
	Specific Character Sequence Crashes Servers.&quot; It can be found online at <A HREF="http://www.macworld.com/daily/daily.973.html"><TT>http://www.macworld.com/daily/daily.973.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Note that this problem was unrelated to Apple. This brings back the point that
I have made many times: When software developers and engineers are developing packages
at different times, in different places, and within the confines of different companies,
security holes can and do surface. This is because acquiring the API is sometimes
not enough. Here is a great example of such a situation: Have you ever used version
1.5.3 of ASD's DiskGuard? If you have, I'll bet you were a bit confused when you
couldn't access your own hard disk drive:

<DL>
	<DD>Security software is supposed to keep the bad guys out, but let you in. In some
	cases, version 1.5.3 of ASD software's DiskGuard was preventing even a system's owner
	from accessing their machine. This week the company posted a patch for its security
	software application; version 1.5.4 fixes several compatibility problems--including
	locked and inaccessible hard drives--between DiskGuard 1.5.3 and several Mac systems.
	If you use DiskGuard on a PowerMac 7200, 7500, 8500, or a PowerBook 5300/5300c, ASD's
	technical support recommends you upgrade. The patch is available directly from ASD
	Software (909/624-2594) or from the ASD forum on CompuServe (Go ASD).
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The previous paragraph
	is excerpted from an article by Suzanne Courteau titled &quot;ASD Fixes DiskGuard
	Bugs. Problem with Locked Drives Corrected.&quot; It can be found online at <A HREF="http://www.macworld.com/daily/daily.6.html"><TT>http://www.macworld.com/daily/daily.6.html</TT></A>.
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>This reminds me of the version of
	Microsoft Internet Explorer that forced a password check on most sites (and to boot,
	refused to authenticate anything the user attempted to use as a password). 
<HR>


</BLOCKQUOTE>

<P>However, all this discussion is really immaterial. Average Macintosh users are
not security fanatics and therefore, their personal machines are probably subject
to at least minimal attack. This will depend on whether they have their disk and
resources shared out. The Macintosh file sharing system is no less extensive (nor
much more secure) than that employed by Microsoft Windows 95. The only significant
difference is that in the Mac environment, you can not only turn off file sharing,
but also pick and choose which files you want to share. This is done by going to
the Sharing Options panel and making the appropriate settings.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find an excellent
	quick tutorial of how to manipulate the sharing settings at <A HREF="http://bob.maint.alpine.k12.ut.us/ASD/Security/MacSecurity.html#Sys7Sharing"><TT>http://bob.maint.alpine.k12.ut.us/ASD/Security/MacSecurity.html#Sys7Sharing</TT></A>.
	Macintosh Network Security. Alpine School District Network Security Guidelines. (I
	have been unable to ascertain the author of this document. Too bad. They did a wonderful
	job.) Last apparent date of modification January 29, 1997. 
<HR>


</BLOCKQUOTE>

<P>Naturally, in a network, this may be a complex matter. Your choices will be made
depending on the trust relationships in your organization. For example, if you are
in a publishing department of a magazine, perhaps you take commercial advertisements
but the copy for these is generated in another portion of the building (or at the
very least, another portion of the network). It may require that you share a series
of folders so that you can conveniently traffic ad copy between your department and
the advertising department.</P>
<P>The file sharing hole is a matter of extreme concern. At the very least, every
Mac user should establish a password for himself as the owner of the machine. Furthermore,
that password should be carefully considered. Mac passwords are subject to attack,
the same as any other password on every password system ever created. Care should
be taken to choose a characteristically &quot;strong&quot; password. If this term
<I>strong password</I> is a foreign concept to you, please review Chapter 10, which
contains a series of references to reports or technical white papers that discuss
the difference between weak and strong password choices and how to make them. Finally
(and perhaps most importantly), guest access privileges should be set to inactive.</P>
<P>But, then, as most experienced Mac users know, file sharing is not the only security
hole in the Macintosh environment. There are obscure holes and you have to dig very
deep to find them. Apple (much like Microsoft) is not nearly as gung-ho about advertising
vulnerabilities on their platform as, say, the average UNIX vendor. Typically, they
keep the matter a bit more isolated to their particular community.</P>
<P>Naturally, MacOS holes are like holes on any other operating system. Today, if
you purchase a brand new Mac with the latest distribution of MacOS, you have a guarantee
of good security. However, again, not everyone uses the latest and the greatest.
For example, do you remember Retrospect? If you have used it (or are now using it)
have you ever seen this advisory:

<DL>
	<DD>When you install the Retrospect Remote Control Panel and restart, Remote is activated
	and waits for the server to download a security code and serial number. If the server
	does not do this, anyone with a copy of Retrospect and a set of serial numbers can
	initialize your system, backup your hard drive to theirs, and then de-initialize
	your system without you noticing.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The preceding paragraph
	is excerpted from an article titled &quot;Retrospect Remote Security Issue&quot;
	(ArticleID: TECHINFO-0016556; 19960724. Apple Technical Info Library, February 1995).
	It can be found on the Web at <A 
HREF="http://cgi.info.apple.com/cgi-bin/read.wais.doc.pl?/wais/TIL/DataComm!Neting&Cnct/Apple!Workgroup!Servers/Retrospct!Remote!Security!Issue"><TT>http://cgi.info.apple.com/cgi-bin/read.wais.doc.pl?/wais/TIL/DataComm!Neting&amp;Cnct/Apple!Workgroup!
Servers/Retrospct!Remote!Security!Issue</TT></A>.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Apple's white papers
	(which admittedly shed little light on security, but are of some value in identifying
	sources on the subject) can be accessed at <A HREF="http://product.info.apple.com/productinfo/tech/"><TT>http://product.info.apple.com/productinfo/tech/</TT></A>
	or at <A HREF="http://til.info.apple.com/til/til.html"><TT>http://til.info.apple.com/til/til.html</TT></A><TT>.</TT>
	
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>Anti-Cracker Tools</B></FONT></H2>
<P>So much for programs that help crackers gain unauthorized access to your system.
Now I would like to detail a few programs that will keep those curious folks out.
<H3><FONT COLOR="#000077"><B>StartUpLog</B></FONT></H3>
<P>Created by Aurelian Software and Brian Durand, StartUpLog is a snooper application.
It begins logging access (and a host of other statistics) from the moment the machine
boots. Using this utility is very easy. It ships as a Control Panel. You simply install
it as such and it will run automatically, logging the time, length, and other important
information of each access of your Mac. It's good for parents or employers.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>StartUpLog is available
	at <A HREF="http://cdrom.amug.org/http/bbs/148690-3.desc.html#startuplog-2.0.1.sit"><TT>http://cdrom.amug.org/http/bbs/148690-3.desc.html#startuplog-2.0.1.sit</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Super Save</B></FONT></H3>
<P>For the ultimate paranoiac, Super Save is truly an extraordinary utility. This
utility will record every single keystroke forwarded to the console. However, in
a thoughtful move, the author chose to include an option with which you can disable
this feature whenever passwords are being typed in, thus preventing the possibility
of someone else later accessing your logs (through whatever means) and getting that
data. Although not expressly designed for security's sake (more for data crash and
recovery), this utility provides the ultimate in logging.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Super Save is available
	at <A HREF="ftp://ftp.leonardo.net/claireware/SuperSave.v200.sit.hqx"><TT>ftp://ftp.leonardo.net/claireware/SuperSave.v200.sit.hqx</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>BootLogger</B></FONT></H3>
<P>BootLogger is a little less extreme than either StartUpLog or Super Save. It basically
reads the boot sequence and records startups and shutdowns. It is a less resource-consuming
utility. I suggest using this utility first. If evidence of tampering or unauthorized
access appears, then I would switch to Super Saver.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>BootLogger is available
	at <A HREF="ftp://ftp.amug.org/bbs-in-a-box/files/util/security/bootlogger-1.0.sit.hqx"><TT>ftp://ftp.amug.org/bbs-in-a-box/files/util/security/bootlogger-1.0.sit.hqx</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>DiskLocker</B></FONT></H3>
<P>DiskLocker is a utility that write protects your local hard disk drive. Disks
are managed through a password-protect mechanism. (In other words, you can only unlock
the instant disk if you have the password. Be careful not to lock a disk and later
lose your password.) The program is shareware (written by Olivier Lebra in Nice,
France) and has a licensing fee of $10.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>DiskLocker is available
	for download from <A HREF="ftp://ftp.amug.org/bbs-in-a-box/files/util/security/disklocker-1.3.sit.hqx"><TT>ftp://ftp.amug.org/bbs-in-a-box/files/util/security/disklocker-1.3.sit.hqx</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>FileLock</B></FONT></H3>
<P>FileLock is a little more incisive than DiskLocker. This utility actually will
do individual files or groups of files or folders. It supports complete drag-and-drop
functionality and will work on both 68K and PPC architectures. It's a very handy
utility, especially if you share your machine with others in your home or office.
It was written Rocco Moliterno (Italy).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>FileLock is available
	from <A HREF="http://hyperarchive.lcs.mit.edu/HyperArchive/Archive/disk/filelock-132.hqx"><TT>http://hyperarchive.lcs.mit.edu/HyperArchive/Archive/disk/filelock-132.hqx</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Sesame</B></FONT></H3>
<P>Sesame is likely to become an industry standard (much as Mac Password has). Sesame
offers full-fledged password protection for the MacOS. First, the utility offers
several levels of protection. For example, you can create an administrator password
and then individual user passwords beneath it. Moreover, Sesame will actually protect
against a floppy boot attack. In other words, whatever folders or files you hide
or password protect with this utility, those options will still be evident (and the
controls still present) even if a local user attempts to bypass security measures
by booting with a floppy disk. This is shareware with a $10 licensing fee and was
written by Bernard Frangoulis (France).