From f7b6e9562cd13d0f43b3215e730979941d0482c1 Mon Sep 17 00:00:00 2001 From: "Dr. Duh" Date: Sun, 17 Apr 2016 18:38:21 -0400 Subject: [PATCH] Create section for related software. Fix #96. --- README.md | 50 ++++++++++++++++++++++++++++---------------------- 1 file changed, 28 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 6f362880..9c1926a0 100755 --- a/README.md +++ b/README.md @@ -47,16 +47,16 @@ If you wish to make a correction or improvement, please send a pull request or [ - [SSH](#ssh) - [Physical access](#physical-access) - [System monitoring](#system-monitoring) - - [Open source monitoring tools](#open-source-monitoring-tools) - [OpenBSM audit](#openbsm-audit) - [DTrace](#dtrace) - [Execution](#execution) - [Network](#network) - [Miscellaneous](#miscellaneous) +- [Related software](#related-software) - [Additional resources](#additional-resources) ## Basics -The standard best security practices apply. +The standard best security practices apply: * Create a threat model * What are you trying to protect and from whom? Is your adversary a [three letter agency](https://theintercept.com/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/) (if so, you may want to consider using [OpenBSD](http://www.openbsd.org/) instead), a nosy eavesdropper on the network, or determined [apt](https://en.wikipedia.org/wiki/Advanced_persistent_threat) orchestrating a campaign against you? 
@@ -236,7 +236,7 @@ Enable Filevault with `sudo fdesetup enable` or using **System Preferences** and If you can remember your password, there's no reason to save the **recovery key**. However, your encrypted data will be lost forever if you can't remember the password or recovery key. -If you want to know more about how Filevault 2 works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) [pdf] +If you want to know more about how Filevault 2 works, see the paper [Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption](https://eprint.iacr.org/2012/374.pdf) [pdf] and related [presentation](http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf) [PDF]. and [IEEE Std 1619-2007 “The XTS-AES Tweakable Block Cipher”](http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf) [pdf] @@ -876,7 +876,7 @@ When choosing a VPN service or setting up your own, be sure to research the prot Some clients may send traffic over the next available interface when VPN is interrupted or disconnected. See [scy/8122924](https://gist.github.com/scy/8122924) for an example on how to allow traffic only over VPN. ## Viruses and malware -There is an ever-increasing amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! +There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. 
@@ -1047,14 +1047,6 @@ Consider purchasing a [privacy filter](https://www.amazon.com/s/ref=nb_sb_noss_2 ## System monitoring -#### Open source monitoring tools - -[facebook/osquery](https://github.com/facebook/osquery) can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. More information can be found at . - -[google/grr](https://github.com/google/grr) is an incident response framework focused on remote live forensics. - -[jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names. - #### OpenBSM audit OS X has a powerful OpenBSM auditing capability. You can use it to monitor process execution, network activity, and much more. 
@@ -1167,10 +1159,32 @@ Consider [sandboxing](https://developer.apple.com/library/mac/documentation/Darw Did you know Apple has not shipped a computer with TPM since [2006](http://osxbook.com/book/bonus/chapter10/tpm/)? +## Related software + +[Santa](https://github.com/google/santa/) - A binary whitelisting/blacklisting system for Mac OS X. + +[SummitRoute/osxlockdown](https://github.com/SummitRoute/osxlockdown) - audit, and remediate, security configuration settings on OS X 10.11 (El Capitan). + +[Lockdown](https://objective-see.com/products/lockdown.html) - tool for El Capitan that audits and remediates security configuration settings. + +[Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked. + +[facebook/osquery](https://github.com/facebook/osquery) - can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. + +[google/grr](https://github.com/google/grr) - incident response framework focused on remote live forensics. + +[yelp/osxcollector](https://github.com/yelp/osxcollector) - A forensic evidence collection & analysis toolkit for OS X. + +[jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) - analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names. + +[libyal/libfvde](https://github.com/libyal/libfvde) - library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. 
+ ## Additional resources *In no particular order* +[Mac Developer Library: Secure Coding Guide](https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html) + [OS X Core Technologies Overview White Paper](https://www.apple.com/osx/all-features/pdf/osx_elcapitan_core_technologies_overview.pdf) [Reverse Engineering Mac OS X blog](https://reverse.put.as/) @@ -1179,14 +1193,10 @@ Did you know Apple has not shipped a computer with TPM since [2006](http://osxbo [Patrick Wardle's Objective-See blog](https://objective-see.com/blog.html) -[Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - [Managing Macs at Google Scale (LISA '13)](https://www.usenix.org/conference/lisa13/managing-macs-google-scale) [OS X Hardening: Securing a Large Global Mac Fleet (LISA '13)](https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-mac-fleet) -[Yelp's forensic evidence collection & analysis toolkit for OS X](https://github.com/yelp/osxcollector) - [DoD Security Technical Implementation Guides for Mac OS](http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx) [The EFI boot process](http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html) @@ -1201,8 +1211,6 @@ Did you know Apple has not shipped a computer with TPM since [2006](http://osxbo [Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/) -[Santa: A binary whitelisting/blacklisting system for Mac OS X](https://github.com/google/santa/) - [IPv6 Hardening Guide for OS X](http://www.insinuator.net/2015/02/ipv6-hardening-guide-for-os-x/) [Hacker News discussion](https://news.ycombinator.com/item?id=10148077) 
@@ -1221,14 +1229,10 @@ Did you know Apple has not shipped a computer with TPM since [2006](http://osxbo [MacAdmins on Slack](https://macadmins.herokuapp.com/) -[SummitRoute/osxlockdown](https://github.com/SummitRoute/osxlockdown) - [iCloud security and privacy overview](http://support.apple.com/kb/HT4865) [Demystifying the DMG File Format](http://newosxbook.com/DMG.html) -[libyal/libfvde](https://github.com/libyal/libfvde) - [There's a lot of vulnerable OS X applications out there (Sparkle Framework RCE)](https://vulnsec.com/2016/osx-apps-vulnerabilities/) [iSeeYou: Disabling the MacBook Webcam Indicator LED](https://jscholarship.library.jhu.edu/handle/1774.2/36569) @@ -1238,3 +1242,5 @@ Did you know Apple has not shipped a computer with TPM since [2006](http://osxbo [Mac Forensics: Mac OS X and the HFS+ File System](https://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) [pdf] [Extracting FileVault 2 Keys with Volatility](https://tribalchicken.com.au/security/extracting-filevault-2-keys-with-volatility/) + +[Auditing and Exploiting Apple IPC](https://googleprojectzero.blogspot.com/2015/09/revisiting-apple-ipc-1-distributed_28.html) \ No newline at end of file
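Review bot: the table-of-contents edit in the first hunk (`@@ -47,16 +47,16 @@`) is consistent with the body: the removed `- [Open source monitoring tools]` sub-entry matches the subsection deleted under `## System monitoring`, and the new top-level `- [Related software](#related-software)` matches the `## Related software` heading added further down. The `apply.` to `apply:` change is a drive-by that the commit message does not mention; it is harmless because a bullet list follows, but it belongs either in the message or in a separate commit.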
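Review bot: in the FileVault hunk (`@@ -236,7 +236,7 @@`) the added sentence now ends with a period, but the unchanged line that follows begins `and [IEEE Std 1619-2007 “The XTS-AES Tweakable Block Cipher”](...) [pdf]`, so the paragraph reads `... [PDF]. and [IEEE Std 1619-2007 ...`, a broken sentence. Either drop the period after the presentation link or fold the IEEE reference into the new sentence. Also tag the presentation link `[pdf]` rather than `[PDF]`; every other PDF link on the page uses the lowercase tag.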
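Review bot: the deletion in `@@ -1047,14 +1047,6 @@` matches the TOC change in the first hunk, and osquery, grr and OSXAuditor all reappear under `## Related software`, so the only text not carried over is the osquery sentence `More information can be found at .`, whose link target was already missing; dropping it is an improvement. After the removal, `## System monitoring` is followed directly by `#### OpenBSM audit`, skipping a heading level, but that was already the case for the remaining subsections, so it is fine to leave as is.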
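Review bot: the entries in the new `## Related software` section (`@@ -1167,10 +1159,32 @@`) mix styles: some descriptions are capitalised sentences (`A binary whitelisting/blacklisting system ...`), some are lowercase fragments (`library to access ...`), one opens with `can be used to`, and `audit, and remediate, security configuration settings` carries two stray commas. Suggest one form for all nine, for example `[owner/repo](url) - Capitalised description.`, with `google/santa` spelled like the other GitHub entries. The osquery line says `retrieve ... system information` twice; one clause is enough. osxlockdown and Lockdown have near-identical descriptions (audit and remediate security settings on El Capitan), so a few words on how they differ would help a reader choose. The `[Mac Developer Library: Secure Coding Guide]` line added under `## Additional resources` in the same hunk is not mentioned in the commit message (`Create section for related software. Fix #96.`).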
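Review bot: the removals in `@@ -1179,14 +1193,10 @@` and the two hunks after it (Dylib Hijack Scanner, osxcollector, Santa, osxlockdown, libfvde) all reappear in `## Related software` with their URLs unchanged, so these are pure moves and no link is lost; nothing to change here.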
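Review bot: the last hunk (`@@ -1238,3 +1242,5 @@`) leaves README.md without a trailing newline (`\ No newline at end of file`); add one so the next append to the list produces a clean two-line diff instead of touching this line again. The `[Auditing and Exploiting Apple IPC]` link is an additional resource rather than related software and is not covered by the commit message; either mention it there or split it into its own commit.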