TweetFollow Us on Twitter

Securing Mac OS X

Volume Number: 21 (2005)
Issue Number: 2
Column Tag: Security

Securing Mac OS X

by Paul Day

A guide to security hardening for Mac OS X

Introduction

This article covers numerous methods to harden Apple's Mac OS X, from both a local user and network perspective. It is primarily aimed at the single-user Macintosh client machine owned and used by a security conscious user. Its methods can be equally applied to a multi-user machine; however there are numerous additional security risks presented the moment a Mac OS X machine is made multi-user.

Background

Apple's MacOS has taken a dramatic change from its predecessors ("MacOS Classic"), introducing numerous parts of FreeBSD, NeXT and the Mach (Darwin) kernel into the MacOS environment.

"Keep others out - With Mac OS X, you may never need to worry about http://www.apple.com.au/macosx/features/security/ security again."

A default install of Mac OS X is one of the more secure Unix operating systems from a network-security point of view, with no network services open by default. However, there are still numerous drawbacks to its local and network security which can be addressed by the administrator of the machine.

Root Usage

By default, the root user account within Mac OS X has its password disabled. Throughout this paper, you are required to run a command "as root". The method of doing this is left up to the reader, but possibilities (in order of considered strength) include:

  • sudo <command> as a normal admin user.
  • sudo /bin/bash as a normal admin user and then running the commands.
  • Enabling the root account password, using su to start a shell as root and then running the commands.

Local Security

The following section covers numerous methods to harden security within Mac OS X from a local user perspective:

  • With local physical access to the machine via its console. With interactive local access to the machine via methods such as Secure Shell (SSH) or Apple Remote Desktop (ARD).

The Login Window

The following includes instructions to enable and lock down the GUI login window. By default, Mac OS X automatically logs in rather than forcing the user to authenticate at a login window.

Enabling and locking down the Login Window

To enable the GUI login window, disable password hints, access to shutdown/restart controls and automatic login you can edit the file /Library/Preferences/com.apple.loginwindow.plist as root or use the System Preferences Accounts pane as follows:

  • Apple menu -> System Preferences -> Accounts -> Login options -> Display Login Windows as -> Name and Password
  • Uncheck Automatically log in as:
  • Check Hide the Sleep, Restart and Shut Down buttons
  • Uncheck Enable fast users switching if not used


Securing Login Windows options

Fast user switching is handy on a multi-user machine, however on a single-user machine where it is never used, it is an unnecessary risk (eg, An Apple Remote Desktop root compromise used Fast User Switching).

To disable automatic login on a global basis:

  • Apple menu -> System Preferences -> Security
  • Check Disable automatic login


Disabling automatic login

To enable a text message to be displayed as part of the login window, you will need to edit the file /Library/Preferences/com.apple.loginwindow.plist as root. The file may look like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" 
   "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>DisableConsoleAccess</key>
	<true/>
	<key>LoginwindowText</key>
	<string>Authorized users only.</string>

Note the <string> line below the key LoginwindowText. Insert the text you would like to appear in the Login Window here and finish it with the </string>.

Changing passwords

It is good security practice to regularly change your password, especially as the login window does not presently make of mlock() or encrypted swap and a user with physical/root access to the machine could potentially get your login password from the swap files.

  • Apple Menu -> System Preferences -> Accounts
  • Select your username -> Select the Password field
  • If asked, type in your current password -> Type in a new password -> verify the new password

Screensaver

Mac OS X comes with a built-in screen-saver that includes password locking. This should be enabled to stop someone from using your computer when you step away from it.

To enable the screen-saver:

  • Apple menu -> System Preferences -> Desktop & Screensaver -> Screen Saver -> (Select a screen-saver)
  • Change Start screen saver to 3 minutes

To require a password to exit the screen saver:

  • Apple -> System Preferences -> Security
  • Check Require password to wake this computer from sleep or screen saver


Enabling password locking within screen saver

You may also wish to enable an active-corner to disable the screensaver for times you don't want it to come on after inactivity (e.g. while watching a movie) and, more importantly, to instantly load the screensaver:

  • Apple menu -> System Preferences -> Desktop & Screensaver -> Screen Saver -> Hot Corners
  • Choose a corner, e.g. bottom right -> Disable Screen Saver
  • Choose a corner, e.g. top right -> Start Screen Saver


Enabling a screen saver corner

Keychain

Mac OS X includes a utility for caching commonly used passwords. It should be noted that there is always a risk with caching a password on disk in any form, regardless of the software used.

Keychain stores its passwords on disk in an encrypted form and it is difficult for a non-root user to sniff a password between applications. However, similar to the Login Window, it is possible to get hold of a user's Keychain password with root or physical access to a machine. The best practice is to remember your passwords without storing them.

There are a number of steps you can take to minimise your risk when using Keychain Access. To enable Keychain automatic locking:

  • Applications -> Utilities -> Keychain Access -> Edit -> Change settings for Keychain "login"
  • Check Lock after
  • Change minutes of inactivity to 5 minutes
  • Check Lock when sleeping
  • Save


Configure Keychain Access security settings

By default, Mac OS X makes your Keychain password the same as your login password. It is good practice to keep each password different:

  • Edit -> Change Password for Keychain "login"
  • Type in your current user's login password
  • Type in a new different password twice
  • OK


Changing your Keychain password

Patching

As is generally the case, you should keep your Mac OS X machine regularly patched with the latest software updates, which often include security fixes.

Apple Software Update

Mac OS X includes an automatic software update tool to patch the majority of Apple applications. Software Update often includes important security updates which should be applied to your machine. The tool automatically checks what updates are available and, with major upgrades, can download patches rather than full installations, to minimize the amount downloaded.


Software Update

It is best to configure Software Update to automatically check for updates on a frequent basis:

  • Apple Menu -> System Preferences -> Software Updates
  • Check Check for updates
  • Choose Daily from drop-down menu.


Software Update, automatically check for updates

Your machine will now check with Apple for software updates once a day and notify you when there are new ones ready for download.

Software update can also be run from the command line as root with:

/usr/sbin/softwareupdate -ia
and scheduled to run with:
/usr/sbin/softwareupdate -schedule on

Software update for Fink

If you are using the Fink packaging systems, you may also wish to have the following in root's daily crontab or in /etc/daily:

/sw/bin/fink -y selfupdate
/sw/bin/fink -y selfupdate-cvs
/sw/bin/fink -y update-all
/sw/bin/fink -y scanpackages
/sw/bin/fink -y index
/sw/bin/fink -y cleanup
/sw/bin/apt-get -y update
/sw/bin/apt-get -y install fink
/sw/bin/apt-get -y upgrade
/sw/bin/apt-get -y dist-upgrade
/sw/bin/apt-get -y clean
/sw/bin/apt-get -y autoclean
/sw/bin/apt-get -y check

Other updates

Many other major software packages include their own automatic software update utilities. These may be separate utilities such as Microsoft's AutoUpdate:


Microsoft AutoUpdate

Other packages, such as Omni's OmniGraffle, include automatic updating from within the software package itself:


OmniGraffle automatic software update

You are encouraged to use these tools whereever possible, however specifics are beyond the scope of this paper.

File Encrytion

There are number of major ways of encrypting files within Mac OS X. By far, the most secure method is to use GnuPG; however Apple's FileVault and disk images are much more convenient.

FileVault and encrypted volumes

Apple's FileVault is an implementation of its AES-encrypted volume images that automatically mount as your home directory as you login and decrypt/encrypt data on the fly. Encrypting data on your hard-drive is nothing new but MacOS 10.3 is the first Unix to integrate decryption and mounting seamlessly into the system. From the point-of-view of the user and applications, there is no encryption taking place, beyond a slight performance hit.

To enable FileVault:

  • Apple menu -> System Preferences -> Security
  • Turn on FileVault


Enabling FileVault

Depending on the amount of data in your home directory, it may take a while to convert it into a FileVault. It should be noted here that after encrypting your home directory, it is not securely deleted. It is simply unlinked and hence could be recovered.

You may also wish to set a master password for the computer. The master password should be different to your login (and hence FileVault) password and can be used to decrypt your FileVault in the case of password loss.

From a security point of view, keep in mind that due to a lack of mlock() in FileVault, an attacker with physical or root access can gain your FileVault password and access to your encrypted files.

Encrypted AES disk image

Apple's encrypted disk images don't offer the seamless mounting of FileVault, but do still encrypt on the fly as you write to them. To create an encrypted disk image:

  • Applications -> Utilities -> Disk Utility
  • New Image
  • Save as -> Choose a name for the file system and image file name
  • Where -> Choose a location to save the image file
  • Size -> Choose a maximum size to allow the image to grow to
  • Encryption -> Choose AES-128
  • Format -> Sparse Disk Image
  • Create -> Enter and Verify password
  • Check or uncheck Remember password (add to Keychain)


Creating an encrypted sparse image

It is no less secure to save a disk image's password in the Keychain as Apple's SecurityAgent (the program that takes the password from the user) suffers from the same vulnerability as Keychain itself.

Once you have created the disk image, you can mount it by double-clicking on it in Finder. It will then mount as /Volumes/<image file system name> and an icon will appear on your desktop.

Openssl encrypted files

Another alternative is using openssl and a password to encrypt a file. Openssl does not employ asymmetric keys (i.e. a private and public key) and allows you to just assign a single password to the encrypted file. However, openssl under Mac OS X may suffer a similar vulnerability to FileVault.

To encrypt a file using openssl and the (128bit) blowfish encryption algorithm:

openssl bf -salt -in <plain file> -out <encrypted file> 

Then securely remove the original file:

srm -fm <input file>

Finally, decrypt the file back:

openssl bf -d -in <encrypted file> -out <plain file>
A script to encrypt an entire directory could be:
#!/bin/sh
#
# Script to encrypt a dir and securely remove it.

if [ $# -lt 1 ] ; then
	echo "Usage: $0 dir_to_encrypt"
	exit 1
fi

file=`echo $1 | sed s/"\/"//g | sed s/"\."//g`
dir=$1

echo -n "Checking if $dir actually exists... "
if [ -d $dir ] ; then
	echo "Yes."
else
	echo "No. Exiting."
	exit 1
fi

echo -n "Checking to make sure $file.tar.gz.bf doesn't already exist... "
if [ -e $file.tar.gz.bf ] ; then
	# exists
	echo "Yes. Exiting."
	exit 1
else 
	# doesn't exist
	echo "No." 
fi

echo -n "Checking to make sure tempfile doesn't already exist... "
if [ -e temp.tar.gz ] ; then
	echo "Yes. Exiting. You need to remove temp.tar.gz."
	exit 1
else
	echo "No."
fi
echo "Tarring up directory..."
tar -zcvf temp.tar.gz $dir 
echo "Done."
echo "Encrypting directory..."
openssl bf -salt -in temp.tar.gz -out $file.tar.gz.bf
echo "Done."
echo
echo "Here is what the encrypted archive looks like:"
ls -l $file.tar.gz.bf
echo
echo "Is it safe to securely remove $dir? (y)/n"
read remove
if [ x$remove = xn ] || [ x$remove = xN ]; then
	echo "Ok, exiting without removing it."
	srm -fm temp.tar.gz
	exit 0
else
	echo "Ok, removing $dir securely and exiting..."
	srm -rfm $dir
	srm -fm temp.tar.gz
	echo "Done"
fi
exit

Finally, a matching script to decrypt the archive back to a directory in the current working directory:

#!/bin/sh
#
# Script to decrypt a tar.gz.bf archive

if [ $# -lt 1 ] ; then
	echo "Usage: $0 archive_to_decrypt"
	exit 1
fi

file=$1
dir=`echo $1 | cut -d "." -f 1`
echo -n "Checking if $file actually exists... "
if [ -f $file ] ; then
	echo "Yes."
else
	echo "No. Exiting."
	exit 1
fi
echo -n "Checking to make sure $dir doesn't already exist... "
if [ -f $dir ] ; then
	# exists
	echo "Yes. Exiting."
	exit 1
else 
	# doesn't exist
	echo "No." 
fi
echo -n "Checking to make sure tempfile doesn't already exist... "
if [ -e temp.tar.gz ] ; then
	echo "Yes. Exiting. You need to remove temp.tar.gz."
	exit 1
else
	echo "No."
fi
echo "Decrypting..."
openssl bf -salt -d -in $file -out temp.tar.gz
echo "Untarring..."
tar -zxvf temp.tar.gz
echo "Cleaning up..."
rm temp.tar.gz
echo "All done."
echo
exit

GnuPG encrypted files

Gnu Privacy Guard (an open source version of PGP) allows you to encrypt a file using a public key. You would then be able to decrypt the file at a later date using the private key and the key's passphrase.

Unlike FileVault, GnuPG makes use of mlock() and hence doesn't suffer from the same vulnerability. However, it has had a number of its own security concerns.

This section assumes you have already managed to install GnuPG and have created yourself a public/private key-pair. Numerous resources to help you can be found on the web. To then encrypt a file, you would use:

gpg -r <your key's name> --encrypt-files <filename> 

This will create the file filename.gpg. You should securely remove the original plain-text with:

srm -fm <filename>

Apple's srm is included with OS 10.3 (some users may prefer using the GNU fileutils rm). Similar to the GUN utility shred, srm over-writes the file 7 times with random data before unlinking it from the file-system.

To then decrypt the encrypted file:

gpg -r <your key's name> --decrypt-files <filename.gpg > filename

gpg can also be used with just a symmetric cipher and a single password by using the -c switch.

The two scripts in the section REF _Ref87526463 \p \h \* MERGEFORMAT above cover en/decrypting entire directories and could be easily modified to use gpg instead of openssl.

Configuring Open Firmware Password

Configuring an Open Firmware (OF) password on your Mac will disable any boot keys when your machine is booting. This means a user with physical access to the machine is unable to boot the machine into target-disk mode, from CD-ROM or into single-user mode.

The simplest way to set an OF password is to use Apple's utility, which can be found at http://www.apple.com/downloads/Mac OS X/apple/openfirmwarepassword.html.

The utility asks for your user password so that it can run sudo nvram to set the OF password and then asks for a password to set as the OpenFirmware password:


Setting an OpenFirmware password

To set the password yourself directly from OpenFirmware:

<power-button>
option-apple-o-f
password
<enter your password>
setenv security-mode command
reset-all

You may wish to remove the OpenFirmware password when you are unable to boot the machine properly and need to re-install, back data up using target mode or boot using single-user.

To do this, remove it directly from OpenFirmware:

<power-button>
option-apple-o-f
<enter password>
setenv security-mode=none
nvramrc
reset-all

In an emergency, the OpenFirmware password can also be removed by changing the amount of RAM and then resetting the PRAM three times (press and hold option-apple-p-r while powering up until you hear the machine reboot three times). This is obviously also a potential security risk and for this reason, your machine should be physically secured.

You should also be aware that anyone with root/sudo access to the machine can easily get the OpenFirmware password. Like Sun's OpenBoot, OpenFirmware is unagble to hash the password before placing into non-volatile memory. The hex code of the ASCII password can be revealed with, as root:

nvram security-password

You can then convert the output back to ASCII to get the current OpenFirmware password.

Disabling Fiewire Direct Memory Access

By default, the FireWire protocol gives the FireWire device access to the host's physical memory. This could potentially be used to suck the entire memory contents out of the machine (including your passwords and current working data). Alternatively, an attacker could determine where in memory the screensaver is and insert some random bytes to crash the screensaver, gaining access to the machine.

An undocumented side-affect of enabling an Open Firmware password (see section above) is that it indirectly disables physical memory access for FireWire devices through the IOFireWireFamily kernel driver.

Disabling FireWire DMA appears to have little affect on the performance of FireWire.

Disabling Single-user Logins

A default installation, without an OpenBoot password (or with a subverted OpenBoot password), can be booted into a single-user shell by holding down the "S" key during power-up (or boot disk -s from within OpenBoot). This could be used by an attacker with physical access to read your data, add extra accounts or change your passwords.

The following section introduces a method of ensuring a user must enter a password before being presented with a root-user shell as part of a single-user login. As root:

vi /etc/ttys
:1,$s/secure/insecure/g
:wq

To generate a password for root to use when logging into a single-user booted system we use openssl:

openssl passwd -salt <xy> <password>

Replace <xy> with two random letters to act as salt for the hashing and <password> with the password you want to use for the single-user login. This is completely separate from the local root password, which, if it exists, is stored in the NetInfo database by default.

Now copy the hash that was returned by openssl into your paste buffer, open the file /etc/master.passwd in vi (or your favourite editor) and replace the asterisk (*) next to "root:" with the hash so the file looks something like:

##
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:8d4Gfm/Dhzw6Q:0:0::0:0:System Administrator:/var/root:/bin/sh

Write the file to disk (with :wq) and exit vi. You will now be asked for the password when booting into single-user.

Disable Safari Auto-open

Safari, Apple's web-browser, includes a feature where it will automatically launch a number of different file types with their associated application. This could potentially pose a risk with the user unwittingly opening a file without realising it.

To disable the feature:

  • Safari -> Preferences... -> General
  • Uncheck Open 'safe' files after downloading


Disabling Safari auto-open

Removing Other Local Users

There are other vulnerabilities within Apple's Mac OS X 10.3.6 that have not yet been publicly disclosed and hence won't be discussed in this article. However, it should be noted (although probably obvious) that to ensure the security of your Mac OS X machine, you should avoiding allowing any other local users access to your machine, whether by Fast User Switching or SSH.

Removing normal local users

The cleanest and easiest way to remove extra users is by using the Accounts System Preferences pane:

  • Apple menu -> System Preferences -> Accounts
  • Select the other account
  • Click the minus (-) button -> Delete Immediately


Using the Accounts preferences pane to remove extra users

Checking system user accounts

You may also wish to ensure that no other accounts (not shown in the Accounts preferences pane) have been added by an application installation and left with insecure/default passwords. These could be exploited by an attacker allowing them login to your machine.

To do this you need to make changes within the NetInfo database, either via the GUI or the command line. To remove passwords on extra system accounts using the GUI:

  • Applications -> Utilities -> NetInfo Manager -> Domain -> Open -> / -> OK -> / -> users
  • Choose a system user -> Ensure it has no passwd entry
  • If it does have a password entry, click the lock in the bottom left -> authenticate -> select the passwd line -> Delete
  • Close the window -> Save -> Update this copy


Checking for active users in NetInfo Manager

Fix File Permissions

Over time, permissions and ownership of numerous files may become insecure. This is generally caused by installation of packages put together by non-security-savvy software developers.

To try to correct this situation, it is a good idea to regularly use Apple's Disk Utility to fix file permissions. This can be done by:

  • Applications -> Utilities -> Disk Utility
  • Select your / disk-partition
  • First Aid -> Repair Disk Permissions


Repairing file permissions

It can also be done from the command line as root:

/usr/sbin/diskutil repairPermissions / 

The output may look like:

Started verify/repair permissions on disk disk0s3 local
Determining correct file permissions.
We are using special permissions for the file or directory .
   /System/Library/Filesystems/cd9660.fs/cd9660.util.  New permissions are 33261
Permissions differ on ./private/var/log/install.log, 
   should be -rw-r--r-- , they are -rw-r----- 
Owner and group corrected on ./private/var/log/install.log
Permissions corrected on ./private/var/log/install.log
Permissions differ on ./private/var/log/wtmp, 
   should be -rw-r--r-- , they are -rw-r----- 
Owner and group corrected on ./private/var/log/wtmp
Permissions corrected on ./private/var/log/wtmp
The privileges have been verified or repaired on the selected volume
Verify/repair finished permissions on disk disk0s3 local
You may choose to add this to root's or the 
   system cron files, e.g. /etc/weekly.local.

diskutil is unable to automatically correct all insecure/incorrect permissions for you. To list all files with potentially insecure or strange permissions, run the following commands as root and examine (or redirect) the output:

To list all setuid/gid (binaries that run with a user or group ID of someone other than the user running then, commonly root) files:

find / -type f \( -perm -4000 -o -perm -2000 \) \-exec ls -al {} \; 2>/dev/null 

To list all world writable files:

find / -type f \( -perm -2 \) \-exec ls -al {} \; 2>/dev/null

To list all world writable directories:

find / -type d \( -perm -2 \) \-exec ls -ald {} \; 2>/dev/null 

To list all un-owned files:

find / -nouser -o -nogroup \-exec ls -al {} \; 2>/dev/null

Based on the output of these commands, you may choose to change or remove permissions to some files manually. Make sure you are fully aware of the purpose of a file before fiddling with its permissions. Random permission changes may result in an unusable system!

Removing Classic

Some users may have chosen to install Mac OS Classic support. Classic provides Mac OS 9 emulation support within Mac OS X, which allows a user to seamlessly run an old Mac OS application on their new Mac OS X machine.

If you're not actually using any Classic applications, it is best to disable and remove Classic support entirely. Run the following commands as root:

rm -rf /System/Library/PreferencePanes/Classic.prefPane/
rm -rf '/System/Library/Classic/'
rm -rf '/System/Library/CoreServices/Classic Startup.app/'
rm -rf '/System/Library/UserTemplate/English.lproj/Desktop/ Desktop (Mac OS 9)/'
rm -rf '/System Folder/'
rm -rf '/Mac OS 9 Files/'
rm -rf '/Applications (Mac OS 9)'

Securing Bluetooth

Bluetooth is a radio (2.4GHz) data technology that allows a user to wirelessly connect numerous personal devices to allow communication between them. Bluetooth achieves what is sometimes referred to as a Personal Area Network (PAN), allowing you to, for example, have your mobile phone, hands-free kit, PDA and computer all communicating wirelessly.

Unfortunately, Bluetooth has numerous security drawbacks. This section discusses a number of methods to help lock down Bluetooth on your Mac OS X machine. The methods can also be applied to your other, non-Mac OS X, Bluetooth devices (eg, PDA, mobile phone).

Turn it off

If you're not actively using the Bluetooth connection, you should disable it:

  • Apple menu -> System Preferences -> Bluetooth -> Settings
  • Turn Bluetooth Off


Disabling Bluetooth

Put the device in hidden/invisible mode

Your devices only need to be in "visible" or "discoverable" mode when pairing them with your other Bluetooth devices. Once you have paired devices, you should disable visibility. Paired devices are still able to communicate even when not in discoverable mode.

To make your Mac invisible:

  • Apple menu -> System Preferences -> Bluetooth -> Settings
  • Uncheck Discoverable

Note that invisible/non-discoverable mode does not make your device entirely invisible. It simply makes it harder to find.

Turn on authentication

Once Bluetooth authentication is on, devices generally need to then use a common password to pair with another device, although there are vulnerabilities in some vendor's implementation. To turn on password authentication:

  • Apple menu -> System Preferences -> Bluetooth -> Settings
  • Check Require Authentication

Turn on encryption

Turning on Bluetooth encryption means that the majority of data transmitted between Bluetooth devices is encrypted with a common key. This makes it difficult for a third party to sniff the data or use recorded data in "replay attacks". To turn on Bluetooth encryption:

  • Apple menu -> System Preferences -> Bluetooth -> Settings
  • Check Require Authentication -> check Use Encryption

Do not allow auto-acceptance of files

It is best to always be asked for confirmation when accepting a file, stopping a dangerous file or Trojan to be automatically uploaded. To do this:

  • Apple menu -> System Preferences -> Bluetooth -> File Exchange
  • When receiving items: -> Choose Prompt for each file
  • When PIM items are accepted and When other items are accepted: -> Choose Ask

If you never use Bluetooth to push files from another device to your Mac, set it to automatically Refuse all.

Disable file shares

If you do not actively share files from the Mac to your other Bluetooth devices, disable all sharing (read-only and read/write) of files:

  • Apple menu -> System Preferences -> Bluetooth -> File Exchange
  • Uncheck Allow other devices to browse files on this computer


Disabling Bluetooth file sharing

Do not pair with unknown devices

To alleviate the chances of an attacker pairing with your machine, do not pair with an unknown device or allow physical access to your machine to any un-trusted party.

Network Security

The following section describes methods of securing Mac OS X from an external, or network, perspective.

Disabling Services

By default, Mac OS X does not come with any network services enabled. However, some services may have been enabled unwittingly or by installing extra software. This section describes methods of ensuring unknown services are disabled.

Sharing

Apple's Sharing preference pane is a front-end to xinetd and SystemStarter. It is used to enable and disable a number of common Internet services such as SSH (Remote Login) and the Apache web-server (Personal Web Sharing).

By default, Mac OS X 10.3 comes with all the Sharing network services turned off. However, some users may have enabled services unnecessarily.


The Sharing preferences pane

To disable all services:

  • Apple menu -> System Preferences -> Sharing
  • Uncheck any checked service

A very basic description of each service can be read by selecting the service and reading the description provided below the Start/Stop button.

The following table shows the Apple service name, normal Internet service name, and software associated with providing the service:

Apple ServiceInternet ServiceSoftware
Personal File SharingAFP(overTCP)AppleFileServer
Windows SharingSMB/CIFSSamba
Personal Web SharingHTTPApache
Remote LoginSSHOpenSSH
FTP accessFTPtnftpd
Apple Remote DesktopARDARD Helper
Remote Apple EventsEPPCAEServer
Printer SharingLPR/printerCUPS

Table showing hostconfig entries and descriptions

If you must have remote access to your Mac, SSH ("Remote Login") is considered to be one of the more secure methods. SSH can also be used for file transfer by using SCP (Secure Copy) and SFTP (Secure FTP). You can also use it for securely tunnelling other services, for example ARD or VNC. See below for instructions on restricting to particular IPs (either through xinetd or ipfw) and securing the default sshd settings.

inetd

Mac OS X uses the xinetd Internet Super Server for providing a number of IP-based services. Some are enabled/disabled through the Sharing preferences pane while many others (including what are commonly referred to as "useless Unix services") aren't. A list of all services it can provide (from a default installation) can be found in /etc/xinetd/.

A listing of any services that have been enabled (either through the Sharing preferences pane or otherwise) can be found by:

grep disable /etc/xinetd.d/* | grep no

Any services that are not required should be disabled. This can be done by editting the file revealed by the command above and changing the line disable = no to disable = yes. For example, your ssh file may look like:

service ssh
{
	disable = yes
	socket_type = stream
	wait = no
	user = root
	server = /usr/libexec/sshd-keygen-wrapper
	server_args = -i
	groups = yes
	flags = REUSE IPv6
	session_create = yes
}

Once all unnecessary services have been disabled, you can restart xinetd with:

kill -HUP `cat /var/run/xinetd.pid`

If you have disabled every service and want to kill off xinetd entirely:

kill `cat /var/run/xinetd.pid`

If you're choosing to leave a service enabled, you can either restrict what IPs can connect to it within xinetd, or within the ipfw firewall software (see section below). If you decide to restrict it within xinetd, you have the choice of either "allow some, deny rest" or "deny some, allow rest".

As the final line (i.e. above the closing }) within the xinetd configuration file for the service you're restricting, add in your specifications. To "allow some, deny the rest":

only_from = <ip or subnet>, <ip or subnet>, <ip or subnet>
Or to "deny some, allow the rest":
   no_access = <ip or subnet>, <ip or subnet>

Insecure services can also be tunnelled with encryption using SSH. Doing so, you leave the service firewalled to the outside world and tunnel a connection into the machine using SSH. OpenSSH itself also has specific user access controls on top of xinetd's and a firewall. See the section below for specifics on securely using SSH.

OSX hostconfig Services

Mac OS X uses a service start-up system called SystemStarter, which replaces the init scripts most people would be familiar with from Unix System V variants. It does include a number of features not available in init, such as including dependencies in the service, rather than relying on manual ordering within a certain run-level.

A number of SystemStarter scripts source the /etc/hostconfig file to see if they should start or not. This file contains variables we can set to quickly enable/disable services at boot time.

The following table lists items you may find in /etc/hostconfig and a short description of what they're used for:

ServiceDesrciption
AFPSERVERApple File Serving, over TCP for "Personal File Sharing"
AUTHSERVERApple NetInfo Authentication service
AUTOMOUNTAutomatic mounting of NFS mount-points (not to be confused with amd)
CUPSLocal printing services
IPFORWARDINGIP routing for other clients
IPV6IP version 6 protocol support
MAILSERVERThe postfix SMTP mail server
NETINFOSERVERBind to a NetInfo server for directory and authentication access
NFSLOCKSNetwork File System file locking support
NISDOMAINBind to a NIS domain server for authentication
RPCSERVERRemote Procedure Call support for numerous Unix services, such as NFS
TIMESYNCRun NTPd to maintain constant time synchronisation
QTSSERVERApple QuickTime Streaming Server modules
WEBSERVERThe Apache web-server for "Personal Web Sharing"
SMBSERVERWindows file sharing using Samba
DNSSERVERBIND DNS server
COREDUMPSWrites a core dump to disk in the case of a kernel panic
VPNSERVERApple's VPN service daemon (LT2P and PPTP)
CRASHREPORTERApple's crash logging service
XGRIDSERVERAct as a server for Apple's grid computing software, xgrid
XGRIDAGENTAct as a client for Apple's grid computing software, xgrid
ARDAGENTApple Remote Desktop server

Table showing hostconfig entries and descriptions

Suggested services to enable include CUPS (with -YES-) to allow printing and NETINFOSERVER (with =-AUTOMATIC-), which will load netinfod on a stand-alone machine for authentication.

You can enable ntpd for consistent time synchronisation for meaningful logs if you wish. If you choose to disable it, you may wish to add the ntpdate command to /etc/daily or root's crontab:

/usr/sbin/ntpdate -p 8 -u time.asia.apple.com 

Change "time.asia.apple.com" to a local NTP server closer to your location.

Other OSX Services

Finally, some SystemStarter and mach_init.d scripts don't actually refer to an entry in /etc/hostconfig to see if they should be run or not. These scripts require manual examination.

SystermStarter and mach_init store their scripts in three locations: /Library/StartupItems/, /System/Library/StartupItems and /etc/mach_init.d.

An example service that starts from StartupItems without examining a /etc/hostconfig entry is the NFS server, nfsiod, starting from /System/Library/StartupItems/NFS/NFS. To de-activate it, as root you would edit the script and comment out the line that starts nfsiod:

   # nfsiod is the NFS asynchronous block I/O daemon, which implements # NFS
read-ahead and write-behind caching on NFS clients. #nfsiod -n 4 

Apple's auto-mount daemon (ADM - not to be confused with the NFS automount service) is used for automatically mounting CDs and image files. It can be disabled in /System/Libraries/StartupItems/AMD/AMD. It also checks /etc/hostconfig for a AMDSERVER:=-NO-, which can be inserted manually (it isn't included in /etc/hostconfig by default).

A default system is unlikely to have any further items that aren't controlled by /etc/hostconfig. However, third-party applications you have installed may. You may wish to examine the contents of each /System/Library/StartupItems/*/* and /etc/mach_init.d/* file to determine what services start automatically.

Finally, you can check for any services left running by using, as root:

/usr/sbin/lsof | grep LISTEN

Disabling Directory Access Methods

By default, Mac OS X comes with a number of directory access methods enabled, which could be open to exploitation (e.g. the LDAPv3 service accepts an LDAP server from DHCP by default, which could be faked by a rogue DHCP server on the LAN).

For a stand-alone Mac OS X client, the majority of (or potentially all) services are not required. The following is a table of each of the Directory Access methods and a description of its use:

Directory Access methodUse
Active DirectoryWindows 2000 domain file sharing and authentication
AppleTalkApples legacy protocol for discovering file and print services
BSD Flat File and NIS/etc flat files and Unix Network Information Service (NIS) or Yellow Pages (yp) directory and authentication
LDAPv3LDAP directory access and authentication
NetInfoApple's directory access and authentication
RendezvousApple multicast protocol for file, print, chat, music and other network services
SLPService Location Protocol - open standard file and print server discovery
SMBWindows workgroup file and print sharing/serving

Table showing Directory Access methods and their use.

To disable services you don't require:

  • Applications -> Utilities -> Directory Access
  • Uncheck unrequired services


Configuring Directory Access

If you need to use LDAP for directory services (such as an enterprise LDAP email address book), ensure you have disabled the DHCP-supplied LDAP Server option:

  • Applications -> Utilities -> Directory Access -> LDAPv3 -> Configure
  • Uncheck Use DHCP-supplied LDAP Server


Disabling DHCP-supplied LDAP Server

Configuring A Firewall

By default, Mac OS X does not come with its built-in firewalling software, ipfw, enabled. The following section shows how best to enable a firewall on your machine.

Mac OS X's built-in firewall configuration

Mac OS X includes a method for enabling a default set of firewall rules within the Sharing preferences pane:

  • Apple menu -> System Preferences -> Sharing -> Firewall -> Start


Enabling ipfw through System Preferences

By default, the firewall Sharing install isn't is relatively mediocre from a security point of view, but much better than no firewall at all. The following is a list of the rules it adds:

02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
12190 deny tcp from any to any
65535 allow ip from any to any

If you have enabled services, they will automatically be allowed through the firewall from 0/0 (everyone). If you have installed a third-party service, you may need to manually add it firewall:

  • New -> Port Name -> Other
  • Port Number, Range or Series: -> Type in the port number/s or range of ports the application needs inbound access for
  • Description: -> Type in the name of the service


Adding an extra service to the firewall

A number of manually-installed services are already listed in the New window under the Port Name menu.

Manual firewall configuration

The following section discusses designing and implementing a manual firewall script using ipfw.

As root, create the a SystemStarter directory and open its parameter's list in your favorite editor:

mkdir /Library/StartupItems/firewall
vi /Library/StartupItems/firewall/StartupParameters.plist
Insert the following into StartupParameters.plist:
{
	Description = "firewall";
	OrderPreference = "None";
	Provides = ("firewall");
	Requires = ("Network");
	Messages =
	{
		start = "Starting firewall";
		stop = "Stopping firewall";
	};
}

Next, edit /System/Library/StartupItems/IPServices/StartupParameters.plist and insert the following between Provides and Uses:

Requires = ("firewall");
So that it reads:
{
	Description = "Internet services";
	Provides = ("Super Server", "Config Server");
	Requires =("firewall");
	Uses = ("mDNSResponder", "Portmap", "NetworkExtensions");
	OrderPreference = "None";
}

This creates a dependency and ensures the firewall has been configured before any network services you've left enabled are loaded. This ensures none of the services are loaded with no protection between them and the outside world.

Finally, open up /Library/StartupItems/firewall/firewall in your editor and, at a minimum, insert the following rule-set. You may wish to add extra rules in the appropriate section from the example rules below this section.

#!/bin/sh

## Declare variables
# Path to firewalling software
FW="/sbin/ipfw"

## Flush any existing rules from the firewall
$FW -q flush

## Outgoing

# Drop MS VPC7 license checking going out 
$FW add deny udp from any to any 21790
# Drop MS Office license checking going out
$FW add deny udp from any to any 2222
# Allow pretty much anything else out
$FW add allow all from any to any out

## Incoming

# Allow all from/to local loopback interface
$FW add allow all from any to any via lo0
# Then deny anything pretending to come from 127 on other ifs
$FW add deny log all from 127.0.0.0/8 to any in

# Allow relevant outgoing connections back in
# Allow half open TCP back in (although not active ftp)
$FW add allow tcp from any to any established in
# Allow related UDP back in
# DNS - UDP/53
$FW add allow udp from any 53 to any 1024-65535 in
# NTP - UDP/123
$FW add allow udp from any 123 to any 123 in
$FW add allow udp from any 123 to any 1024-65535 in
# DHCP - UDP/67
# DHCP request to server back in to client
$FW add allow udp from any 67 to any 1024-65535 in
# DHCP offer from server in to client
$FW add allow udp from any to any 68 in
# Allow the neccesary ICMP in
# (echo reply, dest unreachable, ttl exceeded, IP header bad)
$FW add allow icmp from any to any icmptypes 0,3,11,12

###
### Insert your custom rules here
###

# Reject IDENT/AUTH with an ICMP reply
$FW add reject tcp from any to any 113 in

# Deny (drop without ICMP) the rest and log to /var/log/system.log
$FW add deny log all from any to any

exit

Some rules you may wish to insert could include the following:

# Windows/SMB/Samba client access
$FW add allow udp from any 137-139 to any in
$FW add allow udp from any 445 to any in
$FW add allow tcp from any 137-139 to any in
$FW add allow tcp from any 445 to any in

# PPTP VPN client access
# (replace  with your VPN server's IP)
$FW add allow 47 from  to any in

# H.323 client access (NetMeeting and similar)
$FW add allow udp from 0/0 to 0/0 1720 in
$FW add allow tcp from 0/0 to 0/0 1720 in
$FW add allow tcp from 0/0 to 0/0 30000-30010 in
$FW add allow udp from 0/0 to 0/0 5000-5099 in

# XWindows client in an XNest running in display :1
# (replace  with the Unix box's IP)
$FW add allow tcp from  to any 6001 in

# XDMCP client in an XNest running in display :2
# (replace  with the Unix box's IP)
$FW add allow tcp from  to any 6002 in
$FW add allow udp from  177 to any in

# SSH server
$FW add allow tcp from 0/0 to any 22 in

To determine what TCP or UDP port a service uses (so that you can let incoming requests through your firewall), you can check the /etc/services file:

grep -i  /etc/services

Monitoring ipfw

The final rule in the above script tells ipfw to log any packets hitting the final deny rule before silently dropping them. As root, you can see which packets are being dropped with a command like:

/usr/bin/tail -f /var/log/system.log | grep ipfw

Kernel Twaeking

The following section describes a number of kernel variables that should be set to ensure the most secure network settings. Insert the following into /etc/sysctl.conf to ensure they're at their most secure:

# Verbose firewall logging
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=65535
# ICMP limit
net.inet.icmp.icmplim=1024
# Stop redirects
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
# Stop source routing
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# Stop broadcast ECHO response
net.inet.icmp.bmcastecho=0
# Stop other broadcast probes
net.inet.icmp.maskrepl=0
# TCP delayed ack off
net.inet.tcp.delayed_ack=0
# Turn off forwarding/routing
net.inet.ip.forwarding=0
# Turn on strong/randomized TCP sequencing
net.inet.tcp.strict_rfc1948=1

They can also be manually entered at the command line (or in another script) at any time with the following syntax as root:

/usr/sbin/sysctl -w =

Securing SSH

SSH (Secure Shell), is provided under Mac OS X using the open-source package OpenSSH. It can be used for a secure remote interactive shell (SSH), secure file transfer (SFTP), secure copy (scp), secure X-windows forwarding (X11Forwarding) and encrypted tunnelling of other IP services.

General SSHd changes

SSHd is highly configurable and can be further locked down from it default settings. Its server configuration file can be found under Mac OS X as /etc/sshd_config and the following changes from the default configuration are recommended:

#Protocol 2,1
(to)
Protocol 2

#PermitRootLogin yes
(to)
PermitRootLogin no

Subsystem sftp /usr/libexec/sftp-server"
(to)
#Subsystem sftp /usr/libexec/sftp-server

Using SSH keys for authentication

It is considered more secure to login with an SSH key pair than a password. A machine that has already been hacked may have a trojanned sshd binary or authentication services which may be able to give a copy of your password to the attacker. If you have the same password on multiple machines (which is obviously not recommended) they may then login to those other machines using your credentials.

On the other hand, logging in with an SSH key does not allow an attacker to gain your password, even if you are using the same SSH key (with same passphrase) to login to other machines. To disable password authentication:

#PasswordAuthentication yes -> PasswordAuthentication no

To generate an SSH key pair on your external machine (assuming it runs OpenSSH):

user@host:~$ ssh-keygen -b 4096 -t dsa -C "Key for user@host Nov 2004"

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/user/.ssh/id_dsa.
Your public key has been saved in /Users/user/.ssh/id_dsa.pub.
The key fingerprint is:
f3:99:d7:05:be:7f:41:42:64:97:b1:e7:d1:41:c9:08 Key for user@host Nov 2004

DSA is considerably faster than RSA for key generation and signing, however some argue that DSS has some potential security flaws in its signing process on machines with low random number entropy.

Ensure you add a pass-phrase to your key to protect it if the remote machine is compromised.

Now put ~/.ssh/id_dsa.pub from the remote machine into ~/.ssh/authorized_keys on your Mac. Your key will now be automatically used instead of a password for SSH, SCP and SFTP remote access to your machine.

Forwarding X11 through SSH

Finally, if you have X11 programs that you want to export back to a remote machine, it is recommended that you use SSH's in-built X11 Forwarding in /etc/sshd_config:

#X11Forwarding no
(to)
X11Forwarding yes
From the client machine, you setup the SSH tunnel by typing:

ssh -X -l username <remote Mac>

Tunnelling other IP services through SSH

SSH can also be used to tunnel an otherwise insecure protocol through it.

For example, you may wish to use a VNC server running on the Mac OS X machine. VNC by itself is not encrypted and it's password is sent plain-text over the network. A somewhat more secure solution to this problem is to leave the SSH port firewalled, tunnel a VNC connection through to the machine and connect to the VNC port on it's loop-back interface.

For example, to make a tunnel through to the remote Mac's TCP port 5900 (commonly VNC), you would do:

ssh -N -L 5900:127.0.0.1:5900 <remote Mac>

This command binds SSH to port 5900 on the localhost and tunnels it, via SSH, to port 5900 on the remote Mac. You would now point your VNC client to 127.0.0.1 (ie, the localhost's loopback interface) on port 5900 and it will securely connect to the VNC server on your remote Mac.

Restarting sshd after config changes

Because Mac OS X spawns sshd from xinetd rather than as a stand-alone server, there is no need to restart anything. Changes you make to sshd_config are read in on the next connection to that service.

Conclusions

With the move from Mac OS Classic's roots to a Unix-based operating system, Apple's Mac OS has undergone massive changes.

While it is one of the more secure Unix operating environments by default, there are a number of methods the administrator of the machine can make use of to harden the environment further.

This article has outlined a number of these methods to secure Mac OS X from a local and network perspective.

References

  • de Vries, Stephen. "A Corsaire White Paper: Securing Mac OS X", Corsaire, 22 June 2004
  • Systems and network Attack Centre (SNAC ), National Security Agency (NSA). "Apple Mac OS X v10.3.x "Panther" - Security Configuration Guide", 2004
  • Beale, Jay, JJB Security Consulting, LLC and GWU Cyber Security Policy & Research Institute. "Locking Down Mac OS X" Delivered at Black Hat USA, 2003.

Paul Day is a Security Administrator who currently works for the University of Western Australia. He primarily deals with security policy and the administration of security in Cisco, Solaris, Linux and OS X based environments. His passions revolve around Unix & network security and optimization.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Macs Fan Control 1.3.1.0 - Monitor and c...
Macs Fan Control allows you to monitor and control almost any aspect of your computer's fans, with support for controlling fan speed, temperature sensors pane, menu-bar icon, and autostart with... Read more
NetShade 6.3.1 - Browse privately using...
NetShade is an anonymous proxy and VPN app+service for Mac. Unblock your Internet through NetShade's high-speed proxy and VPN servers spanning seven countries. NetShade masks your IP address as you... Read more
Dragon Dictate 4.0.7 - Premium voice-rec...
With Dragon Dictate speech recognition software, you can use your voice to create and edit text or interact with your favorite Mac applications. Far more than just speech-to-text, Dragon Dictate lets... Read more
Persecond 1.0.2 - Timelapse video made e...
Persecond is the easy, fun way to create a beautiful timelapse video. Import an image sequence from any camera, trim the length of your video, adjust the speed and playback direction, and you’re done... Read more
GIMP 2.8.14p2 - Powerful, free image edi...
GIMP is a multi-platform photo manipulation tool. GIMP is an acronym for GNU Image Manipulation Program. The GIMP is suitable for a variety of image manipulation tasks, including photo retouching,... Read more
Sandvox 2.10.2 - Easily build eye-catchi...
Sandvox is for Mac users who want to create a professional looking website quickly and easily. With Sandvox, you don't need to be a Web genius to build a stylish, feature-rich, standards-compliant... Read more
LibreOffice 5.0.1.2 - Free, open-source...
LibreOffice is an office suite (word processor, spreadsheet, presentations, drawing tool) compatible with other major office suites. The Document Foundation is coordinating development and... Read more
f.lux 36.1 - Adjusts the color of your d...
f.lux makes the color of your computer's display adapt to the time of day, warm at night and like sunlight during the day. Ever notice how people texting at night have that eerie blue glow? Or wake... Read more
VirtualBox 5.0.2 - x86 virtualization so...
VirtualBox is a family of powerful x86 virtualization products for enterprise as well as home use. Not only is VirtualBox an extremely feature rich, high performance product for enterprise customers... Read more
File Juicer 4.43 - Extract images, video...
File Juicer is a drag-and-drop can opener and data archaeologist. Its specialty is to find and extract images, video, audio, or text from files which are hard to open in other ways. In computer... Read more

ReBoard: Revolutionary Keyboard (Utilit...
ReBoard: Revolutionary Keyboard 1.0 Device: iOS Universal Category: Utilities Price: $1.99, Version: 1.0 (iTunes) Description: Do everything within the keyboard without switching apps! If you are in WhatsApp, how do you schedule a... | Read more »
Tiny Empire (Games)
Tiny Empire 1.1.3 Device: iOS Universal Category: Games Price: $2.99, Version: 1.1.3 (iTunes) Description: Launch cannonballs and blow tiny orcs into thousands of pieces in this intuitive fantasy-themed puzzle shooter! Embark on an... | Read more »
Astropad Mini (Productivity)
Astropad Mini 1.0 Device: iOS iPhone Category: Productivity Price: $4.99, Version: 1.0 (iTunes) Description: *** 50% off introductory price! ​*** Get the high-end experience of a Wacom tablet at a fraction of the price with Astropad... | Read more »
Emo Chorus (Music)
Emo Chorus 1.0.0 Device: iOS Universal Category: Music Price: $1.99, Version: 1.0.0 (iTunes) Description: Realistic Choir simulator ranging from simple Chorus emulation to full ensemble Choir with 128 members. ### introductory offer... | Read more »
Forest Spirit (Games)
Forest Spirit 1.0.5 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0.5 (iTunes) Description: | Read more »
Ski Safari 2 (Games)
Ski Safari 2 1.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0 (iTunes) Description: The world's most fantastical, fun, family-friendly skiing game is back and better than ever! Play as Sven's sister Evana, share... | Read more »
Lara Croft GO (Games)
Lara Croft GO 1.0.47768 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0.47768 (iTunes) Description: Lara Croft GO is a turn based puzzle-adventure set in a long-forgotten world. Explore the ruins of an ancient... | Read more »
Whispering Willows (Games)
Whispering Willows 1.23 Device: iOS Universal Category: Games Price: $4.99, Version: 1.23 (iTunes) Description: **LAUNCH SALE 50% OFF** - Whispering Willows is on sale for 50% off ($4.99) until September 9th. | Read more »
Calvino Noir (Games)
Calvino Noir 1.1 Device: iOS iPhone Category: Games Price: $3.99, Version: 1.1 (iTunes) Description: The film noir stealth game. Calvino Noir is the exploratory, sneaking adventure through the 1930s European criminal underworld.... | Read more »
Angel Sword (Games)
Angel Sword 1.0 Device: iOS Universal Category: Games Price: $6.99, Version: 1.0 (iTunes) Description: Prepare to adventure in the most epic full scale multiplayer 3D RPG for mobile! Experience amazing detailed graphics in full HD.... | Read more »

Price Scanner via MacPrices.net

iPad Air 2 on sale for up to $100 off MSRP
Best Buy has iPad Air 2s on sale for up to $100 off MSRP on their online store for a limited time. Choose free shipping or free local store pickup (if available). Sale prices available for online... Read more
MacBook Airs on sale for $100 off MSRP
Best Buy has MacBook Airs on sale for $100 off MSRP on their online store. Choose free shipping or free local store pickup (if available). Sale prices for online orders only, in-store prices may vary... Read more
Big Grips Lift Handle For iPad Air and iPad A...
KEM Ventures, Inc. which pioneered the extra-large, super-protective iPad case market with the introduction of Big Grips Frame and Stand in 2011, is launching Big Grips Lift featuring a new super-... Read more
Samsung Launches Galaxy Tab S2, Its Most Powe...
Samsung Electronics America, Inc. has announced the U.S. release of the Galaxy Tab S2, its thinnest, lightest, ultra-fast tablet. Blending form and function, elegant design and multitasking power,... Read more
Tablet Screen Sizes Expanding as iPad Pro App...
Larger screen sizes are gaining favor as the tablet transforms into a productivity device, with shipments growing 185 percent year-over-year in 2015. According to a new Strategy Analytics’ Tablet... Read more
Today Only: Save US$50 on Adobe Elements 13;...
Keep the memories. lose the distractions. Summer’s winding down and it’s time to turn almost perfect shots into picture perfect memories with Elements 13. And get the power to edit both photos and... Read more
1.4GHz Mac mini on sale for $449, save $50
Best Buy has the 1.4GHz Mac mini on sale for $50 off MSRP on their online store. Choose free shipping or free local store pickup (if available). Price for online orders only, in-store price may vary... Read more
12-inch 1.1GHz Gold MacBook on sale for $1149...
B&H Photo has the 12″ 1.1GHz Gold Retina MacBook on sale for $1149.99 including free shipping plus NY sales tax only. Their price is $150 off MSRP, and it’s the lowest price available for this... Read more
27-inch 3.3GHz 5K iMac on sale for $1849, sav...
Best Buy has the 27″ 3.3GHz 5K iMac on sale for $1849.99. Their price is $150 off MSRP, and it’s the lowest price available for this model. Choose free shipping or free local store pickup (if... Read more
Worldwide Tablet Shipments Expected to Declin...
Does Apple badly need a touchscreen convertible/hybrid laptop MacBook? Yes, judging from a new market forecast from the International Data Corporation (IDC) Worldwide Quarterly Tablet Tracker, which... Read more

Jobs Board

*Apple* Music, Business Operations - Apple (...
**Job Summary** This role in Apple Music and in iTunes is working with…the songs that we all enjoy listening to in Apple Music. Your job will be to work wit Read more
Hardware Systems Integration Engineer - *App...
**Job Summary** We are seeking an enthusiastic electrical engineer for the Apple Watch team. This is a design engineering position that entails working with Read more
Engineering Project Manager - *Apple* TV -...
**Job Summary** The iTunes Apps project management team oversees iTunes, Apple TV, DRM and iOS Applications. We are looking for a project manager to help manage and Read more
*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
*Apple* Retail Online Store: Customer Insigh...
**Job Summary** Apple Retail (Online Store) is seeking an experienced e-commerce analytics professional to join the Customer Insights Team. The Web e-Commerce Analyst Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.