Category Archives: Mac

Restricting File Sharing Apps

File sharing services like Dropbox and SpiderOak are great for easily syncing files between computers. SpiderOak even offers Zero-Knowledge Privacy, where they cannot decrypt your files.

Unfortunately, the default settings increase your computer’s attack surface. Dropbox, SpiderOak, and I assume most cloud storage providers include a "LAN Sync" feature. This speeds up synchronization between computers on the same LAN by letting them send files directly to each other instead of going through the internet connection. To do this, the synchronization applications must accept inbound connections. If you use a coffee shop or hotel network, a malicious user on that network could send packets to these applications. While I’m sure the developers made an effort to write good applications, I’m equally sure these have not been tested for vulnerabilities as extensively as OpenSSL or Windows SMB. In client mode at least, the application should only be connecting out to the trusted server (unless there’s an active man-in-the-middle attack). Disclaimer: I am not aware of vulnerabilities in these programs. This is just about mitigating a potential risk.

It’s easy to stop these programs from accepting connections. In Dropbox for Mac, click the Dropbox icon, click the gear, click ‘Preferences…’, click the Network tab, and uncheck ‘Enable LAN Sync’. In SpiderOak for Mac, click the SpiderOak icon, go to Application, click Preferences, click Network, and uncheck ‘Allow LAN-Sync’.
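One way to confirm the change actually took effect is to look at which sockets the sync clients still hold open for listening, and to separate listeners bound to every interface from loopback-only ones, which nobody else on the coffee shop network can reach anyway. The script below is an added example, not code from the original post or from Dropbox or SpiderOak; it parses the field-per-line output of lsof -F pcn, and the sample lsof output embedded in it is constructed (17500 is the port Dropbox documents for LAN Sync; the loopback socket, the SpiderOak port and the PIDs are made up).

```python
# Added example (not from the original post): check whether Dropbox or
# SpiderOak still accept connections from the LAN after LAN Sync is off.
# Uses `lsof -F pcn`, whose one-field-per-line output (p=pid, c=command,
# n=socket name) is easier to parse reliably than the column view.
import subprocess

SYNC_APPS = ("Dropbox", "SpiderOak")


def listeners_from_lsof(output, apps=SYNC_APPS):
    """Parse `lsof -F pcn -nP -iTCP -sTCP:LISTEN` output into
    (command, pid, address) tuples for the given applications."""
    found, pid, cmd = [], None, None
    for line in output.splitlines():
        tag, value = line[:1], line[1:]
        if tag == "p":            # a new process set starts
            pid, cmd = int(value), None
        elif tag == "c":          # command name for that process
            cmd = value
        elif tag == "n" and cmd and cmd.startswith(apps):
            found.append((cmd, pid, value))
        # other field tags (e.g. 'f' for the descriptor) are ignored
    return found


def is_loopback(address):
    """True for listeners only reachable from this machine."""
    host = address.rsplit(":", 1)[0]
    return host.startswith("127.") or host in ("[::1]", "localhost")


def exposed_listeners(output, apps=SYNC_APPS):
    """Listeners that other hosts on the LAN could connect to."""
    return [entry for entry in listeners_from_lsof(output, apps)
            if not is_loopback(entry[2])]


def check_live_system(apps=SYNC_APPS):
    """Run lsof on this Mac; your own processes need no root to inspect."""
    cmd = ["lsof", "-F", "pcn", "-nP", "-iTCP", "-sTCP:LISTEN", "+c", "0"]
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return exposed_listeners(result.stdout, apps)


# Constructed sample of what lsof prints before LAN Sync is turned off.
# 17500 is the port Dropbox documents for LAN Sync; the loopback socket,
# the SpiderOak port and the PIDs are made up for the example.
SAMPLE_BEFORE = """\
p501
cDropbox
f23
n*:17500
f24
n127.0.0.1:17600
p777
cSpiderOak
f9
n*:49152
"""

# After unchecking both options only the loopback socket should remain.
SAMPLE_AFTER = """\
p501
cDropbox
f24
n127.0.0.1:17600
"""

if __name__ == "__main__":
    for cmd, pid, addr in check_live_system():
        print(f"{cmd} (pid {pid}) is still listening on {addr}")
```

Run it after toggling the preferences; an empty result means neither client is reachable from the LAN. The +c 0 flag stops lsof truncating command names to nine characters, which would otherwise still match "SpiderOak" but would mangle longer names.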

Redeem an iTunes eGift in the Mac App Store

If you receive an iTunes gift via email, but don’t want to open iTunes, do the following to redeem the gift in a different program (e.g. App Store or iBooks):

  1. Open the email with the iTunes gift
  2. Right-click on the "Redeem Now" button and copy the link. The menu option is usually called something like "Copy Link" or "Copy Link Address…"
  3. In a text editor paste the link. The link should look something like https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/com.apple.jingle.app.finance.DirectAction/freeProductCodeWizard?code=XABCD1234ABCD12X&mt=1M
  4. The gift card code (same as scratching off a physical gift card) is the text between "code=" and "&mt". In this example it is XABCD1234ABCD12X (not a real gift card code)
  5. Paste or type this code into the Redeem page of any of Apple's app stores

Configuring Chrome’s SSL/TLS

As of version 34.0.1847.116, Google Chrome defaults to the following ciphersuites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5

Overall I think the list is pretty good. I’d rather not use the ciphersuites marked in red (TLS_RSA_WITH_RC4_128_MD5 and TLS_DHE_DSS_WITH_AES_128_CBC_SHA), because of the MD5 message authentication and the DSS site authentication. I also think it is very unlikely that disabling these will prevent you from accessing any common sites. The more security conscious users will probably want to disable the orange ciphersuites as well (the RC4 and 3DES suites: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_RC4_128_SHA), because RC4 and TDES are both weaker than AES. As you make changes, the SSL Labs Client Test is an easy way to see which ciphersuites are enabled. It also gives you the hex code for each ciphersuite, which is what you use to disable them.

Unfortunately Google Chrome doesn’t have a nice interface for configuring ciphersuites like Firefox and Opera do, so you need to use command line switches to selectively disable ciphersuites. I have instructions for using command line switches on Windows and MacOS.

To disable the red ciphersuites, add the following switch:

--cipher-suite-blacklist=0x0004,0x0032

To disable the red and orange ciphersuites, add the following switch:

--cipher-suite-blacklist=0x0004,0x0032,0x0005,0x000a,0xc011,0xc007

If you’re concerned about the NSA, the following disables all ciphersuites without perfect forward secrecy:

--cipher-suite-blacklist="0x0004,0x0005,0x000a,0x0035,0x002f,0x009c,0x0032"

I also recommend disabling SSLv3.0 with the following switch:

--ssl-version-min=tls1
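Rather than copying hex codes off the SSL Labs page by hand, the blacklist can be derived from a policy applied to the default list above, and an existing switch can be checked against that policy. The script below is an added example, not from the original post or from the Chromium project: it assumes the IANA TLS Cipher Suite Registry code points for the twenty suites, parses each suite name into its key exchange, authentication, cipher and MAC parts, and reproduces the three switches above (the third one is the static-RSA suites plus the DSS suite from the red set). One caveat on the assumed values: the two ChaCha20 suites in Chrome 34 used draft code points (0xCC13 and 0xCC14); the registry later assigned 0xCCA8 and 0xCCA9, which is what is listed here, and neither version is ever blacklisted by this policy.

```python
# Added example, not from the original post: derive Chrome's
# --cipher-suite-blacklist value from a policy applied to the default
# list, and read an existing switch back for comparison. The code points
# are the IANA TLS Cipher Suite Registry values (assumed, not from the
# post); the ChaCha20 entries use the final registry numbers, not the
# draft ones Chrome 34 shipped with.
import re

CHROME_34_DEFAULTS = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xC02B,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": 0x009E,
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA9,
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": 0xC00A,
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": 0xC009,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xC014,
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": 0xC007,
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA": 0xC011,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": 0x0032,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 0x0039,
    "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009C,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
}

SUITE_RE = re.compile(r"TLS_(\w+?)_WITH_(\w+)_(SHA256|SHA384|SHA|MD5)")


def parse_suite(name):
    """Split an IANA suite name into (key exchange, authentication, cipher, MAC).
    A bare 'RSA' before WITH means RSA does both key exchange and authentication."""
    m = SUITE_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    kx_auth, cipher, mac = m.groups()
    kx, _, auth = kx_auth.partition("_")
    return kx, (auth or kx), cipher, mac


def weaknesses(name):
    """Reasons for avoiding a suite, in the post's terms (empty if none)."""
    kx, auth, cipher, mac = parse_suite(name)
    reasons = []
    if mac == "MD5":
        reasons.append("MD5 MAC")
    if auth == "DSS":
        reasons.append("DSS authentication")
    if cipher.startswith("RC4"):
        reasons.append("RC4")
    if cipher.startswith("3DES"):
        reasons.append("3DES")
    if kx == "RSA":
        reasons.append("no forward secrecy")  # static RSA key exchange
    return reasons


def codes_with(*reasons, defaults=CHROME_34_DEFAULTS):
    """Code points of every default suite that has at least one of the given weaknesses."""
    wanted = set(reasons)
    return {code for name, code in defaults.items() if wanted & set(weaknesses(name))}


def blacklist_switch(codes):
    """Format code points as the switch Chrome expects (order is not significant)."""
    return "--cipher-suite-blacklist=" + ",".join(f"0x{c:04x}" for c in sorted(codes))


def parse_switch(switch):
    """Read the code points back out of an existing switch, tolerating quotes."""
    value = switch.split("=", 1)[1].strip().strip("\"'")
    return {int(tok, 16) for tok in value.split(",") if tok}


# The post's three switches, reproduced from the policy rather than by hand.
RED = codes_with("MD5 MAC", "DSS authentication")
ORANGE = codes_with("RC4", "3DES")
NO_PFS = codes_with("no forward secrecy")

if __name__ == "__main__":
    print(blacklist_switch(RED))
    print(blacklist_switch(RED | ORANGE))
    print(blacklist_switch(RED | NO_PFS))
    # Every default suite that is still enabled after the strictest switch:
    for name, code in CHROME_34_DEFAULTS.items():
        if code not in RED | ORANGE | NO_PFS:
            print(f"  keep 0x{code:04x} {name}")
```

Running it prints the three switches and, after them, the suites that remain once all three sets are removed: only ECDHE and DHE suites with AES, which is the forward-secret subset the last switch is aiming for.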

Chrome for Mac CLI Options

If you thought there were a lot of options in chrome://flags, there are a ton of options available as command line switches. See http://peter.sh/experiments/chromium-command-line-switches/ for a list of the available switches.

If you’re using Google Chrome on MacOS X, it is pretty easy to launch Chrome with these command line options. Unfortunately MacOS doesn’t make this as seamless as it should be. I looked at a few different proposed methods, and using Automator seemed like the best combination of ease, stability, and MacOSness.

  1. Launch Automator from /Applications
  2. Click ‘New Document’ in the bottom right of the ‘Open’ dialog.
  3. Select ‘Application’ and click ‘Choose’
  4. Select ‘Utilities’ from the left column
  5. Drag ‘Run Shell Script’ from the next column to the workflow area
  6. Replace cat with
    args='--args --ssl-version-min=tls1' #single place to update command line switches
                                         #--args is a switch to 'open', not Chrome
                                         #--ssl-version-min=tls1 disables SSLv3.0
    if [[ -r "$1" ]]; then # check if a readable file or directory was passed as input
       open -a "Google Chrome" "$1" $args #open Chrome and pass it a file or directory
    else
       open -a "Google Chrome" $args #open Chrome normally
    fi
  7. Change the ‘Pass Input’ drop down to ‘as arguments’
  8. Save the workflow as an Application. I named mine ‘Launch Chrome’
  9. (optional) Change the icon
    1. Get Info for Google Chrome
    2. Click on the icon in the top left
    3. Select Copy from the Edit menu
    4. Get Info for ‘Launch Chrome’
    5. Click on the icon in the top left
    6. Select Paste from the Edit menu
  10. Opening Launch Chrome opens Google Chrome or brings it into focus. Dropping a file or directory on Launch Chrome opens the file or directory in Chrome.

[Automator screenshot: ChromeMacLaunch]

Installing Wireshark on MacOS X

Installing Wireshark on MacOS X isn’t hard; however it isn’t as straightforward as on other platforms.

  1. Download and install XQuartz. While no longer officially supported by Apple, XQuartz was spun out from Apple as an open source project.
  2. Download and install WireShark
  3. Launch Wireshark
    • You might be prompted for the location of your X11 viewer (XQuartz). If so, browse to /Applications/Utilities
    • Wireshark will prompt you that it will take a while to build the font cache. It’s not kidding. I had absolutely no indication of activity, then after a few minutes, Wireshark appeared.
  4. Begin capturing packets – make sure you are only sniffing packets in a location where you are authorized to run a packet sniffer (e.g. your own private network)

Other Notes

  • You can keep the Wireshark icon in your Dock; however, clicking on the icon will not always bring Wireshark into the foreground. If clicking on the Wireshark icon doesn’t bring it into the foreground, try clicking on the XQuartz icon.
  • Wireshark is still a Windows/Linux program, so the menu bar is inside of the main window.