Rotten Apples: OS X 101

by Secure Panda

After reading NerveGas Jr.'s article "Accessing Admin Privileges: A Quest Through One of Mac's Backdoors" in 32:4, I was mildly disappointed.

The Apple computer is a thing of beauty and security, and especially in this time of intense debate about privacy and encryption, I feel it's important that people understand these machines in more detail.

To this end, I propose to discuss the history and basic structure of the recent iterations of Apple's operating systems.  I will also try to explain some of the security features that Apple now incorporates into their systems, and dispel some of the myths that are prevalent in the Apple community.

History 0x1

Apple's current operating system on both Mac computers and i-Devices is named Darwin, and is actually mostly BSD with some proprietary components.

It evolved from NeXTSTEP, after Apple bought it in 1997.

Starting with OS X in 2001, Apple has built all of its major OSes from this core Darwin kernel.

Older versions were designed to run on PowerPC architecture, with Apple switching to Intel-based processors in 2006 and dropping official support for the older chips around that time.

In 2007, the iPhone was released using a build of Darwin specifically for ARM architecture.

The "Modern Era" of devices that I'll be focusing on encompasses everything from OS X 10.6 to the present x64-based operating systems (as of March 2016).

Basic Structure 0x2

The system structure of Darwin is identical to most UNIX-based systems, for obvious reasons, and is usually not fully accessible on iOS.

The root filesystem in OS X contains only four non-hidden folders: Applications, Library, System, and Users.

Within the Users folder, each user on the system has a folder to contain their data, libraries, and settings.

Starting with 10.7, the user library (~/Library) has been hidden, requiring one of two methods to get there (more on this later).

With the release of OS X 10.11 (iOS 9), Apple introduced a new feature called System Integrity Protection (SIP), or Kernel Patch Protection (KPP), which adds integrity checks to the kernel.

If the system fails the check (usually a hallmark of a jailbroken iOS device or a Hackintosh), then the kernel panics and halts.

Security 0x3

NerveGas Jr. already explained the "official" way to reset the password on a computer, and also went over how to enable the root user, as well as setting a firmware password using the recovery mode.

What if I don't have a recovery mode (due to a botched install, or because the computer is running 10.6 or earlier)?

The solution is to use Single-User Mode!

Start the computer up holding "Command" and "S" and it will bring you to a lovely CLI with a root prompt.

Make sure you mount the drive, and you can reset any password or enable the root user from here.

# mount -uw /   # mounts the hard drive
# ls /Users     # lists all available users
# passwd <user> # change the password for <user>
# passwd root   # change the password for root, enabling it

This doesn't give you access to the passwords saved in that account's keychain.

FYI:  Apple secures all of that using a keychain file that's tied to your admin password.  When you reset it, if you don't know the old password, kiss those saved passwords goodbye.

About that firmware password: it isn't that hard to get rid of.  Change the amount of RAM in the machine, PRAM it twice, and you'll be able to get into whatever you needed to.

This works on any version of OS X, and if you really can't figure out how to get into the machine, iFixit.com has detailed breakdown guides.

A quick note on FileVault, Apple's full-disk encryption: original FileVault isn't extremely difficult to remove from the computer.

FileVault 2 (a.k.a. FileVault from 10.7 onward) is significantly harder to get past.

You can still erase the drive, but if you don't know the password or recovery key, you're out of luck.  You'll have to take it to the store or call and deal with senior-level techs (who have to deal with engineering) to get it unlocked.  This wouldn't be an issue, but 10.10 and later enables FileVault by default on laptops that are plugged in during initial setup.  This can be a huge headache for folks who don't have a backup but forgot their password.
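Since the three protections above (SIP, the firmware password, and FileVault) are what stand between a single-user-mode password reset and your data, here is an added read-only posture check, not from the article, that rates a Mac on all three.  It parses the output wording I know from csrutil status, fdesetup status and firmwarepasswd -check (10.11-era; assumed unchanged) and falls back to constructed sample output when those tools aren't present, so the logic runs anywhere.

```shell
#!/bin/sh
# Added example, not from the article: read-only posture check for the
# protections the article discusses.  Parsers take the raw tool output as $1
# and print "on", "off" or "unknown".  Output wording is assumed from the
# 10.11-era versions of the tools.

sip_state() {          # input: output of "csrutil status"
    case "$1" in
        *"status: enabled"*)  echo on ;;
        *"status: disabled"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

filevault_state() {    # input: output of "fdesetup status"
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

fwpw_state() {         # input: output of "firmwarepasswd -check" (needs root)
    case "$1" in
        *"Enabled: Yes"*) echo on ;;
        *"Enabled: No"*)  echo off ;;
        *)                echo unknown ;;
    esac
}

# Combined rating.  FileVault is the control that keeps a password reset on an
# unencrypted disk from exposing data; the firmware password alone only raises
# the bar, as the article notes, and SIP protects the kernel, not the disk.
posture() {  # $1=sip $2=filevault $3=firmware password
    if [ "$2" != on ]; then
        echo "HIGH: disk not encrypted; single-user mode can reset any account"
    elif [ "$1" != on ] || [ "$3" != on ]; then
        echo "MEDIUM: FileVault on, but SIP or the firmware password is missing"
    else
        echo "LOW: FileVault, SIP and firmware password all enabled"
    fi
}

# Use the real tools when present (10.11+); otherwise constructed sample output.
if command -v csrutil >/dev/null 2>&1; then
    SIP=$(csrutil status 2>/dev/null); FV=$(fdesetup status 2>/dev/null)
    FW=$(firmwarepasswd -check 2>/dev/null)
else
    SIP="System Integrity Protection status: enabled."   # constructed sample
    FV="FileVault is Off."                               # constructed sample
    FW="Password Enabled: No"                            # constructed sample
fi
posture "$(sip_state "$SIP")" "$(filevault_state "$FV")" "$(fwpw_state "$FW")"
```

On a real Mac, run it as root so firmwarepasswd -check can answer; otherwise that field reports "unknown" and the rating drops to MEDIUM at best.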

Myths and Shenanigans 0x4

I hate people who claim Apple computers don't get viruses.

They do, but because of Apple's market share (around four percent of computers worldwide), it's not usually worth the time of organized criminals to develop threats for these machines.  The real threats to Apple stem from the use of the same kernel for both x64 and ARM architectures: many of the vulnerabilities that exist within OS X will also exist in iOS.

iCloud is mostly secure.

"The Fappening" happened because famous people used real answers to their security questions.  If all someone needs to know to get access to your account is your mother's maiden name and the name of your first pet, you probably shouldn't answer those questions in public interviews, just sayin'.

Steve Jobs was a jerk.  The whole world already knows it.  Get over it.

Conclusion 0x5

When I first got into Apple hardware and software, I was not a big fan.

I thought the computers were expensive, ugly things.  After working with them for several years now, I've come to appreciate the effort that goes into making these computers.  You can do just about anything on a Mac that you can do on a PC, but I'd personally prefer that more folks learn about their computers instead of swallowing the hype or ignorantly bashing something they've never used.

I'd like to do an article on iOS if I can find the time.

The phones are simply fascinating, and the jailbreak community is fun and vibrant.

Shouts to my wife and son (who, despite my best efforts, can already navigate my iPhone at 2), my friends at Apple, and the folks who inspired me to write this.

Props to NerveGas Jr. for the primer.

Keep on Hackin'!