Recently I decided to sit down and further lock down my personal AWS account. I haven’t used it for much other than S3 storage of macOS installers and in turn had not configured things as securely as I would have liked. The following post walks you through how to lock down an AWS account that is used by a single user. A lot of the recommendations apply just as much to an account with multiple users as well.
In my previous post I covered my “Classic” Mac OS emulator setup. One of my goals of getting the emulator set up was to be able to look at and analyze viruses that affected older versions of Mac OS. I think taking a look at old viruses is interesting for two reasons. First, it provides a good overview of 68k assembly. Second, it provides an interesting perspective on the history of malicious software. The first virus I decided to look at is called INIT 29.
Before macOS, and before OS X, there was just Mac OS. This is often referred to as “Classic” Mac OS. It includes System 1 all the way up to Mac OS 9.x. I started using a Mac with System 6 on a Macintosh Classic. Then I moved up to a Macintosh IIsi running System 7. Finally, after the PowerPC transition, I used a Power Macintosh 8500 which ran all of the later versions of “Classic” Mac OS. I was recently having a conversation with another developer who grew up using Macintosh computers and we were both reminiscing about some of our early development experiences on Mac. While System 6 was the first Mac OS version I used, I didn’t start really writing Mac apps until the Mac OS 8 era. This got me thinking that it might be interesting to spend some time re-learning “Classic” Mac OS app development.
The recent Objective by the Sea v3.0 conference had a lot of great talks. Two that stood out to me were Abusing and Securing XPC in macOS Apps by Wojciech Reguła and Job(s) Bless Us! Privileged Operations on macOS by Julia Vashchenko. Both talks discussed different aspects of XPC services and the types of security bugs that can occur in them. There were some great best practice recommendations that both speakers shared for securing your own XPC services. One of those recommendations was to use the audit token rather than PID when checking the connecting process. Since the audit token APIs aren’t public I thought it would be interesting to take a closer look at what audit tokens actually are and where they come from.