
SANS ISC: Getting Ready for macOS Sierra: Upgrade Securely - Internet Security | DShield SANS ISC InfoSec Forums


Getting Ready for macOS Sierra: Upgrade Securely

Downloadable PDF with screen shots

Apple is expected to release the next version of its operating system on or around September 20th, 2016 [1]. The current version of OS X, 10.11, also known as “El Capitan”, has been updated several times with various bug fixes. Currently, you should be running 10.11.6. It is possible that when Apple releases “Sierra”, another bug fix and security update will be released for “El Capitan”.

To find what version of OS X you are running, select “About this Mac” by clicking on the Apple logo in the upper left-hand corner.

We will cover the upgrade process only at this point. Most users will receive macOS Sierra as an upgrade and not install it from scratch. But I bet some of the tips here apply to regular installs as well. To make this guide as generic as possible, I used a plain install of OS X El Capitan without any significant adjustments (I swapped backgrounds for a plain blue one to make the screen shots simpler).

I will not cover features that remained the same (e.g. FileVault).

The initial upgrade via the App Store is simple, and there are no options to choose. You download and install macOS Sierra and reboot your system once you are done. We start this guide after the first log-in after the upgrade.

Please only update via the App Store. Do not download macOS Sierra from any other sources. Make sure to make a full backup before you initiate the update.

If multiple users use a system, then each user has to follow the same procedure.

iCloud Credentials

After logging in, you are asked for iCloud credentials. There is an option to skip this step, but I opted for entering iCloud credentials. Many of the privacy issues with OS X are related to iCloud. But at the same time, many features are linked to iCloud. I doubt many users will disable iCloud.

iCloud Keychain

Next, you will be asked to set up iCloud Keychain. I opted against this. The iCloud Keychain will synchronize your OS X keychain across devices. You may still use the keychain locally without synchronization. According to Apple, the keychain is encrypted before it is uploaded to the cloud [2]. But anybody with access to your iCloud password will be able to access your keychain and with that, all passwords stored in your keychain. Please make sure to use a strong password and enable two-factor authentication before enabling the iCloud Keychain. Apple requires that you set up a “Security Code” when setting up the iCloud Keychain.

iCloud Shared “Document” and “Desktop” Folder

During your first login, you are asked if you would like to store files from the “Documents” and “Desktop” folder on your iCloud drive. I opted out of this option. This feature may expose files to iCloud that you are not willing (or authorized) to share on cloud-based services.

Siri

macOS Sierra comes with Siri enabled by default. Not everybody may be comfortable with having Siri listen in. Just like on iOS, Siri uses a cloud-based service to analyze voice commands. Siri was disabled by default for me, and you can remove the Siri icon from the dock by right-clicking it and selecting “Options” => “Remove from Dock”. Siri can also be managed from a dedicated settings dialog.

To verify that Siri is disabled, check the “Siri” dialog in “System Preferences”. The “Enable Siri” checkbox should be unchecked. Siri will only listen in and analyze sound if it is invoked by clicking on the Siri icon in the toolbar (upper right-hand corner of the screen).

Apple Watch Screen Unlock

If you own an Apple Watch, and upgraded it to WatchOS 3, then you will be able to unlock your system using your watch. Connecting your watch will only work if you have two-factor authentication enabled for your account, and your watch has to be secured with a passcode. By default, the feature is turned off. You should be able to enable the Apple Watch unlock in the “Security & Privacy” part of the Settings dialog. But lacking a compatible watch I wasn’t able to see the dialog.

Continuity / Universal Clipboard

Continuity existed in OS X El Capitan and allows sharing content between iOS and OS X devices. There is also a cross-device Clipboard to copy/paste between devices. The clipboard could expose sensitive content to other devices, for example if you copy/paste passwords from a password wallet type application. There appears to be no easy way to disable these features. For them to work, you need to link all devices to the same iCloud account, and then enable Wi-Fi as well as Bluetooth on all devices.

Optimized Storage

macOS Sierra can move files to iCloud to save disk space. For files like iTunes movies and music, which you downloaded from Apple, this is probably less of an issue. But it may also affect other files that haven’t been opened in a while. To review optimized storage settings, click on “About this Mac” in your Apple menu. Then select “Storage” and click on the “Manage” button. The “Recommendations” menu will allow you to turn on some of these features. To turn them off, you will need to disable them in your iCloud settings, or for the automatic trash delete, in Finder’s preferences (“Preferences” => “Advanced”).

Gatekeeper

Gatekeeper limits which applications a user may execute. OS X El Capitan had three settings: “Mac App Store”, “Mac App Store and identified developers”, and “Anywhere”. macOS Sierra lost the last option. Instead, if you try to launch an unsigned application, you need to open the “Security & Privacy” dialog, and then you will have to allow the application to run. You will only have to do this the first time you run the application. This behavior is identical to OS X El Capitan. macOS Sierra also re-labeled the options to “App Store” instead of “Mac App Store”. 

A quick way to open applications the first time is to right-click on the application and select “Open” from the menu, instead of just double-clicking it. If you right-click and “Open”, a dialog will pop up allowing you to override the Gatekeeper configuration. The dialog will show the hostname for the website from which the application was downloaded.

Summary

The privacy and security changes in macOS Sierra come from its tighter integration with iCloud. Cloud integration is an industry-wide trend and not just specific to Apple. Which documents and what data you want to share with cloud services should be carefully evaluated, and the security of cloud accounts will become more and more important. Two-factor authentication is an absolute must, no matter if it is iCloud, Dropbox or OneDrive. Traditional passwords are too easily lost in phishing attacks. Phishing attacks against cloud credentials can be very targeted and convincing. Two-factor authentication provides some protection against these attacks.

Many of the existing security features in OS X remain the same, like for example FileVault and various other iCloud based services like “Back to my Mac”. Please consult various OS X hardening guides for advice.
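A command-line check for two of the settings reviewed above (Gatekeeper and Siri), added here as an example and not part of the original diary. It assumes `spctl --status` reports "assessments enabled/disabled" and that Siri's per-user switch is the `Assistant Enabled` key in the `com.apple.assistant.support` preference domain; the function names are hypothetical. Because preferences are per user, it has to be run under each account on a shared system.

```shell
#!/bin/sh
# Added example: audit Gatekeeper and Siri for the current user.

# Classify the text printed by `spctl --status`.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Classify the value `defaults read` prints for a boolean key.
# An empty value means the key was never written for this user.
siri_state() {
    case "$1" in
        1|true|YES) echo enabled ;;
        0|false|NO) echo disabled ;;
        "")         echo unset ;;
        *)          echo unknown ;;
    esac
}

# Verdict against the choices made in this guide: Gatekeeper on, Siri off.
# Anything that cannot be determined is flagged for a manual look in
# System Preferences instead of being silently passed.
audit_verdict() {
    gk=$(gatekeeper_state "$1")
    siri=$(siri_state "$2")
    if [ "$gk" = disabled ] || [ "$siri" = enabled ]; then
        echo "FAIL gatekeeper=$gk siri=$siri"
    elif [ "$gk" = enabled ] && [ "$siri" = disabled ]; then
        echo "PASS gatekeeper=$gk siri=$siri"
    else
        echo "REVIEW gatekeeper=$gk siri=$siri"
    fi
}

# Query the live system only when the macOS tools are present.
if command -v spctl >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
    gk_raw=$(spctl --status 2>&1 || true)
    siri_raw=$(defaults read com.apple.assistant.support "Assistant Enabled" 2>/dev/null || true)
    echo "$(id -un): $(audit_verdict "$gk_raw" "$siri_raw")"
fi
```
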

[1] http://www.apple.com/macos/sierra/
[2] https://support.apple.com/en-us/HT202303

---
Johannes B. Ullrich, Ph.D.

Johannes

3391 Posts
ISC Handler
I saw a lot of people having problems with their Wi-Fi after updating to macOS. This guide might help http://www.cydiageeks.com/fix-slow-wi-fi-issues-macos-sierra-upgrade.html
Anonymous
I see the macOS Sierra 10.12 security content bulletin is out - in case we were wondering IF we should update..
https://support.apple.com/en-us/HT207170

Another piece of advice is to look at the update pages for your "critical apps" - and update these apps _before_ upgrading the Mac OS.
One such example is Citrix Receiver https://receiver.citrix.com which was updated to version 12.3 on the day of the Sierra release to add "support for macOS Sierra". Just-in-Time compilation??

If there is not an update available you should wait - or uninstall the component if you CAN'T.. I am currently waiting (at least a short while) for an updated version of my anti-virus before I upgrade. If your security software (?!) does not support Sierra you should wait, or uninstall and be more careful while you run without it. (But are you going to be careful?? My guess is that you are going to press every new shiny button in the new OS.. So if you can - wait - you do not want to play without protection...)

But I guess Dr.J covered all of this in his podcast for today, which I just realized I did not listen to yet...

Good Luck! dotBATman.

PS: https://uit.stanford.edu/service/helpdesk/sierra is a PERFECT example of how IT should support such transitions. I hope they don't mind the link.

PPS: I upgraded to Safari 10.0 for El Capitan today. Quite a few security updates here too. https://support.apple.com/en-us/HT207157
dotBATman

66 Posts
