InfoSec: Ethically Mining OS X Endpoints for User Identities

In the world of IT, things are rarely organized. Moving between large Fortune 500 companies and small silicon startups, I’ve seen this first hand. Managing a fleet of devices is no easy task. Coupled with supporting the end-users, you’ll often find yourself downstream of the open flood gates of distractions and political compromises. As an IT administrator, you cannot kill productivity. You must adapt to your users.

As an IT administrator, you cannot kill productivity.

Sometimes, this compromise comes in the form of purchasing Microsoft Office for your Mac’s, or letting a Windows machine on your network (after you bleach it, lock it down, and prevent network access, of course!). Other times, it comes in the form of letting your end-users manage their devices by giving them local admin rights.

If an employee has admin access, they can easily change their primary device username, which makes this difficult to troubleshoot. The employee would also have the ability of editing the hostname of the device as well, although this is usually automatic thanks to OS X if you’re not bound to a domain so the device can feel like it fits in with the cool kids on the network. You can see this first hand if you’ve ever connected into a poorly configured OpenVPN instance on AWS.

So the question is, if you don’t have an IT team or resources available to manage your fleet of endpoints, what can you do?

Attributing Users to Devices


Using OS X Metadata

The physical device provides a lot of information about itself. Some of the data could reference the end user, but most of it will attribute the device itself. This is important in it’s own way. If you are smart enough to keep track of asset management, who is assigned what device, having one bit of the puzzle can go a long way.

keep track of asset management, who is assigned what device, having one bit of the puzzle can go a long way

For example, if you have an infected device on your network it must have an IP address. For an IP address to be assigned, it must has a MAC address. This is the physical serial number of the WiFi or Ethernet adapters. This MAC address is unique to each device, and adapter manufacturer. This means, if you see bad traffic or suspicious activity coming from an IP address, you can track it all the way back to the physical device by mapping the IP -> MAC -> Device -> User chain.

Chain: IP > MAC Address > Device > User

Another example could be the username or hostname assigned to the device. I trust these like a politician since they can be influenced by an attacker or the end-user. Two other simple attributes that can’t be influenced externally are the device make/model and serial number/UUID.

In the below example, you can see how simple it is to gather some of the noted information and just keep it for your records. Just remember, hostnames and usernames are change.

With the use of the above utility, good record keeping alone with no engineering overhead provides almost enough data to respond to any event. It’s important to think about your device assignment and roll-out plans before the company grows too big.


Chrome Browser Profiles

I am a huge advocate of ethical attribution. In a very generic summary, attribution is the ability to explain why events happened by linking credit of ownership to those events. Many employees have a paranoia of big brother thanks to a smudged InfoSec track record bred by unethical actions. This line of ethical vs unethical is a very fine line.

For example, when a user logs into a Chrome profile, that email address is stored in the users’ ~/Library directory. The same goes with any synced iCloud accounts. Many people don’t realize how easy it is to gather this information.

For the example below, the line between unethical and ethical is one line of code. Validating the hd, or Hosted Domain, field stored in the json attributes. This field is the Google Apps domain of your account.

If you don’t create a Chrome Profile, but log into GMail, this will not find the information. This only works for Chrome Profiles.



For those companies where Safari runs the browser battles, the Chrome solution won’t work. If an employee logged in with iCloud, and it’s hard not to on a Mac, this would be considered an alternative.

Below we show an example of mining the iCloud email addresses. The response would output any iCloud registered email addresses. This includes your personal email address used for your AppleID and your email, if you created one.

Once obtained, you can easily take the AppleID or iCloud address and check both Facebook and Google+ for registered accounts for the email addresses. Most people use the same email account across all the services, which makes it easier for the administrator.

It can be very scary as an end-user having your employer collect your iCloud email, unless they force you to use a company iCloud account (i.e., with your company email address). With caution and bounds, this may be a cultural shock but should work and be acceptable.

Protect Yourself: Prevent yourself from being searched via your E-Mail address on Facebook

To prevent yourself from being searched via an E-Mail on Facebook (which I strongly suggest), you can follow the steps Facebook outlined here:


I’ve been on both sides of the spectrum; advocating for privacy and transparency for end-users when IT abused the rollout of Prey, a device tracking platform, but also as Security leadership during an event in a disorganized network.

Remember to always read your employers acceptable use policy or consult counsel if you have any questions or concerns. If work gives you a laptop, remember they own it.

forgetting to inform your users of the information collected will plant a seed of doubt

As long as an employer is collecting business-related metadata, I feel it’s totally acceptable as long as there is transparency. Forgetting to inform your users of the information collected will plant a seed of doubt, and that is an InfoSec admins worst nightmare.

Don’t be that guy.