Mac Security in an Age of Cyberwar and Cyber Crime

© Lawrence I. Charters

Washington Apple Pi Journal, Vol. 33, no. 5, November-December 2011, pp. 11-14.

Security of Macintosh computers hasn’t been much of a concern over the past decade. Mac OS X is a difficult target compared to most versions of Windows. Yet there have been occasional threats, prompting the publishing of a three-part series on Mac Security in 2005: “Mac Security: Physical, Mental, Spiritual.” Those articles, on the Washington Apple Pi Web site, are still valid today:

http://www.wap.org/journal/security/default.html

But things are changing. Windows 7 has better security than any version of Mac OS X up to Snow Leopard (Mac OS X 10.6). While Lion (Mac OS X 10.7) may have the lead for the moment, Mac OS X is increasingly becoming a target for criminals and vandals, and a number of sensational headlines over the past six months prompted Pi management to schedule an entire General Meeting devoted to security in June 2011. What follows is an outline – just an outline – of that presentation. The presentation, by the way, is available as an audio and a video podcast from the Pi Connect Web site, https://connect.wap.org/

Name your Mac

When you first set up your Mac, it asks you for your name, and if you do nothing to change things, the initialization process will name your Mac something like “Lindsey’s Mac” (if you gave your name as Lindsey). Since your Mac broadcasts the name across the network or, in the case of wireless networking, over radio, there are two things wrong with this: it tells potential attackers that Lindsey’s machine is nearby, and it tells the attackers the machine is a Mac.

Deer defend themselves by blending in, so blend in and don’t broadcast anything valuable. Go into the System Preferences > Sharing preference pane and rename your Mac. Name it after a favorite goldfish or character in a novel. Name it after the Zen term for one-hand clapping. Name it anything that isn’t obviously associated with you, and doesn’t scream “Mac.”

Name your hard drive

The installation process also automatically names your Mac’s hard drive “Macintosh HD.” Again, this is bad, since it is possible to transmit the name across a network. Knowing the name of the hard drive can also make some types of evil scripts easier to execute, since the attacker doesn’t need to guess at the name of the volume.

The name of the hard drive can be the same as – or different from – what you set up in the Sharing preference pane. Simply click on the name of your hard drive, wait for a second, and then type in a new name. For a variety of reasons, it is recommended that the name consist only of letters and contain no spaces, punctuation, or anything else.

Don’t install unnecessary software

If you don’t know what a piece of software does, don’t install it. For example, when you first install Mac OS X, you are given the option of installing X Window. If you don’t know what X Window is, don’t install it. (X Window, by the way, is a graphical interface used by traditional Unix computers, but it bears no resemblance to the Mac interface and even Unix gurus have a love-hate relationship with it.)

Be very wary of shareware or freeware that installs things in the menu bar, or installs System Preference panes, or wants Internet access. Mac OS X can become unreliable if software is inserted into the menu bar or System Preferences, and such software can even prevent proper system updates.

As for software that wants Internet access, ask yourself: why? The little utility or game or whatever may say it is checking for updates, but it could very well be transmitting your personal information. Install software only after vetting its legitimacy; ask on the Pi’s TCS forums or at a General Meeting.

If you don’t use a piece of software, trash it. Outdated software packages are prime targets for exploits by hackers.

Use unique account names

If your name is Bob, the log-in name for your machine should not be “Bob.” It is far too easy to guess. A first initial and full last name is more secure. Or a first name and last initial. Or something random, like “Berrybush.” Logging into your Mac requires both an account name and a password; don’t make the job easier through an obvious account name.

Under absolutely no circumstances use an account name of “Admin” or “Administrator” or (horrors) “root.”

Use unique passwords

Forget all the nonsense you read about creating gibberish, impossible-to-remember passwords with mandatory upper and lower case characters, numbers, special characters, etc. Complex passwords make security harder, since people won’t remember them.

Instead, use long passwords – 12 or more characters – avoiding simple dictionary words or words that can be associated with you. If you like to fish, “fisherman” is an obviously poor password (a dictionary word, too short, and directly connected to you, personally). But “Lake fisherman” is easy to remember, easy to type, 14 characters long (the space not only counts as a character but increases the complexity for cracking programs), and secure. “Fishing in 2011” is even more secure.
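
The length-versus-complexity argument above, worked as an added example (not part of the original article): this Python sketch estimates the exhaustive-search space in the style of brute-force "haystack" calculators and flags single dictionary words. The word list and the 8-character "complex" password are constructed samples, and the figure is an upper bound, since phrases built from common words can also be guessed by combining word lists.

```python
import string

# Character classes and the number of symbols each adds to the alphabet
# an exhaustive search must cover once any member of the class is used.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),  # 32 punctuation marks plus the space
)

# Constructed mini word list standing in for a real cracking dictionary.
SAMPLE_WORDS = {"fisherman", "password", "fishing", "lake"}


def alphabet_size(password):
    """Size of the smallest class-based alphabet that covers the password."""
    size = 0
    for chars, count in CLASSES:
        if any(c in chars for c in password):
            size += count
    return size


def search_space(password):
    """Number of candidates of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def assess(password, words=SAMPLE_WORDS):
    """Return (length, alphabet, search space, is a single dictionary word)."""
    return (len(password), alphabet_size(password),
            search_space(password), password.lower() in words)


if __name__ == "__main__":
    # The article's examples plus one constructed "complex" 8-character password.
    for pw in ("fisherman", "Xk9#pQ2!", "Lake fisherman", "Fishing in 2011"):
        length, alpha, space, in_dict = assess(pw)
        note = "  <- dictionary word, guessed first" if in_dict else ""
        print(f"{pw!r:20} len={length:2} alphabet={alpha:2} space={space:.2e}{note}")
```
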

Passwords should be unique; never use the same password for more than one service. If you believe this is too complicated, then vary the password by the service involved. For example, use “Fishing in 2011 FB” for Facebook and “Twitter Fishing in 2011” for Twitter. That way, a hacker who steals account names and passwords on one service can’t use them to hack your computer or your account on another service.

You can check password strength using the built-in Password Assistant in System Preferences > Accounts (or Users & Groups) or use one of these Web sites:

http://www.passwordmeter.com/

https://www.grc.com/haystack.htm

Store passwords securely

It is ever so tempting to use a PostIt note stuck on the monitor to store passwords, but don’t. Use something like the commercial utility 1Password, or Apple’s Keychain (which can also store encrypted notes), or create an encrypted disk image using Apple’s Disk Utility.

One big advantage of an encrypted disk image: you can E-mail it to yourself, store it on your MobileMe site, or put it on a USB drive, so you have access to it in multiple locations. Obviously, the password to the encrypted disk image should be impossible to guess but still easy to remember, so try for a phrase you are unlikely to forget, such as “Mary had a little lamb” or “Four score and 7 years ago” or “An apple a day” or “I still don’t forgive John for dumping me.”

Disable automatic log-in

It is absolutely vital that you disable automatic log-in for laptops, iPads, iPhones, and iPod touches. These devices are not only portable but also easy to steal, and they contain great quantities of personal information, from your address book to your income tax returns. You don’t want to make it easy for the thief to break in.

You should also disable automatic log-in for desktop machines at home. While the risk is lower, forcing someone to log in helps keep out children, relatives, visitors, the maid service, the plumber, the painter, the house burglar, etc.

Every user should have an account

Every user should have their own account. Yes, that means:

  • A separate account for you
  • A separate account for the spouse
  • A separate account for each child
  • A separate account for visitors

No exceptions. You don’t share toothbrushes; don’t share accounts, either.

Delete unused accounts

When your child moves out, or when your guest leaves, delete their account. Unused accounts are a common vector for taking over computers.

Disable “Allow guests to connect to shared folders”

What was Apple thinking when they enabled this by default? Disable it.

For laptops, always set a master password

The Master Password (set in System Preferences > Security in Mac OS X 10.6 and earlier) gives you access to the computer if you forget a password. But not setting a master password can allow someone else to deny you access to your own computer by setting the master password and then encrypting your machine.

Disable Bluetooth

Disable Bluetooth if you are not using it. If you are using it, turn off “Discovery” after you’ve synced your devices. While it is amusing to sit in a coffee shop and use a Bluetooth mouse to play with other people’s laptops, the victims don’t like it, and you won’t like it, either.

Disable AirPort

If you aren’t using wireless networking, disable it. Wireless is convenient. Wired networking is infinitely more secure – and faster.

Create an admin and a standard user account

The admin account should only be used for things like system updates.

The standard user account should be used for day-to-day activities.

The accounts should have different names and of course different passwords.

Careful about MobileMe

Do not set up MobileMe for admin accounts. Make sure your MobileMe password is strong; change it on your birthday. Make sure the MobileMe password is unique and not shared by any other service.

Make sure the system time, and date, are correct

The System Preferences > Date & Time preference pane offers to automatically sync your Mac’s clock with an accurate time server. Use it. Accurate time is vital for syncing between machines, syncing MobileMe services, and other routine chores. It is also vital for Time Machine backups, system updates, and many kinds of security checks.

Install all system updates

Before installing major system updates, check your computer’s health (run Disk First Aid and ask it to Verify Disk). And then – install the system updates.

Install all system updates.

“But I heard rumors,” you protest, “that the new update melted pet kittens.” Ignore the rumors; system updates are vital for security, whereas rumors are just rumors.

Set password for the screen saver

Set your screen saver for a reasonable period (it should come on after 10-15 minutes of idleness). Use the Security preference pane to require a password for access after the screen saver is activated. Set a Sleep corner for the screen saver (recommended: lower left corner).

Being able to force the screen to “sleep” and blank your desktop is a valuable privacy and security feature, but only if you set it up and use it.

Set security preferences

The System Preferences > Security preference pane has several options, some of them mentioned before.

  • Set Require password to wake from screen saver
  • Disable automatic log-in
  • Set a master password on laptops
  • Turn on firewall
  • Optional: turn on stealth mode (under Firewall settings)

Turn off everything in sharing

Turn off file sharing, screen sharing, web sharing, etc. These should be turned on only when needed — then turn them off again.

Enable check for updates

In the System Preferences > Software Update pane, “Check for updates – weekly” should be enabled. When prompted by a new update, read the message; don’t just dismiss it as an interruption.

Configure Time Machine

Follow these steps:

  • Get an external drive.
  • Turn on Time Machine.
  • Make sure it is backing up.
  • Ignore it. Don’t fiddle with it.

If you have a laptop, a Time Capsule is even better: it combines wireless networking and wireless backup all in one box.

Safari

Disable “Open safe files after downloading.” Make sure downloads always go to the “Downloads” folder. Apple goes out of its way to segregate downloads (which may be potential vectors for attacks) from everything else, so don’t mess this up by changing the settings.

Virus Checkers

If you are required by work to have a virus checker, install whatever your employer requires.

For everyone else: if you want to have a virus checker, try VirusBarrier Express, free from the Mac App Store. VirusBarrier Express can be configured so that it only runs manually, rather than all the time. If you have a concern, run it; otherwise, ignore it.

The first time I ran VirusBarrier Express, I was surprised to find viruses on my computer. My Google Gmail account had, in the spam folder, a dozen messages containing Windows viruses. These represented no threat at all to Mac OS X, but I promptly deleted them, anyway.

And in conclusion

It is worth knowing that the very first computer virus ever released in the wild was aimed at Apple computers — Apple II computers. The year was 1981. Thirty years later, viruses are not a threat to Mac OS X, but there are other, more potent and more subtle dangers. You can protect yourself, but only if you correctly parse that phrase: you can protect yourself. Nobody else will.