Security of Macintosh computers hasn’t been much of a concern over the past decade. Mac OS X is a difficult target compared to most versions of Windows. Yet there have been occasional threats, one of which prompted the Washington Apple Pi Journal to publish a three-part series on Mac Security in 2005: “Mac Security: Physical, Mental, Spiritual.” Those articles, on the Washington Apple Pi Web site, are still valid today:
http://www.wap.org/journal/security/
However, the situation is changing. Windows 7 has better security than any version of Mac OS X before Snow Leopard (Mac OS X 10.6), and Mac OS X is increasingly becoming a target for criminals and vandals. A number of sensational headlines over the past six months prompted Pi management to schedule an entire General Meeting devoted to security in June 2011. What follows is an outline – just an outline – of that presentation. The full presentation is available as an audio and a video podcast from the Pi Connect web site, https://connect.wap.org/
When you first set up your Mac, it asks for your name, and if you do nothing to change things, the initialization process will name your Mac something like “Lindsey’s Mac” (assuming you gave your name as Lindsey). Since your Mac broadcasts the name across the network or, in the case of wireless networking, over the radio, you now have two problems: potential attackers learn that Lindsey’s machine is nearby, and that it is a Mac.
Deer defend themselves by blending in, so blend in and don’t broadcast anything valuable. Go into the System Preferences > Sharing preferences pane and rename your Mac. Name it after a favorite goldfish or character in a novel. Name it after the Zen term for one-handed clapping. Name it anything that isn’t obviously associated with you, and doesn’t scream “Mac.”
The installation process also automatically names your Mac’s hard drive “Macintosh HD.” Again, this is bad, since it is possible to transmit the name across a network. Knowing the name of the hard drive can also make some types of evil scripts easier to execute, since the attacker doesn’t need to guess at the name of the volume.
The name of the hard drive can be the same as, or different from, the name you gave your computer in the Sharing preferences pane. Simply click on the name of your hard drive, wait a second, and then type in a new name. For a variety of reasons, it is recommended that the name consist only of letters and contain no spaces, punctuation, or anything else.
If you don’t know what a piece of software does, don’t install it. For example, when you first install Mac OS X, you are given the option of installing X Window. If you don’t know what X Window is, don’t install it. (X Window, by the way, is a graphical interface used by traditional Unix computers, but it bears no resemblance to the Mac interface, and even Unix gurus have a love-hate relationship with it.)
Be very wary of shareware or freeware that installs items in the menu bar, or installs System Preferences panes, or wants Internet access. Mac OS X can become unreliable if software is inserted into the menu bar or System Preferences, and such software can even prevent proper system updates.
As for software that wants Internet access, ask yourself: why? The little utility or game or whatever may say it is checking for updates, but it could very well be transmitting your personal information. Install software only after vetting its legitimacy; ask on the Pi’s TCS forums or at a General Meeting.
If you don’t use a piece of software, trash it. Outdated software packages are prime targets for exploits by hackers.
If your name is Bob, the login name for your machine should not be “Bob.” It is far too easy to guess. A first initial and full last name is more secure. Or a first name and last initial. Or something random, like “Berrybush.” Logging into your Mac requires both an account name and a password; don’t make the job easier by using an obvious account name.
Under absolutely no circumstances use an account name of “Admin” or “Administrator” or (horrors) “root.”
Forget all the nonsense you read about creating gibberish passwords with mandatory upper and lower case characters, numbers, and special characters. Complex passwords make security harder, since people won’t remember them.
Instead, use long passwords -- 12 or more characters – avoiding simple dictionary words or words that can be associated with you. If you like to fish, “fisherman” is obviously a poor password -- a dictionary word, too short, connected to you personally and directly. But “Lake fisherman” is easy to remember, easy to type, 14 characters long (the space not only counts as a character but increases the complexity for cracking programs), and secure. “Fishing in 2011” is even more secure.
Passwords should be unique; never use the same password for more than one service. If you believe having several passwords is too complicated, then vary the password by the service involved. For example, use “Fishing in 2011 FB” for Facebook and “Twitter Fishing in 2011” for Twitter. That way, a hacker who steals account names and passwords on one service can’t use them to hack your computer or your account on another service.
You can check password strength using the built-in Password Assistant in System Preferences > Accounts (or Users & Groups) or use one of these web sites to check on how safe a password is:
https://www.grc.com/haystack.htm
It is ever so tempting to use a Post-it note stuck on the monitor to store passwords, but don’t. Use something like the commercial utility 1Password, or Apple’s Keychain Access (which can also store encrypted notes), or create an encrypted disk image using Apple’s Disk Utility.
One big advantage of an encrypted disk image is that you can email it to yourself, or store it on your MobileMe site, or put it on a USB drive, so that you have access to it in multiple locations. Obviously, the password to the encrypted disk drive should be impossible to guess but easy to remember. Try for a phrase that you are unlikely to forget, such as “Mary had a little lamb” or “Four score and seven years ago” or “An apple a day” or “I still don’t forgive John for dumping me.”
It is absolutely vital that you disable automatic login for laptops, iPads, iPhones, and iPod touches. These portable devices are not only portable, but also easy to steal, and they contain a great deal of personal information, from your address book to your income tax returns. You don’t want to make it easy for a thief to break in.
You should also disable automatic login for desktop machines at home. While the security risk is lower than with a portable device, forcing someone to log in helps keep out children, relatives, visitors, the maid service, the plumber, the painter, the house burglar, etc.
Users should have their own accounts. Yes, that means:
No exceptions. You don’t share toothbrushes; don’t share accounts, either.
When your child moves out, or when your guest leaves, delete the account. Unused accounts are a common vector for taking over computers.
What was Apple thinking when they enabled this by default? Disable it.
The master password (set in System Preferences > Security> FileVault in Mac OS X 10.6 and earlier) gives you access to the computer if you forget a password. But -- not setting a master password can allow someone else to deny you access to your own computer by setting the master password and then encrypting your machine.
Disable Bluetooth if you are not using it. If you are using it, turn off “Discovery” after you’ve synced your devices. While it is amusing to sit in a coffee shop and use a Bluetooth mouse to play with other people’s laptops, the victims don’t like it, and you won’t either.
If you aren’t using wireless networking, disable it. Wireless is convenient. Wired networking is infinitely more secure - and faster.
The admin account should be used only for things like system updates.
The standard user account should be used for day-to-day activities.
The accounts should have different names, and of course different passwords.
Do not set up MobileMe for admin accounts. Make sure your MobileMe password is strong; change it on your birthday. Make sure the MobileMe password is unique and not shared by any other service.
The System Preferences > Date & Time preferences pane offers to automatically sync your Mac’s clock with an accurate time server. Use it. Accurate time is vital for syncing between machines, for syncing MobileMe services, and for other routine chores. It is also vital for Time Machine backups, system updates, and many kinds of security checks.
Before installing major system updates, check your computer’s health. Run Disk Utility and ask it to Verify Disk. Install the system updates only after Disk Utility has given your drive a clean bill of health.
But install all system updates.
“But I heard rumors,” you protest, “that the new update melted pet kittens.” Ignore the rumors; system updates are vital for security, whereas rumors are just rumors.
Set your screen saver for a reasonable period (it should come on after 10-15 minutes of idleness). Set the Security preferences pane to require a password for access after the screen saver is activated. Set a Sleep corner for the screen saver (recommended: lower left corner).
Being able to force the screen to “sleep” and blank your desktop is a valuable privacy and security feature, but it only works if you set it up and use it.
The System Preferences > Security preferences pane has several options, some of which were mentioned above:
Turn off file sharing, screen sharing, web sharing, etc. These should be turned on only when needed -- and then turned off again.
In the System Preferences > Software Update pane, enable “Check for updates - weekly.” When prompted by a new update, read the message; don’t just dismiss it as an interruption.
Follow these steps:
If you have a laptop, Apple’s Time Capsule is even better; it combines wireless networking and wireless backup all in one box.
Disable “Open safe files after downloading.” Make sure downloads are always downloaded to the “Downloads” folder. Apple goes out of its way to segregate downloads (potential vectors for attacks) from everything else, so don’t mess this up by changing the settings.
If you are required by work to have a virus checker, install whatever your employer requires.
For everyone else: if you want to have a virus checker, try VirusBarrier Express, free from the Mac App Store. VirusBarrier Express can be configured so that it only runs manually, rather than all the time. If you have a concern, run it; otherwise, ignore it.
The first time I ran VirusBarrier Express, I was surprised to find viruses on my computer. My Google Gmail account had, in the spam folder, a dozen messages containing Windows viruses. These represented no threat at all to Mac OS X, but I promptly deleted them anyway.
It is worth knowing that the very first computer virus ever released in the wild was aimed at Apple computers -- Apple II computers. The year was 1981. Thirty years later, viruses are not a threat to Mac OS X, but there are other, more potent and subtler dangers. You can protect yourself, but only if you correctly parse that phrase: you can protect yourself. Nobody else will.