About Me

Aside from the occasional initiation into the Dark Brotherhood, I spend my time telling people how to fix their Macs. Not that they are broken, but hey, every step closer to Linux is a positive one. Security and stability, brothers.

Monday, August 30, 2010

Make use of encryption options

Mac OS X offers a number of options for encrypting your data to prevent access to it if your Mac is lost or stolen. I've already touched on a couple of these, but the biggest example is FileVault, which can also be activated and managed from the Security pane in System Preferences.
FileVault converts your entire home folder into an encrypted disk image. The image is mounted and accessible only when you are logged in. At all other times, it is unreadable. FileVault uses industry-standard encryption, and if you use Time Machine, any backups of your home folder's contents are equally encrypted.
Note: FileVault must be enabled by each user who wants to have an encrypted home directory. Each home directory will be encrypted as a separate disk image file.
FileVault supports the use of a master password as a safety net that can be used to reset user passwords and access encrypted home folders if users forget their passwords. If both a user password and a master password are lost or forgotten, however, there is no way to retrieve data from the encrypted home folder.
To enable FileVault, launch System Preferences, select the Security pane, and then select the FileVault tab. You can set or change a master password using the Change button next to the master password description. (You must be an administrative user of the computer to do this, and you must know the current master password if one is already set.)
Next, click the Turn On FileVault button. Enabling FileVault for the first time can take a significant amount of time because the entire contents of your home folder are copied into a newly created encrypted disk image. If you have tens or hundreds of gigabytes of data, this could take hours or even days (much like an initial Time Machine backup).
For this reason, it's easiest to set up FileVault when you first create a user account (and thus there is little data in the home folder). During this initial copy, you will also need to ensure that you have at least as much free space on your hard drive as the size of your home folder, since all the data will be copied. Once enabled, FileVault encrypts and decrypts items on the fly when you log in or log out, and it generally won't slow down performance significantly.
Disk Utility also lets you create encrypted disk images. Disk images look and act like virtual hard drives and can be created as blank images or copies of existing disks or folders. Mounting an encrypted disk image and accessing the contents requires a password. This makes encrypted disk images helpful if you want to secure only a portion of your files, if you need to securely store files outside your home folder, or if you need to securely share files by e-mail or other mechanisms.
To create an encrypted disk image, launch Disk Utility, and click the New Image button in the tool bar. You can select the size, name (which will be displayed as a disk/volume name when image is mounted), file name and location of the image file itself, and various other disk format options (which can typically be left as their default selections). To enable encryption, choose 128-bit or 256-bit AES encryption from the Encryption pop-up menu.
After you've made your selections, click the Create button. When Disk Utility creates the image, it will prompt you to enter and verify a password that will be required to open the disk image file. The password assistant is available in this prompt (in the form of a button with a key icon, just as when changing a user account password).

Disable unused network interfaces

If you look in the Network pane of System Preferences, you'll notice that most Macs include multiple network interfaces, such as Ethernet, AirPort/802.11, FireWire and Bluetooth. In theory, any active network interface could be used to access your Mac in a remote attack -- particularly wireless technologies, which don't require a physical connection to a network.
For this reason, it's a good idea to disable any interfaces you're not using to connect to a network or the Internet. To do so, launch System Preferences, and select the Network pane. Select each interface you want to disable, and for each one, select the button that looks like a gear at the bottom of the interface list, and choose Make Inactive from the pop-up menu.
This disables the interface, but doesn't delete it -- so you can easily change it back to Make Active to restore access to the interface.

Set a firmware password

The biggest security risks occur if your Mac is stolen or physically compromised. Even if thieves can't log into your account, they can gain access to the data on your Mac using one of the many special start-up modes built into all Macs, such as booting from an install DVD and resetting your password, using Target Disk Mode to make your Mac act as an external hard drive, or booting into the Unix-style Single User Mode.
You can, however, place a firmware password on your Mac. This password is written into the firmware chips on the Mac's motherboard using either the Open Firmware standard on PowerPC Macs or Extensible Firmware Interface (EFI) on Intel Macs. Regardless of platform, the free tool from Apple for implementing a firmware password is called the Open Firmware Password Utility. Apple provides complete steps for setting a firmware password on its support site.
If you or anyone else tries to use a special start-up mode, the user will be required to enter the firmware password. This can significantly secure personal, business or educational Macs against tampering. However, be warned that if you forget a firmware password, there is no way to reset or remove it

Don't display usernames or password hints at log-in

By default, Mac OS X's log
-in window displays a list of all users on a Mac (or all users who can access a Mac in a network). This makes it easier for anyone who has physical access to a Mac to gain access to it, since they need only guess a password. Disabling the display of users adds another layer of security because it requires that a malicious user know the username associated with an account.
Another simple act to help secure an account is to disable password hints (which Mac OS X will normally display to help you remember your password after three failed log-in attempts). This significantly undermines the security of using a password and should always be disabled.
Both of these options can be configured in the same Accounts pane where you disabled automatic log-in. To disable password hints, simply uncheck the box next to "Show password hints." To choose not to display usernames in the log-in window, select the "Name and password" radio button next to "Display log-in window as," which means users will have to type both a username and its password to log in.

Disable automatic log-in

As part of the Setup Assistant that runs when you install Mac OS X or start up a new Mac, Mac OS X enables automatic log-in for the first user account that you create -- which means you can log in without providing a username and password whenever you start up.
While automatic log-in is convenient, particularly if you're the only user of your Mac, it also means that anyone who has physical access to your Mac can simply restart it to gain full access to your account and your files. This is a particularly significant risk for Mac laptop users.
You can disable automatic log-in in the Accounts pane of System Preferences by clicking the Login Options button at the bottom of the user accounts list on the left. The automatic log-in option appears at the top of the area on the right; select Disabled from its pop-up menu.

Use secure passwords

User passwords are one of the foundations of security. If you use a password that is simple or easy to guess, you're just asking for someone to break into your computer or user account.
Mac OS X includes a password assistant that automatically generates random passwords according a specified level of complexity; it also checks the complexity of passwords that you create. Make use of this feature whenever you need to generate a password -- for Web sites or other services as well as for your Mac OS X user account.
To get to the password assistant, go to the Accounts pane in System Preferences, select a user account, click the Change Password option, and then click the button with a key icon next to the New Password field.
The password assistant can create secure passwords. Click to view larger image.
Even the most complex password can be cracked, however, so remember to change your password frequently. If you don't trust yourself to remember, try setting a monthly reminder in iCal.

Don't allow remote guest access or enable Leopard's guest account

Macs have always supported guest access for file sharing, in which a remote user can connect to a Mac without providing a username, password or other identifying information. The idea of allowing remote access to your Mac has always been fraught with potential for security compromises. It should never be allowed because it presents a grave security threat that could prevent you from easily tracking the source of a breach.
In Leopard, Apple extended guest access to the local level: Users can log in and use a Mac with a guest account that requires no username or password. The idea of a guest account is a convenient one. If you have friends or family visiting, you can let them use your Mac without allowing them access to your user account or files. When they log out as a guest, their home folder and any files they created are automatically deleted.
There are, however, some system directories, such as the Unix /tmp directory, that the guest account can write data to that may or may not be deleted at logout (or forced restart). The guest also has access to any installed applications, which could be used to perform malicious actions from your computer. If you must use the guest account, limit its access using Parental Controls.

Disable the guest account.

You can turn off both the guest account and remote guest access in the Accounts pane of System Preferences in Leopard. Select Guest Account on the left, then uncheck both "Allow guests to log into this computer" and "Allow guests to connect to shared folders."
If you'd rather keep the guest account but limit its access to files and apps, keep "Allow guests to log into this computer" checked and click the Open Parental Controls button for options.


The limited number of viruses that target Mac OS X often leads Mac users into a false sense of security. Although there are few Mac viruses out there now, that doesn't mean there will never be a virulent form of malware that threatens the Mac. And the lackadaisical approach of assuming that Macs can't be infected by a virus increases the chances of widespread infection and damage when (not if) such a virus is developed and released into the wild of the Internet.

Besides, even if it doesn't affect you directly, you might receive and inadvertently pass on a Windows-specific virus. The most common of these are macro viruses found inside Office documents -- some of which have a limited ability to affect machines with a version of Office for Mac that has macro support enabled.

Finally, if you are running Windows -- either in a dual-boot configuration with Apple's Boot Camp or under a virtualization tool such as Parallels Desktop -- your Mac is just as susceptible to viruses as any PC. In fact, if you have a Windows operating system on your Mac, you should really consider virus protection for both Mac OS X and Windows.

When it comes to antivirus programs for the Mac, a good open-source option is the Unix-based ClamAV (which works with Mac OS X but is command-line based) and its Mac graphical user interface port ClamXav.

Disable automatic opening of "safe" downloads in Safari

Probably one of the biggest Mac holes is in Apple's Safari Web browser, which downloads files that you click on or that are embedded in a Web page. That presents a problem because, by default, Safari is designed to open "safe" files as soon as they've been downloaded. Unfortunately, the definition of "safe" includes package-installer and disk image files, which can contain malware. If the malware files are embedded in a Web site, they could be downloaded and opened automatically.

Apple has done a good job of combating the potential damage in Mac OS X Leopard, which automatically detects disk images and applications that have been downloaded from the Internet via Apple's applications (Safari, Mail and iChat). However, to be truly safe, one of the best and easiest things you can do is disable the automatic opening of such files in the Safari preferences.

Disable automatic opening of downloads.
Click to view larger image.
From the Safari menu in the menu bar, select Preferences, click the General tab, and uncheck "Open 'safe' files after downloading." From now on, you'll need to manually open downloaded files by double-clicking them in your Downloads folder or in Safari's list of downloaded items.

Make sure not to click the "Do not show" option in the warning dialogs that Leopard displays when you open downloaded files; that way, you'll always be warned the first time each downloaded item is opened. (Note: This tagged file feature was introduced in Leopard and doesn't apply to earlier versions of Mac OS X.)

A similar security feature in Leopard is support for code signing, which places a digital signature in application files; your Mac checks them at launch to be sure that they haven't changed and alerts you if they have. Although many third-party applications don't yet support this, it is a powerful feature, and you should pay attention to any such warning. As with the tagging of downloaded files, do not click the "Do not show option" if you do see one of these alerts.

15 steps

One of the commonly touted advantages to using a Mac is that it's more secure and less prone to malware than a PC running Windows. It's easy to see where this attitude comes from: The prevalence of viruses and network attacks against Windows machines is greater by several orders of magnitude.

In fact, a recent Trojan horse hidden in a pirated copy of iWork '09 that circulated on peer-to-peer file-sharing sites was big news because it was the first Macintosh malware to be widely circulated on the Internet (though there have been a handful of proof-of-concept malware iterations over the past few years). But the much lower rate of malware and network attacks isn't proof that the Mac is immune to such things.

Indeed, there has been an ongoing debate over the years as to whether Mac users truly have more-secure machines or simply enjoy "security through obscurity" because they represent a relatively modest fraction of all computer users. While this debate will continue -- and there are valid arguments on both sides -- this article isn't about that debate; it's about a pair of simple questions: "How safe is your Mac?" and "How can you make it safer?"

The truth is that Apple Inc. does provide a pretty safe platform. The company leverages a number of advanced technologies to keep users and their data safe from harm. For a detailed list, see this Apple white paper (download PDF). But no system is perfect, and there are a number of security holes -- many of them easily closed -- that are common on Mac OS X systems. Here are 15 ways to fix the most frequently exploited security risks and protect your Mac.