The recent security issues that have affected Windows users have led the media--and sometimes even Mac-specialized publications--to talk about the shortcomings of the Windows security scheme and to provide surprisingly detailed advice.
So far, Mac users indeed have been luckier. Mac OS X is relatively secure out of the box, and Apple has been good about providing easily installable security updates as needed.
Unfortunately, some Mac users forget that security is more than just applying the occasional patch. It is a continuously evolving quest that requires additional steps to make their systems more secure. Luckily, the Unix foundation of Mac OS X, Darwin, has provided us with powerful tools that we can leverage to help our computers remain secure in an otherwise dangerous world.
In this article, I'll take a hands-on approach to what I call "security through common sense," the basic security steps that every single Mac user should take.
Security is a touchy topic and nobody owns a definitive security answer. This article presents the steps that I would personally recommend, but my views may differ from those of your network administrator, company, or school--either because you need a greater level of security, or because the organization relies on other, internally tested, solutions. In any case, please consult your IT department before implementing these steps.
If you handle very sensitive data, I would advise you to seek professional advice. Using a Mac is an excellent way to protect data--since they are extremely secure--but you may need to implement industrial-strength firewalling and intrusion-detection software. This is obviously out of the scope of this article.
I have tested the third-party software I link to on my own machines. However, please understand that I have no "insider knowledge" about these applications and that I cannot endorse them.
Many Mac and computer users in general do not take additional security steps to protect their data because they have the feeling that they have "nothing to hide" or that they do not store any valuable information on their computers.
Unfortunately, this comforting theory overlooks the fact that most of the time, hackers don't try to attack your computer or your network because you are who you are. Indeed, most of the time, attacked computers are chosen semi-randomly: because they have detected that you have an unusual amount of traffic; because you run an unprotected Windows 95 computer somewhere on your network that makes it easy to crack; and so on.
Some people will try to break into your computer "for fun." However, nowadays, many exploits have a unique goal--turn the computer into some kind of zombie that the attacker will be able to steal confidential information from (can you swear that your credit card number isn't stored somewhere on your computer?), or perform illegal actions in your own name. Therefore, in most cases, hacking a computer is worth the time and effort spent, even if the person who tries to break in has no idea who you are.
Even worse, in some countries, leaving a computer unprotected can be seen by the law as implicit approval of whatever other people do on it without your knowledge--the good old "this person wasn't protected, so he obviously didn't mind what could happen." Should something go wrong, being able to prove that your computer was indeed protected may be a good way to show your true intentions.
Now that we have discussed a bit about why security is important, I'm going to walk you through the basic steps of securing your Mac. This first part will give you an overview of things you might know already, but maybe include a new wrinkle or two.
Most security issues nowadays rely on simple social engineering techniques--convince a user to download an application or run a special command that opens a breach in the security systems that have been set up. That's how most Windows viruses propagate, and we've all seen how effective this approach is.
Since you are reading Mac DevCenter, you probably know the Mac OS X basics that are explained in books like Mac OS X Panther: The Missing Manual. In that case, I would recommend that you have a look through the excellent Running Mac OS X Panther by James Duncan Davidson to learn more about the underpinnings of Mac OS X.
By knowing Mac OS X better, you will be able to avoid common mistakes--like turning on Windows file sharing and FTP services "just in case." This may sound silly but this is the most essential step towards good security and will allow you to react in an efficient manner to incidents and potential issues.
Of course, we assume that you already know that you are not supposed to open unknown email attachments, run strange applications, and so on. You should exercise the same caution on your computer that you would in the real world when dealing with strangers, let's say on a dark street at around 3:00 a.m.
As a concerned citizen of your country, you are already trying to keep up with the current events, on a local, national and international scale. That's great! But do you do the same when it comes to computer-related news?
Indeed, the best way to defeat social engineering and to avoid issues is to be aware of what's going on in the security world.
Luckily, this can be done in very simple ways. This page provides you with simple tips to learn more about security issues as soon as they are discovered. I would highly recommend that you subscribe to Apple's security-announce mailing list as well.
Also, you may want to keep an eye on the recent virus outbreaks and security issues. Indeed, even reading about Windows- and Linux-only viruses and trojan horses will give you a good idea of what's happening on the network and how social engineering works. A good place to start is this page.
Should a Mac virus be discovered, you will then notice it immediately and be able to take the appropriate steps.
In this article, we're going to focus on network-borne threats. However, there can be no network security if anyone can sit in front of your screen, alter your settings, and then use the new setup to attack you remotely.
Therefore, I would recommend that you have a look at this Mac DevCenter article on setting up a firmware password.
You should also turn automatic login off, and make sure that authentication is required to alter the settings of most preferences panes--this can be all done through the "Security" preferences pane. Also, get into the habit of using the "Lock screen" feature--available through the Keychain menu--whenever you step away from your keyboard, even for a few minutes.
Finally, you may want to have a look at FileVault and decide whether or not you want to run it.
The Mac OS X development team does its absolute best to provide you with a secure operating system and may release, from time to time, security updates--even when there's no known exploit.
I would recommend that you apply these updates as soon as they are released, to make sure that you do not give time to attackers to exploit a known vulnerability. Indeed, it is now quite easy to find software on the Internet that will automatically try to break into computers and report all the vulnerabilities found in a specific machine, along with tips about how to use them. In many countries, such software is perfectly legal and some authors update their applications daily!
The most convenient way to update your applications is, of course, to use the "Software Update" preferences pane, available through the "System Preferences" application. It will take care of finding the updates you need, then download and install them, making securing your computer very easy. Unlike some update mechanisms featured by other operating systems, "Software Update" checks that the files that it downloads indeed come from the Apple servers--and not from any server that claims to be Apple.
For maximum security, you may want to download updates manually from the recently redesigned Support downloads page. The main advantage is that you will be given the option to manually test the authenticity of the file you download--an added security--by using the "md5" utility. The main drawback is that updates are usually posted on the downloads site with a slight delay--24 hours in most cases.
md5 is a Unix command-line utility that computes the "checksum" of a file. Like fingerprints, checksums are unique identifiers that correspond to a specific file, and it is highly unlikely--some say virtually impossible--to find two different files with the same checksum. Should the checksum computed by md5 on your Mac match the one provided by Apple on the downloads site, you can be virtually sure that you have downloaded the right file and that it has not been altered during the download.
To check a file's md5 checksum, simply open a Terminal window and type the following command: "md5 /path/to/the/file". Then, press return and compare the string returned with the one displayed on the download page.
md5 checksums now have known flaws that could potentially allow someone to forge an altered file with the same checksum. This is, however, very unlikely and md5 is still widely seen as a safe way to check the integrity of files--provided, of course, that the web site that is used as a reference hasn't been hacked too!
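As an added example (not from the article), a small shell function that performs the comparison described above against the digest copied from Apple's download page; it uses Mac OS X's md5 utility and falls back to md5sum on other Unix systems, where the md5 command does not exist.

```shell
#!/bin/sh
# Print only the MD5 digest of a file. Mac OS X ships the BSD "md5" tool
# (its -q flag prints just the digest); other Unix systems have "md5sum".
file_md5() {
  if command -v md5 >/dev/null 2>&1; then
    md5 -q "$1"
  else
    md5sum "$1" | cut -d ' ' -f 1
  fi
}

# verify_md5 FILE EXPECTED: compare FILE's digest with the digest published
# on the download page. Case is normalised because sites print either form.
# Returns 0 on a match and 1 on a mismatch, so it can drive a larger script.
verify_md5() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(file_md5 "$1")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $1 has MD5 $actual"
    return 0
  fi
  echo "MISMATCH: $1 has MD5 $actual, expected $expected" >&2
  return 1
}

# Usage (digest is the one shown on the download page, file name assumed):
#   verify_md5 ~/Desktop/SecurityUpdate.dmg <digest-from-download-page>
```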
As important as it is to keep your operating system up to date, you should also not forget to update your applications.
Many applications are updated frequently for security reasons, including third-party web browsers, email readers, and Microsoft Office. As long as you are running them, it is extremely important to update them too, since they could potentially allow an attacker to run malicious code on your computer--consider macro viruses, for example.
Many software authors now provide you with software update-like features but, unfortunately, very few have actually implemented security checks in them. Therefore, I would recommend that you use these features to check if an update is available on a regular basis but go to the actual application site to download it. If the authors do not provide an md5 checksum, you may want to ask them to get into the habit of posting one.
Software Update will usually notify you about updates to the Apple applications you have installed on your computer, even if they are not bundled with the standard Panther installation.
It may sound silly but the easiest way to break into most computers is to politely ask the computer to be given the permission to enter! And how do you do that? By guessing the passwords set by the authorized users. Indeed, in most cases, computer users use relatively weak passwords that do not protect them effectively and that can be guessed easily--remember that hackers can use programs that try a few thousand passwords per minute!
Should an attacker use this method, no firewall or security system could really detect his presence and stop him since, for the computer, this person is you.
Luckily, picking a good password isn't too difficult, as long as you at least follow some basic guidelines:
As surprising as it can be, the user password is, in many cases, the weakest link in a security system.
Of course, should you rely on the "Keychain" to hold your various passwords securely, you should be extra careful when picking this one--and it should not be the same as any of the passwords that are stored inside it. Panther users will notice that the "new keychain" creation dialog now features a password checker, available through the "i" button.
To use it, click on the button once you have entered the password in the "Password" field of the dialog--you do not need to enter it twice at this stage. You can then alter your password and see the new security rating appear "live" in the password checker window. Follow the given recommendations until the bar turns completely green--there should be no remaining trace of red, orange or yellow--and there are no recommendations in the lower part of the window.
Now that you have found a relatively secure password, you should also make sure that nobody knows it... The same applies to your other accounts since a malicious user could try to use them to break into your computer --put a malicious program in your email inbox, for example--or steal your identity.
The first rule is to have separate passwords for everything. Rely on the Keychain application to provide these various passwords to the applications or online forms that need them if you cannot remember them, but make sure that someone who has your AIM password (never encrypted) cannot log into your computer remotely or read your mail!
Never reveal this password to anyone, especially if you are requested to send it through an unencrypted channel (web page, mail, instant message, phone...) or receive a message with links to follow--these are usually scams that attempt to redirect you to a fraudulent site. You should not send passwords via a network, even to trusted individuals, since they can be easily sniffed during the transfer over the wire--or worse, over a wireless network.
Do not write your passwords down. Should you need to do it, lock them in a bank safe where you will be able to find them if needed, but do not keep them on you or around your computer--no, not even under the keyboard!
If possible, try to create multiple keychains on your Mac in order to group passwords and unlock the password sets on an as-needed basis. In order to do that, use the "Keychain Access" utility, located in your Utilities folder. While you create and manage your keychains, be sure to use the "View" menu to display the keychain menu item in your menu bar: that way, you will be able to lock and unlock keychains on the fly. Once a keychain is locked, your passwords are safely stored in an encrypted file.
Protecting passwords in a locked file will not only prevent local and remote malicious users from using them but also potential trojan horses--since you are required to provide your password to decrypt a keychain. Of course, as soon as you decrypt a keychain file to use a password, your password is at risk, but this limits the periods of exposure.
Inside a keychain you should also set up strict access rules for the various items and restrict their use as much as possible. Such settings can be found in the lower half of the Keychain window.
The "Keychain" application has a frequently forgotten feature: secure notes. Secure notes work exactly like password items and enjoy the same level of protection but allow you to enter an unlimited amount of text. In order to create one, simply use the "Note" button or the "File" menu. Notes are a good way to store relatively sensitive information, but you may want to create "notes only" keychains for the sake of organization and security.
A common password security issue is posed by mail readers that do not use SSL to connect to the server. You may want to have a look at this article from Jason McIntosh about secure mail reading. Should you find that your provider does not support any kind of secure mail reading--a surprisingly common situation--consider switching to another as soon as you can. Apple's very own .Mac mail services do offer secure mail reading through SSL, and are fully integrated with Panther's Mail.app.
You may even want to go one step further and follow these steps to enjoy truly secure mail reading--although this has nothing to do with the protection of your mail password, such methods can defeat social engineering attempts.
Passwords can be sniffed and intercepted in countless ways and you should never trust the same password over a long period of time. Change your password regularly, and try to create new ones each time--for example, avoid sequential passwords like Password01 > Password02.... These are easily crackable.
Unlike many other Unix--and especially Linux--distributions, Mac OS X ships with all services and potentially dangerous daemons turned off by default. Most of them can be turned on by using the "Sharing" preferences pane, available through the "System Preferences" application.
As soon as you turn a "service" on, you start a daemon that will continuously listen for connections on a given port and reply to them. For example, turning "Remote login" on will launch the sshd daemon, which will allow anyone to establish a connection to your Mac through port 22. Should a malicious user know your password, he will be in, and legally!
Some of these services turn your Mac into a server, raising a new class of potentially important security issues. Therefore, you should not turn these services on unless you really need them.
Of course, most of these daemons run as nonhuman users on Mac OS X. In other words, they run as if they were a separate user on your machine with very limited privileges. This makes using them to break into your computer more difficult, especially if you make sure that you always use the latest versions of them.
However, such daemons can always be used to gain some interesting information about your computer and to launch DoS (Denial of Service) attacks quite easily--for example, repeatedly requesting SSH logins or file sharing to slow your computer down.
Should you need to run a "dangerous" service--i.e. a widely known, insecure one, like FTP or Windows File Sharing--you may want to dedicate a specific machine on your network to it and use it as a file server. On properly firewalled networks, place this machine outside of the firewalled zone--provided that its contents are meant to be known by the whole world, of course: this will make connecting it to the Internet and serving data much easier while protecting the rest of your network.
For the same reason, avoid sharing your internet connection through the "Internet" tab since this grants legitimate access to other computers on your network and launches server daemons on your Mac too. Of course, this is not an issue when working with trusted computers and individuals but should not become a common practice in public places.
However, making sure that you didn't turn on any dangerous service at the operating system level is sometimes not enough since some applications can run their very own server services.
Some group work applications can turn your Mac into a file sharing server, for example. Some webcam drivers have a web server function that allows remote users to connect to your machine to see the images you publish. Of course, some of these applications are well written but you should always consider the security risk associated with running servers, even if this does not happen at the OS level--since the effect is, ultimately, the same or worse.
Without discussing the legal aspects associated with peer-to-peer networks, let's not forget that many such applications have been known for installing spyware or featuring flawed security systems. Should you insist on using them--to share files legally, of course--you may want to follow the procedure mentioned above.
Some applications are known to raise constant security issues--I won't give names but I am sure you see what I mean. Whenever possible, try to avoid these applications and to rely on more secure alternatives. The open source community has released some great, fully functional alternative applications that can integrate perfectly into your existing workflow.
Wireless networks protected by WEP are inherently insecure as this excellent article proves--please, do not attempt to reproduce the steps outlined in it before making sure that it is legal in your country, even on your own network. Therefore, you may want to rely on better methods like WPA. Apple recently released an AirPort update that allows you to use this updated security method, even in mixed AirPort / AirPort Extreme environments. More information may be found here.
Now that you are sure that you do not allow people in too easily, you may want to make sure that you lock them out, by using a firewall.
As silly as it may seem, a software firewall is no stronger than the operating system it runs on--as the ever increasing Windows security issues show.
Therefore, it is important to get a hardware firewall that will provide a first layer of security for your network by making it "stealth"--i.e. not responding to various probes--and warning you in case someone really tries to break in.
No hardware firewall is 100% secure but, by applying the security updates provided by your vendor, you should be able to keep most wannabe evildoers out of your LAN.
Also, using a hardware firewall to protect your network will allow you to worry less about the security mistakes that some users may commit on their Macs--although this should not give a false sense of security either.
There are many, many types of firewalls and all of them have their strengths and weaknesses. However, you may want to make sure that you follow these rules:
Some firewalls can act as routers and modems, making creating a network very easy. Of course, you should pick one using Ethernet--I still have to see one that doesn't but you never know what can pop up at a computer store.
Surprisingly, few Mac OS X users know that their operating system of choice comes with a built-in, time-tested, industrial strength firewall that they can turn on by simply using the "Sharing" preferences pane.
Here are the detailed steps to follow.
The firewall used by Mac OS X is called "ipfw", which stands for "ipfirewall". Its job is fairly simple--close ports and prevent remote hosts and applications from connecting to them. Some users may argue that the interface provided by Apple does not allow a lot of fine-tuning: this is true, but it is done on purpose to allow even newcomers to benefit from reliable security settings, without having to worry too much about settings.
Of course, by turning your firewall on, you are preventing some applications from establishing a connection with your computer. This is not likely to interfere with most of your workflow but can, under some circumstances, prevent a few network-aware applications from working, especially Rendezvous enabled ones--iChat over Rendezvous, for example. To avoid this, you can open the necessary ports by checking the corresponding box in the "Allow" list. Just keep in mind that, the more ports you open, the less effective your firewall will be--but it sure is far better than disabling the firewall altogether.
Unfortunately, ipfw does not feature instant warnings and will only write its warning messages to a log, accessible through the Console utility. This has the advantage of not disrupting your workflow but, unfortunately, does not allow you to react in a timely manner to some attacks since you are probably not constantly monitoring the logs.
Many companies now sell third-party firewalling solutions that do not rely on ipfw in any way... These firewalls provide you with instant notification systems and are generally more "friendly" for a new user. However, they need to add "kernel extensions" to your installation--files that act at a very low level in your operating system to add features. While a very well written kernel extension can work perfectly, be aware that you will need to update them frequently and to pay attention to potential compatibility and stability issues.
Many firewall companies will provide online tests that will try to "test" your firewall. For example, you may want to have a look here. Of course, most of these tests are linked to advertisements for the company's products and none of them will replace a good security audit. However, they still can provide you with some valuable information.
Unfortunately, some Mac users think that they do not need to worry about viruses since "there are no viruses for Mac OS X."
First of all, this is not entirely true and some macro viruses can travel cross-platform. However, even if this really were the case, you should still scan your computer regularly. That way, you will not only be able to stop PC viruses before you forward them to your PC friends inadvertently but also will be able to react very quickly in the event of a massive Mac compatible infection.
Again, there are many anti-virus solutions out there and many companies sell anti-virus software with more or less identical features. However, since many .Mac members will use Virex, this is the program I am going to focus on. Should you already rely on another product, you should be able to adapt most of this advice.
The default Virex preferences are curiously set up and you may want to change them a bit.
The first thing to do is to make sure that Virex performs an "advanced scan of applications and macros." Heuristic scanning is a method of scanning the files that attempts to recognize the characteristics of viruses, even if they are not listed in the virus definitions. This slows the scan down a bit but definitely provides an extra layer of security you shouldn't live without.
Of course, no anti-virus software, even with the best heuristic scanning capabilities, can protect you in an efficient manner if you do not update your anti-virus definitions. McAfee, like most anti-virus companies, updates its Mac definitions once a month--and, let's face it, this is not enough to stop PC or Unix viruses. Should you be ready to use the Terminal, there is a way to update your definitions a lot more often! Here's how.
Note: This paragraph assumes that you are comfortable with the Terminal.
Virex allows you to automate scanning each time that you log in.... This may be convenient for some users but you may want to scan your hard drive at another time every day.
Ideally, you should scan your hard drive every day during your lunch hour: at this time, the computer is probably almost idle, so the scan can go more quickly and it won't interfere with your daily routine.
Also, should Virex find an infected file, you will be able to see it almost immediately and take the appropriate steps.
Since Mac OS X is a UNIX-based operating system, it allows you to automate tasks by using a built-in component called "cron". You will need to edit the system's cron file to automate Virex.
Since this file already contains some important system information, you may want to use caution while you edit it: you definitely don't want to disable the Mac OS X maintenance tasks.
Follow these steps carefully in your terminal. In our example, the scan will run at 1 PM every day. Feel free to choose another hour, knowing that the command reads:
minute   hour   day of month   month   weekday   user   command   (a "*" means "any")
0 13 * * * root /usr/local/vscanx/vscanx -rv --secure / >/Applications/virexreport.txt
Note that the stars and numbers are separated by tabs and not by spaces. To check that the line has been entered correctly, make sure that it aligns perfectly with the ones already in the file.
Now, enter Control X to exit, then enter Y and return to save the file to the disk.
Every day at 1 PM, Virex will run in the background as root and scan your computer. Once it is done, it will create a text file in your Applications folder, containing the report. Make sure that you read it carefully every day to make sure that your system wasn't infected and to know more about what happened. Once you have read it, delete it. That way, if the next day the test crashes and does not produce a report, you will notice it instead of reading the old one, thinking that it is the latest status of your system!
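As an added example (not part of the article), a wrapper script that the crontab line could call instead of vscanx directly: it dates the report, records whether the scanner ran to completion, and provides a check that tells today's complete report from yesterday's leftover, which is the failure case described above. The scanner path and flags are the ones on the page; the wrapper's own path and its report layout are assumptions.

```shell
#!/bin/sh
# Wrapper to be called from /etc/crontab in place of vscanx itself. Assuming
# it is saved as /usr/local/sbin/virex-scan.sh (placeholder path), the 1 PM
# crontab line becomes (fields separated by tabs, as the article notes):
#   0  13  *  *  *  root  /usr/local/sbin/virex-scan.sh / /Applications/virexreport.txt
# SCANNER may be overridden from the environment to try the wrapper without Virex.
SCANNER=${SCANNER:-/usr/local/vscanx/vscanx}

# run_scan TARGET REPORT: scan TARGET, write a report that starts with the
# date and ends with a "Scan finished" line carrying the scanner's exit
# status, and return that status so cron mails root when the scan itself fails.
run_scan() {
  target=$1
  report=$2
  {
    echo "Virex scan of $target started $(date)"
    "$SCANNER" -rv --secure "$target"
    status=$?
    echo "Scan finished $(date) with exit status $status"
  } > "$report" 2>&1
  return "$status"
}

# report_is_current REPORT: succeed only if REPORT exists, was written within
# the last 24 hours (today's run, not yesterday's) and ends with the
# "Scan finished" line, i.e. the scanner ran to completion instead of dying.
report_is_current() {
  [ -f "$1" ] || return 1
  [ -n "$(find "$1" -mtime -1)" ] || return 1
  tail -n 1 "$1" | grep -q '^Scan finished '
}

# With two arguments, behave as the cron job; otherwise only define the
# functions so they can be sourced from another script.
if [ "$#" -eq 2 ]; then
  run_scan "$1" "$2"
fi
```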
Since the root user is, according to the Unix permission scheme, all powerful, most attacks and exploits are targeted at it. Therefore, for security reasons, Apple has disabled it and only allows you to temporarily gain root privileges by entering your administrator password.
Some advanced Unix users may need to enable the root account to perform some complex administrative tasks, but you should not do it, even if some tutorials suggest it. Doing so does not create a security issue in itself but will make breaking into your system much more rewarding!
To temporarily execute commands in the terminal with root privileges, simply add "sudo" in front of all the commands you want to execute with super user privileges.
Some security tutorials even recommend that you create a second, non-administrator user account for your everyday work. If you feel comfortable doing it, it may indeed be a good idea. However, it can be a real issue for users who often install or compile applications on their Macs--since such operations require administrative privileges.
Now that your computer is properly firewalled, that you have a solid anti-virus protection and that you use secure passwords, you have achieved a security level that every single Mac user--and computer user in general--should at least have.
However, there are still ways to go a bit further without disturbing your workflow too much... If you are willing to have a look at a few other cool applications and technologies, here we go!
While you are using your Mac, many, many applications constantly try to access the internet, to either get information or send some. The problem is that some of them may, along the way, send some details that you deem confidential--or be simple Trojan Horses.
To avoid this, you can install "reverse firewalls" that monitor outgoing connections and provide you with live alerts, allowing you to accept or deny attempts.
Of course, such third-party products are not perfect, since you have to trust the authors and since they, too, install kernel extensions to provide you with alerts.
However, the best of them can be a real help--give it a try and you will be surprised to see how many applications try to establish connections without your permission!
One application in this category that is widely known in the Mac community is Little Snitch--but it's not the only one and you may want to look at other options and their various feature sets first.
Before installing them, though, you should be aware that such products may sometimes interfere with Mac OS X itself--they can prevent fast user switching from working, for example. Luckily, since their authors are hard at work to improve them, compatibility issues disappear pretty quickly.
On a more legal note, keep in mind that preventing some applications from connecting to their authors' site for registration and license control purposes may be unlawful in your country. You may want to check with your legal advisor or the authors of the application first.
Reverse firewalls are likely to generate many alerts when you first install them. You should take the time to fine-tune their rules to ensure maximum security. For example, allowing an application to establish "any connection" can be tempting but it entirely disables the protection that you could enjoy against this application--even if the application is trusted, remember that everything is hackable.
An important point to check is whether or not your reverse firewall can protect itself against malicious applications that would try to alter its database. Most of them won't have a very secure self-check system but you should make sure that there is one to increase your security.
Let's say that someone has broken into your computer and has begun to alter various configuration files to use your computer as a base for his unlawful activities.
Luckily, there are some applications out there that can regularly calculate the checksum of your files (see the md5 information above) and compare it with a list of known-good files. Such a system can certainly be defeated by altering the reference database but it will provide you with an extra layer of security--and can be a real life saver under certain circumstances.
Brian Hill, author of the world famous Brickhouse, has released an application called "CheckMate" that acts the same way and that can check on a regular basis whether any of your system files--or data files of your choice--were altered without your consent.
Here is how to use this application.
To make sure that CheckMate runs normally, you can have a look at the system log, by using the "Console" utility.
The fact that an application like CheckMate reports an integrity check error does not necessarily mean that you have been hacked. Indeed, updating the prebinding of files--a task commonly performed by installers--can alter the checksum and cause an alert to appear.
Before worrying about an alert, you should always ask yourself whether there was a reason for which the file was modified.
There are many applications like CheckMate and each has its own strengths and weaknesses. By going through their respective feature sets, you will be able to find the one that best fits your needs. For example, do you need a GUI or do you prefer the Terminal? How secure should the application be? And how easy to use?
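An added example (neither CheckMate's code nor from the article) of the mechanism such tools rely on: record the md5 digest of every file under a directory once, then compare a fresh snapshot against that baseline and report what changed, disappeared or appeared. It uses the md5 utility discussed earlier, with md5sum as the fallback on non-Mac systems.

```shell
#!/bin/sh
# digest_of FILE: print "digest  path" (two spaces) for one regular file.
digest_of() {
  if command -v md5 >/dev/null 2>&1; then
    printf '%s  %s\n' "$(md5 -q "$1")" "$1"
  else
    printf '%s  %s\n' "$(md5sum "$1" | cut -d ' ' -f 1)" "$1"
  fi
}

# snapshot DIR BASELINE: record a digest for every regular file under DIR.
# Run this once on a known-good system and keep BASELINE where an intruder
# cannot quietly rewrite it (removable media, a locked disk image).
snapshot() {
  find "$1" -type f | sort | while read -r f; do
    digest_of "$f"
  done > "$2"
}

# verify_baseline DIR BASELINE: take a fresh snapshot and compare it with
# BASELINE. Prints one CHANGED / MISSING / NEW line per difference and
# returns 0 only when the tree is identical to the recorded state.
verify_baseline() {
  current=$(mktemp)
  snapshot "$1" "$current"
  awk -F '  ' '
    FILENAME == ARGV[1] { base[$2] = $1; next }   # recorded state
    { cur[$2] = $1 }                               # current state
    END {
      bad = 0
      for (p in base) {
        if (!(p in cur))            { print "MISSING " p; bad = 1 }
        else if (base[p] != cur[p]) { print "CHANGED " p; bad = 1 }
      }
      for (p in cur) if (!(p in base)) { print "NEW " p; bad = 1 }
      exit bad
    }' "$2" "$current"
  rc=$?
  rm -f "$current"
  return "$rc"
}
```

A CHANGED line is exactly what a prebinding update or a legitimate software update produces as well, so the baseline has to be refreshed after every intentional change.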
FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.
Copyright © 2009 O'Reilly Media, Inc.