Securing Your Mac

A recent Reuters article, Macintosh Hacker Attacks Are on the Rise, pointed to the rising number of attempted hacking attempts targeting Apple Computer Inc.’s Macintosh OS X operating system, according to a report from anti-virus software vendor Symantec Corp.

“Contrary to popular belief, the Macintosh operating system has not always been a safe haven from malicious code,” said the report, which was issued on Monday, March 21.

“It is now clear that the Mac OS is increasingly becoming a target for the malicious activity that is more commonly associated with Microsoft and various Unix-based operating systems.”

While most people worry about hackers accessing their Macs over a network, it’s much easier for someone to just walk up to a computer and browse its files. That’s especially true if it’s a laptop, or if it’s in an office, a dorm, or another space where people mill around.

1. Turn Off Your Mac at Night

While this suggestion won’t protect your Mac while you’re working, it pays to remember that hacking your computer is impossible when your computer is not connected to the Internet. Hence, turn off your modem or your computer when you go to bed.

2. Turn Off Automatic Login

When you choose automatic login, you get to skip entering your password when you start up your Mac. But automatic login also allows anyone to start up your Mac and access your files. If you have it turned on, go to OSX’s Accounts preference pane, click on Login Options, and deselect Automatically Log In As user name.

3. Require a Password for Waking your Mac from Sleep or a Screen Saver

Your screen saver looks cool and hides your work, but anyone can press a key to deactivate it and get total access to your Mac. The same is true when your Mac is asleep. Protect against this by going to OSX’s Security preference pane and selecting Require Password To Wake This Computer From Sleep Or Screen Saver.

4. Lock Your Keychain

It’s handy that the Mac’s Keychain application stores your passwords for Web pages, network volumes, e-mail accounts, and more. Even better, when you browse the Web, the Keychain can help Safari autofill password fields without asking for any confirmation.

But what happens if you step away from your desk? Someone else could access everything from your online banking site, to your .Mac e-mail, to accounts at online retailers - without needing to know your passwords.

Protect yourself by changing your Keychain settings. Open Keychain Access in the Applications: Utilities folder. Select your keychain (usually your user name) in the drawer (click on Show Keychains in the toolbar if it’s not visible). Then choose Edit: Change Settings For Keychain keychain name. Select Lock After 5 Minutes Of Inactivity, or change the time limit to 1 minute if you’re really paranoid. Then select Lock When Sleeping for more security.

5. Change Your Keychain Password

By default, the Keychain password is the same password you use to log in to your Mac. Even if you’re the only administrator, others could potentially start up your computer with an OS X installation CD and reset the administration password. If they did that, they could reset all the user account passwords and effectively access your keychain. To protect against this, you need a Keychain password that’s different from your user password. Open the Keychain Access application, and select your keychain in the drawer. Select Edit: Change Password For Keychain keychain name, and then enter a new password.

6. Store Your Sensitive Files in an Encrypted Disk Image

If you have only a handful of sensitive files, as opposed to a Home folder chock-full of top-secret information, it’s easy to store them in a password-protected encrypted disk image. When you want to mount an encrypted disk image, you need to enter a password. When you’re finished working with its files, just eject the disk image. For detailed instructions, see “Protect Data in Panther,”; Working Mac, June 2004 and my post Creating Protected Archives.

7. Completely Erase Sensitive Files

If you’ve worked on files that you don’t want others to see, you can delete them when you’ve finished. But they aren’t completely deleted - bits and pieces of your files remain on your hard disk, and some file-recovery programs could let another user access them. To completely delete sensitive files, select Finder: Secure Empty Trash. This not only deletes the files but also overwrites them so no one can get at them with file-recovery software.

8. Use FileVault

The ultimate level of protection for your files is to encrypt them. In addition to storing some files in an encrypted disk image, (as explained earlier), FileVault, the feature built into Panther that encrypts your home folder, provides total protection even if someone steals your Mac and removes your hard disk. However, an administrator can reset the FileVault password, so your files are not protected from everyone unless you’re the administrator. (Your user password opens FileVault, so if you’ve left automatic login on, this protection isn’t worth squat.)

To access FileVault, go to the Security preference pane. FileVault creates an encrypted disk image of your entire Home folder; instead of you creating one manually, as mentioned earlier, and moving individual files into it, the operating system handles this, mounting the disk image when you log in and unmounting it when you log out. But when you use FileVault, all your files are encrypted - your photos, music files, movies, and anything else in your home folder.

Early versions of Panther had problems with FileVault that caused data loss, but Apple seems to have resolved these, and FileVault seems safe to use now.

9. Set an Open Firmware Password

As the truly paranoid know, there are three ways to get around a login password: start up the Mac from an OS X installation CD, boot a Mac in target mode while it’s connected to another Mac, or start up a Mac from a network server. So if someone gets physical access to your Mac and has the right tools, he or she can access anything that’s not encrypted.

If you want to prevent users from gaining such access, you can set a low-level password that must be entered even before your Mac begins booting. Open Firmware is special code that is not part of OS X - it’s actually in a chip in your Mac. Like a PC’s BIOS, this chip runs before anything else at startup.

It’s not infallible, but it provides solid protection when your Mac lives in a location that’s accessible to the public. See the Apple technical article “Setting up Open Firmware Password Protection in Mac OS X 10.1 or Later” for more on setting an Open Firmware password.

Other Prudent Behaviours

• Download only from reputable sources. I download only from download.com - run by CNET. The CNET editors keep an eye out for black sheep, so you know that their listings only feature legitimate sources.
• Backup your entire computer system - on DVD and on an external harddrive. It’s not a matter of if your system crashes but when. You’ll thank yourself once disaster strikes.
• Modify your online behavior: Check out CNET article by Bruce Schneier, Who says safe computing must remain a pipe dream? and PC World column Zombie Repellent by Michael Desmond.
• On a Macintosh: Repair permissions regularly, and clean out your computer. Onyx and Mac Janitor.
• Have automatic software updates enabled (Win and Mac), patch any security flaws immediately.
• Abandon Microsoft Internet Explorer. Due to its myriad of security flaws, it’s just better to switch to a more robust browser such as Firefox. Check out the comparison of IE vs. Firefox.
• Turn off your computer at night. If your computer or modem doesn’t run, your system is safe from third parties. Simple as that.
• Protect your privacy while surfing the Internet. Read more.
• Read the related article, Securing Your Computer At Home.

Related Articles