
"What, me worry?" Well, maybe you should - it's a wild, wild Web out there.
If you think OS X is secure enough as it is, you're probably not looking at the bigger picture. No matter how much more secure your Mac is compared to a Windows PC, no machine is totally immune. You still need to be alert and vigilant when you venture past the safer confines of OS X and out onto the Internet. With our tips, you can think different by being more secure.
One of the many joys of using a Mac is not being plagued by the constant onslaught of viruses and security patches that our Windows-using friends must tolerate just to get through the day. Ask a Mac user what he does about security and he'll probably brag about doing nothing. We understand security can be a real buzzkill - and we're not donning our tinfoil hats yet. It's just that we expose ourselves to more and more risks as we continue moving into the uncharted territory of working - and living - online. Hackers, virus writers, and scam artists make it their business to come up with new ways to commit cybercrime and wreak havoc on the Web and on people's individual machines - yes, even Macs.
Know Your Enemy
The two major types of security risks are inbound and outbound. Inbound threats are direct attacks on your computer, either through hacking or with malicious programs like viruses and worms. Outbound threats involve malicious software that has been unwittingly installed on your machine in hopes of transmitting confidential and personal data through snooping, fraud, or theft.
Hackers, viruses, and other security threats do the most damage when they have unlimited access to your Mac. They rely on system vulnerabilities, like an easy-to-guess password or an insecure network port. By default, OS X is configured with these holes closed. Compare that to Windows, which forces users to close security gaps themselves or to have someone do it for them.
Viruses, Trojan horses, worms, and spyware - collectively known as malware - are household words to Windows users. According to McAfee Avert Labs, in March there were more than 236,000 known malware programs, and only seven of them targeted OS X. (A bizarre footnote to this is that some Windows apologists are likely to see this as a selling point!) Still, before you gloat about having the good sense to use a Mac, you should know that malware isn't unheard of on the Mac OS. Windows and OS X are permission-based operating systems. That means that software, like users, needs administrative privileges to access sensitive parts of the OS. Before Vista, most Windows programs had administrative privileges by default. But in OS X, apps do not have such privileges. Theoretically, you could override such settings and make your Mac a viable breeding ground for viruses.
Most network traffic travels "in the clear," meaning it's not encrypted. When you're on a network - which you are when you're surfing the Web - a snooper employing one of the many readily available packet sniffers could easily "eavesdrop on" and capture what you're sending and receiving, including passwords.
Don't Be Fooled
The term phishing describes outbound threats that combine email and websites designed to trick you into giving up your usernames and passwords. For example, you might receive an email that looks like it came from PayPal or Amazon. The email has the corporate logo, and looks just like other emails from those companies. The message may link to a legit-looking website where you log in with your username and password. That's all it takes - the phishers now have enough to attempt more heinous activities, such as taking over your real PayPal or Amazon account. It could be months before you realize what has transpired.
And with all this cybercrime going on, it's easy to forget the most low-tech methods of the bold and brazen - physical force. One doesn't need much in the way of programming skills to walk up to your machine and start clicking around.
From the get-go, Mac OS X provides substantial security. Here's how to keep it that way - and extend your feeling of protection when you venture online - without making major sacrifices in cost or convenience.
- - - - - - - - - - - - - - - - - - - -
AN OUNCE OF PREVENTION
Try these tips for keeping hackers, phishers, and other cybercriminals at bay.
Strong Passwords
As unoriginal and obvious as it sounds, it's still true: Passwords should not be easy to guess - or crack. That means using a mix of capital and lowercase letters, numbers, and symbols (like @ for A, or ! for I or L). Better than trying to spell something recognizable is to use passwords that look like gibberish. And don't use the same password across all of your various accounts.
Having trouble coming up with a password? Let your Mac do it for you. A little-known tool called Password Assistant can generate a password for you. Access the Password Assistant in System Preferences' Security pane. Once there, click Set Master Password and then click the question mark icon next to the Master Password field. You can copy and paste (or write down) the password that's generated, and then cancel the operation.

Don't tax your own brain. Let OS X's Password Assistant come up with an inscrutable password for you.
Check Your Email Setup
Every time you check email, everything - including your address, mail server, and password - is sent over the network. A lot of people use the same password for everything. So if a snooper gets your email password, he could comb through your messages to figure out what services you use and try logging in to those accounts with the same login info.
If you're on an insecure network, such as a Wi-Fi hotspot, don't check your email if your email app doesn't encrypt passwords during authentication. Apple's Mail, for example, does not encrypt your password, but Mozilla's Thunderbird does - and so do most Web-based email services. In Thunderbird, go to Tools > Account Settings > Server Settings and select Use Secure Settings. Of course, this will only work if your ISP or email provider's POP or IMAP email services support this feature. (.Mac supports this security measure.)
Yahoo Mail now also offers what's called a "sign-in seal." The seal is a customized graphic or text block you create that will only show up when you log in. If you get a message that sends you to a purported Yahoo login page and the sign-in seal is missing, you know it's a phishing scam. Google's Gmail uses SSL (Secure Sockets Layer) encryption to shield your password by default, and users can also log in via a secure HTTPS page at https://mail.google.com.
Keep a Short Leash on the Keychain
The Keychain is unbelievably convenient. One password is all you need for a single point of entry. On the flip side, what if someone cracks that single, convenient password? Even worse, what if someone accesses your machine while the Keychain is unlocked?
Always lock your Keychain when you leave your machine unattended. Launch the Keychain Access utility (Applications/Utilities) and click the lock icon in the upper left, or turn on "Require passwords to wake this computer from sleep or screen saver" in System Preferences' Security pane.
Resist the temptation to add passwords to the Keychain at all. That way, your logins are protected by two layers of password protection.
Say Buh-Bye to Free Wi-Fi
Free Wi-Fi is a great way to attract customers to a coffee shop, but you could be inviting trouble by not securing your wireless home or office network. A freeloader piggybacking off your Wi-Fi network and hoarding bandwidth is merely a nuisance, but it's a huge problem if the visitor is there to steal passwords or distribute spam.
If you have an Apple AirPort base station or other Wi-Fi router, turn on password protection. Also opt for the WPA (Wi-Fi Protected Access) encryption in your router's security preferences. Another good idea is to change the router's SSID (Service Set Identifier) or device name to something other than the default, which is usually the device's brand name. Knowing the type of router could be an easy starting place for a Wi-Fi interloper. With Apple's AirPort Extreme Base Station, you can also keep the network's name hidden, so that users who log on are required to type in the network's name precisely, in addition to a password, to gain access. For more on Wi-Fi security, see "Wi-Fi Should I Care?".
Keep OS X Current
Back in January, a project called the Month of Apple Bugs (MOAB) grabbed a few headlines. The goal was to find vulnerabilities and flaws in the Mac OS and publicize them on the MOAB site (projects.info-pull.com/moab/). Not surprisingly, this project generated a lot of heated discussions. Some saw it as the ultimate gesture of customer advocacy, while others felt it was an irresponsible airing of OS X's dirty laundry. Regardless, the folks behind MOAB did come up with 31 bugs.
Apple has since fixed some of these bugs and continues to fix others. We're not suggesting that you blindly trust Apple, but if you're looking for bug fixes, your safest bet is to get them directly through the OS using the Software Update utility in the Apple menu.
Proactive Protection
In 2006, more than 223,000 new phishing sites appeared, according to the Anti-Phishing Working Group. Given each new scam's average lifespan of five days, it would take 24-hour surveillance to keep up on new threats. That's why Symantec developed Norton Confidential for Macintosh ($49.99). Confidential safeguards your Mac and your Internet activities by locking down sensitive system files and proactively guarding your information from identity thieves.
The last thing you want is to have someone else make things insecure. Lock up System Preferences, don't give users admin privileges, and consider utilities that prevent network users from risky activities.
Intego's comprehensive Internet Security Barrier X4 Antispam Edition ($89.95) includes firewall, antivirus, and antispam protection. Since Intel-based Macs can run Windows (via Apple's Boot Camp or Parallels Desktop for Mac), they become susceptible to an entire range of Windows threats. Virus Barrier x4 Dual Protection ($79.95) can protect both environments simultaneously.
Meanwhile, Open Door Networks' DoorStop X Security Suite 2.0 ($79) enhances OS X's built-in firewall by making it much easier for mere mortals to manage and interpret potential security threats. The suite combines the DoorStop X Firewall (available on its own for $49), the Who's There? Firewall Advisor ($39), and Internet Security for Your Macintosh ($10), a book in PDF format on Mac security that helps you make better use of the DoorStop software. The Firewall Advisor essentially translates the details of attempted security breaches and other network activity into plain English.
For ongoing Mac security news, check out SecureMac, a site dedicated to all things Mac security. Open Door Networks' blog is another up-to-the-minute source of Mac-centric security news and updates.

See what ports your apps are using in DoorStop X Firewall.
- - - - - - - - - - - - - - - - - - - -
STRESS-FREE SECURITY
Wi-Fi Should I Care?
We've all felt the thrill of discovering a Wi-Fi hotspot - watching those black bars in the top right of the screen zoom up to full power. While it's not a good idea to let others glom on to your own Wi-Fi network, temptation is hard to resist when it's the other way around. Beware: The transmissions between your Mac and the wireless router can be picked up by packet sniffers. Packet sniffers are used to monitor and troubleshoot network traffic. System administrators depend on them to keep things running smoothly. But someone intent on stealing information could use a legitimate app or a hacker-created utility to view and record unsecured Wi-Fi traffic.
So it's a good idea to protect the information you send while using a public Wi-Fi network by encrypting it. You can still shop or bank online, since most of those sites safeguard the transmission of your account and credit card info with SSL encryption (look for "https" in the URL, as well as the padlock icon in one corner of your browser window). However, SSL may not cover chat, email, files, or database transactions.
To truly safeguard your data when using a Wi-Fi connection, use VPN (Virtual Private Network) software to create a secure "tunnel" into an office or corporate network. Your Mac came with a built-in VPN client, but it doesn't support standard IPsec (IP security), which means it might not be compatible with your company's VPN gateway.
Equinux's VPN Tracker ($89.90) is a Mac VPN client that supports IPsec and is compatible with more than 300 gateway solutions, including those from Cisco, Sonicwall, and Juniper.
Finally, you can add another layer of protection by making sure that Mac OS X's built-in firewall - or a third-party firewall or Internet security suite - is turned on. In System Preferences' Sharing pane, click the Firewall tab, then click Start to turn it on. If you want to allow some activities, like iTunes Music Sharing, click the boxes in the list under "Allow." To tighten security even more, click Advanced and select Block UDP Traffic and Enable Stealth Mode. Just keep in mind that some applications use UDP (User Datagram Protocol), a networking protocol. So blocking UDP traffic could disable your ability to play online games or to use VoIP (voice over IP) services such as Skype.

OS X's built-in firewall can protect your Mac from incoming threats.
Lock Down Your Mac
Most Mac users know someone who's had a notebook stolen - or they've been victimized themselves. MacBooks and MacBook Pros are especially attractive because of their high resale value. So MacBook owners have to be extra vigilant about securing their notebooks.
First - and, yes, it's a shame we even have to mention this - you should never take your eyes off of your laptop. Improve your odds by sitting away from main entrances and exits. If you use your notebook in public places often, consider a physical security device like a cable or an alarm. Kensington's MicroSaver line includes notebook locks ($29.99 to $69.99) that are subtle enough so you won't look out of place when you wrap them around a table leg. The keyed and combination locks work with the built-in Kensington security slot on your MacBook or MacBook Pro. (Kensington makes locks for desktop machines too.)
If the unthinkable should happen, you'll appreciate having protected your 'Book with Orbicule's Undercover ($39). This theft-recovery system goes to great lengths to help you get your 'Book back. Not only will Orbicule help you track a stolen notebook, Undercover can snap pictures of the thief in action using your 'Book's built-in iSight camera. If your Mac notebook came with an Apple Remote, you might also try Orbicule's beta software TheftSensor (free). It works with the 'Book's motion sensor so that once you press Play on the remote, any time the notebook is moved, an alarm will sound. It's not exactly subtle, but it's a deterrent.

Keep thieves from helping themselves to the five-finger discount on a new MacBook (yours) with a Kensington MicroSaver lock.
Create Your Own Secure File Vault
Let's say you want to password-protect a folder or a bunch of disparate files on your Mac. Maybe it's because you want to save this collection of files on a shared resource like a file server or an external drive, but you don't want anyone, even your system administrator, to open it. The solution: Create an encrypted disk image to protect your valuable information.
A disk image has a .dmg file extension. When you double-click a disk image, it appears on your desktop as if it were an external drive. A mounted disk image behaves like an external drive. You can copy files to and from it. And when you're done, you just drag it to the trash and it unmounts like an external drive, yet leaves the DMG file intact. To create an encrypted disk image, we'll make a new image, give it a password, and save it. Here's how.
Step 1: Open Disk Utility (/Applications/Utilities). Select File > New > Blank Disk Image or just click the new-image icon. Enter a name for your disk image. Since you'll be using this to save sensitive information, we recommend not calling it "My Credit Card Numbers" or "All My Passwords."

In Disk Utility, a new file is a new volume.
Step 2: Choose a location for your disk image. You can save it anywhere on your Mac, or on an external hard drive or network volume. Pick a size that's going to be big enough to hold your files. The easiest route is to choose a preset for recordable media such as CD-R or DVD-R. This way you know it will fit if you want to burn a backup.

Choose a size for your vault that's big enough to hold the files you want to hide from prying eyes.
Step 3: Under format, choose Read/Write so you can add or delete files from the disk image. For Encryption, choose AES-128 (Recommended). Now click Create. You'll be prompted to create a password for your disk image. You can come up with your own, or let the Password Assistant help you by clicking the key icon. Uncheck the "Remember password (add to Keychain)" option.
Also: Don't forget or lose the password to your disk image, or you won't have any way to access its contents.

Click the key icon to call up the Password Assistant, which can generate an unlikely password to protect your file vault.
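The same vault can be built from Terminal with hdiutil, the command-line tool behind Disk Utility. This is an added example, not part of the original article; the function names, the HDIUTIL override variable, and the sample paths are assumptions, and it assumes an OS X release whose hdiutil accepts -encryption AES-128 and -stdinpass.

```shell
#!/bin/sh
# Added example, not from the article: Steps 1-3 done with hdiutil.
# Function names, the HDIUTIL override and sample values are hypothetical.
HDIUTIL=${HDIUTIL:-hdiutil}   # overridable so the checks can be exercised off-Mac

# make_vault IMAGE_PATH VOLUME_NAME SIZE   (SIZE like 650m or 4g)
make_vault() {
    image=$1 name=$2 size=$3
    # Step 1: a revealing name leaks what the vault holds even while locked.
    if printf '%s' "$name" | grep -Eiq 'password|credit|bank'; then
        echo "choose a less descriptive name than '$name'" >&2; return 2
    fi
    # Step 2: size must be a number plus a unit suffix hdiutil understands.
    if ! expr "$size" : '[0-9][0-9]*[bkmgt]$' >/dev/null; then
        echo "size must look like 650m or 4g" >&2; return 2
    fi
    # Never overwrite an existing image (no -ov flag is passed either).
    if [ -e "$image" ]; then
        echo "$image already exists" >&2; return 2
    fi
    # Step 3: blank read/write UDIF image, AES-128. -stdinpass makes hdiutil
    # read the passphrase from stdin (prompting when stdin is a terminal),
    # so it never appears in argv or in shell history.
    "$HDIUTIL" create -size "$size" -type UDIF -fs HFS+ -volname "$name" \
        -encryption AES-128 -stdinpass "$image"
}

# Succeeds only if hdiutil reports the image as encrypted.
# Assumes the "encrypted: YES" line that `hdiutil isencrypted` prints.
vault_is_encrypted() {
    "$HDIUTIL" isencrypted "$1" 2>&1 | grep -q '^encrypted: YES'
}

# Typical session on a Mac (commented out so sourcing this file is inert):
#   make_vault "$HOME/Documents/archive.dmg" Archive 650m
#   vault_is_encrypted "$HOME/Documents/archive.dmg" && echo "image is encrypted"
#   hdiutil attach "$HOME/Documents/archive.dmg"   # prompts for the password
#   hdiutil detach /Volumes/Archive
```

Checking the image with vault_is_encrypted before copying files in confirms the encryption setting actually took effect.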