Security Tips


1. Gatekeeper

Gatekeeper’s control resides under Preferences/Security & Privacy, and its main function is to let the user control which apps can be run without further escalation or attention. For example, it is set by default to ‘Mac App Store and identified developers’, so if you download an application that doesn’t meet this criterion you will not be able to run it immediately or, more to the point, accidentally.

You can either change the preference to ‘Anywhere’ (not recommended) or simply right-click (or Control-click) the app, instead of the normal double-click, to open it.

2. Software Updates

Updates often get overlooked as a security measure; however, fundamentally you want to keep your Mac updated with the latest and greatest updates. Most often users don’t update their Macs because the update has stopped one of their applications from working, or because they feel they are too busy to update. Don’t be that user. Instead, inquire with the software developer’s support system to find out what they are doing about their incompatible product – many become aware of this issue through their internal testing and generally try to push out a patch or updated version quickly. If they lag, see if you can find an alternate product until they update. It’s always good to have another good product on standby.

3. FileVault 2

Laptop and even desktop encryption should be automatic nowadays. Losing a few thousand dollars of hardware is much better than losing all your data to someone, only to find it later pasted all over the Internet or, worse, sold on the black market. Use whole disk encryption any chance you get. The rewards far outweigh the risks.

4. Privacy Controls

Privacy is important and shouldn’t be taken for granted. Make sure you keep track of who is keeping track of you by tuning your privacy controls accordingly.

5. Firewall

The firewall interface under Preferences/Security & Privacy is very basic. There are a few third-party interfaces available; however, keeping things simple is a good practice. Be sure to tune the firewall to your needs, whether at home, at work or while traveling. You may think you have nothing to hide, however you have plenty to steal.

6. Password Assistant

Face it, for most people creating a good password is hard. It involves a lot of thinking, not only to come up with one that you don’t already use, but then remembering it without having to write it down is a task in itself. This is where Keychain Access is your friend; use it. Inside Keychain Access is a handy tool named Password Assistant. You can use it to quickly come up with a password, and you can save that password in your keychain to use on various logins.

7. Anti-phishing

For those that use Safari (6.0.2) over Chrome or Firefox, you may have to make a firewall adjustment; otherwise Safari may not be able to communicate correctly to receive updates from the Google Safe Browsing Service, leaving your browser out of date and more vulnerable.

8. iCloud Mac locator and remote wipe

For those that use iCloud, your Mac can be given functionality similar to that of your iDevices for communicating with it if it gets lost or stolen, once it is reconnected to a network. It certainly is better than nothing; however, you have less to worry about if you use FileVault 2 to encrypt your Mac.

9. Secure Empty Trash

Another feature that Mac users may often forget to use, especially on USB keys, is the Secure Empty Trash feature. By default, files are simply marked for deletion and not really deleted, making file recovery simple for an attacker. With Secure Empty Trash, files become much more difficult to recover.

10. Control Access

Make sure you are the only person accessing your account by requiring a password immediately after sleep or screen saver begins. Enable a hot corner to activate the screensaver and get used to hitting that hot corner before leaving your Mac. Get used to doing this at home and it will come naturally everywhere else.
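The state behind tips 1, 3, 5 and 10 can also be read from Terminal. The script below is an added example, not part of the original article; the `com.apple.alf globalstate` and `com.apple.screensaver` preference keys it reads are assumptions about Mountain Lion-era systems and may differ on other releases.

```shell
#!/bin/bash
# Added example: grade the output of macOS status commands for tips 1, 3, 5, 10.
# Each check_* function takes command output as its argument, so the logic
# can be exercised with constructed sample text on any system.

check_gatekeeper() {            # $1: output of `spctl --status`
  case "$1" in
    *"assessments enabled"*)  echo PASS ;;
    *"assessments disabled"*) echo FAIL ;;
    *)                        echo UNKNOWN ;;
  esac
}

check_filevault() {             # $1: output of `fdesetup status`
  case "$1" in
    *"FileVault is On"*)  echo PASS ;;
    *"FileVault is Off"*) echo FAIL ;;
    *)                    echo UNKNOWN ;;
  esac
}

check_firewall() {              # $1: com.apple.alf globalstate (assumed key)
  case "$1" in
    1|2) echo PASS ;;           # 1 = on, 2 = block all incoming connections
    0)   echo FAIL ;;
    *)   echo UNKNOWN ;;
  esac
}

check_screenlock() {            # $1: askForPassword, $2: askForPasswordDelay
  case "$1:$2" in
    1:0|1:0.0) echo PASS ;;     # password required immediately
    1:*)       echo WARN ;;     # required, but delay is non-zero or unset
    0:*)       echo FAIL ;;
    *)         echo UNKNOWN ;;  # key missing or command unavailable
  esac
}

audit() {                       # run the real commands (macOS only)
  local sd=com.apple.screensaver
  echo "Gatekeeper:  $(check_gatekeeper "$(spctl --status 2>&1)")"
  echo "FileVault 2: $(check_filevault "$(fdesetup status 2>&1)")"
  echo "Firewall:    $(check_firewall "$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)")"
  echo "Screen lock: $(check_screenlock "$(defaults read $sd askForPassword 2>/dev/null)" \
                                        "$(defaults read $sd askForPasswordDelay 2>/dev/null)")"
}

if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```

An UNKNOWN result means the command or preference key was not found on that system, not that the setting is off.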

In conclusion…

Mountain Lion comes with a plethora of integral security features not really meant for the user to control, such as file screening, sandboxing and runtime memory protection. Without an interface to monitor or view them, users don’t think about them and just trust them. However, as you could see in the Anti-Phishing example above, with Safari unable to update for the last 82 days, it becomes curious as to what else may not be working as designed. 😉

Online Resources Mentioned Herein:

http://www.apple.com/osx/what-is/security.html
http://support.apple.com/kb/HT5501
http://www.apple.com/support/security/guides/
http://www.apple.com/support/icloud/find-my-device/

Basic Mac OS X Security!

Tip #1: The Administrator is Not for Daily Use

Contrary to what Apple does with the setup program, the administrator account is not viable for daily use. There are too many things this account can do that you don’t want a script to be able to do, such as cleaning out /Applications or various folders within /Library.

Instead:

  • Go make another account in System Preferences
  • Make it an administrator
  • Log in with the new account and remove administrator rights from your original account
  • Log back in with the original account

Now when you’re prompted to enter a password to do something creative, use the admin account name. This has the added benefit that people that walk up to your computer can’t do bad things to the system, either (just your account, so keep reading).

Tip #2: System Preferences is Not for Daily Use

You can do some crazy stuff in System Preferences. Happily, Apple realized this and added some settings to protect the system from random idiots (driver or passengers). You’ll want to use these to lock System Preferences out to roaming users that happen to get a hold of your computer. Open System Preferences and go to the Security pane. Review the following as you make the changes.

  • Require password to wake this computer from sleep or screen saver: This does exactly what it says. If you put the computer to sleep or have a screen saver set up, then you’ll be asked for your user account information to unlock the computer. Use this, especially on portables. Of course, a restart will make this go away, so …
  • Disable automatic login: This completely disables automatic login. Your system will start up to a login panel with a list of names. This is the most secure option because it doesn’t make the computer usable from a cold boot. If you know the system will log you in as a user with a restart, any security measure meant to prevent someone from having user-level access can be defeated with a reboot. Turn this on to prevent that.
  • Require password to unlock each secure system preference: Notice how a lot of preferences have that lock at the bottom (like Network, Security, and Accounts)? Turning this on locks all of those by default, requiring an admin password (even for the admin user) to unlock. If you don’t do this, anyone can come right back to this preference pane and turn all of these settings off. Check it.
  • Log out after __ minutes of inactivity: More annoying than useful to me, but if you tend to walk away from your computer and don’t mind losing your place in your work, turn this on. Locking the screensaver works well for me, instead.
  • Use secure virtual memory: Turn this on. If this is off, then any time you enter a password it’s possible the system will write that password out in a block of memory it has dumped to a file in /var/vm, which makes the password recoverable. Using secure VM means those files are encrypted and it’s near-impossible to discover a user’s password from the swap files.

Tip #3: Turn off Services You Do Not Use

Go to System Preferences, then Sharing. Uncheck everything you’re not using, even if you think you will. Turn it on when you need it and turn it off when you’re done.




Tip #4: Outbound Calls Only, Please (Firewall)

Some look at Apple’s firewall as useless because it automatically pinholes running services and doesn’t allow some users in while locking some users out or whatnot. It’s not a commercial-level firewall (GUI) but it does do something very well: it prevents ports opened by rootkits or trojans from being accessible. Turn on the firewall and unauthorized listeners will be blocked.

It also makes our SSH hack above useless by blocking 2200 by default. Click on New, pick Other from the menu, add 2200 as an option, and check it along with any other services you want to offer.

Tip #5: Freeze the Credit Card (Keychain)

The Keychain is the most dangerous moment of brilliance I’ve ever seen. On one side, it knows your passwords to everything and lets you get away with being human while still being secure. On the other, it lets you get away with being human while being insecure. If you walk away, I can connect to just about any password-protected service you have access to and the computer will fill in the password for me.

Yet, it has controls (again, turned off by default) that let you get around this. In Keychain Access, go to Edit and then to Change Settings for Keychain. You can do two things here: set an idle timeout, or tell it to lock on sleep. I prefer just locking on sleep, myself, because I rather depend on the screensaver to do the idle locking for my systems. Sleep, however, especially for portable users, means that the person waking the computer may or may not be the owner, and that’s prime time to start asking for passwords. Until a password is entered you won’t be on IM, or checking mail, or whatever else. Programs that use passwords will be locked from getting new data.

If your keychain password is different from your account password then you have an even greater level of security as the screensaver password won’t work for the keychain, and vice-versa.

Tip #6: Make a Good Password

The best password I’ve ever seen was someone that memorized a Windows license key and moved the sections around. Almost pure randomness, but ordered enough to remember. There are easier ways, and things you already know. For instance, do you know your car’s license plate? Know the plates of previous cars? Combine them in a memorable fashion, such as breaking them in half and merging two plates together.

Another popular method is to take two longish words and misspell them. That would result in something like “twinkel%unihorn” or “rut]row” or the like. Easy to remember, and hard to guess.

If that’s too simple for you, Keychain Access has a tool that helps make passwords, but since there’s no emotional investment in them they can be hard to remember (though there is a phonetic method that makes near-English words as passwords). To get there, pick New Password Item from the File menu and click on the lock icon (just one way; there are other ways to get to the assistant).