Protect your Mac


10. Encrypt important files

If you have sensitive files on your Mac—especially a laptop Mac—consider protecting them with encryption. No one can read or copy your encrypted files—even if they hack into your Mac or remove your hard drive. (To ease the pain of a stolen laptop, see “When Your Laptop Goes Missing.”)

Protect a few files: If you have only a handful of files to protect, consider creating an encrypted disk image and adding those important files—your Quicken file, for example—to it. (See “Disk Utility’s Hidden Talents” for instructions.) Mount this disk image and enter your password when you need to work with the files. Eject the disk image when you’re done. That’s it.

Protect your entire user folder: If your user folder is full of confidential documents—say, all your clients’ tax records or the secret plans for your new invention—consider using OS X’s FileVault feature instead. After you activate FileVault, all you need to do is enter your login password to begin your work—then you can open files, work on them, and save changes without noticing a thing. Close a file, and it’s automatically encrypted again.

Open the Security preference pane and click on Set Master Password. In the sheet that appears, fill out the password fields and click on OK. Then click on Turn On FileVault. (It might take quite a while to encrypt your files.) Conveniently, FileVault’s master password also works as a kind of backup account password—you can use it to unlock your account or any other account on your Mac. But be careful: forget your master password, and your files will be completely inaccessible.— KM

11. Use a firewall

Do you connect to the Internet with an always-on connection? If so, one of the easiest things you can do to enhance your Mac’s security is to turn on Apple’s built-in software firewall. A firewall is a tool—either hardware or software—that prevents unauthorized access to a computer or a network.

Turning the firewall on is an absolute necessity if your Mac is plugged directly into your cable or DSL modem (as opposed to being connected via an AirPort or some other kind of router). If you plug your computer directly into your modem, it has a public Internet address that makes it potentially visible to everyone.

To fire up your firewall, open the Sharing preference pane. Click on the Firewall tab, click on Start, and then click on the Advanced button. In the sheet that appears, select the Enable Stealth Mode option. This makes your computer almost invisible on the Internet, so hackers will be less likely to attack. OS X’s built-in firewall will do the job for most people.— Jeffery Battersby

12. Protect your wireless network with WPA

If your wireless network doesn’t use encryption, it’s easy for ne’er-do-wells to intercept data passing through the air. To protect your passwords, e-mails, and so on, turn on encryption and make sure you’re using WPA (Wi-Fi Protected Access) or WPA2. An early form of wireless encryption, WEP (Wired Equivalent Privacy), used weak algorithms—the mathematical formulas that determine how data is concealed. (A team of FBI agents cracked a 128-bit WEP key in three minutes at an Information Systems Security Association meeting last year.)

To use WPA Personal (the home version), it’s best to have OS X 10.3.9 or higher. You also need an AirPort or AirPort Extreme card and an AirPort Extreme Base Station or an AirPort Express. (The original AirPort Base Station can’t be upgraded for WPA support.) Many other base stations, from companies including Linksys and Buffalo, support WPA, too.

Update your base station: First, confirm that your base station is up-to-date by launching AirPort Admin Utility (/Applications/Utilities) and selecting your base station. If the firmware version number is less than 5.7 (Extreme) or 6.3 (Express), visit Apple’s AirPort Support page, download the newest firmware for your device, and follow the instructions for upgrading.

Protect the Airwaves: To safeguard your wireless network you must turn on encryption. An early form of wireless encryption, Wired Equivalent Privacy (WEP), was easy to crack, so make sure to use WPA (Wi-Fi Protected Access) or WPA2 instead.

Lock it down: Next, in AirPort Admin Utility, select the AirPort tab. Click on the Change Wireless Security button; then select WPA Personal from the Wireless Security pop-up menu. In the Encryption Type pop-up menu, choose WPA Only or WPA And WPA2. (If you choose WPA And WPA2, Macs with original AirPort Cards might not be able to connect.)

Enter a password—preferably something that’s about 20 characters long and isn’t entirely composed of words found in a dictionary. Enter the password again to verify your typing and click on OK. Click on Update to apply the settings; the base station will reboot.— Glenn Fleishman

13. Encrypt your wireless hotspot sessions

Millions of people use public Wi-Fi hotspots, which typically lack any useful protection for data. Unless the hotspot network uses a corporate form of Wi-Fi encryption—like the one offered optionally by T-Mobile HotSpots—a person using packet-sniffing software could grab your passwords, e-mail messages, or info as it flies through the air.

Protect e-mail: Most Mac e-mail programs include support for SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption, which hides data as it travels between your browser and your ISP’s servers. (To turn SSL/TLS encryption on in Mail, go to Mail: Preferences, click on Accounts, select the account you want to protect, go to the Advanced tab, and enable the Use SSL option.)

But you also need an Internet service provider or a mail host that offers this type of secure connection—such as .Mac ($100 per year) or FastMail.fm ($20 per year). If you don’t want to slog through configuration details, PGP’s $99 PGP Desktop Home 9 offers a unique option. It does the work for you: intercepting your mail connections, determining whether your ISP handles secure e-mail, and setting up the correct connection.

Protect FTP sessions: If you need to copy files back to an office server while you’re on the road, consider encrypting your FTP sessions using Secure FTP (SFTP). Many service providers now offer SFTP, and most Mac FTP programs include SFTP support.

Protect your surfing: Banks and commerce sites already use SSL to protect your financial information when you access their Web sites. But thieves can try to get around this when you’re at a hotspot, by simulating the real hotspot with their laptop (creating an “evil twin”) or misleading your computer into passing data to the wrong site (Address Resolution Protocol [ARP] “poisoning”).

Enter your user name and password only on pages that are protected by SSL and have the exact domain name you recognize. A few sites let you enter your login details on an unprotected page and then redirect you to a secure site. That’s a ticket to disaster if a hotspot villain is nearby.
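The check described above can be automated for a saved copy of a sign-in page. This is an added example, not part of the original article; the host names, the sample form, and the names FormScanner and login_page_problems are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a sign-in form as it might appear on a bank's page.
SAMPLE_FORM = """
<form action="https://secure.bank.example/login" method="post">
  <input type="text" name="user"> <input type="password" name="pass">
</form>
"""

class FormScanner(HTMLParser):
    """Record the action URL of every <form> that holds a password field."""
    def __init__(self):
        super().__init__()
        self._action = None          # action of the form currently open
        self.password_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
        elif (tag == "input" and self._action is not None
              and (attrs.get("type") or "").lower() == "password"):
            self.password_actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def login_page_problems(page_url, html, expected_host):
    """List reasons not to type a password into the page at page_url."""
    problems = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        problems.append("page is not served over SSL/TLS")
    if (page.hostname or "").lower() != expected_host.lower():
        problems.append("host is not exactly " + expected_host)
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    for action in scanner.password_actions:
        # Relative actions inherit the page's own scheme and host.
        if urlsplit(urljoin(page_url, action)).scheme != "https":
            problems.append("password form submits without SSL/TLS")
    return problems

if __name__ == "__main__":
    # The case the article warns about: plain-HTTP page, secure form target.
    print(login_page_problems("http://www.bank.example/", SAMPLE_FORM, "www.bank.example"))
```

The plain-HTTP page is flagged even though its form posts to a secure address, because anyone who can alter the unprotected page in transit can also change where the form sends the password.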

You can bypass evil twins and ARP poisoners while also enjoying encrypted browsing of all pages by using a secure proxy, which is typically layered on top of an anonymizer. Anonymizers are designed to keep your surfing habits private; a secure proxy keeps the content of your surfing private, too. A secure proxy requires that you configure your computer to send its Web requests over a secure connection to a remote server. The server acts as an intermediary as you visit Web sites.

Only Secure-Tunnel seems to support OS X, in its case via Safari and other browsers’ proxy settings. The service’s simplest option—the $35-per-year Silver package—is Web based and allows anonymous, encrypted surfing.

Protect everything: If you do a lot of work on-the-go, consider securing all your wireless hotspot activity at once by using a Virtual Private Network (VPN) connection. VPN software captures all the data flowing out of your programs and then puts that data into a secure tunnel that extends from the virtual network, through the local network, out to the Internet. Check out HotSpotVPN (starting at $9 per month), personalVPN, and PublicVPN ($60 per year).— GF

14. Don’t click on links in unsolicited e-mail messages

While spam may be the scourge of the Internet, phishing is its biggest scam. You undoubtedly receive e-mails—purportedly from banks, eBay, PayPal, Amazon.com, and others—asking you to confirm your account or re-enter your credit card information. Don’t click on those links.

Legitimate banks and online vendors will never send you an e-mail asking you to confirm account information in this manner. Instead, these links take you to counterfeit Web sites that look exactly like legitimate sites but send your account information or credit card numbers to organized crime groups or petty scammers.

When in doubt, check the supposed senders’ Web sites: most of them track bogus messages like these. You can also check the e-mail message’s link itself to see whether it leads where it says it does. If you’re running OS X 10.4, hover over the link and the true URL will appear.— KM

15. Protect sensitive e-mail from prying eyes

It’s relatively easy to sniff—or capture—Internet data, since it goes over many unprotected servers. And anyone listening in on the telephone line running out of your home, office, or ISP can intercept your files. You probably couldn’t care less if the data you’re sending consists mainly of photos of your cat, but you have reason to be concerned if you’re sending top-secret information, or if you work with private health, financial, or legal records.

There are a few ways to send files via e-mail or the Internet in total security. You can purchase an encryption program such as PGP’s versatile PGP Desktop Home to use with your e-mail client. You can use a Web-based encrypted e-mail service. (Most charge a modest monthly or yearly fee; see a complete list.) If your recipients use Macs, you can also just send files as an encrypted disk image. Don’t send the password with the disk image: give it to the recipient by telephone, fax, or iChat.— KM

16. Practice private surfing

Search-engine records, cookies, Web bugs, and a host of other elements all make it possible for Webmasters, your boss, or marketers to see what you’ve been perusing. Some Web sites require registration so they can follow your every click; others simply use cookies to track your page views. It helps to delete your browser’s cache history on your end. (Programs such as Allume Systems’ $30 Internet Cleanup 3 remove that and more automatically.) But server records remain.

You don’t have to be avoiding the paparazzi or the law to want some privacy online. People feel strongly about keeping many legitimate activities to themselves. Google’s recent battle with the U.S. Department of Justice highlighted the potential for search engines’ online databases to become surveillance tools in the United States. The government subpoenaed data including Google users’ search queries, leading privacy advocates to fear further demands for IP addresses leading back to individual users.

Idle Chatter: When you send iChat messages in the clear, anyone on the same network, wired or wireless, can use a tool as simple as Stairways Software’s Interarchy to eavesdrop…

If all that leaves you leery, consider using a secure proxy or a simpler anonymizer when you want to surf privately. Many Web sites act as anonymizers, some for a subscription fee (see a list at macworld.com/1285). To elude registration on Web sites, check out BugMeNot, which stores a database of shared user names and passwords that you can use instead of creating your own.— KM

17. Keep your chats to yourself

Apple’s iChat is a quick, easy way to correspond with other people. But be aware that if you use a hotspot or a campus Ethernet network, others on the network might be able to tap your talk.

Apple added a Secure iChat feature to the .Mac service in October 2005. To use Secure iChat, you and the person you want to chat with must both have at least OS X 10.4.3 (which includes iChat AV 3.1) and a .Mac membership. Secure iChat works only for one-on-one text chats. If you meet all those criteria, select iChat: Preferences, choose your .Mac chat account, and click on the Security tab. If you see the message “iChat encryption is enabled” at the bottom of the window, you’re set. If you see “iChat can enable encryption,” click on the Encrypt button.

… But if you use .Mac-based encryption, hackers will be able to read only your chat partner’s IM handle.

People without .Mac accounts have other options. For $40, you can get the starter bundle of two licenses for Intego’s ChatBarrier X 3—enough for you and a companion to chat securely. You may already be considering PGP Desktop Home 9 for its many encryption skills; it can also secure chats between two users who both have the software installed.— GF

18. Back up your files

Whether your Mac catches a virus, your network gets hacked, or you lose your files or your laptop, only regular backups will ensure that you don’t lose anything important. Check out Back Up to Stay Ahead for general guidelines. And read our latest reviews of backup software, including CMS Products’ $79 BounceBack Pro and EMC Insignia’s $129 Retrospect 6.— KM

[ Mark H. Anbinder is a senior technical consultant at Cornell University and a contributing editor of TidBits. Jeffery Battersby is a network analyst at the law firm of Finkelstein & Partners in Newburgh, New York. Glenn Fleishman writes daily about Wi-Fi at Wi-Fi Networking News. Kirk McElhearn is a coauthor of Mastering Mac OS X, Tiger Edition (Sybex, 2005); visit his blog Kirkville. ]
