Protect your Mac

More Stories in this Series

Protect your Mac

We’ve said it before and we’ll say it again: Your Mac is the safest personal computer on the market. Even though we’ve had a couple of scares this year, there are still almost no Mac viruses. According to research done by Sophos (a maker of antivirus software), at press time there were only four known OS X viruses, compared with roughly 80,000 on Windows.

But let’s face it—we live in a dangerous world, and not all of those dangers (especially those to your privacy) are platform-specific. Here’s how to keep your personal information out of the wrong hands—and keep your Mac out of trouble.

Seriously consider using antivirus software

Is antivirus software worth the money and hassle? You might decide to take your chances and bet that malware authors will never target the Mac, but seriously consider installing and running antivirus software, especially if you engage in “risky” activities—browsing a variety of Web sites, exchanging files with other people via email or servers, or downloading third-party software.

Choose the tool your company or college provides, or find an antivirus program on your own. (Skeptics should note that there’s a free, open-source option— ClamXav 1.0.3.) Just make sure to install the software, scan regularly, and update religiously. Outdated antivirus software is almost as bad as none at all.—Mark H. Anbinder

Always install Apple’s security updates

Half of the computer-security battle is staying up-to-date. Apple and makers of security programs do a good job of keeping their software updated to handle new problems, but if you don’t download and install updates, they won’t do you any good.

Mac OS X Security Updates include fixes not only for OS X but also for the various tools Apple provides with each Mac. For example, the first Security Update of 2006 fixed security flaws in the PHP scripting feature of the built-in Apache Web-server software that comes with every Mac. Before this patch, PHP (once activated) could have been used to run software on your Mac covertly.

Make sure your Mac’s Software Update preference pane is set so that your Mac checks regularly for new software. Checking weekly should be sufficient for most people. But if you often visit unknown Web sites or use personal file sharing or Web sharing, you should check daily.—Mark H. Anbinder

Open files only from known sources

A Trojan horse claims to be one thing—risqué photos of a celebrity, for instance—but is in fact a program with hidden plans for your computer. Double-click on it out of curiosity, and it leaps into action—with destructive, or at least annoying, results. This year brought the first OS X Trojan horse— Leap-A, also known as Oompa Loompa, which posed as photos of Apple’s upcoming OS release, Leopard (OS X 10.5).

The easiest way to minimize your risk is to do what Windows users have done for years—regard unknown files with skepticism, especially unexpected email attachments and odd files arriving via an instant-messaging program. If you’re not sure what a file is, and if it arrived without warning, ask the sender whether it’s legit. Also, get in the habit of downloading software only from known sources. If you’re worried that you might already have hidden malware on your computer, see “Intruder Alert!” for ways to check.—Mark H. Anbinder

Watch for macro viruses in your Office documents

Office macros are scripts that let you simplify or automate repetitive actions, but miscreants can also use them to spread misdeeds between computers and across platforms. A document from a Windows-using friend, for instance, could include a macro that turns all your Microsoft Word documents into locked templates.

Good Macro, Bad Macro  Microsoft Word warns you whenever you open a document that contains macros. Note that not all macros are bad; before you enable the macros, just ask the person who sent you the file whether it’s supposed to contain them.

Word and Excel now warn you, by default, when you try to open a document that contains macros. When you open a new document that contains embedded macros, whether it’s from a trusted source or not, check with the person who sent you the file to make sure the macros are OK.—Mark H. Anbinder

Use a standard account for everyday work

When you install OS X or set up a new Mac, the first user account you create is an administrator account. This account has great power to alter your system. OS X requires that you enter your password to make most, but not all, changes to the system. The exceptions are what tricky malware creators can exploit.

If you are logged in to the administrator account, the recent Leap-A Trojan horse, for example, could install itself in the System folder, affecting all your Mac’s users and possibly infecting many applications. If you’re logged in to a standard account, Leap-A could affect only that account and applications that you have installed by dragging them into the Applications folder.

So create a standard user account in the Accounts preference pane (don’t enable the Allow User To Administer This Computer option), and use it for your day-to-day work. You’ll have to enter your administrator user name and password from time to time—when installing software, for instance—but you’ll have a safety net.—Kirk McElhearn

Turn off automatic login

When you use OS X’s Automatic Login feature, there’s no need to select your user name and enter your password in the Login window when you start up your Mac. That’s convenient at home, but if you work with a laptop or a publicly accessible computer in an office, it can expose all your personal documents to anyone who presses the power button.

To turn off this feature, go to the Accounts preference pane and click on Login Options. (If the button is dimmed, first click on the lock icon and enter your administrator password.) Deselect the Automatically Log In As User Name option.—Kirk McElhearn

Lock your screen when you step away

If you require a password at login, your Mac is protected when you log out or turn it off, but what about when you just step away? When you go to lunch, anyone can come by your desk, press a key to wake your computer, and access your files. Prevent this by requiring a password when anyone turns off the screen saver or wakes your Mac. In the Security preference pane, select Require Password To Wake This Computer From Sleep Or Screen Saver. Click here to find out about more ways to lock your screen.—Kirk McElhearn

Give your Keychain its own password

OS X includes a nifty utility that stores all your passwords for applications, servers, and Web sites. Your Keychain is your central repository for passwords; it unlocks as soon as you log in to your Mac. Unfortunately, this means that anyone who can access your Mac will be able to open your password-protected items. If you use Safari’s AutoFill feature, that could include your bank account, your Amazon account, your .Mac account, and more.

What’s the Password?  Your Keychain stores all your passwords and, by default, unlocks when you log in to your Mac. Beef up its protection by giving it a password of its own, and use Password Assistant to make sure you pick a good one.

Solve this by giving the Keychain a password that’s different from your user-account password. Open Keychain Access (/Applications/Utilities) and select Edit: Change Password For Keychain “ User Name ”. (In some cases, you might see the word Login instead of your user name.) In the Current Password text field, type your login password. Type a new password in the New Password field and again in the Verify field. Click on the key icon next to the New Password field to bring up the Password Assistant window. Here you can test how secure your password is and get ideas for better ones. In the Type menu, choose Memorable, Letters And Numbers, Numbers Only, Random, or FIPS-181 Compliant to get suggestions.—Kirk McElhearn

Lock the Keychain when it’s not in use

Once your Keychain is unlocked, it usually stays that way until you log out or shut down your Mac. For more protection, set the Keychain to lock when it’s inactive. Open Keychain Access and select Edit: Change Settings For Keychain “ User Name ”. (In some cases, you might see the word Login instead of your user name.) In the Keychain Settings window, select the Lock After Number Minutes Of Inactivity option, and choose a number of minutes. Also choose the Lock When Sleeping option.

If you prefer manual control, select Keychain Access: Preferences, and choose the Show Status In Menu Bar option. A small lock icon will appear in your Mac’s menu bar. This icon shows you whether your Keychain is locked. You can also lock and unlock it from this menu.—Kirk McElhearn

Encrypt important files

If you have sensitive files on your Mac— especially a laptop Mac—consider protecting them with encryption. No one can read or copy your encrypted files—even if they hack into your Mac or remove your hard drive. (To ease the pain of a stolen laptop, see “When Your Laptop Goes Missing.”)

Protect a few files If you have only a handful of files to protect, consider creating an encrypted disk image and adding those important files—your Quicken file, for example—to it. (See “Disk Utility’s Hidden Talents” for instructions.) Mount this disk image and enter your password when you need to work with the files. Eject the disk image when you’re done. That’s it.

Protect your entire user folder If your user folder is full of confidential documents—say, all your clients’ tax records or the secret plans for your new invention—consider using OS X’s FileVault feature instead. After you activate FileVault, all you need to do is enter your login password to begin your work—then you can open files, work on them, and save changes without noticing a thing. Close a file, and it’s automatically encrypted again.

Open the Security preference pane and click on Set Master Password. In the sheet that appears, fill out the password fields and click on OK. Then click on Turn On FileVault. (It might take quite a while to encrypt your files.) Conveniently, FileVault’s master password also works as a kind of backup account password—you can use it to unlock your account or any other account on your Mac. But be careful: forget your master password, and your files will be completely inaccessible.—Kirk McElhearn

Use a firewall

Do you connect to the Internet with an always-on connection? If so, one of the easiest things you can do to enhance your Mac’s security is to turn on Apple’s built-in software firewall. A firewall is a tool—either hardware or software—that prevents unauthorized access to a computer or a network.

Turning the firewall on is an absolute necessity if your Mac is plugged directly into your cable or DSL modem (as opposed to being connected via an AirPort or some other kind of router). If you plug your computer directly into your modem, it has a public Internet address that makes it potentially visible to everyone.

To fire up your firewall, open the Sharing preference pane. Click on the Firewall tab, click on Start, and then click on the Advanced button. In the sheet that appears, select the Enable Stealth Mode option. This makes your computer almost invisible on the Internet, so hackers will be less likely to attack. OS X’s built-in firewall will do the job for most people.—Jeffery Battersby

Protect your wireless network with WPA

If your wireless network doesn’t use encryption, it’s easy for ne’er-do-wells to intercept data passing through the air. To protect your passwords, emails, and so on, turn on encryption and make sure you’re using WPA (Wi-Fi Protected Access) or WPA2. An early form of wireless encryption, WEP (Wired Equivalent Privacy), used weak algorithms —the mathematical formulas that determine how data is concealed. (A team of FBI agents cracked a 128-bit WEP key in three minutes at an Information Systems Security Association meeting last year.)

To use WPA Personal (the home version), it’s best to have OS X 10.3.9 or higher. You also need an AirPort or AirPort Extreme card and an AirPort Extreme Base Station or an AirPort Express. (The original AirPort Base Station can’t be upgraded for WPA support.) Many other base stations, from companies including Linksys and Buffalo, support WPA, too.

Update your base station First, confirm that your base station is up-to-date, by launching AirPort Admin Utility (/Application/Utilities) and selecting your base station. If the firmware version number is less than 5.7 (Extreme) or 6.3 (Express), visit Apple’s AirPort Support page, download the newest firmware for your device, and follow the instructions for upgrading.

Protect the Airwaves  To safeguard your wireless network you must turn on encryption. An early form of wireless encryption, Wired Equivalent Privacy (WEP), was easy to crack, so make sure to use WPA (Wi-Fi Protected Access) or WPA2 instead.

Lock it down Next, in AirPort Admin Utility, select the AirPort tab. Click on the Change Wireless Security button; then select WPA Personal from the Wireless Security pop-up menu. In the Encryption Type pop-up menu, choose WPA Only or WPA And WPA2. (If you choose WPA And WPA2, Macs with original AirPort Cards might not be able to connect.)

Enter a password—preferably something that’s about 20 characters long and isn’t entirely composed of words found in a dictionary. Enter the password again to verify your typing and click on OK. Click on Update to apply the settings; the base station will reboot.—Glenn Fleishman

Encrypt your wireless hotspot sessions

Millions of people use public Wi-Fi hotspots, which typically lack any useful protection for data. Unless the hotspot network uses a corporate form of Wi-Fi encryption—like the one offered optionally by T-Mobile HotSpots —a person using packet-sniffing software could grab your passwords, email messages, or info as it flies through the air.

Protect email Most Mac email programs include support for SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption, which hides data as it travels between your browser and your ISP’s servers. (To turn SSL/TLS encryption on in Mail, go to Mail: Preferences, click on Accounts, select the account you want to protect, go to the Advanced tab, and enable the Use SSL option.)

But you also need an Internet service provider or a mail host that offers this type of secure connection—such as .Mac ($100 per year) or ($20 per year). If you don’t want to slog through configuration details, PGP’s $99 PGP Desktop Home 9 (   ) offers a unique option. It does the work for you: intercepting your mail connections, determining whether your ISP handles secure email, and setting up the correct connection.

Protect FTP sessions If you need to copy files back to an office server while you’re on the road, consider encrypting your FTP sessions using Secure FTP (SFTP). Many service providers now offer SFTP, and most Mac FTP programs include SFTP support.

Protect your surfing Banks and commerce sites already use SSL to protect your financial information when you access their Web sites. But thieves can try to get around this when you’re at a hotspot, by simulating the real hotspot with their laptop (creating an “evil twin”) or misleading your computer into passing data to the wrong site (Address Resolution Protocol [ARP] “poisoning”).

Enter your user name and password only on pages that are protected by SSL and have the exact domain name you recognize. A few sites let you enter your login details on an unprotected page and then redirect you to a secure site. That’s a ticket to disaster if a hotspot villain is nearby.

You can bypass evil twins and ARP poisoners while also enjoying encrypted browsing of all pages by using a secure proxy, which is typically layered on top of an anonymizer. Anonymizers are designed to keep your surfing habits private; a secure proxy keeps the content of your surfing private, too. A secure proxy requires that you configure your computer to send its Web requests over a secure connection to a remote server. The server acts as an intermediary as you visit Web sites.

Only Secure-Tunnel seems to support OS X, in its case via Safari and other browsers’ proxy settings. The service’s simplest option—the $35-per-year Silver package—is Web based and allows anonymous, encrypted surfing.

Protect everything If you do a lot of work on-the-go, consider securing all your wireless hotspot activity at once by using a Virtual Private Network (VPN) connection. VPN software captures all the data flowing out of your programs and then puts that data into a secure tunnel that extends from the virtual network, through the local network, out to the Internet. Check out HotSpotVPN (starting at $9 per month), personalVPN ), and PublicVPN ($60 per year).—Glenn Fleishman

Don’t click on links in unsolicited email messages

While spam may be the scourge of the Internet, phishing is its biggest scam. You undoubtedly receive emails—purportedly from banks, eBay, PayPal,, and others—asking you to confirm your account or re-enter your credit card information. Don’t click on those links.

Legitimate banks and online vendors will never send you an email asking you to confirm account information in this manner. Instead, these links take you to counterfeit Web sites that look exactly like legitimate sites but send your account information or credit card numbers to organized crime groups or petty scammers.

When in doubt, check the supposed senders’ websites: most of them track bogus messages like these. You can also check the email message’s link itself to see whether it leads where it says it does. If you’re running OS X 10.4, hover over the link and the true URL will appear. ( Click here for more tips.)—Kirk McElhearn

Protect sensitive email from prying eyes

It’s relatively easy to sniff —or capture—Internet data, since it goes over many unprotected servers. And anyone listening in on the telephone line running out of your home, office, or ISP can intercept your files. You probably couldn’t care less if the data you’re sending consists mainly of photos of your cat, but you have reason to be concerned if you’re sending top-secret information, or if you work with private health, financial, or legal records.

There are a few ways to send files via email or the Internet in total security. You can purchase an encryption program such as PGP’s versatile PGP Desktop Home to use with your email client. You can use a Web-based encrypted email service. (Most charge a modest monthly or yearly fee; see a complete list.) If your recipients use Macs, you can also just send files as an encrypted disk image. Don’t send the password with the disk image: give it to the recipient by telephone, fax, or iChat.—Kirk McElhearn

Practice private surfing

Search-engine records, cookies, Web bugs, and a host of other elements all make it possible for Webmasters, your boss, or marketers to see what you’ve been perusing. Some Web sites require registration so they can follow your every click; others simply use cookies to track your page views. It helps to delete your browser’s cache history on your end. (Programs such as Allume Systems’ $30 Internet Cleanup 3 remove that and more automatically.) But server records remain.

You don’t have to be avoiding the paparazzi or the law to want some privacy online. People feel strongly about keeping many legitimate activities to themselves. Google’s recent battle with the U.S. Department of Justice highlighted the potential for search engines’ online databases to become surveillance tools in the United States. The government subpoenaed data including Google users’ search queries, leading privacy advocates to fear further demands for IP addresses leading back to individual users.

Idle Chatter When you send iChat messages in the clear, anyone on the same network, wired or wireless, can use a tool as simple as Stairways Software’s Interarchy to eavesdrop…

If all that leaves you leery, consider using a secure proxy or a simpler anonymizer when you want to surf privately. Many websites act as anonymizers, some for a subscription fee (see a list at To elude registration on Web sites, check out BugMeNot, which stores a database of shared user names and passwords that you can use instead of creating your own.—Kirk McElhearn

Keep your chats to yourself

Apple’s iChat is a quick, easy way to correspond with other people. But be aware that if you use a hotspot or a campus ethernet network, others on the network might be able to tap your talk.

Apple added a Secure iChat feature to the .Mac service in October 2005. To use Secure iChat, you and the person you want to chat with must both have at least OS X 10.4.3 (which includes iChat AV 3.1) and a .Mac membership. Secure iChat works only for one-on-one text chats. If you meet all those criteria, select iChat: Preferences, choose your .Mac chat account, and click on the Security tab. If you see the message “iChat encryption is enabled” at the bottom of the window, you’re set. If you see “iChat can enable encryption,” click on the Encrypt button.

… But if you use .Mac-based encryption, hackers will be able to read only your chat partner’s IM handle.

People without .Mac accounts have other options. For $40, you can get the starter bundle of two licenses for Intego’s ChatBarrier X 3—enough for you and a companion to chat securely. You may already be considering PGP Desktop Home 9 for its many encryption skills; it can also secure chats between two users who both have the software installed.—Glenn Fleishman

Back up your files

Whether your Mac catches a virus, your network gets hacked, or you lose your files or your laptop, only regular backups will ensure that you don’t lose anything important. Check out Back Up to Stay Ahead for general guidelines. And read our latest reviews of backup software, including CMS Products’ $79 BounceBack Pro and EMC Insignia’s $129 Retrospect 6.—Kirk McElhearn

Subscribe to the Best of Macworld Newsletter