Fifteen easy fixes for Mac security risks
Use Keychains wisely
The Mac OS X Keychain is a feature that securely collects passwords for a vast number of functions—including e-mail and instant messaging accounts, Web services, Wi-Fi networks and file servers. The Keychain stores this information in encrypted format and is decrypted only when you provide a master password.
Keychains can also contain encrypted notes (such as bank account information) and security certificates, all of which can be accessed and managed from the Keychain Access application in the Utilities folder on your Mac. In the Keychain Access window, right-click or control-click on an available Keychain to change the password, lock the keychain or alter settings that will cause the keychain to lock automatically. You can also create or delete Keychains here.
By default, each user account has a Keychain associated with it that is unlocked with the user’s password at log-in. If a user’s password is reset through a method other than the Accounts pane in System Preferences (such as by an administrator account or from the Mac OS X Install DVD), the account and Keychain passwords will become out of sync. You can fix this by manually changing the Keychain password to match your log-in password, or you can reset the Keychain using Apple’s Keychain First Aid feature, which can also help troubleshoot other types of Keychain problems.
Keychains offer both security and convenience. You can improve security by using multiple Keychains (each of which contains different information) with different passwords or by simply changing your account’s Keychain password. This ensures that even if your user account password is compromised, the data in your Keychain(s)—including passwords to other services—will remain securely encrypted. As with a firmware password, if you forget a Keychain’s password, its contents will be irretrievable.
Get the most out of Leopard’s firewall
Mac OS X has included an optional firewall for some time, traditionally based on the open-source Unix ipfw firewall. Leopard introduced a newer, dynamic firewall option. This new firewall (click the Firewall tab in the Security pane in System Preferences) is straightforward, which is helpful for users who simply want their computers protected without having to create and manage complex firewall rules.
You can choose to block all incoming traffic, which prevents your Mac from accepting any data that it didn’t explicitly request, such as a Web page. You can also allow only core system services to accept incoming data or allow access based on specific applications or system processes.
More on Mac firewall options from Macworld
This last option is the most commonly used, and it will cause Leopard to alert you any time an application wants to accept nonrequested incoming data. If you allow incoming data for an application, it gets added to the list of allowed applications. Applications such as iChat require incoming connections to function properly.
You can use the list in System Preferences to selectively remove applications from the allowed list or even just as a quick way of verifying which applications are on the list. You can also change an allow rule into a block rule, which will prevent an application from receiving incoming data or asking you to allow access.
Two other options—enable logging and enable stealth mode—are available via the Advanced button. Logging, as you might guess, logs all traffic that is received by your Mac and how that traffic is filtered. Stealth mode will cause your Mac to ignore ping requests from other computers and prevent outside users from easily detecting your Mac on a network. This increases security but can also limit the effectiveness of remote troubleshooting of network problems.
Leopard’s new dynamic firewall interface is really a simple way to establish basic firewall rules. Connections are still evaluated based on the network port numbers used by each request, but the firewall has been made much simpler for everyday users to enable and configure. For power users, the full ipfw suite, which lets you develop much more complex firewall rules, is still included as part of Leopard and can be accessed via the Terminal. And as with any computer, you can use port-scanning tools to verify the effectiveness of your firewall configuration in shielding your Mac.
One reason to understand and use the firewall is the common use of public Wi-Fi networks. Such networks are often unprotected, meaning that any data you exchange over the network can easily be snooped on. However, it also means that any malicious user connected to the same network has the capacity to port-scan your Mac and attempt to determine vulnerabilities. Working with the firewall and enabling stealth mode are two good ways to protect your Mac in these situations.
Delete files and erase disks securely
While you may think that you’re permanently deleting files when you empty the Trash or erase a disk using Disk Utility, the truth is that you aren’t. You’re really just marking the disk sectors where files were stored as available to store new data. Until the disk space occupied by the “deleted” files is overwritten at least once, many hard drive recovery and forensic tools can recover deleted files.
Fortunately, Macs offer a couple of ways to ensure that deleted data stays deleted. First up and simplest is the Secure Empty Trash command, located just under the normal Empty Trash command in the Finder’s File menu. This performs a simple overwrite of the disk sectors containing any files being trashed. In some instances, serious forensic investigators could reconstruct files that have been overwritten with a single pass, but for most users, this option offers ample security by preventing easy recovery of deleted items.
If you really want to ensure that items can’t be recovered, Disk Utility’s secure-erase features allow you to erase an entire disk or the free space of a disk, which includes both disk space that was never used and space where files had existed before being deleted.
Whether you’re erasing the entire disk or just the free space, you can choose to securely erase data with a single pass of blank data (also known as zeroing out a disk), seven passes or 35 passes. A seven-pass erase meets U.S. Department of Defense standards for secure data removal; a 35-pass erase typically takes hours or days to complete but will ensure that nothing is recoverable. When erasing an entire disk, click the Security Options button to choose the number of passes; when erasing free space, click the Erase Free Space button to see these options.
To use either feature, select the hard drive or volume that contains data you want to erase securely in the list to the left of the Disk Utility window, then select the Erase tab on the right side. If you want to erase only free space, click the Erase Free Space button.
To erase an entire disk/volume, click the Security Options button, select the number of passes to be made, and choose the appropriate disk format and the name for the newly erased disk. Then click Erase to erase the disk. (Note: You can’t erase the start-up disk that a Mac is using — if you want to securely erase the primary/startup drive, you’ll need to boot from an alternate disk, such as an external hard drive or the Mac OS X Install DVD.)
Don’t share anything you don’t have to
Macs offer users a lot of ways to share information. The Sharing pane in Leopard’s System Preferences offers 11 different choices (though one them, Xgrid computational cluster sharing, isn’t likely to be used by the majority of people).
The list ranges from general file and printer sharing to remote log-in and control of your Mac using Leopard’s screen sharing, Apple Remote Desktop, and secure shell (SSH) command-line access. Even personal Web site hosting (Internet sharing) and Bluetooth sharing are supported, as are Remote Apple Events, which allow applications on one Mac to trigger actions on another.
The simple advice here is “Don’t enable any type of sharing you’re not actively using.” Every time you enable sharing of any service, it opens up an avenue for someone to remotely access and/or manipulate your Mac. This could mean accessing shared files or taking complete control of the computer. If you need to share something, then by all means do so—but if not, keep everything as locked down as you can.
Another danger is the Back to My Mac service offered by Apple’s MobileMe, which lets your MobileMe account automatically connect you to your Mac using file, printer or screen sharing over the Internet. This is a highly convenient feature, but not only does it rely on leaving sharing services running and open; it also relies on making those services accessible from the Internet at large. If your MobileMe account is compromised, then so is your entire Mac.
If you need to enable sharing, and chances are that you will at some point, do it in as restrictive a manner as possible. Virtually every sharing service offers at least minimal controls. In the case of DVD and CD sharing, you can opt to have your Mac ask you before allowing remote access. In the case of many services that are user-based, you can choose which users are allowed to access the service remotely.
Most importantly, in the case of file sharing, you can designate both which folders are shared and who has access to those folders. Even though the default setting is to allow all users access to the general Shared folder and to allow everyone access to the Public folder inside each user’s home folder, you can add and remove specific folders from the list of those being shared. Share only what is needed, and limit access to as few users as possible.
Also, keep in mind that anyone connecting to a remote Mac using an administrative account will be able to mount not just the explicitly shared folders, but any connected hard drive. This is another reason to disable file sharing if it isn’t needed and to be sure you use good password policies for admin users. (It’s also a good reason to create administrative accounts with names other than “admin” or “administrator.”)
On a final note about file sharing, Mac OS X supports file sharing with three different protocols: AFP (the native file-sharing protocol for Macs), SMB (the native protocol for Windows) and FTP. You can select which ones to enable using the Options button in the Sharing pane in System Preferences.
SMB must be enabled for individual users because it stores passwords in less secure form on your Mac (though it still encrypts their transmission over the network). FTP should be avoided because it offers no encryption whatsoever. Again, limit the protocols to those you need, and leave the others disabled.
Bonjour is Apple’s zero-configuration networking system that allows Macs ( and PCs and iPhones) to automatically broadcast resources they are sharing over a network and to discover resources shared by other devices. Bonjour can be used for file sharing, printing (many printers ship with Bonjour built in), sharing of iTunes libraries, instant messaging without the use of an IM service, and many other things.
Since Bonjour works by your Mac broadcasting its presence and its available shared resources, it can easily alert malicious users not only to its location, but also to vectors that can be used to target it for attack. Most applications that support Bonjour also allow you to disable Bonjour broadcasting, though you may need to dig around in their Preferences to find the option.
As with sharing services, if you don’t need Bonjour for an application, turn it off. If you want to see which applications on your Mac are actively advertising themselves using Bonjour, check out the open-source Bonjour Browser, which lists the various Bonjour services actively running at any one time. You can use this to determine which applications to disable Bonjour support in. (One of the most common is iTunes, which uses Bonjour to share libraries, locate/sync to Apple TVs, and remotely control Apple’s Remote application for the iPhone and iPod Touch.)
You can even go a step further from the command line, where you can disable Bonjour as a whole. Ali Karbassi provides instructions on his blog.
Keep your software up to date
The most important security option available to Mac users is keeping software up to date. This applies to Mac OS X itself, Apple-branded applications and any third-party apps on your system. Maintaining an up-to-date operating system and application set means that publicly known vulnerabilities are more likely to have been patched in the software on your system.
The Mac’s built-in Software Update feature checks for updates to OS X and Apple applications on a weekly basis by default, and it notifies you when updates are available—which lets you choose whether to download and install them all immediately or to wait until a later time.
You can also choose to check monthly or daily, or disable automatic checking altogether (not recommended), using the Startup Disk pane in System Preferences. Another option is to have critical updates such as security updates downloaded automatically; you’ll be informed when the download has been completed and is ready for installation.
The Software Update pane also lets you check for updates at any time (which can also be done via the Apple menu) and view a list of updates that have been installed on your Mac.
Most third-party apps include an option to check for updates each time they are launched. This should be left enabled because updates often improve performance, stability and security. VersionTracker Pro ($30 for up to three Macs) and the free App Update Dashboard widget are two utilities that can help ensure that all applications on your Mac are up to date.
Although this article covers the most common ways in which Macs are left vulnerable, it is by no means a complete guide to Mac security. More information is available from the following sources:
- Corsaire ‘s “Securing Mac OS X Leopard” white paper (download PDF)
- Apple’s Mac OS X Security Configuration Guides
- Mac OS X Security Updates
- Home PC Firewall Guide’s Macintosh Security Guide
- Intego’s Mac Security Blog
- Macworld’s Mac Security SuperGuide ($9.99 for PDF)
[Ryan Faas is a frequent Computerworld contributor specializing in Mac and multiplatform network issues.]