Mac security: user error
Some security problems are due to user error (or user laziness). It’s not that hard to practice good system security on your Mac. But a surprising number of people—including some who should know better—don’t. Here are some basic tips on practicing safe computing.
The Threat
A few months ago a close friend called me. A criminal was posing as him, passing bad checks, transferring funds out of bank accounts, and changing passwords. Fortunately, the nefarious activity was discovered early, and my friend worked with his banks and other providers to stop the attack and recover the lost funds. Piecing together what happened, I discovered the root problem: my friend had been using the same single password for most of his banks, e-mail, and other online services.
Even some of my colleagues in the security business have fallen into the same bad habit. It’s understandable: It’s certainly easier to remember just one password for everything. But the risk is that, once that one account is compromised, all the others are too.
While banks and other major providers have controls in place to keep your passwords safe, other services aren’t always so diligent. An attacker might find your username and password in a support forum he hacked, then try that combination with other major online services (e-mail, retailers, auction sites, banks) to see if one will accept those credentials.
What You Can Do
Use a password management tool like Agile Software’s 1Password. Such tools securely encrypt and store all your passwords. They can also generate random, strong passwords of nearly any length, which are effectively impossible for attackers to crack.
I still have to remember a few passwords, such as for my iTunes account. But the vast majority of my passwords are now long, random, and unique for every site, all of them managed by 1Password. By the way: We changed my friend’s passwords and switched him to a password manager. He hasn’t experienced any problems since.
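To make the two points above concrete, here is a short POSIX shell script that is added to this article (it is not the article's own code, nor anything from 1Password). It audits a credential list for the reuse habit described above and generates the kind of long, random, per-site replacement a password manager would produce, reporting the search space an attacker faces. The credential list is constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a credential list for password reuse and generate
# unique random replacements. The sample list below is constructed.
# Run this once on a copy of an exported list, then delete the plaintext copy.

# find_reused: read "site password" lines on stdin and print one line per
# password that appears on more than one site: "<count> <password> <site,site,...>"
find_reused() {
    awk '{
        count[$2]++
        sites[$2] = (sites[$2] == "" ? $1 : sites[$2] "," $1)
    }
    END {
        for (p in count) if (count[p] > 1) print count[p], p, sites[p]
    }'
}

# Alphabet for generated passwords: 62 alphanumerics + 10 symbols = 72 symbols.
CHARSET='A-Za-z0-9!#%&+=?@_~'
CHARSET_SIZE=72

# gen_password LEN: LEN characters drawn uniformly from CHARSET via /dev/urandom
gen_password() {
    LC_ALL=C tr -dc "$CHARSET" < /dev/urandom | head -c "$1"
}

# entropy_bits LEN SIZE: floor(LEN * log2(SIZE)), i.e. how many bits an attacker
# must search when the password is truly random over SIZE symbols
entropy_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%d\n", int(n * log(s) / log(2)) }'
}

demo() {
    # Constructed sample: three services share one password, one is unique.
    cat <<'EOF' | find_reused
bank     hunter2
webmail  hunter2
forum    hunter2
shop     Vq7#kL2m!pz9
EOF
    p=$(gen_password 20)
    echo "replacement: $p (${#p} chars, $(entropy_bits 20 $CHARSET_SIZE) bits)"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh audit.sh demo`. A 20-character password over this 72-symbol alphabet carries about 123 bits of entropy; an 8-character lowercase password carries about 37, which is the difference between "effectively impossible" and "an afternoon's work" for a determined attacker.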
Sharing too much
The Threat
Out of the box, new Macs expose few network services, and file sharing is disabled. But many power users quickly expose these services and turn on sharing, opening themselves up to potential exposure over the network.
You can turn your Mac into a wireless router, take control of it over the Internet, share your iTunes and iPhoto libraries, or open up a web server with only a few clicks in your System Preferences. If you are on a secure home or office network, opening up such services is rarely a problem. AirPort Express and other routers usually include a basic firewall that prevents outside access to your Mac; that protection is usually enough.
But problems can crop up when you leave your safe network. If your Mac’s network services are exposed when you enter the world of open networks—in hotels, airports, schools, and wireless hot spots—your Mac could be exposed to anyone on that network.
What You Can Do
There’s an easy way to instantly turn off all network services without disabling them one by one: In the Security preference pane, select the Firewall tab, click Advanced, and then select Block All Incoming Connections. Even if you have enabled services in the Sharing preference pane, in iTunes, or in other programs, the firewall will now block incoming access. Enable this option before you use public networks; it should keep you safe.
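The same switch is reachable from the command line, which is handy if you want a one-command "I'm on hotel Wi-Fi now" routine. The script below is an added example, not from the article or from Apple; it wraps Apple's application firewall tool, /usr/libexec/ApplicationFirewall/socketfilterfw, whose --getglobalstate, --getblockall, --getstealthmode and matching --set options exist on OS X. The exact wording of the tool's status lines is an assumption here, so the parser only looks for "enabled" or "disabled"; the function names are this example's own.

```shell
#!/bin/sh
# Added example: command-line equivalent of "Block All Incoming Connections".
# Wraps Apple's socketfilterfw; the status wording parsed below is assumed,
# so matching is case-insensitive on the words "enabled" / "disabled".
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# classify_state LINE: reduce one socketfilterfw status line to enabled/disabled/unknown
classify_state() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *disabled*) echo disabled ;;
        *enabled*)  echo enabled ;;
        *)          echo unknown ;;
    esac
}

# firewall_report: print the three settings that matter on an untrusted network
firewall_report() {
    [ -x "$SFW" ] || { echo "socketfilterfw not found (not macOS?)" >&2; return 2; }
    printf 'firewall: %s\n' "$(classify_state "$("$SFW" --getglobalstate)")"
    printf 'blockall: %s\n' "$(classify_state "$("$SFW" --getblockall)")"
    printf 'stealth:  %s\n' "$(classify_state "$("$SFW" --getstealthmode)")"
}

# lockdown_for_public_network: turn the firewall on, block all incoming
# connections, and stop answering probes (needs an administrator password)
lockdown_for_public_network() {
    [ -x "$SFW" ] || { echo "socketfilterfw not found (not macOS?)" >&2; return 2; }
    sudo "$SFW" --setglobalstate on
    sudo "$SFW" --setblockall on
    sudo "$SFW" --setstealthmode on
    firewall_report
}

# ready_for_public_network: succeed only when block-all is actually in force
ready_for_public_network() {
    [ -x "$SFW" ] || return 2
    [ "$(classify_state "$("$SFW" --getblockall)")" = enabled ]
}

case "${1-}" in
    status)   firewall_report ;;
    lockdown) lockdown_for_public_network ;;
    check)    if ready_for_public_network; then echo "block-all is on"; else echo "block-all is OFF"; fi ;;
esac
```

Run `sh fw.sh lockdown` before you open the lid in the airport and `sh fw.sh check` whenever you are unsure. Per Apple's description of the option, block-all still permits the handful of services basic connectivity needs (DHCP, Bonjour, IPsec), so you keep your network connection while everything listening on your Mac becomes unreachable from the outside.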
Unencrypted personal data
The Threat
If bad guys gain access to your Mac itself—whether over your Internet connection or by physically possessing your Mac—they can possess all your crucial personal information: credit card, Social Security or Tax ID numbers, account passwords, and so on.
Financial management software, plain-text password cheat-sheets, and e-mail messages are all ripe sources of confidential information. They’re the first things any attacker will seek out when he gains access to your Mac. If he finds what he wants, the effects can be costly and long-lasting. This is a case where the risk is low, but the potential cost is so high that precautions are worthwhile.
What You Can Do
Depending on the information you want to protect, there are two helpful tools built into OS X itself.
If you want to store discrete bits of information—Social Security numbers, for example—your keychain is a good place to do it. When you launch Keychain Access (Applications -> Utilities -> Keychain Access), you’ll see a Secure Notes category in the left-hand sidebar. That’s where you can save things like SSNs and other information you can type in.
If you want to protect entire files, use Disk Utility to create an encrypted disk image, which you can store or move anywhere and access with a password. In Disk Utility (Applications -> Utilities -> Disk Utility), click New Image in the toolbar, specify a location and size for the file, give it a name, and select your encryption option (128-bit or 256-bit; both are very secure).
This new image file will act just like a removable hard drive: You double-click it to mount it, then enter the password you specified. If you use financial management software or keep scans of family documents, your disk image is a great place to keep that data. It’s also a good place to store personal data if you share your Mac user account with others.
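Disk Utility is a front end for the hdiutil command, so the same encrypted image can be created, mounted and unmounted from a script. The block below is an added example (not the article's or Apple's code) using hdiutil's real create, attach, detach and isencrypted verbs; the image name, size and the wrapper function names are this example's own. The password is fed on standard input (-stdinpass) so it never appears in a process listing or shell history.

```shell
#!/bin/sh
# Added example: create, mount and unmount an encrypted disk image with hdiutil,
# the command-line tool behind Disk Utility. Function names are this example's own.
# Passwords are read from stdin (-stdinpass), never passed as arguments.

# aes_option BITS: map the two choices Disk Utility offers (128 or 256) to the
# value hdiutil expects for -encryption; refuse anything else
aes_option() {
    case "$1" in
        128) echo AES-128 ;;
        256) echo AES-256 ;;
        *)   echo "unsupported key size: $1 (use 128 or 256)" >&2; return 1 ;;
    esac
}

# create_image NAME SIZE BITS: encrypted, journaled HFS+ image NAME.dmg,
# e.g.  printf '%s' "$pw" | create_image Private 200m 256
create_image() {
    enc=$(aes_option "$3") || return 1
    hdiutil create -encryption "$enc" -stdinpass -size "$2" -fs 'HFS+J' \
        -volname "$1" "$1.dmg"
}

# mount_image NAME: attach NAME.dmg (password on stdin); files appear under /Volumes/NAME
mount_image() {
    hdiutil attach -stdinpass "$1.dmg"
}

# unmount_image NAME: detach the volume so the data is encrypted at rest again
unmount_image() {
    hdiutil detach "/Volumes/$1"
}

# verify_encrypted NAME: ask hdiutil to confirm the image really is encrypted
verify_encrypted() {
    hdiutil isencrypted "$1.dmg"
}

case "${1-}" in
    create)  create_image "$2" "$3" "$4" ;;
    mount)   mount_image "$2" ;;
    unmount) unmount_image "$2" ;;
    verify)  verify_encrypted "$2" ;;
esac
```

Typical use is `printf '%s' "$pw" | sh dmg.sh create Private 200m 256`, then `sh dmg.sh verify Private` to confirm `encrypted: YES` before you move anything sensitive into it. Remember to unmount when you step away: a mounted image is as readable as any other folder.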
The Threat
There are plenty of ways bad guys can destroy your data; it’s not that hard to accidentally do it yourself. While losing applications or rebuilding a system is painful, losing something irreplaceable like all your family photos is the digital equivalent of your house burning down. So the most important thing you can do to keep your data safe is to back it up regularly.
What You Can Do
I recommend a multiple-backup strategy, with both on- and off-site backups. The costs are higher, but the safety is worth it to me. (I’d be devastated if I lost all the photos of my daughter.) I use Time Machine to back up most of my system locally. I also use CrashPlan to back up really important files (my entire iPhoto library, my Documents folder) offsite. And I use IMAP accounts for my e-mail, so copies of my messages are stored on my providers’ servers. (For more suggestions regarding a backup strategy, see our roundup of online backup services and "The No Worry Backup Plan".)
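A backup you never check is a backup you only hope you have. The script below is an added example (not from the article or from Apple) that asks Time Machine for its newest snapshot with `tmutil latestbackup` and fails loudly when that snapshot is older than a date you pass in. It assumes the snapshot path ends in a YYYY-MM-DD-HHMMSS timestamp, as Time Machine has historically named its backups; the sample paths and function names are this example's own.

```shell
#!/bin/sh
# Added example: check that the local Time Machine backup is recent.
# Assumes the newest snapshot path contains a YYYY-MM-DD-HHMMSS timestamp
# (Time Machine's historical naming). Function names are this example's own.

# backup_date PATH: extract YYYY-MM-DD from a snapshot path; fail if none found
backup_date() {
    d=$(printf '%s\n' "$1" |
        sed -n 's/.*\([0-9]\{4\}-[0-9][0-9]-[0-9][0-9]\)-[0-9]\{6\}.*/\1/p')
    [ -n "$d" ] && printf '%s\n' "$d"
}

# backup_is_stale PATH CUTOFF: true when the snapshot is dated before CUTOFF
# (YYYY-MM-DD). A path with no recognisable date is treated as stale.
backup_is_stale() {
    d=$(backup_date "$1") || return 0
    [ "$(printf '%s' "$d" | sed 's/-//g')" -lt "$(printf '%s' "$2" | sed 's/-//g')" ]
}

# check_time_machine CUTOFF: query tmutil (macOS only) and report; exit status
# 0 = fresh, 1 = stale or missing, 2 = tool unavailable
check_time_machine() {
    command -v tmutil >/dev/null 2>&1 || { echo "tmutil not found (not macOS?)" >&2; return 2; }
    latest=$(tmutil latestbackup) || { echo "no Time Machine backup found" >&2; return 1; }
    if backup_is_stale "$latest" "$1"; then
        echo "STALE: newest backup $latest is older than $1"
        return 1
    fi
    echo "OK: newest backup dated $(backup_date "$latest")"
}

if [ "${1-}" = check ] && [ -n "${2-}" ]; then
    check_time_machine "$2"
fi
```

Run `sh tmcheck.sh check 2011-04-24` (a date a week or so back) from a weekly reminder; a non-zero exit tells you the local copy has fallen behind before you need it. It covers only the Time Machine leg; the off-site copy deserves an equivalent check with whatever status your provider's client exposes.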