Mac users don’t need to worry about viruses.
FALSE We’ve enjoyed a long, glorious stretch without serious malware affecting our platform. But that doesn’t mean we can afford to let down our collective guard. If there is a virus attack, those of us who have good, up-to-date antivirus software installed will have the best odds of escaping unscathed.
Mandatory Measures If you don’t have antivirus software installed, see “Select Your Shield” for help. If you can’t name your antivirus program even though you’re just positive you’ve got one installed, you’re halfway there. But this is a telltale sign that you haven’t used it recently enough.
Just as important as having the software is making sure its virus definitions—the frequently updated information that antivirus software uses to recognize a virus—are recent. The best way to do this is to check for definition updates regularly. If you use a product that has an automatic update feature (all the programs described in “Select Your Shield” do), make sure it’s turned on and set to a frequent update schedule. Weekly updates should be adequate for most users, but if your computing involves accessing lots of files from lots of sources—whether via e-mail, file servers, or Web downloads—then daily updates might be a better idea.
Stay Alert Don’t open unexpected e-mail attachments until you’ve confirmed that they’re from the sender they appear to be from. Research from Sophos shows that one in 18 e-mails circulating during the month of November 2004 contained viruses.
Most malicious scripts affect only Windows machines, so if you click on one by accident, nothing will happen. But if you use Microsoft Word or Excel, you’re vulnerable to some platform-agnostic macro viruses. Protect yourself by turning on the Warn Before Opening A File That Contains Macros option in each program (under program name: Preferences: Security), but be aware that not all macros are malicious. The person who sent you the document might have included a useful macro on purpose.
To further reduce the risk of infections, don’t download free software or shareware from anywhere but reputable sources such as VersionTracker.com, MacUpdate, or the Apple software download page.—MARK H. ANBINDER
You’re vulnerable to Windows viruses if you run emulation software.
TRUE If you’re running Microsoft’s Virtual PC or another emulation product and running Windows, your Windows environment is susceptible to all the maladies that a stand-alone Windows PC is. Virtual PC and similar tools don’t merely let you access Windows-created documents and run software intended for Windows machines; you’re actually running the Windows operating system.
Virtual PC, Real Viruses You can minimize the risk by keeping your Windows environment meticulously up-to-date via Windows Update, by turning on the built-in firewall in Windows XP’s Security Center, or by installing your own firewall. (Yes, that might mean running a Mac firewall and a Windows firewall.)
Also helpful is avoiding some of the security holes that leave Windows users open to viruses and other malware. For starters, don’t use Virtual PC’s Virtual Switch network setting, which lets your virtual Windows computer act as though it were hooked directly to your network. If you put Windows right on your network with its own IP address, it’s vulnerable to any network-based attacks, such as those that exploit Windows file-sharing vulnerabilities. (Once Windows has been compromised, portions of your Mac’s hard drive that have been shared within Virtual PC might be accessible.)
Instead, use Virtual PC’s shared-networking scheme. (Select Shared Networking in the Networking tab of each virtual PC’s Settings dialog box.) This offers protection similar to that of a company firewall or a home broadband router, separating your computer from the Internet at large.
Finally, if you’re running Windows, you need antivirus software installed in Windows, not just on the Mac side. See Macworld’s sister publication PC World for recommendations.—MARK H. ANBINDER
Mac users don’t need to worry about spyware.
TRUE Breathe a long sigh of relief. Spyware—programs that record information, such as browsing habits or keystrokes, and send it to a remote server—runs rampant on Windows, but there are currently no real spyware programs that affect the Mac. There are several programs that can monitor what you do by taking screenshots at different times and recording your keystrokes (for example, Camp Software’s $29 KeystrokeRecorder X, Red Byte Software’s $46 MonitorerX Pro 2.0, and Rampell Software’s $35 TypeRecorder X 2.1). But these programs are designed for people who want to monitor the activity of their Mac’s users: businesses, schools, or parents may purchase and install these programs to keep tabs on employees, students, or children.
If you’re a nonadministrative user of a Mac on which an administrator has installed this type of program, there’s not much you can do about it: you’re not allowed to remove the software, since you don’t have administrative rights. The best you can do is ask why it’s there.—KIRK MCELHEARN
Sending chat messages is akin to throwing notes on loosely wadded paper across a crowded classroom.
TRUE If you use any of the popular instant-messaging applications for OS X—iChat, AOL Instant Messenger (AIM), and MSN Messenger—your messages can be read easily by someone watching your network traffic. That sounds like the work of sophisticated computer hackers, but all it takes is access to your network (in your company, at home, or at a public Wi-Fi location, for example) and a packet-sniffing utility such as Brian Hill’s free MacSniffer or Stairways Software’s $39 Interarchy. (Terminal wizards can use the Unix command tcpdump.)
For example, the window at the left of “Network Obfuscation” displays a snippet of text sent by iChat as it appears in Interarchy’s Traffic window. Looking past the HTML coding (which iChat uses to define balloon color and text formatting) and «spc» markers (spaces), you can see that the message reads, “It is easier to introduce new complications than to resolve the old ones.”
Keeping Risk in Perspective Before you swear off instant messaging forever, ask yourself a few questions. Is it really likely that someone is scanning your network’s data packets? You’re probably safer chatting with a friend from a single Mac at home than from a laptop connected to a free Wi-Fi network in a busy coffee shop. Also, does your conversation contain top-secret information? If most of your chats concern lunch take-out options, you probably needn’t worry.
It’s when you’re discussing information that’s private or proprietary that chatting can become the weak link your competition is waiting for.
Can Software Help? Fortunately, there are several ways to make your chats private. iChat users can purchase Intego’s $40 ChatBarrier X3 10.3.2 (November 2004). If both chat participants are running ChatBarrier X3, a padlock icon will indicate that the connection is secure. Someone using packet-sniffing software will see only encrypted text (as shown in the second screenshot).
Another option is to use software that’s designed to deliver encrypted text. BitWise (subscription model or limited free client) encrypts every message. However, you can use it to chat only with other BitWise users. If that won’t do, the open-source Fire client not only lets you chat securely with other Fire users but also lets you have unencrypted chats with others.
Finally, if you just need to send snippets of secure information, consider encrypting individual messages with a program such as PGP—which stands for “Pretty Good Privacy” (variously priced packages, including a freeware version). Recipients of PGP-encrypted messages must decrypt the text on their end. (Think super-secret decoder ring.)—JEFF CARLSON
It’s easy to read a normal intercepted chat message sent in the clear, as captured here by Interarchy… …But if you use ChatBarrier X3 to encrypt the same message, nosy hackers will see only gibberish.
When I’m using a wireless network at home, I’m totally safe.
TRUE and FALSE Wireless Wi-Fi networks use radio waves, which often extend well beyond the four walls of your home. That’s no big deal if most of the inhabitants of your neighborhood are crickets, but if you live in an apartment building or a dense urban area, it’s easy for a neighbor or a visitor to a nearby business to hop onto the network. Less frequently, people might make it their mission to enter your network and try to access your computers.
Because you’re not a Windows user, there’s no current need to worry about people on your AirPort network corrupting your computer with viruses or malevolent programs. So far, there’s no such animal that doesn’t also require an administrative password. But you should be concerned if your network has no protection. In that case, someone could try to connect to your computers and browse your shared folders.
By default, guests can connect only to the Public folder in each user’s Home directory, which means they can see only files that you’ve placed there on purpose. If you don’t want uninvited guests to access that, secure your computers. Go to System Preferences: Sharing: Services, and turn off Personal File Sharing, Windows Sharing, Personal Web Sharing, and FTP Access.
Locking Down the Airwaves If you don’t want to risk anyone connecting to your computer, turn on wireless security. Under AirPort, you can enable WEP (Wired Equivalent Privacy). It’s not the best security standard, but it will rebuff all but determined crackers. If you use AirPort Extreme and all of your computers are running Panther or Windows XP, you can opt for the stronger WPA (Wi-Fi Protected Access). Here’s how to turn WEP or WPA on:
1. Launch AirPort Admin Utility (Applications: Utilities).
2. Connect to your base station. (Configure all base stations this way if you have more than one with the same settings.)
3. Click on Change Wireless Security.
4. Choose WPA Personal or 128-bit WEP.
5. For WPA, enter a long passphrase that contains letters and numbers in the Network Password field, and verify it by re-entering it in Verify Password. A phrase like “M*y ct hAZZ fleez9!” is better than “My cat has fleas.” The former has no words a cracker can discover using a dictionary attack (when a program tries to find a password by combing through and combining all the words in a dictionary).
6. Click on OK.
7. Click on Update to restart the base station.
On each computer that connects to this base station, use the AirPort menu to connect, choose the method of encryption that you chose in the AirPort Admin Utility, and enter the passphrase. Change it regularly for greater security.—GLENN FLEISHMAN
When I’m using a public hotspot, all of my passwords are being stolen.
TRUE It’s not literally true that your passwords for e-mail, FTP (File Transfer Protocol), and Web sites are always being nabbed whenever you use Wi-Fi in a coffee shop, a hotel lobby, or an airport. But the potential is so high that you might as well consider it to be true.
People connecting to the same Wi-Fi network can see all the data passing over it if they have readily available free packet-sniffing software installed, and they can snatch your passwords, e-mail messages, and files out of the air.
Safe Passage for Particular Data If you lug a laptop around for business or for pleasure, you can secure your Internet activities one by one. For instance, encrypt your e-mail using a Web mail service that supports SSL (Secure Sockets Layer) for browsing or that can secure POP, IMAP, and SMTP with SSL. All major Mac e-mail clients include SSL support. In Apple’s Mail, go to the Accounts pane in Preferences and select the Use SSL option in Account Information: Server Settings (outgoing e-mail) and the Advanced tab (incoming e-mail). Another option is FastMail (free to $40 per year, depending on service level), which offers secure browsing and secure e-mail.
Web designers often need to transfer files to update Web sites while on the road. You can encrypt FTP using SFTP (Secure FTP). If you’re running your own FTP server on OS X, turn on SSH (Secure Shell) on the machine that has the file repository. Go to System Preferences: Sharing: Services and turn on Remote Login and FTP Access. There is an increasingly large number of Web hosts that also support SFTP for transferring files. You need an SFTP-equipped FTP program such as Interarchy, too, on the computer that’s connected to your repository.
When you shop or bank online, your data is almost always already secured with SSL. But if you hate the idea of your surfing being observed, use a service such as Secure-Tunnel, which offers free anonymous surfing. Secure surfing costs $8 per month.
Private Networks in Public Places If you want a more comprehensive way to protect your wireless activities when you’re out and about, consider securing your sessions with a virtual private network (VPN) connection. A VPN encrypts all the data that enters and leaves a computer over a network connection, such as AirPort, preventing all snooping.
VPNs aren’t just for corporations anymore. OS X Server 10.3 (Panther) includes both flavors of VPN servers currently in wide use. The regular version of Panther includes a VPN client. (Go to Applications: Internet Connect, and select File: New VPN Connection).
If you don’t have your own Panther server, subscribe to a VPN service—for example, HotSpotVPN. This site charges $9 per month for unlimited VPN connections to its VPN servers located at high-speed data centers, from which your Internet traffic is then relayed out to the rest of the world.
Pick a Secure Connection Finally, at Starbucks, FedEx Kinko’s, Borders, and other T-Mobile HotSpot locations, you can connect to the Internet securely from within Panther through T-Mobile’s 802.1x service, a for-fee network that lets you log in without using the typical gateway Web page that greets you. Instead, you log in just as you would to a dial-up network. The hotspot’s login server then automatically provides your system with a unique encryption key that protects your data from everyone on the same network.—GLENN FLEISHMAN
If you don’t want uninvited guests hopping onto your wireless network and browsing your public folders, turn off file-sharing services.
The Mac’s default security settings are all you need to protect your computer from hacker attacks.
FALSE Hackers attempt to attack your computer over the Internet by finding open, unsecured ports and exploiting them. A port is nothing more than a door through which computer data can be passed. Every computer has thousands of them, and every open port is a potential entry point.
Mind you, open ports are a necessary part of your daily computer experience. Every time you open a Web page, you’re using port 80. Every e-mail you send goes through port 25. Sharing your iTunes music library? You’re using port 3689. Open isn’t necessarily bad—as long as your Mac’s operating system and the application using the port verify that only legitimate data is being passed through those ports.
Hackers attempt to find open ports by trolling the Net, sending out messages that your Mac understands as “Hey, anybody there?” When such messages hit your Mac (even if they hit a closed port), it behaves like a puppy dog, happily barking back, “Yep, I’m here!” That response lets hackers know there’s something out there they can attempt to exploit. They’ll then use port-scanning software to discover an open door they can get into.
To prevent this from happening, you need a firewall. A firewall is simply a piece of software or hardware that stands between your computer and the rest of the world, making sure that every piece of data coming or leaving through an open port on your Mac goes only where it’s supposed to.
OS X has a firewall that’s turned off by default. You can change that by going to System Preferences: Sharing: Firewall, and then clicking on the Start button. Frankly, there’s no reason not to turn the firewall on if you always have your Mac connected to the Internet. As soon as you start the firewall, all the ports on your Mac are stealthed. Stealthing a port makes your Mac behave like your high-school crush who ignored you no matter how many times you tried to make small talk in the halls. You made your presence known, but you weren’t even getting the time of day. Any legitimate ports that are open on your Mac will allow data to pass through and work normally, but to the rest of the world, your Mac becomes invisible.
However, for some people, the Mac’s built-in firewall isn’t the best option. To find out if you’re one of those users, see “Raise the Wall.” —JEFFERY BATTERSBY
Your personal information is in danger when you surf the Web.
TRUE But not, perhaps, in the way you think. Most people imagine some nondescript virtual basement, where slovenly hackers work in the dark, drinking Jolt cola and waiting for you to slip up so they can get at your bank statements, credit card numbers, and passwords.
But more often, your surfing will result in the smaller annoyance of spam. For instance, some sites require that you register, and then they sell your e-mail address to others. The best way to prevent this is to create disposable e-mail addresses that you can use when you register. If you have a .Mac subscription, for example, you can create aliases, which are different e-mail addresses that funnel mail into your account. These are linked to your main e-mail account, and you can delete them at any time.
Be John or Jane Doe Another option is to avoid registering by using a service such as BugMeNot.com. If you go to this Web site, you can find user names and passwords for all sorts of Web sites. These aren’t shopping sites—you won’t find someone’s user name and password for Amazon.com. But you’ll find the login information required to access newspapers and other information sites that use registration to track what you view.
Fooled by Phishing More-serious security breaches usually happen because you’ve inadvertently given your data to the wrong person. For instance, phishing is when malevolent people send e-mail messages pretending to be eBay, PayPal, your bank, and so on. The message asks you to “confirm” your account by entering your social security number, credit card number, or other sensitive information.
These messages try to trick you into giving your personal information away so hackers can exploit it. Don’t ever click on a link in an e-mail like this. Also, turn off HTML display in your e-mail program so you can check the validity of such links. For example, if you get a message from eBay or PayPal that asks you to enter your information, look at the actual link. Very often, you’ll see that it contains a domain name in another country, such as Korea or Russia (.kr or .ru), or you’ll see a numerical address, such as 192.168.123.456 instead of www.ebay.com. If you’re ever in doubt, go directly to the Web site in question and contact customer support to confirm the message you receive.—KIRK MCELHEARN
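The link check described above can be automated. This Python sketch is an added example, not part of the original article: it pulls each link out of an HTML message and reports when the real target is a numerical address, sits outside the expected domain, or differs from the host name shown in the link text. The function names, the sample message, and the hosts in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two country codes the article names; an illustration, not a blocklist.
ARTICLE_CCTLDS = {"kr", "ru"}

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML e-mail."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def is_numeric_host(host):
    # Loose on purpose: also catches dotted numbers that are not valid IPs.
    return re.fullmatch(r"\d+(\.\d+){3}", host) is not None

def check_link(text, href, expected_domain):
    """Return the reasons a link does not really lead to expected_domain."""
    host = (urlsplit(href).hostname or "").lower()
    reasons = []
    if is_numeric_host(host):
        reasons.append("numeric address")
    elif host != expected_domain and not host.endswith("." + expected_domain):
        reasons.append("host is not " + expected_domain)
        tld = host.rsplit(".", 1)[-1]
        if tld in ARTICLE_CCTLDS:
            reasons.append("country-code domain ." + tld)
    # A host name typed into the visible text that differs from the real target.
    shown = re.search(r"(?:[\w-]+\.)+[a-z]{2,}", text.lower())
    if shown and shown.group(0) != host:
        reasons.append("link text shows " + shown.group(0))
    return reasons

def audit_email(html, expected_domain):
    """Return [(href, reasons)] for every link in the message body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(text, href, expected_domain))
            for text, href in parser.links]

# Constructed sample message; the hosts are made up and nothing is fetched.
SAMPLE_HTML = """
<p>Please <a href="http://203.0.113.7/ebay/confirm">confirm your account</a>.</p>
<p>Or sign in at <a href="http://signin.ebay.example.ru/login">www.ebay.com</a></p>
<p>Help: <a href="https://pages.ebay.com/help/">pages.ebay.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_HTML, "ebay.com"):
        print(href, "->", reasons or "ok")
```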
As long as you have separate user accounts, your personal information is safe when you share your Mac with others.
FALSE OS X uses file permissions to keep track of who can read, write, and execute each file on the Mac. This is essential because it ensures that one user can’t access another’s files. But the system depends on the computer’s administrator, who has total control over all the files and who must set up permissions correctly. You can’t completely protect your files unless you are the only administrator.
Even if you’re the only administrator, or if your administrator has set up user accounts very carefully, others can access your stuff unless you’re careful. For instance, anyone in your office, home, or dorm can saunter up to your desk, sit down, and start searching through your personal documents if you walk away without logging out. Anyone with an OS X installation CD can start up your Mac with that CD and use its utilities to reset the administrator password.
If you have any truly sensitive files on your Mac—from company financial plans to your top-secret spy stuff—the best way to protect them from prying eyes is to encrypt them (see “8 Ways to Protect Your Mac Right Now”).—KIRK MCELHEARN
[Mark H. Anbinder is a senior technical consultant at Cornell University and a contributing editor of TidBits. Jeffery Battersby is a network analyst at the law firm of Finkelstein & Partners in Newburgh, New York. Jeff Carlson is the managing editor of TidBits and the author of several books about the Mac, including iMovie 4 and iDVD 4 for Mac OS X: Visual QuickStart Guide (Peachpit Press, 2004). Glenn Fleishman wrote “Take Control of Your AirPort Network” and writes daily about Wi-Fi at Wi-Fi Networking News. Kirk McElhearn is the author of several books, including iPod and iTunes Garage (Prentice Hall, 2004). His blog, Kirkville, talks about Macs, iPods, and much more.]
Many users who have an always-on connection to the Internet need to turn on OS X’s built-in firewall to protect against hackers. Go to the Firewall tab under OS X’s Sharing preference pane, and click on Start.
If you’d rather not register at Web sites—and risk a boatload of spam—try a service such as Bugmenot.com. It provides you with dummy user names and passwords for common sites. Bugmenot has a handy bookmarklet that you can use in Safari.
Sidebar: Mac Attacks
Still wearing a smug look because so few viruses affect the Mac? It’s not unjustified. No virus outbreaks affected Mac users in 2004, and the other security incidents in our recent past are largely hypothetical:
• MP3Concept (April 2004) Intego confused the Mac community by announcing that VirusBarrier would protect against the “first Trojan horse” affecting Mac OS X. In fact, a harmless proof-of-concept utility, not an actual Trojan horse, had been developed.
• Opener (October 2004) A malicious shell script first reported on MacInTouch, Opener disables a Mac’s firewall, turns on file sharing, creates a new user account with admin privileges, and more, but only if the Mac’s user installs and runs the script and enters an administrator password when prompted to do so. Enter your administrator password only if you know why you’re being asked to and only if you trust the source of the software that’s asking!
Your Defense? Security Updates Meanwhile, Apple has patched a number of vulnerabilities that haven’t yet been exploited. For instance, Security Update 2004-05-24 prevents the inadvertent execution of malicious code via certain types of URLs, and it adds a warning before launching an application for the first time as the result of double-clicking on a document.
Always stay on top of OS X’s Software Update feature. To make sure that you have it turned on and set to check weekly or daily, go to the Software Update preference pane in System Preferences.—MARK H. ANBINDER
Sidebar: Security, NSA-Style
From breaking codes to collecting intelligence on terrorist organizations, the National Security Agency (NSA) is paid to be really paranoid. Download its guide to bullet-proof OS X security.