Security

Mac Security Reality Check: User Error

Some security problems are due to user error (or user laziness). It's not that hard to practice good system security on your Mac. But a surprising number of people--including some who should know better--don't. Here are some basic tips on practicing safe computing.

Poor passwords

The Threat A few months ago a close friend called me. A criminal was posing as him, passing bad checks, transferring funds out of bank accounts, and changing passwords. Fortunately, the nefarious activity was discovered early, and my friend worked with his banks and other providers to stop the attack and recover the lost funds. Piecing together what happened, I discovered the root problem: my friend had been using the same single password for most of his banks, e-mail, and other online services.

Even some of my colleagues in the security business have fallen into the same bad habit. It's understandable: It's certainly easier to remember just one password for everything. But the risk is that, once that one account is compromised, all the others are too.

While banks and other major providers have controls in place to keep your passwords safe, other services aren't always so diligent. An attacker might find your username and password in a support forum he hacked, then try that combination with other major online services (e-mail, retailers, auction sites, banks) to see if one will accept those credentials.

What You Can Do Use a password management tool like Agile Software's 1Password ( Macworld rated 4.5 out of 5 mice ). Such tools securely encrypt and store all your passwords. They can also generate random, strong passwords of nearly any length, which are effectively impossible for attackers to crack.

I still have to remember a few passwords, such as for my iTunes account. But the vast majority of my passwords are now long, random, and unique for every site, all of them managed by 1Password. By the way: We changed my friend's passwords and switched him to a password manager. He hasn't experienced any problems since.

Sharing too much

The Threat Out of the box, new Macs expose few network services, and file sharing is disabled. But many power users quickly expose these services and turn on sharing, opening themselves up to potential exposure over the network.

You can turn your Mac into a wireless router, take control of it over the Internet, share your iTunes and iPhoto libraries, or open up a web server with only a few clicks in your System Preferences. If you are on a secure home or office network, opening up such services is rarely a problem. Airport Express and other routers usually include a basic firewall that prevent outside access to your Mac; that protection is usually enough.

But problems can crop up when you leave your safe network. If your Mac's network services are exposed when you enter the world of open networks--in hotels, airports, schools, and wireless hot spots--your Mac could be exposed to anyone on that network.

What You Can Do There's an easy way to instantly turn off all network services without disabling them one by one: In the Security preference pane, select the Firewall tab then click Advanced and then select Block All Incoming Connections.Even if you have enabled services in the Sharing preference pane, in iTunes, or in other programs, the firewall will now block incoming access. Enable this option before you use public networks; it should keep you safe.

Unencrypted personal data

The Threat If bad guys gain access to your Mac itself--whether over your Internet connection or by physically possessing your Mac--they can possess all your crucial personal information--credit card, Social Security or Tax ID numbers, account passwords and so on.

Financial management software, plain-text password cheat-sheets, and e-mail messages are all ripe sources of confidential information. They're the first things any attacker will seek out when he gains access to your Mac. If he finds what he wants, the effects can be costly and long-lasting. This is a case where the risk is low, but the potential cost is so high that precautions are worthwhile.

What You Can Do Depending on the information you want to protect, there are two helpful tools built into OS X itself.

If you want to store discrete bits of information--Social Security numbers, for example--your keychain is a good place to do it. When you launch Keychain Access (Applications -> Utilities -> Keychain Access), you'll see a Secure Notes in the left-hand sidebar. That's where you can save things like SSNs and other information you can type in.

If you want to protect entire files, use Disk Utility to create an encrypted disk image, which you can store or move anywhere and access with a password. In Disk Utility (Applications -> Utilities -> Disk Utility), click New Image in the toolbar, specify a location and size for the file, give it a name, and select your encryption option (128-bit or 256-bit ; both are very secure).

This new image file will act just like a removable hard drive: You double-click it to mount it then enter the password you specified. If you use financial management software or keep scans of family documents, your disk image is a great place to keep that data. It's also a good place to store personal data if you share your Mac user account with others.

No backups

The Threat There are plenty of ways bad guys can destroy your data; it's not that hard to accidentally do it yourself. While losing applications or rebuilding a system is painful, losing something irreplaceable like all your family photos is the digital equivalent of your house burning down. So the most important thing you can do keep your data safe is to back it up regularly.

What You Can Do I recommend a multiple-backup strategy, with both on and off-site backups. The costs are higher, but the safety is worth it to me. (I'd be devastated if I lost all the photos of my daughter.) I use Time Machine to backup most of my system locally. I also use CrashPlan to back up really important files (my entire iPhoto library, my Documents folder) offsite. And I use IMAP accounts for my e-mail, so copies of my messages are stored on my providers' servers. For more suggestions regarding a backup strategy, see our roundup of online backup services and "The No Worry Backup Plan".)

Risky downloads

The Threat While there is virtually no malicious software for Macs circulating in the wild, what little Mac malware we do see is almost always hidden in illegitimate software.

Right now, the most common source of Mac trojans is pirated software downloaded from the Net. In 2009, attackers released illegal copies of Apple iWork '09 and Adobe Photoshop that were soon circulating on file-sharing networks. Some users were infected when they downloaded and installed these pirated programs; others obtained and installed "free" copies from friends and became infected that way.

The next most common sources of infection are sites that ask you to download new QuickTime plugins or special applications to look at pictures or videos of people in various states of undress.

Lastly, we do sometimes see trojans planted in free software, especially gambling software and simple games. These, like the other trojans, tend to appear on less-popular sites or online forums.

What You Can Do Use your common sense. Don't try to find free copies of commercial programs. Don't download random QuickTime plugins or video viewers unless you know, with absolute certainty, that the source is legitimate. When downloading software, avoid forums or sources that are off the beaten track. If there's any doubt about a program, do a quick online search for it and see if it also appears on more mainstream download sites.

Another help: Snow Leopard includes a basic trojan check as part of its File Quarantine feature. A dedicated antivirus solution would provide more robust protection. But since the odds of encountering malicious Mac software are so low, I don't recommend that investment unless you have special needs. (See "Mac Security: Antivirus" for more on what those needs are.)

Antisocial networking

The Threat If the Internet is the Wild West of the digital world, social networking sites are the seedy saloons.

Criminals love social networking sites; they're cross-platform, based on trust, and often full of security flaws. We've seen social networking worms propagating through friend's lists, attackers stealing contact e-mails for spam, fake advertisements, and direct browser attacks to take over systems. And once you start installing widgets and applications on a social site, you are essentially allowing arbitrary programs to run inside your browser with full access to your information.

What You Can Do When posting information on a social networking site, don't put anything up there that you wouldn't want the whole world to see. Also carefully consider the applications you allow the site to install--especially on Facebook, where you can't always control the information an application accesses.

You might also consider using a single-site browser (SSB) for the site. Using a tool like Prism for Firefox, you can create a stand-alone browser specifically for that site; that way, any potential attacks are isolated to that SSB. Just install the Prism add-on in Firefox, navigate to the social networking site, and select Tools -> Convert Website to Application. A browser just for that site will be placed in your Applications folder.

Peer-to-peer sharing

The Threat Peer to peer (P2P) file-sharing can be a great way to distribute or download large files. But researchers have found reams of sensitive information on P2P networks. For example, there have been cases of public employees placing sensitive legal and government documents on home computers that were also running P2P software; those files turned up on the P2P networks. In my own research, I've seen everything from tax returns to scans of passports.

It isn't that P2P file-sharing itself is evil (despite what the recording and motion picture industries might claim). It's just that it's all too easy to inadvertently share things you shouldn't.

What You Can Do If you use P2P services, stick with popular programs (such as Azureus) and make sure you configure it to share only folders that contain no sensitive files. Many of these programs automatically share whatever directory you set as your own download destination, so it's best to create a directory specifically for P2P usage, and occasionally check your application preferences.

Subscribe to the Security Watch Newsletter

Comments