In the weeks since my last column, three Mac security exploits cropped up and have received a lot of attention (not that I'm saying "I told you so"). However, like the ones before them, they have proved to be not very threatening, albeit in varying degrees. And all three have been addressed by a security patch that Apple released on March 1.
The first vulnerability involved the Leap.A worm, also known as the Oompa Loompa worm. This turned out to be pretty hard to get and pretty hard to pass on, as two Macworld writers found. Like so many other worms, Leap.A relied on tricking users into downloading and opening a suspicious file. If you ignore file attachments that you don't expect or that look suspicious, you'll protect yourself from the vast majority of Internet crud, especially the kind that arrives via e-mail. I like to think of this as the second rule of safe computing. The first? "If it sounds too good to be true, it is."
The second security problem, also a worm, was basically toothless; its perpetrator says he created it as a "proof of concept" to raise awareness of OS X security issues. The worm, known as Inqtana.A, exploited a hole in the Bluetooth software in OS X 10.4 (Tiger) that had been patched last year. Inqtana.A deactivated itself after February 24, 2006. The moral of the Inqtana.A story: Keep your operating system up-to-date and don't accept unknown files, whether they come to you in e-mail, iChat, or beamed from someone's Bluetooth phone.
The last one of the three, a vulnerability in Apple's browser Safari, had the most potential for damage. By default, Safari is set to automatically open "safe" file types, such as movies and music, after they've been downloaded. Before Apple closed this hole, malicious scripts could be disguised as an innocuous file type and set to automatically run upon download. Unchecking the "Open 'safe' files after downloading" box in Safari's General Preferences pane also closes the security hole. Browsers other than Safari were not affected.
Hackers who want your passwords and credit-card numbers don't care whether you're using a Mac or a PC. Either way, if you use a Wi-Fi network, you're making their task easier. You should definitely enable whatever encryption your home network supports, be it WEP or WPA. This prevents unauthorized users from hopping onto your network and possibly snooping on your communications and getting into your hard drive.
But how do you keep your business to yourself when you're using the Wi-Fi at your corner coffee shop? It has to be unprotected for you to use it, unless you have to ask for the password at the counter, along with the key to the bathroom. Even in that case, you're sharing a network with people you don't know. Having your software firewall turned on is the obvious first step; see last month's column for how to enable the OS X firewall. Here are some other tips:
Protect What You Don't Want to Share. Use your firewall to close off access to all the ports that you don't need open, including file sharing. You might also consider password-protecting or encrypting all or some of your hard drive. As I mentioned last month, OS X's FileVault does the job, but too thoroughly for my taste. I'd choose a program like PGP, which lets me choose which folders to encrypt.
Keep the Confidential Stuff at Home. If you don't want someone grabbing your financial data out of the air, save your Internet shopping and banking for your secured home network. In addition, make sure the sites with which you transact business use Secure Sockets Layer encryption. And if you're chatting or e-mailing, confine it to material you wouldn't mind having your mother (or your boss) see--as with almost any Internet communication, it could have a second life that you don't intend.
Stop Shoulder-Surfing. Snooping doesn't always require high-tech gear. As I just mentioned, it's unwise to work on super-secret company plans in public--but if you must, be aware of what's going on around you. Make sure no one's looking over your shoulder.
Use Wi-Fi Sparingly. Whenever you don't need it, turn off your Wi-Fi card. You'll block access to your laptop and conserve battery life.
The firewall built into OS X is the silent type. You can use its advanced settings to turn on logging, but you have to take the initiative to set it up and then view and interpret the log. I checked out Open Door Networks' DoorStop X Security Suite, which does quite a bit more than OS X's firewall.
Open Door Networks' suite consists of DoorStop X Firewall, Who's There Firewall Advisor, and "Internet Security for Your Macintosh," an e-book that's integrated with both programs. The suite is priced at $79, and each element can be purchased separately. The components are available as free, 30-day trial downloads.
The e-book, written by Alan Oppenheimer and Charles Whitaker, is especially helpful. Detailed but written for nongeeks, it has a commonsense approach and answered a bunch of my "but what about..." questions. For example, it explains how to configure, test, and troubleshoot a personal firewall.
DoorStop X Firewall is meant to replace OS X's built-in firewall. When you install it, you are directed to disable the OS X firewall. DoorStop X's controls look much like those in OS X's firewall, with the added benefit that you can choose to give selected IP addresses access to your computer's ports; for example, you could open file sharing to all the IP addresses on your home network. In addition, DoorStop X identifies ports by their number and an icon, as well as their English-language name.
Who's There Firewall Advisor shows you what's in your firewall's log file in an easy-to-read, easy-to-filter interface. For any access attempt, you can search the WHOIS database to find out who owns the connected IP address; you can draft an e-mail to the network administrator of the connected IP address; you can view a map of where the network is physically located; and you can view which service (e.g., file sharing or printer sharing) the access attempt was made on.
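For readers who would rather interpret the firewall log by hand, here is an added example (not part of Who's There or any Open Door Networks software) that tallies denied connection attempts by source address and by the service they were aimed at. The log line layout, the host name and the sample entries are assumptions constructed for illustration; adjust the pattern to match what your own log actually contains.

```python
import re
from collections import Counter

# Port-to-service names for the two sharing services the column mentions,
# plus two other common ones. Extend as needed.
SERVICES = {548: "file sharing (AFP)", 631: "printer sharing (IPP)",
            22: "remote login (SSH)", 80: "web sharing (HTTP)"}

# ASSUMED layout of a denied-packet entry (ipfw style):
#   <date> <host> ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port> in via <if>
LINE_RE = re.compile(
    r"ipfw: \d+ Deny (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) in\b")

# Constructed sample entries using documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
Mar  1 09:12:01 powerbook ipfw: 12190 Deny TCP 203.0.113.7:51234 192.168.1.20:548 in via en1
Mar  1 09:12:03 powerbook ipfw: 12190 Deny TCP 203.0.113.7:51235 192.168.1.20:548 in via en1
Mar  1 09:13:40 powerbook ipfw: 12190 Deny TCP 198.51.100.9:40000 192.168.1.20:631 in via en1
Mar  1 09:14:02 powerbook ipfw: 12190 Deny UDP 198.51.100.9:40001 192.168.1.20:9999 in via en1
Mar  1 09:15:10 powerbook kernel: unrelated message
"""

def summarize_denied(log_text):
    """Return (Counter of (source IP, service) -> attempts, unrecognized line count)."""
    denied, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            skipped += 1          # not a denied-packet entry in the assumed layout
            continue
        port = int(m["dport"])
        service = SERVICES.get(port, f"unknown ({m['proto']} port {port})")
        denied[(m["src"], service)] += 1
    return denied, skipped

if __name__ == "__main__":
    denied, skipped = summarize_denied(SAMPLE_LOG)
    for (src, service), count in denied.most_common():
        print(f"{count:3d}  {src:15s}  {service}")
    print(f"{skipped} line(s) not recognized")
```

Repeated attempts from one address against file sharing or printer sharing are the entries worth a WHOIS lookup; a high count of unrecognized lines means the pattern needs adjusting for your log.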
While I'm not sure whether I need all the tools offered by the DoorStop X Security Suite, I found the $10 e-book invaluable.
Comments or questions? Drop a line to The Mac Skeptic.
