APLawrence - Information and Resources for Unix and Linux Systems, Bloggers and the self-employed
Mac OS X Security - Getting serious



Mac and Linux users aren't used to turning on the news and hearing about security threats that affect us. The Linux stuff doesn't get reported because Linux is too geeky, and the Mac threats have been generally absent because there haven't been many.

Well, two Mac issues popped up last week and caused a bit of excitement. The second of the two was really bogus, and probably never would have had any legs at all if the other one hadn't happened. From http://www.f-secure.com/weblog/:


Inqtana.A has not been met in the wild and it uses a Bluetooth library that is locked into a specific Bluetooth address, and the library expires on 24 February 2006. So it is quite unlikely that Inqtana.A would be any kind of threat.

Yeah, that and the fact that it's already patched.

The other thing (and it is just a "thing": it's really not a virus, and barely a trojan or a worm) was quite exciting to some:

Virus Attacks Mac OS X Users (link dead, sorry) :


Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but this will leave them shell-shocked, as it shows the malware threat on Mac OS X is real, said Graham Cluley, senior technology consultant for Sophos, in a statement. Mac users shouldn't think it's okay to lie back and not worry about viruses.

Ayup. Mac users should really worry about this one. It's a file dressed up to look like a picture. It doesn't "attack"; somebody has to send it to you, or you have to go and download it deliberately. Then you have to uncompress it and click on it. Even then, if you aren't running as an Admin user, it doesn't get to do anything harmful. There's a full writeup of it at New MacOS X trojan/virus alert, mostly a non-event.

It is true, however, that Mac (and Linux) folk tend to be too lax about security. There are things you should be doing to protect yourself no matter what OS you run. I'll just run over some of them quickly here. There's a good article at Mac Geekery - Basic Mac OS X Security, but I am a bit more draconian:

Don't carry a loaded gun around the house

What I mean here is: don't be root. On Mac OS X the root account isn't even enabled by default, and ordinarily you'd want to leave it that way ("dsenableroot" enables it; "dsenableroot -d" disables it again).




Don't even run as an Administrator account except when you need to. That's a lot easier to do on a Mac than on Windows (and there is no such thing on Linux in general), and Fast User Switching makes it painless to log in as an Administrator when you do need it. The point is to keep the firearms put away and locked up so they aren't lying around to be used.

If you have been using an Administrator account, don't demote that account to a non-admin one as the Mac Geekery article suggests. Just make a new account and start using that. Copy your files over as you find you need them and you'll also accomplish a nice house-cleaning.
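As an added check (my example, not code from the article), here is a small shell script that reports whether the account you are logged in as holds administrator rights and lists every account that does. It reads the group list from "id -Gn" and the admin group's members from "dscl . -read /Groups/admin GroupMembership"; the two helper functions take their input as text, and the sample values near the bottom are constructed so the helpers can be tried on any Unix, not just a Mac.

```shell
#!/bin/sh
# Added example: is the account you use every day an administrator?
# Helpers take their input as text so they can be exercised anywhere;
# account_report wires them to the live Mac OS X commands.

# is_admin_groups GROUPLIST
# Succeed when the space-separated group list (as printed by "id -Gn")
# contains "admin", the group Mac OS X uses for administrator accounts.
is_admin_groups() {
    for g in $1; do
        [ "$g" = admin ] && return 0
    done
    return 1
}

# admin_members DSCL_OUTPUT
# Extract the member names from the output of
#   dscl . -read /Groups/admin GroupMembership
# which looks like "GroupMembership: root tony".
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p'
}

# account_report
# Live report for the current login; only meaningful on Mac OS X.
account_report() {
    me=$(id -un)
    if is_admin_groups "$(id -Gn)"; then
        echo "$me is an ADMINISTRATOR - keep this account for when you really need it"
    else
        echo "$me is a standard user - good"
    fi
    members=$(admin_members "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)")
    # Everyone listed here can install software system-wide and unlock
    # the secure System Preferences panes.
    echo "Accounts with administrator rights: ${members:-(could not read group)}"
}

# Constructed sample input, for trying the helpers without a Mac:
SAMPLE_GROUPS="staff admin everyone"
SAMPLE_DSCL="GroupMembership: root tony"

is_admin_groups "$SAMPLE_GROUPS" && echo "sample account is an administrator"
echo "sample admin members: $(admin_members "$SAMPLE_DSCL")"

if [ "$(uname)" = Darwin ]; then
    account_report
fi
```

Run it from the account you use day to day; if your name comes back as an administrator, that is the account to stop using. The membership list is worth a look too: any account on it is a "loaded gun" whether or not you ever log in to it.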

Lock the doors

While you are logged in as an Administrator, visit the Security pane in System Preferences and tell it to lock everything: check "Require password to unlock each secure system preference". That's important and should be automatic. You might also consider disabling automatic login and requiring a password to wake from sleep, but those things are more for protecting against unauthorized use than against viruses and worms.

While you are in there, check Sharing and make sure you aren't running services you don't need, and that the firewall is enabled. You DO have a hardware firewall as well, right?
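An added example (mine, not the article's) that answers "what is actually listening?" from the command line instead of trusting the Sharing pane: it parses the Mac OS X "netstat -an -p tcp" listing, separates sockets bound to a loopback address from those another machine can reach, and reports whether automatic login is on by reading the "autoLoginUser" key from /Library/Preferences/com.apple.loginwindow. The netstat lines in SAMPLE_NETSTAT are constructed for illustration, in the layout netstat prints on a Mac.

```shell
#!/bin/sh
# Added example: what is actually listening, and is automatic login on?
# Parsers take text so they can be tried anywhere; lock_report runs them
# against the live commands on Mac OS X.

# listening_ports NETSTAT_OUTPUT
# Print "PORT HOST" for every listening TCP socket in the output of
# "netstat -an -p tcp" (Mac OS X format: local address is HOST.PORT and
# "*" means every interface).
listening_ports() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" {
        n = split($4, f, "[.]")
        port = f[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        print port, host
    }' | sort -n | uniq
}

# exposed_ports NETSTAT_OUTPUT
# Same, but only sockets not bound to a loopback address, i.e. the ones
# another machine can connect to.
exposed_ports() {
    listening_ports "$1" | awk '$2 != "127.0.0.1" && $2 != "::1"'
}

# autologin_user
# Print the account that logs in automatically at boot, if any;
# fails when the key is not set.
autologin_user() {
    defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null
}

# lock_report: live check (Mac OS X only)
lock_report() {
    out=$(netstat -an -p tcp)
    echo "Listening sockets reachable from the network (port host):"
    exposed_ports "$out"
    if u=$(autologin_user); then
        echo "Automatic login is ON for $u - turn it off in Accounts > Login Options"
    else
        echo "Automatic login is off"
    fi
}

# Constructed sample, in the layout netstat prints on Mac OS X:
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      17.1.2.3.443           ESTABLISHED
tcp6       0      0  *.548                  *.*                    LISTEN'

echo "Sample - reachable from the network:"
exposed_ports "$SAMPLE_NETSTAT"

if [ "$(uname)" = Darwin ]; then
    lock_report
fi
```

Every port the report shows as bound to "*" is something the Sharing pane (or some installed package) has opened to the network; if you can't name the service behind it, turn it off. Loopback-only listeners, like the printing daemon on 631 in the sample, are not reachable from outside and are not the concern here.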



"t00r" is not a password

Your passwords need to be really tough, and you should not be using the same password all over the internet. Yeah, I know that means a lot of passwords, but it doesn't have to be that hard. For the dozens of sites where I need a password but where a break-in isn't particularly critical (someone could pretend to be me in a comment, but couldn't steal money), I use two basic passwords and add in part of the site name. Say one base password is "fru%78hfg". When I visit xyz.com, my password is "fru%xyz78hfg", but at abcsoftware.com it's "fruabc%78hfg". Where the three letters go is decided by the site name's first letter: "a" through "m" means they go in front of the %, "n" on up means they go right after it. This gives me a unique password for each site, but I always know what it is.
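The rule above, as an added example in shell (my code, not the author's): site_password takes the base password and a hostname and applies the a-through-m-before, n-onward-after rule. The base "fru%78hfg" and the sites xyz.com and abcsoftware.com are the article's; abcnews.com is a constructed hostname added to show what happens when two sites share their first three letters.

```shell
#!/bin/sh
# Added example: the per-site password rule from the article.
# site_password BASE HOSTNAME
#   BASE holds exactly one "%". The first three letters of the site's
#   name go in front of the % when they start with a-m, and right after
#   it when they start with n-z.
site_password() {
    base=$1
    site=${2#www.}                        # ignore a leading "www."
    tag=$(printf '%s' "$site" | cut -c1-3 | tr 'A-Z' 'a-z')
    before=${base%%"%"*}                  # BASE up to the first %
    after=${base#*"%"}                    # BASE after it
    case $tag in
        [a-m]*) printf '%s%s%%%s\n' "$before" "$tag" "$after" ;;
        *)      printf '%s%%%s%s\n' "$before" "$tag" "$after" ;;
    esac
}

# The article's own base and sites:
site_password 'fru%78hfg' xyz.com            # fru%xyz78hfg
site_password 'fru%78hfg' abcsoftware.com    # fruabc%78hfg
# A constructed hostname sharing its first three letters with the one
# above gets the same password; the rule cannot tell them apart:
site_password 'fru%78hfg' abcnews.com        # fruabc%78hfg
```

Note the two weaknesses that come with the rule: sites whose names start with the same three letters get identical passwords, and anyone who sees one derived password can read the base off it and work out the others. That is why it only makes sense for the low-value accounts the article reserves it for.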

No automatic passwords, thanks anyway

In Applications > Utilities is Keychain Access.app. If you opened it on my machine, you'd find that it doesn't know a single password. That's partly a security measure, but more a matter of convenience: I remember my own passwords because I want to be able to use them anywhere, any time. I was working with someone the other day who wanted to check their Gmail and had to go back to their office to do it; they had no idea what their password might be! I know my passwords and can get at whatever I want from wherever I am.

Macs are basically secure, and Mac users don't have the constant problems that plague Windows. But Macs are not immune to security threats, and you shouldn't be lazy and complacent about protecting yourself.




3 comments




More Articles by Anthony Lawrence








Mon Feb 20 14:48:36 2006:   anonymous


What's your opinion on the 3-part post on Leap-A at Rixstep?

http://www.rixstep.com/1/20060216,00.shtml

http://www.rixstep.com/2/20060216,00.shtml

http://www.rixstep.com/2/20060216,01.shtml

He's usually keen to bash Microsoft (with good reason, of course), but he doesn't let Apple off the hook here.

Yes, Leap-A/OOmp-A is not a big problem, but is it fair to say that it is a bad omen? Also, do you think the following comments are fair, or not?

1. "... what Oomp-A lacks in carefully crafted coding it more than makes up for in incisive analysis of the inherent weaknesses in OS X."

2. "The Oomp-A exploit will not work on NeXTSTEP. It will not work on Unix. It will only work on Apple's less than shiny OS X."

3. "Lovely OS X allows anyone to disguise a file with a custom icon - something Windows, notorious for its security breaches, simply can't accomplish."

4. "Without Apple's inexcusable file system HFS, Oomp-A would not be able to carry out its appointed tasks. Data is transferred from data forks into resource forks and executable code is run right out of resource forks - Oomp-A is, thanks to OS X, several executables in a single file."

Do you think HFS is a mess, and really Apple should have dumped Classic and Carbon, so that it shouldn't have been necessary to use it? Do you think Apple really ought to have used Reiser, as he says?





Mon Feb 20 15:15:21 2006:   TonyLawrence

I think Apple had some good ideas with HFS, but they need to do more.

For example, I suggested at http://aplawrence.com/MacOSX/case_sensitivity.html that they should allow case sensitivity etc. on a directory by directory basis. The exact same thing could be done with resource forks, and because they are a potential security risk, it might even be a good idea to require confirmation of their creation when installing new software. Here, for example, you might have cause to wonder if unpacking a supposed picture suddenly asked you if it's OK to create an executable resource fork.

So, no, I don't necessarily think they should have gone with Reiser, but I do agree that if they aren't going to do more with HFS, Reiser might well be a good alternative.







Mon May 30 18:25:15 2011:   TonyLawrence

As there are now true "drive by" OS X exploits that do NOT require user interaction, it is more important than ever not to run an Administrative capable account. As I said, just use a different account - leave the admin for when you really need it.
