A Security Primer for Mac OS X
by François Joseph de Kermadec
02/20/2004
The recent security issues that have affected Windows users have led
the media--and sometimes even Mac-specialized publications--to talk
about the shortcomings of the Windows security scheme and to provide surprisingly
detailed advice.
So far, Mac users indeed have been luckier. Mac OS X is relatively secure out
of the box, and Apple has been good about providing easily installable
security updates as needed.
Unfortunately, some Mac users forget that security is more than just
applying the occasional patch. It is a continuously evolving quest that
requires additional steps to make their systems more secure. Luckily,
the Unix foundation of Mac OS X, Darwin,
has provided us with powerful tools that we can leverage to help our
computers remain secure in an otherwise dangerous world.
In this article, I'll take a hands-on approach to what I call "security
through common sense," the basic security steps that every single
Mac user should take.
Disclaimers
Security is a touchy topic and nobody owns a definitive security
answer. This article presents the steps that I would personally recommend,
but my views may differ from those of your network administrator, company,
or school--either because you need a greater level of security, or because
the organization relies on other, internally tested, solutions. In any
case, please consult your IT department before implementing these steps.
If you handle very sensitive data, I would advise you to seek professional
advice. Using a Mac is an excellent way to protect data--since Macs
are extremely secure--but you may need to implement industrial-strength
firewalling and intrusion-detection software. This is obviously outside
the scope of this article.
I have tested the third-party software I link to on my own machines.
However, please understand that I have no "insider knowledge" about
these applications and that I cannot endorse them.
Why Should I Protect My Mac?
Many Mac and computer users in general do not take additional security
steps to protect their data because they have the feeling that they
have "nothing to hide" or that they do not store any valuable information
on their computers.
Unfortunately, this comforting theory overlooks the fact that most
of the time, hackers don't try to attack your computer or your network
because you are who you are. Indeed, most of the time, attacked computers
are chosen semi-randomly: because the attackers have detected that you have an
unusual amount of traffic; because you run an unprotected Windows 95
computer somewhere on your network that makes it easy to crack; and so on.
Some people will try to break into your computer "for fun." However,
nowadays, many exploits have a single goal--to turn the computer into
some kind of zombie from which the attacker will be able to steal confidential
information (can you swear that your credit card number isn't stored
somewhere on your computer?), or with which to perform illegal actions in your
own name. Therefore, in most cases, hacking a computer is worth the time
and effort spent, even if the person who tries to break in has no
idea who you are.
Even worse, in some countries, not having any protection in place can
be seen by the law as an implicit approbation of what other people could
do on your computer without your knowledge--the good old "this person
wasn't protected, this shows that he didn't mind what could happen."
Should something go wrong, being able to prove that your computer was
indeed protected may be a good way to show your true intentions.
The Basics
Now that we have discussed why security is important, I'm going
to walk you through the basic steps of securing your Mac. This first
part will give you an overview of things you might know already, but
may include a new wrinkle or two.
Know Your Computer
Most security issues nowadays rely on simple social engineering techniques--convincing a user to download an application or run a special command
that opens a breach in the security systems that have been set up. That's
how most Windows viruses propagate, and we've all seen how effective
this approach is.
Since you are reading Mac DevCenter, you probably know the Mac OS
X basics that are explained in books like Mac OS X Panther: The Missing
Manual. In that case, I would recommend that you have a look through
the excellent Running Mac OS X Panther by James Duncan Davidson to
learn more about the underpinnings of Mac OS X.
By knowing Mac OS X better, you will be able to avoid common mistakes--like turning on Windows file sharing and FTP services "just in case."
This may sound silly but this is the most essential step towards good
security and will allow you to react in an efficient manner to incidents
and potential issues.
Of course, we assume that you already know that you are not supposed
to open unknown email attachments, run strange applications, and so
on. You should exercise the same caution on your computer that you would
in the real world when dealing with strangers, let's say on a dark street
at around 3:00 a.m.
Stay Up to Date with Security News
As a concerned citizen of your country, you are already trying to keep
up with the current events, on a local, national and international scale.
That's great! But do you do the same when it comes to computer-related
news?
Indeed, the best way to defeat social engineering and to avoid issues
is to be aware of what's going on in the security world.
Luckily, this can be done in very simple ways. This
page provides you with simple tips to learn more about security
issues as soon as they are discovered. I would highly recommend that
you subscribe to Apple's security-announce mailing list as well.
Also, you may want to keep an eye on the recent virus outbreaks and
security issues. Indeed, even reading about Windows- and Linux-only viruses
and trojan horses will give you a good idea of what's happening on the
network and how social engineering works. A good place to start is this
page.
Should a Mac virus be discovered, you will then notice it immediately
and be able to take the appropriate steps.
Ensure Local Security
In this article, we're going to focus on network-borne threats. However,
there can be no network security if anyone can sit in front of your
screen, alter your settings, and then use the new setup to attack you
remotely.
Therefore, I would recommend that you have a look at this
Mac DevCenter article on setting up a firmware password.
You should also turn automatic login off, and make sure that authentication
is required to alter the settings of most preferences panes--this
can all be done through the "Security" preferences pane. Also, get into
the habit of using the "Lock screen" feature--available through the
Keychain menu--whenever you step away from your keyboard, even for
a few minutes.
Finally, you may want to have a look at FileVault
and decide whether or not you want to run it.
Keep Your System Up to Date
The Mac OS X development team does its absolute best to provide you
with a secure operating system and may release, from time to time, security
updates--even when there's no known exploit.
I would recommend that you apply these updates as soon as they are released,
to make sure that you do not give attackers time to exploit a known
vulnerability. Indeed, it is now quite easy to find software on the
Internet that will automatically try to break into computers and report
all the vulnerabilities found in a specific machine, along with tips
about how to use them. In many countries, such software is perfectly legal
and some authors update their applications daily!
The most convenient way to update your applications is, of course, to
use the "Software Update" preferences pane, available through the "System
Preferences" application. It will take care of finding the updates you
need, then download and install them, making securing your computer
very easy. Unlike some update mechanisms featured by other operating
systems, "Software Update" checks that the files that it downloads indeed
come from the Apple servers--and not from any server that claims to
be Apple.
For maximum security, you may want to download updates manually from
the recently redesigned Support
downloads page. The main advantage is that you will be given the
option to manually test the authenticity of the file you download--an
added security measure--by using the "md5" utility. The main drawback is
that updates are usually posted on the downloads site with a slight
delay--24 hours in most cases.
md5 is a Unix command-line utility that allows you to read the "checksum"
of a file. Like fingerprints, checksums are unique identifiers that
correspond to a specific file and it is highly unlikely--some say
virtually impossible--to find two different files with the same checksum.
If the checksum provided by md5 on your Mac and the one provided
by Apple on the downloads site match, you can be virtually sure that
you have downloaded the right file and that it has not been altered
during the download.
To check a file's md5 checksum, simply open a Terminal window and type
the following command: "md5 /path/to/the/file". Then, press return
and compare the string returned with the one displayed on the download
page.
md5 checksums now have known flaws that could potentially allow someone
to forge an altered file with the same checksum. This is, however, very
unlikely and md5 is still widely seen as a safe way to check the integrity
of files--provided, of course, that the web site that is used as a
reference hasn't been hacked too!
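The manual check described above can be wrapped in a small shell function so that the comparison is done by the machine rather than by eye. This is an added example, not part of the original article: the names file_digest and verify_download are made up here, and it goes slightly beyond the text by also accepting a SHA-256 value (chosen by the length of the pasted string) for sites that publish one.

```shell
# Added example: verify a download against the checksum its publisher lists.

# Print the lowercase hex digest of a file. $1 = md5|sha256, $2 = path.
file_digest() {
    case "$1" in
        md5)
            if command -v md5sum >/dev/null 2>&1; then
                md5sum < "$2" | cut -d' ' -f1
            else
                md5 -q "$2"                    # Mac OS X / BSD utility
            fi ;;
        sha256)
            if command -v sha256sum >/dev/null 2>&1; then
                sha256sum < "$2" | cut -d' ' -f1
            else
                shasum -a 256 "$2" | cut -d' ' -f1
            fi ;;
        *) return 2 ;;
    esac
}

# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_download() {
    file=$1
    # Normalise the pasted value: strip whitespace, fold hex to lowercase.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    case "$expected" in
        ''|*[!0-9a-f]*) echo "not a hex checksum" >&2; return 2 ;;
    esac
    case ${#expected} in            # digest length selects the algorithm
        32) algo=md5 ;;
        64) algo=sha256 ;;
        *)  echo "unexpected checksum length ${#expected}" >&2; return 2 ;;
    esac
    actual=$(file_digest "$algo" "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK ($algo): $file"
    else
        echo "MISMATCH ($algo): expected $expected, got $actual" >&2
        return 1
    fi
}

# Constructed sample: a stand-in "download" whose MD5 is known.
sample=$(mktemp /tmp/verify.XXXXXX)
printf 'hello' > "$sample"
verify_download "$sample" "5D41402A BC4B2A76 B9719D91 1017C592"
rm -f "$sample"
```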
As important as it is to keep your operating system up to date, you should
also not forget to update your applications.
Applications
Many applications are updated frequently for security reasons, including third-party web browsers, email readers, and Microsoft Office. As long as you are running them, it is extremely important to update them too, since they could
potentially allow an attacker to run malicious code on your computer--consider macro viruses, for example.
Many software authors now provide you with software update-like features
but, unfortunately, very few have actually implemented security checks
in them. Therefore, I would recommend that you use these features to
check if an update is available on a regular basis but go to the actual
application site to download it. If the authors do not provide an md5
checksum, you may want to ask them to get into the habit
of posting one.
Software Update will usually notify you about updates to the
Apple applications you have installed on your computer, even if
they are not bundled with the standard Panther installation.