[DM-MUG] Josh More on Mac OS X Security

Victoria L. Herring vlh at herringlaw.com
Wed Jan 23 06:50:30 CST 2008


We had a fascinating meeting last night [reminder, it's every fourth 
Tuesday at 7p at Haddock Computer, on 73rd St.] on Security for your 
computer running Mac OS X.  Josh is a security specialist at Alliance 
Technologies and while at times the concepts were a bit arcane for 
most, he was very clear and helpful in bringing them to the rest of 
us.  Great job and I'm going to summarize the meeting in the 
following bullet points:

Mac OS X is no more secure than any other OS, and it too needs to 
have protective steps taken to prevent theft, breakage, hacking and 
the like.  The test of how paranoid you need to be and how secure you 
should be is:  how and where is your data stored and how could 
someone use it against you?  If your online banking records are on 
your computer, they're not safe if you don't take steps to protect 
them.  If your personal family information, health history, etc., is 
on your computer, it's not safe if you don't take steps to protect 
it.   If your business records are there, you have obligations to 
those clients or businesses to protect them from access by others. 
If you have written the Great American Novel, the Greatest Piece of 
Music, its special nature is compromised if it's not secured.  In 
other words, it's NOT paranoia, it's a necessity to be concerned 
about security whether you're a home user or someone with other needs 
as well.

There are Command Line [Terminal] steps that can be taken to really 
make an OS X machine secure against dangers, but those are not for 
the faint of heart and probably better done by someone used to the 
steps needed [I know my rule is don't mess with Terminal - 
fortunately, there are lots of free and shareware applications that 
can be of assistance here]

The whole issue of Physical Security is forgotten, but it's really 
the first and primary barrier:  you need to make sure no one has 
access to your computer/data through theft, hacking, etc.  Once 
someone gains entry to your computer and its data, they can take 
information and use it to hurt you or others.  So you need to prevent 
thefts, stolen laptops or hard drives or USB Flash sticks, and the Q 
is how to do that.  There are plenty of good software resources for 
that [more information will be on the website of DMMUG, 
www.DMMUG.org].

Use a Lock:  cables with keys or combinations lock to the computer 
thru its locking port and you attach it then to some immoveable 
object [don't tie it to a chair or pillow and expect it not to wander 
away].  If some determined thief comes across it, he/she will turn 
and steal someone else's unlocked laptop and yours will probably be 
safe.

There are alert systems, tracking down systems and the like which 
also deter theft or, if it happens, find the culprit and let you 
rip them limb from limb.  [There are more advanced technical steps 
within OS X such as setting up the open firmware or EFI to require 
passwords before booting and the like, which may be worth exploring]

Disable the Microphone and iSight in your computer, since access to 
them could allow someone to steal images or sounds from a highly 
confidential meeting [again, whether or how much you may need this 
depends on your circumstances;  it's certainly something to ask the IT 
department personnel about].

Reset the various OSX defaults:  there is a tradeoff between Security 
and Usability and Apple's defaults err toward the latter.  So, if 
you want a more secure machine you will have to jump through some 
hoops to use it, but it'll be more protected, your data will be more 
protected, and the hoops won't be that difficult to handle given the 
pay back.  (1) in System Preferences, set the machine to go to sleep 
regularly and require a password to wake it from sleep, (2) disable 
the IR [infrared], (3) use an encrypted Disk Image created by Disk 
Utility [free program, part of Utilities in OSX] to store things that 
you want protected especially and use AES-128 security to encrypt, 
(4) reset your Account preferences to keep the Administrative user 
only for limited purposes and use only a Standard account for 
yourself, (5) limit the number of Log In items to those you really 
need and recognize.

Have a good way to generate passwords and use it.  Passwords should 
have:  uppercase and lower case letters, numbers and punctuation. 
They can be created in and stored in Keychain Access [an encrypted 
file reachable thru a special password you better remember, again a 
free program in the Mac OS X Utilities].  There're also programs such 
as 1Password and Password Wallet that leverage the keychain and allow 
for all sorts of things to be secured, remembered and accessed beyond 
the main computer [such as thru syncing with Treos, iPhones, .Mac 
etc.]  [shameless plug, I have a Password Algorithm article I wrote 
on my website for download, 
http://www.herringlaw.com/publications.html ]

Use your Firewall:  You need to prevent easy access to your computer 
by those who would come into it thru wifi or landline or whatever and 
get your data.  If you don't both set up your software OS X Firewall 
[Sharing pane in System Preferences] AND have a hardware firewall 
between the cable or DSL modem and your computer, you are asking for 
trouble.

Turn off sharing of Printers.  In fact, in larger enterprises with 
those fancy new large printers, there are people hacking the printers 
and then getting into the network, so closing the printer system to 
unnecessary access is vital [again, tell your IT folks].

QuickTime is a major security hole - apply all updates and security 
patches, disable Auto Play and Instant On in the preferences.

Be sure to Secure Empty Trash and Secure Erase Free Space to prevent 
information being leaked;  Secure Virtual Memory [all these terms are 
in the OS X Help area or googleable]

Get a Virus Program - Macs can have viruses and, more to the point, 
pass them on if they are received.  Be good to yourself and your data 
and protect it from viruses.  I use VirusBarrier, there are programs 
from Symantec, Virex [a bit old], Sophos, and free programs ClamAV 
and ClamXAV.  And be sure to update your definitions regularly, and 
run it.

Wireless is like Radio - it not only receives data, it sends it.  You 
need to make it difficult for people to steal or obtain your wireless 
signal or use it to access your computer.  Use encryption of messages 
and material over wireless, set up your Airport Utility to use WPA 
security.

Practice Safe Computing: don't click on links in emails - enter the 
URL directly in the browser instead;  if you can, use cable not 
wireless, in public hotspots [coffee cafes, city libraries, other 
general access points] do NOT do any banking or handling of extremely 
confidential information.  The old saw about 'you're not paranoid, 
they really are out to get you' holds true -- maybe no one is 
targeting you, but they will target your data and use it for their 
own purposes [and hurt you in the process].  Make it hard to do so.

Your banks, brokerage accounts and other such are all interested in 
security.  Don't pay attention to emails from them [probably spoofs 
or phishing] but go to your bank's or credit card or brokerage sites 
and check their information on security.  Lots of good tips there too.

A great and helpful program no matter the OS, but a good wakeup call 
for OS X users.


-- 
Victoria L. Herring, Attorney in Des Moines, Iowa -  Civil rights, 
Discrimination & Employment Law, http://www.herringlaw.com.  Ph. 
515/255-4475;  iChat AV:  victoriaherring at mac.com;  Skype:  vlherring.