OSX Security (share your tips and tricks)

Discussion in 'OS X and OS X Apps' started by jcdman, Oct 8, 2008.

  1. jcdman

    jcdman Member

    Joined:
    Sep 11, 2008
    Messages:
    177
    Likes Received:
    0
    Location:
    Makati
    i'm relatively new to the security features of OSX leopard. any tips and tricks that you guys wanna share? so far, what i'm just keen on are the logon passwords, parental controls for other/guest users, and authentication by the administrator whenever a new program is installed or for updates or when settings are going to be changed in system preferences.

    what are your layers of security? actually, share your tricks na lang :) security would be pointless if you disclose that you're using this or that kind of security protocol :)
     
  2. bacchus_3

    bacchus_3 PhilMUG Addict Member

    Joined:
    Apr 29, 2007
    Messages:
    4,804
    Likes Received:
    310
    Gender:
    Male
    I think there was a thread of security tips but I can't seem to find it.

    If I'd get a new Mac here's the first steps I'd want to do [but not limited to].

    1. Create a dedicated administrator user account
    2. Add password to my frequently used user account and set it up as a normal user
    3. Set up the firewall to 'Set access for specific services and applications' and add applications that I'd want the firewall explicit access to the net.
    4. Set up screensaver to prompt for password when woken up

    Hmmm...that's as far as I can remember it.
     
  3. rafaelc378

    rafaelc378 Active Member

    Joined:
    Mar 19, 2008
    Messages:
    5,464
    Likes Received:
    2
    In addition to what bacchus mentioned:

    -Activate & setup the EFI Firmware Password. This means that the mac won't boot from anything other than the onboard HD without entering that password.

    -Set up security so that any change to system preferences needs a password input.

    -(Not part of OS X, but good idea nontheless) If you have the funds, buy a tracking/recovery software like Orbicule's Undercover.
     
  4. macdrive007

    macdrive007 Well-Known Member

    Joined:
    Mar 18, 2007
    Messages:
    3,665
    Likes Received:
    26
    Gender:
    Male
    Location:
    Caleruega, near Tagaytay
    Question:
    If your regular typical OS X Tiger/Leopard-installed Mac is connected to a local network hub to connect to the internet in the office, either through Ethernet or Wifi, can other Macs or PCs access the data of your Mac? Can they peep what you are currently working on? Can they access your files, apps, browser and desktop? Can they see your usage history and all private info including internet websites and keychain? Or the network server has all your files and history?

    Or are Macs secure as they are used as-is...? If not, what security measures should you use?
     
  5. jcdman

    jcdman Member

    Joined:
    Sep 11, 2008
    Messages:
    177
    Likes Received:
    0
    Location:
    Makati
    rafaelc378, the ONLY way to setup the firmware passowrd is to run the recovery again right? there's no way of activating it otherwise?

    bacchus, you mean the account you always use isn't the admin account for your mac?
     
  6. rafaelc378

    rafaelc378 Active Member

    Joined:
    Mar 19, 2008
    Messages:
    5,464
    Likes Received:
    2
    @macdrive: Go to System Prefs>>Sharing>> If all of them are unchecked, you are safe. While you may be seen on the network, nothing you have will be shared on the network.

    @jcdman: Yes, unfortunately for you, you're supposed to set it up only with the OS X restore disks that came with your Mac originally.
     
  7. bacchus_3

    bacchus_3 PhilMUG Addict Member

    Joined:
    Apr 29, 2007
    Messages:
    4,804
    Likes Received:
    310
    Gender:
    Male
    yes, my account is a normal user. I think it then requires me to unlock all system specific pref panes before making changes - correct me if I'm wrong. I never run applications as a superuser/admin too. Doing so may allow any successful hacking take control of your account with admin rights. If it was a normal user, then additional hacking is needed to gain admin rights. It makes it harder. Although the Mac is fairly secure, it helps to make things harder for hackers :)
     
  8. bacchus_3

    bacchus_3 PhilMUG Addict Member

    Joined:
    Apr 29, 2007
    Messages:
    4,804
    Likes Received:
    310
    Gender:
    Male
    when I had tiger on my MB I only had to tweak some more firewall settings - and those I listed above. But by default an out of the box OS X Tiger won't be instantly vulnerable to attacks to hacking. If you have folde sharing turned on you may need to add password and disable unnecessary services - check your System Preferences in Tiger OS X.

    Unless you have Trojan apps (think online dashboard widgets calling home), Tiger is secure like Leopard.
     
  9. viral_variance

    Joined:
    Mar 16, 2008
    Messages:
    512
    Likes Received:
    0
    Gender:
    Male
    Hi,

    Typical Setup
    1. Create a separate admin account for your maintenance tasks.
    2. Do not grant admin rights to your user (aside from admin of course)
    3. Enable Firewall to Specific Applications
    4. Disable Automatic Login
    5. Require password when waking up from screen saver or sleep
    6. Do not use weak passwords

    Advance
    1. Enable root user, so that no other kiddie script/application might enable it aside from you.
    2. Get a third-party firewall application (e.g. Little Snitch, or study ipfw)
    3. Enable Stealth mode on firewall setting
    4. Scan for open ports from www.grc.com
    5. Disable unused services on System Prefs > Sharing
    6. Do not surf for Banking sites on Free Wifi spots

    more to come later
     
  10. chi.mac

    chi.mac Member

    Joined:
    May 7, 2008
    Messages:
    437
    Likes Received:
    0
    Location:
    Long Beach, CA/Manila, PH
    Thanks for the tips guys! :rolleyes:
     
  11. viral_variance

    Joined:
    Mar 16, 2008
    Messages:
    512
    Likes Received:
    0
    Gender:
    Male
    based on my experience, macbooks, in particular, are not really safe out of the box, with the default settings on. there are too many loopholes to begin with, such as login, and firewall settings.

    though i believe it is still relatively safer than windows, on default settings.

    and your biggest enemy, is always, social engineering. it doesn't matter if you have those $99 security suites and operating system. alll it takes is for you to disclose your password to an aggressive hacker, and you're gone.
     
  12. bacchus_3

    bacchus_3 PhilMUG Addict Member

    Joined:
    Apr 29, 2007
    Messages:
    4,804
    Likes Received:
    310
    Gender:
    Male
    oh, I agree with that viral_variance. What I'm trying to say is get get a Windows XP - ka-level nang Tiger at that time - notebook out of the box to the net and if you don't get it updated soon you'll be hit by the RPC exploit within an hour (the one that shows you a prompt that your system will shutdown in 30 seconds and you can't cancel it - remember this?). I've seen this on two of my XP notebooks back in my Windows days.
     
    #12 bacchus_3, Oct 8, 2008
    Last edited: Oct 8, 2008
  13. viral_variance

    Joined:
    Mar 16, 2008
    Messages:
    512
    Likes Received:
    0
    Gender:
    Male
    i just realized that, an aspect that makes Mac OS X secure is that is shares the strength of both windows and unix/linux environments.

    Windows, with its closed-source, proprietary system shields its code from immediate vulnerability away from hackers, given its obvious popularity (yes i don't believe in the "many-eyes theory" of linux).

    linux, with its unix-core, secured for many years by the world's top hackers.

    Mac OS X, of course has a closed-source framework and open source unix back-end, mid-level popularity, gave it its present state of security.
     
  14. Swamommy

    Swamommy Member

    Joined:
    Apr 28, 2008
    Messages:
    236
    Likes Received:
    0
    Gender:
    Female
    Location:
    Quezon City
    @ VIRAL VARIANCE:
    You mentioned in number 6: "Do not surf on Banking sites..."
    Does this mean online banking is discouraged? I access some of my accounts online. Nge. It's not safe ba? :(
     
  15. arelcee

    arelcee Active Member

    Joined:
    Jan 17, 2007
    Messages:
    1,052
    Likes Received:
    1
    Gender:
    Male
    Location:
    Philippines
    Hi... I believe viral_variance is referring to doing online banking on a free Wifi spot. ;)
     
    #15 arelcee, Oct 9, 2008
    Last edited: Oct 9, 2008
  16. viral_variance

    Joined:
    Mar 16, 2008
    Messages:
    512
    Likes Received:
    0
    Gender:
    Male
    yap thanks reivi400 :)

    hi swamommy,

    yap, an aggressive hacker can scan for your internet activities, it is called network sniffing. i actually have a sniffer tool on my mac for monitoring if i have unwanted visitors on my wifi zone.

    though the information transmitted by banking sites are encrypted (which means the data sent over the air is garbled by mathematical means), given the right tools again, a hacker can decrypt that message and get your password, credit card number etc... :)
     
  17. raypin

    raypin PhilMUG Addict Member

    Joined:
    Jun 8, 2008
    Messages:
    14,484
    Likes Received:
    7,671
    mmm.......afaik, 128 bit ssl encryption (the ones employed by most on-line banking facilities) has NOT YET been broken.
     
  18. rafaelc378

    rafaelc378 Active Member

    Joined:
    Mar 19, 2008
    Messages:
    5,464
    Likes Received:
    2
    Raypin's right. As long as the site has SSL Encryption (look for the lock icon on your browser & an https in the URL) you are probably in the clear.

    Since we're on Public Wifi networks, always make sure if you use file sharing in your network at home, to adjust these settings when you are on the road. You don't know how many times I've seen open computers when I'm logged onto a public WiFi network.

    Either they don't know they're open to begin with. Or they use file sharing at home in between systems, but forget that they're wide open when they leave the house.
     
  19. Swamommy

    Swamommy Member

    Joined:
    Apr 28, 2008
    Messages:
    236
    Likes Received:
    0
    Gender:
    Female
    Location:
    Quezon City
    @ VIRAL VARIANCE & REIVI400:

    Thanks for the clarification. Haaay...buti na lang I don't use free wi-fi very often. Pang facebook lang when I'm lounging in some cafe. Hahaha! Juvenile no? Anyway, I just got scared for a moment there because I've heard so much horror stories about accounts being hacked, etc. Sometimes tuloy, I just want to disconnect. Literally and figuratively. Haaay...the times we live in. :(
     
  20. viral_variance

    Joined:
    Mar 16, 2008
    Messages:
    512
    Likes Received:
    0
    Gender:
    Male
    actually you'll never know. it is always best practice to assume that everything digital is vulnerable. that's why they only need the right tools :)

    its not only sniffing btw, someone can plant a keylogger and voila, broadcast your password over the air. or a browser vulnerability exposing your cache or cookies. and the most popular of course, phishing :)
     

Share This Page

  • About PhilMUG

    Since the mid-1990s, PhilMUG (formerly the Philippine Macintosh Users Group) has grown to become not just the Philippines’ but one of the world’s foremost Apple user groups. Our online community brings together thousands of members from the Philippines and around the world for the latest news and discussions covering all Apple products and related hardware and software. Anyone can join PhilMUG, from newbies to experts, subject to our membership rules and guidelines.
  • Like us on Facebook

  • Buy us a beer!

    The staff works very hard to make sure that PhilMUG is running 24/7. Care to buy us a beer or help out with our hosting fees? We'd really appreciate it!

    Donate to us!