OSX Security (share your tips and tricks)

I think there was a thread of security tips but I can't seem to find it.

If I'd get a new Mac here's the first steps I'd want to do [but not limited to].

1. Create a dedicated administrator user account
2. Add password to my frequently used user account and set it up as a normal user
3. Set up the firewall to 'Set access for specific services and applications' and add applications that I'd want the firewall explicit access to the net.
4. Set up screensaver to prompt for password when woken up

Hmmm...that's as far as I can remember it.

 

In addition to what bacchus mentioned:

-Activate & setup the EFI Firmware Password. This means that the mac won't boot from anything other than the onboard HD without entering that password.

-Set up security so that any change to system preferences needs a password input.

-(Not part of OS X, but good idea nontheless) If you have the funds, buy a tracking/recovery software like Orbicule's Undercover.

 

Question:
If your regular typical OS X Tiger/Leopard-installed Mac is connected to a local network hub to connect to the internet in the office, either through Ethernet or Wifi, can other Macs or PCs access the data of your Mac? Can they peep what you are currently working on? Can they access your files, apps, browser and desktop? Can they see your usage history and all private info including internet websites and keychain? Or the network server has all your files and history?

Or are Macs secure as they are used as-is...? If not, what security measures should you use?

 

@macdrive: Go to System Prefs>>Sharing>> If all of them are unchecked, you are safe. While you may be seen on the network, nothing you have will be shared on the network.

@jcdman: Yes, unfortunately for you, you're supposed to set it up only with the OS X restore disks that came with your Mac originally.

 

yes, my account is a normal user. I think it then requires me to unlock all system specific pref panes before making changes - correct me if I'm wrong. I never run applications as a superuser/admin too. Doing so may allow any successful hacking take control of your account with admin rights. If it was a normal user, then additional hacking is needed to gain admin rights. It makes it harder. Although the Mac is fairly secure, it helps to make things harder for hackers

 

when I had tiger on my MB I only had to tweak some more firewall settings - and those I listed above. But by default an out of the box OS X Tiger won't be instantly vulnerable to attacks to hacking. If you have folde sharing turned on you may need to add password and disable unnecessary services - check your System Preferences in Tiger OS X.

Unless you have Trojan apps (think online dashboard widgets calling home), Tiger is secure like Leopard.

 

Hi,

Typical Setup
1. Create a separate admin account for your maintenance tasks.
2. Do not grant admin rights to your user (aside from admin of course)
3. Enable Firewall to Specific Applications
4. Disable Automatic Login
5. Require password when waking up from screen saver or sleep
6. Do not use weak passwords

Advance
1. Enable root user, so that no other kiddie script/application might enable it aside from you.
2. Get a third-party firewall application (e.g. Little Snitch, or study ipfw)
3. Enable Stealth mode on firewall setting
4. Scan for open ports from www.grc.com
5. Disable unused services on System Prefs > Sharing
6. Do not surf for Banking sites on Free Wifi spots

more to come later

 

Thanks for the tips guys!

 

based on my experience, macbooks, in particular, are not really safe out of the box, with the default settings on. there are too many loopholes to begin with, such as login, and firewall settings.

though i believe it is still relatively safer than windows, on default settings.

and your biggest enemy, is always, social engineering. it doesn't matter if you have those $99 security suites and operating system. alll it takes is for you to disclose your password to an aggressive hacker, and you're gone.

 

oh, I agree with that viral_variance. What I'm trying to say is get get a Windows XP - ka-level nang Tiger at that time - notebook out of the box to the net and if you don't get it updated soon you'll be hit by the RPC exploit within an hour (the one that shows you a prompt that your system will shutdown in 30 seconds and you can't cancel it - remember this?). I've seen this on two of my XP notebooks back in my Windows days.

 

i just realized that, an aspect that makes Mac OS X secure is that is shares the strength of both windows and unix/linux environments.

Windows, with its closed-source, proprietary system shields its code from immediate vulnerability away from hackers, given its obvious popularity (yes i don't believe in the "many-eyes theory" of linux).

linux, with its unix-core, secured for many years by the world's top hackers.

Mac OS X, of course has a closed-source framework and open source unix back-end, mid-level popularity, gave it its present state of security.

 

@ VIRAL VARIANCE:
You mentioned in number 6: "Do not surf on Banking sites..."
Does this mean online banking is discouraged? I access some of my accounts online. Nge. It's not safe ba?

 

Hi... I believe viral_variance is referring to doing online banking on a free Wifi spot.

 

yap thanks reivi400

hi swamommy,

yap, an aggressive hacker can scan for your internet activities, it is called network sniffing. i actually have a sniffer tool on my mac for monitoring if i have unwanted visitors on my wifi zone.

though the information transmitted by banking sites are encrypted (which means the data sent over the air is garbled by mathematical means), given the right tools again, a hacker can decrypt that message and get your password, credit card number etc...

 

mmm.......afaik, 128 bit ssl encryption (the ones employed by most on-line banking facilities) has NOT YET been broken.

 

Raypin's right. As long as the site has SSL Encryption (look for the lock icon on your browser & an https in the URL) you are probably in the clear.

Since we're on Public Wifi networks, always make sure if you use file sharing in your network at home, to adjust these settings when you are on the road. You don't know how many times I've seen open computers when I'm logged onto a public WiFi network.

Either they don't know they're open to begin with. Or they use file sharing at home in between systems, but forget that they're wide open when they leave the house.

 

@ VIRAL VARIANCE & REIVI400:

Thanks for the clarification. Haaay...buti na lang I don't use free wi-fi very often. Pang facebook lang when I'm lounging in some cafe. Hahaha! Juvenile no? Anyway, I just got scared for a moment there because I've heard so much horror stories about accounts being hacked, etc. Sometimes tuloy, I just want to disconnect. Literally and figuratively. Haaay...the times we live in.

 

actually you'll never know. it is always best practice to assume that everything digital is vulnerable. that's why they only need the right tools

its not only sniffing btw, someone can plant a keylogger and voila, broadcast your password over the air. or a browser vulnerability exposing your cache or cookies. and the most popular of course, phishing