Washington Apple Pi

A Community of Apple iPad, iPhone and Mac Users

Securing Your Mac

© 2002 Lawrence I. Charters

Washington Apple Pi Journal, reprint information

There are two different kinds of computer security: physical security, and electronic security. Physical security includes such things as buying a decent, protective carrying case for your laptop, not leaving your laptop out in the rain, not positioning your desktop machine under a potted plant that needs watering, not positioning your desktop machine on the same bench that has an arc welder, etc. These are all good and important issues, but they won't be covered in this article.

Electronic security for a Mac has, traditionally, been quite boring. Back in the "good old days," before people invented Microsoft Macro viruses and worms, the only electronic dangers facing your Mac were custom-written Mac viruses. Five years ago, there were less than three dozen of them. In 2002, there are still less than three dozen of them. On the other hand, there are now tens of thousands of MS Macro viruses and worms. These viruses are considerably less destructive on a Mac than on a Windows machine (yes, they really can erase your hard drive, send all your credit card numbers to Korea, and send insulting messages to your boss -- on a Windows machine).

While the results may not be quite as catastrophic, you can still waste dozens of hours trying to clean up a MS Macro virus infection on a Mac. Additionally, some old Mac viruses have recently started making the rounds again, probably when people transferred files from old, infected machines to new, Internet-connected machines. Accordingly, the first order of business is:

1) Buy a good, commercial anti-virus package. "Good" ones are updated monthly, to cope with the hundreds, if not thousands, of new viruses detected every month.

Before you claim you don't need an anti-virus package, you should know that most people claim they don't need an anti-virus package, before they come down with a virus. Grandparents who never visit porno sites, parents who never let their children use their machines, children who never let their parents use their machines -- all are good candidates for getting a virus. The virus can come in the form of an "infected" attachment to an E-mail message, or a floppy disk returned by a teacher with homework assignments, or a CD-ROM burned by Aunt Martha with pictures of the twin's double-wedding ceremony, or -- a common problem -- a transfer of files from a quirky old Mac (quirky because it was virus infected) to a sparkling new iMac, iBook or Power Mac G4..

Can you tell if you are at risk? Consider your risk factors: do you have a child? Do you have a parent? Do you have relatives with computers? Have you ever met another living soul with a computer? Do you have an E-mail account? Have you ever taken a disk to a library or copy shop for printing or duplication? Have you ever accepted a homework assignment, newsletter contribution, or funny digital cartoon from someone? Do you own a computer? If you can say "no" to the last question, you don't need an anti-virus package, but a "yes" to any of the others means: get an anti-virus package.

Internal attacks from computer viruses and their cousins, computer worms, are the most common electronic security breaches, but they don't get the most press. External attacks are the darlings of headline writers and newspaper and magazine editors. While it might be funny to know that Vice President Cheney's speech to the Cleveland Pipefitter's Union was trashed by a virus, it should be far more alarming to hear that someone broke into your bank's computers and copied off all the credit card account names and numbers.

If you have a pre-Mac OS 9 computer, you can do an excellent job of securing it by doing the following four things (which also, by the way, apply to Mac OS 9):

2) Give your machine a non-blank user name.

While Mac OS X won't let you set up a machine without entering a user name, all Mac operating systems before it allowed you to leave the user name blank. The details differ depending on which version of Mac OS you have, but generally speaking, go to the Apple menu, select Control Panels, select File Sharing, and enter a user name. The user name can be yours, your pet's, or a favorite flavor of ice cream. The details aren't as important; just make sure it isn't blank.

3) Give your machine a non-blank machine name.

Giving the machine a non-blank name is, technically, not so much a security issue as just good housekeeping. If you have only one machine, you may find it useful to use the same name for the machine and for the user. So if you entered "Smith, Robert" as the user name, you might wish to enter the same for the machine name. Or "Twiggy." Or "Blue iBook." Or almost anything. Note: on a given AppleTalk network, all machine names must be unique, so make sure that all machines have unique names, even if you never plan on networking anything.

4) Give your machine a non-blank, non-trivial password.

Strange as it may seem, you don't even have to remember the password -- all you need to do is enter something. You can even drum on the keys and enter nonsense as the password. Since you can sit down at the machine and change the password at any time to a known value, the important thing to do is to make it hard for someone not sitting at the machine to guess the password, and a blank password is the easiest one to guess.

5) Rename the hard drive from the default name.

Apple's Drive Setup utility names the hard drive "Macintosh HD," and most Macs ship with the hard drive already named "Macintosh HD." Third-party disk formatting software might name the drive something else. In any case, rename the hard drive to something other than the default. If you ever intend to use the machine with Mac OS X, it would be best to stick with a single-word name without hyphenation, spaces or punctuation.

Now, why are these four measures useful? If you ever connect your computer to the Internet, either accidentally or on purpose, and someone else manages to "see" your machine, having a non-blank name and password makes your machine far more difficult to break into. The non-standard drive name, on the other hand, is more of an anti-Vandal effort. Consider: every single Windows machine in the world boots off the "c:" drive, making it relatively simple to guess where files are located on a Windows machine. If you rename your hard drive to something other than Macintosh HD, it is very difficult for a virus, a worm, or some external intruder to guess where things are located on your hard drive. A program that tried to delete everything in "Macintosh HD:Applications" will fail if the hard drive is named "Sweetums."

The next measure is particularly important for Mac OS 9 users:

6) Turn off file sharing.

File sharing on a Macintosh is easy: just turn it on. Unfortunately, few users do this correctly, and they end up sharing more than they intend, with more people than they intend. Many people also don't realize that only one Mac needs to have file sharing turned on in order to exchange files between the two Macs; turning on file sharing on both machines is unnecessary. There is also a performance penalty: almost all Macs are 20 to 40% slower with file sharing enabled.

So never turn on file sharing unless you actively need to share files on that particular machine right now. After you are done sharing the files, turn file sharing off. Learn how to restrict file sharing to just one folder; sharing the entire hard drive when you just need to share the latest bowling league results can be harmful to your computer's health.

Why is this a particular concern for Mac OS 9 users? Mac OS 9 has the ability to share files across the Internet. If the user turns on file sharing and checks the box labeled "Enable File Sharing clients to connect over TCP/IP," anyone on the Internet can "see" this machine and try to break in. Earlier versions of Mac OS, limited unwanted visitors to your office or campus, but now the entire world can come and visit.

7) Disable Web sharing.

While relatively few people used Web sharing (available in Mac OS 8 and 9), it does offer another way for people to enter your computer. If you don't use Web sharing (and the Web software isn't particularly fast or flexible, in any case), use the Extensions Manager to disable both the Web Sharing control panel and the Web Sharing Extension. This will protect you from even accidentally turning on the Web server.

These seven steps should cover the majority of Mac users using Mac OS 7.5 to Mac OS 9, and connecting to the Internet via a dial-up modem. True, dial-up users are not the most likely victims of computer attacks, but such attacks happen far more frequently than people realize. Many people think their "modem is acting strange" and hang up, not realizing that the reason their "modem was acting strange" was that they weren't the only one using it.

If you have an ISDN, DSL or cable modem Internet connection, or you are connecting multiple Macs to the Internet, or you are running Mac OS X, you need to look at additional security precautions.

8) Buy a hardware firewall.

A firewall is a device that separates your computer or network from the outside world with a "ring of fire." This is figurative, of course, but the idea is to allow into your network only those things from the outside world that you've explicitly requested.

Sadly, advertisers have hyped almost anything that does some sort of security as a "firewall," so look for some technical details. If the manufacturer doesn't mention the phrase "stateful packet inspection," you don't want it. "Stateful packet inspection" checks every packet of information coming into your network to make sure it is what you want, not only individually but in context. This prevents, for example, an external entity (either a hacker or a program designed to automate attacks) from sending you packets forged to make them look like you asked for them when, in fact, you hadn't. (One popular way to disable a computer or network is to "return" a flood of ping requests that had not, in fact, ever been made. The computer or network gets so busy accepting "their" own ping requests that they are unable to do anything else. A firewall performing stateful packet inspection can prevent this.)

Software firewalls are a popular alternative to hardware firewalls, but are not good substitutes. A software firewall depends on the expertise of the user to configure not only the firewall software but also the operating system correctly; an error in either configuration could make you more vulnerable to attack, not less. Software firewalls also tend to protect just one machine at a time, while a hardware firewall can protect an entire network at once. Because hardware firewalls are single-purpose devices, they also tend to be easier to configure, have better reporting mechanisms, and perform faster.

Two items of note: first, many "firewalls" are actually Internet sharing hubs or switches, and claim that NAT (Network Address Translation) is a "firewall" feature. NAT is certainly useful, but it doesn't make these devices firewalls. Second, you may have heard that Mac OS X includes a built-in firewall. It does, and it works quite nicely. There are even shareware programs that allow you to configure it. Unless you know enough about UNIX security that you could configure the firewall without the shareware programs, it is best to leave the Mac OS X firewall alone. And no, it is not a substitute for a hardware firewall.

9) Visit Apple's Product Security Incident Response page (http://www.apple.com/support/security/security.html)

Unlike certain other manufacturers, Apple has an excellent security reputation, so visiting this page every once in a while is no great burden. The page has phone numbers and E-mail addresses for reporting security problems, as well as links to Apple's security updates (http://www.apple.com/support/security/security_updates.html) page. The security updates page provides details of all security releases, along with information on how to get them.

10) Sign up for Apples' "security-announce" mailing list.

This is a remarkably low-volume mailing list that sends out produce security notifications and announcements from Apple. There aren't that many, so it isn't a burden to get them all. Sign up at the Web address listed in Step 9.

11) Regularly use the Software Update control panel

Included as a standard feature in both Mac OS 9 and Mac OS X, the Software Update control panel (or control pane, in Mac OS X) should be set to "Update software automatically" and (in Mac OS 9) "Ask me before installing new software." This will allow your computer to automatically reach out across the Internet, contact Apple, and see if there are any updates to your software.

By having your computer make these requests, automatically, you eliminate your frail, fallible human mind from the process. Once a week, or using some other schedule that you can set, your computer reaches out and discovers what new goodies might be available. Most of the updates are not security related -- but the Software Update mechanism is one of the fastest, most reliable means of getting security updates, too. Since both Mac OS 9 and Mac OS X will frequently offer you updates you can't use (such as CD-ROM disc burning software for a computer without a CD-ROM burner), instruct Mac OS 9 to "Ask me before installing new software." Mac OS X never installs anything without asking first.

For the vast majority of Mac users, these are the only electronic security measures that you need follow. If you decide you want to set up an Internet mail service, or a Web server, or an FTP server, or run LimeWire (a particularly risky venture), or some other kind of Internet service on either a Mac OS 9 or Mac OS X machine, you'll need to consider additional security measures. Even some innocent programs, such as screen savers, might require additional security measures (there are screen savers, for example, that reach out across the Internet every day and download a new picture; they could easily be compromised to download something else, instead).

Further Reading

If you feel the need to enhance your paranoia, or you own a Windows computer, there are lots of sources for information. One of the best is the National Infrastructure Protection Center (NIPC), which publishes a splendid, free newsletter detailing computer security issues, called CyberNotes. CyberNotes is available in Adobe Acrobat format from this address:

http://www.nipc.gov/cybernotes/cybernotes.htm

NIPC is a relative newcomer to the field of computer security, while the Carnegie Mellon CERT (Computer Emergency Response Team, http://www.cert.org/) dates back, in various forms, to 1988. They don't publish a nice, neat newsletter like CyberNotes, but their Web site does give access to a vast encyclopedia of computer security knowledge. The CERT Advisory Mailing list is also a good way to keep abreast of computer security issues, though these rarely involve Macs of any flavor. One of the more interesting features is their Statistics page,

http://www.cert.org/stats/cert_stats.html

where you can see that six computer security incidents were reported in 1988, 132 in 1989 -- and 26,829 in the first quarter of 2002. Since one incident can involve thousands or tens of thousands of computers, these statistics suggest that a major war is taking place on the Internet -- and that is entirely correct.

The more you know about computer security, the more you will realize that a little paranoia is a good thing -- and a well-protected Mac is not a great burden. But don't get cocky: even Apple's sprightly new Mac OS X has a known, fatal flaw: the clock. Mac OS X has an option to use a network time server, which allows the Mac to reach out across the Internet and use a highly accurate atomic clock to determine the exact local time and, unless changes are made, this will result in disaster.

On January 19, 2038, at seven seconds past 3:14 a.m., Mac OS X -- along with every other UNIX computer -- will overflow the system clock, and think it is Friday the 13th of January, 1901. Apple has less than 36 years to correct this problem.