Securing your Mac, pt 4

Between September 2005 and July 2011 I was a regular contributor to MacFormat in the UK.

Whereas I’m posting the published articles for my MacWarehouse writing, with the MacFormat ones I’ve decided to post the text as submitted, including any comments that I included for design. I am, however, allowing myself a few small edits for clarity.

The particular one is my eighth column, written in April 2006. This is presented purely as a historical record as much, if not all, of the information contained in it may well have changed in the meantime.


Securing your Mac, pt 4

Following last month’s diversion into the world of malware it is time to take a look at the security issues facing networks of Macs and networking in general.

For almost any business, one of its most valuable assets is its intellectual property (IP), whether that be the designs for a new product or a database of its customers complete with account history. In addition to taking precautions against losing IP through equipment failures by backing up the servers that it is stored on, it is critical to ensure that the company’s property stays the company’s property. It is not just James Bond that has to deal with industrial espionage, and a disaffected employee taking your customer database to a competitor can have a very damaging impact on business.

The tools that Apple provides for free with OS X Server can be used to ensure that users cannot store any information at all on their workstations; they can only keep it on the server itself. You can also disable CD or DVD burners and prevent users from saving files to USB or FireWire drives. These preferences can be enforced even if a computer is taken off the network. If you do need to take data off-site, then do it in the form of an encrypted disk image, which will make it almost impossible for somebody to read the data without authorisation if it is lost.

If you have wireless devices on your network, including Macs with AirPort or Bluetooth cards, be aware that you cannot easily put up barriers to stop their radio waves from spreading outside of the building. I have known businesses where it is perfectly possible to sit in a car in the street and connect to the company network without needing any password or other form of authentication. If you have wireless devices that are not required, then disable them so that a user cannot inadvertently create an insecure access point to the network. For the access points that you do require, take the following steps: disable broadcasting the network name so that you cannot find it by browsing; make sure that the network name itself is unobvious, e.g. don’t call it “AirPort”; require WPA2 encryption to be able to access the network; and finally lock the network so that only specified wireless cards can access it.

You can take access control further by introducing two-factor authentication with solutions from companies such as RSA and CRYPTOCard. These solutions require a user not only to know their password but also to be in possession of a token of some description to be able to access the network. Neither the token nor the password on its own is enough.

Two-factor authentication comes into its own when remote access solutions are considered. The internet is inherently insecure, but it is possible to create secure tunnels from point to point. If you need users to be able to access company data from home or whilst on the road, then consider setting up a Virtual Private Network (VPN), which will create a secure tunnel from wherever they are in the world to the office, letting them work as if their Mac was connected directly to the network while keeping out prying eyes.

It is a very simple task to download a piece of open source software such as Ethereal and sit in your local coffee shop watching unencrypted but sensitive information going back and forth across the internet. If you don’t keep an eye on your data somebody else will.

Securing your network can be an expensive and time-consuming business, and the more secure it is, the less friendly it will be to those who you want to access the network. How far you take network security and how much time and money you spend on it will depend on how valuable your data is to your business.

Securing your Mac, pt 3

The particular one is my seventh column, written in March 2006. This is presented purely as a historical record as much, if not all, of the information contained in it may well have changed in the meantime.


Securing your Mac, pt 3

Last month I talked about the benefits of having a good password and not having your Mac save it for you. One of the key ways to ensure that your password is a good one is to not use real words, the name of family members etc. Whilst it may be easier for you to remember the name of your dog than a random collection of letters and numbers it is also much easier for someone to guess. This can be exploited by something called social engineering.

Social engineering is used by both virus writers and spammers to try to trick the unwary into exposing their system to an attack of some form. You may get an email that appears to come from your bank that asks you to log onto their website to confirm your account details or password. Trusting your bank, you do just that and in doing so give the spammer all the info that they need to access your account. Your bank will never ask you to do anything like that; if they ever do, I suggest that you run a mile and start banking with someone else. If you need to confirm things, then log on to the bank’s website in the usual way and do not click the link in an email, as it will probably lead you to a site designed to look like the real one that your bank uses.

Alternatively you may get an email from a friend that says something like “Hey take a look at these great new pictures” but the pictures are nothing of the sort and really contain a Windows virus that would, on a PC, replicate itself and mail a copy to everybody in your address book in the hope that, since it appears to have come from you, they trust and open it, thus perpetuating the virus.

Note that in the paragraph above I stressed that it would be a Windows virus that would infect a PC. Until recently I would be pretty confident that this sort of thing only affected PCs and not Macs but the world of malware is changing. Malware is an overall term that encompasses not only spam and viruses but also other nasties such as trojan horses, spyware and phishing attacks. Many people confuse viruses and trojans, and there is a definite distinction between them, but either way malware of any sort should be considered a bad thing.

In the past few weeks there has been a lot of noise in the Mac community about the first genuine OS X viruses having been found. As of today, and things could very easily change in the short time between me writing this and it being published, there have been no OS X viruses found “in the wild”. The items that are being talked about are trojans rather than viruses and are generally just a proof of concept rather than a finished product, but that doesn’t mean that we should dismiss the threat that they, and their descendants, pose to us.

First, the basics. OS X is essentially a secure architecture. Many of its components have source code that is open and so there are lots of eyes trying to fix any holes that are found in it. When Apple release a security update you should install it, taking the precautions that I mentioned in previous columns first. Turn your firewall on and only open it to the services that you actually need to have access to your Mac. Use anti-virus software and ensure that it is regularly updated. If you don’t update it then it is worse than useless, as it will give you a false sense of security. Today we are mainly ensuring that we don’t pass on Windows viruses; tomorrow you may be stopping a Mac virus from spreading.

Second, watch out for social engineering. Before opening an email ask yourself if you really were expecting Aunt Agnes to send you some “cool new pics”, which is really just a trojan in disguise. Your bank and other organisations should never ask for passwords and account details in an email.

Third, watch what you install. OS X will ask for an admin user name and password before installing applications that scatter parts of themselves throughout your system. If a dialog pops up asking for your password, were you expecting one? If you weren’t, e.g. you just clicked on a picture in an email, then don’t give it your password. Don’t just enter passwords blindly; make sure you know why you are being asked for it and what for.

Fourth, don’t use an administrator account for general use. If you can, make sure that you log in to your Mac as a user that doesn’t have the right to administer the computer. This gives you an added layer of security, as you will have to enter the name of an admin user and their password before you, or a virus, can do anything really destructive. You can always log out and log back in as an administrator if you want to make major changes; just remember to log back in to your regular account when you have finished.