Securing your Mac, pt 3

Between September 2005 and July 2011 I was a regular contributor to MacFormat in the UK.

Whereas I’m posting the published articles for my MacWarehouse writing with the MacFormat ones I’ve decided to post the text as submitted, including any comments that I included for design. I am, however, allowing myself a few small edits for clarity.

The particular one is my seventh column, written in March 2006. This is presented purely as a historical record as much, if not all, of the information contained in it may well have changed in the meantime.


Securing your Mac, pt 3

Last month I talked about the benefits of having a good password and not having your Mac save it for you. One of the key ways to ensure that your password is a good one is to not use real words, the name of family members etc. Whilst it may be easier for you to remember the name of your dog than a random collection of letters and numbers it is also much easier for someone to guess. This can be exploited by something called social engineering.

Social engineering is used by both virus writers and spammers to try to trick the unwary into exposing their system to an attack of some form. You may get an email that appears to come from your bank that asks you to log onto their website to confirm your account details or password. Trusting your bank you do just that and in doing so give the spammer all the info that they need to access your account. Your bank will never ask you to do anything like that, if they ever do I suggest that you run a mile and start banking with someone else. If you need to confirm things then log on to the bank’s website in the usual way and do not click the link in an email as it will probably lead you to a site designed to look like the real one that your bank uses.

Alternatively you may get an email from a friend that says something like “Hey take a look at these great new pictures” but the pictures are nothing of the sort and really contain a Windows virus that would, on a PC, replicate itself and mail a copy to everybody in your address book in the hope that, since it appears to have come from you, they trust and open thus perpetuating the virus.

Note that in the paragraph above I stressed that it would be a Windows virus that would infect a PC. Until recently I would be pretty confident that this sort of thing only affected PCs and not Macs but the world of malware is changing. Malware is an overall term that encompasses not only spam and viruses but also other nasties such as trojan horses, spyware and phishing attacks. Many people confuse viruses and trojans, and there is a definite distinction between them, but either way malware of any sort should be considered a bad thing.

In the past few weeks there has been a lot of noise in the Mac community about the first genuine OS X viruses having been found. As of today, and things could very easily change in the short time between me writing this and it being published, there have been no OS X viruses found “in the wild”. The items that are being talked about are trojans rather than viruses and are generally just a proof of concept rather than a finished product but that doesn’t mean that we should dismiss the treat that they, and their descendants, pose to us.

First, the basics. OS X is essentially a secure architecture. Many of it’s components have source code that is open and so there are lots of eyes trying to fix any holes that are found in it. When Apple release a security update you should install it, taking the precautions that I mentioned in previous columns first. Turn your firewall on and only open it to the services that you actually need to have access to your Mac. Use anti-virus software and ensure that it is regularly updated. If you don’t update it then it is worse than useless as it will give you a false sense of security. Today we are mainly ensuring that we don’t pass on Windows viruses, tomorrow you may be stopping a Mac virus from spreading.

Second, watch out for social engineering. Before opening an email ask yourself if you really were expecting Aunt Agnes to send you some “cool new pics”, which is really just a trojan in disguise. Your bank and other organisations should never ask for passwords and account details in an email.

Third, watch what you install. OS X will ask for a admin user name and password before installing applications that scatter parts of themselves throughout your system. If a dialog pops up asking for your password were you expecting one? If you weren’t, e.g. you just clicked on a picture in an email, then don’t give it your password. Don’t just enter passwords blindly, make sure you know why you are being asked for it and what for.

Fourth, don’t use an administrator account for general use. If you can make sure that you log into your Mac as a user that doesn’t have the right to administer the computer. This gives you an added layer of security as you will have to enter the name of an admin user and their password before you, or a virus, can do anything really destructive. You can always log out and log back in as an administrator if you want to make major changes, just remember to log back in to your regular account when you have finished.

Comment on this post

This site uses Akismet to reduce spam. Learn how your comment data is processed.