Beef Up Your Mac's Security

One of the most interesting perks of using Mac OS X is benefiting from a strong amount of security that Windows users don't enjoy - and without sacrificing the "mainstream" aspect of the Mac.

On the other hand, a bit of paranoia is healthy as far as security is concerned. There are ways to satisfy your need for secure computing, and most of them are little things that can be done every day without breaking your piggy bank.

Mac OS X 10.4 Tiger, as all Unix-based systems, does not execute those dreaded .exe files, no matter where they are or what they want to do. Mac users who run Virtual PC can open .exe files, but they will only run in the emulated Windows environment.

Another thing you shouldn't worry about is virus software. As of today, there are no reported virus threats to Mac OS X.

Still, there are a few things you should be aware of to protect your security and privacy. Starting from the default system installation, you can act immediately.

When you are connected to the Internet, it is important to limit the number of open ports. Each open port is a potential security hole for hackers to exploit for invasion or file transfer. Therefore, you should only open those you need and open them only when you actually need them for file sharing, networking, etc.

OS X has an integrated software firewall, which you can easily use. To manage it and shut some ports down, pull down the Apple menu in the Finder and select System Preferences. Click on the Sharing button. Under the Services tab you will see a number of services, most of them for sharing. Make sure that they are all turned off - except when you really need to use them. If you use them only once in a while, turn them on every once in a while. It's more secure than keeping them open at all times.

Now, click on the Firewall tab. Most of the options won't be clickable because they are managed by the Services tab, but they are part of them firewall anyway. Others, such as iChat Bonjour, the network clock, and iTunes and iPhoto sharing can be turned on and off there. The iChat Bonjour port is very likely to be one that you keep turned on at all times if you use iChat every day. Otherwise, the same rule applies: turn it off.

Do the same drill with the Internet tab.

While you're still in the System Preferences, click on Show All, and then click on Spotlight. That's right: Spotlight can be part of your security strategy, mostly by limiting some of its search capabilities. If you want, for example, to make sure that your email is not searchable, uncheck the Mail item. Do the same for all sensitive file types.

Still in the Spotlight preference pane, click on Privacy. You can blacklist folders and directories to prevent Spotlight from searching them by clicking on the plus sign (+) button in the bottom left corner of the window.

Kick Butt with a Single Password

Mac OS X brought a solid amount of security to the Mac by coming up with a good user and password interface. By allowing a computer's owner to administrate everything with accounts, it addressed security concerns. The admin password can prevent unwanted software from installing itself, virtually eliminating any spyware threats. Of course, minimizing the number of admin accounts is always smart.

The other advantage of accounts is that you can easily lock your computer by logging out before leaving. Another way to lock your computer is to make sure that the default screen saver activates when you are away and requires the user password to authorize access again.

To set this up, go to the System Preferences and click on Desktop & Screen Saver. Click on the Screen Saver tab. Then, choose when you want the screen saver to take over when you are leaving. Click on the Hot Corners button if you want one of the screen corners to be used as a screen saver launcher. If you do that, rolling your mouse to the activated corner will launch the screen saver instantly.

Once that is done, you have to turn on password protection. Click on Show All in the System Preferences and choose Security. Click the checkbox besides “Require password to wake up computer from sleep or screen saver”. You guessed it, the setting will also ask for a password when waking the computer up from the sleep mode.

While at it, take a look at the other checkboxes to see if any of them is interesting to you. They add some robustness to your security strategy.

Now, on top of the same Security preference pane, there is this FileVault feature.

Should you use it? Yes and no. It provides encryption for files stored in your Home directory, making the directory a secure place to store sensitive data. At the same time, it poses a serious threat for data loss!

Why? Because FileVault encrypts the files and decrypts them when you need to use them. It ties the use of your files to your account's password - even if they are copied to another medium than your hard drive. If you forget your password, you can kiss your data goodbye unless you know how to crack the encryption. Good luck....

This brings me to the importance of a good password for efficiency, for FileVault or for just any password on the Internet. Don't be naive: a four-letter word without numbers is easier to crack than a long password that combines letters and numbers. In fact, each character makes a  cracker's life more difficult, especially when numbers are thrown into the mix. If  "la32duh98" is harder to remember than "blah", it's also much more secure.

Internet Cleanup

Are you paranoid about security yet? Good. I am, and I have some more suggestions.

Buy Internet Cleanup from Allume, and for a relatively low price (US$29.99) you'll get more options to protect yourself against unwanted intruders and hackers.

Its NetBlockade feature will address many concerns. It will come down on browser popups like a ton of bricks, and it will also crack down on unwanted advertising. It lets you tailor your preferences for cookies that websites install to track your surfing habits. My favorite feature of all: NetBlockade can refuse to give away the last Web pages you have visited when you head to another site. I told you I was paranoid....

The NetBlockade feature be combined with (or override) your browser's privacy and security features to make browsing more secure. It is highly customizable, down to the names of servers that should be allowed to show popup windows and ads.

Network SpyAlert is another neat feature of Internet Cleanup. It intercepts all network activity and asks you what to do about them. Therefore, you can decide what software can contact which server. When you first use it, it will be quite aggressive. But don't worry, this happens because it has no authorizations to remember when you first install it.

Tailor its authorizations as the alerts appear, and it will remember which Internet addresses are considered safe to contact temporarily or at any time. At that point, only unwanted connections will be detected for you to block. I strongly recommend using the feature, because it prevents software from reporting activity without your authorization.

SpyAlert is another nice safeguard against intrusions. It scans your computer for spyware. Since there is no effective spyware for the Mac at the moment, it doesn't find anything yet, but since it is included in an inexpensive package, it's nice to have, especially if threats materialize.

Internet Cleanup also includes cleaning options, but in my series of tutorials about Mac maintenance, you learned how to do that kind of work. In any case, Internet Cleanup offers you another way to do it.

Awareness

The last step in computer security is awareness. Yes, your mind is important. There are some small things you can do to prevent problems.

The first tip? Use plain text email. By doing away with HTML, you get rid of JavaScript and code that execute automatically when read. You also make sure that no 'tracker' image proves that you opened a spam message.

Phishing, a technique used to fool you into giving your personal and financial information to thieves who pretend to be from your bank, PayPal, eBay, etc. is easier to avoid with plain text email. That's because HTML allows thieves to code a phishing link to make it look legitimate. Plain text strips the thief from the "clothes" he uses to hide - to let you see that the link you are supposed to follow is not legit.

Secondly, I strongly recommend that you download security updates whenever they are available in the System Preferences (when there, click on the Software Update button to get them). Look for all software update descriptions to see if there are security fixes elsewhere than in the security updates. For instance, an AirPort update can contain security fixes. For non-Apple software, make sure to check the vendors' websites to find similar updates.

Using a browser with good security preferences is another smart thing to do. Most Mac browsers are good, with extra kudos for Opera, which is a gem in that department. Not using the autofill and autocomplete features also prevents Web forms from being filled in automatically.

When you browse, notice which pages are secure and which are not. Secure pages start with https instead of plain http, and browsers will change the color of the address bar as well as display a locked padlock. Another important setting is to allow your browser to display an alert that lets you know when you leave a secure browsing area right in the middle of a transaction. Don't turn this off! Sites that lie about security and encryption will be uncovered easily when the alert shows up.

It sounds stupid, but it's still true: Email attachments should always be handled with care. When they come from trusted sources, they are usually free from any threats, but you should still be careful, especially with Microsoft Word files, which can contain macro viruses. Make sure to have macro virus protection turned on in Word. Pull down the Word menu, select Preferences, and click on Security, and then check "Warn before opening files that contain macros"

One last tip: Erase file securely – by overwriting them - in the Finder by pulling down the Finder menu and choosing Secure Empty Trash. That way, nobody will be able to recuperate them.

Nobody said that you had to deal with cracking, hacking, spam and security holes just because you use a computer. Leave that to Windows users. There is nothing better to satisfy your security paranoia than using a Macintosh. :-)