Advertisement
Security

Lock Up Your Mac with Security Settings

by

It all started when people passed around the rumor of the Mac’s invincibility. Some said a virus for the platform was nowhere to be found. Others knew the truth though: that there really can be malicious code written for OS X. Nothing’s perfect, you know. When an illness does befall Apple’s OS, the company typically issues penicillin in a timely manner. (The timeline actually depends on the problem though and can sometimes be an unnecessary length.)

“Flashback”, for instance, was a trojan back door that came about in early 2012 with the aid of, despite the name, a hole in Javascript. Apple repaired the defect nearly two months after its release. There have been other infections in the past year as well — but I’m not here as a security analyst. Instead, I’m an advisor. Today, if you have some time and motivation, I’m going to help you secure your Mac as best as you possibly can.


Step 1: A Password

It's a question of true security.
It's a question of true security.

You probably just read that header and thought, “Well that one’s obvious!” Not so fast, McQueen. In many people’s lives, a password does not play a part. They’re either not willing to remember it or are happy with the convenience of automatic login and no permission-request pop-ups. As understandable as that is, excuses should never be given when it comes to your security. That does not mean setting a short password is better than none. It means you need to start employing a somewhat lengthy and secure password.

Generating something stronger.
Generating something stronger.

Examples of strong passwords are everywhere. It’s best to go with something 15 characters in length, but you can always do 9 or 10 and you’ll still be safe. I used one that was a mere 8 characters for over a year and never had a breach.

Now, when it comes to actually creating this juggernaut password, there are several useful tools available to you. A good one is Strong Password Generator. It’s a simple website that informs you what a good password consists of, generates one for you with one click, and even helps you remember it with key words.

Using the Mac's built-in password generator.
Using the Mac's built-in password generator.

If you want to keep things local, Apple has built an alternative to that website for your Mac. It can be found in the System Preferences Users & Groups pane. Head there and start by unlocking it, then click “Change Password…”, and click the key at beside the New Password field to launch the “Password Assistant”. It’s a small window with five fields: the type of password, the suggestion, a length selection slider, a quality indicator, and a tips box.

Tip: A password is something you should have on all your devices, not just your Mac. If you have an iPad or iPhone, make sure there are at least simple four-character pass codes on them. Remember that everything is connected.

Tweaking the Password Assistant.
Tweaking the Password Assistant.

Surprisingly, there are a few different actions you can perform in the Password Assistant. First, you can change the type of password from the default, Memorable, to Letters & Numbers, Numbers Only, Random, and FIPS–181 Compliant (which, while sounding very cool out loud is actually the worst).

Then there’s the suggestion box, which you can copy text from or click to expand into a full list of the available selections. Lastly, the Length slider lets you adjust the character count and you can hover over the Quality indicator for an entropy score (how disorganized and unpredictable it is; out of 100).

Apple may recommend hints in the OS X setup process and also when changing your password, but it’s really a bad idea. Yes, you will probably forget your new password for the first few days, but that doesn’t mean you should give the local world a hint. Instead, write down your password and keep it safe in your desk drawer, wallet, or car. Eventually you’ll overcome the need for that paper and all will be well.


Step 2: Lock the Screen When Away

Enabling an automatic lock.
Enabling an automatic lock.

Your Mac has several settings for when to lock your computer. The first one, set by default, can be found in the Security & Privacy pane of System Preferences under the General tab. The “Require password x amount of time after sleep or screen saver begins” checkbox is what I’m talking about. It’s set to immediately by default, but you can change it to anything from five seconds to four hours. If you know you’ll be taking a quick break from your computer when closing it and there’s no harm that will come to it, you can set it for fifteen minutes. However, it’d be a much better idea to keep it locked when you close it.

A custom message on my Mac's lock screen.
A custom message on my Mac's lock screen.

The next checkbox, when checked, enables showing a custom message when your screen is locked. For example, you can say “Can’t touch this”. Or, if you don’t like MC Hammer, maybe think of your own lock screen phrase. Click the “Set Lock Message…” button and type in whatever you’d like to set up this text. When you’re finished, make sure “Disable automatic login” is checked on your Security & Privacy pane, because it’s by far the most important thing from keeping people out of your computer. (If they can just restart the machine to gain access, what’s the point of a password?)

In the advanced Security & Privacy settings (click the button in the bottom right of the screen) you will find an automatic logout function with a time setting on it. With this, you can tell the computer to automatically log off your user after a certain amount of time has passed. It’s a great way to ensure your files are safe from prying eyes when you leave your desk. You can also opt to require an administrator password to unlock preferences, which is highly recommended if you want to stop those mischievous children that already have access to your computer from meddling.


Step 3: Moving To and From the Cloud

Apple's iCloud preferences.
Apple's iCloud preferences.

Even with all the talk about moving to the cloud and its “security”, you must remain cautious about leaving your personal information on remote servers. Indeed, there is the matter of trust and hopefully you have some in the company that holds your data. Apple has not been known for security breaches on its servers, but that doesn’t mean it will never happen. Take Google for example. The company gets massive Gmail break-ins every few months and it must account for the lost data, passwords, and personal information that users entrust the company with.

It’s really never a good idea to put all your information in the cloud. I upload a lot of my documents to Dropbox, but not the important ones like tax returns and others that contain confidential information. Dropbox may be reliable and have a great track record, but that does not mean you should trust everything with them. Keep some of your documents safe on your own computer, maybe in an encrypted disc image. Putting it all in the hands of a company whose servers are always in the spotlight isn’t as secure as keeping it on your personal computer where hackers may not even know about.

On to the matter of iCloud, Apple’s main cloud computing system. The company names this service as being responsible for holding your music from iTunes, documents on all your devices (if you upload them), bookmarks in Safari, and even your email. It’s everything in one account, which means that all a hacker needs to do is break one password. If you use the same password for your iCloud account somewhere else on the Internet, change it now. Here’s why.

iPhone and iPad Backups are Stored There

Browsing my iOS backups in iCloud.
Browsing my iOS backups in iCloud.

If you have iOS devices, you probably back them up to iCloud. Apple has been pushing this feature for quite a while now because it no longer requires that you be in close proximity of your computer just to back up your mobile device. Convenience is great, but there’s a matter of security here.

Say your password gets to a hacker, or even someone that knows you personally and wishes harm. This person can log into your iCloud account and remotely wipe your phone, should Find My iPhone be enabled. Alternatively, he can go get his own iPhone, log into your iCloud account, and restore his device using your backup that’s stored in the cloud. That wouldn’t give him your number, but it’d put all your app info on his device, including maybe Dropbox (which I recommend setting a pass code for on mobile devices) and even Mint.com.

It doesn’t stop with this man gaining access to those things. If you keep lists of passwords in a cloud account, it’s probably somewhere on your iPhone. All he has to do is find the app that syncs with iCloud, download it in the app store, and (with some less secure apps) launch it to reveal your lists. He can also go to Pages to look at your documents, write your article for you in Byword, edit your Day One journal to exclude you, and play your Fieldrunners 2 — oh the horror! (He needs to earn those fancy towers, not steal them.)

Now you’re probably thinking, “Well, this is all good and well. It’s also hypothetical.” If you keep telling yourself that, you’ll find a day when you don’t know what to do with your devices because a hacker has disabled them and stolen your identity online. Don’t let that happen — just change the password to something fresh and secure. It’s also a good idea to use the password generator I mentioned before as a guideline.

Your Payment Information is Connected to It

Purchasing something online doesn't usually require payment verification.
Purchasing something online doesn't usually require payment verification.

You undoubtedly remember iTunes, Apple’s world-famous music distribution service and player that comes included with your Mac. Ever since Apple started using iCloud extensively throughout its ecosystem, your ID has been all the more attached to nearly all the apps you use, music you listen to, films you watch, and even books you read. It’s just like Amazon, Google, or any other giant in the business today. However, there is a big thing that people seem to forget about. With all this connection, what if your payment information is stolen?

Now remember, this is a hypothetical situation in which your account has been breached. Since you use it at iTunes, it works at Apple.com. The hacker could gain access to your account, go purchase a few apps with your password (no verification), and even go to Apple’s Web site to place an order of something large. In fact, unlike Amazon.com, if you have someone’s Apple account password, you don’t even need to verify any credit card numbers on the website. iTunes is a bit better at preventing this.

If the content store senses that you are on a different computer, it will ask for the security code (that three to four digit number on the back of you card) for your main credit card. But if it’s a PayPal account, you’re in trouble.

Just a few weeks ago, one of my friends sent me a text message asking how Apple deals with account fraud. He was wondering this because not he, but his mother, was shut out of her account by a hacker. Apple then did not respond to her emails and she lost all her iCloud purchases — apps, music, films, and every bit of content you can purchase at the iTunes Store. This seems like a flawed system, but part of it is understandable seeing as the hacker could contact the company masking himself to appear as the real owner of the account.

This woman used PayPal for her account, so she got her money back, but lost all access to her account. You see, the problem is that if you use a PayPal account, verification is not required. Therefore, a hacker only needs your password to do whatever he wishes with you account. It’s a very unsafe way of doing business with Apple, and the company really should remove this option. In the meantime though, it’s a good idea to stay away from it, however convenient it may be, especially if it’s connected to your bank account.

You Can Reset Your Mac Password with It

A checkbox to switch on password resetting using your Apple ID.
A checkbox to switch on password resetting using your Apple ID.

The last and most important (to new Mac users) reason that you should keep your iCloud account safe with a unique password is that you can reset your Mac’s account password with it. So, say you have remote logon enabled (which most people don’t) or someone nabs your computer. If they were to attempt a log-in, they’d need your password, but there’s an option to reset it using the Apple ID associated with the account. With that account password already in their hands, the hackers could gain access to one more.

Tip: You can enable password reset using an Apple ID in the Users & Groups pane of System Preferences. Just select the user and check the box titled “Allow user to reset password using Apple ID”.

This does seem awfully unlikely, and it really is. It’s definitely a good idea to keep the Apple ID password reset service enabled just for your memory’s sake. Will it be used as an exploit for your account? That depends on the location of your computer.


Step 4: Putting Up the Firewall and FileVault

Setting guildelines for the firewall.
Setting guidelines for the firewall.

When browsing the Security & Privacy pane of System Preferences, you may have stumbled upon your system’s built-in firewall, as well as FileVault. Let’s discuss the former in detail.

First, what is a firewall? Well, think of it as a filter you would set for your children. If you visit any website, your computer sends data packets to it and requests access. The website then grants this entry and begins sending you the main page in packets, making up either HTML, CSS, XML, or whatever code it may be in. Sometimes, however, these packets can be malicious. A hacker may attach an iota of bad code in hopes of gaining access to your computer.

On Macs, there’s not usually a problem with bad packets because the code is incompatible as the hackers have built it for Windows. Sometimes, however, you will encounter an evildoer. Randomly, maybe in a pop-up or while downloading file, something will try to make its way to your hard drive or, worse, RAM. To prevent this sort of attempt, enable your firewall by clicking the Turn On Firewall button in Security & Privacy.

You are now given access to options related to your firewall by clicking “Firewall Options…”. The first lets you block all incoming connections except those required for basic interaction with the digital world, like DCHP (absolutely necessary for communication with the Internet as a whole) and Bonjour. You can enable this if you are truly paranoid about security. It’s very unlikely you’ll have a breach, but you also won’t have access to many sharing features like iTunes Music Sharing and multiplayer gaming.

The second option is app control. You can allow all communications from certain apps by clicking the + and adding them to the list. You can also deny incoming communications from anything in this list. When the firewall is enabled, you will notice that certain apps request permission to receive incoming connections. To avoid such annoying prompts as those, add the apps to this list.

Next up is a convenience option that will automatically allow signed software (those apps you’ve downloaded from the Mac App Store or ones from a developer who uses Apple’s ID system). It’s a lot easier than confirming each of the apps, and Apple does not often allow malicious software into the App Store. Lastly, you have stealth mode. It sounds quite fun and is useful. Instead of allowing test applications to use ICMP, this feature is disables completely.

The FileVault

Enabling FileVault encryption.
Enabling FileVault encryption.

On the local network a hacker perches, waiting to pounce. He wants to break into your filesystem. You, knowing there may be someone out to get you, enable FileVault, a full automated encryption of your user directory. Even though that sounds cool, it’s dangerous. When you enable FileVault, a recovery key is generated and you can access your data using either it or your user password. Should you forget both, there is no way to gain access to your data again. With great security comes great risk, so think carefully before clicking the “Turn On FileVault…” button. Also, remember it will only be enabled for your user, unless you switch it on for others as well.

For more detail on using FileVault, refer to the corresponding section of our “Password protect files in OS X” article. Also, Apple’s support document on the utility is available here for reference.


For Serious Users: Third-Party Antivirus Applications

You never thought you’d see the day that antivirus software was available on a Mac. Well, it has come and is here to stay. The Mac App Store has a few tools for the job, and I’m going to give you a quick tour of each of them.

iAntivirus

As the most basic of antivirus apps available, this free tool by the Symantec Corporation (known for Norton Security) does four things: scan your whole computer, scan your home folder, scan specific files and folders, and scan your Facebook wall (random). The only problem with this extremely minimal idea is that it doesn’t have a way to remove any malware that it detects.

VirusBarrier Express

This is the smallest of them all. At only 1.8 MB, it’s much better looking from the start than the others, which weigh in at 100MB+. This app also finds Windows malware, anything embedded in a PDF or Flash, and destroys those keyloggers. It has a scheduling feature for convenience, along with special guidelines for what it should scan at certain times. The developer also boasts that it has “no impact on performance”.

Bitdefender Virus Scanner

Stepping up to something a bit more advanced, but still free, we have Bitdefender. It will scan “critical locations”, the entire system, running applications (useful), or a custom directory. When a threat is found, you can quarantine it and delete it. Simple and straightforward — great for the price.

Avast! Free Antivirus for Mac

This one is my personal favorite Windows antivirus, and the Mac app doesn’t disappoint. It’s free, scans emails, adds a safety plugin to your Web browsers, and even puts up a “Web shield” on top of your firewall for extra protection. All scan results are available in the form of “reports”, which are logged in full. The app tries to make things visual by adding graphs to scans with spikes and red for activity. It’s kind of geeky and fun.

Avast! for the Mac.
Avast! for the Mac.

ClamXav

From Mark Allan comes a simple-looking app with a console, logs, and more options. This app will scan emails for phishing and viruses, let you know when things are finished with a sound, and also let you schedule a time to scan, daily or weekly. Having logs and a console also makes it feel more worthy of battling something a crafty hacker created.


Locking It Up for the Future

It’s been quite a ride. I hope you’ve enjoyed all this information on your Mac’s available security settings. Most of all, it’s my ambition that you use these new settings to your advantage and stop people from harming your digital and real life using any personal information that may have before been too easy to access.

At the end of the day, how do you keep your data secure? Is it different from what I’ve detailed here or are you considering a complete revamp of your system thanks to this article? Let us know in the comments below.

Further reading:

Related Posts