Securing Your Mac

Updated 12/6/03

Following up on my article about useful programs to secure your PC, I got to thinking about security on Macintosh computers. Unlike PCs, Macintosh computers running OS9 were considered to be virtually impenetrable, and truth be told, I never had any major security issues under OS9. However, OSX is based on BSD, a UNIX operating system - and while it is arguably much more powerful than OS9 ever was, OSX brings with it a whole host of new vulnerabilities that people used to something like OS9 may not be aware of.

Don't get me wrong - for the most part, OSX is much more reliable and secure than any version of Windows (although this is a point some would debate, look at virii for windows vs. virii for OSX). OSX ships with no open ports, a half-decent built-in firewall against incoming remote attacks, no default super-user account, and more checks against abuses of administrator privilege. Still, becoming complacent in the face of this is a bad idea - there have been many security patches for OSX, and there is still a very real possibility of malicious hackers porting such nasty things as trojans and spyware to OSX.

That being said, there are many useful tools out there for Mac users to ensure that their OSX installation is even more secure and robust against intrusion, and to improve security in general. Even better, most of the tools mentioned here are available free of charge. As I mentioned in the other tutorial, if these programs have MD5 checksums available, make sure to verify the downloaded file with them (open Terminal, type "cd Desktop" or the path to where the downloaded files are, and then type "md5sum yourfilename", where yourfilename is the name of the file, to get the checksum - enter commands without the quotes) to ensure that you downloaded a file that has not been corrupted or compromised. Simply put, an MD5 or other checksum is like a file's fingerprint - change even a single bit in the original file, and its fingerprint will change. Because of this, if the checksum of the file matches the checksum given by the developer, the file should (in theory) be exactly the same file that was created and posted by the developer.


-Remember when I said that OSX has a half-decent firewall? The main problem with the built-in firewall is that its functionality is somewhat limited - it can, by default, only allow certain applications to poke through the firewall to accept information, and while it can add additional rules, it can only accept incoming connections by port, without differentiating separate rules for different remote computers. However, the OSX interface is simply a basic interface to ipfw, a powerful unix firewall. You could reconfigure it through editing files in the terminal, but this is strictly for people who know what they're doing. Still, if you want more control, check out sunShield, a freeware preference pane to more directly interface with ipfw. It's still somewhat complicated, but it allows you to let some remote sites connect to your computer, but not others, and is helpful for customizing the built-in firewall exactly.

-However well-configured, though, the OSX firewall still only blocks incoming connections to your computer - it does not stop outgoing connections. For the most part, you wouldn't think this would be a problem, until you take a look at the PC side. Most of the time, having a program connect to the internet is not a problem, but some programs on the mac already "phone home" without telling you. Even more concerning, if spyware and trojans do come over to the mac, programs capturing your personal data could send it back to the servers of malicious individuals without any hindrance. Unfortunately, I have yet to see a freeware program address this, but a program called Little Snitch ($24.95 at last check) does address this. It works in a way similar to the major PC firewalls - when an application tries to connect to the internet, it pops up a dialog box displaying the program and the remote host, and from there you can either allow the connection once, allow it until the application quits, or set it up as a permanent rule for the application. Also, like sunShield, you can set rules to allow an application to only connect on a single port, or to a single remote server, or both. Using this, you can easily deny internet access to a suspicious-looking application, while still using your regular internet programs with minimal interference.

-One thing that's great about OSX is that it's based on UNIX, and can run powerful UNIX tools - such as the Snort IDS (Intrusion Detection System).  Basically, Snort monitors each packet that goes through your network connection, analyzing them for a wide variety of malicious traffic.  Configuring Snort, however, is not an easy task without a OSX-like interface.  That interface is provided by HewWen, a frontend that allows you to select from a huge variety of monitoring options (and also can install and autostart the Snort program itself).  Coupled with a small program called LetterStick (included in the package), it can alert you with a pop-up any time it detects malicious traffic.  However, beware that it can have a high false- positive rate (it will alert for Samba networking activity from a local-network address, among others) - still, better a few false alarms than a hacker attack that got through.

-Of course, once you suspect suspicious net activity, the first thing you should do is UNPLUG YOUR NETWORK CABLE FROM THE BACK OF YOUR COMPUTER.  If you're the curious type, though, or want to see precisely what your programs are phoning home about, or just want to look at the low-level details of your travels across the net, you want to use a packet sniffer (a program that looks at each chunk of data sent through your network connection and displays the contents).  If you want to do this from a graphical OSX interface, check out the freeware  MacSniffer .  Using this program, you can keep a log of every single packet that's transferred across your network connection (it also tells you where the packet was transferred), and also has an inspector window that can display the raw contents of the packets.  This kind of program is essential for troubleshooting transient unrequested net connections from your applications.

-One key method that experts recommend for securing your system is to try to hack it yourself.  While full-scale hacktests like Nessus are beyond the scope of this article, as unless used by an experienced user they can cause permanent harm to your machine, one easy thing you can do is scan your computer for open ports.  Every port that is open is advertising a service that people at a remote site can connect to, and which might, if not run by a secure protocol, become a security vulnerability.  The prgroam commonly used to test this is called NMAP, and the freeware graphical frontend for OSX is aply named NmapFE.  Note, however, that you should only use this program to scan computers that you own or administer for vulnerabilities - scanning a remote compuer without someone's permission may be considered a prelude to hacking (similar to "casing the joint" for a burglary) and could be illegal depending on your government's policies.

-As one final way of keeping tabs on your system, check out Net Connections (or, for the more adventurous Terminal users, try lsof -i | more).  This is a simple program similar in scope to TCPView on the PC, in that it lists all current network connections on your machine, including which ports are connected to which remote machines.  This is simply one more way of keeping tabs on your system, and ensuring that  you always know who's connected.


Now that you've got your computer secured against attack by malicious programs, there are a few more steps you can take to stay even more secure, even against physical intruders, and other methods to protect your privacy and important information.

-One annoying thing about the internet is that everywhere you go, you are inundated with ads, pop-up or otherwise. One thing you can do about this (if your primary browser is Safari, at least) is to download and install PithHelmet, a freeware piece of software that integrates into Safari and stops most pop-ups and other annoyances. However, given that Safari has some annoyances of its own, you may want to use a different browser (such as Mozilla, which has pop-up blocking built-in). Luckily, there's a great program out there called Privoxy, which can filter ad content in just about any browser, on just about any platform (including Windows and Linux). It's fairly easy to install on the mac: just go through the interactive setup, and set your browsers to use the HTTP proxy at 127.0.0.1 port 8118. From there, Privoxy already has a built-in ruleset that can nail most annoying content, and can easily reconfigured if something slips through. It's now taken over as my favorite web filter for any computing platform.

-Need to encrypt a file quickly? How about archive it? Securely (sort of) delete it? Or even generate a variety of checksums for it? There's a great free program called DropTBZ2 that does all of this with a simple drag and drop. This is one of the best programs I've seen so far for quickly checksumming a file, and it's a lot easier than trying to type all of this in from the terminal. The program can encrypt with Blowfish, 3DES, and AES, archive in zip, tar, tgz, and tbz formats, and generate md5, sha, and sha-1 hashes.

-On the subject of hashing, if you want to make extra sure that your file's haven't been modified, the same person who wrote DropTBZ2 also wrote Hasher, a program that can calculate a huge and exotic variety of hashes, some that even go up to 384 or 512 bits for maximum intergrity. Hashes can be used for a variety of purposes - everything from checking the integrity of files to two-factor authentication schemes.

-If you're looking for a truly robust suite of encryption services, look no further than Pretty Good Privacy. PGP is promarily designed around securing email communications, and allows you to do two very powerful things: encrypt a message to someone else's encryption key without being able to decrypt their private correspondence, and sign messages with a digital signiature to prove their authenticity. PGP is what's known as an asymmetric encryption system, which has two types of encryption keys - one, a public key, you can give to everyone, and can encrypt files and verify your signiatures only, while the other key is kept only by you and is used to sign messages and decrypt correspondence. Basically, this allows anyone to email you securely without knowing your decryption password, as would be the case with standard encryption. PGP offers a free, basic version of its software on their website, although I prefer the $50 Personal Edition, with its extra integration into mail.app and strong-encryption disk images. However, if you're determined, you can do all of this for free! The free, open-source version of this is called Gnu Privacy Guard, and has a whole suite of tools available for using GPG under OSX. These graphical tools aren't quite as easy to set up as PGP, but they do most of the basic functionality - encrypting and signing email, ecnrypting files, managing encryption keys. Couple this with the ability to create encrypted disk images in Disk Copy (10.2) or DIsk Utility (10.3), and you're all set to keep your data secure. For the technically inclined, PGP uses RSA or DSS/Diffie-Helman signing keys, whereas GPG uses ElGamal signing keys. Both programs use a similar suite of open encryption algoritms (3DES, AES, CAST) and hash algorithms (MD5, SHA-1) - PGP also includes the IDEA algorithm, which can be downloaded as an extension for GPG but is not open-source.

-Here's a scary thought: anyone with physical access to your computer can, by simply holding down a key combinaiton while restarting it, have complete, root access to every file on your hard disk. An easy way to prevent this is a script called secureIt, which password-protects this access (formally called single-user mode). If you're really determined to protect your Mac from physical access, try Apple's Open Firmware Password (link is to article about how to install it). This will prevent anyone from changing the boot sequence without a password - however, if you forget that password, you're in big trouble. Of course, if you really want your computer to be secure, lock it in a computer security cage along with these precautions to prevent all possible tampering by quick physical access (or use a security cable on your Mac's security port to make it harder to open up).

-Both WIndows XP and OSX 10.3 have functionality to use a hotkey to instantly and conveniently lock your workstation before stepping away from it. IN 10.2, you can do this with a program called SleepTight. Remember, though, that if you're using a machine intended for multiple users, no one else can log on until you unlock the screen if you do this.

-Most people have a lot of passwords, and have a hard time keeping track of them all - hence, the proliferation of a number of "password wallet" programs that have recently appeared on the market. The one I use is called CiphSafe, but it has since been discontinued (unfortunately). Still, if you don't care about using a fancy-looking database, you can just open a text file, enter your info, and encrypt it using PGP/GPG. One word of warning on doing this, though: when you enter your data, you must enter it all first, encrypt it, and only THEN save the file to disk - otherwise, the unencrypted version will be saved to disk and some of it may be recoverable by an unerase utility. Of course, there is also a risk of the file being written to the disk as virtual memory if you're running low on RAM, so be aware. My favorite way to do this is to encrypt and save the file to an encrypted disk image for multiple layers of protection, and have as few other programs open as possible to minimize writing of memory contents to disk. UPDATE: someone suggested to me that you can use the OSX Keychain to do just this, and indeed you can - simply open Keychain Access and use the GUI to enter logins by hand. The big problem with this is that most people's keychain password is the same as their login, and is completely unsecured when they are logged in. If you want to use the Keychain for password storage, use a different password than the one you use to login!

-Let's say you want to get rid of your computer/donate it to your local school or charity/sell it on ebay. Chances are, unless you take fairly extraordinary measures, all the personal data on that computer is still avaliable to a computer power-user that comes across it. Remember, just dragging a file into the trash doesn't actually delete it from the drive (10.3's Secure Delete for the trash does some obfuscation, but does not make that data completely irretrievable). To understand how this works requires a lot of detailed knowledge about magnetic storage mediums, but suffice it to say that even zero-formatting a drive or overwriting it a few times with random data won't stop a determined hacker with some fairly basic pieces of electronic equipment. In fact, if you don't want anyone at all getting access to your data, the best thing to do is take the drive to a disposal service and watch them melt it down into a metal lump. However, if the NSA isn't after your hard drive, and you want to keep the drive intact for someone else to use, your best bet is to use an algorithm invented by Peter Gutmann, which uses a 35-pass procedure to make your data irretrievable for just about anyone. Currently, I have only found one program capable of doing this: SPX, a program included in the $45 (with a free trial of some apps) AppleCore suite of programs. However, at this point the program is limited to deleting data on a file-by-file basis, and is not equipped to erase the free space on a drive to eliminate and personal files that had been trashed normally (as an aside, the AppleCore suite provides a number of other tools of varying degrees of usefulness for securing your computer, although I have found some of the other applications to be quite useful in situations where OSX is usually just annoying).


These programs can go a long way towards securing your computer - and your privacy, from intruders. However, remember that above all, being vigilant with your computer, avoiding risks if possible, and knowing what to do if your computer begins behaving suspiciously are the best ways to keep your personal information from falling into the wrong hands.

If you have a PC, idlecircuits.com also has a page with a variety of (mostly freeware) applications that you can use to secure your PC.

If you have any other freeware security programs that you think deserve a mention, email me and I'll give them a try.

- David Kibrick

Download Signed Version of this Page