Mac OS X Security

    February 20, 2006

Mac and Linux users aren’t used to turning on the news and hearing about security threats that affect us.

The Linux stuff doesn’t get reported because Linux is too geeky, and the Mac threats have been generally absent because there haven’t been many.

Well, two Mac issues popped up last week and caused a bit of excitement. The second of the two was really bogus, and probably never would have had any legs at all if the other one hadn’t happened. From

Inqtana.A has not been met in the wild and it uses Bluetooth library that is locked into specific Bluetooth address and the library expires on 24. February 2006. So it is quite unlikely that Inqtana.A would be any kind of threat.

Yeah, that and the fact that it’s already patched.

The other thing (and it is just a “thing” – it’s really not a virus and it’s barely a trojan worm) was quite exciting to some:

Virus Attacks Mac OS X Users:

“Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but this will leave them shell-shocked, as it shows the malware threat on Mac OS X is real,” said Graham Cluley, senior technology consultant for Sophos, in a statement. “Mac users shouldn’t think it’s okay to lie back and not worry about viruses.”

Ayup. Mac users should really worry about this one. It’s a picture. It doesn’t “attack”; somebody has to send it to you or you have to deliberately go download it. You have to uncompress it, and then click on it. Even then, if you aren’t running as an Admin user, it doesn’t get to do anything harmful. There’s a full writeup of it at New MacOS X trojan/virus alert, mostly a non-event.

It is true, however, that Mac (and Linux) folk tend toward being too lax about security. There are things you should be doing to protect yourself no matter what OS you are running. I’ll just run over some of them quickly here. There’s a good article at Mac Geekery – Basic Mac OS X Security but I am a bit more draconian:

Don’t carry a loaded gun around the house

What I mean here is don’t be root. On Mac OS X, the root account isn’t even enabled by default and ordinarily you’d want to leave it that way (use “dsenableroot” to enable or disable it).

Don’t even run as an Administrator account except when you need to. That’s a lot easier to do on Mac than it is on Windows (and there is no such thing on Linux in general), and Fast User Switching makes it painless to log in as an Administrator when you do need it. The point is to keep the firearms put away and locked up so they aren’t available for use.

If you have been using an Administrator account, don’t switch your account to a non-admin account as suggested in the Mac Geekery article. Just make a new account and start using that. Copy your files as you find you need them and you’ll also accomplish a nice house-cleaning.

Lock the doors

While you are logged in as an Administrator, visit the Security Pane in System Preferences and tell it to lock everything – check off “Require password to unlock each secure system preference”. That’s important and should be automatic. You might also consider disabling automatic login and requiring passwords to wake up from sleep, but those things are more for protecting against unauthorized use than virus and worm attacks.

While you are in there, check Sharing and make sure you aren’t running services you don’t need to run and that the firewall is enabled. You DO have a hardware firewall also, right?

“t00r” is not a password

Your passwords need to be really tough and you should not be using the same password all over the internet. Yeah, I know that means a lot of passwords, but it doesn’t have to be that hard. For example, for the dozens of sites that I need passwords for but that aren’t particularly critical if hacked (meaning that you could pretend to be me for a comment or whatever but can’t steal money), I use two basic passwords and add in part of the site name. For example, I might use “fru%78hfg” as one password. When I visit, my password is “fru%xyz78hfg” but if I visit, it’s “fruabc%hfg”. The positioning relative to the “%” is determined by the alphabet position of the first letter (the “a” in “abc”): under “m” means insert the three characters before the %, “n” on up means insert them after the %. This gives me unique passwords for each site, but I know what they are.

No automatic passwords, thanks anyway

In Applications, Utilities is the “Keychain”. If you opened that up on my machine, you’d find that it doesn’t know a single password. That’s partially a security measure, but it’s more of a convenience: I remember my own passwords because I want to be able to use them anywhere, anytime. I was working with someone the other day who wanted to check their Gmail and had to go back to their office to do it – they had no idea what their password might be! I know my passwords and can access whatever I want from wherever I am.

Macs are basically secure, and Mac users don’t have the constant problems that plague Windows. But Macs are not immune to security threats, and you shouldn’t be lazy and complacent about protecting yourself.

*Originally published at

A.P. Lawrence provides SCO Unix and Linux consulting services