Thursday, January 27, 2011

Sophos Top tips for Mac OS X security - Part 1
And my commentary

--
While I polish up Parts II and III of my 2010 Mac security summary, here is an article Sophos posted on Christmas day. It is the first in a series of articles to help Mac users secure their Macs. For advanced users, this is old news.

Top tips for Mac OS X security - Part 1

For users new to the concepts in this article, it is important to note that each added layer of security typically adds a layer of difficulty for the user. Using the points from this article, here are some useful examples:

1) Disable Automatic Login: This is absolutely critical. But it means there is not automatic logging in and booting of your user account ever again. That is a GREAT thing for security. But there are always newbies who complain. I say tough. But I'm a grizzly old meanie when it comes to personal responsibility. If you are of a more personable personality, talk over with your users exactly what happens when a hacker accesses their computer: Everything of yours is now their's. Everything. Once people think about that, they tend to want to protect their computer.

2) Set a Firmware Password: This is incredibly brilliant for stopping that big, Huge GAPING SECURITY HOLE in Mac OS X: Booting onto anyone's Mac via any compatible Mac OS X installation disc. Once booted from these discs, it is dirt easy to remove and change the Administrator account password. Once changed, that Mac is PWNED! Setting a firmware password stops that DEAD. However! There are other results as well. These include losing the ability to easily change your Startup Disc. You can't boot with the Option key down to change startup discs. You can't simply click on a new volume in the Startup Disc preference pane. The result can be quite annoying if you frequently change them, for example to use another volume on your Mac for repairing your main boot volume, which I do regularly.

3) Encryption is a good idea:

--3A) Boot Drives:

On Mac OS X you are allowed to use FileVault (found in the Security preference pane) to encrypt your User accounts. If you have critical data that should NEVER fall into other people's hands, this encryption is CRITICAL! Do it. However! You've got to consider some consequences:  

First, you can no longer access that volume from another boot volume. No more repairing it from elsewhere.

Second, you MUST keep all your critical data specifically in your User account and NOT anywhere else on your boot volume. Again, only the contents of your user account Home folder is encrypted.

Third, updating Mac OS X to a new version is a bit more of a PITA if items in your Home folder have to be updated.

Fourth, there is a minor slowdown of your machine due to the constant decryption of your data then reencryption of new data.

And you'll find other minor annoyances.

If you have a critical machine, all of three of these steps are important. Think of the added user annoyances as added 'Cost Of Doing Business' that you cannot do without. Live with them and appreciate that they provide you with solid and important security.

Question: Is it important to encrypt your entire hard drive?

Answer: NO, not if you keep ALL your critical data inside your Home folder. Everything else on your hard drive should not be of any consequence. All of it should be files and folders and apps that anyone could obtain any day of the week. Therefore, getting them off your computer is trivial. What you must protect is UNIQUE data that only you and trusted colleagues should ever see.

Question: But, but, but, some security expert firm says blahblahblah!!!

Answer: They are either being extremists or they want to sell you something. For example, Sophos use their article to try to sell you their 'SafeGuard Disk Encryption for Mac' that encrypts absolutely everything on your Mac. If you see a point in further slowing down your Mac and keeping publicly accessible System files away from bad guys, fine. Go buy it. I personally see no reason for it.

The only possible exceptions I can imagine are if you are a developer or software tester who has something unique installed into their system, such as a custom .KEXT extension file, that there is no way on Earth you want anyone to obtain. Then I'd encrypt everything.

--3B) External Drives:

YES! Encrypt them! They have your data on them. This includes everything from CDs you burn to DVDs to Flash drives to attached hard drives. ENCRYPT THEM ALL!

There are lots of great programs to accomplish this for you, many of which are simple Drag And Drop apps that encrypt then put the encrypted file onto your external drive for you. Some of them will alert you if you attempt to put anything unencrypted onto a drive, 'user-minder' apps if you will. These are great to have.

--3C) Wi-Fi Encryption:

YES OF COURSE! It is so easy to forget that free Wi-Fi spots continue to provide ZERO PRIVACY. If you don't have to sign in to a Wi-Fi spot, your data and/or your cookies to websites are IN THE CLEAR, meaning you can expect them to be stolen by anyone else also connected to that router. This is why the Firesheep hacking tool was made public: To force people, Wi-Fi spot owners and website owners to WAKE UP and force encryption or account privacy at all times. Very very slowly the world is catching on. But I fully expect encryption/privacy cluelessness to last well on into the very distant future. Some people are never going to understand. That includes members of my own family! Be nice to them and if need be, set up encryption and privacy on their routers for them.

As Sophos publish further Mac OS X security tips I will provide further links and further commentary.

Share and Enjoy!
--

No comments:

Post a Comment