The MacValley blog
Welcome to the MacValley blog, your first stop for all the latest MacValley news and views.
The MacValley blog Editor: Tom Briant
Thursday, April 12, 2012
Six Tips for Enhanced Mac Security
Hi Everyone:
This is the draft script I used for my April 2012 presentation on Mac security. You will also find a video in Mac .mov format showing the PowerPoint slides I showed during the presentation.
If you want the full presentation in PowerPoint .ppt format, go here to our Meetup page.
Here is the script:
How to Add Security to Your New Mac (or old Mac) in Six Easy
Steps.
Hello, I’m Tom Briant, editor of the Voice. Nils Jakobsen
won’t be joining us tonight. He got a new job in San Francisco. So, I’m his
replacement for tonight.
To begin with, let’s look at a stock MacBook Air that
someone just took out of the box and set up. When they press on the power
button, it comes to life immediately. Their desktop is ready to go. They don’t
share this machine with anyone else. It’s their machine exclusively. When the
screensaver comes on, they just press the Enter key to return to the Desktop.
Their home Wi-Fi network consists of their MacBook and the wireless router from
AT&T U-Verse. They surf the Net and read their e-mail from this one
account. Their administrative password is their mother’s name. All is seemingly
well.
So what’s wrong here?
Anyone who wants to use that machine just has to press the
Power button to reach the Desktop.
It doesn’t matter whether the owner wants them to or not.
If a message comes up saying that a program wants to be installed,
they only have to press “Yes” to install it. Malware could creep in due to
carelessness.
The screensaver doesn’t demand a password to return to the
Desktop. If they leave the laptop in plain view, anyone can get into it with
just a tap.
At least their home network has security. AT&T put a
password on the router in order to use it. If your router doesn’t require a
password, install one! You don’t want to share your Wi-Fi with other people you
don’t know.
Don’t surf the net and read e-mail from an administrative
account! Most malware depends on the owner still using the one
original administrative account they set up in the euphoria of opening the box.
If malware hits a standard account without administrative privileges, it’s
stymied.
If a hacker wants to attack your computer, they’ll try every
word in the dictionary as your password. Don’t make it easy for them by using a
common word as a password. Honor Mom by putting her picture up as wallpaper on
your Desktop instead.
So, what can you do to harden your Mac against attack?
First, turn off automatic log-in. Go to System Preferences
and select the Security & Privacy preference pane.
Now click on the padlock icon in the lower left-hand corner
of the preference pane. You’ll be prompted for an administrator password
(your Mom’s name) to make changes.
Disable automatic login for all accounts on this computer.
Require an administrator password to make changes in system
preferences with lock icons.
Log out after a specified period of inactivity.
Change the login window to show fields for the user name and
the password.
Second, require a password as soon as possible after sleep or
the screensaver begins.
Third, stop using that original administrative account to
surf the net or read e-mail. You’re most vulnerable when doing those
activities.
You may think that you have to set up a new standard account
and enter all your serial numbers for your software. You may not know where you
put those licenses. What are you going to do?
Here’s what to do. Set up a second administrative account
with a secure password. For a
minute, you’ll have two administrative accounts. Then you will go into Users
& Groups (or Accounts in previous OS X versions) to change your old
administrative account into a standard one.
You’ll still have your data intact. You won’t need to enter
license information that you can’t put your hands on just yet. You just won’t be able to install software
from that account so easily. And that’s a good thing.
Fourth, change your passwords regularly.
Fifth, harden your Wi-Fi router. Don’t use an unsecured
router. If you want to share Wi-Fi with someone, give him or her the password
and tell him or her not to spread it around.
At least two men with unsecured Wi-Fi routers have been
arrested on child pornography charges by the Feds. It took them some time to
convince the government they weren’t total criminal slime. They could have
avoided the problem by password protecting their Wi-Fi routers. It turns out their
neighbors borrowed some bandwidth to download child porn.
Sixth, tell Safari not to open “safe” downloads. There are
no safe downloads. You have to look at them first.
Go into Safari’s preferences and uncheck that preference.
Along with that, you want to go into the Finder and check
the Advanced preference to show all file extensions. One common malware trick
is to string two file extensions together. You see the name of the file as
“cutebunny.jpg” but the real name is “cutebunny.jpg.tgz”. If you let Safari
automatically decompress that file, who knows what might happen!
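To check a Downloads folder for the double-extension trick just described, here is an added example (not part of the original presentation) that flags names such as “cutebunny.jpg.tgz”. It goes beyond the one pair in the text by also handling stacked archive layers like “.jpg.tar.gz”; the two extension lists and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find files whose harmless-looking extension is followed by
# an archive or installer extension, e.g. "cutebunny.jpg.tgz".

# Extensions a user expects to be plain content (assumed list).
DECOY_EXTS="jpg jpeg png gif pdf doc docx txt mp3 mov"
# Extensions that unpack, mount, or run something (assumed list).
ACTIVE_EXTS="tgz tar gz bz2 zip dmg pkg app command sh"

# in_list WORD LIST: succeed if WORD is one of the space-separated items.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# is_double_ext NAME: succeed when NAME ends in <decoy>.<active>[.<active>...]
is_double_ext() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    peeled=0
    while :; do
        ext=${name##*.}
        [ "$ext" = "$name" ] && return 1       # ran out of dots
        in_list "$ext" "$ACTIVE_EXTS" || break
        name=${name%.*}                        # peel one archive layer
        peeled=1
    done
    [ "$peeled" -eq 1 ] && in_list "$ext" "$DECOY_EXTS"
}

# scan_dir DIR: print each suspicious file name found directly in DIR.
scan_dir() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        base=${f##*/}
        if is_double_ext "$base"; then
            printf '%s\n' "$base"
        fi
    done
}

# Usage: sh scan.sh ~/Downloads
if [ -n "${1:-}" ]; then
    scan_dir "$1"
fi
```

A plain archive such as “backup.tar.gz” is not reported, because no content-style extension sits underneath the archive layers.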
If I may, I’d like to add a number 7 tip. Regularly check
for software updates from Apple. That is #2 on the National Security Agency’s list of Mac
security tips.
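The settings from tips 1, 2, 3 and 6 can also be checked from Terminal. The following read-only audit is an added example, not part of the original presentation; it assumes the preference keys used by OS X releases of this period (later versions store the screensaver and Safari settings elsewhere), and the function names are made up for illustration. Run it from the account you use every day.

```shell
#!/bin/sh
# Added example, not from the original post: read-only audit of the tips above.
# Assumption: preference keys as used by OS X of this era; later releases
# moved some of them, so a FAIL there means "check by hand in the GUI".

# pref DOMAIN KEY: print the stored value, or nothing when the key is unset.
pref() { defaults read "$1" "$2" 2>/dev/null || true; }

check_autologin() {    # tip 1: no automatic login
    [ -z "$(pref /Library/Preferences/com.apple.loginwindow autoLoginUser)" ]
}
check_screen_lock() {  # tip 2: password right after sleep or screensaver
    [ "$(pref com.apple.screensaver askForPassword)" = "1" ] || return 1
    case "$(pref com.apple.screensaver askForPasswordDelay)" in
        0|0.0) return 0 ;;
        *)     return 1 ;;   # unset, or a delay in seconds
    esac
}
check_not_admin() {    # tip 3: the everyday account is a standard account
    ! id -Gn | tr ' ' '\n' | grep -qx admin
}
check_safari() {       # tip 6: Safari does not open "safe" downloads
    [ "$(pref com.apple.Safari AutoOpenSafeDownloads)" = "0" ]
}
check_extensions() {   # tip 6: Finder shows all file extensions
    [ "$(pref NSGlobalDomain AppleShowAllExtensions)" = "1" ]
}

# audit: print PASS/FAIL per check; exit status is the number of failures.
audit() {
    fails=0
    for c in check_autologin check_screen_lock check_not_admin \
             check_safari check_extensions; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Only run against real settings on a Mac; elsewhere just define the functions.
if [ "$(uname -s)" = "Darwin" ]; then
    audit || echo "$? setting(s) need attention"
fi
```

On the stock MacBook Air described at the start of the script, every check except possibly the Finder one would be expected to fail until the steps above are applied.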
This is great information. Everyone can and should read this over. It's thought provoking, and it can lead to security improvements that can help keep precious information safe.
And there's nothing more important than keeping private information private. Safe from prying eyes.
Cristael
I'm having a terrible time trying to figure out the words that tell people I'm not a robot. Any robot could figure them out better than any human can. :) Is there a way to make these words even semi-legible?
That said, this is an excellent article. I'm so glad to see it up so that I can review what we talked about at the May meeting.
Hello,
This post was inspired by a long weekend I spent browsing your blog! So thanks for what you do, and thanks for your comments here.