The Mac Security Blog
You probably use Mac OS X’s keychain to store user names and passwords. This is an encrypted file that gets “unlocked” when you log in to your Mac, in normal circumstances, and allows software to access data belonging to you. For example, when your e-mail program wants to check for new messages, it needs to send a user name and password; it gets the password from the keychain and sends it to the mail server.
By default, Mac OS X creates a keychain for you called “login,” and this keychain gets unlocked as soon as you log into your Mac. This means that if you use automatic login, not only are your files accessible, but your keychain is unlocked, so anyone who accesses your Mac can get your e-mail, or even access web sites for which you have saved passwords in your keychain.
The first thing to change is to turn off automatic login, which we discussed in a recent Mac security tip. But another security precaution to take is to create a non-login keychain, so when you do log in, your keychain stays protected until you enter a password.
To do this, open Keychain Access (in your /Applications/Utilities folder), then choose File > New Keychain . The program will ask you to name the keychain – you could use your user name or any other name – and then a password. Don’t use the same password that is assigned to your user account; the point of creating a second keychain is to have a different password in case your account is compromised.
After you’ve done this and created the keychain, it will appear in the sidebar of the Keychain Access application. Next, click on the login keychain, select all the items in the right-hand section of the window, and drag them to the new keychain. You’ll have to enter your password to do this. Moving these items means that they won’t be unlocked when you log in, and that they’ll only be available from your new keychain.
When you next try to access an item in the keychain, you’ll have to enter your password; not your user account password, but the one for the keychain you just created. By default, the first request unlocks the keychain, and the keychain will lock again in 5 minutes. If this is too soon, you can change the amount of time before it locks; you could choose, say, 30 minutes, so you don’t have to enter your password too often.
To do this, choose Edit > Change Settings for Keychain
Creating a separate keychain is the best way to protect your passwords from being discovered. Since the keychain password is different from your login password, the protection is doubled, and as long as the password isn’t easy to figure out, no one will be able to access your passwords.
When you first set up a new Mac, or when you do a clean installation of a new version of OS X, you create a user account, and that account is set, by default, to log in automatically at startup. This isn’t a problem when you’re at home, but if you use a laptop, and travel, this is a serious risk. This automatic login means that anyone who finds your Mac only needs to start it up to have access to your files.
You can change this, and tell OS X to display a login screen on boot. There are two ways to do this.
First, if you go to the Users & Groups pane of System Preferences, and click on Login Options, you’ll see a menu that lets you choose which user logs in automatically at startup, or you can choose Off from this menu to turn off automatic login.
The second way to change this is in the Security & Privacy preferences, again in System Preferences. If you click on the General tab, you’ll see an option to Disable Automatic Login.
Either way, turning off automatic login protects your data, and is only a slight encumbrance when you start up your Mac. You merely have to choose your user and enter your password to get to work. Think about making this change to protect your data from easily being grabbed by anyone who finds or steals your Mac.
When you first start up a new Mac, the Mac OS X setup assistant asks you for your name, a user name and a password, and uses this information to set up your first user account. Since there has to be at least one user with administrative rights on your Mac, that first account is an administrator account. While this is useful – you can install software, and perform other actions, after entering your password – it can also be risky.
First, let’s look at the two main types of user accounts. Administrators can, as we mentioned above, install any software, even if it requires an administrator’s password. They can access secure System Preferences; the ones with padlock icons. They can change permissions to files and folders (select an item, press Command-I, click the padlock at the bottom of the window, enter a password, then make changes to the Sharing & Permissions section). They can also perform other tasks, such as install fonts for all users, access external disks on Macs where they have accounts, create folders in locations other than in their home folder, run certain utilities that are off-limits to standard users, and use the sudo command in the Terminal application to access or make changes to any files, or to run certain commands limited to administrators.
However, there are risks to using an administrator account. An administrator may make mistakes; since they can change or delete any file, they may do so, accidentally. They can also install any software, which may be a risk, if the software is malicious.
Standard users, on the other hand, have limited access rights on a Mac. They can use, change and create files in their home folder, access folders on shared volumes if the permissions allow it, change settings to non-secure preferences in System Preferences, and install some software (if it doesn’t need to install items in the System or Library folders).
So while standard accounts are more limited, it can be useful to use a standard account, just to be safe, in daily work.
Assuming you set up a first administrator’s account with the name Alice, you can set up a second, standard account, with the name Alice2, or any other name. Log into that second account, and use it for your everyday activities, and to store your personal files. Whenever an administrator’s password is required, type Alice as the user name, and the appropriate password. While this will lead to some more password requests than if you were working under an administrator’s account, each of these requests should raise a red flag and make you think whether you should be entering your password. For if malware gets onto your Mac, it may need such a password to install itself (as we have seen with the different variants of the MacDefender fake antivirus).
While using a standard account is not thorough protection from malware – only a fully-featured malware and network protection program, such as Intego VirusBarrier X6 will provide the protection you need – it is protection from some types of malware, and can provide a warning that something is going on. It can also prevent you from blundering by deleting files that you didn’t mean to erase. So using two accounts is a tiny bit of hassle that is worth trying out to save you from potential problems.
We have written a lot about the MacDefender / MacSecurity / MacProtector fake antivirus in the past couple of weeks. These “scareware” programs try to trick you into installing their software, which then tells you that your Mac is infected with malware, even if this is not the case. They then offer to clean your Mac, for a fee. After you pay your “fine” by credit card, the programs tell you that your Mac is clean, even though it has cleaned out nothing but a part of your bank account.
This malware does not install itself, though, unless you enter a password. In the video we posted here, you can see that the Mac OS X Installer opens on its own, but it then waits for you to initiate the actual installation process. If you were to quit the installer application at that point, and delete the downloaded installation package, you would have nothing to worry about.
The most important moment, however, occurs when the Installer asks for your password. Even if you have proceeded with the installation, you still need to enter your password for it to complete.
You should see any password request as an alert, and you should ask yourself why you are seeing this password request, and what is causing it.
It is common to get password requests on your Mac; a number of programs, or system functions, will ask for it. For example, you may get such requests to unlock your keychain (this stores your passwords; depending on the settings on your Mac, you may get requests from this function). You’ll generally get password requests when connecting to another computer on a network, or when connecting to an iDisk (if you have a MobileMe subscription). And, you’ll often get password requests when installing software. In this case, the password required is that of an administrator.
There are two types of accounts on Macs: standard accounts and administrative accounts. The latter is the type you have if you have just one user account; you may also have standard accounts if you have created other user accounts on your Mac. If users with these accounts try to install software that accesses certain parts of the operating system, they’ll need an administrator to enter a password to allow the installation to take place.
So, when you install software – when you initiate the installation, not when a web page downloads software and launches the Installer application – it is normal that you enter a password. When certain system functions ask for your password, this is normal too. However, make sure that these are real system functions. There are only a handful of Mac OS X functions that may ask for passwords. These include accessing disks or volumes, especially those on a network; unlocking your keychain, in certain cases; installing software updates via Apple’s Software Update program; and accessing certain system preferences, which have padlock icons on their windows. You may also need to enter your password when you log in to your Mac if you don’t have it set to automatic login, but this occurs on a special login window. Other applications may ask for passwords as well, but not with the same window as shown above.
If you are careful about entering your password, your risk of installing a Trojan horse is greatly decreased. Naturally, there are other types of malware, and we strongly recommend the use of VirusBarrier X6 to protect against these. But with simple, safe computing techniques, you can protect yourself from the current fake antivirus that has become quite widespread.
When we inform you about new security updates, we often specify the version numbers of the new applications. In some cases, you can run an application’s built-in updater to see if you’re up to date, but in others you may want to check an application and see what version it is. Here’s how you can check for version numbers in different types of applications.
Getting version information for Mac OS X
To find which version of Mac OS X you are using, you need merely check in a menu. Click on the Apple menu, then choose About this Mac. A small window displays, giving you information about your Mac, and which version of Mac OS X you’re using:
As you can see in the screenshot above, the version of Mac OS X is 10.6.7. If you click on that text, you will see the build number (a sort of sub-version number), and if you click again, you’ll see the serial number of your Mac.
Below this is a Software Update button. This opens the Software Update application, and checks for new versions of Mac OS X and other Apple software. We discussed using Software Update in an earlier Mac Security Tip.
As you can see, there is more information in this window: the type of processor, the amount of memory, and the name of the startup disk. If you click More Info, the System Profiler application opens, giving much more detailed information about your Mac, its hardware, peripherals, software and more.
Getting version information for applications
There are several ways you can find out the version of a specific application. If the application is running, choosing the application name > About application name menu displays an About box giving you information. For example, in iTunes, you would choose iTunes > About iTunes and see this window:
You can also find version numbers from the Finder. Click on an application to select it, then press the spacebar; a QuickLook window displays, showing the version number, size and last modification date.
Finally, you can select an application and press Command-I, to see the following:
You see the kind, size and location, creation and modification dates, and the version number.
Getting version information for browser plug-ins
Plug-ins are software elements that are used by web browsers, often to display certain types of content, such as Flash, Java or others. Your web browser can tell you which plug-ins you have installed, and which versions. In Safari, choose Help > Installed Plug-Ins. A web page displays giving a list of the plug-ins, their versions, and the types of content they manage. In Firefox, choose Tools > Add-Ons to see not only plug-ins, but also extensions and other types of add-ons. (To view Safari extensions, choose Safari > Preferences, then click the Extensions icon.)
While there are several procedures above to view information for different elements, it’s pretty simple to find out which versions of software you are running. Whenever you have doubts about whether your software is update, use these techniques to find out whether you need to download new versions of your software.
In our last Mac Security Tip, Securely Erase Trash, we explained that you can securely overwrite files, but pointed out that this may not be as secure as it seems.
When a computer writes a file to a hard disk the first time – when you first save a new file – it is stored in one location. When you next save the file, such as after you’ve written some text or entered some data in a spreadsheet, your Mac saves it in a different location, because it cannot safely overwrite the first version. And the next time you save the file, the same thing happens again. So each time you save a file, the new version gets written to a new location. Because of this, the final file that you securely delete is not the only trace of the contents of that file.
Let’s say that you’ve saved a file ten times, then securely deleted the final version; there are still a possible nine other versions of the file on your hard disk. The spaces where this data are written are not protected; other files can be written there. But you cannot be sure that this is the case, and there is the possibility that the free space on your hard drive contains confidential data that may be recoverable by disk rescue software.
With Apple’s Disk Utility (located in your /Applications/Utilities folder), you can erase the free space on your hard disk. Launch the program, select your disk in the sidebar, then click on the Erase icon in the toolbar. Click on the Erase Free Space button to see your options:
You can choose from three options here:
- Zero Out Deleted Files: this writes zeroes over all the free space on your disk.
- 7-Pass Erase of Deleted Files: this writes zeroes seven times over the free space, and takes seven times as long.
- 35-Pass Erase of Deleted Files: this is for the truly paranoid; it writes zeroes 35 times, and takes a very long time.
In most cases, the first option is sufficient, but even if you zero out the deleted files, some disc recovery software may be able to recover data. So the 7-pass erase is probably safer if you’re worried about very confidential files.
This is certainly not an everyday operation. However, if you work with confidential files and are selling a computer, giving it to someone, or even sending a computer for service, you might want to do this. The same options are available from the Erase tab when you erase the entire disk or partition.