updated 081220001622







Introduction

The Mac OS platform can be secured as well as any other standard system if the user follows certain checks and safeguards. There are even security bonuses with the Mac OS - compared to other operating platforms, very few trojans or viruses have been developed for these systems - unlike Windoze environments which are under constant attack from the latest problem programs. This info file has been written to help individual Macintosh users ensure good security in their system environments. This guide assumes that you have a basic working knowledge of Macintosh OS and can comfortably navigate your way around the system and install software.

Links in blue refer to pages on the security.tao.ca main site that have detailed background information on the subject mentioned.



should this title be here? Levels of Security?

A quick way to test the overall level of security on your Mac (or just to show yourself how easy it is to gather pertinent data from it) is to look at the data that can be gathered from your Preferences and Settings files either manually or using a program like ResEdit or a small utility like Ferret (home - download).

Ferret output window


Ferret will gather the saved 'access information' from preferences and settings files (including AIM, Apple File Sharing Registry, FreePPP, Gerry's ICQ, Internet Control Panel, MacSLIP, Netscape Communicator, OT/PPP and ARA, and more) on any mounted volume. It can even decrypt some passwords, all in under 60 seconds for most volumes.

This is a good first exercise to see what is sitting on, or very close to surface level on your computer - and thus, accessible to anyone sitting down at your machine or intruding on it remotely.



Your Macintosh System

The first thing to recognize is that there are many ways that a machine may be compromised. Viruses, software with built-in trojan horses, keylogging software and remote admin programs can all be easily installed (either physically or remotely) on your machine, and used to keep tabs on your computer and the files that it processes and runs.

To help ensure you are not running software that puts the security of your machine at risk, you should perform clean system software installations on a regular basis. System software should be obtained only from a reputable source. If for some reason you have any doubts about the system software in your possession, get a new copy directly from Apple.

One thing to do right away upon a new system install is to delete, or at minimum move to a disabled folder, the following items.

    System 9.0+

    Web Sharing extension & control panel
    location: HardDrive:System Folder:Control Panels:Web Sharing; System Folder:Extensions:Web Sharing Extension

    Personal Web Sharing is server software that is installed with a lot of Macintosh operating systems. Remove it unless you really plan on running a web server from your home computer.

    Multiple Users extension
    location:

    Also recognize that the Multiple Users support in OS 9 (allowing you to set different levels of access to your machine) is very easy to break through with nothing more than a startup CD or via several other methods. "Multiple Users" is not secure.

    Find By Content extension and folder
    location: HardDrive:Extensions:Find By Content; HardDrive:Extensions:Find: (entire "Find" directory)

    Find by Content automatically indexes your Hard Drive for use by Sherlock

    Remote Access control panel
    location: HardDrive:Control Panels:Remote Access

    Allows access from

    Software Updater 2 extensions & control panel
    location: HardDrive:Control Panels:Software Update; HardDrive:Extensions:Software Update Engine; HardDrive:Extensions:Software Update Scheduler

    Modem control panel
    location: HardDrive:Control Panels:Modem

    If you use an ADSL or Cable connection and do not use your internal or external dialup modem at all, disable this control panel so that it can't be used by Remote Admin or Trojan software.



    System 8.5









Remember that all software residing on your hard drive that is not stored in an encrypted partition or disk is at risk of incursion. Clean installs of other important software are also a good idea. Check cryptographic signatures on software distributions that are signed.

Mac OS 9 has introduced the Apple Verifier utility (located: HardDrive:Applications:Security).
With it you can verify whether a Mac OS file or program that you've downloaded from the Internet is from the authorized sender and has not been modified, by checking its digital signature.

10/20/99 - 60481 - Mac OS 9: File Security - Verifying Digital Signatures http://tcl.info.apple.com/techinfo.nsf/artnum/n60481



Detection

The Detection Section of this model covers policies and procedures that enhance the chances for the system administrator or user to detect improper or unauthorized use of a Macintosh using MacOS V7.5.x. The policies and procedures discussed in this section tie directly into the actions listed in the Background, Prevention, Awareness, and Recovery sections.

Recording System Defaults

When a Macintosh is accessed by an unauthorized user, there is a possibility that the system software, application software, and documents will be modified or deleted. When an unauthorized access is detected, the system administrator should check the Macintosh for modified and deleted files, hidden files, viruses, trojan horses, etc., and then restore the Macintosh to its original state.

Keeping accurate information on the default system configuration is an easy way to detect and defeat an unauthorized user in this regard. The routine procedure of making system backups, comparing current and archived files for unexpected changes, and reviewing the Startup Folder, Shutdown Folder, Extensions Folder, and Preferences Folder for unexpected additions or changes will help the system administrator and users detect unauthorized activity.

ACTION: Implement a routine schedule of complete system backups. Periodically verify that the backups are usable. Check the default system configuration for any unexpected changes.

Paving your hard drive

Do not download and use software from any ftp or web sites that are suspicious in any way. This includes a lot of free web page servers...

Know what software is installed on your computer. Beware of spyware products and other snake oil.

System Integrity

After re-installing a clean Operating System on your Mac and software from verified sources.

Installer Observer 3.02 (home - download PPC / 68k) is a program designed to aid users in determining exactly what an Installer/Updater/Trojan Horse/Whatever has done to their system. One should use it to first Scan folders within and/or including their System folder and save a snapshot of those folder(s) if necessary. Then, after running the Installer/Updater/Trojan Horse/Whatever, he or she should load the saved system state if necessary and have Installer Observer Examine the changes made by the Installer/Updater/Trojan Horse/Whatever. Installer Observer will report new files/folders, files/folders that have been removed, and files/folders that have been changed.
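The snapshot-and-compare procedure described above, which also covers the routine comparison against recorded defaults in the Detection section, as an added example (not Installer Observer's code and not part of the original guide). The folder and file names are constructed, and it hashes only what ordinary file APIs return, so classic Mac OS resource forks are not covered.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Return {relative path: (size, SHA-256)} for every regular file under root."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            state[rel] = (os.path.getsize(full), digest.hexdigest())
    return state


def save_snapshot(state, path):
    """Write the baseline to a file; keep that file off the machine or on an encrypted disk."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(state, fh, indent=1, sort_keys=True)


def load_snapshot(path):
    """Read a saved baseline back (JSON stores the tuples as lists)."""
    with open(path, "r", encoding="utf-8") as fh:
        return {rel: tuple(entry) for rel, entry in json.load(fh).items()}


def compare(before, after):
    """Report new, removed and changed files between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        # Comparing the hash catches edits that keep the file size the same.
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed System Folder: take a baseline, simulate an installer, diff."""
    with tempfile.TemporaryDirectory() as system, tempfile.TemporaryDirectory() as vault:
        def write(rel, data):
            path = os.path.join(system, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        # Constructed "clean install" state.
        write("Extensions/Web Sharing Extension", b"v1")
        write("Control Panels/Memory", b"v1")
        write("Preferences/Internet Preferences", b"dialup=off")

        # The baseline lives outside the tree being watched.
        baseline = os.path.join(vault, "baseline.json")
        save_snapshot(snapshot(system), baseline)

        # Simulated installer: adds one file, edits one in place, removes one.
        write("Extensions/Unknown Logger", b"payload")
        write("Preferences/Internet Preferences", b"dialup=on!")
        os.remove(os.path.join(system, "Control Panels", "Memory"))

        return compare(load_snapshot(baseline), snapshot(system))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A file that appears under "added" in Extensions, Control Panels or Startup Items without a matching install you performed is the case the guide asks you to investigate.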

Utilities such as WhoInstalled 1.1.2 (home - download)

A copy of the "snapshot" should be kept in a secure place, preferably on an encrypted disk.

Virtual Memory, RAM and Memory caches

If at all possible you should not be using Virtual Memory at all (see above), but if you are, its contents can be erased after you disable it in the Memory control panel: restart your computer and then wipe all the free space on your hard drive.

Virtual Memory uses space on your Hard Drive as Virtual RAM, in essence storing everything from your RAM on your Hard Disk.

Solution: Buy enough RAM so you do not have to use Virtual RAM and turn it off in the Memory control panel (located: HardDrive/System Folder/Control Panels/Memory)

A few simple precautions need to be taken to assure the absolute secrecy of your data. First of all, NEVER run Enigma with virtual memory on; an image of the clear-text or key could be left on your hard disk. See the Memory control panel for this switch. This caution applies to the new "enhanced" virtual memory tools such as OptiMem and RamDoubler as well. If you can't live without these utilities just be sure to always run Enigma when you have plenty of free (real) RAM.





KeyLogging, Trojans and Remote Admin

Detection

Manually checking your System Folder to know what belongs there after a clean system install is a good idea. You can use a program like ResEdit so you can see all invisible files and folders on your hard drive.

It's always a good idea to inspect your Extensions, Control Panels and Startup Items folders and take a look for any strange files.

Monitoring System Processes

Cone Of Silence (home - download) was developed to detect key-logging software running in the background on your computer. It is a great little utility for detecting keylogging software, but what works even better is...

System process watchers like Peek-A-Boo 1.5 (home - download), ProcessInfo 1.3.1 (home - download) and ProcessWatcher 3.2 tend to be the best method of detecting any strange processes running in the background on your computer.


Peek-A-Boo window



Strong Encryption

The files and information stored on your computer can only be kept from most eyes by encrypting them.

Read more about encryption...

Disk Encryption

Encrypting your hard drive is an ideal solution to many security problems. Large amounts of data, including software, can all be stored safely inside an encrypted partition. Users or groups can be given their own encrypted partition.

The only really good option out there is PGP Disk and it has been distributed free with several versions of PGP for the Macintosh. It allows for PGP partitions of sizes from ???k fitting on a floppy all the way up to 2000 MB.

PGP and PGP Disk versions below 6.5.1 are not compatible with Mac OS 9.0+

Download:


Harden Your Browser

Use 128 bit encryption only.

Secure Socket Layer (SSL) allows you to have secure access to a web site or certain pages on a web site. Connections always use the prefix https:// (Secure HTTP) instead of http://. You can usually find out if a server has SSL available by trying their normal url and adding the s. You can tell if you are connected using an SSL connection by looking at the bottom bar of your browser. Depending on what browser you are using you will see a closed lock instead of an open lock, or a key with one (40 bit) or two (strong encryption) teeth instead of a broken key.

You can test your browser's encryption strength by using Fortify's test page.

Snake Oil

Good cryptography is an excellent and necessary tool for almost anyone. Many good cryptographic products are available commercially, as shareware, or free. However, there are also extremely bad cryptographic products which not only fail to provide security, but also contribute to the many misconceptions and misunderstandings surrounding cryptography and security.

Read "Snake Oil Warning Signs: Encryption Software to Avoid" (local original pdf version)



File Sharing and Apple Talk Networks

Turn off File Sharing when connected to the net.

If you're not connected to an AppleTalk Network, disable AppleTalk.

E. For Macintosh systems, disable file sharing and web sharing extensions unless absolutely required. If file sharing must be enabled, ensure strong passwords for access, and stop file sharing during periods in which it is not required.

To permanently disable Web sharing in MacOS 8 or MacOS 9, remove two files and restart:
System Folder:Control Panels:Web Sharing
System Folder:Extensions:Web Sharing Extension

To permanently disable AppleShare/IP in MacOS 9, remove one file and restart:
System Folder:Extensions:Shareway IP Personal Bgnd

If you need to use an AppleTalk network you should seriously consider using Public Key Authentication for AppleShare (home - download) or some other type of encrypted Virtual Private Network like PGPNet.



The Internet

Firewalls

If you are connecting to the internet at all, even via a dialup 300 baud modem, you should be using at least a software firewall at all times.

There are really only two products out there for the Macintosh: NetBarrier and DoorStop.

While they are both great products I recommend NetBarrier, as its interface is easier to use and it has a few more bells and whistles.

It also provides some other good options such as:

Full logging and a Fully customizable Rules set.........

Internet Control panel info

Internet Browsers

Browser bookmarks, caches and histories are all very easily viewable. There are even utilities to help make it really easy, like Netscape History 3.0.3.

ICab

Explorer

Netscape:

about:memory-cache (you'll see the memory cache)
about:image-cache (you'll see a list of the cached images...)
about:global (you'll see global history entries)
about:cache (you'll see all disk cache statistics)
about:document (you'll get a new window with info about the current document)

Customize your Netscape Communicator preferences for your privacy and security:

step #?

Select Preferences from the pull down Edit menu.
In your Preferences make the following changes:

  • Click on Navigator, change Navigator starts with to Blank Page if it is not already. Delete the Home page location: so it is empty. Change the Visited links expire after to 1 day. You can also clear your History by clicking on Expire now.

  • Click on Smart Browsing, make sure Enable "What's Related" is not checked, also make sure Enable Internet Keywords is not checked. http://www.interhack.net/pubs/whatsrelated/

    Eudora No Log plugin NoLog by Andrew Starr turns off Eudora logging. http://www.emailman.com/eudora/mac/macfiles/nolog.sit.bin

    Edit headers plugin http://www.emailman.com/eudora/mac/plugin.html



    Traces on your computer

    Hard Disk

    As you probably already know, what you throw in the Trash is not actually erased when you empty the trash. It is an amazingly simple process to run Norton UnErase or another data recovery tool and get dozens of files that you have "deleted".

    In order for any file to be securely deleted you should use some type of data overwrite utility.

    Even files that are encrypted should be securely destroyed.

    Free Space Wiping

    There are many utilities for the Mac that are supposed to overwrite data securely. We recommend Burn 2.5 (home - download). In order to securely delete data you should set the preferences to use a Random Pattern and overwrite data 13 times.

    ? PGP Wipe - http://www.McCune.cc/PGPpage2.htm#Wiping

    --- Expert Witness for Macintosh, version 3.6 Registered users of Expert Witness for Macintosh should make sure they are running the latest version. ---

    File Resource Headers

    info.....

    Wipe Resource Headers 1.0 (home - download)

    20 July, 2000 - I found out at MacHack this year that Mac OS 9.0.4 actually wipes the resource header when it creates a new file. Cool. They're obsoleting this product for me. Of course any files you'd created before you installed 9.0.4 could still have sensitive information in the header, but at least new files won't.

    Postscript File Headers contain email addresses from Internet Config...... StripAPost



    PGP Tips

    Your secret keyrings, if you do happen to be using PGP! These are protected by your passphrase, so I hope you've got a realllllly long one, and it's not something any average cracker will be able to pick, and you're not running any keypress macro recorders or typing sniffers, and you've not got any Trojan Horses or Password Targeted Viruses busy siphoning off your passwords and passphrases, and you trust all the software you run on your PC, even Micro$oft's recent "on line sniffing programs"

    PGP Preferences, keys and RNDSeed all normally located in your System Folder (YourHardDisk/System Folder/Preferences/Pretty Good Preferences) should be moved to your encrypted PGP Disk partition.

    Set Auto-Unmount to a low amount of time. This way if you walk away from your computer and forget to unmount your PGP Partition it will attempt to auto-unmount it.



    Other Tips and Tricks

    Startup & ScreenSaver Security

    Most if not all password protection schemes on the market for the Mac OS can be bypassed or broken via numerous methods. You should never rely on them.

    They may keep out a typical layperson, a nosy person and even some hired investigators, but they won't keep any Security Professional out for very long.

    Encrypted partitions/disks are the only real solution.

    Apple's startup password security features have been plagued by security and other bugs throughout their history. They may be good enough to keep lots of people out but are almost always accessible through a backdoor or some other means.

    Using Mac OS 9's Multiple Users feature you can have a password at startup. If you need very strong security, or are not running Mac OS 9 you may need to purchase a third-party solution such as a screen saver, or other security software.

    Passwords

    Use secure pass phrases for your System and Internet related programs. But beware that a lot of software out there does not use very secure encryption for password storage and some of them use none at all.

    Stayaway 1.0 will break the encryption algorithm used on the MacOS Users & Groups Data File, On Guard, Internet Config, FreePPP, Virex Control Panel, FTP Transmit, and Keep Out!

    Choosing not to Save the password in the program, if it gives you the option, and moving the application's applicable preference/setting file to a secure encrypted disk/partition and replacing it with an Alias may also help solve this problem.

    Do not use the same passwords for System/Internet related programs and other more secure and much more important applications such as PGP, Web Confidential, etc.



    References

    Sites:

    security.tao.ca - http://security.tao.ca

    Secure Mac - http://www.securemac.com

    Mac Security

    Pure Mac's - Paranoia software section

    Articles:

    Secure Deletion of Data from Magnetic and Solid-State Memory - http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html


    Info Sources

    Encryption:

    A Basic Introduction to Crypto
    Why Cryptography Is Harder Than It Looks - By Bruce Schneier
    Minimal Key Lengths For Symmetric Ciphers to Provide Adequate Commercial Security

    Newsgroups:











    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Apple Network Administrator Toolkit 2.0: Read M
    http://til.info.apple.com/techinfo.nsf/artnum/n30217
    
    
    06/01/2000 - 24417 - Macintosh Server G3: Setting Up For Remote Administration
    http://til.info.apple.com/techinfo.nsf/artnum/n24417
    
    05/29/2000 - 60092 - Mac OS X Server: Why and Why Not Allow Remote Login
    http://til.info.apple.com/techinfo.nsf/artnum/n60092
    
    
    08/04/98 - 24514 - TCP/IP: Ports And Firewalls Explained
    http://til.info.apple.com/techinfo.nsf/artnum/n24514
    
    
    04/10/2000 - 60480 - Mac OS 9: File Security - About Digital Certificates and Keys
    http://til.info.apple.com/techinfo.nsf/artnum/n60480
    
    
    10/20/99 - 60482 - Mac OS 9: File Security - Creating a Keychain
    http://til.info.apple.com/techinfo.nsf/artnum/n60482
    
    
    10/20/99 - 60621 - Mac OS 9: File Sharing Security
    http://til.info.apple.com/techinfo.nsf/artnum/n60621
    
    
    10/20/99 - 60487 - Mac OS 9: File Security - Encrypting and Decrypting Files
    http://til.info.apple.com/techinfo.nsf/artnum/n60487
    
    
    10/20/99 - 60485 - Mac OS 9: File Security - Using Your Keychain On Another Computer
    http://til.info.apple.com/techinfo.nsf/artnum/n60485
    
    10/20/99 - 60523 - Mac OS 9: File Security - Forgotten Passphrase
    http://til.info.apple.com/techinfo.nsf/artnum/n60523
    
    10/20/99 - 60486 - Mac OS 9: File Security - Protecting Files, Folders, and Disks
    http://til.info.apple.com/techinfo.nsf/artnum/n60486
    
    10/20/99 - 60483 - Mac OS 9: File Security - Choosing a Good Password
    http://til.info.apple.com/techinfo.nsf/artnum/n60483
    
    10/20/99 - 60524 - Mac OS 9: File Security - Items That Cannot Be Encrypted
    http://til.info.apple.com/techinfo.nsf/artnum/n60524
    
    10/20/99 - 60484 - Mac OS 9: File Security - Changing Keychain Settings
    http://til.info.apple.com/techinfo.nsf/artnum/n60484
    
    
    
    
    
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.sans.org/topten.htm
    
    
                       7. Global file sharing and inappropriate information sharing via NetBIOS and 
                       Windows NT ports 135->139 (445 in Windows2000), or UNIX NFS exports on port 
                       2049, or Macintosh Web sharing or AppleShare/IP on ports 80, 427, and 548. 
                       
                       These services allow file sharing over networks. When improperly configured, they can expose critical system files or give full file system
                       access to any hostile party connected to the network. Many computer owners and administrators use these services to make their file
                       systems readable and writeable in an effort to improve the convenience of data access. Administrators of a government computer site used
                       for software development for mission planning made their files world readable so people at a different government facility could get easy
                       access. Within two days, other people had discovered the open file shares and stolen the mission planning software.
    
                       When file sharing is enabled on Windows machines they become vulnerable to both information theft and certain types of quick-moving
                       viruses. A recently released virus called the 911 Worm uses file shares on Windows 95 and 98 systems to propagate and causes the
                       victim's computer to dial 911 on its modem. Macintosh computers are also vulnerable to file sharing exploits.
    
                       The same NetBIOS mechanisms that permit Windows File Sharing may also be used to enumerate sensitive system information from NT
                       systems. User and Group information (usernames, last logon dates, password policy, RAS information), system information, and certain
                       Registry keys may be accessed via a "null session" connection to the NetBIOS Session Service. This information is typically used to
                       mount a password guessing or brute force password attack against the NT target.
                       Systems Affected: 
                       UNIX, Windows, and Macintosh systems.
    
                       CVE Entries: 
                       SMB shares with poor access control - CAN-1999-0520
                       NFS exports to the world - CAN-1999-0554
                       These candidate entries are likely to change significantly before being accepted as full CVE entries.
    
                       Advice on correcting the problem:
                       A. When sharing mounted drives, ensure only required directories are shared.
    
                       B. For added security, allow sharing only to specific IP addresses because DNS names can be spoofed. 
    
                       C. For Windows systems, ensure all shares are protected with strong passwords.
    
                       D. For Windows NT systems, prevent anonymous enumeration of users, groups, system configuration and registry keys via the "null
                       session" connection. 
    
                       Block inbound connections to the NetBIOS Session Service (tcp 139) at the router or the NT host.
    
                       Consider implementing the RestrictAnonymous registry key for Internet-connected hosts in standalone or non-trusted domain
                       environments:
    
                             NT4: http://support.microsoft.com/support/kb/articles/Q143/4/74.asp
                             Win2000: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
    
                       E. For Macintosh systems, disable file sharing and web sharing extensions unless absolutely required. If file sharing must be enabled,
                       ensure strong passwords for access, and stop file sharing during periods in which it is not required.
    
                       To permanently disable Web sharing in MacOS 8 or MacOS 9, remove two files and restart:
                       System Folder:Control Panels:Web Sharing
                       System Folder:Extensions:Web Sharing Extension
    
                       To permanently disable AppleShare/IP in MacOS 9, remove one file and restart:
                       System Folder:Extensions:Shareway IP Personal Bgnd
     
     
     
     
     
     
     
     
     
                       Perimeter Protection For An Added Layer of Defense In Depth
                       In this section, we list ports that are commonly probed and attacked. Blocking these ports is a minimum requirement for perimeter
                       security, not a comprehensive firewall specification list. A far better rule is to block all unused ports. And even if you believe these ports
                       are blocked, you should still actively monitor them to detect intrusion attempts. A warning is also in order. Blocking some of the ports in
                       the following list may disable needed services. Please consider the potential effects of these recommendations before implementing them.
    
                           1.Block "spoofed" addresses-- packets coming from outside your company sourced from internal addresses or private (RFC1918
                             and network 127) addresses. Also block source routed packets. 
                           2.Login services-- telnet (23/tcp), SSH (22/tcp), FTP (21/tcp), NetBIOS (139/tcp), rlogin et al (512/tcp through 514/tcp) 
                           3.RPC and NFS-- Portmap/rpcbind (111/tcp and 111/udp), NFS (2049/tcp and 2049/udp), lockd (4045/tcp and 4045/udp) 
                           4.NetBIOS in Windows NT -- 135 (tcp and udp), 137 (udp), 138 (udp), 139 (tcp). Windows 2000 - earlier ports plus 445(tcp and
                             udp) 
                           5.X Windows -- 6000/tcp through 6255/tcp 
                           6.Naming services-- DNS (53/udp) to all machines which are not DNS servers, DNS zone transfers (53/tcp) except from external
                             secondaries, LDAP (389/tcp and 389/udp) 
                           7.Mail-- SMTP (25/tcp) to all machines, which are not external mail relays, POP (109/tcp and 110/tcp), IMAP (143/tcp) 
                           8.Web-- HTTP (80/tcp) and SSL (443/tcp) except to external Web servers, may also want to block common high-order HTTP port
                             choices (8000/tcp, 8080/tcp, 8888/tcp, etc.) 
                           9."Small Services"-- ports below 20/tcp and 20/udp, time (37/tcp and 37/udp) 
                          10.Miscellaneous-- TFTP (69/udp), finger (79/tcp), NNTP (119/tcp), NTP (123/tcp), LPD (515/tcp), syslog (514/udp), SNMP
                             (161/tcp and 161/udp, 162/tcp and 162/udp), BGP (179/tcp), SOCKS (1080/tcp) 
                          11.ICMP-- block incoming echo request (ping and Windows traceroute), block outgoing echo replies, time exceeded, and
                             unreachable messages (This item is the most controversial recommendation. Security experts have extensive proof that ICMP is
                             being used in multiple malicious scans and control efforts. Network operations experts counter that performance will be
                             substantially impacted under certain circumstances if ICMP is blocked.) 
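The advice above to keep monitoring ports you believe are blocked, as an added example (not part of the SANS list or the original guide): it audits inbound connections a firewall accepted against items 1 to 5 of the list plus the Macintosh file sharing ports 427 and 548 named earlier. The log format, the sample lines and the 203.0.113.0/24 internal block are constructed, and TCP is assumed for 427 and 548.

```python
import ipaddress
import re

# Assumption: your own address block (a documentation range is used here).
INTERNAL = ipaddress.ip_network("203.0.113.0/24")

# Item 1: sources that must never arrive from outside (RFC1918 and network 127).
NEVER_ROUTED = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Items 2-5 plus the Macintosh file sharing ports: (protocols, low, high, label).
BLOCKED_SERVICES = [
    ("tcp", 21, 23, "FTP/SSH/telnet login"),
    ("tcp", 512, 514, "rlogin et al"),
    ("tcp udp", 111, 111, "portmap/rpcbind"),
    ("tcp udp", 2049, 2049, "NFS"),
    ("tcp udp", 4045, 4045, "lockd"),
    ("tcp udp", 135, 135, "NetBIOS"),
    ("udp", 137, 138, "NetBIOS"),
    ("tcp", 139, 139, "NetBIOS"),
    ("tcp udp", 445, 445, "NetBIOS"),
    ("tcp", 6000, 6255, "X Windows"),
    ("tcp", 427, 427, "Macintosh file sharing"),
    ("tcp", 548, 548, "Macintosh file sharing"),
]

# Constructed log format: "ACCEPT in <proto> <source> -> <destination>:<port>"
LINE = re.compile(r"^ACCEPT in (tcp|udp) (\S+) -> (\S+):(\d+)$")


def check(line):
    """Return the reasons this accepted inbound connection should have been dropped."""
    match = LINE.match(line.strip())
    if not match:
        raise ValueError("unrecognised log line: %r" % line)
    proto = match.group(1)
    source = ipaddress.ip_address(match.group(2))
    port = int(match.group(4))
    findings = []
    if source in INTERNAL:
        findings.append("spoofed source: internal address arriving from outside")
    elif any(source in net for net in NEVER_ROUTED):
        findings.append("spoofed source: private or loopback address")
    for protos, low, high, label in BLOCKED_SERVICES:
        if proto in protos.split() and low <= port <= high:
            findings.append("blocked service reached: " + label)
    return findings


def audit(lines):
    """Return (line, findings) for every accepted connection that breaks the rules."""
    flagged = []
    for line in lines:
        findings = check(line)
        if findings:
            flagged.append((line, findings))
    return flagged


# Constructed sample of connections the perimeter let through.
SAMPLE_LOG = [
    "ACCEPT in tcp 198.51.100.7 -> 203.0.113.10:548",
    "ACCEPT in tcp 10.1.2.3 -> 203.0.113.10:25",
    "ACCEPT in tcp 203.0.113.99 -> 203.0.113.10:139",
    "ACCEPT in udp 198.51.100.7 -> 203.0.113.53:53",
    "ACCEPT in tcp 198.51.100.8 -> 203.0.113.10:6010",
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LOG):
        print(line, "=>", "; ".join(findings))
```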
     
     
     
     
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Ownership Privileges
           Basically, the first task to secure your Macintosh from unauthorised network access is to set up ownership privileges. To implement this: 
                  Open the Sharing Setup control panel (the File Sharing control panel in MacOS 8) and set the owner name, owner password and computer name.
                  This computer name is then advertised on the AppleTalk network. 
                  Close the control panel to make the changes effective. 
    
           File Sharing
           Do not enable File Sharing unless there are people who really need to access files on your Macintosh. This may make your Macintosh open to
           unauthorised access. To ensure File Sharing is off, go into the Sharing Setup control panel and check that the File Sharing Button reads "Start". If it reads
           "Stop" file sharing is currently running. You should disable Program Linking on the same control panel in the same manner. It opens your Macintosh to
           attack via Finder scripting. 
    
           If you must use file sharing, 
                  Turn off the automatic Owner access to the entire hard disk: open the Users & Groups control panel, open the icon with your Owner name on it,
                  and turn off "Allow user to see entire disk." 
                  Ensure access for Guest users is turned off. In the Users & Groups control panel, open the Guest icon, and turn off the "Allow user to connect"
                  option. 
                  When you create users, give them passwords. As with any other password, don't use someone's name, birthdate, or other obvious, easily available
                  information. 
                  Create a folder just for shared information and share it, not the entire hard disk. 
                  When sharing a folder, ensure groups and users have appropriate access to the folder (read only, read write or no access). 
    
           Other vulnerabilities 
                  If you use either NCSA telnet or tn3270 on a Macintosh, do not enable ftp access. To move files between your Macintosh and another computer
                  (UNIX or cms), use an ftp client program such as Fetch. 
                  If you use MacX, select Access Control under the Remote menu. With this selected, MacX will require confirmation before allowing a client to
                  connect to your X server. You should save your X document (File, Save) after making this change.
                  
                  
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Cipher's Security/Privacy for the Macintosh
      
     I'll start with the presumption that you consider your business to private and that you do not wish 
     others to be inside your
     computer for any reason.  Remember, it's not always what you have that interests them, but the use 
     of your connection
     without your knowledge.  And don't forget the vandals who just like to destroy things...
      
     These tips are not meant to give you 100% protection, I doubt that can be had, rather an 
     attempt to make you more
     secure.  Taking the security steps on this page will make your computer and data very secure. 
      
     I assume an intermediate knowledge of your Mac and it's operating system, and at least a passing 
     knowledge of the internet.
      
      
     Network/Internet
      
     Turn off File Sharing when connected to the Internet.  If you're not connected to, or using, an AppleTalk Network, disable
     AppleTalk as well. 
      
     If you install any Microsoft software, find and trash the Configuration Control Panel if it installs one. (see Microsoft
     below)
      
     Get rid of any personal web server software you may have installed as a part of some software/operating system install.  If
     you're serving web pages from your home box, you have a set of problems this document does not cover.
      
     Disable Javascript on your browser. Use it only when you have to.
     
      
     Use a proxy server for any web browsing you do.
     
      
     Test your security at the Gibson Research Shields Up site.
     
      
     For a full security exam, go to the Hacker Whacker Site.
       I have no
     interest in Intego, they make a damn fine firewall for the Mac... 
      
     Replace the file MagicCookies with a folder named MagicCookies.  No persistent cookies will be written to your hard disk,
     but sites requiring cookies will let you in...
      
     Do the same with the Netscape History file.  Set your cache to 0.  Trash any AOL IM and Netscape Talkback modules. 
     Investigate alternative browsers, say iCab.  Never use Internet Explorer.  Ever...
      
     Use an ISP that dynamically assigns IP Addresses. If you use an ISP that assigns static IP addresses, pull the plug to your
     box when not on the net.  If using a dial-up, turn off your modem and computer when not connected to the net.
      
     Microsoft
      
     Never use anything made by Microsoft.  Never. See the NSA Key Microsoft installed in their software.
     
     Ask yourself why Microsoft needed to put up this page.
     
      
     I once read a Word 98 document on a Mac. It added my name to the document. I also saw that the document, a humor thingy,
     originated from someone in the Lear Corporation.  I merely read it, mind you...
      
      
     Crypto
      
     Use PGP.  Disable Faster Key Generation in PGP Keys Preferences, you make attacks considerably harder, you're not generating
     keys from a set of predefined prime numbers.  Encrypt sensitive files.  Back up your keys to removable media. 
      
      
     Miscellaneous
      
     Connect your equipment to a single power point to isolate it with one switch.  Make it your Mantra
     
      
      
     Get and learn ResEdit.  Create .jpgs, open them with ResEdit and create a new resource, type Text. Paste in PGP encrypted
     text.  Poor man's Steno...
      
     Learn to use the Norton Disk Editor.  Use Find File to see what invisible files are on your machine.
      
     Use anti-virus software.  Scan everything inbound to your box.  This is money well spent...
        
      
    
    Misc. Security/Privacy for the Macintosh
    
    1.  Turn off File Sharing when connected to the net.  If you're not
    connected to an AppleTalk Network, disable AppleTalk.
    
    
    3.  Disable Java and Javascript on your browser.  Use a proxy server for
    any web browsing you do.  http://freebooks.hypermart.net/proxy/howto.htm 
    Replace the file MagicCookies with a folder named MagicCookies.
    
    
    4.  Never use anything made by Microsoft.  Never. 
    http://www.datafellows.com/news/1999/19990906.htm
    
    
    6.  Use PGP.  Disable Faster Key Generation in PGP Keys Preferences, you
    make attacks considerably harder.  Encrypt sensitive files.  Back up your
    keys to floppy.
    
    
    8.  When not connected to the net, turn off your modem and computer. 
    Connect your equipment to a single power point to isolate it with one
    switch.  http://www.gn.apc.org/pmhp/dc/activism/mantra.htm
    
    
    9.  Get and learn ResEdit.  Create .jpgs, open them with ResEdit and
    create a new resource, type Text.  Paste in PGP encrypted text.  Poor
    man's Stenography.
    
    
    10.  Learn to use the Norton Disk Editor.  Use Find File to see what
    invisible files are on your machine.
    
    
    11.  Use anti-virus software.  Scan everything inbound to your computer.
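
Why the MagicCookies tip in both lists above works, as an added example that is not part of the original page: a path already occupied by a folder cannot be opened as a file, so the application's save fails and nothing persistent reaches the disk. The temporary profile directory, the `History` name (a placeholder for the Netscape history file, whose exact name the page does not give) and all function names are assumptions.

```python
import os
import tempfile

# "MagicCookies" is the name given on the page; "History" is a placeholder
# for the Netscape history file, whose exact on-disk name is not stated.
BLOCKED_NAMES = ("MagicCookies", "History")

def block_with_folder(profile_dir, name):
    """Replace the file `name` with an empty folder of the same name."""
    path = os.path.join(profile_dir, name)
    if os.path.isdir(path):
        return path                      # already blocked
    if os.path.lexists(path):
        os.remove(path)                  # discard existing cookie/history data
    os.mkdir(path)
    return path

def try_persist(path, data):
    """Mimic an application saving state to `path`; True if it reached disk."""
    try:
        with open(path, "w") as fh:
            fh.write(data)
        return True
    except OSError:                      # IsADirectoryError or PermissionError
        return False

def audit(profile_dir):
    """Per name: is the folder block still in place and still empty?"""
    report = {}
    for name in BLOCKED_NAMES:
        path = os.path.join(profile_dir, name)
        report[name] = os.path.isdir(path) and not os.listdir(path)
    return report

def demo():
    # Constructed stand-in for a browser profile folder.
    with tempfile.TemporaryDirectory() as profile:
        cookie = os.path.join(profile, "MagicCookies")
        before = try_persist(cookie, "constructed.example\tFALSE\t/\tid\t42\n")
        for name in BLOCKED_NAMES:
            block_with_folder(profile, name)
        after = try_persist(cookie, "constructed.example\tFALSE\t/\tid\t43\n")
        return before, after, audit(profile)

if __name__ == "__main__":
    print(demo())
```

Re-run `audit` after software updates or reinstalls: if an installer has put a plain file back in place of the folder, the check reports `False` for that name.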
    
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    
    
    




    hosted by security.tao.ca

    maintained by securitysite at tao dot ca
    Comments and additions always welcome

    this page is located at http://security.tao.ca/mac .