Macs and security

Discussion in 'Apple Forum' started by Edward P, Jan 18, 2008.

  1. Edward P

    Just come home after a disturbing conversation with a mate about internet security, firewalls, network and hard drive hijacking etc. Was wondering what sort of added security folks use here on top of whatever comes with the Apple OS (in my case 10.4.11)? For background, I use a Belkin Wireless router (N Draft) and an occasionally unencrypted wireless network (got so many gadgets - Touch and internet radio etc. - that I get hacked off putting in the codes all the time). Any advice gratefully received...
     
  2. alanrob

    Nothing bar my OS X firewall and the firewall in my router :D

    There are a few sites on the web (search via Google) that will let you check your computer's security. They will show you how open your network and machine are to attack.
     
  3. Member 79251

    Do you leave your front door open? Then why leave your internet connection open?

    Have a look at this; it seems that a few people are working on the Mac, maybe this year we will see the first 'virus' for the platform. Remember Apple have big holes in QuickTime and a few other things ;)

    Having a virus is ok but then having holes in software is another :smashin:
     
  4. RobM

    You've already committed a big crime....

    Security is a hassle, it's inconvenient. But it's there for a reason, so bloody well use it! Turn it on on your router.

    As you probably know, it's not going to stop somebody who REALLY wants to break it. But since most wireless hacking, especially in residential areas, is opportunistic, it's enough to stop somebody stealing your connection.

    The next best advice is ALWAYS keep ALL your software - OS and applications - fully patched and up-to-date. Most vulnerabilities that can be exploited come down to bugs in the software, bugs which are fixed in patches later on. So by patching your software regularly you get rid of these risks. Until the next one is found, anyway :rotfl:

    But the best form of defence, better than anything else you'll find, is common sense.

    Think about it. Most vulnerabilities require you to do something. They come in by email and run when you open an attachment. Or they attack via a website you followed a link to. Or they are opportunistic and you're attacked when somebody finds your un-secured wireless network or when packet sniffing you logging onto your online banking in Starbucks.

    So if you're not expecting an attachment via email, don't open it. Same applies to links sent from unknown sources.
    And don't use anything sensitive (online banking etc) on a public network.
    Think about the websites you visit, there are safe free porn sites ;)
    Avoid Warez sites, as nothing is for free...

    Common sense will protect you from most threats out there. Luckily, OS X also requires you to enter your admin user account details before anything can run, so if that ever comes up when you're not making a system change or installing legitimate software, DON'T enter the details! :)
     
  5. Edward P

    Thanks for advice so far guys. I didn't know about the indirect benefits of software updates, but it's obvious when you think about it. I've been adopting the 'pull out the power plug when you're out' method. I'll log onto the Router and put the encryption on and find a workaround for the gadgets asap. Attachments I steer clear of, but I do have a lot of stuff coming in for work (word files, a few virals and pics) so I guess I am more open than some. Thanks, I obviously need a kick up the backside on this one...:eek:

    PS: putting aside the obvious lunacy of the open wireless issue, how powerful is the firewall on Tiger?
     
  6. RobM

    Attachments are perfectly safe if you are expecting them and know what they are and the person sending them, so don't be put off. But if an unknown sender sends you a Britney screensaver, I wouldn't recommend opening it ;)

    As for encryption... most devices should support WPA2 personal, which your router should support. But if all else fails and you have to use WEP, that's at least better than nothing and will stop somebody who can 'see' your network from having a random attempt to connect.

    Can't tell you much about the firewall though as I've never put it through its paces, but a Google search might bring up some reading as I'm sure somebody has tested it :)
     
  7. Tenex

    I have firewalls enabled on both the router and iMac/MacBook, but something else worth considering to lock down access is MAC address filtering. In essence this requires you to input the MAC address of all devices you own and connect to the router and all others will be rejected.
     
  8. Tenex

    I'll swear some around here hacked my WEP password as the wireless connection seemed to be flashing constantly even when not in use. Since switching to WPA-PSK it's stopped.
     
  9. alanrob

    Another thing that will be good practice is to set up a new standard user account and use this new account instead of your admin account when using your Mac.

    That way any time something requires access to install you will be asked for the admin account user/pass. So no chance of getting something installed that you were not expecting.
     
  10. Tenex

    Agreed, something everyone should do.
     
  11. Edward P

    I think I already did that when I set up the Mac. I get asked for my admin password regularly on updates and other changes. MAC address filtering sounds good, though, I'll look into this. Thanks.
     
  12. markuswarren

    When it comes to network security and Macintosh, here's what I usually suggest.

    1: If you have DSL/Cable then go into your router/modem settings and change the default admin name (if possible) and password. This is especially important if it's a wireless router/modem (I'll explain why later). Many people do not change the defaults and there are lists of default logins for all types of routers available on the internet, which is sometimes a good thing if you forget what the default combo is and need to get in. If you change these details then it will make it more difficult for someone to reconfigure your router.

    2: If you have a wireless network then do not leave it open, protect it with a password. I usually go for a WPA/WPA2 password. Also, change the default network name (SSID) to something else, even if it's "Office" or "Living Room", anything other than "default" is good. The reason for the change is that, for example, some Linksys equipment will have the default name as linksys, thus you know the wireless is provided by a Linksys device, at which point you could try and find out the IP address of the device and get onto the router, change the key, etc... (on a Mac I'd use AirPort to switch to that network, and have it get a DHCP address from it, something like 192.168.1.5 might be given to me, well, 192.168.1.1 is usually the device itself, if it's a wireless router/modem, so I would fire up my browser, punch in that address, and you may well see the login screen for the router, at which point, consult your list of login IDs for wireless devices, and try one, if you get in, blammo, you can reconfigure someone's router! This is why I suggested changing the default passwords above.)

    You may also want to hide the SSID, so it cannot be browsed for (Mac wise this means it would not show up in the airport menu, and possibly not in some wireless network scanner software). This means that to access your wireless network, you'd need to know the SSID *and* the password.

    3: Firewalls. Depends how heavy-handed you want to be. You could use the firewall built into most routers/modems, or you could leave that open and use the software firewall on the Mac (if you're doing that I would suggest getting and using a copy of Flying Buttress, it's far more configurable than the built-in firewall in OS X). You could also get a dedicated hardware firewall, but that is a little overkill unless you have many machines.
    I think most people would use the firewall built into their router as it will protect all of their machines. If you have a single machine you can do this, or you could leave the firewall in the router disabled and use the OS firewall. It's really up to you.
    I actually have my router's firewall disabled and use Flying Buttress on my Mac to control things. My other Macs get addressed from my AirPort base station so they are protected in that way, so I don't have a firewall enabled on them. The PCs all have at least Windows Firewall, if not Zone Alarm Pro running on them.

    For outgoing connections I use Little Snitch. It will tell you whenever anything wants to make an outgoing connection, along with what it is, where it wants to connect to. You can then allow or deny this, either once, until it quits, or forever. You could of course configure your firewall to restrict outgoing as well, but I like Little Snitch :)


    So what do I actually use? I've got a router on which the firewall is disabled, my main machine has the firewall enabled and I use Flying Buttress to control incoming connections. The firewall allows all outgoing connections as they are monitored by Little Snitch, thus when something tries to make an outbound connection, I'll know about it and can decide what to do. I also have it configured to deny until quit automatically after a short while, so if something happens overnight (my machine is left on 24/7) then it'll be denied. If there was something genuine requiring the connection then I'm sure I'll find out about it and allow the item that was automatically denied.
    My other Macs get IP addresses via my AirPort base station. They aren't generally on all the time, so there isn't any specific firewall for them. For the PCs I'm a little more paranoid and regardless of them being DHCP or not (some do have static addresses as they are servers), I run either Windows Firewall or Zone Alarm Pro. This seems to stop anything untoward happening.
     
  13. J0hnEast0n

  14. jamiesdad

    Thanks slug, ran the checks (bit nervous doing it) and everything OK, which is good to know.

    I run Intego NetBarrier, which monitors my system. Bit complicated, at least for me, but it's a good bit of software.
    I keep the firewall on in NetBarrier and the hardware one on my router; wireless network also passphrase protected.

    Personally I don't think you can be too careful, even with a Mac.

    PS: a good little bit of software is coconutWiFi; it lets you know all available networks near you, open or protected.

    Cheers

    David :thumbsup:
     
  15. Tenex

    So will your Airport antenna, either check it in Sys Prefs or from the menu bar.
     
  16. jamiesdad

    :) Yeh, but I like my little yellow dot lol :thumbsup:
     
  17. duke748

    Even legitimate sites are mass targeted/compromised these days. The latest example being http://blog.trendmicro.com/e-commerce-sites-invaded/

    You no longer have to visit "Dodgy" sites to get hit. Just another example of Linux servers being compromised to target Windows machines.

    It's just a matter of time before OS X is compromised just as thoroughly :(
     
  18. Edward P

    Thanks, chaps. I'll keep an eye on this but I've now sorted out a decent password-based lock on the wireless router and confirmed the router firewall. Will upgrade to MAC address protection once I find out how to get the damn MAC addresses of all my gadgets. Got my IT-friendly next door neighbour to try and hack into my system and he failed. So far so good!
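
One way to collect the addresses for the router's MAC filter, as an added example that is not part of the thread: once each gadget has joined the network, the Mac's `arp -a` table lists its MAC address, but the macOS/BSD output drops leading zeros from each octet, so the values need padding before they are typed into a router form. The sample output and the function names below are constructed for illustration.

```python
import re

# Constructed sample of `arp -a` output in the macOS/BSD style, where
# leading zeros in each octet are dropped. Not captured from a real network.
SAMPLE_ARP_OUTPUT = """\
? (192.168.2.1) at 0:1c:df:a:b:1 on en1 [ethernet]
? (192.168.2.3) at 0:1e:c2:9:f0:7a on en1 [ethernet]
? (192.168.2.4) at 00:23:12:AB:cd:0e on en1 [ethernet]
? (192.168.2.9) at (incomplete) on en1 [ethernet]
? (192.168.2.255) at ff:ff:ff:ff:ff:ff on en1 [ethernet]
"""

ENTRY = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]+) ")


def normalize_mac(raw):
    """Return the MAC as six zero-padded, upper-case octets, or None."""
    octets = raw.split(":")
    if len(octets) != 6 or not all(1 <= len(o) <= 2 for o in octets):
        return None
    try:
        return ":".join("%02X" % int(o, 16) for o in octets)
    except ValueError:
        return None


def build_allowlist(arp_output):
    """Map IP -> normalized MAC, skipping unresolved and broadcast entries."""
    allow = {}
    for line in arp_output.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # "(incomplete)" entries have no address to record
        mac = normalize_mac(m.group("mac"))
        if mac is None or int(mac[:2], 16) & 1:
            continue  # malformed, or a broadcast/multicast (group) address
        allow[m.group("ip")] = mac
    return allow


if __name__ == "__main__":
    for ip, mac in sorted(build_allowlist(SAMPLE_ARP_OUTPUT).items()):
        print(ip, mac)
```

A device only appears in the table after the Mac has exchanged traffic with it, so an entry that is missing or shows `(incomplete)` means that gadget has not been seen yet.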
     
  19. RobM

    Whilst that's very true, the chances of a commercial, well-known, genuine site being compromised are much, much smaller than a warez site, porn site or anything else not quite legit.
    If you worry about the legitimate sites you visit, you'll never use the net again :rotfl: So long as you bear in mind the other aspects of web security - such as never confirm any installations or provide admin details unless you have initiated an install yourself - you'll be fine.
     
  20. ahin4114

    Another thing I always do for home routers is to turn off DHCP and limit the subnet mask down so that only a few addresses are available. Means that you have to manually assign IP addresses to your kit, but it's another step to make life difficult for your average packet sniffer.
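
Working out which mask to enter for the setup described above, as an added example that is not part of ahin4114's post: the sketch finds the narrowest subnet in which every statically assigned address is still usable, and lists what is left over. The addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed example: the router plus four statically addressed devices.
STATIC_HOSTS = ["192.168.2.1", "192.168.2.2", "192.168.2.3",
                "192.168.2.4", "192.168.2.5"]


def smallest_subnet(hosts):
    """Return the narrowest IPv4 network in which every host is a usable
    address (neither the network address nor the broadcast address)."""
    ips = [ipaddress.IPv4Address(h) for h in hosts]
    for prefix in range(30, -1, -1):  # /30 is the narrowest with usable hosts
        net = ipaddress.ip_network("%s/%d" % (ips[0], prefix), strict=False)
        reserved = (net.network_address, net.broadcast_address)
        if all(ip in net and ip not in reserved for ip in ips):
            return net
    raise ValueError("no single IPv4 network holds all hosts")


def spare_addresses(hosts):
    """Usable addresses in the chosen subnet that no listed device occupies."""
    net = smallest_subnet(hosts)
    used = {ipaddress.IPv4Address(h) for h in hosts}
    return [str(ip) for ip in net.hosts() if ip not in used]


if __name__ == "__main__":
    net = smallest_subnet(STATIC_HOSTS)
    print("network:", net, "mask:", net.netmask)
    print("unassigned usable addresses:", spare_addresses(STATIC_HOSTS))
```

A device numbered .7 would push the result out to a /28, because .7 is the broadcast address of the /29 and cannot be assigned to a host.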
     
