Take Control of Security for Mac Users (2015)
Perform Quick Security Fixes
Time to get to work improving your security! Let’s begin with a few things everyone should do (with small variations depending on your risk level). This chapter contains steps so fundamental to your security that you’d be doing yourself a huge disservice to avoid them. Just as you need to check that the appliance is plugged in before you call customer service, the steps in this chapter constitute a sort of minimum threshold for security awareness.
Keep Your Software Up to Date
It’s a fact of life: software has bugs. And some of those bugs result in security vulnerabilities. Fortunately, most major software vendors, including Apple, have teams of programmers working constantly to identify and fix security-related bugs. I can’t tell you how many times I’ve read breathless news reports about some newly discovered and seemingly disastrous Mac security issue, only to see a software update from Apple fix it a few days later before any widespread damage occurs. This is Apple’s normal pattern, and it’s why you should never lose sleep about the Mac security crisis du jour.
However, Apple security updates don’t help unless you install them! If you have automatic software updates turned off and never bother to check for updates, you could be needlessly putting your Mac and your data at risk from problems that were solved months or years ago.
Software updates fall into several categories, all of which can fix security issues:
· Major upgrades to OS X itself, such as 10.10 Yosemite
· Minor updates to OS X, such as 10.10.1
· Stand-alone security updates for OS X
· Updates to specific Apple apps (Safari, iTunes, QuickTime, etc.)
· Updates to third-party apps
Which of these should you keep up with? Ideally, all of them—but at a bare minimum, be sure to install the stand-alone security updates. The next-highest priority would be minor OS X updates.
Tip: To learn about all Apple software updates with security implications, see the Apple security updates page. Click a specific update to read the security details.
In most cases, Apple releases security updates for the current version of OS X and the previous two—so an update in early 2015 would apply to Yosemite, Mavericks, and Mountain Lion. If you aren’t at least on the third-most-recent version of OS X, you risk being vulnerable to known security problems that Apple won’t ever fix.
Meanwhile, each major new version of OS X contains entirely new security features, independent of bug fixes. Yosemite offers certain intrinsic protections that Mavericks did not, and Mavericks has security features that Mountain Lion lacks. So if you really want all the latest security goodness, you should (if your hardware supports it) upgrade to the latest version of OS X and install all the pertinent OS X, security, and app updates.
Note: Often the initial releases of new OS X versions (10.9.0, 10.10.0) have significant bugs that Apple fixes quickly. So it’s fine to wait a few weeks on major upgrades, by which time (if there’s not already a 10.x.1 version) enough others will have tried out the new release that you can judge how stable it may be for you.
All Apple software updates for OS X are now delivered through the App Store app, which also handles a good bit of third-party software. You can use that app to manually install any available update, and you can configure its preferences to automatically download and/or install new updates as they appear.
Update App Store Software Manually
If you haven’t recently checked for OS X updates, open the App Store by clicking its Dock or Launchpad icon, double-clicking its icon in your /Applications folder, or choosing Apple > App Store. Then click the Updates button on the toolbar.
Now, to update a single app, click the Update button next to it. (In some cases, Apple groups multiple software updates together; click the More link to see details on each one.) Or, to update all the listed apps at once, click Update All. You may be asked for your Apple ID and password, but otherwise the App Store downloads and installs the updates automatically.
Configure Automatic App Store Updates
You can have your Mac check for, and even download and install, updates from the App Store in the background—with or without asking for your explicit approval.
In fact, the first time you update an app in the App Store app under Yosemite, an alert appears (Figure 1) asking whether you want this automatic installation—click Turn On or Not Now, as you prefer (you can change the setting later, as I describe in a moment).
Figure 1: The App Store would really like to update all your apps automatically from now on.
Personally, I prefer to learn about updates as soon as possible. And, because there’s a greater than 95 percent chance that I’ll install any given update, it saves time to let OS X download updates automatically in the background. I don’t necessarily install updates as soon as they appear, because occasionally updates cause more problems than they fix. I like to keep an eye on social media to make sure the new software won’t wreak havoc if I install it.
You can decide on your desired level of automation, but at the bare minimum I urge you to turn on automated checking for updates so that you’ll be notified when something new is available.
Follow these steps to configure software updates:
1. Go to System Preferences > App Store (Figure 2).
Figure 2: Configure automatic updates in the App Store preference pane.
2. Select the Automatically Check for Updates checkbox to enable automatic checking. If it’s selected, you can also select any or all of:
§ Download Newly Available Updates in the Background, which not only notifies you of updates but downloads them so you can install them as soon as you’re ready (click Install to install immediately; click Later and choose Try in an Hour, Try Tonight, or Remind Me Tomorrow from the pop-up menu to “snooze” the reminder; or click the notification itself to open the App Store and see which updates are available)
§ Install App Updates, which silently updates apps automatically after they’re downloaded (except those requiring a restart or other interaction)
§ Install OS X updates, which does the same as Install App Updates except for OS X itself—that is, OS X 10.10.x—and will presumably prompt you to restart your Mac
§ Install System Data Files and Security Updates, which automatically (without prompting you) installs these essential updates—but only after they’ve been available in the Mac App Store for 3 days
Of the above settings, I suggest selecting Automatically Check for Updates, Download Newly Available Updates in the Background, and Install System Data Files and Security Updates. That way, the most urgent security fixes will be installed automatically, while less-critical updates will be downloaded as soon as they’re available, enabling you to install them more quickly when you’re ready.
Note: Regardless of these settings, you can always check for updates manually at any time by clicking Check Now (which changes to Show Updates if updates have already been downloaded).
3. If you’re signed in to the Mac App Store, you can also check or uncheck Automatically Download Apps Purchased on Other Macs, which does exactly what it says.
Manual Updates of OS X
All updates to OS X are available not only through the App Store but also on Apple’s Web site, so you can download them manually if you wish. In this way, you can decide whether to use a standard (or “delta”) updater, which requires the most recent previous release of OS X, or a “combo” updater, which can update any previous version of the major system release (for example, 10.10.0 or 10.10.1) to the new version (say, 10.10.3).
Update Other Apps
Software that didn’t come from the App Store must be updated separately. The majority of modern apps include a Check for Updates menu command—or something with similar wording—and a preference that lets you enable automatic checking if you like. So go through your most frequently used apps now, use the Check for Updates feature, and if applicable, enable the preference to tell you automatically about new updates as they appear.
Manage Basic Security and Privacy Settings
The Security & Privacy pane of System Preferences (Figure 3) is the spot to adjust many of your Mac’s security settings. We’ll cover them all at some point in this book, but for now, I want to draw your attention to a few especially important settings. I’ll also mention settings in the Users & Groups pane and in the Keychain Access utility that deserve a quick look.
Figure 3: Set key security options in the Security & Privacy preference pane. (Slightly different options appear with FileVault enabled.)
General Security Preferences
In the General view of System Preferences > Security & Privacy are a couple of settings you should check:
1. Go to System Preferences > Security & Privacy > General.
2. At the top is a Require Password checkbox and a pop-up menu to choose the delay after sleep or screen saver begins before a password is required. Set these according to your risk level (see Determine Your Risk Profile):
§ If you’re at Level 1, leave the box unchecked—it’s not worth the bother.
§ For Level 2 and higher, select the Require Password checkbox.
§ As for the time interval in the pop-up menu, I’ll make the general statement that the higher your risk level is, the lower this number should be. For anyone at Level 4, it should be Immediately.
3. Click the lock icon in the lower left of the window, enter your administrator username and password, and click Unlock.
4. Under Allow Apps Downloaded from, make sure—for now—the middle choice (Mac App Store and Identified Developers) is selected. That’s the quick fix; I’ll explain when the other two options are appropriate when we get to Manage App Sources.
Your changes take place immediately. But wait! There’s one more thing to do. In Step 2, if you selected Require Password after Sleep or Screen Saver Begins, you must also make sure that one or both of those things will happen automatically! Here’s how:
· Sleep: Go to System Preferences > Energy Saver and drag the Computer Sleep and Display Sleep sliders to the desired position (but not to Never). On a notebook Mac, you’ll have to set these separately for when it’s running on Battery and Power Adapter.
· Screen saver: Go to System Preferences > Desktop & Screen Saver > Screen Saver and choose how long your Mac must be idle before the screen saver activates from the Start After pop-up menu (don’t choose Never).
You can also lock your screen (activating the screen saver in the process) by using the Lock Screen command on the Keychain menu (see Keychain Security, ahead), or by moving your pointer into a corner of the screen you’ve designated as a Hot Corner (set this up in System Preferences > Desktop & Screen Saver > Screen Saver > Hot Corners).
Login Options
When you set up a new Mac, one of the first things you must do is create a user account for yourself (your Mac can have many such accounts but at least one is mandatory), along with a username and password. By default, OS X logs in that initial user account automatically when you turn on or restart your Mac. That means you can get right to work without entering a password, and it’s the most convenient arrangement for Macs with a single user—especially if the Mac is kept in a secure place.
However, if anyone else (including a thief!) can get to your Mac, that automatic login becomes a problem, because your Keychain unlocks automatically (see Keychain Security, next) and all the files on your Mac are readily available.
Note: If you use FileVault (see Prevent Data Theft), automatic login is disabled.
Therefore, if your risk (see Determine Your Risk Profile) is above Level 2, I suggest disabling automatic login. The consequence will be that you’ll have to type your password whenever you turn on or restart your Mac—but of course this very thing that poses a small annoyance to you is a much greater barrier to those you want to keep out of your Mac.
To disable automatic login, go to System Preferences > Users & Groups > Login Options. Click the lock icon in the lower left of the window and enter your administrator username and password. Then choose Off from the Automatic Login pop-up menu.
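The update, password-after-sleep, app-source, and automatic-login settings described above can also be checked from Terminal. The script below is an added example, not part of the book; it assumes the preference keys OS X 10.10 uses for these settings, and its function names and "name value" report format are this example's own.

```shell
# Added example: audit the quick-fix settings; "name value" lines are its own format.
# Values matching the chapter's suggestions.
RECOMMENDED='AutomaticCheckEnabled 1
AutomaticDownload 1
CriticalUpdateInstall 1
askForPassword 1
gatekeeper enabled
autoLoginUser absent'

# Constructed sample: password after sleep off, automatic login left on.
SAMPLE='AutomaticCheckEnabled 1
AutomaticDownload 1
CriticalUpdateInstall 1
askForPassword 0
gatekeeper enabled
autoLoginUser present'

# Read the live values on a Mac; "unset" means the key was never written.
collect_settings() {
    su=/Library/Preferences/com.apple.SoftwareUpdate
    for key in AutomaticCheckEnabled AutomaticDownload CriticalUpdateInstall; do
        echo "$key $(defaults read "$su" "$key" 2>/dev/null || echo unset)"
    done
    echo "askForPassword $(defaults read com.apple.screensaver askForPassword 2>/dev/null || echo unset)"
    # spctl reports only on/off, not which of the two restrictive choices is set.
    spctl --status 2>/dev/null | grep -q enabled && gk=enabled || gk=disabled
    echo "gatekeeper $gk"
    defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser >/dev/null 2>&1 && al=present || al=absent
    echo "autoLoginUser $al"
}

# Compare stdin with RECOMMENDED; exit status is the number of deviations.
evaluate_settings() {
    observed=$(cat)
    failures=0
    while read -r name want; do
        got=$(printf '%s\n' "$observed" | awk -v n="$name" '$1 == n { print $2; exit }')
        [ -n "$got" ] || got=unset
        if [ "$got" != "$want" ]; then
            echo "REVIEW $name: found $got, chapter suggests $want"
            failures=$((failures + 1))
        fi
    done <<EOF
$RECOMMENDED
EOF
    return "$failures"
}

# On a Mac, audit the live settings; elsewhere, run the constructed sample.
if command -v defaults >/dev/null 2>&1; then
    collect_settings | evaluate_settings || true
else
    printf '%s\n' "$SAMPLE" | evaluate_settings || true
fi
```

A setting reported as unset has never been changed from its default, so confirm it in the corresponding preference pane.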
If you’ve increased your security by disabling automatic login and/or requiring a password after sleep or screen saver, you may find all those extra password prompts annoying. Wouldn’t it be nice if your Mac could unlock itself whenever you’re close, no password required? In fact, it can—but with a catch or two. Here are a few examples:
· Knock is a pair of apps—one runs on your iPhone and the other runs on your Mac. After you set it up, as long as your phone is within a few meters of your Mac, you can unlock your Mac (except when you initially turn it on) and respond to administrator password requests by merely knocking twice on your phone.
· MacID also uses an app on your iPhone and a companion app on your Mac. But unlike Knock, it requires you to use Touch ID on your iPhone to unlock your Mac, which makes it more secure. It can also automatically lock your Mac when you move away.
· Sesame 2 combines a Mac app with a keychain fob. When you bring the fob into proximity with your Mac, it unlocks—no iPhone (or knocking) required. Sesame 2 also locks your Mac when you move away from it, regardless of your sleep/screen saver settings.
Each of these solutions requires a fairly recent Mac (roughly speaking, 2012 or newer) with Bluetooth 4.0 LE support. Knock and Sesame 2 assume that their respective proximity sensors (your iPhone or key fob) will remain safely on your person at all times. That’s their biggest weakness—anyone who got hold of the object that serves as a key could unlock your Mac. In addition, their range is highly variable, meaning your Mac could be unlocked even if you’re not close enough to see or control it.
Knock or Sesame 2 might be worth considering if you’re at Risk Level 1 or 2, and MacID (if properly configured) could possibly be helpful even at Risk Level 3. But think carefully before using any of these products, because their added convenience can also increase your vulnerability.
Keychain Security
Your Mac’s Keychain contains passwords for apps and Wi-Fi networks, credentials for local network servers, encryption certificates, and other important information your Mac needs to function securely. If you use iCloud Keychain (see Use a Password Manager), it may also contain credentials for Web sites where you have accounts as well as your credit card details.
Because this information is valuable and potentially sensitive, OS X encrypts the contents of your Keychain. However, whenever your Keychain is unlocked, your credentials can be passed to apps, Web sites, and network services without any intervention on your part. And how do you unlock your Keychain? That’s the crazy part—by default, all you have to do is log in to your Mac’s user account. And (as we saw in Login Options) another default setting is to log you in to your account automatically.
In other words, unless you take steps to change the defaults, merely turning on your Mac unlocks your Keychain! That means anyone else who might have physical access to your Mac can log in to all the Web accounts (like your bank, Amazon, or PayPal), file servers, and other resources for which you’ve saved credentials (like iTunes or the App Store)—although no one can see the individual passwords without knowing your login password, someone can use all your passwords.
Rather insecure, wouldn’t you say?
Well, if you decided that you’re at the lowest risk level (see Determine Your Risk Profile), it may not matter, because your Keychain is unlikely to hold anything terribly valuable. The inconvenience of having to log in and/or unlock your Keychain manually wouldn’t make sense.
For everyone else, however, I recommend taking one or more of the following actions:
· Turn off automatic login. As I explained just above, in Login Options, you can disable automatic login. As long as you also configure your Mac to sleep or activate a screen saver after a short absence (see General Security Preferences) and require a password soon thereafter (Login Options), you’re reasonably safe when you’re physically away from your Mac—though less safe than if you had logged out or shut down.
· Lock your Keychain automatically. Your Keychain is unlocked when you log in, but you can set it to lock automatically after a pre-determined period of inactivity, when your Mac goes to sleep, or both. Either of these options will increase your security but also force you to enter your password frequently, so you’ll have to decide whether that trade-off is worth it. To set up automatic locking, open Keychain Access (in /Applications/Utilities), select your login keychain, and choose Edit > Change Settings for Keychain “login.” Select either or both of the checkboxes, set the delay time if applicable, and click Save. Note that you can only change settings for the login keychain and any custom keychains you may have created. You cannot change these settings for the System and System Roots keychains, or your iCloud keychain (if enabled).
· Lock your Keychain manually. Even if your Keychain is unlocked automatically on login and isn’t set to lock automatically, you can lock it manually at any time, and then unlock it when needed. One way to do this is by enabling a special system-wide menu. Open Keychain Access, go to Keychain Access > Preferences > General, and make sure Show Keychain Status in Menu Bar is checked. You can then choose Lock Keychain or Unlock Keychain from the Keychain menu.
· Change your Keychain password. If you make your Keychain password different from your login password, your Keychain won’t unlock automatically at login. (Of course, that means you’ll have to enter your Keychain password separately after each login, as you’ll be prompted to do as soon as an app needs access to its data.) To do this, open Keychain Access. Select login in the Keychains list and choose Edit > Change Password for Keychain “login.” Enter your current password, enter and repeat the new password, and click OK. (You should also enable the Keychain menu, as in the last bullet point, for easier locking and unlocking.)
Note: Your login keychain is different from your iCloud keychain (see Use a Password Manager), and you can’t change the password for the latter without changing your iCloud password itself.