Sep 14, 2015
Although Kayaker's cove could be described as a quaint, warm inlet with calm lapping waves, the ocean can be a dark, violent place with giant rogue waves and swashbucklers and pirates just over the horizon. As is the sea, so goes technology.
Every week there are new stories of data breaches and new security exploits putting your data at risk. You will never be safe. But don't go off the grid yet or pull that boat into dry dock. There are easy things you can do to help reduce your exposure on the high-tech seas, so let's get started! Here's my top ten security tips and best practices list for you.
Don't Run as Admin
They still call it a personal computer, and many of us still think of it that way. It's my computer, so why would I have more than one account set up on it? Well, that's probably your biggest security risk, and it started from the moment you booted your Mac for the very first time and it asked you to create a username and password. That initial account has what is called admin level privileges and has the potential to tweak just about every file on your computer. Any application you run will have admin privileges, and thus any application you run can change about anything on your system. A malicious piece of software would love to have that chance. I always recommend two accounts on your Mac, one that is your admin account that you set up when you first set up a new Mac, and then a standard account, which is your main account you use every day. I use the user MacAdmin as my admin account, and kayaker as my main account. You would set this up by going to System Preferences, Users and Groups. From there, you should see the Users table and ideally you want to see that you have an account with admin privileges and another with standard privileges. The way you can tell which is which is in the user account info section, where you should find a checkbox that says something like Allow this user to administer this computer. There has to be at least one account that has this ability. If you only have an account with admin privileges, you need to correct the situation. To do this, create a new account called MacAdmin and give it the ability to administer the computer. Then, go to your personal account name and remove your main account's ability to administer the computer by unchecking the checkbox.
So what does this mean for your day-to-day life? Not much. If you ever are prompted with a dialog to enter admin credentials, instead of just typing your password, you instead need to enter the MacAdmin username and the MacAdmin password. That's about it. This simple step has now prevented what we call an escalation of privileges attack, one of the most common attack vectors for malware.
Time to Give Up Your 1234 Password used everywhere
If you keep the key to your treasure chest on top of the chest, well, I'm certain Captain Jack will thank you. You are only as safe as your passwords. This is the weakest link in any security system. So you need to make it strong. In fact, you can google “most common passwords” and get a list. Your password better not be on it. So, how do you make a password strong? I suggest that whatever you use, it not be in a dictionary, or in the script of any Star Trek or Star Wars movie. Mixing numbers and symbols in is always a good thing. I also suggest you make it at least 12 characters long.
Now that you have a strong password, make sure you use it for one purpose. If you have another account, use a different strong password. Hope you just didn't make your admin password the same as your main user password just now. A sad but true fact is that Web developers are lazy. Anyone who stores your password should be saving not the password, but a hash of your password. And I won't go geeky technical here, but in general, a hash cannot be used to figure out your actual password. It is just like what Apple does with your touch ID info: they hash your fingerprint and save the hash, not the fingerprint. Unfortunately, you have no insight as to how any site you visit saves your credentials. So, if bad guys steal data from your favourite gossip site, and that site saved your password as text, and that's the password you use all over the Web, well, there goes your bank account balance.
I know, I know, you have passwords for every site out there. How on earth can you keep track? There are some great applications out there to help you manage all your credentials. I personally use 1Password by Agile Bits. It's cross platform and secure. Despite the recent news of data being potentially compromised from LastPass, that's another good option. LastPass keeps your data very secure and even if bad guys had their entire database, it's so heavily encrypted that it would be impossible to crack it in your lifetime and that of your great-great-great-grandkids' lifetime as well.
I m the Key Master, are you using the Gatekeeper?
It doesn't take a ghost to haunt your computer with malware. You can accidentally run an app that installs a demon of a daemon onto your Mac. Fortunately, MacOS has a security feature called Gatekeeper that will warn you if it thinks you might be running an app that you shouldn't. You can find Gatekeeper in the General tab of the Security and Privacy System Preference pane. There, you will find a radio button to complete the sentence: Allow only downloaded apps from, and suggest you use the second radio button, from the app store and identified developers. This is the default setting. But even if you want to run an app that Gatekeeper doesn't know about, fear not. You can easily override the warning by right clicking on the app and choosing open, and then confirming you want to open it on the next dialog box.
News Flash: Don't Use Flash
This is an easy one. Never never never install Flash on your Mac or PC. That's it. Flash is probably the single largest attack vector of virus and malware out there today. And you can get infected by just visiting any site that uses an ad service that has an infected ad. Bang. Your computer is now compromised. Did I mention to never never never use Flash? But if there is a site that needs Flash that your life depends on, use the Chrome browser and make certain you've done everything else on this list to help mitigate potential damage. Did I mention to never never never use Flash?
Disable Opening of Safe Files
Safari tries to be helpful and will automatically open safe files. Sorry, there is simply no such thing. A clever JPEG file can infect your computer; a clever PDF file can infect your computer. There is no such thing as a safe file. So go to your Safari preferences and uncheck "Open safe files after downloading." This will mean you will have to go to your downloads folder to open files you have downloaded, but it also means you won't accidentally download and run a maliciously crafted "safe" file from a bad guy.
Disable Auto Login
You don't sail off the coast of Somalia with a sign that says we will pay ransoms; nor should you make it easy for someone to steal your data. If you turn on your Mac and are brought right to your desktop without having to enter your username and password, you're giving anyone easy physical access to your computer. It's just like leaving your house keys hanging in the lock of your front door. It's easy to fix this in System Preferences, Security and Privacy, General tab. Make certain that your settings are not set to auto login. In earlier versions of MacOS X, this option was found in the Users and Groups or Accounts System Preference pane in the login options section.
Don't Click That Link!
This is analogous to don't call me, I'll call you. The majority of malware infections are done by phishing attempts. These are e-mails or pop-ups asking you to click on something or install something that will take you to a fraudulent website where bad things will happen. Never click on a link in an e‑mail or click on a pop-up from a browser that asks you to update something. The simple rule is that if you did not initiate the contact, then don't click on any link, even from your mother. But if you signed up for something like a new account from a particular site, and they send you a confirmation e‑mail in the time frame of your interaction with that site maybe asking you to verify your e‑mail by clicking on a link, then that's probably OK since you initiated the contact. If you are uncertain about the validity of an e‑mail, then go to the website not by clicking on the link in the e‑mail, but by typing the address in your browser directly. And don't forget to look for that https protocol, not just http. That S is for ‘securer.’
Certificates and the Price of Free WIFI
Public WIFI access points are just that: public. Be very careful about sending or doing anything critical over them. This goes for hotels and coffee shops. The risk here is about man in the middle attacks. If you can join a WIFI network, then a bad guy can join a WIFI network. If a bad guy can join, then a bad guy can see all traffic, and if he can see all traffic, he can spoof an extenuation of the network and force you to connect to his computer as your access point. He can then see any nonsecure traffic leaving your machine, and could possibly trick you into letting him see encrypted traffic as well, by issuing you a non-validated certificate. I could do a whole podcast on certificates, but for now, think of certificates as ways to encrypt your data and verify the identity of the website you are connecting to. If you ever see a dialog saying your browser cannot verify the identity or validity of a certificate, do not click Continue or OK if you are using a public access point or are connecting to an important website. The exception to this rule is if you are connecting to a small or personal website. These certificates are often just used for encryption and are what we call self-signed certificates. I have a self-signed certificate for my domain because certificates cost a lot of money to get, and I'm only interested in using it for encryption. Just be very, very mindful of any certificate warning you receive from your browser.
Those Three Security Questions Aren't
The advent of security questions was to solve one problem only: too many support calls about a forgotten password. It's not about security. Besides, your Facebook page and Google could probably give a bad guy all the answers he needs to take over your account, so don't let it happen. Those answers may be required to set up an account, but you need not be truthful. Make your answers as random as your passwords. Use your password manager to store your answers. Don't make it easy for social engineering to steal your identity.
This may be obvious, but make sure the software you run is up-to-date. That goes for your Mac OS version as well as your apps. If exploits are discovered and then fixed, you need to update to get that fix. But if you are not using the built-in software update mechanism or the app store, just be careful about how you get your updates by making sure you are going to the developer's site directly.