A Safer Apple Experience per Grandma Roberts
In these days where everyone is getting worked up over OS X vulnerabilities, it's somewhat easy to not know quite how to respond. I love my grandmother partially because even though she may not read all the warnings on SANS Internet Storm Center or read John Gruber's surprisingly enjoyable and fair interview with Dino Dai Zovi, she will email me anything she sees on CNN.com or gets via email about computer security. It's really quite touching and means a lot that she cares enough to take an interest in what I do.
It also throws some things into a different perspective for me. I often ask myself how this, be it a new vulnerability or defensive technology, would impact my grandmother. Now I've heard of this technique used to shift paradigms and gain a better understanding of a technology, but for me it's also protection, since I never know when my next call to Grandma could turn into "So Scott, is my Mac going to get broken into?"
What can I say? My grandma is a proactive person. It puts a lot of pressure on a guy. I'm used to explaining the newest vulnerabilities, exploits, worms, and attack techniques to a cadre of some of the finest information security analysts in the world. I'm used to producing technical write-ups that go to highly skilled information security teams all over the world. Explaining how Dino D's exploit will impact my grandmother? Much more complicated. It can't be an "Oh, don't worry, it'll be fine Grandma, I promise." No sir. Last time I tried that was over a printer, and so insistent was my grandmother to get it sorted out herself that I ended up wearing half a cartridge of printer ink. So I have to be prepared, if Grandma gets wind of this, not just to explain what's going on and its impact, but also how Grandma can mitigate the issue for herself.
I figure such things might also be useful to the community in general. Perhaps you have a grandparent or parent with a similar iron will and determined interest. Perhaps you're just curious. Here goes.
Scott's Guide to Securing Grandma's Mac:
- Disable the automatic "Open 'Safe' files after download" option in Safari.
- Disable Java in Safari.
- Turn on the Firewall.
- Stop using the Administrative Account for day to day stuff.
- Use strong passwords on all user accounts.
- Give Keychain a different password than your user password.
- Turn on FileVault.
There ya go. That's the basics, as per Scott Roberts and, even though he may not remember it, Timothy Martin. Most of those steps, though very similar to those Dino himself recommended, were pulled from a presentation Tim and I gave as the Security Geniuses for the Penn State Mac Users Group more than two years ago. Oddly enough they're still relevant. Some things never change.
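For anyone who would rather check a Mac from Terminal than click through preference panes, here is an added example (not part of the original presentation) that audits the three checklist items readable from the command line: the two Safari settings and the day-to-day admin account. It assumes Safari stores those checkboxes under the `AutoOpenSafeDownloads` and `WebKitJavaEnabled` preference keys and that an unset key means the feature is on; `DEFAULTS_CMD` and `ID_CMD` are hypothetical override hooks. The firewall, password, Keychain and FileVault items are not covered.

```shell
#!/bin/sh
# Added example: read-only audit of three items from the checklist above.
# Assumed Safari keys: AutoOpenSafeDownloads, WebKitJavaEnabled.
# DEFAULTS_CMD / ID_CMD are hypothetical hooks so the commands can be swapped out.
DEFAULTS_CMD=${DEFAULTS_CMD:-defaults}
ID_CMD=${ID_CMD:-id}

# PASS only when the Safari boolean is explicitly off.
# A missing key is treated as "still at the default", i.e. enabled (assumption).
check_safari_off() {
    key=$1; label=$2
    val=$("$DEFAULTS_CMD" read com.apple.Safari "$key" 2>/dev/null) || val=unset
    case $val in
        0|false|NO) echo "PASS  $label" ;;
        *)          echo "FAIL  $label (value: $val)"; return 1 ;;
    esac
}

# PASS when the current user is not a member of the admin group.
check_not_admin() {
    groups=$("$ID_CMD" -Gn) || { echo "FAIL  could not read group list"; return 1; }
    case " $groups " in
        *" admin "*) echo "FAIL  logged in with an administrative account"; return 1 ;;
        *)           echo "PASS  logged in with a standard account" ;;
    esac
}

# Run every check; the return value is the number of items needing attention.
audit() {
    failures=0
    check_safari_off AutoOpenSafeDownloads "Open 'safe' files is disabled" \
        || failures=$((failures + 1))
    check_safari_off WebKitJavaEnabled "Java in Safari is disabled" \
        || failures=$((failures + 1))
    check_not_admin || failures=$((failures + 1))
    echo "$failures item(s) need attention"
    return "$failures"
}

# Run the audit only when asked, e.g.: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it as the account being checked, since both the Safari preferences and the group list are per-user.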
Not enough for you? You want more Mac security goodness? Oh well, I've got that too:
- Want the next step up? Check out Apple's own Tiger Security Config (PDF) for a more in depth look at how to secure OS X.
- Want most of that fun without all the reading? If you know your system well then you can get a lot of automated security goodness out of Bastille for OS X. Jay Beale is a smart cookie.
- Not enough? My, my, feeling ambitious. Well, if you want to lock your OS X down to National Security Agency standards (something I refer to as a Paperweight Lockdown), then check out the NSA's own Security Configuration Guide for OS X.
There ya go. That's four different ways to lock down your Mac. Are they perfect? No, not quite, but as fellow Vulnerable Mind Rolf constantly says "You're only 'secure' in a single moment. Staying secure is a process." Wise words from the Vulnerable Minds elder.


3 comments:
Hmm, could this be automated?
Sure could. That's what Bastille is.
I used Bastille and though it did a great job of everything else, it dorked up my firewall config.
It didn't remove the old rules first. Instead it appended its rules to the bottom of the ipfw ruleset.
I ended up ditching it out of frustration and laziness. I have a blog post half written about my experience, but again, I'm lazy. =)
Great post! The only thing I would add is ClamAV. Might as well get the Mac users in the habit now. There's a ClamAV version available in Fink or you can download a pre-compiled version from the intarweb.