Introduction

For years, one of the most compelling selling points of Macs has been their apparent freedom from many of the security problems that have long plagued Windows users. Countless people have switched to Macs because they want to stop worrying about viruses, spyware, and other threats so common to PC users. According to conventional wisdom (and even some Apple marketing), Macs are inherently much safer than Windows PCs — and, sure enough, millions of people use Macs every day without incident, having never given a moment's thought to security.

And yet, curiously, some guy seems to have come up with enough to say about Mac security to fill a rather thick and heavy book. How can that be? Are Macs really as insecure as other computers — and are Mac users a bunch of blissfully ignorant folks on the fast track to digital oblivion? Or are the supposed security risks to Mac users nothing more than fear-mongering on the part of an overzealous publisher?

Although Macs have many effective security features and are, in my humble opinion, vastly superior to PCs for a long list of reasons, the truth of the matter is that a computer running Mac OS X isn't inherently more secure than a computer running Windows (at least if it's a recent version of Windows). Fabulous user interface and industrial design notwithstanding, Macs are still computers, and they're still vulnerable to the kinds of risks that can affect any other computer.

The main reason Mac users have largely escaped the threats of viruses and other malware is that most of the people creating such nasty software simply want the most bang for their buck — so they choose the platform with the biggest base of users. There's no technical reason devastating Mac viruses couldn't exist — and perhaps some day they will.

Be that as it may, malware is just one tiny piece of the security puzzle. Another piece is physical security — preventing theft and unauthorized access or tracking a stolen Mac. There's also the matter of keeping confidential data private, whether it's on disk, in an email message, or typed in a form on a web page. And let's not forget network security. Macs use the same public Internet as other computers and are just as prone to attacks from people sniffing network traffic, creating fraudulent websites, and stealing (or guessing) passwords. The list goes on and on — just take a look at the Table of Contents!

Mac users need to learn about security for the same reasons other computer users do. The fact that you have a better computer doesn't make you immune to the ever-expanding array of potential threats. If you've never had your data stolen or your password hacked, you may simply be lucky. I'm sorry to say that these kinds of things happen to Mac users every day.

Fortunately, Mac users are a smart bunch, and the aim of this book is to make you even smarter by educating you about the ins and outs of a topic that's received far too little attention. If you apply what you learn in this book, you'll be much less likely to suffer the kinds of damage and loss that are becoming so common among computer users of all kinds.

Unlike most books on computer security, this one is written for mere mortals. As often as possible, I've approached the subjects in this book from the perspective of an ordinary Mac user rather than a computer geek. Although a few topics do inevitably get a bit complex, I've done my best to present the information in a way that presupposes no particular technical knowledge. Even if you don't know the meaning of TCP, AES, VPN, and other TLAs (three-letter abbreviations), you should be able to jump right in and learn how to compute more safely — and without sacrificing convenience.

On the other hand, if you're an IT pro, there's also plenty of detailed information here for you, and you can feel free to explore some of the more advanced concepts and techniques that may be a bit daunting for the average user. Whether you have a single Mac at home or manage a whole network at your place of business, you should find enough information in this book to understand your risks and the measures necessary to address them.

How This Book Is Organized

This book is divided into five major sections, each corresponding to a different aspect of Mac security. Here's a quick overview of what you find in each part.

Part I: Mac Security Basics

In this part, I describe the variety of threats you may encounter, and I explain how to make informed decisions about how to balance your need for security with other priorities. This part of the book discusses anti-theft measures, introduces you to the major security features built into Mac OS X, and shows you how to configure user accounts and various other settings for best results. It also discusses in detail the many issues involving passwords in general and the Mac OS X Keychain in particular, how to share resources on your Mac securely, and how to back up your Mac's data.

Part II: Protecting Your Privacy

This part explains how to prevent others from seeing or hearing confidential data you create, send, receive, or store using your Mac. This part also discusses how to communicate securely by using instant messaging, voice over IP, email, and the web as well as the more general topic of how to encrypt all your network communications by using a virtual private network (VPN). It also covers a variety of ways to encrypt the data on your Mac's disk to prevent it from being read by a thief or hacker.

Part III: Network Security Fundamentals

This part focuses primarily on how to prevent an attacker from breaking into or snooping on your Mac over a network. It begins with a candid discussion of malware — and whether or to what extent you should use software to prevent it from causing damage. It then discusses the ways you can secure both wired and wireless networks against intrusions, how a firewall can protect your Mac from certain kinds of network traffic, and what special measures you should take if you use your Mac as a web server. It concludes with a discussion of how to use logs to track down certain problems after the fact and to discover potential security issues you may never have noticed otherwise.

Part IV: Advanced Security Measures

This part covers techniques that enable someone with better-than-average technical skills to delve deeper into Mac security. As such, it's directed primarily at people who must manage a number of Macs in a professional setting of some kind. If you're an individual Mac user without a lot of spare time on your hands, you can skip both Part IV and Part V or use them to solve other sorts of problems, such as insomnia. However, if you have a bit of geek mojo — you're comfortable using the command line, you know a few things about networking protocols, and you enjoy experimenting — you can use the information in this part to probe the Macs on your network for potential security problems, watch individual Macs for unauthorized file changes, and examine a Mac that's been compromised by malware or a hacker to find out what went wrong.

Part V: Securing Mac OS X Server

This part covers security considerations specific to Leopard Server and Snow Leopard Server. The server version of Mac OS X is identical in most respects to the standard version but includes additional software and configuration tools that enable a Mac (most often an Xserve or Mac Pro) to provide a wide range of services to other devices, whether on the local network or around the world. The extra features of Mac OS X Server, such as Open Directory and NFS file sharing, bring tremendous advantages to workgroups of nearly any size, but they also provide more potential avenues of attack and require additional steps to keep secure.

As enterprise servers go, Mac OS X Server is easy to configure and run, but even so, Apple provides thousands of pages of documentation in the form of PDF files available at www.apple.com/server/macosx/resources/documentation.html. One of these files, Mac OS X Server Security Configuration, contains nearly 500 pages of instruction and advice from Apple on keeping your server and your network secure. I mention it to emphasize that this book can address only a small portion of that subject matter. If you're new to Mac OS X Server or if you're a non-technical person entrusted with maintaining a server for a small organization, I hope the information I offer in this section will put you on the right track and help you to make smart decisions about how to use the operating system safely. It may also provide some helpful background to better make sense of Apple's documentation.

NOTE

This book also contains a glossary, which defines many of the important terms used throughout this book, and an appendix that lists other sources of information on Mac OS X security.

NOTE

See Snow Leopard Server (Developer Series) by Daniel Eran Dilger (Wiley, 2010) for more on Mac OS X Snow Leopard Server.

What This Book Doesn't Cover

This may be the Mac Security Bible, but the topic of Mac security is broad enough to fill a whole shelf of holy books. Because this book was intended for laypeople rather than technical experts, I've deliberately skipped certain topics and have given others only cursory treatment.

For example, I only briefly discuss enterprise security — the complex issues one must contend with in a large corporation or government office. Those charged with securing Macs on a corporate network will surely find plenty of useful information here, but I don't pretend to address every potential aspect of Mac security for an enterprise. I also say nothing at all about the important subject of how to go about developing secure software. If you're a programmer trying to avoid security holes in your application, you should look elsewhere for guidance. And this isn't a book for hackers of any stripe. I do mention certain methods of attacking or exploiting Mac security weaknesses, but if you're looking for the nitty-gritty details of how to break into a Mac or Mac network (even for the virtuous reason of improving your own security), this isn't the ideal book for you.

In short, this book is neither written for security pros nor intended to turn you into one. Rather, it's intended to help ordinary Mac users understand the risks they may face and develop a sensible plan to keep their computers and their data safe.

I should also mention that this book is intended exclusively for users of Mac OS X 10.5 Leopard and Mac OS X 10.6 Snow Leopard (including Mac OS X Server 10.5 and 10.6). Although much of this book is also applicable in a general way to earlier versions of Mac OS X, the specific details and instructions may differ considerably, and I can't guarantee that any of the procedures discussed here will work as described with versions of Mac OS X prior to 10.5.

Tips for Readers

I wouldn't expect anyone to read this book straight through, but because it's organized roughly in order of increasing complexity, I suggest reading at least Chapter 1 first, to get an idea of this book's assumptions and learn some important background information. If you decide to dip randomly into any other chapter, keep in mind that most chapters also build from simpler to more complex concepts, so if you find yourself scratching your head at any point, try backing up and starting from the beginning of the current chapter. I've provided plentiful cross-references to help you pinpoint the spots elsewhere in this book where you can learn more about each topic.

There are numerous ways to do almost anything on a Mac, and in this book, I've generally selected the one or two methods for each activity that are easiest to explain. For example, many of the steps in this book require you to make changes in System Preferences. To open this application, you could click its icon in the Dock (if you haven't removed it from there), navigate manually to your Applications folder and double-click its icon, or choose System Preferences from the Apple menu. Once you've done that, you can click an icon to open its preferences pane or choose the name of the pane from the View menu. You might even use a third-party launcher such as LaunchBar to jump directly to a particular preferences pane. So, when you see a step such as "Choose System Preferences and then click Accounts," feel free to use a different method to get to the same spot if it's more convenient for you.

I frequently direct you to files and programs stored in various locations on your Mac's hard disk. The slash (/) character by itself refers to the top level of your disk, and if a slash occurs at the beginning of a path, it means you start from the top and work your way down. For example, if I tell you to open /Applications/Utilities/Network Utility, that means to start at the top level of your disk (for example, by double-clicking your hard disk icon) and then find the Applications folder. Inside that, find the Utilities folder, and inside the Utilities folder, find Network Utility. The tilde (~) character is a shorthand way of referring to your home folder — that is, /Users/your-username. But you may want to use any of the many available shortcuts in Mac OS X to get to your destination in another way.

Finally, several chapters of this book contain steps that must be performed in Mac OS X's Terminal utility, which provides a command-line interface. When working in Terminal, as in any command-line environment, you type a command and then press Return or Enter to execute it.