The macosxhints Forums

didn't we pay lots so we would be protected? (http://hintsforums.macworld.com/showthread.php?t=98258)

biovizier 01-31-2009 09:04 AM

Quote:

Originally Posted by anthlover (Post 516507)
To be fair the biggest problem with windows until Vista, 7, and 2008 was that the default login allowed for the installation of virtually anything with no additional passwords required
...
systems with the keys to the car are going to get taken for a ride. Macs require a password.

This is a common misconception (and people are probably getting tired of me bringing it up), but the belief that Macs require a password to do anything is unfortunately incorrect.

The default login on a Mac is a member of the "admin" group. There are multiple local admin->root privilege escalation vulnerabilities that are well known (i.e. unpatched by Apple years after knowledge of them hit the mainstream web). That means if someone can get code to run on a default Mac by any means, social engineering or otherwise, it has full access to the system. This would, for example, allow system level changes to network settings to make changes that could direct you to fake bank or online payment sites, or to insert fake password dialogues when you connect to a legitimate site. In Leopard, the access even includes unsetting the 'schg' flag which is something for which physical access should be required.

If an experienced user continues to use an "admin" account, that is of course their prerogative. They would be knowledgeable enough to avoid unsafe activities, although they would still be susceptible to vulnerabilities in the system or applications. Even so, they are likely to be better prepared to recognize that something is wrong, investigate if they suspect something is wrong, and to recover, having taken basic precautions like having a backup if something is found to have gone wrong.

The problem is that Macs are directly marketed toward inexperienced users, with ease of use and security actively promoted by Apple. One of the TV ads actually went so far as to say "Macs don't get viruses", with full knowledge that the target audience think of all malware as "viruses" and probably couldn't tell you the difference between a worm, virus or trojan. Most users continue to use the default account as their primary account (an informal poll here with an admittedly puny sample size pegged admin usage at ~80%) which, given the Mac's growing user base, could make them a juicy target.

cwtnospam 01-31-2009 09:35 AM

Quote:

Originally Posted by Woodsman (Post 516520)
In the light of what I'm reading here I'm thinking of protecting those documents that contain account data, and getting a fancier admin password, but would you be so kind as to explain that bit about port 22 for a non-techie?

Port 22 is the default port used by ssh. If you leave remote login turned on (not positive, but I think Leopard's screen sharing uses this port too) and are using the default port so that you can connect to your computer from elsewhere, it is possible for a hacker to use a script to mount a dictionary attack on your system. All their script needs to do is try port 22 and if it gets a response, run through the dictionary.
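
A defender's view of the dictionary attack described in the post above, as an added example that is not part of the original thread: it scans sshd log lines for a burst of failed password attempts from one address and reports any login accepted after the burst. The log lines are constructed samples in OpenSSH's usual "Failed password" / "Accepted password" format; the threshold, time window, host and user names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation-range address, made-up host and users).
SAMPLE_LOG = """\
Jan 31 09:12:01 mac sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 31 09:12:03 mac sshd[412]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Jan 31 09:12:05 mac sshd[413]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 31 09:12:08 mac sshd[414]: Failed password for kim from 203.0.113.7 port 51244 ssh2
Jan 31 09:12:10 mac sshd[414]: Failed password for kim from 203.0.113.7 port 51249 ssh2
Jan 31 09:12:12 mac sshd[414]: Failed password for kim from 203.0.113.7 port 51251 ssh2
Jan 31 09:12:15 mac sshd[415]: Accepted password for kim from 203.0.113.7 port 51260 ssh2
Jan 31 09:30:40 mac sshd[420]: Failed password for kim from 192.168.1.20 port 50022 ssh2
Jan 31 09:30:52 mac sshd[420]: Accepted password for kim from 192.168.1.20 port 50022 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def analyze(log_text, year=2009, threshold=5, window=timedelta(minutes=1)):
    """Flag source addresses with >= threshold failed logins inside one window."""
    fails = defaultdict(list)    # ip -> [(time, user)]
    accepts = defaultdict(list)  # ip -> [(time, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, outcome, user, ip = m.groups()
        # syslog timestamps carry no year, so one is supplied by the caller
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        (fails if outcome == "Failed" else accepts)[ip].append((when, user))

    findings = {}
    for ip, events in fails.items():
        events.sort()
        start, tripped_at = 0, None
        for end, (when, _) in enumerate(events):
            # slide the window start forward until it spans at most `window`
            while when - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                tripped_at = when
                break
        if tripped_at is None:
            continue  # a mistyped password or two is not a dictionary run
        findings[ip] = {
            "failures": len(events),
            "usernames": sorted({u for _, u in events}),
            "tripped_at": tripped_at,
            # a login accepted after the burst means a guess probably worked
            "logins_after_burst": sorted(
                {u for t, u in accepts[ip] if t >= tripped_at}
            ),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```
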

cwtnospam 01-31-2009 09:37 AM

Quote:

Originally Posted by aehurst (Post 516536)
The 11 year old found a novel way to do an easy to remember password.... he ignores recognizable letter/number combinations and simply picks a key on the keyboard then goes diagonal down for four keys and then across for three more (or similar). Easier for him to remember the pattern than random digits. (kids do think differently than the rest of us)

That works well for PIN numbers too. Patterns are visual, and so easier to remember.

Woodsman 01-31-2009 10:18 AM

Quote:

Originally Posted by cwtnospam (Post 516542)
Port 22 is the default port used by ssh. If you leave remote login turned on (not positive, but I think Leopard's screen sharing uses this port too) and are using the default port so that you can connect to your computer from elsewhere, it is possible for a hacker to use a script to mount a dictionary attack on your system. All their script needs to do is try port 22 and if it gets a response, run through the dictionary.

Well, I have never been interested in either remote log-in or screen-sharing, so if Leopard required me to do anything deliberate to enable this, I won't have done it. In SysPref/Network/Sharing (which I went to just now for the first time), every single box is off, as in unchecked. Anything else that I -- and maybe Aehurst -- should go look for to make extra sure?

trevor 01-31-2009 12:49 PM

Quote:

Originally Posted by Woodsman (Post 516546)
Well, I have never been interested in either remote log-in or screen-sharing, so if Leopard required me to do anything deliberate to enable this, I won't have done it. In SysPref/Network/Sharing (which I went to just now for the first time), every single box is off, as in unchecked. Anything else that I -- and maybe Aehurst -- should go look for to make extra sure?

That means that you're not running any services on your computer. That's a good first step.

Also, make sure that you have a good long password on ALL the accounts on your computers and devices, consisting of numbers and letters of both upper and lower case, and not consisting of a word that can be found in any dictionary, and not consisting of anything that can be personally traced to you (like your first dog's name).

Turn on your firewall.

Don't run as your admin user except when necessary, say to install software.

Keep your computer behind a NAT router (99.9% of small home routers are NAT routers). This keeps any attacks on your computer indirect--all attacks have to go through the router first. And make sure that "Remote Administration" is OFF on your NAT router.

If you use a wireless router, make sure to use WPA2 encryption (or at a minimum WPA, although that's getting a bit compromised now too). Use a long passphrase on your wireless network--12 characters is a bare minimum, more like 20 is preferred. Use the same rules as for password selection above.

Encrypt directories with stuff that you need to protect on your computer, but don't use FileVault--it's unfortunately caused many problems that we've seen on this and other Mac forums. (Disk Utility can easily make encrypted disk images, into which you can put the stuff you need to protect.)

Within reason, keep up-to-date on new versions of OS X, and Security Updates--those often fix vulnerabilities.

Trevor

Woodsman 01-31-2009 01:35 PM

Quote:

Originally Posted by trevor (Post 516568)
Also, make sure that you have a good long password on ALL the accounts on your computers and devices, consisting of numbers and letters of both upper and lower case, and not consisting of a word that can be found in any dictionary, and not consisting of anything that can be personally traced to you (like your first dog's name).

I need a better one there, working on it...... Say, what about foreign words and names? There are a lot of languages out there, do they do dictionary attacks in exotic tongues too?

Quote:

Originally Posted by trevor (Post 516568)
Turn on your firewall.

Could you explain where and how? I had one of those as a Windows user, but have heard no talk about that for Macs hitherto -- illustrating what someone said just now about hype aimed at us innocents...... For all I know it may be already on, just as remote log-in was already firmly off!

Quote:

Originally Posted by trevor (Post 516568)
Don't run as your admin user except when necessary, say to install software.

Now that's harder. I ran as standard user until recently, when I discovered that something about the users was preventing Spotlight from indexing. I gave my standard user, the one with MyStuff, admin privileges and killed the other one, the factory-settings user, and that problem cleared up. I also suspect that this issue was what caused Time Machine not to work back in November, you may remember that. When I've thought up an admin password that both fits your rules and can be remembered, I guess I could set up a new user structure, but if for some weird reason Spotlight will only index when I'm admin, then that's what I've gotta be, and take my chances.

Quote:

Originally Posted by trevor (Post 516568)
And make sure that "Remote Administration" is OFF on your NAT router.

That done via the ISP's website, like when mine failed and I had to configure a new one? Had to be talked through that, no fun at all.

Quote:

Originally Posted by trevor (Post 516568)
If you use a wireless router......

Nope.

Quote:

Originally Posted by trevor (Post 516568)
Encrypt directories with stuff that you need to protect on your computer, but don't use FileVault--it's unfortunately caused many problems that we've seen on this and other Mac forums. (Disk Utility can easily make encrypted disk images, into which you can put the stuff you need to protect.)

Been warned about FileVault, got a tutorial on disk images printed out.

Quote:

Originally Posted by trevor (Post 516568)
Within reason, keep up-to-date on new versions of OS X, and Security Updates--those often fix vulnerabilities.

Been assiduous there. So I think my top two priorities now are working out a new password, which I can do on my own, and hearing more about the firewall.

Funny thing, I ran a Windows box for 12 years, and as far as well-updated AV could tell me, I never caught a bug, other than a little adware, but now you guys are making me more scared than I ever was before!

trevor 01-31-2009 02:25 PM

Quote:

Originally Posted by Woodsman (Post 516571)
I need a better one there, working on it...... Say, what about foreign words and names? There are a lot of languages out there, do they do dictionary attacks in exotic tongues too?

Depends on the hacker, and how exotic the tongue is. Cherokee, you're probably safe. French, German, Italian, Spanish, not so much.

In any event, you later mention that you'll have trouble picking out a good long password that is memorable, so I'll share a useful password-picking trick that I got from someone else years ago. Start with a memorable phrase, preferably something fairly long. For example, I'll use the Gettysburg Address by Abraham Lincoln.

The text of the first sentence of the Gettysburg Address is

Quote:

Originally Posted by Abraham Lincoln
Four score and seven years ago our fathers brought forth on this continent, a new nation, conceived in Liberty, and dedicated to the proposition that all men are created equal.

So, now, start with the first letter of each word, and you get
FsasyaofbfotcannciLadttptamace

Pretty good--it's 30 characters, and a mixture of upper and lower case. But let's also substitute the words referring to numbers with those actual numbers. Then we get

4sa7yaofbfotcannciLadttptamace

That's already a pretty good password that won't be found in any dictionary, yet is memorable (at least if you know the Gettysburg address, or if you forget it you can look it up). If you wanted, you could obfuscate it even more by substituting an "&" for the "ands"

4s&7yaofbfotcannciL&dttptamace

Of course, choose something else that is long and memorable to YOU.

Be aware though, and be SURE to keep it something that is not personally associated with you. A friend of mine was working IT for the University of Colorado in Boulder and his supervisor always bragged about how secure his password was. My friend knew that he was a huge fan of the Doors, and tried this technique with Doors lyrics until he found that his supervisor had used the initial letters of "Light My Fire" as his password.

Quote:

Originally Posted by Woodsman (Post 516571)
Could you explain where and how? I had one of those as a Windows user, but have heard no talk about that for Macs hitherto -- illustrating what someone said just now about hype aimed at us innocents...... For all I know it may be already on, just as remote log-in was already firmly off!

The directions for turning on your firewall are different for OS X 10.0 - 10.4 and in 10.5 Leopard. Your OS X Help should be your first resource for questions like this, but briefly in 10.0-10.4, it's System Preferences > Sharing > Firewall tab > click it on. In OS X 10.5 Leopard, it's System Preferences > Security > Firewall tab > click the radio button to either "Allow only essential services" or "Set access for specific services and applications".

Quote:

Originally Posted by Woodsman (Post 516571)
That done via the ISP's website, like when mine failed and I had to configure a new one? Had to be talked through that, no fun at all.

No, it's most definitely NOT done via the ISP's website. It's to YOUR router, so you configure it on your router. Since we don't know what router you have, we can't really say much more, but with non-Apple routers you probably go to the IP address of your router, such as http://192.168.1.1 or http://192.168.0.1 and make sure that remote administration is turned off.

Note that this is usually turned off by default in routers, since it's a big stupid security hole.

Trevor
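
The first-letter technique from the post above, together with the caveat about phrases that can be tied to you, as an added example that is not part of the original thread: `derive` reproduces the three Gettysburg variants, and `matches_known_phrase` is a hypothetical audit check that rejects a password built from any phrase on a list of well-known or personal phrases. Treating a shortened prefix as a match, the case-insensitive comparison and the 8-character minimum are added assumptions.

```python
import re

NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10"}

GETTYSBURG = ("Four score and seven years ago our fathers brought forth on "
              "this continent, a new nation, conceived in Liberty, and "
              "dedicated to the proposition that all men are created equal.")


def derive(phrase, digits=False, ampersand=False):
    """First letter of each word, optionally swapping number words and 'and'."""
    out = []
    for word in re.findall(r"[A-Za-z']+", phrase):
        low = word.lower()
        if digits and low in NUMBER_WORDS:
            out.append(NUMBER_WORDS[low])
        elif ampersand and low == "and":
            out.append("&")
        else:
            out.append(word[0])  # keeps the word's own capitalisation
    return "".join(out)


def variants(phrase):
    """Every combination of the two optional substitutions."""
    return {derive(phrase, d, a) for d in (False, True) for a in (False, True)}


def matches_known_phrase(password, phrases, min_len=8):
    """Return the phrase the password appears to be derived from, else None.

    A password counts as derived if it equals, or is a prefix of, any
    variant of a listed phrase (compared case-insensitively).
    """
    if len(password) < min_len:
        return None
    candidate = password.casefold()
    for phrase in phrases:
        if any(v.casefold().startswith(candidate) for v in variants(phrase)):
            return phrase
    return None


if __name__ == "__main__":
    print(derive(GETTYSBURG))
    print(derive(GETTYSBURG, digits=True))
    print(derive(GETTYSBURG, digits=True, ampersand=True))
    # Phrases an auditor would list: famous texts, plus anything publicly
    # associated with the account owner (favourite band, motto, and so on).
    print(matches_known_phrase("4s&7yaofbfot", [GETTYSBURG]) is not None)
```
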

Woodsman 01-31-2009 02:51 PM

Quote:

Originally Posted by trevor (Post 516583)
Depends on the hacker, and how exotic the tongue is. Cherokee, you're probably safe. French, German, Italian, Spanish, not so much.

Okay. I am thinking of perhaps a placename in a language somewhere between Italian and Cherokee in obscurity, with some numerics thrown in. Not as elaborate as yours, but better than the present.

Quote:

Originally Posted by trevor (Post 516583)
In any event, you later mention that you'll have trouble picking out a good long password that is memorable ......

4s&7yaofbfotcannciL&dttptamace

Ye gods and little fishes! And you do that how often? Not when you're travelling and your screensaver comes on every minute, surely? (As far as I understand it, the sleep/screensaver/user password has to be the same). I think about how often I'd need to type it in, and how often I fumble even my much easier Forum password.....:(

Quote:

Originally Posted by trevor (Post 516583)
..... his supervisor had used the initial letters of "Light My Fire" as his password.

Duh, even what I've got now is less traceable than that!

Quote:

Originally Posted by trevor (Post 516583)
Your OS X Help should be your first resource for questions like this.....

Sorry, but I've had really bad experiences with Help and think I must have a mental block on it or something. Should also have found it for myself in SysPref the way I found Sharing, which wasn't difficult, I should have gotten used to things being logical by now..:o I've been lazy, mea culpa.

Quote:

Originally Posted by trevor (Post 516583)
"Allow only essential services" or "Set access for specific services and applications".

Yikes, it was off. Maybe they should ship with it defaulted to on? I put it on the middle option now. So that was a solid step forward this evening. Also enabled Stealth Mode.

Quote:

Originally Posted by trevor (Post 516583)
..... with non-Apple routers you probably go to the IP address of your router

Sorry again again, that's actually what I meant..... Not at my best today.

aehurst 01-31-2009 03:31 PM

Good thread for us non-techies. Like Woodsman, I have tightened up a little, too. Had been running in an admin account. No more. Passwords now longer & stronger. Thanks Trevor & biovizier!!

trevor 01-31-2009 03:48 PM

Quote:

Originally Posted by Woodsman (Post 516592)
Ye gods and little fishes! And you do that how often? Not when you're travelling and your screensaver comes on every minute, surely? (As far as I understand it, the sleep/screensaver/user password has to be the same). I think about how often I'd need to type it in, and how often I fumble even my much easier Forum password.....:(

Then, use the first 12 characters of whatever passphrase you have in mind. 12 characters isn't too long, is it?

Quote:

Originally Posted by Woodsman
Duh, even what I've got now is less traceable than that!

I guess I wasn't clear that he was using the first letters of the full lyrics of "Light My Fire", not just the first letters of the title.

Quote:

Originally Posted by Woodsman
Yikes, it was off. Maybe they should ship with it defaulted to on? I put it on the middle option now. So that was a solid step forward this evening.

I wish that Apple would ship the firewall on by default as well. That has always seemed like a bad decision on Apple's part to me, but then they never bothered to ask for my opinion.

Quote:

Originally Posted by Woodsman
Also enabled Stealth Mode.

That's fine as long as it doesn't cause other problems. On the SMB network in my place of work, for example, I can't use Stealth Mode because it caused problems for me connecting to SMB/CIFS shares. Because of that, and its antibenefits as far as troubleshooting (you can't easily ping a computer in stealth mode), I personally leave "Stealth Mode" off on my computers.

Trevor

Woodsman 01-31-2009 04:15 PM

Quote:

Originally Posted by trevor (Post 516602)
Then, use the first 12 characters of whatever passphrase you have in mind. 12 characters isn't too long, is it?

I'll experiment a bit on dead trees and see...... thanks for the Firewall and all the other tips!

tlarkin 01-31-2009 05:02 PM

Here is a list of known network ports Apple OS X uses; some are standard for every platform, some are OS X specific.

http://support.apple.com/kb/TS1629

Trevor already pretty much outlined what I would have said anyway, so maybe I will add a bit more to it later but he pretty much already explained it.

aehurst 01-31-2009 07:26 PM

Quote:

Originally Posted by trevor (Post 516583)

Interesting choice of example URLs.

trevor 02-02-2009 01:43 AM

Quote:

Originally Posted by aehurst (Post 516631)
Interesting choice of example URLs.

Why? Those are the common factory default IP addresses for several major brands of router. You can change them, of course, but a lot of people just stick with those defaults, as they are fine choices.

Trevor

aehurst 02-02-2009 10:17 AM

Quote:

Originally Posted by trevor (Post 516830)
Why? Those are the common factory default IP addresses for several major brands of router. You can change them, of course, but a lot of people just stick with those defaults, as they are fine choices.

Trevor

Didn't realize that. In any case, one example was within a digit of my Mac's AT&T assigned IP (not the router). Too close, I thought, to be coincidence. I know next to nothing about IP addresses.

tlarkin 02-02-2009 10:43 AM

Quote:

Originally Posted by biovizier (Post 516540)
This is a common misconception (and people are probably getting tired of me bringing it up), but the belief that Macs require a password to do anything is unfortunately incorrect.

The default login on a Mac is a member of the "admin" group. There are multiple local admin->root privilege escalation vulnerabilities that are well known (i.e. unpatched by Apple years after knowledge of them hit the mainstream web). That means if someone can get code to run on a default Mac by any means, social engineering or otherwise, it has full access to the system. This would, for example, allow system level changes to network settings to make changes that could direct you to fake bank or online payment sites, or to insert fake password dialogues when you connect to a legitimate site. In Leopard, the access even includes unsetting the 'schg' flag which is something for which physical access should be required.

If an experienced user continues to use an "admin" account, that is of course their prerogative. They would be knowledgeable enough to avoid unsafe activities, although they would still be susceptible to vulnerabilities in the system or applications. Even so, they are likely to be better prepared to recognize that something is wrong, investigate if they suspect something is wrong, and to recover, having taken basic precautions like having a backup if something is found to have gone wrong.

The problem is that Macs are directly marketed toward inexperienced users, with ease of use and security actively promoted by Apple. One of the TV ads actually went so far as to say "Macs don't get viruses", with full knowledge that the target audience think of all malware as "viruses" and probably couldn't tell you the difference between a worm, virus or trojan. Most users continue to use the default account as their primary account (an informal poll here with an admittedly puny sample size pegged admin usage at ~80%) which, given the Mac's growing user base, could make them a juicy target.

This is very well put. A Mac does not guarantee you more safety over Windows because most Windows attacks are through some sort of social engineering attack. Which no platform is safe from.

There are still so many stigmas and misconceptions about Windows as well. Vista is the first machine that requires an application to run as admin if it wants to modify system files. Which sure, no password is there, but it requires the user to actually go in and say hey run this as admin. Windows Server security policies are pretty insane too. While I do not like messing with creating Windows security policies because they are more complex than a standard Unix or Linux configuration file, in my opinion, there are ways to make them very secure.

I was just talking to my co-worker the other day about how easy it would be to embed some sort of worm or virus into a Mac application torrent file and when the user downloads and installs said software with admin rights, have dscl scripts that create hidden user accounts and open up access to certain ports all in the background without the user's knowledge. All they have to do is put that password in once. While I am not a developer at all so my coding skills are lacking, I do know how to make hidden user accounts, and manually set network settings from the command line. That is something I could easily script out.

cwtnospam 02-02-2009 11:16 AM

Quote:

Originally Posted by tlarkin (Post 516876)
A Mac does not guarantee you more safety...

So? This doesn't mean that you aren't more safe. It's just not guaranteed. What is?

Quote:

Originally Posted by tlarkin (Post 516876)
Vista is the first machine that requires an application to run as admin if it wants to modify system files.

First among all operating systems???? :rolleyes:
It's meaningless for Vista to be the first Microsoft operating system to do this.

Quote:

Originally Posted by tlarkin (Post 516876)
I was just talking to my co-worker the other day about how easy it would be to embed some sort of worm or virus into a Mac application torrent file and when the user downloads and installs said software with admin rights...

I'm shocked!!! Shocked to find that programmers could do bad things!

anthlover 02-02-2009 11:32 PM

Ugg. Enough pretty please. All OS have Pros and Cons. I prefer OSX. The fact that Vista and later require passwords for most installs is a good thing. Generally OSX has always done so. It's true that even more passes could be required in OSX or more limited account used.

I do not think we're going to make everyone happy. Most of us on this site are Mac users and thus we like our Macs, not blindly but we did choose with our eyes open what we consider mostly superior. Admins that work with both will be well versed in the Pros and Cons of each environment.

tlarkin 02-03-2009 01:42 AM

Quote:

Originally Posted by anthlover (Post 517016)
Ugg. Enough pretty please. All OS have Pros and Cons. I prefer OSX. The fact that Vista and later require passwords for most installs is a good thing. Generally OSX has always done so. It's true that even more passes could be required in OSX or more limited account used.

I do not think we're going to make everyone happy. Most of us on this site are Mac users and thus we like our Macs, not blindly but we did choose with our eyes open what we consider mostly superior. Admins that work with both will be well versed in the Pros and Cons of each environment.

I won't deny that what Apple did with Unix in my mind is pretty impressive. In many ways it isn't even Unix. Apple is gaining more and more market share and they will just have to keep up with everyone else that updates and fixes and expands their OS.

Novell was horrible about this and that is one reason they lost their market share to Microsoft. They were able to expand and update faster to meet customers' needs. Of course this applies to only one aspect of the market, but I think if Novell had kept that market share they would have probably ventured into end user OSes. Just my opinion, on that one.

I like OS X a lot, but it isn't perfect in my mind, and I hope Apple can keep up because in all honesty I would just like to see more market share and competition to drive everyone to actually make a better product.

cwtnospam 02-03-2009 08:31 AM

More market share doesn't drive anyone to create a better product. Look at the big 3 auto makers. They had the bulk of the market and their complacency is what allowed the rest of the world to overtake them.

There is also the problem of where new customers come from when you're expanding market share, and what that does to your business culture. Ben & Jerry's used to have a strong following. Today, they're part of Unilever and many former customers think they're sellouts. I'm afraid that as Apple caters to more and more Windows users the same will happen to them. Little annoyances ported over from Windows already abound in OS X. When Jobs leaves Apple, they may truly be just another large corporation. That's when OS X will be under serious attack from hackers. :(


All times are GMT -5.