Web browsing
The largest potential danger comes from the "Internet". My Mac is online most of its operating time and web browsers are among the most used applications on my Mac.
Therefore, the most important rules are:
- surf the web carefully
- don't just download any software you find
Browser choice
The browser choices, configurations and extensions offers various options to configure your security and privacy.
I like to use Chrome because it's known for having
- strict sandboxing
- updates itself, its extensions and flash plug-in automatically
- open extension design
Safari's extension design is more restricted, causing the JavaScriptBlocker for Safari not to be as functional as similar extensions for Chrome or Firefox: e.g. Web Bugs are not blocked.
Chrome is considered quite safe. It did not get exploited at the Pwn2Own hacking contest three years in a row (2009-2011). 2012 is the first year a team presented the use of a zero-day-exploit in Chrome.
The German Federal Office for Information Security (BSI) (similar to the NIST in the U.S.) recommends the use of Chrome because of its sandboxing technology and auto-updates.
Java
Chrome has disabled Java by default and asks you every time when it's required to run.
You can disable Java for Safari as well. You won't miss it most of the time:
- Safari Preferences → Security → uncheck Enable Java
- Open
/Applications/Utilities/Java Preferences.app
→ uncheck Enable applet plug-in and Web Start applications
Other options
- System Preferences → General → check Automatically update safe downloads list
Open Safari downloads manually:
- Safari Preferences → General → uncheck Open "safe" files after downloading
Flash and PDF viewer
Download Adobe flash only from the official website. However, you don't need to update it manually anymore. The latest Flash update for Mac adds auto-updates.
In Safari, you can use the ClickToFlash extension to manually allow flash to run in your browser.
You don't need to use Adobe's PDF viewer. Apples's preview works in Safari as well. You can remove the Adobe plug-in here:
/Library/Internet Plug-ins/AdobePDFViewer.plugin
Passwords
For creating passwords you can use the Password Assistant provided by OS X. Go to /Applications/Utilites/Keychain Access.app
→ click the plus at the bottom left → click the key symbol.
Adblock lists
The Adblock and Adblock Plus extensions offer lists to improve your privacy and security.
The lists are named:
- EasyPrivacy: privacy protection
- Malware Domains: malware protection
- Antisocial: blocks social integration.
Yes. If you enable automatic login, the keychain password is stored in /etc/kcpassword
using XOR cipher, which can be decoded easily. You need root privileges to read it though.
sudo ruby -e 'key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]; IO.read("/etc/kcpassword").bytes.each_with_index { |b, i| break if key.include?(b); print [b ^ key[i % key.size]].pack("U*") }'
Even if automatic login was disabled, the login password can be reset in single user mode. It doesn't change the password of the login keychain though. If someone logged in to your account after resetting the login password, they could access most of your files normally, but they couldn't log in on your account in Mail or use auto-fill in Safari. If automatic login was enabled, they could see your passwords with something like security find-internet-password -s accounts.google.com -w
and use Mail and auto-fill.
There was a vulnerability when automatic login was enabled:
According to a leading password recovery software developer Passware, your password could be easily accessed via the direct memory access associated with the Mac’s FireWire port.
It seems that by enabling the “automatic login” feature the FireWire port on your Mac opens the door to unauthorized password recovery. It seems that this is an issue that has plagued Snow Leopard as well, but as it stands it does not look like there is any fix for it, apart from disabling “automatic login” and spending that extra second or two typing in your password.
The hash of the login password (which is usually also the password of the login keychain) is stored in /private/var/db/dslocal/nodes/Default/users/username.plist
in 10.7 and 10.8. In 10.7 even relatively complex passwords could be cracked with DaveGrohl, but 10.8 switched to PBKDF2, which limits it to about 10 guesses per second per core.
Best Answer
In System Preferences you go to Security and Privacy.
Code signing is a component of this. Choosing Mac App Store and Identified developers requires the use of Code Signing certificate. If you want to be able to install anything unsigned, you will have to select "Anywhere." This allows you to install anything, but it allows you to install anything :) See this pic: