Take Control of Security for Mac Users, Chapter 3: Quick Security Fixes

by Joe Kissell

This article is a pre-release chapter in the upcoming “Take Control of Security for Mac Users,” by Joe Kissell, scheduled for public release later in 2015. Apart from Chapter 1: Introducing Mac Security [1], and Chapter 2: Learn Security Basics [2], these chapters are available only to TidBITS members [3]; see “Take Control of Security for Mac Users” Streaming in TidBITS [4] for details.

Chapter 3: Perform Quick Security Fixes

Time to get to work improving your security! Let’s begin with a few things everyone should do (with small variations depending on your risk level). This chapter contains steps so fundamental to your security that you’d be doing yourself a huge disservice to avoid them. Just as you need to check that the appliance is plugged in before you call customer service, the steps in this chapter constitute a sort of minimum threshold for security awareness.

Keep Your Software Up to Date

It’s a fact of life: software has bugs. And some of those bugs result in security vulnerabilities. Fortunately, most major software vendors, including Apple, have teams of programmers working constantly to identify and fix security-related bugs. I can’t tell you how many times I’ve read breathless news reports about some newly discovered and seemingly disastrous Mac security issue, only to see a software update from Apple fix it a few days later before any widespread damage occurs. This is Apple’s normal pattern, and it’s why you should never lose sleep about the Mac security crisis du jour.

However, Apple security updates don’t help unless you install them! If you have automatic software updates turned off and never bother to check for updates, you could be needlessly putting your Mac and your data at risk from problems that were solved months or years ago.

Software updates fall into several categories, all of which can fix security issues:

  • Major upgrades to OS X itself, such as 10.10 Yosemite
  • Minor updates to OS X, such as 10.10.1
  • Stand-alone security updates for OS X
  • Updates to specific Apple apps (Safari, iTunes, QuickTime, etc.)
  • Updates to third-party apps

Which of these should you keep up with? Ideally, all of them—but at a bare minimum, be sure to install the stand-alone security updates. The next-highest priority would be minor OS X updates.

Tip: To learn about all Apple software updates with security implications, see the Apple security updates [5] page. Click a specific update to read the security details.

In most cases, when Apple releases a security update, it’s available for the current version of OS X and the previous two—so an update in early 2015 would apply to Yosemite, Mavericks, and Mountain Lion. If you aren’t at least on the third-most-recent version of OS X, you risk dangers from known security problems that Apple won’t ever fix.

Meanwhile, each major new version of OS X contains entirely new security features, independent of bug fixes. Yosemite offers certain intrinsic protections that Mavericks did not, and Mavericks has security features that Mountain Lion lacks. So if you really want all the latest security goodness, you should (if your hardware supports it) upgrade to the latest version of OS X and install all the pertinent OS X, security, and app updates.

Note: Often the initial releases of new OS X versions (10.9.0, 10.10.0) have significant bugs that Apple fixes quickly. So it’s fine to wait a few weeks on major upgrades, by which time (if there’s not already a 10.x.1 version) enough others will have tried out the new release that you can judge how stable it may be for you.

All Apple software updates are now delivered through the App Store app, which also handles a good bit of third-party software. You can use that app to manually install any available update, and you can configure its preferences to automatically download and/or install new updates as they appear.

Update App Store Software Manually

If you haven’t recently checked for OS X updates, open the App Store by clicking its Dock icon, double-clicking its icon in /Applications or in Launchpad, or choosing Apple > App Store. Then click the Updates button on the toolbar.

Now, to update a single app, click the Update button next to it. (In some cases, Apple groups multiple software updates together; click the More link to see details on each one.) Or, to update all the listed apps at once, click Update All. You may be asked for your Apple ID and password, but otherwise the App Store downloads and installs the updates automatically.

Configure Automatic App Store Updates

You can have your Mac check for, and even download and install, updates from the App Store in the background—with or without asking for your explicit approval.

In fact, the first time you update an app in the App Store app under Yosemite, a dialog appears (Figure 1) asking if you want this automatic installation—click Turn On or Not Now, as you prefer (you can change the setting later, as I describe in a moment).

Figure 1: The App Store would really like to update all your apps automatically from now on.

Personally, I prefer to learn about updates as soon as possible. And, because there’s a greater than 95 percent chance that I’ll install any given update, it saves time to let OS X download updates automatically in the background. I don’t necessarily install updates as soon as they appear, because occasionally updates cause more problems than they fix. I like to keep an eye on social media to make sure the new software won’t wreak havoc if I install it.

You can decide on your desired level of automation, but at the bare minimum I urge you to turn on automated checking for updates so that you’ll be notified when something new is available.

Follow these steps to configure software updates:

  1. Go to System Preferences > App Store (Figure 2).
    Figure 2: Configure automatic updates in the App Store preference pane.

  2. Select the Automatically Check for Updates checkbox to enable automatic checking. If it’s selected, you can also select any or all of:
    • Download Newly Available Updates in the Background, which not only notifies you of updates but downloads them for you so you can install them as soon as you’re ready (click Install to install immediately; click Later and choose Try in an Hour, Try Tonight, or Remind Me Tomorrow from the pop-up menu to “snooze” the reminder; or click the notification itself to open the App Store and see which updates are available)
    • Install App Updates, which silently updates apps automatically after they’re downloaded (except those requiring a restart or other interaction)
    • Install OS X Updates, which does the same as Install App Updates except for OS X itself—that is, OS X 10.10.x—and will presumably prompt you to restart your Mac
    • Install System Data Files and Security Updates, which automatically (without prompting you) installs these essential updates—but only after they’ve been available in the Mac App Store for 3 days

    Of the above settings, I suggest selecting Automatically Check for Updates, Download Newly Available Updates in the Background, and Install System Data Files and Security Updates. That way, the most urgent security fixes will be installed automatically, while less-critical updates will be downloaded as soon as they’re available, enabling you to install them more quickly when you’re ready.

    Note: Regardless of these settings, you can always check for updates manually at any time by clicking Check Now (which changes to Show Updates if updates have already been downloaded).

  3. If you’re signed in to the Mac App Store, you can also check or uncheck Automatically Download Apps Purchased on Other Macs, which does exactly what it says.
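To confirm from Terminal that the three settings suggested in step 2 are in effect, a small audit script can read them back. This is an added example, not part of the book; the preference domain and key names are assumptions based on how OS X 10.10 stores these checkboxes (the single Install System Data Files and Security Updates checkbox is assumed to map to two keys).

```shell
#!/bin/sh
# Audit the App Store update settings against the chapter's suggested trio.
# Assumed preference keys (OS X 10.10; not named in the chapter):
#   /Library/Preferences/com.apple.SoftwareUpdate: AutomaticCheckEnabled,
#   AutomaticDownload, ConfigDataInstall, CriticalUpdateInstall

SU_DOMAIN=/Library/Preferences/com.apple.SoftwareUpdate

# Print the stored value of a key, or "unset" if it is missing or if the
# defaults tool is unavailable (for example, when run off a Mac).
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || echo unset
}

# Pure check: takes the four values, prints one line per setting that differs
# from the recommendation, and returns the number of such lines.
# "1", "true" and "YES" count as enabled; anything else counts as off.
grade_updates() {
    missing=0
    set -- "check:$1" "download:$2" "data files:$3" "security updates:$4"
    for item in "$@"; do
        case "${item##*:}" in
            1|true|TRUE|YES) ;;
            *) echo "OFF: ${item%%:*}"; missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}

audit_updates() {
    grade_updates \
        "$(read_pref "$SU_DOMAIN" AutomaticCheckEnabled)" \
        "$(read_pref "$SU_DOMAIN" AutomaticDownload)" \
        "$(read_pref "$SU_DOMAIN" ConfigDataInstall)" \
        "$(read_pref "$SU_DOMAIN" CriticalUpdateInstall)"
}

# Only query live settings where the defaults tool exists (that is, on a Mac).
if command -v defaults >/dev/null 2>&1; then
    if audit_updates; then
        echo "Update settings match the suggested configuration."
    fi
fi
```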

Manual Updates of OS X

All updates to OS X are available not only through Software Update but also on Apple’s Web site, so you can download them manually [6] if you wish. This lets users decide whether to use a standard (or “delta”) updater, which requires the most recent previous release of OS X, or a “combo” updater, which can update any previous version of the major system release (for example, 10.10.0 or 10.10.1) to the new version (say, 10.10.2).

Update Other Apps

Software that didn’t come from the App Store must be updated separately. The majority of modern apps include a Check for Updates menu command—or something with similar wording—and a preference that lets you enable automatic checking if you like. So go through your most frequently used apps now, use the Check for Updates feature, and if applicable, enable the preference to tell you automatically about new updates as they appear.

Manage Basic Security and Privacy Settings

The Security & Privacy pane of System Preferences is (as the name suggests) the spot to adjust many of your Mac’s security settings. We’ll cover them all at some point in this book, but for now, I want to draw your attention to a few especially important settings here. I’ll also mention settings in the Users & Groups pane and in the Keychain Access utility that deserve a quick look.

General Security Preferences

In the General view of System Preferences > Security & Privacy are a couple of settings you should check:

  1. Go to System Preferences > Security & Privacy > General (Figure 3).
    Figure 3: Set key security options in the Security & Privacy preference pane. (Some Macs show slightly different options here.)

  2. At the top is a Require Password checkbox and a pop-up menu to choose the delay after sleep or screen saver begins before a password is required. Set these according to your risk level (see Determine Your Risk Profile [7]):
    • If you’re at Level 1, leave the box unchecked—it’s not worth the bother.
    • For Level 2 and higher, select the Require Password checkbox.
    • As for the time interval shown in the pop-up menu, I’ll simply make the general statement that the higher your risk level is, the lower this number should be. For anyone at Level 4, it should be Immediately.
  3. Click the lock icon in the lower left of the window, enter your existing administrator username and password, and click Unlock.
  4. Under Allow Apps Downloaded from, make sure—for now—the middle choice (Mac App Store and Identified Developers) is selected. That’s the quick fix; I’ll explain when the other two options are appropriate when we get to Manage App Sources in Chapter 4.

Your changes take place immediately. But wait! There’s one more thing to do. In Step 2, if you selected Require Password after Sleep or Screen Saver Begins, you must also make sure that one or both of those things will happen automatically! Here’s how:

  • Sleep: Go to System Preferences > Energy Saver and drag the Computer Sleep and Display Sleep sliders to the desired position (but not to Never). On a notebook Mac, you’ll have to set these separately for when it’s running on Battery and Power Adapter.
  • Screen saver: Go to System Preferences > Desktop & Screen Saver > Screen Saver and choose how long your Mac must be idle before the screen saver activates from the Start After pop-up menu (don’t choose Never).

Login Options

When you set up a new Mac, one of the first things you must do is create a user account for yourself (your Mac can have many such accounts but at least one is mandatory), along with a username and password. By default, OS X logs in that initial user account automatically when you turn on or restart your Mac. That means you can get right to work without entering a password, and it’s the most convenient arrangement for Macs with a sole user—especially if the Mac is kept in a secure place.

However, if anyone else (including a thief!) can get to your Mac, that automatic login becomes a problem, because your Keychain unlocks automatically (see Keychain Security [8], next) and all the files on your Mac are readily available.

Note: If you use FileVault (see Prevent Data Theft in Chapter 10), automatic login is disabled.

Therefore, if your risk (see Determine Your Risk Profile [9]) is greater than Level 2, I suggest disabling automatic login. The consequence will be that you’ll have to type your password whenever you turn on or restart your Mac—but of course the very thing that poses a small annoyance to you is a much greater barrier to those you want to keep out of your Mac.

To disable automatic login, go to System Preferences > Users & Groups > Login Options and choose Off from the Automatic Login pop-up menu.
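The rules from General Security Preferences and Login Options depend on each other: Require Password does nothing if neither sleep nor the screen saver ever starts, and automatic login bypasses the password at startup. The script below checks them together; it is an added example, not part of the book. The preference keys and pmset rows it reads are assumptions about OS X 10.10, and the first argument is your risk level (default 2).

```shell
#!/bin/sh
# Check that Require Password can actually trigger, following the chapter's rules.
# Assumed sources on OS X 10.10 (not named in the chapter):
#   defaults read com.apple.screensaver askForPassword / askForPasswordDelay
#   defaults -currentHost read com.apple.screensaver idleTime   (seconds)
#   pmset -g   ("sleep" and "displaysleep" rows, in minutes)
#   defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser

# lock_findings LEVEL ASK DELAY SAVER_IDLE SLEEP_MIN AUTOLOGIN_USER
# LEVEL is your risk level (1-4). 0 means Never for SAVER_IDLE and SLEEP_MIN.
# AUTOLOGIN_USER is empty when automatic login is off.
# Prints one line per problem, nothing when the settings are consistent.
lock_findings() {
    level=$1 ask=$2 delay=$3 saver=$4 sleepmin=$5 autologin=$6
    if [ "$level" -ge 2 ]; then
        if [ "$ask" -ne 1 ]; then
            echo "Require Password is off"
        elif [ "$saver" -eq 0 ] && [ "$sleepmin" -eq 0 ]; then
            echo "Require Password is on, but sleep and screen saver are set to Never"
        fi
        if [ "$level" -ge 4 ] && [ "$ask" -eq 1 ] && [ "$delay" -ne 0 ]; then
            echo "Level 4 calls for Immediately, but the delay is $delay seconds"
        fi
    fi
    if [ "$level" -gt 2 ] && [ -n "$autologin" ]; then
        echo "Automatic login is on for $autologin"
    fi
    return 0
}

# Whole-number part of a value; missing or non-numeric input is read as 0
# (an assumption of this example).
num() {
    n=${1%%.*}
    case "$n" in ''|*[!0-9]*) echo 0 ;; *) echo "$n" ;; esac
}

if command -v defaults >/dev/null 2>&1 && command -v pmset >/dev/null 2>&1; then
    ss=com.apple.screensaver
    lock_findings "${1:-2}" \
        "$(num "$(defaults read $ss askForPassword 2>/dev/null)")" \
        "$(num "$(defaults read $ss askForPasswordDelay 2>/dev/null)")" \
        "$(num "$(defaults -currentHost read $ss idleTime 2>/dev/null)")" \
        "$(pmset -g | awk '$1 ~ /^(display)?sleep$/ && $2 > 0 {n = $2} END {print n + 0}')" \
        "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)"
fi
```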

Keychain Security

Your Mac’s Keychain contains passwords for apps and Wi-Fi networks, credentials for local network servers, encryption certificates, and other important information your Mac needs to function securely. If you use iCloud Keychain (see Use a Password Manager in Chapter 5), it may also contain credentials for Web sites where you have accounts as well as your credit card details.

Because this information is valuable and potentially sensitive, OS X encrypts the contents of your Keychain. However, whenever your Keychain is unlocked, your credentials can be passed to apps, Web sites, and network services without any additional intervention on your part. And how do you unlock your Keychain? That’s the crazy part—by default, all you have to do is log in to your Mac’s user account. And (as we saw in Login Options [10]) another default setting is to log you in to your account automatically.

In other words, unless you take steps to change the defaults, merely turning on your Mac unlocks your Keychain! That means anyone else who might have physical access to your Mac can log in to all the Web accounts (like your bank, Amazon, or PayPal), file servers, and other resources for which you’ve saved credentials (like iTunes or the App Store)—although no one can see the individual passwords without knowing your login password, someone can use all your passwords.

Rather insecure, wouldn’t you say?

Well, if you decided that you’re at the lowest risk level (see Determine Your Risk Profile [11]), it probably doesn’t matter, because your Keychain is unlikely to hold anything terribly valuable. The inconvenience of having to log in and/or unlock your Keychain more often wouldn’t make sense.

For everyone else, however, I recommend taking one or more of the following actions:

  • Turn off automatic login. As I explained just above, in Login Options [12], you can disable automatic login. As long as you also configure your Mac to sleep or activate a screen saver after a short absence (see General Security Preferences [13]) and require a password soon thereafter (Login Options [14]), you’re reasonably safe when you’re physically away from your Mac—though less safe than if you had logged out or shut down.
  • Lock your Keychain manually. Even if your Keychain is unlocked automatically on login, you can lock it manually at any time, and then unlock it when needed. The easiest way to do this is by enabling a special system-wide menu. Open Keychain Access (found in /Applications/Utilities), go to Keychain Access > Preferences > General, and make sure Show Keychain Status in Menu Bar is checked. You can then choose Lock Keychain or Unlock Keychain from the Keychain menu.
  • Change your Keychain password. If you change your Keychain password so that it’s different from your login password, your Keychain won’t unlock automatically at login. To do this, open Keychain Access (in /Applications/Utilities). Select login in the Keychains list and choose Edit > Change Password for Keychain “login.” Enter your current password, enter and repeat the new password, and click OK. (You should also enable the Keychain menu, as in the last bullet point, for easier locking and unlocking.)

Note: Your login keychain is different from your iCloud keychain (see Use a Password Manager in Chapter 5), and you can’t change the password for the latter without changing your iCloud password itself.

