"Security alert! A vulnerability in Mac OS X HTTP protocol handling makes possible denial of service attacks and arbitrary code execution."
"Oh no," you think. "This sounds bad. Is my Mac unsafe? Worse yet, is my entire network at risk?"
The reality is that "safe" is a relative term, both in the real world and on the Internet. Is it safe to get in your car and drive to the QuickieMart? Modern cars have seat belts (they didn't always), crumple zones, and airbags, but they don't guarantee that you won't be injured in a crash. Over time, the addition of these features has made cars incrementally safer, but their level of safety is still relative. You can't point to one car and say, "That one is absolutely safe, and that one absolutely isn't."
The same is true of computers and networks. An online banking site is expected to be more secure than the average Britney Spears fan blog, but the reality is that both are probably reasonably difficult to hack, even for a technically savvy user. But at the same time, both are potentially vulnerable to a malicious cracker.
The problem with security bulletins (well, one of the problems, anyway) is that they tend to redirect our attention to arcane technical details and away from common sense precautions. In most cases, there is greater risk of "social" security breaches than technical ones. Have you ever written down a password on a Post-it and stuck it to your monitor? Have you ever had users share a user account name and password, or sent passwords via normal email? These are potentially much greater threats to your security than the vast majority of vulnerabilities that could - in theory - be exploited to assault your network.
Another problem is that Internet security advisories can be hard to understand, sometimes even for well-trained network and system administrators. Often this is because the problem being reported is so obscure and technical that only a specialist could understand or respond to it. So, while this fact makes it difficult for many of us to determine the severity of a problem, or whether or not it even applies to our situations, it is more important to realize that more practical, almost intuitive issues generally pose a more significant threat to your network security.
Most of us make the choice to drive cars because the benefit outweighs the risk. We connect our computers to the Internet for the same reason. We do our best to manage the risk, of course, but ultimately the responsibility is ours. Software vendors have a responsibility to provide software that is fundamentally stable and secure, of course, but just like a car, it is up to the end user to use the software responsibly.
If a car accelerates through the back of some poor guy's garage when he hits the brakes, or a gas tank explodes when a Ford Pinto is rear-ended, the public rightly expects the company responsible to correct the problem. But the vast majority of accidents can be attributed to drivers, other cars on the road, or conditions outside of anyone's control, not to fundamental flaws in the engineering of the cars. Again, the analogy applies to computers and networks; most real-world security vulnerabilities could be addressed by users applying basic security measures.
- Secure physical access to your computers and crucial network devices. The ultimate "denial of service" attack may just be someone walking in, unplugging your Mac, and stealing it.
- Assign passwords that are non-trivial and difficult to guess, without being hard to remember. Trivial passwords ("abc123", "admin", "test", etc.) are commonly guessed by port sniffing robots, and definitely need to be avoided. At the same time, while long sequences of random characters might seem more secure, these passwords essentially force users to write them down for handy reference. [For real-world advice on how to maintain a set of memorable and secure passwords, check out Joe Kissell's "Take Control of Passwords in Mac OS X." -Adam]
- When setting up network services, don't share user accounts among users. When more than one person uses the same user account, they not only automatically have access to the same content and services, but your ability to track activity is severely limited. Should you ever need to review activity logs for some reason, there may be no way to tell one user from another.
- Minimize the number of applications running, and use software only from trusted sources. Many potential attacks aren't launched against a single application, but rather make use of multiple applications in conjunction with one another. By eliminating unnecessary applications, and avoiding software from dubious sources, you can minimize the chance that a small flaw in one program can be turned into a big hole in your system.
- When setting up a normal desktop Mac, a server, or your network, turn on and properly configure the firewall (which is built into Mac OS X and most modern routers). While it may take a few extra minutes, this is time well-spent, even when security isn't a primary concern. It is shocking how much malicious traffic is on the Internet. Much of this traffic is more annoying than actually dangerous for Mac users, but your first defense against email harvesting robots, virus-spread port scanners, and worse is a properly deployed firewall.
When cars first began to be used widely, their limited top speed minimized the risk of driving them. As they have become more powerful, and the roads have become more congested, the risks have increased and drivers have had to exercise more skill and care to get around safely. Similarly, as we increasingly rely on universally available and networked computer systems, and as ever more critical information is kept on these systems, we must be better about basic precautions, spending our time on them, rather than on worrying about the latest possible exploit.
Airbags are a great safety feature, but you still need to pay attention to the road.
[John O'Fallon founded Maxum Development, makers of Rumpus, a popular FTP and Web file transfer server. He has been developing commercial software for Apple computers for 25 years.]