Original Post from the following:
Information protection is now scrutinized in all commercial and government industries. Theft of information has crippled many organizations and businesses. One of the main reasons information is lost, corrupted, or stolen is that many industries have not fully recognized it as a risk and have yet to implement strong quality assurance policies and programs.
Some of the most common risks come from unattended computers, weak passwords, and poor information management practices. Hackers look for the weakest target and tunnel into a business from easy sources, like tablets or cell phones. Using smart encryption software can remediate this threat and vulnerability, making it difficult for competitors or rookie hackers to penetrate your device. However, software alone is not enough to prevent Macs from being hacked. It is the Mac user who has the authority and resources to save it from potential penetration. The top 10 ways to prevent your Mac from being hacked are discussed below. Following all these tips will surely make your Mac hack-resistant. As a word of caution, before starting on the processes below, be sure to back up your system first.
Create a non-administrator user in the Accounts pane of System Preferences and use this account for everyday tasks. Only log in with an administrator account when you need to perform system administration tasks.
Regularly applying system updates is extremely important.
For Internet-connected systems: Open the Software Update pane in System Preferences. Ensure that “Check for Updates” is enabled, and set it to “Daily” (or the most frequent setting). There is a command line version available as well, called softwareupdate. Read its man page for more details.
For systems not connected to the Internet: Retrieve updates regularly from www.apple.com/support/downloads. Be sure to verify that the SHA-1 digest of any download matches the digest published there, using the following command: /usr/bin/openssl sha1 download.dmg
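The digest comparison above can be scripted so it does not rely on comparing 40 characters by eye. This is an added example, not part of the original post; the function names are hypothetical, and it calls openssl through PATH where the article uses /usr/bin/openssl.

```shell
#!/bin/sh
# Added example: compare a download's SHA-1 with the digest published by the vendor.

# sha1_of FILE: print the lowercase hex SHA-1 of FILE.
# openssl prints the digest as the last field of its output line.
sha1_of() {
    openssl sha1 < "$1" | awk '{print $NF}' | tr 'A-F' 'a-f'
}

# verify_sha1 FILE PUBLISHED
# Returns 0 on match, 1 on mismatch, 2 when the input is unusable.
verify_sha1() {
    file=$1
    # Normalise the published value: strip whitespace and lowercase it,
    # since web pages often group or capitalise the digest.
    want=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # A SHA-1 digest is exactly 40 hex characters; reject truncated copies
    # instead of reporting them as a mismatch.
    case $want in
        *[!0-9a-f]*) echo "published digest is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || { echo "published digest is not 40 characters" >&2; return 2; }
    got=$(sha1_of "$file") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK $file"
    else
        echo "MISMATCH $file: computed $got, published $want" >&2
        return 1
    fi
}

# Usage: verify_sha1 download.dmg "<digest copied from the download page>"
```

Install the update only when the function returns 0; a return of 1 means the file differs from what was published and should be downloaded again.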
You want to disable Automatic Login. To do this, open the Accounts pane in System Preferences. Click on “Login Options.” Set “Automatic login” to “Off.” Set “Display login window as” to “Name and password.”
To disable Guest Account and Sharing, select the Guest Account and then disable it by unchecking “Allow Guest to log in to this computer.” Also, uncheck “Allow guests to connect to shared folders.”
To prevent users and guests from perusing other users’ home folders, run the following command for each home folder: sudo chmod go-rx /Users/username
Set a firmware password that will prevent unauthorized users from changing the boot device or making other changes. Apple provides detailed instructions for Leopard (which apply to Snow Leopard) here:
Open the Network pane in System Preferences. For every network interface listed:
The following services can be found in /System/Library/LaunchDaemons. Unless needed for the purpose shown in the second column, disable each service using the command below, which needs the full path specified: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.blued.plist
Other services can be found in /System/Library/LaunchAgents and can be disabled in exactly the same way as the items listed above.
Setuid programs run with the privileges of the file’s owner (which is often root), no matter which user executes them. Bugs in these programs can allow privilege escalation attacks.
To find setuid and setgid programs, use the commands:
After identifying setuid and setgid binaries, disable setuid and setgid bits (using chmod ug-s programname) on those that are not needed for system or mission operations. The following files should have their setuid or setgid bits disabled unless required. The programs can always have their setuid or setgid bits re-enabled later, if necessary.
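One way to carry out the find-review-disable procedure above is to audit against an allowlist of binaries that must keep their bits. This is an added example, not from the original post; the function names and the allowlist format (one absolute path per line) are assumptions, and the demonstration runs on a constructed temporary directory.

```shell
#!/bin/sh
# Added example (not from the original article): audit setuid/setgid files
# against an allowlist. The allowlist format, one absolute path per line,
# is an assumption of this example.

# list_special_bits DIR: print regular files under DIR that carry the
# setuid (4000) or setgid (2000) bit, without crossing filesystems.
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_special_bits DIR ALLOWLIST: print only the files not on the allowlist.
audit_special_bits() {
    list_special_bits "$1" | while IFS= read -r path; do
        grep -Fxq -- "$path" "$2" || printf '%s\n' "$path"
    done
}

# clear_unlisted DIR ALLOWLIST: run the article's "chmod ug-s" on each
# unlisted file and report what was changed.
clear_unlisted() {
    audit_special_bits "$1" "$2" | while IFS= read -r path; do
        chmod ug-s "$path" && printf 'cleared %s\n' "$path"
    done
}

# Demonstration on a constructed directory tree (no system files touched).
demo() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/needed" "$tmp/unneeded" "$tmp/plain"
    chmod 4755 "$tmp/needed"      # setuid, on the allowlist
    chmod 2755 "$tmp/unneeded"    # setgid, not on the allowlist
    printf '%s\n' "$tmp/needed" > "$tmp/allow.txt"
    audit_special_bits "$tmp" "$tmp/allow.txt"
    clear_unlisted "$tmp" "$tmp/allow.txt"
    rm -rf "$tmp"
}
demo
```

On a real system, run audit_special_bits with sudo against / and review its output before calling clear_unlisted; re-running the audit after system updates shows whether an update restored any bits.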
The Mac system includes two firewalls: the IPFW Packet-Filtering Firewall, and the new Application Firewall. The Application Firewall limits which programs are allowed to receive incoming connections. It is quite easy to configure the Application Firewall. Below, I mention how to configure Mac’s Application firewall. Configuring the IPFW Firewall requires more technical expertise and cannot be fully described here. It involves creating a file with manually written rules (traditionally, /etc/ipfw.conf), and also adding a plist file to /Library/LaunchDaemons to make the system read those rules at boot. These rules depend heavily on the network environment and the system’s role in it.
In only four steps you can easily configure the Application Firewall on a Mac.
1. Select System Preferences from the Apple Menu
2. From the System Preferences pane, select Security. Then click on the Firewall tab. Ignore the other tabs (General and FileVault).
3. On the Firewall tab, you may need to unlock the pane if it is locked. To unlock it, click on the small padlock in the lower-left corner and enter your administrator username and password.
4. Click Start to enable Mac’s Application Firewall. The green light beside Firewall Status and the ON notification confirm that the firewall is running.
You can further customize the firewall configuration by clicking on the Advanced button on the right side.
There are three Advanced options in the Firewall tab:
1. Block All Incoming Connections: Blocking all incoming connections will disable most of the sharing services like File Sharing, Screen Sharing and others. It will only allow basic internet service. Whether to keep it checked or unchecked is up to the user.
2. Automatically allow signed software to receive incoming connections: I prefer to keep this option unchecked. This will automatically add software signed by “any” valid authority to the allowed list of software rather than prompting the users to authorize them.
3. Enable stealth mode: I always keep this option checked. This prevents your Mac from responding to ping requests and port scans.
Safari will automatically open some files by default. This behavior could be leveraged to perform attacks. To disable, uncheck “Open safe files after downloading” in the General tab. Unless specifically required, Safari’s Java should be disabled to reduce the browser’s attack surface. On the Security tab, uncheck “Enable Java.” Also, private browsing in Safari is a great way to stop hackers from picking up bread crumbs and using them against you later.
The best way to disable Bluetooth hardware is to have an Apple-certified technician remove it. If this is not possible, disable it at the software level by removing the following files from /System/Library/Extensions:
The best way to disable AirPort is to have the AirPort card physically removed from the system. If this is not possible, disable it at the software level by removing the following file from /System/Library/Extensions: