Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How the NSA snoop-proofs its Macs

Rich Mogull | Sept. 9, 2013
It's the NSA's job to snoop on all of us, but it doesn't want to be snooped on itself. So it has guidelines for securing all the Macs in its service.

The NSA (the National Security Agency, or, as some people prefer, No Such Agency) has found itself in the spotlight lately, owing in large part to leaks from former contractor Edward Snowden. But although the agency has been in hot water because of who it has been spying on, snooping isn't the agency's only job. The NSA also plays an important role in helping the rest of the government secure its computers from outside attackers.

Back in 2010 the NSA published "Hardening Tips for Mac OS X 10.6 'Snow Leopard'" (PDF), a terse, two-page pamphlet recommending a series of security precautions. The agency hasn't updated that pamphlet for more recent versions of OS X—so I thought I'd do so in the agency's stead.

Practically speaking, these precautions would seriously degrade the Mac user experience for anyone who implemented all of them. So as I was updating the NSA's advice for OS X 10.8, I decided to add a little guidance as to how much pain some of these tips might cause you. I certainly don't use all of these tricks myself. But they are still good to know.

(I'll be referring to the pamphlet throughout, so you should download it before you go any further. Plus, one reminder: When changing some System Preferences items, you'll need to click the lock icon in the lower-left corner and enter an administrator password.)

Don't surf or read mail using an admin account
Email and websites are the primary ways attackers can compromise your Mac. If you check your mail or browse the Web while using an admin account, you're reducing the number of hoops intruders need to jump through to control your Mac fully. It's better to create a standard user account for day-to-day use, and log in as an admin only when absolutely necessary. Doing so is easy, and doesn't really degrade your user experience.

Use software update
The NSA explains how to update software both automatically and manually, but you should stick with the automatic method. Go to System Preferences > Software Update and check Automatically check for updates, Download newly available updates in the background, and Install system data files and security updates. (That last one updates OS X's malware blacklist, browser blacklist, and certain other files that protect you without changing your system.)

As of 10.8, updates now appear in the Mac App Store; you will see a Notification Center banner pop up when an update is available. You can no longer control the update schedule. (It's weekly.)

Account settings
These items are now located under System Preferences > Users & Groups.

Disable automatic login and user lists: Open the Login Options section (at the bottom of the user list) and set Automatic login to Off. Then set Display login window as to Name and password. This arrangement forces you to log in to your computer, and forces anyone doing so to know your username, not just select it from a list.


1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.