

Ask HN: How do you secure your OSX machines? - diziet

OSX security is an open question. What do you do to keep your development machines secure?

Recently at a large conference one of our OSX machines (10.7.5) experienced erratic behavior: mouse moving around as if a VNC was engaged. Upon turning off the wifi, the behavior stopped. All seemed normal until a bit later we had strange phone calls, weird ssh requests via mosh, other strange occurrences that made us paranoid to the level of changing all passwords / wiping the machine.

What security precautions do you take with your OSX machines -- and which ones are the best tradeoff in terms of hassle vs security? What tools do you use to check for intrusion/strange behavior on suspicious machines?
======
Samuel_Michon
The basic stuff really.

Keep your software up-to-date (older versions of OS X get less love from Apple
as far as fixing vulnerabilities goes).

Turn on OS X's FileVault and firewall, install LittleSnitch [1]. Turn on 'Ask
for password on wake'. Create a user account to work in, don't use your Admin
account for everything. Don't install Java Runtime, Adobe Flash Player, Adobe
Acrobat Reader, Microsoft Office, MSN/AIM Messenger, or Microsoft Windows
(Bootcamp, VM, or otherwise). Disable Flash plugin in Chrome. Only install
signed apps.

Run good AV on your incoming mail server. For testing on Windows, use a
separate box or host it remotely.

[1] <http://www.obdev.at/products/littlesnitch/index.html>
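
A way to spot-check four items from the checklist above (FileVault, firewall, password on wake, non-admin working account), added here as an example and not part of the original comment. It assumes an OS X release that ships `fdesetup` and stores the wake setting under `com.apple.screensaver askForPassword`; the function names and the sample values in the `else` branch are constructed for illustration.

```bash
#!/bin/bash
# Added example: each predicate takes the text printed by one macOS command.
# Assumed output formats:
#   fdesetup status                                    -> "FileVault is On."
#   socketfilterfw --getglobalstate                    -> "Firewall is enabled. (State = 1)"
#   defaults read com.apple.screensaver askForPassword -> "1"
#   id -Gn                                             -> space-separated group names

filevault_on()  { case "$1" in *"FileVault is On"*) return 0 ;; esac; return 1; }
firewall_on()   { case "$1" in *"Firewall is enabled"*) return 0 ;; esac; return 1; }
# An unset key yields empty output and is reported as FAIL.
wake_password() { [ "$1" = "1" ]; }
# Admin accounts on OS X are members of the "admin" group; match the whole word.
non_admin()     { case " $1 " in *" admin "*) return 1 ;; esac; return 0; }

# check <label> <predicate> <observed output>: prints one PASS/FAIL line.
check() {
  if "$2" "$3"; then echo "PASS  $1"; else echo "FAIL  $1"; fi
}

# audit <fdesetup output> <firewall output> <askForPassword value> <id -Gn output>
audit() {
  check "FileVault enabled"             filevault_on  "$1"
  check "Application firewall enabled"  firewall_on   "$2"
  check "Password required on wake"     wake_password "$3"
  check "Working account is not admin"  non_admin     "$4"
}

if [ "$(uname -s)" = "Darwin" ]; then
  # Live check of the current user on this Mac.
  audit "$(fdesetup status 2>/dev/null)" \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)" \
        "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" \
        "$(id -Gn)"
else
  # Constructed sample output, so the script also runs off a Mac.
  audit "FileVault is Off." "Firewall is enabled. (State = 1)" "0" "staff admin everyone"
fi
```
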

~~~
bigiain
"… or Microsoft Windows (Bootcamp, VM, or otherwise)"

I'm curious, do you think there are any attacks that can break out of those
virtualization environments and threaten the host MacOSX machine? I quite often
use "throwaway" Windows VM clones for IE testing - usually (but not
religiously) starting from scratch with a new fresh clone (but occasionally
leaving one running for maybe a few days at a time). I'm never _too_ worried
about hardening my Windows VMs, since I (at least intend to) throw them away
after using them. I never bother disabling Flash/Java/Acrobat in them either,
since I generally only visit sites I'm developing (and, as above, I throw them
away anyway).

~~~
46Bit
If that VM is isolated, you're fairly safe. Most people in practice run VMs on
a Mac with various Sharing options enabled where files can be dropped to/from
your Mac filesystem if the VM is breached. Given that a lot of people don't
run AV or firewalls on their VMs, they're a very easy target.

