The Right Tools for the Job
What Mac security software do you _really_ need?
Are Macs really more secure than PCs? The answer isn't simple.
Technically, Macs are not inherently more secure than Windows PCs. In some ways, they are even less so. Over the past five years, Microsoft has actually taken huge strides in making Windows more secure. Apple now lags Microsoft in implementing library randomization, data execution protection, and other advanced security features.
Around the time I was writing this, Apple released six major security updates for OS X, each of which fixed numerous vulnerabilities serious enough to enable a bad guy to take over your Mac.
But Windows machines are still at greater risk than Macs. They face an ongoing onslaught of attacks that dwarfs anything experienced by OS X.
That's because the days when bad guys wrote viruses and took down Web sites just for fun are long past. Now they do it for money. Since the vast majority of computers run Windows, it only makes sense for attackers to focus their efforts on that platform. Even if Windows is technically harder to exploit than OS X, it's still a more profitable use of a malicious hacker's time. (TK Then you need at least a sentence explaining why Mac apps exist, since you've just strongly implied that commercial programmers only write for Windows. TK)
In addition, there are fewer bad guy tools for Macs, and fewer attackers with OS X programming experience. Put all that together, and there are fewer attacks on Macs. 
Could that change? Absolutely. Most security experts agree that, as the Mac's popularity and market share increase, so will the risks.
Proactive Defense
-----
So what's the average Mac user to do? We've [told you before](http://www.macworld.com/article/60442/2007/10/lockup_main.html) about the [everyday practices](http://www.macworld.com/article/51426/2006/06/protectmac.html) that will protect you and your Mac from the threats that exist today as well as future attacks that may or may not occur.
Many of those tips depend on OS X's built-in security tools -- especially the firewall and programs like FileVault and Disk Utility that can help you encrypt your data.
With tools like those built into the OS, why do so many Mac software vendors -- including big names like Symantec and Intego -- bother to offer their own security programs? When are the tools built into OS X enough, and when (if ever) do you need extra help?
Those are the questions we hope to answer in the pages that follow. We looked at three categories of security software -- firewalls, antivirus applications, and privacy programs -- and for each of them asked: How serious are the dangers  these programs try to protect against? How good are OS X's built-in tools at addressing those dangers? And when, if ever, is a third-party security program really necessary?
At the same time, we urge you to go back to our previous security articles, and make sure you're following their advice, as well. And throughout the pages that follow, you'll find some new and updated advice for keeping your Mac safe now and into the future.
The bottom line is that the best defense is common sense. The more secure computers become, the more bad guys will rely on deceiving you rather than your computer. A little bit of skepticism mixed with a dash of paranoia goes further to protect you than any tool ever will. No computer is immune from attack. By educating yourself and taking basic -- often free -- precautions, you can continue to enjoy a safe computing experience, even if the world becomes a little riskier down the road.--Rich Mogull


Firewalls
=====
OS X has two firewalls built in. Why would you need another? 
by Rich Mogull and Chris Pepper
Simply put, firewalls are software or hardware that let you regulate the data traffic in and out of your computer or network. That means they can help keep bad guys from tapping into your system or network, while permitting network access to legitimate programs. OS X comes with not one, but two firewalls built in. But even those two are not always enough.

The Threat
-----
Sneaking up on your computer through its network connection is a much more effective way to gain access to it than, say, waiting for you to click on a virus-infected e-mail attachment. And it's certainly been used repeatedly through computing history, even against supposedly safe Macs. For example, a long-fixed bug called the "Ping of Death" let attackers crash many Macs just by sending them specially designed network traffic.
It may seem like the odds of your particular Mac being targeted for attack, out of all the millions of computers worldwide, are awfully long. But in fact there are computers out there that do nothing all day but probe Net-connected machines for vulnerabilities; it's certainly possible one will find yours. And don't forget that anytime you're on a network -- the local coffee shop's Wi-Fi system, for example -- you're exposed to anyone else on the same net.
The potential risks -- the loss of private data, the hijacking of your Mac's computing power by someone else -- are great enough, and the cost of prevention low enough, that implementing a good firewall on your Mac and on your local network is considered a no-brainer by most security experts.

OS X's Firewalls
-----
OS X has long included its own firewall. In Mac OS X versions through 10.4 Tiger, that underlying firewall was a Unix-based program called ipfw.
In security parlance, ipfw is a _packet-filtering_ firewall, meaning it monitors all traffic coming or going through the Mac's network interfaces, and checks each packet against a set of rules specifying whether it can pass through or should be blocked. Many corporations and other organizations rely on ipfw for their network security.
Packet-filtering firewalls classify network activity two main ways: by type, based on port numbers; and by origin and destination, based on IP addresses. For instance, a packet-filtering firewall enables you to configure your home computer to accept file sharing connections from the IP addresses of your network at work, but not other addresses on the Internet (where attacks might come from). To anyone trying to connect to your packet-filtered system from a blocked address, it looks like file sharing isn't running at all, while your machine remains fully accessible from work.
With Leopard, Apple took the firewall in a completely different direction, apparently to make it easier for Mac users to understand. Leopard relies on a new _socket filter_ firewall (also known as an _application firewall_). Rather than allowing and disallowing connections based on network ports and IP addresses, it allows and disallows them based on the application that wants to listen for network traffic.
Whenever a program makes such a request, the socket filter checks the program against a list of those that have been authorized to do so. If the program is on this "white list", the firewall allows the connection. If the program isn't on the list -- as in the case of new or upgraded software -- Mac OS X asks you whether to allow the program to accept incoming traffic.
You access the Leopard firewall in System Preferences: Security: Firewall by selecting "Set access for specific services and applications"; your allowed and blocked programs will appear in the box below. If you'd like to block _all_ nonessential traffic, you can select "Allow only essential services", but beware: Doing so breaks some applications. You'll still be able to browse the Web and use e-mail, but other inbound connections are blocked.
![Set access](25.10 Security 1.tiff "The Security preference pane lets you configure OS X's built-in socket filter firewall, which filters network traffic application by application.")
Unfortunately, application firewalls are less flexible than many would like. Applications that are allowed to listen for network connections will accept communications from anywhere on the Internet; they can't be told to distinguish trusted from untrusted Net addresses. The Leopard application firewall also only blocks _inbound_ connections; it won't prevent programs from making outbound connections. This has become a big problem in the Windows world: Spyware programs lodge themselves on hard drives and then attempt to "phone home" with sensitive private information.
Fortunately, OS X 10.5 Leopard still includes ipfw. By default, it's effectively disabled, and does not block any traffic, but you can configure it from the command line or using a third-party application such as [WaterRoof 2.0 or Noobproof 1.1](http://www.macworld.com/article/133929/2008/06/noobproof_waterroof.html) (both mmmm). And ipfw is compatible with Leopard's socket filter, so you can combine the two to block untrusted applications from listening, and simultaneously restrict inbound and outbound traffic by ports and IP addresses with the specificity of ipfw rules.
![Noobproof](25.10 Security 2.tiff "Using a third-party utility like Noobproof, you can configure OS X's built-in ipfw firewall from the comfort of a GUI, rather than the command-line.")
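The two decision styles described above, and what combining them buys you, as a small Python model. This is an added example, not part of the original article and not Apple's or ipfw's code; the addresses, rule numbers and the "File Sharing" application label are constructed, port 548 is the AFP file-sharing port, and evaluating the packet filter before the application check is a modelling assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    remote_ip: str          # address at the other end of the connection
    port: int               # service port being contacted
    direction: str = "in"   # "in" or "out"


@dataclass(frozen=True)
class Rule:
    number: int             # lower rule numbers are checked first
    action: str             # "allow" or "deny"
    remote: str             # CIDR network, or "any"
    port: Optional[int]     # None matches every port
    direction: str = "in"


def packet_filter(rules, pkt, default="allow"):
    """ipfw-style decision: the first matching rule wins.

    default="allow" models the article's statement that Leopard's ipfw
    blocks nothing until you configure it.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction != pkt.direction:
            continue
        if rule.port is not None and rule.port != pkt.port:
            continue
        if rule.remote != "any" and \
                ip_address(pkt.remote_ip) not in ip_network(rule.remote):
            continue
        return rule.action
    return default


def app_firewall(allowed_apps, app, pkt):
    """Socket-filter decision: keyed on the listening application only."""
    if pkt.direction == "out":
        return "allow"      # outbound connections are never examined
    # pkt.remote_ip is deliberately ignored: an allowed app hears everyone.
    return "allow" if app in allowed_apps else "ask"


def combined(rules, allowed_apps, app, pkt):
    """Both layers on: pass the packet filter first, then the app check."""
    if packet_filter(rules, pkt) == "deny":
        return "deny"
    return app_firewall(allowed_apps, app, pkt)


# Constructed sample data (documentation address ranges, not real hosts).
WORK_NET = "203.0.113.0/24"
AFP_PORT = 548
RULES = [
    Rule(1000, "allow", WORK_NET, AFP_PORT),   # file sharing from work
    Rule(1010, "deny", "any", AFP_PORT),       # ...and from nowhere else
]
ALLOWED_APPS = {"File Sharing"}                # hypothetical allow-list entry

from_work = Packet("203.0.113.25", AFP_PORT)
from_internet = Packet("198.51.100.7", AFP_PORT)
phone_home = Packet("198.51.100.7", 443, "out")

if __name__ == "__main__":
    cases = [
        ("file sharing, from work", "File Sharing", from_work),
        ("file sharing, from Internet", "File Sharing", from_internet),
        ("unknown app, outbound", "NewApp", phone_home),
    ]
    for label, app, pkt in cases:
        print(f"{label:30} app-only={app_firewall(ALLOWED_APPS, app, pkt):6}"
              f" combined={combined(RULES, ALLOWED_APPS, app, pkt)}")
```

With only the application firewall, the Internet host reaches file sharing; with the ipfw-style rules added, it is denied while the work network still gets through. The outbound connection passes both until an outbound packet rule is written for it.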

Third-Party Firewalls
-----
So why would you want to buy and install a third-party firewall, when OS X's seem to cover the bases pretty well? The first and best reasons are flexibility and better protection.
For example, you might want to block Internet connections to services on your Mac, but allow local users to connect. A tool like [NetBarrier X5](URL TK) (rating TK) lets you set different rules based on where connections are coming from. NetBarrier also includes privacy features to protect you when browsing the Web, and other advanced options such as application control, for more precise restrictions without resorting to the command line.  You can get similar firewall control from free tools such as WaterRoof, but they don't offer the other features.
![NetBarrier](25.10 Security 3.tiff "NetBarrier X5 gives you fine-grained control over what kinds of network traffic you'll allow, depending on where connections are coming from.")
Another limitation of Leopard's built-in socket filter: It can't change rules based on your location. For example, you might want to leave iTunes-sharing open at home, but want to shut it off when you take your laptop down to the local Internet cafe. Open Door Networks' [DoorStop X Firewall](http://www.macworld.com/article/50995/2006/05/doorstopx.html) (mmmm) lets you define locations and, with a quick click of your menu bar, set the firewall to use preset rules for where you are.  NetBarrier also allows you to create different rules for local network addresses versus those on the Internet -- a remarkably simple and useful distinction.
If you want fine-grained application control -- not only over which applications send and receive information from the Internet, but also to which Net addresses they can contact -- you can use [Little Snitch](http://www.macworld.com/article/133363/2008/05/littlesnitch2.html) (mmmmh); it's particularly effective against spyware.

The Final Word
-----
For most users, the firewalls built into OS X are enough. Many Mac firewall vendors seem to recognize this, because they're continually adding extra security features -- intrusion detection, anti-phishing, outbound application control, and smarter location awareness -- beyond the basic firewall, to make their products more enticing. In addition to enabling OS X's basic socket filter firewall from the Security preference pane (we recommend you set it to "Set access for specific services and applications"), be sure you're also setting strong passwords for file sharing and other services and keeping your system up to date with Apple's latest security patches. And if you want to add the extra protection of OS X's ipfw firewall, use the excellent and free NoobProof to configure it.
[[BIO]]
Rich Mogull is a contributor to [TidBITS](http://db.tidbits.com/) and runs [Securosis LLC](securosis.com), a security consulting practice. Chris Pepper is a systems administrator and writes about security issues.

[[SIDEBAR TIP]]
Stay Current with Software Update
Bad guys exploit software flaws to gain access to or control of your Mac. These flaws are called _vulnerabilities_ in the security business, and the Mac has them too. The key thing is the speed with which Apple responds with fixes for those vulnerabilities, and how quickly you install those fixes. Thus keeping your software up to date is the single most valuable thing you can do to protect your Mac. To make sure you stay current, go to Preferences: Software Update and make sure it's enabled. (By default, it is.) I recommend changing the setting so you check for updates every day, not just weekly, since sometimes exploits appear within hours of a patch release.
This will keep OS X and Apple applications up to date, but doesn't help with all the other programs you've installed and also need to keep current. For those, use a tool like [AppFresh](http://www.macosxhints.com/index.php?page=2&topic=pick) or [VersionTracker Pro](www.versiontracker.com/macosx) to check your installed software versions.--rm

Antivirus
=====
If there are no Mac viruses, who needs an antivirus program?
By Scott McNulty

In 1982, the Elk Cloner virus spread among Apple IIs by copying itself to the boot sectors of floppy disks. The fiftieth time an infected machine was booted, a poem would appear on the screen. Elk Cloner didn't do any actual damage, but it certainly perplexed many of those 1982 computer users, who had never experienced a computer virus before.
The point being, Apple computers are not somehow magically immune to viruses and other malware. But they've been remarkably free of such pests for most of their history. The question is, does that mean you can ignore antivirus software?

The Threat
-----
Twenty-four years after Elk Cloner, the first OS X virus -- Leap-A -- emerged. Leap-A looked, at first glance, like an image file, but it modified files on the victim's Mac and installed a process that would wait for iChat to open. Once iChat opened it would send infected files to all of the victim's iChat buddies. Luckily, it was poorly programmed and hardly a virus (some at the time argued that it should more properly be called a Trojan, because it couldn't propagate itself without user intervention). But many thought at the time that Leap-A signaled the end of OS X's bug-free idyll.
Still, a couple of years have now passed since Leap-A managed to infect a [grand total of 49 Macs](http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99&tabid=1), and the virus floodgates have yet to open. There have been a handful of proof-of-concept viruses since then, but almost none have been observed in the wild.
Renowned security expert Bruce Schneier says it's all because of the numbers. Given the Mac's relatively small market-share, there isn't a big enough return on investment for malware writers to write for the Mac. "If you're looking for the masses of naive users, Windows is where to go," said Schneier.
Adam O'Donnell, Director of Emerging Technologies at Cloudmark, agrees with the "security through obscurity" theory. He recently wrote an article entitled **When Malware Attacks (Anything but Windows)** for the IEEE Security & Privacy magazine, in which he applied game theory to the question of why Macs aren't being targeted by viruses, trojans, and malware. His conclusion: It won't be economically viable to produce Mac malware until the Mac's market-share hits 16%. (It's now 8.5%.) "There is no economic benefit investing the time in compromising a Mac when you can compromise 10 to 20 times more systems for the same level of effort by going after PCs," O'Donnell says.
So if Mac viruses aren't a real threat (yet), can you keep your guard down? Not entirely.
Intel Macs have changed the Mac security equation forever. Running Windows on an Intel-based Mac -- in either BootCamp or with virtualization software such as Parallels Desktop or VMware Fusion -- is the same as running it on a Dell. That means you're exposed to the same security risks and need to take the same precautions.
No matter what kind of Mac you use, you also need to remember that, while your Mac might not suffer any ill effects from an e-mail with a virus-laden attachment, you could unknowingly pass along those dangerous files to your Windows friends.
Finally, there are threats on the Web. Some malicious hackers have turned their talents to setting up phishing sites, where they hope to dupe you into handing over your credit card information, social security numbers and the like.

Antivirus Programs
-----
Given all this, you've already taken the first and best step to keep malware off your computer: You bought a Mac. (It's striking how many of the security folks interviewed for this article use Macs themselves.)
Historically, Macs have been configured to be nearly invisible on a network right out of the box. (That's changed a bit since the introduction of Bonjour.) But there are still things Apple could do to make the Mac safer, such as fully implementing Library Randomization (which makes it harder [[CHECK]] for attackers to know where system calls are stored in memory). Apple implemented it in Leopard, but  only partially.
Still, you can do more to keep your system -- and systems you're connected to over a network -- safe from malware.
The fact is, you don't need an antivirus program for your Mac, as long as you don't run Windows and you don't mind passing along virus-laden e-mail attachments to your Windows friends. (They should be running antivirus apps of their own, right?) Both Norton and Intego sell Mac antivirus programs -- [Norton AntiVirus 11 for Mac](http://www.macworld.com/article/134302/2008/07/nav11.html) and [VirusBarrier X5](http://www.macworld.com/article/134212/2008/07/virusbarrierx5.html), respectively.
But if you do run Windows on your Mac, you should install a Windows antivirus program on your virtual machine. Our confederates at PC World recommend Symantec's $70 [Norton Internet Security 2008](http://www.pcworld.com/article/139988/symantec_norton_internet_security_2008.html), the $80 [Kaspersky Internet Security 7.0](http://www.pcworld.com/article/139990/kaspersky_internet_security_70.html), [McAfee Internet Security Suite](http://www.pcworld.com/article/139994/mcafee_internet_security_suite.html) and [BitDefender Internet Security 2008](http://www.pcworld.com/article/139992/bitdefender_internet_security_2008.html), which costs $50. Those are all general purpose security suites, which will protect your Windows virtual machine against all sorts of threats.
Both [Norton](http://www.symantec.com/norton/macintosh/antivirus-dual-protection) and [Intego](http://www.intego.com/bdav/home.asp) offer dual-protection products for users who run both Windows and OS X on their Macs. These bundles give you both Windows and Mac antivirus apps. Norton's package costs $70 and includes Norton AntiVirus 11 for Mac and Norton AntiVirus 2008 for Windows, while Intego's package costs $80 and includes VirusBarrier X5 for the Mac and BitDefender Antivirus 2008 for Windows. Both of these packages cost far less than the cost of the two programs individually; you have to install the Mac and Windows applications separately on their respective operating systems.
If you're worried about passing along infected e-mails to friends, these bundles can also scan your inbox for malware attachments. If you'd rather not spend the cash, the free [ClamXav](http://www.clamxav.com/) will do so, too; it won't work on your Windows virtual machine, however, and it's slow and resource intensive.
![ClamXav](25.10 Security 4.tiff "ClamXav is a free way to scan Mac e-mail for Windows viruses, before you pass them along to your Windows-using friends or co-workers.")
As for keeping yourself safe from Web-based phishing schemes, your own common sense is probably the best guard. Don't give out personal information on a site unless you're 100 percent sure that site is legitimate. 
Some Web browsers -- notably Firefox and Opera -- notify you if you might be visiting a potentially dangerous site. Safari doesn't, which is why some e-commerce companies (including PayPal) recommend against using it. Studies have shown that most users ignore these warnings; they shouldn't.
Safari users can stay safer by using the password manager [1Password](http://www.macworld.com/article/59167-2/2007/07/gems_work.html) (mmmmh). It automatically fills in Web forms, but you can define profiles that customize how much information it'll give out and when. If you then accidentally visit a phishing site masquerading as a legit site (think eBay or PayPal) 1Password will likely catch the error and keep your info under wraps. It also compares the URLs you are visiting to known phishing sites listed in the database at PhishTank.com (a community-based phish-tracking site) and alerts you when you visit a suspicious one.
If you're willing to invest some money, [Norton Confidential for the Mac](http://www.symantec.com/norton/macintosh/confidential) (which costs $50) includes anti-phishing plugins for both Safari and Firefox. It compares URLs you visit against Symantec's own database of known phishing sites and will alert you if you attempt to visit one. Norton Confidential also protects against e-mail based phishing attempts.

The Final Word
-----
No matter what operating system you use, there will always be people out there trying to make a fast buck by exploiting known bugs, weaknesses, and users who are too lax with their info. My advice: Save the money you'd otherwise spend on Mac antivirus software and spend it instead on a good anti-phishing application; at the very least consider using a browser that offers built-in phishing protection. Your Mac's file system is probably safe from malicious hackers, but your identity may not be.

[[bio]]
Scott McNulty blogs for [The Unofficial Apple Weblog](www.tuaw.com), as well as his own personal Web site, [blankbaby](blankbaby.typepad.com).

[[SIDEBAR TIP]]
Pick E-mail Services with Antispam and Antivirus
E-mail is one of the bad guys' favorite tools; it's a perfect distribution mechanism for viruses and other malicious software. If you don't see the sense in installing antivirus software on your Mac (and for many users, that's the right decision), consider using an e-mail service, such as [Gmail](http://www.macworld.com/article/132644/2008/04/gmail.html), [MobileMe](REVIEW URL TK), or [Yahoo! Mail](http://www.macworld.com/article/132656/2008/04/yahoomail.html) (mmmh), that scans e-mail and blocks viruses and spam before they ever hit you.--rm

Privacy Protection
=====
Keep your personal information personal with OS X and third-party software
By Joe Kissell

At the very least, losing your wallet to a thief is a major inconvenience: You'll lose your cash, you'll have to cancel your credit cards and replace your driver's license, and you may lose some of your precious mementos. More seriously, the thief (who now knows where you live) could break into your home while you're away or steal your identity, using your personal information to make purchases, get loans, or cause you all sorts of other grief by pretending to be you.
All that and more could also happen if your Mac or the data on it falls into the wrong hands. Your address is there, of course. So, perhaps, are your credit card numbers and all your passwords, which can be as good as cash. Someone who's truly determined could use information they pilfer to pretend to be you -- breaking into your blog, sending inflammatory e-mail messages out under your name, and stealing business secrets, among many other things.
It's not just your Mac itself you need to worry about. If you use e-mail or instant messaging to send or receive confidential data, all of it's at risk as it travels to or from your computer over the Internet.
Privacy software addresses concerns like these by making sure any confidential information you keep on your computer or send across the Net can be seen only by you and the people you designate. In most cases, that means using some form of encryption.

The Threats
----------------------------
Threats to computer privacy -- and the software tools to address those threats -- fall into two broad categories: threats from physical loss and threats from electronic snooping.
**Physical Loss**  Computer theft is unfortunately quite common. Thieves are certainly interested in the computer itself, either for their own use or to sell. But anyone with a bit of curiosity and a few minutes could discover all kinds of useful things about you by examining your files -- especially if your keychain is unlocked or has an easily guessable password.
Laptops are more likely to be stolen than desktops, especially if they spend a lot of time outside your home or office. If your Mac is a desktop in a locked room of a house in the country with a big guard dog, it's certainly less likely to be stolen than a MacBook Air you carry with you all the time as you walk around a big city.
In addition to theft, laptops are often simply lost -- left on restaurant tables or at bus stops, forgotten at airport security checkpoints, or otherwise misplaced. Although an honest person might locate and return your lost computer, you might not be so lucky.
Even if your computer is right where it's supposed to be, other people can still get to your personal information. Family members, friends, coworkers: any of them could, in theory, snoop around on your hard disk. And if your Mac breaks down, any repair technician could potentially see your private data.
**Electronic Snooping** Bad guys don't need physical access to your Mac to do you wrong. They can snoop on your network traffic (unencrypted Wi-Fi connections are especially easy), looking for strings of characters that might be passwords, account numbers, and the like.
There's no way to state the exact likelihood of your network traffic being intercepted. But anecdotal evidence suggests it is quite common. Whenever you use an unsecured wireless network -- from an office, coffee-shop table, airport waiting area, or park bench -- someone _could_ be eavesdropping.
Snooping is harder on wired Internet connections, but it's still possible. In theory, anyone who can tap into the network at any point between you and the servers you visit (for example, an employee of an ISP, a government agent, or someone else with physical access to one of the many routers your data passes through) could pick out your passwords, account numbers, and other private data.
Whether you're talking about physical or electronic vulnerabilities, you do have the odds in your favor. Thieves, hackers, and spies have only so much time to do their work. They can't attack all the countless computer users out there. But even if the odds are one in a million that you'll be attacked in this way, you can make it virtually impossible by using encryption and other software to protect your privacy.

OS X's Privacy Tools
-------------------
Encryption software can ensure the privacy of data you're storing on your hard drive or sending to others, by making it essentially impossible for anyone else to read it. OS X itself has some built-in encryption tools that address part of the problem, and third-party software can help with the rest.
**Protecting Your Files** To protect yourself against people who have physical access to your Mac, you should consider encrypting at least some of the data on your hard disk. You can encrypt anything from a single file to the contents of an entire volume. Unless you're protecting state secrets, one of the many off-the-shelf encryption tools available for the Mac, combined with a good password, should be good enough to keep your data safe.
###FileVault
OS X's FileVault feature encrypts the entire contents of your user folder (/Users/_your-user-name_). To activate FileVault in Leopard, go to the Security pane of System Preferences and click on the FileVault tab. If you haven't already done so, click on Set Master Password and specify a password that can be used to unlock FileVault if you forget your regular login password. Make it a good one but one you'll remember, and be sure not to lose it. Then click Turn On FileVault. The process of encrypting your user folder takes time. Also, remember that, before you start, you'll need at least as much free space on your disk as your user folder currently occupies. Once FileVault is on, logging out will encrypt all your files, and logging in will decrypt them again.
![FileVault](25.10 Security 5.tiff "If you've encrypted your user folder with FileVault, then for some reason forget your regular login password, you can still get your data by providing the master password.")
While you're at it, you should consider encrypting your virtual memory (check Use Secure Virtual Memory on the General tab of the Security Preference Pane). Then, if someone were to examine the virtual memory files written to disk as you use your Mac, they wouldn't find any unencrypted copies of your data.
###Disk Utility
If encrypting your entire user folder with FileVault seems like overkill, you can instead store important files in an encrypted disk image created with Disk Utility.
To do so, open Disk Utility (in /Applications/Utilities). Choose File: New: Blank Disk Image. Enter a name for the disk image file and choose a location; also enter in Volume Name the name you want the mounted image to have. From the Volume Size pop-up menu, choose the _maximum_ size you want your disk image to have. Select Mac OS Extended from the Format pop-up menu. Choose 128-bit AES Encryption from the Encryption pop-up menu; leave Partitions set to Single Partition - Apple Partition Map; and choose Sparse Bundle Disk Image from the Image Format pop-up menu. Now click on Create. When prompted, enter and repeat a password and click on OK.
![Bundle Up](25.10 Security 6.tiff "When creating an encrypted disk image in Disk Utility, use these settings for best results (alter the name, location, and size to meet your needs).")
To use your new disk image, simply double-click the file. Enter your password when prompted, and the volume mounts in the Finder. You can then copy files to it and open them directly from the image. When you eject the image, log out, or shut down, the files will be inaccessible to anyone who doesn't have the password.

**Protecting Your Communications** To protect your e-mail, you can use one or more forms of encryption. Similarly, live chats using iChat or other instant messaging clients can be encrypted to protect them from interception. (For more advice on securely transferring files, see this month's Mobile Mac column, page TK.)
###Using SSL
The easiest place to start in ensuring secure communication is to make sure you use SSL (secure sockets layer). Virtually all modern e-mail services (including, naturally, MobileMe) offer SSL as an option for receiving mail (using IMAP, POP, or Exchange) and for sending mail (using SMTP). SSL encrypts e-mail as it travels between your computer and your e-mail provider (in either direction); messages will still be stored unencrypted on your mail server and the recipient's mail server.
In most cases you just need to turn on this option in your e-mail program -- but before doing so, confirm that your e-mail provider supports SSL, and find out whether it requires the use of a special mail server address or other configuration changes.
To activate SSL in Mail, choose Mail: Preferences, click on Accounts, and select your e-mail account in the list on the left. To use SSL for incoming mail, click on the Advanced tab and make sure the Use SSL checkbox is selected. To use SSL for outgoing mail, click on the Account Information tab and choose Edit Server List from the Outgoing Mail Server (SMTP) pop-up menu. Select the SMTP server associated with this account, click on the Advanced tab, and make sure the Use Secure Sockets Layer (SSL) checkbox is selected. Click on OK.
If you use another e-mail program, consult its documentation to learn how to turn on SSL. In the event that your e-mail provider doesn't support SSL, you can opt to encrypt your entire Internet connection instead; see "Virtual Private Networks" for details.
###Encrypting Apple Mail
SSL protects your messages during just part of their journey between sender and recipient. To make sure that no one but you and your correspondents can read your messages, even when they're sitting on a mail server, you need to encrypt their contents. Apple Mail has built-in encryption capabilities. (Again, see this month's Mobile Mac for more.) If you use another e-mail program, or if you want a simpler setup procedure, you can use third-party software (described just ahead) to encrypt e-mail.
###Encrypting Instant Messaging
Instant messaging (IM) sessions using iChat or another client are also vulnerable to snooping. If you use IM mainly for small talk, this risk might not bother you at all. But if you exchange business plans, passwords, or other confidential information using IM, you should consider encrypting your chats.
Some IM programs (such as Skype) encrypt chats automatically. iChat can encrypt chats if you're a MobileMe member. To set this up, open iChat and choose iChat: Preferences. Select your MobileMe account in the list on the left, click on Security, and make sure the message at the bottom of the window says "iChat encryption is enabled." If it says "iChat encryption is disabled," click on the Enable button to enable it.
![Private Chat](25.10 Security 7.tiff "MobileMe members can encrypt their iChats just by clicking a button; the setup looks like this when encryption is active.")

Third-Party Privacy Tools
-----
When it comes to encrypting your files or keeping your communications confidential as they traverse the Net, there are several third-party apps that can substantially supplement the tools built into OS X.

**Protecting Your Files** If neither FileVault nor an encrypted disk image suits your needs, you should consider a third-party encryption program instead.
Numerous Mac programs can encrypt individual files or folders (or create "vaults," sometimes in the form of proprietary disk images, for holding multiple files). Examples include [FileGuard X5](http://www.intego.com/fileguard/) ($40; TKTK mice), [Knox](http://www.knoxformac.com/) ($35), [PGP Desktop Home](http://www.pgp.com/products/desktop_home/) ($99), and [StuffIt Deluxe](http://www.smithmicro.com/default.tpl?group=product_full&sku=DLX12CD) ($80).
These programs typically offer greater flexibility and more features than either FileVault or Disk Utility. For example, StuffIt Deluxe not only encrypts but compresses your files. PGP Desktop Home (a new version of which should be available around the time this magazine hits newsstands; see macworld.com for our review when it does) can also encrypt e-mail and instant messaging. FileGuard can be set to securely overwrite the original versions of your files automatically when they're copied to an encrypted image.
If you want to encrypt an entire volume (other than your startup volume), consider the open-source [TrueCrypt](http://www.truecrypt.org/) (free; TKTK mice), which can also create _hidden_ encrypted volumes. Two products are available to encrypt an entire Mac startup volume: [Check Point Full Disk Encryption](http://www.checkpoint.com/products/datasecurity/pc/) ($120) and [PGP Whole Disk Encryption](http://www.pgp.com/products/wholediskencryption/osx.html) ($119?). Check Point Full Disk Encryption is geared toward corporate customers who buy in volume, while PGP Whole Disk Encryption is readily available to individual consumers.
**Protecting Your Communications** If you want to be absolutely certain that a message will get to its destination without being read by anyone else, but don't want to jump through the hoops that Apple Mail requires, look for a third-party option. Your best bet is software based on PGP (Pretty Good Privacy), a widely used, platform-neutral encryption system.
The commercial version of PGP, [PGP Desktop Home](http://www.pgp.com/products/desktop_home/) ($99), lets you sign and/or encrypt e-mail messages with just a few clicks; it also ensures that all your e-mail accounts use SSL. (Your correspondents must also be using some version of PGP.)
Alternatively, you might try the free, open-source [Mac GNU Privacy Guard](http://macgpg.sourceforge.net/) (or Mac GPG for short). Mac GPG lacks many of PGP Desktop Home's snazzier features. It also requires the installation of several different packages and a bit of effort to get it set up. (For example, to use it with Mail, you'll need a separate add-on called [GPGMail](http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html), the Leopard version of which is still in beta.) But it's compatible with PGP and makes a good, inexpensive way to get started with e-mail encryption.

The Last Word
--------------------
For most users, simple approaches (perhaps even using software built into OS X) are more than enough to protect your privacy. Secure your e-mail with SSL and your iChats with MobileMe encryption; create an encrypted disk image to hold sensitive files or opt for FileVault to encrypt all your personal documents. If you need more power or flexibility, try a third-party program, but be sure to download a demo version and give it a thorough tryout before committing to buying it. Even the most powerful encryption software does you no good if it turns out to be so cumbersome to use that you avoid it for your own convenience.
[bio]
__Joe Kissell__ is the senior editor of TidBITS and the author of [numerous e-books](www.takecontrolbooks.com) about OS X.

[sidebar 1]
Scrubbers
--------------------------------------
Every time you visit a Web page, your browser stores information about where you've been and what you've been doing. Unless you encrypt everything on your hard disk or in your user folder, this information is in plain view for anyone who knows where to look.
You don't have to be up to something unsavory to feel your browsing habits are no one else's business. For example, if you're using a shared or public computer, you probably don't want the next user to know that you were searching for information on a private medical condition or buying tickets for a surprise weekend getaway with your spouse.
One solution, if you use Safari, is to activate Private Browsing mode (Safari: Private Browsing), which prevents most of this data from being written to your disk in the first place. Most other browsers also let you turn off these features, though it may require changing several settings. If you can't or don't want to do that, though, you may need to look in numerous places for private data to erase after the fact.
A class of utilities I'll refer to as "scrubbers" automates this task for you, seeking out all the traces of your recent Web browsing history (and sometimes other Internet activities too) and deleting them -- in some cases, securely overwriting the data so that it can't be recovered later. These programs include [Cocktail](http://www.maintain.se/cocktail/) ($15); [Internet Cleanup](http://www.smithmicro.com/) ($30; 3.0 mice); [MacCleanse](http://www.koingosw.com/products/maccleanse.php) ($20); [MacScan](http://macscan.securemac.com/) ($30; 2.0 mice), which also checks for spyware; and [NetShred X](http://www.mireth.com/pub/nxme.html) ($25).
(TK NetBarrier X5 includes Washing Machine for this purpose. TK)
Be aware that both your browser's private browsing mode and some scrubbers can still overlook certain data. For example, an OS X component called Directory Services can cache some DNS information, revealing Web sites you've visited. To clear this, open Terminal (/Applications/Utilities) and type `dscacheutil -flushcache`, followed by Return.
Also, some browser plug-ins (such as the one used for displaying Flash content) can cache their own content, even if your browser itself is set not to save anything. To remove your Flash cache, drag the contents of the following two folders to the Trash: /Users/_your-user-name_/Library/Preferences/Macromedia/Flash Player/Shared Objects and /Users/_your-user-name_/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys.
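
If you would rather script these two cleanup steps than do them by hand, the following is an added example (not from any of the products mentioned here). The function names are made up for illustration; the two folder paths and the `dscacheutil -flushcache` command are the ones given above.

```shell
#!/bin/sh
# Added example: empty the two Flash Player cache folders named in the
# sidebar and flush the Directory Services DNS cache.
# All function names here are hypothetical.

# Print the two Flash cache folders under HOME_DIR, one per line.
flash_cache_dirs() {
    base="$1/Library/Preferences/Macromedia/Flash Player"
    printf '%s\n' "$base/Shared Objects" \
                  "$base/macromedia.com/support/flashplayer/sys"
}

# Print how many files are currently cached under HOME_DIR's Flash folders.
count_flash_cache() {
    flash_cache_dirs "$1" | while IFS= read -r dir; do
        if [ -d "$dir" ]; then
            find "$dir" -type f
        fi
    done | wc -l | tr -d ' '
}

# Delete the contents of both folders but keep the folders themselves,
# which is what dragging their contents to the Trash does.
scrub_flash_cache() {
    # Refuse an empty or missing home directory so nothing outside a
    # user folder is ever touched.
    [ -n "$1" ] && [ -d "$1" ] || { echo "no such home: $1" >&2; return 2; }
    flash_cache_dirs "$1" | while IFS= read -r dir; do
        if [ -d "$dir" ]; then
            find "$dir" -mindepth 1 -delete
        fi
    done
}

# Flush the DNS cache; dscacheutil exists only on OS X, so skip elsewhere.
flush_dns_cache() {
    if command -v dscacheutil >/dev/null 2>&1; then
        dscacheutil -flushcache
    else
        echo "dscacheutil not found; skipping DNS flush" >&2
    fi
}

# Typical use, after quitting your browser:
#   count_flash_cache "$HOME" && scrub_flash_cache "$HOME" && flush_dns_cache
```

Note that this removes the files without overwriting them, so it is equivalent to emptying the Trash normally, not to a secure erase.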
 
[[SIDEBAR TIP]]
Browse Safely
After e-mail, Web browsers are the most commonly attacked programs. Among the things you can do to make browsing safer:
--If you're using Safari, make sure you disable the Open Safe Files After Downloading option on the General preference pane.
--If you're using Firefox, try installing the NoScript plug-in. (Go to [addons.mozilla.org](addons.mozilla.org), search for and find the NoScript plug-in, then click Add to Firefox.) It prevents scripts from running without your permission, but you'll have to manually enable them for every site.--rm 

[[SIDEBAR TIP]]
Use Parental Controls
The one time I was ever infected by malware on Windows it was thanks to my niece browsing around for free online games. Even if you follow safe browsing habits, not everyone else using your computer will. Leopard's Parental Controls (in System Preferences) are a little-used but powerful tool to limit risky activity on your Mac.--rm
