Enhancing Security and Privacy in Mac OS X Tiger

by Ming Chow

  • To start really fresh, secure erase (or "shred") your hard drive. To do this, pop in the Mac OS X Tiger DVD, run the installer, and your machine will reboot. Then, run the Disk Utility before you install Mac OS X Tiger. In Disk Utility, go to the "Erase" tab. Click on the "Options" button, and you will be presented with three erase options: standard (simple, not necessarily secure), 7-pass (very secure), and 35-pass (uber-secure). The 7-pass secure erase took approximately 4 hours on (my) 30 GB hard drive. The 35-pass secure erase took approximately 18 hours on my 30 GB hard drive. Yes, I used both options (don't ask)! Be sure to have plans or something to do during the time while the hard drive is being erased. After the hard drive has been wiped clean, perform install of Mac OS X Tiger.

  • Turn on firewall via Sharing control panel. No, it is not automatically turned on after a fresh install!

  • If not necessary, turn off file sharing.

  • Turn on FileVault to encrypt your home directory.

  • Whenever you use Safari, enable "Privacy Browsing" via the Safari menu. Your history, downloads, searches will not be saved. The problem is, you have to enable this each time you open Safari.

  • Disable AutoFill in Safari --period.

  • For the terminal users, enable "Secure Keyboard Entry" via File menu.

  • For the administrators and the paranoid, enable firewall logging, block UDP traffic, and enable stealth mode via "Advanced" options after you enable firewall.

Anything I missed?


2005-05-06 00:35:23
Missed... Secure VM
Turn on 'Secure Virtual Memory' in the Security pane of System Preferences.

This turns on encrypted swap, one thing to take note of is that any old swap files may persist for a while and if you want to be really paranoid you might want to boot into single user mode, mount / rw and use srm to erase /var/vm/swapfile*

2005-05-06 14:55:19
Explain Autofill?
I was hoping you could explain more about why I should turn off Autofill in Safari? It's such a handy feature...
2005-05-09 05:09:14
OpenFirmware Security Mode
You should enable a OpenFirmware security mode. It prevents this kind of attack.
2005-05-14 11:30:27
download and setup with Common Criteria Tools
Personal cookbook is not enough, you would want an international standard that is used for a lot of other vedors as well.

Common Criteria.

Available from Apple: Apple's Common Criteria Tools

George Chacko
2006-05-19 10:07:07
Filevault doesn't work for UFS volumes.