Dear Lifehacker, I read that passwords in Mac OS X Lion can be easily hacked. Is this a big issue or has it been blown out of proportion? Is there anything I should be doing to protect myself?
Sincerely, Paranoid About Passwords
As security blog Defence in Depth noted, the problem is that OS X Lion allows user passwords to be changed without first requiring authentication. That means someone could use your computer, jump into the Terminal, and change your password without the need to enter the original password first. While many sources are reporting that physical access to your machine is required for this to happen, Defence in Depth suggests a scenario where this problem could exist remotely:
A user with administrative rights is browsing the internet with Safari. The user happens to browse to a website hosting a malicious Java Applet. Unbeknownst to the user, they allow the innocent-looking Java Applet to run. The Applet will proceed to make a connection back to the attacker, providing the attacker with full shell access. Whilst the attacker has access to the system, they are provided only with limited user privileges (they still do not have root access). This would limit what an attacker could accomplish. However, with the vulnerabilities described above the attacker now has an advantage: they can change the password of the current user.
Basically, the severity of this risk depends on your level of active paranoia. If you’re letting people who you don’t really know use your machine, leave your machine unattended, or accept every Java applet you see, then, yes, you probably have some reason for concern. If you’re diligently watching for the right things, however, you shouldn’t have to worry too much. This isn’t like getting a virus, so much as it’s like getting mugged by someone who knows who you are. (After all, the attacker would need to know your username to make use of this exploit.) You can make choices and probably avoid harm in most cases, but sometimes you’re just going to get screwed. Presumably you’re not into getting screwed by an anonymous hacker on the internet (if you are, no judgment), so let’s take a look at the ways you can protect yourself.
Lock Lion Down
- Turn Off Automatic Login – Open System Preferences, and click on the Users & Groups section. Click the lock to authenticate, click Login Options, and set the Automatic Login drop-down menu to Off.
- Disable Guest Accounts – Still in the Users & Groups section, click on the Guest User. You’ll see a check box (that is likely checked) that says “Allow guests to log in to this computer.” Uncheck that. You can uncheck “Allow guests to connect to shared folders” as well, but that’s not really the issue we’re dealing with here.
- Enable Sleep and Screensaver Passwords – Also in System Preferences, go to the Security & Privacy section. Click the General tab, then check “Require password _______ after sleep or screensaver begins.” You can set that blank to immediately, or whatever delay you prefer.
- Lock Down System Preferences – Still in the Security & Privacy section, check the box next to “Require an administrator password to access system preferences with lock icons.”
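If you manage more than one Mac, or just want to confirm the clicks above actually took, the same settings can be read back from the Terminal. The script below is an added example, not part of the original article: it audits the first three items (automatic login, guest account, sleep/screensaver password) by reading the preference keys the Lion panes write. The key names (`autoLoginUser` and `GuestEnabled` in `/Library/Preferences/com.apple.loginwindow`, `askForPassword` and `askForPasswordDelay` in `com.apple.screensaver`) and the five-second grace-period threshold are this example's assumptions; confirm them on your own build before relying on the result. The fourth item (the admin-password lock on System Preferences) lives in the authorization database rather than in a plist, so it is not covered here.

```shell
#!/bin/sh
# Audit the "Lock Lion Down" settings from the Terminal.
# Added example, not from the article; preference keys are assumptions
# about what the OS X 10.7 System Preferences panes write.

# Each check_* function takes the raw value(s) a `defaults read` returns
# (empty when the key is absent), prints PASS/FAIL, and returns 0/1, so the
# checks can be exercised without a Mac.

check_autologin() {
    # autoLoginUser is only written when Automatic Login is turned on.
    if [ -z "$1" ]; then
        echo "PASS automatic login is off"
        return 0
    fi
    echo "FAIL automatic login is on for user '$1'"
    return 1
}

check_guest() {
    # GuestEnabled is a boolean; 0 or absent means the guest account is off.
    case "$1" in
        ""|0) echo "PASS guest account disabled"; return 0 ;;
        *)    echo "FAIL guest account enabled (GuestEnabled=$1)"; return 1 ;;
    esac
}

check_screensaver() {
    # $1 = askForPassword (1 = require), $2 = askForPasswordDelay in seconds.
    if [ "$1" != "1" ]; then
        echo "FAIL no password required after sleep/screensaver"
        return 1
    fi
    delay=${2%%.*}          # drop any fractional part before comparing
    delay=${delay:-0}       # absent key means "immediately"
    # Policy assumption: anything beyond the 5-second option leaves the
    # unlocked session exposed for too long.
    if [ "$delay" -le 5 ] 2>/dev/null; then
        echo "PASS password required after ${delay}s"
        return 0
    fi
    echo "FAIL password required only after ${delay}s"
    return 1
}

# read_default DOMAIN KEY -> value, or empty if the key does not exist
# (`defaults read` exits nonzero and complains on stderr in that case).
read_default() {
    defaults read "$1" "$2" 2>/dev/null || true
}

audit_lion() {
    rc=0
    lw=/Library/Preferences/com.apple.loginwindow
    check_autologin "$(read_default "$lw" autoLoginUser)" || rc=1
    check_guest "$(read_default "$lw" GuestEnabled)" || rc=1
    check_screensaver "$(read_default com.apple.screensaver askForPassword)" \
                      "$(read_default com.apple.screensaver askForPasswordDelay)" || rc=1
    return $rc
}

# Run the live audit only where `defaults` exists, i.e. on a Mac.
if command -v defaults >/dev/null 2>&1; then
    audit_lion
fi
```

Run it as the user whose screensaver settings you care about, since `com.apple.screensaver` is a per-user domain; the loginwindow keys are system-wide. A non-zero exit from `audit_lion` means at least one of the three settings is still in its default, unlocked state.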
Use Parental Controls to Disable Access to Risky Applications
- Go into System Preferences and choose Parental Controls.
- Choose your user account (and, later, any other admin accounts).
- In the Apps tab, you’ll see a section called Allowed Apps. In the list, find Terminal and X11. Disable both of them by unchecking the box next to their name.
Obviously this isn’t ideal because you’re limiting your own access as well, but for your less-technical friends and family it might not be a bad option. In general, this authentication exploit isn’t something to be hugely concerned about but it never hurts to take a few extra security measures to help protect yourself.