Password Protect Folders & Files in Mac OS X with Encrypted Disk Images

Jan 11, 2012 - 8 Comments

You can password protect files and folders in Mac OS X by using a trick with disk images. Here’s how it works: files placed inside an encrypted disk image are protected like a password-protected folder, because the image requires a password before it can be mounted, preventing unauthorized access to all of the contents.

How to Password Protect Files & Folders in Mac OS X with Disk Images

Do this along with general password protection for maximum effect.

  • Launch “Disk Utility” located in /Applications/Utilities
  • Click on the “New Image” button at the top of the app
  • Name the disk image and set a file size that is appropriate for what you intend to store in there
  • Click on the contextual menu alongside “Encryption” and choose either 128 or 256-bit encryption (256 is stronger)
  • Click “Create”
  • At the next screen you will set a password to access the folder – do not lose this password, you will not be able to open the disk image if you do
  • Optional: Uncheck the box next to “Remember password in keychain”. Leave it checked only if you’re the only user on the Mac, otherwise anyone can open the image without the password
  • Click “OK” to create the disk image

The encrypted disk image is now created. Locate the image and mount it, which requires the password set during creation, then drag the files and folders you want password protected into the mounted image. The default location for new disk images is the Desktop, but if you saved it elsewhere, look there instead.

Once you are finished copying files and folders to the mounted disk image, eject it like any other disk and the contents will be safely protected within, requiring the password to access again. Because the files and folders have been copied, you’ll want to delete the originals so they aren’t visible to anyone else. Again, do not lose the password set or you will not be able to get access to the contents of the encrypted disk image.

This should not be considered a replacement for setting a general password for a Mac, and it’s always a good idea to lock down the screen when you’re away from the computer. FileVault also provides encryption and security features, but older versions have some potential speed drawbacks that are particularly noticeable on non-SSD drives. This is mostly a non-issue for OS X Lion, however.

How to Enable the Root User Account in Mac OS X Lion

Jan 9, 2012 - 8 Comments

The root user is a special user account with high level system-wide access privileges intended for system administration, monitoring, and in depth troubleshooting purposes. By default, root user is disabled in Mac OS X for security purposes, but if you need to enable superuser, this guide will show you how to do so in OS X 10.7 Lion.

If you do not have a specific need to enable root, you should leave it disabled.

Enable Root User in OS X Lion

This process also sets a password for the root account.

  • From the Mac OS X Desktop, hit Command+Shift+G to bring up Go To Folder and enter the following path: /System/Library/CoreServices/
  • Inside the CoreServices folder, locate and launch “Directory Utility”
  • Unlock “Directory Utility” by clicking the padlock icon and entering the administrator password
  • Pull down the “Edit” menu and select “Enable Root User”
  • Enter and confirm a password to set the root user’s password and to enable the account

Be sure to set a strong password for the root account. If you’re bad at picking passwords or you just want the security advantages of randomness, generate one randomly from the command line.

With root now enabled, the account can be used freely. It will not appear in the Users & Groups preference pane.

The root account can access, read, and write to all files on a system, even if they belong to someone else. Additionally, root can also remove or replace system files. This is why it’s a potential security risk to leave the account enabled aimlessly, or to use a weak password with the account.

The Directory Utility control panel can also be used to change an existing root password through the Edit menu, or the change can be made from the command line using sudo passwd, similar to changing the root password on iOS devices.

Password Protect Zip Files in Mac OS X

Jan 7, 2012 - 16 Comments

Creating a password protected zip file is easy in Mac OS X and does not require any add-ons or downloads. Instead, use the zip utility that is bundled with all Macs.

If you’re familiar with the command line, the syntax of the encrypted zip command is as follows:
zip -e [archive] [file]

If you’re not sure how to use that, read on to learn how to create zip archives encrypted with passwords. These encrypted zip files will maintain password protection across platforms, meaning you can send a protected zip file to a Windows user and they will still need to enter the password in order to view the contents.

Set a Zip Password in Mac OS X

You can create password protected archives of files and folders:

  1. Launch the Terminal from the Applications > Utilities folder
  2. Type the following command:
     zip -e archivename.zip filetoprotect.txt
  3. Enter and verify the password – don’t forget this

The resulting archive, in this case named “archivename.zip”, is now encrypted with the password provided. The copy of “filetoprotect.txt” stored inside the archive is now inaccessible without entering that password.

Example: Zipping a Folder and Setting a Password
Here is an example of what this will look like from the command line. In this case we are compressing and password protecting the entire ‘Confidential’ folder located within the user’s /Documents directory, and the password protected zip is being placed on the user’s desktop for easy access. The -r flag makes zip recurse into the folder so that its contents are included, not just the empty directory entry:
$ zip -er ~/Desktop/encrypted.zip ~/Documents/Confidential/
Enter password:
Verify password:
adding: ~/Documents/Confidential/ (deflated 13%)

Notice that the password will not display as you type it; this is normal behavior for the Terminal.

Opening the Password Protected Zip

Despite being created at the command line, the file does not need to be unzipped from the terminal; it can be expanded from the Mac OS X Finder or within Windows using standard unzipping apps. Just double click on the file, enter the password, and it will decompress. You can also decompress the zip archive from the command line with:
unzip filename.zip

Here are some use cases for password protected zip archives:

  • Password protecting an individual file or directory
  • Sending a sensitive and encrypted file over an unencrypted network
  • Emailing confidential data to a Windows user
  • Adding an additional layer of security to a hidden folder
  • Password protecting your own backups, outside of Time Machine

While this can provide some protection on a per-file or folder basis, it’s always a good idea to password protect the Mac in general with a login requirement on system boot, wake from sleep, and waking from the screen saver.

Disable Carrier IQ on iPhone, iPad, & iPod touch

Dec 1, 2011 - 3 Comments

If you’ve been following the Carrier IQ brouhaha and ensuing fallout, you might be interested to know that it’s very easy to disable the Carrier IQ service, logging, and reporting on iPhone or any other iOS device:

  • Tap on “Settings”
  • Go to “General” and tap on “About”
  • Tap on “Diagnostics and Usage”
  • Tap on “Don’t Send”

If this was already disabled for battery saving purposes or whatever other reason, you should have nothing to worry about. If not, then this should prevent Carrier IQ from sending any data over to Apple.

For some background here, Carrier IQ is network diagnostic software that some cellular carriers have been installing on smartphones and tablets. Going beyond just gathering network diagnostics, Carrier IQ was found on some Android phones to be gathering personal and private information, including phone call logs, text message content, and even encrypted web searches, or, put simply, it’s a substantial invasion of personal privacy. Later, renowned iOS hacker chpwn found references to Carrier IQ in some versions of iOS, but it isn’t nearly as nefarious as what was discovered on Android, doesn’t track nearly as much personal information, and thankfully, it’s much easier to disable.

Keep in mind that Apple also told WSJ’s AllThingsD that they stopped supporting the feature in iOS 5 for most of their products, saying the following:

“We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”

We should expect an update to iOS in the near future to address this on any remaining devices.

Secure Keyboard Entry Brings More Security to the Terminal in Mac OS X

Dec 1, 2011 - 2 Comments

If you are using a public Mac or are just concerned about things like keyloggers and other potentially unauthorized access to your keystrokes, you can enable a feature in the Mac OS X Terminal app that secures keyboard entry and input into the terminal. According to Apple, this feature “prevents other applications on your computer or the network from detecting and recording what is typed into Terminal”, making it a good additional security measure when such precautions are needed. Enabling it is extremely easy:

  • Pull down the “Terminal” menu and select “Secure Keyboard Entry”

Using a personal Mac likely makes this an unnecessary precaution since the risk is very low, but it’s a helpful tip if you’re using another untrusted computer or in a situation where you’d be concerned about another application capturing keystrokes.

Be warned that enabling “Secure Keyboard Entry” will interfere with most password managers and anything else that attempts to automatically type and interact with the Terminal for you.

Monitor Network Connections in Mac OS X for Free with Private Eye

Oct 28, 2011 - 6 Comments

Private Eye is a free real-time network monitor app for Mac OS X 10.7+ that is extremely easy to use. Launching the app, you’ll start to see all open network connections, and you can then filter connections by app, monitor all open connections, or watch only incoming or outgoing transfer.

Connections are reported by application, the time of the connection, and arguably the most useful, the IP address that is being connected to by the app. If you have any interest in networking, security, or you just want to keep an eye on what apps are connecting to the internet and to where, you should download this app.

This is a simple yet powerful tool without the complexity or the learning curves related to compiling and using the command line tools lsof, watch, open_ports, or wireshark. Highly recommended.

Bypass the iPad 2′s Passcode & Lock Screen with a Magnet or Smart Cover

Oct 20, 2011 - 5 Comments

Well here’s a security flaw in iOS 5 that will quickly get patched: anyone with a magnet (or a Smart Cover) can bypass the iPad 2′s locked passcode screen and access whatever app was previously left open. The passcode bypass was discovered by 9to5mac, who recorded a video demonstrating the security breach.

From a locked iPad 2:

  • Hold down the power button until the slider appears across the top
  • Close the iPad 2′s Smart Cover or swing a magnet over the magnetic points around the screen rim, then remove the Smart cover or magnet
  • Click “Cancel” at the bottom of the lock screen

You’re now at the iOS 5 springboard, but the biggest security threat is when users have left an app open with sensitive data, since the lockscreen is bypassed directly to it. This could mean

Protection Against the iPad 2 Lock Screen Bypass:
For the time being, iPad 2 users are encouraged to disable the “Smart Cover unlocking” feature found in Settings > General.

Quick Fix to Prevent dscl Unauthorized Password Changes in OS X Lion

Sep 21, 2011 - 11 Comments

We recently wrote about the dscl utility and how it allows a Mac OS X Lion user to change a password without knowing the existing password. The lack of required admin authentication has since been widely reported as a bug, and a small Security Update will likely be issued by Apple sometime in the near future. Nonetheless, if you’re paranoid about someone getting ahold of your Mac and changing the user password without authorization, you can manually change the permissions of the dscl utility yourself, forcing it to require administrative privileges in order to be run.

  • Launch Terminal (located at /Applications/Utilities/)
  • Type the following command and hit return:
    sudo chmod 100 /usr/bin/dscl
  • You will be asked for the current administrative password to confirm the permissions change, enter it and hit return

This is a simple permissions fix that likely mimics what an official security update will do. Using sudo chmod 100 states that only the owner (root) is able to execute the dscl command, which effectively prevents other non-admin users from accessing the directory services utility without using the sudo command, and thus the administrator password.

There may be some unintended consequences of changing those permissions, but it’s unlikely to affect most users. If you do encounter some problems you can always change the permissions back, which look to be set as 755 by default.

A big thanks to “Tjb” who left this tip in the comments!

Update: Jim T left the following recommendation in the comments, suggesting another chmod command to change the permissions:

Instead, do this:

sudo chmod go-x /usr/bin/dscl

That will -only- remove the execute permission on group and other, leaving the other permissions (read & write, and root’s full permissions) completely as was before the change. To reverse, do:

sudo chmod go+x /usr/bin/dscl

Only touch the stuff you need to touch!

His reasoning is that chmod 100 is too restrictive in that it changes the command to execute only, whereas before the root user could read, write, and execute.
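
The difference between the two commands can be seen safely on a scratch file. This is an added example, not code from the original post or from the commenter: it starts a temporary file at 755 (the default the article reports for dscl), applies each chmod form, and prints the resulting mode. The function names are hypothetical and /usr/bin/dscl itself is never touched.

```shell
#!/bin/sh
# Added example: compare `chmod 100` with `chmod go-x` on a scratch file.
# Function names are illustrative; /usr/bin/dscl itself is never modified.

# Print the 10-character mode string of a file, e.g. -rwxr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Start a scratch file at 755 (the default the article reports for dscl),
# apply each chmod spec given as an argument in order, print the final mode.
mode_after() {
    scratch=$(mktemp) || return 1
    chmod 755 "$scratch"
    for spec in "$@"; do
        chmod "$spec" "$scratch"
    done
    mode_of "$scratch"
    rm -f "$scratch"
}

# Succeed only if neither group nor other holds an execute bit in the
# given mode string (x = execute, s/t = execute plus setgid/sticky).
nonowner_exec_removed() {
    case "$(printf %s "$1" | cut -c7,10)" in
        *[xst]*) return 1 ;;
        *)       return 0 ;;
    esac
}

for spec in 100 go-x; do
    result=$(mode_after "$spec")
    if nonowner_exec_removed "$result"; then
        verdict="group/other cannot execute"
    else
        verdict="group/other can still execute"
    fi
    printf 'chmod %-5s on 755 -> %s  (%s)\n' "$spec" "$result" "$verdict"
done
printf 'go-x then go+x      -> %s  (original mode restored)\n' "$(mode_after go-x go+x)"
```

Both forms take execute away from group and other; only go-x leaves the remaining read and write bits as they were, and go+x puts the file back at 755.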

How Are Jailbreaks Found and How Do They Work? iOS Kernel Exploitation Presentation Gives the Technical Details

Sep 14, 2011 - 7 Comments

Renowned jailbreaker i0n1c, aka Stefan Esser, has put together a rather extensive presentation titled “iOS Kernel Exploitation” that explains exactly how jailbreaks work, ranging from how the exploits are found, how new code is injected into the iOS devices, how untethers work, and so much more. It was presented live at last month’s Black Hat security conference, but now the slides are freely available on the web for all to see.

The 97 slide presentation includes the following main topics and dives into very specific details:

  • Introduction
  • Kernel Debugging
  • Kernel Exploitation
  • Stack Buffer Overflows
  • Heap Buffer Overflows
  • Kernel patches from Jailbreaks

This is a fairly technical read with plenty of code samples, making it an extremely interesting look into the world of jailbreaking and iOS security. It’s pretty much a must read for anyone interested in security, development, iOS, Mac OS X, or just jailbreaking in general.

FileVault 2 Benchmarks Show Full Disk Encryption is Faster Than Ever in OS X Lion

Aug 10, 2011 - 6 Comments

FileVault 2 is the all new disk encryption method that comes with Lion, and it’s more secure than ever, using XTS-AES 128 encryption on your entire disk, as opposed to just the user directory as in past versions. The other huge change that came with FileVault 2 is the significant performance boost, where using full disk encryption barely makes a dent on system performance.

Just how fast is FileVault 2? See for yourself with these benchmark charts on a variety of SSD and traditional hard drive configurations.