Mac security question

Hey all, I am a very security-minded person and have this question. The most critical function that malware needs to accomplish is to make itself automatically start up every time you boot. This is the act of "infecting" your computer. Because if it stops running and just sits on your hard drive like a bump on a log after you reboot, then it is a pretty lame bit of malware.

In Windows, at least up to XP (I don't know much about Vista/7) a very easy and convenient way for malware to accomplish this task is by creating a registry entry to start it up at reboot. The registry is a great place for this, because it is soooo frickin' huge and difficult to understand that it is easy for a virus to hide an entry in there. The way to circumvent this in Windows is to run only with a non-administrative account, which takes away privileges to write into the registry.

Now, on to the Mac part of my question. As far as I can tell, there are at least two ways to make a program automatically start at boot. You can right click on the program on your dock, and select "start at login" or something like that. Another way is to go to your system preferences and select the programs to restart at boot.

My question is this: is there a system file somewhere that reflects these actions, which take place graphically? And can you prevent this file from being modified? My thinking is that there has to be a file somewhere, and if a virus wanted to infect your Mac, all it needs to do is modify this file. I would like to inspect these file(s) and make sure there's nothing that is auto-starting that shouldn't be there.

I also have a related question. Are only programs from your Applications folder allowed to auto-start? This would be a good security measure, because you need admin privilege to put a program in the Applications folder.

And as a side note: there is one thing that Mac does wrong, following Microsoft Windows' bad example. After you install the OS, the default account has administrative privilege! Most people probably don't know/don't care enough to create a non-admin account for daily use, therefore making themselves vulnerable just like the Windows users who run in admin mode. It is because of this that I believe Macs are just as vulnerable as Windows machines, and Macs are just not targeted because virus writers are too lazy to go after the last 10% of existing computers. I am trying to close this hole on my own machines by running only in non-admin mode, but I would like to understand the auto-start mechanism to confirm that I am safe.

cubicle slave wrote:

> Hey all, I am a very security-minded person and have this question. The most critical function that malware needs to accomplish is to make itself automatically start up every time you boot. This is the act of "infecting" your computer. Because if it stops running and just sits on your hard drive like a bump on a log after you reboot, then it is a pretty lame bit of malware. In Windows, at least up to XP (I don't know much about Vista/7) a very easy and convenient way for malware to accomplish this task is by creating a registry entry to start it up at reboot. The registry is a great place for this, because it is soooo frickin' huge and difficult to understand that it is easy for a virus to hide an entry in there. The way to circumvent this in Windows is to run only with a non-administrative account, which takes away privileges to write into the registry.

Not really. Windows has such a lax security model that malware can easily get the privileges it needs to install and run - even if you can't.

> Now, on to the Mac part of my question. As far as I can tell, there are at least two ways to make a program automatically start at boot. You can right click on the program on your dock, and select "start at login" or something like that. Another way is to go to your system preferences and select the programs to restart at boot.

There are a number of ways to start programs at boot. Except for user account login items, these methods are not accessible from System Preferences. You need to know your way around the Terminal to find them.

> My question is this: is there a system file somewhere that reflects these actions, which take place graphically?

They are:
~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/StartupItems
/System/Library/LaunchAgents
/System/Library/LaunchDaemons
/System/Library/StartupItems
I don't know of any graphical interface to them.

> And can you prevent this file from being modified?

Only the root user can modify most of those directories. You can modify your own ~/Library/LaunchAgents and System Preferences > Accounts > your account > Login Items. Of course, any time you give your admin password to some installer program, you are giving that installer program root privileges.

> My thinking is that there has to be a file somewhere, and if a virus wanted to infect your Mac, all it needs to do is modify this file. I would like to inspect these file(s) and make sure there's nothing that is auto-starting that shouldn't be there.

That is true, but there are no Mac viruses that can do that. There are a couple of Trojan Horses that ask for your admin password and will do malicious things in those directories if you give them your admin password. Also, those directories are pretty obscure. You have to be pretty savvy with software to be able to tell who installed what.

> I also have a related question. Are only programs from your Applications folder allowed to auto-start?

No. Any program can be run at startup. Most startup programs are not in the Applications folder.

> And as a side note: there is one thing that Mac does wrong, following Microsoft Windows' bad example. After you install the OS, the default account has administrative privilege! Most people probably don't know/don't care enough to create a non-admin account for daily use, therefore making themselves vulnerable just like the Windows users who run in admin mode.

This is true.

> It is because of this that I believe Macs are just as vulnerable as Windows machines, and Macs are just not targeted because virus writers are too lazy to go after the last 10% of existing computers.

It is more complicated than that. There are trojans on both platforms that will ask for your admin password so they can do nasty things. The difference is that a well-written Windows virus doesn't need to ask for your admin password. Those viruses have more privileges than even the admin user does. The Mac has a tighter security model and no virus has yet found a way around it. There are plenty of people trying, but they just want bragging rights. It isn't really laziness per se. It isn't a good return on investment. Macs are so much more difficult to crack that true virus writers usually don't bother, only people who want publicity.

> I am trying to close this hole on my own machines by running only in non-admin mode, but I would like to understand the auto-start mechanism to confirm that I am safe.

You are already in the top 10% of safe users on the top 10% of safe computers. You're fine.
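
An added example, not part of the original posts: a Python script that walks the auto-start directories listed in the reply above and reports what each launchd job plist would run, so the entries can be reviewed by hand. The `describe_job` and `audit` names and the three review flags (plist writable by group or others, no program defined, program missing on disk) are assumptions of this example, not an official rule set.

```python
import os
import plistlib
import stat
from pathlib import Path

# Auto-start locations named in the reply above.
AUTOSTART_DIRS = [
    "~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons",
    "/Library/StartupItems", "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons", "/System/Library/StartupItems",
]

def describe_job(plist_path):
    """Summarise one launchd job plist and note reasons to look closer."""
    path = Path(plist_path)
    info = {"path": str(path), "label": None, "program": None,
            "run_at_load": False, "flags": []}
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # reads both XML and binary plists
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:  # corrupt or unreadable files are findings too
        info["flags"].append(f"unparseable: {exc.__class__.__name__}")
        return info
    args = job.get("ProgramArguments") or []
    info["label"] = job.get("Label")
    info["program"] = job.get("Program") or (args[0] if args else None)
    info["run_at_load"] = bool(job.get("RunAtLoad", False))
    # Review heuristics chosen for this example (assumptions, not Apple rules).
    if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        info["flags"].append("plist writable by group or others")
    if info["program"] is None:
        info["flags"].append("no Program or ProgramArguments")
    elif not os.path.exists(info["program"]):
        info["flags"].append("program missing on disk")
    return info

def audit(dirs=AUTOSTART_DIRS):
    """Return one record per entry found in the auto-start directories."""
    findings = []
    for d in dirs:
        root = Path(d).expanduser()
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            if entry.suffix == ".plist":
                findings.append(describe_job(entry))
            else:  # e.g. StartupItems bundles, which are folders, not plists
                findings.append({"path": str(entry), "label": None,
                                 "program": None, "run_at_load": False,
                                 "flags": ["not a launchd plist, inspect by hand"]})
    return findings

if __name__ == "__main__":
    for item in audit():
        status = "; ".join(item["flags"]) or "ok"
        print(f'{item["path"]}\n    label={item["label"]} program={item["program"]} '
              f'run_at_load={item["run_at_load"]} [{status}]')
```

Login items set under System Preferences > Accounts are stored separately and are not covered by this script.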

Similar Messages

  • Some reason my apps cannot download in my mac security question problem

    Security question of Apple ID problem. I tried my Apple ID method also but it didn't work.


  • Mac security question and opinions

    Hi,
    My Mac is plugged directly into my cable modem. I am wondering about security.
    Firstly, I have two accounts for me and my wife; my account can "administer the computer" and my wife's cannot. Both accounts currently have blank passwords, I know that may sound like a red flag right there, but it's just easier to switch back and forth that way.
    I discovered there's a firewall on the System Preferences > Sharing > Firewall tab. I clicked "start firewall", but I'm wondering what that's going to do for me. Apple's docs say that makes me invisible to the world.
    So the quick question, with "firewall started" am I pretty much protected against threats coming from the internet? I prefer to leave the accounts with blank passwords, am I being stupid? I just don't feel like it's a problem, especially if the firewall works as advertised.
    Any info or opinions are greatly appreciated!
    slegge
    20" intel iMac   Mac OS X (10.4.9)   2 gig Ram, x1600 128Meg video

    I strongly recommend that you use a password for each login account but primarily for your admin account which will also be required when installing any software that uses an installer and/or for something being installed to the root directory of the hard drive such as a virus would likely require. If you are ever prompted for your admin password out of the blue to install anything without purposely trying to install anything, you should always decline which not having an admin password negates.
    Many single users of a Mac have an admin account (obviously and required) but create a login account without admin privileges for everyday use as added security.
    Besides turning on the built-in Firewall, do not enable any services/ports that you don't need or regularly use and select all options via the Advanced button under the Firewall tab.

  • Authorisation of an old account on a new mac, Password not working, no longer have access to that email address, and security question not working. But I do have my mac authorised! ...is there anyway to copy or get authorisation info off it???

    Please help me!!!!
    I have got a new Mac. I am trying to share my iTunes on it as well as my old Mac. I have had two iTunes accounts in my life: one is current now (this account), one I have not had access to the email for years. Since I have bought music off both accounts, I wish to play it all on both my Macs. My old Mac has both accounts authorised fine and all is good.
    On my new Mac, I have this account running fine, but keep getting prompted for the password for my old account. I have no idea what my old password is, I have not had access to that email address for 5 years, and for some strange reason the security question isn't working either.
    Since I do still have one Mac where it is authorised, is there any file I can copy across or any way to get the password out of OS X 10.6.8 for my old account?
    Secondly, is there any way to roll both accounts into just my current one?
    Many Thanks in advance for your help.
    Steve

    I too am having this same problem but I have not seen ANY solutions for it. Looks like Apple is ignoring it!!!!!!!!?

  • HT204053 Mistakenly I changed my Apple ID when I left Italy for UK. when I want to update application for my mac and iPad, they ask me for the old ID password which I have forgotten At the same time I have forgotten the answers to the security questions e

    After having created an Apple ID with Italian iTunes I moved to the UK and I mistakenly created a new Apple ID. However, when I want to update the applications on my iPad and Mac computer I am asked for the old password, which I have forgotten. I have also forgotten the answers to the security questions. I made a mistake also with the email I gave and so I can't verify a new password that I want to create. How can you help me?

    Normally you need to call Apple Care for the country where the ID is located. You have changed countries and complicated it by making a new ID. I don't know what to suggest beyond calling Apple Care for Italy and asking them to help you recover the old ID.

  • I have no clue as to what my security question answers are and since this is my first purchase from my mac book it is asking for these. What do i do?

    I have no clue as to what my security question answers are and since this is my first purchase from my mac book it is asking for these. What do i do?

    You won't be able to change your rescue email address until you can answer 2 of your questions, you will need to contact iTunes Support / Apple to get the questions reset.
    Contacting Apple about account security : http://support.apple.com/kb/HT5699
    When they've been reset you can then use the steps half-way down this page to update your rescue email address for potential future use : http://support.apple.com/kb/HT5312

  • Why won't my mac pro let me reset my security questions?

    why won't my mac pro let me reset my security questions?

    Solution may be found if you search in the "More Like This" section over in the right column. 

  • What happens if you set up you mac email 17 years ago and forgot the answers to your security questions?

    I started my mac email account 17 years ago and I can't remember my security question answers so I can change my password. What can I do?

    You need to ask Apple to reset your security questions; ways of doing so include clicking here and picking a method for your country, and filling out and submitting this form.
    (96139)

  • I do not remember my security questions and the recovery email hasnt been logged onto in years. i can't buy anything for my mac for college without answering the security questions

    I do not remember my security questions and the recovery email hasn't been logged onto in years. I can't buy anything for my Mac for college without answering the security questions, which I can't recover.

    You can set up a rescue email: http://support.apple.com/kb/HT5312
    All else failing, you can reestablish a new account as a last resort:
    https://iforgot.apple.com/appleid?language=US-EN&returnURL=https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa&app_id=93&app_type=ext

  • HT5312 This advice above is useless, as I don't get an option to send an email to my rescue address (it is verified) to reset security questions. Any suggestions fellow mac users?

    This advice given above to reset security questions is useless, as I don't get the option to send an email to my rescue address (which is verified) to reset my security questions.
    Any suggestions fellow mac users?

    You are sure that you have a rescue email address, and not an alternate email address? They are different addresses and settings.
    If you don't have a rescue email address then see if the instructions on this user tip help: https://discussions.apple.com/docs/DOC-4551

  • Good morning, I need to do a recovery of my ios  X on my Mac but the Apple ID I have linked to my Mac is an old one and I have locked it up trying to remember the security questions

    Good morning, I need to do a recovery of my ios  X on my Mac but the Apple ID I have linked to my Mac is an old one and I have locked it up trying to remember the security questions

    You need to ask Apple to reset your security questions; this can be done by phoning AppleCare and asking for the Account Security team, or clicking here and picking a method, or if your country isn't listed in either article, filling out and submitting this form.
    They wouldn't be security questions if they could be bypassed without Apple verifying your identity.
    (107161)

  • I am trying to download Os x Mountain Lion on my mac,  but I can't remember my security questions. I looked up how to reset them but the "reset" button for when you go to answer them is not there. What do I do?

    Someone please help me!

    Forgotten security questions - https://discussions.apple.com/message/18402551
    More involved forgotten question issues - https://discussions.apple.com/thread/3961813
    Frequently asked questions about Apple ID - http://support.apple.com/kb/HE37

  • HT204266 i need to reset my apple id security questions so i can use the apple app store on my mac

    there is no button to reset it on my apple id anymore apple is REALLY REALLY STARTING TO **** ME OFF

    See Kappy's previous write-up.
    Some Solutions for Resetting Forgotten Security Questions: Apple Support Communities

  • HT2204 I don't remember the answers to the security question to authorize my new laptop to use iTunes. How to sort this problem?

    iTunes requires me to answer a couple of security questions to authorize me to use it on my new MacBook Pro, but I don't remember the answers to them. How can I sort out this problem?
    Thank you for helping...
    Danila63

     Account Security Team (AST) 
    Check the AppleCare number for your country here:
    http://support.apple.com/kb/HE57
    Call them up, and let them know you would like to be transferred to the Account Security Team.

  • To download an App the 3 security questions are required. But at the end, apple is not able to complete the task and gives an error message. No more downloads are possible. What can I do?

    to download an App the 3 security questions are required. But at the end, apple is not able to complete the task and gives an error message. No more downloads are possible. What can I do?

    Very Important, how much Free Space is on your Hard Drive first of all? Click on the Macintosh HD on the Desktop, then do a Get Info on it.
    Could be many things, we should start with this...
    "Try Disk Utility
    1. Insert the Mac OS X Install disc, then restart the computer while holding the C key.
    2. When your computer finishes starting up from the disc, choose Disk Utility from the Installer menu at top of the screen. (In Mac OS X 10.4 or later, you must select your language first.)
    *Important: Do not click Continue in the first screen of the Installer. If you do, you must restart from the disc again to access Disk Utility.*
    3. Click the First Aid tab.
    4. Select your Mac OS X volume.
    5. Click Repair Disk, (not Repair Permissions). Disk Utility checks and repairs the disk."
    http://docs.info.apple.com/article.html?artnum=106214
    Then try a Safe Boot, (holding Shift key down at bootup), run Disk Utility in Applications>Utilities, then highlight your drive, click on Repair Permissions, reboot when it completes.
    (Safe boot may stay on the gray radian for a long time, let it go, it's trying to repair the Hard Drive.)
    If perchance you can't find your install Disc, at least try it from the Safe Boot part onward.
    Do they launch OK while in Safe Mode?
