Mac and iOS Keychain Tutorial: How Apple’s iCloud Keychain Works

You need passwords to log into websites and services, and it’s hard to remember them. Since it’s a bad idea to use the same password for each different website — because if one site is compromised, hackers will have an email address and password that they can try on other sites — you need to ensure that your passwords are different, and hard to crack. (A recent episode of the Intego Mac Podcast talks about password strategies.)

Your Macs and iOS devices have a “keychain,” which is an encrypted file that stores your passwords and some other information. This file syncs via iCloud, so you can use the same passwords on all your devices. Here’s how Apple’s iCloud keychain works.

Read the rest of the article on The Mac Security Blog.

Serious macOS Bug Allows Anyone to Get Full Access to Your Mac

A serious vulnerability in macOS High Sierra was disclosed yesterday. It allows anyone with physical access to your Mac to log in as the “root” user, without entering a password. The root user is the super-user, the one that can do anything on your Mac. Root has more power than an administrator, and can view all the files of all users.

For some reason, macOS High Sierra seems to have a root account set up with an empty password; so you just log in with “root” as user name and leave the password field blank. You may need to try this several times, but lots of people have tested and shown that it works in most cases. The exception is if you have FileVault enabled, since that requires a different password to unlock a disk. However, if your disk is already unlocked, then the root vulnerability can be exploited. (Note that this doesn’t affect older versions of macOS.)

As Adam Engst wrote on TidBITS, “The reason this shouldn’t work is that the root user isn’t supposed to be enabled.” By default, this account is not set up; or shouldn’t be. Adam’s article explains how you can protect yourself from this vulnerability; you simply have to enable the root account and add a password.

This vulnerability only affects your Mac if someone has physical access, or if they can connect via Screen Sharing (which you would need to activate in the Sharing pane of System Preferences).

One note about the way this was disclosed. A developer shared this on Twitter, effectively making it a zero-day vulnerability that people now have to defend against. Instead of reporting it to Apple, he chose to go public, which, for this type of bug, is harmful. Since he is a developer, he could certainly have figured out how to report it responsibly (it’s not hard to find Apple’s Contact Apple About Security Issues page and the address). The developer might have been frustrated by Apple’s impractical bug reporter, but that’s no excuse. You simply don’t go public with vulnerabilities this serious.

12 Ways to Open Files on a Mac

You open files every time you work on your Mac, most often, probably, by double-clicking them. But did you know that there are lots of different ways to open files? You can use your mouse, your trackpad, or even your keyboard. You can open files in windows, from menus, and from dialogs. Here are a dozen ways you can open files on a Mac.

Read the rest of the article on The Mac Security Blog.

How to Lock Your Mac Screen and Protect It from Prying Eyes

Whether you’re at home or at work, you might not want other people snooping on your Mac when you step away. Leaving your Mac unlocked and unattended allows others nearby to read your emails, text messages, browser history, and all your files. You may be researching gifts for your family, or you may be working on a project in your office that is for your eyes only. In any of these cases, when you step away from your Mac — whether for a meeting or to go make a cup of coffee — it’s a good idea to lock your Mac screen.

You don’t need to shut down your Mac, you don’t even need to log out. There are several ways you can quickly lock your screen and protect your Mac from prying eyes, so no one can access your data without entering your password. It only takes a second, and a keypress or a swipe of your mouse, so it’s worth learning how to do this.

Read the rest of the article on The Mac Security Blog.

How to Use Time Machine Server in macOS High Sierra

Some Mac users have long run Mac OS X Server on a computer in their household to use as a file sharing repository, and to centralize backups of other Macs. The Server software had a Time Machine server feature, which allowed you to designate a folder that other Macs could select to store Time Machine backups. This is especially useful if you have laptops that you don’t often connect to hard drives to back up; Time Machine can do this automatically, in the background, even at night.

With macOS High Sierra, this feature is built into the operating system, and you no longer need to install and manage Server to use it. Here’s how.

Choose a folder on your Mac for backups. Go to System Preferences > Sharing, then check File Sharing to activate it. In the Shared Folders section, click the + button, then choose the folder you want to use for your backups.

Right-click that folder in the Shared Folders list and choose Advanced Options. Check Share as a Time Machine backup destination.

(Screenshot: Time Machine server)

On the Mac you want to back up, mount the shared folder, then open the Time Machine pane of System Preferences. Click Select Disk, and choose that folder. That computer will shortly begin backing up to that remote folder. Note that you can limit how much storage will be used for backups in this dialog; if you don’t, I assume that all available space will be used, which could be a problem.

With a laptop, macOS makes local snapshots every hour, so if you’re not connected to your network, it won’t back these up, but will do so some time after you’ve rejoined the network (when the next Time Machine backup runs).

Thanks to this new feature in macOS High Sierra, many people who set up a Mac using Server can now eschew this additional layer of software. This makes things a bit easier for those who don’t need the advanced features of a server.