How to Disable Apple’s Two-Step Verification and Enable Two-Factor Authentication

I signed up for the extra level of security Apple offered called Two-Step Verification. With iOS 9 and OS X El Capitan, Apple started offering Two-Factor Authentication. If you want to read about the differences, I’ve listed the two Apple support articles about the offerings. The main difference between the two is that Two-Step Verification delivered its verification codes by the less secure method of SMS (or via Find My iPhone) and depended on a printed Recovery Key, while the newer Two-Factor Authentication uses functionality built into iOS 9 and above to show the code directly on your trusted devices.

Two-step verification: https://support.apple.com/en-us/HT204152

Two-factor authentication: https://support.apple.com/en-us/HT204915

My goal  was to enable my Apple Watch to automatically unlock my Mac running macOS Sierra, which requires Two-Factor Authentication, so we’ll go through those steps as well.


How to Turn On Automatic Updates for OS X and Apps

One of the best ways to protect yourself on your Mac is to download and install patches as Apple and app developers release them. Rather than doing it yourself, here’s how to have it happen automatically in the background. You might want to turn this feature off when you are on a metered or limited data connection and turn it back on when you get home, as an operating system update can use a lot of data.


How to Install and Configure ClamXav Anti-Virus for Mac

ClamXav can be downloaded directly or through the Mac App Store. The Mac App Store version does not contain the Sentry tool that continuously watches the folders you choose and scans anything that changes in them, so this tutorial is for the download version, which you can get at http://www.clamxav.com/.

Note:  ClamXav used to be free but as of June 2015 is a commercial product. I think it’s well worth the $30 and by paying for it I’m helping to ensure the development of the product continues.

After installation, log out of your Mac and back in.


The LastPass Breach – Don’t Panic!

When I do Security Lite with Allison as part of our Chit Chat Across the Pond segment I often tell people that there is no need to set your hair on fire. This is one of those times. Before I explain what happened and why it’s not a catastrophe, I want to start with a simple list of what LastPass users should do now:

  1. Change your master password
  2. When setting your new password, make sure that your password hint is as cryptic as possible

It should not be possible to determine your password from your hint!

So, what happened?

The short version is that attackers were found to have accessed LastPass’s user authentication database, and that gave them email addresses, password reminder hints, and very well protected hashes of master passwords (not the passwords themselves). It’s important to note that people’s encrypted password vaults were not in the breached database.

So, what of value did the attackers actually get?

Almost nothing!

The reason is that LastPass did a great job designing their architecture, so people’s data is very safe, even when attackers gain access to such a sensitive-sounding database. The reason people like Steve Gibson recommend LastPass is that their design is robust. The system was designed to keep your data protected, even if the LastPass servers were breached. Given that sooner or later every system gets hacked, that was very much the right thing to do.

Let’s dig into the specifics. LastPass never store your actual master password; instead, they store a one-way hash of it, a value derived from the password that cannot be turned back into the password (more on how they do that later). When you need to prove you are who you say you are, the password you submit is run through the same one-way hashing, and the result is compared to the hash on file. Since LastPass don’t actually have your password, they can’t lose it!

The only thing the attackers can do with the protected passwords they have is guess what the password is, run the guess through the same hashing process, and then check whether the hash of their guess matches what was in the database they stole.

To make this as hard as possible, LastPass got two very important things right.

Firstly, every single LastPass user’s password is hashed together with a different random value known as a salt. This means that the password ‘open123’ hashes to a different value for every user, so attackers have to redo all their work for each user; there is no precomputed table or shared guess that works across accounts. Passwords protected in this way are referred to as salted and hashed.

Secondly, they did not just store the plain salted hashes, they ran them through a process designed to be computationally hard. A legitimate user doesn’t need their password validated often, so it’s not a problem that it takes a lot of CPU power each time. Attackers have to test trillions and trillions of password guesses, so the extra computational complexity really adds up for them.

This kind of deliberate slowing down is known as key stretching, and it is done with a password based key derivation function. LastPass run the salted hashes of users’ passwords through 100,000 iterations of the key derivation function PBKDF2. This is ten times more than the currently accepted best-practice of 10,000 iterations of PBKDF2.

Basically – LastPass were not just doing things by the book, they were doing things even better than that!

What this means is that even weak passwords will stand up to a lot more of an attack than you might expect.

Finally, once you change your password, the data the attackers have becomes useless, so the stretched, salted, hashed passwords only have to stand up to attack for the short time window between the breach happening and users resetting their passwords. So, if you are a LastPass user, go reset your password NOW as a precautionary measure.
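To make the salting and stretching concrete, here is an added example in Python. It is my own illustration and not LastPass’s code: it stores a password the way the post describes, with a random per-user salt and 100,000 iterations of PBKDF2, verifies a login attempt, and then plays the attacker who has stolen the table and must re-run the whole derivation for every guess against every user. The user names, the wordlist and the 16-byte salt length are made up for the demonstration.

```python
"""Salted, iterated password hashing with PBKDF2-HMAC-SHA256, and the work an
attacker has to do with a stolen hash table.  Added example; not LastPass code."""
import hashlib
import hmac
import os
from typing import Any, Dict, List, Optional, Tuple

ITERATIONS = 100_000   # the iteration count the post attributes to LastPass
SALT_BYTES = 16        # assumption for this example: 16 random salt bytes per user


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Dict[str, Any]:
    """Build the record a server stores: salt, iteration count and derived key.
    The password itself is never kept, and the derivation cannot be reversed."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)     # fresh random salt for every user
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": key}


def verify_password(candidate: str, record: Dict[str, Any]) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the hash."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                              record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["hash"])


def offline_guess(records: Dict[str, Dict[str, Any]],
                  wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Play the attacker holding the stolen table: try every guess against every
    user.  Because each user has a different salt, no work is shared between
    users and every guess costs a full PBKDF2 run.
    Returns (cracked users, number of PBKDF2 runs spent)."""
    cracked: Dict[str, str] = {}
    runs = 0
    for user, record in records.items():
        for guess in wordlist:
            runs += 1
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked, runs


def demo() -> Tuple[Dict[str, str], int, bool]:
    """Two users with the same weak password get different hashes; a short
    wordlist cracks them but not the user with a strong passphrase.
    Returns (cracked, PBKDF2 runs spent, whether alice's and bob's hashes match)."""
    table = {                                    # constructed sample users
        "alice": hash_password("open123"),
        "bob":   hash_password("open123"),
        "carol": hash_password("correct horse battery staple"),
    }
    same_hash = table["alice"]["hash"] == table["bob"]["hash"]
    cracked, runs = offline_guess(table, ["password", "123456", "open123", "letmein"])
    return cracked, runs, same_hash


if __name__ == "__main__":
    cracked, runs, same_hash = demo()
    print("alice and bob share a hash:", same_hash)   # False, thanks to the salt
    print("cracked:", cracked, "after", runs, "PBKDF2 runs")
```

Every one of those PBKDF2 runs costs the attacker the same 100,000 iterations a legitimate login costs the server once, which is the whole point: the weak passwords still fall, but only after the attacker has paid for each user separately, and a password changed before that work finishes is never recovered at all.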

Let’s talk about password hints

I do want to draw your attention to one subtle detail – the attackers got users’ password hints. We have seen from past breaches that some users do very silly things with password hints – there is the infamous example from the Adobe breach where some clown used the password hint ‘rhymes with assword’. The only people who need to panic here are those with dumb password hints. Given that a hint is shown whenever you can’t remember your password, those accounts were ALWAYS in danger, and they have been made even more vulnerable by the breach.

Bottom Line

To me the biggest take-away from this is that LastPass have been tested, and they have not been found wanting – their good design has paid off, and protected their users. Secondary to that, this breach serves as a reminder to be very careful when setting password hints on anything – if you make the hint too obvious, you have effectively published your password!

For more details, see this excellent Naked Security article: https://nakedsecurity.sophos.com/2015/06/16/bad-news-lastpass-breached-good-news-you-should-be-ok/

How to Export LastPass Vault and Import to 1Password

These quick steps will walk you through how to export your LastPass vault to a Comma Separated Value (CSV) file which can then be imported into other tools such as 1Password (or even Excel).  The script and instructions that come with it are for both Windows and Mac, but I will only be showing you how to do this on a Mac.

The steps will be:

  1. Create a secure disk image where we can safely download your passwords
  2. Export your passwords from LastPass to the secure disk image as a text file
  3. Run a script to convert your data into a form 1Password can read (Mac or Windows). The script assumes you’re running 1Password Version 4.
  4. Import your newly formatted password file into 1Password

 


How to Update OpenVPN for Heartbleed OpenSSL Vulnerability

After the Heartbleed OpenSSL vulnerability was exposed, Donald Burr of otakunopodcast wrote up instructions on how to verify the version of OpenSSL we’re running, and how to update it. Here are his instructions:

If you run the command:

port deps openvpn

it will show you which other MacPorts ports openvpn depends on. If openssl is *not* in that list, then that means MacPorts used the Apple-included version of openssl when building openvpn, and so you’re fine.

If, however, openssl *is* in that list, we now need to check what version of openssl was used. Run the command:

port installed openssl

This command will list out what version of openssl is installed.

If it is version 0.9.8, or version 1.0.0, then you are fine. If, on the other hand, it is version 1.0.1a through 1.0.1f, then you are using the vulnerable version of openssl and you must upgrade. This vulnerability was fixed in openssl version 1.0.1g, so if that version (or a later version) is installed then you are also fine.

If you need to upgrade openssl, then follow these steps. First thing you need to do is update the MacPorts ports tree by running the command:

sudo port selfupdate

You may see an error about MacPorts base, you can ignore that. After this is done, we need to check what port upgrades are available. Run this command:

port outdated

and look for a line similar to this:

openssl 1.0.1f < 1.0.1g

This indicates that an upgrade to openssl is available. (In fact I understand that the MacPorts team have released an upgrade to the non-vulnerable version of openssl.)

Finally, to upgrade the openssl port itself, run:

sudo port upgrade openssl

Now you can rerun the command:

port installed openssl

And you should see the new version of openssl with the word (active) next to it, and the old version as well. You should uninstall the old version via the command below (assuming your old version is @1.0.1e_1).

sudo port uninstall openssl @1.0.1e_1

At this point you will probably want to re-generate all of your VPN certificates and keys. Just follow Allison’s clearly written ScreenSteps tutorial 🙂

https://www.podfeet.com/blog/tutorials-5/how-to-set-up-a-vpn-server-using-a-mac-2/

Start at the step “SECTION 6 – Donald’s Nifty Scripts of Doom”
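The version test in Donald’s instructions above (0.9.8 and 1.0.0 fine, 1.0.1a through 1.0.1f vulnerable, 1.0.1g and later fixed) is easy to misread when several openssl ports are installed at once, so here is an added example in Python, my own and not part of Donald’s instructions, that parses the output of port installed openssl and reports whether the active port is vulnerable. The sample output inside it is constructed in the shape MacPorts prints; the example also treats the un-lettered 1.0.1 release as vulnerable, which the instructions above do not mention, and the script name in the usage comment is arbitrary.

```python
"""Parse `port installed openssl` output and decide whether the active OpenSSL
port is in the Heartbleed range (1.0.1 through 1.0.1f).  Added example, not from
the original instructions."""
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample in the shape MacPorts prints: one line per installed
# version, with the one in use marked "(active)".
SAMPLE_OUTPUT = """\
The following ports are currently installed:
  openssl @1.0.1e_1
  openssl @1.0.1g_0 (active)
"""

# openssl @<x.y.z><letters>_<revision>[+variants] [(active)]
LINE_RE = re.compile(
    r"^\s*openssl\s+@(\d+\.\d+\.\d+)([a-z]*)_(\d+)(\+\S+)?\s*(\(active\))?\s*$"
)

Row = Tuple[str, str, int, bool]   # (version, letter suffix, revision, active)


def parse_installed(text: str) -> List[Row]:
    """Turn the command output into (version, letter, revision, active) rows,
    ignoring the banner line and anything that is not an openssl port line."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            version, letter, revision, _variants, active = m.groups()
            rows.append((version, letter, int(revision), active is not None))
    return rows


def is_heartbleed_vulnerable(version: str, letter: str) -> bool:
    """Only the 1.0.1 branch shipped the broken heartbeat code: 1.0.1 with no
    letter and 1.0.1a..1.0.1f are vulnerable, 1.0.1g and later are fixed.
    0.9.8 and 1.0.0 never had it, and anything newer than 1.0.1 is past the fix."""
    if version != "1.0.1":
        return False
    return letter == "" or letter <= "f"   # 1.0.1 letter suffixes are single characters


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return ("vulnerable" | "safe" | "unknown", "<version>_<revision>") for the
    active port.  "unknown" means no active openssl port was found in the output."""
    for version, letter, revision, active in parse_installed(text):
        if active:
            label = f"{version}{letter}_{revision}"
            if is_heartbleed_vulnerable(version, letter):
                return "vulnerable", label
            return "safe", label
    return "unknown", None


if __name__ == "__main__":
    # Run as: port installed openssl | python3 check_heartbleed.py  (name is arbitrary)
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    verdict, label = assess(output)
    print(f"active openssl port {label}: {verdict}")
```

Only the port marked (active) is what openvpn links against, which is why the check ignores the inactive old version that remains until you run the uninstall step above.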

How to Restart IP Forwarding on VPN Server on Mac

I have been running a VPN server on my Mac for a while now, per Donald Burr’s most awesome instructions here. One day while out and about I tried to use my VPN from my Mac and iOS devices only to discover that while I could connect and get an IP address internal to my network, I could not get outside to the Internet. I described the problem to Donald and he sent me the following instructions to restart IP forwarding on the VPN server. This fixed my problem in a snap, hope it helps you too.

Try running the following commands in terminal on the VPN server. You’ll have to do this when you’re next at home obviously. Note: replace “INTERFACE” with “en0” if your machine is hardwired (ethernet) or “en1” if it’s on wifi.

sudo sysctl -w net.inet.ip.fw.enable=1
sudo sysctl -w net.inet.ip.forwarding=1
sudo natd -interface INTERFACE
sudo ipfw add divert natd ip from any to any via INTERFACE

How to Uninstall VPN Server on Mac

If you’ve installed a VPN server on your Mac using Donald Burr’s most awesome instructions but for some reason want to uninstall the server, here’s an uninstall script along with text-based instructions from Donald:

Download the script here:
https://dl.dropboxusercontent.com/u/169813/uninstall-openvpn

Find the place where you downloaded the script (probably in your Downloads folder), and keep a Finder window open and off to the side. Open a Terminal window, and type:

chmod [space] +x [space]

DO NOT press return yet. In the Finder window, drag the script into the Terminal window, it should insert its path in the command line you are currently typing. Then press return.

Finally type this:

bash [space]

Again DO NOT press return, but drag+drop the script from Finder into the terminal, then press return. The script should run now. When it’s finished reboot your machine.

How To Set Up a VPN Server Using a Mac

These instructions may seem arcane and complex but they’re really easy if you just follow along step by step. Donald Burr of Otaku No Podcast (otakunopodcast.com) created all of these instructions in text form, Allison just created the ScreenSteps tutorial!

I’ll be focusing on using a Mac on your home network using an Airport Extreme Router (of course any router will work but the screenshots will be for the Airport). If you have a router capable of installing the Tomato Router Firmware, you should look at Donald’s full instructions because you may not need to use a Mac at all for this, your router can do it all. See Donald’s notes for other options.

Read Donald’s instructions ===> here.

If you’d rather download this manual for easy off line reference, click here.

If you’ve installed the VPN Server but would like to UNinstall it, click here for instructions.
If you can connect to your VPN server but can’t get outside your network, click here.

Let’s get started already!

SECTION 1 – Setting Up a Static IP for the Server on the LAN Side

These instructions should be completed on the machine that will become the VPN server. What you are really doing here is giving the AirPort a DHCP reservation for the server’s MAC address, so the server always gets the same LAN address; the port mapping in Section 7 will point at that address.

Open Network Preferences

Select Advanced

Copy the MAC Address

Open AirPort Utility

Click on your router, in my case it’s called White Dart.

Select Enter Router Password

Enter your password when prompted and click OK.

Select Edit

Select the Network Tab and Click the + Button

Paste in the MAC Address You Copied Earlier

Select Update

Select Continue

Quit AirPort Utility when this operation completes.

SECTION 2 – Creating an Account at No-IP.com

Navigate to http://www.noip.com and select Sign Up.

Create a Username and Password

Enter your email address. Note the host name shown, which is free; if you want to pay you can get more options. Scroll down to the bottom of the page.

Select Sign Up

Email Confirmation Will Be Sent

Click the Link in the Email

Download the Update Client

This client will run in the background and check to see if your public IP address has changed; if it has, it sends the new address to no-ip.com so your host name keeps pointing at your home network.

Download and Install the Client

Enter the No-IP.com Account Info You Just Created

This window should pop up automatically.

Click OK

Click on Hosts and Check the Box Next to the Host Name You Chose

It may take a few moments for the host name you selected at no-ip.com to show up. Make sure you note this name, you’ll need it later.

Select Update Now

Turn on the Daemon

I chose this rather than running the application in the background all the time.

SECTION 3 – Installing Xcode and the Command Line Tools

Find Xcode in the Mac App Store

Install Xcode

Install Java

Xcode only installs the standalone Java runtime; it does NOT include the Java web browser plugin that has been the subject of so many security vulnerabilities lately.

Select Install Next to Command Line Tools

Wait until the installation finishes and quit Xcode.

In Terminal, type xcodebuild -license to open the license agreement.

Start hitting the space bar to scroll through the EULA – a LOT of times.

Type agree when you reach the end, and the license is accepted.

SECTION 4 – Installing MacPorts

Navigate to https://distfiles.macports.org/MacPorts/ and scroll to the bottom to download the installer file for your version of OS X.

Install MacPorts

Enter These Commands in the Terminal

To run the MacPorts self update, enter:

  source ~/.profile
then
  sudo port -v selfupdate

and enter your administrator password when prompted. (The source command reloads your shell profile, which the MacPorts installer edited, so that the port command is found on your PATH.)

Success

Install the VPN Software

Enter

  sudo port -v install openvpn2

and watch a lot of glop go by…

SECTION 5 – Installing the Tuntap Drivers

Open the Package File (in the folder created after the tuntap archive expands)

Gatekeeper won’t let you just double click on the installer package (it will complain that it is from an unidentified developer); you have to right click on the installer package and choose “Open”.

SECTION 6 – Donald’s Nifty Scripts of Doom

Download Donald’s scripts from: https://dl.dropbox.com/u/169813/openvpn-mac.tar.bz2

Type These Commands to Unarchive the Scripts

cd ~/Downloads
tar xvjf openvpn-mac.tar.bz2

Setting Up the OpenVPN Server

We’re now going to run Donald’s scripts. Enter this command:

  cd openvpn-mac && sudo bash setup-openvpn-server

Name your server (I’ve entered kyles-mac-vpn), then enter the dynamic DNS host name you noted back on no-ip.com (you DID note it, right?).

Keep Answering Questions

The first time through you need to answer these. The same questions come up MANY times, because the script builds several keys and certificates, but after the first pass your answers are offered as defaults and you can simply hit Enter for each question.

Hit Enter for all of these questions for the RSA key, and again each time they come around. Keep answering…

Whew!

Enter the passphrase and password as many times as they ask for it! Use the same one every time; it is the password you will type on every device that imports the connection file.

Finder Window Opens Showing config-files

Copy this file to Dropbox. It will be the first connection file you test. It would be good to name it something associated with the device on which you’ll use it (you’ll be creating one of these for each of your devices). Remember that this file is what lets a device onto your network, so remove it from Dropbox once the device has imported it.

Create a New VPN Connection Document for Each Device You Have

In Terminal, enter:

  sudo setup-openvpn-client connection-name

where connection-name means something to you for each different device you’ll want to connect to the VPN server. Move each of these files to Dropbox to be picked up on your devices.

SECTION 7 – Opening up UDP Port 1194

Open AirPort Utility again, select your AirPort again, and select Edit again. Select the Network tab, and select the + under Port Settings.

Enter the Port Mapping

Add a UDP mapping with 1194 as both the public and private port, and the private IP address you reserved for the server back in Section 1. UDP 1194 is OpenVPN’s default port and the only port that needs to be opened; nothing else on the Mac is exposed to the Internet.

Select Update

Wait until your AirPort updates.

SECTION 8 – Install VPN Software on iOS

Download OpenVPN Connect from the App Store.

Open Dropbox

Find the file you created and moved into Dropbox and tap on it.

Select the Open In Button in the Bottom Right

Select Open in OpenVPN

Tap the Green Plus Button to Import the File

Enter the Password

Enter the password you created when the file was generated, and tap the Save switch to turn it on. Finally tap the Off switch to connect to the VPN.

Connected!

SECTION 9 – Install VPN Software on OS X

There are two options for a VPN application on the Mac. Donald recommended Viscosity from http://www.sparklabs.com/viscosity/download/ which is $9 per Mac.

After the show Dr. Matt suggested the free Tunnelblick from http://code.google.com/p/tunnelblick. I installed both and they both work well. This tutorial will be for Viscosity, but if you try Tunnelblick you have to do one thing to make it work: in the Settings, Configuration tab, select Advanced and then uncheck the box to use Tunnelblick’s own tun/tap drivers, so that it uses the tuntap drivers you installed in Section 5 instead.

Let’s keep going with Viscosity as our example.

Install Viscosity

Click on the icon for Viscosity in the menu bar and choose Preferences.

In the Connections Tab Click on the Plus Button at the Bottom

Select Import Connection From File…

Navigate to the File You Created for This Device

In my case I called it alsmac so I could tell which one to open.

Connection Imported

Connect Using the Menu Bar App

Enter the Password You Created

No clue which one of the 198 I entered, luckily I typed the same one over and over again.

Fleeting Notification of Connection

To test mine at home I used a MiFi so I was on a different network.

Use the Menu Bar Icon to Disconnect When You’re Through

If you want to prove to yourself that you’re on the VPN, go to http://ipchicken.com before and after you connect and you’ll find that your IP changes to your home IP. Congratulations!

How to Set Up Signed and Encrypted Email

In Episode 412 of the NosillaCast on 31 March 2013, Bart walked us through how to set up signed and encrypted email in Mail.app on the Mac, and also on iOS. Below are three Clarify tutorials designed to give you step by step instructions. Bart and I worked on this together, and we decided that breaking it up into three separate tutorials made sense.

First we’ll teach you how to obtain a certificate and generate a private key, and then send signed and encrypted email from Mail.app:

How to Set Up Encrypted and Signed Email in Apple Mail

You can stop there, but if you want to use a second Mac to send email, or use a different email client, or even iOS, you’ll need to know how to export your certificate and private key:

How to Export Your Certificate and Private Key

Finally, if you want to read encrypted email and sign your emails on iOS, you’ll need the last tutorial. Unfortunately, iOS isn’t at all easy to set up for actually sending encrypted email, but you’ll still be able to read encrypted mail and send signed mail:

How to Read Encrypted and Send Signed Emails on iOS
