Protecting your Mac against malware and intrusion

Middle of the road settings shown. Can you be more restrictive than these?

Security, like terror and debt, is a concept that can generate nightmares, or deep indifference, depending on your level of paranoia and anxiety.

As with backing up, there is no point in just doing what you think is best. You must have a thought-out policy or strategy which you consider addresses the risks that you, your Mac and other systems, face. You must implement the measures resulting from your policy or strategy, and stick to them. And you must monitor both their success and the changing landscape of threat.

This may sound horribly formal and excessive for a SOHO system, but it does not need to generate lengthy formal documents. Indeed, the more that you think (in a structured way) and the less that you write, the more cogent and effective it will be.


I don’t think that the theoretically zero-risk Mac exists any more. Without Internet access, few computers can serve a useful purpose. The only exceptions are legacy systems which have to run old, unmaintained, and thus vulnerable versions of OS X. Exposing those to current risks on the Internet is courting disaster.

The risk to any given system is a complex issue, involving some or all of the following:

  • intrusion protection between the system and the Internet;
  • desirability of system(s) to hackers; the larger the organisation, the more kudos and value to an intruder;
  • number, type and privileges of users; one careful user is obviously safest, many careless users is chancing it;
  • browsing and other online habits of user(s); it only takes one user with an occasional penchant for porn, or someone who has to visit websites in risky countries, for an attack to occur; similarly a single user who assumes that all online security will be handled by their online security software could act recklessly;
  • whether the system exposes local services, such as a web server or file sharing;
  • robustness of all passwords and systems of authentication;
  • use of remote storage, including cloud systems such as iCloud;
  • reliance on security certificates and their vulnerabilities;
  • software installed, and whether kept fully up to date; if you have to run old and flawed versions of some products, these may significantly increase risk;
  • many other factors.

It is easy to kid yourself that a home or SOHO network is of no interest to potential intruders, but that is simply untrue. I am sure that there are plenty of things on your network which could be of value to those out to steal personal details, etc., and there are strange people out there who are just plain malicious. You are unlikely to be attacked by the most skilled or determined, who are more likely to target corporate or government networks. But even a blundering amateur can bring you a lot of grief.


When you have properly assessed your risks, the strategies to mitigate them usually follow. However, you need to consider all the options, rather than going straight for a product which claims to be a universal panacea. This is one reason that I do not like most ‘security’ and ‘anti-virus’ products. If they are to justify what you paid for them, and the problems that they can cause, then you need to hand a lot of trust over to them. Unfortunately I do not think that they justify that trust.

The best security begins at home, and here that means OS X: make sure that you keep it up to date, particularly with security patches, and that it is configured to give you the required level of protection. Most OS X and related updates contain several to many fixes addressing security vulnerabilities; some of those are likely to be exploited by the time that you install the update, so do not wait a few days to see whether the update causes problems with other users. That delay could leave you very vulnerable.

Use a balance of different strategies, operating at different levels and in different ways, rather than putting all your eggs in one basket. A key first step is to provide a solid way of stopping incoming connections from the Internet, normally by configuring the firewall built into your modem-router. Don’t assume that it comes with that enabled by default: read the documentation and check its configuration is correct as soon as possible after you install it.

This firewall blocks all incoming connections by default. Have you checked whether yours does, or configured it to do so?

Your Mac also invites material to come in from the Internet, by way of web pages, mail, and various other data. Ensure that you configure each app that connects to external services and systems correctly, to cover the risks that you have identified. This means learning to use your web browser and mail client properly.

If you decide that you want to install protection software against security risks from the Internet, or against viruses and other malware, choose the product carefully and keep it up to date. Outdated protection is worse than none at all, as it will be all but ineffective and will probably cause problems with other software. If you decide not to keep up your update subscription, uninstall the software fully. Another reason for disliking such products is that that may not be an easy matter.

Putting it in place


Start with System Preferences. Inevitably the key pane there is Security & Privacy. Make sure that you fully understand each of the settings and options there, lest you inadvertently open a gaping hole. Standard settings for each tab should read something like:

  • General – a login password is essential; if passers-by could be a problem then require password entry to unlock the screensaver or from sleep; never enable automatic login, even if you are the only user and sole resident; allow apps from Mac App Store only if possible, and never from ‘anywhere’;
  • Filevault – only turn this on if you really need all your files to be encrypted; if there is a significant risk of your Mac or hard drive being stolen and if it contains sensitive information, then this is usually mandatory;
  • Firewall – valuable on mobile systems if you cannot be sure how good the network firewall protection is, but in most static situations you can leave the software firewall turned off and rely on that in your modem-router;
  • Privacy – although tedious, it is best to work through each service and permitted access to its data individually; always opt for the minimum that is really necessary;
  • Advanced – don’t forget to click on this button for extras that Apple has tucked away; set automatic log out if you may be away from a desk to which others have access; disable infra-red remote controllers if there is any chance they might be used by others.
Check carefully through Privacy settings to minimise your exposure.
Check the Advanced settings using the Advanced... button.

Other important panes include:

  • Extensions – check what is installed and what it is allowed to customise;
  • Network – check that this is properly configured with a reliable DNS server;
  • Sharing – only offer services that you need to use; ideally turn file sharing on when you need it, then off again;
  • Users & Groups – ensure that no Guest User account is enabled, and that you only have the correct login items;
  • Third-party – check all of these, and ensure that their settings are appropriate.
You may be able to lock your browser down more than is shown here. If you can, do so.

All software which connects with the outside world, particularly web browsers, also needs a thorough check. Try to disable features which you do not use, but which could give an intruder an easy entrance. This is particularly true of products with a history of vulnerability such as Adobe Flash and Java (indeed any scripting language, whether claimed to be secure or not): if you can, avoid installing them, or remove them. When you do need them, ensure that you keep them up to date so that their vulnerabilities are fixed as soon as possible.
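The checklist above is easy to audit from Terminal as well as by clicking through each pane. The following bash script is an added example, not the article's own code: it checks the Gatekeeper, automatic login, screensaver password, FileVault, application firewall and Guest user settings, and whether the Flash and Java plug-ins are installed. The expected output strings and plist key names are assumptions about the OS X tools of this period; confirm them on your own Mac before relying on the results.

```bash
#!/bin/bash
# Added audit script (not from the article): checks from the command line the
# System Preferences settings the article reviews, plus whether the Flash and
# Java plug-ins are installed. Expected strings are assumptions about each
# tool's usual wording; confirm them on your own Mac.
# classify_setting NAME OBSERVED EXPECTED_REGEX: prints OK or WARN, returns 0 or 1.
classify_setting() {
    local name=$1 observed=$2 want=$3
    if printf '%s\n' "$observed" | grep -Eq -- "$want"; then
        printf 'OK   %s\n' "$name"
        return 0
    fi
    printf 'WARN %s (observed: %s)\n' "$name" "$observed"
    return 1
}
# plist_value DOMAIN KEY: read a key with defaults(1), or print "unset" when the
# key is absent (an absent autoLoginUser is exactly what we want to see).
plist_value() {
    defaults read "$1" "$2" 2>/dev/null || printf 'unset'
}
# audit_mac: run every check and return the number of warnings.
audit_mac() {
    local fails=0 lw=/Library/Preferences/com.apple.loginwindow plugin
    # General tab: Gatekeeper (never 'anywhere'), no automatic login, password on wake.
    classify_setting "Gatekeeper enabled" "$(spctl --status 2>&1)" \
        '^assessments enabled' || fails=$((fails + 1))
    classify_setting "Automatic login disabled" \
        "$(plist_value "$lw" autoLoginUser)" '^unset$' || fails=$((fails + 1))
    classify_setting "Password required after screensaver/sleep" \
        "$(plist_value com.apple.screensaver askForPassword)" '^1$' || fails=$((fails + 1))
    # FileVault and Firewall tabs (the firewall may be off behind a router firewall;
    # the point is to know its state rather than assume it).
    classify_setting "FileVault on" "$(fdesetup status 2>&1)" \
        '^FileVault is On' || fails=$((fails + 1))
    classify_setting "Application firewall on" \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)" \
        '^Firewall is enabled' || fails=$((fails + 1))
    # Users & Groups: Guest user must be off (key absent or 0).
    classify_setting "Guest user disabled" \
        "$(plist_value "$lw" GuestEnabled)" '^(0|unset)$' || fails=$((fails + 1))
    # Plug-ins with a history of vulnerabilities: Flash and the Java applet plug-in.
    for plugin in "Flash Player.plugin" "JavaAppletPlugin.plugin"; do
        if [ -e "/Library/Internet Plug-Ins/$plugin" ]; then
            printf 'WARN %s is installed: remove it, or keep it patched\n' "$plugin"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
if [ "$(uname)" = Darwin ]; then audit_mac; fi
```

The script's exit status is the number of warnings, so it can be run from a scheduled job and only reported on when it is non-zero.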

Block notifications in Safari unless you really need them.

Large networks have all sorts of elaborate policies on passwords. For smaller systems the crucial rules are that all passwords should be very hard to guess, or to find in a dictionary (which includes most proper names), and that you should never use similar passwords for different sites or purposes. It is better that you can remember such secure passwords than change them every few weeks. Your Mac will also try to keep passwords and the like in its keychain, where they are protected in turn by your admin user password. This makes it even more important that that password is properly robust. It is also likely to be the password which an intruder would need to guess before they can gain entry to your Mac.

Filter all incoming email on the assumption that it may be a phishing attack. Never open attached files, particularly Microsoft Office, Adobe Acrobat, or HTML documents, unless you know who they came from. If you are unsure whether a message is genuine, inspect its Internet headers. Did it come from a hijacked server? Is it addressed properly to you, or to a different address? Is its content in keeping with your expectations? If it looks too good to be true, then it is, and is trying to trap you.

I do not use Mail or a similar client, but Mailsmith, which only deals with text content in messages, and cannot automatically open web pages or other content. This greatly reduces the risk posed by malevolent content, and makes me see what the message really contains. Although it is not hard to craft links to disguise them, most bogus links are easy to spot when mail is viewed as plain text. If I do receive an attachment (or download) which looks genuine but I want to be sure about its true nature, I have an up to date copy of ClamXav (free) ready to scan it.


Wireless networking is a wonderfully empowering tool, but it is also a security nightmare. Read the documentation for your WiFi access points and ensure that they are properly locked down and cannot (readily) be hacked into. Disable all guest access. If you really do need to connect legacy systems to WiFi, this is a serious problem, as many old systems do not work with modern access protocols like WPA2, requiring you to enable older and readily-broken options. You would then be much better off using wired Ethernet instead.

Never allow Guest access to your WiFi, and always enable robust security protocols such as WPA2.

The other side of WiFi access is when you use a public access WiFi system, perhaps at a cafe or hotel. You should avoid doing anything which could pose a risk if your communications were to be intercepted. When in public places using equipment controlled by other people, you should be extremely cautious.

Human factors

Most if not all security experts recognise that the single weakest element in all systems is the person. Human behaviour (and the lack of it!) is the greatest unknown in most risk assessments. The only solution in larger organisations is to put in place such measures as should protect users from themselves, something that you are unlikely to do on your own systems. However you can be more honest as to your behaviour, and identify risks that are peculiar to what you do.

Human weaknesses which have been preyed upon to result in intrusions or personal data theft include:

  • Trust – never trust anyone unless you know them well enough to have proven themselves trustworthy, and even then only trust if you must; distrust anyone claiming to be from your work organisation unless you know them well, and even then be suspicious; if someone phones you, get them to give you their phone number and call them back; if someone asks you to give information to verify your identity, but you are not confident that they are who they say they are, ask them to verify their identity;
  • Greed – if something looks too good to be true, the chances are that it is not true, and is just a trap. Do you believe an unsolicited email telling you that you have won a million in a lottery which you never entered?
  • Haste – think things through before rushing ahead and clicking on that link. Hover the pointer over it and see if it admits to where it will take you; if it does not, don’t do it;
  • Lust – if it is about sex or partners, be doubly careful, as it is almost certainly a scam or trap.


If your home or office is in an urban area, it is highly likely to have a burglar alarm to detect anyone who gets past its locks and other security systems. So all Mac users should have a network intrusion detection system (NIDS), or the first that you may know about an intrusion is when your credit card breaks over its limit.

The snag is that, at the moment, there isn’t a good NIDS which I would recommend. I used to have faith in Snort, which is available for OS X, but its techniques are no longer at the leading edge, and the open source product Suricata would seem to be a better choice. However experience with these tools under OS X is quite limited, and they have not broken into the mainstream. OS X, and apps like Safari, do keep an eye, and their protective mechanisms should alert you to danger early, but OS X does not contain a built-in NIDS. I hope to cover this in a future article here.

An important task, linked with the need to keep critical software up to date, is keeping a watchful eye on the threat landscape. I would have loved to recommend that you read news items in MacUser, as we used to cover significant changes in threat and risk, and that is something that I am trying to do here.

Remaining alert and suspicious – but not paranoid, please – is also vital. If odd things start happening to your Mac, don’t automatically assume that it was a recent OS X update, but think about what is happening, and whether it could be the result of an intrusion, or that Trojan that you installed last night!

If you are not completely certain about the effectiveness of your firewall or other barriers to the outside world, then try getting into your network from outside, perhaps using your iPhone or iPad. If you do offer any way of connecting to your systems from the Internet, then it is very important that you (or, better, a security professional) perform proper ‘pen testing’ (penetration testing).

May all your potential intruders fail miserably, and your Macs stay safe. And please add to the above in your comments: no short article can ever be complete.