hoakley July 4, 2020 Macs, Technology

Protecting yourself against malware

It’s easy to solve all your security problems by installing more software – antimalware scanners, software firewalls, and so on. But as we are the weakest links, the real prey here, it’s actually down to what we do, where we point our browsers, what risky activities we do online. Good security tools are wonderful aids, but they can’t protect us from ourselves. The recent reappearance of what may be ransomware is a good spur to reassessing what we do to keep our Macs clean. Here are some thoughts.

Latest security protection

Always run the latest release of macOS that’s compatible with your main working apps. Catalina may seem unattractive to many, but it has much better protection for both you and macOS than any previous release. All the most important system files are stored on a separate System volume, which is not only protected by SIP but is read-only. That doesn’t make it impossible for malware to attack system files, but a great deal more difficult to do so.

Catalina also expects all apps and even command tools to be notarized. So far, no malware has apparently slipped past Apple’s checks which are required before it issues a notarization ‘ticket’. That doesn’t mean that all notarized apps are sweetness and light – they can still be unwanted, adware, and intensely annoying – but the chances of finding notarized malware seem so slight as to be effectively zero. It’s not hard for a malware developer to buy a certificate which allows them to sign their products, but notarization is a much higher hurdle.

Another security behaviour of Catalina is that, whenever they’re run (not just the first time when they’re in quarantine) apps are checked by XProtect to detect whether they match the signature of known malware. Apple has also ensured that XProtect’s signature data is updated every fortnight, keeping it up to date with the latest malware discovered.

Don’t forget to enable it

Over the years, my free utilities LockRattler and SilentKnight have discovered a steady stream of Macs whose security protection has been disabled. So far, these cases have all been deliberate: the user has at some time in the past disabled SIP, XProtect, or another part of the macOS security systems, and forgotten to turn them back on. This has resulted in some users having no SIP or XProtect checks for periods of over a year.

Think twice before turning any macOS security features off. Ask yourself whether you’re certain that’s the only solution, and that the software you’re about to install or use can be fully trusted.

Whenever you do disable or change any security system temporarily, put a sticky note on the display to remind you to enable it again as soon as you’re done.

Beware of links

Never click on any link, whether embedded in a mail message, on a web page, or iMessage, unless you are confident that it’s not going to abduct and ambush you. To make this easier in mail messages, I always read mine as plain text, which usually reveals the real URLs embedded; for this, I use Postbox, which allows me to view messages rendered from their HTML when I wish.

If any link has been shortened, then every Mac user should use Link Unshortener from the App Store, which tells you exactly where a shortened link takes you, and blocks the tracking which normally takes place when you follow a shortened link directly.

I haven’t yet come across a QR code which has been malicious, but if you use them frequently, beware that there will come the time when they too will be turned against you.

Another essential protection is to disable Safari’s option to Open “safe” files after downloading, at the foot of the General item in its preferences.

Don’t live dangerously outside a VM

In recent years, certain groups of users have been targeted again and again by malware. It used to be porn sites, then in more recent times attention has turned to those trading in crypto-currencies. Although those two activities remain high risk, another has always been obtaining pirated copies of software and other ‘warez’ using torrents.

These aren’t all illegal activities, but those we tend to keep as private as possible. We know we’re taking a risk in doing them, and sometimes that may be part of their psychological reward. We also know that when that risk goes wrong, we’re unlikely to complain to anyone about it. The best answer is to live a clean and honest life online, but if you’re not so saintly you must be exceedingly careful, and perpetually suspicious. One good security reason for our vulnerability in these situations is that, unlike when downloading files from a reputable vendor’s secure server, these downloads often circumvent the normal quarantine mechanism, so never undergo full first run checks by macOS security.

If you really must, then adopt the practice of the security researcher: do it all within the relatively protected confines of a Virtual Machine, a copy of a suitably recent version of macOS, such as Mojave perhaps, in VMware, Parallels, or your alternative favourite. Properly set up, and ensuring that you don’t use the VM to pass problems onto the host Mac, your dangerous secret hobby can be a lot safer.

Remove Flash

Adobe’s Flash reaches the end of its life at the end of this year, at last. Don’t wait until Christmas to remove it: do it now. It will be a weight removed from your Mac.

If in doubt, take your time

Finally, like all fraudsters, successful distributors of malware know that you make decisions worst when you’re under pressure. They deliberately confuse and harass you into making choices that, just a few minutes later, you know were wrong. Don’t let them brow-beat you into submission: if you’re not absolutely certain, if things look unfamiliar or suspicious in any way, stop. Regain control of the situation and take your time.

Stay safe.

15Comments

Add yours

1

EcleX on July 4, 2020 at 7:25 am

Thanks for the interesting article. I guess that by VM you mean Virtual Machine, like the ones of VMware Fusion. Finally, common sense is probably the best protection. Remember that if something did not happen to you before, that does not mean that it will not happen in the future. Besides having several backups (including the ones not connected all the time to the Mac). And never paying in case of ransomware. If nobody paid, ransomware would not exist.

LikeLiked by 1 person
- 2
  
  hoakley on July 4, 2020 at 8:41 am
  
  Thank you.
  Yes, that’s exactly what I explain above about using VMs.
  Sadly, either many users don’t have any common sense, or common sense doesn’t include any of the above. Remember that those wanting you to run malware exploit human weaknesses: they put you under pressure, or in unfamiliar situations, precisely so that you won’t be using any sense at all, just making bad decisions.
  Backups are vital, but no number of backups will prevent you from downloading, installing and running malware. Backups are only mitigation in the event that you get it wrong. You must be determined not to get any malware in the first place – the same lesson as with Covid-19.
  Prevention is always better than mitigation.
  Howard.
  
  LikeLike
3

Javier Gallardo on July 4, 2020 at 1:46 pm

Nice and sensate resume, and good compilation of situations. (I’ve learned/remembered this thing about shortened links; I take note).
How you pack a lot of useful and well defined info in an unique article still astounds me. (…been reading about malware lastly… a lot of vague and commonplaces-full writings). Perhaps is not necessary when installing legit software packages, but even in those situations I like to know what’s into those .pkg’s .
I use ”Pacifist”, a nice and useful app, as part of a preventive approach when adding software to my system.
I don’t know if it makes sense, but I even have a previous insight into some zip’s that arrive by e-mail.
Related to a general attitude you suggest, some curiosity in general to stop and think “what, why, how?” is good; not just to avoid problems but even as a help to know own system as a whole.

LikeLiked by 1 person
- 4
  
  hoakley on July 4, 2020 at 4:32 pm
  
  Thank you.
  A free alternative to Pacifist is the fine Suspicious Package, from Mother’s Ruin Software. I use it regularly.
  Howard.
  
  LikeLike
5

Bob on July 4, 2020 at 2:05 pm

Thanks Howard. The price of security is eternal vigilance. There have been numerous attacks on home routers over the last few years, that attempt to alter the configuration to send your home systems to a malicious DNS server. Thus, going to your bank, using a VM or not, may not actually be your bank’s login page. There are two specific practices that I use to thwart these issues:

1. I don’t use DHCP from my router. All devices in my home must use static addresses that I assign. This means I also assign my own DNS servers; preferentially Quad-9 (9.9.9.9) for the extra security for the kids. If someone alters the DNS configuration in my router, it’s useless to them.

2. When doing sensitive things like banking, I *always* invest a few seconds to look at the certificate before logging in. This ensures (to the extent possible) that I’m talking to the right organisation.

If I’m establishing a new trust relationship (i.e., going to a new web site for the first time, that requires I use or create credentials,) I always use the free web site checker at ssllabs.com. Just give it a URL, and it will throw a bevy of tests at the site, checking for bad practices, old (unsafe) ciphers etc., and issue a grade. For example, eclecticlight.co is capped at a grade of B because it uses TLS 1.0 – 1.1. I once had to make a direct-debit payment online, and first checking the site in this manner returned a grade of F. I wrote a paper check instead.

I have found that these three practices provide abundant free insurance.

LikeLiked by 1 person
- 6
  
  hoakley on July 4, 2020 at 4:34 pm
  
  Thank you. All good tips. I don’t use Web-based banking at all, but an iOS app provided by my bank. Its security then rests with them.
  I’m surprised that you’ve had so many problems with your router. Which make is that?
  I have no say in the TLS security of this site – that’s managed by Automattic.
  Howard.
  
  LikeLike
  - 7
    
    Bob on July 4, 2020 at 6:51 pm
    
    Oh, I have had no troubles with my router to date, but other routers have had this issue. Since we don’t know what we don’t know, who is to say that one’s router cannot be determined to have a vulnerability in the future? Thus it has always been, thus it shall always be, static addresses in my house. Not even an open guest network.
    I don’t know if URLs are allowed but I’ll try. Here is an article from March:
    
    https://arstechnica.com/information-technology/2020/03/new-attack-on-home-routers-sends-users-to-spoofed-sites-that-push-malware/
    
    LikeLiked by 1 person
    - 8
      
      hoakley on July 4, 2020 at 7:03 pm
      
      I never allow guest networks. Never. Like guest user accounts, they’re a road to disaster. But we digress into network security, which is a fascinating and worthy subject, but a subject in itself.
      Howard.
      
      LikeLike
9

John Kelso on July 5, 2020 at 2:39 pm

Wonderful article! Unrelated to security, I’d like to be able to run Snow Leopard in Virtual Box on my Catalina Mini so I can support some older Apple Airports. I’ve not had any luck getting it to work. One site says I need the server version of Snow Leopard as opposed to the regular desktop version, for which I have the original DVDs.

Have you had any success getting OS X whatever to work in Virtual Box, or some other VM? If so, do you have any hints or pointers?

Many thanks!

LikeLiked by 1 person
- 10
  
  hoakley on July 5, 2020 at 11:12 pm
  
  Thank you.
  There’s a problem with a lot of older macOS installers, as their signing certificates have gone out of date. One way you can work around this is to set the clock date to a date in the past. You may also be best imaging those DVDs and running the install from those images.
  Howard.
  
  LikeLike
  - 11
    
    John Kelso on July 6, 2020 at 10:48 am
    
    Many thanks! I will give those suggestions a try.
    
    LikeLiked by 1 person
12

Aron D. on July 5, 2020 at 2:52 pm

so far my recipe for macOS security (on top of the suggestions you’ve written) consists of having three free apps from Patrick Wardle: Blockblock – for warning me when an app tries to install persistent software, LuLu – application firewall to help me decide which app or process i want to connect home (or elsewhere), and RansomWhere.
I’m a strong opponent of classical AV apps for mac, these three, in my opinion/experience, fully cover my mac’s security (and they are free/donationware!).
The only thing that’s still needed is browser security/privacy, for which an adblocker is necessary (my choice is AdGuard for mac).

LikeLiked by 1 person
- 13
  
  hoakley on July 5, 2020 at 11:12 pm
  
  Thank you.
  Howard.
  
  LikeLike
14

John Fredrick on July 14, 2020 at 11:21 am

Very nicely describe the whole article. informative thank you.

LikeLiked by 1 person
15

Best Protection Against Malware | on July 16, 2020 at 6:00 am

[…] on your machine. However, the bottomline in Mac security is always the end user; that would be you. This article describes why the end user is the key to Mac security and lists several things you should and should not do […]

LikeLike