Protecting yourself against malware

It’s easy to solve all your security problems by installing more software – antimalware scanners, software firewalls, and so on. But as we are the weakest links, the real prey here, it’s actually down to what we do, where we point our browsers, what risky activities we do online. Good security tools are wonderful aids, but they can’t protect us from ourselves. The recent reappearance of what may be ransomware is a good spur to reassessing what we do to keep our Macs clean. Here are some thoughts.

Latest security protection

Always run the latest release of macOS that’s compatible with your main working apps. Catalina may seem unattractive to many, but it has much better protection for both you and macOS than any previous release. All the most important system files are stored on a separate System volume, which is not only protected by SIP but is read-only. That doesn’t make it impossible for malware to attack system files, but it does make it a great deal more difficult.

Catalina also expects all apps and even command tools to be notarized. So far, no malware has apparently slipped past the checks Apple requires before it issues a notarization ‘ticket’. That doesn’t mean that all notarized apps are sweetness and light – they can still be unwanted, adware, and intensely annoying – but the chances of finding notarized malware seem so slight as to be effectively zero. It’s not hard for a malware developer to buy a certificate which allows them to sign their products, but notarization is a much higher hurdle.

Another security behaviour of Catalina is that, whenever they’re run (not just the first time, when they’re in quarantine), apps are checked by XProtect to detect whether they match the signature of known malware. Apple has also ensured that XProtect’s signature data is updated every fortnight, keeping it up to date with the latest malware discovered.

Don’t forget to enable it

Over the years, my free utilities LockRattler and SilentKnight have discovered a steady stream of Macs whose security protection has been disabled. So far, these cases have all been deliberate: the user has at some time in the past disabled SIP, XProtect, or another part of the macOS security systems, and forgotten to turn them back on. This has resulted in some users having no SIP or XProtect checks for periods of over a year.

Think twice before turning any macOS security features off. Ask yourself whether you’re certain that’s the only solution, and that the software you’re about to install or use can be fully trusted.

Whenever you do disable or change any security system temporarily, put a sticky note on the display to remind you to enable it again as soon as you’re done.

Beware of links

Never click on any link, whether embedded in a mail message, on a web page, or iMessage, unless you are confident that it’s not going to abduct and ambush you. To make this easier in mail messages, I always read mine as plain text, which usually reveals the real URLs embedded; for this, I use Postbox, which allows me to view messages rendered from their HTML when I wish.

For shortened links, every Mac user should use Link Unshortener from the App Store, which shows exactly where a shortened link leads, and blocks the tracking which normally takes place when you follow one directly.

I haven’t yet come across a QR code which has been malicious, but if you use them frequently, beware that there will come the time when they too will be turned against you.

Another essential protection is to disable Safari’s option to Open “safe” files after downloading, at the foot of the General item in its preferences.

Don’t live dangerously outside a VM

In recent years, certain groups of users have been targeted again and again by malware. It used to be porn sites, then in more recent times attention has turned to those trading in crypto-currencies. Although those two activities remain high risk, another has always been obtaining pirated copies of software and other ‘warez’ using torrents.

These aren’t all illegal activities, but they are ones we tend to keep as private as possible. We know we’re taking a risk in doing them, and sometimes that may be part of their psychological reward. We also know that when that risk goes wrong, we’re unlikely to complain to anyone about it. The best answer is to live a clean and honest life online, but if you’re not so saintly you must be exceedingly careful, and perpetually suspicious. One good security reason for our vulnerability in these situations is that, unlike when downloading files from a reputable vendor’s secure server, these downloads often circumvent the normal quarantine mechanism, so never undergo the full first-run checks that macOS security applies to quarantined files.

If you really must, then adopt the practice of the security researcher: do it all within the relatively protected confines of a Virtual Machine, a copy of a suitably recent version of macOS, such as Mojave perhaps, in VMware, Parallels, or your alternative favourite. Properly set up, and ensuring that you don’t use the VM to pass problems onto the host Mac, your dangerous secret hobby can be a lot safer.
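As an added example (not the post’s own code), a small shell audit for three of the checks above: whether SIP reports enabled, whether Safari’s Open “safe” files setting is off, and whether a downloaded file carries the com.apple.quarantine attribute that triggers first-run checks. The commands and the Safari preference key AutoOpenSafeDownloads are real; the script name mac_check.sh and the sample attribute values are assumptions.

```shell
#!/bin/sh
# Constructed audit script (not from the original post). Each check is a pure
# function over command output, so the logic can be exercised offline; audit()
# is the wrapper that runs the real macOS commands.

# SIP: true when `csrutil status` reports it enabled.
sip_enabled_from_status() {
  case "$1" in
    *"System Integrity Protection status: enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Safari's "Open safe files after downloading" lives under the key
# AutoOpenSafeDownloads; an absent key means Safari's default, which is on.
auto_open_disabled() {
  case "$1" in
    0|false|NO) return 0 ;;
    *) return 1 ;;
  esac
}

# com.apple.quarantine values look like "0083;5f9c0a1b;Safari;<UUID>"
# (hex flags; hex timestamp; downloading agent; optional UUID). A file
# without the attribute skips Gatekeeper's first-run assessment entirely.
quarantine_present() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{4};[0-9a-fA-F]+;'
}

audit() {
  if sip_enabled_from_status "$(csrutil status 2>/dev/null)"; then
    echo "SIP: enabled"
  else
    echo "SIP: DISABLED or unknown; re-enable it from Recovery"
  fi
  if auto_open_disabled "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)"; then
    echo "Safari auto-open of 'safe' files: off"
  else
    echo "Safari auto-open of 'safe' files: ON; turn it off in Preferences > General"
  fi
  for f in "$@"; do
    if quarantine_present "$(xattr -p com.apple.quarantine "$f" 2>/dev/null)"; then
      echo "$f: quarantined, will get first-run checks"
    else
      echo "$f: NOT quarantined, Gatekeeper will not vet it on first run"
    fi
  done
}
# Usage on a Mac: sh mac_check.sh --audit ~/Downloads/*.dmg
if [ "${1:-}" = "--audit" ]; then shift; audit "$@"; fi
```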

Remove Flash

Adobe’s Flash reaches the end of its life at the end of this year, at last. Don’t wait until Christmas to remove it: do it now. It will be a weight removed from your Mac.

If in doubt, take your time

Finally, like all fraudsters, successful distributors of malware know that you make your worst decisions when you’re under pressure. They deliberately confuse and harass you into making choices that, just a few minutes later, you know were wrong. Don’t let them brow-beat you into submission: if you’re not absolutely certain, if things look unfamiliar or suspicious in any way, stop. Regain control of the situation and take your time.

Stay safe.