What? Secure my Mac? Why?
Mac owners sometimes exist in a bubble of avoidance – believing that since Mac OS X is more resistant to viruses, they don’t have to worry about anything to do with security. Bubbles inevitably burst, unfortunately. There are many ways other than viruses to lose data or privacy. One important recent route is Trojan horses that can attack a Mac through security holes in third-party software such as Java, Microsoft Word and Adobe Flash Player.
Your behaviour makes or breaks security efforts.
Message #1 is that social engineering is still the most effective vector for malware. Anything that you explicitly permit to run or install as an Admin level user of your Mac is going to bypass any security measures or good intentions.
- So do not click on that unknown link from an email, even if it seems to come from a friend.
- Don’t OK the installation of a “video codec” that pops up when you want to watch an online video.
- Resist the temptation to install free search bars, widgets and other apps unless you know for sure what they do and that they do not have a hidden agenda.
- Stay away from free photos, music and other media offered through unknown websites or through emails.
- Don’t download or install anything which you do not know 100% where it came from or the reason it needs to be used.
Be vigilant for phishing and hijacking:
- Always log onto financial or shopping sites manually by typing into the Location bar, never from a link in an email or a web page.
- Look at the URL in the Location bar to see if you arrive at the domain you expect for that institution. Your search or link may have been hijacked: there is malware that can redirect your Google or Yahoo search to unknown sites (see Redirect and DNSChanger Trojan info).
- Look for HTTPS and the lock icon on any page where you are entering personal data or passwords.
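The two checks above (expected domain, HTTPS) can be made mechanical. This is an added example, not part of the original article; `mybank.example` and the sample URLs are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# url_host URL -> prints the lower-cased host the browser would actually contact.
# (Simplified: does not handle bracketed IPv6 literals.)
url_host() {
    rest=${1#*://}          # drop "scheme://"
    rest=${rest%%[/?#]*}    # drop path, query and fragment
    rest=${rest##*@}        # drop "user@": text before the @ is NOT the site
    rest=${rest%%:*}        # drop ":port"
    printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
}

# check_site URL EXPECTED_DOMAIN -> prints a verdict, returns 0 only when the
# URL is HTTPS and its host is the expected domain or a subdomain of it.
check_site() {
    url=$1
    expected=$2
    case $url in
        https://*) ;;
        *) echo "WARN not-https"; return 1 ;;
    esac
    host=$(url_host "$url")
    case $host in
        "$expected"|*."$expected") echo "OK $host"; return 0 ;;
        *) echo "WARN unexpected-domain $host"; return 1 ;;
    esac
}

# Constructed sample URLs: the last two only *contain* the expected name.
for u in 'https://www.mybank.example/login' \
         'http://www.mybank.example/login' \
         'https://mybank.example.evil.test/login' \
         'https://mybank.example@evil.test/login'; do
    printf '%-42s ' "$u"
    check_site "$u" mybank.example || true
done
```

The point to take away is that the real site is whatever sits immediately before the first single slash, read from right to left; the expected name appearing somewhere else in the address proves nothing.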
Ignore bogus warning messages: Don’t respond to unexpected popup messages while you are using a Web browser. There are a number of companies that will put up a window saying that your machine is infected or has serious problems to try to scare you into downloading their ‘repair software’ or ‘antivirus software’. If in doubt, or if you can’t dismiss the window without clicking on one of their buttons, then Force Quit the browser, or if all else fails, Shut Down the Mac.
One type of malware will put up a message that a “Self Signed security certificate from Apple Inc. requires you to click Continue” – quit the browser instead. More information here.
Don’t log into public WiFi hotspots unless you are confident you are logging into a legitimate network. An easy hack is for someone to go into a cafe with a laptop and open a public hotspot called “RestaurantWiFi” or “CafeHotSpot”. As the owner of the router, they can then capture and see all of the internet traffic from anyone who logs into their network.
- Apple has an OS X security document here: http://www.apple.com/macosx/security/
- In-depth PDF Security Guides for OS X 10.3 – 10.6
- The NSA in the US has developed a downloadable pamphlet (PDF) for security of Mac OS computers within the government. Some of the recommendations go beyond what is reasonable for a personal user, but they all bear considering.
Something the NSA document doesn’t address – attend to the physical security of your data. All bets are off if a stranger has your machine or data storage device. More laptops, phones and storage devices (like USB memory ‘keychain drives’) are lost and stolen than are ever hacked into. Opportunistic snooping by co-workers and acquaintances is more common than network snooping.
- Use a cable lock on a laptop in a public place (including a university dorm),
- don’t let a portable machine be unattended in or out of its carrying case,
- encrypt the data that you put on USB memory keychain drives,
- put a screen lock on smartphones and tablets, and
- don’t walk away from a machine while your account is logged in – put it to sleep with a password required to wake up, or log out of your account altogether.
To summarize the software steps you can take to be more secure:
Use Apple’s Software Update – keeping your OS X, Safari, Java and related software (including other Web browsers and Adobe Flash Player and Adobe Reader software) continuously up to date is the best defense against potential viruses or exploits. Just because there are no live Mac OS X viruses and only a handful of Trojan horses doesn’t mean there won’t be more in the future.
Apple, Microsoft and Adobe continuously add anti-malware features to their software. If you want to force Apple Software Update to get the latest malware definitions, go into System Preferences: Security: General and un-check the box for “Automatically update safe downloads list” then re-check the box and close System Preferences. If you want to check the date of the latest update, follow the instructions here at MacWorld or download this little Safe Download app from MacObserver. Keep your Microsoft Office software up to date as well with AutoUpdate. If you are using the outdated Office 2004 or Word 2004 or 2008, these have known vulnerabilities, and you should seriously consider replacing the Microsoft software with the latest 2011 version.
Note: Never use an updater from an unknown website or from an email link. Malware writers can package their installer into phony updaters for Adobe Flash Player and other programs. Always get your updaters and installers from the manufacturer’s official website.
Turn off automatic login: Open the Accounts pane in System Preferences.
Disable Automatic Login and User List: Click on “Login Options.” Set “Automatic login” to “Off.” Set “Display login window as” to “Name and password.”
Disable guest account, remote access and sharing: Select the Guest Account and then disable it by unchecking “Allow Guest to log in to this computer.” Uncheck “Allow guests to connect to shared folders.” Unclick everything you don’t absolutely need in System Preferences: Sharing.
Turn off Airport (WiFi) and Bluetooth if you don’t need them. Not only will your machine be more secure, a notebook or smartphone battery will last longer. System Preferences: Bluetooth and System Preferences: Network: Airport (or use the icons at the top right of the screen)
Create another Standard (non-Admin) User account for day to day logging in when you are surfing or reading email or using the machine in public. Use an Administrative User account with its ability to install software only when you need to install or update your computer.
Use Private Browsing in your Web browser
Firefox: Tools: Start Private Browsing
This will delete history and cookies when you exit the browser session.
In the System Preferences Security pane
- Require password “5 seconds” after sleep or after the screen saver begins
- Disable automatic login – force yourself to re-enter your password each time
- Use secure virtual memory – this encrypts the virtual memory file on the hard drive which otherwise may contain accounts and passwords
- Disable Location Services (if present)
- Disable remote control infrared receiver (if present)
Consider turning Location Services off on your iPhone or iPad as well. Think about how badly you really want Google Maps, Foursquare or Yelp to know where you are every minute. You’d be surprised the number of apps which request to know all about your location.
Encrypt your data – on a portable machine, consider using FileVault to encrypt your data. Keep in mind that this will cause trouble if you forget your password, and makes recovering a crashed hard drive harder. There have been reports of people losing their data with FileVault, so use with caution. As an alternative, use the open-source TrueCrypt to create encrypted folders on your hard drive and on USB storage devices.
Enable your firewall: In the System Preferences: Security: Firewall tab, click “Start” to turn the firewall on. Next, click on “Advanced…” and enable “Block all incoming connections.” If you are using an Apple TV or file sharing with other Macs, you will have to modify these settings. http://support.apple.com/kb/ht1810
In Safari, turn off the “Open safe files after downloading” setting in the General tab. You do not want downloads to automatically open.
Turn off Java in your browser if you are not using it (and chances are, you are not).
Anti-virus scanners: There are some anti-malware programs available for Mac OS X; here is a backgrounder, and a review of 5 programs. Note: I recommend that you do not download or install the program called MacKeeper.
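Several of the System Preferences settings listed above can be verified from Terminal without changing anything. The script below is an added example, not from the original article; it assumes the preference domains and keys used by OS X releases of this era (newer macOS versions may store them elsewhere), and the function names are hypothetical.

```shell
#!/bin/sh
# Read-only audit of the login, firewall, screen-lock and Safari settings
# recommended above. Assumption: the domains/keys below are where OS X of this
# era keeps them; a missing key is reported as CHECK, never as PASS.
LW=/Library/Preferences/com.apple.loginwindow
ALF=/Library/Preferences/com.apple.alf

# pref DOMAIN KEY -> prints the stored value, or nothing if the key is unset
pref() { defaults read "$1" "$2" 2>/dev/null || true; }

# verdict ACTUAL WANTED LABEL -> one PASS / CHECK / FAIL line
verdict() {
    if [ "$1" = "$2" ]; then echo "PASS $3"
    elif [ -z "$1" ]; then echo "CHECK $3 (not set, verify in System Preferences)"
    else echo "FAIL $3 (found $1, want $2)"
    fi
}

check_autologin() {   # autoLoginUser exists only while automatic login is on
    user=$(pref "$LW" autoLoginUser)
    if [ -z "$user" ]; then echo "PASS automatic login off"
    else echo "FAIL automatic login on (found $user)"
    fi
}
check_guest()       { verdict "$(pref "$LW" GuestEnabled)" 0 "guest login disabled"; }
check_loginwindow() { verdict "$(pref "$LW" SHOWFULLNAME)" 1 "login window asks for name and password"; }
# globalstate: 0 = off, 1 = on, 2 = block all incoming connections
check_firewall()    { verdict "$(pref "$ALF" globalstate)" 2 "firewall blocks all incoming"; }
check_screenlock()  { verdict "$(pref com.apple.screensaver askForPassword)" 1 "password required after sleep or screen saver"; }
check_safari()      { verdict "$(pref com.apple.Safari AutoOpenSafeDownloads)" 0 "Safari does not open downloads automatically"; }

audit_mac() {
    check_autologin; check_guest; check_loginwindow
    check_firewall; check_screenlock; check_safari
}

# Run only where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then audit_mac; fi
```

A firewall result of "found 1" means the firewall is on but not blocking all incoming connections, which is the expected state if you followed the Apple TV or file sharing exception above.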
- Avast Free Antivirus for Mac 7.0
- Avira Free MacSecurity 1.0
- PC Tools has a free antivirus http://www.iantivirus.com/
- As does Sophos http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx
- ClamXAV is open source antivirus software
- Kaspersky Labs offers a 30 day free trial of their commercial AV software
Windows Viruses and Malware: Remember that if you install Windows in Bootcamp or a virtual machine environment, you will need to take anti-virus and anti-malware precautions like any other Windows user http://computer-answers.ca/category/computer-questions/windows-questions/viruses-malware/
More information on securing a Macintosh, written by an analyst from Kaspersky Labs, is here.