Most exploits occur over the Internet, so this is a no-brainer. When you do not need to have an Internet connection going, go to the Wireless icon and select Turn Wifi Off. (Or disconnect the Ethernet cable if you use that.)
Bluetooth may be useful for connecting to an external keyboard at home, or to a fitness device, but if you don’t need it, it is prudent to switch it off since it offers a potential, if rare, means of attack. (This is less so today than in its early days.)
It is also useful for surveillance. Your Bluetooth device’s address can be obtained to identify and track you in public places. As a test, I tried detecting Bluetooth devices while driving down the road. The phones of people in passing cars were easily detected by my iSystem app.
Few people use the Ethernet port any longer. It is mainly useful for technology professionals in communicating with routers and servers. If you don’t need to use it, go into the Ethernet settings, select Disable for the Configure IPv4 setting. For the IPv6 setting select Local Link Only.
Most people never need Firewire. If you don’t, go into the Firewire settings, select Disable for the Configure IPv4 setting. For the IPv6 setting select Local Link Only.
Trivia: It has been discovered that a Mac that is asleep can provide access to the entirety of its RAM through the Firewire port via DMA (direct memory access). Thus it can be used to copy data. It’s a rare exploit, especially since it requires physical access to a computer when it’s asleep, but it’s another reason to disable Firewire.
It is unwise to use iCloud or any other cloud-based online storage service such as Dropbox, convenient though it may be. If you do not encrypt your files before you upload them, they can be copied and used right away or years from now, e.g. by governments, by people who hacked into the cloud, and by employees of the cloud service.
The typical argument that it doesn’t matter if they’re stolen is a form of denial. You may not want to imagine the numerous outrageous ways in which, for instance, your photos can be used, but that doesn’t mean that others feel so inhibited.
The practice of encrypting data before storing it in the cloud is called TNO: Trust No One. Security professionals recommend a TNO approach.
You really should not use free online email services either, such as these:
Surveillance is the killer app of the Internet.
Long before Edward Snowden, it was exposed on Cryptome.org that Yahoo charges the US government only US $60 for a year’s worth of a user’s emails.
Not everything has to be on your computer. Critical data such as your social security number, tax records, legal paperwork, birth certificates, passwords, ID cards, immigration documents, sexy photos and revealing private videos should be located on encrypted external media from start to finish.
Any laborer or landlord who walks into your apartment and sees a USB drive sitting on the table could in theory steal it, or copy it without your knowing. It’s wise to encrypt such drives to at least protect your data.
You may think you know what’s on a drive, but in truth most people are largely ignorant of where they’ve put their numerous files.
To encrypt a USB or hard drive, format it for Mac OS (not Windows FAT) and tell Disk Utility to encrypt it.
External media that are not in use should be locked away.
When you delete a file, use the Finder’s Secure Empty Trash [sic] feature. You should go into the Finder preferences and set secure erasure to be the default method.
But note, data deletion that is not done by the Finder, but rather is done automatically by programs like browsers, will probably not be done securely.
To make sure that no deleted data can be un-deleted, you can periodically run Disk Utility and use the Erase Empty Space feature. This will make sure important data like deleted web browser cache data and web history cannot be recovered.
It was revealed on Consumerist.com that workers in Best Buy’s Geek Squad service were regularly copying customers’ photos and other content onto personal thumb drives during the course of repairing their computers. Would Apple’s geniuses not do the same? Who can say, except an insider.
An article:
Geek Squad Accused Of Stealing and Distributing Customer’s Naked Photos.
Don’t be fooled by low prices. When you sign up with cheap services, they could just make up for the lack of profits by selling you out.
I discovered to my surprise that the Universal Terms of Service provided by GoDaddy and its various resellers has an enormous qualification: They claim ownership of your User Content if it is within a subcategory called User Submissions. The problem is, they never define what part of your data falls into that subcategory and what does not.
You should always take the time to read the fine print.
Never buy or use a USB thumb drive that cannot be attached to your keychain. A thumb drive without a keychain hook or that is not on your primary or only keychain is easily lost or stolen.
A thumb drive should always be encrypted unless it’s solely for use in
Give each thumb drive a name indicating what it’s for and mark it to indicate its purpose e.g. AUDIO BOOK FOR CAR.
Never use a thumb drive that you find sitting in public somewhere. Leaving a thumb drive on a ledge or table is a classic means of infecting computers at e.g. a nearby business or government organization.
After you enable your firewall (see section 3 below) you should enable its stealth mode. This should prevent your computer from broadcasting its existence to other computers on a network.
An alternative method is to disable the Bonjour service, which tells other Macs near you what services you have to offer them, and tells you what they can offer you.
Two rules of thumb:
In Mountain Lion, you can go into Settings, Security, Firewall, and Firewall Options and select Enable Stealth Mode (for good measure), and then Block All Incoming Connections.
Another approach is to use the command line to edit the file /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist. In the ProgramArguments section, insert a string entry called -NoMulticastAdvertisements. Then reboot.
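Editing that plist by hand in vi is error-prone, so here is an added Python example (not from the original page) that does the same edit with the standard plistlib module, which reads both XML and binary plists: it appends -NoMulticastAdvertisements to ProgramArguments exactly once, leaves the file alone if the flag is already there, and keeps a .bak copy. SAMPLE_PLIST is a constructed stand-in for the real launch daemon file; patch_file() would be run with sudo against the actual path, followed by the reboot the text calls for.

```python
import plistlib

# The flag the text above says to add to the mDNSResponder launch daemon.
FLAG = "-NoMulticastAdvertisements"

# Constructed stand-in for /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist.
# The real file carries more keys; only ProgramArguments matters for this edit.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.mDNSResponder</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/mDNSResponder</string>
    </array>
</dict>
</plist>
"""


def add_flag(plist_bytes, flag=FLAG):
    """Return (new_plist_bytes, changed). Appends `flag` to ProgramArguments
    unless it is already present, so the edit is safe to repeat."""
    data = plistlib.loads(plist_bytes)
    args = data.setdefault("ProgramArguments", [])
    if not isinstance(args, list):
        raise ValueError("ProgramArguments is not an array")
    if flag in args:
        return plist_bytes, False
    args.append(flag)
    return plistlib.dumps(data), True


def program_arguments(plist_bytes):
    """Convenience accessor used to verify the result."""
    return plistlib.loads(plist_bytes)["ProgramArguments"]


def patch_file(path, flag=FLAG):
    """Apply add_flag() to a file on disk, keeping a backup of the original.
    /System/Library is root-owned, so this has to run under sudo."""
    with open(path, "rb") as f:
        original = f.read()
    new, changed = add_flag(original, flag)
    if changed:
        with open(path + ".bak", "wb") as f:
            f.write(original)
        with open(path, "wb") as f:
            f.write(new)
    return changed


if __name__ == "__main__":
    patched, changed = add_flag(SAMPLE_PLIST)
    print("changed:", changed)
    print("ProgramArguments:", program_arguments(patched))
```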
If you must use Bluetooth, disable discovery in the Bluetooth settings. You can also do this in the Bluetooth-icon pulldown menu.
It is almost always a bad idea to leave sharing services on. If you must use a sharing service, do so only temporarily when you need it, then switch it off again. Go into Sharing settings and uncheck everything.
I recently discovered that a Google mail plugin was periodically running and checking to see what drives I have mounted on my system, e.g. whether I have a USB drive plugged in. This is very odd because:
sudo rm -rf /System/Library/InternetAccounts/Google.iaplugin
You’ll need to enter your password to delete the plugin.
There are other plugins in that folder that you can delete if you are sure you don’t need them. They include:
sudo rm -rf /System/Library/InternetAccounts/126.iaplugin
sudo rm -rf /System/Library/InternetAccounts/163.iaplugin
sudo rm -rf /System/Library/InternetAccounts/AOL.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Exchange.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Facebook.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Flickr.iaplugin
sudo rm -rf /System/Library/InternetAccounts/LinkedIn.iaplugin
sudo rm -rf /System/Library/InternetAccounts/QQ.iaplugin
sudo rm -rf /System/Library/InternetAccounts/TencentWeibo.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Tudou.iaplugin
sudo rm -rf /System/Library/InternetAccounts/TwitterPlugin.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Vimeo.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Weibo.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Yahoo.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Youku.iaplugin
sudo rm -rf /System/Library/InternetAccounts/iCloud.iaplugin
Very few people need these. For good measure, go into Settings, Security, Privacy and disable both Location Services and the IR receiver.
Location Services are mainly useful for the Maps program.
If you don’t have any older Canon printers on your network, you don’t need CIJScannerRegister. This program sends out UDP packets looking for these printers. If you have many Macs on a network this can add to the congestion, but even if you only have one, the fact that CIJScannerRegister is sending out these packets could leave you open to attacks, because
To remove CIJScannerRegister, use this Terminal command:
sudo rm -rf "/Library/Image Capture/Support/LegacyDeviceDiscoveryHelpers/CIJScannerRegister.app"
Note, CIJScannerRegister appears to have been removed from OS/X Mavericks.
You should always have your Mac behind a physical firewall such as the one in your Wifi router, but you will also need to enable Apple’s built-in Firewall capability, especially if you will use your Mac on an unencrypted public Wifi.
Go into Settings, Security, and Firewall to find it and start it.
Encrypt your entire drive using FileVault. The first time you enable it, it will require up to an hour to encrypt your drive.
If you also have Windows installed on your computer via BootCamp, FileVault will prevent Windows programs from reading your Mac files, and that’s generally good, especially if your Windows setup gets infected with malware.
The firmware password is not your normal login password, but rather the password that lets the Mac boot from a disk other than your hard drive. Adding it is done using the OS/X installation disk, if you have one. By enabling a firmware password, you prevent other people from booting up your computer from a CD-R or DVD-R disc or from a USB flash drive.
This can be very important, because if you fail to add a firmware password and you fail to encrypt your hard drive, crooks and ne’er-do-wells can potentially walk up to your unattended Mac, boot from a thumb drive and steal all of your data.
At night, or whenever you are not at home, there is no need for your router to be powered up. Having it on means that someone can theoretically hack into the router itself from anywhere on the planet.
If you think such a thing is unlikely, just google port 32764 backdoor. There are several ways to break into a Wifi router and port 32764 is perhaps the latest one to be discovered. Check it by clicking here.
Set the administration password on your Wifi router (not just the encryption password) to something very hard to guess, and make sure you disable remote log-in. Also disable logging into the router via Wifi: require a connection with a cable.
If you must set up your Wifi router for port forwarding, make sure you turn off that feature immediately after you’re done with it. Otherwise you’re just providing a means for outsiders to bypass the firewall.
An example of an activity that often leads to port forwarding being left on is when gamers use it to play video games with other people from around the world. Since Macs are less commonly used for gaming than are Windows PCs and gaming consoles, this may not apply to you.
An example of a situation in which port forwarding is useful but potentially dangerous is when you set it up to permit you into your Mac from afar using ssh (secure shell). Remote login is a standard feature of OS/X that is enabled in Settings, the Sharing section, by clicking Remote Login. For such an activity you’d be opening port 22 on your Wifi router to let outsiders (hopefully only you!) who are using ssh or sftp enter your machine.
If, in the worst case, you leave Remote Login enabled on your Mac and port forwarding enabled on your Wifi router and leave your router itself powered up e.g. at night, this could be very bad.
Most Wifi routers support universal plug-and-play, which can reveal information about what’s on your network to people who are far away. You should always make sure that UPnP is switched off. However, you should also be aware that some routers, even if you tell them to switch off UPnP, leave it partially on anyway.
This is a no brainer. If people are able to get onto your Wifi network, they can read most of the data that is passing across the network. This means they can analyze it and record it. Even though much of your data will be useless to them, some of it could be quite useful. For instance, some email services even today fail to encrypt emails when your mail reader downloads them.
So enable the Wifi password, and use WPA2 encryption.
Note that WEP encryption is not secure and should not be used. It was not actually designed by security professionals.
If you know your router’s name, you don’t need to tell the world about it. Letting everyone in the neighborhood know the name (the SSID) is dangerous because it means they can then commence with trying to break into your Wifi network.
If more than one person will use your computer, each with his own account, make sure that users cannot access one another’s files.
This pertains to the files in your home directory. Most users don’t need to worry about this since they don’t put files in their home directory.
Make sure that files and subdirectories in your home directory are accessible only by you, and not by people in your group or by everyone. Directories should have permissions 0700 and files should be 0600.
The only directory that should be 0777 is ~/Public, which is the sharing directory.
A pitfall: Files copied from a Windows thumb drive, which typically has a FAT32 file system, will often be automatically set to 0644, and directories to 0755, which lets any other user on your Mac access them if those files are in your home directory.
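Checking these modes by hand across a whole home directory is tedious, so here is an added Python example (not from the original page) that walks a directory, reports every file or subdirectory whose mode grants any access to group or others, and can then tighten them to 0700 for directories and 0600 for files. It skips ~/Public, which the text says is the one directory meant to be shared. demo() builds a throwaway directory with constructed sample files, including the 0644/0755 modes described for copies from a FAT32 thumb drive; to audit your own account, call audit_home(os.path.expanduser("~")).

```python
import os
import stat
import tempfile

DIR_MODE = 0o700
FILE_MODE = 0o600
GROUP_OR_OTHER = 0o077          # any of these bits set means other users can get in
EXEMPT_DIRS = {"Public"}        # the sharing directory stays world-accessible


def audit_home(home):
    """Return sorted (relative_path, actual_mode, wanted_mode) for every entry
    under `home` that group or others can access. Symlinks are judged by their
    own mode (lstat) and not followed."""
    findings = []
    for root, dirs, files in os.walk(home):
        if root == home:
            dirs[:] = [d for d in dirs if d not in EXEMPT_DIRS]
        for name in dirs:
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & GROUP_OR_OTHER:
                findings.append((os.path.relpath(path, home), mode, DIR_MODE))
        for name in files:
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & GROUP_OR_OTHER:
                findings.append((os.path.relpath(path, home), mode, FILE_MODE))
    return sorted(findings)


def fix(home, findings):
    """Apply the wanted mode to each reported entry."""
    for rel, _actual, wanted in findings:
        os.chmod(os.path.join(home, rel), wanted)


def demo():
    """Build a constructed home directory and audit it. Returns (path, findings)."""
    home = tempfile.mkdtemp(prefix="fakehome-")

    def make_dir(rel, mode):
        path = os.path.join(home, rel)
        os.mkdir(path)
        os.chmod(path, mode)            # chmod explicitly; mkdir's mode is umask-masked

    def make_file(rel, mode):
        path = os.path.join(home, rel)
        with open(path, "w") as f:
            f.write("constructed sample\n")
        os.chmod(path, mode)

    make_dir("Documents", DIR_MODE)
    make_file("Documents/taxes.pdf", FILE_MODE)      # already private
    make_dir("Documents/from_fat", 0o755)            # as copied from a FAT32 stick
    make_file("Documents/from_fat/photo.jpg", 0o644)
    make_dir("Public", 0o777)                        # sharing directory, exempt
    make_file("Public/shared.txt", 0o644)
    return home, audit_home(home)


if __name__ == "__main__":
    home, findings = demo()
    for rel, actual, wanted in findings:
        print(f"{rel}: {actual:04o} -> should be {wanted:04o}")
    fix(home, findings)
    print("after fix:", audit_home(home))
```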
Third-party cookies are a means by which people are tracked when they use the Internet.
If you begin to check who writes plugins, it quickly becomes apparent that many authors go by pseudonyms and never give their actual names. They also conceal their whereabouts in many cases, or they are located in faraway countries. This might not matter except for two key facts:
Food for thought:
When I asked a famous security researcher why more research is not being done into the risks posed by browser plugins, he answered that it’s just not cool enough.
Don’t assume that experts are working to keep you safe in every possible way. They may care more about getting their kicks or winning security competition prize money than about protecting you.
In 2010, the Chinese hacked into hundreds of American corporations, including Google. One means by which this was done was using malware-infected PDF files, sent to GMail accounts. Thus, you should not assume that PDFs are generally safe.
In 2011, a Mac-specific trojan OSX/Revir-B was found that hides inside PDFs. Sophos article.
99.9% of the time, you do not need Java, but if it’s enabled, it is a huge security risk, and the hackers in far-flung places like Mauritius and Kazakhstan know this.
Granted, some employers still require use of Java by their employees. Some Scandinavian banks allegedly require its use for online banking. On your personal computer however you generally do not need it.
To delete the Safari plugin:
sudo rm "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"
It’s very risky to leave Flash enabled or even installed. Flash may seem useful for watching videos on YouTube or Vimeo, but outside of that limited context it is a pretty pathetic technology.
Give a listen to how it is being used for nefarious purposes, such as recording your keystrokes:
In short, Adobe has done a horrific job of making Flash safe.
YouTube now supports HTML5 for watching many videos. Use that instead of Flash.
If you must use Flash, use it from within Chrome only and only go to specific websites, like YouTube, Xfinity, Vimeo and Hulu. Chrome is the wiser browser for Flash use because Google has their own variant of Flash that is based on Adobe’s code but is more secure. Verge article.
The copies of Flash that Safari or Firefox would use should be deleted.
In the directory /Library/Internet Plug-Ins, there is a part of the flash plugin for Safari. Use this command to remove it:
sudo rm "/Library/Internet Plug-Ins/flashplayer.xpt"
For technical reasons, it turns out that places like coffeehouses and restaurants that offer free Wifi are the least secure environments in which to do Web surfing.
An important point: It is in public Wifi locations that so-called zero day exploits are most likely to be deployed. A zero-day is simply one that security researchers have not yet become aware of, but the spooks and criminal gangs do know about.
The main way public Wifi can be made secure is for the business to enable encryption on its Wifi router, and that encryption has to be WPA. That protects you from other customers as well as from people outside the building.
Without WPA encryption enabled, other people can potentially intercept your Internet traffic and even hijack your online account(s) using man in the middle attacks. If you must use non-encrypted public Wifi like at Starbucks, don’t access personal online accounts such as email.
Actually, some have asserted that even having WPA enabled is not enough, since miscreants can still snoop the key-exchange that is done when WPA is starting up, which is done in the clear.
One way to make public Wifi secure for you only is to use a VPN connection. Companies often require this for their employees’ computers.
A common type of exploit termed Cross Site Scripting or XSS involves a user clicking on a link, such as in an email, that hijacks a current session that you have open at a website like Facebook or Gmail. This type of exploit cannot succeed if you are logged out. Therefore always log out of your accounts when you are not using them.
The great masses of illicit video, music and photo content that are available on the web appear to be made available as-is. There is not much evidence that anyone checks them for malware. Let’s say 1 in 1000 files has malware that stealthily takes over your computer. If you view such materials on a regular basis, it is inevitable that you will get an infection sooner or later.
Rule 1: If you want illicit movies or TV shows, buy the DVDs and play them on your TV. Or rent them from your local library, which may be quite cheap or free.
Rule 2: If you want to look at interesting photos of bikini-clad women or accidents or whatever, consider doing it from within a virtual machine e.g. using VMWare or Parallels.
Rule 3: If you want to listen to music before buying it, go to the video-upload websites like YouTube rather than to download sites. This is where the artists expect and want you to go.
It turns out that Mozilla decided to allow add-ons in Thunderbird, and in the version I downloaded, Java is enabled by default. So if you use Thunderbird you will need to go into the Tools menu, select Add-Ons and disable all of them for your safety.
Specific domains that cause excessive or unknown traffic can often be blocked using a simple method: Add them to your /etc/hosts file, specifying their IP address as 127.0.0.1. This is also a good way to block ads, if you know the domains they’re using. Example:
sudo vi /etc/hosts
Adding lines such as:
127.0.0.1 akamaiedge.net
127.0.0.1 trafficjunky.net
127.0.0.1 akamaitechnologies.com
127.0.0.1 a23-62-228-16.deploy.static.akamaitechnologies.com
127.0.0.1 syndication.exoclick.com
127.0.0.1 exoclick.com
127.0.0.1 1e100.net
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 nuq04s19-in-f7.1e100.net # etc.
127.0.0.1 nuq05s02-in-f15.1e100.net
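One thing the list above shows only implicitly is that a hosts entry matches one exact hostname: 127.0.0.1 exoclick.com does nothing for syndication.exoclick.com, which is why both names are listed. Here is an added Python example (not from the original page) that parses a hosts file, appends blocking lines without duplicating ones already present, and answers the exact-match question for a given name. SAMPLE_HOSTS is a constructed file in the layout of the stock OS X /etc/hosts; on a real system you would read /etc/hosts, pass the result through add_blocks(), and write it back with sudo.

```python
LOCALHOST = "127.0.0.1"


def parse_hosts(text):
    """Map every hostname in a hosts file to its address.
    Comments and blank lines are dropped; later lines overwrite earlier ones."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed line: address with no names
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping


def add_blocks(text, hostnames):
    """Append one '127.0.0.1 <name>' line per hostname not already listed.
    Returns (new_text, names_added); a second call adds nothing."""
    existing = parse_hosts(text)
    out = text if (text == "" or text.endswith("\n")) else text + "\n"
    added = []
    for name in hostnames:
        name = name.strip().lower()
        if name and name not in existing:
            out += f"{LOCALHOST} {name}\n"
            existing[name] = LOCALHOST
            added.append(name)
    return out, added


def is_blocked(text, hostname):
    """True only for an exact hostname match: an entry for exoclick.com does
    not cover syndication.exoclick.com, so subdomains need their own lines."""
    return parse_hosts(text).get(hostname.lower()) == LOCALHOST


# Constructed sample in the layout of the stock OS X /etc/hosts; not a real file.
SAMPLE_HOSTS = """##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
"""

if __name__ == "__main__":
    new_text, added = add_blocks(SAMPLE_HOSTS, ["exoclick.com", "pagead2.googlesyndication.com"])
    print("added:", added)
    print("exoclick.com blocked:", is_blocked(new_text, "exoclick.com"))
    print("syndication.exoclick.com blocked:", is_blocked(new_text, "syndication.exoclick.com"))
```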
For visiting risky websites, don’t use a mainstream graphical browser. Use a text-based browser in Terminal. Links is a good one. It does not come preinstalled, but you can download it, build it and install it.
Firefox does not have an ad-blocker built in. Most people use Ad Block Plus, which is a Firefox extension.
There are now websites that can run a series of tests on another website that you specify. You can thereby assess whether the specified site will try to attack your computer. Malicious sites typically do this by exploiting vulnerabilities in web browsers.
One such scanner is: Sucuri SiteCheck.
Safari supports automatic software installation without your approval, and exploiters have used this feature to install malware. You can disable it ostensibly by going into preferences and disabling automatic opening of safe downloads.
Emails that contain images may seem like a safe convenience, but in fact there are risks to do with displaying them.
Some browsers such as Safari have a setting that gives it your permission (set to Yes by default) to automatically open some files that it deems to be safe. The issue here is, it is not worth trusting the browser to make that decision for you.
When you log in to the free Wifi at a business such as a coffeehouse, you often see a pop-up window appear saying “Click to accept our terms of service”. This is where your privacy gets violated. When you press Accept, the Javascript that is running in that popup puts your current MAC address into the URL that it sends to a server.
Why this is done only they know. My guess is that they are trying to make money by selling information about your doings and whereabouts using your MAC as the tracking identifier. If your MAC can be linked to your identity, for instance by examining your Web traffic, it can become even more valuable.
Furthermore if an alliance of retail companies were to share this information among themselves, they could track your movements throughout the day based on what businesses you go near. You don’t even have to enter a business: The Wifi signal travels outside the store. You could drive past a business and still be identified.
If any of that makes you uncomfortable or creeps you out, you can change your Mac’s Wifi MAC address like so:
sudo ifconfig en0 ether NEW_MAC_ADDR
sudo arp -a -d
Even today, Microsoft’s Office for Mac is an overpriced, low-quality variant of their Office product for Windows. But worse than that, in-document scripting is still enabled by default, which unnecessarily leaves open a conduit for malware exploits to be launched. It is a vulnerability that has been exploited extensively by hackers in the past.
The best rule of thumb is, if you did not compile a free program yourself from the source code, assume that it has malware in it, and don’t use it. In order to compile it you obviously need the source code, and if the source code is not available (i.e. it is closed source) then you should wonder what they are hiding.
Unfortunately some of the bigger apps are not made easy to build by users. Firefox, for example. Indeed it is the apps that are most critical to most people’s workflows that are most difficult to build.
Virtual machines like VMWare, Parallels and VirtualBox all present a potential risk of spying on your activities by the companies that make them. Think about it. These machines know every network connection your virtualized software is making, every keystroke that you type, every mouse click. If any of the companies that make these programs has a contract with an oppressive, spying-prone government or corporate espionage company, they could provide a record of everything that you do in a virtual machine to said malefactor company.
In addition, some virtual machines have vulnerabilities themselves, and bad people have written malware to use them. There are known breakout exploits in which malware running within a VM uses vulnerabilities in the VM software to find a way out of the running VM and into your main OS.
When you log in, some programs automatically launch. Some programs that do so can be found and removed if you run Settings, click on Users and Groups, select the tab Login Items.
From the command line, you may also find launch data in ~/Library/LaunchItems. You can stop them from launching after login by removing their launch plist files.
A keylogger is a program that records every keystroke that you type and periodically sends those keystrokes to a server run by criminals or spooks.
A common Mac keylogger is ABK. Look for it using Spotlight, or use the find command to search in these directories:
~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/System/Library/LaunchAgents
/System/Library/LaunchDaemons
/System/Library/StartupItems
You can also check your non-Apple KEXT files related to keyloggers. For example Blazing Tools Perfect Keylogger shows up as com.BT.kext.bpkkext in the output of this command:
kextstat -kl | awk '!/com.apple/{printf "%s %s\n", $6, $7}'
Having a commercial antivirus running can be a security risk in its own right.
There is a free and open-source antivirus scanner called ClamAV that, if you are a technically savvy person, you can download, build, install, and run from the command-line. ClamAV link.
Infections are inevitable. Antivirus does not fully undo an infection. The best solution for security is to reinstall the OS from time to time, e.g. once per month, after reformatting the hard drive. Like brushing one’s teeth or tying one’s shoelaces, this is not difficult once it becomes routine.
The first account that you create is given administrator rights. That’s dangerous, because if you inadvertently run a malware-infected program, it can do more damage to your system than if you ran it from a regular user account.
Therefore, when you install OS/X, call your first account admin, and then create a separate non-admin account that you will use 98% of the time.
But you ask: Why? Isn’t this just paranoia? No. An example:
Taiwanese security researchers found, and reported at the Black Hat Europe 2014 conference, that Apple foolishly allows any user with admin privileges to install kernel drivers. They found this ability was still present in Yosemite when it was released.
It can be important to block risky outgoing connections. You cannot be 100% sure that some random program you’ve downloaded is not a trojan horse that will upload your data to a server.
A simple script like the following, run using sudo, can stymie some spying efforts.
#!/bin/sh
# Deny outgoing traffic to address ranges you do not trust (and incoming traffic
# from one source range) using ipfw. Run with sudo. The -q flag keeps ipfw quiet
# and skips the confirmation prompt on flush; "log" records each denied packet.
# Note: ipfw was deprecated in OS X 10.7 and removed in 10.10 (Yosemite), where
# pf replaces it.
IPFW="ipfw -q "
$IPFW flush
$IPFW add deny log dst-ip 173.194.0.0/16
$IPFW add deny log dst-ip 184.84.0.0/14
$IPFW add deny log dst-ip 208.91.0.0/22
$IPFW add deny log dst-ip 23.0.0.0/8
$IPFW add deny log dst-ip 239.200.3.0/24
$IPFW add deny log dst-ip 64.4.61.0/24
$IPFW add deny log dst-ip 93.184.0.0/16
$IPFW add deny log src-ip 82.128.0.0/16
$IPFW list
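The script above denies by address range, and it is easy to lose track of what a given range actually catches. As an added Python example (not from the original page), the following evaluates the same deny rules in order against constructed connection records, mimicking ipfw’s first-match semantics, and reports how many addresses a rule covers: 23.0.0.0/8 alone covers over sixteen million addresses, so expect a rule that broad to break legitimate sites as well as the ones you meant to block. The flows in SAMPLE_FLOWS are made up for illustration.

```python
import ipaddress

# The deny rules from the ipfw script above, as (field, CIDR) pairs, in the
# order ipfw evaluates them.
RULES = [
    ("dst-ip", "173.194.0.0/16"),
    ("dst-ip", "184.84.0.0/14"),
    ("dst-ip", "208.91.0.0/22"),
    ("dst-ip", "23.0.0.0/8"),
    ("dst-ip", "239.200.3.0/24"),
    ("dst-ip", "64.4.61.0/24"),
    ("dst-ip", "93.184.0.0/16"),
    ("src-ip", "82.128.0.0/16"),
]


def compile_rules(rules):
    """Parse the CIDR strings once so matching is cheap."""
    return [(field, ipaddress.ip_network(cidr)) for field, cidr in rules]


def match_rule(compiled, src, dst):
    """Return (field, cidr) of the first deny rule matching a packet from src
    to dst, or None. Like ipfw, evaluation stops at the first match."""
    src_addr = ipaddress.ip_address(src)
    dst_addr = ipaddress.ip_address(dst)
    for field, net in compiled:
        addr = dst_addr if field == "dst-ip" else src_addr
        if addr.version == net.version and addr in net:
            return field, str(net)
    return None


def rule_size(cidr):
    """Number of addresses a rule covers; a quick check for over-broad blocks."""
    return ipaddress.ip_network(cidr).num_addresses


# Constructed connection attempts: (source, destination, label). Not real traffic.
SAMPLE_FLOWS = [
    ("192.168.1.10", "173.194.33.5", "to 173.194.0.0/16"),
    ("192.168.1.10", "93.184.216.34", "to 93.184.0.0/16"),
    ("82.128.7.9", "192.168.1.10", "from denied source range"),
    ("192.168.1.10", "198.51.100.7", "unlisted destination"),
]


def evaluate(flows, rules=RULES):
    """Label each flow with the rule that denies it (or None if allowed)."""
    compiled = compile_rules(rules)
    return [(label, match_rule(compiled, src, dst)) for src, dst, label in flows]


if __name__ == "__main__":
    for label, hit in evaluate(SAMPLE_FLOWS):
        verdict = f"DENY by {hit[0]} {hit[1]}" if hit else "allowed"
        print(f"{label:26s} -> {verdict}")
    for _field, cidr in RULES:
        print(f"{cidr:18s} covers {rule_size(cidr):>10,} addresses")
```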
Four additional commands:
sudo launchctl list | sed 1d | awk '!/0x|com.(apple|openssh|vix)|edu.mit|org.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
launchctl list | sed 1d | awk '!/0x|com.apple|edu.mit|org.(x|openbsd)/{print $3}'
ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
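Both the kextstat pipeline earlier and the two launchctl commands just above work the same way: take a listing, drop everything matching a pattern of known Apple and system prefixes, and look at what is left. Here is an added Python example (not from the original page) that applies exactly those awk patterns to captured output, so you can see which labels survive the filter and why the root and user patterns differ. The sample outputs are constructed; the only identifier taken from the page is com.BT.kext.bpkkext, which the text names as Perfect Keylogger’s kext. Note that awk’s /re/ tests the whole line unanchored, so a label that merely contains "0x" would also be hidden by these patterns; that behaviour is kept here.

```python
import re

# Exclusion patterns copied from the awk commands above. They match anywhere in
# the line, as awk's /re/ does.
USER_EXCLUDE = re.compile(r"0x|com\.apple|edu\.mit|org\.(x|openbsd)")
ROOT_EXCLUDE = re.compile(
    r"0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)"
)
APPLE_KEXT = re.compile(r"com\.apple")


def suspicious_launch_labels(launchctl_output, root=False):
    """Labels from `launchctl list` output that match none of the expected
    prefixes. Mirrors: launchctl list | sed 1d | awk '!/.../{print $3}'."""
    pattern = ROOT_EXCLUDE if root else USER_EXCLUDE
    labels = []
    for line in launchctl_output.splitlines()[1:]:     # sed 1d: skip the header
        fields = line.split()
        if len(fields) < 3 or pattern.search(line):
            continue
        labels.append(fields[2])                        # $3 is the Label column
    return labels


def non_apple_kexts(kextstat_output):
    """(bundle id, version) of every loaded non-Apple kext from `kextstat -kl`
    output, whose 6th and 7th whitespace-separated columns are Name and (Version)."""
    found = []
    for line in kextstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or APPLE_KEXT.search(line):
            continue
        found.append((fields[5], fields[6]))
    return found


# Constructed `launchctl list` output (PID, Status, Label separated by tabs).
SAMPLE_LAUNCHCTL = """PID\tStatus\tLabel
123\t0\tcom.apple.Finder
-\t0\tcom.apple.mdworker.bundles
-\t0\torg.cups.cupsd
456\t0\tcom.example.unknownagent
-\t1\torg.x.startx
789\t0\t0x7fa5c3c0a6e0.anonymous.bash
"""

# Constructed `kextstat -kl` output: Index Refs Address Size Wired Name (Version) <Linked>.
SAMPLE_KEXTSTAT = """   1    0 0xffffff7f80a1a000 0x8000  0x8000  com.apple.driver.AppleUSBHub (650.4.4) <5 4 3 1>
  95    0 0xffffff7f81e2a000 0x4000  0x4000  com.BT.kext.bpkkext (2.0) <7 5 4 3 1>
"""

if __name__ == "__main__":
    print("user-level labels to review:", suspicious_launch_labels(SAMPLE_LAUNCHCTL))
    print("root-level labels to review:", suspicious_launch_labels(SAMPLE_LAUNCHCTL, root=True))
    print("non-Apple kexts:", non_apple_kexts(SAMPLE_KEXTSTAT))
```

The user-level pattern does not exclude org.cups, so a CUPS job shows up in the per-user list but not in the root list; that is the difference between the two launchctl commands above, not a finding in itself.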
It might help to get an idea of what computers are close enough to attack your computer.
Let’s say for instance that you want to access your bank account online (bad idea) but you have roommates that you don’t know very well. In this case it might be wise to wait until other people are not using your network. But how do you know if they are? You have to detect their presence.
If you’re using a Wifi connection, especially in a public place, there may be many computers, phones, and tablets that are on the Wifi and able to snoop on your activity or to attack your computer.
Even if the owner of a device is benign, there may be malware on his or her device that is programmed to automatically seek out vulnerable devices or look for interesting data.
Using Terminal, run this command:
This lists any devices that your computer has knowledge of now, which may include devices that were previously on the network but recently disconnected. It is usually an incomplete list.
A more proactive way to see whether there is anyone else on your network is to use the command ping -i 5 -c 1 255.255.255.255 but this should only be done rarely as it makes your computer look suspicious.
There are a lot of things that you can do to secure your Mac, many of which do not require technical ability. They do require, though, that you think and use common sense.