Mac OS/X Security Tips



Revision 11
Copyright © 2011-2013.
All rights reserved.

Disclaimer:

Apple's Macintosh is less commonly a target of hacker attacks and exploits than is Windows, but delinquents and professional criminals are increasingly taking an interest in the Mac and OS/X. What follows is a list of tips that I have devised to explain how you can make your Mac more secure. This is not a complete list and I cannot provide any guarantee or warranty on this advice. Use it at your own risk. In the end, protecting your computer is your own responsibility.

1. Isolation

1.1. Disconnect your computer from the Internet.

Most exploits occur over the Internet, so this is a no-brainer. When you do not need to have an Internet connection going, go to the Wireless icon and select Turn Wifi Off. (Or disconnect the Ethernet cable if you use that.)

1.2. Disable Bluetooth.

Early in the history of Bluetooth, security experts described it as a security nightmare, although they now seem to say the situation has improved. Bluetooth is still imperfect. It may be useful for connecting to an external keyboard at home, but if you don't need it elsewhere, or at all, then by all means disable it in the Advanced part of the Bluetooth settings.

1.3. Disable the Ethernet port.

Few people use the Ethernet port any longer. If you don't, go into the Ethernet settings, select Disable for the Configure IPv4 setting. For IPv6 select Local Link Only.

1.4. Disable Firewire.

Most people never need Firewire. If you don't, go into the Firewire settings, select Disable for the Configure IPv4 setting. For IPv6 select Local Link Only.

Trivia: It has been discovered that a Mac that is asleep can have its entire RAM contents copied through the Firewire port via DMA (direct memory access). It's a rare exploit, especially since it requires direct access to your computer, but it's another reason to disable Firewire.

1.5. Do not use online storage.

Don't use iCloud or any other cloud-based online storage service like Dropbox -- unless you encrypt your files before you upload them, which most users never do.

The practice of encrypting data before storing it in the cloud is called TNO: Trust No One. Security professionals recommend a TNO approach.

1.6. Avoid free online services.

You also should really not use free online email services like Yahoo. Most corporations that run such services are all too eager to turn over your personal information to any nefarious company or government agency.

It was exposed on Cryptome.org that Yahoo charges the US government only $60 for a year's worth of a user's emails.

2. Disable risky services

2.1. Disable Bonjour.

In Mountain Lion, you can go into Settings, Security, Firewall, and Firewall Options and select Block All Incoming Connections.

To block outgoing connections, edit the file /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist and add a string entry -NoMulticastAdvertisements to its ProgramArguments array. Then reboot.

2.2. Disable Bluetooth discovery.

If you must use Bluetooth, disable "discovery" in the Bluetooth settings. You can also do this in the Bluetooth-icon pulldown menu.

2.3. Disable any Sharing services.

It is almost always a bad idea to leave sharing services on. If you must use a sharing service, do so only temporarily when you need it, then switch it off again. Go into Sharing Settings and disable everything.

2.4. Remove Google spyware that comes with Mail

I recently discovered that a Google mail plugin was periodically running and checking to see what drives I have mounted on my system, e.g. whether I have a USB drive plugged in. This is very odd because
  1. I was not running Mail at the time.
  2. I do not have a Gmail account.
  3. I was not logged into my Google account.
To prevent this kind of spying, you need to remove the offending plugin. But... warning! If you do this then you won't be able to use a Gmail account from within Mail! From Terminal, do this:
sudo rm -rf /System/Library/InternetAccounts/Google.iaplugin
You'll need to enter your password to delete the plugin.

2.5. Disable Location Services and the IR receiver.

Very few people need these. For good measure, go into Settings, Security, Privacy and disable both Location Services and the IR receiver.

3. Block outsiders

3.1. Enable the Firewall.

You should always have your Mac behind a physical firewall such as the one in your Wifi router, but you will also need to enable Apple's built-in Firewall capability, especially if you will use your Mac with a free, public Wifi.

Go into Settings, Security, and Firewall to find it and start it.

3.2. Check your file permissions.

This requires technical ability. Make sure that files and subdirectories in your home directory are accessible only by you, and not by people in your group or by everyone. Directories should have permissions 0700 and files should be 0600. Note that files copied from a FAT32 thumb drive will often be automatically set to 0644, and directories to 0755.
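As an added example (not from the original page), a shell script that audits a directory tree against those modes and can tighten it. It runs on a constructed temporary tree so it works anywhere; the function names are my own, and on your Mac you would call audit_perms and fix_perms on "$HOME".

```shell
#!/bin/sh
# Added example (not from the original page): find files and directories under a
# directory whose permissions are wider than the text recommends (directories 0700,
# files 0600) and, if wanted, tighten them. Typical use on a Mac: audit_perms "$HOME".

# mode_of PATH -> permission bits in octal; GNU stat first, then BSD (macOS) stat
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_perms DIR -> one line "<mode> <path>" per offending file or directory
audit_perms() {
    # an exact mode after -perm matches only that mode; "!" negates the test
    find "$1" \( -type d ! -perm 700 \) -o \( -type f ! -perm 600 \) \
        | sort | while IFS= read -r path; do
            printf '%s %s\n' "$(mode_of "$path")" "$path"
        done
}

# count_offenders DIR -> how many offending paths audit_perms reports
count_offenders() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# fix_perms DIR -> set directories to 0700 and files to 0600 under DIR
# (files copied from a FAT32 drive typically arrive as 0644 / 0755, as the text notes)
fix_perms() {
    find "$1" -type d ! -perm 700 -exec chmod 700 {} +
    find "$1" -type f ! -perm 600 -exec chmod 600 {} +
}

# Demo on a constructed tree so the script runs anywhere; on a Mac use "$HOME" instead
DEMO=$(mktemp -d)
mkdir -p "$DEMO/Documents" && chmod 755 "$DEMO/Documents"                # too open
: > "$DEMO/Documents/notes.txt" && chmod 644 "$DEMO/Documents/notes.txt"  # too open
audit_perms "$DEMO"
fix_perms "$DEMO" && echo "after fix: $(count_offenders "$DEMO") offending paths"
rm -rf "$DEMO"
```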

3.3. Enable FileVault to encrypt your hard drive

Encrypt your entire drive using FileVault. The first time you enable it, it will need perhaps an hour to encrypt your drive.

If you also have Windows installed on your computer via BootCamp, FileVault will prevent Windows programs from reading your files, but that's good.

3.4. Add a firmware (boot) password

The firmware password is not your normal login password, but rather the password that lets the Mac boot from a disk other than your hard drive. Adding it is done using the OS/X installation disk.

By enabling a firmware password, you prevent other people from booting up your computer from a CD-R or DVD-R disc or from a USB flash drive. If you fail to add a firmware password and you fail to encrypt your hard drive, this means crooks and ne'er-do-wells can easily walk up to your unattended Mac, boot from a thumb drive and steal your data.

3.5. Turn off your home Wifi router at night and when not at home.

At night, or whenever you are not at home, there is no need for your router to be powered up. Having it on means that someone can theoretically hack into the router itself from anywhere on the planet and if it is especially vulnerable, they can modify or replace the firmware to let them snoop on much of what you do online.

In addition, if someone has managed to learn your Wifi password and is situated nearby, having the router on gives them the chance to engage in illegal activities through your broadband connection, which puts you at risk.

4. Browse the Web wisely

4.1. Avoid Safari most of the time.

Except perhaps for accessing Apple's websites, you should not use Safari. Apple has been shown to be slow to update Safari to fix security issues when they arise.

If you must use Safari, go into its preferences and disable extensions, then disable plug-ins, then disable Java.

Safari supports automatic software installation without your approval, and exploiters have used this feature to install malware. You can ostensibly disable that feature by going into preferences and disabling the automatic opening of "safe" downloads.

4.2. Do not use unofficial Firefox plugins.

If you begin to check who writes plugins, it quickly becomes apparent that most authors go by pseudonyms and never give their actual names. They also conceal their whereabouts in many cases. This might not matter except for two key facts:
  • Plugins run JavaScript, which is a major mechanism for malware exploits.
  • It appears that plugins can in fact include object code, i.e. real non-scripted software.
Here's something to think about:
When I asked a famous security researcher why more research is not being done into the risks posed by browser plugins, he answered that it's just not cool enough.

Thus, don't assume that experts are looking to keep you safe. They may care more about getting their kicks than helping you.

4.3. Avoid PDFs except from reputable sources.

In 2010, the Chinese hacked into hundreds of American corporations, including Google. One means by which this was done was using malware-infected PDF files, sent to Gmail accounts. Thus, you should not assume that PDFs are generally safe.

Recently a Mac-specific trojan, OSX/Revir-B, was found that hides inside PDFs. See the Sophos article.

4.4. Disable Java in each browser.

99.9% of the time, you do not need Java, but if it's enabled, it is a huge security risk and the hackers in far-flung places like Kazakhstan know this.

Granted, some employers still require use of Java by their employees. For your personal computer however you generally do not need it.

To delete the Safari plugin:

sudo rm "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"

4.5. Disable Flash in each browser.

It's very risky to leave Flash enabled. Flash may seem useful for watching videos on YouTube, but give a listen to how it is being used for nefarious purposes, such as recording your keystrokes.

In short, Adobe has done a terrible job of making Flash safe. YouTube now supports HTML5 for watching many videos. Use that instead of Flash.

If you must use Flash, use it from within Google Chrome, which has an implementation of Flash by Google, not by Adobe.

4.6. Remove Flash if possible.

In the directory /Library/Internet Plug-Ins, there is a part of the flash plugin for Safari. Use this command to remove it:
sudo rm "/Library/Internet Plug-Ins/flashplayer.xpt"

4.7. Do not surf the Web in public places unless a password is required.

For technical reasons, it turns out that places like coffeehouses and restaurants that offer free Wifi are the least secure environments in which to do Web surfing. The only way to make it secure is if the business enables encryption on their Wifi router, and they have to use WPA encryption. That protects you from other customers as well as people outside the building.

Without WPA encryption enabled, other people can potentially intercept your Internet traffic and even hijack your online account(s). If you must use non-encrypted public Wifi, don't access personal online accounts such as Yahoo mail.

Actually, some have asserted that even having WPA enabled is not enough, since miscreants can still snoop the key-exchange that is done when WPA is starting up, which is done in the clear.

4.8. Log out of websites before you visit new ones.

A common type of exploit termed Cross Site Scripting or XSS involves a user clicking on a link, such as in an email, that hijacks a current session that you have open at a website like Facebook or Gmail. This type of exploit cannot succeed, however, if you are logged out. Therefore always log out of your accounts when you are not using them.

4.9. Skip the porn and skip the "interesting photo" websites.

The great masses of porn and bizarre-photo files that are available on the web appear to be made available as-is. There is no evidence that anyone checks them for malware. Let's say 1 in 100 files has malware that quietly takes over your Mac. If you peruse such material regularly then it is inevitable that you will get an infection sooner or later.

Rule 1: If you want porn movies, buy the DVDs and play them on your TV.

Rule 2: If you want to look at interesting photos of bikini-clad women or accidents or whatever, consider doing it from within a virtual machine e.g. using Parallels. Malware can exist in image files.

Rule 3: If you want to listen to music before buying it, go to the video-upload websites like YouTube.

5. Avoid risky software

5.1. Avoid products from Microsoft.

Even today, Microsoft's Office for Mac is an overpriced, low-quality variant of their Office product for Windows. But worse than that, in-document scripting is still enabled by default, which unnecessarily leaves open a conduit for malware exploits, and it is one that has been exploited extensively by hackers in the past.

5.2. Skip the precompiled free software.

The best rule of thumb is, if you did not compile a free program yourself from the source code, assume that it has malware in it, and don't use it. In order to compile it you obviously need the source code, and if the source code is not available (i.e. it is closed source) then you should wonder what they are hiding. There is no free lunch.

6. Check for malware

6.1. Stop risky services from launching

When you log in, some programs automatically launch. You can stop them by removing their launch plist files, which are in these directories:
~/Library/LaunchAgents
/Library/LaunchAgents

6.2. Look for keyloggers

A keylogger is a program that records every keystroke that you type and periodically sends those keystrokes to a server run by criminals.

A common Mac keylogger is ABK. Look for it using Spotlight or use the find command to search in these directories:

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/System/Library/LaunchAgents
/System/Library/LaunchDaemons
/System/Library/StartupItems
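As an added example (not from the original page) covering both 6.1 and 6.2, a shell script that enumerates the launchd plists in the directories listed above, printing each one's Label and the program it starts so that an unfamiliar item stands out, and that searches the same directories for a name such as ABK. The function names are my own, and the functions take the directories as arguments so they can be run on a test tree.

```shell
#!/bin/sh
# Added example (not from the original page): list the launchd plists in the directories
# the text names, showing each one's Label and the program it starts, so that an
# unfamiliar item (a keylogger such as ABK would be one) stands out; and search those
# directories for a name. Pass your own directories to run it on a test tree.

# plist_value FILE KEY -> the first <string> after <key>KEY</key> (empty if absent)
plist_value() {
    awk -v key="$2" '
        found && /<string>/ { sub(/^[ \t]*<string>/, ""); sub(/<\/string>.*$/, ""); print; exit }
        $0 ~ "<key>" key "</key>" { found = 1 }
    ' "$1"
}

# program_of FILE -> the Program key if present, else the first ProgramArguments entry
program_of() {
    prog=$(plist_value "$1" Program)
    [ -n "$prog" ] || prog=$(plist_value "$1" ProgramArguments)
    printf '%s\n' "$prog"
}

# list_launch_items DIR... -> one line per plist: "label<TAB>program<TAB>path"
list_launch_items() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -name '*.plist' -print | sort | while IFS= read -r f; do
            printf '%s\t%s\t%s\n' "$(plist_value "$f" Label)" "$(program_of "$f")" "$f"
        done
    done
}

# find_launch_item NAME DIR... -> paths whose file name or plist contents mention NAME
find_launch_item() {
    name=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        {
            find "$d" -iname "*$name*" -print
            find "$d" -name '*.plist' -exec grep -il -- "$name" {} \;
        } | sort -u
    done
}

# Default run over the directories the page lists (missing ones are skipped)
list_launch_items "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons \
    /System/Library/LaunchAgents /System/Library/LaunchDaemons /System/Library/StartupItems
```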

6.3. Antivirus

Having a commercial antivirus running is increasingly a security risk in its own right.
  1. Some malware is now written to attack and take over the antivirus programs.
  2. Some antivirus programs have a default setting to automatically upload your private files to their cloud servers without your consent.

There is a free and open-source antivirus scanner called ClamAV that, if you are a technically savvy person, you can download, build, install, and run from the command line.


6.4. Regularly reinstall OS/X.

Infections are inevitable. Antivirus does not fully undo an infection. The best solution for security is to reinstall the OS from time to time, e.g. once per month, after reformatting. Like brushing one's teeth or tying one's shoelaces, this is not difficult once it becomes routine.

7. Summary

There are a lot of things that you can do to secure your Mac, many of which do not require technical ability. They do require that you think, though, and that you use common sense.
