Security

Briefly:

Install Apple updates
Click cautiously
Use Chrome
Backup

Urgent

(05/17/12) The FBI is investigating cases where malware was installed on travelers' laptops through software updates on hotel internet connections.
(04/13/12) Several Trojan Horse attacks are being distributed via infected Microsoft Word files. Make sure you apply the latest update to Word 2011. Only Snow Leopard and below are vulnerable to this attack.
(04/02/12) There is a serious security threat that attacks Macs that just visit an infected web page. The malware tries to steal financial passwords from your computer. It has been estimated that over 500,000 Macs have been infected. Protect your machine by installing the update for Java from ► Software Update. See the page on The Flashback Malware for detailed instructions.
(03/08/12) The Flashback Trojan is getting sneakier. If you visit a hacked website, you may see a fake password dialog box from "Software Update." If you didn't select something to be installed, don't give your password. Many blogs have been hacked recently. The NoScript addon with Firefox will prevent such hacks, at the cost of extra clicks. Also make sure you have Java up to date, and do not accept fake (self signed) Apple certificates.
(12/01/11) If Facebook, or any web page, says you should install a Flash upgrade, DON'T CLICK IT.
(05/25/11) Don't Install "Mac Defender", or similar fake anti-virus scareware.

General

In the old days, I could just say "don't worry, there isn't any real threat to Mac users from malware." Those days are gone. Mac users need to be careful too. The bad guys have been busy. (There are still fewer attacks on Mac than on Windows.)

Almost all bad stuff out there is not actually viruses but Trojan Horses. That is, the threats are programs that trick YOU into typing your admin password and installing them. For example, if you get a mail message that says "From: Microsoft" and has a link to click that will update Microsoft Word, DON'T. (Mail senders can be forged. Links in mail may not go where you think.) If you're browsing a web page and you get a popup window that wants you to update your Flash player, DON'T. (There are multiple fake updaters for Flash, some spread via Facebook.) There are current attacks on Macs that do these things.

To update Apple software, start with the ► Software Update menu item. To update non-Apple software safely, restart your browser, type in the URL of the company website, e.g. adobe.com, and find and download the update.

I have written elsewhere about general suggestions on home computer security. Summary:

Back up your data often, preferably to more than one place.
Understand that mail messages and web pages may be forged.
Don't install untrusted programs.
Don't click on links in mail messages, even it they appear to be from friends.
Keep your software up-to-date. Security fixes may not be available for old OS versions.
Do everyday work on a non-administrator account.
Keep crucial data encrypted.
Use a hardware firewall (NAT router).
Use strong passwords sensibly.
Wireless has additional security implications. If you use it, be careful.
If you use sites like Facebook, connect to them with a URL like https://facebook.com.
Don't click on links in Facebook postings, even it they appear to be from friends.

See Frequently Asked Questions about Security.

Mac Specific Advice

Install Chrome and use it instead of Safari.
If you click on a link in mail or a browser, and get an alert that the page wants to install software, deny the request.
Set your System Preferences so only trusted programs are auto-run when external media are connected.
If you use Safari, make sure "Open 'safe' files after downloading" is NOT checked in Safari preferences.
Set a disk encryption password if you are using OSX 10.7 (Lion).

Attacks and Defenses

Here is a little explanation of threats and countermeasures. Notice that in these scenarios, the first word is You. Reminds me of the old joke: "Doctor, it hurts when I go like this." "So, don't do that."

Your Mistake	Bad Guy Action	How Likely	How to Avoid
You download some malicious software and install it, or open an attachment sent to you in mail, or view a malicious website that asks to install some software, or view a social website message. You are asked to permit the installation of software or to accept a self-signed certificate, and you click OK. You use an insecure connection, and an attacker pops up a fake software update notice, and you click OK.	The Trojan Horse malware you installed gets control of your computer. The malware can steal or modify your data, get your online banking passwords, or attack other computers.	There are multiple attacks aimed at Mac users. See below. Some of them use Facebook to send you to the attack site, infect your computer, and spread by sending messages to all your Facebook friends.	If you use Safari, make sure "Open 'safe' files after downloading" is NOT checked in Safari preferences. Make Firefox or Chrome your default browser, and install FlashBlock, AdBlock Plus, and NoScript or ScriptNo. Do not install software from strangers. Only install software from trusted providers. Avoid pirated software. Use caution when opening mail attachments. Install anti-virus software and keep it up to date, and use it to scan downloaded software before installing it. Buy and install an outgoing connection monitor such as Little Snitch*. Turn off "platform apps" in Facebook and similar sites. Avoid doing software updates over untrusted connections, such as hotel connections.
You click on a hyperlink in a mail message or web page. The link causes your browser to display a malicious web site.	The malicious web site contains Java, Javascript, or Flash code that exploits a bug and gets control of your computer. The code can steal or modify your data, get your online banking passwords, or attack other computers.	There have been repeated security bugs in browsers, Javascript, Flash, and Java; most of them were only exploited for the PC.	Make Firefox or Chrome your default browser, and install FlashBlock, AdBlock Plus, and NoScript. Use caution when clicking on links. Filter out spam mail messages. Keep web browser and mail software up-to-date. Install anti-virus software and keep it up to date, and use it to scan web pages and included code. Buy and install an outgoing connection monitor such as Little Snitch*.
You insert a disc containing some malicious software and install it. During this process you are asked to permit the installation and you click OK.	The Trojan Horse malware you installed gets control of your computer. The malware can steal or modify your data, get your online banking passwords, or attack other computers.	Possible in theory. This used to be how PC viruses propagated.	Only install software from trusted providers. Avoid pirated software. Disable "auto run." Install anti-virus software and keep it up to date, and use it to scan discs before running anything from them. Buy and install an outgoing connection monitor such as Little Snitch*.
You connect your computer to the Internet without using a hardware firewall.	A malicious computer on the Internet sends messages to your computer that trick it into installing programs that take control of your computer. The programs can steal or modify your data, get your online banking passwords, or attack other computers.	Possible in theory, mostly a movie plot. (The "Slammer" worm infected thousands of Windows machines within a few minutes this way in 2003.)	Turn on the Mac's built-in software firewall in ► System Preferences... ► Security ► Firewall. Install a hardware firewall (NAT router). Keep your system software up-to-date. Buy and install an outgoing connection monitor such as Little Snitch.
You import an infected Microsoft Word, Excel, or PowerPoint document or mail attachment and open it. The file may have been infected maliciously by an attacker, or accidentally by a previous victim.	A "macro virus" in the document alters Office templates to cause Word, Excel, or PowerPoint to infect subsequent documents, and possibly do other malicious actions, from displaying strange messages up to corrupting or disclosing your data.	Rare these days.	Only accept Office documents from trusted sources. In Word 2011, enable "Warn before opening a file that contains macros." Keep Microsoft Office software up-to-date. *Install anti-virus software and keep it up to date, and use it to scan imported Office files.
You leave your machine unattended.	A malicious person steals data from your computer or installs hardware or software that allows your computer to be taken over, and you don't notice. The malware can steal or modify your data, get your online banking passwords, or attack other computers.	This attack is common in movies, but probably rare in real life.	Use strong passwords on your computer. Change your screen saver to require a password in order to wake up. Lock your office. Disable USB and FireWire ports. Make sure the bad guy doesn't steal the whole computer. *Enable FileVault whole disk encryption if using 10.7 or better.
You have an administrator password that is blank or easily guessed. You turned on File Sharing in ► System Preferences... ► Sharing.	A malicious person on the same local network connects to your files and steals data or installs malware. The malware can steal or modify your data, get your online banking passwords, or attack other computers. This includes others using the same wireless access point.	Unless you override the Macintosh defaults, you are reasonably safe.	Use strong passwords on your computer. Do not give away access to folders on your computer to all users on the network. Turn AirPort off on your computer unless you are using it. Use a wired connection whenever possible. Use only trusted wireless access points. Do not use wireless access points unless they provide WPA2 encryption. If you control the wireless router, use encryption, a strong password, and WPA2.
You use wireless.	A malicious person intercepts your wireless traffic and reads or modifies your communications, or they observe your web logins and steal your login credentials (Google "firesheep"). When you browse a web page, an attacker can inject code into the page that pops up a faked software update request: if you install such an update, the attacker could take over your machine.	This is a growth area. There are many reports of "evil twin" wireless hot spots, especially in airports, coffee shops, and hotel areas. These attacks work equally well on Macs and PCs, so the bad guys have more incentive.	Turn AirPort off on your computer unless you are using it. Use a wired connection whenever possible. Don't use a wireless connection for sensitive data if you can wait till you return home. Use only trusted wireless access points. Do not use wireless access points unless they provide WPA2 encryption. If you control the wireless router, use encryption, a strong password, and WPA2. Use SSL or VPN for any communication that includes passwords or other valuable information; if you use web mail, access it using HTTPS. If you see a certificate warning, or don't see the "lock" indicator when you should, disconnect. Avoid doing software updates over untrusted connections, such as hotel connections.

* indicates measures that might work in theory but I have not tried.

Use common sense. To avoid malware problems, use good sense when surfing and clicking: don't click on links in mail from strangers, and don't install software from untrusted sources. Be suspicious. Watch out for scams and fraud. Here is a nice article: Mac security: scams and fraud.

Anti-Malware Packages

I currently do not install anti-malware software on my Macs or recommend it to others.

Malware scanners can check your whole hard drive, or selected files, when you tell them to. Malware checkers attach themselves into programs on your computer, such as Mail, and check files when they enter your machine; to do this they have to hook into applications and system facilities in ways that the malware cannot bypass. Such hookups are sometimes broken by OS updates, or lead to problems using your machine, or consume excessive resources.

Anti-malware programs' definition files must be updated very often in order to be useful. Anti-malware companies constantly capture and analyze new malware that is designed to evade existing detectors. Then they update their malware definitions and detection methods, and make updates available to you. Your computer can be attacked before you get protection installed. Recently, there have been multiple malware variants released in a single day, faster than the anti-malware software can be updated to catch it.

Anti-malware packages are available from Sophos, Intego, F-Secure, PC Tools, BitDefender, McAfee, ClamXav, Norton, SecureMac, and Avast!. They all claim to the the best.

Known Mac Malware

(April 2012) There are recent attacks on Macs that send infected Word documents in e-mail attachments. These exploit a hole that Microsoft patched years ago. Make sure your Microsoft products are up-to-date, by using the built-in Microsoft updater.

(March 2012) The various incarnations of the Flashback Trojan use ever changing tricks to get you to install it. Vist a hacked website, and you may see dialog boxes requesting your admin password with various excuses, or you may see a request to accept a certificate that claims to be from Apple but is not. If you get fooled, you are in big trouble: the Trojan will install code into your browser so it can steal your banking passwords and watch your traffic. Using Firefox with NoScript or Chrome with ScriptNo will help catch these attacks. Make sure your Java is up-to-date.

(December 2011) Trojan Horse attacks are spreading via social network sites like Facebook, telling you you have to update Adobe Flash. This is a social engineering Trojan that wants to steal your banking passwords. I have also been seeing Facebook postings that point to a video that will "make you laugh in the first 26 seconds." These have spread to many people's accounts, so I think it is a Facebook worm. Hint: in Facebook Account Settings, Security, make sure you set "Secure Browsing" on. I turn off all "platform apps" as well.

(November 2011) Trojan Horses claiming to be pirated graphic applications were uploaded to Pirate Bay as BitTorrent files. Installing these will add a back door that would let strangers take control of your Mac, steal your data, and use your machine to generate Bitcoins. Using pirated software is risky.

(October 2011) Trojan Horses disguised as Flash Player Installers attack Macs.

(June 2011) A Facebook attack is spreading Windows malware and Mac scareware via a video hosted in India passed by "Like" flags.

(May 2011) A Trojan Horse fake anti-virus called "Mac Defender," "Mac Protector," "Mac Guard," and other names was discovered. Like many PC fake anti-virus attacks, if you visit a malicious web page, you'll see a fake scan and a WARNING that your machine is infected. An installer is automatically downloaded (and Safari will even open it if you have "Open 'safe' files after downloading" checked). DO NOT INSTALL IT. If you run this installer, it will ask for permission to install on your computer, and if you allow it, it will install a fake anti-virus program which will pretend to scan for viruses and then ask for your credit card number to "clean" your Mac. Intego has a nice article on it. (If you use Firefox as a web browser, and use the NoScript plugin, it won't be able to run.) If you installed it already, see this Apple article. As of 6/1/11, Apple provides a security update to 10.6.7 that will prevent installation of the malware and remove it if it is found.

(May 2011) A new "Crime Kit" for malware writers was published. It makes it easy for bad guys to attack Macs. We may see more attacks.

(November 2010) Microsoft announced that a Trojan Horse file claiming to be OSXDriverUpdates.tar has been distributed by multiple web sites. If a user downloads and installs this software, it will install an agent on their computer that a remote attacker can use to take over the computer.

(October 2010) Symantec described a Trojan Horse that spreads via Facebook. It affects Windows, Mac, and Linux machines and is written in Java. A Facebook user gets a message like "is this you in the video" or "i am going to end my life" that appears to come from a friend. If the user clicks on the link, the malicious web page may ask to install software, or may silently install it. Infected machines will message all the user's Facebook friends, try to steal bank passwords, and install a backdoor in the machine.

(June 2010) Anti-virus company Intego found that some freeware programs for the Mac install spyware that copies a lot of your personal information and sends it in encrypted messages to a company called comScope. If you installed screen savers from "7art" or "MishInc FLV To Mp3", they asked for an administrator password and installed software that monitors your application usage, Internet browsing, and chat sessions, and goes through all your files. The software's license agreement says it does this, but nobody reads the fine print. You can opt out or run the uninstaller to get rid of it. A version of this software has existed for Windows since 2008. (This is a Trojan Horse, not a "virus," since it does not spread to other computers by itself.) Intego calls the software "OSX/OpinionSpy" and its Virus Barrier software alerts and offers to remove the spyware.

(2009) A Mac anti-virus vendor announced that there was a Trojan Horse program published on BitTorrent aimed at Macs. If you downloaded a pirated copy of "iWork 09" from BitTorrent, it asked for your administrator password during installation, and then installed software that allows a bad guy to read all your files, control your computer, and so on. Avoid installing software from unknown sources. (I am a professional programmer, and like to get paid for my work. I assume my fellow programmers do too. So I avoid pirated software anyway.)

My Security Practices

Because I am a "security guy," I put up with some inconvenience to keep my computers more secure. Everyone's security situation is different, and these tactics may be too much, or not enough, for people with different concerns. The measures you should take depend on what you are trying to defend against, and the value to you of the information on your computer that you want to protect. (Many of these measures also work or have analogues on other systems such as Linux and Unix.) Some of these steps may be too detailed for the general reader, but perhaps they will suggest the complexity of the security problem and the need to use multiple solutions.

I browse with Google Chrome, which is robust and fixes security problems rapidly.
I use the FlashBlock plugin for Chrome to prevent automatic running of Flash ads from web pages. Some ads are infected with security attacks, and AdBlock Plus will reduce your exposure to them.
I use the ScriptNo plugin for Chrome to prevent Javascript attacks. It learns which sites are allowed to use Javascript, and prevents various tricky attacks.
When I use any web browser for banking or commerce, I avoid having other windows open on untrusted sites.
I use a multi-layer spam filtering solution. (Much of spam is malware.)
My home network connection is behind a NAT router, so unsolicited traffic from outside is dropped.
My computer is connected to the Internet with a wired rather than wireless connection. If I use Wi-Fi at home, I use WPA2 encryption and a strong password.
I use SSH and SCP to access external servers so that their passwords won't be sniffed.
I load the SSH keys I use to access services on other computers into ssh-agent, and give passwords once at boot time.
I bought and installed Little Snitch to report on outbound connections from my Mac. It remembers what connections are OK and rarely interrupts me.
I have a password on every computer.
I generate strong passwords with my program GPW.
When Firefox offers to remember a password for a site that has my credit card (like Amazon), I tell it no.
I only write passwords down in a file that I keep encrypted.
I encrypt files with GPG so they can be decoded on Unix or Windows. After every change, I automatically back up encrypted files offsite.
When traveling, I use Wi-Fi with caution, and only with SSL and SSH.
I have a special account on my laptop for airport scanning use.
I enabled "secure virtual memory" in ► System Preferences... ► Security.
I installed the free program Adeona. It occasionally logs my laptop's whereabouts to the network.
My computers do not have the root account enabled for login.
My websites are hosted at a well-run ISP that manages the patching and security of the web server.

Things I Am Not Doing Yet

Apple has produced Security Feature Guides for OS versions from 10.3 (Panther) to 10.6 (Snow Leopard) with advice from the NSA. They are very thorough. There are some security measures that I have not chosen, after considering my security risks:

The Mac offers an option, File Vault, to keep the entire home directory in an encrypted container. I have not used this option; in the past, it has had buggy interactions with other software, and it does not work well with Time Machine. I will rethink this decision once I change over to Lion, which does full disk encryption.
I have not set Open Firmware (EFI) passwords (which prevent a Mac from being booted from external media and also lock down some FireWire exploits).
I have not disabled Bluetooth, WiFi, infrared, camera, and external device access, as the NSA suggests secure government users do.
I have not yet enabled the advanced ipfw firewall built into OS X.
I have not set my screen saver to require a password to wake up.
I have not installed DNSCrypt yet.
As I mentioned above, I have not installed anti-virus software.

Don't Get Complacent

Macs have fewer security problems than Windows because hackers have so far concentrated on the flaws in Windows, but this is changing. Over time, Windows has improved, and Apple should be working hard to improve also. Mac OS, Windows, Linux, and other Unix descendants are all written in the C language using informal processes. Brilliant programmers have failed to produce secure systems using this approach in many years of trying.

I think Microsoft does a better job with their code auditing than folks like Apple do. We've only seen a scratching of the surface as far as Apple vulnerabilities because nobody cares to find them. There's nothing inherent with Apple themselves and their development.
-- Marc Maiffret, former hacker