8 Things to Help Keep Your Mac Secure

As the recent spate of Mac-specific malware shows, Mac OS X is not immune to security problems. (Not that this is really surprising to anyone.) To be honest, though, I was—until recently—fairly confident that my systems were reasonably secure. However, a Twitter conversation with security guru Christofer Hoff (aka @Beaker) convinced me that I wasn’t doing enough. The appearance of the Flashback.K trojan, which can install itself even without administrative privileges, confirmed that he was right—I wasn’t doing enough. (No, I didn’t get infected.)

Upon thinking about it a bit more, I realized that if I wasn’t doing enough as a pretty savvy user, then a lot of people probably weren’t doing enough. So, here’s a breakdown of my Mac defense strategy. Perhaps sharing what I’m doing with others will encourage them to improve their security posture as well.

  1. I use the BSD-level ipfw firewall. Mac OS X is, at its core, built on FreeBSD. This powerful UNIX layer offers an equally powerful stateful firewall in the form of ipfw. If you aren’t using ipfw, I’d encourage you to take a long, hard look at starting to use it. It provides a powerful ruleset to give you tremendous control over the types of traffic that are allowed into (and out of) your Mac. To help encourage people to use it, I recently published an article on how to configure ipfw on Mac OS X. (Keep in mind that Mac OS X 10.7 “Lion” prefers pf instead of ipfw. I hope to post an article on that soon as well.)
  2. I use the built-in Mac OS X application-level firewall. Mac OS X ships with a pretty GUI for a built-in application-level firewall in System Preferences. I recommend that you turn it on and select which applications you want to allow to accept incoming connections. Some people have asked “Why both firewalls?” This is a fair question. The built-in application-level firewall simply allows or denies inbound traffic on a per-application basis, but doesn’t—to my knowledge—offer any more granularity than that. Using the built-in application-level firewall in conjunction with the BSD-level ipfw (or pf) firewall gives you the ability to specify which source addresses or networks are allowed to make connections to those applications. This means that you can allow iTunes connections at the built-in firewall layer, and then use ipfw (or pf) to only allow those connections from your home network subnet.
  3. I use an outbound application-level firewall. The built-in Mac OS X firewall in System Preferences only controls inbound traffic. What about outbound traffic? Do you know what processes and applications on your system are communicating with the outside world? I use Little Snitch, which I believe to be an excellent choice in this area. (No, I don’t have any affiliation with Objective Development.) Little Snitch gives you the visibility to know what applications and processes are communicating and on which protocols and ports.
  4. I use an account without administrative privileges for my day-to-day use. While this won’t thwart all security problems—Flashback.K still works, for example—it’s still a good idea. I also recommend that you only install applications using a separate account with administrative privileges. This forces you to log off, log on as the administrative user, then install your application(s). While this is a bit of a hassle, the security trade-off is, in my opinion, worth it.
  5. I disabled the opening of “Safe” files. Safari has this feature enabled by default. I recommend that you turn it off, and check to make sure it’s turned off in other applications as well.
  6. I use an AV application. Yes, yes, I know—Macs don’t get viruses. Tell that to the 600,000 Macs infected with the Flashback trojan. And while Flashback isn’t technically a virus, at this point you’re just splitting hairs. I’m using the free Sophos AV Home Edition for the Mac and feel that it is pretty good, but there are numerous others. Find one and use it. (This is a recent addition to my own security strategy.)
  7. I do my best to stay updated. I encourage you to run Software Update on a regular basis. If you’ve followed the advice of #4, this means you’ll need to log in as an administrator and run Software Update. Make it a point to check regularly.
  8. I don’t run the standalone Adobe Flash Player. Instead, I use Google Chrome when Flash is required; Chrome comes with its own patched version of Adobe Flash that is generally regarded (last time I checked) to be a bit safer than the standalone version of Flash. Yes, this means that I need to switch back and forth between browsers (Safari for day-to-day use, Chrome for Flash use), but this is a task that AppleScript easily solves.
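To make items 1 and 2 concrete, here is an added example (not code from the original post) that generates the “iTunes only from my home subnet” policy in both ipfw syntax (Mac OS X 10.6 and earlier) and pf syntax (10.7 “Lion”). The home subnet, the iTunes sharing port (DAAP, TCP 3689), the Bonjour port (UDP 5353), the rule numbers and the pf anchor name are all assumptions; adjust them for your own network.

```sh
#!/bin/sh
# Added example (not from the original post). Policy: iTunes library sharing
# (DAAP, TCP 3689) and Bonjour discovery (UDP 5353) are reachable only from the
# home subnet; all other inbound traffic is dropped and logged. Outbound traffic
# is left to the application-level firewall (Little Snitch) described in item 3.

ITUNES_PORT=3689   # DAAP, iTunes sharing (assumed; confirm in iTunes preferences)
MDNS_PORT=5353     # Bonjour / mDNS, used to announce the shared library

# ipfw form. Rules are evaluated in ascending number order and the first match
# wins; the built-in rule 65535 allows everything, so an explicit deny must
# come before it.
build_ipfw_rules() {
    net="$1"
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 check-state
add 00400 allow tcp from me to any out setup keep-state
add 00500 allow udp from me to any out keep-state
add 00600 allow tcp from ${net} to me dst-port ${ITUNES_PORT} in setup keep-state
add 00700 allow udp from ${net} to me dst-port ${MDNS_PORT} in
add 00800 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any in
EOF
}

# pf form: the same policy in pf syntax. In pf the LAST matching rule wins
# unless a rule says "quick", so the broad "block in" comes first and the
# specific "pass in" rules after it.
build_pf_rules() {
    net="$1"
    cat <<EOF
pass quick on lo0
block in log all
pass out quick keep state
pass in proto tcp from ${net} to any port ${ITUNES_PORT} flags S/SA keep state
pass in proto udp from ${net} to any port ${MDNS_PORT}
pass in inet proto icmp all icmp-type { echoreq, echorep, unreach, timex }
EOF
}

# Number of rules a generator emits for a subnet; used as a sanity check.
rule_count() {
    "$1" "$2" | grep -c .
}

# Load the ipfw ruleset, one "ipfw add" per line, after flushing the old rules.
apply_ipfw() {
    sudo ipfw -q flush
    build_ipfw_rules "$1" | while read -r rule; do
        # word-splitting of $rule is intentional: each word is an ipfw token
        sudo ipfw -q $rule
    done
}

# Load the pf ruleset into its own anchor instead of replacing /etc/pf.conf, so
# Lion's own anchors stay intact. The anchor name "itunes" is an assumption, and
# the main ruleset must contain an 'anchor "itunes"' line for it to be evaluated.
apply_pf() {
    tmp=$(mktemp /tmp/pf.XXXXXX)
    build_pf_rules "$1" > "$tmp"
    sudo pfctl -a itunes -f "$tmp" && sudo pfctl -e
    rm -f "$tmp"
}

# Dry run: print both rulesets for an (assumed) home subnet without loading them.
if [ "${1:-}" = "--show" ]; then
    build_ipfw_rules "${2:-192.168.1.0/24}"
    echo
    build_pf_rules "${2:-192.168.1.0/24}"
fi
```

Run it with `--show 192.168.1.0/24` first and read the output before calling `apply_ipfw` or `apply_pf`; the two generators are kept separate from the functions that load rules so the policy can be reviewed (or version-controlled) as plain text.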

While these 8 things aren’t going to guarantee that my Mac (or yours, should you choose to follow them as well) will never be exploited, I do feel that they provide a reasonable level of protection. Safe computing (and safe browsing) is still required; no amount of security can protect against stupidity. But when combined with security awareness and safe computing/browsing, I feel that these measures will provide the level of protection that I need.

(BTW, there are other network-level protections that I have in place as well, but I didn’t include them here as the focus of this article is on the Mac itself.)

If you have any additional suggestions for helping keep your Mac secure, please feel free to speak up in the comments. Every suggestion can help!


  1. Nick Nicholaou

    Great points! The Mac is much more vulnerable than what its amazing reputation suggests. I also avoid using public WiFi as much as possible by using my MiFi or smartphone as a hotspot.

  2. Jay

    Great suggestions! One exception though: I don’t think that an outbound firewall is a worthwhile option. Example: I install Little Snitch and it tells me that “softwareupdate” is requesting outbound access. Do I grant that access or not? Well, “softwareupdate” is the process name for the OS X update service, so the answer should be “yes”, right? Not necessarily, because if my system has already been compromised then that process might be a trojan hiding itself by masquerading as a legitimate service.

    Am I going to do the work to make sure that it’s the legit “softwareupdate” process? Maybe. Am I going to do that every single time Little Snitch warns me about any kind of outgoing connection? Of course not; I’d never get anything else done! So, ultimately, all Little Snitch would be doing there is training me to click “allow” on anything that has a name that doesn’t immediately look suspicious. Needless to say, that wouldn’t really enhance my security in any significant way. If anything, in fact, it would make me dangerously overconfident.

  3. slowe

    Jay, thanks for your comment. With regard to outbound firewalls, that’s your opinion, and you’re entitled to have it. I, personally, disagree with your assessment; however, the effectiveness of any given security solution—be it outbound firewalls, inbound firewalls, malware scanners, etc.—can be limited by the habits of the user. I take the time to know with reasonable surety what processes should be allowed; as you point out, though, others might not. That’s not the fault of the outbound firewall, but rather the fault of the user. It really all depends on the user. Hence my statement that “Safe computing is still required.” Thanks!

  4. flakshack

    Some good tips. I’ve been using the open source ClamAV, but I’ll give Sophos a try.

    I prefer HandsOff to Little Snitch. It has a similar interface to allow for easy rule creation, but has more blocking features. You can block dnslookups, inbound & outbound IP traffic, but more importantly you can control file reading and writing. For the average user, it would be overwhelming and turned off quickly, but for a power user it can be a really strong tool.

    In the case of Flashback, HandsOff would have prompted you as soon as the Java applet attempted to write the files to disk.

    As far as application validation, I’m not sure how exactly they do it (signature, hashing or what?), but HandsOff notices when applications have changed or been moved and treats the application as untrusted (with the default ruleset).

    I’d also recommend PreyProject (open source anti-theft) and TrueCrypt (open source encrypted volumes for your confidential data). PreyProject can be setup to point at your own web/ftp server.

    Also, if you find yourself doing a lot with ipfw, check out WaterRoof for a nice GUI.

  5. Brian Excarnate

    A couple comments.

    I tried (4) and it didn’t work perfectly (iTunes doesn’t work perfectly, for example), and I don’t see what good it does on a single user computer. You might feel more secure in the admin account, but I don’t see that as being a very good tradeoff at this point. If files get trashed, I don’t care what account it happened under. If I have to start from a clean account to fix the problem, I’m starting from the DVD no matter what.

    I’m sorry, as stated (6) doesn’t make sense. A blanket “run something” is a worthless statement. You have to advise people to run something specific and tell them what good it actually does. If all it does is catch problems that someone can’t get because they patched (e.g. Flashback), then it is pointless.

    You are missing a couple of very important safety tips:
    1) Run some sort of Javascript blocker, such as NoScript under Firefox.

    2) Run some sort of Flash blocker, such as Flash Block under Firefox.

    I’d also add to run AdBlock Plus (or similar), and to make sure if you run Safari that the Fraudulent sites box in the Security tab of Preferences is checked. It checks for some known bad websites (I believe via Google) which can help avoid some problems altogether.

    I do appreciate the help on the VMware client RDP file, though. I am not sure the new version is an improvement.

  6. slowe

    Brian, thanks for your comment. I’ve been running as a non-administrative user for nearly 3 years now, and haven’t experienced any issues. I’m not sure what sort of problems you saw with iTunes, but it’s been quite smooth on my end. The key advantage of running as a non-administrative user is an extra “layer” of protection against system files getting modified. While this isn’t a panacea (and I didn’t claim that it was), every little bit helps.

    With regard to my suggestion to use an AV application, there’s a great deal of controversy here. Many have suggested that it wouldn’t have helped with Flashback and that it doesn’t serve any real purpose. My thought is that it’s just one more layer, one more tool. As with most things, YMMV.

    Finally, your suggestions regarding Javascript/Flash blockers are a good idea. Running Adblock Plus (which I do actually use, just didn’t place in this list) is also a good idea. I’ve also recently looked at Ghostery (another Safari extension like Adblock Plus).

    Thanks for your comment!

  7. Chris

    What on earth are you trying to achieve here??
    Do you want to make my Mac completely unusable??
    What in the world is ‘ipfw’???

    These three are just example statements of a ‘real end-user’ and I hope these statements are illustrating a point here.

    Security must be simple and easy to follow!!!
    (Almost) none of your recommendations are.

    Here’s what a computer User (Mac / Linux / PC … don’t matter at all!) should do:

    1. Keep your software up-to-date! It’s called an ‘exploit’ because it exploits a vulnerability in your software. Fix the root cause!!!!
    2. Use an Anti-Virus program. They sometimes help. (It’s almost like a vaccination)
    3. Use good passwords! (The longer the password, the better! Because LONGER passwords take LONGER to crack!!! Make it at least 12 characters!)
    4. Be careful when you click on links or attachments in e-mails! Double-check that you really know the sender of the e-mail!

    You should better go learn some real security.

  8. slowe

    Chris, thanks for your comment. You are correct that I didn’t list some basic—but extremely important—security measures. I appreciate you taking the time to bring them to the readers’ attention so that they can incorporate these suggestions into their environments. In the meantime, I’ll go learn some real security…

  9. flakshack

    Scott’s blog is generally targeted at technical sysadmins and I don’t think this post was intended for the typical Mac end-user.

  10. Daizy

    In the above post you have described each point very nicely. I would like to include one more: every Mac user should install antivirus, or they should keep a backup of their data via Time Machine or any third-party tool.
    I always prefer Stellar Drive clone to keep backup of my Mac.

  11. Guido

    “Keep in mind that Mac OS X 10.7 “Lion” prefers pf instead of ipfw. I hope to post an article on that soon as well.”

    I would find that very useful since I’m not getting anywhere with setting up working rules with Lion’s pf. I tried IceFloor (hanynet.com), but it’s either buggy, or it’s setting up rules that conflict with the native configuration, or . . . ? I’ve finally decided it’s unusable (unlike Waterroof, the ipfw front end, which is really helpful). I don’t understand what the “apple.com” anchor does. So setting up my own anchor is a dodgy proposition. And I can’t find much at all via Google on pf that’s directly relevant to OS X. Anyway, thanks for this post.

  12. Mike

    Wow, thanks a lot for this post, it was great information for me and I think it will greatly increase the security of my Mac system. Have you heard of anybody using Back to My Mac for remote access capabilities that can be hidden? I found an interesting line in my logs about a Back to My Mac account that I’ve never seen or used before trying to log into my Mac. In fact I’ve never used Back to My Mac before ever, so this concerned me. Thank you for any further information, it’s greatly appreciated!
