Mac Security

Be afraid, be very afraid

Macs don't get viruses. Well... they do. Actually, computer viruses have all but died out as technology got better and persons of ill will got more ambitious. The security experts and media use the word "malware" - a portmanteau for software of malicious intent. The important thing to remember about any computer system is that it can't make decisions, only actions based on the set of instructions it has been given. All the apps you run are just numbers; huge arrays of zeros and ones, that are interpreted by the physical transistors etched into the silicon wafer in your processor. This is true for your word processor, your iTunes music files and the sly bit of code that was slipped onto your system when you clicked that suspect link on the internet that is now rifling through your data looking for lucrative account details.

Computers are useless, they can only give you answers.
— Pablo Picasso

We're all familiar at least with the discussion of AntiVirus for Windows machines. Windows has two problems to contend with. One is that the widespread success of windows made it a far more profitable target than other operating systems for the authors of malware. Why spend weeks writing complex code to exploit a small percentage of global computers when you can spend the same time and target 90% of computer systems? Hardly Microsoft's fault but true nonetheless.

it's also true that Windows kinda just sucks at keeping itself safe, and has always relied on third party software to intercept and handle threats. It does very little in the way of proactive, preventative security (though this began to change in Windows Vista). This problem is compounded by Window's need to provide backwards compatibility for more than a decade of legacy software.

Macs benefit on both fronts - it has historically been a less attractive target and it is more difficult for malware to execute uninvited. This shouldn't instil a sense of false security though. No system is unbreakable. One unwise click on an e-mail attachment of questionable origin or spiked app download and you hand over access to your system. Once a malcontent has that access, whatever security you had is more or less meaningless. This is compounded by software you install, particularly software that executes in your browser to enable web content. Adobe were publicly humiliated recently with a string of serious vulnerabilities introduced to computers, Mac and Windows alike, by their Flash software popular for playing video on sites such as YouTube. Java introduced similar problems, and led to widespread advice for all users to disable Java on their computers. Any software that has access to your system could potentially be targeted by malware seeking to exploit that access to get a shoe in.

If code instructions intended to do you no good get on to your system, your system blindly follows them. While software exists to isolate and destroy malware, it is often too late and damage has been done. The best defence is absolutely prevention. Despite the picture I have painted of endless vulnerabilities and myriad risks, most of us will never experience a security breach on our computers, and if you're a little wily, and apply a little healthy scepticism you can keep your chances to a minimum.

The good news is that prevention is actually pretty easy. Your primary tool is 'good practice' - that is exercising sound judgement about whether an action, download, website or app is safe. Your secondary tool is software. Your Mac gives you a good start on both fronts, but there are things you can and should be aware of.

Good Practice

Good practice really is an exercise in caution, and is a question of trust. The internet is by far the most common point of access to your system for malicious code and in all but the most sophisticated of cases this access requires the user (you) to give the malicious software permission to access your system. The authors of this software will try hard to coax you into doing just that.

Dealing when e-mailing

If you receive an e-mail and the sender or contents are unexpected, this is a cause for concern. Attachments that you weren't expecting, poor use of language, links with insufficient explanation or web addresses that appear to be misspelled or nonsensical are good indicators that something is wrong. Even still, a cleverly designed 'phishing' attack - that is an attempt to illicit, or fish for, personal information can be extremely convincing. There are a handful of warning signs even if the e-mail otherwise does appear to be a legitimate message from your bank (or whomever). Misspellings are always a good indicator - many of these emails originate from non-english speaking countries and a financial institution will rarely send out an email containing obvious typos. A legitimate email will in most cases also refer to you by your name "Dear Mrs. Jane Jones" - a piece of information that the anonymous stranger trying their luck will most likely not possess. A random number of nonsensical words is a dead give away - a tactic used to fool automated scanning systems that look for telltale word combinations (viagra, manhood augmentation… you get the picture). Any time you are asked to access your account with a service simply do not follow the link provided to you in the e-mail and instead, open your browser yourself, and visit the relevant website yourself. This ensures you access the real site and not a facsimile intended to capture your username and password.

Most e-mail providers are quite sharp on spotting these kinds of e-mails: the quantity of identical emails being received by a provider's customers usually triggers the alarm at their end. You never see the majority of suspect e-mails because they never arrive. Anyone who's used e-mail in the last decade knows that some get through all the same. If you don't trust it, just delete it. There are very few instances where someone who needs to can not get hold of you by other means. If you're really not certain, contact the alleged sender by telephone or an e-mail address that you can trust and ask them before acting.

Danger on the net

Your web browser is also a point of high risk; perhaps the biggest risk of any that most of use regularly utilise. The first thing you can do is ensure that you have a strong and up-to-date browser. Macs come with Safari, which employs robust code and a principle known as 'sandboxing'. When you open Safari, it is given an isolated chunk of your system resources to play in: it's own sandbox. The theory is that should something unpleasant work it's way into that sandbox, it may cause trouble in the sandbox and upset your browsing experience but it can't get out into the rest of your system. If something is wrong you can close down Safari, the sandbox is obliterated and the malware goes to oblivion with it as your system resources are returned, cleanly, to the system. It is not perfect, but it is a great tool in your arsenal. Google's Chrome browser also uses this technique. Sandboxing has the added benefit that other software, such as Flash player, that your browser may utilise will exist in the same sandbox bundled up in a package that can be safely disposed of.

You can't rely on clever software tricks to keep you safe, and there is a way to bypass every security measure, so you should still exercise good judgement. Don't let your curiosity get the better of you and trust your gut if you feel that something is less than legitimate. Simply don't invite them in, even if the bulldozers are ready to flatten the house with them inside.

Apps and software downloads

One of the greatest benefits of the internet is the immediate access to software that it facilitates, and an uncountable number of developers use it to sell their entirely awesome applications. If you're after a particular piece of software, be sure you're downloading it from the appropriate source. If you're buying from Adobe - be certain you're on Adobe's website. If you're uncertain about the credentials of a particular website, google the software, see if reviews from websites you feel you can trust have links to the appropriate site.

if you're downloading software from less than legitimate sources then you are effectively unprotected. You simply cannot guarantee the integrity or contents of the file you will receive.

With a Mac you have the benefit of the App store, where software goes through a validation process. Newer Apps are required by apple to use the sandboxing principle I already mentioned also. This is still a human-moderated process however and there will inevitably be mistakes made. The chances of you downloading malware from the Apple App Store however are vanishingly small. This is about the safest method to acquire software currently available.

Gatekeeper settings

Gatekeeper settings

Macs running Mountain Lion also come with a tool called Gatekeeper. Gatekeeper acknowledges three sources for the installation of software. The App Store where Apple controls the security tightly, licensed distributors whom are registered with Apple and include an electronic certificate with their software, and software of an unverified origin. The certified setting allows the installation of software downloaded from the internet, but should Apple become aware of a problem with that software they can revoke the certificate and prevent future installations of that App. Gatekeeper is also able to tell if a signed app has been altered after the point that it was signed. There are Apps that are simply unable to meet the security requirements of the App Store, as they legitimately utilise the system in ways that could be abused. Some of this software is excellent, but simply can't meet the standards required by the App Store; a necessary boundary to ensure that the App Store remains so secure. So long as the certificate is good, and you can feel confident in the legitimacy of the software, you should be safe enough to go ahead and install it on your Mac.

Apple have one of the most active developer, user and blogger communities - between the blogs, news sites and enthusiasts you should be able to find ample reference for quality, safe software.

Passwords

Passwords are awful. It's a broken system where in the majority of cases we spend more effort simply trying to make the system work for us than we do making it secure. The problem with passwords are twofold: quantity and memory. In modern life we have login details for everything from our newspaper to our music libraries and our bank accounts. That's a lot of passwords, and as our passwords become more inscrutable they also become harder to remember.

Well, tough luck, as passwords are what we've got.

There are two tenets to good passwords: make them complex and make them unique. Both of these add to the memory burden, in fact if you're doing it right they should pretty much be non-memorisable junk, right?

No.

The reason to avoid using passwords that incorporate words and dates with personal meaning (personal meaning being a great mnemonic) is that they can be guessed and/or they can be broken by what is called a 'dictionary attack'. being restricted to a whole english word vastly reduces the combinations of characters required to crack your password by trial and error. However, there's a half-way compromise that results in long, secure passwords that are at least vaguely memorable.

You have a choice of two variants: * A string of easily pronounceable sounds with some capitalisation and numbers. * A sequence of whole, unconnected words with regular capitalisation and a central numerical component.

These are not as secure as a string of 25 completely random alphanumeric characters, but strike a balance between security and memorability.

It is important to use unique passwords and there are helpful tools like 1Password, which allow you to manage multiple, randomly generated passwords from an integrated interface on your device. You only have to remember the password to access 1Password, and it will complete your login details on the website for you. It's worth noting however that it is possible to create a circular dependency; if you store your 1Password database on Dropbox for syncing, and use a 1Password generated password to access your Dropbox account then you could be in trouble if you for whatever reason lose your device. There should in reality be two passwords that you commit to memory: your 1Password password for the obvious reason, but also the password for your primary e-mail account - which can be used to reset any other password in the case of an emergency.

Still, remembering two strong passwords is far easier than remembering 20 of them.

There are alternatives to 1Password out there, and in OS X Mavericks Apple will be introducing some of this functionality with iCloud Keychain.

The software solution

Antivirus is a necessity on a Windows system, but is far less of a benefit on a Mac. That doesn't mean there aren't software aspects to a robust security plan. You're exercising wisdom on the internet now, but we're all familiar with the concept of a hacker actively trying to get on your system from the outside. This is actually a pretty unlikely scenario, but shouldn't be discounted. It's possible for a person of ill intent to listen passively to your internet traffic and siphon information if your network is not secured. Sufficient network security for most of us thankfully is once again a fairly simple affair.

Firewalls

Simply being connected to a network introduces a level of risk. In order to talk to each other computers have to send data, and constantly listen for incoming information. They're always open to the communication of other machines on the network and that communication is not guaranteed to be wholesome. Your primary defence against inappropriate contact is the firewall. A firewall places restrictions on what information, from which sources, and intended for which recipients, is allowed to travel through it. There are most likely two levels of firewall on your home network: the one on your router and the one on your Mac.

Most routers come with built in firewalls as part of their own security (possibly all routers) and most of us won't need to give it much thought. So long as your wifi is encrypted (you require a password to connect) then you shouldn't need to be concerned about this and while the firewall on your router probably has significant configurability it is beyond the scope of this post and likely beyond the needs of most home users.

Mac Firewall

Mac Firewall

The firewall on your Mac is an even simpler affair. You go to the firewall settings page and you make sure it is 'on'.

Firewalls can cause trouble with some applications. If this happens you should attempt to contact the developer of the software for help with a secure solution (which is usually a simple configuration change) before you entertain the option of disabling your firewall.

Anti-virus

I just told you that antivirus doesn't do a whole lot for your Mac, but the thing is that your Mac probably doesn't exist in isolation. The network is a source of woe, and the other devices on your network could be an infection risk for your Mac and vice versa. Once a network is compromised, each machine on the network is at increased risk.

The most populous malware is Windows malware, which is almost certainly harmless to your Mac. In an elegant parallel to real world infections though it is entirely possible for your Mac to host and pass-on code intended to abuse another operating system. If you have a MacBook, chances are you connect to more than one wifi network, some probably public ones. You likely also make use of CDs or flash drives which can carry malware from machine to machine. If you're hooking up to, for example, a business network that has Macs, PCs and perhaps Linux machines then your machine could be the gateway for nefarious software to access that network.

The Stuxnet worm that made the news about a year ago did exactly this; knowing that it's target machines were isolated from the internet it simply piggybacked on laptops and removable media until one infected flash drive was plugged into the inner workings of an Iranian nuclear facility. Clever monkey.

This is the argument for anti-virus on your Mac, and these are the situations where you should give it real consideration.

Privacy

Privacy is not just a worry for the likes of Twitter and Facebook whom are trusted with all manner of our personal details. If your machine is not private, then anyone in your physical vicinity might be able to get at your stuff.

Make sure your user account is password protected if at all possible. There are situations where a machine may need to be accessed without this impediment but for most of us, password protection to get to the desktop will halt any casual opportunist in their tracks. Make sure that the password is also required to wake your machine from sleep or the screensaver - so if you do have to wander away you're secure again after a couple of minutes.

A step beyond this is encryption. FileVault 2 comes with Mountain Lion, and will encrypt your entire disk - requiring your password to even boot successfully. It may however impact your Mac's performance - particularly on older generation machines. If your Mac holds any particularly sensitive data, perhaps belonging to your employer, then this is a wise option.

If someone has physical possession of your machine, encryption is the only certain method of preventing easy access. If that machine has iCloud configured, you can also remotely wipe that Mac so long as it connects to wifi at some point from iCloud.com on any modern web browser. You can also track the location of any enabled Apple device this way, dependent on it having internet (wifi or 3G) access.

In summary

You shouldn't be afraid to dive into the internet and the great opportunities and entertainment it provides. It's not really a scary place. Not unlike leaving the house in the morning it presents personal risks that are minimised by knowledge, caution and wise decisions. The internet is humanities single greatest pool of knowledge and your best tool to educate yourself. Make the most of it, do so safely.

Other Reading