Never Bring a Mac to a Gun Fight

Editorial

If you’re thinking that you’re prepared to do battle with the bad guys on the Internet, if you’re just a touch overconfident, then you’re lost. A better approach for Macintosh customers these days is to be defensive, humble, suspicious and alert.

The Macintosh is benefiting from the iPhone and iPad halo effect. Macintosh sales continue to grow and Apple continues to note in its earnings reports that half of their retail sales are to former PC users. The Mac is being embraced, more and more, by thousands of newbies, students, and people of all ages who are looking for a “PC” that’s secure and almost as easy to use as their iPhone.

What this all means is that Apple’s many new customers — who were told that the Mac is more secure than the PC — are entering a world where they think their security problems are over. That can bring on a bit of overconfidence.

You're the target

So what should the average Mac user’s posture be? One of my colleagues at TMO has never run any kind of security software and doesn’t even turn on the Mac OS X firewall. But he also admits that he’s never been hacked. Those who have detected an intrusion on any OS are rather more gun-shy. Naturally, those who have never been successfully hacked tend towards, perhaps, a bit of complacency. Those IT managers who’ve been in the line of fire, every day for years in the work place, have a whole different attitude.

The discussion of mentality is important. Around the Internet, you’ll find some strong opinions that if you fall for one of these Mac-targeted phishing schemes*, you’re an idiot and it’s all your own fault. That’s not a very helpful approach because it doesn’t help us diagnose the threat and learn how to respond. It doesn’t help us develop a healthy security mentality.

The Bad Guys Are Coming

Internet criminals are out to make money. Like any hard worker, if you don’t succeed, you don’t get paid. Failure means less money, fewer toys. As a result, Internet criminals are highly motivated to invest in technologies and software kits that will help them succeed. You may buy a book on how to succeed as a salesperson. These guys buy documents and software that describe proven methods to make them money. This is just a simple fact of business life on the Internet.

Phishing is the best chance these criminals have right now of making serious money. Lots of inexperienced new Mac users create a target-rich environment.

Survival Class 101

One of my favorite books when I was young is Robert Heinlein’s youth novel “Tunnel in the Sky.” It’s about young Rod Walker who’s taking a survival class. He’ll be transported to another planet where the dangers are unknown and the only rule is that there are no rules. The students in this survival class can take any weapons they choose.

Those who took armor and heavy weapons were ready for a fight, but they were overconfident and died right away. Rod is told by the armorer, “Remember, though, your best weapon is between your ears and under your scalp — provided it’s loaded.” So young Rod takes only a knife and keeps a very low profile until he can diagnose the dangers. His belief that he needs to be smart, quick, suspicious, develop allies and not engage in fights derived from overconfidence keeps him alive.

NHL goalie

This is how I think Macintosh customers should be. Don’t believe people who tell you there is no threat or that you don’t need to worry. Be like young Rod. Don’t live in abject fear, but don’t believe that you can take a Mac to an Internet gun fight and win. Be alert. Be defensive. Be smart. Be suspicious of everything. Be like a winning NHL goalie, ever observant, a fighter in the crease. Also, get onto Twitter and follow the right people, Macintosh editors and writers, so that you aren’t working in the dark. Your noggin is your best weapon.

While you may or may not decide to add extra layers of software protection to your Mac, what’s not optional is a good attitude. The bottom line is that, like young Rod Walker, the defining principle that will guide you through this new onslaught of sneaky, social engineering attacks on Mac users is that of caution, suspicion, intelligent preparation and alertness. Think defense.

There’s never a good time to be overconfident when you know they’re out to get you.

_______

* See, for example, “Protect Your Mac From Bad Guy Phishing.” It explains technical measures you can take to protect yourself.

Images courtesy: iStockPhoto.com


27 Comments

Lee Dronick

Other than exercising caution what is the best anti-malware app for OSX?

geoduck

Those IT managers who’ve been in the line of fire, every day for years in the work place, have a whole different attitude.

Very True.
I change my personal account and network password monthly.
I keep the Firewall on and check regularly what is allowed.
I run Sophos antivirus and do a manual scan of it regularly.
I run Ghostery to block tracking on the web.
I use ClicktoFlash to limit what it can screw up.
I have Safari set to NOT automatically run things.
When I need to do something, like testing a software package that might expose my system to attack/exploitation, I use VirtualBox to run a virtual temporary environment that I discard afterward.
I regularly use Secure Empty Trash when there is a question on the security of something I’ve thrown away or any time I’m discarding a Virtual Machine disk image.
My network runs in stealth mode and will only talk to systems whose MAC is registered in the Airport.
I wear a foil hat just in case.

mhikl

I agree that caution, suspicion, intelligent preparation and alertness are important. I would add being vigilant, and the adjective, habitual, to alertness. But these are just practices, not the ingredients to the cake. What we need is a list of the specific ingredients. Following specific instructions makes anyone a master chef when it comes to cake making. The same goes for Apple security. Specific formulae should be followed from which one does not falter.

The tweaking of Apple Security in System Preferences is one specific ingredient in protection that has been noted in TMO.

Another would be tweaking the browser and, from previous reads at TMO, Safari’s Preferences - General - unselecting Open “safe” files after downloading, is advised.

Sir H has a good point. I run Apple supported or recognised iAntiVirus (it’s free). When I first used it a while ago, two benign apps were found, cornered and removed as suggested. Since then, I’ve had no notification of any malware found on my hardware. Is iAntiVirus enough? What other free and commercial software would be suggested?

I believe there is a place where malware is found or secured but I don’t remember where that is. It was easy to trash.

A list of suggestions regarding downloading movies, pictures and other susceptible downloads would be helpful.

I run clicktoflash. Is this of any help against Flash based malware? (Just saw that Geoduck suggests it may be.)

I’m not terribly worried but I do understand that the inevitable can happen if the doors are left open. A check list of the usual suspects would be helpful.

Geoduck’s list is a good start. I shall add it to a list of todos on my VooDooPad App.

John Martellaro

geoduck: That’s a great list. I would add “Little Snitch” to monitor outgoing connections.

ilikeimac

One area I’m interested in is applications that “phone home.” “Little Snitch” is a well known solution for managing which programs can dial out, but I’d be curious to know what other programs, especially any free ones, can do this. The built-in firewall (ipfw) can block outgoing traffic, but not based on which application sends it. Do Sophos or other anti-virus products address this?

In particular, I manage one Mac as a web server; once upon a time I saw that one of its PHP scripts had a vulnerability and had been hacked; the hacker put in code that emailed out form data, and in another case pulled in data from another web server and injected it into pages as hidden content. Having something that monitored, or even intelligently blocked, such activity would be a nice extra layer of defense. Apache needs to be able to connect to the (local) database server, and send out email, but only from select PHP scripts, and (in my case) never needs to be making other outside network connections.

wab95

Well-aimed, John (no pun intended but appropriate all the same).

Overconfidence is no one’s friend. While I have never had my system hacked, a lot of this has to do with proactive protection practices. And yes, Twitter is a great place to get a realtime heads up on activities (endorse following John - jmartellaro).

Also recommend John F Braun and Dave Hamilton’s MacGeekGab (Premium is good value for money), as they cover soup to nuts, including security precautions. For example, years back they recommended a number of things one might do to harden one’s system, such as using Secure Virtual Memory (in System Preferences under Security), in addition to unchecking ‘Open safe files’ in Safari.

Other than exercising caution what is the best anti-malware app for OSX?

One of the better ones of late, at least in my opinion, is Intego’s Internet Security Barrier X6. They claim to have a minimal footprint on one’s CPU performance. Unlike other packages I have tried in the past, I only ever notice it when it finds something, and then announces something like ‘Virus Detected’ followed by ‘Virus Eradicated’ (these are Windows viruses usually in mail attachments). It basically sits in the background until needed. Besides malware/spyware, the package also provides a spam filter and data backup, both of which work reasonably well. TMO’s Nancy Gravley did a package review back on 31 March.

Also recommend MacKeeper (unfortunately similar moniker to current MacDefender threat), which includes both anti-malware as well as anti-theft to snap pics of the bad guys who steal your laptop and send them over the internet to you and the good guys.

Concur with geoduck’s list above - the tinfoil hat however is suspect.

wab95

BTW

MacKeeper link.

Lee Dronick

One of the better ones of late, at least in my opinion, is Intego’s Internet Security Barrier X6.

I wonder what is the difference between that and the Virus Barrier Plus software that they sell on the Mac App Store.

John Martellaro

Sir Harry: here’s the comparison chart.
http://www.intego.com/internet-security-barrier/

I just use the Virus Barrier—poorly named to be sure.

Lee Dronick

Sir Harry: here’s the comparison chart.
http://www.intego.com/internet-security-barrier/

I just use the Virus Barrier—poorly named to be sure.

So if I am understanding this correctly, the Virus Barrier X6 sold on their website for $50 (two Macs) is the same as the Virus Barrier Plus sold at the Mac App Store for $10. If so then the license for the one at the Mac App Store seems to be a better deal for a multiple Mac family.

urapns

VB X6 ($50 for 2 pack) is not the same as VB Plus ($10).

VB Plus
< http://www.intego.com/news/intego-releases-virusbarrier-plus.asp >

VB X6
< http://www.intego.com/virusbarrier/ >

I have 30 some users on X6 at this point.

Lee Dronick

VB X6 ($50 for 2 pack) is not the same as VB Plus ($10).

I just did a cursory comparison. Looks like the Virus Barrier 6 has a more comprehensive package, checks for spyware, has a two way firewall, and scans an iPad among other things.

From a strictly virus/malware protection standpoint, I am thinking that the two packages probably are the same. I need to think about the best way for me to go.

wab95

I wonder what is the difference between that and the Virus Barrier Plus software that they sell on the Mac App Store

As you’ve seen from John’s and urapns’ posts, VB+ is a more limited version of VirusBarrier X6, which in turn is more limited than Security Barrier X6. You can decide how much of this you need/want by looking at the links John and urapns provide.

I have been using the fuller package now since version 4, and have been happy with it. I use it on all our family computers. X6 appears to have been a substantial upgrade over previous versions in performance/features.

Jamie

I second Little Snitch - you might be amazed at how frequently your beloved Mac is establishing outgoing connections, I know I was. It isn’t expensive and is so highly configurable I consider it to be an essential at this point.

geoduck

I use Sophos because, well, I know it. I manage Sophos for work, a fairly large Active Directory network across several sites. Servers and freestanding Windows desktops all run Sophos and I manage systems remotely from the Sophos Enterprise Server. The Mac client works the same way the Win client does and it’s free.

Sophos does work a little differently than other AV software packages. It does not scan all files over and over. It checks files on access. So if a file is sitting there doing nothing, Sophos ignores it. If something makes the system take a look at the file, read it, write to it, or run it, Sophos does a quick scan to see if the file is infected. You can kick off a full system scan, which I do every once in a while, but I’ve not found anything. On-access scanning seems to take care of it.

I’ll take a look at Little Snitch.

Brad Cook

I installed iAntiVirus and tried to scan my MacBook twice. Both times, it got about halfway through the scan and stalled. Meanwhile, I received a warning that my hard disk was full. I checked the Finder and saw 0 KB available. I cancelled the scan and watched as the available disk space in the Finder climbed north of 8GB.

That was bizarre. Anyone else have that experience?

Mike R

One thing not mentioned here in the “being cautious” vein is to not run your Mac day-to-day from an account having administrator privileges. I do wish that Apple would be more strident on the dangers of that. True, some things aren’t as “seamless” when not running as admin, but it’s a whole lot safer.

Lee Dronick

One thing not mentioned here in the “being cautious” vein is to not run your Mac day-to-day from an account having administrator privileges. I do wish that Apple would be more strident on the dangers of that. True, some things aren’t as “seamless” when not running as admin, but it’s a whole lot safer.

I have been running my iMac as Admin, but this weekend I will switch that over. Not difficult because I already have a plain vanilla Admin account set up that I used for testing and troubleshooting.

As to the hassle of not running under Admin, it is not that difficult, at least in my experience. Last year when my wife and I got MacBook Pros we set them up to not run under Admin and disabled automatic login after a start. This was for security purposes as we both take our MacBook Pros out of the house. Anyway, I am now using my iMac and MBP about 50/50 and have found that I don’t need to use the admin password too often.

One thing I find interesting is that I can install Safari plugins without an admin password. I wonder if that is a weak point in security.

Mike R

One thing I find interesting is that I can install Safari plugins without an admin password. I wonder if that is a weak point in security.

Good point. The other one is Google Chrome that seems to update itself without asking for a password. I wonder if one should look at the binaries and their permissions to see if it is running setuid as “root” or something.
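As an added illustration of the check Mike R suggests (example code, not from the article or any commenter), this POSIX shell script lists every setuid or setgid executable under a directory together with its owner, so a root-owned setuid helper left behind by a self-updating application stands out. It assumes only POSIX find, ls and awk, and takes the directory to scan as its argument.

```shell
#!/bin/sh
# Added example, not from the article or its commenters: audit a directory
# tree for setuid/setgid executables and show who owns each one.
# Assumes POSIX find, ls and awk only (works with BSD and GNU versions).

# list_setuid DIR
#   Prints one line per setuid or setgid regular file under DIR:
#       owner mode path
#   -perm -4000 matches the setuid bit, -perm -2000 the setgid bit.
#   Unreadable directories are skipped silently.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null |
        awk '{
            # ls -l fields: mode links owner group size month day time name...
            # the name may contain spaces, so rebuild it from field 9 onward
            path = $9
            for (i = 10; i <= NF; i++) path = path " " $i
            print $3, $1, path
        }'
}

# count_root_setuid DIR
#   Number of setuid/setgid files under DIR that are owned by root: these are
#   the ones that let a non-admin user run code as root, so each deserves
#   a reason for existing.
count_root_setuid() {
    list_setuid "$1" | awk '$1 == "root" { n++ } END { print n + 0 }'
}

# Usage: sh setuid_audit.sh /Applications
if [ "$#" -gt 0 ]; then
    echo "setuid/setgid files under $1 (owner mode path):"
    list_setuid "$1"
    echo "root-owned: $(count_root_setuid "$1")"
fi
```

Run it against the application's install location and compare the output against the same listing after an update; a new root-owned entry is worth asking the vendor about.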

Lee Dronick

Correction. I meant to say Safari extensions, not plugins, but either way is it a concern?

wab95

That was bizarre. Anyone else have that experience?

Agreed, but no; nor have I run that particular software.

I meant to say Safari extensions, not plugins, but either way is it a concern?

I was not aware of that; it could be. You can always report it as a bug; it might end up as a security update (‘the Flashman fix?’).

wab95

Meanwhile, I received a warning that my hard disk was full. I checked the Finder and saw 0 KB available. I cancelled the scan and watched as the available disk space in the Finder climbed north of 8GB.

Just curious, but apart from the Finder window, did you look at either Activity Monitor or a third party app like iStat Menus to see if these also showed HD space loss? Also, does the software offer any services besides scanning for lifeforms?

archimedes

If you are concerned about security (but not privacy), you might consider running Chrome rather than Safari. Chrome has proven more resilient to exploits, partially because of its process-per-tab design (which helps to isolate “bad” sites from good ones) and browser sandboxing, which prevents the browser from doing things like writing files outside the Downloads folder. These are two good features which Safari would do well to implement.

brett_x

One thing I find interesting is that I can install Safari plugins without an admin password. I wonder if that is a weak point in security.

That is because Safari extensions are installed into your own directory. Any non-admin has privileges to install to their own directory. Installing a Safari extension is really no different than copying a file into your own ~/Library/Safari/Extensions folder.
Generally, if you can do it in the Finder without authenticating, another program (Safari) can also do it on your behalf without authentication.

Lee Dronick

Thanks Brett. I am assuming that Safari extensions are not a security concern, is that correct?

brett_x

I would not say that. I think anyone can write Safari extensions (they don’t need to go through Apple to get approved). According to Apple, they are “Signed and Sandboxed”, so their reach should be limited (by Safari). But I certainly wouldn’t trust ones that aren’t being hosted on Apple’s Safari Extensions site.

Lee Dronick

I have always initially got extensions at Apple, but updates from the developer’s website. The process could be a phishing ground: visit a webpage and be prompted to download a new version of Ghostery or whatever, but get some malware instead.
