Recover from a Disaster - Take Control of Security for Mac Users (2015)

Take Control of Security for Mac Users (2015)

Recover from a Disaster

I wish I could tell you that merely following all the steps in this book will guarantee you’ll never have a security-related problem with your Mac. But no one could make such a guarantee—not even if you used every single Risk Level 4 option I describe here. The combination of software bugs, human error, and clever attackers could take down the best of us.

The question is what to do next. If you’ve lost data, or you’ve discovered malware on your Mac, or someone has stolen your personal information and applied for credit in your name, you need to take action to fix the problem as soon as possible. Regardless of the type of disaster, your first step is:

1. Don’t panic.

(Repeat this step as needed until you’re no longer panicking.)

Then you can methodically undo or repair the damage. Although the exact procedure will depend on your situation, this chapter contains some suggested general steps to get you started.

Recover from Data Loss

You have terrific backups. In fact, you have three kinds—versioned backups, a bootable duplicate, and an offsite copy of your backups. I know this because you read Prevent Data Loss with Backups, and I’m confident you followed those instructions immediately. Since you have backups, recovering from data loss should be easy. (If you don’t have adequate backups, you’re going to have a much harder time, but I’ll return to that topic in Recover Deleted or Damaged Data.)

Restore Data from a Backup

Whether you’ve lost a single file or the contents of an entire disk, backups can save your bacon. In general, you have two options—restore individual files or folders, or restore your entire disk.

Restore Individual Files or Folders

If you know exactly which file(s) were affected (lost or damaged)—and the number of such files is small (a single file or folder, or a handful of files all stored in one place)—your fastest path to recovery is to use either your versioned backup or an online backup (whichever one was updated more recently). For example, suppose you use both Time Machine and CrashPlan. Time Machine runs once an hour, but CrashPlan runs continuously (subject to your preferences), so the odds are that CrashPlan will have the more recent version of the file(s). On the other hand, if the files are quite large, you’ll be able to restore a local backup much more quickly than a backup stored in the cloud. Refer to your backup software’s documentation for restoration instructions.

Restore an Entire Disk

If your Mac is lost or stolen, if its hard drive or SSD suffers a hardware failure, if the damage to your disk’s data is extensive and widespread, or if you have malware that you’re unable to remove (see the next topic, Recover from Malware), you’ll need to restore everything on your disk. You can use any of three main approaches:

· Restore the disk from your bootable duplicate. Then, if necessary, use your versioned backup or an online backup to restore just those files that had changed since you made your duplicate. See Restore a duplicate.

· Using Recovery Mode, restore your entire disk from Time Machine. This process is more time-consuming than restoring from a duplicate (it could take anywhere from several hours to overnight), and you won’t be able to use your Mac for anything else during the restoration process. If you excluded any files or folders from Time Machine, they weren’t backed up and therefore can’t be restored—you may need to fetch them from another backup later on. See Restore a Time Machine backup.

Note: If you use an app other than Time Machine for versioned backups—and that app is configured to back up every single file on your disk—you can restore from that backup instead. But you’ll need to start your Mac from a duplicate (or another bootable drive) first in order to run your backup software and restore the data; unlike Time Machine, third-party backup apps can’t run in Recovery Mode.

· Wipe your disk, reinstall OS X and all your apps from scratch, and then restore your personal data from a local versioned backup or an online backup. This is, by far, the most time-consuming restoration process, and therefore the one I’d use only if I had no other options. But if you use only cloud-based backups, this is what you’ll have to do. See Wipe and reinstall everything.

Regardless of which type of restoration you plan to do, you’ll need to take some preliminary steps:

1. Don’t panic.

2. If your Mac was lost or stolen, replace the Mac. If the disk is physically damaged, you may be able to replace the drive without replacing the Mac. (An Apple Store or authorized service provider can help you with either of these, if need be.) If the disk itself is functional but the data is damaged beyond repair, boot from another drive (such as your bootable duplicate) and use Disk Utility to erase the misbehaving disk.

Now you’re ready to restore your disk using one of the following three methods. As a reminder, these directions are somewhat general; the exact steps will depend on your situation.

Restore a duplicate:

1. If you haven’t already done so, attach the drive containing the duplicate to your Mac, restart while holding down the Option key, select the duplicate, and press Return. (This boot will take longer than usual.)

2. Once your Mac has finished booting, run the app you used to create the duplicate (such as Carbon Copy Cloner or SuperDuper). Select the duplicate as the source and your Mac’s regular startup volume as the destination, and run the cloning operation.

3. After the restoration is complete, shut down your Mac, disconnect the external drive, and then restart your Mac. It should start from its regular startup volume.

4. If you added or modified any files since the last time you updated your duplicate—and those changes were backed up as part of your versioned backups or online backups—find and restore the most recent versions of those files from the appropriate backup.

Once you’ve done this, I recommend waiting a day or two before updating your bootable duplicate—you want to hang on to that known good safety net until you’re sure the new setup is working correctly.

Restore a Time Machine backup:

1. Boot your Mac in Recovery Mode: Restart while holding down Command-R, and let go of those keys when the Apple logo appears.

2. Select Restore from Time Machine Backup, click Continue, and follow the prompts.

After the restoration is complete—and note that this could take many hours—you can restart your Mac and continue using it normally. If you also used online backups, and they contain newer versions of any of your files, you can restore them now.

Wipe and reinstall everything:

1. Boot your Mac in Recovery Mode: Restart while holding down Command-R, and let go of those keys when the Apple logo appears.

2. Select Disk Utility and click Continue.

3. In Disk Utility, select your regular startup volume, click Erase, and then click the Erase button and follow the prompts to erase it.

4. Quit Disk Utility. Click Reinstall OS X and then Continue, and follow the prompts to reinstall OS X. Your Mac restarts at the end of the process.

5. Go to  > App Store > Updates and install any updated software—especially newer versions of OS X itself.

6. Reinstall the software you use for versioned and/or online backups.

7. Use your backup software to restore the latest version of all your personal data. (I suggest starting with your most recent versioned backup stored on a local hard drive, and if you also have an online backup that’s more recent, you can restore any newer files from that afterward.)

8. Manually download and reinstall your apps. (These would come along for the ride automatically when restoring a bootable duplicate or a Time Machine backup, but most software that does versioned or online backups excludes apps, because they often have components scattered all over your disk, and without all the pieces in exactly the right places, the apps won’t work correctly.)

I’m sorry to say that Step 8 is even more involved than it appears, because you’ll probably have to reenter many license codes, passwords, and other details too, including manually resetting each app’s preferences to your liking.

Recover Deleted or Damaged Data

What if you’ve lost data and you didn’t have backups? Or you did, but they were damaged, stolen, or otherwise useless? You have a harder row to hoe, but as long as you still have a hard disk (or SSD) on which the data used to reside, don’t give up hope quite yet. Do this:

1. Don’t panic.

2. Try a disk repair app. If your problem is files that have gone missing for no apparent reason, or that are visible but inaccessible, it’s possible that your disk merely has a problem with its hidden directory of files or some other readily repairable issue. So you could use, for example:

§ Disk Utility: Restart while holding down Command-R, and let go of those keys when the Apple logo appears to start in Recovery Mode. Select Disk Utility, click Continue, and then select your volume and click Repair Disk.

§ DiskWarrior

§ Drive Genius

§ TechTool Pro

3. Try a data recovery app. These apps can search for files that have been deleted but not yet overwritten, and sometimes restore them:

§ Data Rescue

§ Stellar Phoenix Mac Data Recovery

§ TechTool Pro

4. If you were unsuccessful using a data recovery app, contact a data recovery provider, which will charge you anywhere from hundreds to thousands of dollars to use sophisticated data extraction techniques. A couple of examples:

§ The Data Rescue Center

§ DriveSavers

Of course, there are no guarantees with even the most expensive of these services—and they’re no substitute for good backups—but as a last resort they often produce miraculous results.

Recover from Malware

As I said earlier, Mac malware is rare, and most people can protect their Macs using nothing but common sense. Even so, a malware infection could occur, and if it does (or if you suspect that it has), you should take immediate action:

1. Download, install, and run one or more anti-malware apps (see Use Anti-malware Software (or Don’t)). That’s the surest way to confirm that you do indeed have malware, and the easiest way to remove it.

Note: In the case of ransomware or other malware that prevents you from booting your Mac and accessing your data normally, you may need to start up from your bootable duplicate and run the anti-malware app from that drive.

2. Restore any deleted or damaged files from a backup. (If your entire system has been rendered unusable, or if the anti-malware software you use is unable to remove the malware, you may have to erase and restore your entire disk.) Flip back to Recover from Data Loss for instructions.

3. Set your anti-malware app to scan your disk regularly for future infections.

4. If you haven’t already done so, turn off any shared resources you aren’t actively sharing, such as Screen Sharing or Remote Login. For those you are sharing, restrict access to the smallest number of people possible. (See Share Resources Securely.)

5. If you didn’t already have a firewall turned on, turn it on. If you did, review your settings to make sure you haven’t granted access to third-party apps you’re not actively using. (See Use a Firewall.)

6. If you aren’t already using an outbound firewall, consider installing one. (See Use an Outbound Firewall.)

Although Steps 3–6 are optional, they’ll help to prevent the problem from recurring in the future. But you should also take the other advice I gave in Use Anti-malware Software (or Don’t) to reduce your risk of another malware problem.

Recover from a Network Intrusion

Someone has accessed your Mac over the Internet without your permission. Wait a minute…how would you even know? After all, someone could steal your username and password, and then use it to connect and download some files without leaving a clue. On the other hand, if someone connects to your Mac with malware, you’ve probably already seen its effects (and taken action to remedy them).

But sometimes, you might encounter a fairly obvious clue that your Mac is getting unwanted network attention. For example:

· Your Mac’s pointer is moving on its own and the Screen Sharing icon appears in your menu bar (someone could be controlling your Mac via screen sharing).

· Files are appearing or disappearing mysteriously (someone could be connected to your Mac via File Sharing).

· The green LED next to your Mac’s camera is on, but you have no apps open that use it.

· Your ISP reports that a computer with your Mac’s IP address is sending out spam.

· Your inbound or outbound firewall reports unexplained network access.

If you know or suspect that your Mac has been accessed improperly over the Internet, here are the steps I suggest taking:

1. Disconnect your Mac from the Internet. That means turning off Wi-Fi using the Wi-Fi menu, and unplugging the Ethernet cable (if any).

2. Determine whether malware is involved, and if so, remove it. (Refer back to Recover from Malware.)

3. Restore any deleted or damaged files from a backup. (If your entire system has been rendered unusable, or if you’re unable to remove any malware, you may have to erase and restore your entire disk.) Flip back to Recover from Data Loss for instructions.

4. Change the login passwords for every account on your Mac in System Preferences > Users & Groups (see Improve Users & Groups Security).

5. Change the Wireless Passwords for your Wi-Fi router(s) (see Wi-Fi Passwords). Since you’ve disconnected your Mac from the Internet, you’ll need to do this from another device. (After you do this, you’ll also have to update the Wi-Fi password on every device that connects to your Wi-Fi network.)

6. If you haven’t already done so, turn off any shared resources you aren’t actively sharing (like Screen Sharing or Remote Login), and for those you are sharing, restrict access to the smallest number of people possible. (See Share Resources Securely.)

7. If you didn’t already have a firewall turned on, turn it on. If you did, review your settings to make sure you haven’t granted access to third-party apps you’re not actively using. (See Use a Firewall.)

8. If you aren’t already using an outbound firewall, consider installing one. (See Use an Outbound Firewall.)

9. Change your DNS (domain name system) servers. Go to System Preferences > Network. Select any interface in the list on the left (such as Wi-Fi) that’s connected, as shown by a green dot next to it. Then go to Advanced > DNS, delete any entries under DNS Servers, and add these two from OpenDNS: and Repeat the procedure for any additional connected (green-dot) interfaces. (I explain more about DNS-based attacks and how this procedure helps you in Take Control of Your Online Privacy.)

Once you’ve done all that, you can reconnect to the Internet—either reattach your Ethernet cable or turn on Wi-Fi using the Wi-Fi menu.

Recover from a Phishing Attack

Anyone can fall prey to a phishing attack, in which you get tricked into entering your username and password (or other personal information) on a bogus site that looks like the real thing. Although the steps that I recommended in Surf the Web Safely can certainly reduce your risk, they aren’t a guarantee. (And, because you could respond to a phishing email on a device other than your Mac, the safeguards you put in place there won’t help you.)

Phishing is almost never intended to give the attacker direct access to your Mac itself, but more commonly to your online accounts (such as iCloud, Gmail, Amazon, PayPal, your bank, and so on). But a successful phishing attack can nevertheless have consequences for your Mac. For example, someone who tricked you into supplying your iCloud password could delete all your email, contacts, calendar items, and iCloud Drive documents—and potentially, even wipe all the data off your Mac.

The results of a phishing attack vary depending on who carried it out and for what purpose. Therefore, I can’t offer a one-size-fits-all recovery plan. However, I can offer a number of tips that may apply in your situation.

Was It Phishing?

How do you know you’re the victim of phishing? Often there’s no smoking gun, and you can only infer what the likely cause was. And, some of the symptoms of a phishing attack mimic those of a malware infection or network intrusion, so you may need to do some sleuthing (or ask your friendly neighborhood computer geek for help) to get to the bottom of it. But here are some signs to look for:

· One or more of your passwords is rejected even though you’re certain you entered it correctly—particularly those for your email account, iCloud, or your bank.

· A large amount of email, contact, or calendar data suddenly goes missing even though your account appears to be online. Or, new items of these types appear that you didn’t create.

· Documents mysteriously disappear from cloud storage services (iCloud Drive, Dropbox, OneDrive, and so on).

There are other reasons besides phishing that these things could happen, so don’t jump to any conclusions based on a single piece of data, such as a handful of missing email messages. But if you have one or more of these symptoms and recall entering your credentials in an unfamiliar way recently (such as clicking a link in an email message asking you to “confirm” or “verify” an account that’s been in use for a long time), phishing is almost certainly the cause.

Assess Phishing Damage

Phishing always starts somewhere—a gateway account, if you will. In some cases, the damage is limited to just that account, so fixing the problem is relatively straightforward. But if the password you used for the compromised account is the same as the one you used for other accounts, any or all of them could also be compromised. And, because email is often used as a password reset mechanism (to prove you are who you say you are), an attacker who gets access to your email account can go to lots of other sites, click the “forgot password” link, and use the information emailed back to your account to access those other accounts even if the passwords were different.

So the first thing to do immediately when you suspect you’ve fallen prey to phishing is to see how far the damage spreads (as best you can). Here are some things to look for, making a list as you go:

· Check the Inbox and the Sent, Junk, and Trash mailboxes for all your email accounts to see if the attacker has sent any messages under your name, requested or received password resets, or done other damage. Make a note of any accounts involved.

· Check your email provider’s preferences online (by going to, for example, or to see if the attacker has enabled forwarding messages to another account, or set up a different account for password recovery messages. (And if so, turn those off immediately—I’ll talk about additional steps you can take in a moment.)

· Check the online transaction history for your bank accounts, PayPal, and any other financial institutions.

· Check your online purchase history for Amazon, iTunes, and any other providers where you have stored credit card information.

I don’t want you to waste hours performing a forensic analysis. You should run through that list in just a few minutes and then turn your attention to repairing the damage—but your chances of staying ahead of the attacker are better if you have a fairly good sense of the scope of the damage.

Repair Phishing Damage

Undoing the damage of phishing can sometimes be a long, frustrating process, and the steps will vary according to the situation. Here are some suggestions.

Change Your Passwords

Your first step is of course to change your passwords. Begin with the account you know or suspect to have been the first one compromised, and then (as quickly as you reasonably can) change your passwords for all the other affected accounts on your list. (Even if you think they weren’t affected, it’s a good idea to change the passwords used for iCloud, online banking, and cloud storage or backup services.) Be certain each of your new passwords is unique, long, and random—a password manager can ease the pain of generating and storing these passwords. Refer back to Improve Your Passwords for more help.

You shouldn’t necessarily stop with the accounts you know to have been compromised—there could be others you haven’t found out about yet. But changing dozens of passwords will take a while, so I suggest taking care of those you know about first and then returning to other key accounts later on—especially any for which you used the same password as for another account.

What If the Attacker Changed Your Password?

If the attacker has already changed your password, you won’t be able to log in to your own account to change it again. Virtually all online accounts have some type of recovery method (such as the ubiquitous “forgot password” link), but if you use one of these and the recovery message is sent to an email account that’s also compromised, you might not get it—and the attacker will know you’ve caught on.

Every site and service deals with fraud of this kind differently; you’ll have to search each provider’s Web site for details. If you’ set up a secondary email account or phone number to be used for verification—and that other method hasn’t also been compromised—you can probably use that to prove your identity and change your password. Or you may have to telephone a customer service department and confirm your identity in some independent way (such as answering security questions to which you previously supplied answers), faxing a copy of your photo ID, or jumping through other hoops.

Restore Deleted Data

If any data (email, contacts, files, etc.) was deleted, you might be lucky enough to find it in the Trash of the relevant app or service, so you can restore it by dragging it back to where it should be. If you’re unlucky, you’ll have to restore your data from backups (refer back to Prevent Data Loss with Backups). If you don’t have adequate backups, but your data was stored in the cloud, contact the provider to see if it’s possible for them to restore your data from another source.

Take Additional Preventive Measures

Even though you have new and better passwords now, you ought to consider turning on two-step verification where it’s available (see Use Two-step Verification to learn about doing this for iCloud).

I also suggest setting up a new, separate email account with a provider you don’t already use (for instance, if your main provider is Gmail, try iCloud,, or Yahoo). Make sure that account has a super-strong, unique password, and use it only as the secondary (or password recovery) account for services that let you supply one.

Recover from Identity Theft

If someone merely steals your credit card or social security number, that by itself does not constitute identity theft. Rather, identity theft occurs when someone uses stolen personal information to impersonate you and make purchases, apply for credit, or commit other fraud in your name. Sometimes you may find out about this only after hearing from a bank or other financial institution that a new account was created for you when you didn’t initiate it, being denied credit because of activity you weren’t aware of, or receiving bills for accounts or services that aren’t yours.

Identity theft is more than an inconvenience—it’s a serious crime. The appropriate ways to deal with this crime vary according to your country of residence, but I’ll outline the steps you should take if you live in the United States. The U.S. Federal Trade Commission (FTC) has a helpful page on recovering from identity theft that makes several key suggestions. Based on the FTC’s list, here’s what I recommend:

1. Call any of the three credit reporting companies. Ask the person you speak with to place a fraud alert on your credit report. (Whichever agency you choose is obligated to inform the other two.) While you’re on the phone, request a copy of your credit report, which is free if you’re the victim of identity theft. The agencies are:

§ Equifax: 1-800-525-6285

§ Experian: 1-888-397-3742

§ TransUnion: 1-800-680-7289

2. Now call the other two agencies and again request copies of your credit report.

3. Contact the fraud department of each bank or other financial institution where there’s an affected account (whether that account is legitimately yours or not) and report what happened. In most cases, the institution will send you a fraud affidavit to fill out and return by mail.

4. Create an Identity Theft Report on the FTC’s Web site. At the end of the process, you’ll have a document called an Identity Theft Affidavit (and a reference number). Keep a copy of the affidavit and reference number in a safe place.

5. File a police report, which will require a printed copy of your Identity Theft Affidavit. Be sure to get a copy of the police report and save it with your other records.

At this point, the FTC, the police, and/or the affected financial institutions will begin an investigation, which may take several months. Depending on the circumstances, you may be asked to submit additional paperwork, and you may have to write letters to the credit bureaus and financial institutions to close fraudulent accounts and correct errors.

Meanwhile, be sure to change the passwords for any affected accounts. And, sorry to say, because you’ve been the victim of identity theft, your risk level has increased to at least 3 and perhaps 4—so review this book and take appropriately stronger security measures.