Fortify Your Mac’s Defenses - Take Control of Security for Mac Users (2015)


Fortify Your Mac’s Defenses

In the previous chapter, I talked about ways to ensure that the data you send and receive with your Mac isn’t intercepted, monitored, or hijacked in transit. But however secure your Mac’s connection with another computer may be, that computer could still send your Mac dangerous software, or someone could attempt to break into your Mac remotely. Conversely, software already on your Mac could make connections to distant servers without your knowledge and send them information you’d rather keep private. This chapter discusses ways of keeping your Mac and its data safe from outside attacks, many of which arrive in the form of malicious software, or malware.

Use Anti-malware Software (or Don’t)

“I thought Macs didn’t get viruses.” I can’t tell you how many times I’ve heard statements like that, and how dizzy I’ve gotten from all the eye-rolling I did as a result. There’s a kernel of truth in that claim, but it’s far from the universal principle people often imagine it to be.

Let’s talk about the true-ish part first.

Malware that can run on Windows outnumbers Mac malware by a factor of at least 1,000. I’ve seen estimates ranging from a bit over 100,000 to many millions of Windows malware variants, but even the most generous estimate puts the number of Mac malware programs in the mere hundreds. Furthermore, of those Mac malware programs, the vast majority are outdated and thus unable to run on current Macs, are only proofs of concept that have never been seen “in the wild,” or are effectively blocked by OS X’s built-in security measures. So, in terms of sheer numbers, the odds favor Mac users.

But let’s be clear: there’s nothing inherent to the design of OS X that makes it intrinsically immune to malware. Security holes have indeed been uncovered and exploited by malware, and that will continue to happen. Although the bad guys generally like to focus on the largest targets, the statistical accident that there are more PCs out there doesn’t count as protection. And sure enough, in the last few years there have been some dangerous and fairly widespread infestations of Mac malware.

You’ll notice, by the way, that I keep saying “malware” and not “viruses.” That’s because another true-ish aspect of the “Macs don’t get viruses” claim is that a virus is a very specific kind of malware that can replicate itself and become part of a file or another app, and I could probably count on one hand the number of actual Mac viruses that have ever been in the wild. Other kinds of Mac malware, particularly Trojan horses (malicious software disguised as something useful), are much more common. Although lots of people use the term “virus” loosely to mean any sort of malicious software, I prefer to call a spade a spade.

About Ransomware

One especially vicious type of malware is called ransomware. You download and run an infected app, and it quietly starts encrypting your files, including anything on external or network drives that happen to be mounted at the time. Then it displays a ransom note: send hundreds of dollars (in hard-to-trace Bitcoin or other virtual currency) to a certain address by the specified date and we’ll give you the key to decrypt them. Fail to comply, and the key is destroyed, leaving your files scrambled forever. (A less-severe variant simply tries to lock you out of your Web browser.)

Ransomware for OS X is rare, but it does exist. You guard against it the same way you guard against any other malware. But if you have a full, offsite backup of your Mac’s disk (see Prevent Data Loss with Backups), you have an ace in the hole: it doesn’t matter if every file is scrambled, because you can restore them without paying a penny. The offsite part matters here, since a backup drive that’s connected when the ransomware runs can be encrypted right along with the originals. That’s just one of many reasons I consider excellent backups to be one of the most important security measures you can take.

We’ve established that Macs can be infected with malware, and sometimes are—even if statistics are on our side. Now the question is, what—if anything—should you do about it?

To answer this question, let me use the analogy of pathogens (viruses, bacteria, parasites, and so on) that can make humans sick. You were probably vaccinated against illnesses that are common in the area where you grew up. If you travel to an area where other diseases are widespread, you’ll want to get vaccinated against those, too—but there’s no point in going to the bother, expense, and pain otherwise.

Before I went to Indonesia the first time at age 19, I got a typhoid vaccination. There wasn’t any typhoid fever in the United States, but there certainly was where I was going, so it made sense. And sure enough, I didn’t get typhoid fever. Unfortunately, I did contract malaria—even though I was conscientiously taking anti-malarial medicine. It turns out that the mosquito that bit me was carrying a strain of malaria that was resistant to the particular drug I’d been given. (I survived, though. Thanks for asking.)

At the risk of oversimplifying, the same rules apply to Mac malware. If you avoid the circumstances in which malware typically spreads, your chances of being infected drop dramatically. When you can’t avoid those circumstances, appropriate software will boost your immunity. But just as I got malaria despite taking preventive drugs, running anti-malware software on your Mac doesn’t mean that a clever new exploit won’t find its way in—and meanwhile, you might experience unwanted side-effects from the very software you use to protect yourself.

As with everything in the world of security, all you can do is improve your odds. So, when it comes to malware, here are my recommendations. First, everyone (regardless of risk level) should do the following:

· Keep Your Software Up to Date. Don’t let your Mac fall victim to a security hole that has already been plugged! Staying on top of software updates—especially those from Apple—is a crucial defense.

· Use a Firewall. I cover this topic just ahead.

· Use a good spam filter. Email is one of the most common ways for malware to spread, and a good spam filter will zap it before it hits your Inbox. (If your email provider doesn’t offer effective server-side filtering, I recommend SpamSieve.)

· Stay out of the bad neighborhoods. I’ve said it before and I’ll say it again: sketchy Web sites, such as those that traffic in pirated software and media, porn, and gambling, are bad news for your security. If I were looking for malware, that’s where I’d go. For example, one highly publicized Trojan horse spread because it was inserted in a pirated version of a popular Mac app that was posted on a “warez” site. You play with fire, you get burned.

· Practice common sense. Don’t click links in email messages when you aren’t absolutely certain of the message’s authenticity, don’t download software from suspicious sites, and read all dialogs asking for your password—make sure you know who’s asking and why.

If you do all those things, then your odds of a malware attack are quite low, and that should be sufficient for people at Risk Level 1 or 2.

But if you’re at Level 3 or higher, if you share your Mac with family members who might be less careful than you when it comes to downloading apps, if your work as an undercover agent requires you to spend time in the shady corners of the Internet, or if your employer mandates anti-malware measures no matter what, then it’s time to think about adding anti-malware software to the mix.

You might be surprised that I don’t recommend anti-malware apps to everyone. That’s because, in my experience—I’ve tested lots of them—the cure is often worse than the disease. That is, many anti-malware apps use so much of my Mac’s resources constantly scanning for threats that my performance goes way down, and they’re often quite intrusive, repeatedly prompting me to make decisions or reminding me of their progress. (Some are certainly much less intrusive and resource-intensive than others—your mileage may vary.) But not once has an app found any malware installed on any of my Macs. Which means either that there wasn’t any (most likely) or that the software wasn’t effective. Either way, it wasn’t worth the hassle for me.

However, if I suddenly found myself at a higher risk level, if Mac malware started to become far more common, or if I didn’t feel Apple was addressing the threats promptly enough, I might well change my mind.

So, it’s entirely up to you—I’d hate for you to waste time (and perhaps money), slow down your Mac, and have to deal with lots of interruptions for nothing—but if you want to take every possible measure to protect yourself from malware, get an app.

There are a number of free anti-malware apps for Mac, including:

· Avast Free Mac Security

· Avira Free Mac Security

· ClamXav

· Comodo Antivirus for Mac

· Sophos Anti-Virus for Mac

Paid anti-malware apps (which are likely to offer better support and more-frequent updates) include:

· Bitdefender Antivirus for Mac

· F-Secure Anti-Virus for Mac

· Intego VirusBarrier (part of various software suites, including Intego Mac Internet Security, Intego Mac Premium Bundle, and Intego Family Protector Secure)

· Norton Security

· Panda Antivirus for Mac

Warning! Sometimes so-called security software is itself dangerous. A good example is a rather disturbing app called MacKeeper, which you should be especially wary of. See Peter Cohen’s look at MacKeeper and its business practices in What ‘MacKeeper’ is and why you should avoid it at iMore.

Now, if you were hoping for a detailed comparison of these apps or specific recommendations…sorry, I can’t help you. Regardless of performance, user interface, or any other feature, the question that matters most about any anti-malware package is: Will it find and stop the next threat? And because that threat hasn’t appeared yet, no one can know. I can say, “This company is highly regarded” or “This app isn’t so terrible when it comes to performance,” but those factors are neither here nor there if new malware appears and whichever app you chose doesn’t catch it. No matter how you slice it, it’s a gamble. All I can really say is look at the descriptions, pick a winner, and carry on.

About Windows Malware on Your Mac

OS X can’t run Windows programs, so a Windows executable that lands on your disk (say, as an email attachment) can’t do any damage there; it’s simply inert. The exceptions are things that aren’t tied to Windows in the first place: a malicious macro in a Microsoft Office document can run in Office for Mac if you enable macros, and malware written for a cross-platform runtime such as Java can run wherever that runtime is installed. Treat those like any other untrusted download.

Many Mac anti-malware apps can identify Windows malware too (for example, an infected executable or Office document that arrives as an email attachment). Even when it can’t harm your Mac, removing it keeps you from passing it along to Windows users.

However, if you’re running Windows on your Mac (using Boot Camp, or virtualization software like VMware Fusion or Parallels Desktop), you should absolutely run Windows anti-malware software within your Windows installation—your Mac anti-malware app normally won’t help.

Tip: For another perspective on Mac anti-malware software, read Do You Need Mac Antivirus Software in 2013? by TidBITS Security Editor Rich Mogull—and yes, it’s still valid in 2015.

Use a Firewall

A firewall is a program that monitors inbound network activity and selectively allows or blocks connections according to a set of rules. Firewalls are usually designed to protect your computer from malicious access over the Internet, although the same machinery can also be used to filter content and for a variety of less-helpful purposes.

OS X includes a built-in firewall that’s expressly designed to be as simple as possible. In contrast to traditional firewalls whose rules are applied to particular ports, protocols, or IP addresses, the OS X firewall is based on applications—you can specify, for each app, whether to block or allow incoming connections. The firewall is easy to turn on and adjust, and it won’t do any harm, so I recommend using it. The worst that can happen is that an app will produce an error message, and then you allow it to accept connections with a couple of clicks, and the problem goes away.

To use OS X’s built-in firewall:

1. Open System Preferences > Security & Privacy > Firewall.

2. Click the lock icon in the lower left of the window, enter your administrator username and password, and click Unlock.

3. If the window doesn’t already say Firewall: On, click the Turn On Firewall button. The pane should now look like Figure 11.

**Figure 11:** Here’s where you configure the built-in OS X firewall.


The default settings should be adequate for just about everyone. You’ll be prompted to Deny or Allow access to specific apps when they begin listening for outside connections, and OS X remembers your choice. (You can always change your mind later.) One default to be aware of: the Automatically Allow Signed Software to Receive Incoming Connections option in Firewall Options is checked, so apps with a valid code signature, which includes everything from Apple and most apps from established developers, are allowed without a prompt.

4. If you want to customize your firewall settings, click Firewall Options (Figure 12).

**Figure 12:** Customize your firewall options in this dialog.


I’m not going to detail every option here, but the screenshot above shows a bit of how I have my own firewall configured; click the Help button to learn about each setting. I do, however, want to draw your attention to two items:

§ Block All Incoming Connections: Don’t check this box. It might look fantastically secure, but it shuts off every sharing service (File Sharing, Screen Sharing, and so on) and every app that listens for connections, leaving only basic services such as DHCP, Bonjour, and IPSec. That makes your Mac far less usable, and I don’t think it’s a reasonable trade-off.

§ Application settings: For any app in the list, click the pop-up menu to its right and choose either Allow Incoming Connections or Block Incoming Connections. Whichever setting you choose applies to the whole app—you can’t pick just certain activities to allow or block.

The firewall settings take effect immediately. When an app that’s not already listed starts listening for connections, an alert appears (see Figure 13). Click Deny or Allow; this choice is then reflected in the list shown in Figure 12, where you can later change it if you like.

**Figure 13:** When an app starts listening for incoming connections, click Deny or Allow in this dialog to modify the firewall’s settings accordingly.


Note: If your Mac uses NAT (as is the case for most computers that connect to the Internet via a home broadband router), you already have a certain amount of protection against outside access, but it’s not foolproof—and it doesn’t hurt to use your computer’s firewall too.
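If you manage more than one Mac, or just want to confirm a setting without clicking through System Preferences, the same firewall can be inspected and changed from Terminal with Apple’s socketfilterfw tool. The following shell script is an added example of mine, not code from the book or from Apple: it audits the application firewall, applies the recommendations above (firewall on, Block All off), and blocks or allows a specific app. The parse_state helper and the exact wording of socketfilterfw’s output that it matches are my assumptions; the audit also prints the stealth-mode setting, which the text doesn’t discuss.

```shell
#!/bin/sh
# Added example, not from the book: audit and configure the OS X application
# firewall from Terminal with Apple's socketfilterfw. Run on a Mac with sudo;
# parse_state is pure shell so it can be exercised anywhere.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Map "socketfilterfw --getglobalstate" output to on/off/unknown.
# Output strings assumed from observed versions:
# "Firewall is enabled. (State = 1)" and "Firewall is disabled. (State = 0)".
parse_state() {
    case "$1" in
        *"Firewall is enabled"*)  echo on ;;
        *"Firewall is disabled"*) echo off ;;
        *)                        echo unknown ;;
    esac
}

# Print the current firewall configuration; return 0 only if it is on.
audit_firewall() {
    if [ ! -x "$SFW" ]; then
        echo "socketfilterfw not found; this only works on OS X" >&2
        return 2
    fi
    state=$(parse_state "$("$SFW" --getglobalstate)")
    echo "application firewall: $state"
    "$SFW" --getblockall        # the Block All Incoming Connections box
    "$SFW" --getstealthmode     # whether the Mac answers probes such as ping
    "$SFW" --getallowsigned     # auto-allow for code-signed apps
    "$SFW" --listapps           # the per-app Allow/Block list from Figure 12
    [ "$state" = on ]
}

# Apply the settings recommended in the text: firewall on, Block All off.
enable_firewall() {
    sudo "$SFW" --setglobalstate on
    sudo "$SFW" --setblockall off
}

# Add an app to the list and block its incoming connections, e.g.
#   block_app /Applications/SomeApp.app   (path is a placeholder)
block_app() {
    sudo "$SFW" --add "$1"
    sudo "$SFW" --blockapp "$1"
}

# Allow a listed app's incoming connections again.
allow_app() {
    sudo "$SFW" --unblockapp "$1"
}
```

Save the script, source it in Terminal (. ./firewall-audit.sh), and then run audit_firewall or enable_firewall; the sudo commands prompt for your administrator password, just as the lock icon in System Preferences does.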

The Other OS X Firewall

Although the application firewall is simple to use, OS X also has another built-in firewall that’s many times more sophisticated. (OS X has included the BSD packet filter pf since Lion, alongside the older ipfw firewall; Yosemite dropped ipfw, leaving pf as the only one.) If you want endless flexibility in configuring exactly what your firewall can do, perhaps this secondary firewall is for you.

It takes some command-line mojo to do anything useful with pf. As an alternative, try Murus (Free, Basic, or Pro), which provides a more human-friendly (if still complex) graphical front-end to pf.
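To give a sense of what that command-line mojo looks like, here is an added example (my own, not from the book or from Apple) of a small pf ruleset in the port, protocol, and address style that the application firewall can’t express: deny everything inbound, allow everything outbound, and admit SSH only from one LAN range. The 192.168.1.0/24 range is an assumed placeholder; the pfctl flags used (-nf to syntax-check, -f to load, -e and -d to enable and disable, -sr to list rules) are standard.

```shell
#!/bin/sh
# Added example, not from the book: a minimal pf ruleset for a Mac that
# blocks all unsolicited inbound traffic, allows everything outbound, and
# admits SSH only from one LAN range. Needs sudo on Yosemite or later.

# Emit a ruleset for the given LAN range (the 192.168.1.0/24 default is an
# assumed placeholder; change it to match your network).
make_ruleset() {
    lan="${1:-192.168.1.0/24}"
    cat <<EOF
# Drop silently instead of sending RSTs or ICMP unreachables
set block-policy drop
# Never filter loopback
set skip on lo0
# Default deny inbound; replies to our own outbound connections still
# get in because they match a state entry, which is checked before rules
block in all
# Allow all outbound and keep state so the replies come back
pass out all keep state
# Admit SSH only from the LAN
pass in proto tcp from $lan to any port 22 keep state
EOF
}

# Syntax-check, then load the ruleset and enable pf.
# Caveat: "pfctl -f" replaces the whole ruleset, including Apple's own
# com.apple anchors, and nothing loaded this way survives a reboot. For a
# permanent setup, reference your rules from an anchor in /etc/pf.conf.
load_ruleset() {
    f=$(mktemp /tmp/pf.XXXXXX) || return 1
    make_ruleset "$1" > "$f"
    if ! sudo pfctl -nf "$f"; then
        echo "syntax error in ruleset, nothing loaded" >&2
        rm -f "$f"
        return 1
    fi
    sudo pfctl -f "$f" && sudo pfctl -e
    rm -f "$f"
}

# Show the rules currently loaded.
show_rules() {
    sudo pfctl -sr
}

# Turn pf off again (loaded rules stay in memory but are not applied).
disable_pf() {
    sudo pfctl -d
}
```

Run make_ruleset first to see the text it would load, then load_ruleset 192.168.1.0/24 (or your own range) and show_rules to confirm; if you lock yourself out of something, disable_pf puts you back where you started.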

OS X’s built-in firewall should be adequate for nearly everyone, and (per the sidebar above) pf is there for those who want something more. But, for what it’s worth, there are also several third-party firewalls, and you might like the features or interface of one of these even better:

· Intego NetBarrier (part of various software suites, including Intego Mac Internet Security, Intego Mac Premium Bundle, and Intego Family Protector Secure)

· Little Snitch

· Norton Security

Securing Your Microphone and Camera

Most Macs (everything except the Mac mini and Mac Pro) have a built-in camera and microphone. I have heard of malware that’s designed to spy on you by listening to what your mic picks up and/or watching what your camera sees. In fact, it’s even possible for malware to turn on your camera without activating its little green activity LED. As always, preventing this malware from getting onto your Mac in the first place is the best defense. Next best is to use an outbound firewall (covered next) to catch and block the outgoing data.

If you’re exceptionally paranoid, you can use Parental Controls (described in the sidebar just ahead) to disable the camera, though that works only for a managed account, not for an administrator. For a more-certain solution, just put a piece of opaque tape over it. To turn off your Mac’s built-in mic, go to System Preferences > Sound > Input and move the Input Volume slider all the way left, but be aware that software could override this setting without your knowledge.

Use an Outbound Firewall

I said a moment ago that a firewall monitors inbound Internet traffic, which is generally true. However, some firewalls monitor outbound traffic (instead of, or in addition to, incoming traffic). The main reason is to make you aware of—and enable you to block—software that might be sending out private information invisibly in the background.

Plenty of software connects to the Internet without any visible interface, and it’s nearly always perfectly legitimate. Your email program downloads messages in the background, many apps check periodically for software updates, Dropbox syncs newly changed files, and so on. These activities are fine, but if you downloaded malware that secretly logs your keystrokes and tries to connect to a server somewhere to send them to an attacker, that’s a problem. And, while some software “phones home” to validate licenses or send registration data, a few unscrupulous developers have been known to collect and send personally identifiable data without users’ consent, and that’s totally uncool.

Although some outbound firewalls can help identify the activity of malware (after it’s already installed and running), they’re less about security than about privacy. That is, you might use software like this to prevent personal information from falling into the wrong hands, but that’s not, in the strictest sense, a security measure.

I’ve tried a few outbound firewalls, and I’ve found most of them extremely annoying—given default settings, they’re constantly popping up alerts about outgoing connections, the vast majority of which are innocuous but all of which (thanks to the firewall!) now require attention. (To be fair, you can approve any outgoing connection so you’re interrupted only the first time it appears—but I find this happens often enough to be irritating.) And they tend to induce paranoia by making it seem that all this legitimate behavior is suspicious. As with anti-malware apps, this sort of annoyance might be worth it if the outbound firewall were in fact protecting my privacy, but if I end up approving every outbound connection anyway, it’s hard to see the benefit.

However, I’m not at Risk Level 4—candidly, I have little to lose if some rogue app leaks information about me behind my back. If you’re likely to be targeted individually for highly sensitive information, then I wouldn’t hesitate to recommend using an outbound firewall and enduring the inconvenience for the sake of privacy.

If you want to try an outbound firewall, here are some options:

· Intego NetBarrier (part of various software suites, including Intego Mac Internet Security, Intego Mac Premium Bundle, and Intego Family Protector Secure)

· Little Snitch

· Murus Basic and Murus Pro

· Norton Security

· Radio Silence
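Before installing any of these, you can get a rough, one-time version of what an outbound firewall shows you with lsof, which is built into OS X: a list of which processes currently hold connections to which remote hosts. The script below is an added example of mine, not from the book or from any of the products listed. The sample lsof output embedded in it is constructed for illustration (documentation IP ranges, assumed process names) so the parser can be tried without a live system.

```shell
#!/bin/sh
# Added example, not from the book: a manual, one-shot look at outbound
# connections using lsof (built into OS X), roughly what an outbound
# firewall shows you continuously. Use sudo to see other users' processes.

# Turn lsof's established-TCP listing into "command pid remote" lines.
# lsof prints a header row, then one row per socket whose NAME column
# looks like "local:port->remote:port (ESTABLISHED)".
summarize_connections() {
    awk 'NR > 1 && $NF == "(ESTABLISHED)" {
        split($(NF-1), ends, "->")
        print $1, $2, ends[2]
    }'
}

# Live snapshot. -n and -P skip DNS and service-name lookups, which is
# faster and avoids a lookup itself revealing what you are examining.
list_outbound() {
    lsof -nP -iTCP -sTCP:ESTABLISHED | summarize_connections
}

# Processes holding the most remote connections; a "phoning home" app
# tends to stand out here.
top_talkers() {
    list_outbound | awk '{ c[$1]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample of lsof output (not a real capture) for trying the
# parser: documentation IP ranges, assumed process names and PIDs.
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Mail       412 alice   23u  IPv4 0x1a2b      0t0  TCP 192.168.1.10:52114->198.51.100.10:993 (ESTABLISHED)
Dropbox    533 alice   31u  IPv4 0x1a2c      0t0  TCP 192.168.1.10:52201->203.0.113.5:443 (ESTABLISHED)
Dropbox    533 alice   32u  IPv4 0x1a2d      0t0  TCP 192.168.1.10:52202->203.0.113.6:443 (ESTABLISHED)
sshd       777 root     3u  IPv4 0x1a2e      0t0  TCP *:22 (LISTEN)'

# Run the parser over the constructed sample (listening sockets are
# skipped; only established outbound connections are reported).
sample_summary() {
    printf '%s\n' "$SAMPLE_LSOF" | summarize_connections
}
```

Source the script and run list_outbound a few times over a day; anything you don’t recognize in the command column, or a familiar app talking to a host you wouldn’t expect, is exactly the kind of thing an outbound firewall would have asked you about.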

Parental Controls

Of the several varieties of OS X user accounts (see Improve Users & Groups Security), one of the least employed but most useful types is the managed user—one for whom an administrator determines exactly which apps, resources, and features are available, and when. Managed user accounts are most commonly created for children, and as a result the place where you set their restrictions is the Parental Controls pane of System Preferences. But you can use the same controls to expand or limit accounts for the guest user, temporary users, or anyone else who should have limited access to the Mac.

If you don’t yet have any managed users, you can add one in the Users & Groups pane of System Preferences, or you can go to System Preferences > Parental Controls, click Continue, and follow the prompts to add one there.

Once a managed account exists, you can select it in the Parental Controls pane and then configure numerous restrictions, divided into five categories:

· Apps: Permit only certain apps, widgets, and utilities to be used.

· Web: Specify which Web sites may be visited, or let OS X attempt to block adult sites automatically.

· People: Restrict the people with whom the user can communicate in Mail and Messages, and restrict Game Center access.

· Time Limits: Specify when the user may log in and for how long.

· Other: Disable the built-in camera or Dictation, hide profanity in the Dictionary app, limit printer administration, prevent the user from changing the account password, and limit CD and DVD burning.

Most of the settings in Parental Controls are self-explanatory, but if you want all the details, check out Chris Breen’s thorough Macworld article Configuring Parental Controls.