Posted on 09/23/2008 12:26:52 AM PDT by Swordmaker
Viruses are not the problem, you are. We separate fact from myth to expose the genuine security risks threatening Mac users everywhere.
When it comes to protecting your Mac from the dangers lurking in cyberspace, it's sometimes difficult to know whose advice to follow. If Apple had its way, you'd take it on faith that your Mac is the most secure computing platform around. But if you scan the software shelves at an Apple Store, or even Best Buy, you'll see lots of Mac security titles, from antivirus to Internet security to personal firewalls. You might assume that if the software exists, there must be some dire threats you didn't know existed. As you might guess, though, the truth falls somewhere in between "There's nothing to worry about" and "They're out to get you." To uncover the truth, we talked to a cadre of security experts with experience protecting Macs and Windows machines. Because as much as we'd like to live life without exposing ourselves to the W-word, it is the most common operating system in the world (at least for now), and like it or not, you're exchanging info with Windows users all the time, which means that if you care about the integrity of your data, and your Mac, securing both should be a concern. Computer security's not fun or sexy, but it's one of life's necessities. And it's not a major undertaking to safeguard your Mac, as long as you know what the real threats are.
Harris Weisman is the information security officer for a regional bank. He oversees data and network security for the entire organization, including customers' bank accounts and transaction information.
Weisman polices a network of 400 or 500 computers dominated by machines running Microsoft Windows. At home, however, the Certified Information Systems Security professional responsible for securing data worth millions of dollars has a different computer: a MacBook Pro. "I am tired of having to deal with all the Windows issues that keep popping up," says Weisman. "I get enough of this at the bank and don't want to deal with it at home." Aside from the operating system, he has also been a longtime fan of Apple's industrial design.
Enthusiastic Mac users have been boasting that the Mac OS X is more secure than Windows for over a decade. They rely on personal experiences and those of their friends, as well as anecdotes and marketing messages to come to this conclusion. Most Mac users considering the question don't share Weisman's experience as a security professional.
"I think out of the box, Mac OS X is more secure, and you can increase the security with other applications," says Weisman. "And, joy of joys, it's still usable. Couple that with small market share for the Mac, and you have a good combination. If you really lock down Windows, you can make it secure, but then you essentially get a useless box."
Though Apple has been selling more Macs lately (it sold 2.5 million machines in the third quarter of this year, according to the company's earnings call on July 21), Weisman doesn't see the growing Mac user base as a problem. "I still think Mac OS X is better," he says. "Apple is more willing to issue updates than Microsoft is, at least for now."
Who's The Enemy?
Mac OS X's Unix underpinnings and the lack of viruses on the platform relative to those that affect Windows lead many Mac users to believe that they are immune just because they use a Mac. The notion of catching a computer virus seems foreign to many Mac users, while Windows users have been dealing with the threat for over a decade.
However, any discussion of computer security that limits itself to viruses is shortsighted. The real threat to Mac users, right now, is not virulent code. It's the security holes in applications or the operating system, known and unknown, that attackers could try to exploit. True, such exploits are not technically viruses, but that doesn't make them good for you or your Mac.
The truth about Mac security (if this truth actually has anything to do with the Mac at all) is that the biggest security hole in computing today is usually located between the chair and the keyboard. That's what you'll hear if you ask Mike Romo, Macintosh project manager for Symantec, which develops and publishes security software, including the well-known Norton Utilities suite. Romo cites user complacency as the No. 1 threat on the Mac.
"I am not going to jump up and down and rant that everyone needs to run antivirus; that would be idiotic," says Romo. "But that being said, in mid-June we had four threats come out in six days, including a keylogger."
Keyloggers record keystrokes. A legitimate use for a keylogger would be for a computer owner to record his computer's keystrokes, perhaps to see how it is being used. When the computer owner is unaware that a keylogger is installed (as was the case with the AppleScript.THT Trojan Horse discovered in mid-June), that's called malware or spyware, and odds are, a malicious person is trying to use it to capture passwords and gain access to sensitive data.
"Now I can't say there is no real spyware for the Mac," says Romo. "That's a big deal, I think. We also saw the first dual-platform threat that masqueraded as a video codec on porn sites; things are changing, you know?"
Is your info safe from the black market?
"I doubt it will ever be like Windows," Romo says of the security threats facing Mac users, "but even Windows isn't like Windows a few years ago."
Romo's employer, Symantec, publishes a semiannual document called the Internet Security Threat Report, which analyzes and discusses threats and identifies trends. The April 2008 edition of the report notes that threats have moved largely onto the Web and that the primary targets have become individual users and their personal information.
"Gone are the days of a single threat infecting hundreds of thousands of users," says Romo. "Now the threats are much more targeted and only need to hit a few users to get the information the attackers are looking for."
Perhaps one of the most alarming revelations in the report is what Symantec calls the emergence of a "mature underground economy," an electronic black market in which criminals can buy stolen financial information, usually hosted on Internet Relay Chat (IRC) networks. Romo says that Symantec measures the products advertised based on data that is gathered by proprietary Symantec technologies that monitor activity on underground economy servers and collect data.
Symantec makes its money on security software, a lot of which gets sold to corporations and governments, so it's understandable that company reps would use corporate-sounding terms like "mature underground economy" and "underground economy servers." While Romo couldn't go into much detail about how the data is gathered or analyzed, it's easy to understand why attackers might want to steal financial information such as bank account and credit card numbers, passwords, and the like. While these types of attacks may not be Mac-specific, they can become more burdensome to affected people than viruses, if successful.
Can you spot the Mac malware?
The number of viruses affecting Mac OS X today can be counted on one hand. Of those, none is a serious threat. Two Mac worms were discovered in February 2006. The first worm, Leap, also known as the Oompa-Loompa virus, only spread under a specific set of circumstances involving user interaction. In an analysis of the virus posted soon after the file's discovery, Ambrosia Software President Andrew Welch noted that it could arguably be called a very nonvirulent virus. The second worm, Inqtana.A, is considered by Symantec to be a very low-level threat, infecting fewer than 50 computers and not replicating easily.
A virus called Macarena appeared in February 2007. Symantec describes it as a proof-of-concept virus that isn't found much in the wild. You probably have more friends on Facebook than there were infections of the Macarena virus.
A possibly more serious threat is a Trojan horse, so named because it's malware disguised as something enticing. These spread because people are tricked into spreading them, thinking they'll get some kind of reward. RSPlug.A, a Trojan horse from late 2007, masqueraded as software that would allow Mac users to view pornographic videos. Once installed, it changed domain-name server settings to point to malicious servers that could have been used for additional phishing exploits. It also installed a script that reverted the DNS settings to point to the malicious servers every few minutes, in case the user tried to correct the settings.
Are you inviting hackers in?
It's actually quite difficult to write a virus for Mac OS X. But there are other ways to compromise a computer aside from infecting it with a virus.
Vulnerabilities in applications can give attackers a secret entrance into your computer, and access to your data. The April 2008 Internet Security Threat Report noted 22 vulnerabilities in Safari reported in the second half of 2007, while observing that Apple's browser also had the shortest window of exposure to the vulnerabilities, with average exposure of less than a day. In the same period, 88 vulnerabilities were reported in Mozilla browsers. While the existence of a vulnerability doesn't mean that anyone has actually exploited it, they are still cause for concern. Just because Apple was good about releasing patches on time doesn't mean that Mac users are good about installing them.
Each layer of software adds a possible strike point for attackers. Some hackers have exploited holes in Apple's QuickTime browser plug-in (though more attackers take advantage of vulnerabilities in Microsoft's ActiveX).
Mac users who run Windows programs through virtualization may open themselves up to additional threats, at least in theory. VMware Fusion and Parallels Desktop for Mac can allow code running on the Windows side to access a home directory in Mac OS X. Also, if a Mac OS X disk is used in an operating system that doesn't understand Mac OS X permissions, whatever protections Mac OS X gives to data disappear. This can happen by booting into Mac OS 9, which some older Macs can do, or by connecting the Mac to a computer running Windows, which can use Mac OS X disks with the help of utility software.
While nobody's actually seen malware that uses Windows to infect a Mac, that doesn't mean it isn't possible. Some vendors offer security software products designed specifically to protect these configurations.
How strong are your passwords?
Daniel Adinolfi, senior security engineer for Cornell University's information technology group, says he prefers a platform-agnostic approach to security. "There aren't really risks that are unique to Mac users," notes Adinolfi. He believes the biggest risks to computer users, on Mac or Windows, are weak passwords, weak configurations, out-of-date operating systems, a tendency to download things they shouldn't, and system loss or theft. Most of these threats are preventable (see "Will the Real Mac Threats Please Stand Up" for more on safeguards).
How to: Turn on Leopard's Firewall and Disable Unneeded Services
Mac OS 10.5 comes with a built-in firewall. By default, it's not turned on. You can explore it by opening System Preferences > Personal > Security. The default setting is to allow all incoming connections. Clicking "Allow only essential services" will allow incoming traffic for what Leopard thinks is important. "Set access for specific services and applications" lets you specify which programs should and shouldn't receive incoming traffic. The Advanced button lets you enable stealth mode, which gives unwanted traffic the silent treatment.
Click the back arrow, and click on Sharing in the Internet & Network row. Inside Sharing is a list of services that Daniel Adinolfi suggests should be left off if they're not being used. Consider each of these services a different way for an attacker to compromise your Mac. Only activate the ones you're using, to minimize risk.
In general, Adinolfi advises, the way to secure your Mac is to keep all of its software patched and updated, use strong passwords, don't install random software that you don't fully trust, avoid using accounts with administrative access, back up regularly, run antivirus software, use the built-in firewall, and disable any services that aren't necessary.
Nicholas Raba, CEO of SecureMac.com, offers some basic tips to keep computers secure from anyone with physical access to them. "Some good first steps include setting up a screen-saver password to lock down your machine when you are away, using the built-in FileVault feature of Mac OS X to protect your personal files, and setting up a firmware password to prevent users from bypassing startup security to gain access to your system," says Raba.
Another way to stay ahead of the curve is by keeping track of new Mac-specific threats as they emerge. SecureMac.com is one source of news for weaknesses and exploits found on the Mac. While the company sometimes uses the news there to promote sales of MacScan, its anti-spyware scanner, it also links to security bulletins posted by other security software companies.
How will you protect your Mac?
It can be difficult to justify the purchase of antivirus software for a Mac, knowing that the threat of Mac viruses is so small. Antivirus software publishers realize this, so they program their apps to root out a variety of threats, including Mac Trojan horses and Windows viruses.
One of the ways a Mac can be part of a virus problem is by passing on Windows viruses to people who use Windows. While Mac users may not see this as a problem, network administrators trying to contain viruses do. Information-security pro Weisman uses the freeware ClamXav antivirus software (www.clamxav.com) at home.
Symantec's Romo would likely approve of Weisman's choice. "I think users should check out the free solutions out there too," Romo says. "If you are [sharing] lots of files with Windows users, it's just good computing to make sure you are not spreading viruses."
Windows viruses can also affect Mac users unintentionally when a Mac user emails a file infected with a Windows virus. Some email hosts run antivirus software that rejects infected files, possibly preventing the email from reaching the recipient.
Security software publishers are naming and marketing their products in recognition that most threats on the Mac do not come from viruses. SecureMac MacScan ($29.99, macscan.securemac.com), for instance, looks for spyware, Trojan horses, and keystroke loggers, and removes them. It also scans for certain cookies that the company says could be used to track users' online behavior.
Intego (www.intego.com) offers a diverse lineup of security software: FileGuard, which provides encryption; NetBarrier, which provides a firewall, network-intrusion detection, privacy-protection measures to alert users when an application is trying to use the Internet, and network monitoring; and VirusBarrier, which is software to guard against viruses. The titles are also available in Internet Security Barrier bundles.
Sophos Anti-Virus is intended for small businesses ($195 a year for up to five users, www.sophos.com). Sophos also offers its Security Suite ($332.50 per year for up to five users), which aims to shield small-business Macs from viruses, hackers, and spam. McAfee VirusScan ($39.99, www.mcafee.com) looks for all types of viruses and other malicious code when it scans, according to its website. And Avast! Antivirus Mac Edition ($39.95 for 1 year, www.avast.com) advertises that it protects against the latest malware threats.
Symantec's Norton brand of products includes Norton Confidential for Macintosh ($49.99 for 1 year, www.symantec.com), which integrates with Safari to protect against phishing attacks as well as offering other identity-protection features. Symantec also offers Mac versions of Norton Personal Firewall ($49.95) and Norton AntiVirus ($49.95).
Despite the diversification in security software titles, antivirus software on the Mac still flourishes, perhaps because many of the organizations that purchase it are legally or contractually obligated to protect computers from viruses, regardless of whether those computers are actually affected by them.
Many reasonable Mac users get by just fine without using security software, because a Mac on its own is relatively secure. A healthy skepticism and common sense can guard against most Trojan horse and phishing attacks, and diligence in keeping systems up-to-date can go a long way toward keeping your Mac secure. While the emergence of Mac-specific threats has created quite a stir in recent months, scams that target Internet users' financial data cause more lasting damage. Beginners who are unfamiliar with how a Mac ought to behave or how to conduct themselves safely on the Internet stand to benefit the most from security software, while anyone who doesn't want to spread Windows viruses should install and run free or commercial antivirus utilities. For more ways to protect your Mac.
Protect The Data on Your Notebook
Short of wrapping your notebook in razor wire, you can physically protect the data on your MacBook or MacBook Pro from being jacked along with your hardware in case of theft. The most direct way to keep thieves from getting into your system is to set a firmware password, which prevents someone from starting up your Book from a separate startup disk. If you're running Mac OS 10.4 or later, grab your OS X install disc and look for Open Firmware Password inside /Applications/Utilities, then install it on your Mac and launch it. It's also a good idea to disable automatic log-in. Go to System Preferences > Accounts and click Login Options. Click the lock and enter your administrator user name and password. In the top right, next to Automatic Login, select Disabled from the drop-down menu. Now click the lock again so your change takes effect. Now OS X will prompt you to enter your password every time you start up your Mac.
Will the real Mac threats please stand up?
Daniel Adinolfi, senior security engineer for Cornell University's information technology organization, lists these as the most dangerous security risks facing Mac users:
THREAT: A behavioral issue that Adinolfi calls "Clickitis," which is simply the tendency to click on links even if we don't know where they lead. These links can direct the user to malware. Since many Mac users often run OS X with administrator-level privileges, if the malware is downloaded and run accidentally, their systems can be compromised.
SAFEGUARD: Users should be more suspicious of any URLs they receive. Antivirus software can act as a safety net for accidental downloads, but antivirus software can be bypassed. Not allowing the malware to be downloaded in the first place is a better way to prevent compromise.
THREAT: Weak, easily guessed passwords. An attacker can exploit this and gain access to the systems through AppleShare or ssh, for example, if those services are running. Since most Mac users run with administrator-level privileges, an account compromise leads immediately to a full-system compromise.
SAFEGUARD: A strong password includes upper- and lowercase letters, numbers, and symbols. For example, rather than using the relatively weak password rooster92, a stronger variation would be Ro8oster92. But it's not enough to replace all the Es with 3s or all the Os with zeros. A password manager like Agile's 1Password ($34.95, agilewebsolutions.com) offers automatic Web-form filling and strong password generation.
THREAT: Weak Mac OS X configurations. Services running on the Mac (such as Apache, WebDAV, sshd, and others) may be installed with default configurations that are vulnerable to attack, according to Adinolfi.
SAFEGUARD: Users must harden these services, which involves changing some of those defaults to more secure settings, Adinolfi says. Since many users do not fully understand these services, this configuration change rarely happens.
THREAT: Loss or theft of the system. People lose their laptops in airports daily. Household burglaries are always a problem. Businesses get broken into or have trespassers. Therefore, physical security should not be forgotten. If there is sensitive data on your computer, some form of encryption should be used (such as FileVault, encrypted volumes, or a third-party tool like PGP). Login should require a password, as should waking from sleep or from a screen saver. Also, regular backups help users recover from system loss.
SAFEGUARD: To protect sensitive data, some form of encryption is in order, such as FileVault, encrypted volumes, or a third-party tool like PGP Whole Disk Encryption for Mac OS X (price TBD, www.pgp.com). You can also physically protect your MacBook or MacBook Pro from theft with cables, slash-proof bags, and other measures (for solutions, see "They Can Look, But They Can't Touch," p32, Jul/08).
THREAT: Unpatched OS and applications. New vulnerabilities are discovered all the time, Adinolfi says, but busy Mac users rarely keep up with them.
SAFEGUARD: Adhere to a patching methodology, which may be as simple as having auto-updates turned on, Adinolfi advises.
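The RSPlug.A behaviour described in the article above (DNS settings changed, then re-applied by a script every few minutes) suggests two checks a defender can automate: resolvers outside the networks you expect, and scheduled jobs that run every few minutes around the clock. The Python below is an added example, not part of the original article; the `scutil --dns`-style sample, the crontab, the helper path and the trusted network are constructed, and cron is an assumption, since the article does not say how the script was scheduled.

```python
import ipaddress
import re

# Constructed sample shaped like `scutil --dns` output on macOS (not real data).
SAMPLE_SCUTIL_DNS = """\
resolver #1
  domain : example.lan
  nameserver[0] : 192.0.2.53
  nameserver[1] : 198.51.100.7
  order   : 200000
"""

# Constructed crontab; the helper path is hypothetical.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /Users/Shared/example-helper.sh >/dev/null 2>&1
0 3 * * 0 /usr/local/bin/weekly-backup.sh
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_nameservers(scutil_text):
    """Return resolver addresses in listed order, without duplicates."""
    seen = []
    for addr in NAMESERVER_RE.findall(scutil_text):
        if addr not in seen:
            seen.append(addr)
    return seen


def unexpected_resolvers(scutil_text, trusted_cidrs):
    """Return resolvers that fall outside every trusted network."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for addr in parse_nameservers(scutil_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append(addr)  # unparseable entries deserve a look too
            continue
        if not any(ip in net for net in networks):
            flagged.append(addr)
    return flagged


def minute_interval(field):
    """Minutes between runs implied by a cron minute field ('*' or '*/N')."""
    if field == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", field)
    # A fixed minute or syntax not handled here is treated as hourly.
    return max(int(step.group(1)), 1) if step else 60


def frequent_cron_jobs(crontab_text, max_interval=15):
    """Return (interval, command) for jobs that run every few minutes, all day."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        # Skip blanks, comments, @reboot-style entries and VAR=value lines.
        if not line or line[0] in "#@" or re.match(r"\w+\s*=", line):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[1] == "*":
            interval = minute_interval(fields[0])
            if interval <= max_interval:
                hits.append((interval, fields[5]))
    return hits
```

On a real machine the inputs would come from `scutil --dns` and `crontab -l`, with the trusted list set to your router's or ISP's resolvers.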
If you want on or off the Mac Ping List, Freepmail me.
ping for later read.
Bookmarked
Ping list please, SM.
Also, I just downloaded “Real Player” and can’t get it off my computer.
Do you know what to do?
You’re up early this morning. I haven’t been to bed yet...
Same here. It's 1:15AM in Stockton. I recorded Heroes on my DVR earlier and am now watching it and speeding through the adverts. (I know, the advertisers will be peeved at me. I really saw them... just at very high speed! Without sound.)
Thanks, good article
I read through it and will go back and institute some of the suggestions.
One thing I’ve done though.
I don’t use my MacBook Pro except for recreation. No Banking etc. with it.
While my losing it is unlikely, I don’t store any confidential info on it. The exception being passwords for FR, Yahoo and the like.