This time with feeling
March 31, 2009 8:09 AM

Can we talk seriously about Mac OSX security this time?

In light of this comment it seems pretty clear to me that OSX is not just "inherently secure" which was pretty much the advice I got last time I posed this question.

If we are to believe mock and basically everyone in the previous thread, the reason viruses don't exist in abundance now is simply because there aren't that many OSX boxes compared to Windows machines. The "do nothing" advice from the previous thread sounds like security through obscurity to me. Now it may be that there are no good security tools for OSX (other than ClamXav and Little Snitch, which I already use), which is something else entirely, but that is part of what I'm asking.

What I am looking for is advice on how to secure my box and any tools that will help with this. Advice like this article and specific software recommendations (or software to avoid) are what I'm looking for.

I know that there are very very few OSX viruses RIGHT NOW; that is beside the point and not what I'm asking about. I'm a good driver and haven't been in a wreck. But guess what? I still wear my seat belt every time I get in the car.

So in short, how do I keep my OSX machine secure?
posted by bytewrite to Computers & Internet (36 answers total) 17 users marked this as a favorite
 
You keep OSX secure in the same way you keep any other OS secure.

Don't use the default, high-profile products available for it. Safari is going to be the main browser to attack on OSX, so try Firefox or some other browser. Likewise, the built-in mail app will be the main vector of attack for mail programs, and so on. The smaller the profile of the application, the less likely it will be targeted for exploitation.

Run this software as an unprivileged user if at all possible - Not sure how well this works on OSX.

Use a hardware firewall.

Don't go to untrustworthy sites. If you need to visit something questionable, do so in a virtual machine if at all possible.

Keep backups. Now backup the backup.
posted by Rendus at 8:16 AM on March 31, 2009 [1 favorite]


No offense, but I think this is kind of a fool's errand. I mean, looking back at the comment you linked about pwn2own, the guy took advantage of a Safari vuln. There was no privilege escalation. So fine, you are running as a non-privileged user, but he can still wipe out your home directory. No third-party software is going to dramatically change the glaring weaknesses in OS X's security model, and every browser pwn2own attacked (except Chrome I think?) had a similar weakness. Basically, you have to wait for Apple to harden the system more, which they probably won't do unless stuff like this becomes a problem, which it isn't now.

The main software to avoid would be anything common. Pretty impossible, but you're using OS X so you're already 95% of the way there.

I think your best bet is to do exactly what Rendus says: run unprivileged, use a hw firewall (don't plug your machine directly into raw internet evar), don't spend time in the dark corners of the internet, and make use of backups. I would add "don't run unnecessary services (e.g. Windows file sharing)."
posted by jeb at 8:26 AM on March 31, 2009


If you're so worried, you might consider using some BSD instead. I've never had security issues under Mac OS X, but I've had various hard drive crashes, so keep multiple incremental backups and multiple off site backups and even more backups of your work.
posted by jeffburdges at 8:43 AM on March 31, 2009


Sophos makes a Mac anti-virus program. FWIW.
posted by GuyZero at 8:47 AM on March 31, 2009


It isn't possible to totally "secure" your box. There are things you can do to increase security, but there is no guarantee that your machine will be totally safe. You can spend more and more time making your box incrementally safe, but at some point you have to be reasonable and accept a small amount of risk.

It's true that simply owning a mac can be considered "security through obscurity." But security through obscurity is a completely valid strategy in reducing your attack surface. It's one of many strategies you should employ.

That having been said, Rendus pretty much covered everything. The only other thing I would recommend is subscribing to a few tech news or security sites in your RSS reader to stay up to date on new exploits and how you can quickly patch them. This might actually save you if a worm is developed a couple of days after a major exploit is discovered.

For a replacement browser, I'd recommend downloading and using Google Chrome, because it was the only browser to make it through the Pwn2Own contest without being exploited, and the participants talked in depth about how difficult it is to exploit the browser due to its well-built "sandbox".
posted by helios at 8:49 AM on March 31, 2009


The other nice thing about OS X is that in the very unlikely event that something DOES get in, it's a piece of cake to get rid of it. There's no registry to dig through, no auto-run exe's hiding in the background, etc. You just locate the offender and nix it.

I mean, unless you're operating an OS X machine in a highly hostile environment, you're more likely to get brained by a chance meteorite. [citation needed]
posted by Aquaman at 8:51 AM on March 31, 2009


I disagree about the recommendation to use Firefox over Safari for security's sake. Sure, Safari may be the most common web browser for the MacOS, but Firefox is far more common overall, and the Mac version shares much of its codebase with the Windows and Linux versions. It strikes me as a much higher-profile target. A lot of what an identity thief would want is potentially stored in the browser anyway — stored logins to online banking websites, your name and address, etc. — so the underlying OS beneath the browser is a bit irrelevant; if the browser gets compromised, you're hosed if you're being careful already.

I don't really have a horse in the FF vs. Safari race (I use Firefox because I think it's the more functional browser, personally), but I wouldn't say that either of them make you that much more secure. (Maybe Firefox if you install NoScript and Flashblock, but only a little.)

What I would do, regardless of browser choice, is not allow it to store any passwords, usernames, or other personal data. Turn all the auto-fill features off. If that's too inconvenient, at least tell it not to store (and wipe out of the stored-passwords list!) anything financial, like your banking, eBay/PayPal, investment, or Amazon logins. And don't use the same password for an important site that you use for a relatively unimportant one that you let the browser store. This way, if the browser does get compromised and gives up some of your stored passwords, the worst the thief can do is impersonate you on MeFi.

To store passwords I would use Password Gorilla. It's free software, and the data files it produces are compatible with PC and Linux versions of similar programs, so you don't have too much worry about getting stuck with all your passwords stored in a proprietary database that you can't get into.

And, as always, keep backups. Offline backups — ones not connected to your computer in any way — if you can. Lots of vulnerabilities that IT security people will hand-wave away (because they don't involve privilege escalation) could allow an attacker to wipe away your entire home directory, which as far as I'm concerned is just as bad as a remote root. (Why do I give a crap if someone controls the system if they've destroyed all my data? That's all the computer is there for. If that's gone, wiping the OS and reinstalling is trivial.) So think very carefully about how much data you'd be comfortable losing in the event of an attack, and back up at least that often. I would use Time Machine and back up daily, and have two different Time Machine drives that you swap out once a week. In most cases you'd lose no more than a day; in an absolute worst-case where an attacker wiped the TM volume, you'd lose no more than a week.

I'd also install Little Snitch and learn to keep an eye on what your computer is doing. Little Snitch alerts you and gives you an opportunity to block or allow various programs from connecting to the Internet. The key to using it is not blindly clicking 'Allow' to everything. Learn what all the little programs that ask you for access do, and if something strange comes up, figure out what it is. This is time consuming, but nobody said security was easy. You can't be willfully ignorant of what's going on inside your computer and still have a hope of detecting a worm or spyware down the road.

I would also never have any consumer PC attached directly to an always-on Internet connection; put some sort of firewall/router in between. (But don't think that will protect you from everything; the operating systems that run on some routers have vulnerabilities, too!) Make sure to disable remote administration from the WAN side, if it has such an option.
posted by Kadin2048 at 9:08 AM on March 31, 2009 [3 favorites]


The NSA has hardening guides for different operating systems. The NSA recommends:

Don't access the Internet or read e-mail using an Admin Account. Admin Accounts should be used for system administration tasks only.

Use Apple's Software Update control panel to keep systems up-to-date. Set it to check for updates daily. In environments not connected to the Internet, verify that the SHA-1 digest of downloaded updates matches Apple's published digest.

In the System Preferences Accounts Pane, disable Automatic Login, User List, guest accounts, and sharing.

In the System Preferences Security Pane, set Require Password when waking the computer from sleep or a screensaver. Also, disable automatic login, use secure virtual memory, and disable remote control infrared receiver if present. Consider activating FileVault, particularly for portable systems.

In the Firewall tab, select "Allow only essential services." Click the Advanced button and enable Firewall Logging and Stealth Mode.

The NSA recommendations also cover securing users' home folder permissions, physical security, disabling IPv6, AirPort and other unnecessary services when not needed, disabling Setuid and Setgid binaries, configuring and using both firewalls, among other suggestions.

(Tip summary by Thomas Claburn of InformationWeek.com)
posted by sharkfu at 9:18 AM on March 31, 2009 [12 favorites]


For a replacement browser, I'd recommend downloading and using Google Chrome, because it was the only browser to make it through the Pwn2Own contest without being exploited, and the participants talked in depth about how difficult it is to exploit the browser due to its well-built "sandbox".

Um, Chrome is months away from even a beta build for MacOS.
posted by General Malaise at 9:22 AM on March 31, 2009


The other nice thing about OS X is that in the very unlikely event that something DOES get in, it's a piece of cake to get rid of it. There's no registry to dig through, no auto-run exe's hiding in the background, etc. You just locate the offender and nix it.

This isn't really true. Sure, there's no registry, but there's still configuration data scattered all over the place: NetInfo, /etc's, [~]/Library, etc. Also, there's plenty of background processes you don't see, like all that stuff that comes up when you type ps -eax. There's also no reason why a malicious process couldn't masquerade as another benign-looking process. In the olden days, this was a common way of covering tracks when compromising Unixy systems: patch the binaries for ls, ps/shell etc. to hide the nefarious person's code, or disguise it as something benign. Some day, this _will_ happen to OS X.

For a replacement browser, I'd recommend downloading and using Google Chrome, because it was the only browser to make it through the Pwn2Own contest without being exploited, and the participants talked in depth about how difficult it is to exploit the browser due to its well-built "sandbox".

Google Chrome for OS X hasn't been released yet.

Security-by-obscurity is going to do you huge favors here. To make a crappy biological example, look how much crazy diseases domesticated animals who live in densely packed farming conditions get vs. closely related wild animals: you are running Aurochs while everyone else is running Cow. Cowpox is much more likely for a host of reasons to come from Cow, but none of these have to do with Aurochs' superior immune system (in fact, it's almost definitely weaker).
posted by jeb at 9:29 AM on March 31, 2009


Sharkfu's NSA link doesn't seem to work. Here is a document called Mac OSX Security Configuration. It seems pretty detailed but I haven't had time to go through it yet.
posted by bytewrite at 9:31 AM on March 31, 2009


Right now I really don't think there is much you can do to stop viruses that simply don't exist.

If you are using pwn2own as an example you are aware Safari dropped first last year. That news didn't start a huge rush of exploits for OS X, so why should it this year?

As of right now all you can do is follow the advice here and not be paranoid about it. As soon as there are exploits out there in the wild it will be such big news that the mighty Apple is now susceptible you will hear about it.

However in the future aim to use a browser that runs in a sandbox like Chrome. Which is scheduled I believe for a summer release.
posted by moochoo at 9:31 AM on March 31, 2009


Interestingly, you are asking for recommendations for software to solve a problem that doesn't (currently) exist! How would anybody be able to say if these countermeasures are effective? It's kind of like the anti-tiger rock. Maybe you should re-Ask once there is an established eco-system of Mac malware, because only then will people be able to say if configuration X or product Y actually help or if they are just placebos.
posted by steveminutillo at 9:33 AM on March 31, 2009


steveminutillo: I see your point about wanting software to cure something that doesn't exist. However, isn't that what most Windows anti-virus does? Once a previously unknown virus is discovered, the software is updated, then if it finds the virus it has the necessary tools and infrastructure to clean up the mess.
posted by bytewrite at 9:38 AM on March 31, 2009


You can drive yourself crazy obsessing about this. The only way to be completely secure is to never let anyone else touch your machine, don't install anything on it, and never hook it up to the net.

Obviously that's an impractical way to live, so you're just going to have to mitigate your risks using the steps mentioned above and make the best of it.

Another strategy would be to have one computer just for gaming and surfing the net, and another that handles your sensitive data, like your finances, taxes, etc. I did this for a number of years on Windows, but it was time-consuming and a giant pain in the ass. I finally said "Fuck It!" and switched to Macs. Simply following safe computing practices will almost always keep you safe on Unix-based platforms.
posted by LuckySeven~ at 9:42 AM on March 31, 2009


To a large degree, security and avoiding viruses is still about smart user behavior. The pwn2own exploit still required that the user click a link to the "hacker's" website. Now, that was totally within the rules of the competition, but you're smarter than that, right? Careful browsing, avoiding strange links and downloads, etc. will help a whole lot.
posted by explosion at 9:50 AM on March 31, 2009


Btw, the malware definitions for ClamXav are over a year old, last I checked, so they're really not doing you much good. If you feel the need to have an anti-virus program constantly running in the background, you'd be better off switching to something that maintains a current database.
posted by LuckySeven~ at 9:51 AM on March 31, 2009


bytewrite: "Sharkfu's NSA link doesn't seem to work. Here is a document called Mac OSX Security Configuration. It seems pretty detailed but I haven't had time to go through it yet."

Sorry... Fixed link.
posted by sharkfu at 9:58 AM on March 31, 2009


Man, I'm all fail today. I apologize:

www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf

I'm gonna go punch myself in the face.
posted by sharkfu at 10:00 AM on March 31, 2009


On Windows, we can look at which anti-virus packages have previously been updated very quickly in response to new viruses, and which clean up the damage most completely. On OS X, there is no "track record" to judge against.
posted by steveminutillo at 10:00 AM on March 31, 2009


Corsaire has a decent paper on securing Leopard (and an older Tiger version)
posted by HFSH at 10:02 AM on March 31, 2009


steveminutillo: On OS X, there is no "track record" to judge against.
OK that is exactly the kind of thing I wanted to know. I may have misinterpreted your last comment.

More generally, I think most of the advice here is pretty good. The PDFs linked in thread by sharkfu and HFSH are along the lines of what I'm looking for. I'm not gonna drive myself crazy with this I just want to be smart about it. And being relatively new to OSX I don't want to make dumb mistakes (like leaving some service running that I have no idea about).
posted by bytewrite at 10:15 AM on March 31, 2009


If we are to believe mock and basically everyone in the previous thread, the reason viruses don't exist in abundance now is simply because there aren't that many OSX boxes compared to Windows machines.

If that were true, Mac infections would go up as Mac market share keeps going up. Since the infection rate hasn't gone up appreciably, the number of Macs out there is not the reason for their relatively better security.
posted by Blazecock Pileon at 10:24 AM on March 31, 2009


Apple's advice to end users on security emphasises user awareness over software defences. This is both because of the lower likelihood of it being a target and the unix-like security being less prone to gaping holes. Furthermore, the majority of breaches are preventable by using the correct setup and knowing what not to do - I have proved this myself on both sides of the divide by using Windows boxes for 6 years without a permanently running virus scanner or firewall (just NAT - security through obscurity again) and Macs for two and a half years with the same level of precautions. On my periodic scans I find minimal amounts of spyware, and never a single virus, trojan or worm on either platform.

It's certainly not a bad thing to take extra precautions to protect your Mac, but I do think that it's much easier to go over the top in protecting it than many people would have you believe. Owning a computer is like having sex. Get yourself checked out periodically and don't have one night stands with dirty warez hookers, and you'll be fine.
posted by fearnothing at 10:43 AM on March 31, 2009


The best protection is smarts. The most common vector for infection is you invoking the infector -- running the program that infects the machine.

Do not run as an administrator. That owns the entire box, thus, you are risking compromise of the entire box. When you run without admin privs, the vulnerability window is much less -- basically, you can attack your home directory and the files within. Typically, though, you run with Admin Access -- which means that if an admin action is needed, you are prompted for your username and password. If you do not understand why that box just appeared, *DO NOT ENTER YOUR USER/PASS*.

If you want another layer of security, set up three accounts. The first has admin access, this is used for installs and maintenance. The second has all your non-network applications. The *last* has your email and web browser.

This helps isolate the damage a web or email vectored attack -- the most common on OS X -- can do. It also means you have to take an explicit action to move a file from one of these realms to another, and you should NEVER EVER move a file from the Internet Account to the Admin accessible account. You would still be vulnerable to a privilege escalation attack, but the less vectors they have to attack, the harder such an attack becomes. Arguably, splitting web and mail would make sense as well.

You might think this is a huge PITA. On OS X, with fast user switching, it's not nearly as much of a pain -- you basically end up with multiple desktops. However, while I'd certainly have FUS enabled between the application and web account, I wouldn't have it for the admin enabled account. You should *think* before you use that account, and forcing yourself to log into that account should remind you to do so.

What I wish Apple had was a fully jailed user -- that would be ideal for the web/mail user account.

Do I do this? No, to be honest. I run stripped down apps, and am paranoid about downloads, and have locked the boxes down hard -- I've been a sysadmin for a long time, this is what I do. But that's even more of a pain for a non technical user.

Otherwise, the rules are simple. If you don't use a service, disable it. If you don't use a network interface, disable it. I don't care how buggy sshd may be on your box, if you make sure it can't run, it isn't a compromise.
posted by eriko at 11:38 AM on March 31, 2009 [2 favorites]


You protect your Mac, and any computer, best by not being an idiot and by taking simple, logical actions to keep it safe.

Can we talk seriously about Mac OSX security this time?

It's difficult to talk seriously with someone that is paranoid.
posted by Dennis Murphy at 12:19 PM on March 31, 2009


All of the above suggestions to run a non-admin account don't take into account the limitations imposed on such accounts. So you have to ask yourself which is worse. AFAIK even an administrator must enter his password to install any program with OSX, so as long as you are aware of social engineering attempts, phishing, trojans etc. you should be OK.
posted by Gungho at 2:04 PM on March 31, 2009


Honestly, I think Anti Virus is a loser technology. In a sense, it's trying to solve the Halting problem. Since you can't do that, this means AV software can get close but never perfect. You'll always be at the mercy of poorly written software.

As long as you balk at the expense of writing secure software, you'll be in jeopardy. The costs are not just dollars, but also features delivered to you at a slower rate, and maybe even less "powerful" software.
posted by pwnguin at 2:28 PM on March 31, 2009


You seem over-concerned both in this question and the previous question and the seatbelt analogy is specious. Seatbelts protect against a known and specific threat, which exists regardless of how good a driver you are. Today, that threat doesn't exist on Mac. My suggestion, and I don't mean this to be in any way condescending, is if you are truly that concerned with the security of your computer you'd be best to run something nearly attack proof (no Windows, no OS X). In my mind this would be a system running something like Linux on a Live CD with no hard drive at all. You can do a custom build that has all the programs and settings just how you want them and you're a restart away if the system ever actually got compromised.
posted by 6550 at 3:05 PM on March 31, 2009


Just out of curiosity, do you know anyone who has ever had a Mac virus? There's a reason why the answer is no.

When you first asked this question a few weeks ago, you said: "Maybe I am just a bit paranoid but I can't be comfortable just not doing anything."

My advice: Do something. Learn why Windows is so vulnerable to attacks. I'm not talking about statistics and 'in theory' possibilities. Learn about how attackers manipulate Windows day in and day out, and then learn why those same techniques don't work in OS X.

Beyond that - take time to learn your OS. As was recommended the last time you asked this question: "Only type your OS X password during software installs you initiate". Beyond that, I'd say to get a wireless router for a firewall.

I've been using Macs since before there was a real internet. I've never used any form of virus protection, etc, and I've never had spyware/viruses/etc. Not even once. On the other hand, I've had more than my share of Windows viruses on a PC that used every kind of security, and I only used Windows for 2 years.

...by the way - there's a new worm that's supposed to attack Windows tomorrow. It's bad enough that it made the national news. It's good to have a Mac (and my other OS is Linux).

P.S. "I'm a good driver and haven't been in a wreck. But guess what? I still wear my seat belt every time I get in the car. "

Your Mac is your seatbelt. And your airbag too.
posted by 2oh1 at 6:35 PM on March 31, 2009


If you're so worried, you might consider using some BSD instead. I've never had security issues under Mac OS X, but I've had various hard drive crashes, so keep multiple incremental backups and multiple off site backups and even more backups of your work.

OSX is BSD.
posted by MesoFilter at 11:24 PM on March 31, 2009


Darwin is BSD. OS X is much, much more than just BSD. The services and userland apps that might one day get compromised will probably not have anything to do with Darwin or the kernel.
posted by bigtex at 3:27 AM on April 1, 2009


The only way to really be "safe" is to just turn the computer off. An exploit in a contest doesn't make an OS dangerous to use. Sure, no OS is perfect, OS X included. Its security model is neither as flawed as recent (pwn2own-related) press indicates, nor is it as indestructible as many might believe. But don't go getting paranoid over it.

Echoing what's been said before, keep backups (no, really, do it!), be smart about what dialog boxes you put your password into, etc. Also, using webmail is generally safer than using a mail client application because there's less chance for stuff to get downloaded by your machine.
posted by bigtex at 3:35 AM on April 1, 2009


OK, I realize the thread is a little too old for more comments now but I thought I would add a postscript for anyone that comes across this later. I favorited the comments that I believe have substantive advice.

I regret the way I phrased the question. I think it may have influenced some of the direction of the comments. I'm not overly paranoid, I'm not gonna shut off web access to keep my machine "safe." The car analogy thing was stupid (my bad). I was just frustrated with the general "don't worry about" attitude I was getting. I do think it is foolish to believe that nothing can (even if that probability is low right now) happen to my machine. I just wanted to know some best security practices for OSX.

What I've taken away from all of this:
* The PDFs linked by sharkfu and HFSH have some pretty solid advice in them. Again some of them are a bit overboard for day to day usage. For example I'm not going to disable the bluetooth on my machine. However, even the things that are too intrusive on the daily use of my machine at least help me learn more of what to be aware of.
* Another great piece of advice by multiple people is not using the admin account for daily use.
* Backups, which I kind of took as a given; their importance cannot be overstated.
* At this time no antivirus software for OSX has been sufficiently tested to rely on because of the small number of viruses in the wild.
* Exploits do exist for OSX (as they do for all operating systems) so the danger is real but right now very unlikely.
* Learning and being aware of security goes a long way.

Anyway, thanks to everyone for the advice.
posted by bytewrite at 9:08 AM on April 1, 2009


I disagree with the advice to run as a non-admin user, if the computer in question is a desktop machine used by a single person. It makes life harder and, at least to me, doesn't add any security. It represents misplaced priorities stemming from multiuser system security wrongly carried over to single-user systems.

Running as a non-administrator protects the rest of the computer from a compromise of your account. But if all your data — everything you care about, the singular reason why the computer is on your desktop at all — is in that user account, then it doesn't matter if an attacker can get beyond that.

It's like armoring a utility closet that's only accessible from inside a vault full of gold. If an attacker has already gotten at or destroyed everything of value, who cares if they gain root privileges? I certainly don't. My user data is the most important thing on my machine; the operating system and all the applications exist only to let me manipulate it.

Running as a non-administrator is good advice if you're running a server, or if your machine has multiple users. And it makes sense to run some applications (like web server software) with reduced privileges or in a sandbox, to prevent someone from escalating up to your user data. (On Linux and other Unix-like systems, there are special un-privileged users created for particular purposes — Apache typically runs as 'www' for instance — which keep someone who might take control of that application from hosing the rest of the machine.) But there's an inherent difference in priorities between a single-user and multi-user machine. On a multi-user machine the security of the entire system is paramount, because it affects many people; if one user's files get wiped out, it's bad for them but not really a catastrophe. A single-user machine is very different: if the files of the sole user get wiped out, it doesn't matter what other security is in place, because it's already failed to protect the only thing that's important.

So, assuming that you're the only person using your machine, I would advise strongly that you not spend any time fussing with user accounts, and instead spend it on a good backup plan (or a better backup plan, if you already have one), and on implementing the other techniques mentioned previously that will stop a hypothetical attacker before they get far enough into your system to do damage.
posted by Kadin2048 at 9:49 AM on April 1, 2009 [1 favorite]


Running as a non-administrator protects the rest of the computer from a compromise of your account. But if all your data — everything you care about, the singular reason why the computer is on your desktop at all — is in that user account, then it doesn't matter if an attacker can get beyond that.

I disagree, if you use backups, which everyone saying to run as non-admin is also saying. The reason is that, assuming no privilege escalation, the attacker can blow away your homedir, but you can restore it from backups. What this prevents the attacker from doing is tampering with system binaries, installing rootkits, etc. Basically, an attack on your home directory is likely to be either not-that-damaging or easily recovered. An attack via a privileged account can be hard to detect and much more insidious.

If you don't back up your homedir, though, I agree with you completely, it's a waste of time to run as non-admin.
posted by jeb at 10:27 AM on April 1, 2009

