ONE YEAR IN MAC OS X HISTORY
In July 2016, NBC News reported that “One photo could hack your Apple device,” a flaw that Apple fortunately found and patched with a software update.
In August 2016, as reported by HackRead, Apple issued update v9.3.5 for the iPhone to patch three zero-day vulnerabilities that hackers could use to gain remote access to your device for surveillance.
“On 1st September 2016, the Citizen Lab updated its report to identify that the same vulnerability, dubbed “Trident,” exists in the Mac operating system as well. They also advised Mac users to update their OS X software.”
Follow these easy steps to give your Mac strong security and make it hard to penetrate:
CREATE STANDARD USER ACCOUNT
A standard user account is a non-admin account on a Mac. It is recommended to use a standard user account for everyday activities and an administrator account only for system configuration. The benefit is that whenever an unauthorized app tries to install itself on your system, it has to ask for administrative privileges, and you can judge whether the app is untrustworthy.
DISABLE AUTOMATIC USER LOGIN
By default, a Mac is set up to log in to your user account automatically. This is a potential problem when you are connected to public Wi-Fi or traveling. To change this in OS X:
- Click on “Apple” button
- Click “System Preferences.”
- Choose the “Users & Groups” tab.
- Click the Lock button below and enter your administrator password.
- Click on the “Login Options” tab.
- Click “Automatic Login” and choose “Off” from the pop-up window.
- Click “Display login window as” and choose “Name and Password” from the pop-up window.
TURN OFF JAVA AND AUTO DOWNLOAD IN SAFARI BROWSER
The attack discussed earlier exploited a vulnerability in Java, which Apple fixed, but not until late. It is advised to remove Java; if you cannot do without it, turn Java off whenever you are not using it. To disable auto download in the Safari browser:
- Go to the settings of your Safari browser.
- Uncheck “Open safe files after downloading” in General tab.
REMOVE STANDALONE FLASH PLAYER
Flash Player is a pain: it keeps needing updates to patch newly found vulnerabilities. If you don’t need the standalone Flash Player app, remove it from your Mac. To remove Flash Player manually, follow this official guide of Adobe.
DISABLE REMOTE LOGIN
Apple has the option to allow other devices to remotely access your Mac. It is a good option if you are traveling and want to access your device. But it is also a backdoor for hackers to access your device remotely. To disable this option:
- Click on “Apple” button.
- Select “System Preferences” to access the option.
- Choose the “Sharing” option.
- Uncheck “Remote Login.”
SET GATEKEEPER TO PREVENT DIGITALLY UNSIGNED APPS
Gatekeeper is a malware check that protects your Mac from malware and misbehaving apps downloaded from the internet. Set Gatekeeper to alert you when you download a digitally unsigned app, or a file that is not from the Apple store. It adds an extra layer of protection to your Mac.
INSTALL MAC ANTI-VIRUS SOFTWARE
Download an antivirus program (most are free these days) to keep your system under constant check.
UPDATE YOUR MAC OS X REGULARLY
HighSpeed Internet conducted a survey and revealed that “82.5% of the people initially ignored prompts for system updates, and the majority of people confessed delaying the updates.”
Apple updates its OS X software regularly. It is recommended to update your Mac as soon as it receives an update from Apple. To do this:
- Click on “Apple” button.
- Select “System Preferences” to access the option.
- Choose “Software Update” option.
- Select the “Check for update” option.
- Set the frequency to daily (or set a manual frequency).
INSTALL A TRACKER APP
Install a tracker app as an insurance measure on your Mac and smartphone to secure your data. If your Mac or smartphone gets stolen, you can delete your personal data remotely from either of the devices.
USE A VPN SOFTWARE
To protect your network security and online privacy, use a good VPN for Mac, which gives you encryption, online security and access to blocked content.
USE TWO BUILT-IN FIREWALLS
The Mac has two strong built-in firewalls: the IPFW Packet-Filtering Firewall and the Application Firewall.
The Application Firewall limits which programs may accept incoming connections from other computers and networks. Set up the Application Firewall by following Apple’s guide.
IPFW Packet-Filtering is an advanced firewall that requires editing the host file, which is hard for casual users to follow. You can keep it at its default settings, or follow this guide by the University of North Carolina.
Don’t Surf or Read Mail Using the Administrator Account
Create a non-administrator user in the Accounts pane of System Preferences and use this account for everyday tasks. Only log in with an administrator account when you need to perform system administration tasks.
Use Software Update
Regularly applying system updates is extremely important.
For Internet-connected systems: Open the Software Update pane in System Preferences. Ensure that “Check for Updates” is enabled, and set it to “Daily” (or the most frequent setting). There is a command-line version available as well, called softwareupdate. Read its man page for more details.
For systems not connected to the Internet: Retrieve updates regularly from www.apple.com/support/downloads. Be sure to verify that the SHA-1 digest of any download matches the digest published there, using the following command: /usr/bin/openssl sha1
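The digest check described above, as an added example that is not part of the original article. It wraps `openssl sha1` in a comparison that normalizes the published value and refuses malformed input; the function names and exit codes are assumptions, and `sha1sum` is used only as a fallback where `openssl` is not installed.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and exit
# codes are assumptions chosen for illustration.

# sha1_of FILE: print the lowercase hex SHA-1 digest of FILE.
# The file is fed on stdin so the digest is always the last output field,
# whether openssl prints "SHA1(stdin)= <hex>" or "(stdin)= <hex>".
sha1_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl sha1 < "$1" | awk '{ print tolower($NF) }'
    else
        sha1sum < "$1" | awk '{ print $1 }'   # fallback where openssl is absent
    fi
}

# verify_download FILE PUBLISHED_DIGEST
#   returns 0 = digest matches, 1 = mismatch (do not install), 2 = bad input
verify_download() {
    file=$1
    # Published digests are often shown in upper case or in spaced groups.
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    if ! printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{40}$'; then
        echo "published value is not a 40-digit SHA-1 digest" >&2
        return 2
    fi
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    got=$(sha1_of "$file")
    if [ "$got" = "$want" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file has $got, expected $want" >&2
    return 1
}
```

Call it as `verify_download <downloaded file> "<digest copied from the download page>"` and install the update only when it returns 0.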
You want to disable Automatic Login. To do this, open the Accounts pane in System Preferences. Click on “Login Options.” Set “Automatic login” to “Off.” Set “Display login window as” to “Name and password.”
To disable Guest Account and Sharing, select the Guest Account and then disable it by unchecking “Allow Guest to log in to this computer.” Also, uncheck “Allow guests to connect to shared folders.”
Secure Users’ Home Folder Permissions
To prevent users and guests from perusing other users’ home folders, run the following command for each home folder: sudo chmod go-rx /Users/username
Set a firmware password that will prevent unauthorized users from changing the boot device or making other changes. Apple provides detailed instructions for Leopard (which apply to Snow Leopard) here:
Disable IPv6 and AirPort when Not Needed
Open the Network pane in System Preferences. For every network interface listed:
- If it is an AirPort interface but AirPort is not required, click “Turn AirPort off.”
- Click “Advanced.” Click on the TCP/IP tab and set “Configure IPv6:” to “Off” if not needed. If it is an AirPort interface, click on the AirPort tab and enable “Disconnect when logging out.”
Disable Unnecessary Services
The following services can be found in /System/Library/LaunchDaemons. Unless needed for the purpose shown in the second column, disable each service using the command below, which needs the full path specified: sudo launchctl unload -w /System/Library/LaunchDaemons/
- – Bluetooth
- – iSight
- – NIS
- – VPN
- – ARD
- – ARD
- – User notifications –
- – WebDAV –
- org.postfix.master – email server
Other services can be found in /System/Library/LaunchAgents and can be disabled in exactly the same way as the items listed above.
Disable Setuid and Setgid Binaries
Setuid programs run with the privileges of the file’s owner (which is often root), no matter which user executes them. Bugs in these programs can allow privilege escalation attacks.
To find setuid and setgid programs, use the commands:
- find / -perm -04000 -ls
- find / -perm -02000 -ls
After identifying setuid and setgid binaries, disable setuid and setgid bits (using chmod ug-s programname) on those that are not needed for system or mission operations. The following files should have their setuid or setgid bits disabled unless required. The programs can always have their setuid or setgid bits re-enabled later, if necessary.
- /System/Library/CoreServices/RemoteManagement/ – Apple Remote Desktop
- /System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper – Printing
- /sbin/mount_nfs – NFS
- /usr/bin/at – Job Scheduler
- /usr/bin/atq – Job Scheduler
- /usr/bin/atrm – Job Scheduler
- /usr/bin/chpass – Change user info
- /usr/bin/crontab – Job Scheduler
- /usr/bin/ipcs – IPC statistics
- /usr/bin/newgrp – Change Group
- /usr/bin/postdrop – Postfix Mail
- /usr/bin/postqueue – Postfix Mail
- /usr/bin/procmail – Mail Processor
- /usr/bin/wall – User Messaging
- /usr/bin/write – User Messaging
- /bin/rcp – Remote Access (Insecure)
- /usr/bin/rlogin – Remote Access (Insecure)
- /usr/bin/rsh – Remote Access (Insecure)
- /usr/lib/sa/sadc – System Activity Reporting
- /usr/sbin/scselect – User-selectable Network Location
- /usr/sbin/traceroute – Trace Network
- /usr/sbin/traceroute6 – Trace Network
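One way to turn the find-and-review procedure above into a repeatable audit, as an added example that is not from the original article. It goes one step beyond the text by comparing the `find` results against an approved list, so only unexpected setuid/setgid files are reported; the function names and the allowlist format (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# allowlist format (one absolute path per line) are assumptions.

# list_suid DIR: every regular file under DIR with the setuid (04000) or
# setgid (02000) bit set, without crossing onto other filesystems.
list_suid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# unapproved_suid DIR ALLOWLIST: print flagged files that are not on the
# allowlist. Returns 1 if any were printed, 0 if the tree is clean.
unapproved_suid() {
    allow=$(mktemp) || return 2
    # Drop blank lines and comments so they cannot act as match patterns.
    grep -v -e '^[[:space:]]*$' -e '^#' "$2" > "$allow" || true
    found=0
    # -F fixed strings, -x whole-line match, -v keep only non-allowlisted paths
    list_suid "$1" | grep -Fxv -f "$allow" && found=1
    rm -f "$allow"
    return "$found"
}

# strip_unapproved DIR ALLOWLIST [apply]: print the chmod command for each
# unapproved file; run it only when the third argument is "apply".
strip_unapproved() {
    unapproved_suid "$1" "$2" | while IFS= read -r f; do
        if [ "${3:-}" = apply ]; then
            chmod ug-s "$f"
        else
            printf 'chmod ug-s %s\n' "$f"
        fi
    done
}
```

Run `strip_unapproved / allow.txt` first to review the planned changes, then repeat with `apply` under sudo; the bits can be restored later with `chmod u+s` or `chmod g+s` if a program turns out to be needed.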
Configure and Use Both Firewalls
The Mac system includes two firewalls: the IPFW Packet-Filtering Firewall, and the new Application Firewall. The Application Firewall limits which programs are allowed to receive incoming connections. It is quite easy to configure the Application Firewall. Below, I mention how to configure Mac’s Application firewall. Configuring the IPFW Firewall requires more technical expertise and cannot be fully described here. It involves creating a file with manually written rules (traditionally, /etc/), and also adding a plist file to /Library/LaunchDaemons to make the system read those rules at boot. These rules depend heavily on the network environment and the system’s role in it.
How to Configure Application Firewall in Mac
In only four steps you can easily configure the Application Firewall on a Mac.
1. Select System Preferences from the Apple Menu
2. From the System Preferences pane, select Security. Then click on the Firewall tab. Ignore the other tabs (General and FileVault).
3. On the Firewall tab, you may need to unlock the pane if it is locked. To unlock it, click on the small padlock in the lower left corner and enter your administrator username and password.
4. Click Start to enable the Mac’s Application Firewall. The green light beside Firewall Status and the ON notification confirm that the firewall is running.
You can further customize the firewall configuration by clicking on the Advanced button on the right side.
There are three Advanced options in the Firewall tab:
1. Block All Incoming Connections: Blocking all incoming connections will disable most of the sharing services, such as File Sharing, Screen Sharing and others. It will only allow basic internet service. Whether to keep it checked or unchecked is up to the user.
2. Automatically allow signed software to receive incoming connections: I prefer to keep this option unchecked. This will automatically add software signed by “any” valid authority to the allowed list of software rather than prompting the user to authorize it.
3. Enable stealth mode: I always keep this option checked. This prevents your Mac from responding to ping requests and port scans.
Safari will automatically open some files by default. This behavior could be leveraged to perform attacks. To disable, uncheck “Open safe files after downloading” in the General tab. Unless specifically required, Safari’s Java should be disabled to reduce the browser’s attack surface. On the Security tab, uncheck “Enable Java.” Also, private browsing in Safari is a great way to stop hackers from picking up bread crumbs and using them against you later.
Bonus Tip: Disable Bluetooth and AirPort
The best way to disable Bluetooth hardware is to have an Apple-certified technician remove it. If this is not possible, disable it at the software level by removing the following files from /System/Library/Extensions:
The best way to disable AirPort is to have the AirPort card physically removed from the system. If this is not possible, disable it at the software level by removing the following file from /System/Library/Extensions:
If followed carefully, the above-mentioned tips can defeat a hacker’s attempts to compromise your Mac. However, as technology advances, hackers use ever more innovative ways to penetrate your Mac.