Monday, September 16, 2024

How to secure your Mac against hackers

ONE YEAR IN MAC OS X HISTORY

In July 2016, NBC News reported that “One photo could hack your Apple device,” a flaw that Apple fortunately found and patched with a software update.

In August 2016, HackRead reported that Apple issued update v9.3.5 for the iPhone to patch three zero-day vulnerabilities that hackers could use to gain remote access to your device for surveillance.

“On 1st September 2016, the Citizen Lab updated its report to identify that the same vulnerability, dubbed “Trident,” exists in the Mac operating system as well. They also advised Mac users to update their OS X software.”

Follow these easy steps to give your Mac strong security and make it hard to penetrate:

CREATE STANDARD USER ACCOUNT

A standard user account is a non-admin account on a Mac. It is recommended to use a standard user account for everyday activities and an administrator account for system configuration. The benefit is that whenever an unauthorized app tries to install itself on your system, it will ask for administrative privileges, and you can judge whether the app is untrustworthy.

DISABLE AUTOMATIC USER LOGIN

By default, a Mac is set up to log in to your user account automatically. This is a potential problem when you are connected to public Wi-Fi or traveling. To change this in OS X:

  1. Click the “Apple” button.
  2. Click “System Preferences.”
  3. Choose the “Users & Groups” tab.
  4. Click the Lock button at the bottom and enter your administrator password.
  5. Click the “Login Options” tab.
  6. Click “Automatic Login” and choose “Off” from the pop-up window.
  7. Click “Display login window as” and choose “Name and Password” from the pop-up window.

TURN OFF JAVA AND AUTO DOWNLOAD IN SAFARI BROWSER

The attack discussed earlier exploited a vulnerability in Java, which Apple fixed, but only late. It is advised to remove Java; if you cannot do without it, turn Java off whenever you are not using it. To disable automatic opening of downloads in the Safari browser:

  1. Go to the settings of your Safari browser.
  2. Uncheck “Open safe files after downloading” in the General tab.

REMOVE STANDALONE FLASH PLAYER

Flash Player is a pain: it keeps on updating and patching newly found vulnerabilities. If you don’t need the standalone Flash Player app, remove it from your Mac. To remove Flash Player manually, follow Adobe’s official guide.

DISABLE REMOTE LOGIN

Apple provides an option that lets other devices access your Mac remotely. It is useful if you are traveling and want to reach your device, but it is also a backdoor through which hackers can access your device remotely. To disable this option:

  1. Click the “Apple” button.
  2. Select “System Preferences.”
  3. Choose the “Sharing” option.
  4. Uncheck “Remote Login.”

SET GATEKEEPER TO PREVENT DIGITALLY UNSIGNED APPS

GateKeeper is a malware-checking feature that protects your Mac from malware and misbehaving apps downloaded from the internet. Set GateKeeper to alert you when you download any digitally unsigned app, or any file that is not from the Apple store. It adds an extra layer of protection to your Mac.

INSTALL MAC ANTI-VIRUS SOFTWARE

Download an antivirus program, most of which are free these days, to keep your system under constant check.

UPDATE YOUR MAC OS X REGULARLY

HighSpeed Internet conducted a survey and revealed that “82.5% of the people initially ignored prompts for system updates, and the majority of people confessed to delaying the updates.”

Apple updates its OS X software regularly. It is recommended to update your Mac as soon as it receives an update from Apple. To do this:

  1. Click the “Apple” button.
  2. Select “System Preferences.”
  3. Choose the “Software Update” option.
  4. Select the “Check for update” option.
  5. Set the frequency to daily (or set a manual frequency).

INSTALL A TRACKER APP

Install a tracker app on your Mac and smartphone as an insurance measure to secure your data. If your Mac or smartphone gets stolen, you can delete your personal data remotely from either device.

USE A VPN SOFTWARE

For network security and online privacy, use a good VPN for Mac systems; it provides encryption, online security and access to blocked content.

USE TWO BUILT-IN FIREWALLS

The Mac has two strong built-in firewalls: the IPFW Packet-Filtering Firewall and the Application Firewall.

The Application Firewall sets limits on the incoming connections that programs may receive from other computers and networks. Set up the Application Firewall through Apple’s guide.

IPFW Packet-Filtering is an advanced level firewall which requires editing in the host file, which is hard for casual users to follow. You can keep it to default settings, or follow this guide by the University of North Carolina.

 

Don’t Surf or Read Mail Using the Administrator Account

Create a non-administrator user in the Accounts pane of System Preferences and use this account for everyday tasks. Only log in with an administrator account when you need to perform system administration tasks.

 

Use Software Update

Regularly applying system updates is extremely important.

For Internet-connected systems: Open the Software Update pane in System Preferences. Ensure that “Check for Updates” is enabled, and set it to “Daily” (or the most frequent setting). There is a command-line version available as well, called softwareupdate. Read its man page for more details.

For systems not connected to the Internet: Retrieve updates regularly from www.apple.com/support/downloads. Be sure to verify that the SHA-1 digest of any download matches the digest published there, using the following command: /usr/bin/openssl sha1 download.dmg

Account Settings

You want to disable Automatic Login. To do this, open the Accounts pane in System Preferences. Click on “Login Options.” Set “Automatic login” to “Off.” Set “Display login window as” to “Name and password.”

To disable Guest Account and Sharing, select the Guest Account and then disable it by unchecking “Allow Guest to log in to this computer.” Also, uncheck “Allow guests to connect to shared folders.”

Secure Users’ Home Folder Permissions

To prevent users and guests from perusing other users’ home folders, run the following command for each home folder: sudo chmod go-rx /Users/username

Firmware Password

Set a firmware password that will prevent unauthorized users from changing the boot device or making other changes. Apple provides detailed instructions for Leopard (which apply to Snow Leopard) here:
http://support.apple.com/kb/ht1352

Disable IPv6 and AirPort when Not Needed

Open the Network pane in System Preferences. For every network interface listed:

  • If it is an AirPort interface but AirPort is not required, click “Turn AirPort off.”
  • Click “Advanced.” Click on the TCP/IP tab and set “Configure IPv6:” to “Off” if not needed. If it is an AirPort interface, click on the AirPort tab and enable “Disconnect when logging out.”

Disable Unnecessary Services

The following services can be found in /System/Library/LaunchDaemons. Unless a service is needed for the purpose shown next to it, disable it using the command below, which needs the full path specified: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.blued.plist

  • com.apple.blued.plist – Bluetooth
  • com.apple.IIDCAssistant.plist – iSight
  • com.apple.nis.ypbind.plist – NIS
  • com.apple.racoon.plist – VPN
  • com.apple.RemoteDesktop.PrivilegeProxy.plist – ARD
  • com.apple.RFBEventHelper.plist – ARD
  • com.apple.UserNotificationCenter.plist – User notifications
  • com.apple.webdavfs_load_kext.plist – WebDAV
  • org.postfix.master – email server

Other services can be found in /System/Library/LaunchAgents and can be disabled in exactly the same way as the items listed above.
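To see which of the listed services are still loaded before and after disabling them, the check below parses `launchctl list` output and prints the matching unload commands without running them. It is an added example, not part of the original article, and it assumes each job's label is its plist file name without ".plist"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article).
# Assumption: a job's launchd label equals its plist file name minus ".plist".

# Names taken from the article's list above.
SERVICES="com.apple.blued.plist com.apple.IIDCAssistant.plist
com.apple.nis.ypbind.plist com.apple.racoon.plist
com.apple.RemoteDesktop.PrivilegeProxy.plist com.apple.RFBEventHelper.plist
com.apple.UserNotificationCenter.plist com.apple.webdavfs_load_kext.plist
org.postfix.master"

# Read `launchctl list` output (columns: PID, Status, Label) on stdin and print
# "label pid=N" for every listed service that is loaded ("-" = not running).
loaded_services() {
    set -- $SERVICES    # word-split so "$*" is one space-separated string
    awk -v want="$*" '
        BEGIN {
            n = split(want, names, " ")
            for (i = 1; i <= n; i++) {
                sub(/\.plist$/, "", names[i])
                wanted[names[i]] = 1
            }
        }
        ($3 in wanted) { print $3, "pid=" $1 }
    '
}

# Turn that report into the unload commands the article gives (printed only).
unload_commands() {
    loaded_services | while read -r label rest; do
        printf 'sudo launchctl unload -w /System/Library/LaunchDaemons/%s.plist\n' "$label"
    done
}

# System daemons are only visible to root, so run the live check as root on a Mac.
if command -v launchctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    launchctl list | unload_commands
fi
```
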

Disable Setuid and Setgid Binaries

Setuid programs run with the privileges of the file’s owner (which is often root), no matter which user executes them. Bugs in these programs can allow privilege escalation attacks.

To find setuid and setgid programs, use the commands:

  • find / -perm -04000 -ls
  • find / -perm -02000 -ls

After identifying setuid and setgid binaries, disable setuid and setgid bits (using chmod ug-s programname) on those that are not needed for system or mission operations. The following files should have their setuid or setgid bits disabled unless required. The programs can always have their setuid or setgid bits re-enabled later, if necessary.

  • /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent – Apple Remote Desktop
  • /System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper – Printing
  • /sbin/mount_nfs – NFS
  • /usr/bin/at – Job Scheduler
  • /usr/bin/atq – Job Scheduler
  • /usr/bin/atrm – Job Scheduler
  • /usr/bin/chpass – Change user info
  • /usr/bin/crontab – Job Scheduler
  • /usr/bin/ipcs – IPC statistics
  • /usr/bin/newgrp – Change Group
  • /usr/bin/postdrop – Postfix Mail
  • /usr/bin/postqueue – Postfix Mail
  • /usr/bin/procmail – Mail Processor
  • /usr/bin/wall – User Messaging
  • /usr/bin/write – User Messaging
  • /bin/rcp – Remote Access (Insecure)
  • /usr/bin/rlogin – Remote Access (Insecure)
  • /usr/bin/rsh – Remote Access (Insecure)
  • /usr/lib/sa/sadc – System Activity Reporting
  • /usr/sbin/scselect – User-selectable Network Location
  • /usr/sbin/traceroute – Trace Network
  • /usr/sbin/traceroute6 – Trace Network
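The audit below checks a review list for files that still carry a setuid or setgid bit and prints the `chmod ug-s` command for each one without running it. It is an added example, not part of the original article; `AUDIT_ROOT` and the function names are hypothetical, and the embedded list is a subset of the entries above.

```shell
#!/bin/sh
# Added example (not from the original article): dry-run setuid/setgid audit.
# AUDIT_ROOT is a hypothetical prefix for checking a copy or a mounted volume.

# Classify one path: setuid+setgid, setuid, setgid, clean or missing.
suid_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ -u "$1" ] && [ -g "$1" ]; then echo setuid+setgid
    elif [ -u "$1" ]; then echo setuid
    elif [ -g "$1" ]; then echo setgid
    else echo clean
    fi
}

# Read absolute paths on stdin (blank lines and '#' comments are skipped).
# For each path that still carries a bit, print its state and the chmod
# command from the article. Returns 0 only when nothing was flagged.
audit_list() {
    root=$1
    flagged=0
    while IFS= read -r p; do
        case $p in '' | '#'*) continue ;; esac
        state=$(suid_state "$root$p")
        case $state in
            setuid* | setgid)
                flagged=$((flagged + 1))
                printf '%-14s %s\n' "$state" "$p"
                printf "  to clear: sudo chmod ug-s '%s'\n" "$root$p"
                ;;
        esac
    done
    [ "$flagged" -eq 0 ]
}

# Subset of the article's list; add the remaining entries as needed.
audit_list "${AUDIT_ROOT:-}" <<'EOF' || echo "Review the flagged binaries above."
/sbin/mount_nfs
/usr/bin/at
/usr/bin/atq
/usr/bin/atrm
/usr/bin/crontab
/usr/bin/newgrp
/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/sbin/traceroute
EOF
```

Re-run it after each system update, since the article notes the bits can be re-enabled later.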

Configure and Use Both Firewalls

The Mac system includes two firewalls: the IPFW Packet-Filtering Firewall, and the new Application Firewall. The Application Firewall limits which programs are allowed to receive incoming connections. It is quite easy to configure the Application Firewall. Below, I mention how to configure Mac’s Application firewall. Configuring the IPFW Firewall requires more technical expertise and cannot be fully described here. It involves creating a file with manually written rules (traditionally, /etc/ipfw.conf), and also adding a plist file to /Library/LaunchDaemons to make the system read those rules at boot. These rules depend heavily on the network environment and the system’s role in it.

How to Configure Application Firewall in Mac

In only four steps you can easily configure the Application Firewall in Mac.

1. Select System Preferences from the Apple Menu

2. From the System Preferences pane, select Security. Then click on the Firewall tab. Ignore the other tabs (General and FileVault).

3. On the Firewall tab, you may need to unlock the pane if it is locked. To unlock it, click on the small padlock in the lower left corner and enter your administrator username and password.

4. Click Start to enable Mac’s Application Firewall. The green light beside Firewall Status and the ON notification confirm that the Firewall is running.

You can further customize the Firewall configuration by clicking on the Advanced button on the right side.

There are three advanced options in the Firewall tab:

1. Block All Incoming Connections: Blocking all incoming connections will disable most of the sharing services, such as File Sharing, Screen Sharing and others. It will only allow basic internet service. Whether to keep it checked or unchecked depends on the user.

2. Automatically allow signed software to receive incoming connections: I prefer to keep this option unchecked. This will automatically add software signed by “any” valid authority to the allowed list of software rather than prompting the users to authorize them.

3. Enable stealth mode: I always keep this option checked. This prevents your Mac from responding to ping requests and port scans.

Safari Preferences

Safari will automatically open some files by default. This behavior could be leveraged to perform attacks. To disable, uncheck “Open safe files after downloading” in the General tab. Unless specifically required, Safari’s Java should be disabled to reduce the browser’s attack surface. On the Security tab, uncheck “Enable Java.” Also, private browsing in Safari is a great way to stop hackers from picking up bread crumbs and using them against you later.

Bonus Tip: Disable Bluetooth and Airport

The best way to disable Bluetooth hardware is to have an Apple-certified technician remove it. If this is not possible, disable it at the software level by removing the following files from /System/Library/Extensions:

IOBluetoothFamily.kext

IOBluetoothHIDDriver.kext

The best way to disable AirPort is to have the AirPort card physically removed from the system. If this is not possible, disable it at the software level by removing the following file from /System/Library/Extensions:

IO80211Family.kext

If followed carefully, the above-mentioned tips can outdo a hacker’s technology to compromise your Mac. However, as technology advances, hackers use ever more innovative ways to penetrate your Mac.
