MacOS Security Tips

Revision 46
© 2011-2019 by Zack Smith. All rights reserved.

Apple's Macintosh OS may be less commonly a target of hacking attacks and exploits than Windows or Android are, but delinquents and professional criminals are increasingly taking an interest in the Mac and macOS. What follows is a list of tips that I have devised to explain how you might make your Mac more secure. This is not a complete list and I cannot provide any guarantee or warranty on this advice. Use it at your own risk. In the end, protecting your computer is your own responsibility.

My computer security rules:

New! Concise format.

  1. Reinstall macOS every month.
    • If it gets infected, this will cleanse it.
  2. In Settings/Security & Privacy: Turn on the firewall.
    • Always have a firewall on to block attackers on your network.
  3. In Settings/Security & Privacy: Turn on FileVault.
    • This encrypts your hard drive so it can't be removed and read.
  4. Completely turn off your computer when not in use.
    • Because if there's malware on it, it can turn on Wifi and phone home.
  5. Completely turn off your Wifi router when not in use e.g. overnight.
    • Attacks on Wifi routers are common.
  6. At least put your phone in airplane mode when it is unlikely to be of use.
    • It is after all a beacon broadcasting your location.
  7. Change the administration password for your Wifi router to something other than the well-known default.
    • Assume hackers can join your Wifi even with a password on it.
  8. Make sure your Wifi router has remote administration turned off even if your ISP wanted it turned on, and also turn off administration over Wifi and universal plug-and-play (UPnP).
    • Shut down avenues of attack.
  9. When you install macOS, create the following accounts:
    1. Call the initial account admin, because the first account you create has admin rights by default.
    2. Create a second, non-admin personal account as your primary account, which you will then use 98% of the time.
    3. Create a third account called chrome to run Chrome in, because Google can't be trusted to not spy on you.
    4. Create a fourth account quarantine for running various software that you have downloaded in binary form e.g.
      • Videoconferencing software
      • OpenOffice
      • TorBrowser
  10. Resist the urge to just download and try out some enticing program. If you need to download an app, get its source code and compile it yourself. (Type ./configure; make clean; make)
    • A large percentage of malware infections arise from users downloading and installing software in binary form.
  11. Resist the urge to install browser plug-ins except well-known ad blockers, as these have full access to your computer -- they are not sandboxed.
    • It's a very large security hole.
  12. Turn off any provided browser plugins e.g. QuickTime, Cisco's codecs and definitely Adobe Flash.
    • Every extra piece of rarely used software that is nevertheless running is a risk; it can be spying or may be exploitable.
  13. Beware of people who rush you into installing software; if you must install it, don't put it in /Applications but rather on the desktop of the quarantine account.
    • They are either ignorant of the risks or may have bad intentions.
  14. Avoid free online email except for one-off needs like signing up for an online forum.
    • There is no free lunch. They profit by selling your data and/or using your data.
  15. When sending a private email, consider encrypting it e.g. with GPG. The recipient will have to use GPG as well.
    • This raises the cost of reading or using your email immensely.
  16. If you will be using Firefox, consider the plugins uBlock Origin and AdBlock Plus.
    • Most plugins are to be avoided (for now) however these are well regarded ad blockers.
  17. Your web browser should ideally have Javascript disabled for most purposes whenever possible, e.g. use the NoScript plugin to selectively disable Javascript.
    • Limit this one avenue for exploits, cryptojacking and spying.
  18. Consider using a text-based browser like Lynx or Links.
    • Many websites that are not graphics- or Javascript-intensive work fine in Lynx.
  19. Never use Java in a browser!
    • Java is a full programming language with access to your files.
  20. If a website requires Flash then use Google Chrome to visit it. Examples are Xfinity.com, Hulu.com.
    • Run it in a separate account and/or inside of a VM.
  21. Only ever run risky software inside of a virtual machine.
    • Just as the CDC only works on biological pathogens in a BSL-2 or better biology lab, you should not run risky code or open risky documents on your regular computer.
  22. In your email app, disable the feature to automatically load remote images.
    • This prevents tracking that can occur when the server that provides images records your IP address.
  23. Keep all critical personal data off of your computer and physically locked up.
    • Isolate sensitive activities (e.g. online banking) and data (e.g. tax files) from anything that might put them at risk.
  24. Encrypt your external drives including flash and portable hard drives.
    • Set up encryption in Disk Utility when you format the drive to prevent data larceny.
  25. Remove all personal data from your computer before taking it in for repair, and overwrite the empty areas of your drive to prevent undeletion of your deleted files.
    • Don't just assume the repair shop is trustworthy and you are safe. Don't forget the scandal of Best Buy Geek Squad employees exposed for copying customers' photos and videos to a personal thumb drive.
  26. Try to avoid downloading risky files (PDFs, MS Excel files etc.) and if you must, run a virus scanner on them first.
    • These are vectors of infection because the software that interprets these files' contents can have vulnerabilities.
  27. Consider isolating all risky Internet activity to a burner iPad that is used only for that, and wipe it after each use (select Erase All Content and Settings).
    • This is like the chemical shower that is required when exiting a BSL-4 biopathogen lab.
  28. Don't use public wifi: Tether to your mobile phone instead.
    • Attackers can spoof the Wifi's name and offer a fake Wifi that hoovers your data.
  29. If you cannot use a VPN while on public Wifi, try to verify certificates of websites using this tool:
  30. In your browsers, disable website-provided fonts as there have been exploits that used vulnerabilities in the font file parsers.
    • Fonts are just another vector for malware.
  31. In Firefox's about:config screen, disable wasm (WebAssembly).
    • It's been used for cryptojacking, which is the misuse of a browser to perform cryptocurrency mining, typically of Monero. This usually causes a Mac to overheat badly.
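As an added example (not from the original article), here is a small audit script for tips 2, 3 and 9: it reads the firewall state, the FileVault state and the admin group membership, and reports which accounts are still admins. The parsing is kept in separate functions that take command output as text, so it can be exercised without a Mac; the account names passed to audit_mac are assumed to be the ones you created.

```shell
#!/bin/sh
# Added example, not part of the original tips page. Audits tips 2, 3 and 9.
# The *_from_output functions parse command output so they run anywhere;
# only audit_mac invokes the real macOS tools.

# Parse the line printed by `socketfilterfw --getglobalstate`, e.g.
# "Firewall is enabled. (State = 1)". Prints "on" or "off".
firewall_state_from_output() {
  case "$1" in
    *"Firewall is enabled"*) echo on ;;
    *) echo off ;;
  esac
}

# Parse the first line of `fdesetup status`, e.g. "FileVault is On.".
filevault_state_from_output() {
  case "$1" in
    *"FileVault is On"*) echo on ;;
    *) echo off ;;
  esac
}

# Given the output of `dscl . -read /Groups/admin GroupMembership`
# (e.g. "GroupMembership: root admin") and a user name, print "admin"
# if that user is in the admin group, otherwise "standard".
account_role_from_membership() {
  members=${1#GroupMembership:}
  for m in $members; do
    [ "$m" = "$2" ] && { echo admin; return 0; }
  done
  echo standard
}

# Run the real commands (macOS only) and report the status of each tip.
# Usage: audit_mac personal chrome quarantine   (these should print "standard")
audit_mac() {
  fw=$(firewall_state_from_output "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)")
  fv=$(filevault_state_from_output "$(fdesetup status | head -n 1)")
  members=$(dscl . -read /Groups/admin GroupMembership)
  echo "tip 2  firewall:  $fw"
  echo "tip 3  FileVault: $fv"
  for u in "$@"; do
    echo "tip 9  account $u: $(account_role_from_membership "$members" "$u")"
  done
}
```

Any daily-use account that prints "admin" is one the tips say should be demoted to a standard account.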
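Tips 30 and 31 can be applied to Firefox without clicking through about:config: Firefox reads a user.js file from the profile directory at startup and copies its values into prefs.js. The script below is an added example, not from the original article; the profile directory path is assumed (on macOS it is normally under ~/Library/Application Support/Firefox/Profiles/).

```shell
#!/bin/sh
# Added example, not part of the original tips page. Writes the Firefox
# prefs for tip 30 (no website-provided fonts) and tip 31 (no WebAssembly)
# into user.js of a profile directory, without duplicating existing lines.

# The prefs to apply. Kept in one place so they can be listed and checked.
hardening_prefs() {
  cat <<'EOF'
// tip 30: ignore fonts supplied by web pages, use system fonts instead
user_pref("browser.display.use_document_fonts", 0);
user_pref("gfx.downloadable_fonts.enabled", false);
// tip 31: disable WebAssembly, the usual delivery form of in-browser miners
user_pref("javascript.options.wasm", false);
EOF
}

# Append each pref to <profile>/user.js unless a line for that pref key is
# already there, so the script is safe to re-run after Firefox updates.
write_hardening_prefs() {
  profile=$1
  target="$profile/user.js"
  [ -d "$profile" ] || { echo "no such profile directory: $profile" >&2; return 1; }
  touch "$target"
  hardening_prefs | while IFS= read -r line; do
    case $line in
      user_pref*)
        key=${line#*'"'}; key=${key%%'"'*}      # extract the pref name
        grep -q "\"$key\"" "$target" || printf '%s\n' "$line" >> "$target" ;;
      *) ;;                                      # comments are not written
    esac
  done
}

# Count how many of the three hardening prefs a user.js already contains.
count_applied_prefs() {
  n=0
  for key in browser.display.use_document_fonts gfx.downloadable_fonts.enabled javascript.options.wasm; do
    grep -q "\"$key\"" "$1" && n=$((n + 1))
  done
  echo "$n"
}

# Usage: write_hardening_prefs "$HOME/Library/Application Support/Firefox/Profiles/<profile>"
```

Restart Firefox after writing the file; the values then show as user-set (bold) in about:config.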