© 2011-2018 by Zack Smith. All rights reserved.
Apple's Macintosh is less commonly a target of hacking attacks and exploits than is Windows, but delinquents and professional criminals are increasingly taking an interest in the Mac and macOS. What follows is a list of tips that I have devised to explain how you might make your Mac more secure. This is not a complete list and I cannot provide any guarantee or warranty on this advice. Use it at your own risk. In the end, protecting your computer is your own responsibility.
My computer security rules:
1.1. Disconnect your computer from the Internet.
Most exploits occur over the Internet, so this is a no-brainer. When you do not need to have an Internet connection going, go to the Wireless icon and select Turn Wifi Off. (Or disconnect the Ethernet cable if you use that.)
1.2. Disable Bluetooth when not at home.
Bluetooth may be useful for connecting to an external keyboard at home, or to a fitness device, but if you don't need it, it is prudent to switch it off since it offers a potential if rare means of attack. (This is less so today than in its early days.)
It is also useful for surveillance. Your Bluetooth device's address can be obtained to identify and track you in public places. As a test, I tried detecting Bluetooth devices while driving down the road. The phones of people in passing cars were easily detected by my iSystem app.
1.3. Disable the Ethernet port if there is one.
Few people use the Ethernet port any longer. It is mainly useful for technology professionals in communicating with routers and servers. If you don't need to use it, go into the Ethernet settings, select Disable for the Configure IPv4 setting. For the IPv6 setting select Local Link Only.
1.4. Disable Firewire.
Most people never need Firewire. If you don't, go into the Firewire settings, select Disable for the Configure IPv4 setting. For the IPv6 setting select Local Link Only.
Trivia: It has been discovered that a Mac that is asleep can provide access to the entirety of its RAM through the Firewire port via DMA (direct memory access). Thus it can be used to copy data. It's a rare exploit, especially since it requires physical access to a computer when it's asleep, but it's another reason to disable Firewire.
1.5. Do not use online storage.
It is unwise to use iCloud or any other cloud-based online storage service such as Dropbox, convenient though it may be. If you do not encrypt your files before you upload them, they can be copied and used right away or years from now e.g. by governments, by people who hacked into the cloud, and by employees of the cloud service.
The typical argument that it doesn't matter if they're stolen is a form of denial. Just because you don't want to imagine the numerous outrageous ways in which for instance your photos can be used doesn't mean that others feel so inhibited.
The practice of encrypting data before storing it in the cloud is associated with a TNO (Trust No One) approach to security.
1.6. Avoid free online email.
You really should not use online free email services either such as these:
- Yahoo mail
- Lycos mail
- Aol mail
- GMX mail
Most corporations that run such services are all too eager to turn over your personal information to any nefarious company or government agency that's paying. Betraying your trust is profitable and they view that betrayal as a no-brainer without consequences.
Surveillance is the killer app of the Internet.
Long before Edward Snowden, it was exposed on Cryptome that Yahoo charges the US government only US $60 for a year's worth of a user's emails.
1.7. Keep critical personal data off of your computer
Not everything has to be on your computer. Critical data such as your social security number, tax records, legal paperwork, birth certificates, passwords, ID cards, immigration documents, sexy photos and revealing private videos should be located on encrypted external media (from start to finish).
1.8. Encrypt your external drives.
Any laborer or landlord who walks into your apartment and sees a USB drive sitting on the table could in theory steal it, or copy it without your knowing. It's wise to encrypt such drives to at least protect your data.
You may think you know what's on a drive, but in truth most people are largely ignorant of where they've put their numerous files.
To encrypt a USB or hard drive, format it for Mac OS (not Windows FAT) and tell Disk Utility to encrypt it.
External media that are not in use should be locked away.
1.9. Securely erase and wipe empty space
When you delete a file, use the Finder's Secure Empty Trash [sic] feature. You should go into the Finder preferences and set secure erasure to be the default method. (This feature seems to have been removed in Sierra.)
But note, data deletion that is not done by the Finder, but rather is done automatically by programs like browsers, will probably not be done securely.
To make sure that no deleted data can be un-deleted, you can periodically run Disk Utility and use the Erase Empty Space feature. This will make sure important data like deleted web browser cache data and web history cannot be recovered.
1.10. Remove all personal data before taking your Mac in for repair
It was revealed on Consumerist that workers in Best Buy's Geek Squad service were regularly copying customers' photos and other content onto personal thumb drives during the course of repairing their computers.
geniuses not do the same? Who can say, except an insider.
1.11. Avoid low-cost domain resellers and hosting services.
Don't be fooled by low prices. When you sign up with cheap services, they could just make up for the lack of profits by selling you out.
I discovered to my surprise that the Universal Terms of Service provided by GoDaddy and its various resellers
has an enormous qualification: They claim ownership of your
if it is within a subcategory called
The problem is, they never define what part of your data falls into that subcategory and what does not.
You should always take the time to read the fine print.
1.12. Practice good thumb drive isolation.
Never buy or use a USB thumb drive that cannot be attached to your keychain. A thumb drive without a keychain hook or that is not on your primary or only keychain is easily lost or stolen.
A thumb drive should always be encrypted unless it's solely for use in
- your car's audio system in which case it should only have your current MP3s and nothing else;
- your TV in which case it should only have MP4s you plan to watch soon.
Give each thumb drive a name indicating what it's for and mark it to indicate its purpose e.g. AUDIO BOOK FOR CAR.
Never use a thumb drive that you find sitting in public somewhere. Leaving a thumb drive on a ledge or table is a classic means of infecting computers at e.g. a nearby business or government organization.
Note also, thumb drives contain microcontrollers whose firmware can in theory be reflashed in order to infect other devices even if no file on them is opened.
2. Disable risky services
2.1. Inhibit Bonjour.
After you enable your firewall (see section 3 below) you should enable its stealth mode. This should prevent your computer from broadcasting its existence to other computers on a network.
An alternative method is to disable the Bonjour service. This tells other Macs near you what services you have to offer them, and tells you what they can offer you.
Two rules of thumb:
- You should not encourage others to be trying to get access to what is on your computer.
- You should not be accessing any data they have made available as it may contain malware.
In Mountain Lion, you can go into Settings, Security, Firewall, and Firewall Options and select Enable Stealth Mode (for good measure), and then Block All Incoming Connections.
Another approach is to use the command line to edit the file
You add to the section
ProgramArguments by inserting a string entry called
2.2. Disable Bluetooth discovery.
If you must use Bluetooth, disable discovery in the Bluetooth settings.
You can also do this in the Bluetooth-icon pulldown menu.
2.3. Disable any Sharing services.
It is almost always a bad idea to leave sharing services on. If you must use a sharing service, do so only temporarily when you need it, then switch it off again. Go into Sharing settings and uncheck everything.
2.4. Remove Google spyware that comes with Mail
I recently discovered that a Google mail plugin was periodically running and checking to see what drives I have mounted on my system, e.g. whether I have a USB drive plugged in. This is very odd because:
- I was not running Mail at the time.
- I do not have a Gmail account.
- I was not logged into my Google account.
To prevent this kind of activity, whatever its actual purpose may have been, one can remove the offending plugin. But... warning! If you do this then you won't be able to use a Gmail account from within Mail. From Terminal, do this:
You'll need to enter your password to delete the plugin.
There are other plugins in that folder that you can delete if you are sure you don't need them. They include:
2.5. Disable Location Services and the IR receiver.
Very few people need these. For good measure, go into Settings, Security, Privacy and disable both Location Services and the IR receiver.
Location services is mainly useful for the Map program.
3. Block outsiders
3.1. Enable the basic Firewall.
You should always have your Mac behind a physical firewall such as the one in your Wifi router, but you will also need to enable Apple's built-in Firewall capability, especially if you will use your Mac on an unencrypted public Wifi.
Go into Settings, Security, and Firewall to find it and start it.
3.2. Enable FileVault to encrypt your hard drive
Encrypt your entire drive using FileVault. The first time you enable it, it will require up to an hour to encrypt your drive.
If you also have Windows installed on your computer via BootCamp, FileVault will prevent Windows programs from reading your Mac files, and that's generally good especially if your Windows setup gets infected with malware.
3.3. Add a firmware boot password
The firmware password is not your normal login password, but rather the password that lets the Mac boot from a disk other than your hard drive. Adding it is done using the OS/X installation disk, if you have one.
By enabling a firmware password, you prevent other people from booting up your computer from a CD-R or DVD-R disc or from a USB flash drive.
This can be very important, because if you fail to add a firmware password and you fail to encrypt your hard drive, this means crooks and ne'er-do-wells can potentially walk up to your unattended Mac, boot from a thumb drive and steal all of your data.
3.4. Turn off your home Wifi router at night and when you are not at home.
At night, or whenever you are not at home, there is no need for your router to be powered up. Having it on means that someone can theoretically hack into the router itself from anywhere on the planet.
If you think such a thing is unlikely, just google port 32764 backdoor.
There are several ways to break into a Wifi router and port 32764 is perhaps the latest one to be discovered.
Check it by clicking here.
Set the administration password on your Wifi router (not just the encryption password) to something very hard to guess, and make sure you disable remote log-in. Also disable logging into the router via Wifi: require a connection with a cable.
3.5. Shut off the port forwarding.
If you must set up your Wifi router for port forwarding, make sure you turn off that feature immediately after you're done with it. Otherwise you're just providing a means for outsiders to bypass the firewall.
An example of an activity that often leads to port forwarding being left on is when gamers use it to play video games with other people from around the world. Since Macs are less commonly used for gaming than are Windows PCs and gaming consoles, this may not apply to you.
An example of a situation in which port forwarding is useful but potentially dangerous is when you set it up to permit you into your Mac from afar using ssh (secure shell). Remote login is a standard feature of OS/X that is enabled in Settings, the Sharing section, by clicking Remote Login.
For such an activity you'd be enabling port 22 on your Wifi router to let in outsiders (hopefully only you!) who are utilizing sftp to enter your machine.
If, in the worst case, you leave Remote Login enabled on your Mac and port forwarding enabled on your Wifi router and leave your router itself powered up e.g. at night, this could be very bad.
3.6. Shut off the router's UPnP service
Most Wifi routers support universal plug-and-play, which can reveal information about what's on your network to people who are far away. You should always make sure that UPnP is switched off. However you should also be aware that some routers, even if you tell them to switch off UPnP, leave it partially on anyway.
3.7. Set the Wifi encryption password
This is a no brainer. If people are able to get onto your Wifi network, they can read most of the data that is passing across the network. This means they can analyze it and record it. Even though much of your data will be useless to them, some of it could be quite useful. For instance, some email services even today fail to encrypt emails when your mail reader downloads them.
So enable the Wifi password, and use WPA2 encryption.
Note that WEP encryption is not secure and should not be used. It was not actually designed by security professionals.
3.8. Set up your Wifi router to not broadcast the name of your router i.e. the SSID.
If you know your router's name, you don't need to tell the world about it. Letting everyone in the neighborhood know the name (the SSID) is dangerous because it means they can then commence with trying to break into your Wifi network.
3.9. Check your file permissions.
If more than one person will use your computer, each with his own account, make sure that users cannot access one another's files.
This pertains to the files in your home directory. Most users don't need to worry about this since they don't put files in their home directory.
Make sure that files and subdirectories in your home directory are accessible only by you, and not by people in your group or by everyone. Directories should have permissions 0700 and files should be 0600.
The only directory that should be 0777 is ~/Public which is the sharing directory.
A pitfall: Files copied from a Windows thumb drive, which typically has a FAT32 file system, will often be automatically set to 0644, and directories to 0755, which lets any other user on your Mac access them if those files are in your home directory.
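One way to check for the pitfall above from Terminal, as an added example that is not part of the original page: a POSIX shell script that lists files and directories that group or others can access, skips the Public directory, and can tighten what it finds. The function names and the throwaway demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a home directory against the 0700/0600 rule.
# The directory layout built below is constructed sample data.

# Run find over DIR with the action given in the remaining arguments.
# Selects regular files and directories that grant any permission bit to
# group or others. DIR/Public is skipped, and DIR itself is left alone because
# other users have to pass through it to reach Public.
scan_home() {
    home_dir=${1%/}
    shift
    find "$home_dir" \
        -path "$home_dir/Public" -prune -o \
        ! -path "$home_dir" \
        \( -type f -o -type d \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        "$@"
}

# Print every entry that someone other than the owner can read, write or enter.
audit_home() { scan_home "$1" -print; }

# Drop group/other access: 0755 -> 0700 and 0644 -> 0600. The owner's own
# bits, including execute on scripts, are untouched.
fix_home() { scan_home "$1" -exec chmod go-rwx {} +; }

# Build a throwaway tree that looks like a home directory after a folder was
# copied in from a FAT32 thumb drive.
make_demo_home() {
    tmp=${TMPDIR:-/tmp}
    demo=$(mktemp -d "${tmp%/}/homeaudit.XXXXXX") || return 1
    mkdir "$demo/Documents" "$demo/from_usb" "$demo/Public"
    : > "$demo/Documents/notes.txt"
    : > "$demo/from_usb/taxes.pdf"
    : > "$demo/Public/flyer.txt"
    chmod 700 "$demo/Documents"
    chmod 600 "$demo/Documents/notes.txt"
    chmod 755 "$demo/from_usb"
    chmod 644 "$demo/from_usb/taxes.pdf"
    chmod 777 "$demo/Public"
    chmod 644 "$demo/Public/flyer.txt"
    printf '%s\n' "$demo"
}

# Demo run on the constructed tree only; nothing in the real home is touched.
demo_home=$(make_demo_home)
echo "Accessible to other users before the fix:"
audit_home "$demo_home"
fix_home "$demo_home"
echo "Entries still accessible after the fix: $(audit_home "$demo_home" | wc -l)"
rm -rf "$demo_home"
```

To audit a real account, call `audit_home "$HOME"` and review the list before running `fix_home "$HOME"`.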
4. Browse the Web wisely
4.1. Disable third-party cookies
Third-party cookies are a means by which people are tracked when they use the Internet.
- Safari disables them by default.
- In Firefox it is possible to disable third-party cookies but it requires the extra effort of going into the browser preferences in the Privacy section and History subsection to enable blocking.
You can run the following cookie forensics test to see whether you are at risk: Cookie forensics.
4.2. Do not use unofficial Firefox plugins.
If you begin to check who writes plugins, it quickly becomes apparent that many authors go by pseudonyms and never give their actual names. They also conceal their whereabouts in many cases, or they are located in faraway countries. This might not matter except for two key facts:
- More nefarious plug-ins that you add manually are allowed to include object code.
Food for thought:
When I asked a famous security researcher why more research is not being done into the risks posed by browser plugins, he answered that it's just not
Don't assume that experts are working to keep you safe in every possible way. They may care more about getting their kicks or winning security competition prize money than about protecting you.
4.3. Avoid PDFs except from reputable sources.
In 2010, the Chinese hacked into hundreds of American corporations, including Google. One means by which this was done was using malware-infected PDF files, sent to GMail accounts. Thus, you should not assume that PDFs are generally safe.
In 2011, a Mac-specific trojan OSX/Revir-B was found that hides inside PDFs. Sophos article.
4.4. Disable Java in each browser
It's a fact that 99.9% of the time, you do not need Java, but if it's enabled, it is a huge security risk and the hackers in far-flung places like Mauritius and Kazakhstan know this.
Granted, some employers still require use of Java by their employees. Some Scandinavian banks allegedly require its use for online banking. On your personal computer however you generally do not need it.
To delete the Safari plugin:
4.5. Disable Flash in each browser.
It's very risky to leave Flash enabled or even installed. Flash may seem useful for watching videos on Youtube or Vimeo, but outside of that limited context it is a pretty pathetic technology.
- Websites containing Flash can contain exploits.
- PDFs containing Flash can contain exploits.
- Ads containing Flash can contain exploits.
Give a listen to how it is being used for nefarious purposes, such as recording your keystrokes:
In short, Adobe has done a horrific job of making Flash safe.
YouTube now supports HTML5 for watching many videos. Use that instead of Flash.
If you must use Flash, use it from within Chrome only and only go to specific websites, like YouTube, Xfinity, Netflix and Hulu. Chrome is the safer browser choice for Flash use because Google has their own variant of Flash that is based on Adobe's code but is more secure. Verge article
4.6. Remove Flash if possible.
The copies of Flash that Safari or Firefox would use should be deleted.
In the directory /Library/Internet Plug-Ins, there is a part of the flash plugin for Safari. Use this command to remove it:
4.7. Do not surf the Web in public places unless a password is required.
For technical reasons, it turns out that places like coffeehouses and restaurants that offer free Wifi are the least secure environments in which to do Web surfing.
An important point: It is in public Wifi locations that so-called zero day exploits are most likely to be deployed. A zero-day is simply one that security researchers have not yet become aware of, but the spooks and criminal gangs do know about.
The main way for public Wifi to be secure is for encryption to be enabled on the venue's Wifi router, and it has to be WPA encryption. That protects you from other customers as well as people outside the building.
Without WPA encryption enabled, other people can potentially intercept your Internet traffic and even hijack your online account(s) using man in the middle attacks. If you must use non-encrypted public Wifi like at Starbucks, don't access personal online accounts such as email.
Actually, some have asserted that even having WPA enabled is not enough, since miscreants can still snoop the key-exchange that is done when WPA is starting up, which is done in the clear.
One way to make public Wifi secure for you only is to use a VPN connection. Companies often require this for their employees' computers.
4.8. Log out of website A before you log into website B.
A common type of exploit termed Cross Site Scripting or XSS involves a user clicking on a link, such as in an email, that hijacks a current session that you have open at a website like Facebook and Gmail. This type of exploit cannot succeed if you are logged out. Therefore always log out of your accounts when you are not using them.
4.9. Skip the media-related websites
The great masses of illicit video, music and photo content that are available on the web appear to be made available as-is. There is not much evidence that anyone checks them for malware. Let's say 1 in 1000 files has malware that stealthily takes over your computer. If you view such materials on a regular basis, it is inevitable that you will get an infection sooner or later.
Rule 1: If you want illicit movies or TV shows, buy the DVDs and play them on your TV. Or rent them from your local library, which may be quite cheap or free.
Rule 2: If you want to look at interesting photos of bikini-clad women or accidents or whatever, consider doing it from within a virtual machine.
Rule 3: If you want to listen to music before buying it, go to the video-upload websites like YouTube rather than to download sites. This is where the artists expect and want you to go.
4.10. Disable Java in email client Thunderbird.
It turns out that Mozilla decided to allow add-ons in Thunderbird, and in the version I downloaded, Java is enabled by default. So if you use Thunderbird you will need to go into the Tools menu, select Add-Ons and disable all of them for your safety.
4.11. Add sites to your /etc/hosts as loopback.
Specific domains that cause excessive or unknown traffic can often be blocked using a simple method: Add them to your /etc/hosts file, specifying their IP address as 127.0.0.1. This is also a good way to block ads, if you know the domains they're using. Example:
Adding lines such as:
It's also wise to block Facebook, which is constantly tracking you from webpages:
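The loopback technique described in this section, as an added example that is not part of the original page: a POSIX shell function that appends `127.0.0.1` entries to a hosts file, skips names that are already mapped, and rejects anything that is not a plain hostname. The function names are hypothetical and every domain shown is a constructed placeholder, not one of the page's own entries.

```shell
#!/bin/sh
# Added example: add loopback entries to a hosts file without duplicating them.
# All domain names are constructed placeholders (example.com / example.net).

# Succeeds if NAME already appears as a hostname on a non-comment line of FILE.
is_mapped() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        { for (i = 2; i <= NF; i++) if (tolower($i) == want) found = 1 }
        END { exit !found }
    ' "$1"
}

# block_hosts FILE NAME...
# Appends "127.0.0.1<TAB>NAME" for each NAME that FILE does not map yet.
# A hosts entry matches one exact name, so www.ads.example.com needs its own
# line next to ads.example.com. Returns 1 if any NAME was rejected.
block_hosts() {
    hosts_file=$1
    shift
    rc=0
    for name in "$@"; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        # Accept plain hostnames only, so a pasted list cannot slip extra
        # fields or lines into the file.
        case $name in
            ''|*[!a-z0-9.-]*|.*|*.|*..*|-*)
                printf 'rejected: %s\n' "$name" >&2
                rc=1
                continue ;;
        esac
        if ! is_mapped "$hosts_file" "$name"; then
            printf '127.0.0.1\t%s\n' "$name" >> "$hosts_file"
        fi
    done
    return "$rc"
}

# Demo on a scratch copy rather than the live /etc/hosts.
tmp=${TMPDIR:-/tmp}
work=$(mktemp "${tmp%/}/hosts.XXXXXX")
printf '127.0.0.1\tlocalhost\n' > "$work"
block_hosts "$work" ads.example.com www.ads.example.com tracker.example.net
block_hosts "$work" ADS.example.com    # already mapped, nothing is added
cat "$work"
rm -f "$work"
```

To apply it for real, run `block_hosts` on a copy of `/etc/hosts`, review the result, and install the copy with `sudo cp`.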
4.12. When possible use a text browser e.g. Links
For visiting risky websites, don't use a mainstream graphical browser.
Use a text-based browser in Terminal.
Links is a good one. It does not come preinstalled but you can download it from here, build it and install it.
4.13. Install an ad blocker if available.
Firefox does not have an ad-blocker built in. Most people use Ad Block Plus, which is a Firefox extension.
4.14. If you must go to a risky website, run a site checker on it first
There are now websites that can run a series of tests on another website that you specify. You can thereby assess whether the specified site will try to attack your computer. Malicious sites typically do this by exploiting vulnerabilities in web browsers.
One such scanner is: Sucuri SiteCheck
4.15. Tell your browser to not install software automatically.
Safari supports automatic software installation without your approval, and exploiters have used this feature to install malware. You can disable it ostensibly by going into preferences
and disabling automatic opening of
4.16. Tell your mail program to not load remote images.
Emails that contain images may seem like a safe convenience, but in fact there are risks to do with displaying them.
- Images can somewhat rarely contain malware.
- If you view a phishing email, loading the images can tell the attacker what your IP address is.
4.17. Tell your browser to not open safe files automatically
Some browsers such as Safari have a setting that gives it your permission (set to Yes by default) to automatically open some files that it deems to be safe. The issue here is, it is not worth trusting the browser to make that decision for you.
4.18. Using public wifi: Change your MAC address.
When you log in to the free Wifi at a business such as a coffeehouse, you often see a pop-up window appear saying Click to accept our terms of service. This is where your privacy gets violated.
puts your current MAC address into the URL that it sends to a server.
Why this is done only they know. My guess is that they are trying to make money by selling information about your doings and whereabouts using your MAC as the tracking identifier. If your MAC can be linked to your identity, for instance by examining your Web traffic, it can become even more valuable.
Furthermore if an alliance of retail companies were to share this information among themselves, they could track your movements throughout the day based on what businesses you go near. You don't even have to enter a business: The Wifi signal travels outside the store. You could drive past a business and still be identified.
If any of that makes you uncomfortable or creeps you out, you can change your Mac's Wifi MAC address like so:
5. Avoid risky software
5.1. Avoid products from Microsoft.
Even today, Microsoft's Office for Mac is an overpriced, low-quality variant of their Office product for Windows. But worse than that, in-document scripting is still enabled by default, which unnecessarily leaves open a conduit for malware exploits to be launched. It is a vulnerability that has been exploited extensively by hackers in the past.
5.2. Skip the precompiled free software.
The best rule of thumb is, if you did not compile a free program yourself from the source code, assume that it has malware in it, and don't use it. In order to compile it you obviously need the source code,
and if the source code is not available (i.e. it is
then you should wonder what they are hiding.
Unfortunately some of the bigger apps are not made easy to build by users. Firefox, for example. Indeed it is the apps that are most critical to most people's workflows that are most difficult to build.
5.3. Use virtual machines with caution
Virtual machines like VMWare, Parallels and VirtualBox all present a potential risk of spying on your activities by the companies that make them. Think about it. These machines know every network connection your virtualized software is making, every keystroke that you type, every mouse click. If any of the companies that make these programs has a contract with an oppressive, spying-prone government or corporate espionage company, they could provide a record of everything that you do in a virtual machine to said malefactor company.
In addition, some virtual machines have vulnerabilities themselves, and bad people have written malware. There are known to exist breakout exploits in which malware that is running within a VM can use vulnerabilities in the VM software to find a way out of the running VM and into your main OS.
6. Check for malware
6.1. Stop risky services from launching
When you log in, some programs automatically launch. Some programs that do so can be found and removed if you run Settings, click on Users and Groups, select the tab Login Items.
From the command line, you may also find launch data
You can stop them from launching after login by removing their launch plist files.
6.2. Look for keyloggers
A keylogger is a program that records every keystroke that you type and periodically sends those keystrokes to a server run by criminals or spooks.
A common Mac keylogger is ABK. Look for it using Spotlight or use the find command to search in these directories:
You can also check your non-Apple KEXT files related to keyloggers. For example Blazing Tools Perfect Keylogger shows up as com.BT.kext.bpkkext in the output of this command:
Having a commercial antivirus running can be a security risk in its own right.
It expands the
- Some malware is now written to attack and take over the antivirus programs.
- Some antivirus programs have a default setting to automatically upload your private files to their cloud servers without your consent in order to protect them. This means that some antivirus programs are effectively trojan horse spyware.
- If any antivirus company has been required by a nefarious government agency to provide them with a means to get into their customers' computers, they will never tell you.
6.4. Periodically reinstall OS/X.
Infections are inevitable. Antivirus does not fully undo an infection. The best solution for security is to reinstall the OS from time to time, e.g. once per month, after reformatting the hard drive. Like brushing one's teeth or tying one's shoelaces, this is not difficult once it becomes routine.
6.5. Mainly use a non-administrator account.
The first account that you create is given administrator rights. That's dangerous, because if you inadvertently run a malware-infected program, it can do more damage to your system than if you ran it from a regular user account.
Therefore, when you install OS/X, call your first account admin, and then create a separate non-admin account that you will use 98% of the time.
But you ask: Why? Isn't this just paranoia? No. An example: Taiwanese security researchers found, and reported at the Black Hat Europe 2014 conference, that Apple foolishly allows any user with admin privileges to install kernel drivers. They found this ability was still present in Yosemite when it was released.
6.6. If you have the technical skill, create your own firewall rules.
It can be important to block risky outgoing connections. You cannot be 100% sure that some random program you've downloaded is not a trojan horse that will upload your data to a server.
A simple script like the following, run using sudo, can stymie some spying efforts.
6.7. Look for other malware
Four additional commands:
To disable Google's Updater, add this to your
7. Detect outsiders
It might help to get an idea of what computers are close enough to attack your computer.
Let's say for instance that you want to access your bank account online (bad idea) but you have roommates that you don't know very well. In this case it might be wise to wait until other people are not using your network. But how do you know if they are? You have to detect their presence.
7.1. Find out who else is on your network
If you're using a Wifi connection, especially in a public place, there may be many computers, phones, and tablets that are on the Wifi and able to snoop on your activity or to attack your computer.
Even if the owner of a device is benign, there may be malware on his or her device that is programmed to automatically seek out vulnerable devices or look for interesting data.
Using Terminal, run this command:
This lists any devices that your computer has knowledge of now, which may include devices that were previously on the network but recently disconnected. It is usually an incomplete list.
A more proactive way to see whether there is anyone else on your network is to use the command
ping -i 5 -c 1 255.255.255.255
but this should only be done rarely as it makes your computer look suspicious.
There are a lot of things that you can do to secure your Mac, many of which do not require technical ability. They do require that you think though, and use common sense.