
MacOS Security Tips

Revision 42
© 2011-2019 by Zack Smith. All rights reserved.

Disclaimer:
Apple's Macintosh OS may be less commonly a target of hacking attacks and exploits than Windows or Android, but delinquents and professional criminals are increasingly taking an interest in the Mac and macOS. What follows is a list of tips that I have devised to explain how you might make your Mac more secure. This is not a complete list and I cannot provide any guarantee or warranty on this advice. Use it at your own risk. In the end, protecting your computer is your own responsibility.

0. Commandments

My computer security rules:

  1. Reinstall macOS every month.
  2. In Settings/Security & Privacy: Turn on the firewall.
  3. In Settings/Security & Privacy: Turn on FileVault.
  4. Completely turn off your computer when not in use.
  5. Completely turn off your Wifi router when not in use.
  6. Completely turn off your phone when it is unlikely to be of use.
  7. Change the administration password for your Wifi router to something other than the well-known default.
  8. Make sure your Wifi router has remote administration turned off even if your ISP wanted it turned on, and also turn off Wifi administration and universal plug-and-play (UPnP).
  9. When you install macOS, create the following accounts:
    1. Call the initial account admin, because the first account you create has admin rights by default.
    2. Create a second, non-admin account that you will then use 98% of the time.
    3. Create a third account called chrome, because Chrome can't be trusted not to spy on you and your life.
    4. Create a fourth account, quarantine, for running various other potential spyware, e.g.
      • videoconferencing software.
      • OpenOffice.
      • Wine
  10. If you need to download an app, get its source code and compile it yourself. (Type ./configure; make clean; make)
  11. Resist the urge to install browser plug-ins except well-known ad blockers, as these have full access to your computer -- they are not sandboxed.
  12. Turn off any provided browser plugins e.g. QuickTime, Google codec support and Flash.
  13. Beware of people who rush you into installing software, and don't install it to /Applications but rather to the desktop of the quarantine account.
  14. Resist the urge to just download and try out some enticing program.
  15. Avoid free online email except for one-off needs like signing up for an online forum. There is no free lunch. They profit by selling your data.
  16. When sending a private email, consider encrypting it e.g. with GPG. The recipient will have to use GPG as well.
  17. If you will be using Firefox, consider the plugins uBlock Origin and Adblock Plus.
  18. Ideally your web browser should have Javascript disabled whenever possible, e.g. use the NoScript plugin to selectively disable Javascript.
  19. Consider using a text-based browser like Lynx or Links.
  20. Never use Java or Flash in a browser!
  21. If a website requires Flash then use Google Chrome to visit it. Examples are Xfinity.com, Hulu.com.
  22. In your email app, disable the feature to automatically load remote images.
  23. Keep all critical personal data off of your computer and physically locked up.
  24. Encrypt your external drives including flash and portable hard drives; you set up encryption in Disk Utility.
  25. Remove all personal data from your computer before taking it in for repair, and overwrite the empty areas of your drive to prevent undeletion of your deleted files.
  26. Only ever run risky software like Microsoft Windows inside of a virtual machine like Qemu.
  27. Try to avoid downloading risky files (PDFs, MS Excel files etc.) and if you must, run a virus scanner on them first.
  28. Consider isolating all risky Internet activity to a burner iPad that is used only for that, and wipe it from time to time (select Erase all Contents).
  29. Don't use public wifi: Tether to your mobile phone instead.
  30. When using public wifi: Use a VPN if possible.
  31. If you cannot use a VPN while on public Wifi, try to verify certificates of websites using this tool:
  32. In your browsers, disable website-provided fonts as there have been exploits that used vulnerabilities in the font file parsers.

1. Isolation

1.1. Disconnect your computer from the Internet.

Most exploits occur over the Internet, so this is a no-brainer. When you do not need to be connected to the Internet, go to the Wireless icon and select Turn Wifi Off. Or pull out the Ethernet cable if you use that.

1.2. Disable Bluetooth when not at home.

Bluetooth may be useful for connecting to an external keyboard at home, but if you don't need it, it is prudent to switch it off since it offers a potential if rare means of attack.

Bluetooth can also be used to surveil you. Your Bluetooth device's address can be obtained to identify and track you in public places. It can be used to get your Mac's name e.g. Fred's Macbook Pro.

1.3. Disable the Ethernet port if there is one.

Few people use the Ethernet port any longer. It is mainly used by technology professionals to communicate with routers and servers. If you don't need to use it, go into the Ethernet settings, select Disable for the Configure IPv4 setting. For the IPv6 setting select Local Link Only.

1.4. Do not use online storage.

It is unwise to use iCloud or any other cloud-based online storage service such as DropBox, convenient though it may be. If you do not encrypt your files before you upload them, they can be copied and used right away or years from now e.g. by governments, by people who hacked into the cloud, and by employees of the cloud service.

The typical argument that it doesn't matter if they're stolen is a form of denial. You may not want to imagine the numerous outrageous ways in which, for instance, your photos could be used, but that doesn't mean that others feel so inhibited.

The practice of encrypting data before storing it in the cloud is associated with a TNO (Trust No One) approach to security.

1.5. Avoid free online email.

You really should not use online free email services either such as these:

  • Yahoo mail
  • Gmail
  • Mail.com
  • Inbox.com
  • Lycos mail
  • Hotmail
  • Aol mail
  • GMX mail

Most corporations that run such services are all too eager to turn over your personal information to any nefarious company or government agency that's paying. Betraying your trust is profitable and they view that betrayal as a no-brainer without consequences.

Surveillance is the killer app of the Internet.

Long before Edward Snowden, it was exposed on Cryptome.org that Yahoo charges the US government only US $60 for a year's worth of a user's emails.

1.6. Keep critical personal data off of your computer

Not everything has to be on your computer. Critical data such as your social security number, tax records, legal paperwork, birth certificates, passwords, ID cards, immigration documents, sexy photos and revealing private videos should be located on encrypted external media from start to finish.

1.7. Encrypt your external drives.

Any laborer or landlord who walks into your apartment and sees a USB drive sitting on the table could in theory steal it, or copy it without your knowing. It's wise to encrypt such drives to at least protect your data.

You may think you know what's on a drive, but in truth most people are largely ignorant of where they've put their numerous files.

To encrypt a USB or hard drive, format it for Mac OS (not Windows FAT) and tell Disk Utility to encrypt it.

External media that are not in use should be locked away.

1.8. Securely erase and wipe empty space

When you delete a file, use the Finder's Secure Empty Trash [sic] feature. You should go into the Finder preferences and set secure erasure to be the default method. (This feature seems to have been removed in Sierra.)

But note, data deletion that is not done by the Finder, but rather is done automatically by programs like browsers, will probably not be done securely.

To make sure that no deleted data can be un-deleted, you can periodically run Disk Utility and use the Erase Empty Space feature. This will make sure important data like deleted web browser cache data and web history cannot be recovered.

1.9. Remove all personal data before taking your Mac in for repair

It was revealed on Consumerist.com in 2013 that workers in Best Buy's Geek Squad service were regularly copying customers' photos and other content onto personal thumb drives during the course of repairing customers' computers. Would Apple's geniuses not do the same? Who can say, except an insider.

Geek Squad Accused Of Stealing and Distributing Customer's Naked Photos.

1.10. Avoid low-cost domain resellers and hosting services.

Don't be fooled by low prices. When you sign up with cheap services, they could just make up for the lack of profits by selling you out.

I discovered to my surprise that the Universal Terms of Service provided by GoDaddy and its various resellers has an enormous qualification: They claim ownership of your User Content if it is within a subcategory called User Submissions. The problem is, they never define what part of your data falls into that subcategory and what does not.

You should always take the time to read the fine print.

1.11. Practice good thumb drive isolation.

Never buy or use a USB thumb drive that cannot be attached to your keychain. A thumb drive without a keychain hook or that is not on your primary or only keychain is easily lost or stolen.

A thumb drive should always be encrypted unless it's solely for use in

  • Your car's audio system in which case it should only have your current MP3s and nothing else;
  • Your TV in which case it should only have videos that you plan to watch soon.

Give each thumb drive a name indicating what it's for and mark it to indicate its purpose e.g. MUSIC FOR CAR.

Never use a thumb drive that you find sitting in public somewhere. Leaving a thumb drive on a ledge or table is a classic means of infecting computers at e.g. a nearby business or government organization.

Note also, thumb drives contain microcontrollers whose firmware can in theory be reflashed in order to infect other devices even if no file on them is opened.

2. Disable risky services

2.1. Inhibit Bonjour.

After you enable your firewall (see section 3 below) you should enable its stealth mode. This should prevent your computer from broadcasting its existence to other computers on a network.

An alternative method is to disable the Bonjour service. Bonjour tells other Macs near you what services you have to offer them, and tells you what they can offer you.

Two rules of thumb:

  • You should not encourage others to try to get access to what is on your computer.
  • You should not be accessing any data they have made available as it may contain malware.

In Mountain Lion, you can go into Settings, Security, Firewall, and Firewall Options and select Enable Stealth Mode (for good measure), and then Block All Incoming Connections.

Another approach is to use the command line to edit the file /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist. Add a string entry -NoMulticastAdvertisements to the ProgramArguments array. Then reboot.
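The plist edit just described can be scripted so that it is repeatable and does not add the flag twice. The following is an added example, not code from the original article: it inserts a launchd argument into the ProgramArguments array of an XML plist and checks whether the argument is already present. The function names are this example's own. It assumes the plist is in XML form (a binary plist can be converted first with plutil -convert xml1), and it should be run on a copy that is then installed as the article describes. Note that on El Capitan and later, System Integrity Protection keeps /System read-only, so installing the edited file there only works with SIP disabled.

```shell
#!/bin/sh
# Added example (not from the original article): add a launchd argument such as
# -NoMulticastAdvertisements to the ProgramArguments array of an XML plist,
# idempotently, and check whether it is already there.

# True if plist $1 already lists argument $2 as a <string> entry.
launchd_has_arg() {
    grep -q "<string>$2</string>" "$1"
}

# Insert argument $2 right after the <array> that follows the ProgramArguments
# key in plist $1. A second run with the same argument changes nothing.
add_launchd_arg() {
    f="$1"; arg="$2"
    if launchd_has_arg "$f" "$arg"; then
        return 0
    fi
    awk -v a="$arg" '
        { print }
        /<key>ProgramArguments<\/key>/ { want = 1; next }
        want && /<array>/ { printf "\t\t<string>%s</string>\n", a; want = 0 }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Usage: sh thisfile.sh add /path/to/copy.plist -NoMulticastAdvertisements
#        sh thisfile.sh check /path/to/copy.plist -NoMulticastAdvertisements
case "${1:-}" in
    add)   add_launchd_arg "$2" "$3" ;;
    check) launchd_has_arg "$2" "$3" && echo present || echo absent ;;
esac
```

Work on a copy of the daemon plist, verify the result with the check command, and only then copy it into place and reboot.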

2.2. Disable Bluetooth discovery.

If you must use Bluetooth, disable discovery in the Bluetooth settings. You can also do this in the Bluetooth-icon pulldown menu.

2.3. Disable any Sharing services.

It is almost always a bad idea to leave sharing services on. If you must use a sharing service, do so only temporarily when you need it, then switch it off again. Go into Sharing settings and uncheck everything.

2.4. Remove Google spyware that comes with Mail

I recently discovered that a Google mail plugin was periodically running and checking to see what drives I have mounted on my system, e.g. whether I have a USB drive plugged in. This is very odd because:

  1. I was not running Mail at the time.
  2. I do not have a Gmail account.
  3. I was not logged into my Google account.

To prevent this kind of activity, whatever its actual purpose may have been, one can remove the offending plugin. But... warning! If you do this then you won't be able to use a Gmail account from within Mail. From Terminal, do this:

 sudo rm -rf /System/Library/InternetAccounts/Google.iaplugin

You'll need to enter your password to delete the plugin.

There are other plugins in that folder that you can delete if you are sure you don't need them. They include:

 sudo rm -rf /System/Library/InternetAccounts/126.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/163.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/AOL.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/Exchange.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/Facebook.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/Flickr.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/LinkedIn.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/QQ.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/TencentWeibo.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/Tudou.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/TwitterPlugin.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/Vimeo.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/Weibo.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/Yahoo.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/Youku.iaplugin
 sudo rm -rf /System/Library/InternetAccounts/iCloud.iaplugin

2.5. Disable Location Services and the IR receiver.

Very few people need these. For good measure, go into Settings, Security, Privacy and disable both Location Services and the IR receiver.

Location Services is mainly useful for the Maps program.

3. Block outsiders

3.1. Enable the basic Firewall.

You should always have your Mac behind a physical firewall such as the one in your Wifi router, but you will also need to enable Apple's built-in Firewall capability, especially if you will use your Mac on an unencrypted public Wifi.

Go into Settings, Security, and Firewall to find it and start it.

3.2. Enable FileVault to encrypt your hard drive

Encrypt your entire drive using FileVault. The first time you enable it, it will require up to an hour to encrypt your drive.

If you also have Windows installed on your computer via BootCamp, FileVault will prevent Windows programs from reading your Mac files, and that's generally good, especially if your Windows setup gets infected with malware.

3.3. Add a firmware boot password

The firmware password is not your normal login password, but rather the password that lets the Mac boot from a disk other than your hard drive. Adding it is done using the OS/X installation disk, if you have one. By enabling a firmware password, you prevent other people from booting up your computer from a CD-R or DVD-R disc or from a USB flash drive.

This can be very important, because if you fail to add a firmware password and you fail to encrypt your hard drive, crooks and ne'er-do-wells can potentially walk up to your unattended Mac, boot from a thumb drive and steal all of your data.

3.4. Turn off your home Wifi router at night and when you are not at home.

At night, or whenever you are not at home, there is no need for your router to be powered up. Having it on means that someone can theoretically hack into the router itself from anywhere on the planet.

If you think such a thing is unlikely, just google port 32764 backdoor. There are several ways to break into a Wifi router and port 32764 is perhaps the latest one to be discovered. Check it by clicking here.

Set the administration password on your Wifi router (not just the encryption password) to something very hard to guess, and make sure you disable remote log-in. Also disable logging into the router via Wifi: require a connection with a cable.

3.5. Shut off the port forwarding.

If you must set up your Wifi router for port forwarding, make sure you turn off that feature immediately after you're done with it. Otherwise you're just providing a means for outsiders to bypass the firewall.

An example of an activity that often leads to port forwarding being left on is when gamers use it to play video games with other people from around the world. Since Macs are less commonly used for gaming than are Windows PCs and gaming consoles, this may not apply to you.

An example of a situation in which port forwarding is useful but potentially dangerous is when you set it up to permit you into your Mac from afar using ssh (secure shell). Remote login is a standard feature of OS/X that is enabled in Settings, the Sharing section, by clicking Remote Login. For such an activity you'd be enabling port 22 on your Wifi router to let outsiders (hopefully only you!) who are utilizing ssh or sftp to enter your machine.

If, in the worst case, you leave Remote Login enabled on your Mac and port forwarding enabled on your Wifi router and leave your router itself powered up e.g. at night, this could be very bad.

3.6. Shut off the router's uPnP service

Most Wifi routers support universal plug-and-play, which can reveal information about what's on your network to people who are far away. You should always make sure that uPnP is switched off. However you should also be aware that some routers, even if you tell them to switch off uPnP, leave it partially on anyway.

3.7. Set the Wifi encryption password

This is a no-brainer. If people are able to get onto your Wifi network, they can read most of the data that is passing across the network. This means they can analyze it and record it. Even though much of your data will be useless to them, some of it could be quite useful. For instance, some email services even today fail to encrypt emails when your mail reader downloads them.

So enable the Wifi password, and use WPA2 encryption.

Note that WEP encryption is not secure and should not be used. It was not actually designed by security professionals.

3.8. Set up your Wifi router to not broadcast the name of your router i.e. the SSID.

If you know your router's name, you don't need to tell the world about it. Letting everyone in the neighborhood know the name (the SSID) is dangerous because it means they can then commence with trying to break into your Wifi network.

3.9. Check your file permissions.

If more than one person will use your computer, each with his own account, make sure that users cannot access one another's files.

This pertains to the files in your home directory. Most users don't need to worry about this since they don't put files in their home directory.

Make sure that files and subdirectories in your home directory are accessible only by you, and not by people in your group or by everyone. Directories should have permissions 0700 and files should be 0600.

The only directory that should be 0777 is ~/Public which is the sharing directory.

A pitfall: Files copied from a Windows thumb drive, which typically has a FAT32 file system, will often be automatically set to 0644, and directories to 0755, which lets any other user on your Mac access them if those files are in your home directory.
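The permission check above can be done for a whole home directory at once. The following is an added example, not code from the original article: it lists every file and directory under a home directory that anyone other than the owner can read, write or enter, skipping ~/Public, and a second function tightens directories to 0700 and files to 0600 as the article recommends (executable files go to 0700 so that scripts in, say, ~/bin keep working). It parses the mode string printed by ls -ld rather than using stat, whose flags differ between macOS and Linux, so it runs on both. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): audit a home directory for
# entries that users other than the owner can access, and optionally tighten
# them to the 0700 (directories) / 0600 (files) the article recommends.
# ~/Public is skipped because it is the sharing directory. Symlinks are
# skipped because their own mode bits are not meaningful.

# Print "MODE PATH" for every entry under $1 whose group or other bits are set.
audit_home_perms() {
    home="${1:-$HOME}"
    public="$home/Public"
    find "$home" -path "$public" -prune -o ! -type l -print | while IFS= read -r p; do
        [ "$p" = "$home" ] && continue      # the home directory itself stays as is
        mode="$(ls -ld "$p" | awk '{print $1}')"
        # characters 5-10 of the mode string are the group and other bits
        rest="$(printf '%s' "$mode" | cut -c5-10)"
        case "$rest" in
            ------) ;;                       # owner-only: nothing to report
            *) printf '%s %s\n' "$mode" "$p" ;;
        esac
    done
}

# Number of findings, for a quick pass/fail.
count_findings() {
    audit_home_perms "$1" | wc -l | tr -d ' '
}

# Tighten everything under $1 (except Public): directories 0700,
# executable files 0700, other files 0600.
fix_home_perms() {
    home="${1:-$HOME}"
    public="$home/Public"
    find "$home" -path "$public" -prune -o ! -type l -type d -print | while IFS= read -r d; do
        [ "$d" = "$home" ] && continue
        chmod 0700 "$d"
    done
    find "$home" -path "$public" -prune -o ! -type l -type f -print | while IFS= read -r f; do
        if [ -x "$f" ]; then chmod 0700 "$f"; else chmod 0600 "$f"; fi
    done
}

# Usage: sh thisfile.sh audit [HOME]    or    sh thisfile.sh fix [HOME]
case "${1:-}" in
    audit) audit_home_perms "${2:-$HOME}" ;;
    fix)   fix_home_perms "${2:-$HOME}" ;;
esac
```

Run the audit after copying files from a FAT32 thumb drive, since that is exactly when 0644/0755 entries appear in your home directory.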

4. Browse the Web wisely

4.1. Disable third-party cookies

Third-party cookies are a means by which people are tracked when they use the Internet.

  • Safari disables them by default.
  • In Firefox it is possible to disable third-party cookies but it requires the extra effort of going into the browser preferences in the Privacy section and History subsection to enable blocking.

You can run the following cookie forensics test to see whether you are at risk: Cookie forensics.

4.2. Do not use unofficial Firefox plugins.

If you begin to check who writes plugins, it quickly becomes apparent that many authors go by pseudonyms and never give their actual names. They also conceal their whereabouts in many cases, or they are located in faraway countries. This might not matter except for two key facts:

  • Plugins run Javascript which is a major conduit for malware exploits.
  • More nefarious plug-ins that you add manually are allowed to include object code.

Food for thought:
When I asked a famous security researcher why more research is not being done into the risks posed by browser plugins, he answered that it's just not cool enough.

Don't assume that experts are working to keep you safe in every possible way. They may care more about getting their kicks or winning security competition prize money than about protecting you.

4.3. Avoid PDFs except from reputable sources.

In 2010, the Chinese hacked into hundreds of American corporations, including Google. One means by which this was done was using malware-infected PDF files, sent to GMail accounts. You should not assume that PDFs are generally safe.

4.4. Disable Java in each browser

It's a fact that 99.9% of the time, you do not need Java, but if it's enabled, it is a huge security risk and the hackers in far-flung places like Mauritius and Kazakhstan know this.

Granted, some employers still require use of Java by their employees. Some Scandinavian banks allegedly require its use for online banking. On your personal computer however you generally do not need it.

4.5. Disable Flash in each browser.

It's very risky to leave Flash enabled or even installed. Flash may seem useful for watching videos on Youtube or Vimeo, but outside of the limited context of video watching, it is a useless and risky technology.

  • Websites containing Flash can contain exploits.
  • PDFs containing Flash can contain exploits.
  • Ads containing Flash can contain exploits.

Give a listen to how it is being used for nefarious purposes, such as recording your keystrokes:
NPR story

In short, Adobe has done a terrible job of making Flash safe.

YouTube now supports HTML5 for watching many videos. Use that instead of Flash.

If you must use Flash, use it from within Chrome only and only go to specific websites, like YouTube, Xfinity, Netflix and Hulu. Chrome is the safer browser choice for Flash use because Google has their own variant of Flash that is based on Adobe's code but is more secure.

4.6. Remove Flash if possible.

The copies of Flash that Safari or Firefox would use should be deleted.

4.7. Do not surf the Web in public places unless a password is required.

For technical reasons, it turns out that places like coffeehouses and restaurants that offer free Wifi are the least secure environments in which to do Web surfing.

A cheap way to keep safe at a coffee shop is to tether to your phone instead of using their Wifi, if your phone allows tethering.

Another way to make public Wifi secure for you only is to use a VPN connection. Companies often require this for their employees' computers.

4.8. Close the tab for website A before you log into website B.

A common type of exploit termed Cross Site Scripting or XSS involves a user clicking on a link, such as in an email, that hijacks a current session that you have open at a website like Facebook or Gmail. This type of exploit cannot succeed if you are logged out. Therefore always log out of your accounts when you are not using them.

4.9. Skip the media-related websites

The great flood of video, music and photo content that is available on the web appears to be made available as-is. There is no evidence that anyone checks it for exploits that would cause a malware infection. Let's say 1 in 10,000 files has malware that stealthily takes over your computer. If you view such materials on a regular basis, it is inevitable that you will get an infection eventually.

Rule 1: If you watch a lot of movies or TV shows, buy the DVDs and play them on your TV. Or rent them from your local library, which may be very cheap or free. Or use Netflix.

Rule 2: If you want to look at interesting photos of bikini-clad women or whatever, consider doing it from within a virtual machine running inside of VMWare or Parallels.

Rule 3: If you want to listen to music before buying it, go to the video-upload websites like YouTube rather than to download sites. This is where the artists expect and want you to go.

4.10. Disable Java in email client Thunderbird.

Thunderbird allows plug-ins. If you're using an older version, you may even find that Java is in there and enabled by default. Go into the Tools menu, select Add-Ons and remove or disable all of them for your safety.

4.11. Add sites to your /etc/hosts as loopback.

Specific domains that cause excessive or unknown traffic can often be blocked using a simple method: Add them to your /etc/hosts file, specifying their IP address as 127.0.0.1. This is also a good way to block ads, if you know the domains they're using. Example:

 sudo vi /etc/hosts

Adding lines such as:

 127.0.0.1 coin-hive.net
 127.0.0.1 coinhive.net
 127.0.0.1 akamaiedge.net
 127.0.0.1 trafficjunky.net
 127.0.0.1 akamaitechnologies.com
 127.0.0.1 syndication.exoclick.com
 127.0.0.1 exoclick.com
 127.0.0.1 1e100.net
 127.0.0.1 pagead2.googlesyndication.com

It's also wise to block Facebook, which is constantly tracking you from webpages:

 127.0.0.1 www.facebook.com
 127.0.0.1 facebook.com
 127.0.0.1 login.facebook.com
 127.0.0.1 www.login.facebook.com
 127.0.0.1 fbcdn.net
 127.0.0.1 www.fbcdn.net
 127.0.0.1 fbcdn.com
 127.0.0.1 www.fbcdn.com
 127.0.0.1 static.ak.fbcdn.net
 127.0.0.1 static.ak.connect.facebook.com
 127.0.0.1 connect.facebook.net
 127.0.0.1 www.connect.facebook.net
 127.0.0.1 apps.facebook.com
 fe80::1%lo0 facebook.com
 fe80::1%lo0 login.facebook.com
 fe80::1%lo0 www.login.facebook.com
 fe80::1%lo0 fbcdn.net
 fe80::1%lo0 www.fbcdn.net
 fe80::1%lo0 fbcdn.com
 fe80::1%lo0 www.fbcdn.com
 fe80::1%lo0 static.ak.fbcdn.net
 fe80::1%lo0 static.ak.connect.facebook.com
 fe80::1%lo0 connect.facebook.net
 fe80::1%lo0 www.connect.facebook.net
 fe80::1%lo0 apps.facebook.com
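Maintaining lists like the two above by hand invites duplicates and typos, and a hosts file is also a place where malware likes to redirect bank or update domains to its own servers. The following is an added example, not code from the original article: one function reads domain names from standard input and emits blocking lines in the two forms the article uses (127.0.0.1 and the fe80::1%lo0 entry macOS ships for localhost), skipping names the hosts file already has and rejecting malformed ones; a second function lists every entry whose address is not loopback (or the broadcasthost line) so that you can review it. Function names, the sample hosts file and the 203.0.113.5 address in the test are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): generate /etc/hosts blocking
# entries from a list of domains, and audit a hosts file for names that point
# somewhere other than loopback.

# True if hosts file $1 already has an entry for name $2 (comments ignored).
hosts_has_name() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Read domains on stdin; print IPv4 and IPv6 loopback lines for each one that
# is well-formed and not yet present in hosts file $1.
hosts_blocklist() {
    hostsfile="$1"
    while IFS= read -r dom; do
        dom="$(printf '%s' "$dom" | tr 'A-Z' 'a-z')"
        [ -z "$dom" ] && continue
        case "$dom" in
            \#*) continue ;;    # comment line in the input list
        esac
        # hostname syntax: dot-separated labels of letters, digits and hyphens
        if ! printf '%s\n' "$dom" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'; then
            printf 'skipping invalid hostname: %s\n' "$dom" >&2
            continue
        fi
        if hosts_has_name "$hostsfile" "$dom"; then
            continue
        fi
        printf '127.0.0.1 %s\nfe80::1%%lo0 %s\n' "$dom" "$dom"
    done
}

# Print "ADDRESS NAME" for every entry whose address is neither loopback nor
# the macOS broadcasthost line. Anything listed here deserves a look: a bank
# or update domain pointed at a remote address is a classic tampering sign.
hosts_audit() {
    sed 's/#.*//' "$1" | awk '
        NF >= 2 {
            addr = $1
            if (addr ~ /^127\./ || addr == "::1" || addr == "fe80::1%lo0" || addr == "255.255.255.255") next
            for (i = 2; i <= NF; i++) print addr, $i
        }'
}

# Usage: sh thisfile.sh block /etc/hosts < domains.txt | sudo tee -a /etc/hosts
#        sh thisfile.sh audit /etc/hosts
case "${1:-}" in
    block) hosts_blocklist "${2:-/etc/hosts}" ;;
    audit) hosts_audit "${2:-/etc/hosts}" ;;
esac
```

Review the generated lines before appending them; the audit is worth running after any software installation that asked for an administrator password.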

4.12. When possible use a text-based browser e.g. Links

For visiting risky websites, don't use a mainstream graphical browser. Use a text-based browser in Terminal. Links and Lynx are good ones. They do not come preinstalled in MacOS.

You can also use Curl in Terminal to fetch the HTML and examine it.

4.13. Install an ad blocker if available.

Firefox does not have an ad-blocker built in. Most people use Adblock Plus, which is a Firefox extension, and add uBlock Origin for good measure.

Ad blockers use filter lists (example: EasyList.to) to block ads and malicious content. These consist of regular expressions along with descriptions on how to apply them.

4.14. If you must go to a risky website, run a site checker on it first

There are now websites that can run a series of tests on another website that you specify. You can thereby assess whether the specified site will try to attack your computer. Malicious sites typically do this by exploiting vulnerabilities in web browsers.

One such scanner is Sucuri SiteCheck.

4.15. Tell your browser to not install software automatically.

Safari supports automatic software installation without your approval, and exploiters have used this feature to install malware. You can disable it ostensibly by going into preferences and disabling automatic opening of safe downloads.

4.16. Tell your mail program to not load remote images.

Emails that contain images may seem like a safe convenience, but in fact there are risks associated with displaying them.

  1. Images can somewhat rarely contain malware.
  2. If you view a phishing email, loading the images can tell the attacker what your IP address is. The entire point of sending you the email may be to locate you.
    • The phisher may sell your location.
    • The attacker may want your IP address because they plan to attack your router.

4.17. Using public wifi: Change your MAC address.

When you log in to the free Wifi at a business such as a coffeehouse, you often see a pop-up window appear saying Click to accept our terms of service. This is where your privacy gets violated. When you press Accept, in some cases the Javascript that is running in that popup puts your current MAC address into the URL that it sends to a server. I have seen this happen myself.

Exactly why this is done only they know. My guess is that they are trying to make money by selling information about your doings and whereabouts using your MAC as the tracking identifier and using a specialized Wifi router that itself does this recording and sends the session log to a server.

If your MAC can be linked to your identity or employer, it can become even more valuable. This could be done by contacting retailers to find out which credit card was used to purchase your laptop.

Worst case

Imagine if an alliance of retail companies were to share your information among themselves, i.e. name and MAC address. They could track your movements throughout the day based on what businesses you go to. If that alliance also has your phone's Bluetooth MAC address, all the worse, because that's two identifiers to look for when you enter a business. But you don't even have to enter a store: Your phone's Wifi and BLE signals travel beyond stores' walls. You could drive past a business and if your device is not asleep or in airplane mode, you could be identified.

If any of that makes you uncomfortable or creeps you out, you can change your Mac's Wifi MAC address like so:

 sudo ifconfig en0 ether NEW_MAC_ADDR
 sudo arp -a -d

I'm unsure how to change an iOS device's Bluetooth MAC addresses.
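Choosing NEW_MAC_ADDR by hand is error-prone: a mistyped address, or one with the multicast bit set, is rejected or misbehaves. The following is an added example, not code from the original article: it generates a random locally-administered unicast address (first octet with bit 0x02 set and bit 0x01 clear, so it cannot collide with a manufacturer-assigned address), validates an address before use, and wraps the two commands above so that a malformed address is refused. Function names are this example's own; the interface name en0 is taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): generate and validate a
# random locally-administered MAC address for the ifconfig step above.

# Print a random MAC such as 06:1f:a2:9c:4e:b0.
random_local_mac() {
    # six random bytes from the kernel RNG as 12 hex characters
    hex="$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')"
    first="$(printf '%s' "$hex" | cut -c1-2)"
    # set bit 1 (locally administered), clear bit 0 (multicast)
    first="$(printf '%02x' $(( (0x$first | 0x02) & 0xfe )))"
    rest="$(printf '%s' "$hex" | cut -c3-12 | sed 's/../&:/g; s/:$//')"
    printf '%s:%s\n' "$first" "$rest"
}

# True if $1 is six colon-separated hex octets whose first octet is unicast
# (bit 0 clear) and locally administered (bit 1 set).
is_local_unicast_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first="$(printf '%s' "$1" | cut -c1-2)"
    v=$(( 0x$first ))
    if [ $(( v & 0x01 )) -eq 0 ] && [ $(( v & 0x02 )) -ne 0 ]; then
        return 0
    fi
    return 1
}

# Apply address $2 (default: a fresh random one) to interface $1 (default en0)
# and flush the ARP cache, as in the article. Needs root; refuses bad input.
set_wifi_mac() {
    iface="${1:-en0}"
    mac="${2:-$(random_local_mac)}"
    if ! is_local_unicast_mac "$mac"; then
        printf 'refusing invalid MAC address: %s\n' "$mac" >&2
        return 1
    fi
    sudo ifconfig "$iface" ether "$mac"
    sudo arp -a -d
}

# Usage: sh thisfile.sh gen              (print a random address)
#        sh thisfile.sh set [IFACE] [MAC] (apply one; random if MAC omitted)
case "${1:-}" in
    gen) random_local_mac ;;
    set) set_wifi_mac "${2:-en0}" "${3:-}" ;;
esac
```

Disconnect from the Wifi network before changing the address and reconnect afterwards; the captive-portal popup the article describes will then see the new address rather than the hardware one.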

5. Avoid risky software

5.1. Avoid products from Microsoft.

Even today, Microsoft's Office for Mac is an overpriced, low-quality variant of their Office product for Windows. But worse than that, in-document scripting is still enabled by default, which unnecessarily provides a means for malware exploits to be launched. It is a vulnerability that has been exploited extensively by hackers in the past.

5.2. Skip the precompiled free software.

The best rule of thumb is, if you did not compile a free program yourself from the source code, assume that it has malware in it, and don't use it. In order to compile it you obviously need the source code, and if the source code is not available (i.e. it is closed source) then you should wonder what they are hiding.

Unfortunately some of the bigger apps are not easy for users to build, Firefox for example. Indeed it is the apps that are most critical to most people's workflows that are most difficult to build.

5.3. Use virtual machines with great caution

Virtualization software like VMWare, Parallels and VirtualBox all present a potential risk of spying on your activities by the companies that make them. Think about it. These machines know every network connection your virtualized software is making, every keystroke that you type, every mouse click. If any of the companies that make these programs has a contract with an oppressive, spying-prone government or corporate espionage company, they could provide a record of everything that you do in a virtual machine to said malefactor company.

In addition, some virtualization software has vulnerabilities. Bad people have written malware known as breakout exploits which while running within a VM can use vulnerabilities in the virtualization software to find a way out of the running VM and into your main OS.

So a better alternative to virtualization is emulation e.g. using Qemu, but it is slow.

6. Check for malware

6.1. Stop risky services from launching

When you log in, some programs automatically launch. Malware may choose to place itself in the LaunchItems directory to cause it to be run upon log in. You can find and remove launch items in Settings, under Users and Groups, select the tab Login Items.

From the command line, which everyone should know how to use, you may also find launch data in ~/Library/LaunchItems. You can stop them from launching after login by removing their launch plist files.

6.2. Look for keyloggers

A keylogger is a program that records every keystroke that you type and periodically sends those keystrokes to a server run by criminals or spooks.

A common Mac keylogger is ABK. Look for it using Spotlight or use the find command to search in these directories:

 ~/Library/LaunchAgents
 /Library/LaunchAgents
 /Library/LaunchDaemons
 /System/Library/LaunchAgents
 /System/Library/LaunchDaemons
 /System/Library/StartupItems

You can also check for non-Apple KEXT files related to keyloggers. For example Blazing Tools Perfect Keylogger shows up as com.BT.kext.bpkkext in the output of this command:

 kextstat -kl | grep -iv com.apple
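Searching the launch directories and the kextstat output by eye works, but a script can do both passes at once and show what each launch item actually starts. The following is an added example, not code from the original article: one function lists every launch agent or daemon plist in the directories the article names whose Label is not Apple's, together with the program it runs (marking programs whose path no longer exists), and another filters kextstat output down to non-Apple kernel extensions. It assumes XML plists (on macOS, binary ones are converted with plutil when it is available) and the classic kextstat column layout, Index Refs Address Size Wired Name (Version), that the macOS versions the article covers print. Function names are this example's own; the sample kextstat line in the test is constructed around the identifier the article gives.

```shell
#!/bin/sh
# Added example (not from the original article): list non-Apple launch items
# with the program each starts, and filter kextstat output to non-Apple kexts.

tab="$(printf '\t')"

# Print plist $1 as XML: convert with plutil where it exists (macOS), else cat.
plist_xml() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

# Print "LABEL<TAB>PROGRAM" for plist $1. PROGRAM is the Program key or the
# first ProgramArguments entry; either may be empty if the plist lacks it.
plist_label_and_program() {
    plist_xml "$1" | awk '
        /<key>/ { k = $0; gsub(/.*<key>|<\/key>.*/, "", k); key = k }
        /<string>/ {
            s = $0; gsub(/.*<string>|<\/string>.*/, "", s)
            if (key == "Label") label = s
            else if (key == "Program") prog = s
            else if (key == "ProgramArguments" && prog == "") prog = s
            key = ""       # only the first string after a key is used
        }
        END { printf "%s\t%s\n", label, prog }'
}

# For each directory given, print "FILE<TAB>LABEL<TAB>PROGRAM" for every plist
# whose label does not start with com.apple. A program path that no longer
# exists is marked "(missing)"; a launch item pointing at a deleted or
# temporary location is worth investigating.
launch_items_audit() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.plist; do
            [ -f "$f" ] || continue
            line="$(plist_label_and_program "$f")"
            label="${line%%"$tab"*}"
            prog="${line#*"$tab"}"
            case "$label" in
                com.apple.*) continue ;;
            esac
            if [ -n "$prog" ] && [ ! -e "$prog" ]; then
                prog="$prog (missing)"
            fi
            printf '%s\t%s\t%s\n' "$f" "$label" "$prog"
        done
    done
}

# Read kextstat output on stdin; print identifier and version of every loaded
# kext whose bundle identifier does not start with com.apple.
non_apple_kexts() {
    awk '$1 != "Index" && $6 !~ /^com\.apple\./ { print $6, $7 }'
}

# Usage: sh thisfile.sh launch     (the directories the article lists)
#        kextstat | sh thisfile.sh kexts
case "${1:-}" in
    launch) launch_items_audit ~/Library/LaunchAgents /Library/LaunchAgents \
                /Library/LaunchDaemons /System/Library/LaunchAgents \
                /System/Library/LaunchDaemons ;;
    kexts)  non_apple_kexts ;;
esac
```

Anything the launch audit lists should correspond to software you knowingly installed; an unfamiliar label, or a program under /tmp or a hidden directory, is the kind of entry the article's keylogger warning is about.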

6.3. Antivirus

Having a commercial antivirus running can be a security risk in its own right.

  • It may be written to steal your data, as when they come with a free cloud service that is enabled by default.
    • Some antivirus programs have a default setting to automatically upload your private files to their cloud servers without your consent in order to protect them. This means that some antivirus programs are effectively trojan horse spyware.
  • It expands the attack surface.
    • Some malware is now written to attack and take over the antivirus programs.
  • It may be a trojan horse.
    • If any antivirus company has been required by a nefarious government agency to provide them with a means to get into their customers' computers, they will never tell you.

6.4. Periodically reinstall OS/X.

Infections are inevitable. Antivirus does not fully undo an infection. The best solution for security is to reinstall the OS from time to time, e.g. once per month, after reformatting the hard drive. Like brushing one's teeth or tying one's shoelaces, this is not difficult once it becomes routine.

6.5. Mainly use a non-administrator account.

The first account that you create is given administrator rights. That's dangerous, because if you inadvertently run a malware-infected program, it can do more damage to your system than if you ran it from a regular user account.

Therefore, when you install OS/X, call your first account admin, and then create a separate non-admin account that you will use 98% of the time.

But you ask: Why? Isn't this just paranoia? No. An example: Taiwanese security researchers found, and reported at the Black Hat Europe 2014 conference, that Apple foolishly allows any user with admin privileges to install kernel drivers. They found this ability was still present in Yosemite when it was released.