© 2011-2019 by Zack Smith. All rights reserved.
- Apple's Macintosh OS may be less commonly a target of hacking attacks and exploits than is Windows or Android, but delinquents and professional criminals are increasingly taking an interest in the Mac and macOS. What follows is a list of tips that I have devised to explain how you might make your Mac more secure. This is not a complete list and I cannot provide any guarantee or warranty on this advise. Use it at your own risk. In the end, protecting your computer is your own responsibility.
My computer security rules:
1.1. Disconnect your computer from the Internet.
Most exploits occur over the Internet, so this is a no-brainer. When you do not need to be connected to the Internet, go to the Wireless icon and select Turn Wifi Off. Or pull out the Ethernet cable if you use that.
1.2. Disable Bluetooth when not at home.
Bluetooth may be useful for connecting to an external keyboard at home, but if you don't need it, it is prudent to switch it off since it offers a potential if rare means of attack.
Bluetooth can also be used to surveil you. Your Bluetooth device's address can be obtained to identify and track you in public places. It can be used to get your Mac's name e.g. Fred's Macbook Pro.
1.3. Disable the Ethernet port if there is one.
Few people use the Ethernet port any longer. It is mainly used by technology professionals to communicate with routers and servers. If you don't need to use it, go into the Ethernet settings, select Disable for the Configure IPv4 setting. For the IPv6 setting select Local Link Only.
1.4. Do not use online storage.
It is unwise to use iCloud or any other
cloud-based online storage service such as DropBox, convenient though it may be.
If you do not encrypt your files before you upload them, they can be copied and used right away or years from now e.g.
by governments, by people who hacked into the cloud, and by employees of the cloud service.
The typical argument that it doesn't matter if they're stolen is a form of denial. Just because you don't want to imagine the numerous outrageous ways in which for instance your photos can be used, but that doesn't mean that others feel so inhibited.
The practice of encrypting data before storing it in the cloud is associated with a TNO (Trust No One) approach to security.
1.5. Avoid free online email.
You really should not use online
free email services either such as these:
- Yahoo mail
- Lycos mail
- Aol mail
- GMX mail
Most corporations that run such services are all too eager to turn over your personal information to any nefarious company or government agency that's paying. Betraying your trust is profitable and they view that betrayal as a no-brainer without consequences.
Surveillance is the
killer app of the Internet.
Long before Edward Snowden, it was exposed on Crytome.org that Yahoo charges the US government only US $60 for a year's worth of a user's emails.
1.6. Keep critical personal data off of your computer
Not everything has to be on your computer. Critical data such as your social security number, tax records, legal paperwork, birth certificates, passwords, ID cards, immigration documents, sexy photos and revealing private videos should be located on encrypted external media RED(from start to finish).
1.7. Encrypt your external drives.
Any laborer or landlord who walks into your apartment and sees a USB drive sitting on the table could in theory steal it, or copy it without your knowing. It's wise to encrypt such drives to at least protect your data.
You may think you know what's on a drive, but in truth most people are largely ignorant of where they've put their numerous files.
To encrypt a USB or hard drive, format it for Mac OS (not Windows FAT) and tell Disk Utility to encrypt it.
External media that are not in use should be locked away.
1.8. Securely erase and wipe empty space
When you delete a file, use the Finder's Secure Empty Trash [sic] feature. You should go into the Finder preferences and set secure erasure to be the default method. (This features seems to have been removed in Sierra.)
But note, data deletion that is not done by the Finder, but rather is done automatically by programs like browsers, will probably not be done securely.
To make sure that no deleted data can be un-deleted, you can periodically run Disk Utility and use the Erase Empty Space feature. This will make sure important data like deleted web browser cache data and web history cannot be recovered.
1.9. Remove all personal data before taking your Mac in for repair
It was revealed on Consumerist.com
in 2013 that workers in Best Buy's Geek Squad service were regularly copying customers' photos and
other content onto personal thumb drives during the course of repairing customers' computers.
geniuses not do the same? Who can say, except an insider.
1.10. Avoid low-cost domain resellers and hosting services.
Don't be fooled by low prices. When you sign up with cheap services, they could just make up for the lack of profits by selling you out.
I discovered to my surprise that the Universal Terms of Service provided by GoDaddy and its various resellers
has an enormous qualification: They claim ownership of your
if it is within a subcategory called
The problem is, they never define what part of your data falls into that subcategory and what does not.
You should always take the time to read the fine print.
1.11. Practice good thumb drive isolation.
Never buy or use a USB thumb drive that cannot be attached to your keychain. A thumb drive without a keychain hook or that is not on your primary or only keychain is easily lost or stolen.
A thumb drive should always be encrypted unless it's solely for use in
- Your car's audio system in which case it should only have your current MP3s and nothing else;
- Your TV in which case it should only have videos that you plan to watch soon.
Give each thumb drive a name indicating what it's for and mark it to indicate its purpose e.g. MUSIC FOR CAR.
Never use a thumb drive that you find sitting in public somewhere. Leaving a thumb drive on a ledge or table is a classic means of infecting computers at e.g. a nearby business or government organization.
Note also, thumb drives contain microcontrollers whose firmware can in theory be reflashed in order to infect other devices even if no file on them is opened.
2. Disable risky services
2.1. Inhibit Bonjour.
After you enable your firewall (see section 3 below) your should enable its stealth mode. This should prevent your computer from broadcasting its existence to other computers on a network.
An alternative method is to disable the Bonjour service. This tells other Macs near you what services you have to offer them, and tells you what they can offer you.
Two rules of thumb:
- You should not encourage others to be trying to get access to what is on your computer.
- You should not be accessing any data they have made available as it may contain malware.
In Mountain Lion, can go into Settings, Security, Firewall, and Firewall Options and select Enable Stealth Mode (for good measure), and then Block All Incoming Connections.
Another approach is to use the command line to edit the file
You add to the section
ProgramArguments by inserting a string entry called
2.2. Disable Bluetooth discovery.
If you must use Bluetooth, disable
discovery in the Bluetooth settings.
You can also do this in the Bluetooth-icon pulldown menu.
2.3. Disable any Sharing services.
It is almost always a bad idea to leave sharing services on. If you must use a sharing service, do so only temporarily when you need it, then switch it off again. Go into Sharing settings and uncheck everything.
2.4. Remove Google spyware that comes with Mail
I recently discovered that a Google mail plugin was periodically running and checking to see what drives I have mounted on my system, e.g. whether I have a USB drive plugged in. This is very odd because:
- I was not running Mail at the time.
- I do not have a Gmail account.
- I was not logged into my Google account.
To prevent this kind of activity, whatever its actual purpose may have be, one can remove the offending plugin. But... warning! If you do this then you won't be able to use a Gmail account from within Mail. From Terminal, do this:
You'll need to enter your password to delete the plugin.
There are other plugins in that folder that you can delete if you are sure you don't need them. They include:
2.5. Disable Location Services and the IR receiver.
Very few people need these. For good measure, go into Settings, Security, Privacy and disable both Location Services and the IR receiver.
Location services is mainly useful for the Map program.
3. Block outsiders
3.1. Enable the basic Firewall.
You should always have your Mac behind a physical firewall such as the one in your Wifi router, but you will also need to enable Apple's built-in Firewall capability, especially if you will use your Mac on an unencrypted public Wifi.
Go into Settings, Security, and Firewall to find it and start it.
3.2. Enable FileVault to encrypt your hard drive
Encrypt your entire drive using FileVault. The first time you enable it, it will require up to an hour to encrypt your drive.
If you also have Windows installed on your computer via BootCamp, FileVault will prevent Windows programs from reading your Mac files, and that's generally good especially if your Windows setup get infected with malware.
3.3. Add a firmware boot password
firmware password is not your normal login password, but rather the
password that lets the Mac boot from a disk
other than your hard drive.
Adding it is done using the OS/X installation disk,
if you have one.
By enabling a firmware password, you prevent other people from booting up
your computer from an CD-R or DVD-R disc or from a USB flash drive.
This can be very important, because if you fail to add a firmware password and you fail to encrypt your hard drive, this means crooks and ne'erdowells can potentially walk up to your unattended Mac, boot from a thumb drive and steal all of your data.
3.4. Turn off your home Wifi router at night and when you are not at home.
At night, or whenever you are not at home, there is no need for your router to be powered up. Having it on means that someone can theoretically hack into the router itself from anywhere on the planet.
If you think such a thing is unlikely, just google
port 32764 backdoor.
There are several ways to break into a Wifi router and port 32764 is perhaps the latest one to be discovered.
Check it by clicking here.
Set the adminsitration password on your Wifi router (not just the encryption password) to something very hard to guess, and make sure you disable remote log-in. Also disable logging into the router via Wifi: require a connection with a cable.
3.5. Shut off the port forwarding.
If you must set up your Wifi router for port forwarding, make sure you turn off that feature immediately after you're done with it. Otherwise you're just providing a means for outsiders to bypass the firewall.
An example of an activity that often leads to port forwarding being left on is when gamers use it to play video games with other people from around the world. Since Macs are less commonly used for gaming than are Windows PCs and gaming consoles, this may not apply to you.
An example of a situation in which port forwarding is useful
but potentially dangerous
is when you set it up to permit you into into your Mac from afar using
ssh (secure shell). Remote login is a standard feature of OS/X that is
enabled in Settings, the Sharing section, by clicking Remote Login.
For such an activity you'd be enabling port 22 on your Wifi router to let outsiders (hopefully only you!)
who are utilizing
sftp to enter your machine.
If, in the worst case, you leave Remote Login enabled on your Mac and port forwarding enabled on your Wifi router and leave your router itself powered up e.g. at night, this could be very bad.
3.6. Shut off the router's uPnP service
Most Wifi routers support universal plug-and-play, which can reveal information about what's on your network to people who are far away. You should always make sure that uPnP is switched off. However you should also be aware that some routers, even if you tell them to switch off uPnP, leave it partially on anyway.
3.7. Set the Wifi encryption password
This is a no brainer. If people are able to get onto your Wifi network, they can read most of the data that is passing across the network. This means they can analyze it and record it. Even though much of your data will be useless to them, some of it could be quite useful. For instance, some email services even today fail to encrypt emails when your mail reader downloads them.
So enable the Wifi password, and use WPA2 encryption.
Note that WEP encryption is not secure and should not be used. It was not actually designed by security professionals.
3.8. Set up your Wifi router to not broadcast the name of your router i.e. the SSID.
If you know your router's name, you don't need to tell the world about it. Letting everyone in the neighborhood know the name (the SSID) is dangerous because it means they can then commence with trying to break into your Wifi network.
3.9. Check your file permissions.
If more than one person will use your computer, each with his own account, make sure that users cannot access one another's files.
This pertains to the files in your home directory. Most users don't need to worry about this since they don't put files in their home directory.
Make sure that files and subdirectories in your home directory are accessible only by you, and not by people in your group or by everyone. Directories should have permissions 0700 and files should be 0600.
The only directory that should be 0777 is
~/Public which is the sharing directory.
A pitfall: Files copied from a Windows thumb drive, which typically has a FAT32 file system, will often be automatically set to 0644, and directories to 0755, which lets any other user on your Mac access them if those files are in your home directory.
4. Browse the Web wisely
4.1. Disable third-party cookies
Third-party cookies are a means by which people are tracked when they use the Internet.
- Safari disables them by default.
- In Firefox it is possible to disable third-party cookies but it requires the extra effort of going into the browser preferences in the Privacy section and History subsection to enable blocking.
You can run the following cookie forensics test to see whether you are at risk: Cookie forensics.
4.2. Do not use unofficial Firefox plugins.
If you begin to check who writes plugins, it quickly becomes apparent that many authors go by pseudonyms and never give their actual names. They also conceal their whereabouts in many cases, or they are located in faraway countries. This might not matter except for two key facts:
- More nefarious plug-ins that you add manually are allowed to include object code.
Food for thought:
When I asked a famous security researcher why more research is not being done into the risks posed by browser plugins, he answered that it's just not
Don't assume that experts are working to keep you safe in every possible way. They may care more about getting their kicks or winning security competition prize money than about protecting you.
4.3. Avoid PDFs except from reputable sources.
In 2010, the Chinese hacked into hundreds of American corporations, including Google. One means by which this was done was using malware-infected PDF files, sent to GMail accounts. You should not assume that PDFs are generally safe.
4.4. Disable Java in each browser
It's a fact that 99.9% of the time, you do not need Java, but if it's enabled, it is a huge security risk and the hackers in far-flung places like Mauritius and Khazakstan know this.
Granted, some employers still require use of Java by their employees. Some Scandinavian banks allegedly require its use for online banking. On your personal computer however you generally do not need it.
4.5. Disable Flash in each browser.
It's very risky to leave Flash enabled or even installed. Flash may seem useful for watching videos on Youtube or Vimeo, but outside of the limited context of video watching, it is a useless and risky technology.
- Websites containing Flash can contain exploits.
- PDFs containing Flash can contain exploits.
- Ads containing Flash can contain exploits.
Give a listen to how it is being used for nefarious purposes, such as recording your keystokes:
In short, Adobe has done a terrible job of making Flash safe.
YouTube now supports HTML5 for watching many videos. Use that instead of Flash.
If you must use Flash, use it from within Chrome only and only go to specific websites, like YouTube, Xfinity, Netflix and Hulu. Chrome is the safer browser choice for Flash use because Google has their own variant of Flash that is based on Adobe's code but is more secure.
4.6. Remove Flash if possible.
The copies of Flash that Safari or Firefox would use should be deleted.
4.7. Do not surf the Web in public places unless a password is required.
For technical reasons, it turns out that places like coffeehouses and restaurants that offer free Wifi are the least secure environments in which to do Web surfing.
A cheap way to keep safe at a coffee shop is to tether to your phone and don't use their Wifi, if your phone allows tethering.
Another way to make public Wifi secure for you only is to use a VPN connection. Companies often require this for their employees' computers.
4.8. Close the tab for website A before you log into website B.
A common type of exploit termed
Cross Site Scripting or XSS involves a user clicking on a link, such as in an email, that
hijacks a current session that you have open at a website like Facebook and Gmail.
This type of exploit cannot succeed if you are logged out.
Therefore always log out of your accounts when you are not using them.
4.9. Skip the media-related websites
The great flood of video, music and photo content that are available on the web appear to be made available as-is. There is no evidence that anyone checks them for exploits that would cause a malware infection. Let's say 1 in 10,000 files has malware that stealthily takes over your computer. If you view such materials on a regular basis, it is inevitable that you will get an infection eventually.
Rule 1: If you watch a lot of movies or TV shows, buy the DVDs and play them on your TV. Or rent them from your local library, which may be very cheap or free. Or use Netflix.
Rule 2: If you want to look at interesting photos of bikini-clad women or whatever, consider doing it from within a virtual machine running inside of VMWare or Parallels.
Rule 3: If you want to listen to music before buying it, go to the video-upload websites like YouTube rather than to download sites. This is where the artists expect and want you to go.
4.10. Disable Java in email client Thunderbird.
Thunderbird allows plug-ins. If you're using an older version, you may even find that Java is in there and enabled by default. Go into the Tools menu, select Add-Ons and remove or disable all of them for your safety.
4.11. Add sites to your /etc/hosts as loopback.
Specific domains that cause excessive or unknown traffic can often be blocked using a simple method: Add them to your /etc/hosts file, specifying their IP address as 127.0.0.1. This is also a good way to block ads, if you know the domains they're using. Example:
Adding lines such as:
It's also wise to block Facebook, which is constantly tracking you from webpages:
4.12. When possible use a text-based browser e.g. Links
For visiting risky websites, don't use a mainstream graphical browser.
Use a text-based browser in Terminal.
Lynx are good ones. They do not come preinstalled
You can also use Curl in Terminal to fetch the HTML and examine it.
4.13. Install an ad blocker if available.
Firefox does not have an ad-blocker built in. Most people use Ad Block Plus, which is a Firefox extension, and add Ublock Origin for good measure.
Ad blockers use filter lists (example: EasyList.to) to block ads and malicious content. These consist of regular expressions along with descriptions on how to apply them.
4.14. If you must go to a risky website, run a site checker on it first
There are now websites that can run a series of tests on another website that you specify. You can thereby assess whether the specified sit will try to attack your computer. Malicious sites typically do this by exploiting vulnerabilities in web browsers.
One such scanner is Sucuri SiteCheck.
4.15. Tell your browser to not install software automatically.
Safari supports automatic software installation without your approval,
and exploiters have used this feature to install malware.
You can disable it ostensibly by going into preferences
and disabling automatic opening of
4.16. Tell your mail program to not load remote images.
Emails that contain images may seem like a safe convenience, but in fact there are risks to do with displaying them.
- Images can somewhat rarely contain malware.
- If you view a phishing email, loading the images can tell the attacker what your IP address is. The entire point of sending you the email may be to locate you.
- The phisher may sell your location.
- The attacker may want your IP address because they plan to attack your router.
4.17. Using public wifi: Change your MAC address.
When you log in to the free Wifi at a business such as a coffeehouse,
you often see a pop-up window appear saying
Click to accept our terms of service.
This is where your privacy gets violated.
puts your current MAC address into the URL that it sends to a server.
Why this is done only they know. My guess is that they are trying to make money by selling information about your doings and whereabouts using your MAC as the tracking identifier and using a specialized Wifi router that itself does this recording.
If your MAC can be linked to your identity, for instance by examining your Web traffic or by contacting manufacturers to find out who bought your laptop at a big box store, it can become even more valuable.
Image if an alliance of retail companies were to share your information among themselves i.e. name and MAC address. They could track your movements throughout the day based on what businesses you go to. If they have your device's Bluetooth MAC address, all the worse. You don't even have to enter a business: The phone's Wifi and BLE signals travel beyond stores. You could drive past a business and still be identified.
If any of that makes you uncomfortable or creeps you out, you can change your Mac's Wifi MAC address like so:
I'm unsure how to change an iOS device's MAC addresses.
5. Avoid risky software
5.1. Avoid products from Microsoft.
Even today, Microsoft's Office for Mac is an overpriced, low-quality variant of their Office product for Windows. But worse than that, in-document scripting is still enabled by default, which unnecessarily provides a means for malware exploits to be launched. It is a vulnerability that has been exploited extensively by hackers in the past.
5.2. Skip the precompiled free software.
The best rule of thumb is, if you did not compile a free program yourself
from the source code, assume that it has malware in it,
and don't use it. In order to compile it you obviously need the source code,
and if the source code is not available (i.e. it is
then you should wonder what they are hiding.
Unfortunately some of the bigger apps are not made easy to build by users. Firefox, for example. Indeed it is the apps that are most critical to most people's workflows that are most difficult to build.
5.3 Use virtual machines with great caution
Virtualization software like VMWare, Parallels and VirtualBox all present a potential risk of spying on your activities by the companies that make them. Think out it. These machines know every network connection your virtualized software is making, every keystroke that you type, every mouse click. If any of the companies that make these programs has a contract with an oppressive, spying-prone government or corporate espionage company, they could provide a record of everything that you do in a virtual machine to said malefactor company.
In addition, some virtualization software has vulnerabilities. Bad people have written malware known as breakout exploits which while running within a VM can use vulnerabilities in the virtualization software to find a way out of the running VM and into your main OS.
So a better alternative to virtualization is emulation e.g. using Qemu, but it is slow.
6. Check for malware
6.1. Stop risky services from launching
When you log in, some programs automatically launch.
Malware may choose to place itself in the
LaunchItems directory to cause it to be run upon log in.
You can find and remove launch items in Settings,
under Users and Groups, select the tab Login Items.
From the command line, which everyone should know how to use, you may also find launch data
You can stop them from launching after login by removing their launch plist files.
6.2. Look for keyloggers
A keylogger is a program that records every keystroke that you type and periodically sends those keystrokes to a server run by criminals or spooks.
A common Mac keylogger is ABK. Look for it using Spotlight or use the
find command to search in these directories:
You can also check your non-Apple KEXT files related to keyloggers. For example Blazing Tools Perfect Keylogger shows up as com.BT.kext.bpkkext in the output of this command:
Having a commercial antivirus running can be a security risk in its own right.
- It may be written to steal your data, as when they come with a free
cloudservice that is enabled by default.
- Some antivirus programs have a default setting to automatically upload your private files to their cloud servers without your consent in order to
protectthem. This means that some antivirus programs are effectively trojan horse spyware.
- Some antivirus programs have a default setting to automatically upload your private files to their cloud servers without your consent in order to
- It expands the
- Some malware is now written to attack and take over the antivirus programs.
- It may be a trojan horse.
- If any antivirus company has been required by a nefarious government agency to provide them with a means to get into their customers' computers, they will never tell you.
6.4. Periodically reinstall OS/X.
Infections are inevitable. Antivirus does not fully undo an infection. The best solution for security is to reinstall the OS from time to time, e.g. once per month, after reformatting the hard drive. Like brushing one's teeth or tying one's shoelaces, this is not difficult once it becomes routine.
6.5. Mainly use a non-administrator account.
The first account that you create is a given administrator rights. That's dangerous, because if you inadvertently run a malware-infected program, it can do more damage to your system that if you ran it from a regular user account.
Therefore, when you install OS/X, call your first account admin, and then create a separate non-admin account that you will use 98% of the time.
But you ask: Why? Isn't this just paranoia? No. An example: : Taiwanese security researchers found, and reported at the Black Hat Europe 2014 conference, that Apple foolishly allows any user with admin privileges to install kernel drivers. They found this ability was still present in Yosemite when that it was released.