Most of the time, Mac users sit back, grab a bowl of popcorn and enjoy the show as Windows and Android users fight against the latest piece of nasty malware spreading across their patch of the internet. But the world is changing and the big threats are no longer malware or phishing scams (even though they are still out there). No, they are far more insidious and targeted.
ANTHONY CARUANA takes a look.
What’s out there?
The last year or so has seen a huge shift in the world of information security, or infosec. Until the middle of last year, most of us were content that the firewalls we had running in our routers or on our Macs were keeping the bad guys at bay and that, other than a few minor scares like Flashback, malware for the Mac was largely limited to science experiments that rarely made it out of the lab.
One of the big changes has been the way our infrastructure has been compromised. Two leading router makers, SerComm and D-Link, were caught with their pants down: both shipped firmware with an undocumented way in.
In the case of D-Link, several routers, including the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 models, were found to have “a hardwired master key that lets anyone in through an unsupervised back door”, as respected security adviser Paul Ducklin of Sophos put it. The routers’ web administration interface skipped its password check for any request that carried a particular browser identification (User-Agent) string, so anyone who could reach that interface and knew the string could reconfigure the router without logging in.
SerComm is probably not a name that’s familiar to many of you. It makes routers that are then sold under a number of other brands, such as 3Com, Aruba, Belkin, Linksys, Netgear and WatchGuard. The problem didn’t apply to every router sold under those brands, only to those running the affected SerComm firmware, which listened on an undocumented network port (TCP 32764) for configuration commands and answered them without asking for a password.
The moral of these stories: keep your router’s firmware up to date and, where the router offers it, turn off administration from the internet (WAN) side, since a back door is only usable by someone who can reach the interface it sits behind. It’s important to remember that all of these devices are designed and constructed by human beings and that mistakes can happen.
Aside from these accidental problems, there are some more insidious issues to consider.
One of the revelations that came from the documents leaked by former NSA contractor Edward Snowden is that the US’s NSA (National Security Agency) was able to access data that was supposedly secure through devices it had compromised.
So, communications going through high grade, supposedly secure, routers and switches – the kinds used by ISPs and other large communications carriers – may not be as private as everyone thought.
Apple’s own woes
Earlier this year, Apple was embarrassed when the so-called ‘goto fail’ bug was revealed. A seemingly small error, one duplicated line of code among millions, left the communications of millions of people open to interception for months on OS X Mavericks and, on iOS, ever since iOS 6, well over a year.
The problem was in the routine that checks the signature a server sends during an SSL (Secure Sockets Layer) handshake to prove that the key-exchange data really comes from the holder of the site’s certificate. A stray, unconditional ‘goto fail;’ jumped past the signature check, and because the error variable was still zero at that point, the handshake was treated as valid. For connections using the common ephemeral key-exchange cipher suites, a malicious party sitting between you and a site could present the site’s genuine certificate alongside its own key-exchange data, establish a man-in-the-middle attack, and read or alter everything that passed. For example, someone could pose as Apple’s servers and steal your iCloud account details.
Apple did respond once the problem was found. An iOS update (7.0.6) was out immediately, with OS X (10.9.2) patched a few days later. But the reputation damage that was caused will take a long time to repair.
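To show how one duplicated line can silence a security check, here is a simplified C model of the bug. This is an added example, not Apple’s code and not from the original article: a toy hash and a toy signature comparison stand in for the SHA-1 hashing and real signature verification in Apple’s SSLVerifySignedServerKeyExchange, the error-code names and values are assumptions, and the handshake bytes are constructed. The control flow, including where the duplicated ‘goto fail;’ sits relative to the checks, is the point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for Secure Transport's OSStatus type and result codes; the names
 * follow Apple's style but the values are assumptions made for this example. */
typedef int OSStatus;
enum { errNone = 0, errHashFailed = -1, errSSLCrypto = -9809 };

/* Toy hash (rotate the running byte left by one, XOR in each input byte).
 * Not a real hash; Apple's code uses SHA-1.  It only gives the signature
 * check something to compare against. */
static OSStatus toy_hash_update(uint8_t *state, const uint8_t *buf, size_t len)
{
    if (buf == NULL)                       /* the failure the gotos exist to handle */
        return errHashFailed;
    for (size_t i = 0; i < len; i++)
        *state = (uint8_t)((((*state << 1) | (*state >> 7)) & 0xFF) ^ buf[i]);
    return errNone;
}

/* Toy signature check: the server's "signature" is just the expected hash byte. */
static OSStatus toy_raw_verify(uint8_t hash, uint8_t signature)
{
    return hash == signature ? errNone : errSSLCrypto;
}

/* VULNERABLE: the shape of Apple's routine, with the duplicated `goto fail;`
 * right after the hash update over the signed parameters, as in the real bug. */
OSStatus verify_server_key_exchange_vuln(const uint8_t *cr, size_t crl, const uint8_t *sr,
                                         size_t srl, const uint8_t *sp, size_t spl, uint8_t sig)
{
    OSStatus err;
    uint8_t hash = 0;

    if ((err = toy_hash_update(&hash, cr, crl)) != 0)
        goto fail;
    if ((err = toy_hash_update(&hash, sr, srl)) != 0)
        goto fail;
    if ((err = toy_hash_update(&hash, sp, spl)) != 0)
        goto fail;
        goto fail;   /* BUG: the indentation lies; this jump is unconditional */

    err = toy_raw_verify(hash, sig);   /* never reached, so err stays errNone */
fail:
    return err;
}

/* FIXED: one goto per check, and braces so indentation cannot mislead again. */
OSStatus verify_server_key_exchange_fixed(const uint8_t *cr, size_t crl, const uint8_t *sr,
                                          size_t srl, const uint8_t *sp, size_t spl, uint8_t sig)
{
    OSStatus err;
    uint8_t hash = 0;

    if ((err = toy_hash_update(&hash, cr, crl)) != 0) { goto fail; }
    if ((err = toy_hash_update(&hash, sr, srl)) != 0) { goto fail; }
    if ((err = toy_hash_update(&hash, sp, spl)) != 0) { goto fail; }

    err = toy_raw_verify(hash, sig);   /* the check the bug skipped */
fail:
    return err;
}

/* Constructed sample handshake fields (made up for this example, not captured). */
static const uint8_t SAMPLE_CLIENT_RANDOM[] = {0x11, 0x22, 0x33, 0x44};
static const uint8_t SAMPLE_SERVER_RANDOM[] = {0xde, 0xad, 0xbe, 0xef};
static const uint8_t SAMPLE_SIGNED_PARAMS[] = {0x03, 0x00, 0x17, 0x41, 0x04};
#define SAMPLE_FIELDS SAMPLE_CLIENT_RANDOM, sizeof SAMPLE_CLIENT_RANDOM, \
                      SAMPLE_SERVER_RANDOM, sizeof SAMPLE_SERVER_RANDOM, \
                      SAMPLE_SIGNED_PARAMS, sizeof SAMPLE_SIGNED_PARAMS

/* The signature an honest server would send for the sample fields. */
uint8_t sample_good_signature(void)
{
    uint8_t hash = 0;
    (void)toy_hash_update(&hash, SAMPLE_CLIENT_RANDOM, sizeof SAMPLE_CLIENT_RANDOM);
    (void)toy_hash_update(&hash, SAMPLE_SERVER_RANDOM, sizeof SAMPLE_SERVER_RANDOM);
    (void)toy_hash_update(&hash, SAMPLE_SIGNED_PARAMS, sizeof SAMPLE_SIGNED_PARAMS);
    return hash;
}

/* Both versions of the check, run over the sample fields with a given signature. */
OSStatus check_vuln(uint8_t sig)  { return verify_server_key_exchange_vuln(SAMPLE_FIELDS, sig); }
OSStatus check_fixed(uint8_t sig) { return verify_server_key_exchange_fixed(SAMPLE_FIELDS, sig); }

int main(void)
{
    uint8_t forged = (uint8_t)(sample_good_signature() ^ 0xFF);  /* what a MITM would send */
    printf("vulnerable: forged signature -> %d (0 = connection accepted)\n", check_vuln(forged));
    printf("fixed:      forged signature -> %d (0 = connection accepted)\n", check_fixed(forged));
    return 0;
}
```

The vulnerable version accepts any signature at all, because the only way to reach the return with a non-zero error is for one of the hash steps to fail; the signature check itself is dead code. Compiling with unreachable-code warnings enabled, or using a style rule that requires braces, would have flagged the real bug.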
Who are the bad guys?
So, notwithstanding the security vulnerabilities and errors made by software developers, whom else do we need to worry about?
If you want to know about the sources of malware infections, the best way is to follow the money. Malware development is no longer the work of socially awkward teenagers sitting behind a screen, late at night, in darkened bedrooms. The development and distribution of malware is a coordinated and sophisticated business that takes advantage of large swathes of computing power – some of which is accessed nefariously – and some computing skill.
In many cases, what the bad guys like to use is a zero-day exploit: an attack on a vulnerability the software’s maker doesn’t yet know about, so no fix exists when the attack begins. If you’re still running Windows XP, even under virtualisation, it’s probably time to upgrade.
Microsoft stopped issuing updates for that operating system in April, which means no more security fixes. Any hole found in XP from now on is, in effect, a zero-day that never closes, and the bad guys have been stocking up on exploits, waiting for the day they can use them without fear of a patch.
Let’s play some defence
It’s easy to think that our Macs and iOS devices are immune from all this. And if all we did was work inside OS X or iOS, then that might be true. But many of us use Windows, either on separate computers or through virtualisation.
And not all Mac users are completely monogamous. Plenty prefer using smartphones running Android or use a non-iOS device as this is mandated at work.
Even though the bad guys are getting increasingly sophisticated, there are some basic rules that still work.
Start by keeping your systems up-to- date. That means checking software updates regularly or having your system set up to check for updates automatically. On your Mac, you’ll find the appropriate settings in System Preferences under App Store.
Left behind. After 12 years, Microsoft ended support for Windows XP in April.
When it comes to managing risks with the data on your Mac, you ought to think about what could happen if someone steals your computer. Our view is that once someone has physical access to your device, many security measures become irrelevant.
For example, we advocate turning on the login password so that you need to enter a password each time you start your Mac. But a thief who has your Mac can get around that fairly easily using the same procedure you’d use to recover a lost administrator password: boot into the recovery system and reset the password from there. That works because, without encryption, the recovery tools can read and rewrite your account details directly on the disk.
Staying secure. Ensuring the App Store automatically looks for updates will help you stay ahead of security issues.
We’d also recommend enabling FileVault, so that the entire contents of your startup disk are encrypted. Without the password of an authorised user (or the recovery key generated when you turn FileVault on), the drive is unreadable: the password reset from the recovery system no longer works, and if your Mac is disassembled and the drive placed in an external casing or another computer, all that can be read is ciphertext. Two caveats: keep that recovery key somewhere other than the Mac itself, and remember that encryption protects data at rest only. Once you have logged in, the key sits in memory and the files are readable until you shut down, which is why the login password and a short screen-lock timeout still matter.
FileVault can be enabled from the Security and Privacy section of System Preferences.
According to some reports, it can cause a slowdown with file access from your drive. We’re using a newer Mac that’s equipped with an SSD (Solid State Drive) and haven’t noticed any performance degradation.
Encrypted. The whole-disk version of FileVault arrived with OS X Lion. It uses the Mac’s CPU (central processing unit) to encrypt stored data and may impact performance, mainly on older machines.
Data in flight
Good security practice isn’t just about a single solution. It’s about creating a series of layers that make it hard for potential attackers. So far, we’ve suggested a couple of layers for your Mac – a password when logging in and FileVault.
Another important element of your security to consider is what happens to your data when it’s in transit – between your computer and the other parties you communicate with.
As mentioned before, one of the most startling revelations of Edward Snowden’s leaked documents is the degree to which the NSA can access what are supposed to be private communications.
However, there have been revelations regarding a number of major communications hardware providers, and it’s alleged that the NSA could access communications that were supposed to be secured by those devices. It’s a fair bet that if the NSA can do it, so can someone else.
The key to securing communications over the internet is SSL, or more precisely its modern form TLS (Transport Layer Security); most people still say SSL for both, and we do here. Encryption of this kind makes interception far less useful: to anyone watching the wire, the data looks like a stream of random, meaningless characters, like static on a radio signal. Two things it does not hide are who you are talking to and how much you are sending, and it only protects you if your software checks the other end’s certificate properly, which is exactly what ‘goto fail’ broke.
Many of the communication applications that come with your Mac use SSL. FaceTime, Safari (for https sites) and Mail all do. In some instances, however, applying this protection is optional. When you add a new account to Mail, for example, the provider may not require or even support SSL. If your email provider supports it, turn it on, and check the setting for both the incoming (IMAP or POP) server and the outgoing (SMTP) server; Mail configures them separately.
The security software debate
Despite the myriad threats that exist, there are still many Mac users that insist there’s no need for Mac users to use any security software. We beg to differ.
Back in 2011, the Mac was targeted by a piece of malware called Mac Defender. It also went by the names Mac Protector, Mac Security, Mac Guard, Mac Shield and FakeMacdef. Although it was relatively harmless, it highlighted that Mac users were not immune from security threats.
As a result, Apple modified its stance on malware, both in its product literature and in its software. It issued a security update that removed the Trojan from affected Macs and added a feature, known as XProtect, that automatically downloads updated malware definitions from Apple and checks downloaded files against them.
One of the criticisms levelled at Apple during the ‘goto fail’ issue was that it took the company several days to issue a fix for OS X – even though an iOS patch was delivered in a shorter time.
Recent history suggests that most of the major security software vendors are better equipped at finding and defending against malware than Apple.
One of the issues facing the security software industry, when it comes to Macs, is that they have traditionally been involved in the detection and remediation of a specific malware category – viruses. And viruses have not been a significant threat to the Mac since the switch to OS X back when the first public beta was released in 2000. It was codenamed Kodiak, in case you were wondering.
Security software also protects you from threats that aren’t strictly malware: well-executed phishing pages, malicious adverts injected into web pages and fake websites built to harvest logins. Not everyone falls for these attacks, but there are times when we all let our guard down.
If you’re using virtualisation software to run a version of Windows then it’s critical that you use up-to-date security software in that virtual machine. That doesn’t only mean installing it, but it means updating that application regularly.
If you only use that virtual system occasionally, we’d suggest that you check Windows Update and the settings for your security software before opening email, a web browser or any other application.
If you’re running Windows XP, then we recommend upgrading to a more recent version of Windows; in our view Windows 7 is the best option, as it’s the one most like Windows XP. Microsoft closed off regular support for XP in April, and that means there are no more security updates, so any flaw found from now on stays open.
If you’re concerned about security issues with your Windows virtual machines, one step you can take to protect yourself is to limit the internet access given to the virtual machine. Unless the application you’re using specifically requires internet access, you can reduce your risk of attack by limiting what is exposed to the internet.
The basics. Make sure your Mac’s Firewall is switched on to protect your computer from unwanted connections.
It’s not all OS X and iOS
As much as we’d all find life easier if all we used were Macs running the most recent version of OS X and the latest iPhone or iPad with an up-to-date release of iOS, the reality is that we are sometimes forced to use other platforms.
Just for a moment we want to focus on Android, Google’s competitor to iOS.
Like iOS, Android applications are generally distributed through a curated online store, which Google calls the Play Store. However, in the spirit of openness, the Play Store is not the only channel for Android apps. There’s also the Amazon Appstore for Android, and once the ‘Unknown sources’ setting is switched on, an Android device will install any ‘apk’ package file it is handed, whether from a website, an email attachment or a forum post, with no store review at all.
If you’re using an Android phone with your Mac, then it’s important that you take reasonable precautions when procuring applications.
Only acquire apps through official app stores. A recent report by Trend Micro identified over three million pieces of Android malware on the internet. The vast majority of these malicious applications, however, were being distributed as ‘apk’ files through online forums and via phishing emails rather than through the Play Store.
One app we recently saw demonstrated purported to be an enhanced camera application. What it really did was record every text, email and other communication made on the phone. It could also, without the knowledge of the phone user, activate the camera and microphone to record what was happening. In other words, it turned the phone into a sophisticated surveillance device.
All of that activity was zipped into a file and sent via FTP (file transfer protocol) to the malware deployer’s file server. All of that activity was invisible to the person who downloaded the app and there was no record on the device of the action taking place. All of the malware deployer’s activity was done by sending text messages to the smartphone – messages that were invisible on the phone.
Apple is often criticised for its ‘walled garden’ approach, but limiting the channels through which apps can be installed does make iOS safer overall.
Apps and OS X
Over recent years Apple has started to apply a similar system with OS X applications. Now, there’s an OS X App Store that distributes applications.
The advantages for Mac users are that the programs have been checked, so there’s a level of quality control in place and application updates are handled centrally. In the past, you’d only know if an app needed updating on your iMac or MacBook Pro when it was set to check for updates when it launched or to manually go to the developer’s website. Either way – it was a pain and could be time consuming.
The often unheralded element of Apple’s approach to OS X apps is Gatekeeper, introduced in Mountain Lion, which uses code signatures to decide which downloaded apps may open. There are three settings. At the most restrictive, only applications from the Mac App Store will open on your Mac.
If that’s too restrictive, change the setting in System Preferences, under Security & Privacy and then General, to ‘Mac App Store and identified developers’. You can then also open apps from developers who have registered with Apple and signed their software with a Developer ID certificate, an arrangement that also lets Apple revoke the certificate of a developer who abuses it.
The most open level is ‘Anywhere’. As you’d expect, at this level any application can be opened, and you lose the check entirely.
One often missed step is that you don’t have to drop to ‘Anywhere’ to run a single blocked app. After the warning appears, return to the General tab of Security & Privacy, where an ‘Open Anyway’ button lets you run that one app, or Control-click the app in the Finder and choose Open. Either way the setting itself stays where it was. Bear in mind that Gatekeeper only examines apps that carry the quarantine flag set by Safari, Mail and other downloaders; it says nothing about software that arrived on your Mac by other means.
Is Tor worth the effort?
If online privacy is important to you, one tool that may be worth considering is Tor. It received a lot of bad press during 2013 when it was revealed that people involved in the illicit drug trade were using Tor to avoid detection by law enforcement.
However, that’s not Tor’s sole purpose. Tor is a network of virtual tunnels that provides anonymity on the internet. Software developers can also use it to create tools with built-in privacy features.
Like many tools on the internet, Tor had its origins in the US military, the Naval Research Laboratory to be specific. But its applications have become far broader, and it can be used to reach news sites, messaging services or other online services that may be blocked by local internet providers.
It’s used by journalists seeking to communicate with anonymous sources and a number of other legitimate activities.
The easiest way to use Tor is to download the Tor Browser, which routes your web browsing through the Tor network so that the sites you visit can’t see where you are connecting from and your internet provider can’t see which sites you visit. Two caveats: the last Tor relay in the chain (the exit node) can read anything that isn’t also protected by SSL, so stick to https sites, and anonymity only lasts as long as you don’t log in to something that identifies you.
However, Tor does have some downsides. The main one, in our experience, is performance. When we browsed the web, websites took a lot longer to arrive than with other browsers. However, that doesn’t mean there isn’t a place for Tor.
We were also concerned about its support for emerging web standards and experienced a few instances where websites didn’t render as expected.
It’s possible to send all of your internet traffic through Tor, rather than just your web browser’s.
However, that comes at the cost of performance, and some applications may not work correctly: Tor carries only TCP connections, your traffic emerges from an exit node that may be in another country, and applications that reveal your real address within their own protocol can undo the anonymity the network provides.
MAC AND iOS SECURITY MUST DOS
There are a few things we suggest you should always do to ensure your Mac and iOS devices remain secure:
1. Only install apps from reputable sources.
While it’s tempting to save a few bucks by downloading software from ‘non standard’ sources, purchasing apps from trusted sources such as Apple’s App Stores is a good way to keep safe.
2. Keep your systems up-to-date.
Many of the software updates issued by Apple and other software makers include security enhancements along with other bug fixes and new functionality. Keeping your system up-to-date is a sure-fire way to cut the bad guys off at the knees. That goes for equipment such as routers as well as your computers, tablets and smartphones.
3. Don’t use public Wi-Fi hotspots for secure transactions.
Public Wi-Fi hotspots can be hacked quite easily, and a rogue hotspot with a familiar name is trivial to set up. That means all of your communications, even encrypted ones, can be captured. Encryption means the capture can’t be read today, but it’s possible that some of the forms of encryption we use may be broken in time, making that data available to unauthorised parties later, and whoever runs the hotspot is also well placed to tamper with anything you send unencrypted.
4. Don’t hold on to old operating systems.
We’re thinking of Windows XP here, as it’s out of support now, but there are plenty of people holding on to systems running old versions of OS X, or even earlier systems. Staying up-to-date is a good way of ensuring you’re able to take advantage of the latest security fixes.
5. Encrypt everything.
Encryption is still the best way to ensure that your data and communications remain private. That means using SSL for all communications where possible, locking down Wi-Fi networks and using FileVault on your hard drive at the very least.