Ensuring your safety – The Mac and iOS Security Guide

Adam Turner
27 May, 2015
View more articles fromthe author
AAA
Features

Apple fans enjoy a relatively charmed life when it comes to security, but it still pays to play it safe. ADAM TURNER shows you how.

When you’re an Apple user it’s easy to become blasé about security, but malware and other security threats aren’t just for Windows and Android users to worry about. While hackers don’t tend to focus on Apple, history shows that Macs and iGadgets are not impervious to attack. It’s better to be safe than sorry.

There’s no magic bullet when it comes to security. The best approach is to rely on layers of protection and ensure you keep up with the latest software patches. You’ll want to take extra precautions if you’re trying to keep children safe online. Finally, a healthy sense of paranoia is a great last line of defence against security threats that target human foibles rather than technical flaws.

On your Mac

You can break down security threats into two main categories – remote threats coming in over the internet and local threats from removable media or someone who actually gets their hands on your devices. If you’re looking to guard against both on your Mac, then the best place to start is the Security & Privacy panel in System Preferences.

You should have set a password for your user account, but if you’re concerned about uninvited guests trawling through your Mac, then it’s best to disable automatic logins on the General tab, so you’re required to enter your password when you boot up your computer. Also, set your screensaver to demand a password. Many security precautions require striking a balance between safety and convenience – to make life easier you might set it to only ask for a password if you’ve been away for more than a few minutes.

The System Preferences panels feature a padlock at the bottom left that lets you lock each panel to prevent changes unless you enter your password. It’s a sensible security precaution to guard against accidental changes or deliberate tampering.

As an extra level of protection, FileVault encrypts your entire hard drive to make it virtually impossible for even the most skilled and determined intruders to access your files. Be warned, if you lose your password and recovery key, then you can’t ever recover your data. If the thought of losing your precious files forever upsets you more than the thought of them falling into the wrong hands, then think twice about enabling FileVault. At the very least, make sure you have unencrypted backups of irreplaceable files such as family photos.

Rather than encrypt your entire hard drive, you may use Disk Utility to create an encrypted Disk Image for storing particularly sensitive files. Alternatively, you can create encrypted vaults using third-party software such as Knox, Concealer or Boxcryptor. Once again, forget the password and your files are lost forever, so proceed with care.

Mac OS’s firewall is disabled by default, which is fine if you’re at home behind a broadband modem/router with a built-in firewall. That, of course, assumes that you trust all the other computers on your home network. It’s best to enable the firewall when you’re away from home and can’t vouch for the security of the network and the intentions of fellow users. Unfortunately, Macs don’t adjust firewall settings automatically when you switch networks, so on MacBooks it’s easier to enable the firewall and leave it on.

The built-in firewall only lets you configure incoming connections, there’s no easy way to manage outbound connections in an effort to catch apps surreptitiously trying to phone home. If you want a highly configurable two-way firewall, then look to Little Snitch.

Keep your secrets

Secure websites that use HTTPS create an encrypted link directly from your browser to the website’s server. This prevents other people who are using your network from eavesdropping on your traffic – including your internet service provider – but HTTP Secure doesn’t protect all of your internet traffic.

If you’re particularly concerned about security when you’re away from home then use a Virtual Private Network (VPN). This creates a secure link from your Mac to a VPN server, encrypting all of your internet traffic to protect it from eavesdroppers in between. You’ll find free VPN services, but the paid services tend to be faster and more reliable. Some VPN services offer Mac software, or else you can configure your Mac’s built-in VPN software under the Network panel of the System Preferences.

The big security question for Mac users is whether or not you need to install third-party anti-virus software. Don’t make the mistake of thinking there aren’t viruses targeted at Macs; we’ve seen a few major threats in recent years.

OS X features basic built-in XProtect anti-virus, which runs in the background checking downloads for a handful of known threats. Click the Security & Privacy Advanced button and ensure that you’ve ticked ‘Automatically update safe downloads list’. While you’re at it, in Safari you should disable ‘Open safe files after downloading’ on the General preferences tab to give you a chance to reconsider after downloading a file.

Security threats can also come from bogus websites masquerading as trusted websites – such as your bank – in an effort to steal your passwords and other sensitive information. You’re often directed to the website by a phishing scam email purporting to be from the bank. Your spam filter may pick it up as a scam, but, as a further line of defence, Safari may detect that it’s a bogus website and block access.

Some Mac users consider that Apple’s built-in security, combined with cautious web-surfing habits, offers enough protection. Others prefer the extra safety of third-party anti-virus software, which guards against a range of other threats.

Building on Apple’s built-in security, some third-party anti-virus suites use advanced link scanning to check websites for malicious activity in real time, rather than relying on a list of bogus websites. They also scan for a wider range of viruses, to stop you from inadvertently passing on infected files to Windows users. Some employ heuristics to detect and block suspicious activity on your Mac, which may be evidence of a yet unidentified virus.

Watch what you install

Whether or not you’re running third-party anti-virus software, there are sensible precautions you should take to reduce your risk of a security breach on your Mac. The first step is to keep your operating system and applications up-to-date, as updates often address security issues as well as adding new features. New versions of Mac OS like OS X 10.10 Yosemite often address security issues that can’t easily be patched in their predecessors, so it’s worth upgrading your older Macs to the latest version of Mac OS that they’ll support.

As for non-Apple software, the safest option is to install from the Mac App Store where possible. By default Gatekeeper stops you installing software from other sources, but you can override this on the General tab of the Security & Privacy panel. When you’re installing software from other sources, keep a close eye on the installation options to ensure that you’re not inadvertently loading bloatware like browser toolbars that can hijack your search options.

Always treat pop-up browser alerts with caution when they ask you to install new features and codecs or update plugins like Adobe Flash – especially if they pop up while you’re visiting a shady website. Also avoid installing such updates when you’re connected to a public network, including a café or hotel Wi-Fi hotspot. Even seemingly innocent sites can harbour security threats if the site, or the network you’re using, has been compromised.

Java is no longer pre-installed on new Macs and it’s best to leave it that way unless you really need it. If you do need to install Java for a specific application, you should still check that Java is disabled in your web browser. Under Safari’s Security tab you’ll see Enable JavaScript; you want to keep this ticked. Click on ‘Manage website settings’ and look for Java – from here you can control which plugins can work with which websites.

Java isn’t the only plugin that presents a threat. Adobe’s Flash is a common source of security flaws and you may find it safer to disable it by default – which may also help your Mac run more smoothly, as Flash can be a resource hog. Under ‘Manage Website Settings’ try changing Flash from Allow to Ask. Instead of automatically seeing the Flash content on web pages, you’ll see a notification ‘Flash blocked for this website’ – click on the notification and you can choose to allow Flash to run.

While you’re at it, uninstall Adobe Reader if Apple’s own built-in PDF reader meets your needs. Security flaws in Adobe Reader are another popular target for hackers.

Parental controls

If children regularly use your Mac, then you should create a separate children’s user account. While helping keep children safe online, this also stops them prying in your files, installing new software or inadvertently altering your settings.

Go to Users & Groups under System Preferences, click the plus icon to create a new user account and then select ‘Manage with Parental Controls’. Give them a name and password, then click Create User. Now you can open the parental controls for that user and configure a range of settings, including limiting the apps they can use, websites they can visit, people they can contact and times of day they can use the computer. Alternatively, children can use the Guest account on your Mac, although all their information and files will be wiped when they log out.

You’ll see a fast user switching drop-down menu on the Menu Bar, near the Spotlight icon, which makes it easy to switch between accounts without logging out. If you find this slows your computer down, though, try logging out of one user before you login as another.

If you’re looking for more protection against malicious and inappropriate online content, you might change the DNS settings in the children’s user account to a service like OpenDNS Family Shield or Norton ConnectSafe. These free services let you block website categories rather than specific websites, although they both offer advanced paid services with more granular control.

One great aspect of these DNS-level filters is that they won’t bog down your computer, unlike some desktop web filtering software. You can edit the DNS settings for individual wireless networks via the System Preferences Network panel, then lock the panel, but you can’t set it to automatically apply those settings when you join a new network for the first time. It is possible that changing your DNS settings could impact on your unmetered content deals with services like iView, Netflix and Presto, so if in doubt check with your internet service provider.

On your iGadgets

While you’re upgrading your Mac’s security it’s a good idea to lock down a few features on your iPhone and iPad in case they fall into the wrong hands.

Secure your iGadgets with a passcode to keep them safe from prying eyes. Use the Touch ID and Passcode option under the Setting menu – if you’re already using a code you’ll need to punch it in before you can make any changes.

From this menu you can control what’s visible on the lock screen, as well as switch from a simple four-digit passcode to something more complicated. You can also set a grace period during which you can unlock your device without the need to re-enter your code. Alternatively, you may configure the Touch ID fingerprint reader to act in place of a password in some circumstances.

While you’re at it, you should dip into the General, Auto-Lock menu to automatically lock your device when it’s idle. You should also explore the Restrictions menu to see if there are features you want to lock down temporarily or permanently, such as forcing the App Store to demand your password for every purchase rather than remembering it for 15 minutes. Don’t use the same passcode for your lock screen and Restrictions, because your kids will eventually catch sight of your lock screen passcode over your shoulder.

The lack of user switching on iGadgets is very frustrating if you tend to let children play with your devices – it’s one area where Apple really could learn from Google’s Android. Restrictions is a half-baked workaround; for example, it can’t limit access to your email. One workaround is to engage the General, Accessibility, Guided Access feature, which lets you use a triple tap on the button to temporarily lock the device to a single app.

While you’re setting up your device, make sure you enable Find my iPhone, under the iCloud settings. This lets you track lost devices, lock the screen and even remotely wipe them (you can also enable similar features on your Mac). There’s also an Activation Lock to stop someone else using your stolen phone.

As with your Mac, take care when using your iGadget on public Wi-Fi networks. If you’ve got a generous mobile broadband allowance, there may be no need to jump on potentially insecure Wi-Fi networks. If you’re particularly concerned about privacy and security, iOS has built-in VPN software.

The Restrictions menu is iOS’s equivalent of parental controls. If you’re looking for more protection against inappropriate online content, you may download a kid-friendly browser from the App Store. Alternatively, you could change the device’s DNS settings. Go to the Wi-Fi menu, click on the information icon next to your home Wi-Fi network and manually change the DNS settings. Unfortunately there’s no way to lock this down to stop someone changing them back. There’s also no way to change the DNS settings for your 3G/4G mobile broadband connection.

On your network

You may be surprised how many internet-enabled devices are scattered around your home. It’s important to keep them all up-to-date to address the latest security threats.

One of the biggest threats to your home security is an insecure Wi-Fi network. This lets your neighbours piggyback on your internet connection along with anyone parked in the street. Along with leeching your monthly bandwidth allowance, they could be snooping through your computers, listening in on your web traffic and even breaking the law online while leaving a trail of breadcrumbs that leads back to you.

It’s important to use a strong Wi-Fi password – at least a dozen characters long with a mix of upper and lower-case letters, as well as numbers and symbols. Use WPA2 or WPA2 encryption; if your old wireless base station only offers WEP (Wired Equivalent Privacy) then it’s time to upgrade. While you’re at it, make sure you change the default password for the modem/router and any other networking gear.

Just like your Mac, it’s important to regularly check for software updates for networking gear such as broadband modem/routers, wireless base stations, Network Attached Storage devices, network cameras, Wi-Fi extenders, network switches and smart home gear, such as smart light bulbs. Last year’s Heartbleed encryption flaw and Shellshock BASH vulnerability were particularly nasty and required security updates for a wide range of internet-enabled devices.

Any device or feature exposed to the internet is a potential security risk, so disable non-essential services. Pay particular attention to your modem/router and NAS, which may share your files online as well as allow remote FTP (File Transfer Protocol), SSH (Secure Shell), Telnet and WebDAV access. Familiarise yourself with the security settings on your networking gear, so you can configure these features correctly and disable whatever you don’t need. You may find advanced security options, such as blocking access from IP addresses after a certain number of failed login attempts.

Don’t think hackers won’t find you; they use software that automatically scans the internet looking for vulnerable devices. They’re particularly interested in network storage drives, because some are fully-fledged computers capable of running a wide range of applications. There are reports of hackers installing software to surreptitiously mine Bitcoin or even encrypting the contents of a NAS and demanding a ransom for your data’s release.

If you do want to use remote access features, such as Apple’s Back to My Mac, make sure you take the time to understand what you’re doing. Some internet-enabled devices in your home can use UPnP (Universal Plug and Play) to automatically enable port forwarding on your modem/router. Port forwarding is not the kind of thing you should attempt manually if you don’t know what you’re doing, as you could leave the door open for hackers.

When it comes to keeping children safe online, you can also implement DNS-level filters via your broadband modem/router. This way they’re automatically applied to every internet-enabled device in the house, unless you manually override the device-level DNS settings. Remember, your devices are only protected when they’re on your home network, not once they switch onto mobile broadband from the phone network. Also, remember that no amount of technical safeguards are a substitute for parental supervision.

Don’t drop your guard

People are generally the weakest link in the security chain, so it pays to keep your wits about you when you’re online.

Using strong, unique passwords is essential. If you have trouble remembering strong passwords, use tricks such as starting with the first line of a lyric or rhyme. The first lines of ‘Advance Australia Fair’ may become AaLuR+FwAyAf+1788, easy for you to remember, but difficult for a person to guess or a computer to crack by brute force. For more passwords, look to the next line of the song.

If you still have trouble remembering passwords, Apple’s iCloud Keychain can remember them for you. Alternatively, you may use a third-party password manager like LastPass or 1Password to safely keep track of all your secrets – only requiring you to remember a single master password.

A healthy scepticism when browsing the web and checking your email can also serve you well. No, you don’t win £15 million in the UK lottery, or inherit money from long-lost relatives. No, some shady foreign dignitary doesn’t need your help to smuggle gold out of the country. Also watch out for online romances that gradually become demands for money to help sick relatives or deal with other emergencies.

Your spam filter and browser may pick up phishing scams, but as a general rule you should never trust an unexpected email from a service provider asking you to click a link or open an attachment. Scammers are known to masquerade as banks, courier companies, law enforcement and even the tax office in an effort to trick you into installing malware or giving away sensitive information. No matter what the security threat, stopping to think twice is often your best protection.

One Comment

One person was compelled to have their say. We encourage you to do the same..

  1. Paul says:

    Great tips here. Unfortunately, it is far too common to for Mac users to see themselves as invulnerable to malware and data theft (I use both OS X and Windows), and not take adequate protection to protect themselves against the bad guys. I think FileVault and Firewall is a must these days – Paul Mah, commenting on behalf of IDG and FireEye.

Leave a Comment

Please keep your comments friendly on the topic.

Contact us