Very basic security questions - Help!

[harryb2448]

Be very careful with FileVault. Do a search of the forums and see the number of folk who have forgotten their password. For mine, if you use your MBP at public hotspots, for sure have your firewall on. At home, there is a strong firewall in your router and off is the Apple default..

 

[toMACsh]

Good point about the password! If you forget it, your data is lost forever. No one, not even an FBI agent in San Bernardino can recover it.

Wouldn't it be safe to assume your router's firewall is on?

 

[Pasquanel]

Mine wasn't but when I turned it on my wife was unable to receive e-mail on her windows machine and I lost connection with my Vonage phone line.
So I went back to running the Apple firewall.

 

[yogi]

Based on what you've said, here are some tips that will keep you out of trouble and are easy to do:

1. Update to the latest version of OS X - always: macOS Big Sur (outdated link removed)
2. Make sure you use a good Mac user password: If you forgot your Mac login password
3. Turn on the Firewall: About the application firewall
4. Turn on FileVault to encrypt your Mac's disk: Use FileVault to encrypt the startup disk on your Mac
5. If you use a Time Machine Backup, make sure the disk of the backup is encrypted as well (but be aware that this involves "starting fresh" so you would lose previous backups on that disk): Time Machine backup
6. When you use your banking sites / Amazon etc., always look out for HTTPS (the green lock near the address) in your browser. You can use a browser plugin to force usage of HTTPS on many sites: HTTPS Everywhere
7. Install Ghostery and Adblock Plus for your browser (Chrome or Safari): Ghostery: Online Privacy Made Easy and Adblock Plus | The world's #1 free ad blocker
8. Be suspicious of any e-mails you receive and don't click through on links you don't trust: 10 tips for spotting a phishing email

In general, being secure depends on your personal threat model. What is more likely, that someone has access to your computer physically, or that someone hacks into your accounts online? Rather, what is the greater risk for you? The above steps would roughly cover both.

You can go the extra mile once you have mastered the above:

1. Use a VPN service such as ExpressVPN when in public spaces or when you just want to be extra secure online
2. Create a user account for yourself that does not have Admin rights, use that for daily use (but this means you may have to enter the Admin password quite often, and remember it alongside your user password). It's generally a good idea to run with as few privileges / rights as possible.

 

[pigoo3]

1. Turn on FileVault to encrypt your Mac's disk: https://support.apple.com/en-us/HT204837

Very nice post Yogi...lots of great info & tips there!

I would only slightly disagree with one thing...and that's the use of FileVault. FileVault is a very powerful tool. But if the user forgets thier FileVault password...they are in big, big trouble. Practically no way around the FileVault password. Mentioning the FileVault ability/tool is a great idea. I would include a warning as well as to the potential risks of using FileVault (don't forget the password)!!!

- Nick

 

[McBie]

You also have to think very hard why you would ever need FileVault .
What threat is FileVault protecting you against and what is the likelihood of that threat materialising ?
What other compensating control can you put in place that is equally good ? ( Read .... will not cause mahem if you forget the FileVault password )

Cheers ... McBie

 

[RadDave]

Concerning FileVault, I'm w/ Nick & McBie - virtually all of my Apple computers stay at home; I'm retired, so not of a lot of important data on these machines - all computers have logins and all have password apps - our house has a good alarm system, so I feel absolutely no need to use FileVault, just another layer of complexity w/ a potential disaster happening if the password is forgotten. Now, I occasionally take a MBAir on the road and have virtually no important data on the machine, and again login is needed. Thus, I feel that the recommendation to use FileVault should be tempered from a 'must' to an optional necessity based on ones need to protect important files and information. Dave

 

[toMACsh]

Bet there are people out there who don't realize that the internal firewall is only as secure as the version of the OS behind it. In other words regardless of how the firewall operates they are expecting it to be as up-to-date as more recent OS versions.

I saw this older post when revisiting this thread...
I've always maintained that security is related to the internet, and thus the browser more than the OS. Granted, the version of Safari is tied to the OS, but there are other browsers that work with an older OSX version that are still being updated.

 

[Ember1205]

Perhaps we newbies could benefit from learning what exactly a firewall does. I run both the router firewall and the software one on my mac. I have no idea what either one does and is it detrimental to performance to run both?

Think of a firewall like you would a security guard in a building. When someone approaches the building, the security guard stops them to understand why they want to come in. If they have no business being there (no one asked them to come), the guard turns them away. If they WERE specifically summoned (someone from the fourth floor ordered pizza delivery and notified the security guard), then they are allowed to enter. If the security guard doesn't have an entry on his list for who is supposed to be coming to the office building, they aren't getting in (No one gets in to see The Wizard! Not no one, no no how!)

You also have to think very hard why you would ever need FileVault .
What threat is FileVault protecting you against and what is the likelihood of that threat materialising ?
What other compensating control can you put in place that is equally good ? ( Read .... will not cause mahem if you forget the FileVault password )

FileVault "locks up" the data on your hard drive so that no one can get at it if they are able to get physical access to your hard drive. Folks like myself that use a laptop and travel for work risk losing the laptop (physically). If that happens, someone could try and break into my laptop by guessing my password. If they can't figure out my password but want my data, they can boot from their own drive and "mount" the filesystem from my laptop. If the drive is encrypted, they can't access any of the data on the drive.

I won't ever bother encrypting the drive on my desktop computer at my home because no one is going to get physical access to the drive (there isn't anything on there that's sensitive anyway).

 

[chscag]

If they can't figure out my password but want my data, they can boot from their own drive and "mount" the filesystem from my laptop. If the drive is encrypted, they can't access any of the data on the drive.

A firmware password does the same thing.

I won't ever bother encrypting the drive on my desktop computer at my home because no one is going to get physical access to the drive (there isn't anything on there that's sensitive anyway).

While a thief would be disappointed stealing my data, I'm not going to make it easy for him/her.

 

[Ember1205]

A firmware password does the same thing.

True. But, if they went to the trouble of acquiring my computer, they could pull the drive out of it, connect it to a different system, and bypass the firmware password, too.

When it comes to security, I always tell people that they need to think of it as an exercise in making yourself a very small needle in a very large haystack. The plain and simple truth is that, if a hacker wants your data, they WILL get it. The best you can do is to slow them down long enough to know that they're trying to get in and then do something to stop them cold (like power off, update software, change firewall rules, change passwords, etc.).

 

[Randy B. Singer]

Some thoughts:

I've been on a bunch of Mac discussion lists for decades now, and I have been a member of several Macintosh user groups, and I have some extremely popular Web sites. In other words I've been in touch with many many thousands of Mac users. Most of those Mac users have run with no firewall enabled at all. (Most users probably don't even know what a firewall is.) Yet...I've yet to hear first hand of a believable instance of a Macintosh user having been hacked.

So, it seems to me that if you enable the hardware firewall in your router, that's all that you need to do. And you probably don't even need to do that. But since it doesn't hurt anything to enable your router's firewall, and it doesn't cost anything, it would seem to be a good idea.

Second, the arrival of ransomware for the Macintosh seems to be inevitable. We have already seen an instance of it.
https://blog.malwarebytes.org/cybercrime/2016/03/first-mac-ransomware-spotted/

Here is a very interesting new product:

RansomWhere? (free)
https://objective-see.com/products/ransomwhere.html

RansomWhere? attempts to thwart OS X ransomware by continually monitoring the file-system for the creation of encrypted files by suspicious processes.

Sounds like it might be worthwhile protection given the extreme malicious nature of ransomware.

 

[McBie]

I have had the OSX firewall ON & configured since I bought the Mac.
Why ..... because I then don't have to worry about anything while I am on the road.
When I take a break at my local coffee shop and I want to do some work on the Mac, I can simply ask " 1 Caffe Latte please " instead of asking " is you WiFi protected by a firewall please ? "
You should never have to depend on what other might or might not do for you .... build your own controls.

Cheers ... McBie

 

[Randy B. Singer]

When I take a break at my local coffee shop and I want to do some work on the Mac, I can simply ask " 1 Caffe Latte please " instead of asking " is you WiFi protected by a firewall please ? "
You should never have to depend on what other might or might not do for you .... build your own controls.

A firewall monitors and limits traffic going into and out of your computer. That means that a firewall does nothing more than to keep bad guys from hacking into your computer. (Or, in the case of a reverse firewall, it keeps rogue processes running on your computer from phoning home.) I'm not sure that you have to be at all concerned about that happening at a coffee shop. Bad guys don't tend to go after transitory targets to hack into. For one thing, hacking into a computer takes time. Hackers looking to hack into a computer tend to go after more interesting targets than individual's personal computers. They tend to like to hack into businesses' computers. And they tend to look for Windows computers, which have more well known backdoors.

What you have to be worried about at a coffee shop is someone intercepting your Wi-Fi signal or otherwise hacking the public network. A firewall won't help with that in the least. For that you need a VPN (virtual private network.)
https://en.wikipedia.org/wiki/Virtual_private_network

 

[McBie]

Randy,
Your message is correct but as with most reports on the subject it is also full of assumptions. That is not a bad thing, it just shows that we don't know exactly what is going on, we are guessing most of the time and we live with a false sense of security.
All I want to say is that I configure my own controls based on the threats that I am faced with in my day to day job dealing with ICT threat intelligence.
I make no assumptions that somebody else has a control in place that might help me .... to be honest, I don't even want to think about it when I am out and about.
The coffee shop was just an example.
People should be able to use their devices safely on foreign networks, knowing that they have their device " protected " ( as they see fit ) against the threats that really matter ( for them ).
There is no such thing as " one size fits the world " ( Courtesy of Microsoft )

Cheers ... McBie

 

[Randy B. Singer]

Randy,
Your message is correct but as with most reports on the subject it is also full of assumptions.

I'm just going by many years of experience with tens of thousands of Macintosh users.

Once again, I've never heard of a first hand believable instance of someone hacking into a Macintosh. I'm sure that it is possible for someone with enough skill, but I think that it is so difficult and rare that the chances of it happening to an ordinary Macintosh user are just about zero and thus not at all a concern. I don't think that there are a lot of hackers out there, I don't think that there are many who are that good, and I think that those that are that good aren't interested in what is on an ordinary Mac user's computer.

Now, intercepting Internet traffic at a coffee shop *is* fairly common. Mainly because it is not terribly hard to do. So, if one is going to be using a public network one should either be very careful not to include sensitive/valuable information in the data that they are communicating (i.e. banking passwords, credit card numbers, etc.) or they should use a VPN.

You can do anything that you want if it makes you feel safer. However, if the topic is "things that Mac users should be doing to protect themselves from bad guys," then turning on their software firewall is very far down that list.

http://www.macworld.com/article/287...e-a-vpn-to-protect-your-datas-final-mile.html
"Your greatest security and privacy risk relates to data in transit, as it passes to and from your devices. In a coffeeshop, airport, or other public space using Wi-Fi, your information passes in the clear between your hardware and the network’s hub."

 

[McBie]

It is good to see different opinions on this topic and I like the fact that it is being discussed.
Again, there is no " one size fits all " ... there is no single response to a threat, given that we all have different operating environments ( not operating systems )

One thing I would like to clarify in your post is the reference you make to " ordinary Mac users " and " ordinary Mac users's computers "
If you look at this from a " bad guy " perspective, how would you differentiate between an ordinary Mac user/computer and a non-ordinary Mac user/computer, unless you profile the user/system first.
I mentioned it before, computers are no longer the target, people are.
In terms of skills of hacking ... the technical skills required to " hack into systems" have long been transferred to tools. The interpretation of the results are still with ( bad ) people.

For me it has always been a good thing to continuously investigate the ( ICT related ) vulnerabilities and the threats that my employer is faced with every day, and coming up with controls that are effective.
It was pretty clear more than 10 years ago , and still today, that your firewall on your device is an essential layer of your overall defence.
The biggest challenge is layer 8 of the OSI model .... the layer between the chair and the keyboard.

Cheers ... McBie

 

[Ember1205]

Making an assumption about who a target may or may not be is one of the "flaws" at Layer 8. In the world we live in today, you have to believe that you are always a potential target and act responsibly. Period.

If you walk into a coffee shop thinking that you won't be a target, there's a reasonably good chance you're right. But, what if (when) you're wrong? They're called "pre"cautions for that very reason - you take them BEFORE you need them. Adopting some basic and potentially simple things to keep yourself safe is the smart thing to do.

 

[Randy B. Singer]

One thing I would like to clarify in your post is the reference you make to " ordinary Mac users " and " ordinary Mac users's computers "
If you look at this from a " bad guy " perspective, how would you differentiate between an ordinary Mac user/computer and a non-ordinary Mac user/computer, unless you profile the user/system first.

As I said previously, it's not a bad idea to turn on your firewall. It's easy, it's free, and there is little to no downside. However, it's also not something that anyone here reading this should be particularly concerned about. In the real world hacking attempts just aren't something that a Macintosh user is going to be subject to.

In a discussion of security measures that a Macintosh user should be taking, on a discussion list such as this one, it is irresponsible to tell Macintosh users that having a firewall up is critical. It's not a step that they can take that is likely to be of any value. (But, once again, users can turn their firewall on if it makes them feel better. It won't hurt anything.) You should instead be talking about threat vectors that *are* routinely exploited and how to ameliorate the threat to them.

Off the top of my head, these are the things that Macintosh users have to do with regard to security (note that, for now, I don't list a need for anti-virus software):

- Set passwords and make them strong ones.
- Make sure to use the latest version of OS X and make sure to install all security updates.
- Know the latest social engineering threats (i.e. phishing attempts and scams).
- Don't update software anywhere but from the Web site of the developer (e.g. Adobe Flash and other media players).
- Have Java (*not* Javascript, which is something else) turned off in your browser. (No need to uninstall it completely. There has never been a Macintosh threat via a Java application.)

 

[Randy B. Singer]

I'm sure that I, and others, will think of more to add to the list that I just gave. A couple more, though of less importance than the above, are:

- Don't open e-mail file attachments from people you don't know. (Though malicious file attachments are just about always aimed at Windows users and usually are Windows executables that won't run on a Mac.)
- Don't click on links to Web pages in e-mails from people you don't know (however, you can hover your cursor over such a link, and a pop-up will appear telling you where the link will really take you, and you can then decide if it looks safe). (Once again, this is more of a Windows thing....it's good to be a Mac user.)
- Turn on "Macro Virus Protection" in the Microsoft Office applications (though macro viruses are exceedingly rare these days)
tps://kb.iu.du/d/agzk (outdated link removed)