Mac security tips and tricks
Mac security is important, but often overlooked. It's time to start taking the safety
and security of your Mac seriously.
Maintaining privacy and keeping data secure are hugely important for any Mac
user. Yet many of us give it scant attention and do little more than the bare
minimum, if anything at all to ensure that hackers, opportunists and, yes, even
the authorities are able to access as little of our personal data as possible.
Yet, macOS makes securing your data very simple, thanks to a host of tools in
System Preferences and Safari, and several third party apps.
There are two places threats to your data are likely to come from: over a network
like the internet, or from someone with direct access to your Mac. Taking steps to
protect yourself will minimize both.
Mac security tips: The basics
Share
Mac security tips: The basics
Let's start with the basic Mac settings you should be checking to ensure security
is watertight.
The first thing you should do is pay a visit to the Security & Privacy pane in
System Preferences. Here, you'll find four tabs that control various aspects of
security.
To change settings you'll need to click on the padlock at the bottom of the screen
and type in your user name and password. If you have an administrator account,
you'll be able to make changes that affect the whole Mac, if not they'll only apply
to your account.
Mac security tips: Firewall
The first step to securing any Mac is enabling the firewall, which blocks any
unwanted incoming network connections. You might think the firewall is enabled
by default but it often isn't. (And, no, we have no idea why not.) Luckily, enabling
it is dead easy and doing so is entirely wise.
Click the Firewall tab in the System Preferences > Security & Privacy pane we
just opened. Click the padlock icon at the bottom left to unlock system settings
(you'll need to type your login password when prompted), and then click the Turn
On Firewall button.
Then click the Firewall Options button and, in the dialog box that appears, click
the Enable Stealth Mode box. This last step means your computer will be largely
invisible on public networks, such as shared Wi-Fi in a cafe.
In the Firewall tab, click Firewall Options to make changes. Here, you'll see a list
of apps and services which are able to receive inbound connections. To add one
to the list, if, say you try to run an app and it displays an error telling you it has
been prevented from accepting an inbound connection, click the '+' beneath the
list.
It's important to note that macOS's Firewall, while useful, offers only limited
protection from malware. That's because it shields you from inbound traffic only.
Its job is to limit which apps and services can accept incoming connections. It
doesn't provide any control over outbound connections i.e. apps and services
which initiate connections. So, for example, if you download a piece of malware,
OS X's Firewall won't stop it connecting to the internet.
Some people choose to block outgoing network connections too, so that certain
apps can't "phone home" without their knowledge. This also means accidentally
installed malware is unable to leak your data without you being made aware.
Mac security tips: Passwords
Let's go back to the first tab in the Security & Privacy pane: the General section.
There are three settings here you should pay attention to. The first is the one
which allows you to set a password for your account if you haven't already done
so. You should have a password. The next allows you to specify if a password is
needed to unlock your Mac when it goes to sleep or a screen saver begins.
If you work in an office with other people, you should consider switching this
setting on. You can specify how soon after sleep or the start of a screen saver
the password is required. The most secure setting is 'immediately' but, like
everything else to do with security, you need to balance security and
convenience. So choose a time period that makes sense to you.
While we're on the subject of passwords, we'll remind you that good passwords
should be difficult to remember. They should also not be written down. That, of
course, presents a problem, particularly if you don't want Safari to auto-complete
them.
The solution is a password manager like 1Password or Dashlane. These apps
allow you to create and store robust passwords and sync them across all your
devices. Crucially, however, they encrypt the data and allow access when you
type in the master password.
Mac security tips: Automatic login
Next is the Disable automatic login setting. You should check this, particularly if
you use a mobile Mac. If your Mac gets stolen, you don't want the thief to be able
to access your data.
Mac security tips: Apps
At the bottom of the General page are three options relating to which apps can
run on your Mac. The safest, but most limiting option, is to only allow apps from
the App Store to run.
The least secure is to allow apps from anywhere.
The middle option is a good compromise, allowing you to run apps from the App
Store and from developers known to Apple.
Mac security tips: FileVault
The FileVault tab allows you to encrypt all the files in your user account. To
decrypt them, you'll need to type in either your account password or the recovery
key created when you switch File Vault on.
For most users, the inconvenience of having to type in a password to open a file,
together with the tine it takes initially to encrypt all the files on your Mac,
outweighs the security advantages. But if you have reason to keep data as
secure as it can be, switch it on.
Mac security tips: Privacy
The last tab, Privacy covers a number of different controls and settings. These
are listed in the window on the left of the pane. Location Services allows you to
control which apps have access to your location data. You can switch Location
Services off completely here, or prevent individual apps from accessing data.
Likewise, Contacts, Calendar, and Reminders allow you to specify which apps on
your Mac can access the information stored in those core OS X apps. If you've
added your Twitter, Facebook, and LinkedIn details to the Internet Accounts
System Preferences pane, you can control which apps have access to those
accounts here.
Lastly, but perhaps most importantly, is the Accessibility section. Despite sharing
a name, this, confusingly, has nothing to do with the settings available in the
Accessibility pane in the main System Preferences window. Here, you can
control which apps are able to control your Mac in some way. For example,
Deeper and Onyx allow you change settings which would normally require
Terminal commands. To use them, you'll need to enable them here.
Mac security tips: Safari privacy settings
Away from System Preferences, Safari has several settings that allow you to
control privacy. The first is New Private Window, from the File menu, which
allows you to visit websites, without a record of where you go being stored in the
History menu, or anywhere else on your Mac.
The second is Clear History and Website data, in the Safari menu, which if you
click it periodically, erases cached data from the sites you visit and removes
them from the History menu. In Safari's Preferences, the Privacy section allows
you to prevent websites tracking you, control which sites can store cookies on
your Mac, and specify how your location data is made available.
And if you're concerned about storing website username and passwords, or
personal data, go to the Auto Fill and Passwords sections and uncheck the
boxes that enable those services.
Mac security tips: Check what you're sharing
Your Mac is able to share files with other Macs, and can share data in various
other ways too - including sharing the whole screen to facilitate remote working.
Once a sharing service is enabled it's like fitting a new door or window to your
house
Yes, that door or window might be considered secure - people will need a
password to utilize screen sharing, for example - but there might be a flaw in the
door or window that makes it not quite as impenetrable as you might think. In
simple terms, it's a good idea to turn off any sharing service you're not using, and
the majority of Macs used in the home environment should have all sharing
services turned off.
To do so, open System Preferences and click the Sharing icon. Look at the list
on the left, and look closely for any checks in the boxes beneath the on heading.
Remove any checks you see but if in doubt take a look at the following list to
make absolutely sure you're OK disabling that particular sharing service.
Mac security tips: Screen sharing & file sharing
Screen sharing: Used mostly in corporate environments to let tech support
workers see or control your screen, and perhaps perform repairs/updates.
Windows and Linux computers can also use it to control your Mac's screen
via VNC. Not heard of VNC, not in a corporate environment, and never access
your Mac remotely? Ensure it’s turned off.
File sharing: Lets other computers on the network access your computer's file
system, including Linux and Windows computers - technically speaking, it
enables Windows File Sharing (SMB), Apple Filing Protocol (AFP), and Network
File Service (NFS). Notably, the file sharing system is also used by the Back To
My Mac service, which is part of iCloud and allows you to access your Mac's files
from another Mac via the internet (although it has absolutely nothing to do with
iCloud Drive, which performs a similar function). If you're not sharing files across
the network, and not using Back To My Mac, then this option should be switched
off.
Mac security tips: Printer sharing, remote login and more
Printer sharing: Shares any printer connected to your Mac with other computers
on the network, again including PCs. Should be turned off if you're not sharing
your printer, or if you don't even have a printer attached to your Mac.
Remote login: Allows connection to your Mac via SSH/SFTP, and mostly used by
techies to work at the command-line when away from their Macs. Should be
turned off if that description doesn't apply to you - and we're pretty sure it won't!
Remove management: Used in the corporate environment to let administrator’s
access your Mac to do things like perform upgrades, or make fixes. Should be
turned off in all other circumstances.
Mac security tips: Remote events, internet sharing and Bluetooth sharing
Remote Apple Events: One of Apple's many Good Ideas From Long Ago, this
lets one Mac control another to print, or do just about anything, in fact, thanks to
tie-ins with AppleScript, at one point a cool joke among Mac fans was to use
Remote Apple Events to make another Mac speak, via speech synthesis.
The user of that Mac would be scared half to death when his computer seemingly
came to life. However, if you need Remote Apple Events in our modern age then
you’ll already know all about it. The rest of us can switch it off without worry.
Internet sharing: Lets one Mac share a Net connection with other Macs. This was
created in the days of dial-up internet. It's extremely unlikely to be used now
that broadband, Wi-Fi routers and home networking are the norm, so should be
switched off.
Bluetooth sharing: Lets a Mac send and receive files to and from another
Bluetooth-enabled device, such as a mobile phone. IPhones and iPads can't
share files this way, so you're only likely to use it if you've got an Android phone.
You'll find guides online telling you how to do this. However, in all other situations
this option should be turned off.
Mac security tips: Apply a firmware password
Mac OS X/macOS turns on FileVault encryption by default nowadays, which
means the entire boot disk is encrypted and impossible to access unless it's
unlocked at login via the user's password. However, that doesn’t stop somebody
using a USB memory stick to boot the Mac and potentially wipe all the data from
the hard disk, or simply reinstall OS X/macOS.
The solution is to apply a firmware password. Unlike with a PC's so-called BIOS
password, the Mac's firmware password prompt will only appear if anybody tries
to boot your Mac in a non-standard way, which is to say, via a USB stick, or if
they try and boot to the Recovery Console. Most of the time you won't see the
password prompt.
In fact, it's from the Recovery Console that you'll need to activate the firmware
password, so restart the computer and, just before the Apple logo appears, press
and hold down Cmd+R. When the boot-time progress bar appears you can lift
your fingers from the keyboard.
Select your language and location when prompted, then click the Utilities >
Firmware Password Utility menu item. Follow the instructions. Be extremely
careful here! If you forget the firmware password then only Apple can unlock your
computer. This is probably why this feature is optional!
Mac security tips: Enable guest user
If you know anything about computer security you might be wondering if we've
gone mad: we're asking you to enable the guest user? Doesn't that let anybody
who's stolen your Mac actually use it?
Well, it's more that we're asking you not to turn it off, because it's a vital tool
within the Find my Mac service, which is a part of iCloud that lets you attempt to
track down a lost or stolen Mac. Apple says the following: "The guest account
works with the Find My Mac feature of iCloud, which can help you find your Mac
if you lose it. You can locate your Mac if someone finds it, logs in as a guest,
then uses Safari to access the internet."
So, don't turn off the Guest account if you have Find my Mac enabled in iCloud.
To check, open System Preferences, click the iCloud icon, and then ensure
there's a tick alongside Find My Mac at the bottom of the list at the right.
Mac security tips: Disable the FileVault 'Security Hole'
Those who take computer security very seriously indeed point out that, when
your Mac enters sleep mode (if you close the lid of a MacBook Pro, for example),
there's a potential security hole in the fact that the password required to decrypt
FileVault is stored in memory.
In theory somebody could wake the computer and somehow - and we genuinely
don't know how - retrieve this key, and thereby have access to the entire disk's
contents without the need for a login password.
The only people out there likely to take advantage of this are government
agencies that employ extraordinarily clever people and have unlimited budgets.
It's certainly too difficult for a burglar who steals your Mac to exploit, or a nosey
colleague.
However, if you’re truly security paranoid then here’s how to stop the FileVault
key being stored in memory. The only actual difference this will make in everyday
use of the Mac is that sometimes you’ll be prompted to type your login password
twice when waking your Mac, and your Mac will be a little slower when waking
from sleep mode.
We need to do two things. First we need to switch the Mac to enter standby
mode, rather than sleep mode, whenever you do something like close the lid of a
MacBook Pro. In Standby mode the contents of memory are saved to disk and
the computer put into a deep sleep mode that uses only a trickle of power.
Secondly, we need to tell the computer to not hold the FileVault key in memory
while in Standby mode.
Both these two steps can be achieved by opening a Terminal window (you’ll find
it in Utilities folder of the Applications listing in Finder) and then pasting in the
following:
sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
To turn off this feature, and renable the security "hole", again open Terminal and
type the following:
sudo pmset -a destroyfvkeyonstandby 0 hibernatemode 3
Then reboot.
Mac security tips: Check for persistent apps
Some apps on your Mac are designed to start invisibly each time you boot, and
remain invisible while you're using the computer. These are called persistent
apps, and examples include the update checker apps that Google and Microsoft
install to ensure Google Chrome and Microsoft Office are always up to date.
Adobe installs a handful of persistent apps too as part of the Creative Cloud
package.
However, malware also uses persistent apps to do their nastiness without you
noticing and, to make matters worse, there are many locations in the file system
where malware can hide in order to have itself started at each boot-up. We could
advise you to keep an eye on each and every location, but it's a mammoth task.
Luckily, there are two free apps that'll do a lot of the hard work for
you. KnockKnock scans these locations and will tell you what's there. It's not a
malware scanner, so won't tell you if what you find is dangerous or not.
That's between you and a search engine, although a helping of common sense
will do no harm - for example, the aforementioned apps for Microsoft, Google and
Adobe apps are easy to spot (although as a caveat we suppose we ought to
point out that it’s possible some malware might masquerade as an app from one
of these companies).
The second app is from the same clever people who make KnockKnock, and it's
called BlockBlock. This runs in the background of your Mac via a menu bar icon
and monitors all the locations in which persistent apps install themselves.
If any app attempts to install persistently then a pop-up dialog box will appear
telling you, and it’s down to you whether you allow it or ban it. Again, BlockBlock
is not an anti-malware tool so doesn't know what's legitimate or not. That's for
you to work out. But as forms of malware protection both KnockKnock and
BlockBlock are pretty darned effective.
Mac security tips: Scan for malware
Although it's true there's more malware targeting Macs these days, we're still
nowhere near the tidal wave that Windows users face on a daily basis. This is
also true of the malware attack that crippled the NHS - it targets only Windows
PCs.
Because of this, and because OS X/macOS already features a powerful, always
running yet invisible anti-malware tool called Xprotect, we reckon that
antimalware software is still not a standard requirement for a Mac.
However, for peace of mind you can occasionally fire up an app like Bitdefender
Virus Scanner, which simply scans through your files in order to uncover
malware.
Unlike Windows antimalware apps, it doesn't install any system monitoring
software that can slow the computer down. The best news is that Bitdefender
Virus Scanner is free and very easy to use. Be aware that it also finds and
reports Windows malware, though.
For example, scanning my system typically shows a handful of spam mail
messages containing attachments into which Windows malware has been
hidden. This can be alarming but is actually harmless and, generally speaking,
Windows malware can be identified because the name of it usually begins with
"Win32" or "Win64". Even though this is harmless to Mac users, Bitdefender
Virus Scanner will still remove it.
In addition to Bitdeferender Virus Scanner, we also recommend the occasional
use of Malwarebytes Antimalware, which focusses mostly on uncovering and
removing adware - which is to say, hidden code within certain apps that aims to
hijack your computing experience to show adverts on the desktop or in your web
browser. Again, you can run Malwarebytes Antimalware infrequently to scan your
system.
Mac security tips: Enable two-step everywhere
Two-step authentication is a system whereby your login to services or websites
requires more than just your username and password. It requires an additional
numeric code. This is either sent to you as something like a text message or it's
generated by a special app that runs on your mobile phone (there are many such
apps but for the iPhone we recommend Authy).
We've already discussed how to setup two-step verification for your Apple
ID (look for the Securing Your Apple ID section), and we very, very strongly
recommend you set it up because it presents an insurmountable brick wall to
hackers trying to gain access to your account. In fact, stop reading this now and
go and do it if you haven’t already. We'll wait here until you've finished.
Done it? Terrific. But now you should go off and enable two-step it for all the
other sites and services you access. For example, if you use any Google
services like Gmail then you can also enable two-step verification. You can
enable it for Microsoft services and sites too, and for Dropbox.
Not all sites or services offer two-step verification just yet – notable hold-outs for
UK users are Amazon and eBay - but a surprising number are on-board. Sites
like https://twofactorauth.org provide a continually-updated list of those that do,
although they tend to be biased towards American use.
Setting-up two-step verification is pretty easy. Some sites and services text you a
number when you’re logging in, that you then enter when prompted, so to set
them up all you need do is provide your mobile number.
For those services or sites that use an authenticator app, like the aforementioned
Authy, you’ll need to switch to the app on your mobile or tablet, then choose to
add a code and simply point the device’s camera at a barcode that the site
displays when you opt for two-factor setup. It's pretty straightforward.
If your device doesn’t have a camera then you can type the auth code in
manually, and usually it appears just below the barcode.
Subsequently logging in to the service once two-step verification is setup will
involve opening the app and typing when prompted the code displayed (usually
after you've entered your password), or waiting for the text message/voice call to
arrive and typing it when prompted.
Mac security tips: Encrypt web page look-ups
The ages-old Domain Name System, or DNS, converts the addresses we
humans can read and remember - such as www.macworld.co.uk - into the
numeric internet addresses that computers better understand, such as
104.16.71.73.
All computers connected to the Internet consult DNS servers. They’re provided
by the Internet Service Provider as part of the overall package. The problem is
that, like many things online, DNS is in no way secure.
It was invented in a different era, back when people just didn’t think about things
like that. In other words, any and all requests you make for websites via DNS can
be snooped upon by others while the data is in transit.
The DNSCrypt app and project overcomes this by simply encrypting DNS
requests both to and from the DNS server. You can download the app from the
project's home page and setup is pretty simple once it's installed - just open
System Preferences, click theDNSCrypt icon at the bottom, then select the
General tab and put checks alongside Enable DNSCrypt and Automatically
Disable if Blocked. See our screenshot for an example.
You won't notice any difference to everyday internet tasks such as web browsing
when DNSCrypt is in use, although it adds a menu bar icon so you don’t forget
it's running (right-clicking this and selecting the hide option gets rid of this until
you next reboot). However, with DNSCrypt running your web page look-ups are
immediately more secure.
Mac security tips: Use a VPN
Never assume your Mac is safe when using a shared network, whether that’s out
and about in a café, or even in location such as an office. Unfortunately, it's
extremely easy for malicious interests to spy on data you send to and from
websites.
While out and about many people chose to utilise a virtual private network (VPN)
service. This encrypts all data and routes it to an end point operated by the folks
who run the VPN service.
Tasks such as browsing and downloading are entirely unaffected as far as the
user is concerned, but anybody on the same physical network - such as another
computer on the café's shared Wi-Fi service - is blocked entirely from snooping
on your Mac’s data.
Because a VPN service encrypts your data, you can also it at home to overcome
internet censorship imposed by the British government and ISPs.
A variety of companies offer VPN services and they're usually paid for via
monthly subscription fees of around $5-$10. Just search Google and you'll find
many examples. However, there’s been an increasing trend recently for some
companies to offer lifetime subscriptions to their VPN services for a one-off fee of
around $40. For the more casual user such deals are ideal.
For impartial and expert advice, try out article Best VPNs for Mac.
Typically, VPN services come with an app that you run when you want to make
use of the VPN connection, although OS X/macOS comes with a built-in VPN
tool that you can use instead - just open System Preferences, click the Network
icon, then click the plus button at the bottom left beneath the list of connections.
In the dialogue box that appears, click VPN from the dropdown list alongside
Interface, then select the service type from the list beneath (usually it's L2TP).
Then click the Create button, and fill in the server/login details provided by the
VPN service.
Mac security tips: HTTPS everywhere
For historical reasons most data is transmitted on the web in plain form and this
means anybody can eavesdrop at any stage of transit. The exception is secure
connections such as those made to banks, webmail services and online
shopping sites. These use secure HTTP, and you can tell because the website
address starts with https://.
Wouldn't it make sense if every site used HTTPS? Making a website secure in
this way is a bit more complicated and expensive than running a basic site but
nonetheless there is a slow revolution happening and many sites are making the
switch.
You could try adding an S to the middle of each web address - so
that http://example.com becomes https://example.com. There's an https:// version
of the Google home page, for example. However, an easier way if you're using a
browser that isn't Safari - such as Chrome or Firefox - is to install the HTTPS
Everywhere browser extension. This simply (and invisibly) consults a database of
sites that have an optional https:// entrance and switches you automatically
should you try to access one.
Alas, because of the way it works, a true HTTPS Everywhere extension for Safari
is presently impossible to implement in a way that provides maximum security.
Nonetheless, the SSL Everywhere extension brings something very similar to
Apple's browser.
The only difference is that the initial data transmission when you access a site
isn't encrypted, which can provide interested hackers or snoops with a little more
information than is ideal. However, once you've been switched over to secure
HTTP - which essentially happens immediately from the user's perspective - then
everything is, of course, encrypted.