Skip navigation

This is an archived version of the user tip. The current version can be viewed here.

Currently Being Moderated

Harden your Mac against web attacks

At the center of the Dark Zone
Level 7 Level 7 (30,305 points)
VERSION 37  Click to view user tip history Archived
Last Modified:  Apr 13, 2012 6:57 AM

Hello and welcome to my User Tip

 

 

We have all heard about exploits targeting Mac's, so I'll inform you how to go about hardening your Mac and yourself against these attacks.

 

 

Latest security info :

 

Flashback malware,

 

10.6 10.7 users

 

run your software update!  Will remove it and fix it so Java doesn't run if it's not used.

 

http://arstechnica.com/apple/news/2012/04/apple-updates-java-for-a-third-time-th is-time-with-flashback-malware-removal.ars

 

 

For 10.5 users

 

There is a checker and removal tool here works for 10.7 / 10.6 / 10.5 too supposedly

 

Primary removal tool

 

https://www.f-secure.com/weblog/archives/00002346.html

 

Secondary removal tool

 

https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_c hecking_site

 

Update: Sendary removal tool being updated to fix glitches...try again later if you don't succeed.

 

 

Warning, none of the two softwares above are verified or promised to work correctly or 100% as the malware is changing etc.

 

Backup your user file folders off the machine and disconnect as soon as possible.

 

 

For OS X users of 10.5 and earlier, Apple is not fixing security issues, don't expect any Java updates or tools to remove FB.

 

http://reviews.cnet.com/8301-13727_7-57411535-263/java-updates-for-flashback-avo id-os-x-tiger-and-leopard/

 

http://ps-enable.com/articles/diginotar-revoke-trust

 

 

 

Hardening your Mac and yourself to prevent future attacks

 

 

Attacks can come in many different forms, I'm concentrating upon web browsing as that seems to be the most popular angle of attack.

 

It's important to harden your Mac, especially for those who can't upgrade their OS X operating system to within the last two OS X versions in circulation as that's the only two currently supported by Apple.

 

In the military there is a form of security called "compartmentalized security" and basically it's about not allowing anything to have access to everything, but rather to place more barriers, "hoops" and security checks in place before a target reaches it's goal, especially something of great value.

 

 

 

Browser attacks

 

These depend upon a flaw in the web browser itself, which may or may not include the assistance of scripts or plug-ins installed in the web browsers.

 

Keep your web browsers updated by running the built in updater, via the developers site or for Safari via Software Update under the Apple Menu.

 

Have more than one browser on your machine, this way you can switch to another until a update for your primary one occurs or in case you have problems with your Safari and Apple's website download version isn't updated yet.

 

Your alternate browser choices are Firefox (highly customizable, lots of add-ons), Chrome (more secure, but from a advertising company that tracks you online), Opera and some  others.

 

 

Script & plug-in based attacks

 

Web browsers use JavaScript, Java, Flash, Silverlight, QuickTime and many others to do do things in your browser. You need to keep the ones you control updated. If your not using any of these scripts on a constant basis then turn them off in your browsers preferences.

 

It's highly advised to turn off Java (not Javascript) in all your browsers preferences (if installed) unless you specically need it then only use it for trusted sites.

 

Javascript is used quite often, so you should leave that one on. Flash and Silverlight is depending upon use (read about NoScript below)

 

This handy online checker will inform you of outdated scripts, especially Flash and Silverlight which are the most commonly used ones that have to be maintained by the user.

 

https://www.mozilla.org/en-US/plugincheck/

 

 

Direct links to trusted source downloads:

 

Flash  (bookmark them in your browser)

 

http://get.adobe.com/flashplayer/

 

Silverlight

 

https://www.microsoft.com/getsilverlight/get-started/install/default.aspx

 

Perian

 

http://perian.org/

 

Flip4Mac

http://windows.microsoft.com/en-us/windows/products/windows-media-player/wmcompo nents

 

Java, Javascript and Quicktime for these, just run Software Update under the Apple menu. Apple will take care of them.

 

 

 

Virus attacks

 

Viruses are malware that attach themselves to files and shared amongst users. So far there hasn't been any Mac based viruses in a long long time. So I don't see the need yet to install a always on, CPU hogging, potentially conflictive software like anti-virus for Mac's which break when Apple issues a Software Update that changes something in OS X.

 

However a Mac can act like a Typhoid Mary and transfer Windows viruses to other Windows users on shared files, so perhaps it's would be good to clean these using the free ClamXav which you run as you need too.

 

Thing about malware is this, it has the opportunity of getting around before anyone knows about it. The reason Windows machines still get infected despite having anti-malware installed is the anti-malware is looking for signatures, definitions or behavior of what it's supposed to find. Since there isn't any for new exploits, the malware gets on and disables the anti-virus or worst, uses it to keep other malware off and trick the user into thinking they have a clean machine.

 

The user experiences heavy CPU load, assumes it's the anti-virus and doesn't even consider malware is on their machine.

 

The best offense against malware is a secure operating system and third party software, which so far the Unix/Linux based operating systems are more secure, like OS X your using.

 

Windows 7 has done a much better job of catching up compared to previous Windows versions where malware outbreaks were a almost weekly occurrence, still not near as good as OS X, although no operating system or browser is 100% perfect.

 

The problem with malware on the Mac's has mainly come from not viruses, but via exploits in third party browser plug-ins, driveby attacks, social exploits and trojans.

 

 

Trojan attacks

 

Trojans are programs you think are one thing and turn out to be another, or do what they say but have sinister portions to it, you need to trust the source of your downloads. Check with many others about the developer, the site your downloading from etc., before committing. Usually it's installing stuff from untrustworthy sources like from links on thread posts where there isn't a trust worthy site admin, P2P networks or other means like emails and such that it's hard to locate the person(s) responsible.

 

Apple has incorporated a Trojan check for all downloads, but again like viruses on Windows, it also suffers from the time delay with new ones.

 

 

Things to watch out for, social exploits, tricking the user attacks

 

If your asked for your password or to do something like install this or that "codec to watch this movie", or "update your Flash here" or Software Update window appears, or "OS X has found a virus" window appears while a web browser is open, consider not going ahead, rather exit the browser and reboot the computer to clear the memory.

 

Check the status of your plug-ins using the trusted Mozilla check or links above, or from a site you know is the developers site, run the Software Update from the Apple menu.

 

Browser scripts have the ability to mimic OS X looking and other programs windows, like the Flash updater.

 

Browser and scripts based exploits have the ability to access the Users files and upload them online. So if one has a plain file containing password reminders, private information, consider using a small third party program to encrypt files or folder, a encrypted USB key, Keychain Access, etc etc.

 

 

Driveby attacks

 

Driveby attacks occur simply by visiting a website which then taka advantage of a vulnerability in a browser or plug-in, no tricking of the user is needed. This is how Flashback first attacks, silent and deadly using your third party plugins, this time it was Java. Since Java isn't used too much at all online, I suggest you turn it off. The Firefox + NoScript method below will reduce your browser/script exploit possibilities as you surf the web.

 

 

 

Consider running as "General User"

 

There are four user permissions levels on Mac's. Root, , Admin, General and Guest

 

 

Root Level User

 

This is the most dangerous user, it or anything else can do anything on the machine, it's disabled for a very good reason. Programmers work in root all the time (and offline mostly) as they prepare code, so for them having to enter a Admin password each time to gain Root is a pain.

 

Single User mode is Root, and used as a troubleshooting and problem solving means when the computer isn't functioning normally.

 

Running as root user all the time is suicide for most anyone else.

 

 

Admin Level User

 

When a Mac user first sets up a machine that account is called a Admin account. Most single users of the machine keep it this way either unawares or to facilitate doing things with the machine, installing programs and having Software Update automatically run.

 

Running all the time as "Admin" is a bit dangerous, as anything that gets in via the web browser or anything else has a lot of freedom to move around and wait to attack at the opportune time, even alter other programs.

 

However to gain root level it must ask for the Admin password, trick the user or alter another program to use a "sudo window" (super user do, aka "root") which gives it a few minutes to do whatever it wants to your machine, once in root, it's all over.

 

If you in Admin Level user and something asks for your Admin password, it means it needs root user powers, so if this occurs while surfing with a fake pop-up window looking like a Software Update, you can see how easily a user can be tricked (that's how one of the Flashback attacks works)

 

If malware attacks while your in Admin User, even without needing your Admin password, the cleanup efforts likely still will require a complete erase of the entire OS X with a "fresh install" of everything and returning vetted user files from a clean backup.

 

So essentially, Admin and Root user require the same cleanup efforts if something awares gets on the machine.

 

 

General Level User

 

The next level down is General User, this restricts some things one can do (and thus malware) unless one enters the Admin name and password to effect change outside the General User account.

 

Admin level /single users can use the General User all the time as a form of protection by restricting whatever gets on one's machine unawares to less privileges and permissions access of the General User.

 

One would have to consciously give further permission to the malware, so it reduces the potential for behind the scenes malware from gaining further access and forces the malware to announce itself or try to deceive the user via a social exploit or trojan to do so.

 

For behind the scenes malware, if one suspects a attack occurred, they can reboot the machine, log into Admin user and delete the General User account, reboot, recreate it. Restore clean copies of files from backup.

 

To convert your present Admin level user account to General User, simply head to System Preferences, create a new Admin account, (different password obviously) and then log out and into this new Admin User. Head to System Preferences there and change the first Admin account to General User, log out and into the General User and use that.

 

When one needs to do more things that isn't allowed in General User, like trashing a program, a window will appear to ask for your Admin name and password just to make sure it's you making the change.

 

Run the Software Update manually once in awhile as it doesn't run automatically in General User. One must have at least one Admin User account on the machine, it's also beneficial to have another (admin) account on the machine for data recovery purposes if one can't log into their General user account.

 

 

Guest Level User

 

This is a temporary user account given to those who want to let someone to use their machine for a short period with nothing saved when they log out. It has no access to anything and nothing is saved.

 

 

Getting at your files may be the objective of the malware

 

Sometimes malware is after your personal information, which if it is in the account your accessing the Internet with and a exploit occurs, is theirs for the taking.

 

So that combined with the fact that your machine may die at any moment and need repair, you might want to consider having a self encrypting external drive/USB (like a Iron Key) to store personal data on.

 

Enabling Filevault is not exactly so private, it's more for if you should lose your machine the bad guys can't get your data. Because if you need your machine repaired, you have to give Apple etc.,  the password to fix your machine. Also law enforcement types will demand the password, along with Customs searches, court orders etc.

 

https://discussions.apple.com/docs/DOC-3045

 

 

Consider using Firefox web browser + NoScript

 

Safari is a good browser, it's fast, it's designed like most all other browsers to be easy for users as it must cater to all user experience levels.

 

So because of this all browsers allow the continuous running of all third party scripts, giving malware writers more of a surface area of attack to get into your machine if they find a exploit.

 

So I'm recommending a method that doesn't run the scripts all the time, until you first decide if you trust the website your visiting, then you can enable that trust for that website, either temporarily (ideal) or permanently.

 

Firefox has the NoScript Add-on that's only available on that browser and I haven't found anything even close to it on any other browser.

 

Use the Firefox's > Customize Toolbar option to drag the "Temporally Allow All" NoScript button to the toolbar. That's all you need to do to get started, no need to mess with the finer controls.

 

http://noscript.net/

 

NoScript is hands down the best "web cop" on the Internet and will protect one against web side based trickery and attacks. Instead of all the web browser scripts running all the time, and taking your chances as you visit various web sites, the scripts are turned off by default and only enabled as you need it. Once you trust the site and it requires it, then click the Temp button and the page reloads with the scripts on.

 

You'll be surprised how little you'll have to click it and soon it will become second nature.

 

If you visit a site often and trust it completely, you can whitelist it in NoScript too. Also have NoScript allow scripts for all your Bookmarks.

 

So this way if your surfing and get a "redirect" to a hostile site which can occur in a matter of milliseconds, your scripts are turned off by default, reducing their attack possibilities.

 

If one had the NoScript method enabled and came across a MacDefender or Flashback malware attack, they likely went by unscathed and unaware a attempt was even made.

 

I recommend you enable the "Show downloads window" in Firefox preferences to alert one of unauthorized or accidental downloads as it gives a window and a button to proceed or cancel before starting, not automatically downloads any link a user clicks like some other browsers do.

 

Consider installing the WOT add-on for Firefox (Web of Trust) that flags each link for trustworthiness and opinions of other users around the web this way before you click a link it will tell you the status of that site..

 

 

 

Consider installing LittleSnitch

 

LittleSnitch is payware outgoing firewall that loads upon boot time (kernel extension file: kext) and watches for outgoing network traffic. It's useful for the fact that it pops up quick window alerting you of the outbound network traffic. If a program that hasn't already cleared with you attempts to contact the network or Internet, use a different port that you initially allowed. LS will stop that from occurring until you give it the clear and set the access.

 

Most web traffic occurs on port 80, however sometimes you load a video or a game into the browser and it can open another port, LS will flag this to make sure it's ok before allowing it out, as it could be malware. However if the malware uses the browser and port 80, then there isn't much LS can do obviously, but it's another level of defense as it confines malware to the browser or gaining root access to disable LittleSnitch.

 

BTW, Flashback deleted itself if it saw LittleSnitch, not saying all malware will do this, but it didn't want to alert to it's presence on the machine.

 

 

Backup, backup, backup!

 

Everything can be replaced except your unique users files, keep at least two copies of these on separate hardware in easily accessible formats (in addition to TimeMachine and bootable clones) so you can take your files to any machine, Mac or PC and go on with your life.

 

My view in regards to malware, since it can take a long time to discover, is to have a archived bootable clone(s), DVD's/CD's of your files, dated so you can go back before the malware started making the rounds.

 

https://discussions.apple.com/docs/DOC-3045

 

 

Secure your WiFi and privacy

 

Some good advice I have to share here

 

https://discussions.apple.com/docs/DOC-3047

Apple does not necessarily endorse any suggestions, solutions, or third-party software products that may be mentioned in this User Tip. Apple encourages you to first seek a solution at Apple Support. Any links in this user tip are provided as is, with no guarantee of the effectiveness or reliability of the information. Apple does not guarantee that these links will be maintained or functional at any given time. Use this user tip at your own discretion.
Comments (1)
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.