Mac security reality check

More Stories in this Series

Security

Mac security: online hazards

The Internet has made using a Mac infinitely more rewarding than it was before we were all online—and somewhat riskier, too. It's not hard to manage those risks, though, if you take some elementary precautions.

Risky downloads

The Threat The most common source of Mac trojans is pirated software downloaded from the Net. In 2009, attackers released illegal copies of Apple iWork '09 and Adobe Photoshop that were soon circulating on file-sharing networks. Some users were infected when they downloaded and installed these pirated programs; others obtained and installed “free” copies from friends and became infected that way.

The next most common sources of infection are sites that ask you to download new QuickTime plugins or special applications to look at pictures or videos of people in various states of undress. Lastly, we do sometimes see trojans planted in free software, especially gambling software and simple games. These, like the other trojans, tend to appear on less-popular sites or online forums.

What You Can Do Don't try to find free copies of commercial programs. Don’t download random QuickTime plugins or video viewers unless you know, with absolute certainty, that the source is legitimate. When downloading software, avoid forums or sources that are off the beaten track. If there’s any doubt about a program, do a quick online search for it and see if it also appears on more mainstream download sites.

Another help: Snow Leopard includes a basic trojan check as part of its File Quarantine feature. A dedicated antivirus solution would provide more robust protection. But since the odds of encountering malicious Mac software are so low, I don’t recommend that investment unless you have special needs. (See “Mac Security: Antivirus” for more on what those needs are.)

Cross-Site Scripting

The Threat Cross-site scripting (XSS) may sound esoteric. But it’s the single most common vulnerability on Websites. In an XSS attack, a bad guy surreptitiously adds code to a Website you trust. That code then tricks your browser into doing things it normally wouldn’t—running Javascript it shouldn’t trust, downloading malicious code, changing account settings, or divulging your login credentials. This technique has been used against brand-name properties, including Facebook, Google, Microsoft and Yahoo.

NoScript
The NoScript Firefox add-in can prevent Website scripts from running automatically.

What You Can Do Defending against XSS is difficult, but not impossible. If you use Firefox, you can use the popular NoScript add-on for Firefox to specify which scripts you allow to run, on a site-by-site basis. (Be warned: NoScript is very effective, but it’s also disruptive; you’d be amazed how many scripts you run into during your daily browsing.) An easier option is to use one Web browser for financial sites and another for the rest of your browsing. Using a separate browser reduces the risk of an untrustworthy site using cross-site scripting to break into your bank or retail accounts. (For more on that, see my story “Super Safe Surfing”.)

Antisocial networking

The Threat Criminals love social networking sites; they’re cross-platform, based on trust, and often full of security flaws. We’ve seen social networking worms propagating through friend’s lists, attackers stealing contact e-mails for spam, fake advertisements, and direct browser attacks to take over systems. And once you start installing widgets and applications on a social site, you are essentially allowing arbitrary programs to run inside your browser with full access to your information.

What You Can Do When posting information on a social networking site, don’t put anything up there that you wouldn’t want the whole world to see. Also carefully consider the applications you allow the site to install—especially on Facebook, where you can’t always control the information an application accesses.

You might also consider using a single-site browser (SSB) for the site. Using a tool like Prism for Firefox, you can create a stand-alone browser specifically for that site; that way, any potential attacks are isolated to that SSB. Just install the Prism add-on in Firefox, navigate to the social networking site, and select Tools -> Convert Website to Application. A browser just for that site will be placed in your Applications folder.

Peer-to-peer sharing

The Threat Peer to peer (P2P) file-sharing can be a great way to distribute or download large files. But researchers have found reams of sensitive information on P2P networks. For example, there have been cases of public employees placing sensitive legal and government documents on home computers that were also running P2P software; those files turned up on the P2P networks. In my own research, I’ve seen everything from tax returns to scans of passports.

It isn’t that P2P file-sharing itself is evil (despite what the recording and motion picture industries might claim). It’s just that it’s all too easy to inadvertently share things you shouldn’t.

What You Can Do If you use P2P services, stick with popular programs (such as Azureus) and make sure you configure it to share only folders that contain no sensitive files. Many of these programs automatically share whatever directory you set as your own download destination, so it’s best to create a directory specifically for P2P usage, and occasionally check your application preferences.

Subscribe to the Apple @ Work Newsletter

Comments