Lock down your Mac with system and networking monitoring tools

A way to improve the integrity of your Mac is to know exactly what's happening on it.

macbook usbc port
Roman Loyola

Any malware powerful enough to overcome the defenses that Apple built to resist incursions may also be powerful enough to hide its traces. That’s not quite an axiom of security, but it’s generally true. If an attacker of any sort creates software designed to attack your system quietly, it typically tries to prevent security software and any other kind of inspection from noticing.

That’s very, very hard, and any exploit that’s sufficiently good at being entirely invisible is likely also good enough for a hacker to sell for a million dollars, with the advantage that the sale is probably legal in most places, and thus better than distributing malware that steals financial credentials or holds files for ransom. (I am not a lawyer, and that’s not legal advice.)

Such exploits, once discovered, are fixed at high priority by operating system makers, giving them sometimes short windows of utility. The more widely used the exploit is, the less likely it will remain available to use.

Unless you’re a highly valuable targeted individual, it’s more likely that what you’d see is malware that doesn’t hide its traces that well because most people aren’t set up to look for it. This can be especially true in macOS and iOS. Most macOS users don’t run software capable of spotting malicious behavior; they rely on Apple. iOS can’t run anti-malware or other monitoring software at all. And Apple has stayed on top of the biggest risks to iOS as they’ve been discovered, whether as zero-days (found in the wild before being patched) or ahead of widespread use.

Because Apple doesn’t lock down macOS as tightly as iOS, it’s thus more vulnerable to less-severe assaults. To forestall a large category of attacks, Apple added a powerful baseline feature starting in OS X El Capitan (10.11). System Integrity Protection (SIP) locks down major directories associated with macOS and Apple’s preinstalled apps.

littleflocker simple alert Little Flocker

Little Flocker lets you know when an app is trying to modify files. If it’s an app you don’t recognize, and it wants to access every user file you have, that could be ransomware, and this could help you stop it in your tracks. 

But there’s a lot of havoc that can be wrought without accessing files in those paths, and while SIP appears well designed, it’s absolutely a target of hackers. To my knowledge, it hasn’t been broken through yet, but that never means it can’t.

This column is another entry in my series of how to deal with security as if you woke up and were a dissident in your own country. Assuming the unlimited resources of a government agency or security apparatus, any vulnerability that can be found will be, and it will be used as skillfully as possible for as long as possible. Protecting against such vulnerabilities helps you fight malware as well as government-led attacks.

Multi-pronged resistance

In the olden days, I used to run firewall software, anti-virus software, and some other protective extensions. OS X was young, and there had been malware for System 7, 8, and 9. However, Apple had a very small percentage of the market share, and hadn’t built OS X to allow its email software to execute code. Security through obscurity worked.

All of those different pieces of monitoring and protection software did slow things down. I gradually stripped them off, as I felt Apple had improved the OS or certain kinds of threats disappeared. Now, I find myself in the reverse position, layering amulets one on top of each other.

There’s still the risk of adverse interaction and system slowdowns, but the kind of monitoring that will serve you best integrates at a level where it’s examining what’s happening instead of churning away at tasks.

If you want to monitor and block potential adverse actions, I recommend these four areas, some of which have a single product offering, often cheap:

Network monitoring. Little Snitch ($35) is a sort of firewall, although it’s more accurately an app-based network activity filter. You can whitelist and blacklist permitted network behavior by apps and system components, and have an alert spring up before new ones are allowed. I reviewed the initial release of the current version in 2012; it’s been updated all the way to 3.7.1 since, and works with Yosemite, El Capitan, and Sierra (10.10, 10.11, and 10.12).

little snitch Objective Development Software

Your first line of defense is monitoring what connects to the Internet. Enter Little Snitch.

Little Snitch can prevent malicious apps from reaching out to command-and-control systems they use to download full malware payloads or transmit information back to an attacker. Firewall apps from other companies take a different approach to a similar end, but I prefer Little Snitch’s conceptual framework.

File-access monitoring. Designed in part to block potential ransomware from gaining a foothold in macOS, Little Flocker ($15 to $25) works at a system level to control which apps and system components have access to which volumes, files, and directories. You can set up rules or have it learn your system’s behavior, and you’re prompted to allow or deny attempts that fall outside permitted actions you defined.

Little Flocker operates under the reasonable proposition that few apps need unlimited access to read, write, or otherwise modify every user-accessible file on all mounted drives. Ransomware gets called out, because such malware encrypts typically only user documents, which have less protection than system files. But apps also shouldn’t be trying to read files other than those you point it at—especially an app the name of which you don’t recognize or know why it would be running.

There’s nothing else quite like it available. I wrote up a detailed preview of the 1.0 release in November. The app is $15 for personal use (up to five computers) or $25 for a single-user business license. it works in El Capitan and Sierra.

blockblock alert Objective See

Your calendar app launching on startup? That’s convenient. Malware wanting to launch on startup? That’s bad, but BlockBlock lets you know.

Persistent software installs. BlockBlock (free, still in beta) is another nearly unique app, monitoring for attempts to create system entries that allow software to be persistent, or relaunched at every reboot. One of the first thing malware does is try to make sure that even if it’s killed off during a session, whenever a computer reboots, it simply launches again. You can allow or block such attempts. (I wrote about BlockBlock in the same article that covers Little Flocker.)

Mic and video activity. Keeping outsiders from gaining access to your Mac’s mics and cameras is key in ensuring privacy, and that kind of access is more likely from government players trying to surveille you than plain old malware operators, who just want to steal. I’ve written two columns about this, one about audio and one about video.

Several apps, free and paid, can monitor whether an audio or video source is being tapped, but because that monitoring relies on the system properly reporting what’s happening, they’re much more likely to be disrupted by clever software. This is why those most at risk of A/V snooping remove mics and video (or put tape over a video camera).

You may feel like you’re being watched

Too much monitoring can be irritating. I was just watching some of the old “I’m a Mac/I’m a PC” ads on the 10th anniversary of the launch of that multi-year campaign, and I saw the one that ridiculed Microsoft Vista’s excessively interferring security permission system.

No Mac user wants to relive that. But the joy of the two more frequently invoked of the four categories I note above is that they’re rules-based and you train them. There’s a learning period after which you’re asked less and less often, because new behavior only arises from installing new apps—or from malware. The other two categories only intrude when either something happens: software tries to install a persistent component or A/V hardware gets invoked.

I’m using two of the above regularly (A/V monitoring and Little Flocker) and am easing into installing the other two. I know a number of people who run all four. The lack of overlap between them should keep bad interactions low.

Shop Tech Products at Amazon