Securing Your Mac: A Guide for Reasonable People, Version 1.0
"How do I protect my Mac online? Should I run any 'security' applications on my Mac?"
That question arrived several weeks ago via the contact form here at TUAW, and I have been trying to come up with a reasonable answer to it ever since.
That question, or a variation of it, comes fairly regularly. Usually the person asking it has switched from Windows to Mac, and has brought with them an expectation that they should run some sort of anti-virus, anti-spyware, anti-malware programs.
It's easy to be glib and say that the only really safe computer is one that is turned off and locked away.
Conventional wisdom would have you believe that Mac users don't care about security, or think they are immune to security problems. That is a myth for everyone except Artie MacStrawman.
On the other side, you have tech pundits who have been predicting the "downfall" of Mac security since 2004, and every time there is even the slightest bit of security news, there are plenty who want to jump and point and say "See! We told you Macs were no better than Windows!" Many of those articles and much of the hype about protecting your Mac comes from companies which also happen to sell you protection against these potential harms.
The argument generally goes like this: "It is inevitable that Mac OS X will eventually have problems like Windows has, so you should buy one of our programs to protect yourself for when that inevitable day arrives."
Ironically, one of the biggest security problems that Mac OS X has faced was the Flashback Trojan in April 2012, and none of the Mac anti-virus companies made much of a big deal about it at the time because none of them caught it before it was already identified as a problem.
So What Is a Reasonable Person Supposed to Do?
I have spent some time gathering information on what I believe are reasonable steps which will allow you to continue to use your Mac on a regular basis, and which will also protect you in case something does happen of any sort of "malware" whether that is a trojan horse, a virus, spyware, or any such thing.
This advice comes to you from a neutral party. I do not have any financial stake in selling you software or services, nor do I believe the myth of the impenetrable computer, no matter what operating system you use.
You will notice that many of the suggestions that I make are not specifically about protecting yourself from malware, in fact, a lot of it would apply if all you were worried about was what might happen if your computer was ever lost, stolen, or destroyed in a fire or other disaster.
(Oh, and one last bit of prologue: while I did decide to number these so they could be easily referred to, I did not try to come up with a certain number of steps that you should take.)
Step 1) Make Backups: Use Time Machine.
Telling people to make backups is like telling people to eat better and get more exercise. Almost everyone knows that they should do it, almost everyone believes that they should do it, but far too many people still don't do it.
But if you ignore everything else I say, please listen to this: Make backups.
There's really no excuse not to make backups on your Mac. Every Mac comes with Time Machine, a built-in backup solution which is as easy as buying a second hard drive and plugging it into your Mac. Time Machine will prompt you to start using it, and will automatically keep things backed up.
Using Time Machine is like wearing your seat belt in a car. Just do it, no excuses.
Step 2) Make Backups: A Bootable Clone.
Time Machine is great, but don't stop there. If you really want to be safe, you should have a clone if your hard drive. A clone is an exact copy of your drive which you can use to boot your computer in case the hard drive dies. You can make one of these using Disk Utility, but I suggest SuperDuper or Carbon Copy Cloner.
Using Time Machine and bootable clone is like wearing your seat belt and having insurance. It's just a good idea.
Extra Credit: If your house or apartment burned down tomorrow while you were away, would it take out your computer and your backup? What if someone broke it and stole your computer and backup drive? For these reasons, people often suggest having an off-site backup. There are several ways you can do this.
The simplest path to offsite backup is making two clones of your drive, and bringing one somewhere like your office or a friend's house. OS X 10.8 Mountain Lion also makes it easier to alternate drives for Time Machine, allowing you to rotate drives in and out at will. Either way, you'd have a copy of your data locally and one someplace else.
But both of those approaches require you to update those backups periodically and physically move the drives around. A more hands-off solution would be something like BackBlaze or CrashPlan or Mozy or Carbonite or JungleDisk or another app that does real-time, off-site backups. CrashPlan actually allows you to "buddy up" with a friend or family member who has a high-speed Internet connection; you back up to a spare drive at their house, and they can do the same at your place.
Step 3) Use Dropbox for your most important files.
Dropbox isn't a backup system per se, but it does have a few things to offer that can be quite helpful when dealing with computer security.
The first is that as soon as you save a document to your Dropbox folder (or any of its sub-folders) it is immediately copied to the Dropbox website. That means that in a matter of seconds, there is an off-site backup copy. If you are working on a file at 10:15 a.m. and spill your coffee on your laptop at 10:20 a.m. Dropbox is the best chance you have of getting an up-to-date copy of that file.
Likewise, if some sort of a security breach affected your computer and corrupted or deleted your files, Dropbox can help here too. First of all, Dropbox keeps all revisions of a file going back 30 days. Using the Dropbox web interface, you can go back and compare versions, and find the last safe, clean copy of an infected file. Dropbox will also let you restore files which have been deleted in the past 30 days as well. (There's an add-on service called pack-rat which will let you recover files beyond 30 days -- indefinitely, in fact.)
File corruption can be a much more difficult problem to solve than file deletion. Being able to easily compare versions is a significant feature. Apple's Time Machine can do that as well, but by default it only runs once per hour, and a file you are actively working on may have been changed many times during that hour.
Dropbox and Security: Some people might object to recommending Dropbox as a security feature because what you are doing is copying a file to a 3rd party where it could (theoretically) be compromised by a security leak at Dropbox. To me, it comes down to a matter of trade-offs. First of all, I don't have anything that would quality as "state secrets" in my Dropbox. My most important confidential information is stored in 1Password, which is encrypted on disk before being sent to Dropbox and is protected by what I consider to be a very secure master password (based on the information I learned by reading Toward Better Master Passwords and Better Master Passwords: The geek edition).
Secondly, I consider accidental deletion or data corruption (or a hard drive crash) as much more likely than someone breaking into Dropbox to get at my files. Dropbox works for me because I don't have to think about it, it just runs, automatically, all of the time, on all of my computers.
A reasonable person might decide to encrypt sensitive files locally before saving them to Dropbox. (You can do this for free with Disk Utility and an encrypted disk image, or use something like Knox.) You can also achieve similar sync-to-the-cloud results with Google Drive, SkyDrive, SugarSync or Dolly Drive.
Step 4) Be Careful Where You Get Your Software.
Now we are moving beyond the realm of backups and multiple copies of files and getting into computer security from malware.
The most likely way that some sort of malware will get installed on your computer is by someone (or you) installing it, thinking that they are installing something else. If I can write a program and convince you to run it and enter your password when prompted, I can do pretty much anything to your computer.
If you find a program through BitTorrent which claims to be some high-end software for OS X that you want but don't want to buy (or can't afford), you might be tempted to download and install it. You might tell yourself that you aren't going to use it often enough to justify buying it, or maybe you want to try it out before you decide to buy it. Whatever the reason, the problem is that you don't really know what you're installing. It might be a "safe" version of a cracked program, or it might be a program that will also install some other kind of malware on your computer alongside of the program that you think you are getting.
Once you start installing software from an untrustworthy source, you're setting yourself up for trouble. So what is a reasonable person to do?
Use the Mac App Store Apple promotes the Mac App Store as a safe place to buy and install software. Many applications are available for free, and overall the price of software these days is incredibly low for what you get. While no system is 100% foolproof, the odds of downloading some sort of malware from the Mac App Store are extremely remote.
Use trusted third-party software. The downside to the Mac App Store is that Apple has placed so many restrictions on what apps can do, that many excellent, useful, trustworthy applications just are not available on the Mac App Store. I download and install third-party software all of the time, and I do so with confidence because I take what I consider to be reasonable precautions.
Starting in OS X 10.8 (Mountain Lion), Apple introduced Gatekeeper which is designed to be another layer of protection against malware. By default, Gatekeeper will only allow you to run applications from the Mac App Store or from "identified developers" who have paid US$100 for a developer license and cryptographically signed their software to make sure that it hasn't been tampered with. Macworld has a good article explaining what Gatekeeper is and isn't. It is possible for a malicious developer to develop a malicious program, sign up for Apple's developer program and distribute that program on their website. However, the chances of that seem relatively slim.
What is much more likely is that you might find a piece of software that you want to run, and see a warning that it is from an unknown developer. You might choose to open it anyway. This is where things start to get more difficult because there are legitimate apps out there which are made by legitimate developers who have not cryptographically signed their software. It may be that the software is a few years old and was developed before Gatekeeper was introduced. It may be that the developer made the app in his/her spare time and didn't feel like paying Apple for a developer certificate.
A reasonable person has to weigh the potential consequences and likelihood of this application being some sort of malware. Has the app been reviewed by a reputable Mac-related website? Is it a well-known app? Be careful of any software which arrives via email or on some random tucked-away page on a web forum, etc.
Step 5) Read first, install last.
Perhaps the most important thing you can do to protect yourself is to stay up-to-date on Mac news. A story about an actual Mac malware problem is going to be very widely-reported.
This does not mean that you need to refresh your browser or RSS feeds every 15 minutes, or that you need to read every Mac-related site out there. But take a quick glance through the headlines each day to stay informed. This goes along with checking for reviews of software that you are considering installing. Or try a simple search for the application and look for reviews from sites you've heard of before, like TUAW.
As a corollary to that point: don't be the first one to try every new app that comes out. Let tech writers risk their computers. If you find something brand new, bookmark it and make yourself some reminder to check it out in a day or two. 999,999 times out of 1,000,000 it's going to be just fine, but Not Being First might be your best chance of not being that unlucky "one in the million."
Do You Need Anti-Malware Software for Mac today?
My answer is no. Is it possible that at some point in the future, Mac OS X users will need to run real-time anti-virus and/or anti-spyware software? Yes. It is likely? No. Mac security software has not shown itself capable of catching new attacks in real-time, and there are not many attacks to be protected against.
If you insist on running anti-malware software for Mac, try either ClamXav or Sophos. Pick one but not both. Running two of these kinds of programs will cause far more problems than either one will solve.
Just remember, whenever you read a claim that Mac malware is either an unavoidable inevitability (or a current reality), check to see if the person who wrote the article sells Mac security software.
Use the tools Apple provides.
Apple gained a reputation for not being overly concerned with security, but that seems to be slowly changing. They have published a page of security features in Mac OS X 10.8 called Safety. Built right in.
There are several built-in features that you can control as well:
Mac OS X has a firewall built-in. Go to System Preferences » Security & Privacy and see if it is enabled. (Your router may also have a firewall built-in.)
While you are in System Preferences, look under "Sharing" and turn off anything that doesn't need to be on.
Safer Safari
There are several changes that you can make to Safari to make it safer.
First, go to Preferences » General and uncheck the box next to "Open 'Safe' files after downloading."
You may remember that browser security has most often been compromised through Adobe Flash, such that a security contest winner gave this advice: "The main thing is not to install Flash!".
Java was also a recent security hole on OS X. It is possible to disable both Plugins and Java by going into the Safari Security Preferences, and unchecking the boxes shown here:
I don't find myself needing Java in Safari all that often, so I find it simple to disable that altogether. I also regularly disable plugins, but I'm not sure I would go so far as to say that is a reasonable step for most people. Many would probably find it frustrating and annoying.
Instead, I would encourage you to consider using the ClickToPlugin & ClickToFlash Safari extensions which will prevent plugins from running automatically but which let you run them when you want. That seems to be a much more reasonable and balanced approach.
A Reasonable Protection
If you made it to the end, I have a bonus suggestion which I think offers the best balance between practicality and security in protecting yourself from future malware threats.
To understand how this tool works, you have to understand the system that Apple uses to launch programs (either visible apps or background daemons) whenever you reboot your computer and/or log into your computer.
For example, when I log in, several applications start right away. I can see some of these by going to System Preferences » Users & Groups and then selecting my user account and 'Login Items' as shown here:
But those are only some of the applications and daemons that run automatically. OS X has several different folders which can be used to auto-launch programs via the launchd system:
~/Library/LaunchAgents
/Library/StartupItems
/Library/LaunchAgents
/Library/LaunchDaemons
/System/Library/LaunchAgents
/System/Library/LaunchDaemons
/System/Library/StartupItems
I checked those folders on my computer and found there were over 400 entries. That does not concern me at all, because not all of those programs are running, and the ones that are running provide some kind of service or benefit.
However, this is also the most likely place that a piece of malware would try to hide.
What do most people do if their computer starts acting strangely? Chances are good that they will reboot it. So if you were trying to get some kind of malicious software on someone's computer, the first thing you would try to do is make sure that if someone reboots their computer, your software will start up again. In fact, to avoid detection you might not want your program to do anything at first except make sure that it will start up when the computer is rebooted.
Therefore, a good way to protect yourself is to keep an eye on these various auto-launch tools, and be notified whenever something is added to them.
The tricky part is making sure that you don't overreact just because something happens in one of those folders. Chances are good that you had no idea those 400+ things existed, and none of them were malicious. Computers do a lot of good things in the background that we don't want to be constantly bothered with knowing about. Think about this sort of like you think about your basement or storage area in your house: you might have a lot of stuff in there, and you might not even need to care about most of it, but you would want to know if someone put something in your basement without your knowledge.
The folks at CIRCL (Computer Incident Response Center Luxembourg) created a free tool to detect when something has been added to the automatic launch settings for OS X. You can download it at http://www.circl.lu/pub/tr-08/ and it will give you an alert whenever something is added to one of those folders. More detailed information about using that tool is available at MacFixIt.
As long as you remember that this system is detecting all activity not just malicious activity then this could be a very powerful "early warning" tool. Because it is only checking a few, very specific places, it should not add any noticeable performance drain on your computer, unlike many other anti-malware tools. It is not a 100% guarantee of protection, but it is a very good reasonable precaution to make.
Don't Panic, Do Plan
Despite warnings of the "inevitability" of malware on the Mac, the reality has been a very limited sphere of trouble. That doesn't mean that you should ignore the possibility of there ever being problems, but right now there just is not much that I can recommend for proactive protection beyond backups, caution, and common sense.
I have labeled this guide "Version 1.0" because it may need to be updated in the future, but this represent the most reasonable balance, in my opinion, for the reality of today's Mac user.
Version history:
2012/12/01 -- Minor typographical edits. Amended backup section to note multi-volume Time Machine, CrashPlan buddy backup. Amended sync section (Dropbox) to cite other sync vendors.
