The Rules Of Computing: Keeping Your Mac Secure

--
When I was a computer newbie, what I heard repeatedly was "The Number One Rule Of Computing is Make A Backup!" I've been working on an extended list beyond one item in order to help newer newbies consider further aspects of their computer experience that can help save them in a crisis. I don't consider my list definitive or even finished. But I like the list enough to publish it as a starting guide. So here I go:


The Rules Of Computing


1) Make a backup. Have two backup strategies. One strategy regularly backs up your crucial data to local external media away from your computer. The other strategy backup up this same data to an off-site location, such as in 'the cloud' or onto external media you take to a separate location each day. The idea is to have an off-site backup in case your computer site burns to the ground. Backups are also your first and best defense against malware damage and hardware failures. If you don't back up your data, you get what you deserve.


2) Verify all software before installing it. Verify your software source is reliable and that the software itself is reliable. Look up the software title on the Internet using a search engine to discover if it has been reported as problematic. Download software from reliable sources such as VersionTracker, MacUpdate, Major Geeks, etc. Don�t ever blindly install emailed software. It could be malware.


3) Verify that websites you visit are legitimate. This third rule is difficult to implement on your own. Use tools provided inside web browsers, as well as add-on browser extensions, that help you check websites you visit against a blacklist of known bad websites. One of the most popular ways of spreading malware at this time is via 'drive-by' infections via JavaScript and Java.  Don't ever blindly click on web links in email. The could be sending you to a malware infection or identity phishing website.


4) Keep your computer up-to-date with the most recent security updates. Apple provide security updates on a regular basis. Security Preferences, built into Mac OS X, should let you know when an update is available. You can also open Security Preferences yourself and have it check for you.


5) Use a 'Standard' account when surfing the Internet or using your Mac on any network. Do NOT use an 'Administrator' account in these situations. This is not a cure all to prevent your Mac from becoming hacked or malware infected. But it adds a terrific layer of security to help prevent malicious root access to your computer.


6) Password protect your user account. Make sure your account password is not a dictionary word or you'll be hacked in no time flat. Use something long and obscure that you can remember but that you expect no one could guess. To this day I run into people who tell me 'But I'm the only one who uses my computer!'. Cure your ignorance please. There is NO excuse for not protecting your computer with a password. If you don't protect your user account, you get what you deserve.

Yes, I'm that mean and cruel when it comes to computer security. There are wonderful security strategies and tools that Apple provide, such as Time Machine, Disk Utility, Standard user accounts and password protection. If you don't put them to use, I have no sympathy! If you have questions about how to make them work for you, write to me, talk to Mac users you know, contact users on the Internet or at your local Mac user group. These tools are not difficult. They are important and they are FREE.




A Few Further Strategies:


I'm only going to list these strategies as they are more complicated and involved to install and get running. What's important is that they are available, they are also FREE, and they may well save you from giving away data to the bad guys.

A) FileVault. You will find it inside the Security System Preferences. It lets you transparently encrypt your entire user account folder so no one can ever get to your data without knowing the decryption password. This is rock solid encryption you can rely upon. Apple will be providing an option for encrypting your ENTIRE computer hard drive in Mac OS X 10.7 Lion. I personally consider whold drive encryption to be overkill. But it is considered to be critical in Enterprise business situations. Note that there are some minor dysfunctions that result from encrypting your user account. But if you have critical data, it is an excellent security tool.

B) Firmware Password. Apple provide a utility to set their Firmware Password Utility on all Mac OS X installation DVDs. It adds another layer of security to keep the bad guys out of your computer. Sadly, it is not fool proof. A tech savvy bad guy can work around it. Encryption is a much more effective tool. Also note that you lose some minor computer functionality when you use a firmware password.

C) GnuPG, aka GNU Privacy Guard. I have been using GPG for many years at this point. I'm a fairly infamous critic of the bugs that have should up in the related tools from time to time. Also note that GnuPG has a steep learning curve and can be a bit frustrating. However, it is a FREE and brilliant tool with many users. You can encrypt and password protect anything you like. The Apple Mail tool lets you digitally sign all your email in order to verify exactly who you are to those who receive your email. You can encrypt your email such that no one can read it in transit over the Internet. It lets you create any number of encryption keys as well as collect public keys from your friends and acquaintances. And more! If you want to be serious about encryption, GPG is excellent. These days it also has a terrific group of developers dedicated to keeping it bug free and up-to-date.

D) Disk Utility. Among the many features of the Mac OS X Disk Utility application is the ability to create encrypted, password protected .sparseimage files. I absolutely love this feature and use a sparseimage I created all day, every day. I have my sparseimage open every time I log into my user account. I provide the decryption password and it sits on my desktop like a disk volume. Anything I put into it is encrypted and unavailable to anyone but me as soon as I close the disk image. Because its a sparseimage, it can grow to as large a size as you choose as you add more into it. Recently the DropBox application and server have become notorious because nothing-at-all is encrypted when you use it. That can be very bad. However, I work around this problem by putting only my sparseimage file into my drop box. No one has any access to anything I have in my DropBox ever, thanks to this great tool.

E) Anti-Malware applications. I own, use and love Intego's VirusBarrier X6 ($50). There aren't any better anti-malware applications, period. But I have to pay for malware signatures every year. If you are a professional user, VirusBarrier is well worth the cost. 

If you're a casual computer user, paying for anti-malware is a bit less critical. I've worked fairly closely with Mark Allan and friends who develop and support the FREE program ClamXav. There was a time when I had quite the run-in with the ClamAV Open Source project because most volunteers there cared not-a-whit about Mac OS X. But gradually Mark and I managed to turn a few heads and encourage them to get up-to-date with current Mac malware. At this point in time I can tell you that just about all current Mac malware is being detected by ClamAV. Therefore, I highly recommend downloading, installing and running ClamXav from time to time if you are concerned about malware. The GUI Mark provides is excellent. 

Also, if you own Snow Leopard Cache Cleaner ($15) you will find that it includes its own implementation of ClamAV, also highly recommended. I no longer recommend free iAntiVirus as it is now out-of-date and less effective than the ClamAV alternatives.


There are plenty more security tools and strategies, both free and for a fee. But the above is a good start with reasonable coverage.

For the extra security conscious, as ever I highly recommend the TWiT.tv podcast 'Security Now' with the most excellent Steve Gibson. It gets highly technical but is wonderfully presented and very contemporary. You can look up the podcast in iTunes or visit its dedicated webpage at:


http://GRC.com/SecurityNow


:-Derek
--

Another Scathing MacScan Review

--
If you read my stuff, you know I despise ripoffs. This week MacScan is being sold as part of the MacUpdate promo bundle, advertised as a 'security' program. Not much of one IYAM. Today I posted an updated review of MacScan at VersionTracker.com. I decided to provide it here as well:

Just to keep this issue hot on the burner:

Much as I very much like the idea of what MacScan is 'supposed' to do, it FAILs.

1) If you want to detect all the 'malware' on your Mac, you have to run the thing OVER and OVER and OVER. One run is never enough. That's crap programming. And yes folks: I personally have been telling them this for YEARS and YEARS and YEARS. Then they do nothing to improve their detection engine. Instead they post friendly little notes asking for more feedback. Right.

2) Their list of Trojan horses has NEVER been adequate. Right now there are 4 types of Mac OS X Trojans with a total of 22 different strains. MacScan does NOT detect all of them. So what's the point?

3) It claims to find 'spyware', but there is NO illicit spyware for Mac OS X. Not a one. Everything MacScan detects is 'legal' spyware that is freely sold commercially or as shareware to be used by employers or owners of computers in order to keep track of where their users are going and what they are doing with their computers, particularly useful for parents who care about their children. Detecting such stuff can be very useful if someone has secretly installed one of these things on your Mac for nefarious purposes. But this stuff is NOT malware.

4) It is debatable whether tracker cookies are malware. At worst they are a violation of your personal privacy. So turn on the setting in your browser that prevents downloading 3rd party cookies and turn off the setting in Flash that allows any site to put cached data on your computer. You're done. That's for free. It doesn't require MacScan.

I seriously hope MacScan can actually, factually improve and become a useful product that does what it says. But for now it is junkware, not worth paying for, well worth ignoring in favor of real anti-malware applications like VirusBarrier, ClamXav, and iAntiVirus.

--

Intego VirusBarrier Version 10.6 Review:Part I

--
Let's start with the GOOD NEWS:

Intego VirusBarrier is the only anti-malware program I can recommend for Mac OS X. Its interface and features are unmatched by any similar program. The signature updates are regular and reliable. Intego stay right up-to-date with all Mac OS X malware. The program is 100% compatible with Snow Leopard. Ignore all reports to the contrary. For Mac users who want a top notch single-user anti-malware program, this is the only one. Nothing compares, except perhaps Sophos, which is only designed for network users.

The new VirusBarrier 10.6 version adds a bunch of new security features worth the upgrade price. Some features are redundant to those already in Safari and FireFox. The reverse firewall is the only new feature I care about. Reverse Firewalls stop dead any way to zombie your Mac. They also stop all software from 'phoning home'. I've been using Little Snitch for years and love it. The reverse firewall in VirusBarrier 10.6 is not as good as Little Snitch. But it's there and it's useful.

A new single user license for VirusBarrier costs $49.95 and protects two Macs. A new family license is $69.95 and protects five Macs.The 10.6 upgrade is potentially free for those who purchased VirusBarrier 10.5 on or after November 25, 2009 through April 13, 2010. See Intego for details. Otherwise, the upgrade is $34.95 for single users. A family pack upgrade is $59.95 for protecting five Macs. Every new or upgrade license includes a year's subscription of malware signatures.

Intego also provide an occasionally useful and intelligent Mac Security Blog.

Now the BAD NEWS:

1) Accompanying the 10.6 update is a new advertising campaign that makes several wrong and ridiculous claims consisting of what is traditionally called BULL SHITE or FUD. Enjoy:

"More and more malware is discovered every day. Macintosh computers face threats from viruses, Trojan horses, worms and more."

Incorrect! There are ONLY Trojan horses for Mac OS X. Period. The End. If you believe otherwise, you've been duped.

"VirusBarrier X6, the Lowest-Priced Mac Antivirus"

No. FREE would be 'The Lowest-Priced Mac Antivirus', and there are a few of those to choose from. See below.

"... simply visiting a booby-trapped web page can compromise your Mac."

This has never happened on Mac OS X in the wild or in a 'Crack A Mac' competition without an account user providing deliberate sabotage assistance. However it 'could' happen if a JavaScript or Java security hole wasn't patched in your web browser or operating system. (Readers of my posts know what contempt I have for the state of JavaScript).


I hope Intego have brains enough to dump the false advertising before they get sued. I despise FUD and would hate to have to put Intego on a par with Symantec, the renowned masters of anti-Mac security FUD and makers of easily the worst anti-malware for Mac.



2) Yearly malware subscriptions for VirusBarrier are required and expensive. $29.95 for one year. Yikes! A two year subscription is 50% off the second year at $44.90. If you're up for renewal and are using version 10.5, you might as well upgrade to 10.6 at $34.95 and get the included one year subscription, saving yourself $25.

3) Intego outright refuse to provide a list of malware detected and removed by VirusBarrier. That's idiotic and I've directly told them so. They don't care. Instead, I follow the imperfect but useful Threats Database provided by the PC Tools site, the makers of the up and coming competitor program iAntiVirus.

4) And of course, if you turn on the Real-Time Scanner feature, expect VirusBarrier to eat your CPU. So turn it off. You don't need it unless you're dealing with LUSERs, in which case all you have to do is prevent them from having access to an administrator account and password. It's seriously that simple.

CONCLUSION:

So what is VirusBarrier for? It protects you from LUSER behavior and lets you find and wipe out Windows malware you may be passing along to Windows users.

If you're a conscientious Mac user who checks the validity of all software you install, you don't need VirusBarrier to protect your Mac. There are less reliable free alternatives if you want to try them out, such as ClamXav and iAntiVirus. (Avoid MacScan, which is ultra-lame).

I'll be posting a detailed feature review in Part II after I test the new VirusBarrier 10.6.3 update.
--

Security Concerns After Installing Snow Leopard

--
We all hopefully know that, at this time, Mac OS X is the safest commercial GUI OS on the planet. But in the spirit of perfection, here are some problems I found with the default installation of Snow Leopard. Some of them are very bad. Some are merely worrisome.

1) The firewall is OFF. So TURN IT ON!!! You can do this in the Security preferences.
--> I'm very annoyed with Apple on this blunder. Firewall protection is fundamental these days. A good scolding is in order. I have no doubt the professional security experts will do the job for me.

2) Automatic login is ON. So TURN IT OFF!!! You can do this is the Accounts preferences.
--> Again, Me = very annoyed. Again this is fundamental. Scold scold scold. You'd think no one at Apple had ever studied the security hell known as Windows. Both firewall protection and login protection were lacking in Windows for years, leading to major hacking and cracking.

3) In Accounts preferences, under the 'Guest Account', the checkbox "Allow guests to connect to shared folder" is ON. If you have no interest in guests doing anything on your Mac, turn this off.
--> If you are on a LAN with other people and want to allow sharing, leaving this on is important. But if you are on your own at home, it's safer IMHO to just leave this off until such time as you want to use it. Mobile laptop users most likely want this off by default until such time as they return to their LAN. I would have much preferred Apple left this off by default after installation.

4) In the Accounts preferences, Login Options, "Display login window as:" is set to "List of Users". I suggest you change this to "Name and Password".
--> Family computer users should ignore me on this one. At home, who cares. But if your computer is going out into the wild, I like the added security of forcing any would-be hackers to have to guess at BOTH your username AND password. Why give them a break and give away usernames?

5) In the Security preferences, General tab, "Require a password to unlock each System Preferences Pane" is turned OFF. I like this checked ON.
--> This is one of those fiddly things that maximize security but can also be annoying. Turning it on means that no rogue software running on your Mac can play around with your system preferences. As soon as it did you'd see boxes popping up requesting your administrator password. Theoretically this could happen with one of the current Trojan horses for Mac OS X. So to play it safe, check it on. But it's not a major deal. On the other hand, it's not exactly paranoia either.

6) This one is for MacBooks and iMacs only: In the Security preferences, General tab, at the bottom of the window are the setup switches for your infrared remote. The remote can be used to access Front Row, among other things. After installation it is important that you 'Pair' your specific remote with your Mac. Otherwise, as it says in settings, "This computer will work with any available remote." That's BAD. Therefore, hit the "Pair" button and go through the process.
--> This is a very good chore to follow immediately after your Snow Leopard installation. If you are extra paranoid about having a remote, or you lost your remote, you can always check ON "Disable remote control infrared receiver."

7) Software Update preferences are set to "Download updates automatically". Please turn this OFF.
--> Allowing your computer to automatically download anything is BAD. It has already been proven that it is possible to hijack a server address, have it fake being an update server, then have it spew at you malware downloads. No, it has never happened to Macs. But it can. Therefore, only YOU should approve ANYTHING that is downloaded. No auto-downloads EVER. OK?

8) Safari preferences, in the General tab, "Open 'safe' files after download" is checked ON. Please turn this OFF and leave it off forever.
--> Much as it is nice to have .zip and .dmg files open up for us immediately after they download, get out of the habit. This is another really BAD IDEA in all cases. It is as bad as auto-downloads. Instead, you personally want to open anything you have downloaded.

Imagine this: Some malware was somehow downloaded to your computer, via Safari, and automatically opens up its downloaded file. There it is in front of you in a window and you think everything is OK and run the application that was inside. You may have just infected yourself with the malware. Therefore, making sure that only you open anything you personally download is important as part of a deliberate process of verifying that you are not installing a Trojan or other malware. And remember to always verify a file or application is 100% legitimate before you download it or open it.

Once we get into the habit of clickity-click on every little thing, we can get ourselves into trouble. Some people say that going through all these extra steps of caring about exactly what you are doing can become drudgery and you end up doing clickity-click anyway. Nope! That never happens with me. Instead what I found is that I got into the habit of being careful. That is the entire point, and making that point a habit is very good for all of us.

There is some other minor stuff of concern in Snow Leopard, but I need a break. You can breathe now and/or break into joyful LaUGhTeR at all these extraneous security precautionary maniaism stuff things. It's OK. I'll just go cry quietly into my hanky. I can take it. (;_;)

Windows users have to be incredibly meticulous about all this security rigmarole. Every little nook and cranny of Windows can be a security hole. We Mac OS X users get to relax, mostly, about security regiments. At the moment, the worst we can do is download and install a Trojan and get out Mac zombied. That's all! ;-) If we think about being careful, no Trojans can get us.

Nonetheless, I'm attempting to show other Mac users how to be as safe as possible. Therefore, all of the above list applies if you are security conscious. I use myself as a guinea pig to see what it takes to be stealthed and defended to the MAX, and to see if I can stand it. The answer is yes, I can stand it. But I woudn't wish it on my granny!

Check this out: I have Little Snitch popping up asking if this app can go do that on the Internet. I have the mess known as 'JavaScript' turned OFF by default in my web browser. I only turn it on only for trusted websites. My browser is set to never accept cookies from third party sites. That stops Tracker Cookies. I read up on the latest security problems and updates via Apple, Intego, Secunia and SANS, among others. That means I've always got the lastest versions of Flash, Shockwave, AIR and Adobe Reader installed in order to avoid Adobe security vulnerabilities. The same goes for FireFox, QuickTime, iTunes, etc. I have Intego VirusBarrier installed, kept up-to-date with malware signatures and always running. I also have both ClamXav and iAntiVirus freeware installed (mostly for testing). And there's more! (0_0)

That's just me playing with Mac security for my interest and yours. You could ignore all this stuff, except the advice about Trojan horses!!!, and be happy as can be. You've got a Mac.

But there are ways to be SAFER. That's why I write this blog. Put it to use as you will. Hopefully you won't actually need any of this stuff. But maybe you will...

Share and Enjoy!
Glad to be of service!
Nothing ever goes wrong at
Cirus Cybernetics Corpororpororpor*@%

;-Derek
--

Quickie Reviews of ClamXav, iAntiVirus and MacScan

--
Recently, I've been testing the free anti-malware options for Mac. At the moment, none of them are perfect. But there is progress! Below are posts I made this week over at the VersionTracker.com sites regarding iAntiVirus, ClamXav and MacScan:

I) MacScan Is Unreliable:

I've tested MacScan several times over the course of several versions. The results are consistently flaky. It is impossible to get it to detect items reliably. Instead you have to run it over and over and over and over to get the thing to pick up everything.

For some purposes, like detecting the full raft of 'legal' Mac Spyware and Tracking Cookies, this is the only show in town. But OMG does it suck. IMHO MacScan requires an entire rewrite in order get a rating better than one star. The developers have done some nice things like providing some sort-of working removal tools for current Trojans. So they aren't evil. They're just lousy programmers.

II) iAntiVirus Is Basic, Not Perfect, Mostly Works:

Keep in mind that this thing is FREE:

Despite some outright dishonest flame reviews of iAntiVirus here at VT, it actually does work, mostly. I let it loose on a folder full of Trojans a friend shared with me and it successfully found MOST of them:

Trojan.OSX.RSPlug.C, D & F
Trojan.OSX.iServices.A & B

Problems:
1) It did NOT find Trojan.OSX.RSPlug.E, of which I had a number of copies in my folder-full-of-Trojans. That is upsetting.
2) It also uses wrong names for the iServices Trojans. But sadly, despite a clear naming convention for malware, hardly anyone bothers, which is of course pathetic.
3) The app only gives you two choices when it finds malware: Either remove the malware or nothing. There is no sophistication to this app whatsoever.

Maybe the 'Pro' version is way better. I don't know. The PC Tools website certainly 'claims' iAntiVirus detects all the current Mac malware. Judging from the free version, it only finds some Mac malware. Maybe I'll test the Pro version some time.

In the meantime, I own Intego VirusBarrier, which frankly is the ONLY anti-malware app for Macs I can recommend. It works great, detects everything, is updated daily, is entirely reliable, is never a CPU hog, and has all the bells and whistles you could want.

If you want to stick with free stuff, the best idea is to use BOTH iAntiVirus AND ClamXav. Between the two of them you're probably just fine. This is thanks to the fact that the excellent author of ClamXav went out of his way to convince the ClamAV project to accept contemporary Mac malware sample definitions. *Applause*

Addendum: I should note that iAntiVirus also fails to detect RSPlug.I and .L.

III) ClamXav: Progress! But Still Waiting For Full Mac Malware Detection:

Recently, ClamXav developer Mark Allen went out of his way to convince the ClamAV project to accept contemporary Mac malware samples for definition integration. *Applause*

However, my testing today shows only partial progress from the ClamAV project.

MY TEST: A friend provided me with a large collection of recent Mac Trojan horses including all the iServices and RSPlug malware. There were 18 samples in all. I used them as my testing ground.

RESULTS: ClamXav, via the latest engine and definitions of ClamAV, found 10 of them and successfully put them into my quarantine folder.

As my control, I used Intego VirusBarrier, latest version with current definitions. It found all but one of the malware. (The undetected malware was a .pkg with the payload inside a .bom file).

What ClamXav, via ClamAV, didn't detect:
DMG files containing:
RSPlug.D
RSPlug.E
RSPlug.F
RSPlug.I
RSPlug.L

I'm testing iAntiVirus, (runs on Mac OS X Leopard only). But it too is unable to detect RSPlug.E [as well as .I and .L].

CONCLUSIONS:

1) ClamXav is the best of the free anti-malware application options. But the ClamAV database of current Mac malware is still not completely up to date. However, it is far better than it was a couple months ago thanks to Mark Allen's work.

2) Even with the combination of ClamXav and iAntiVirus, it is still possible to have a current Mac Trojan sneak by. But then again, Intego VirusBarrier missed one as well, possibly due to the way the Trojan was packaged.

A high quality paid anti-malware application remains the best way to go for professional use. But for casual use, ClamXav is the best, despite remaining ClamAV deficiencies. I would combine it with iAntiVirus as well if you are running Mac OS X Leopard.

--

Derek's Minor Intego Adventure

--
Intego VirusBarrier remains my favorite Mac anti-malware application. Yeah, like many of it's competitors, it's named incorrectly, (should be 'MalwareBarrier'). And yeah, they don't publish a list of their malware definitions, but I still... WHAT? No malware list?!

So I contacted Intego and had an email chat with a nice fellow at their Support Team. My question: Where is your malware list? Their reply:

We do not provide a list of every virus that VirusBarrier X5 protects against. If you have a question about a particular virus threat, please let us know and we will be more than happy to answer the question for you. You can also find information on our security blog about new threats:

The Mac Security Blog

This is actually a very good blog. However, it does not cover all Mac malware. So I persisted in my conversation with Intego. It turns out that there is a disconnect between their blog and their news releases; Therefore, you have to keep track of both:

Intego Press Releases

I found it is indeed possible to scavenge together a list of Mac OS X malware detected by VirusBarrier. I was also pleased to find the list is complete.

(The possible exception is Trojan.OSX.RSPlug.G, which for all I know is mythological. Only PCTools' iAntiVirus program notes it having been found in the wild. Or, on the other hand, Intego may include the G variant with the F variant. It's hard to tell thanks to the industry's insistent lack of conformity to malware description and naming standards).

So why doesn't Intego provide a simple list of detected malware with descriptions of each malware family and variant, like you know, everyone else does? I call it disorganization, which is a shame since they easily have the most organized and best written anti-malware program for Mac.

Until Intego get better organized, I suggest keeping track of the Mac OS X Threat List provided at the PCTools iAntiVirus site page. It contains a lot of baloney proof-of-concept, inert and ancient Mac OS (not X) malware. Otherwise I find it very useful. Yes, it has the same old problem of not adhering to malware naming standards resulting in the same old comprehension chaos. And yeah, this list has some incomprehensible duplication of malware, like DNSChanger and RSPlug being listed separately when in fact they are the same thing. *rolling eyes* But so far, it's the most complete, literate and up-to-date list I have found:

iAntiVirus Threat List

[I continue to ask: Why do I have to write this blog? Why isn't there a nice, up-to-date, simple, complete, sane, standards compliant site dedicated to Mac OS X malware? Until one appears, I'll continue trying to fill the void.]
--