Allison Sheridan, profile picture
Uploaded byAllison Sheridan
1,341 views

Security on the Mac

The document discusses the history and current state of Mac OSX security. It notes that while Macs were initially safer than Windows PCs due to obscurity, malware has increasingly targeted OSX in recent years. Some key points made in the document include: major Mac malware first emerged around 2004 but increased significantly after 2008; malware authors' motivations changed over time from vandalism to profit; and Apple became complacent on security after years without major threats. The document provides recommendations for users to help stay safe such as always installing software updates promptly.

Embed presentation

Downloaded 21 times
Mac OSX Security Allison Sheridan November 2012 http://podfeet.com Sunday, November 25, 12 1
Definitions Malware - a generic term to describe anything put on your machine with the intent to harm Virus - a self-replicating type of malware that moves from machine to machine without active participation by the user Trojan Horse - malware that masquerades as something else - e.g. free Photoshop, video codecs http://podfeet.com Sunday, November 25, 12 2
Agenda History Didn’t we used to be safe? State of the Union Where are we now? (Some good news) What practical things can we do to be safe? Email safety Software updates Protecting passwords Gatekeeper Anti-Virus http://podfeet.com Sunday, November 25, 12 3
2004 - 2007 Blissful Ignorance 2004 - Mostly ignored Renepo worm is proof of concept 2006 - Denial Leap-A first ever virus for OSX 2007 - I remember this year Office Macro Virus ran on OSX, Windows & Linux (we all blamed it on Microsoft) Bad Bunny (creepy pornographic bunny) and the first Financial Trojan for Mac (and Windows) - which also offered porn http://podfeet.com Sunday, November 25, 12 4
2008 - Things star t to heat up Macs and PCs attacked by poisoned adverts offering Scareware called MacSweeper and Imunizator - without which they threatened all your data would be erased Hovdy-A Trojan stole passwords, opened the firewall and disabled security settings RKOSX-A - Helped make more trojans Video Codec claims - you can't play the video without this codec… First time Apple suggested anti-virus software, and then deleted the suggestion http://podfeet.com Sunday, November 25, 12 5
2009 - Your Own Darn Fault iWorkS-A trojan horse in pirated versions of iWork and Photoshop Another video virus MacCinema How about some more porn? Enjoy your Jahlav trojan We're all still smug that we're too smart to get infected http://podfeet.com Sunday, November 25, 12 6
2010 - Star ting to Get Ner vous Pinhead trojan allowed hackers to gain remote control - but again through downloads of legitimate software from illegitimate sites like iPhoto Boonana worm uses a Java applet to target Windows, Mac and Linux http://podfeet.com Sunday, November 25, 12 7
2011 & 2012 Hard to Ignore BlackHole RAT allows hackers to gain remote access MacDefender hits the scene - pretending to be a legitimate security application - acquired through a search engine poisoning campaign Flashback Trojan hits disguised as an update for Adobe Flash Apple acknowledges and provides removal tools source: http://nakedsecurity.sophos.com/2011/10/03/mac-malware-history/#2004 http://podfeet.com Sunday, November 25, 12 8
What Changed? Originally malware was plain old vandalism - destroy your hard drive and leave a signature for bragging rights Over time, malware has mutated into a multi-billion dollar business Hactivism - hacking for political purposes LOLSec & Anonymous Digital espionage and sabotage  Stuxnet malware distributed specifically to attack a Siemens computer system used by Iran’s nuclear program http://podfeet.com Sunday, November 25, 12 9
The Big Money - Botnets Technical bad guy writes some code and infects a lot of machines (millions) such that he/she can control those machines at will Technical bad guy sells the botnet to an extortionist Extortionist tells a gambling site, “It would be a shame if your site went down the night before your big tournament” If the gambler doesn’t pay up, extortionist tells all the machines in the botnet to attack the gambling site at the same time Creating a Distributed Denial of Service Attack http://podfeet.com Sunday, November 25, 12 10
Why was OSX Left Alone So Long? OSX is based on a relatively secure operating system - BSD with decades of security updates  Remember no OS is truly secure Secure as compared to Windows  Small number of computers meant less less profit Remember bad guys need to infect millions of computers to be Effective OSX wouldn't have added significantly to the numbers http://podfeet.com Sunday, November 25, 12 11
Apple Took Their Eyes Off the Ball Flashback Trojan didn't have to be as painful as it was Apple didn't patch Java for months after Oracle patched - would have saved so many from Flashback Apple grew complacent after decades of no real threats Microsoft in contrast became very vigilant Microsoft have implemented technologies for preventing exploits of bugs (DEP + ASLR) Apple has it NOW but they were late to the party http://podfeet.com Sunday, November 25, 12 12
#1 Thing You can Do to be Safe When Software Update tells you it’s ready to give you something - say yes! Don’t procrastinate when it wants to reboot With Lion+ resume all windows and applications it’s much faster to reboot Allow your applications to update as well http://podfeet.com Sunday, November 25, 12 13
I Have an Old OS, They Won’t Attack That Well...that’s not quite true Apple only updates one OS version back Mountain Lion is out - Lion is updated but not Snow Leopard Older OS’s often contain the same code that just got patched in the new OS Vulnerabilities still exist in the old OS so you’re not safe Best to upgrade say after the first two revs are out What’s the advantage of waiting? You know you’re going to upgrade eventually! http://podfeet.com Sunday, November 25, 12 14
Just Disable Java* Very few sites use Java these days Disable in your browsers (Tutorials on how to do that on Podfeet.com!) If you ever need Java, reenable on Chrome and then disable again Safari automatically disables Java if you don’t use it for a while (what does that tell you?) Another option is to keep one browser for Java that you never use for anything else * Apple removed Java from all browsers in late October http://podfeet.com Sunday, November 25, 12 15
Mountain Lion: Now for the Good News Gatekeeper controls how and what apps you can install Safer to download apps Harder to get malware Highest protection level: Set Security to allow apps from Mac App Store Only Apple reviews each app If an app slips by, Apple can remove from the store http://podfeet.com Sunday, November 25, 12 16
What if You Don’t Use the MAS? You: Set Security preferences Allow apps from MAS and from identified developers Developers: Register with Apple, they get a unique developer ID Digitally sign their apps with this ID Gatekeeper: Checks to see if the app is digitally signed and warns you if it’s not Result: Unsigned apps never land on your machine http://podfeet.com Sunday, November 25, 12 17
What if You Know an App is OK? An app you trust shows this when you try to open it You can still open it without turning off Gatekeeper Control-click to open the app Gatekeeper will still warn you but will give you the option to open http://podfeet.com Sunday, November 25, 12 18
I Want to Control My Own Destiny! What if you’re a sophisticated user and want to walk on the wild side? Set Security Settings to Allow from Anywhere Gatekeeper will give you one last chance to change your mind... Now you’re just as insecure as you were on Lion and before Personally, I keep it on Mac App Store and ID’d developers More on Sandboxing and Gatekeeper: http://www.apple.com/osx/what-is/security.html  http://podfeet.com Sunday, November 25, 12 19
So What’s Sandboxing Then? Sandboxing doesn’t require you to do anything Sandboxing isolates apps from critical components of your Mac Apps as submitted to the Mac App Store must declare what features they need to access For example, an address book app would ask for access to your Contacts Some apps ask for access they shouldn’t need - Sandboxing will warn you of this Why would Chrome need my contacts? Just say no! http://podfeet.com Sunday, November 25, 12 20
More on Sandboxing Apple is even Sandboxing its own apps like Notes, Reminders, Game Center, Mail and FaceTime Result - if an app is compromised by malicious code, the damage is limited to what the app is authorized to access Any downsides to Sandboxing? Some of the more creative utilities can never be in the Mac App Store because they do access core services For Example: TextExpander 4, AppDelete http://podfeet.com Sunday, November 25, 12 21
Be Safer in Email Do you ever get email where the From field says thief@iwanttostealyourmoney.com? Of course not! The From field is VERY easy to fake Never ever ever EVER click on any links in an email requesting you update your information at a site Even if it says it’s from your bank or Google, or Apple or .gov Here’s why... http://podfeet.com Sunday, November 25, 12 22
You Can’t Trust Links Learn to hover over links Anyone can fake a link Example: See how the link says it’s from paypal.com? Hovering reveals it’s actually from eagleshell.com Even if hovering shows a link is from the expected source, I still don’t click them Enter the URL directly in your browser so you’re positive it’s the real deal http://podfeet.com Sunday, November 25, 12 23
Just Disable Flash Very few sites use Flash these days For some reason restaurants have Flash menus Most other sites have swapped to h.264 for video Disable in your browsers Flashblock on Firefox addons.mozilla.org/en-US/ firefox/addon/flashblock/  Click to Flash on Safari clicktoflash.com/ Both will stop those annoying animated ads, and make your system more stable Another note - you don’t need Adobe Acrobat, you have Preview! http://podfeet.com Sunday, November 25, 12 24
Time to Talk Passwords Don’t panic, this is easier than you think! Enter LastPass at http://lastpass.com You select one (last) password then store all the rest of your passwords in one place Encryption happens on your machine, not their servers I’m lazier than just about anyone, and I can use LastPass Easy to create passwords, easy to enter passwords Plugins for Safari, Firefox, Chrome LastPass browsers for iOS! http://podfeet.com Sunday, November 25, 12 25
LastPass is the Last Password You Need Save passwords Save websites Save license keys Save credit card info Create auto-fill forms - enter your address, phone number, everything a website is asking for in a few clicks Concerned it might not be safe to trust LastPass? Believe noted security expert Steve Gibson: http://twit.tv/sn/256 http://podfeet.com Sunday, November 25, 12 26
How to Choose Good Passwords Make sure your passwords are long and complex It’s not like in the movies... The longer your password, the harder to crack The more types of characters, the harder to crack Upper/lower case, numbers, punctuation As you add 1 more character to the password each time you get 64 TIMES (x) more strength How do we remember these passwords if not using LastPass to create and store? Consider http://xkpasswd.net to generate complex and yet memorable passwords http://podfeet.com Sunday, November 25, 12 27
Protect the Crown Jewels Anything financial - banking sites, stock trading sites etc. Anything which stores your credit card (including things like your Apple ID, Skype, and store sites like Amazon) All email accounts You’d be surprised how connected your emails are All passwords relating to your work You don’t want to be the person who allowed your company’s proprietary information to leak http://podfeet.com Sunday, November 25, 12 28
Silly Sites NEVER re-use passwords you use on sites like these I used the same password on silly site Gawker Media and Skype Didn’t change my Skype password - was a silly site Forgot Skype auto-loaded credits from my Paypal account Gawker got hacked I lost $200 in 1.5 hours Good news is Paypal and Skype took care of me http://podfeet.com Sunday, November 25, 12 29
Time for Anti-Virus? Sorry, but yes Recommend ClamXav from http://clamxav.com Non-intrusive, doesn’t slow your system down, adds a layer of protection I installed it and messed with the configuration till I got something that doesn’t annoy me but gives some protection Steps to configure ClamXav: http://www.podfeet.com/ wordpress/tutorials/how-to-install-clamxav-anti-virus-for- mac/ Demo time! http://podfeet.com Sunday, November 25, 12 30
Special Thanks Over the past 5 years I’ve been tutored in Security by Bart Busschots of http://bartb.ie Pretty much everything I know on this subject is because of him Follow him on Twitter at @bbusschots Listen to the International Mac Podcast which he hosts with Stu Helm at http://impodcast.com http://podfeet.com Sunday, November 25, 12 31
http://podfeet.com Sunday, November 25, 12 32
Blog/Podcast: podfeet.com Email: allison@podfeet.com Twitter: @podfeet Slides: slideshare.net/nosillacast/presentations http://podfeet.com Sunday, November 25, 12 33

More Related Content

PDF
Ceh v8 labs module 07 viruses and worms
byMehrdad Jingoism
 
PPTX
Computer Viruses
bymkgspsu
 
PDF
A tale of mobile threats
byVincenzo Iozzo
 
PPTX
How To Protect Your Home PC
bythatfunguygeek
 
PDF
Lenny zeltser social engineering attacks
byTravis Barnes
 
PDF
Configure The Unidentified ..
byCody
 
DOCX
Removing virus tri fold - white
byRozell Sneede
 
PDF
Avoiding Digital Disaster or Life After Death
byAllison Sheridan
 
Ceh v8 labs module 07 viruses and worms
byMehrdad Jingoism
 
Computer Viruses
bymkgspsu
 
A tale of mobile threats
byVincenzo Iozzo
 
How To Protect Your Home PC
bythatfunguygeek
 
Lenny zeltser social engineering attacks
byTravis Barnes
 
Configure The Unidentified ..
byCody
 
Removing virus tri fold - white
byRozell Sneede
 
Avoiding Digital Disaster or Life After Death
byAllison Sheridan
 

Similar to Security on the Mac

PDF
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
byConnecting Up
 
PPTX
Seminar project(computer virus)
bycdebraj16101991
 
PPTX
Computer Security and Ethics
byMohsin Riaz
 
PPT
RRB JE Stage 2 Computer and Applications Questions Part 5
byCAS
 
PPT
Theory Of Computation-viruses Theory Of Computation-viruses
bySandeepGupta229023
 
PPTX
SECURITY THREATS.pptx SECURITY THREATS.pptx
byanovalexter
 
PPTX
Lecture 2-1.pptx Lec 04 Risk Management.pptxLec 04 Risk Management.pptxLec 04...
by1230200206
 
PPTX
23 network security threats pkg
byUmang Gupta
 
PPTX
Malicious software and software security
byPrachi Gulihar
 
DOCX
Types of Malware.docx
bySarahReese14
 
PPT
Malware
byNikola Milosevic
 
PPT
ADM 316 Workshop 5 Slides
byRuss Ray
 
PPT
Safe Computing At Home And Work
byJohn Steensen, MBA/TM, CISA, CRISC
 
PDF
4 threatsandvulnerabilities
byricharddxd
 
PPTX
Computer-software (1).pptx
byJohnRebenRequinto1
 
PPT
Venture name Basics
bySathishkumar Vasudevan
 
PPT
Venture name Basics
bySathishkumar Vasudevan
 
PPT
Sangeetha Venture
bySathishkumar Vasudevan
 
PPT
Regression
bySathishkumar Vasudevan
 
PPT
Thur Venture
bySathishkumar Vasudevan
 
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
byConnecting Up
 
Seminar project(computer virus)
bycdebraj16101991
 
Computer Security and Ethics
byMohsin Riaz
 
RRB JE Stage 2 Computer and Applications Questions Part 5
byCAS
 
Theory Of Computation-viruses Theory Of Computation-viruses
bySandeepGupta229023
 
SECURITY THREATS.pptx SECURITY THREATS.pptx
byanovalexter
 
Lecture 2-1.pptx Lec 04 Risk Management.pptxLec 04 Risk Management.pptxLec 04...
by1230200206
 
23 network security threats pkg
byUmang Gupta
 
Malicious software and software security
byPrachi Gulihar
 
Types of Malware.docx
bySarahReese14
 
Malware
byNikola Milosevic
 
ADM 316 Workshop 5 Slides
byRuss Ray
 
Safe Computing At Home And Work
byJohn Steensen, MBA/TM, CISA, CRISC
 
4 threatsandvulnerabilities
byricharddxd
 
Computer-software (1).pptx
byJohnRebenRequinto1
 
Venture name Basics
bySathishkumar Vasudevan
 
Venture name Basics
bySathishkumar Vasudevan
 
Sangeetha Venture
bySathishkumar Vasudevan
 
Regression
bySathishkumar Vasudevan
 
Thur Venture
bySathishkumar Vasudevan
 

More from Allison Sheridan

PPTX
Why Do Strong Passwords Matter?
byAllison Sheridan
 
PDF
Video Conversion on iOS
byAllison Sheridan
 
PDF
Turbocharge Your Mac Productivity
byAllison Sheridan
 
KEY
Podcasting 101 no transitions
byAllison Sheridan
 
PDF
Introduction to Audio Podcasting Blogworld 2009
byAllison Sheridan
 
PPTX
Password Playdate 2015
byAllison Sheridan
 
PPT
Turbocharge Your Mac Productivity SVMUG
byAllison Sheridan
 
KEY
How to Grow Your Audience Through Accessibility
byAllison Sheridan
 
KEY
Podcasting live grouped
byAllison Sheridan
 
PDF
Social Media Presentation 2009 04
byAllison Sheridan
 
Why Do Strong Passwords Matter?
byAllison Sheridan
 
Video Conversion on iOS
byAllison Sheridan
 
Turbocharge Your Mac Productivity
byAllison Sheridan
 
Podcasting 101 no transitions
byAllison Sheridan
 
Introduction to Audio Podcasting Blogworld 2009
byAllison Sheridan
 
Password Playdate 2015
byAllison Sheridan
 
Turbocharge Your Mac Productivity SVMUG
byAllison Sheridan
 
How to Grow Your Audience Through Accessibility
byAllison Sheridan
 
Podcasting live grouped
byAllison Sheridan
 
Social Media Presentation 2009 04
byAllison Sheridan
 

Recently uploaded

PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
PPTX
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
PPTX
Cyber Security Overview-breif note .pptx
byxbitindiacom
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PDF
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PPT
Carole BirdCarole BirdCarole BirdCarole Bird.ppt
byk4n3kictf
 
PDF
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
PDF
AI Driven & AI Native Development AI native development
byZainKarim7
 
PDF
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PDF
Ai In Courts Ai in courts AI in court AI in court
byZainKarim7
 
PDF
Huawei Datacom – How To Pass H12-892 On Your First Try
by591lab
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PPT
Information and Communication Technologies and Power
byJeffrey Hart
 
PDF
Regenerative Agriculture Finance : Environmental impact
byrose mason
 
PPTX
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
Cyber Security Overview-breif note .pptx
byxbitindiacom
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
Carole BirdCarole BirdCarole BirdCarole Bird.ppt
byk4n3kictf
 
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
AI Driven & AI Native Development AI native development
byZainKarim7
 
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
Ai In Courts Ai in courts AI in court AI in court
byZainKarim7
 
Huawei Datacom – How To Pass H12-892 On Your First Try
by591lab
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
Information and Communication Technologies and Power
byJeffrey Hart
 
Regenerative Agriculture Finance : Environmental impact
byrose mason
 
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 

Security on the Mac

  • 1.
    Mac OSX Security Allison Sheridan November 2012 http://podfeet.com Sunday, November 25, 12 1
  • 2.
    Definitions Malware - a generic term to describe anything put on your machine with the intent to harm Virus - a self-replicating type of malware that moves from machine to machine without active participation by the user Trojan Horse - malware that masquerades as something else - e.g. free Photoshop, video codecs http://podfeet.com Sunday, November 25, 12 2
  • 3.
    Agenda History Didn’t we used to be safe? State of the Union Where are we now? (Some good news) What practical things can we do to be safe? Email safety Software updates Protecting passwords Gatekeeper Anti-Virus http://podfeet.com Sunday, November 25, 12 3
  • 4.
    2004 - 2007Blissful Ignorance 2004 - Mostly ignored Renepo worm is proof of concept 2006 - Denial Leap-A first ever virus for OSX 2007 - I remember this year Office Macro Virus ran on OSX, Windows & Linux (we all blamed it on Microsoft) Bad Bunny (creepy pornographic bunny) and the first Financial Trojan for Mac (and Windows) - which also offered porn http://podfeet.com Sunday, November 25, 12 4
  • 5.
    2008 - Thingsstar t to heat up Macs and PCs attacked by poisoned adverts offering Scareware called MacSweeper and Imunizator - without which they threatened all your data would be erased Hovdy-A Trojan stole passwords, opened the firewall and disabled security settings RKOSX-A - Helped make more trojans Video Codec claims - you can't play the video without this codec… First time Apple suggested anti-virus software, and then deleted the suggestion http://podfeet.com Sunday, November 25, 12 5
  • 6.
    2009 - YourOwn Darn Fault iWorkS-A trojan horse in pirated versions of iWork and Photoshop Another video virus MacCinema How about some more porn? Enjoy your Jahlav trojan We're all still smug that we're too smart to get infected http://podfeet.com Sunday, November 25, 12 6
  • 7.
    2010 - Starting to Get Ner vous Pinhead trojan allowed hackers to gain remote control - but again through downloads of legitimate software from illegitimate sites like iPhoto Boonana worm uses a Java applet to target Windows, Mac and Linux http://podfeet.com Sunday, November 25, 12 7
  • 8.
    2011 & 2012Hard to Ignore BlackHole RAT allows hackers to gain remote access MacDefender hits the scene - pretending to be a legitimate security application - acquired through a search engine poisoning campaign Flashback Trojan hits disguised as an update for Adobe Flash Apple acknowledges and provides removal tools source: http://nakedsecurity.sophos.com/2011/10/03/mac-malware-history/#2004 http://podfeet.com Sunday, November 25, 12 8
  • 9.
    What Changed? Originally malware was plain old vandalism - destroy your hard drive and leave a signature for bragging rights Over time, malware has mutated into a multi-billion dollar business Hactivism - hacking for political purposes LOLSec & Anonymous Digital espionage and sabotage  Stuxnet malware distributed specifically to attack a Siemens computer system used by Iran’s nuclear program http://podfeet.com Sunday, November 25, 12 9
  • 10.
    The Big Money- Botnets Technical bad guy writes some code and infects a lot of machines (millions) such that he/she can control those machines at will Technical bad guy sells the botnet to an extortionist Extortionist tells a gambling site, “It would be a shame if your site went down the night before your big tournament” If the gambler doesn’t pay up, extortionist tells all the machines in the botnet to attack the gambling site at the same time Creating a Distributed Denial of Service Attack http://podfeet.com Sunday, November 25, 12 10
  • 11.
    Why was OSXLeft Alone So Long? OSX is based on a relatively secure operating system - BSD with decades of security updates  Remember no OS is truly secure Secure as compared to Windows  Small number of computers meant less less profit Remember bad guys need to infect millions of computers to be Effective OSX wouldn't have added significantly to the numbers http://podfeet.com Sunday, November 25, 12 11
  • 12.
    Apple Took TheirEyes Off the Ball Flashback Trojan didn't have to be as painful as it was Apple didn't patch Java for months after Oracle patched - would have saved so many from Flashback Apple grew complacent after decades of no real threats Microsoft in contrast became very vigilant Microsoft have implemented technologies for preventing exploits of bugs (DEP + ASLR) Apple has it NOW but they were late to the party http://podfeet.com Sunday, November 25, 12 12
  • 13.
    #1 Thing Youcan Do to be Safe When Software Update tells you it’s ready to give you something - say yes! Don’t procrastinate when it wants to reboot With Lion+ resume all windows and applications it’s much faster to reboot Allow your applications to update as well http://podfeet.com Sunday, November 25, 12 13
  • 14.
    I Have anOld OS, They Won’t Attack That Well...that’s not quite true Apple only updates one OS version back Mountain Lion is out - Lion is updated but not Snow Leopard Older OS’s often contain the same code that just got patched in the new OS Vulnerabilities still exist in the old OS so you’re not safe Best to upgrade say after the first two revs are out What’s the advantage of waiting? You know you’re going to upgrade eventually! http://podfeet.com Sunday, November 25, 12 14
  • 15.
    Just Disable Java* Very few sites use Java these days Disable in your browsers (Tutorials on how to do that on Podfeet.com!) If you ever need Java, reenable on Chrome and then disable again Safari automatically disables Java if you don’t use it for a while (what does that tell you?) Another option is to keep one browser for Java that you never use for anything else * Apple removed Java from all browsers in late October http://podfeet.com Sunday, November 25, 12 15
  • 16.
    Mountain Lion: Nowfor the Good News Gatekeeper controls how and what apps you can install Safer to download apps Harder to get malware Highest protection level: Set Security to allow apps from Mac App Store Only Apple reviews each app If an app slips by, Apple can remove from the store http://podfeet.com Sunday, November 25, 12 16
  • 17.
    What if YouDon’t Use the MAS? You: Set Security preferences Allow apps from MAS and from identified developers Developers: Register with Apple, they get a unique developer ID Digitally sign their apps with this ID Gatekeeper: Checks to see if the app is digitally signed and warns you if it’s not Result: Unsigned apps never land on your machine http://podfeet.com Sunday, November 25, 12 17
  • 18.
    What if YouKnow an App is OK? An app you trust shows this when you try to open it You can still open it without turning off Gatekeeper Control-click to open the app Gatekeeper will still warn you but will give you the option to open http://podfeet.com Sunday, November 25, 12 18
  • 19.
    I Want toControl My Own Destiny! What if you’re a sophisticated user and want to walk on the wild side? Set Security Settings to Allow from Anywhere Gatekeeper will give you one last chance to change your mind... Now you’re just as insecure as you were on Lion and before Personally, I keep it on Mac App Store and ID’d developers More on Sandboxing and Gatekeeper: http://www.apple.com/osx/what-is/security.html  http://podfeet.com Sunday, November 25, 12 19
  • 20.
    So What’s SandboxingThen? Sandboxing doesn’t require you to do anything Sandboxing isolates apps from critical components of your Mac Apps as submitted to the Mac App Store must declare what features they need to access For example, an address book app would ask for access to your Contacts Some apps ask for access they shouldn’t need - Sandboxing will warn you of this Why would Chrome need my contacts? Just say no! http://podfeet.com Sunday, November 25, 12 20
  • 21.
    More on Sandboxing Apple is even Sandboxing its own apps like Notes, Reminders, Game Center, Mail and FaceTime Result - if an app is compromised by malicious code, the damage is limited to what the app is authorized to access Any downsides to Sandboxing? Some of the more creative utilities can never be in the Mac App Store because they do access core services For Example: TextExpander 4, AppDelete http://podfeet.com Sunday, November 25, 12 21
  • 22.
    Be Safer inEmail Do you ever get email where the From field says thief@iwanttostealyourmoney.com? Of course not! The From field is VERY easy to fake Never ever ever EVER click on any links in an email requesting you update your information at a site Even if it says it’s from your bank or Google, or Apple or .gov Here’s why... http://podfeet.com Sunday, November 25, 12 22
  • 23.
    You Can’t TrustLinks Learn to hover over links Anyone can fake a link Example: See how the link says it’s from paypal.com? Hovering reveals it’s actually from eagleshell.com Even if hovering shows a link is from the expected source, I still don’t click them Enter the URL directly in your browser so you’re positive it’s the real deal http://podfeet.com Sunday, November 25, 12 23
  • 24.
    Just Disable Flash Very few sites use Flash these days For some reason restaurants have Flash menus Most other sites have swapped to h.264 for video Disable in your browsers Flashblock on Firefox addons.mozilla.org/en-US/ firefox/addon/flashblock/  Click to Flash on Safari clicktoflash.com/ Both will stop those annoying animated ads, and make your system more stable Another note - you don’t need Adobe Acrobat, you have Preview! http://podfeet.com Sunday, November 25, 12 24
  • 25.
    Time to TalkPasswords Don’t panic, this is easier than you think! Enter LastPass at http://lastpass.com You select one (last) password then store all the rest of your passwords in one place Encryption happens on your machine, not their servers I’m lazier than just about anyone, and I can use LastPass Easy to create passwords, easy to enter passwords Plugins for Safari, Firefox, Chrome LastPass browsers for iOS! http://podfeet.com Sunday, November 25, 12 25
  • 26.
    LastPass is theLast Password You Need Save passwords Save websites Save license keys Save credit card info Create auto-fill forms - enter your address, phone number, everything a website is asking for in a few clicks Concerned it might not be safe to trust LastPass? Believe noted security expert Steve Gibson: http://twit.tv/sn/256 http://podfeet.com Sunday, November 25, 12 26
  • 27.
    How to ChooseGood Passwords Make sure your passwords are long and complex It’s not like in the movies... The longer your password, the harder to crack The more types of characters, the harder to crack Upper/lower case, numbers, punctuation As you add 1 more character to the password each time you get 64 TIMES (x) more strength How do we remember these passwords if not using LastPass to create and store? Consider http://xkpasswd.net to generate complex and yet memorable passwords http://podfeet.com Sunday, November 25, 12 27
  • 28.
    Protect the CrownJewels Anything financial - banking sites, stock trading sites etc. Anything which stores your credit card (including things like your Apple ID, Skype, and store sites like Amazon) All email accounts You’d be surprised how connected your emails are All passwords relating to your work You don’t want to be the person who allowed your company’s proprietary information to leak http://podfeet.com Sunday, November 25, 12 28
  • 29.
    Silly Sites NEVER re-use passwords you use on sites like these I used the same password on silly site Gawker Media and Skype Didn’t change my Skype password - was a silly site Forgot Skype auto-loaded credits from my Paypal account Gawker got hacked I lost $200 in 1.5 hours Good news is Paypal and Skype took care of me http://podfeet.com Sunday, November 25, 12 29
  • 30.
    Time for Anti-Virus? Sorry, but yes Recommend ClamXav from http://clamxav.com Non-intrusive, doesn’t slow your system down, adds a layer of protection I installed it and messed with the configuration till I got something that doesn’t annoy me but gives some protection Steps to configure ClamXav: http://www.podfeet.com/ wordpress/tutorials/how-to-install-clamxav-anti-virus-for- mac/ Demo time! http://podfeet.com Sunday, November 25, 12 30
  • 31.
    Special Thanks Over the past 5 years I’ve been tutored in Security by Bart Busschots of http://bartb.ie Pretty much everything I know on this subject is because of him Follow him on Twitter at @bbusschots Listen to the International Mac Podcast which he hosts with Stu Helm at http://impodcast.com http://podfeet.com Sunday, November 25, 12 31
  • 32.
  • 33.
    Blog/Podcast: podfeet.com Email: allison@podfeet.com Twitter: @podfeet Slides: slideshare.net/nosillacast/presentations http://podfeet.com Sunday, November 25, 12 33