Secure Your Mac
Mike Inskeep Gentle Computer Helpers www.gentlehelpers.com
mike [at] gentlehelpers [dot] com 610-742-3927
Gentle Computer Helpers Secure Your Mac
About Mike
• Supported Macs for 25 years:
- Director of Microcomputer Support, University of Pennsylvania’s School of Arts & Sciences
- Technology Teacher and Coordinator, Friends School Haverford
- Independent Macintosh consultant since 1999
• Mostly supports users’ personal computing or small businesses and organizations.
• Particular interest in data security and privacy.
Target Audience
• Those using Macs for personal use at home, around town or while traveling
• Home-based or small businesses using Macs
Macs Are More Secure
• Fewer threats target Macs (400,000 new pieces of malware for Windows per day vs 3-4 per week targeting Macs)*
• Apple builds a strong Chain of Trust (e.g. generally well-moderated App Store).
*Source: Graham Cluley on The Committed podcast Episode 65 at 29:44.
Source: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
The Value of a Hacked PC by Brian Krebs
Offense Is Way Ahead
It’s very hard to completely protect a computer, so our strategy is to make it harder and more time-consuming.
• An unlocked car with keys in the ignition is going to be stolen before a locked car with no visible keys (less work).
“If we were to score cyber security the way we score soccer, we'd be 20 minutes into the game and the score would be 462 to 456.”
- Chris Inglis, retired Deputy Director of the NSA
Cover Your Butt - Back Up Your Mac
• An essential precondition for reliable security.
• Protects against ransomware.
• Buy an external drive ~3 times the size of your hard drive. Approximate prices from Micro Center or Amazon:
- $60 for Toshiba Canvio 1TB or $95 for 2TB portable drive
- $120 for Toshiba Canvio 4TB or $160 for 5TB desktop drive
- $300 for 2TB or $400 for 3TB 802.11ac Apple Time Capsule
• Plug it in. Follow the prompts to use it for Time Machine backups.
• I also recommend an encrypted cloud backup like CrashPlan or BackBlaze ($4-5/month individual; ~$10/month family).
Malware
• Types of malware and how they spread, in order of prevalence:
1. Trojan horses (applications that must be launched by user)
2. Worms (independent, self-replicating applications)
3. Viruses (self-replicating additions to other applications)
• Rootkits hide the application and its processes, making detection and removal very difficult.
Can Anti-Virus Solve the Problem?
• No application will protect you against a new piece of malware, because new malware is programmed to avoid detection by existing anti-virus programs.
• Anti-virus applications cannot protect you against rootkits.
• Apple security patches (bundled with updates) protect your Mac against malware by removing vulnerabilities. They’re usually issued at the same time as public disclosure.
• Apple will generally issue a patch that will protect you against publicly disclosed vulnerabilities within 1-2 weeks if you’re running the current OS or previous 2 versions.
• When to use an anti-virus application:
- Your older Mac can’t run the current Mac OS.
- You collaborate regularly with Windows colleagues.
- You want the extra couple days to two weeks of protection.
Anti-Virus Test Results
Source: http://www.av-test.org/en/news/news-single-view/mac-os-x-under-attack-10-security-packages-put-to-the-test/
Anti-Virus Recommendation
• I think you’re better off practicing good computer hygiene. Anti-virus generally provides false security. It doesn’t protect you from the two greatest threats, as the next slide will demonstrate.
• If you do want to run an anti-virus, install one before you get infected.
• I recommend the free version of the BitDefender scanner: excellent detection; very little performance degradation.
• In the App Store version disinfection is limited by the privileges of the user running the app.
• Doesn’t scan applications stored in memory.
• Download: http://www.bitdefender.com/solutions/free.html
Review: http://www.pcmag.com/article2/0,2817,2421252,00.asp
How Threats Get to Your Computer
Source: http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf
Minimize Attack Surface
• Be thoughtful about granting physical access to your Mac.
• Get an Apple router and configure it to use OpenDNS servers.
• Set up a dedicated administrator account and standard accounts for each person using the Mac.
• Install the latest version of the Mac OS that your hardware will support. Keep your Mac OS up-to-date.
• Install applications from reliable sources. Keep them updated. Uninstall applications you don’t need or use.
• Use a password manager.
• Customize your Mac’s system settings.
• Use my 3 browser strategy on the web.
• Use a Virtual Private Network (VPN) on public Wi-Fi.
Minimize Access
• If it is not always in a physically secure location, set a firmware password.
• Log out or shut down at the end of every session.
• Be cautious about plugging devices or adaptors that you did not buy into Thunderbolt, USB or other ports, to protect yourself against malware like Thunderstrike (which gains complete control over your Mac).
• Set up Find My Mac in iCloud for MacBooks so you can remotely lock it if it goes missing.
Guard Access via Network
• Turn off WiFi and Bluetooth when not using them.
• Use an Apple router unless you buy one capable of running open source OpenWRT or derivative software [1].
- Currently unpatched D-Link, Trendnet flaw allows “remote code execution.” [2]
- WPS PIN can be brute forced. [3]
- “The Moon” worm attacks Linksys routers with remote administration on. [4]
Sources:
[1] https://en.wikipedia.org/wiki/OpenWrt
[2] http://arstechnica.com/security/2015/04/28/no-patch-for-remote-code-execution-bug-in-d-link-and-trendnet-routers
[3] http://krebsonsecurity.com/2011/12/new-tools-bypass-wireless-router-security/
[4] http://www.linksys.com/us/support-article?articleNum=136147
Apple Router Choices
Model | Airport Express | Airport Extreme | Time Capsule
Mac OS Required | 10.5.7 | 10.7.5 | 10.7.5
Price | $99 | $199 | $299 / $399
Wireless | 802.11n > 300Mbps | 802.11ac > 1.3Gbps | 802.11ac > 1.3Gbps
Frequency | 2.4 GHz / 5 GHz | 2.4 GHz / 5 GHz | 2.4 GHz / 5 GHz
Radio Output | 20 dBm max | 32.5 dBm max | 32.5 dBm max
WAN Port | 10/100 | 10/100/1000 | 10/100/1000
LAN Ports | 10/100 | 3 x 10/100/1000 | 3 x 10/100/1000
USB | 2.0 Port printer only | 2.0 | 2.0
Hard Drive | - | - | 2 TB / 3 TB
Source: http://www.apple.com/compare-wifi-models/
Change the Router’s DNS Server
• Switch from your Internet Service Provider’s (e.g. Comcast or Verizon) Domain Name Servers (DNS) to those of OpenDNS.* A domain name server is like a phone book allowing your computer to look up the numerical Internet Address of a website (e.g. www.apple.com is 17.142.160.59)
- Blocks your Mac from communicating with known malware and phishing sites
- Locates last known address for a website when its authoritative name server is off-line
• For instructions, go to:
https://www.macinstruct.com/node/447
*Deivy Petrescu commented that OpenDNS did not necessarily work well with Comcast service, but is very valuable for Verizon customers.
Source: https://www.opendns.com/home-internet-security/
Use DNScrypt
• Encrypts all DNS traffic between your Mac and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks
• Download it at: https://github.com/alterstep/dnscrypt-osxclient
Source: https://www.opendns.com/about/innovations/dnscrypt/
Create a Dedicated Administrator Account
1. Apple menu > System Preferences > Users & Groups
2. Click lock to make changes, authenticate.
3. Click plus to add a new account
4. Switch account type from Standard to Administrator
5. Enter full name (NOT admin or administrator or a name), e.g. string of unrelated words without adjectives
6. Use separate password.
7. Click on password helper.
8. Drag length to 15 or more. Pick Memorable or Random.
9. Click to view suggestions.
10. Write down the suggestion you like. Click on it. Hit close button.
11. Click
12. Quit Users & Groups preferences.
Demote Old User Account
1. Apple menu > Log Out
2. Log into new administrator account
3. Apple menu > System Preferences > Users & Groups
4. Click lock to make changes, authenticate
5. Click on old user account
6. Uncheck “Allow user to administer this computer”
7. Quit Users & Groups preferences.
8. Log out of administrator account.
9. Log into your standard user account.
Why Keep Your Mac OS Current?
• Mac OS 10.10.3 patches FREAK vulnerability
- Available for: OS X v10.8.5, v10.9.5, v10.10 to v10.10.2.
OpenSSL: Multiple vulnerabilities existed in OpenSSL 0.9.8zc, including one that may allow an attacker to intercept connections to a server that supports export-grade ciphers. These issues were addressed by updating OpenSSL to version 0.9.8zd.
Source: https://support.apple.com/en-us/HT204659
• Mac OS 10.10.2 patches Thunderstrike vulnerability
- Available for: OS X Yosemite v10.10 and v10.10.1
Description: Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates.
Source: https://support.apple.com/en-us/HT204244
Keep Your Mac’s Operating System Current
• Install the latest version of the Mac Operating System that will run on your Mac.*
- Upgrades are now free.
- Apple extends your AppleCare Protection Plan 90 days when you upgrade.
• Install updates as soon as they are released.*
- Apple provides free support for issues arising when applying new updates.
• Ensure your Mac backup is current before applying updates or upgrades.
*Ben Romney suggested searching the web to learn whether updates worked smoothly for other users before installing them. I support those who wish to wait to upgrade to a new version of the Mac OS, e.g. from 10.9 -> 10.10 until 10.10.1 or 10.10.2 is released, so any initial bugs are patched.
Installing Applications, Extensions, Plugins
• Each application is a potential security vulnerability.
• Read application reviews before installing them.
• Consider the revenue model of the developer. Do they make their money from selling the application or service, or do they make it from advertising?
• Don’t install applications (or browser extensions or browser plugins) until you need them.
• Once installed, keep them updated.
• Uninstall applications, extensions and plugins you don’t use.
“Less is more!”
Don’t Get Tricked
Many online threats depend on tricking you into installing a malicious application:
• Pop-up windows frighten people into installing a “security scanner.”
• A site requires you to install a special “codec,” video player, or app to view a video or other content.
• Phone calls from “technical support” try to get you to install an application.
• Consider what you might be vulnerable to. Think about times you’d be particularly susceptible. Role play with a friend or family member who knows you well.
Source: https://www.virusbtn.com/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
Man-in-the-Middle Download Attacks
Source: https://www.virusbtn.com/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
Where to Get Applications
1. Apple App Store (only source for iCloud-enabled apps)
2. Developer’s website with https://
3. Reputable retailer (Amazon, New Egg, MacMall) with secure login and purchase pages https:// with lock icon.
4. Developer’s website with http://
***Don’t even consider installing pirated applications. You are giving an untrustworthy person permission to install anything they want on your Mac.***
Passwords
• Passwords are keys that unlock the doors to your computer and accounts.
• If hackers get your password for one account, they try it on others.
Brute Force Attacks on Passwords
Source: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
Password Crackers Now More Sophisticated
• More than 20 million passwords have been posted to the Internet and have been analyzed statistically to produce the unconscious rules people use when they pick passwords:
- embedded personally meaningful words, e.g. names
- numbers at the beginning or end or between words
- caps at the beginning or end or at beginning of words
- substitute 1 for L, 3 for E, $ for S, etc.
• Password crackers have become very fast and efficient:
- 350 billion password guesses per second by 5-computer cluster
- algorithms for common patterns built in
- 100k dictionaries for common languages
- name dictionaries for common languages
- entire content of Bartlett’s quotations
Source: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
Solution: Password Manager
• A password manager allows you to have a different user name and password for each account.
• Solution 1: Paper password manager
- Pocket address book from office supply store.
- Enter account, user name, password, security questions for each account in pencil.
- Make user name and password completely different for each site (not just variations)
- Enter “wrong” answers to security questions
• Advantages:
- Feels familiar, comfortable
- Greatly increases security
- Works fine at secure home.
• Problems:
- Have to enter each password by hand.
- What if you lose it?
- What if you take it traveling and someone steals it?
- Doesn’t help pick good passwords.
Digital Password Manager
• An application that stores all your user names, passwords, etc. in an encrypted vault.
• All you have to remember is the password to the vault.
• Can suggest strong passwords.
• Can enter them automatically for you.
• The encrypted password vault is backed up by Time Machine.
Keychain Access
• /Applications/Utilities/Keychain Access
• Advantages:
- Comes free with Mac OS
- Fully integrated with Safari, Mail
- Integrated password helper
- Now can sync via iCloud with other Macs, iOS devices
- Uses account password as master password
• Problems:
- Difficult to use interface
- Multiple versions of same entry
- Includes lots of confusing entries you don’t put in
- iOS version not password-protected
1Password
• Available from the Mac App Store at: https://itunes.apple.com/us/app/1password-password-manager/id443987910?mt=12
• Advantages:
- 1-time purchase (not a subscription as Dashlane)
- can sync with other Macs, iOS devices (as well as Windows, Android phones, etc.) via iCloud or Dropbox
- very clean, intuitive interface
- well-maintained, regularly updated
- extensions integrate it with Safari, Firefox, Chrome
- can add custom fields for each site/entry
- decent forum-based support
- warns of insecure login page
- stores credit cards, identities, software licenses, etc.
*Note: Only the App Store version can sync via iCloud. If purchased direct from Agile Bits, must sync via Dropbox.
Key Passwords
• Passwords you need without password manager:
- Mac login password
- Mac administrator account password
- Password manager master password
- AppleID password
• Use password helper to choose strong, memorable passwords. Your AppleID and password manager passwords should be especially strong.
• If your computer is in a secure place, write these passwords on a card or sticky note. Be thoughtful about where you put it (e.g. if you have visitors, outside cleaners, etc.).
• Share them with your partner, executor, children.
Password Security Guidelines
• Whenever possible, use different long, random user names for each account. Use password helper to select.
• Make passwords 20+ random characters, including numbers and symbols when possible.
• Treat answers to security questions as another password. Never enter the right answer.
• Review your passwords every 6 months.
• If you no longer use an account, close it out.
Two-Factor Authentication
“Something you have and something you know.”
• To access an account you need a password and a device (e.g. iPhone or iPad).
• Much more secure than just a password.
• Use it whenever offered: AppleID, Dropbox, Google/Gmail.
Settings
• Changing settings on your Mac can significantly improve the security, sometimes with little or no impact on performance or convenience.
• Apple’s default settings are almost always geared toward ease of use rather than robust security.
Mac Security Preferences (1) “General”
1. Apple menu > System Preferences > Security & Privacy
2. Click lock to make changes, authenticate.
3. Click “General” tab toward the top of the window.
a. Change your password if it’s not secure.
b. If others have access to your Mac
(1) Require password after sleep
(2) Disable automatic login
c. Allow apps downloaded from:
Mac App Store or Mac App Store and identified developers
Mac Security Preferences (2) “Firewall”
1. Click “Firewall” tab toward the top of the window.
2. Click “Turn On Firewall.”
3. Click on “Firewall Options.”
a. Uncheck “Automatically allow signed software to receive incoming connections.”
b. Check “Enable stealth mode.”
c. Click OK
After enabling the firewall, you’ll get dialog boxes asking if you want xxx application to accept in-coming connections (from the developer over the Internet). Pick “yes” if it’s an application you frequently use and trust. If unsure, do web search for advice: e.g. “xxx accept in-coming connections.”
Mac Security Preferences (3) “Privacy”
1. Click “Privacy” tab toward the top of the window.
2. Click on service on left, then enable sharing it with selected applications on right.
3. Start out with the minimum that you need. You can always activate others if you decide you want them activated later.
Mac Security Preferences (4) “Advanced”
1. Click “Advanced” button at the bottom right of the window.
2. Check “Log out after xx minutes of inactivity” (beware of consequences if watching a movie or listening to music).
3. Check “Require an administrator password to access system-wide preferences.”
4. Disable remote control infrared receiver if you don’t use a remote with your Mac.
5. Click OK.
6. Quit Security & Privacy preferences.
Network Preferences
1. Apple menu > System Preferences > Network
2. Click Wi-Fi on left
- Check “Show Wi-Fi status in menu bar.” Turn Wi-Fi off when not using it. If you do use it:
- Check “Ask to join new networks.”
- Click Advanced
- On Wi-Fi tab
- Click on Wi-Fi networks you’re not actively using and tap to remove them.
- On DNS tab (Deivy Petrescu recommends against this when your provider is Comcast.)
- Add the OpenDNS server addresses. Hit +. Enter 208.67.222.222 then 208.67.222.220
- Click OK
Network Preferences (2)
(Deivy Petrescu recommends against the following change when your provider is Comcast.)
3. Click Ethernet on left.
• Click Advanced toward bottom right.
- Click DNS.
- Add the OpenDNS server addresses:
- Hit +. Enter 208.67.222.222
- Hit +. Enter 208.67.222.220
- Click OK.
• Click Apply.
4. Quit Network preferences.
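To confirm from Terminal that the DNS change took effect on every network service, the check below (an added example, not part of the original slides) classifies the output of `networksetup -getdnsservers` against the two resolver addresses given above. The function name `dns_status` and the sample address in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that each network service uses the resolvers
# entered in the Network preferences steps above.

# Resolver addresses exactly as given in the steps above.
EXPECTED_DNS='208.67.222.222
208.67.222.220'

# dns_status "OUTPUT"
#   OUTPUT is the text printed by: networksetup -getdnsservers <service>
# Prints one of:
#   ok                    every configured server is on EXPECTED_DNS
#   unset                 no servers set on this Mac (it uses whatever the
#                         router hands out, so check the router instead)
#   unexpected: <addrs>   servers that are not on EXPECTED_DNS
dns_status() {
    out=$1
    case $out in
        *"There aren't any DNS Servers set"*) echo unset; return 0 ;;
    esac
    extra=
    seen=0
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        seen=1
        # -F fixed string, -x whole line: 208.67.222.2 must not match .222
        if ! printf '%s\n' "$EXPECTED_DNS" | grep -Fxq -- "$addr"; then
            extra="$extra $addr"
        fi
    done <<EOF
$out
EOF
    if [ "$seen" -eq 0 ]; then
        echo unset
    elif [ -z "$extra" ]; then
        echo ok
    else
        echo "unexpected:$extra"
    fi
}

# On a Mac, report every network service (Wi-Fi, Ethernet, ...).
# The first line of -listallnetworkservices is a legend, so skip it;
# a leading * marks a disabled service.
if command -v networksetup >/dev/null 2>&1; then
    networksetup -listallnetworkservices | tail -n +2 |
    while IFS= read -r svc; do
        svc=${svc#\*}
        result=$(dns_status "$(networksetup -getdnsservers "$svc" </dev/null)")
        printf '%s: %s\n' "$svc" "$result"
    done
fi
```

A service that reports `unset` is not necessarily wrong: if the router has been switched to OpenDNS, the Mac inherits those servers from it.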
Bluetooth Preferences
1. Apple menu > System Preferences > Bluetooth
2. Turn Bluetooth off when you are not using it.
3. Check “Show Bluetooth in menu bar” to toggle it on and off easily.
4. If you do not use a Bluetooth device with your computer, click “Advanced” at bottom right and uncheck:
a. “Open Bluetooth Setup Assistant at startup if no keyboard is detected.”
b. “Open Bluetooth Setup Assistant at startup if no mouse or trackpad is detected.”
c. “Allow Bluetooth devices to wake this computer.”
d. Click OK.
5. Quit Bluetooth preferences.
Sharing Preferences
1. Apple menu > System Preferences > Sharing
2. Change “Computer Name” to a non-personally identified name, e.g. “Upstairs iMac,” “Uniblab,” “Sweetgum.”
a. Type the new name in the field. Hit [tab] key.
b. Confirm name in the text below the field matches with “-” between words. If not, click “Edit” and correct it.
3. Uncheck all sharing services on the left. Only activate them when you need them.
a. Check “Ask me before allowing others to use my DVD drive.”
4. To activate a sharing service:
a. Click in the square in front of the service.
b. When it asks to “accept incoming network connections,” click Allow.
5. Quit Sharing Preferences.
App Store Preferences
1. Apple menu > System Preferences > App Store
2. Confirm all choices are checked except “Automatically download apps purchased on other Macs.”
3. If not, click on the padlock, authenticate and correct settings.
4. Quit App Store preferences.
Dictation and Speech Preferences
1. Apple menu > System Preferences > Dictation & Speech
2. Check “Use Enhanced Dictation” to download the dictionary and supporting files to your computer rather than send voice data over the Internet to Apple’s server.
3. Quit Dictation & Speech.
Flash Player Preferences
If Flash Player is installed on your Mac:
1. Apple menu > System Preferences > Flash Player
2. Storage tab
a. Ask before allowing new sites to save info.
b. To manage storage click “Local Storage Settings by Site.”
c. To delete stored data, click “Delete All” button.
3. Camera and Mic tab
a. Check “Ask me when a site wants to use…."
4. Playback tab
a. Check “Ask me when a site wants to use…."
5. Advanced tab
a. To delete stored data and settings, click “Delete All” button.
b. Check “Notify me to install updates.”
Browser Strategy
Visiting malicious websites is the single greatest threat to your Mac. To minimize the threat I recommend using 3 different browsers for different purposes:
• Firefox for ordinary browsing, searching, reading. I recommend you install several security extensions; minimize the others you install. Download at: https://www.mozilla.org
• Chrome for ordinary browsing when you need Flash. Download at: https://www.google.com/chrome/ (Javascript must be enabled for the page to load.)
• Safari only for monetary transactions (e.g. purchases, banking) or for viewing or entering sensitive data online (e.g. online tax service, medical info).
To set default browser:
1. Apple menu > System Preferences > General > Default web browser
Remove Unnecessary Internet Add-Ons
1. Quit all browsers.
2. Open a Finder window.
3. Navigate to /Library/Internet Plug-Ins
4. Move all unnecessary plug-ins to a new folder /Library/Internet Plug-Ins (Moved). To save time, move all at once because you will need to authenticate. If in doubt, do a search to determine the plug-in’s purpose.
5. Do not move:
- Default Browser.plugin
- iPhotoPhotocast.plugin
- nsIQTScriptablePlugin.xpt
- Quartz Composer.webplugin
- QuickTime Plugin.plugin
- QuickTime Plugin.webplugin (Mac OS 10.5 only)
- VerifiedDownloadPlugin.plugin (Mac OS 10.5 only)
Source: https://support.apple.com/en-us/HT203353
Remove Unnecessary Internet Add-Ons (2)
6. Move any add-ons found in these folders to a new (Moved) folder:
• /Library/Input Methods/
• /Library/InputManagers/
• /Library/ScriptingAdditions
7. Go to your user Library folder (~/Library)
a. In the Finder hold [option] key, click Go on the main menu.
b. Click Library in the drop-down menu.
8. Move any add-ons found in these folders:
• ~/Library/Internet Plug-Ins/
• ~/Library/Input Methods/
• ~/Library/InputManagers/
• ~/Library/ScriptingAdditions
9. Close all open Finder windows.
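The folder review in steps 3 through 8 can be previewed from Terminal before anything is dragged in the Finder. This added example (not part of the original slides) is read-only: it lists what the steps would move, applying the step 5 keep list to /Library/Internet Plug-Ins only; the function names and the optional root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: inventory the add-on folders named in steps 3-8 and print
# the items those steps would move. Nothing is moved or deleted.

# Items step 5 says to leave in /Library/Internet Plug-Ins (one per line).
KEEP_LIST='Default Browser.plugin
iPhotoPhotocast.plugin
nsIQTScriptablePlugin.xpt
Quartz Composer.webplugin
QuickTime Plugin.plugin
QuickTime Plugin.webplugin
VerifiedDownloadPlugin.plugin'

# is_kept NAME: succeeds only if NAME is exactly one keep-list entry.
# Whole-line matching means a look-alike such as "Browser.plugin" or
# "QuickTime Plugin.plugin.bak" is not treated as an Apple item.
is_kept() {
    printf '%s\n' "$KEEP_LIST" | grep -Fxq -- "$1"
}

# list_candidates DIR MODE
#   MODE=keeplist  skip names on KEEP_LIST (system Internet Plug-Ins folder)
#   MODE=all       report everything found (folders in steps 6 and 8)
# Prints one full path per line; prints nothing if DIR is missing or empty.
list_candidates() {
    dir=$1 mode=$2
    [ -d "$dir" ] || return 0
    for path in "$dir"/*; do
        # An empty folder leaves the glob unexpanded; skip that literal.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        if [ "$mode" = keeplist ] && is_kept "$name"; then
            continue
        fi
        printf '%s\n' "$path"
    done
}

# audit_addons ROOT HOME_DIR
#   ROOT is "" for the real filesystem; a non-empty ROOT points the same
#   walk at a copy or a test tree. HOME_DIR is the user's home folder.
audit_addons() {
    root=$1 home=$2
    list_candidates "$root/Library/Internet Plug-Ins" keeplist
    for sub in "Input Methods" "InputManagers" "ScriptingAdditions"; do
        list_candidates "$root/Library/$sub" all
    done
    for sub in "Internet Plug-Ins" "Input Methods" "InputManagers" \
               "ScriptingAdditions"; do
        list_candidates "$home/Library/$sub" all
    done
}

# Only scan automatically when this is actually a Mac.
if [ "$(uname -s)" = Darwin ]; then
    audit_addons "" "$HOME"
fi
```

Each path printed is a candidate for the (Moved) folder; look up any name you do not recognize before moving it, as step 4 advises.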
Firefox (Main Browser) - Extensions
***Do NOT get extensions from third-party sites.***
Tools > Add-ons > Get Add-ons > Browse All Add-ons (scroll down to bottom right under “More ways to customize”)
• NoScript Security Suite (block Javascript, Flash, Java and other executable content)
• Web of Trust - WOT (website trustworthiness based on other users’ experience)
• HTTPS Everywhere (switches to secure version of site when possible) available from eff.org
***Do NOT install Flash!***
Firefox (Main Browser) Settings
• Firefox > Preferences
• General tab: Save files to either Downloads or Desktop
• Content tab: Block pop-up windows
• Privacy tab: Accept cookies from sites, but not third-party cookies (can add exceptions by clicking on “Exceptions” button); keep until I close Firefox.
• Security tab: Check “Warn me when sites try to install add-ons,” “Block reported attack sites,” and “Block reported web forgeries.”
• Advanced > Network: Check “Tell me when a website asks to store data.”
• Advanced > Update: Check “Automatically install updates,” “Warn me if this will disable any of my add-ons,” and Automatically update “Search Engines.” ***Only works from administrator account or the user who originally installed Firefox.***
• Advanced > Certificates: “Ask me every time.”
Be An Alert Browser
• If you didn’t look for it, don’t install or do it.
• If it doesn’t feel right, stop immediately. Log out. Quit the browser. Start over.
• Use bookmarks for sites you use regularly.
• Don’t keep multiple tabs open for prolonged periods. Drag the favicon in front of the URL (address) to your Desktop to temporarily save your place. Double-click on it to relaunch the browser and return. Trash the .webloc file when done.
Chrome (Ordinary Browsing with Flash)
• Use Chrome to view pages with Flash content in which you have confidence.
• Flash Player is directly integrated with Chrome and enabled by default.
• Updates for Flash Player are automatically included in Chrome updates.
• Copy URL from Firefox, paste it into Chrome’s address field.
Chrome Settings (1)
1. Chrome > Preferences > “Show advanced settings…” at the bottom
2. Under On startup, select “Open the New Tab page”
3. Under Privacy click “Content settings…” button.
a. Under cookies, select:
- “Keep Local data only until you quit your browser”
- “Block third-party cookies and site data”
b. JavaScript: “Do not allow any site to run JavaScript”
c. Plug-ins: “Let me choose when to run plugin content”
d. Pop-ups: “Do not allow any site to show pop-ups”
e. JavaScript: “Do not allow any site to run JavaScript”
f. Location: “Ask when a site tries to track your physical location"
g. Notifications: “Ask when a site wants to show notifications”
h. Mouse cursor: “Ask when a site wants to disable the mouse…."
i. Media: “Ask when…access to your camera and microphone”
j. Unsandboxed plug-in access: “Ask…to access your computer”
k. Automatic Downloads: “Ask…to download files after the first…”
l. Click “Done” button.
Chrome Settings (2)
2. Under Privacy (continued), uncheck all except:
a. “Automatically report details of possible security incidents to Google”
b. “Enable phishing and malware protection”
3. Under Passwords and forms, uncheck all.
4. Under Downloads, set location to your Downloads folder or Desktop.
5. Quit Chrome.
Safari (Only Secure Transactions)
• Online banking.
• Online purchases.
• Viewing, entering sensitive online data, e.g. financial, medical, legal.
• No searching. No browsing.
Safari Settings
Safari > Preferences
• General tab:
- Safari opens with: “A new private window”
- New windows and tabs open with: “Empty page”
- Save downloaded files to “Downloads” or Desktop
- Uncheck “Open ‘safe’ files after downloading”
• AutoFill tab: uncheck all.
• Passwords tab:
- If using Keychain Access to store passwords, check “AutoFill user names and passwords.”
- Otherwise, uncheck “AutoFill user names and passwords.”
• Search tab: Search engine: DuckDuckGo; check all boxes.
• Security tab
- Check: “Warn when visiting a fraudulent website”
- Uncheck all others.
• Privacy tab
- Cookies and website data: “Allow from websites I visit”
- Website use of location services: “Prompt for each website once each day”
• Advanced tab
- Check “Show full website address”
- Check “Stop plug-ins to save power”
Safari Extensions
• Safari > Safari Extensions…
• Web of Trust - WOT (website trustworthiness based on other users’ experience)
• Click to Play
Safari Procedure
• Quit all other browsers before launching Safari.
• Safari > “Clear History and Website Data…” first.
• Use only the direct web address of a site (don’t search).
• Create bookmarks for sites you visit frequently. If you have 1Password, use “open and fill.”
• Use https:// not http:// If there’s not a green lock in the address field, it’s not secure. You’re taking a big chance. Complete the transaction by phone instead.
• When done with transactions at one site always:
- log out
- quit Safari
Email Threats
• Link to a malicious website
- Don’t click on links you did not request.
- Ask sender in a new note (not reply) if they intended to send it.
- If you subscribe to email list, go to site to view new content rather than clicking link.
• Attachment that contains a malicious application
- Don’t click on links you did not request.
- Ask sender in a new note (not reply) if they intended to send it.
• Unsolicited offers
- Don’t respond. Mark as junk and delete.
Mail Settings (1)
Get email client SSL settings (port #s) from email provider.
Mail > Preferences
• Accounts tab
- Account Information tab
a. Click on button with Outgoing Mail Server name
b. In popup menu click on Edit SMTP Server List
c. Click on Advanced tab
1. Enter port #
2. Check Use SSL
3. Click OK
- Advanced tab
a. Enter port #
b. Check Use SSL
Mail Settings (2)
• Junk Mail tab
- Check “Enable junk mail filtering”
- Check “Mark as junk mail, but leave it in my Inbox.” Once email is reliably marked as junk, switch to: “Move it to the Junk mailbox”
- Check all remaining boxes
• Viewing tab
- Under Show message headers: uncheck Load remote content in messages; uncheck Use Smart Addresses
• Composing tab
- Under Addressing: Check “When sending to a group, show…”
Wi-Fi Pineapple
Source: https://www.wifipineapple.com
Wi-Fi Pineapple
Source: http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html
Solution: VPN
• How a Virtual Private Network (VPN) works:
1. Encrypts your data on your Mac or iOS device.
2. Sends your data to a remote VPN server.
3. VPN server decrypts data and forwards it.
4. Response received by VPN server which encrypts it.
5. VPN server forwards it to you.
6. Your Mac or iOS device decrypts it.
• What using a VPN accomplishes:
1. Protects against eavesdropping, man-in-the-middle attacks.
2. Cloaks your location.
Source: https://www.privateinternetaccess.com/pages/how-it-works/
Recommended VPNs
• Private Internet Access
- PC Magazine Editor’s Choice
- many gateways in many countries, great performance
- works with Macs, iOS devices
- reasonably priced: $6.95/month, $39.95/year
- site: https://www.privateinternetaccess.com
• Private Tunnel
- decent performance
- works with Macs, iOS devices
- iOS app
- priced by usage: free/500 MB, $12/50 GB, $20/100 GB, $50/500 GB
- site: https://www.privatetunnel.com/
Source: http://www.pcmag.com/article2/0,2817,2403388,00.asp
Those with Different Security Needs
• Organizations with more than 5-6 people (businesses, schools, non-profits, governmental entities)
• Those handling valuable or sensitive information (proprietary, journalistic, political)
• Those likely to be targeted by professional hackers, organizations, or governments
• Those needing secure data/communications in an insecure environment
Components of Security
• Back up your Mac
• If you use an anti-virus, pick one that rates highly, but don’t expect it to solve the problem.
• Guard your Mac from unauthorized physical access
• Use an Apple router configured to use OpenDNS servers.
• Set up a dedicated administrator account. Use a standard account for routine work.
• Keep Mac OS, applications updated. Delete applications, plugins, extensions you don’t use.
• If you didn’t look for it, don’t install or do it. Pay a fair price for what you want.
• Use a password manager with strong individual passwords for each site.
• Customize your System settings.
• Use a 3 browser strategy.
• Use VPN, at least when on public networks.
What Security Requires of You
• Effort (everything from changing a setting to doing things in a different way)
• Often accepting less convenience
• Being thoughtful, paying attention
• Keeping up with security issues