OS X running Safari was hacked again at Pwn2Own by Charlie Miller for the third year in a row. Tired of Apple’s (and other software companies’) lackluster approach to securing their products, he announced he will no longer be disclosing vulnerabilities to them. He’ll gladly show Apple how he finds them, hoping they will begin scanning and patching OS X themselves.
While this doesn’t translate into a tsunami of OS X malware, nor is it a threat of impending doom, it reminds us that OS X is not the invulnerable OS you may think it is.
Since turning off the computer and hiding under a rock isn’t an option, follow these 10 tips to keep yourself secure.
1. Update OS X.
There’s a reason this is the number one tip. Those security updates aren’t just for show. Software Update keeps OS X up to date and secure, and it also patches iTunes, QuickTime, Safari, iWork, iLife and Java. In my experience with Windows, about 90% of the virus-infested PC nightmares I’ve seen were due to not running updates. OS X is no different; the updates are just as important.
2. Keep your Apps up to date.
Firefox, Microsoft Office, Adobe CS, Flash Player, Shockwave and other browser plugins are all known vectors of attack. What makes these apps scarier is that they are cross-platform: a vulnerability in Flash Player, for example, can affect both the OS X and Windows versions. Keep them up to date by running their updaters at least once a month, or more frequently if you’re really concerned. A quick way to check Firefox’s plugins is to visit the Mozilla Plugin Check page.
3. Be cautious with emails.
It’s pretty obvious that the crown prince of Nigeria doesn’t really need help transferring money, and we all know those online stock tips are spam. However, online scammers are now using emails containing “UPS Tracking” notices, top news stories, infected PDF and Excel files labelled important, and well-crafted bank emails to get you to either run an infected application or enter your passwords on a fake webpage. Carefully review all suspicious emails, especially when it’s a “There’s a problem with your account, please verify your identity” email.
4. Don’t download pirated software.
Legality and ethics aside, pirated software is the main source of infection for OS X Trojan horses like RSPlug. That’s right, OS X. Pirated copies of applications like Adobe CS and the latest games are ripe for having a virus bundled in with their files.
5. Use OS X’s firewall.
The firewall included in OS X is pretty powerful and will block unwanted attempts to connect to your Mac. Use it to protect your computer from local network connection attempts and prying eyes. This is especially important if you connect to a public network at school, an airport, cafe, library, or anywhere you’re on the same local network as a bunch of strangers.
6. Download Little Snitch.
Little Snitch is a great way to limit your outbound connections. Firewalls (including the one in OS X) will stop traffic coming in to your Mac. However, they don’t stop anything from going out. If an application wants to secretly send data somewhere, Little Snitch will see it, alert you, and deny the traffic if you choose. Also, once you install Little Snitch, you’d be surprised how many different apps contact servers on the internet. It’s a must-have.
7. Turn off Java in your browser.
Unless you use it all the time, turn off Java in Safari and Firefox. Why? Because, like Flash and Adobe Reader, Java is a known vector for attack. Making things worse, Apple likes to micro-manage its Java implementation. Many times a known vulnerability is already being exploited and patches / updates have been issued, yet OS X is left hanging onto an old version for months, waiting for Apple to ship the fix in either a Security Update or a Java Update. If you don’t use Java applets on a daily basis, shut it off in the preferences (the Security tab in Safari; the Content tab in Firefox, or disable the plugin in the Add-ons / Plugins tab).
8. Use proper passwords.
Nothing says “Hack me!” better than not changing the original passwords on any of your computer / network equipment. Default usernames and passwords are freely available online and not hard to find; if anyone wanted to try to sign in, these are the first ones they’d try. Change your passwords, and when picking a password, use the following guidelines:
- Use capitals, lowercase, numbers and special characters.
- Nothing easily identifiable – favorite team, spouse’s name, birthdate, etc.
- No dictionary words.
- Try to make it at least 8 characters.
If you have trouble remembering passwords, utilities such as 1Password might help.
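The four guidelines above are easy to turn into an automated check. The following is an added example, not code from the original post or from 1Password; the dictionary word list and the “easily identifiable” personal terms it is fed are constructed stand-ins (a real check would load a full word list and ask the user for their team, spouse’s name, birth year and so on). It goes slightly beyond the post by also rejecting a dictionary word that has merely been padded with digits or symbols, such as “Password1!”.

```python
import re
import string

# Constructed mini word list; a real checker would load a full dictionary file.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "football"}


def password_problems(password, personal_terms=(), dictionary=COMMON_WORDS):
    """Return the list of guideline violations for a password (empty list means it passes).

    personal_terms: constructed examples of "easily identifiable" information for this
    user (favorite team, spouse's name, birth year), each rejected if it appears anywhere
    in the password.
    """
    problems = []

    # Guideline: at least 8 characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # Guideline: capitals, lowercase, numbers and special characters.
    if not any(c.isupper() for c in password):
        problems.append("no capital letters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")

    # Guideline: no dictionary words. Strip everything but letters first so that
    # "Password1!" is still recognised as the word "password" with decoration.
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(dictionary):
        if len(word) >= 5 and word in letters_only:
            problems.append(f"built on the dictionary word '{word}'")

    # Guideline: nothing easily identifiable. Checked against the raw lowercase
    # password so that digit-only terms such as a birth year are caught too.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains easily identifiable information '{term}'")

    return problems


def is_acceptable(password, personal_terms=()):
    """True when the password satisfies every guideline in the post."""
    return not password_problems(password, personal_terms)


if __name__ == "__main__":
    me = ("Yankees", "Alice", "1985")  # constructed personal terms for the demo
    for candidate in ("password", "Password1!", "Yankees1985!", "Tr0ub4dor&3"):
        print(candidate, "->", password_problems(candidate, me) or "OK")
```

Run it as a script to see each sample password graded against all four guidelines; `is_acceptable` is the yes/no form a signup page or a password manager's generator could call.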
9. Secure your webmail.
Securing email is extremely important. Ever notice the secure page change to insecure the minute you type in your password to enter Yahoo! or Hotmail? That means that if someone’s monitoring your network, they don’t even need your credentials to eavesdrop on your email. If Hotmail or Yahoo! won’t let you force a secure SSL (HTTPS) connection at all times, change email addresses to a provider who will. Gmail does this; just make sure it’s set in the preferences to always use HTTPS.
Securing Thunderbird, Mail and your iPhone can easily be done as well. Here’s a tutorial on how to do it.
10. Use SSL whenever entering a password.
Most of the time, a good website will redirect an insecure connection (http) to a secure (https) one automatically. However, some, like Hotmail, don’t. This lets anyone monitoring your network connection easily catch your password and gain access to your account. Always look for the https in the address bar or the padlock, either in the lower right corner (Firefox) or the upper right corner (Safari). If a site, such as Hotmail, begins with http://, manually change it to https:// and press return to securely reload the page.
Note: Some low-security sites, like forums and other small sites, don’t use secure webpages. A good practice with sites like these is to create a special password for each, separate from your more important passwords.