
Post on 11-Aug-2020


Secure Your Mac

Princeton Macintosh Users Group June 12, 2018

Mike Inskeep Gentle Computer Helpers

https://www.gentlehelpers.com mike [at] gentlehelpers [dot] com

610-742-3927

Gentle Computer Helpers6/12/2018


About Mike

• Supported Macs for 25 years:

- Director of Microcomputer Support, Penn’s School of Arts & Sciences

- Technology Teacher and Coordinator, Friends School Haverford

- Independent Macintosh consultant since 1999

• Interested in data security and privacy.


New Attacks

• VPNfilter router attack

• Flash attack embedded in Office doc

• Sophisticated Mac backdoors

• Apps access data (contacts, location)

• ISPs monitoring, using our data

• Malicious Chrome extensions


New Resources

• Apple moves on security & privacy

• Mesh routers

• Anti-malware tools

• Public DNS services


Basic Approach to Security

(How to limit our vulnerability)

1. Prepare for worst-case scenarios

2. Create layers of security

- How we set up hardware, apps, settings

- Change procedures

3. Slow down, attend in risky situations


Worst-Case Scenarios

• Data lost or corrupted

• Mac stops working

- Mechanical failure

- Software update

• Mac lost or stolen

• House burns down

• Identity stolen


Redundant Data Storage

• Protect against mechanical failure

• Revert updates or upgrades

• Recover from malware infection

• Restore damaged, lost items

• Restore previous version of item


iCloud Sync

• Files/folders between Mac(s) and iCloud disk

- Desktop and Documents

- Files for iCloud enabled applications

- Photos via iCloud Library or Photo Stream

- Music via Apple Music

• Contacts, Calendars, Reminders, Notes, Safari Bookmarks

• Keychain secrets


iCloud Sync Characteristics

• Duplicates data

• Accessible via icloud.com

• Syncs between Macs, iPhones, iPads

• Sync goes both ways

• No versioning


iCloud Sync +/-

• Can access data if:

- Mac lost or stolen

- Mac failure or malfunction

• Doesn’t:

- Protect against data corruption

- Allow restore of previous version

- Rollback upgrade


Clone

• A disk whose content duplicates the master

• Does not retain previous versions

• Could start Mac from it and continue working if the internal hard drive failed

• SuperDuper! or Carbon Copy Cloner


Good Backup Characteristics

• Automatic, requiring little or no action

• Robust, reliable

• Not always connected (ransomware encrypts connected drives)

• Multiple targets, including off-site


Time Machine Backup

• Integrated into macOS

• Retains versioned copies of what is stored on the internal drive

• Supports multiple drives

• Connected USB or Thunderbolt drives


External USB

• Get a Toshiba portable drive

• Size: ~ 3 times storage used

> About this Mac > Storage

• Set as encrypted Time Machine destination

> System Preferences > Time Machine


Encrypting Backup Drives

• Using Finder in macOS 10.13 to encrypt a disk will convert it to APFS which is *incompatible* with Time Machine.

• Unplug the drive and plug it back in. It should offer you the option to encrypt it.

• If it doesn’t, go to the Time Machine preference pane:

1. > System Preferences > Time Machine

2. [Select Disk] > (click disk) > [Remove Disk]

3. (click disk) > [x] Encrypt > [Use Disk]


Why Buy Toshiba?

• Though inexpensive, many Seagate drives do not support encryption.

• WDC drives are less reliable.

• HGST drives are most reliable and most expensive.

• Toshiba drives are nearly as reliable and are more reasonably priced.


Time Machine +/-

Advantages:

• Reliable

• Apple-supported

Disadvantages:

• If you have a laptop, you must plug in the external drive

• Doesn’t protect against theft, fire


Backblaze

Personal Backup Plan

• $5/month. $50/year. $95/2 years.

• Versions of files stored up to 30 days.

• Unlimited storage, transfer speed.

• Will send a USB drive with your data and refund the cost if you return it in 30 days.

‣ Use a private encryption key.

‣ Enable 2 factor authentication.

• Good choice for laptop (no need to plug in)


USB Drive + Backblaze

• Set up USB drive as an encrypted Time Machine backup destination.

• Subscribe to Backblaze to also back up over the Internet.

• After macOS update or upgrade, disconnect the USB drive until you’re confident that everything is working smoothly.

• If not, you can use it to restore to the previous version of macOS.


Backup Maintenance

• Regularly test restore (weekly?).

• Run Disk Utility First Aid on backup volume from time to time (monthly?). This will take many hours.


Backup References

• SuperDuper! https://shirt-pocket.com

• Carbon Copy Cloner https://shirt-pocket.com

• Time Machine: https://support.apple.com/en-us/HT201250

• Backblaze: https://www.backblaze.com


Worst-Case Scenarios

• Data lost or corrupted

• Mac stops working

- Mechanical failure

- Software update

• Mac lost or stolen

• House burns down

• Identity stolen


Protect Your Identity

Secure the methods of verifying your ID:

• strong, unique passwords

• unique usernames if possible

• 2 factor authentication (2FA)

• provide untrue answers to security questions

• strong password, 2FA on associated email

• PIN on recovery phone account


Too Much to Remember!

• Paper address book

• Digital password manager


My Wife


Her Password Manager


Her Credentials

• User Names similar to: m1ddleage

• Passwords similar to: s1LlibR0unee

• Security Questions similar to:

- First Car? a blue unaSSembledVW sedan


What’s Good

• Unique passwords for each site.

• Passwords are not words with numbers and/or special characters added before or after.

• Password of moderate length (~12 chars)

• Security question answer long (26 chars)


What Could Be Better

Passwords

• Longer

• Random characters

• More special characters

• Easier to enter

Security question answers

• Unrelated to the question

• Or even better -> random characters

Could be lost or stolen

• Easily read by others

• No back up


Password Manager App

• Can generate truly random passwords, user names, answers, etc.

• Can save passwords of any length.

• Built-in web browser.

• Can copy and paste in passwords.

• Automatically backs up and syncs with other devices.

• Can’t be read or used without master password.


1Password Convenience

• Stores passwords, credit cards, etc.

• You must remember only 1 password

• Generates secure passwords

• Syncs Apple, Android devices


1Password Security

• Passwords hidden from observers

• Secure (encrypted) vaults, transmission

• Easy to change weak passwords

• Security alerts for sites, services used

• Data automatically backed up

• Long track record with no breach


Stand-Alone Mac App

• One-time purchase with free updates. Major upgrades cost.

• Mac App Store version can sync primary vault to iCloud drive; any vault to DropBox or 1Password.com

• Agilebits Store version can sync to Dropbox or 1Password.com


1Password Subscription Features

• Annual fee

• All apps (all platforms; includes upgrades)

• 1password.com sync

• Web access to data on 1password.com

• Individual and shared vaults of passwords with the family plan.

• Recover deleted or changed passwords.


1Password References

• 1Password website: https://1password.com

• Available in the Mac App Store at: https://itunes.apple.com/us/app/1password-7/id1333542190?mt=12


Enable 2 Factor Authentication

• Requires a 1-time code in addition to user name and password to sign in.

• Sent to cell phone or trusted device.

• List of websites that support 2FA:

https://twofactorauth.org


Basic Approach to Security

How to limit our vulnerability

1. Prepare for worst-case scenarios

2. Create layers of security

- How we set up hardware, apps, settings

- Change procedures

3. Slow down, attend in risky situations


Layers of Digital Security

1. Network

2. Physical Access to Mac

3. macOS

4. Applications (especially email, browsers)

5. Internet services

6. Data storage


Minimize Attack Surface (Doors)

• Keep hardware, software up-to-date.

• Enable only what you need or want.

• Remove or disable what you don’t.

• Limit permissions


Strong Authentication (Lock Doors)

• Passcodes, Passwords

• Information used to verify your identity (security questions, birthday)

• Trust token (device/app for 2FA)

• Trusted communication channel to reset


Layers of Digital Security

1. Network

2. Physical Access to Mac

3. macOS

4. Applications (especially email, browsers)

5. Authentication for Internet services

6. Data storage


Layer 1 - Network Hardware

1) Factory reset your router or gateway.

2) Replace modem, router every 3-4 years.

3) Disable Wi-Fi on gateway, install your own router.


Gateway Login

• Determine gateway IP address

- > System Preferences > Network

192.168.1.x -> 192.168.1.1

10.0.1.x -> 10.0.1.1

• Launch browser, enter address [return]

• Login (check label on gateway) or:

- User name probably: admin

- Password probably: password


Change Gateway Set Up

- Change login user name, password

- Disable remote administration

- Automatically update firmware


What is DNS?

• The domain name system matches domains (e.g. www.apple.com) with their numerical IP address (17.142.160.59).

• When you type in a domain, the request is transmitted from server to server until it reaches the authoritative endpoint for the domain.


Problems

• Queries are sent in the clear, so intermediaries can see where traffic is going (but not its content).

• Responses can be “poisoned” - replaced with ones supplied by an attacker (HTTPS largely prevents this).

• Many domains host malicious webpages.


Advantages of Quad9

• Non-profit organization founded by IBM, Packet Clearing House and the Global Cyber Alliance

• Provides free services to minimize exposure and risk

• Aggregated info is shared with partners to alert them to risks and help them mitigate those risks

• DNS blocklist: blocks millions of identified malicious addresses


Layer 1 - Network Settings

• Change router DNS Server to:

- 9.9.9.9

- 149.112.112.112


Configure Your Mac’s DNS

For a laptop to use Quad9 on other networks:

1. > System Preferences

2. Network > Advanced > DNS tab

3. Click [+] under DNS Servers. Enter DNS server IP address 9.9.9.9

4. Repeat for: 149.112.112.112

5. Click [OK] then [Apply]
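
The result of these steps can be checked from Terminal. The script below is an added example, not part of the original slides: it reads what the macOS `networksetup` tool reports for each network service and flags anything other than the two Quad9 addresses given above. The function names and the "Wi-Fi" service name in the comment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original slides: audit each macOS network
# service's DNS servers against the two Quad9 addresses listed above.
# classify_dns and audit_all_services are names made up for this example.

QUAD9_PRIMARY="9.9.9.9"
QUAD9_SECONDARY="149.112.112.112"

# Reads the output of `networksetup -getdnsservers <service>` on stdin and
# prints one verdict:
#   quad9   - exactly the two Quad9 resolvers
#   partial - a Quad9 resolver is set, but one is missing or another
#             resolver is listed too (queries may bypass the blocklist)
#   other   - only non-Quad9 resolvers
#   unset   - nothing configured; the Mac uses whatever the network hands out
classify_dns() {
    have_primary=0; have_secondary=0; have_other=0
    # `read` trims surrounding whitespace; the `||` keeps a last line
    # that has no trailing newline.
    while read -r line || [ -n "$line" ]; do
        case "$line" in
            "") ;;
            "$QUAD9_PRIMARY")   have_primary=1 ;;
            "$QUAD9_SECONDARY") have_secondary=1 ;;
            # Characters that cannot occur in an IP address mean the line is
            # a message such as "There aren't any DNS Servers set on Wi-Fi."
            *[!0-9a-fA-F.:]*) ;;
            *) have_other=1 ;;
        esac
    done
    if [ "$have_primary" = 1 ] && [ "$have_secondary" = 1 ] && [ "$have_other" = 0 ]; then
        echo quad9
    elif [ "$have_primary" = 1 ] || [ "$have_secondary" = 1 ]; then
        echo partial
    elif [ "$have_other" = 1 ]; then
        echo other
    else
        echo unset
    fi
}

# Prints one line per enabled network service with its verdict.
audit_all_services() {
    # The first line of -listallnetworkservices is an explanatory header;
    # a leading "*" marks a disabled service.
    networksetup -listallnetworkservices | tail -n +2 |
    while IFS= read -r service; do
        case "$service" in "*"*) continue ;; esac
        verdict=$(networksetup -getdnsservers "$service" </dev/null | classify_dns)
        printf '%-28s %s\n' "$service" "$verdict"
    done
}

# Terminal equivalent of steps 3-5 (needs an admin account; "Wi-Fi" is the
# usual service name and is an assumption here):
#   networksetup -setdnsservers "Wi-Fi" 9.9.9.9 149.112.112.112
if [ "$(uname -s)" = "Darwin" ]; then
    audit_all_services
fi
```

A verdict of `partial` or `unset` on the Wi-Fi service means lookups on other networks are not guaranteed to go through Quad9's blocklist.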


Use DoT with Quad9

• If you’re adventurous, try enabling DNS-over-TLS with the Quad9 DNS service for even greater security:

https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5


For More Info on DNS Services

• “Cloudflare and Quad9 Aim to Improve DNS” by Glenn Fleishman, published April 20, 2018 in Tidbits:

https://tidbits.com/2018/04/20/cloudflare-and-quad9-aim-to-improve-dns


Install Your Own Router

• Apple discontinued Airport Wi-Fi routers

• Search for online reviews

• Automatic firmware updates

• Wired connections faster, more secure

• Good customer support


Wi-Fi Router Options

• Check out:

- Eero (easy set up, small units, fast performance, best customer service, but expensive)

- Netgear Orbi (largest coverage, fastest, big units, 4 ethernet ports, USB, so-so support)

- Google WiFi (easy set up, slower, cheap, linked to Google account)


Mac Network Settings

> System Preferences > Network


WiFi Settings - Remove Unsecured


Disable Proxies


Disable Sharing

> System Preferences > Sharing


Turn on Firewall


Control App Network Access


Show Bluetooth in Menu Bar

> System Preferences > Bluetooth


Subscribe to VPN

• Protects against Man-in-the-Middle attacks

- Rogue WiFi access points

- ISP monitoring

For reviews, see:

• https://thatoneprivacysite.net

• https://www.pcmag.com/article2/0,2817,2403388,00.asp


Change Networking Practices

• Turn off Wifi, Bluetooth when not using

• When traveling with MacBook:

- Log out and Sleep or Shutdown


In Public OK

• Compose or edit content

• View media (written, audio, video)

• Surf websites to read or view

➡ Check the SSID you connect to


Unless VPN Is On, Do NOT

• Sign into accounts

• Make purchases

• Check email

• Send or receive texts

• Use iPhone, iPad cellular service instead

• But guard your iDevice passcode!


Layers of Digital Security

1. Network

2. Physical Access to Mac

3. macOS

4. Applications (especially email, browsers)

5. Authentication for Internet services

6. Data storage


Layer 2 - Physical Security

• Don’t plug in untrusted devices.

• Shut down when you might lose possession.

• Install DoNotDisturb to detect physical access of laptop:

https://objective-see.com/products/dnd.html


BadUSB

• Reprograms embedded firmware.

• USB device can act as keyboard that surreptitiously types malicious commands.

• USB device can act as network card to connect to malicious sites impersonating Google, Facebook, banks.

• Works with almost all USB devices.


Layer 2 - Lockdown Access

macOS 10.13 supports Native Encryption so:

• Set Firmware Password

• Turn on FileVault full disk encryption

=> Especially on a laptop


Set Firmware Password

1. Restart, hold ⌘ R to enter Recovery

2. Utilities > Firmware Password Utility

3. [Turn on Firmware Password]

4. Enter password [Set Password]

5. Store the password in a safe place*

6. Test by restarting and holding ⌘ R

* If you lose the firmware password, you may have to take your Mac to an Apple Store


Turn on FileVault Encryption

1. > System Preferences

2. Security & Privacy > FileVault tab

3. Click

4. Enter administrator name, password

5. Click [Turn on FileVault]

6. If other user accounts, click [Enable User] to allow them to unlock the disk.

7. Choose to use iCloud account or create a local recovery key in case you forget the password


For More Information

• Set Firmware Password

https://support.apple.com/en-us/HT204455

• Turn on FileVault full disk encryption

https://support.apple.com/en-us/HT204837


Layers of Digital Security

1. Network

2. Physical Access to Mac

3. macOS

4. Applications (especially email, browsers)

5. Authentication for Internet services

6. Data storage


Layer 3 - macOS

• Apply macOS updates immediately.

• Install macOS upgrades by 10.14.1.

• Work in standard user accounts.

• Set strong account passwords.


macOS Updates

• e.g. 10.13.4 -> 10.13.5

• Interim release that fixes bugs, patches security vulnerabilities

• Apply update as soon as available

• Malicious individuals sometimes attack vulnerabilities within hours

• Back up first!


macOS Upgrades

• Free.

• Often add new features or functions, e.g. fundamental security improvements

• Many wait for the 10.x.1 bug fix

• Search for others’ experience upgrading

• Check for compatibility with applications

• Upgrade to most recent version of the OS your hardware supports


Backup First!

So you can revert if necessary!

1. Click in menu at top right of screen.

2. Drag to Back Up Now.

3. When completed, turn off back ups.

> System Prefs > Time Machine

Uncheck Back Up Automatically

4. Update/Upgrade.

5. When confident everything working, resume automatic backups.


Can’t Secure Vintage Macs

It is not possible to protect Macs which can’t install the current version of macOS from known attacks.


Apple Security Updates

https://support.apple.com/en-us/HT201222

“Available for: macOS High Sierra 10.13.4” means:

• Vulnerability found in 10.13.4

• Fixed only if you update to 10.13.5


Work in Standard Accounts

> System Preferences > Users & Groups

1. Create single dedicated administrator account

- Non-standard name, e.g. “Diverges Snapshot”

- Strong password (same as Apple ID ok)

- Won’t ordinarily login to this account


Demote Working Account

2. Restart Mac.

3. Log into new admin account.

4. > System Preferences > Users & Groups

5. Select working account.

6. Uncheck “Allow user to administer this computer”.


Standard Account(s)

• Demote all regularly used accounts to standard accounts.

• Remove out-dated Login Items.

• Set strong passwords.


Layers of Digital Security

1. Network

2. Physical Access to Mac

3. macOS

4. Applications (especially email, browsers)

5. Authentication for Internet services

6. Data storage


Layer 4 - Applications

Each application is a door into your Mac!

• Vet before installing (read reviews!)

• Pay for good applications

• Apply updates as soon as available

• Remove unused


Where to Get Applications

1. Mac App Store

2. Secure (https://) developer webpage

3. Reputable retailer (Amazon, B&H Photo)

4. Highly rated eBay vendor


Read App Reviews Before You Buy

Search the Internet:

• “app name” or “type of app” iOS review

• Look for reviews in MacWorld, Mac|Life, CNet, Lifehacker, PC Magazine, etc.

iTunes reviews

• Read bad and good


Allow Apps from App Store


Check App Privacy, Settings

• If a new app asks to access contacts or other data, decline if you don’t need it.

• Once a new app is installed, check settings:

- Settings > Privacy > Location Services

- Settings > Privacy > Each built-in app

- Settings > [new app name]


Update Settings


Check New App Network Access


Malicious Webpages

• Malicious javascripts that serve malware

• Download sites with pirated software keys, installers

• Fake installers for legitimate software on hijacked site

• Piggy-back installers that install malware with legitimate applications

• Initiate tech support scams


How to Protect Yourself

• *Uninstall Flash*!

• Use Safari for sites you sign into

• Use Firefox for searching, reading

• Install extensions to block ads, trackers

• Don’t let sites install extensions!

• Webpages can’t know Mac is infected!


Uninstall Flash

Remove this buggy and insecure extension!

For instructions:

https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html


Secure Browsing

• Safari - use only to:

- Log into sites to view/edit sensitive data.

- Make purchases

- Bookmark sites

- No searching, no browsing


Secure Browsing (2)

• Chrome

- Log into sites that don’t work properly in Safari.

- If you *must* view flash content

- Turn Flash (built into Chrome) off in content settings when not needing it.

- For privacy, turn off advanced security settings.


Chrome Advanced Settings


Chrome Security

• Cookies: Keep local data only until you quit your browser.

• Flash: Block sites from running Flash.


Chrome Content Settings


Regular Browsing

• Firefox (default) with security extensions:

- uBlock Origin to block ads

- Ghostery (share nothing, block all) to block ads and trackers

- Random Agent Spoofer (set Profile to: “Changes every 5 minutes to random Windows browser”)


Monitor URL Bar

• Make sure the address shown matches your intended destination.

• Padlock indicates a secure connection. Only sign in, make purchases when displayed:


Tech Support Scam

“A webpage cannot, by browser design, know that a user is infected and should never be using a flood of alerts with threatening messages to communicate with users.”

Najmeh Miramirkhani, Oleksii Starov and Nick Nikiforakis, “Dial One for Scam: A Large-Scale Analysis of Technical Support Scams”

https://www.securitee.org/files/tss_ndss2017.pdf


How to Contact Apple Support

• Call AppleCare: 800-275-2273

• Visit: https://support.apple.com/

• Do *NOT* call a number on a webpage for “Apple Support”!

• Do *NOT* trust a search on “Apple support”!


Login Credentials

• Don’t use Facebook or Google credentials (username, password) to log into other accounts.

• Use a strong unique password

• Consider using a dedicated email address for important accounts (e.g. Apple ID)


Surge of Phishing Emails

• With attachments: fake installers, Word documents, PDFs

• With links to malicious webpages

• With malicious javascript


Layer 4 - Applications - Email

• Use Mail app not website or Outlook

• Examine emails with links, attachments

• Ignore unrequested links, attachments

• Confirm sender, actual link destination


Use Mail Application

• Viewing on webmail using browser could execute embedded javascript

• Microsoft Outlook creates HTML email


Email Attachments

• Slow down, pay attention.

• Confirm sender:

- hover over name

- click on the down arrow to the right

• If unrequested, ask the sender in a new note whether they intended to include it.

• Use Quicklook to preview attachments.

• Drag Word attachments to Pages to view.


Confirm Link URLs

Confirm link address by hovering over the link with the cursor:


Use QuickLook for Attachments


Nigelthorn Malware

Source: https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/


Fake YouTube Page

Source: https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/


Recent Mac Malware

• Ransomware: Findzip

• Google docs phishing attack

• MitM proxy server: OSX/Dok

• Credential thief: MacDownloader

• Backdoors:

- Fruitfly/Quimitchin targets biomedical centers

- EmPyre and VBA distributed via Word macro

- XagentOSX/Komplex advanced cyber-espionage

- OSX/Pirrit injects adware from hidden account


Malware Activities

• Inject annoying adware

• Steal Google account contacts, email, calendars, documents

• Get user names, passwords from keychain

• Encrypt data for ransom

• Monitor communications, Internet activities

• Backdoors gain complete control of Mac


Malware Techniques

• Check against VirusTotal, then “pack” until not detected (using e.g. UPX)

• Encrypt using integrated key

• Sign with stolen Apple developer certificate

• Access OAuth (Google’s authentication system) bypassing 2FA


Anti-Virus Failure

• Traditional AV can’t detect new malware

• Invasive: hooks deep into macOS

• Large attack surface

• 6/2017 Google’s Project Zero found 25 high-severity bugs in Symantec/Norton (others found in Kaspersky, McAfee, Eset, Comodo, Trend Micro, etc)


Objective-See Security Tools

Do Not Disturb

alerts you if someone opens your laptop

KnockKnock

identifies applications which are executed when your computer restarts, you log in, or you launch a browser and compares against malicious applications catalogued at Virus Total


Objective-See Security Tools

BlockBlock (beta)

monitors for new persistently installed applications, allowing you to block them

RansomWhere?

monitors for file encryption, allowing you to generically stop ransomware

OverSight

alerts you when your Mac’s mic or webcam is accessed or activated


Objective-See Security Tools

• They are free, but I encourage you to make a contribution to support their development and on-going support.

• Get more information, download them, and contribute at:

https://objective-see.com/


Malwarebytes

• Malwarebytes for Mac (free)

- scans for viruses, spyware, malware infections

- premium version has roots deep in macOS so makes you more vulnerable if it is compromised

https://www.malwarebytes.com/mac/


Other Alternatives

• F-Secure Xfence creates rules that control what macOS applications can access (originally developed by Jonathan Zdziarski who now works for Apple on security)

• Little Snitch monitors and controls applications’ network activity


Have I Been Pwned

• Check if your account has been compromised in a data breach:

https://haveibeenpwned.com/


Basic Approach to Security

1. Prepare for worst-case scenarios

- Backup (best: onsite and off-site)

- Strong methods to verify identity

2. Create layers of security

3. Slow down, attend in risky situations

- Web browsing

- Email


Layers of Digital Security

1. Network

2. Physical Access to Mac

3. macOS

4. Applications (especially email, browsers)

5. Authentication (verifying identity)

6. Data storage
