diese Website in deutscher Sprache - this website in Dutch

Safe computing with a Mac

Some basic rules
- Keep your system software up to date. This already happens by default: automatically, but Miep wants to point this out to you anyway.
There are no updates for nothing. Apple also sometimes fails in that area and leaks and errors must be resolved as soon as possible.

You cannot fail to notice that there is a system update. You can see it in your Dock:



And in the Apple menu:



And also in System Preferences => Updates:



Under 'Advanced' you can choose to update your Mac fully automatically. This is also the default setting. You'll get a notification to restart your Mac:



You can choose to do restart at a later time:



- Download only from the App Store and from certified software manufacturers. This is the default setting in MacOS - and the safest.

NOTE: Of course it is possible to install non-certified apps. This has been discussed - as a warning - in chapter Software Tips.

- Keep your software up to date. Most apps have an automatic update function. Use these and don't be fooled by a fake update window in your browser! In case you're not sure: visit the site of the manufacturer.
Software from the App Store gives a notice:



- Never go via email to a money-related website (bank, PayPal, eBay, web shops) where you have to log in.
Clicking on a link in an email is very quick and easy, but the risk is too great to end up on a fake website.
Go to your browser and find the website in it. Make and use Bookmarks.


- Do not open foreign files that you receive by email - without first checking the origin.


- Don't be tempted by advertisements from software makers claiming to give your Mac a good cleaning. Maintenance software for the Mac is in principle NOT NECESSARY! Under the hood, a Mac is a UNIX system and has self-cleaning capability. Paying for cleaning or maintenance software is GONE MONEY.

Read more here: The-myth-of-the-dirty-mac, an article from 2012 but still relevant, as the basic principles of MacOS haven't changed.


Also ads or websites that tell you to clean your Mac: all nonsense!
They are getting more sophisticated and look very real. Recently I even got a voice message that my Mac was full of viruses and needed to be cleaned up. Yada yada yada...
Or you might get a webpage in front of where very real notifications suddenly appear. Just like on your Mac itself, in the upper right of your screen.
These notices report the so-called viruses on your Mac and of course there is a solution. They will solve it for you.

Don't be fooled! This is all fake!



In other words: keep your hands off the button 'Scan now'!


Further rules
- Use the two-factor authorization of your Apple ID and iCloud (more in chapter Privacy on the Mac.


- Always use different passwords for your Mac account, your email account, etc. Take care of it (write it down!). Never simply enter your administrator password, but do so with care.

NOTE: A good password has at least six characters and also has numbers and punctuation marks on board. Safari can also make up your passwords for you. These are always secure enough.


- Always leave the setting 'Warn when visiting fraudulent sites' in Safari under Preferences under 'Security'!


Make sure you stay well informed
A real virus for the Mac will be world news. Non-Mac sources will therefore quickly provide you with incorrect or exaggerated information, because Apple is of course a hip subject that attracts clicks (clickbait).

Read the right information in the right place
Instead of average news sites, it is better to keep an eye on Mac-specific news sites such as Macworld.com. For the relevant news in the Mac field. So if you read something in the newspaper, go to one of these sites to check the news for facts.



WARNING
- Only install Java if you absolutely need it.
- Flash must be completely removed from 2021. It has been abandoned.
All new Flash updates are fake!


Don't panic
Do not immediately think of a virus or the like. When your Mac is in trouble, also realize that despite your secure Mac you will never be 100% invulnerable.



What does Apple actually do to keep my Mac secure?
- MacOS has Gatekeeper, a process that checks downloaded software. It will issue a warning:


And will also block and remove known Malware.
- Plus your Mac has S.I.P. on board, or 'System Integrity Protection'.
This means that the 'root' account is limited by default and the most important system files are 'read only'.
Normally the 'root' user is the one who can and can do everything. In other words 'God' in a UNIX system.
Apple has limited this. The standard supplied software is protected against manipulation and the folders: / System, / usr, / bin, / sbin, and / var are also not accessible.

In plain Engish?
Basically, you can only install certified software. So from the App Store or from manufacturers known to Apple.
You can work around this, see the chapter Software tips.
S.I.P. You can also turn it off completely. This can sometimes be useful with older audio hardware whose drivers do not work properly with SIP. However, this is beyond the scope of this course.

Note: System Integrity Protection is there with MacOS 10.13 El Capitain and up.

A warning for password leaks
Safari warns you when you have a website password that has been victim of hacking or a data leak:



What Apple does to protect your Mac.

Secure your Mac against network attacks: the Firewall
A computer that hangs in a network and communicates with other computers, does so via so-called Ports (gates, virtual access roads).
Each port has a number. A number of port numbers are fixed. Internet traffic (surfing), for example, goes via port 80 and E-mail via port 25. Ports that are not used (there are theoretically thousands) can be misused. It is therefore important to keep all unnecessary ports closed.

What does a Firewall do?
This is what a Firewall does: allow the computer to use a limited number of ports while blocking outside traffic.
In addition, a Firewall can ensure that the computer cannot be seen at all from the outside. We call this Stealth. That's the safest setting.

Turn on firewall
MacOS has a built-in Firewall. This keeps all ports closed by default and opens some if necessary. You turn it on (or off) in System Preferences => Security & Privacy => Firewall.




Configure the firewall at 'Advanced'
Advanced users can adjust their Firewall here by clicking on the + symbol:



Insight into what is open
Here you can also see which software all "calls home". Most software does this on its own, because of checking for legality and updates.

Activate stealth mode
When you click on 'Advanced', you can activate the Stealth mode, among other things. This means that your computer is not 'visible' online.

NOTE: Most internet modems and routers also have a Firewall build in. This can usually be configured via your browser. See the modem manual.


Faulty websites
The website itself does not always have to be 'wrong', an extra can also be added without the administrator of that website knowing.
So by accident. For example, an advertisement that links to a false website or nasty software.

NOTE: Usually this joke is aimed at our Windows friends. But the increasing popularity of our platform means that we Mac users too can be affected.


Fishermen's BS: Phishing
I regularly receive e-mails that a security update has taken place at my bank that my credit card is no longer valid, that a new card is ready for me, my account has been blocked .. etc. "I need to log in ASAP".
Often these emails seem deceptively real:



This is called Phishing. Phishing has become a bigger problem than bad software. Variants of Phishing are SMishing fraud via SMS, and WhatsApp fraud about a friend in need of money with a new phone number.
All a form of 'Social Engineering'.

The link in this fake email takes you to a website that looks deceptively real like the original banking site. You have to log in there, enter codes and mobile number, etc.
Of course there are criminals behind this who are after the contents of your bank account.

DON'T GET POWNED

Always go to the bank's website via your browser to do something there. Never via email!!!

This also applies to so-called mails from 'Apple', FBI, NSA or anyone else.
Genuine Apple mails
Here's how to spot them:
Genuine Apple email, how does it look? .

Apple warning mails
Apple nicely warns you in case someone logged in on iCloud.com from an unknown machine:



Note: this email has been translated from Dutch to English.


What to do about fake web addresses
- Never go to a website via a link in an email. Go to your browser and use Bookmarks (Favorites) or do a quick search.

- Create a Bookmark (or Favorite). This is shown in chapter Safari. Always go to the site through this Bookmark. Then you know for sure that you always end up in the same place ... (if you did it right the first time, of course ...)

- Check whether the correct name of the site is in the address bar; a typo is quickly made. Safari uses Google Safe Browsing information to warn you for fraudulent websites. This can be found in Safari => Preferences => Security:



Also pay attention to the lock in front of the address
The lock in front of the address means that there is a secure (HTTPS) connection between your computer and that of the bank/webshop. The communication between them cannot be read by third parties.
However: any website can do HTTPS, MacMiep too. A lock does not say anything if the site is original!

Show full web address in Safari
By default, Safari only shows the website name in the browser bar.
You will not see the actual address. You can change this in Safari => Preferences => Advanced:


Examples of fake websites (look at the addresses):






Anti-virus programs
MacMiep worked without an anti-virus program since the introduction of MacOS in 2001 until March 2016.
Reason: In general, these programs presented more problems than they prevented. It made your Mac go slow. Plus there was no malware for MacOS.

Why now?
Apple is a lot more popular than it was twenty years ago.
Malware has come to the Mac in recent years. That's why MacMiep now uses Malwarebytes once a week. However, she does not leave the program on all the time. This is not necessary in the current situation.


Other forms of security software
MacMiep has been using the Little Snitch program for several years since the emergence of the Mac Trojans.

What does Little Snitch do?
Little Snitch keeps an eye on all your incoming and outgoing network traffic. No program calls home without Little Snitch noticing. It immediately reports the call attempt. Then you have to give permission - or not. And that has to be done quite often, especially in the beginning!



Banners on websites, for example, sometimes secretly want to make connections:

In Mail, Little Snitch also warns you about sneaky contacts. Many spammers or commercial mailers put pictures in their emails, that are located on webservers. Each time one reads the mail, the picture is loaded from the website and the sender knows his mail has been opened.

Is Little Snitch recommended?
Would MacMiep therefore recommend this program to every Mac user? Yes, but not for the beginner. Since Little Snitch sees EVERYTHING, and it is not immediately clear why network traffic is needed, it can be confusing. Let alone the annoyance it can cause.
After all, almost all software calls home, for example to check legality or for updates. And always automatically clicking 'Allow' is not an option, because then you might as well not use Little Snitch.


Java
Java is a platform independent language in which programs are written.
The problem with Java is that it has had quite a few security issues. Java is therefore no longer installed by default. If you absolutely need it (look for non-java alternatives first), you can download it from Java.com. Keep it updated!


Extra tough security for your Mac
There is a way to lock your entire Mac from outsiders. This goes further than logging into the MacOS system. It is the Firmware Password. This makes it impossible for the Mac to boot from an external drive or Recovery partition. In the event of theft, the Mac is worthless, as long as the administrator password is also kept secret!

Set firmware password
Boot from the Recovery partition or USB recovery drive *.
From the Utilities menu, choose => Program Firmware Password. Now enable the Firmware Password.
* Explanation about this in the chapter Problems.




Bluetooth detection
Bluetooth works with wireless mice and keyboards, but also with Macs, iPhones and iPads.
Did you know that anyone close by and in possession of a Bluetooth device or detector can see that you have a Mac (in your bag, backpack, trunk)?
You may not like that.
Then go to System Preferences => Bluetooth and choose Turn off Bluetooth.



Quickly turn off Bluetooth
You can also do this in the Menu bar:




Find My Mac: In case your Mac is stolen
Unfortunately, Apple products are loved by the thieves' guild. That is why there is a built-in retrieval system in every Mac, iPhone or iPad. It's called Find My Mac. You must have turned it on beforehand.
You can do this at System Preferences => Apple ID 'Find My Mac':



It is then necessary to have the Location Services on:




Once your Mac is nicked, log in to iCloud.com with your Apple ID to find the location of your Mac (or iPhone in this case):



Wait and see:



A map will appear showing the location of your Mac / iPhone / iPad that you can zoom in on:



The police are aware of this possibility. They can help you if an exact address appears. Unfortunately, this can be difficult in flats.
Good luck!


Secure the Mac physically
Macs always had a special hole that fits some sort of cable lock. This way you could secure your Mac to your desk. Detaching can only be done with brute force, so it will always be clear that the Mac is theft.



Unfortunately, the latest Macs no longer have such a hole. There are now solutions that work with industrial glue:




Finally, the best form of security MacMiep can name
run to the local shelter and get yourself a cat!


Tippie had his own ideas about security





The next chapter is:
privacy on the Mac






Disclaimer: MacMiep is independent. This means she writes what she wants, based on 30 years of Mac-experience. She doesn't get paid for stories (positive or negative) on this website. MacMiep is not interested in your data. However, she does use Google's services. Google is indeed interested. Are you happy with MacMiep? Please support your local cat shelter.