Ask HN: How do you secure your Mac?
137 points by jorangreef on April 18, 2019 | hide | past | favorite | 69 comments
Apart from full disk encryption and a password manager:

Do you use antivirus? Which antivirus?

Do you use two-factor SSH?

Do you use IDS?

What else do you recommend?

The thin I do that I think is most important is use Little Snitch (https://www.obdev.at/products/littlesnitch/index.html) to track/block/approve incoming and outgoing network requests.

It's how I caught a new Seagate external hard drive making calls to Baidu and Google. https://fosstodon.org/@lukewrites/100907932236227641

> When it loads, the disk is unwritable; you have a choice of
> a Mac executable or a Windows executable.
That's ridiculous. How do they justify that?

> When it loads, the disk is unwritable

This is where you put the disk back in the box and return it for a full refund.

+1 for Little Snitch, it's a bit overwhelming at first but totally eye-opening. After a few days you'll have a good ruleset going and it won't be as annoying.

>> I thin I do that

I appreciate that Quickstray.

I think FDE plus a VPN and DNS blocker tends to be enough for non-state-level actors.

I am a security professional and have thorough knowledge of macOS internals and the built-in security protections.

Almost all antivirus or security products on the Mac App Store should be treated with extreme skepticism. I recently saw that one of the top grossing apps was an antivirus product called Thor Antivirus. Looking under the hood, it was just ClamAV, and their claims about its protections were unsubstantiated. They probably made tens of thousands of dollars before Apple took them down in response to my report.

Several years before that, I audited SecureMac's MacScan[0], a once-popular antivirus app that had received accolades from MacWorld for years. It turns out it just checked file metadata such as modification times, and didn't even look inside.

Apple's app reviewers are not able to identify bogus security products, and the result is that you might damage your system by allowing some half-baked program to run amok.

I don't run any third-party antivirus myself, but when I was investigating a piece of Mac malware, I discovered that Malwarebytes had beat me to the punch and published a great blog post on their investigation. I vaguely recall using their software to clean up a relative's Mac successfully.

By the way, at the time of writing, a program called Antivirus Zap - Virus & Aware is #6 on the Top Paid list of the Mac App Store. Antivirus VirusKiller is #41. I guarantee you they're both shit. (Antivirus Zap also uses ClamAV.)

0: https://web.archive.org/web/20110719013009/http://rgov.org/2...

My primary concern is someone physically stealing my Macbook or iMac. They are personal devices and the content on them would not be much of interest to others, foreign governments or other entities.

I have Prey[1] installed. On both devices, I have "admin" credentials taped to the back. The account is actually a locked down user-level account with very little authority, other than being able to get on wifi/browse the internet, etc. I suppose this would be a honeypot of sorts. My thought being if someone walks off with it, I want to be able to gather as much info on them as possible. I haven't given a whole lot of thought to this, so definitely curious if there are issues with this approach.

[1]: https://preyproject.com/

I'm more in the camp that if someone takes it, I write it off. I don't want to get my life dragged down in the minutiae of "who took it, where is it". I just want to restore from (encrypted) backup and move on with my life.

Neat. I read once about someone who had their photo booth folder set with a folder action to automatically post photos to Instagram (or something). When their Macbook was nicked their feed got spammed with photos of the thief and their friends.

Your comment reminded me of this:

DEF CON 18 - Zoz - Pwned By The Owner: What Happens When You Steal A Hacker's Computer: https://youtu.be/Jwpg-AwJ0Jc

This is wonderful.

Wow, that's a great idea to provide a fake admin account, so that you can get usage data. Could be useful even if you don't use Prey, if you have Find My Mac turned on.

I've done something similar too, with a script that'd continually poll a website upon user login, and Find My Mac.

The only issue is a firewall on the router side, but, that's a highly targeted attack then.

You also can't set a bootup/EFI password.

Question - I used to use Prey and loved it, but stopped about 5 or 6 years ago because (IIRC) it didn't work with full disk encryption or something like that. Instead I ended up setting up a separate user and find my Mac (or whatever the apple one is called). Has this changed? If you have a couple of minutes could you tell me how you have it set up?! Thanks!

I use Prey with FileVault 2. I also have Find My Mac enabled.

I try to use Touch ID for everything it can be used for.

Touch ID for sudo http://osxdaily.com/2017/11/22/use-touch-id-sudo-mac/

Touch ID for SSH https://github.com/sekey/sekey (uses secure enclave)

I use this for 2FA https://krypt.co/ (uses secure enclave on your phone)

Touch ID for password management https://1password.com/

I upload dotfiles and other credentials to a Keybase encrypted repo.
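The Touch ID for sudo setup in the linked osxdaily article comes down to one PAM line. The script below is an added example (not the commenter's code and not from that article) that inserts `auth sufficient pam_tid.so` into a pam.d file idempotently; it assumes you run it as root against /etc/pam.d/sudo, and the path argument exists so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: enable Touch ID for sudo by adding the pam_tid.so module.
# "sufficient" means a successful Touch ID check satisfies authentication;
# if it fails or is unavailable, PAM falls through to the password modules.
# Usage: sudo sh touchid-sudo.sh --apply [/etc/pam.d/sudo]

TOUCHID_LINE='auth       sufficient     pam_tid.so'

enable_touchid_sudo() {
  pamfile="${1:-/etc/pam.d/sudo}"
  [ -f "$pamfile" ] || { echo "no such file: $pamfile" >&2; return 1; }
  # Idempotent: do nothing if the module is already listed
  if grep -q 'pam_tid\.so' "$pamfile"; then
    echo "already enabled in $pamfile"
    return 0
  fi
  tmp="$(mktemp)" || return 1
  # Insert before the first non-comment, non-blank line so Touch ID is tried
  # before the smartcard/password modules; append if the file has no rules.
  awk -v l="$TOUCHID_LINE" '
    !done && $0 !~ /^#/ && $0 !~ /^[[:space:]]*$/ { print l; done = 1 }
    { print }
    END { if (!done) print l }' "$pamfile" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Overwrite in place (keeps the original owner/mode) instead of mv'ing the temp file
  cat "$tmp" > "$pamfile" && rm -f "$tmp"
  echo "enabled Touch ID for sudo in $pamfile"
}

# Touch the real file only when explicitly asked
if [ "${1:-}" = "--apply" ]; then
  enable_touchid_sudo "${2:-/etc/pam.d/sudo}"
fi
```

macOS updates can rewrite /etc/pam.d/sudo, so re-check after an upgrade; on macOS 14 and later the supported place for the line is /etc/pam.d/sudo_local, which sudo includes and updates leave alone.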

So I assume your threat model is exclusively keyloggers? It's certainly not physical access. Your fingerprints are all over the device's surface, so a determined attacker can easily duplicate them. (And to a non-determined attacker, Touch ID does not make much of a difference to passwords.)

Having your SSH key password protected would be a lot more annoying than having it Touch ID protected. The threat model would be someone using your Mac if you left it unlocked for a minute or something.

Do laptops without Touch ID have a Secure Enclave (or a way to access it)?

I follow some parts of Bejarano's [0]. It was discussed on HN https://news.ycombinator.com/item?id=18099835 (6 months ago).

The macOS Security and Privacy Guide [1] is also a recommendation you can try.

[0]: https://blog.bejarano.io/hardening-macos.html

[1]: https://github.com/drduh/macOS-Security-and-Privacy-Guide

I used to use Little Snitch and now came across LuLu [0].

> LuLu is the free, open-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user.

I would love to know if anyone else has switched over and what's missing. I haven't had a whole lot of time to do a thorough investigation.

[0]: https://objective-see.com/products/lulu.html

I have been using LuLu for several months and love it. The interface for managing rules is easy to follow.

Little Snitch [1], 1Password [2], macOS Filevault, {BlockBlock, RansomWhere, OverSight, ReiKey} by Objective-See [3]

A few years back I was a big fan of Little Flocker, which is now part of F-Secure as XFENCE [4]. But I haven't used it since its rebranding. Anyone using it anymore?

[1] https://www.obdev.at/products/littlesnitch/

[2] https://1password.com/

[3] https://objective-see.com/products.html

[4] https://campaigns.f-secure.com/xfence/

What exactly is your threat model? Are you a developer of a very public software project? Are you a politician or a journalist? Or someone in HR? Or are you just an average Joe?

And what software do you use regularly? Do you pirate software?

These are important questions to answer, before you come up with how to secure your Mac.

That said, I'm just an average developer. I hardly run anything non-standard. I do make sure to not leave my laptop unlocked, but that's it.

Assume it's for a software developer.

Regarding software: only system apps with the exception of say a password manager, code editor and git.

I basically follow the NIST Guide to Securing Apple macOS: https://csrc.nist.gov/publications/detail/sp/800-179/rev-1/d...

Shameless plug since it's relevant:

We built a Slack bot [0] that shames (in good humor) people in the office who leave unlocked laptops unattended. We had a similar system at Twitter where we would tweet a certain codeword on unlocked laptops and it was very effective in stopping that behavior.

[0] https://sniped.app/

At Accenture, we use the person's unlocked laptop and Outlook to invite 5-15 colleagues to a cake celebration a week into the future.

It's pretty hilarious because the person usually goes through with it.

Around the lab I work at we do a similar thing, always some variation on dolphins. Dolphin background, messaging a dolphin on slack, etc.

It's recently escalated to sudolphin-ing (think a sudo alias involving cowsay and you're on the right track).

Hardening macOS https://blog.bejarano.io/hardening-macos.html

Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist https://www.nist.gov/publications/guide-securing-apple-os-x-...

Securing macOS in 2018 https://www.davd.eu/securing-macos/

Free OS X Security Tools https://objective-see.com/products.html

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems https://github.com/CISOfy/lynis

For me the most important aspect is the use of a VPN, security software, and the combination of multiple layers of authentication. These are of course just general good practices, but how you implement them is what's unique compared to Windows or Linux. A full list would be too long for an HN comment, but a few months ago I put together something of a reference guide listing the methods I apply to secure Macs in a roughly organized fashion. It's brief in most aspects, but hopefully it can be of use to someone. It's licensed under Creative Commons, so feel free to redistribute it. I've uploaded it to iTunes[1], but if Freedom is a concern I can email[2] a PDF of it directly.

[1] https://itunes.apple.com/us/book/kickstart-security-macos-mo...

[2] contact@austinlasota.com

As others have mentioned, Little Snitch + Block Block is a powerful combination that lets you (1) see what is phoning home, and (2) know what crap apps are installing in the background.

I like to set up a lock screen message with your name/phone: https://support.apple.com/en-us/HT203580. Not "security" per se, but it can help get your computer back to you if stolen.

Set a firmware password to prevent your mac from being reformatted: https://support.apple.com/en-us/HT204455

If you're using Filevault, you may want to ensure you are not backing up your recovery key to iCloud. There's a terminal command (I think) to discover if it is.

You should also go in and show hidden files. In terminal: "defaults write com.apple.Finder AppleShowAllFiles true"
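A small audit script, added here as an example (not this commenter's code), that checks the settings this comment recommends: FileVault on, a firmware password set, and hidden files shown in Finder. It goes one step beyond the comment by also checking that Remote Login (SSH) is off, which other replies in the thread advise. It assumes an Intel Mac (firmwarepasswd does not exist on Apple silicon) and an admin account for the sudo commands; the parse_* helpers take command output as an argument so the logic can be exercised without a Mac.

```shell
#!/bin/sh
# Added example: audit a few macOS hardening settings recommended in the thread.
# Each parse_* function takes the output of the corresponding command as $1 and
# prints PASS or FAIL; run_audit executes the real commands on a Mac.

# "fdesetup status" prints "FileVault is On." when the boot volume is encrypted
parse_filevault()   { case "$1" in *"FileVault is On"*)       echo PASS ;; *) echo FAIL ;; esac; }
# "firmwarepasswd -check" prints "Password Enabled: Yes" when an EFI password is set (Intel only)
parse_firmwarepw()  { case "$1" in *"Password Enabled: Yes"*) echo PASS ;; *) echo FAIL ;; esac; }
# "systemsetup -getremotelogin" prints "Remote Login: Off" when SSH is disabled
parse_remotelogin() { case "$1" in *"Remote Login: Off"*)     echo PASS ;; *) echo FAIL ;; esac; }
# "defaults read com.apple.Finder AppleShowAllFiles" prints 1 or true once the
# key is set; an unset key makes defaults exit non-zero, which we treat as FAIL
parse_showhidden()  { case "$1" in 1|true|TRUE|YES|yes)       echo PASS ;; *) echo FAIL ;; esac; }

# check LABEL PARSER COMMAND...: run the command, feed its output to the parser,
# print one aligned result line. A missing tool or failing command yields FAIL.
check() {
  label=$1; parser=$2; shift 2
  out=$("$@" 2>/dev/null) || out=""
  printf '%-22s %s\n' "$label" "$("$parser" "$out")"
}

run_audit() {
  check "FileVault"          parse_filevault   fdesetup status
  check "Firmware password"  parse_firmwarepw  sudo firmwarepasswd -check
  check "Remote Login (SSH)" parse_remotelogin sudo systemsetup -getremotelogin
  check "Show hidden files"  parse_showhidden  defaults read com.apple.Finder AppleShowAllFiles
}

# The tools above exist only on macOS; elsewhere just expose the functions
if [ "$(uname)" = Darwin ]; then
  run_audit
fi
```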

I don't do any of the above! I lock it, keep it up to date and am not foolish about what to run/download.

While I strongly advise avoiding traditional "antivirus" software like Symantec, EtreCheck[1] is a wonderful diagnostic tool for checking your Mac's general health. Included in that health check is a full disk sweep for any known adware. I used it just this past year to help identify and remove some adware on my parents' computer, and would highly recommend it.

[1] https://etrecheck.com

Filevault, no antivirus (except what comes with macOS), Objective See's Do Not Disturb [1], 2F SSH depending on the host.

What's your threat model? My recommendations are going to be based wholly on that. Are you an average Joe/Jane, or a reporter for The Intercept?

1. For evil maid attacks. https://objective-see.com/products/dnd.html

Antivirus - Sophos Home Free, and according to me the only real antivirus.

Little Snitch is excellent for severing unintended network connections.

Search engine - startpage.com. This one has been excellent as I get privacy + search results same as Google.

I use AdGuard... Very effective.

DNS from Cloudflare.

My friend built this audit / lockdown tool for enhancing security defaults in Mac. Maybe you will find it useful :) https://github.com/0xmachos/mOSL

FileVault, strong system password, Little Snitch.

Everything else (2FA, password manager) is not macOS specific.

Full disk encryption, that's it. When I get up, I lock the screen.

To add to this: the shortcut key for locking the screen is Cmd+Ctrl+Q. There's also the possibility of configuring a Hot Corner for this.

I’ve been using hot corners for approximately 5 years I think. It works very well.

Just configure the top right corner to lock the computer (AFAIK it’s new in Mojave) or start the screensaver with an n-second delay for password prompt (configured separately under the screensaver tab). The delay is important because you will trigger it by mistake many times. The new lock option does not have a delay, which makes it a little less convenient.

Also if you have a Touch Bar Mac you can add a “lock” button to the Touch Bar. I mostly use that one and unlock with my watch when I come close.

Thanks for posting this. I have been missing the Cmd-Shift-Power ever since getting a TouchBar.

Yeah I'm very happy with that shortcut :) others mentioned a shortcut with Ctrl-Shift-Escape, to force it to sleep. But doesn't seem to work in my case (I'm often using my MacBook in clamshell mode).

Didn't know this, I was using an Alfred command instead. Thanks!

I was using some other workaround as well. The shortcut is new since Mojave! :)

I use Ctrl+Shift+Esc to put my screen to sleep (which locks it).

Whoops. I never actually look at the keyboard (too late to edit my comment). It's Ctrl+Shift+Power

Is this a default shortcut key?
Hot corner it is for me.

If you're paranoid:

- Full Disk Encryption
- Use Little Snitch
- Don't use iCloud
- Disable SSH except for your account
- Turn off remote login
- Run developer software in Docker containers

Genuine question: Is iCloud any more insecure than any other cloud service? I was thinking of shifting a lot of stuff to it.

How does FileVault work with Google cloud? I have a Google cloud folder which is synced with my local drive. Now if I enable FileVault, it will encrypt all the data... but I'm not sure what will happen to the Google Drive folder on Mac. How will Google Drive manage my encryption then?

FileVault is encryption at the disk level; you unlock at startup. Unless you have other encryption methods for files or directories, once you're logged in, they are unencrypted as far as Google Drive or any other app sees it.

Ah, thanks. That helps.

Quick question; what's the point of running development software in docker from a security perspective?

In addition to FileVault I have uBlock Origin installed on all browsers and Malwarebytes running. But I have no idea if these programs are working, are looking for the correct threats or potentially have malware themselves. So far so good...

I follow this: https://spreadprivacy.com/mac-privacy-tips/

Not really an exhaustive list, but at least gets you started off.

saaspass.com for 2FA on macOS

SAASPASS Authenticator for regular 2FA

SAASPASS Browser extension for autofill of 2FA Authenticator codes

SAASPASS Password Manager for websites


And here:
2FA all the time. And I don't usually join public connections.

I don’t. I keep my super sensitive data in my head. I never believed in computer security and never will. But then, I never believed in security in general. Why on earth would you need an antivirus for a Mac? I don’t even remember the last time Avast gave me a virus warning on Windoom 10. Nowadays it’s mostly worms, ransomware and spyware, rarely a Trojan horse. The age of the virus has long gone after the start of the age of not-slow internet. The only thing I do is to back up my data via Dropbox and MEGAsync.

If you really need security, get a computer, disconnect it from the internet. The end.

If the concern is ransom-ware, what works well?

I don't. Never had an issue. 2FA for secure web needs if it is offered.

Most useful tools:

- Little Snitch
- Firefox with lots of privacy settings + uMatrix + Decentraleyes

I use them more for privacy, but security is an added benefit.

It doesn't matter what you do, Apple controls and shares your data.

My recommendation: stay offline as much as you can.

It doesn't matter what you do, Apple harvests and shares your data.

My recommendation: stay offline as much as you can.

Do you have any evidence that Apple harvests data stored on Macs and shares it with third parties? If so, that would be big news given Apple's stance on security and privacy.

I update my hosts file to stop communication with the bad guys: https://github.com/StevenBlack/hosts/blob/master/alternates/...
