Do you use antivirus? Which antivirus?
Do you use two-factor SSH?
Do you use IDS?
What else do you recommend?
It's how I caught a new Seagate external hard drive making calls to Baidu and Google. https://fosstodon.org/@lukewrites/100907932236227641
> When it loads, the disk is unwritable; you have a choice of
> a Mac executable or a Windows executable.
This is where you put the disk back in the box and return it for a full refund.
I appreciate that, Quickstray.
I think FDE plus a VPN and DNS blocker tends to be enough for non-state-level actors.
Almost all antivirus or security products on the Mac App Store should be treated with extreme skepticism. I recently saw that one of the top grossing apps was an antivirus product called Thor Antivirus. Looking under the hood, it was just ClamAV, and their claims about its protections were unsubstantiated. They probably made tens of thousands of dollars before Apple took them down in response to my report.
Several years before that, I audited SecureMac's MacScan, a once-popular antivirus app that had received accolades from MacWorld for years. It turns out it just checked file metadata such as modification times, and didn't even look inside.
Apple's app reviewers are not able to identify bogus security products, and the result is that you might damage your system by allowing some half-baked program to run amok.
I don't run any third-party antivirus myself, but when I was investigating a piece of Mac malware, I discovered that Malwarebytes had beaten me to the punch and published a great blog post on their investigation. I vaguely recall using their software to clean up a relative's Mac successfully.
By the way, at the time of writing, a program called Antivirus Zap - Virus & Aware is #6 on the Top Paid list of the Mac App Store. Antivirus VirusKiller is #41. I guarantee you they're both shit. (Antivirus Zap also uses ClamAV.)
I have Prey installed. On both devices, I have "admin" credentials taped to the back. The account is actually a locked down user-level account with very little authority, other than being able to get on wifi/browse the internet, etc. I suppose this would be a honeypot of sorts. My thought being if someone walks off with it, I want to be able to gather as much info on them as possible. I haven't given a whole lot of thought to this, so definitely curious if there are issues with this approach.
DEF CON 18 - Zoz - Pwned By The Owner: What Happens When You Steal A Hacker's Computer: https://youtu.be/Jwpg-AwJ0Jc
The only issue is a firewall on the router side, but that's a highly targeted attack then.
You also can't set a bootup/EFI password.
Touch ID for sudo http://osxdaily.com/2017/11/22/use-touch-id-sudo-mac/
Touch ID for SSH https://github.com/sekey/sekey (uses secure enclave)
I use this for 2FA https://krypt.co/ (uses secure enclave on your phone)
Touch ID for password management https://1password.com/
I upload dotfiles and other credentials in a keybase encrypted repo
macOS Security and Privacy guide is also a recommendation you can try.
> LuLu is the free, open-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user.
I would love to know if anyone else has switched over and what's missing. I haven't had a whole lot of time to do a thorough investigation.
A few years back I was a big fan of Little Flocker, which is now part of F-Secure as XFENCE. But I haven't used it since its rebranding; is anyone still using it?
https://www.obdev.at/products/littlesnitch/
https://1password.com/
https://objective-see.com/products.html
https://campaigns.f-secure.com/xfence/
And what software do you use regularly? Do you pirate software?
These are important questions to answer, before you come up with how to secure your Mac.
That said, I'm just an average developer. I hardly run anything non-standard. I do make sure to not leave my laptop unlocked, but that's it.
Regarding software: only system apps with the exception of say a password manager, code editor and git.
We built a Slack bot that shames (in good humor) people in the office who leave unlocked laptops unattended. We had a similar system at Twitter where we would tweet a certain codeword on unlocked laptops and it was very effective in stopping that behavior.
It's pretty hilarious because the person usually goes through with it.
It's recently escalated to sudolphin-ing (think a sudo alias involving cowsay and you're on the right track).
Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist
Securing macOS in 2018
Free OS X Security Tools
Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems
I like to set up a lock screen message with your name/phone. https://support.apple.com/en-us/HT203580. Not "security" per se, but can help get your computer back to you if stolen.
Set a firmware password to prevent your mac from being reformatted: https://support.apple.com/en-us/HT204455
If you're using FileVault, you may want to ensure you are not backing up your recovery key to iCloud. There's a terminal command (I think) to discover if it is.
You should also go in and show hidden files. In terminal:
"defaults write com.apple.Finder AppleShowAllFiles true"
What's your threat model? My recommendations are going to be based wholly on that. Are you an average Joe/Jane, or a reporter for The Intercept?
1. For evil maid attacks. https://objective-see.com/products/dnd.html
Everything else (2FA, password manager) is not macOS specific.
Just configure the top right corner to lock the computer (AFAIK it’s new in Mojave) or start the screensaver with an n-second delay for password prompt (configured separately under the screensaver tab). The delay is important because you will trigger it by mistake many times. The new lock option does not have a delay, which makes it a little less convenient.
- Full Disk Encryption
- Use Little Snitch
- Don't use iCloud
- Disable SSH except for your account
- Turn off remote login
- Run developer software in Docker containers
Not really an exhaustive list, but at least gets you started off.
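As an added example (not from any commenter in this thread), a read-only shell script that checks several items from this list and from the FileVault and firmware-password comments above. The check_* functions classify the text each macOS command prints, so they can be tried against constructed sample output anywhere; run_audit is the macOS-only part and needs sudo for two of the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Each check_* function takes the
# captured output of one macOS command and answers PASS or FAIL.

check_filevault() {          # input: output of `fdesetup status`
  case "$1" in *"FileVault is On"*) echo PASS ;; *) echo FAIL ;; esac
}
check_remote_login() {       # input: output of `sudo systemsetup -getremotelogin`
  case "$1" in *"Remote Login: Off"*) echo PASS ;; *) echo FAIL ;; esac
}
check_firmware_password() {  # input: output of `sudo firmwarepasswd -check`
  case "$1" in *"Password Enabled: Yes"*) echo PASS ;; *) echo FAIL ;; esac
}
check_app_firewall() {       # input: output of `socketfilterfw --getglobalstate`
  case "$1" in *"Firewall is enabled"*) echo PASS ;; *) echo FAIL ;; esac
}
check_ssh_allowusers() {     # $1: sshd_config text, $2: your login name
  # PASS only when an uncommented AllowUsers line names exactly your account
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*AllowUsers[[:space:]]+$2[[:space:]]*$" \
    && echo PASS || echo FAIL
}

run_audit() {  # macOS only: runs the real commands and prints one line per check
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  printf 'FileVault on        %s\n' "$(check_filevault "$(fdesetup status 2>/dev/null)")"
  printf 'Remote Login off    %s\n' "$(check_remote_login "$(sudo systemsetup -getremotelogin 2>/dev/null)")"
  printf 'Firmware password   %s\n' "$(check_firmware_password "$(sudo firmwarepasswd -check 2>/dev/null)")"
  printf 'App firewall on     %s\n' "$(check_app_firewall "$($fw --getglobalstate 2>/dev/null)")"
  printf 'sshd AllowUsers me  %s\n' "$(check_ssh_allowusers "$(cat /etc/ssh/sshd_config 2>/dev/null)" "$(id -un)")"
}

# Constructed sample outputs (not captured from a real machine) for trying
# the classifiers on a non-Mac host:
SAMPLE_FV_OFF="FileVault is Off."
SAMPLE_RL_ON="Remote Login: On"
SAMPLE_SSHD="# sshd_config excerpt
AllowUsers alice
PasswordAuthentication no"

if [ "$(uname)" = Darwin ]; then run_audit; fi
```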
SAASPASS Authenticator for regular 2FA
SAASPASS Browser extension for autofill of 2FA Authenticator codes
SAASPASS Password Manager for websites
If you really need security, get a computer, disconnect it from the internet. The end.
I use them more for privacy, but security is an added benefit.
My recommendation: stay offline as much as you can.