MacMost.com
The Practical Guide to Mac Security
The Practical Guide to Mac Security by Gary Rosenzweig
Second Edition, January 2017
For Use With: macOS 10.12 Sierra
Copyright 2017 Gary Rosenzweig. All Rights Reserved.
This free e-book is a product of MacMost.com. Check out http://macmost.com for daily new Mac and iOS video tutorials, tips and news. Sign up for the MacMost newsletter to get free tutorials sent right to your inbox each week.
http://macmost.com/newsletter 
1. Online Password Security
    Improving Your Passwords
    Using Different Passwords Everywhere
    Moving Up To Two-Factor Verification
    Dealing With Security Questions
    What To Do If Your Accounts Have Been Compromised
    Chapter Actions
2. Malware and Hackers
    Do You Need Antivirus Software?
    Following Three Simple Rules
    Using Gatekeeper
    Protecting Your Data With Mac User Accounts
    Setting Up Guest User Accounts
    Do You Need macOS Firewall?
    Staying Safe With Secure Connections and VPN
    Chapter Actions
3. Scams and Tricks
    Recognizing Phishing Scams
    Avoiding Social Engineering Tricks
    Ignoring Misleading Web Ads
    Help Stop False and Misleading Sharing
    Stay Away From Email Scams
4. Physical Disasters
    Backing Up Your Mac
    Storing Your Files in the Cloud
    Using FileVault and Encrypted Backups
    Backing Up Online
    Cloning Your Hard Drive
    Preventing Problems With a UPS
    Find My Mac
    Chapter Actions
5. Frequently Asked Questions
    Suspicious Sharing
    Peek-A-Boo
    Stopping Spam
    PIN Problems
    Wi-Fi Passwords
    Exploits Versus Malware
    Keep It Secret
    Keep It Secret 2
    What’s Your Location?
    Selling Your Mac
    Private Web Browsing
    More Help
    More Information
Introduction
What do you think of when you hear “computer security?” Do you think about viruses that could infect your computer? Do you think about someone breaking into your Facebook, Gmail or eBay account? Do you think about losing all of your files and photos if you lose your computer or its hard drive crashes?
Securing your Mac means protecting against these dangers and more. But the steps many people take to protect themselves are often ineffective. Installing antivirus software or using what people consider good passwords are well-intentioned steps, but they fall short of providing real security.
In this book, I’ll review the different types of security threats that you face as a Mac user and as an Internet user. For each, we’ll look at how to best protect yourself.
This book is a guide for the practical Mac user. It is not a book on how to keep yourself 100 percent secure in every way. The only way to do that is to stay offline completely and never leave the house. If you wish to make your Mac and your entire digital life completely secure in every sense, this is not the book for you.
This is a guide for those who want to use their Mac to connect to the world. This is for those who want to buy things online, share over social media and travel with their Mac while maintaining a decent level of security.
I’ll show you common sense techniques for staying safe online. The idea is not to build a wall around you, but to learn how to look out for problems and avoid common security pitfalls.
I’m going to give you honest advice. You’ll learn my personal approach to protecting myself, and I’ll share what I recommend to friends and family. Sometimes this advice will go against what you have heard elsewhere. I don’t have any agenda except to be straightforward and to teach what I practice.
Even if you don’t follow every piece of advice I give you, I hope that this book makes your computing life a little more secure and safe.
About the Author
Gary Rosenzweig is the host and producer of MacMost.com, a website dedicated to helping people get the most from their Macs and other Apple products. Gary has been writing about computers and technology for 21 years. His books include the best-selling My iPad series (2010-present) and the MacMost Guide to Switching to the Mac (2009). He has created more than 1,300 free video tutorials for MacMost.com. He also creates iOS and web-based games and apps.
Gary’s first computer was a TRS-80 Model III in 1982. His first Apple product was an Apple IIe in 1986. He has a bachelor’s degree in computer science from Drexel University and a master’s degree in journalism from the University of North Carolina.
You can follow Gary at MacMost.com, on Twitter @rosenz and on Facebook at http://facebook.com/macmost. You can email him at questions@macmost.com.
1. Online Password Security
Where are you most vulnerable? Are you worried about computer viruses? Are you worried about hackers listening in on your conversations? Are you worried about your money being stolen or purchases being charged to your credit card?
These are all legitimate concerns. But the chances of them happening to you are far less than something else, something very simple. It is easy for someone to break into your online accounts by guessing your password.
Improving Your Passwords
So you think you have a password that can't be guessed? Take this simple test to determine the strength of your password: Is the password something you thought up?
If your answer is "yes" then you have a weak password that can easily be guessed. It is probably just a matter of time before your online account is compromised.
Let's take a look at what comprises a weak password and the dangers associated with them. Then, we'll learn about strong passwords and how to create one. We'll also look at more ways to improve your online security using techniques like two-factor authentication.
Avoid Weak Passwords
Ever wonder how celebrity accounts are hacked, revealing their personal correspondence and candid pictures? It doesn’t usually involve covert operations or expert black hat hackers. Someone just guessed their password.
With celebrities, it is easy. Someone tries to log in to their Facebook or Twitter account using well-known information—the name of their dog or child, or a favorite catchphrase—to guess their password.
As a non-celebrity, you may think you are safe from this. But that is not the case. A malicious hacker doesn’t need to know anything about you to guess a weak password.
What is a weak password? Anything that can be guessed. Dictionary words are the most common weak passwords. But names, patterns (like dates) and misspellings of dictionary words are also weak. Think you are clever by using a zero instead of the letter “O” or a 3 instead of the letter “E”? Those are still weak passwords.
You see, malicious hackers will use networks of thousands of compromised computers to try to log into millions of accounts per day. They will use real email addresses and then try to guess your password from lists of millions of common passwords. Programs will try all sorts of variations using names, dates, dictionary words and other patterns.
Using a password like “Joe21808,” the name and birthdate of your child, means that you are vulnerable to these sorts of attacks. It might not happen today or tomorrow, but at some point you may find that someone has gained access to your Facebook or iCloud account. First they change the password and lock you out. Then they message all of your friends and tell them about the latest deal on imported erectile dysfunction medication.
So how do you protect yourself? At the very least, you should use a strong password. But you should also use two-factor authentication when possible.
Here are some examples of weak passwords:
• letmein
• jack0322
• w0nd3r
• pr1ncess
• bartlisamaggie
• 071692
Use Strong Passwords
What is a strong password? It would use a combination of letters, numbers and maybe even some symbols. Some letters would be uppercase and some lowercase. It would be long, perhaps 12 characters or more. Most importantly, it would be random.
A random password isn’t a dictionary word. It isn’t a name. It isn’t a date. It doesn’t even resemble any of these things.
If you have a strong, truly random password, and someone bet that they could guess what it was, you would take that bet. You would bet all your money, your reputation and your deepest secrets. In fact, that’s what you are doing when you set up passwords for websites and services. So make it a sure bet by using a strong random password.
Here are some examples of strong passwords:
• wHx9vm5Gs7zR
• vxqCIKypD7
• 5Pjil.TqYh
• Ptp/:*0F;#hm2,
• Lf5TL0NIh6WoIvB9
Use Strong Passcodes, Too
If you use an iPhone or any smartphone, you are probably logged in to all sorts of services and sites on that phone right now. Someone who steals your phone would have instant access to much of your life.
That’s why you need to have a passcode on your phone. Without the passcode, no one can access your phone even if they are holding it in their hands.
But a four- or six-digit code may not be enough. Certainly avoid passcodes like 123456 or 777777. Consider going to Settings, Touch ID & Passcode and turning on the option to use a full alphanumeric password instead of a four-digit passcode. If you have a newer iPhone with Touch ID, then you really have no excuse not to use a strong password since your fingerprint can be used to unlock your phone as well.
Use Your Mac’s Keychain
How do you come up with a strong password? The answer to that question is: You don’t. A strong password needs to be completely random. That means you should leave it up to your computer to come up with it.
Your Mac has the ability to generate strong random passwords, and you should let it. Starting with Yosemite, it is easier than ever before. When you create an account at a new site, or try to change your password, Safari suggests a random password for you to use.
Safari will suggest a password when you try to sign up or change your password on a site.
This is usually a 12-character password with additional dashes thrown in. It uses uppercase and lowercase letters and numbers. It is random, looks very hard to enter and is nearly impossible to memorize.
You may have seen this before and decided to use your own password instead. You may have considered how hard it would be to memorize and then retype the password every time you enter the site.
Installing a deadbolt in your front door, then carrying the key around with you and using it every time you enter and exit your house is difficult, too. But you do it because you know that is much safer than leaving your door unlocked.
Plus, what you may not have realized is that your Mac will remember that password. When you go back to that site and need to enter your password again, your Mac will do this for you. So you don’t need to memorize the password after all. You may never even need to type it again.
Safari will remember these passwords. You can access them in the Safari Preferences. You can view them there, and even delete them if you wish.
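An added example, not from the original book: a short Python sketch that flags the guessable patterns listed earlier in this chapter (dictionary words, character swaps, a name plus a date) and generates a random password in the 12-character dashed style described above. The tiny word list, the four-groups-of-three layout and all function names are assumptions made for the illustration.

```python
import math
import re
import secrets
import string

# Constructed sample word list. A real check would use a large dictionary
# plus lists of leaked passwords.
SAMPLE_WORDS = {"letmein", "wonder", "princess", "jack", "joe",
                "bart", "lisa", "maggie"}

# Undo the character swaps the text mentions (0 for O, 3 for E, and so on).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def can_split(text):
    """True if text is a concatenation of one or more SAMPLE_WORDS."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in SAMPLE_WORDS
            for start in range(end)
        )
    return reachable[len(text)]


def weak_reason(password):
    """Return why a password is guessable, or None if no pattern matched.

    None only means these few patterns did not match; it does not prove
    the password is strong.
    """
    if not password:
        return "empty"
    lowered = password.lower()
    if lowered.isdigit():
        return "digits only (date or PIN pattern)"
    # A known word followed by digits, such as a name plus a birthdate.
    match = re.fullmatch(r"([a-z]+)(\d+)", lowered)
    if match and match.group(1) in SAMPLE_WORDS:
        return "word plus digits"
    if can_split(lowered.translate(LEET)):
        return "dictionary words (after undoing substitutions)"
    return None


def generate(groups=4, group_len=3):
    """Random password from the OS's secure generator, dashed for readability."""
    chars = [secrets.choice(ALPHABET) for _ in range(groups * group_len)]
    parts = ["".join(chars[i:i + group_len])
             for i in range(0, len(chars), group_len)]
    return "-".join(parts)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for sample in ["letmein", "jack0322", "w0nd3r", "pr1ncess",
                   "bartlisamaggie", "071692", "wHx9vm5Gs7zR"]:
        print(f"{sample:16} {weak_reason(sample)}")
    print(generate(), f"~{entropy_bits(12):.0f} bits")
```
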
You can access your stored passwords by going to Safari, Preferences, Passwords.
Better still, these passwords are saved to iCloud—meaning you’ll also have access to them on your iPhone or iPad.
How is this safe, you may think? All of your passwords would be in one place, just waiting for someone to come by and break into your treasure chest of online passwords. However, they are protected by your Mac’s login password and your iCloud password. No one can get to them without one of those two. So make sure that those passwords are strong as well.
As a matter of fact, you can log into your Mac using your iCloud password, so there is really only one strong password you need to memorize. Plus, you can use two-factor authentication to further secure your iCloud account. We’ll look at that later in this chapter.
Step-By-Step: Change Your Apple ID/iTunes/iCloud Password
1. Go to https://appleid.apple.com.
2. Log in with your current Apple ID and password.
3. Look for the Security section and click Change Password...
4. Enter your current password and your new password in both places it is asked for. Click on the key icon on the right side of the new password field to have Safari give you a strong password.
Passwords Outside of Safari
Sometimes you need to create a password in an app, not on the web. In this case you can’t use Safari’s password generator, at least not directly. Other times, websites are not designed to allow Safari’s password generator to work.
In these cases, you can still use your Mac to create strong random passwords. You’ll need to run the app called Keychain Access. It can be found in your Applications/Utilities folder.
Keychain Access will allow you to view your Safari passwords outside of Safari. Plus, it will include a lot of other saved passwords from Apple-made apps. If you choose File, New Password Item it will allow you to create a new item independently from Safari.
Step-By-Step: Access Your Passwords in Keychain Access
1. Look in your Applications/Utilities folder and run Keychain Access.
2. On the left, under Keychains, select login.
3. Further down on the left, under Category, select All Items.
4. Use the search field at the upper right to search for password. For instance, type “Facebook” to search for your Facebook login password.
5. In the list, look in the Kind column for “Web form password” to quickly identify Safari passwords.
Next to the Password field, you’ll see a little button with an icon of a key. Click that and it will bring up the Password Assistant. This little tool will generate new random passwords for you.
The Password Assistant tool in Keychain Access will allow you to create strong random passwords.
Since you’ll be making a password that is intentionally difficult to memorize, be sure to use Keychain Access to store this password as well. Then you have a place to look it up days or months from now when you need it again.
When To Change Your Passwords
The ultimate answer is to change all of your passwords every few weeks or months. But that is usually not practical. I spend an hour or so changing all of my passwords at least once per year. I often do it when returning from travel where I have been forced to use Internet connections outside of my home and work.
What a lot of people don’t realize is that old passwords can come back around to haunt you. When you read about some massive security breach where “millions of passwords” are leaked to the public, these are often old passwords. I have searched these databases and found some of my old IDs and passwords from more than a decade ago.
Because I change my password every year or less, I don’t need to worry when my old passwords leak out like that. They are useless to anyone. However, if you have not changed your password in more than a year, then your current password could be included in these lists of “old” passwords.
Third-Party Password Keepers
In addition to using macOS’s built-in password system, you can also use one of many third-party apps. The two most popular for Mac users are 1Password and LastPass.
Both will generate random passwords for you, store them and protect them with a strong master password so that only you have access to them. They work across multiple devices by storing your encrypted password database in a cloud service of your choosing. You can even access your information on your phone using mobile apps from these services.
On your Mac, they will work with your browser through an extension. You can simply press a button to fill in passwords on websites when you need to sign in.
One big advantage of using 1Password or LastPass is that they will work with third-party browsers like Chrome or Firefox. In fact, they will work on Windows PCs and Android phones as well. So if you are cross-platform, this is the way to go.
1Password -- https://agilebits.com/onepassword
LastPass -- https://lastpass.com
These apps also allow you to store miscellaneous data, such as the combination to your safe or your bank account numbers. It can come in handy to have a secure place to store these pieces of information.
Using Different Passwords Everywhere
Another common practice for most people is to use the same password for multiple sites. For instance, your Amazon password would be the same as your iCloud password. In fact, you may have the same password for every website and service you use.
As you may have guessed, this is a bad idea. And totally unnecessary. It is a bad idea because if someone actually got a hold of your password to one site, then they know the password to all of your sites.
For instance, it is possible that someone could steal passwords from a website. Perhaps the website is something not very important that doesn’t store valuable or personal information. For instance, perhaps it is just a casual game, a to-do list app or something similar.
Once someone has a list of a million IDs and passwords from this not-so-important site, it would be easy for them to check those same IDs and passwords against logins for Facebook, Amazon, banks and more. You can bet that many of those passwords will work.
A good website doesn’t actually store your password. Someone breaking into the site, or even working at the company with physical access to the servers can’t get your password. Instead, it stores a special code that can be used to determine if you have entered your password, even though it doesn’t know what that password actually is. This is called a hash.
For instance, say passwords were simple three-digit numbers and your password was 956. The site may have the code 20 stored as your hash. It takes the three digits of your password and adds them together. It compares this to the hash and if they are equal then you are granted access. But the site doesn’t store “956” anywhere. It just knows “20.” Armed bandits could break in to the company and hold a gun to the CEO’s head demanding your password and the CEO couldn’t reveal it because the company just doesn’t have it.
In reality, hashes are much more complex, so guessing a password, like 677, won’t be that easy.
However, if you use the same password for 100 sites and services, then what are the chances that all 100 will use a secure hash system to hide your actual password? Chances are, some of them store your password in a database, just waiting for someone to steal it.
So that one time you use that same password to create an account for a game or a little to-do list app becomes the weak point. If that site is hacked, your email address and password are now in the hands of some bad people. They can simply try that combination at Facebook, iCloud, Yahoo and your email provider and your life is in their hands.
But if you used a unique password for that little app, then they only have access to your game score or to-do list. If it is compromised, you only need to take action for that one service.
The Most Important Password
Which password is the most important? The one that guards your email address. Whether you use iCloud, Gmail, Yahoo or your company’s system, your email address password is critical.
Think about it: If you forget a password, you can often click a button asking for a reminder or reset email to be sent to you. So anyone with access to your email could simply go to another site, like your bank or a shopping site, click the “I forgot my password” link, and then access your email account to get the new password.
Using different passwords for every site sounds like a good policy. But is it practical? An average computer user will have more than 100 sites and services with IDs and passwords. Some they use every day. Others less than once a month. How can you remember each and every unique password?
This is another time password keepers come in handy. Whether you use the one built into Safari and macOS, or you use 1Password or LastPass, keeping your passwords in one of these storage solutions is the way to go. Not only will you not have to remember the passwords, but your computer will enter them for you when you log into sites.
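An added example, not part of the original book: the three-digit, sum-of-digits hash described earlier in this section, next to a salted, deliberately slow hash of the kind a site should store instead. The function names, the choice of PBKDF2 and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os


def toy_hash(pin):
    """The text's illustrative hash: add the digits together."""
    return sum(int(digit) for digit in pin)


def toy_collisions(target):
    """Every three-digit password the toy hash cannot tell apart."""
    candidates = (f"{n:03d}" for n in range(1000))
    return [pin for pin in candidates if toy_hash(pin) == target]


# Assumed work factor for this example; a site tunes it to its own hardware.
ITERATIONS = 200_000


def enroll(password):
    """Return (salt, digest) for the site to store; the password is discarded."""
    salt = os.urandom(16)  # random per account, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, stored):
    """Recompute the digest from the login attempt and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


if __name__ == "__main__":
    same = toy_collisions(toy_hash("956"))
    print(f"toy hash of 956 is {toy_hash('956')}; "
          f"{len(same)} passwords share it, including 677: {'677' in same}")

    salt, stored = enroll("wHx9vm5Gs7zR")  # sample password from this chapter
    print("stored:", salt.hex(), stored.hex())
    print("correct password accepted:", verify("wHx9vm5Gs7zR", salt, stored))
    print("wrong password accepted:  ", verify("letmein", salt, stored))
```

The toy hash accepts any of the passwords that add up to 20, which is why the text says real hashes are much more complex; the per-account salt also means that a stolen table does not reveal which users share a password.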
Moving Up To Two-Factor Verification
A more secure way to log into sites and services is to use a two-factor verification system. iCloud uses this, and so do Google and many other sites. It is much more secure than a simple password. But it requires that you have a mobile device, such as a mobile phone, with you at almost all times.
The two steps involved in two-factor verification are:
Step 1: Enter your password.
Step 2: Receive a randomly-generated code on your phone, iPad or Mac. Enter that as a second password.
The idea is that you enter your password and then also enter a second password that is generated on the spot when you try to log in. This is sent to you either as a text message, notification or sometimes a special system alert box. You enter that code in order to be granted access to the site.
The code is for one-time use. Plus, if you don’t use it right away, it expires. Someone would not only need your password to log in, they would also need physical access to your phone, and they would need to be able to unlock your phone to see the code.
For example, you try to log in to the Gmail web page. You enter your password. Then you are prompted for a security code. You go to your phone, which has a special app from Google that shows you a code. This code changes every 60 seconds or so. You enter the current code on the web page and you are granted access.
The same happens when you use two-factor verification with your Apple ID. You’ll first get a prompt to enter your code on your Mac.
When you use Apple’s two-factor verification, you will be prompted to enter a verification code sent to your Mac, iPhone or iPad. You will receive this prompt when you try to log in to modify your account, and in a variety of other transactions.
The first thing you will see on your device is an alert that a login was attempted. You will need to click or tap Allow to continue with the login.
The alert you receive on your devices that a login is being attempted will include a location. It won’t be accurate past a general region, but it will be enough for you to get a sense of whether this is you trying to log on or not.
Next, you will get a 6-digit code that you can use to gain access. Once you are done with the code, you can click or tap OK to dismiss it.
The six-digit code sent to your phone is for one-time use and will expire quickly. Someone without your password plus physical access to your phone won’t be able to log in to your Apple accounts.
If entering in a password and a code sounds cumbersome, remember that you usually don’t have to do it that often. Google, for instance, will keep you logged in for 30 days on your computer. Apple will only ask for your password and code when you log out and back in, or try to do something like access your account details. You don’t need to go through it every time you buy an app or a song on iTunes.
But what if your phone is lost or stolen? There is a backup plan for that. Many two-factor systems will allow you to print out a recovery key or a list of one-time use codes that you can use in place of the normal code. You can store these in a safe place. By themselves, these codes are useless. But in conjunction with one of the other two pieces of information (your password or a new code from your phone) you can access your account.
Apple’s two-factor system allows you to include one or more trusted phone numbers where you can get your codes by text message. So even if you don’t have access to one of your trusted Apple devices, as long as you have access to your phone number, perhaps on a non-Apple device or a web-based system like Google Voice, you can get your two-factor code to log in.
Backup Codes/Recovery Keys
I can’t stress enough how important it is to save and secure your two-factor backup codes or recovery keys. If you forget your password and you don’t have your codes, you will not be able to get into your account. No amount of phone calls or pleas for help will do it. In most cases, the company (Google, etc.) can’t help you even if they wanted to. The whole point is that the account is secure and someone can’t get in by pretending to be you.
They are also important if you lose your phone, or simply switch phones without thinking about two-factor first. Suddenly you can’t get your regular code because you switched phones, and you don’t have your backup code either. With Apple’s system you would be able to get your code via a text message, so switching phones but keeping your same phone number won’t lock you out as long as you have included your phone number in Apple’s two-factor system.
Another time these are necessary is if someone tries to break into your account. In this case, your account may freeze and your password is revoked. You’ll need a backup code to get in. If you don’t have it then you are locked out forever. So please remember to save this code!
Basically, you have three things you can use to access your account: your password, codes from your phone and backup codes/codes from a text message. You need two out of the three to get in. To set up two-factor verification, go to the security or password settings of the site you are using and see if they offer it. Below are links to set up two-factor verification for Google, Apple and Facebook. Other sites may call this “two-step authentication,” so look for that too.
Google/Gmail -- https://www.google.com/landing/2step/
Apple/iTunes/iCloud -- https://support.apple.com/en-us/HT204915
Facebook -- Go to Settings, Security and select Login Approvals.
To enable two-factor verification for your Apple account, go to http://appleid.apple.com and sign in. Then look for Two-Factor Authentication and click Get Started...
The site will walk you through the set-up process.
Note that Apple also has an older system called “two-step authentication.” That is “step” instead of “factor.” This older system is still in place as devices running much older versions of macOS and iOS cannot use Apple’s modern “two-factor” system. Only use this old system if you have devices that are too old (iOS 8, Yosemite or earlier). You can read about it here: https://support.apple.com/en-us/HT204152.
You can also set up two-factor authentication in the password portion of the settings controls for sites like Facebook, Twitter, Dropbox, PayPal, Yahoo!, Microsoft, LinkedIn, WordPress and many others.
My recommendation is that you use two-factor everywhere you can. Just don’t forget to print out and store the recovery keys or backup codes for each site or service!
App Passwords
One problem with two-factor authentication is that you sometimes need to log into your account in an app that doesn’t support two-factor. A site that offers two-factor authentication will also allow you to generate an app-specific password that can be used to log in to one specific app.
For instance, you can get an app-specific password for Gmail to let you sign in to your Gmail account in an email app. You wouldn’t then be able to use that password for anything else, so it is still relatively safe.
In cases where you need an app-specific password, you can go to the password or security settings for the service you want to access and there is usually an explanation there about how to create and use this password.
Dealing With Security Questions
It used to be the standard security model that when you signed up for an account, you not only created a password, but also added answers to some security questions. For instance, “Where did you go to high school,” “Who was the manufacturer of your first car” or the classic “What is your mother’s maiden name?”
This is a very flawed security model. If someone was out to get you, specifically, as unlikely as that is in reality, it would be easy to figure out these answers.
Even a random attack has a good chance of success. A full one percent of all maiden names in the U.S. are Smith. Johnson, Jones, Williams and Brown increase the chances of success to nearly five percent. How many car manufacturers are there? Probably the top five account for more than 50 percent of the answers.
Apple still uses questions like this if you sign up for an Apple ID and opt not to use two-factor authentication. While they are a bad idea, they offer the only hope of someone recovering their Apple accounts if they forget their password and are not using two-factor.
At http://appleid.apple.com you can set up security questions that can be used to access your account if you have not set up two-factor verification.
The way to protect yourself against this security weakness is to never use security questions on a site or service where two-factor is offered as a better alternative. However, some sites don’t offer anything else. And some people don’t use mobile phones, meaning they can’t use two-factor.
There is a way to set up security questions to be more secure: Don’t use real answers. Don’t use fake answers either. Instead, use non-answers.
If the question is “What is your mother’s maiden name,” answer with a randomly-generated password from a password manager like 1Password or LastPass. Or, use Apple’s Keychain Access app that is on every Mac: Choose File, New Password Item, then click the little key icon to generate a password.
Using this system, the answer to “What is your mother’s maiden name” may be something like “GHkjE0x6.” Store this in your Mac’s Keychain manually as a note, or use 1Password or LastPass to store them. Alternatively, you can simply print them out and put them in a file in your home—as long as they are somewhere safe and secure.
Using non-answers is fine since none of these sites and services actually care about the real answers to these questions. They just want to be able to ask you the questions to confirm your identity. So if you need to answer the question online, you just type it in or copy and paste. If you need to answer the question on the phone to a customer support representative, then they may get a good chuckle out of your answers. But it won’t be the first time they encounter these kinds of answers because many people use this secure technique.
Step-By-Step: Storing Secure Notes in Your Keychain
1. Find Keychain Access in your Applications/Utilities folder and launch it.
2. Choose File, New Secure Note Item.
3. Under Keychain Item Name, enter something like “Apple ID Security Questions.”
4. In the Note field, put any text you like. For security questions, type each question and answer on a separate line.
5. Click Add to add the note to your keychain.
What To Do If Your Accounts Have Been Compromised
Let’s say that despite your best efforts, someone gets access to one or more of your online accounts. What do you do?
First, do not hesitate. This isn’t the sort of problem that can wait until tomorrow. Treat the situation as a priority. Things could get worse if you give the malicious individuals with control over your account time to do more damage. The first step is to access the account or accounts that have been compromised and change those passwords. But don’t stop there. If the site uses security questions to recover passwords, such as “What is your mother’s maiden name,” you’ll need to change those. It could be that the intruder has already changed them. It could be that the intruder simply noted what the answers were. Either way, they could get back in easily if you don’t change them. If you think, “Well, I can’t change my mother’s maiden name,” then check out the section of this chapter on Security Questions. You should be using random passwords for these security questions, not real answers. Don’t stop with the sites that you know have been compromised. It could be that your other sites and services have been compromised as well, but the intruder hasn’t done anything using that site that you have noticed. Start with your email accounts. Make sure you change all of those passwords. Then move on to all of your critical accounts like Facebook, Amazon, eBay, your bank, iCloud, Google and so on. They should all be using unique random passwords. It is a good idea to change your password every once in a while anyway, so think of this as that opportunity. If you no longer have access to an account because the intruder changed your password, you will have to contact customer support for that service. Here are some links to get you started: Apple
http://www.apple.com/support/icloud/contact/
Facebook
https://www.facebook.com/hacked
Google/Gmail
https://www.google.com/accounts/recovery
Yahoo!
https://edit.yahoo.com/forgotroot/
eBay
http://pages.ebay.com/help/account/securing-account.html 1 (866) 540-3229
Amazon
http://www.amazon.com/customerservice 1 (888) 280-3321
For smaller sites and services, like your bank, visit their webpage and look for support links. If you know or suspect that your bank account has been compromised, I would go directly to a phone call to work as quickly as possible at securing it. Your ATM Pin Did you know that you can change your ATM pin if you suspect that it may have been compromised? Thieves use hidden cameras and special devices attached to ATM machines to get the data from your card’s magnetic strip, and also to access your pin number. If you think this may have happened to you, you can simply call your bank and request a new pin. You can also use one of your bank’s dedicated ATMs— usually, you’ll find that changing your pin number is an option in the menus. You can select a new pin and the bank will send a new card. I try to do this once a year, usually after traveling when I may have been using many assorted ATMs.
You will also want to change the passwords for your devices. Change your Mac user account passwords, if you are not using your iCloud password to log in to your Mac. Change your iPhone and iPad passcodes. Change your Wi-Fi router passwords too. Once you are sure you have control over your sites and services, here are other steps to take: • Check your social media feeds. Has the intruder posted anything on your behalf? If so, delete it. Look for comments to other people’s posts as well. • Ask some of your closer friends if they have received any messages or emails from you that may have been sent by an intruder. If they have, you will want to contact all of your email address contacts and message your friends over social media. Alert them to the problem and let them know that those messages may not have been from you. • Check any email rules for changes. iCloud email and Gmail both allow you to set up rules/filters that do things like forward messages. You should check those because an intruder can set up a rule to forward email from Amazon to him. That means he can return next week and ask Amazon for a forgotten password. Your email account then forwards the message with the reset link to him, and once again, he has access. Some email services allow you to simply forward all messages to another address. Check that in the settings for those accounts.
• Check your email accounts for alternate or backup email addresses or phone numbers. These are used to send recovery messages or confirmation messages when you try to make a change to the account before you can access your email. Make sure the intruder didn’t add his phone number or email address. • If you think your financial accounts may have been compromised, you may want to contact your credit card companies and have them check your account. Soon after, you may want to order your credit reports which could show accounts opened in your name. Or, hire a firm that specializes in checking up on such things.
Chapter Actions • Go through all of the websites and services you use. Change your password for each one. Use strong, randomly-generated passwords. Use a different password each time. • If the site or service offers two-factor authentication, use it. • When using two-factor, be sure to save your backup codes in a safe place. • Otherwise, use a strong, randomly-generated password and store it in Safari/Keychain or a third-party password storage app. • If the site or service uses security questions, answer each with another strong password and record your answers.
2. Malware and Hackers If you mention the words “virus” and “Mac” to some people, you’ll get one of two responses: Either they will say, “Macs don’t get viruses,” or they will say, “Don’t listen to people that say Macs don’t get viruses.” It can be confusing, because both are right. The problem is the word “virus.” When people say “virus,” they usually mean malware. Malware is any software that does harm to you or your computer. It is software with malicious intent. A virus is a type of malware that is particularly harmful because it can find its way on to your Mac even if you haven’t done anything wrong. It infects a computer without any specific user action. Real viruses for Macs are pretty much nonexistent. They are theoretically possible, but macOS has many safe-guards against them, making them something you really don’t need to worry about. But another type of malware, called a trojan, is something you should be aware of. Most of the time, when people say “Mac virus” they really mean “Mac trojan.” A trojan, named after the fabled trojan horse, is software that hides malware, just as the horse hid soldiers. For instance, you may find a website that offers a “free” version of something that usually costs money, like video editing software. You download it and install it. The software may actually work. Or it may just throw up an error message or do nothing at all. Either way, you installed it, you ran it, and you gave it permission to alter your computer by doing so. It installed some malware and now you are stuck with it. When people talk about Mac viruses or malware, they are almost always talking about trojans. Those that say “Macs don’t get viruses” are talking literally about computer viruses. Those that say “Yes they do” are talking about the fact that Macs are vulnerable to other types of malware, like trojans.
Do You Need Antivirus Software? If you came from the Windows world, or if you are getting advice from someone who uses Windows, you will think that you need to install some sort of antivirus or anti-malware security software. It used to be the case that Windows users couldn’t operate without it. But you don’t need such software on your Mac. Here are the reasons why: 1. Apple includes anti-malware software in macOS. It is part of the operating system. As new threats appear, Apple will update macOS to counter those threats. Apple’s track-record has been very good in this respect, usually beating anti-malware software makers with updates that protect against threats. 2. Anti-malware software often goes too far. You’ll get warnings about all sorts of things that aren’t really threats, and the software may disable functions of your Mac in an attempt to be overprotective. I’ve seen this happen many times. I’ve seen people panic over nothing. I’ve seen anti-malware software do more harm than good. 3. Much of what anti-malware software does isn’t really protecting you. Because there isn’t much for this software to do, the developers have added all sorts of features, such as cleaning out caches or detecting Windows-only malware. You don’t need any of this. macOS takes care of itself. 4. It costs money. If you look at 1, 2 and 3 above and think, well, it still might be worth it, just consider that it does cost money, usually. If it isn’t helping you, why spend the money? I have been advising people for years to avoid Mac security and cleaner software. You just don’t need it because it just doesn’t help. What you really need to do is follow the three simple rules in the next section.
Following Three Simple Rules If you follow these three rules, you will not have to worry about malware on your Mac. But it is important that you understand each rule and take the time to follow it.
1. Keep Your Mac Updated macOS updates contain security patches. When you investigate a threat, you will usually find that it only affects people running an old version of macOS. This is because Apple updates macOS frequently and fixes security flaws. Just keep macOS updated and you won’t have to worry about most of the malware out there. The same goes for all of your other software. Do you use Microsoft Office on your Mac? Keep that updated. Adobe Photoshop? That too. Keep all of your software updated to the latest versions and use the features in this software that automatically updates them, or at least alerts you to new updates.
2. Download Software Only From Sites You Trust Any time you read about a trojan, you’ll find that the trojan needs to be downloaded from some third-party site or network. That’s pretty easy to avoid. Just always think carefully before downloading something. Most Mac software is available in the Mac App Store. If you download from there, you know two things about the software. First, Apple has looked at it and determined that it isn’t a trojan. Second, Apple has verified the identity of the company or person that makes the software. This doesn’t make it impossible for a trojan to slip into the Mac App Store, but it does make it very unlikely. It would be like handing your driver’s license to the cashier in a bank before robbing it. If you use software from sites you trust, like Microsoft or Adobe, that’s fine too. But if you find yourself at a site that you haven’t heard of before, think twice. Do some research. If the site or company is not trustworthy, that fact will show up quickly in a web search. Search for the company’s name and words like: trojan, scam, virus, malware, etc. When in doubt, ask yourself how badly you need the software and whether it is worth risking the security of your Mac.
3. Stay Informed When new threats arise, they aren’t kept quiet. This is especially true in the Mac world where the potential existence of malware is headline news. Sites like MacRumors.com and CultOfMac.com would be all over any real threat. Just by checking these sites occasionally, you are educating yourself against threats.
Using a computer isn’t like using a car or a home appliance. Your computer is connected to the Internet. Your software is updating and changing all the time. You are constantly coming into contact with code on websites and app updates. Things are always changing. Not staying informed would be like driving on the same highway every day and ignoring construction signs and lane closures. You have to pay attention and adjust to changes. A Safari Setting To Know About Rule number 2 is basically about stopping and thinking before you download something. But sometimes malware can be sneaky. Hackers have been known to trick people into clicking on links that start malicious downloads. Usually this is not a problem, because just downloading something doesn’t hurt. It is just a file in your Downloads folder until you decide to “run” or “open” the file. However, there is a setting in Safari called “Open safe files after downloading.” It is meant to make it easy to view videos, pictures and PDF documents while browsing the web. Unfortunately, in the past hackers have figured out how to sneak malware into such things. I recommend turning off this setting to make sure that a website can’t trick you into downloading malware, and then having that malware automatically run.
! You can find the “Open safe files” setting in Safari, Preferences, General.
Using Gatekeeper An important weapon in your fight against malware is a feature of macOS called Gatekeeper. This was introduced in OS X Lion (10.7.5) and continues to be a part of macOS, although it no longer uses this name and is now simply a part of macOS. You can find this feature in System Preferences, Security & Privacy, General. It appears as just a series of three options under “Allow apps downloaded from.”
! Gatekeeper is now just a part of the System Preferences, Security & Privacy, General settings. You can choose from one of two options under “Allow apps downloaded from.”
If you use the “Mac App Store” setting, then you prevent any software from being installed unless it came from the official Mac App Store using the Mac App Store app. You won’t be able to download software from independent sites. The other setting will allow software from outside the Mac App Store, as long as the developer has signed up for a developer account from Apple and Apple knows who they are. The software still comes directly from the developer, not through Apple, so the developer can put anything in the software. But any developer trying some sort of malware shenanigans cannot do so anonymously. It is unlikely that anyone with malicious intent will be able to get away with something. These two settings will not completely stop you from installing unapproved software. For instance, say a friend of yours is a developer and wants you to test out software for them. You trust your friend, so you want to install the software. But Gatekeeper will stop you since this software isn’t from the Mac App Store and has not yet been set up with the proper credentials to identify the developer. In that case, you will get a warning from Gatekeeper that stops you from installing it at that moment. You can then go to System Preferences, Security & Privacy, General and see a button that asks you if you want to proceed to install the software anyway, even though it goes against your Gatekeeper settings. I keep Gatekeeper set to the second setting. But I recommend that everyone stick to the Mac App Store only setting. If you need to install something else like an Adobe or Microsoft app, you can go to System Preferences and bypass the warning to complete the install. At the very least, Gatekeeper makes you think about what you are installing. And that is all a lot of people need to avoid installing untrusted software that they really don’t need.
Protecting Your Data With Mac User Accounts Using multiple accounts on a Mac should be the standard way to operate when there is more than one person using the Mac. Even a husband and wife who are close and don’t mind sharing the same account should use separate accounts. Remember that things like preferences, browser bookmarks and email accounts are all separate on different Mac user accounts. Just being able to leave all of your apps and windows open while the other person switches to their account to check email makes this all worth it. And there will never be an argument such as, “Did you delete that file?” if you use separate accounts. Step-By-Step: Creating a New User Account 1. Go to System Preferences, Users & Groups. 2. Click on the padlock icon at the bottom left and enter your password. 3. Click the + button on the left side to create a new user account. 4. For a responsible adult, set the new account to Administrator. For a child, use Managed with Parental Controls. For anyone in-between, create a Standard account which limits their ability to mess with the Mac’s system and apps. 5. Enter the full name.
6. Enter an account name. Their user account folder and many other aspects of their account will use this account name, so be sure to choose one with care and keep it short. A first name is usually a good idea. 7. Select either Use iCloud password or Use separate password. The first is good for most uses. The second is good if the user does not have an iCloud account. 8. Click Create User.
Every user account on your Mac needs to have a strong password set, or use your Apple ID with a strong password for login. This is critical. A hacker on the same network can easily see your Mac and attempt to access it with a password. If your passwords are weak, or you have even one account with no password set, they can get in. Naturally, if you find yourself logging out and then back into your account often, you may want to choose a shorter-than-usual password, something you can memorize and type quickly. But I still recommend using at least an 8-character password of random characters. Alternatives to User Account Password Entry There are currently two alternatives to entering your user password when switching accounts on a Mac. The first is to use an appropriately-configured Apple Watch. In that case, just wearing the watch while logging in will substitute for a password. The other method is to use the Touch ID button that comes as part of the Touch Bar on newer MacBook Pros. Perhaps in the future all MacBooks and maybe even other Macs will come with a Touch ID button so you can use your fingerprint to log in.
You also need to set up your Mac so that you use this password to gain access to the Mac. For instance, if you close your MacBook and then someone steals it, they would need to enter your password when they open the MacBook. To do this, go to System Preferences, Security & Privacy, General. Set your Mac to “Require password” and choose a short time period, like 5 minutes after sleep. You may want to consider “Immediately” instead if you are using a MacBook in a public setting like a school, or while traveling.
! You can set your Mac to require a password for access after it sleeps. Set Lock Message You may have noticed the “Set Lock Message” button in System Preferences, Security & Privacy, General. You can use this button to set a message that appears on the login screen. For instance, you can write “If found, please call...” there. If your MacBook goes missing, it can often fall into the hands of someone like yourself that is interested in helping out. This message gives them the chance to do that and return your Mac to you.
Setting Up Guest User Accounts Once you have established separate user accounts for each human using your Mac, you need to make sure that any other person uses a special guest account.
I often get email pleas for help from people with trojan-infected or otherwise broken Macs that start off with something like: “I let a friend use my Mac and now something is wrong.” Even if it is for just a few minutes while they check their email during a visit, letting someone else use your Mac is problematic. You have all sorts of things set up on your Mac just the way you like them: your browser bookmarks, email settings, system preferences, app preferences, etc. Just by using your browser for a minute, they are adding items to your cache and search history. While you may realize that installing an app is something that should be done with great forethought and care, they may install apps like others send text messages. There is a safe way to let someone use your Mac. It is simple and easy, and you should do it 100 percent of the time anyone else besides you touches your keyboard. Just use a feature of macOS called the Guest User. You can turn on the Guest User account in System Preferences, Users & Groups.
! You can set up the Guest User by going to System Preferences, Users & Groups.
Once you have it turned on, you can switch to the Guest User by choosing “Log Out” from the Apple menu, and then selecting the Guest User. Or, you can click on the fast user switching icon at the top right corner of your screen and switch users from your account to the Guest User. This works better, as you aren’t logging yourself out—meaning you can switch back later on and find all of your apps and windows just the way you left them.
! Fast User Switching allows you to quickly move between users on your Mac. When you switch back, you can pick up right where you left off, with open apps, documents and windows right where you left them.
The Guest User does a few different things to protect you. First, since the Guest User is a different account than your account, your friend won’t have access to your documents, pictures, movies and other stuff. They just can’t get to it. Second, they can’t install any apps. That includes being tricked into downloading and installing something they shouldn’t. Third, when they log out, the Guest User account is wiped clean. Any documents they created or junk they have downloaded will be erased. Guest User and FileVault One problem with Guest User accounts is that if you are using FileVault to protect your hard drive, then the Guest User account turns into a simple web browser account that doesn’t allow them to do very much. You can certainly let your friend use that. But if they need more, an alternative is to create a Standard user account in System Preferences, Users & Groups. Using that account, they can’t get to your stuff and they can’t install apps. When they are done, you can just delete that account. This also comes in handy if you want to give a house guest a way to use your Mac over a length of time. You can create this account and then switch back and forth over several days. They get to keep documents until you delete the account, so they can work on something if they like. Just make sure they have those documents before you delete the account. You can also set up a Managed account with Parental Controls in the same manner.
Do You Need macOS Firewall? If you have been using computers for a while, the first word that may come to mind when you think of security is “firewall.” So why haven't I mentioned firewalls before now? A major defense against malware in the Windows world of the late 1990s and early 2000s was to install a good firewall. Movies and television shows since then have been peppering scripts with the word when characters need to sound like they know what they are doing on a computer. In reality, firewalls aren't that useful for typical Mac users. A personal computer firewall blocks incoming data and commands. But incoming data and commands need something running on your computer that is listening and waiting to receive them. Old Windows computers had a variety of system processes that listened for incoming information and did things with them. When malicious information was sent to these computers, bad things could happen. But Macs don't have these sorts of processes that listen for general data or commands. They really aren't something that you find on modern computers. Instead, apps listen for specific things. For instance, Spotify will receive streaming music from that music service, but only from that service and not from just anyone or anywhere. It is possible to install software that will listen for instructions from outside and then do malicious things. But if the software is already installed, it hardly needs to do anything that complex to cause harm. It would be like letting a burglar into your house and then taking away his phone so he can't invite more burglars.
So what is the point of the Mac firewall? Well, if you are running some networking or server software that has vulnerabilities, then you could find it useful. That is something some developers may need, but not the typical Mac user. You can find the firewall in System Preferences, Security & Privacy panel. If you decide to enable it, you can use a Firewall Options button to fine-tune the settings, including deciding which apps will allow incoming connections.
! You can find the Firewall switch in System Preferences, Security & Privacy, Firewall.
! Once you turn on the firewall, you can control which apps can receive information from the Internet.
Staying Safe With Secure Connections and VPN Say you are at a coffee shop with your MacBook. How do you get online? Maybe you tether your MacBook to your phone for a connection. Or, maybe you use the "free" Wi-Fi offered by the coffee shop. Free Wi-Fi is another security hole that you have to be aware of. Whether it is at a coffee shop, restaurant, store or hotel, using free Wi-Fi exposes you to a variety of nasty attacks. And it doesn't have to be free. Any Wi-Fi that is not your own is a potential hazard. Here are some of the issues with using untrusted Wi-Fi:
• If you can log on without a password, it means the data sent between you and the Wi-Fi router is unencrypted. Anything you do can be seen by someone else nearby if they have the right equipment. Identity thieves use this technique to get passwords, credit card numbers and other information. This is called snooping. • The Wi-Fi router could have software on it that records information you send. This can also be used by identity thieves. It is possible that the router is "infected" with this software and the owner of the Wi-Fi router has no idea it is a problem. • The Wi-Fi network you are connecting to may be a trap. Scammers can set up their own Wi-Fi routers and name them "Free Public Wi-Fi" or even use the name of the location to trick you. Then they record information you send, and perhaps even show you fake login pages for sites like Facebook or Gmail so that you willingly hand over your ID and password. Fortunately, there are a variety of ways to protect yourself from these problems. First, use secure connections between your MacBook and the site you are visiting. Secure connections are easy to spot because the addresses of the web pages you visit start with https instead of http. That "s" makes all the difference. It means that your MacBook and the website are sharing information using encryption. If someone were to look at the data going back and forth, all they would see is encrypted gibberish. Second, try to stick to Wi-Fi connections that require a password. For instance, a hotel may give you a password to use their Wi-Fi. A password that is created just for you and expires when you are done with it is best, but I've never seen a hotel that does that. Any password is a little better than no password. Now note that there are two types of passwords involved. One is the macOS dialog box that pops up, informing you that the Wi-Fi requires a password. That's what you want. Another kind is a simple web page that appears before you are allowed to surf anywhere else. That type of password is just to restrict access to the Wi-Fi and won't actually encrypt anything. An easy way to know if the password is encrypting the data sent is to look to see if there is a padlock icon next to the Wi-Fi name when you select it on your Mac.
! In the drop-down menu you get by clicking on the Wi-Fi icon in the Mac menu bar, you’ll see padlock symbols next to routers that have password-protected encrypted connections. Avoid connecting to anything that doesn’t have that padlock.
The best way to protect yourself while using untrusted Wi-Fi is to get a VPN service. VPN stands for Virtual Private Network and it encrypts all data traveling between your MacBook and the VPN service, which then communicates with any website or Internet service you might be using. To get a VPN going on your MacBook, you'll need to pay to subscribe to the service. Then you'll need to install their software package on your Mac. I've been using SurfEasy VPN. My subscription to their service allows me to protect my MacBook and also my iOS devices. There are dozens of others, just search for "Mac VPN" and they will come up. Some even provide apps in the Mac App Store, so search there as well. Another option is to avoid public Wi-Fi altogether and tether your MacBook to your phone when out of the house. This can use up your monthly bandwidth allowance pretty quickly. But if you only need it occasionally, it is a good option and may be cheaper than using a VPN service. You can also get dedicated wireless Internet connection devices from most major wireless providers. These also cost a bit, but are very good options for someone who often needs to connect away from the home or office. As a bonus, you do not have to rely on any Wi-Fi at all, which means you can connect in places that don't offer it, such as outdoors.
Chapter Actions • Learn and use the three rules to keep your Mac safe. 1. Keep your Mac updated. 2. Download software only from sites you trust. 3. Stay informed. • Set “Allow apps downloaded from” to “Mac App Store Only” in System Preferences, Security & Privacy. • Set up different Mac user accounts for every person who uses your Mac. • Every user account on your Mac should have a good password. • Use Guest accounts for anyone who needs temporary access to your Mac. • If you travel, consider using a VPN service while connecting through hotel or conference center Wi-Fi.
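Several of this chapter's settings can also be read from Terminal, so the checklist above can be checked by a script. This is an added example, not from the book; it assumes the command names and preference keys of macOS 10.12 Sierra, and the function names are made up for illustration.

```python
import subprocess

# Commands as found on macOS 10.12 Sierra (assumption: later releases may
# keep these settings elsewhere, in which case a check reports "unknown").
COMMANDS = {
    "gatekeeper": ["spctl", "--status"],
    "safari_auto_open": ["defaults", "read", "com.apple.Safari",
                         "AutoOpenSafeDownloads"],
    "ask_for_password": ["defaults", "read", "com.apple.screensaver",
                         "askForPassword"],
    "password_delay": ["defaults", "read", "com.apple.screensaver",
                       "askForPasswordDelay"],
    "guest_enabled": ["defaults", "read",
                      "/Library/Preferences/com.apple.loginwindow",
                      "GuestEnabled"],
}


def read_settings():
    """Run each command and return {name: combined output text or None}."""
    readings = {}
    for name, cmd in COMMANDS.items():
        try:
            done = subprocess.run(cmd, capture_output=True, text=True,
                                  timeout=10)
            readings[name] = (done.stdout + done.stderr).strip()
        except (OSError, subprocess.TimeoutExpired):
            readings[name] = None   # tool missing, e.g. not running on a Mac
    return readings


def as_bool(text):
    """Interpret `defaults read` output; None if it is not a clear yes/no."""
    value = (text or "").strip().lower()
    if value in ("1", "true", "yes"):
        return True
    if value in ("0", "false", "no"):
        return False
    return None   # includes the "does not exist" error for an unset key


def as_seconds(text):
    try:
        return float(text)
    except (TypeError, ValueError):
        return None


def evaluate(readings):
    """Return [(setting, status, note)], status is ok / change / unknown."""
    pick = {True: "ok", False: "change", None: "unknown"}
    results = []

    # spctl reports only whether Gatekeeper is on, not which of the two
    # "Allow apps downloaded from" options is selected.
    gk = readings.get("gatekeeper") or ""
    on = True if "assessments enabled" in gk else (
        False if "assessments disabled" in gk else None)
    results.append(("Gatekeeper", pick[on], "should be enabled"))

    auto = as_bool(readings.get("safari_auto_open"))
    safe = None if auto is None else not auto
    results.append(("Safari: Open safe files after downloading",
                    pick[safe], "should be turned off"))

    ask = as_bool(readings.get("ask_for_password"))
    delay = as_seconds(readings.get("password_delay"))
    if ask is False:
        locked = False
    elif ask is True and delay is not None:
        locked = delay <= 300          # "a short time period, like 5 minutes"
    else:
        locked = None
    results.append(("Require password after sleep", pick[locked],
                    "should be on, within 5 minutes"))

    guest = as_bool(readings.get("guest_enabled"))
    results.append(("Guest User account", pick[guest],
                    "should be available for visitors"))
    return results


if __name__ == "__main__":
    for setting, status, note in evaluate(read_settings()):
        print(f"{status:8} {setting} ({note})")
```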
3. Scams and Tricks Years ago, the weakest point in your computer’s security lay in your computer’s operating system. Cleverly designed malware could infiltrate your computer and do harm. But over the years, systems have become more secure. It is harder for software to fight software, so those that mean you harm have found a new weak point: you. Instead of breaking into your computer when you are not looking, they now ask you for permission to come in. And many people give it. Let’s take a look at phishing and other scams that try to trick you into letting the bad guys in.
Recognizing Phishing Scams Guessing passwords isn’t the only way to get to you online. There are people out there, just like in the physical world, who will try to scam or con you. You’ve probably heard of scams that involve emails from people claiming to be Nigerian princes. Those seem to be pretty obvious cons, yet some people are still tricked every year. Most cons are much more subtle and sophisticated. The main ones you need to watch out for are called phishing scams. Phishing scams work like this: You get an email from, say, eBay. It mentions that there is a problem with your account, or that you need to update something on the site. The email provides you with a link to log in. The email looks real. You see the official eBay logo and it all sounds above-board. So you click on the link and it takes you to a website. The site also looks real. There’s the logo, and the navigation bar at the top, and everything you recognize You enter your eBay ID and password. Gotcha. The email was fake. It may have looked like it came from eBay, and the from and reply-to email address were even official eBay addresses. But those can all be faked very, very easily. As easily as getting a letter in the mail with the correct return address and appearing to be on official stationary. Anyone could have sent the email. The site, while it looked real, was actually not eBay at all. It may have even looked like an eBay web address, but upon closer inspection it was something like www.ebay.com.xxyyzz.net. So it was actually xxyyzz.net you were going to, not eBay.
Figure: This email looks like it comes from eBay and even uses their logo. If you move your cursor over any of the links, like the logo, you’ll see the real URL that it will take you to, which is not an eBay.com address.
Then you entered your email address and password. Instead of being logged in, your ID and password were simply passed on to those with malicious intent who now have your eBay password. You may have even been taken to a real page at eBay right after you gave up your password. It could have been rigged to look like you simply entered the wrong password and now, actually at ebay.com, you enter the right one and get in. You don’t even realize that you have been scammed.
Figure: This email pretends to be from PayPal and plays on your fears that something is wrong with your account. But you can see that the big button links to a completely different site. Many phishing scams try to blind you with fear to try to lower your guard.
So how do you protect against this? Very simple, if you think ahead. First, learn to question any email you receive. Is it really from who it appears to be from? Is it really eBay/Amazon/Apple/Google emailing you? A little skepticism goes a long way. If there is a link in the message, move your cursor over it in Mac Mail and it will reveal the URL. Look at the last part of the domain name, just before the .com or .net. The URL www.ebay.com is right, but www.ebay.com.xxyyzz.net is wrong. Keep in mind that some phishing attacks will have multiple links in them, and all might be correct except for one. Don’t be fooled just because one is right. If the email is asking you to log in to take some action, don’t use the links in the email. Instead, open your browser and manually enter the website address. Phishing scams can’t get you if you don’t use their links.
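The domain check described above, written out as an added example (not from the book): it reads every link in an HTML email body, reduces each host to the part that actually decides where you go, and flags look-alike hosts, link text that shows one site while pointing to another, and shortened links. The TRUSTED and SHORTENERS lists and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: sites you really have accounts with (your own list).
TRUSTED = {"ebay.com", "paypal.com"}
# Assumption: a few well-known link-shortening hosts; not a complete list.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}


def registrable_domain(host):
    """Return the last two labels of a host name, e.g. xxyyzz.net.

    Simplification: two labels is right for .com/.net; suffixes such as
    .co.uk need the Public Suffix List, which this example does not load.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Return the host name if the text looks like a web address, else ''."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    try:
        return (urlsplit(text).hostname or "").lower()
    except ValueError:
        return ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the reasons a link looks suspicious (empty list if none)."""
    try:
        parts = urlsplit(href)
    except ValueError:
        return ["link address is malformed"]
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return []  # mailto: and relative links are out of scope here
    host = parts.hostname.lower()
    real = registrable_domain(host)
    reasons = []
    if real in SHORTENERS:
        reasons.append("shortened link hides the real destination")
    for brand in sorted(TRUSTED):
        # www.ebay.com.xxyyzz.net mentions ebay.com but belongs to xxyyzz.net
        if real != brand and f".{brand}." in f".{host}.":
            reasons.append(f"host mentions {brand} but belongs to {real}")
    shown = host_of(text)
    if shown and registrable_domain(shown) != real:
        reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons


def audit(html_body):
    """Check every link in the body; one bad link among good ones still counts."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    flagged = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


# Constructed sample message body: one genuine link, two that are not.
SAMPLE = """
<p>Dear customer, there is a problem with your account.</p>
<a href="https://www.ebay.com/help">Help pages</a>
<a href="http://www.ebay.com.xxyyzz.net/signin">www.ebay.com/signin</a>
<a href="http://bit.ly/EXAMPLE">Verify now</a>
"""

if __name__ == "__main__":
    for href, reasons in audit(SAMPLE):
        print(href)
        for reason in reasons:
            print("  -", reason)
```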
Figure: This message looks like it comes from a real bank. Millions of copies of this message were sent, and thousands probably reached customers of that bank. But you can see that the URL is using a URL shortening service to hide its real destination. If you receive something like this and you use the bank represented, simply ignore the links in the email and go to the bank’s website by typing in the address or using your saved bookmark. Never click on a link in an email like this.
Another failsafe against phishing is to use one of the password storage methods from the previous section. If you use Safari’s passwords, or 1Password or LastPass, then when you go to a fake site, like www.ebay.com.xxyyzz.net, the software will not recognize your password for eBay as the one for this not-eBay site. One of the strengths of a phishing attack is how they seem to know information about you. An email may know your name, email address and the fact that you have an account. For instance, an email may seem to come from your bank with your name and email address. How did they know you had an account at that bank? Well, they didn’t. They simply sent out millions of emails to millions of people, most of whom did not have an account there. It was just a guess.
Avoiding Social Engineering Tricks
There are also scams that use the telephone to try to get your online information. People who are normally suspicious of email and websites may let their guard down when they get a call. The most common of these scams is when someone calls claiming to be from Apple, Microsoft or your Internet service provider, and they say they have detected a problem with your computer. They want you to give them access so they can fix the problem (for free!).
This, of course, is a scam. No one is going to call you out of the blue like that. And if they do, simply tell them that you’ll call them back. Don’t ask for or pay attention to a phone number they give you. Instead, go to the official website for the company, say your Internet service provider, find the number for their customer support and call them directly. Only do this if you are really concerned. Otherwise, just ignore the call as it is almost certainly a scam.
Mac users have been laughing at these sorts of scams for years now, as the person calling usually says they are from Microsoft and that there is a problem with their Windows computer. That’s pretty easy to see as a scam if you own a Mac instead. But it is only a matter of time before they start claiming to be from Apple calling about your Mac.
Ignoring Misleading Web Ads
Another type of phishing scam involves something much simpler than email. You just see an advertisement at a website stating that your computer is infected with a virus or some other malady. Sometimes the ads take over the whole screen. Sometimes they pop up as windows that almost make it look like they are from your computer’s system, not the web browser. But these are nothing more than advertisements. Sometimes they are extremely malicious. A hacker may take over a website and place these messages on the site. The real owner of the site may have no idea they are even there.
Sometimes they are only somewhat malicious, just tricking you into buying software that you don’t need. Here’s the important thing to know: Just because you see text on your computer screen doesn’t mean it is coming from your computer, or from an authorized source. It could just be an advertisement on a website.
Sometimes you do get legitimate messages, like a notification about a macOS upgrade, or a required update for a web browser plug-in. System messages will not come from your web browser. If you get a message to update or download something, simply quit your web browser. If the message remains, then it is not a window of your browser and it is coming from your system or some other app. For example, it could be Adobe notifying you of a legitimate update.
Malware For Malware
If you find yourself getting windows and messages about updates or downloads all the time, then you may have already been infected by trojan malware. This malware might want you to open the door for more, or to submit to a scam. Apple has a regularly updated page that gives instructions on how to look for and disable such problems.
https://support.apple.com/en-us/HT203987
Help Stop False and Misleading Sharing
If you grew up with newspapers in the 60s, 70s and 80s, you probably learned to take the printed word as truth. Major city newspapers and other publications would fact-check and edit their stories and present balanced news articles on their front pages. The Internet allows anyone to be a publisher. It is easy to write an article that looks official, cites sources and appears to be balanced. But in reality, it could just be one person making up facts and figures to push their agenda. Or, maybe just to get attention.
These articles then get shared on Facebook or sent to you by friends via email. They can be political, such as making claims about a candidate for office. They can be about medicine or health, claiming that you should avoid some food or product, or seek out another. Here are some of the most common articles of the past few years:
• Children's Tylenol Recall (False: Cites a recall notice from 5 years ago).
• Arizona Iced Tea Uses Human Urine (False: From a fake news site).
• Post this to your Facebook page to protect your privacy rights (False: neither the problem nor the solution are true).
• If you are forced to withdraw money from an ATM at gunpoint, enter your code in reverse to summon the police (False: completely fabricated).
• The U.S. dollar will officially collapse (False: a sales pitch to buy financial information).
• Drinking ice water could give you a heart attack (False: completely fabricated).
In addition to these, 2016 saw a huge amount of “fake news” articles being posted by people in hopes that they would be shared over and over again on social networks. Much of the time these articles are outright lies. But they are scary lies. They attempt to do the same thing as a computer virus—self-replicate. They want you to forward the email or “like” the Facebook post. Before you do so, realize that by sharing an article or a link to an article, you are, in a sense, endorsing it. You may have good intentions, but the result could be that you are misleading your friends, and perhaps losing their trust and respect.
Remember to always remain skeptical. Just because a friend forwarded something to you doesn’t mean the friend checked it out first. In fact, they probably didn’t. So check it out for yourself. It is fairly easy to examine the facts for yourself. The website http://snopes.com specializes in this. It looks into the most popular shared articles and tries to find out the truth. Search there and you’ll usually find out about the article you are reading. It is also convenient to be able to send a link back to a friend, or post it as a comment to their Facebook share.
Instead of saying “I don’t think this is true,” you can just post the link to Snopes and let them read the research for themselves.
The spread of misinformation on the Internet is a kind of security threat. Even if you do not wish to research the facts for yourself, don’t help spread this “virus” by reposting or sharing information without checking it first.
Stay Away From Email Scams
Scams and cons have been around for centuries. But with the Internet, con artists can try to con millions of people at once. By simply sending out mass email messages, they can try to hook a few gullible people. Don’t think that you are too smart to be hooked—con artists are masters of manipulation, and often the people who are harmed thought they were immune to such ploys. Here are some common email scams to watch for. New ones appear all the time, so remember to always be skeptical.
• “Make money working from home.” These business scams usually involve you using your own money to buy supplies or equipment, and then never getting much, if any, back for your work.
• “Your computer is infected, we can help.” They don’t really know anything about your computer. They are just trying to sell you software you don’t need.
• “I am traveling and all of my money has been stolen!” This email appears to come from a friend, but in fact their email account has been compromised and a hacker is trying to trick people into sending money.
• “You have won money in a foreign lottery.” You didn’t. They will ask you to send some money so you can get your winnings. You won’t.
• “Help me get some money out of my country.” The classic Nigerian email scam. No one will ask you for help like this. They are really trying to get money from you, not send money to you.
• “Work as a mystery shopper.” Usually leads to a check-cashing scam. You are sent a bad check. You cash it at your bank and use it to send money to check whether a money transfer company works. A week later your bank tells you the check was bad and you lose the money you sent.
There are many variations on the above, and many more unique scams. It helps to train your brain to recognize these by doing things like reading Snopes.com occasionally to see what new scams appear. Also, check out the website www.onguardonline.gov for information on the latest scams and cons.
4. Physical Disasters
Of all of the threats discussed in this book, this next one is the most likely to happen to you. You may never get malware or have your online accounts compromised, but if you use computers long enough, you will almost certainly lose some data due to a hard drive failure, physical disaster or simply by accidentally deleting files.
Backing Up Your Mac
Data loss is not only the most common problem, but it is also the simplest to protect against. You just need to back up your data. Yet many people do not. They spend big money on a computer. Then they start working hard on one or more projects, professional or otherwise. But they never think to set up a system to back up their computer. Then one day, they find that days, weeks or even years’ worth of effort has been reduced to nothing more than a memory.
Backing up your data protects you from a long list of things that could go wrong:
• Hard drive failure
• Physical damage to your Mac
• Accidentally deleting files
• Software malfunction that deletes files
• Malware that deletes files
• Lost or stolen Mac
• Fire, flood or other disaster that destroys your computer
Fortunately, backing up your Mac is easy because the backup system is built right into macOS. It is called Time Machine. It is a system that copies your files to an external hard drive or networked hard drive.
Time Machine can back up to either an external hard drive, like a USB drive, or to a drive that is part of your Wi-Fi network device. The most common example of the latter is Apple’s Time Capsule Wi-Fi base station. Time Capsule includes a large hard drive for backups.
Generally, if you have a stationary Mac, like an iMac, Mac Pro or Mac mini, then you will probably want to use an external USB drive. These are the cheapest and simplest solution. If you use a Mac laptop, you can still use a USB drive. You just have to remember to plug it in every time you sit down at your desk. It is easier to have a Time Capsule in your home and use that instead.
Figure: Turn on Time Machine in System Preferences.
If you shop for a USB hard drive, you’ll want to get one that is significantly larger than your Mac’s internal drive. For instance, if you have a 1 TB internal drive in your iMac, you’ll want at least a 2 TB USB drive for backups. This is because Time Machine will save multiple copies of each file, giving you the opportunity to revert to previous versions of the file if something goes wrong. Fortunately, hard drives are cheap. You can find them online on sites like Amazon.com or NewEgg.com for about $100 or less. Get a USB 3 drive, which will transfer data between your Mac and the drive much faster than USB 2. Even if you have an old Mac that still uses USB 2, a USB 3 drive will be useful in the future when you next upgrade your Mac. Apple’s page on using Time Machine will walk you through setup and how to use it to restore files. https://support.apple.com/en-us/HT201250
Storing Your Files in the Cloud
Before I tell you more about iCloud, it may be useful to define it. iCloud is a service from Apple that includes many different things, all related. It is basically a bunch of servers that allow you to store your data online, rather than on your computer’s hard drive. iCloud lets you store documents and other files on Apple’s servers so you can access them from one or more Macs or iOS devices. You can also back up your iOS devices to iCloud.
Among other things, iCloud is an email, contacts and calendar service allowing you to access your messages, contacts and events from any Mac or iOS device. There are also smaller components to the service, such as the ability to store your passwords (Keychain), locate your Mac or iOS device (Find My Mac/iPhone), store all of your music online (iTunes Match) and store your entire photo library online (iCloud Photo Library).
If you use iCloud, iTunes or another Apple online service, you have an Apple ID and password. You use the same Apple ID and password to access all of these. When someone says “iCloud password” or “iTunes password,” they really mean Apple ID password.
Using a cloud service like iCloud becomes more and more necessary as our digital lives spread across multiple devices and as we expect to have access to our data everywhere. You can now take a photo on your iPhone, edit it later that day on your Mac, and then show it to someone on your iPad the next day, all without needing to “move” it from device to device.
When you think of the cloud and security, you might also think of security problems. For instance, once you have your documents, contacts, email and photos in the cloud, someone could hack into your account and access all of your stuff. But that isn’t a problem if you use strong passwords and two-factor authentication. When you hear about someone’s cloud service being broken into, it is because they are using a weak password or some other basic security misstep. The cloud can actually help you keep your digital life more secure by making your data portable.
iCloud Desktop & Documents Folders
When first using macOS Sierra you will be asked if you want to make your Documents and your Desktop folder part of iCloud Drive. The option for manually turning this on is in System Preferences, iCloud, then the iCloud Drive “Options” button. Once you enable this, not only will files you store specifically in iCloud Drive appear across all of your devices, but your Documents and Desktop folders become subfolders of iCloud Drive, so they do as well. This is an excellent way to keep all of your files instantly and effortlessly synced across multiple Macs. They are then even available in the iCloud Drive app on your iOS devices.
As useful as this is, there are reasons not to have this option turned on. One is if you have a slow Internet connection and syncing will be difficult because of that. Another is if you have a huge Documents folder, maybe full of video editing projects, and that would also make it hard to sync. Or, you may prefer to use your multiple Macs for very different purposes, like one Mac for video work and one Mac for writing or playing games. You could still create and use other folders in your main Home folder for things you don’t want to be on iCloud Drive, but it can get complicated very quickly.
Years ago, I used a top-of-the-line MacBook Pro as my main computer. This was before most cloud services. I would get quite nervous when traveling. If I left my hotel room to do something as simple as go to dinner, I would think about my entire digital life sitting up in my room on that MacBook. Of course, I backed up my MacBook before leaving on the trip. And the user account on the MacBook was password protected. But losing it would mean that I would be without access to my data for the rest of the trip, and I would also lose any work I had done since I left home. Then, there was the long process of getting back up and running once the trip was over.
The cloud turns this all around. I’m using iCloud Drive for some things, and the third-party service DropBox for others. My email is through iCloud or Gmail. And all of my apps are downloaded from the Mac App Store, Adobe’s Creative Cloud or Microsoft’s Office 365. What happens if my MacBook goes missing from my hotel room now? Well, it is probably the most expensive thing I am traveling with, so I’ll be a bit upset about that. But as for my data, I don’t have to worry one bit. I'd run out to the nearest Apple Store and get a new MacBook. That would cheer me up a bit, as it is probably a newer model than what I was using before.
The Documents folder on my stolen MacBook would have been empty. All of my files are in iCloud or DropBox. So as soon as I sign in to iCloud, download DropBox and sign
into that, I have all my files back. I log into my Gmail account in the Mail app and all of my email appears, even my Sent folder and Drafts. Then I head to the Mac App Store and get the apps I need right away. Maybe I’ll do that at Adobe and Microsoft too, if I need those apps before I get back to the high bandwidth at home.
Pretty quickly, my new MacBook looks just like my old one, at least as far as the files and data are concerned. And my old MacBook doesn’t give up any of its secrets because it is password-protected with FileVault encrypting the data. The best the thieves can do is wipe it clean.
Note that what I am describing is identical to what I need to do any time I buy a new MacBook, even if I’m just buying it for the upgrade. By signing into my cloud services and downloading apps from other cloud services, I can get up and running on a new laptop in less than an hour with a good Internet connection.
Storing your files and data on cloud services doesn’t work for everyone. If you have a slow Internet connection, using cloud services can be an issue. One way to deal with that problem is to pay for a faster connection. Perhaps you weren’t able to justify the cost before, but when you take the advantages of cloud storage into consideration, it now makes sense. Some people work with large files. If you use your Mac for video editing, for instance, then using cloud services for massive video files isn’t going to be a good option.
Step-By-Step: Storing Files With iCloud Drive
1. In System Preferences, go to iCloud.
2. Make sure iCloud Drive is turned on.
3. In the Finder, open a new Finder window (File, New Finder Window).
4. Make sure the sidebar is turned on (View, Show Sidebar).
5. Click on iCloud Drive in the sidebar.
6. Try not to go into folders marked for specific apps, like Pages, Keynote, TextEdit, etc. Access those files only through those apps.
7. Create folders in the iCloud Drive folder as needed to organize your files.
8. Access this iCloud Drive folder in Open and Save dialog boxes from any app, whether it officially supports iCloud or not.
Using FileVault and Encrypted Backups
Let’s say that you have a MacBook and are on the go. You’ve set up your MacBook’s user account with a password. Then someone swipes your MacBook and it's gone. They can’t get into your account to see your files, right? They’d need your password for that, right?
Not exactly. True, they can’t log into your account. As long as any other accounts are also password-protected, then they can’t log in to those either, nor can they create new ones. They can’t do anything with your Mac as-is. But they can start up your Mac using an external hard drive as the system drive, instead of your internal one. Then they can access the files on your MacBook without needing to log into your account at all. They are all just plain files sitting there on the hard drive. They can also remove the drive from your MacBook and hook it up to another computer to access the files.
You don’t hear about this happening too often. It is a lot of effort for very little return. Chances are, your files aren’t worth much to someone else. But it is possible that identity thieves could be looking through your files to try to gather information about you. Apple has a way for you to protect yourself against this. It is called FileVault. You can turn it on in System Preferences, Security & Privacy.
Figure: To turn on FileVault, go to System Preferences, Security & Privacy, FileVault.
What FileVault does is encrypt the entire contents of your Home folder. Your Home folder is the one with your short user name that contains your Documents, Pictures, Movies, Desktop and other folders. Basically, it contains all of your files. Once you have turned it on, you shouldn’t notice any difference in how your Mac works. Everything should seem normal. But what is happening under the hood is very different. When you open a file, say a Pages document, the file is decrypted and given to Pages. When you save it, the file is encrypted and put on the hard drive. This is true for every file in your Home folder. If someone were to rip out your drive and plug it into another computer, all that they would see in your Home folder would be an encrypted mess. Without the decryption key, which is your user account password, they couldn’t access any of it.
Sounds like a no-brainer to turn this on, right? There are some disadvantages. For one, there is a slight speed hit. When Apple first introduced FileVault, this speed hit was enough to affect tasks like video recording.
But with today’s hardware and improvements to macOS, it shouldn’t be a noticeable problem anymore. Another disadvantage is stability. Having all of your files encrypted makes it much harder to recover from a system or hard drive issue. I’ve had one MacBook die on me due to a slight problem that turned into a big problem because of FileVault.
My recommendation is to only use FileVault on portable Macs. Then, turn it on from the very beginning, from before you even start using the Mac. So you get a new Mac, turn on FileVault, then begin using your Mac. If you are going to turn on FileVault after you start using your MacBook, I recommend making sure your Time Machine backup is up-to-date and perhaps even making a second cloned backup before turning on FileVault.
Also, keep in mind that turning on FileVault on a Mac that already has files in the Home folder will take a little bit of time. It needs to encrypt everything. This is a task for a time period when you don’t need to use your MacBook for a while. For instance, before going to bed on a Friday night with no plans on Saturday morning.
With all of these warnings against using FileVault, you may wonder if anyone actually uses it. Many people work for companies that have security procedures in place to protect data. I would expect a company MacBook to have FileVault turned on as a matter of policy. I may also expect employees to use it on their personal MacBooks too, especially if they check their work email or occasionally work on documents away from the office.
Encrypt Your Time Machine Backup
If you encrypt your Home folder with FileVault but also back up your Mac with Time Machine (which you should), you’ve got a slight flaw in your security. True, FileVault is good at protecting you if your MacBook is stolen while you are out of the house and your Time Machine backup is in the house. But what if your Time Machine drive is stolen?
When you set up your Time Machine backup drive, you have the option to select “Encrypt backups.” You can also turn this on by re-selecting the Time Machine drive in System Preferences, Time Machine. Naturally, this will clear your drive and restart your backups from scratch as it needs to get rid of all of your unencrypted backups.
Figure: If you need it, switch on Encrypt Backups when you first select your Time Machine backup drive.
Backing Up Online
While backing up to a hard drive is undeniably a good idea, it does have one major flaw. If your computer and your backup are in the same location, what if something happens in that location? It could be a fire, flood or other natural disaster. It could be a thief that takes both your computer and the backup drive. It could be a power surge that takes out both devices. How do you protect both your computer and the backup at the same time? To do that, you’ve got to put the backup in a different location.
Online backups make that possible. They work like local Time Machine backups, except that instead of a hard drive, you are backing up to a server in some other location. There are several companies that offer online backups for Mac users. Here are four to look into:
Backblaze -- https://www.backblaze.com
CrashPlan -- https://www.code42.com
Carbonite -- http://www.carbonite.com
IDrive -- https://www.idrive.com
I’ve been using Backblaze, and have also used CrashPlan in the past. I like them both. You install software on your Mac and it will automatically back up the files on your drive. You can customize it to only back up some files and not others, or to only back up when you are not using your Mac for a moment.
Figure: The Backblaze control panel lets you set up the service and restore files.
Online backups have many advantages over local Time Machine backups:
• You don’t need to buy an external hard drive to store your backup.
• Backup is located offsite to protect against disasters that would destroy both your Mac and your backup drive.
• Backup would be available remotely, from anywhere, as long as you have your password to the service.
There are also some disadvantages to online backups:
• Online backups use your network bandwidth, so they won’t be good options if you have a slow connection, a connection with slow upload speeds or metered bandwidth.
• In case of a disaster, it would take a long time, even over a fast connection, to download all of your data. Some services will send you a hard drive containing all of your data in case of an emergency.
• Monthly payments for online backup services will cost more than a cheap hard drive purchased once.
You can get all of the advantages and none of the disadvantages (except for price) by using both local and online backups. This is what I do since I make my living working on my Mac. If you only use your Mac for personal use, it may make more sense to stick to one or the other. If you are already storing most of your files and data in cloud services like iCloud, then online backups may be totally unnecessary.
Cloning Your Hard Drive
Before Time Machine and online backups, people who cared about protecting their data still backed up their drives. They used a rather unsophisticated technique called cloning. Cloning is simply making a complete copy of your hard drive on another hard drive. It is a complete backup and can save you from a disaster. But it has two major drawbacks.
The first is that it requires you to manually create the clone and remember to do so on a regular basis. Even diligent individuals may only do this once per week. Imagine cloning your drive on Monday morning and then starting work on a new project Monday afternoon and working on it all week. Then your hard drive fails on Friday and you lose everything since Monday morning. If you had been using Time Machine, you would have lost only an hour's worth of work at most.
Another drawback is that you don’t have versions of files, only a single copy of each file at the time the clone was made. So if you want to roll back a document to what you had two days previous, you can’t.
An advantage to cloning was that if your hard drive failed, you could pop it out of your computer and pop the clone in, and get back to work within minutes. But the days of computer towers with easily swappable hard drives are over, especially for Mac users. With solid-state drives, you really can’t do this anymore. Instead, you could get a new drive, or a whole new Mac if the whole computer failed or was stolen, and then copy the clone back to the internal drive. But you can already do that with Time Machine.
Cloning does have its place in today’s world. It is an excellent second backup. Creating a clone every week or month and then storing it in another location is a good idea. It leaves you with something if both your Mac and Time Machine backup disappear in a fire or theft.
Another thing you can use cloning for is to create a secondary backup before performing a particularly risky task. For instance, before taking your Mac in for service, getting a new hard drive installed, or turning FileVault on for the first time. It is sometimes good to know that you have your digital life backed up in more than one place before doing such things.
There are two competing software packages that do an excellent job of creating clones.
SuperDuper! -- http://www.shirt-pocket.com/SuperDuper
Carbon Copy Cloner -- https://www.bombich.com
Both are excellent pieces of software that have been serving the Mac community for years. Both allow you to create “smart” clones. This means that after cloning your drive to an external one the first time, the next time it can simply compare the clone to your drive and add and remove files to update the clone. This is much faster than starting a new clone from scratch and copying every bit.
Preventing Problems With a UPS

One threat to your Mac comes from the very thing that gives it life: electric power. You've got to worry about getting too much, such as a spike or surge, or getting too little, such as a power outage.
You can protect against power surges with a simple surge protector. Many power strips have them built in. And some houses have surge protection for the whole house. But this simple solution doesn't protect against power outages. If you are using a MacBook, you have your internal battery as protection. If you lose power, your MacBook will simply use its battery just as if you had unplugged it. Desktop Macs can use batteries as well. These are called Uninterruptible Power Supplies, or UPSes. They are basically power strips with batteries.
The APC BE550G Back-UPS 550VA 8-outlet Uninterruptible Power Supply is a basic, inexpensive UPS that sells for less than $60 on Amazon.com.

During normal use, the battery stays charged and AC power flows through the UPS to your Mac just like it would with a plain power strip. When your power goes out, the battery kicks in and supplies power to your Mac for a limited time. Your Mac shouldn't notice the difference and you can keep on working. However, the battery in a UPS can only hold out for a few minutes before being drained. An iMac, Mac Pro or Mac mini uses much more power than a MacBook. More expensive UPSes can supply power for longer periods of time.
The correct way to use a UPS is to take advantage of those few minutes of extra power to save your work and shut down your Mac gracefully. Without a UPS, your Mac would switch off during a power outage just as if you had pulled the plug out from the wall. The document you were working on would go unsaved. It may even suffer from file corruption if it was right in the middle of writing to the hard drive. Having a UPS saves you from any of these problems. Many UPSes even have a USB port that allows you to connect them to your Mac. Your Mac's System Preferences Energy Saver panel will then recognize the UPS and give you information about the battery. You can set your Mac to shut down gracefully if the UPS reports that power is out and the battery is being used. That comes in handy if you are away from your Mac while it is on, and the power goes out. Many power outages (or most, for some people) are only a few seconds long. Power goes out, and then comes immediately back on again. In those cases, a UPS comes in very handy as you can keep working, perhaps without even noticing the outage unless you see the lights blink. A standard UPS comes with one cord to plug into the wall, and then a set of power outlets for you to plug in devices. Note that some of those outlets are labeled to indicate that they will use the battery in case of an outage, while others do not. You can use those other outlets for non-critical devices, like your printer or phone charger. Use the battery-connected outlets for your Mac and perhaps your display if you are using a Mac Pro or Mac mini. The less you have plugged into the battery-connected outlets, the longer the battery will last in an outage. You can buy a UPS at most electronics stores and office supply stores, such as Best Buy or Staples. You can also find a wide variety of them online at Amazon and NewEgg. There are only a few major brands: APC, CyberPower and Tripp Lite. 
The price of a UPS is usually a direct reflection of the size of the battery, which is in turn a direct reflection of how long it will last in the case of a power outage. A $50 UPS will give you a few minutes, whereas a $500 model will let you keep working for much longer.

In addition to buying a UPS and connecting your Mac through it, I also recommend buying a second UPS for your cable or DSL modem and your Wi-Fi router. Since these devices use only a fraction of the power of a computer, the UPS will actually provide much more battery time. You can continue to connect to the Internet with your Mac, iPhone or iPad for a little while after a power outage begins.

I also have one attached to my digital video recorder. Those things deal with power outages poorly. A split second of lost power could mean a 10-minute reboot where you miss a whole chunk of your favorite TV program.

A big downside to UPSes is that you need to replace them every few years. Their batteries age just like batteries in any device. But unlike a laptop or phone that seems really out of date after 5 years, a UPS is just a UPS. So replacing it, or at least getting a new battery for it, after 5 years seems like an annoying expense. But you have to remember why you are using a UPS in the first place, and know that you'll need to replace the battery every so often. Check the documentation for the UPS to see how often you should replace the battery, or if there is a function in the UPS to tell you when it is time for a replacement.
Find My Mac

What happens if someone steals your Mac? Say you are using your MacBook in a public place, you turn around for a minute and it is gone! What do you do next?

Assuming you have your accounts password-protected and you are using FileVault, you don’t need to worry about your data being stolen or your online accounts being compromised. Still, you do the safe thing and change all of your online passwords right away. But you’d like to get your MacBook back, if possible, or at least make life difficult for the thief.

You can do this using the Find My Mac feature. To turn it on, go to System Preferences, iCloud and look for the Find My Mac option.
You can turn on Find My Mac in the System Preferences, iCloud pane. It is located at the bottom of the list.

This is the same service that can be used by iPhones and iPads. It is called Find My iPhone and Find My iPad in the Settings app of those devices.

If your Mac is stolen, you can use the Find My iPhone app on any iOS device to locate it. Or, if you’re using another computer, you can go to iCloud.com and click on the Find My iPhone button. This will also show you Macs and iPads. From there, you’ll see a map showing all of your devices, and it will update when possible.

Unfortunately, it is easy for a thief to shut down a MacBook so that it doesn’t send a signal. Plus, it is likely that the MacBook won’t be connected to Wi-Fi anyway. But it is possible that a thief will take the MacBook home and start using it. If that’s the case, you’ll see its location on the map.

There are reports online of people using this function, in conjunction with the help of local police, to recover their Mac. Police should love this, as it usually leads them to even more stolen goods. But how high the police prioritize a stolen laptop may vary according to your location. Still, you should never try to confront a thief on your own as you don’t know what you may be dealing with.
In addition to a map, you can trigger one of three commands with Find My Mac.

In addition to location, you can also send a signal to your MacBook to play a sound, lock, or erase the hard drive. The first option is for when you have simply lost it—perhaps you don’t know where in the house you last left it. The second option is to be used only if you didn’t set your Mac to automatically lock in the System Preferences, Security & Privacy, General settings. The third option will erase your drive, giving you peace of mind that the thieves cannot access your data. You’ll even be given the option to enter a message that will appear on the screen once the Mac has been erased. If your Mac is offline and you do this, then the erase will start the next time the thief connects to the Internet.
Chapter Actions

• If you are not already using Time Machine to back up your Mac, start doing so as soon as possible.
• Consider an online backup solution as well. Use both if you can.
• Consider storing your documents on a cloud service, either Apple’s iCloud Drive or a third-party service like DropBox.
• If you use a MacBook and frequently find yourself in situations where your laptop could be easily taken, consider using FileVault.
• If you use a desktop Mac, buy a UPS to provide emergency power. Also buy one for your network hardware.
5. Frequently Asked Questions

The previous four chapters cover the basics of keeping your Mac secure. But there are many side issues that need to be addressed. Here are some frequently asked questions, and answers, about Mac security and related topics.
Suspicious Sharing
Why do I see other people’s computers in my Finder sidebar? Can they also see me?

I’ve already warned about using public Wi-Fi. But if you find yourself connecting your Mac to community Wi-Fi anyway, say at a workplace, conference center, hotel or coffee shop, take a look in your Finder sidebar under “Shared.” You just may see some things there you don’t recognize.

If you see “Jill’s Mac” or “Bob’s MacBook” or something similar, you are seeing some other Macs on the same network. This also means that they could be seeing you. If you have File Sharing turned on and are using a public Wi-Fi connection, you are sharing your Mac with everyone else on that network.

You may only have the default Public folder available to those people. But that includes the Drop Box folder inside it. Those people could potentially put any file they want in your Drop Box folder on your hard drive. It is unlikely that anyone will do so. And it would be nearly impossible for them to do any harm. But if the idea of them seeing your Mac on the network and poking around in your Public folder makes you uneasy, you should disable it.
In System Preferences, Sharing, you can disable File Sharing by unchecking it on the left.

Go into System Preferences, Sharing and turn off File Sharing when you are using a public network. In fact, keep File Sharing off in most cases, unless you really need to use it often to transfer lots of files between computers at home.

There are better options for file sharing with modern Macs. If you need to share files between computers that are yours, like a desktop and a laptop, then you should be using cloud storage like iCloud Drive or DropBox to keep those files in sync. If you need to send an occasional file to a colleague at work or another family member at home, use AirDrop instead of file sharing.

AirDrop, however, has a similar problem. If you set your AirDrop discovery setting to “Everyone,” you can be seen by other Mac users, and iOS users, that are nearby. You don’t even need to be using the same Wi-Fi network, or any Wi-Fi network at all.

This can be handy. If you are at a gathering with a group of friends, you can send each other files, pictures and other data without needing to fuss over Wi-Fi connections or user permissions. And you can’t receive a file without accepting it first, so no one can dump an unwanted file on your Mac.

If it makes you uneasy that someone nearby can suddenly attempt to send you something, it is easy to block them. Just switch your AirDrop setting to “Contacts Only.” Or, you can switch it to “No One” if you don’t plan to use AirDrop in the immediate future.
To switch AirDrop to “Contacts Only,” open a Finder window, click on AirDrop on the left sidebar. Then click on “Allow me to be discovered by” at the bottom of the window.
Peek-A-Boo
Can people snoop on you using your camera?

Every once in a while, you may hear that malicious individuals can spy on you through the camera in your MacBook or iMac. You may even hear that there is a way to activate the camera and watch you without the tell-tale green light coming on.

If the green light next to your camera is not on, then your camera is not on. Rumors that this security feature can be bypassed come from a report on MacBook cameras from old models dating from 2008 and earlier. In those reports, researchers theorized that it would be possible to do this with cameras in the future as well. But no such exploit ever materialized.

So can someone spy on you using your MacBook’s camera? Is it necessary to put a piece of opaque tape over your camera when not using it? Well, it is theoretically possible. But it’s so unlikely that it isn’t worth worrying about.

Consider what it would take to do this. First, there would need to be malware that could bypass all of the security measures on your Mac. Most likely, it would need to be installed by someone with physical access to your Mac. Then this malware would need to be able to record from the camera and send that video somewhere. Plus, it would need to somehow get around the fact that the green light and the camera are physically wired to each other so that when one is on, the other is on.

If an exploit like this were to exist, you can be sure the tech media would be all over this “scandal” and Apple would be working around the clock to patch macOS to prevent it.

If you are going to worry about this possibility, you should also consider other possibilities that are more likely, like someone looking through your window with a telescope or trailing you as you go about your business during the day. These things are easy to accomplish compared to the secret service-level hacking that would be required to spy on you through your Mac’s camera without your knowledge.
Stopping Spam
Is there anything I can do about the junk email I receive?

A piece of junk (spam) email arrives in your inbox. Or, perhaps you decide to look through your junk folder in your Mail app and you see it all there. What should you do?

The answer is pretty straightforward. Delete any junk email you get in your inbox, or move it to the junk folder. As for the messages in your junk folder, ignore them. They will be cleaned out over time.
Sometimes you feel like doing more. You may feel like responding in anger to the messages. You may want to try to block the message in case it's sent again. You may want to try to “bounce” the message back to the sender so it appears as if your email address is invalid.

None of these actions are worth your time. Spammers send out millions of copies of these messages in hopes of getting a handful of responses. They don’t pay any attention to negative replies or bounces. It won’t slow down the flood of junk mail you are receiving.

The best defense against junk mail will come from your email server. If you are using iCloud, then Apple is already blocking the worst-offending junk email. If you are using Gmail, then Google is doing it. But if you are using a company email server, or have set one up for yourself at a hosting company, then you may be letting the whole flood of junk email in. If you are using a hosting company, check with them to see if there are anti-spam controls you can access.

Only Use the Junk Button For Junk

You know that “This is Junk” button at the top of Apple’s Mail app and other email clients? That’s useful if you see a piece of email that is actual spam. But don’t use it for anything else.

For instance, say you buy something online from a store and then get an email from them a week later with their “specials.” It may be tempting to hit “Junk” and be done with it, but that is not spam. You did business with the company and probably signed up for their newsletter when you checked out.

If all that pressing the Junk button does is to move the message to your Junk email folder, then what’s the harm? The problem is that it does more than that. In many cases, it also reports the sender of the email to services that gather information about spammers. If the email was sent by a legitimate business, one that you have interacted with, then pressing Junk will actually hurt that business.
Creators of legitimate email newsletters deal with this all the time. In order to get my MacMost newsletter, a weekly email with videos and tips for Apple users, you need to sign up by giving me your email address. Then you need to confirm that you want to get the newsletter by clicking on a link in a confirmation email.
It is impossible to accidentally sign up for my newsletter. Yet each week, I see one or two reports that someone receiving my newsletter has hit the “Junk” button in their email client. They probably see this as a quick way to delete the email or unsubscribe. But as a business owner, it is a rock through my window.
PIN Problems
Is there a way I can protect my ATM card?

If this were a book about home security, I would be remiss if I didn’t also mention how to keep your car safe. Likewise, in a book about computer security, it is important to mention ways to keep things like your credit and bank cards safe.

There is an easy technique, one that many people don’t know about, to protect yourself against someone charging things to your credit cards or bank cards.

Say I am at a restaurant and I have just handed my credit card to the waiter at the end of the meal. The waiter walks away with it. A few seconds later, my phone vibrates with an incoming notification. I glance at it to see that my credit card has just been charged. It shows the amount and the name of the restaurant. All is well.

It is easy to set up such alerts with most major credit cards. Start by logging into your account online. If you haven’t been using your credit card’s online services, now is the time to start. One of the many things you can do is set up alerts that send you notifications or text messages each time your card is used.

With one of my cards, I get a notification through the card’s iPhone app. That usually happens within seconds of the charge. After swiping my card at a payment terminal, the alert comes before I can even put my card away. Unfortunately, another card I use will send the same alert but usually a whole day later. Hopefully this will improve soon.

Either way, I can rest easy knowing that if someone is using my credit card or number, I will receive alerts for purchases I haven’t made and I’ll be able to take action right away.

Apple Pay, the service from Apple that works with iPhones, will give you these notifications naturally. It also masks your credit card or banking information, meaning that the store only deals with Apple and doesn’t get your credit card number to lose. An unscrupulous cashier or a hacker who has broken into the store’s payment systems can’t get to you through an Apple Pay transaction. It is basically like using cash.
Wi-Fi Passwords
Should I set a password for my home Wi-Fi?

When you choose to set up your Wi-Fi without a password, data sent between your Macs and other devices and the Wi-Fi router are sent without encryption. It is possible for someone to listen in on the signal and see what you are doing online.

When you set a password, that password is used as the encryption key for the data that travels back and forth between your devices and the Wi-Fi router. Someone listening in will see what appears to just be a random set of bits.

It is also possible that without a password, someone could simply park in front of your house or apartment and use your Wi-Fi. You are paying for the service, and they are taking it for free. If that doesn’t bother you, consider that they could be using it for illegal purposes. They could be downloading music and movies from copyright-infringing sites, for instance. An investigation into such crimes could lead back to you.
If you use an Apple AirPort base station or Time Capsule, run the AirPort Utility app on your Mac to set the Wi-Fi password. Select the base station and click “Edit.” Then choose the “Wireless” section to set up a password.

Note that below the section in AirPort Utility where you set a Wi-Fi password, there is another section where you can set up a guest network. Like a guest account on your Mac, a guest network is a good way to share your Internet connection with friends and houseguests. You can let them connect their iPhones and MacBooks to this network, which seems to operate as a separate Wi-Fi device, even though it is using the same AirPort Extreme or Time Capsule. The advantage is that they will not see your File Sharing, AirPlay or other networked services.

In addition to a Wi-Fi password, most network hardware also includes an administrator password. This is a separate password that you need in order to change the settings or access special features of the Wi-Fi router. Make sure you set that to a strong password. Often, people leave that blank or go with the default password. This could make it easy for someone to connect to your Wi-Fi router from anywhere in the world, then plant malware on it. Malware on routers can do things like take you to the wrong websites, show you ads while surfing the web, or record your online actions. Hackers know the default passwords that are set on these routers, and every day they try to access them by the millions.

You can set an administrator password in the Base Station section of AirPort Utility. This will make it harder for someone else to break into your AirPort Extreme or Time Capsule and change the settings.

If you are not using an AirPort Extreme or Time Capsule, check your router’s documentation to see how to set a Wi-Fi password and a router admin password. If the router belongs to your cable or phone company, you may need to contact them to ask for help.
Exploits Versus Malware
I just read about a Mac exploit. What do I need to do?

If you follow rule number 3, then you are reading up on the latest Mac news and keeping an eye out for security issues. Every once in a while, you’ll see something that seems pretty scary, like an alert about a “potential exploit” or “vulnerability.”

There is a big difference between a potential exploit and malware. Think of it this way: a potential exploit is like someone telling you that a thief can throw a rock through your window and break into your house. That’s a far cry from a thief actually standing in your house.

Potential exploits mean that security professionals have identified a way in which malware can get onto your computer, or what malware can do once it is there. It doesn’t mean that the malware exists. In fact, it is good news because it means that the good guys figured out something before the bad guys. Chances are, the problem will be fixed before any bad guys can use the potential exploit to create or distribute malware.

A lot of security news is like this in that it won’t directly affect you. An alert about a trojan, for instance, will probably only affect people who have tried to download an illegal copy of some software from a certain site. A database exploit may only affect computer servers, not personal computers.

When you see an article warning you of a Mac security concern, read it carefully. Does it affect regular Mac users? Is your version of macOS or a specific app affected? Is there a way to determine if you are affected? Has Apple already patched macOS, or has a software vendor already patched their software?

If you can’t seem to get a handle on the situation, try a different news source. You can always search Google for the name of the threat, and if it is a serious problem you’ll see dozens of results.
Keep It Secret
What information should I avoid sharing on social networks to keep myself safe while traveling?

There is no right answer to this question. Some people share everything about themselves, including where they are and what they are doing. Others share nothing and avoid using social media altogether.

The only way to be completely safe is to not use the Internet at all and not tell friends anything they don’t need to know. But then you’ll miss out on the benefits of using the Internet and connecting with others.
For instance, you’ve probably received advice to never post to social media that you are on vacation. The fear is that someone can figure out that your house is empty and break in to steal your possessions. But there are a lot of benefits to sharing your photos and thoughts while traveling. I love feeling connected to friends and family while away from home. I love showing them what I am seeing during my travels. In return, I can get advice and recommendations from others who have preceded me at a location. You can find a middle ground if that suits you. You can dig into your Facebook settings, for instance, and set your posts to only go to select friends and family. Ultimately, you have to decide what level of sharing you are comfortable with.
Keep It Secret 2
What information should I avoid sharing to protect myself against identity theft?

If you go to the U.S. government’s page of advice on how to prevent identity theft (http://www.usa.gov/topics/money/identity-theft/prevention.shtml), you’ll find a list of tips. One thing you may notice about these tips is that they are almost all not related to the Internet.

The weak spots that thieves tend to exploit to pull off identity theft are all last-century, offline techniques like stealing a wallet or purse, swiping your mail, taking receipts from your trash or trying to get information from you via physical mail or the telephone.

Think about it: Why try to hack into a computer system to steal credit cards when all you need to do is get a below-minimum wage job as a waiter and people will hand you their cards each day and allow you to take the card into another room?

But people do try to steal credit card information online. They do it for the volume of cards they can steal at once. By breaking into a major retailer’s system, they can get access to millions of card numbers. When this happens, there’s not much you can do about it. There’s no way to protect yourself.

All you can do is to continue to monitor your purchases like I describe in the section “PIN Problems” earlier in the book. If you can’t do that, then be sure to carefully check your monthly statements, or perhaps log on to your bank and credit card accounts weekly and check things over. If something looks amiss, contact the bank immediately to report it.

Other than that, follow the other things I have taught in this book, such as keeping an eye out for phishing emails and websites.

As a general rule, stop and think hard before giving any of these out over the Internet: your social security number, credit card numbers, bank numbers, driver’s license number, address or security question “answers” like your mother’s maiden name or which high school you attended.

There are sometimes real reasons why you need to provide these bits of data. For instance, if you're applying for something on an official state government website, you may need to provide your driver’s license number. It is just a matter of using these as triggers that will get you to stop and think before continuing on a site.

When you do stop to think, check the URL in the browser’s address field. Does it look right? Have you ordered from this website before? Open another browser tab or window and type “scam con warning website.com” or something similar to see what comes up.
What’s Your Location?
An app on my Mac or phone is asking me to allow it to access my location, contacts or other information. Is this OK?

It is easy to freak out every time an app asks for permission to access your location. You may think that some nefarious individual will be tracking your every move, but this is not the case.

Most apps just want access to your location so that they can give you relevant information based on where you are. For instance, a movie times app can list theaters that are nearby. A music app may show you songs that are popular near you, or concerts that are coming to your area. A social media app may give you the option to “check in” to restaurants and other locations. There are many reasons why apps want access to your location.

Apps may also ask for access to your contacts. This is also usually for benign reasons. A photo editing app may request access to your contacts so that it can help you send photos to friends. A word processor may use the names in your contacts to check spelling or to assign document authorship to you by default.

It is important to realize that often, apps ask for permission for something but rarely use it. For instance, an app may ask for permission to use the microphone on your iPhone. Some people jump to the conclusion that the microphone must then always be on, listening in and broadcasting your voice to the offices of the app developer. But in reality, it is to support some minor feature such as a voice search function.
Selling Your Mac
How do I make sure all of my information is gone from my Mac before I sell or recycle it? Before you give your Mac to someone else, whether you are donating it, selling it, recycling it or giving it to a friend, you want to wipe it clean and restore it to “factory conditions.” It is unlikely that if you simply handed your Mac over to someone, they would do something malicious with it. But it is technically possible to scour the hard drive for things like credit card numbers or account IDs. If you are really careless, you can leave yourself logged in to your Apple accounts or other accounts such as streaming music services, cloud services, email servers, etc. What you really want to do is avoid any chance of that by clearing off the drive completely and restoring the Mac to how it was when you first got it. Today’s Mac’s don’t come with CD/DVD drives or a bootable “install disk.” Instead, they come with a way to restore the drive from a tiny hidden partition called macOS Recovery. Before you clear and reformat your Mac’s drive, make sure all of the data is off of your Mac and transferred to your new Mac or archived somewhere else. Once you are sure this process is complete, log out of all systems and services you use. Don’t forget things like: • Choose Store, Deauthorize This Computer in the iTunes app, then Store, Sign Out. !88
MacMost.com
The Practical Guide to Mac Security
• In System Preferences, sign out of iCloud. • In Mail or System Preferences, remove all email accounts. • In Messages and FaceTime, make sure you are signed out and all accounts are removed. • In System Preferences, under Internet Accounts, make sure you are signed out and have removed everything. • In System Preferences, iCloud, sign out of iCloud. • Think of other third-party software programs like Adobe Creative Cloud and Microsoft Office 360 that you also need to sign out. • If you use cloud services like DropBox, sign out of those as well. • Finally, run one last Time Machine backup or clone the hard drive. This will save you if you suddenly realize you forgot something. Now you are ready to clean the hard drive. To do so, reboot your Mac with Command+Option+R held down. This will reboot into a special Internet Recovery system. From there, you can run Disk Utility or reinstall macOS. First, run Disk Utility. Select the main hard drive and erase it. If your Mac uses a standard hard drive, not an SSD, then be sure to press the Security Options button before erasing and choose 1-pass erasing so that the drive is overwritten with 0s. If you are recycling a Mac, then you can stop here. No need to install macOS. Otherwise, exit Disk Utility and choose Reinstall macOS. When you finish with the reinstall, you’ll be prompted for a location or language. Stop there and turn off the Mac. This will cause this introduction screen to reappear when the new owner of the Mac first turns it on. For more information, visit Apple’s support page: https://support.apple.com/en-us/ HT201065
Private Web Browsing
I noticed that in Safari I can choose File, New Private Window. What does that mean?

The ability to privately browse the web seems like it would be an excellent security tool. Unfortunately, the name is a little misleading. Here’s what private web browsing gets you:

• Safari will not record the pages you visit in your Mac’s local history.
• Safari will not add data from forms you fill out to your Autofill database for later use.
• Safari will not show the page in your other devices, meaning you won’t be able to jump from one device to another while browsing.
• Your searches aren’t recorded in your local search history.
• Your downloads aren’t recorded in your downloads list.
• Cookies or other web browsing data saved to your local Mac will not be retained after you close the window.
• The window will be isolated from other Safari windows, so if you are logged into a website in one window, it will appear as if you are not logged in with the private window.

That’s basically it. What it essentially does is to stop recording things on your Mac about what you are looking at online. Here’s what it doesn’t do:

• Stop your ISP from logging the websites you visit.
• Stop websites from knowing who you are when you log in to their sites.
• Prevent websites from knowing your IP address, which can then be used to track you.
• Stop your employer (if you are at work) from logging which sites you visit.
• Prevent you from downloading malware.
The most useful thing about private browsing is that it allows you to log into two accounts at once. For instance, you can be logged into your primary Gmail account in your regular browser window, and then you can log into a second Gmail account in another.

It also provides you with some local privacy from others in your home. For instance, say you are shopping for a present for your spouse. You can use a private window to do this so they won’t see the pages you were looking at in the browser history. At this point, you can probably guess what else some people use private browsing for at home.

However, as a security measure, private browsing doesn’t offer much.
More Help
What if I need more help? Where can I find assistance?

What if something is wrong with your Mac, or you have a security concern and wish to get help? Apple offers excellent customer support through the Genius Bar section of its Apple Stores. The service is free. You can ask any question you like about your Mac, or bring your Mac with you for first-hand assistance. You can even schedule an appointment ahead of time so you don’t need to wait. Start at https://www.apple.com/retail/geniusbar/.

Posting at online forums like http://discussions.apple.com or http://forums.macrumors.com is another option. But diagnosing a problem online is very difficult. You wouldn’t expect your car mechanic or your doctor to be able to diagnose and fix problems that way. Computer issues are no different. An expert often has to see the problem firsthand.

If an Apple Store isn’t nearby, you can look for a computer shop or expert that handles Macs. Sometimes there are local Mac clubs that can help. Other times you need to rely on friends or family members that may know more about Macs.
More Information
What other resources are there for learning more and staying up-to-date?

Rule 3 of my Three Simple Rules is to “Stay Informed.” Here are the websites and pages I suggest you check regularly.

MacMost.com/newsletter
Subscribe to the weekly MacMost newsletter for daily tutorial videos and news.

MacMost.com/virus-and-malware
This is a page at my own site that I keep updated. In case of a real emergency, such as a major malware threat to Mac users, I would post information here.

MacRumors.com
In addition to rumors, this is probably the best site for general Mac and Apple news. If new Mac malware appears on the scene, you can bet that MacRumors will be all over it.

Snopes.com
Use this site to check any “information” you may get from your family and friends before panicking.

OnGuardOnline.gov
The FTC’s site has good warnings and information about malware and scams. Much of the malware information will apply to Windows computers, but it is still good to know.