macOS Security Essentials

On any computer, there are two things we need to monitor and regulate in order to maintain basic security:

  • Network Access
  • File-system Access

Network Access

We want to know what external resources our apps are connecting to when they “phone home.” We need to be able to prevent or allow such connections at our discretion. We should also be able to prohibit an application from accepting incoming connections.

In short, we don’t want any of our applications passing information out without our approval, and we certainly don’t want our applications receiving instructions from a hostile Internet.

Little Snitch dialogue

Little Snitch, from Objective Development Software GmbH, has been around for a long time now. A cornerstone of the Mac security ecosystem, it has handled our network monitoring for over a decade, and with good reason: it’s reliable, stable and does exactly what it says on the tin.

“Whenever an application attempts to connect to a server on the Internet, Little Snitch shows a connection alert, allowing you to decide whether to allow or deny the connection. Your decision gets stored as a rule which Little Snitch will automatically apply to future, similar connection attempts from the same application.”

File Access

Out of the box, macOS gives us almost zero visibility of the file access operations on our computers. Sure, we can choose where to write and what to name the files we create and we can browse the file-system to locate a file to open. But what about the countless file transactions that our operating system and applications perform behind the scenes? What about that piece of malware we just unknowingly downloaded, the one that’s silently encrypting our precious files while we look at cat pictures on the Internet?

Little Flocker dialogue

Little Flocker is a recent addition to the macOS security arsenal. Its author is Jonathan Ździarski, a well-known security expert (particularly with regard to iOS). Little Flocker, in Ździarski’s own words, is “like a firewall for your file system: It allows you to control access to your personal files and prevent unauthorized access by potentially malicious or snooping applications.”

“Little Flocker protects your files by integrating with the operating system on a low (kernel) level, and has capabilities higher than root, making it effective against a number of types of root kits and malware.”

In addition to network and file-system activity, there are a couple of other attack vectors we should monitor carefully:

Persistent Application Installations

Malware works best when it installs itself in a manner that allows it to be persistent (that is: it will re-spawn if terminated, and will run automatically upon a restart or cold boot). After all, what is the use of a rogue program if it only runs once?

Therefore, it behoves us to monitor those locations where persistent applications get a foothold, for example: the LaunchAgents and LaunchDaemons folders.

Block Block dialogue

Patrick Wardle’s BlockBlock does just that.

“Once installed, BlockBlock will begin running and will be automatically started any time you restart your computer, thus providing continual protection. If anything installs a persistent piece of software, BlockBlock will display an informative alert.”

“If you do not trust the process or persisted component, simply click the ‘Block’ button to remove, or block, the installed component. Of course, if the process and component are legitimate (e.g. trusted OS or 3rd-party software), clicking ‘Allow’ will instruct BlockBlock to take no action. Click the ‘remember’ checkbox to tell BlockBlock to automatically re-perform the same action (block or allow) for the same event, until the next reboot.”
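As an added illustration (not BlockBlock’s code, nor anything from this article), the following Python script shows what “monitoring those locations” amounts to: it parses the launchd property lists in the LaunchAgents and LaunchDaemons folders, reports what each job runs and whether it is set to start at boot (RunAtLoad) or respawn when killed (KeepAlive), and lists entries that a recorded baseline did not contain. The embedded sample plist is constructed, and the watched directory list is an assumption.

```python
import plistlib
from pathlib import Path

# launchd keys behind the two properties the article uses to define persistence:
# RunAtLoad starts the job at boot/login, KeepAlive respawns it if it exits.
PERSISTENCE_KEYS = ("RunAtLoad", "KeepAlive")

# Assumed locations to watch (user agents, system agents, system daemons).
WATCHED_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Constructed sample plist, used only so the example runs offline.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sample</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/sample</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

def describe_job(plist_bytes: bytes) -> dict:
    """Summarise one launchd job: what it runs and how it persists."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    return {
        "label": job.get("Label"),
        "program": job.get("Program") or (args[0] if args else None),
        # KeepAlive may be a bool or a dict of conditions; any truthy value means "respawn"
        "persistence": [k for k in PERSISTENCE_KEYS if job.get(k)],
    }

def scan_dirs(dirs) -> dict:
    """Map each .plist path under the given folders to its summary."""
    found = {}
    for d in dirs:
        for p in sorted(Path(d).glob("*.plist")):
            try:
                found[str(p)] = describe_job(p.read_bytes())
            except Exception as exc:  # a malformed plist is still worth surfacing
                found[str(p)] = {"error": repr(exc)}
    return found

def new_jobs(baseline: dict, current: dict) -> list:
    """Paths present now that the recorded baseline did not contain."""
    return sorted(set(current) - set(baseline))
```

Run scan_dirs(WATCHED_DIRS) once to record a baseline, keep the result, and compare later runs with new_jobs to see what has gained a foothold since.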

Webcam and Microphone Access

Laptop computers have had integrated webcams and microphones for years now. These are fantastic peripherals to have available and make it possible for us to FaceTime or Skype our friends and family, amongst other things.

But, think about it, they also mean we have potentially bugged our own homes and offices. If a bad actor can surreptitiously turn on the microphone or camera, then she has unrestricted access to just about everything we say or do. That’s a scary thought.

Our webcams generally have interlocked LED indicators that tell us when the camera is active [1], but our microphones have nothing.

OverSight microphone active notification

Once again it is Patrick Wardle who comes to our rescue, with his free-of-charge OverSight application. OverSight monitors microphone and camera usage and produces actionable notifications of their activity, letting us allow or block the process that is using them.

Uniquely, OverSight is clever enough to recognise when a rogue process hijacks a legitimate camera stream (for example, when the NSA records your video chat with your mother).

There’s No Magic Bullet

While this collection of software can assist us in protecting our Macs from attack, we have to remember that the landscape of computer and network security is multi-faceted and complex. No single package or process can guarantee the integrity of our machines. We must remain ever vigilant and cautious, along with exercising good opsec procedures. Never blindly trust security software: the bad guys know about these tools too, and they work around the clock to bypass them.

  1. iSeeYou: Disabling the MacBook Webcam Indicator LED