If you own an Apple Macintosh computer and you think your machine is immune to malware, you had better think again.
In April the long-standing belief among many Mac owners that Windows-based machines are virus magnets while Macs are immune was convincingly dispelled after some 600,000 Macs — about 1 percent of Mac owners worldwide — were infected by a virus called Flashfake.
The virus installed malicious code that allowed infected computers to be remotely monitored and controlled by hackers, leaving them vulnerable to the theft of personal and banking information. And while the problem was quickly addressed by Apple, it was a clear illustration that as long as there are hackers, any operating system is vulnerable to attack.
Mac security and ways to keep your computer safe were the topics of this month’s meeting of Princeton Macintosh Users Group (PMUG) on December 11. The talk was given by PMUG President Khurt Williams, an information security compliance manager at Bristol-Myers Squibb.
PMUG holds monthly meetings on the second Tuesday of each month at 7:30 p.m. in Stuart Hall at Princeton Theological Seminary, and also holds special interest groups for beginners and intermediate Mac users before each monthly general meeting beginning at 6:30 p.m.
Upcoming meetings are Tuesday, January 8, “Digital Assets of the Library,” by Erica Bess and Janet Hauge of the Princeton Public Library; Tuesday, February 12, “Gizmos and Gadgets: a report on Consumer Electronics Show 2013,” by PMUG’s Bill Achuff; Tuesday, March 12, Dave Marra, senior engineer for Apple; Tuesday, April 9, Dave Hamilton, president and CEO of the Mac Observer and co-host of the Mac Geek Gab Podcast; and Tuesday, May 14, Bob LeVitus, well-known Mac author and columnist.
“The initial hype for the Macintosh was so great that everyone at the university who could scrape together a couple of thousand dollars signed up the first day,” says co-founder and former president Philip Thompson in a letter on the group’s website (pmug-nj.org).
But these early adopters faced problems, says Thompson. “The vendor who was handling the purchase for the university was doing a poor job of support and the (university) computer center (being primarily concerned with the operation of its IBM mainframe) was indifferent if not hostile to the needs of Macintosh users.”
It soon became obvious that a new organization would need to be created to address the problems of Macintosh users. An informal group was started, quickly evolved, and then named itself the Princeton Macintosh Users Group. Through its affiliation with the university, the group got special consideration from Apple as a conduit for support of Macs on campus.
Membership in the club costs $30 a year; $15 for students; and $5 for each additional family member.
Meanwhile, the Flashfake virus wasn’t the first time that Macs were targeted by hackers — in 2011 there was an outbreak of malware called Mac Defender, which duped its victims into thinking it was security software — but Flashfake was far more pervasive and sophisticated.
An April 6 article in the New York Times titled, “Widespread Virus Proves Macs Are No Longer Safe From Hackers,” reported that than Macs may increasingly be a target for malware attacks. “Last year’s attacks were a turning point — criminals realized they could make money targeting Apple users,” Roel Schouwenberg, a senior researcher at security software company Kaspersky Lab, told the Times. “As Apple gains more market share, it will also see more attacks.”
Also, since hackers haven’t historically targeted Apple computers due to their smaller market share, Mac owners have been lulled into a false sense of security. “The problem is that the security industry has much less visibility in Mac than Windows,” said Schouwenberg. “Mac users have been led to believe they’re safe and turned off their paranoia filter. There is a lot of easy prey out there.”
The Flashfake attack forced Apple to recognize the fact that Macs might not be any more secure than Windows-based computers. According to the Sophos Naked Security online blog (nakedsecurity.sophos.com), Apple changed its marketing message shortly after the attack.
Before Flashfake the company’s “Why You’ll Love A Mac” webpage stated: “It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part.”
Post Flashfake it said: “It’s built to be safe. Built-in defenses in OS X keep you safe from unknowingly downloading malicious software on your Mac.”
Also before the attack, the webpage claimed: “Safeguard your data. By doing nothing. With virtually no effort on your part, OS X defends against viruses and other malicious applications, or malware.” After the attacked it was changed to: “ Safety. Built right in. OS X is designed with powerful, advanced technologies that work hard to keep your Mac safe.”
In the wake of the attack, tech website Cnet.com released several tips for Mac owners to help guard their computers against malware attacks.
Get a security suite. Many Mac owners express concerns about security suites degrading the performance of their machines. According to Cnet, this belief generally comes from the way that most security programs used to bog down Windows-based computers. While the Windows suites have gotten significantly better, their Mac counterparts have never taken such a harsh collective toll on their host machines, says Cnet.
“It’s important to have a security suite on your Mac because they block the kind of automatic drive-by downloads that afflict otherwise safe websites, and if one does get through, they can warn you when it attempts to install something,” says Cnet. “Around 70 percent of the top 100 Web sites have inadvertently distributed malware. In the case of Flashback, it actually had a piece of ‘greener pastures’ code written into it that would abort the installation if it detected a security suite.”
Lockdown your administrative privileges. The default account that you create on your Mac is an administrator account, which can be exploited by hackers to infect your machine. Cnet suggests the creation of a non-admin account for daily use such as E-mail, browsing, and music and video watching, and only use the admin account when necessary.
Update your software. “Make sure that you let Software Update do its job,” says Cnet of the Mac’s built-in updater. “Programs are rarely updated on a whim, so make sure that you’ve got the latest versions because they may contain security fixes. This includes the latest security patches from software makers and Apple itself.”
Uninstall Adobe Reader if you don’t need it. “Adobe has been notoriously slow in the past about patching security holes in Reader,” says Cnet. “They’ve gotten somewhat better, but why risk it when the latest Macs can handle most PDF-reading tasks on their own.”
Cnet also recommends getting rid of Java and Flash. “If you use your Mac mostly for Web browsing, media, and document creation, and you’re a big fan of Apple’s own content-creation tools, you can probably uninstall Java and Flash without worry.”
This would mean downloading and switching to Google Chrome, which is the only browser that has Flash built-in. “Google updates Chrome regularly, and the browser has earned its reputation alongside Firefox as a safe browser that patches security problems when discovered,” says Cnet. Computer owners can disable Java by going to the Applications folder, then Utilities, and unchecking the Java version boxes under the General tab.
Take control of your passwords. Unlike Microsoft, Macs come with a password manager called Keychain. As often as possible, use “strong” passwords.
“The truth is no computer system is immune from attack,” warns PMUG. “While there are no true viruses for OS X, that doesn’t mean Macs are impenetrable. They’re still vulnerable to malware, spyware, spam, trojans, and user error.”