Lock down your Mac with system and networking monitoring tools


Any malware powerful enough to overcome the defenses that Apple built to resist incursions may also be powerful enough to hide its traces. That’s not quite an axiom of security, but it’s generally true. If an attacker of any sort creates software designed to attack your system quietly, it typically tries to prevent security software and any other kind of inspection from noticing.

That’s very, very hard, and any exploit that’s sufficiently good at being entirely invisible is likely also good enough for a hacker to sell for a million dollars, with the advantage that the sale is probably legal in most places, and thus better than distributing malware that steals financial credentials or holds files for ransom. (I am not a lawyer, and that’s not legal advice.)

Such exploits, once discovered, are fixed at high priority by operating system makers, which sometimes leaves them only short windows of utility. The more widely an exploit is used, the less likely it is to remain available.

Unless you’re a highly valuable targeted individual, it’s more likely that what you’d see is malware that doesn’t hide its traces that well because most people aren’t set up to look for it. This can be especially true in macOS and iOS. Most macOS users don’t run software capable of spotting malicious behavior; they rely on Apple. iOS can’t run anti-malware or other monitoring software at all. And Apple has stayed on top of the biggest risks to iOS as they’ve been discovered, whether as zero-days (found in the wild before being patched) or ahead of widespread use.

Because Apple doesn’t lock down macOS as tightly as iOS, macOS is more vulnerable to less-severe assaults. To forestall a large category of attacks, Apple added a powerful baseline feature starting in OS X El Capitan (10.11): System Integrity Protection (SIP), which locks down major directories associated with macOS and Apple’s preinstalled apps.

Little Flocker

Little Flocker lets you know when an app is trying to modify files. If it’s an app you don’t recognize, and it wants to access every user file you have, that could be ransomware, and this could help you stop it in its tracks.

But there’s a lot of havoc that can be wrought without accessing files in those paths, and while SIP appears well designed, it’s absolutely a target of hackers. To my knowledge, it hasn’t been broken through yet, but that never means it can’t be.
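As an added example (not the column's own code), here is a small POSIX shell audit for the two facts the SIP discussion above rests on: that SIP is enabled, and that the directories it protects still carry the BSD `restricted` flag. It assumes the wording of `csrutil status` and the field layout of `ls -ldO` on macOS; the parsing functions take that text as input so they can be exercised with constructed output on any system.

```shell
#!/bin/sh
# Added example, not the column's own code: audit that SIP is on and that the
# directories it is meant to protect still carry the BSD "restricted" flag.
# On macOS the facts come from `csrutil status` and `ls -ldO <path>` (assumed
# output formats); the parsers take that text as input so they can be run with
# constructed output on any system.

# Return 0 only when `csrutil status` text reports SIP fully enabled.
sip_enabled() {
    # Expected line: "System Integrity Protection status: enabled."
    # Anything else (disabled, or a custom configuration) counts as not enabled.
    printf '%s\n' "$1" | grep -q 'status: enabled\.$'
}

# Return 0 when one `ls -ldO` line lists the "restricted" flag.
path_is_restricted() {
    # Example line: "drwxr-xr-x@ 8 root wheel restricted 256 Jan  1  2020 /System"
    # With -O the flags column (field 5) sits between group and size; "-" = none.
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        *,restricted,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Given multi-line `ls -ldO` output, print each path that is NOT restricted.
# Exit 0 only when every listed path is restricted.
unprotected_paths() {
    printf '%s\n' "$1" | awk '
        NF >= 9 {
            n = split($5, f, ","); r = 0
            for (i = 1; i <= n; i++) if (f[i] == "restricted") r = 1
            if (!r) { print $NF; bad = 1 }
        }
        END { if (bad) exit 1 }'
}

# On a real Mac, `sh sip_audit.sh --live` runs the checks against the system.
if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
    status=$(csrutil status 2>&1)
    if sip_enabled "$status"; then echo "SIP: enabled"; else echo "SIP: NOT fully enabled"; fi
    listing=$(ls -ldO /System /usr /bin /sbin 2>/dev/null)
    if unprotected_paths "$listing"; then echo "All checked paths are restricted"; fi
fi
```

A path printed by `unprotected_paths` (for example `/usr/local`, which SIP deliberately leaves writable) is expected; a SIP-covered path such as `/System` showing up there is worth investigating.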

This column is another entry in my series of how to deal with security as if you woke up and were a dissident in your own country. Assuming the unlimited resources of a government agency or security apparatus, any vulnerability that can be found will be, and it will be used as skillfully as possible for as long as possible. Protecting against such vulnerabilities helps you fight malware as well as government-led attacks.

Multi-pronged resistance

In the olden days, I used to run firewall software, anti-virus software, and some other protective extensions. OS X was young, and there had been malware for System 7, 8, and 9. However, Apple had a very small percentage of the market share, and hadn’t built OS X to allow its email software to execute code. Security through obscurity worked.
