Month: May 2017

  • I don’t need Anti-Virus on my Mac…Right?

    Wrong – on so many levels. 

    Since my article yesterday about protecting your stuff, a few people have asked me about Anti-Virus (AV) protection for their Apple Macs. The general assumption out there seems to be that you don’t need AV protection on a Mac. I think this is wrong.

    It’s true there are far fewer malware and virus packages targeted at OSX – and because of this the probability of you getting hit by such a thing is far lower. But probability isn’t protection, is it?

    Apple themselves used to claim that the Mac ‘doesn’t get PC viruses’ and told owners they could ‘safeguard your data’, ‘by doing nothing’. They quietly dropped this claim in 2011/2012 following the outbreak of the Flashback Trojan on OSX.

    So if you have a Mac, and you’re not running any form of AV... you’re protected by the lower volume of targeted malware out there, and that’s it. You’re playing the probability game.

    The other thing to consider is that for some strange cultish reason people who like OSX/MacOS (to be clear, I’m a big, big fan) seem to think it’s a fully secure operating system, and often compare it to Windows. Usually in a facetious ‘lol Windows’ sort of way. 

    Here’s the thing though – MacOS mostly fares worse than Windows when it comes to hacking and security testing. Read that again – it’s true. Didn’t expect that, did you?

    Time and time again MacOS has come out badly on InfoSec & hacking tests.

    So as I say – no virus protection, you’re playing the game of numbers rather than offering any real protection.

    The other element to consider is that of being a good net-citizen. What do I mean by this? Well, if you’re not careful you could find yourself passing along virus and malware code that, while it couldn’t infect your MacOS machine, could of course infect the Windows machine of someone you happen to send stuff to – via email, for example.

    So how do I protect my stuff? From a scenario point of view I have a couple of MacOS laptops, and a main big-spec iMac that is the centre of my digital life. Each one of those units also runs Windows in Parallels, i.e. virtualised. So how do I protect my environment?

    As per the previous article, I start at the basic level and then work up to some more specific stuff that is probably more due to my paranoia than any great technical need – so let’s work through them.

    Don’t do stupid

    This is probably the core to all of your security really. Don’t do daft things like download hooky software, or click on links in suspicious emails. That last one is an interesting one – when I get emails saying ‘login to your account’ for example, I never do it from the email links, I always go directly to the website myself.

    There’s also other core stuff to do, including:

    Encrypting your hard disk (Encryption – it’s for everyone)

    Use a password manager (Why don’t more people use password managers?)

    Protecting Core MacOS/OSX

    There are various anti-virus/malware products out there for OSX. There’s a decent review of the products here at Tom’s Guide:

    Best Antivirus Software and Apps 2017

    Personally, I use BitDefender. Quite pleased that my own pick of the products out there comes top of the list at Tom’s Guide too! Anyways, it’s a great product – works well and is not intrusive.

    There are various other products out there – another common one is ClamXAV, for example.

    Protecting my Windows Machines

    I run a number of Windows machines in Parallels. Windows comes with its own anti-virus built in – something called Windows Defender. I will say that Windows Defender never seems to fare very well in most testing scenarios. It is of course far better than nothing.

    If your core OSX platform is protected by a good product like BitDefender, it’s arguable that Windows Defender would suffice in your Windows machines. Personally, I don’t believe in ‘average’ security. You may have spotted this. So... in my Windows machines I use the AVG product. I only use the free one in Windows now rather than the subscription model, mainly as my core MacOS platforms are so well protected.

    UPDATED: I no longer use AVG – after issues getting it installed and working with my account, I gave up. Interaction with tech support was terrible. I now use Bitdefender in Windows as well.

    For most people, the above would be enough to provide a decent level of protection. There are however additional things you can do. This is perhaps where I start moving into the area that’s beyond most people’s requirements. I work in IT, and am constantly on people’s systems – so protecting me and them is absolutely critical to my day job.

    So, some of the extra stuff I do.

    LittleSnitch for OSX

    While MacOS has a decent in-built firewall, it doesn’t tell you an awful lot about what your machine is up to in terms of network connections. Who are you connecting to right now? You probably have no idea. Anyways, this is where LittleSnitch steps in. You can read a bit more about it here:

    Little Snitch keeps an eye on your Mac’s Internet connections

    It essentially allows you to view exactly what your Mac is connecting to, and to allow or block each outbound connection.

    Sandboxed Machines

    Using virtualisation it’s pretty easy to build new machines – whether MacOS or Windows. In view of this, I have some sandboxed machines for each of the common OS environments I use. What’s a sandbox? Well, it’s an isolated machine that you can use to test stuff on, so anything dodgy stays in there rather than on the machine you actually work from.

    I have some MacOS and Windows sandbox environments that I use for testing stuff in.

    Summary

    Protecting your environment is key to protecting your data. It’s also part of being a good net-citizen really. Don’t risk your stuff – and don’t risk mine either.

  • Protect your stuff!

    Haven’t blogged for a while. I’ve been busy with the day job, doing some properly interesting stuff. Without boring you all to tears, I’ve moved back from being constantly in a sales/pre-sales environment and gone back to actually doing stuff. It’s what I enjoy, it’s what I’m good at – I think... and it produces defined, actual outcomes. Mac is in a happy place.

    Anyways, that’s not the point of this blog. I’m sure by now you’re all sick to death reading about the recent ransomware attack. Now, in the press it was all about the NHS – the UK’s National Health Service for my overseas readers. FREE DOCTORS for my American friends. The actual scope of the attack was far wider of course – lots and lots of people got hit by it.

    I’m not going to delve into that attack too much – like I say, you’re probably sick of hearing about it – but I did have an interesting conversation about how to protect your stuff against such things. It set me thinking about how I protect my data.

    I’ll be honest and say I’m quite paranoid about my data. Why? Well, I’ve experienced losing some important things – think photos and some videos. Stuff you cannot reproduce. It’s utterly gutting. Some stuff would just be a pain in the backside to lose – but you can reproduce it. Documents and the like. Others – irreplaceable. 

    This paranoia has led me to have a really robust backup system – I think. So I thought I’d share my thoughts on how you make your stuff resilient to such attacks.

    There’s more to protecting your data than just having a copy of it – you need to protect against corruption too, regardless of whether that corruption is accidental or malicious. The malicious bit may take some explaining – let’s say for example you have a week’s worth of backups of your stuff. Now, you get infected by some pesky ransomware that slowly sits in the background encrypting your data... and in week three pops up the dreaded ‘Give us ONE MEEEELION DOLLAARS’ for your data. You’re utterly stuffed. The infection is outside your backup window – every copy in your backups will already have been hit by that crappy malware.

    Now I’m not going to preach to you about how to protect your stuff, but I thought some of you may find it interesting to see how *I* protect my data.

    For perspective, my typical active data is about 50 GB of work stuff, and about 200 GB of personal video/photos etc. I generate, on average, about 1 GB of work data a month (email and documents), and around 5 GB of personal stuff. I will point out that I archive and keep everything, however, so your data production will likely be lower. Personally, storage is cheaper than my time spent going through deleting emails I will never need. I just keep everything.

    If you’re not very techy, or don’t have the inclination, I’ve ordered the list below by importance and by how easy each thing is to do.

    So, how do I do stuff? See below. Just to be clear – before I get a kicking in the comments – there are other things you need to do: anti-virus, keeping updates... updated, etc. I’m specifically talking about how I handle backups.

    Automate your backups

    Firstly, and a really, really important point: make your backups automatic. Why? Well, stuff that takes effort does not get done as often as it should. Also, it’s an effort. You have to do stuff. Both Windows and Mac OSX can fully automate backups for you:

    Apple Mac OS TimeMachine

    Windows 10 Backup

    I will honestly say that Apple’s TimeMachine absolutely knocks the socks off Microsoft in this area. You set up TimeMachine, and it backs up every hour for you. That’s it. You never need to do anything else. Windows – sure, you can do it, but it seems a lot more involved.

    Anyway, make a point of making it automatic and you’ll *always* have backups of stuff. If I had one single recommendation, this would be it.

    Backup Media

    I have two backup media sets of 20 TB (Yer, I know – you probably won’t need anything like that) that I swap out once a month. What do I mean? Well, imagine in my setup that TimeMachine backs up my main machine every hour, on the hour, to that backup set. Let’s call it SetA. At the end of the month, I physically disconnect that backup set and stick it in a drawer – don’t panic... we’ll get to offsite in a minute – and then I connect another drive called ‘SetB’.

    Why? Well, it does numerous things: it protects against a failure of my backup drive(s), it lengthens my backup window, and the longer history it gives you will protect against such ransomware encryption attacks. Perhaps not totally – more on that in a second.

    So how could you use this? Well, 2 TB drives are cheap. Let’s imagine you have a reasonable amount of data that a 2 TB drive could accommodate – buy two, and on the 1st of the month swap them over. Stick the other one in a drawer. If you want to be really fancy then stick it in a drawer at your office.

    Offsite Backups

    Due to where I live, I’m blessed with a very good internet connection. I use this to back up all of my stuff to an online service. Now, I use BackBlaze. It’s on my main machine, and it just sits there uploading my stuff to the BackBlaze service. OMG THEY’VE GOT ALL YOUR DATA! Calm your boots. I encrypt everything. Not the subject of this blog, but if anyone’s interested I’m happy to write about how I protect my own data when it hits the cloud. Let me know in the comments and I’ll sort something.

    I’ve the best part of a couple of TB up in BackBlaze now and it works really well. It also keeps an archive of up to 30 days for each file, so you have an archival history of each file backed up too. It’s a good service. NOTE: With any backup service, make sure you test restoring!

    Point-In-Time Backups

    The other thing I do is take snapshot, or point-in-time, backups. What do I mean by this? Well, in addition to the automated stuff above – the regular TimeMachine backups, and the backup to BackBlaze – I also take ZIP (well, RAR, but people know what ZIP is) backups of my changed data, usually weekly. I put these into a folder that:

    • Gets backed up to BackBlaze
    • Gets backed up to my normal hard disk regular backups

    Why do I do this? Well, simply to give me a point-in-time roll-back, i.e. I can go back and find all of my photos/documents etc. as they were at a particular date. WAIT. Isn’t this covered above in the offsite/auto stuff? Well, yes, it is, but it enables one more thing...
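    As an added example (not the blog author’s own script), here is a small POSIX shell version of that weekly point-in-time snapshot: it archives only the files changed since the previous run, stamps the archive with the date, and records a SHA-256 so the archive can be checked before you rely on it for a restore. It assumes hypothetical SRC and DEST directories, and uses tar.gz in place of the ZIP/RAR the post mentions.

```shell
#!/bin/sh
# Added example, not from the post. Weekly point-in-time archive of changed files.
# Assumptions: SRC/DEST are hypothetical paths; tar.gz stands in for ZIP/RAR.
set -eu

# Portable SHA-256 of a file: Linux ships sha256sum, macOS ships shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# snapshot_changed SRC DEST: archive files in SRC newer than DEST/.last_snapshot
# into a date-stamped tar.gz in DEST, record its SHA-256, advance the marker,
# and print the archive path (prints nothing when there is nothing new).
snapshot_changed() {
    src="$1"; mkdir -p "$2"; dest=$(cd "$2" && pwd)   # absolute, survives the cd below
    marker="$dest/.last_snapshot"
    # Touch the new marker *before* scanning, so files changed while the
    # archive is being written are picked up by the next run instead of lost.
    touch "$marker.next"
    if [ -f "$marker" ]; then
        changed=$(cd "$src" && find . -type f -newer "$marker")
    else
        changed=$(cd "$src" && find . -type f)   # first run: everything is "changed"
    fi
    if [ -z "$changed" ]; then
        mv "$marker.next" "$marker"; return 0    # nothing to archive this week
    fi
    archive="$dest/snapshot-$(date +%Y-%m-%dT%H%M%S).tar.gz"
    printf '%s\n' "$changed" | (cd "$src" && tar -czf "$archive" -T -)
    sha256_of "$archive" > "$archive.sha256"
    mv "$marker.next" "$marker"
    printf '%s\n' "$archive"
}

# verify_snapshot ARCHIVE: fail unless the recorded checksum still matches
# and the archive lists cleanly. Run this on the copy you intend to restore from.
verify_snapshot() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ] || return 1
    tar -tzf "$1" >/dev/null
}
```

    The resulting dated archives are exactly the kind of thing to copy into a folder that is backed up elsewhere but never synchronised back to any of your machines.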

    Non-Synchronised Offsite Backups

    This bit is key to protecting against ransomware. What I do is take those point-in-time backups above, and put them somewhere that isn’t synchronised to any of my machines. Think about this. I have a backup archive dated, say, 1st May 2017. I put it in a folder in DropBox that is *only* in DropBox. It’s not synchronised to any of my machines. How could any ransomware possibly encrypt that and block my access? It can’t, is the answer.

    It’s an incredibly simple thing to do. On DropBox, for example, you can do selective synchronisation. I create a folder on DropBox, and ensure it isn’t synchronised to any of my kit – all using that selective synchronisation. If you’ve already uploaded the stuff you can use the DropBox web site to copy it to the folder too – you don’t need to upload it twice. This is important, as if you’ve got a ton of data up there you don’t want to be uploading it again.

    So what does this give me? Well, it gives me a copy of all my stuff that my end-points (i.e. PCs, Macs etc.) can’t access to encrypt. It’s a simple solution to a complex issue.

    Summary

    Protecting your stuff shouldn’t be that hard, and it shouldn’t take very much technical know-how really. It would utterly break my heart to lose some of the photos, videos and content that I have – stuff that isn’t reproducible. So, with some effort, I do my best to avoid that happening. As a side-result of that I protect other, reproducible, stuff in the same way... I don’t like having to re-do stuff.

    Anyways, it’s an interesting subject. As data-sets get bigger this is going to become more challenging, not less. I’m sure technology will keep up however.