Defending Your Mac from Net Attacks

The Internet is a major source of threat to the health and well-being of your Macs and the network to which they are connected. You face two fundamental types of threats: viruses and hackers. Although viruses receive more media attention, it is easier to defend against viruses than against attacks from hackers. However, with some relatively simple activity, it is possible to protect yourself from either threat.

Defending Your Mac from Virus Attacks

No matter what level of computer user you are, because of the extensive media hype about viruses, you are likely to be keenly aware of them. Although many viruses are relatively harmless, some viruses can do damage to your machine. Part of practicing smart computing is understanding viruses and taking appropriate steps to protect your machine from them.

CAUTION

Under previous versions of the Mac OS, there were many fewer viruses on the Mac platform than for Windows or other operating systems. However, because Mac OS X is based on Unix, it is possible that Unix viruses will be a threat to machines running Mac OS X. Until this threat is more fully understood, Mac OS X users would do well to pay additional attention to virus threats.

Understanding the Types of Viruses

Although there are many types of individual viruses, there are two major groups of viruses of which you need to be aware:

• Application viruses These viruses are applications that do something to your computer. What they do might be as harmless as displaying a silly message, or as harmful as corrupting particular files on your hard drive.

• Macro viruses A macro virus can be created in and launched by any application that supports macros (such as the Microsoft Office applications). When you open a file that has been infected by a macro virus, that virus (the macro) runs and performs its dirty deed.

Covering the multitude of viruses that are out there is beyond the scope of this book, and besides, there is no real need to become an expert on the viruses that exist. It is more important that you understand how to protect yourself from these viruses and be able to recover from an infection should one occur.

Preventing Virus Infection

I hate to use this cliché, but when it comes to viruses, an ounce of prevention is indeed worth a pound of cure. The main way to avoid viruses is to avoid files that are likely to have viruses in them. Following are some practices to help you "stay clean":

• Find and use a good antivirus software program; keep the virus definitions for that application up to date.

• Be wary when you download files from any source, particularly e-mail. Even if an e-mail is apparently from someone you know, that doesn't mean that attachments that it contains are safe. Some users will unknowingly transmit infected files to you (especially beginning users). Some viruses can use an e-mail application to replicate themselves. Before you open any attachment, make sure that it "makes sense" given who the recipient is.

• When you do download files, download them from reputable sites, such as magazine sites or directly from a software publisher's site. These sites scan files for viruses before making them available so your chances of getting an infected file are lower. Remember the expression "Consider the source."

• After you download a file, run your antivirus software on it to make sure that it isn't infected. Most programs let you designate the folder into which you download files and will automatically check files in this folder.

Identifying Virus Infection

Even with good preventive measures, you might occasionally become infected. Hopefully, you will find out that you have been infected by being notified by your antivirus software that means it is doing its job. But if you suddenly notice that your computer is acting peculiarly, you might have become infected. What does acting peculiarly mean? Viruses can have many different effects on your computer; some of the more common effects are the following:

• Weird messages, dialog boxes, or other unexpected interface elements Sometimes viruses make themselves known by presenting something odd onscreen. So, if you suddenly see a strange dialog box, you may have stumbled across a virus (for example, one of the Word macro viruses causes a happy face to appear in Word's menu bar). They can also cause menu items to disappear or to be changed in some way.

• Loss in speed Viruses often make your computer work more slowly.

• Disappearing files Some viruses cause files to be deleted or hidden.

• Errors Many viruses will cause various errors on your computer and will prevent applications from working properly. If you haven't changed anything on your machine for a while, and you suddenly start experiencing errors, you should check your computer for a possible infection.

Using Antivirus Software

Although the best defense against viruses is being very careful about the files you transfer onto your machine, you should also obtain and use a good antivirus application. Good antivirus applications generally perform the following functions:

• Monitor activity on your computer to identify potential infection.

• Periodically scan your drives to look for infections.

• Notify you if an infection is discovered.

• Repair the infected files and eliminate the virus.

• Delete infected files if it is not possible to repair them.

• Enable you to identify particular folders that they should scan automatically, such as the folder into which you download files.

• Update themselves automatically.

NOTE

Most viruses are identified by their code. The antivirus software knows about the virus's code through its virus definition file. As new viruses appear, this virus definition file needs to be updated so that the new viruses will be recognized as being viruses. You can usually obtain an updated virus definition file from the Web site of the manufacturer of your antivirus software. Most programs automate this process and can update the virus definition at intervals that you set.

NOTE

One of the important things to look for in an antivirus program is that it can detect and repair macro viruses. Macro viruses are easy to create and spread, and some of them are quite nasty.

As with previous versions of the Mac OS, there are several major antivirus applications, which include Norton AntiVirus for Mac and Virex.

These applications provide most of the features in the previous list, and they work well. You should obtain and use one of these applications to protect your Mac against viruses and to repair your Mac should it become infected.

If you have a .Mac account, you can download a free copy of Virex. When you download and install Virex, you can keep its virus definitions current and you can access other virus resources as well.

To get more information about Virex and to download it (if you have a .Mac account), visit www.mac.com.

Defending Your Mac Against Net Hackers

If you have a broadband connection to the Internet such as a cable or DSL modem, being attacked by hackers is a much more real threat than are viruses. And with a broadband connection, you will be attacked, daily if not hourly or even more frequently. Hackers are continuously looking for machines that they can exploit, either to do damage to you or to use your machine to do damage to others (such as using your machine to launch a spam attack). Most of these attacks are carried out by applications, so that they can be both automatic and continuous.

CAUTION

Never expose a machine containing sensitive or production data to a broadband connection without protecting that machine from network attack. Doing so makes everything on such a machine vulnerable to exposure to a hacker, and the machine itself can be used to carry out attacks on other networks and machines.

There are two fundamental ways you can prevent your Mac from being hacked through your broadband Internet connection: Use a server/hub to isolate the machines on your network from the outside world or use a software firewall to protect each machine on the network from attack.

Using a Server and Firewall to Protect Your Network

You can isolate the machines on your network from attack by placing a physical barrier between them and the public Internet. You can use a Dynamic Host Configuration Protocol (DHCP) server that provides Network Address Translation (NAT) protection for your network, or you can add and use a hub that contains a more sophisticated firewall to ensure that your network can't be violated. A benefit to these devices is that you can also use them to share a single Internet connection.

To learn how to install and use a DHCP server or firewall, see Chapter 26, "Sharing an Internet Connection," p. 755.

NOTE

One of the easiest and best ways to protect machines on a local network from attack and to share an Internet connection is to install an AirPort Hardware Access Point. These devices provide NAT protection of any computers that obtain Internet service through them, and for most users, this is an adequate level of protection from hacking.

Using a Software Firewall to Protect Your Network

You can also install and use a software firewall; a software firewall prevents unexpected access to your Mac from the Internet. Software firewalls can be quite effective and might be the best solution if you have only a single Mac connected to the Internet.

CAUTION

Unlike a hardware firewall or NAT hub, a software firewall must be installed on each computer that is attached to your network.

A software firewall works by blocking access to specific ports on your Mac; these ports are linked to specific services. If hackers can access these ports on your machine, they can use them to attack your machine directly to launch attacks on other computers, servers, and networks (such as Denial-of-Service attacks, in which a system is overloaded by repeated requests from many machines).

Because Mac OS X is based on Unix, it has built-in firewall protection. You can enable this firewall to protect a Mac from Net attacks.

Only the services you allow will be permitted to access your Mac. All others will be denied. This provides more than adequate protection for most Mac users.

You can gain more specific control over the firewall if you choose to. However, configuring this firewall directly requires a fairly complete understanding of Unix and firewalls and requires more energy and time than most Mac users will care to spend on it. A better solution is to use an application that provides an interface for the firewall so that it is much easier to configure.

One such application is Brian Hill's Brickhouse.

NOTE

To download a copy of Brickhouse, go to www.versiontracker.com and search for it.

NOTE

Brickhouse is shareware; the registration fee is $25. If you use the application, you should register it by going to http://order.kagi.com/?5MG.

Using Brickhouse to protect your Mac requires two tasks: install the application and then configure it. After it is running on your machine, you can use its log feature to monitor attacks on your machine.

NOTE

Brickhouse includes documentation that provides details about how to use it. You can access this information by choosing Help, Brickhouse Help. You should refer to this help to get more detailed information about how to configure the firewall than I have room to provide here.

Install and configure Brickhouse with the following steps:

TIP

You can learn more about each service listed in the Configuration window by pointing to it and reading the information window that pops up.

Following are some other features of Brickhouse you should explore:

• Expert mode If you click the Expert button, you can use the command line to configure the firewall.

• Monitor The Monitor window displays the activity of the firewall at specific points in time so that you can assess how it is working. You can see the traffic across specific services, whether it has been allowed or denied, the amount of data transferred and so on. Using the Monitor is a good way to get familiar with what the firewall does.

• Settings You can use the Settings tool to create, use, and manage different sets of firewall configurations.

• Firewall Log You can log the activity on your firewall in order to have a record of it. This is disabled by default. To enable it, open the Firewall Log window (press +4) and click the Enable button. When you are under frequent attack, this log can become large quickly, so after you are sure that the firewall is providing the protection you need, you should disable it again.

NOTE

One of the services most used by hackers is the Network News Transfer Protocol (NNTP). If you don't use this service, you should make sure that it is disabled by Brickhouse.

After you have applied and installed the firewall configuration, its protection remains on until you disable it. The configuration you install applies to all user accounts for your Mac; in other words, this is a system-level service, not a user account level service.

The firewall configuration is stored in the directory Mac OS X/Library/StartupItems/Firewall, where Mac OS X is your Mac OS X startup volume.

You can disable the firewall by deleting this directory or by choosing Options, Remove Startup File from within Blockhouse.

You can also control the firewall directly by using the command-line interface. You can do this from within Brickhouse by choosing Options, Expert Configuration or by clicking the Expert button. In the Brickhouse window, you will be able to directly enter commands. To see how the current configuration translates into commands, click the Import Current button (see Figure 27.11). You can modify the commands directly in this window and apply them just as you would apply settings using the GUI window.

TIP

You can also configure the firewall in the Terminal application. To see the commands that are available, in the Terminal, type man ipfw.

To learn about using Unix commands, see Chapter 9, "Unix: Working with the Command Line," p. 213.