Security from Malware and Intruders

CNET staff

If you turn on your computer's firewall, you will often be prompted when launching an application to either allow or deny that application access to the Internet. You may also wonder exactly why an application such as Microsoft Excel or Apple's Numbers would need Web access. In most cases this is for support features, such as help documentation, Microsoft's .NET, and the new iWork.com collaboration features from Apple, but there is no way of knowing that from the prompt the user gets.

With all the Internet connectivity and multi-user capability of operating systems these days, many people are concerned about exactly who and what has access to their systems. Recently, Windows users had an alert with the Conficker malware, and Mac computers were used in the first known botnet for this platform. In addition to malware from hackers and small mischievous groups, people may also be concerned about information being gathered by companies and government agencies.

In referencing this Wired magazine article on FBI Spyware, MacFixIt reader "Ron Norman" writes:

"I saw this at 'Wired' and would like your thoughts on how to block this intrusive program:

Documents: FBI Spyware Has Been Snaring Extortionists, Hackers for Years

As first reported by Wired.com, the software, called a 'computer and Internet protocol address verifier,' or CIPAV, is designed to infiltrate a target's computer and gather a wide range of information, which it secretly sends to an FBI server in eastern Virginia. The FBI's use of the spyware surfaced in 2007 when the bureau used it to track e-mailed bomb threats against a Washington state high school to a 15-year-old student.

But the documents released Thursday under the Freedom of Information Act show the FBI has quietly obtained court authorization to deploy the CIPAV in a wide variety of cases, ranging from major hacker investigations, to someone posing as an FBI agent online. Shortly after its launch, the program became so popular with federal law enforcement that Justice Department lawyers in Washington warned that overuse of the novel technique could result in its electronic evidence being thrown out of court in some cases."

There are several trains of thought around the notion of companies and government having software send information to them (even if it's not personal information): enthusiastic cooperation (anyone?), reluctant cooperation, and defiance. Let's assume for the sake of this article that you and maybe a couple of others out there are of the third "defiance" mindset and would prefer the information on your system be kept private and not be running programs like CIPAV.

Some people assume that if they turn on the built-in firewall, their computers are safe from spyware. This is not true. Most firewalls are built to prevent an outside intruder from accessing your machine or local network, and as such are designed to block incoming connections, but if your computer is already hacked (for example, if there's spyware on it), there's not much a firewall can do to stop it sending data out. Advances in firewalls and alternative approaches such as OS X's application firewall tackle this problem to some extent, but do not monitor all outgoing traffic.

Despite the limitations of firewalls, they do serve their purpose well and we recommend you always keep one enabled on your computer as well as on the local network (most routers are firewall-enabled). In addition to a firewall, however, we recommend you install Little Snitch, which is a firewall for the reverse direction. If you have applications on your computer that want to "phone home," Little Snitch prevents them from doing so without your explicit permission. Since so many applications access the Internet or local network (updates, time corrections, help files, online storage, game servers, etc.), running Little Snitch can result in more warning messages and notifications than you care to see (Windows Vista, anyone?), but if set up correctly, it should give a robust and largely notification-less computing experience.
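The per-application, outbound-only policy that Little Snitch enforces can be modelled in a few dozen lines. The following is an added example written for this article, not Little Snitch's own code or configuration: each connection attempt is matched against explicit rules keyed on application path, destination host pattern and port, and anything without a matching rule is held for the user to decide rather than allowed silently. The application paths, hosts and rules are constructed for the demonstration.

```python
"""Outbound-connection policy checker.

Added example, not Little Snitch's code: it models the "reverse firewall"
idea from the article. Each application that tries to open a network
connection is matched against explicit per-application rules; an attempt
with no matching rule is held for the user to decide ("ask") instead of
being allowed silently. Application paths, hosts and rules below are all
constructed for the demonstration.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional


@dataclass(frozen=True)
class Attempt:
    app: str    # path of the process opening the connection
    host: str   # destination host name or address
    port: int   # destination port


@dataclass(frozen=True)
class Rule:
    app: str              # exact process path the rule applies to
    host: str             # glob pattern such as "*.microsoft.com"; "*" = any host
    port: Optional[int]   # None = any port
    action: str           # "allow" or "deny"

    def matches(self, a: Attempt) -> bool:
        return (self.app == a.app
                and fnmatch(a.host, self.host)
                and (self.port is None or self.port == a.port))


class OutboundPolicy:
    """First matching rule wins; unknown connections are held and logged."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.log: List[str] = []   # denied and held attempts, for later review

    def decide(self, a: Attempt) -> str:
        for r in self.rules:
            if r.matches(a):
                if r.action == "deny":
                    self.log.append(f"DENY {a.app} -> {a.host}:{a.port}")
                return r.action
        # No rule covers this attempt: hold it and ask, so a new "phone home"
        # is never let through just because nobody wrote a rule for it.
        self.log.append(f"ASK  {a.app} -> {a.host}:{a.port}")
        return "ask"

    def remember(self, a: Attempt, action: str) -> None:
        """Persist the user's answer to a prompt as a rule for that exact
        app/host/port, so the same question is not asked again."""
        self.rules.append(Rule(a.app, a.host, a.port, action))


# Constructed rule set: a browser may use the web ports anywhere, a
# spreadsheet may reach only its vendor's help/update servers over HTTPS,
# and everything else the spreadsheet tries is denied outright.
SAFARI = "/Applications/Safari.app"
EXCEL = "/Applications/Microsoft Excel.app"
RULES = [
    Rule(SAFARI, "*", 443, "allow"),
    Rule(SAFARI, "*", 80, "allow"),
    Rule(EXCEL, "*.microsoft.com", 443, "allow"),
    Rule(EXCEL, "*", None, "deny"),   # broad deny goes after the specific allow
]


def run_demo() -> List[str]:
    """Run a few constructed attempts through the policy; returns decisions."""
    policy = OutboundPolicy(RULES)
    unknown = Attempt("/Users/me/Downloads/free_game", "stats.example.net", 443)
    attempts = [
        Attempt(SAFARI, "www.cnet.com", 443),
        Attempt(EXCEL, "office.microsoft.com", 443),
        Attempt(EXCEL, "203.0.113.10", 8080),   # spreadsheet talking elsewhere
        Attempt(SAFARI, "www.cnet.com", 8080),  # browser on an unusual port
        unknown,
    ]
    decisions = [policy.decide(a) for a in attempts]
    policy.remember(unknown, "deny")             # the user answered the prompt
    decisions.append(policy.decide(unknown))
    return decisions


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The order of rules matters: the specific allow for Excel's vendor servers sits above the catch-all deny, which is why the spreadsheet can fetch help documentation while any other destination it tries is refused. The "ask" outcome and the retained log are what turn an unexpected outbound connection into something you see instead of something that happens quietly.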

In addition to filters and firewall solutions, one easy way to keep data safe is to encrypt it. Apple offers options to create up to 256-bit AES encrypted disk images using Disk Utility, which are great ways to encapsulate documents. This does not prevent a program from accessing the document when you have the disk image mounted; however, if you keep all your documents in these disk images and unmount them when you are done with your work, you will not have to worry about anyone else accessing them. Just be sure to not save the disk image's password in your keychain. Read our article on securing files in single-user environments for more information on disk images.

So what's the best way to protect your system? This may sound like a cheap and easy (if not obvious) way out, but avoidance is your best bet. If you don't want to get mugged, don't walk down dark alleys at night. Likewise, avoidance is probably the best way to protect your computer. We don't mean put your computer on a shelf and never use it (though for some people that may be the best advice in the world), rather, since most malware gets distributed through deception and software piracy, the best advice we can give is for you, the user, to avoid these situations. Anytime you stumble across seedy Web sites that offer easy money, pornographic content, and pirated software, close them down. Many browsers, including the Safari 4 beta, have built-in phishing filters, but do not rely on these to be correct 100 percent of the time.

If you or family members regularly use peer-to-peer (P2P) downloading services, understand that many of the files available through these services have resided (at least in part) on someone else's personal computer and could be infected. Additionally, hackers actively take advantage of P2P networks to distribute malware disguised as or embedded in other software that people may wish to pirate. This was seen earlier this year with pirated versions of iWork and Adobe CS4 containing Trojans in them. As such, if you have multiple users on your computer, consider giving them managed accounts where they cannot install software, and do not install any software (even seemingly legitimate software titles) unless you have either an official installation disk or a disk image from the developer's Web site.

For cases where avoidance measures have lapsed and you suspect malware is present, a robust antivirus scanner can help. Since Mac OS X does not (yet?) have an abundance of malware, we do not see the need to keep a scanner on and active at all times; however, keeping a regularly updated one on the system and performing regular scans of your drive should be adequate to detect malware. If you download files regularly, even from reputable sources, consider scanning the download folder more frequently, or even having it scanned as soon as a new file arrives. This includes scanning the home folders of other users on your system. Everyone you ask will have a preference for the "best" antivirus software, but some to consider are ClamXav, Sophos, and Avast, in addition to Symantec Norton AV. Also be sure to install antivirus software in your Boot Camp and virtualization environments. One popular Windows antivirus in addition to those listed is McAfee VirusScan.
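The scheduling side of the advice above, scanning the download folder and other users' home folders for files that are new since the last pass and isolating anything flagged, is shown in the following added example. It is not ClamXav's or any other vendor's code; the `signature_scan` function is a stand-in that matches one constructed byte marker, and in a real setup you would call the installed scanner's command-line tool from the same place. All file names and contents are constructed in a temporary directory.

```python
"""Incremental download-folder scan with quarantine.

Added example, not ClamXav's or any vendor's code: it shows the scheduling
side of what the article suggests, scanning the download folder (and other
users' home folders) for files that are new or changed since the last
sweep, and moving anything flagged into a quarantine folder. The
`signature_scan` function is a stand-in that matches one constructed byte
marker; in practice you would call the installed scanner's command-line
tool from the same place. All file names and contents are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Constructed demo "signature"; real engines use their own signature databases.
DEMO_SIGNATURES = {b"DEMO-TROJAN-MARKER": "Demo.Trojan.Marker"}


def signature_scan(path: Path) -> Optional[str]:
    """Return a detection name if a known marker is present, else None."""
    data = path.read_bytes()
    for marker, name in DEMO_SIGNATURES.items():
        if marker in data:
            return name
    return None


class FolderScanner:
    def __init__(self, scan: Callable[[Path], Optional[str]], quarantine: Path):
        self.scan = scan
        self.quarantine = quarantine
        # path -> (size, mtime_ns) of files already scanned; a file is rescanned
        # only if either changes, so repeated sweeps stay cheap.
        self.seen: Dict[str, Tuple[int, int]] = {}

    def sweep(self, folders: List[Path]) -> List[Tuple[str, str]]:
        """Scan new/changed files under `folders`; returns (path, verdict)."""
        findings: List[Tuple[str, str]] = []
        for folder in folders:
            for root, dirs, files in os.walk(folder):
                # Never descend into the quarantine folder itself.
                dirs[:] = [d for d in dirs if Path(root, d) != self.quarantine]
                for name in files:
                    path = Path(root, name)
                    try:
                        st = path.stat()
                    except OSError:
                        continue            # vanished mid-sweep
                    key = (st.st_size, st.st_mtime_ns)
                    if self.seen.get(str(path)) == key:
                        continue            # unchanged since last sweep
                    self.seen[str(path)] = key
                    verdict = self.scan(path)
                    if verdict:
                        self._quarantine(path)
                        findings.append((str(path), verdict))
        return findings

    def _quarantine(self, path: Path) -> Path:
        """Move the file out of the way under a name that records its hash."""
        self.quarantine.mkdir(parents=True, exist_ok=True)
        digest = hashlib.sha256(path.read_bytes()).hexdigest()[:16]
        dest = self.quarantine / f"{path.name}.{digest}.quarantined"
        shutil.move(str(path), str(dest))
        return dest


def run_demo() -> Dict[str, int]:
    """Build a constructed Downloads tree in a temp dir and run three sweeps."""
    base = Path(tempfile.mkdtemp(prefix="scan_demo_"))
    downloads, other_home = base / "Downloads", base / "OtherUser"
    downloads.mkdir()
    other_home.mkdir()
    (downloads / "notes.txt").write_bytes(b"nothing suspicious here")
    (downloads / "installer.dmg").write_bytes(b"header DEMO-TROJAN-MARKER tail")
    (other_home / "cracked.zip").write_bytes(b"DEMO-TROJAN-MARKER")

    scanner = FolderScanner(signature_scan, base / "Quarantine")
    first = scanner.sweep([downloads, other_home])
    second = scanner.sweep([downloads, other_home])   # nothing new: no rescans
    (downloads / "new_download.bin").write_bytes(b"xx DEMO-TROJAN-MARKER")
    third = scanner.sweep([downloads, other_home])    # only the new file is scanned
    return {
        "first_sweep_hits": len(first),
        "second_sweep_hits": len(second),
        "third_sweep_hits": len(third),
        "quarantined": len(list((base / "Quarantine").iterdir())),
        "clean_left_in_place": int((downloads / "notes.txt").exists()),
    }


if __name__ == "__main__":
    print(run_demo())
```

Tracking size and modification time per path is what makes a frequent sweep affordable: a second pass over an unchanged folder scans nothing, so the interval can be short enough that a freshly downloaded file is checked within moments of arriving. The quarantine name carries a truncated SHA-256 of the file so the original can still be identified and, if the verdict was wrong, restored.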

If you suspect you've been hacked or have malware on your system, the solution is very simple: unplug it. Keep it off the Internet and scan it or take it to a service center to have a technician test it out for malware. Even with programs such as Little Snitch, your safest route is to cut the physical connection any malware may use to send information. In some cases malware can easily be deleted, but in the future this may not be the case. And for the super paranoid, you might consider first ensuring that your data is backed up, then formatting the drive and starting over.

Items and resources for managing malware:

  • iServices Trojan Removal T...
  • DNSchanger Removal Tool
  • SecureMac
  • MacForensicsLab
  • Apple: Mac OS X Security

Comments? Questions? Let us know: http://www.macfixit.com/contact