Check out the latest special “splinter” episode of the “Smashing Security” podcast – where Vanja Svajcer, Carole Theriault and I discuss Mac malware.
Do you run an anti-virus on your Mac or MacBook? Should you?
Smashing Security: 'Macs and malware'
Show notes:
- 600,000 Macs infected with Flashback trojan, 274 in Cupertino
- Flashback to the biggest Mac malware attack of all time – Is it still a threat?
- Hackers target Iranian activists’ Mac devices with revamped malware
- Microsoft Office macro malware targets Macs
- 12 security suites for Mac OS X put to the test
Hope you enjoy the show, and tell us what you think. You can follow the Smashing Security team on Bluesky.
Remember: Subscribe on iTunes to catch all of the episodes as they go live and thanks for listening!
Regarding this story, there's some interesting research which has been published, and it also touches upon your previous article [No, disabling your anti-virus software does not make security sense] and this podcast:
"The Security Impact of HTTPS Interception" *. In fact only one AV vendor did it correctly (Avast AV 11 on Windows) – the others failed.
*https://jhalderm.com/pub/papers/interception-ndss17.pdf
Another good blog post, Decoding Chrome’s HTTPS UX, can be found at:
https://noncombatant.org/2017/02/15/decoding-chromes-https-ux/
Whilst we're on the topic of browser security, there's some research that shows how easily Firefox can be fingerprinted – concerning, considering that it's the browser of choice for Tor:
https://threatpost.com/intermediate-ca-caching-could-be-used-to-fingerprint-firefox-users/123834/
Do I think Mac users need AV? Yes.
The podcast made no mention of this excellent utility, written by well-known forensic scientist Jonathan Zdziarski – he specialises in all things Apple.
"Little Flocker – Privacy, Enforced"
https://www.littleflocker.com/
For $19.99 you get protection for 5 computers, and this sits alongside your existing security software. It provides a very high level of protection, and it'd be good to hear you talk about complementary software like this, Graham, as it provides different (and somewhat better) protection than conventional AV alone.
https://www.littleflocker.com/downloads/Little%20Flocker%20User%20Guide.pdf
Thanks Bob, as always, for your thoughtful comments.
I agree that anti-virus vendors have often screwed up and fallen short of the standards we would wish for. However, I think in the main anti-virus is a positive not a negative. Would be great to see the security vendors and browser developers working more closely together to make screw-ups happen less frequently.
And yes, Jonathan Zdziarski's Little Flocker is probably well worth a look at – especially for more technically-minded Mac users.
However, I'm not sure that it would be a good fit for everyone as some users might find it difficult to determine whether they should allow an app to perform a particular behaviour or not.
Tools like Little Flocker can in theory warn of malicious behaviour that your anti-virus may miss, but it does need an operator who knows what they're doing.
I'm definitely a fan of AV, even as a technically inclined user because of the ancillary benefits.
I use a Sophos UTM appliance at home for my firewall and VPN router and have AV software on all endpoints (Kaspersky on Windows, Bitdefender on my Mac and Sophos Anti-Virus on my Linux system). I don't use AV on my BSD system.
Little Flocker is an exceptionally good piece of software which works similarly (but a little differently) to Windows EMET. There is an 'advanced' interface, but I think the 'basic' mode is good enough for most people. In 'basic' mode it learns what 'normal' activities are for you, and it doesn't require a technically savvy operator.
Incidentally, Google have found their first SHA1 collision.
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Their official site is below. They have 2 PDFs, both with identical SHA1 hashes but different content. It has now been broken in practice as well as in theory.
https://shattered.it/
Obviously this is really big news, considering how many organisations still use SHA1*.
"Consistent with Google's security disclosure policy, the source code for performing the collision attack will be published in 90 days."
https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
"Starting from version 56, released in January 2017, Chrome will consider any website protected with a SHA-1 certificate as insecure. Firefox has this feature planned for early 2017."
"Who is capable of mounting this attack?"
"This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations."
* Digital certificate signatures
* Email PGP/GPG signatures
* Software vendor signatures
* Software updates
* ISO checksums
* Backup systems
* Deduplication systems
* Git
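The first item in the list above (digital certificate signatures) is the one most organisations can actually inventory. The following script is an added example written for this page, not code from Google, Ars Technica or the commenter: it walks just enough of the DER encoding of an X.509 certificate (RFC 5280) to pull out the signatureAlgorithm OID and flags the SHA-1-based ones. It uses only the standard library. The certificate it runs on is a constructed, Certificate-shaped fixture built by `constructed_certificate`, not a real certificate, and the OID table is limited to the handful of algorithms named in the code.

```python
"""Report whether an X.509 certificate's signature algorithm relies on SHA-1.
Standard library only; a minimal DER walker reads Certificate.signatureAlgorithm
and decodes its OID. Nothing else about the certificate is validated."""
from typing import Iterator, Tuple

# Signature-algorithm OIDs built on SHA-1 (RFC 3279, RFC 4055).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# A few stronger algorithms, listed only so the report can name them.
KNOWN_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    **SHA1_SIG_OIDS,
}

def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos -> (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length

def _children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield the (tag, value) pairs packed inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = _tlv(value, pos)
        yield tag, child

def decode_oid(value: bytes) -> str:
    """OID contents: first byte is 40*arc1 + arc2, then base-128 arcs (high bit = more)."""
    arcs = [value[0] // 40, value[0] % 40]  # fine for arcs 0.x, 1.x and 2.0 to 2.39
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _tlv(der, 0)
    parts = list(_children(cert))
    if tag != 0x30 or len(parts) != 3 or parts[1][0] != 0x30:
        raise ValueError("not a Certificate SEQUENCE with three members")
    alg_tag, alg_value = next(_children(parts[1][1]))  # AlgorithmIdentifier.algorithm
    if alg_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(alg_value)

def check_certificate(der: bytes) -> Tuple[str, str, bool]:
    """Return (oid, algorithm name, uses_sha1) for a DER-encoded certificate."""
    oid = signature_algorithm_oid(der)
    return oid, KNOWN_SIG_OIDS.get(oid, "unknown"), oid in SHA1_SIG_OIDS

# --- CONSTRUCTED fixture: a Certificate-shaped blob, not a real certificate ---
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def constructed_certificate(sig_oid: str) -> bytes:
    """Dummy tbsCertificate padded past 255 bytes (exercises long-form lengths),
    a real AlgorithmIdentifier for sig_oid, and an all-zero signature BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"\x00" * 300))
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 33)
    return _der(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_certificate(constructed_certificate(oid)))
```

To run this over real certificates, base64-decode the body of each PEM file and pass the bytes to `check_certificate`; the parser reads only the outer three members, so it is indifferent to whatever extensions the tbsCertificate carries. Note that a root certificate signed with SHA-1 is not itself a problem (its signature is never checked, the trust comes from the store), which is why a report like this should be read alongside the chain position of each certificate.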
Hi Graham. Which AV do you recommend for Mac? Thank you!
Have a look at the results from the independent tests. Below are the top four products, in no particular order:
AVG (100%)
Bitdefender (100%)
SentinelOne (100%)
Sophos Home (100%)
Visit the website below and click on the horizontal bar chart entitled "12 MacOS Sierra products in the detection test".
https://www.av-test.org/en/news/news-single-view/strong-protection-for-macos-sierra-12-packages-put-to-the-test/