New Mac - Preparing to go online (safely)

[Hoff]

I just got my first Mac. 15" MBP. Will be taking it to public wi-fi to do my work.

What do I need to do, or what should I do, to keep it safe before I start surfing the web?
(so no bad stuff gets installed, or nothing sends my private files to somewhere online, or my banking details don't get taken, etc).

Other than try not to surf bad websites...

Should I use a firewall? If so, which one? Was considering Little Snitch, until I heard it might make us more vulnerable. In Windows I had ESET. Was nice to see whenever a program tried to connect to the internet, that I didn't want to. I could block it from connecting. Is there a good one for the Mac?

Or an adblocker? Is that useful? Which one?

Or something else?

Appreciate any hints. Thanks

 

[hobowankenobi]

You don't really need a third party firewall. The OS has one built in...inside the Security and Privacy area in System Preferences.

You can use one if you like to monitor such things, but honestly 99% of Macs ever run don't use 3rd party firewalls. But most folks don't even know what to look for regarding outbound traffic...so would be of little use.

Outbound traffic is rarely a threat anyway; if something bad is leaving your Mac, the horse is already out of the barn. If you want to see and tweak beyond what Apple gives you, something like Murus might be worth a look; the free version does inbound, and the paid version adds features including outbound as I recall.

Little snitch has been well liked for over a decade, maybe two. Have not used it in years...found it to be useful but too naggy. Radio Silence looks better/easier to use, but have never used it.

To secure your machine, try to live without running Flash and Java (two of the most common attack vectors) and consider running from a standard (non-admin) account at least when on public wifi. Malware Bytes (the free version you have to run manually) is handy to have for nuisance adware/malware.

May be overkill, but there are a few options out there for those that end up on high threat wifi. Sophos Home might be worth considering.

 

[Spoon!]

Just get a VPN and connect to it as soon as you connect to the public WiFi. It’ll encrypt your traffic so nobody can snoop on you. I recommend either NordVPN or ExpressVPN ... with ExpressVPN having the simpler interface (it’s basically a big connect button). NordVPN has something called CyberSec built in that automatically filters baddies out of the connection. Everything else is just overkill, IMO.

 

[jtara]

None of what you mentioned is very helpful. And it's simply not possible to be 100% secure, because you do not have physical control of the local network.

First thing is to use a VPN connection.

Ideally, a VPN to your home, where hopefully you have a fast, symmetrical Internet connection.

Something like Netgate/pfSense. You can make do with VPN software installed on your consumer router running OpenWrt or AsusWrt-Merlin.

Maybe some VPN on one of the cloud services. I dunno, haven't looked into this very much, since I work from home and have no need or interest working from a coffee shop or need to work from client sites, etc.

If you can't/won't do that, use a VPN provider, but accept that they might have a horrible security breach. I have an OpenVPN subscription that I got as a toy to access BBC iPlayer from the U.S., but I use that from home, and VPN to home Asus router/Webpass 1gbit symmetrical connection from iOS and on the rare chance that I might take my ancient 2008 Aluminum Macbook out of the house.

Best advice for browsing the web from a coffee shop: don't. If you have to, it's better in a VM, using a tiny throwaway Linux. (Keep a virgin handy.)
[doublepost=1544349288][/doublepost]

To secure your machine, try to live without running Flash and Java

There's nothing wrong with Java. And there's plenty of desktop Java software that needs it, particularly many of the backup programs. If you happen to do Android development, you can't avoid Java.

It's Java browser plugins that you need to avoid. Just don't. Java plugins were way kewl in 1997. I remember that. "Wow, the little triangle is waving at us!" Web sites could draw things with a Java plugin. Today they can draw things without a Java plugin, and without a Flash plugin.

 

[Spoon!]

Seriously just use a VPN. Nothing can ever be 100% safe, but that’s true for anything, but a VPN should fit your needs most of the time. All the crazy measures the first poster suggested will just end up making you paranoid. If you’re doing something super sensitive, then just wait until you’re at home if it brings you peace of mind.

 

[Hoff]

Thanks everybody. I probably should have broken this into two threads - one about keeping the Mac safe online in general, and another thread about VPN from cafe. Excellent ideas so far for both.

For firewall, I mainly want to stop programs from phoning home. An "Adaptive firewall" that asks me for permission if no rule has been set. Does the Mac's native firewall do that? (Murus or Radio Silence look to be good options for that)

Also want to block malicious content on websites I might happen to be browsing.

My ESET Smart Security on Windows does that - when browsing a website, it pops up a window saying "ESET Blocked such and such" (in my words, potentially malicious) thing on that page. So if I'm on a site with bad content, it recognizes and blocks it.

Here's a screen shot I found online of it doing that. Couldn't get ESET to do it right now myself.
Is there something like this for Mac? Or we just don't even need it? Thanks



[doublepost=1544370827][/doublepost]Also, basically, before I put my Mac on wi-fi and check email, do banking, surf news sites with potentially dodgy ads, etc from home, do I need to install or do anything? Or just turn on native firewall and go for it?

 

[hobowankenobi]

There's nothing wrong with Java.

It may not be the threat that it used to be, but for the average user that does not need it, it would still be wise to not to install Java....as with all third party tools that have any potential as possible avenue of attack, plus yet another thing to keep patched. More info for OP.

OP: If you stick with Chrome as your browser, Flash is included and kept patched, so as long as you keep Chrome patched, one less thing to watch and keep track of.

No: Native firewall is not going to do what you are describing. It is a traditional firewall that blocks ports or unneeded services.

AVG for Mac seems to be lightweight tool with some live content blocking. I used it and it seems to work without being a resource hog, but can't say how well it blocks live malicious content. It has warned a few times, so it does seem to have some value.

Lots of paid tools to choose from, including ESET.


Question:

VPN would always be the first choice. But for those without, I do wonder if it would be worth using a trusted DNS provider when on public wifi, like OpenDNS or Cloudflare. Any thoughts folks?

 

[Hoff]

OP: If you stick with Chrome as your browser, Flash is included and kept patched, so as long as you keep Chrome patched, one less thing to watch and keep track of.

Good info, but not a fan of Chrome. I could be persuaded though. On windows, it was phoning home even when it wasn't running. Perfect example of why I want an "adaptive firewall." To be aware of and put a stop to such shenanigans.

 

[ginhb]

When using a VPN for everything, online banking, investment accounts and other financial transactions, I guess we have to hope the VPN service we're using and it's employees are completely honest. How do we really know what's going on behind the scenes on their servers. Rogue employees sometimes end up in the news by doing something very unscrupulous.

Most say don't use a free VPN service, and I don't, I use a paid service. Still, we're putting a lot of trust in them. I guess you have to put your trust in somebody, right? Even your ISP and/or the browser you use.

 

[Hoff]

When using a VPN for everything, online banking, investment accounts and other financial transactions, I guess we have to hope the VPN service we're using and it's employees are completely honest. How do we really know what's going on behind the scenes on their servers. Rogue employees sometimes end up in the news by doing something very unscrupulous.

Most say don't use a free VPN service, and I don't, I use a paid service. Still, we're putting a lot of trust in them. I guess you have to put your trust in somebody, right? Even your ISP and/or the browser you use.

Agree. Ideally, I would set up my own VPN to my home internet connection. But that is well beyond my knowledge and skill level. So would look for a 'most reputable as possible' paid vpn service until then, and limit my most sensitive web surfing to my phone in public or home wifi.

(I'm assuming my phone's connection to my wireless provider is the safest connection in public, is that accurate?)

If it is, would using something like a USB cellular connection be the safest bet for my laptop? Something like this from Verizon?

 

[ginhb]

Based on what I've read in the past, I would use my cellular connection if needed for online banking or similar activities when away from home, if I had no way to use a VPN connection. It's supposed to be secure.

At the risk of drifting more off topic, here's what worries me the most about security and personal information. I mentioned VPN services, we extend a lot of trust to those companies simply by installing their client software onto our personal computers.

That in itself may be fine, but there's still the chance of dishonest employees or subcontractors. Imagine one of them adds some extra code to the latest version of their VPN client software. And the extra code sets up a key-logger on your computer when you install it, sending the data to any place on the internet he chooses. That's like a nightmare.

I don't know how the Mac OS would monitor that kind of outbound activity. Maybe it does, I just don't know. I wonder how difficult key-loggers are to detect.

There will always be risks from something or someone, it's impossible to avoid all risk unless you stay offline completely. To work online you have to extend your trust to some of these companies or individuals, even though it's almost like a leap of faith.

 

[Hoff]

Hey guys. I might make a separate thread about Public wi-fi safety. For now I'm focusing on using my new Mac online at home.

In Windows, I felt I had to install Anti-Virus before I went online, even at home. To be relatively safe.

I've turned on the firewall in System Preferences -> Security and Privacy. Is there anything else for the Mac I should install or set up before I go online?

Thanks

 

[hobowankenobi]

Based on what I've read in the past, I would use my cellular connection if needed for online banking or similar activities when away from home, if I had no way to use a VPN connection. It's supposed to be secure.

At the risk of drifting more off topic, here's what worries me the most about security and personal information. I mentioned VPN services, we extend a lot of trust to those companies simply by installing their client software onto our personal computers.

That in itself may be fine, but there's still the chance of dishonest employees or subcontractors. Imagine one of them adds some extra code to the latest version of their VPN client software. And the extra code sets up a key-logger on your computer when you install it, sending the data to any place on the internet he chooses. That's like a nightmare.

I don't know how the Mac OS would monitor that kind of outbound activity. Maybe it does, I just don't know. I wonder how difficult key-loggers are to detect.

There will always be risks from something or someone, it's impossible to avoid all risk unless you stay offline completely. To work online you have to extend your trust to some of these companies or individuals, even though it's almost like a leap of faith.

Agreed. A VPN you can't trust...could be worse than no VPN.

 

[Hoff]

Agreed. A VPN you can't trust...could be worse than no VPN.

What if it's a VPN you make yourself, back to your home internet connection?

 

[hobowankenobi]

Hey guys. I might make a separate thread about Public wi-fi safety. For now I'm focusing on using my new Mac online at home.

In Windows, I felt I had to install Anti-Virus before I went online, even at home. To be relatively safe.

I've turned on the firewall in System Preferences -> Security and Privacy. Is there anything else for the Mac I should install or set up before I go online?

Thanks

Nope...assuming you have a decent router with NAT and a reasonable firewall running.

You will likely get other answers, but behind reasonable routers, millions of Macs surf with no AV and likely no firewall active with no issues every day for more than a decade. Dive in.
[doublepost=1544421710][/doublepost]

Agreed. A VPN you can't trust...could be worse than no VPN.

Good question. I am not wise enough to say that one can 100% secure a public wifi connection via a VPN...or any other way. I am conservative, and would never do anything using a password that could be sniffed. Surf? OK. Bank? Nope.

Perhaps other can give a better answer.

 

[Hoff]

Nope...assuming you have a decent router with NAT and a reasonable firewall running.

You will likely get other answers, but behind reasonable routers, millions of Macs surf with no AV and likely no firewall active with no issues every day for more than a decade. Dive in.

Ok. Awesome. Thanks.
Is it likely, if I got a router in the last year, that it is for sure NAT? How do I tell?

Also, when you say "reasonable firewall running" do you mean the basic one that comes with the Mac in System Preferences -> Security & Privacy -> Firewall ?

 

[hobowankenobi]

Ok. Awesome. Thanks.
Is it likely, if I got a router in the last year, that it is for sure NAT? How do I tell?

Also, when you say "reasonable firewall running" do you mean the basic one that comes with the Mac in System Preferences -> Security & Privacy -> Firewall ?

Yes, all modern routers (that I have seen) use NAT in their standard config.

Yes, the default MacOS Firewall does a good job of blocking inbound threats like most traditional firewalls do, by closing unwanted/uneeded ports. Be sure to peak at the advanced tab and check out your options.

 

[SuppleCoffee]

Just throwing this in here. I had setup an OpenVPN server on a raspberry pi at home and it seemed to work alright. I only did a bit of testing from the iPhone but haven't really found myself using public Wi-Fi.

You could also run pi-hole on that same pi and see all the different DNS requests your device is issuing and block accordingly. It's not a firewall but just another level of security.

 

[Hoff]

Nope...assuming you have a decent router with NAT and a reasonable firewall running.

Can you look at my router's firewall settings please? Which one should I pick?
Low, Medium, or High?

And should "Respond to Ping" be on or off?

 

[SuppleCoffee]

You definitely don't want to go with low or medium. High looks pretty standard, but I personally wouldn't allow some things like telnet or ftp. Shouldn't matter though since it would have to be a computer within your LAN that would initiate the connection.

I'm guessing the "respond to ping" is a respond to pings coming from the WAN. Usually it's disabled by default. The idea is you don't want someone with a group of computers pinging your network to death so your router will do it's best to drop pings as they come. But with the firewall on High it's showing you can ICMP out so you can still do the class ping to 8.8.8.8 to check if your internet is up.

 

[hobowankenobi]

High looks to be a standard config, and fairly safe: blocking ALL incoming traffic, while allowing all (listed) outgoing traffic. Fairly standard stateful firewall that blocks connections initiated from the internet (WAN).

Best to disable "Respond to ping". No need for it, unless you plan to test remote connections from outside your network.

And don't forget, this is the perimeter for all devices, including phones or TVs or other wifi gear. You can always crank up settings on the Mac beyond this too.....to block services you don't need or want.

 

[Hoff]

You definitely don't want to go with low or medium. High looks pretty standard, but I personally wouldn't allow some things like telnet or ftp.

High looks to be a standard config, and fairly safe: blocking ALL incoming traffic, while allowing all (listed) outgoing traffic. Fairly standard stateful firewall that blocks connections initiated from the internet (WAN).

Best to disable "Respond to ping". No need for it, unless you plan to test remote connections from outside your network.

That is very helpful. Really appreciate it!
I've set it to High and disabled Respond to Ping. Thank you.
[doublepost=1544625863][/doublepost]Last router question.

How should I set the options on the "Remote Access" page?
Someone else had said "Disable WAN (Internet Side) Remote Access" (for higher safety)

I have 4 different use cases.
Currently doing #1 & #2. Planning to do #3. May do #4.

1) for just surfing the web from inside the home network
2) VPN'ing into another company's private system (for work from home) Not sure if any of these settings will block that.
3) VPN'ing into my home internet connection from public wifi (to be safer)
4) connect remotely to my home network to do something like - access a render farm at home from my laptop on the road

(I'm not sure if 'connect remotely' is the correct technical term for #4, but hopefully you know what I mean by it)