Securing an iMac from remote access / "hackers" - Advice required.

We have a user very concerned that his iMac has had its security breached. The particular user is a bit upset, so it's not easy to get clear information from him, and he does give us inconsistent information, some of which is red herrings from his own research.

We have taken some steps to secure his system, such as changing his passwords and ensuring that remote access features like screen sharing and VNC are turned off. The user himself has been clicking on various things in a panic to secure things and has, for example, used FileVault to encrypt the data.

From what we can see at present there are no signs of remote access, and we are sure that we have now secured it by taking the obvious precautions such as those listed above.
But are there any other steps we should be taking to ensure the Mac is secure? Any input appreciated in advance. Want to ensure we are turning over every stone.
IT Man200 Asked:
Zephyr ICT, Cloud Architect, Commented:
Off the top of my head (if not done already):

- Check logs on Mac (e.g: syslog)
- Monitor in and outgoing network/Internet traffic (great tool for the paranoid and not so paranoid)
- Change passwords of all Internet accounts (mail, Facebook, Twitter, etc...)
- Check if Firewall is enabled

I'll see if I can come up with more ... What's the Mac OS version?
Little Snitch as suggested by spravtek is great. You could also download free antivirus software like Avast and run a scan.
If the computer has been hacked and already has spyware on it (for example), FileVault is not helping! The purpose of FileVault is to assure the confidentiality of the information in case of a theft. FileVault encrypts access to the HDD information, so the information cannot be read if you do not provide a FileVault password at computer boot, even if someone removes the HDD and attaches it to another computer.

So, if there is spyware, as long as the FileVault password was provided, the spyware is running without any restriction, along with the rest of the applications.

You can see if the computer was hacked by looking in Activity Monitor, searching for strange processes which should not be running. You can also see the hacking/virus/etc. if you monitor the computer's network traffic.

As a sysadmin I saw (and am still seeing) a lot of cases of paranoia among users. When I am sure that it is just paranoia, I ask them to show me real proof that they are right. :)

Best regards!
There aren't many viruses that run on OS X yet. Browsers are the main vectors of attack now, with cross-site scripting, insecure plugins and general browser security failures.

The main thing you need to scan for on a Mac is a rootkit, just as you would on any Linux/Unix system. Many of the script rootkits can run and compile on OS X, but may be imperfect.

The other way to find trojans or rootkits on a Mac or any Linux/Unix system is to search for "hidden" files. That is something you have always been able to do on your own with the built-in find command.

Find all "hidden" files with a dot (.) as the first character, followed by a space and one or more additional characters. Most Linux script kiddie files are "hidden" in this manner.
find / -name ". ?*"

Find all "hidden" files with 2 dots(.) followed by one or more characters.
find / -name "..?*"

After the user has turned off all sharing, he can open Terminal and check for open network ports by running:
netstat -a -p tcp | egrep 'LISTEN'

He can also run the built-in Network Utility (search for it in Spotlight) and do a port scan on his own system. Enter and scan all ports between 1 and 65535 to see if something is open and running. The ports returned here should match the listening ports from the netstat command.

Once you've identified open ports, you can open Terminal and use lsof to identify running programs associated with open ports.
lsof -i tcp

Don't be alarmed by the results of lsof. Many programs connect to the internet or network and just sit there listening for activity. The system process launchd just listens to everything and directs traffic to the correct programs.

There's plenty more you can do if you know some basic Linux/Unix commands.

The vast majority of viruses and trojans still only work on Windows.  There are currently only a handful of known ones that specifically target a Mac, but that will increase as more people use Macs.  Virus scanners for the Unix/Linux/Mac still mainly detect Windows viruses to prevent them from spreading to Windows users.  Windows is still the largest OS market out there.
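The checks in the answer above (hidden "dot space" / "dot dot" names, listening TCP ports, and the owning process via lsof) wrapped into a small triage script. This is an added example, not code from the thread; it assumes macOS/BSD netstat and lsof for the port check, and the hidden-name scan runs on any Unix-like system against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the original thread). Wraps the three checks from
# the answer above so a helpdesk tech can run them repeatably on a Mac.

# Print paths whose base name matches the classic rootkit hiding patterns:
# a dot followed by a space ('. foo') or two dots followed by text ('..foo').
# Ordinary dotfiles such as '.bashrc' do NOT match either pattern.
# Usage: find_hidden_names DIR
find_hidden_names() {
    find "$1" \( -name '. ?*' -o -name '..?*' \) 2>/dev/null | sort
}

# Number of suspicious names under DIR (always exits 0 so it can be used
# from a monitoring job that alerts on a nonzero count).
count_hidden_names() {
    find_hidden_names "$1" | grep -c . || true
}

# TCP listeners from netstat, then the same sockets with their owning PID and
# command from lsof; the two lists should agree, as the answer points out.
# Assumes macOS/BSD flag syntax (-p tcp), not GNU net-tools.
list_listeners() {
    netstat -an -p tcp | grep LISTEN
    lsof -nP -iTCP -sTCP:LISTEN
}

# Demo on a constructed temp tree (no real filesystem paths are scanned):
# one legitimate dotfile, one '. ' directory and one '..' directory.
demo() {
    t="$(mktemp -d)"
    mkdir -p "$t/normal/.hidden_ok" "$t/. suspicious" "$t/..also_suspicious"
    touch "$t/normal/.bashrc" "$t/. suspicious/payload.txt"
    echo "suspicious names:"
    find_hidden_names "$t"          # lists the two constructed directories
    echo "count: $(count_hidden_names "$t")"   # 2
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run the script with `--demo` to see the scan on the constructed tree, or call `find_hidden_names /` and `list_listeners` directly on the machine being checked (the latter needs sudo to see other users' processes in lsof).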

David Anders, Technician, Commented:
Adware is how most people notice anomalies on their Mac.
AdwareMedic deals with the most common ones in the wild.
Suggesting he read the articles about Mac infection may ease his concern.
David Anders, Technician, Commented:
Oh, and installing the myWOT add-in in all his browsers and demonstrating its protection may help.
IT Man200, Author, Commented:
This is great input. I will update on this soon.
The client is also paranoid that his SMS text messages are being monitored. He has an iPhone 6, and while my original reaction was that they would not be, not being familiar with iPhone / Apple myself, I have seen cases where the text messages appear on, say, an iPad and are also synchronised there.

I did learn that he does have two factor authentication enabled on his Apple account.