• Status: Solved
  • Priority: Medium
  • Security: Public

Securing an iMac from remote access / "hackers" - Advice required.

We have a user very concerned that his iMac has had its security breached. The particular user is a bit upset so it’s not easy to get clear information from him and he does give us inconsistent information and some which are red herrings from his own research.

We have taken some steps to secure his system such as changing his passwords, ensuring that remote access things like screen sharing and VNC are turned off. The user themselves has been clicking on various things in a panic to secure things and has for example used FileVault to encrypt the data.

From what we can see at present there are no signs of remote access and we are sure that we have now secured it by taking the obvious precautions such as those listed above.
But are there any other steps we should be taking to ensure the Mac is secure? Any input appreciated in advance. Want to ensure we are turning over every stone.
0
Asked: IT Man200
 
Zephyr ICT, Cloud Architect, Commented:
Off the top of my head (if not done already):

- Check logs on Mac (e.g. syslog)
- Monitor in and outgoing network/Internet traffic (great tool for the paranoid and not so paranoid)
- Change passwords of all Internet accounts (mail, Facebook, Twitter, etc...)
- Check if Firewall is enabled

I'll see if I can come up with more ... What's the Mac OS version?
0
 
strung Commented:
Little Snitch as suggested by spravtek is great. You could also download free antivirus software like Avast https://www.avast.com/free-mac-security and run a scan.
0
 
matrix8086 Commented:
If the computer has been hacked and it already has spyware (for example), FileVault is not helping! The purpose of FileVault is to assure the confidentiality of the information in case of theft. FileVault encrypts access to the information on the HDD, so the information cannot be read if you do not provide a FileVault password at computer boot, even if someone removes the HDD and attaches it to another computer.

So, if there is spyware, as long as the FileVault password was provided, the spyware is running without any restriction, along with the rest of the applications.

You can see if the computer was hacked by looking in Activity Monitor, searching for strange processes which otherwise should not run. You can also see the hacking/virus/etc. if you monitor the computer's network traffic.

As a sysadmin I saw (and I am seeing) a lot of cases of paranoia among users. When I am sure that it is just paranoia, I ask them to show me real proof that they are right. :)

Best regards!
0

 
serialband Commented:
There aren't many viruses that run on OSX yet.   Browsers are the main vectors of attack now with Cross Site scripting, insecure plugins and general browser security failures.

The main thing you need to scan for on a Mac is a rootkit, just as you would on any linux/unix system.  Many of the script rootkits can run and compile on OS X, but may be imperfect.

http://www.maketecheasier.com/check-for-rootkits-on-linux-bsd-and-osx/
http://www.chkrootkit.org/
http://www.rootkit.nl/projects/rootkit_hunter.html

The other way to find trojans or rootkits on a Mac or any linux/unix system is to search for "hidden" files.  Those are things you have always been able to do on your own with the built-in find command.

Find all "hidden" files with a dot(.) as a first character, followed by a space and one or more additional characters.  Most linux script kiddie files are "hidden" in this manner.
find / -name ". ?*"

Find all "hidden" files with 2 dots(.) followed by one or more characters.
find / -name "..?*"


After the user has turned off all sharing, he can open Terminal and check for open network ports by running:
netstat -a -p tcp | egrep 'LISTEN'

He can also run the built-in Network Utility (search for it in Spotlight) and do a port scan on his own system.  Enter 127.0.0.1 and scan all ports between 1 and 65535 to see if something is open and running.  The ports returned here should match the listening ports from the netstat command.

Once you've identified open ports, you can open Terminal and use lsof to identify running programs associated with open ports.
lsof -i tcp

Don't be alarmed by the results of lsof.  Many programs connect to the internet or network and just sit there listening for activity.  The system process launchd just listens to everything and directs traffic to the correct programs.

There's plenty more you can do if you know some basic linux/unix commands.

The vast majority of viruses and trojans still only work on Windows.  There are currently only a handful of known ones that specifically target a Mac, but that will increase as more people use Macs.  Virus scanners for the Unix/Linux/Mac still mainly detect Windows viruses to prevent them from spreading to Windows users.  Windows is still the largest OS market out there.
0
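The netstat and lsof steps in the answer above can be cross-checked against each other. The script below is an added example, not part of serialband's answer: it parses the two outputs (using the numeric flags `-n` and `-nP` so ports are not turned into service names) and lists any listening port that lsof attributes to no process. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: which listening TCP ports have no owning process in lsof?
# On the Mac, capture real input with (lsof needs root to see every process):
#   netstat -an -p tcp        and        sudo lsof -nP -iTCP -sTCP:LISTEN

# Constructed sample output, not taken from any real machine.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  *.50505                *.*                    LISTEN
tcp4       0      0  192.168.1.10.52344     192.0.2.15.443         ESTABLISHED'

LSOF_SAMPLE='COMMAND PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
launchd   1 root 21u  IPv4   0x1a      0t0  TCP *:22 (LISTEN)
cupsd   312 root  5u  IPv4   0x1b      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd   312 root  6u  IPv6   0x1c      0t0  TCP [::1]:631 (LISTEN)'

# stdin: netstat text. stdout: unique listening port numbers.
# macOS netstat writes the local address as addr.port, so keep what follows the last dot.
netstat_ports() {
    awk '$NF == "LISTEN" { p = $4; sub(/.*\./, "", p); print p }' | sort -un
}

# stdin: lsof text. stdout: "port command pid" per listening process.
lsof_owners() {
    awk '$NF == "(LISTEN)" { p = $(NF-1); sub(/.*:/, "", p); print p, $1, $2 }' |
        sort -n | uniq
}

# $1: netstat text, $2: lsof text. stdout: ports listening with no owner listed.
unowned_ports() {
    owned=$(printf '%s\n' "$2" | lsof_owners | awk '{ print $1 }')
    for p in $(printf '%s\n' "$1" | netstat_ports); do
        printf '%s\n' "$owned" | grep -qx "$p" || echo "$p"
    done
}

echo "Listeners and their owners:"
printf '%s\n' "$LSOF_SAMPLE" | lsof_owners
echo "Listening ports with no owning process:"
unowned_ports "$NETSTAT_SAMPLE" "$LSOF_SAMPLE"
```

A port in the last list is only meaningful when lsof was run with sudo; without root, lsof shows the current user's sockets only and every system listener would appear unowned.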
 
David Anders, Technician, Commented:
Adware is how most people notice anomalies on their Mac.
AdwareMedic deals with the most common ones in the wild.
http://www.adwaremedic.com/index.php
Suggesting he read the articles about Mac infection may ease his concern.
http://www.thesafemac.com/mmg/
0
 
David Anders, Technician, Commented:
Oh, and installing the myWOT add-in in all his browsers and demonstrating its protection may help.
https://www.mywot.com/
0
 
IT Man200 (Author) Commented:
This is great input. I will update on this soon.
The client is also paranoid that his SMS text messages are being monitored. He has an iPhone 6 and while my original reaction was that they would not be, not being familiar with iPhone / Apple myself, I have seen it when the text messages appear on say an iPad or something and the text messages are also synchronised.

I did learn that he does have two factor authentication enabled on his Apple account.
0
Question has a verified solution.
