
  2. 7

    Go to System Preferences > Security & Privacy > Privacy > Camera/Microphone and remove any app you don’t want to have access to the camera or microphone, if any.

    If you need apps to access the camera/microphone (e.g. for web conferencing), it can be useful to install Micro Snitch:

    https://www.obdev.at/products/microsnitch/index.html

    This is from the developers of Little Snitch and warns you visually if an application accesses the microphone or camera.

      1. 1

        I don’t have any controls for Camera/Microphone, on High Sierra. Do you know if that’s a Mojave thing?

        1. 2

          Could be, I definitely have them on Mojave.

          Edit: indeed seems to be Mojave-only: https://www.cnet.com/how-to/stop-apps-from-accessing-your-macs-camera-and-microphone/

      2. 4

        Go to System Preferences > Network > Advanced > DNS, add two entries to DNS Servers for 1.1.1.1 and 1.0.0.1 and remove any other server

        Try doing this on any network that I maintain and you’ll find your DNS queries are being dropped. Allowing outbound traffic to any DNS server is not recommended. Well, allowing unrestricted outbound traffic is not recommended. It’s 2018. Don’t trust anyone or any device. Only allow out the traffic you need out.

        1. 2

          Honestly I think it’s bad advice just to tell people to “hey use this DNS server instead” anyway. It actually doesn’t protect your privacy by doing so, because anyone with tcpdump on a host between you and that DNS server can still record what you are looking up.

          1. 2

            If you want privacy you should probably be using a VPN on foreign networks.

            Restrictive networks need to become the new norm now. Allowing strangers on your network to spew DNS is asking for problems because this is the type of crap that infected machines do. I don’t need to permit infected gear on my networks sending thousands of pps of DNS traffic all because some people might have taken bad advice and hardcoded DNS servers on their workstations/laptops. Catering to people taking bad advice on the internet should no longer be acceptable.

            Sane traffic allowed out:

            • HTTP
            • HTTPS
            • IPSEC
            • OpenVPN

            Nothing else. You use the internal NTP, DNS servers (which do use dnscrypt for their upstream), etc.

            1. 4

              If you want privacy you should probably be using a VPN on foreign networks.

              This is also advice we need to be careful with, because it’s usually really difficult to tell whether public VPN services are run by bad actors or not. You can never remove the need to trust a network altogether with a VPN, you just shift that need onto a different network. The average VPN user likely does not realise that.

              Restrictive networks need to become the new norm now.

              There is a time and a place for restrictive networks.

              1. 2

                Nothing else? What about SSH? SMTPS? IMAPS and POP3S? Are you suggesting that checking your email should be disallowed on most networks?

                1. 1

                  Yes. None of those legacy mail protocols support 2FA and are frequently attacked by botnets because it helps evade IP rate limits while still executing their dictionary attacks.

                  End users don’t need SSH. Those that do should be smart enough to have a VPN.

                2. 1

                  So infected machines tunnel over HTTP(S). Now you are relying on an HTTP-specific firewall?

                  1. 1

                    That’s fine. They can be infected and backdoored, but they won’t be spewing thousands of PPS of UDP and it’s very easy to deal with bad actors attempting to spam SYNs. It’s rather hard to DDOS TCP in comparison.

                    1. 1

                      Set up two DNS servers; one inside the firewall, the other outside. Firewall rules only permit DNS traffic between the inside and outside DNS servers. Intranet nodes can only query the inside DNS. Internet nodes can only spam the outside DNS.

                      Blacklist IPs that spam the outside DNS. If DDoS is active, only serve requests from the Intranet, rely on the cache. Alternatively, only accept requests/responses from whitelisted DNS servers.
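
                      The following is an added example, not posted by anyone in this thread: a pf.conf in the FreeBSD/macOS dialect (the pre-OpenBSD 4.7 `nat ... ->` syntax that macOS ships) for a small gateway that enforces both the "sane traffic allowed out" list from earlier in the thread (HTTP, HTTPS, IPsec, OpenVPN; DNS and NTP only to internal servers) and the two-resolver layout described just above (intranet to inside resolver only, inside resolver to outside resolver only, Internet to outside resolver only, with abusers of the outside resolver blacklisted). Interface names, addresses, the upstream resolver list and the rate limits are hypothetical placeholders chosen for the example.

```pf
# Added example for this thread (not from any poster). FreeBSD/macOS pf dialect.
# Interface names, addresses, upstream list and limits are hypothetical.

ext_if  = "em0"            # Internet
int_if  = "em1"            # client LAN
srv_if  = "em2"            # internal services segment
dmz_if  = "em3"            # outside-facing services
lan_net = "10.0.0.0/24"
dns_in  = "10.0.1.53"      # inside caching resolver, on $srv_if
ntp_in  = "10.0.1.123"     # inside NTP server, on $srv_if
dns_out = "203.0.113.53"   # outside resolver, on $dmz_if; the only DNS the Internet can reach

table <dns_upstream> { 1.1.1.1, 1.0.0.1 }   # resolvers the outside resolver may forward to
table <dns_abusers>  persist                 # populated by the overload rule below

set skip on lo0
set block-policy drop
scrub in all

# NAT for the client LAN. Translation happens before filtering, so the
# "pass out on $ext_if" rules below must match the translated source, ($ext_if).
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Default deny, logged, in every direction: each pass below is an explicit
# exception. Every flow needs a "pass in" on its ingress interface and a
# "pass out" on its egress interface, each keeping state for the replies.
block log all

# Internet -> outside resolver only
block in quick on $ext_if from <dns_abusers>
# TCP sources opening connections too fast are tabled and their states flushed.
pass in  on $ext_if inet proto tcp from any to $dns_out port 53 flags S/SA \
    keep state (max-src-conn-rate 50/10, overload <dns_abusers> flush global)
# UDP sources can be spoofed, so only cap the states one source may hold
# instead of blacklisting on them.
pass in  on $ext_if inet proto udp from any to $dns_out port 53 \
    keep state (max-src-states 100)
pass out on $dmz_if inet proto { tcp, udp } from any to $dns_out port 53 keep state

# Outside resolver -> whitelisted upstreams only
pass in  on $dmz_if inet proto { tcp, udp } from $dns_out to <dns_upstream> port 53 keep state
pass out on $ext_if inet proto { tcp, udp } from $dns_out to <dns_upstream> port 53 keep state

# Inside resolver -> outside resolver only (no other DNS leaves the inside)
pass in  on $srv_if inet proto { tcp, udp } from $dns_in to $dns_out port 53 keep state
pass out on $dmz_if inet proto { tcp, udp } from $dns_in to $dns_out port 53 keep state

# LAN clients -> internal DNS and NTP only; DNS to anything else hits the default block
pass in  on $int_if inet proto { tcp, udp } from $lan_net to $dns_in port 53 keep state
pass out on $srv_if inet proto { tcp, udp } from $lan_net to $dns_in port 53 keep state
pass in  on $int_if inet proto udp from $lan_net to $ntp_in port 123 keep state
pass out on $srv_if inet proto udp from $lan_net to $ntp_in port 123 keep state

# LAN clients -> Internet: the egress allow-list and nothing else
pass in  on $int_if inet proto tcp from $lan_net to any port { 80, 443 } flags S/SA keep state  # HTTP, HTTPS
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 80, 443 } flags S/SA keep state
pass in  on $int_if inet proto udp from $lan_net to any port { 500, 4500 } keep state           # IKE, NAT-T
pass out on $ext_if inet proto udp from ($ext_if) to any port { 500, 4500 } keep state
pass in  on $int_if inet proto esp from $lan_net to any keep state                              # IPsec ESP
pass out on $ext_if inet proto esp from ($ext_if) to any keep state
pass in  on $int_if inet proto { tcp, udp } from $lan_net to any port 1194 keep state           # OpenVPN
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 1194 keep state
```

                      Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and inspect the blacklist with `pfctl -t dns_abusers -T show`. Two caveats: the overload table is only triggered by the TCP rule, because pf blacklists on completed handshakes it can trust, so a UDP flood is merely capped per source, not tabled; and "only serve the intranet during a DDoS, rely on the cache" is resolver configuration, not something pf can express, since the firewall already hides the inside resolver from the Internet entirely.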

            2. 3

              Without a description of exactly what these things do (especially forcing your DNS to Cloudflare?!), this list is just black magic and snake oil.

              1. 2

                There used to be a MacOS-specific section on EFF’s site, but this will do for now: https://ssd.eff.org/en/searchapi?keys=macos

                1. 2

                  The nice folks over at CIS do a yearly security benchmark of every major OS. They provide a nice guide on how the benchmark is conducted and how to remediate known issues.

                  1. 1

                    This looks interesting. Is CIS a non-profit? Should I be worried giving them my information to download their benchmarks or can I get the guide a different way?

                  2. 1

                    There used to be an official Apple doc on hardening Mac OS X, for admins. It described cool methods like permanently disabling the WiFi module or turning on secure boot (one more password during startup). That was for Snow Leopard, I wonder if they still wrote it for Mojave.

                    1. 4

                      NIST maintains a document on hardening OSX. It’s a couple years old, though.

                      1. 1

                        I remember this. But hey, they don’t care anymore.