This article is a pre-release chapter in the upcoming “Take Control of Security for Mac Users,” by Joe Kissell, scheduled for public release later in 2015. Apart from, and , these chapters are available only to ; see  for details.
Macs usually connect to the outside world using Wi-Fi or Ethernet. (“Outside world” might mean another Mac across the room or a server on the other side of the planet.) In fact, most of us have become so dependent on network access that we find it hard to get any work done if that all-important Internet connection goes down.
That dependence on interacting with other devices is both a strength and a weakness. It gives us access to massive power and instantaneous global communication—but it also gives the bad guys an attractive target. This chapter discusses the reasons for protecting your network connection and how to go about doing so.
Broadly speaking, the point of network security—or at least, the particular subset of network security I cover in this chapter—is to protect data as it flows to and from your Mac over both local networks and the Internet. (In Chapter 7, Fortify Your Mac’s Defenses, I talk about another aspect of network security—protecting your Mac itself from intrusions and damage caused by network-based attacks.) But what sort of threats might your network communication face, and from whom?
In a word, you’re trying to protect your data against eavesdropping. If someone is able to see the data that enters and leaves your Mac, then anything you send or receive over a network—email, Web searches, photos, passwords, chats, files, and so on—is no longer private. But it’s not just a privacy issue; someone who intercepted just the right kind of information could use it to break into your Mac, install malware, steal your identity, or do other sorts of damage. In this case, privacy and security are two sides of the same coin.
Eavesdropping sounds passive—like someone listening in on a phone call because the line was tapped—but in skilled hands it can be used actively for more sophisticated wrongdoing. One example is something called a man-in-the-middle attack. In a simple case, imagine that someone tricked your Mac into connecting to a bogus instant messaging server. You continue to send and receive messages with your friends or colleagues as though nothing happened, but all incoming and outgoing text is actually funneled through the attacker’s rogue server. That means any message could be altered (or even deleted) on its way from sender to recipient—and neither party would know the difference!
Why would someone want to eavesdrop on your network activity in particular? Unless you’re at Risk Level 4—that is, you’re being targeted individually—most likely no one cares about your data specifically. It’s not personal! Rather, there are people (and, much more often, software “robots”) who constantly probe any network connection they can find for vulnerabilities, slurp up any useful bits of information, and use it for everything from petty scams to identity theft.
Although, in principle, nearly the entire Internet is vulnerable to this sort of monitoring, the least secure link in the chain is almost always your Wi-Fi connection—especially if you’re using an open, public network. Someone sitting near you at a coffee shop or library—or even across the street, in a car, or in a different building—can use freely available software to “sniff” the Wi-Fi signal and monitor all the Wi-Fi sessions nearby. It’s not hard. I’ve done it myself (for research purposes only, mind you), following directions I found on the Web, and I was shocked and appalled at what information I found floating freely through the air around me.
Other potential weak links include the Wi-Fi router itself (someone could hack into it, or attach a monitoring device between it and the Internet), your ISP (where numerous employees and contractors might be able to access data as it flows through), and any other router through which your data may pass between source and destination.
Fortunately, there are simple steps you can take to eliminate the most common network vulnerabilities. Although these won’t protect you against every possible means of eavesdropping, they make it significantly harder for eavesdroppers—and the goal is to make it hard enough that they’ll move on to easier targets.
You may have only a desktop Mac that’s connected to a router with an Ethernet cable and doesn’t use Wi-Fi at all. If so, you can skip ahead to the sidebar. But most of us use Wi-Fi at least some of the time.
Assuming that you own or control the Wi-Fi router or base station, you should take immediate action to make certain no one else can eavesdrop on your communications—see the documentation that came with your router or refer to the manufacturer’s Web site for specific instructions.
First, use WPA. Wi-Fi Protected Access (WPA) is the most secure standard for Wi-Fi encryption currently in widespread use. It comes in several flavors, so you may see options like “WPA/WPA2 Personal” and “WPA2 Enterprise” (Figure 1). I can’t get into the details here, although I’ll mention that if you use an Apple AirPort base station or Time Capsule for wireless networking, you’ll find lots of good information in Glenn Fleishman’s.
Choose any variety of WPA, but do not use WEP (Wired Equivalent Privacy)—it’s trivially easy to crack. (I know; I’ve done it myself.) And do not skip wireless encryption. You could choose “None” as the wireless encryption type, but don’t; that’s ridiculously insecure and never the right choice if you can avoid it.
In addition, be sure to use good, unguessable passwords for both your wireless network password and your router’s administration interface. I discussed both of these topics back in Chapter 5.
What if you’re on someone else’s Wi-Fi network? If it happens to use WPA, that’s good, but since other people will know the password, your connection is somewhat more vulnerable to hacking than your own network would be. If the network uses no encryption or WEP—or if you want extra insurance on a public WPA network—you need to take matters into your own hands by using a VPN, as I describe next.
A Virtual Private Network, or VPN, is a special type of network connection that encrypts all Internet traffic flowing between your device and a VPN server somewhere on the Internet. Think of a VPN as a tunnel running through your physical (Wi-Fi, cellular, or wired) Internet connection that’s impenetrable from the outside but open on both ends. Since VPNs encrypt everything, they even make it safe to use an unencrypted Wi-Fi connection.
With a VPN, your computer or other device appears to be on the same local network as the VPN server. So, for example, if that server is located in your employer’s data center, connecting to it gives your computer the same access to your corporate network that it would have if it were in the same building—access that would otherwise be blocked from the outside by a firewall. And your IP address will be assigned by the VPN, so if the VPN service is in, say, France but you’re physically in Los Angeles, your IP address will most likely appear (from the perspective of any server you connect to) to be in France.
Large corporations often run their own VPNs, and if you work for such a company, your IT people can explain how to get up and running. But ordinary Mac users can also take advantage of VPNs by signing up for any of numerous commercial services. Some (such as) offer free, ad-supported VPN service, while others (such as , , , and ) require paid subscriptions. A quick Web search will turn up numerous other options.
Macs have built-in VPN software, so in many cases, all you have to do is sign up for a service, enter a few settings (including your username and password), and click a button to activate the VPN (Figure 2). In cases where a VPN requires custom software, it’s nearly always a free (or free-with-purchase) download. In any case, the VPN service you select will provide detailed online instructions for setting up each of your devices.
If you’re at Risk Level 1, a VPN is probably a waste of your time and effort. At Risk Level 2, consider using one when you’re connected to a public Wi-Fi hotspot or another untrusted network, like a hotel’s Ethernet. At Risk Level 3 or 4, you should probably use a VPN all the time. Yes, even at home! (Keep reading to find out about an interesting, if expensive, always-on VPN.)
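The two checks the preceding sections describe (is the Wi-Fi network using WPA rather than WEP or nothing, and is a VPN tunnel already up) can be scripted on a Mac. This is an added example, not code from the book; it assumes Apple’s command-line `airport -I` tool prints a “link auth:” line and that macOS VPN tunnels appear in `ifconfig` as utunN interfaces with an IPv4 address, and it embeds constructed sample output so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the book: decide whether the Wi-Fi network a Mac is
# joined to is adequately encrypted and whether a VPN tunnel is already up.
# Assumptions to verify on your own Mac: Apple's `airport -I` tool prints a
# "link auth:" line (none, wep, wpa2-psk, ...), and macOS VPN tunnels appear
# in `ifconfig` as utunN interfaces carrying an IPv4 address.
# Constructed sample of `airport -I` output for an open hotspot.
SAMPLE_AIRPORT='     agrCtlRSSI: -55
           SSID: CoffeeShop-Free
    802.11 auth: open
      link auth: none
        channel: 6'
# Constructed sample of `ifconfig` output with a VPN tunnel (utun0) up.
SAMPLE_IFCONFIG='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff'

# Extract the link-auth value from airport -I text on stdin.
wifi_auth() {
  sed -n 's/^[[:space:]]*link auth:[[:space:]]*//p' | head -n 1
}
# Rate an auth value: any WPA flavour is "ok"; WEP or no encryption is "bad".
rate_auth() {
  case "$1" in
    wpa*|WPA*)       echo ok ;;
    wep|WEP|none|"") echo bad ;;
    *)               echo unknown ;;
  esac
}
# Print "up" if any utunN interface in ifconfig text (stdin) has an IPv4 address.
vpn_status() {
  awk '/^utun[0-9]+:/ { in_utun = 1; next }
       /^[^[:space:]]/ { in_utun = 0 }
       in_utun && /inet / { found = 1 }
       END { print (found ? "up" : "down") }'
}
# Turn the two checks into the chapter's advice: WEP or open Wi-Fi with no
# VPN is the case that needs action.
advise() {
  if [ "$2" = up ]; then echo "OK: VPN tunnel active; Wi-Fi encryption ($1) is not the weakest link"
  elif [ "$(rate_auth "$1")" = ok ]; then echo "OK: WPA in use ($1); a VPN is optional on your own network"
  else echo "WARNING: Wi-Fi encryption is '$1'; start a VPN before sending anything private"
  fi
}

# Run on the constructed samples. On a real Mac, pipe live output instead:
#   /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | wifi_auth
advise "$(printf '%s\n' "$SAMPLE_AIRPORT" | wifi_auth)" "$(printf '%s\n' "$SAMPLE_IFCONFIG" | vpn_status)"
```

Note that some utun interfaces on newer macOS versions belong to system services rather than a VPN, so treat the "up" result as a prompt to confirm in System Preferences rather than as proof.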
VPNs are great, and I use them all the time on public Wi-Fi networks. However, I should mention a few qualifications:
I’ll mention another, related option here: proxy servers. A proxy server, like a VPN, can disguise your physical location by routing your Internet connection through a device somewhere else in the world. Some proxy servers do additional tricks, such as filtering or caching data. But proxy servers by themselves don’t offer the encryption of VPNs, so although they might keep your identity private from the server on the other end, they are less likely to improve privacy in your immediate vicinity. Some services, like, offer your choice of proxy or VPN services.