I recently attended the Defcon conference which is well know to be the most hostile network in the world. One common advice is to hide all your devices.
Of course, you know I could not spend a week without the Internet, so I finally looked into securing my computer which I should have done a long time ago. In this post, I want to share some recommandations on how to really secure your mac computer and protect your privacy when surfing online.
We will go through setting up the MacOS firewall and a VPN to an amazon EC2 box. This is still quite technical so if you have never opened a terminal this is probably not for you might still want to read the next paragraph to understand the risks and have some basic ideas of how to protect yourself.
Every script described here is published on my github as the Voodoo Privacy project.
When you log onto a public network, you directly connect your computer or your phone to an unsecure network and need to understand that you do not get the same level of protection that you would when you are on your office network or your home network. Other people around you can listen to your network traffic and they can also connect directly to your computer and access any information that you make publicly available.
A few examples:
This is not always a big deal: I dont care that people around me know what books I am shopping for on amazon or what articles I like on the nytimes.
When you do care, there is a relatively easy and quite efficient way to protect yourself: use HTTPS. If your website url starts with https://
and your browser shows a little green lock then your communication is crypted and people will not be able to intercept your exchanges.
So always use https when surfing in public place, this applies to your gmail account, to facebook or any other social networks that you probably want to keep private. Also, read carefully the warning from your browser. If it tells you that the certificate for gmail.com or facebook.com can not be verified, it usually means that someone is trying to intercept your communication and put themselves in the middle. If that happens, do not trust the certificate. Get out and go surf somewhere else.
Finally be careful of what you share from your computer. You might have decided to share files when you were at home. Remember that those shares will still be available to other people around you. In any Starbucks with more than 10 poeple, there is always someone sharing pictures of their last holidays… If you dont want to be that person, disable file sharing when you are not using it, or enable the built-in firewall in MacOS (Settings -> Firewall -> Enable firewall).
Now the built-in firewall is pretty good but if you know what you are doing, I highly recommend direct control of the firewall through a few simple scripts. This will give you the best control on what goes in but also what goes out of your computer.
Since Lion, MacOS uses OpenBSD packet filter which is managed by the pfctl
command. The basic setup is built around the file /etc/pf.conf which loads some basic rules and provides anchors to hook some more rules when you enable the firewall, file sharing, etc.
What Voodoo Privacy does is that when you want to go into a full secure mode, it loads a different configuration file for the packet filter which does not contain the OS anchors so that even if the firewall or network sharing are enabled, they wont work because only your explicit rules will be effective.
You only need two files (which are available from my github), the first one is a shell script to enable the custom rules:
The other one is the actual rules that will be loaded (get the latest version on github):
Copy and paste those lines or (clone my github on your computer), and execute .sudo /voodoo.sh hostile
to disable OSX default firewall and enable these very basic (and much more strict) rules. Then run sudo ./voodoo.sh log
to see all the traffic that is being dropped. By default, DNS, HTTP and HTTPS are not allowed so you really wont do much.
You now have three options:
Oh and when your back at home and want to go back with the default OSX rules, just run sudo ./voodoo.sh safe
. This will load the default file from /etc/pf.conf
.