My solution for keeping Mac OS X protected from trojans and other nasty Internet-borne problems is an easy-to-use, easy-to-understand firewall: Little Snitch.
Having a virus attack your computer and render it useless is annoying. Having a trojan install itself on your computer and send out your sensitive personal information is catastrophic. What sensitive information could be that important, you ask? How about Internet banking and online stock trading accounts, usernames and passwords? You don’t even need to have that information written down somewhere on your computer for it to be stolen. Keylogger programs can capture your logins and passwords as you use them on your favorite sites and send them off to eagerly awaiting crackers in some far-off foreign land. This actually happened to me back in 2004. Without the help of a firewall, I would never have known. More on this later.
How do we prevent our sensitive information from being beamed out to cyberspace? Set up a gate around our computer and hire a guard to watch all the traffic coming and going. Well, in a digital sense. The digital version is known as Little Snitch, from Objective Development in Germany.
Little Snitch works by checking with you, a human, whenever a new program on your Mac tries to connect to the Internet. Each time a new program tries to send information out to the Internet, Little Snitch asks you whether you want to allow this to happen and whether it should remember your decision for next time. This is really not as intrusive or bothersome as it may sound. After a day of using your computer as normal, you’ll have just about all the programs you normally use set up with Little Snitch and the questions will stop. After this point, any time Little Snitch asks you about new outbound Internet traffic, you should pay attention: this is possibly information being sent out without your knowledge or consent.
With Version 2 of Little Snitch, ObjDev came out with a great feature: Network Monitor. This feature unobtrusively pops up a window in the top-right corner (by default; it can be moved) showing the name of the program and the Internet address it is trying to reach, every time data is sent out over the Internet. This is the ultimate in keeping a watchful eye on your system. You’ll quickly get to know which Internet addresses your Mac normally talks to on a regular basis and which addresses should set off alarm bells.
So how is all this useful? Let me provide an example.
In 2004, I was trying to figure out some network issue with a game or whatnot, so I popped up my firewall’s network monitor. I noticed something funny: an outgoing email connection was being attempted every minute from my computer to an email server that was completely foreign to me. I thought this somewhat odd, so I tried to load up the server address in a web browser. It was a Lycos free email account. I had no Lycos email accounts. At this point I could see the alarm bell in my head, but the ringing wasn’t too loud yet. Next I inspected what program was trying to make this Internet connection. It was a program that I had never heard of, installed in my Windows directory. Looking at the compiled source code of this program, it was referencing a file named “password” something or other. Returning to the directory, I found this file and opened it up in a text editor. To my horror, this file contained my usernames and passwords for web sites I used normally. This is when the five-alarm signal started screaming in my head. In a panic I tried to delete the program, but it was constantly “in use”, making connections out to this Lycos email server and monitoring Internet Explorer for logins that I was performing. Somehow this trojan program had made it into my system, had collected all my usernames and passwords for web sites that I normally use, and was trying to email them to an anonymous email account that the cracker/trojan author obviously had access to. This trojan was so successful that the email box at Lycos had hit its size limit and was rejecting incoming emails. Luckily for me, the emails with my credentials were being bounced, not delivered. The only thing that saved me was the firewall network monitor showing me the outbound connections. Had I not seen this unusual Internet traffic coming from my computer and stopped it, the cracker would have cleared out his email box, allowing new stolen passwords to arrive, and I would have been compromised.
I was extremely lucky.
Little Snitch 2 with Network Monitor can help you prevent this type of nightmare. If you’re interested in keeping your banking and other sensitive personal information safe, I’d certainly recommend it.
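To make the two ideas above concrete, here is an added example (my own Python, not Objective Development’s code): a tiny prompt-and-remember outbound policy like the one described for Little Snitch, plus a detector that flags destinations contacted at a near-constant interval, the once-a-minute pattern from the 2004 story. The connection log, process names and hosts are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    ts: int        # seconds since monitoring started
    process: str
    host: str
    port: int

class OutboundPolicy:
    """Ask once per new (process, host, port) and remember the answer."""
    def __init__(self, ask):
        self.rules = {}    # (process, host, port) -> True allow / False deny
        self.ask = ask     # stands in for the human at the dialog

    def check(self, c):
        key = (c.process, c.host, c.port)
        if key not in self.rules:        # first sighting: prompt the user
            self.rules[key] = self.ask(c)
        return self.rules[key]

def beacons(conns, min_hits=3, jitter=5):
    """Return (process, host, port, interval) for destinations contacted at a
    near-constant interval, the pattern behind the 2004 story above."""
    seen = defaultdict(list)
    for c in conns:
        seen[(c.process, c.host, c.port)].append(c.ts)
    found = []
    for key, times in seen.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= min_hits - 1 and max(gaps) - min(gaps) <= jitter:
            found.append(key + (round(sum(gaps) / len(gaps)),))
    return found

# Constructed sample log (not real traffic): a mail client, a browser, and an
# unfamiliar binary that reaches an SMTP server every 60 seconds.
LOG = [Conn(0, "Mail", "imap.example.com", 993), Conn(7, "Safari", "www.example.com", 443),
       Conn(30, "unknownhelper", "smtp.example.net", 25), Conn(90, "unknownhelper", "smtp.example.net", 25),
       Conn(95, "Safari", "www.example.com", 443), Conn(150, "unknownhelper", "smtp.example.net", 25),
       Conn(210, "unknownhelper", "smtp.example.net", 25), Conn(300, "Mail", "imap.example.com", 993)]
KNOWN = {"Mail", "Safari"}   # what a user would allow on a normal day

def run(log=LOG):
    """Apply the policy to the log; returns (policy, list of blocked connections)."""
    policy = OutboundPolicy(lambda c: c.process in KNOWN)
    blocked = [c for c in log if not policy.check(c)]
    return policy, blocked
```

Only three prompts are needed for eight connections, and the unfamiliar process is both denied and surfaced as a 60-second beacon.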
You can try Little Snitch before buying. The default install allows you to run the firewall for three hours at a time before it switches off automatically. This will give you a flavour of how it works and what to expect. At that point you can decide whether it’s worth the $24.95 or not. For the peace of mind I get from knowing what information is being sent out of my computer, Little Snitch is well worth it.
What features could be improved?
- A list of addresses or programs to not show in Network Monitor. There are a bunch of Internet addresses that my programs talk to on a regular basis. I don’t need to see these constantly in the Monitor. Example: GMail connects to its servers every few seconds to check for new mail. Obviously an allowed action, but very repetitive and not interesting from a security standpoint. Being able to set up a “whitelist” of addresses and programs for Network Monitor to ignore would be nice. UPDATE 080207: After writing this review, Karl from Objective Development was kind enough to let me know that this feature is already available and I had simply missed it. To not show a program within Network Monitor, simply select the program within Network Monitor you wish to exclude, then click on the “gear” symbol within the pop-up monitor window. One of the choices from the pop-up menu is “Don’t show [program] within Network Monitor”.
- Opacity of the Network Monitor window. I’d like to adjust the transparency so it doesn’t affect the visibility of the programs I’m using below the Network Monitor when it pops up.
- The purchase clearing house Objective Development has chosen for North America: Plimus. These guys are slow, unresponsive, and annoying. Why?
  - It takes them 12+ hours to complete an order.
  - No one answers their phones, PLUS it’s very difficult to find the number for customer service reps (they ask you to repeat the order and choose “Pay by Phone” in order to get the customer service number. I’m not kidding). I phoned in multiple times at the 12-hour mark trying to get the order completed, only to be greeted with recorded messages asking me to leave a message (as no one was answering) and someone would call me back. I finally stumbled upon the correct phone menu choices, which allowed me to confirm and complete my order without having to talk to anyone. In my opinion, what’s the point of having an automated system that forces order confirmation by a service representative, when the original person ordering can enter the system and confirm the order themselves? Doesn’t that defeat the purpose of having a third party verify and check for fraud?!?
  - They lie about having tried to contact you to confirm the order. After about 8 hours I received an email from them saying “your order couldn’t be confirmed because your phone number was incorrect or you could not be reached”. Since I have a Skype number which records all incoming call attempts, I know when someone has dialed my number. No one had dialed my number. To make sure I hadn’t entered my phone number incorrectly on the order form, I found my order on their website. Sure enough, I had listed the correct phone number. Thus, they were lying when they sent the email saying they had tried to contact me. Why would they do this? It allows them to be slow in confirming orders and it maintains their “claimed” service response times by asking the purchaser to “correct” their phone number. In most cases it takes a few hours for users to read and respond to such emails, giving Plimus extra time to get around to processing the order. This is weak. And it pisses people off, laying the blame on the customer in order to justify their slow turnaround time. Whether this practice is employed by the line employees without management knowledge, or whether it is an accepted practice at Plimus, it’s poor customer service. I would encourage Objective Development to find a better service provider for North America. If I had had the choice to cancel and refund my order, I likely would have, all due to Plimus’ poor service. This is unfortunate, considering that Little Snitch is a great program.
Enough complaining. Little Snitch rocks. Danke ObjDev!