How To + Security & Privacy

Drop a pin on a map. Pick a random city and random street. Chances are if you were to actually go to that location, your Mac or iPhone will pick up several Wi-Fi networks. Some may even be free and open to use: think of Starbucks, the Apple Store, the library, on college campuses, or possibly even the networks of some homes.

While free Wi-Fi is very convenient, there are risks involved in its use. This article will cover some of the risks associated with public networks and how you can keep your Mac safe when using them.

Fake Wi-Fi networks

Make sure that the network you connect to is the right one. You may have seen similarly named networks when you’re at a Starbucks, such as “Starbucks Free Wi-Fi” or “Starbucks High-Speed Internet.” These are not owned by Starbucks but someone hoping you will connect to it, so they can get their hands on your communications or login credentials. If you are not sure which network is the right one, ask the staff of the establishment you’re in.

Previously joined networks

By default your Mac will remember Wi-Fi networks that it has previously joined—a time saver, for sure, but also a risk. If your Mac has “Apple Store” or “Starbucks” in its memory, there is nothing stopping it from joining my fake “Apple Store” network. If the network has the same name and the same password (or lack thereof), your Mac thinks, “it must be the one I remember from before, right?” Your Mac does not know any better, and it “helpfully” connects automatically, while perhaps it shouldn’t. We recommended that you delete free Wi-Fi networks from your history, so that your Mac will not auto-join them the next time you’re in range. For a step-by-step on how to do this, have a look at Intego’s article here.

Disable sharing services

Your Mac has sharing capabilities built in. To view them, open your System Preferences and go to the Sharing pane.

Make sure all services in this pane are unchecked. Optionally, you can change your computer’s name to be a bit less revealing. For instance, instead of “Bob’s 2015 MacBook Pro” use “Bob’s Computer.”

Disable Bluetooth

Another radio sending out signals is your Bluetooth. Use your laptop’s built-in trackpad instead of a wireless mouse and turn Bluetooth off. This can be done in your System preferences > Bluetooth pane.

Set AirDrop to allow contacts only

With your Bluetooth disabled, AirDrop can’t function; however, next time your Bluetooth is on, have a look at your AirDrop settings. The setting that controls who can send you files when AirDrop is active has to be changed in the AirDrop window itself. Click on AirDrop in a Finder window sidebar and a window similar to the image below will appear:

Click on the “Allow me to be discovered by” menu, and make sure it is not set to “Everyone.” If you never use AirDrop, then you can also set this to “No One” and never worry about it again.

Use a trusted Mac firewall

A firewall is required to block and monitor connection attempts made to and from your Mac. A firewall is your Mac’s personal body guard that won’t let anything, or anyone, through without your express permission. It worries about incoming and outgoing network traffic, so you won’t have to. (Note: Apple’s built-in firewall only offers inbound traffic protection.)

Intego NetBarrier, included with the Mac Internet Security and Mac Premium Bundle packages, is the right tool for the job.

Loaded with three presets, Home, Work and Public Hotspot, adjusting the flow of traffic is as easy as toggling a profile. At home, your trusted network, NetBarrier will allow local network traffic to flow free, but switch it to Public Hotspot and the gates are slammed shut. Nothing enters your Mac unless you allow it.

If all you need is the Internet, you can block outgoing local connections for an even more closed off environment. You can browse the web, check your email and message with your friends without having to worry about someone else on the network attempting to access your Mac.

Of course, the preset profiles can be edited and customized to suit your needs, but the default settings offer excellent protection. If a process or application wants access to the network, Intego NetBarrier will let you know and you decide what happens next.

Alright. You’re on a network that you know is not a fake, and access to your Mac is actively blocked and monitored by the firewall, ready to start browsing? Not quite yet. The network you’re on is still accessible to multiple people, and even though they now can’t get into your Mac, someone could be monitoring and capturing the network traffic itself. If the information to and from your Mac is not secure, then you can still be at risk; login credentials to websites may be stolen and privacy may be compromised.

Tunnel out

The best way to avoid security and privacy risks on public networks is by using a VPN. This can be a paid service or a homemade solution, but whatever the case, it should be used at all times when you connect to a network that is not your own. We don’t recommend using a free VPN service, because VPNs aren’t free to operate, which means your privacy is probably at greater risk when using a “free” VPN service.

A VPN will create a secure, encrypted tunnel from your Mac, straight out of the network you are connected to and to the VPN host. This host will be an off-site server from your preferred solution: a VPN provider, a VPN router at your home, or a macOS Server with the VPN service enabled. The result is that your use of Facebook, messaging, email or online banking can all be done knowing your communications are not watched by anyone on the network.

For more about VPNs, see our article on why you need a VPN, or listen to our Intego Mac Podcast episodes all about VPNs and about CyberGhost VPN in particular.

If VPN is not an option

Really try to get a VPN solution. It’s worth it. If this is not an option though, here are a few tips to keep your communications as secure as possible.

• Make sure every website you visit starts with https://, because this means the site you’re visiting secures the traffic to and from your Mac with some sort of encryption. It’s a mini-VPN between you and the website.
• Even with https it’s best to stay clear of websites where any kind of login credentials are required. Social media sites, email, purchasing sites that require credit card information and especially online banking are best left until you are back on a trusted network. (Depending on how the websites are configured, the encryption method may be old and unreliable or only partially encrypt the traffic. With almost anything worth doing online requiring credentials of some sort, the need for a good VPN solution becomes clear fast.)
• Disconnect from the network when you’re not using it.

Better DNS

You type in “intego.com” but your Mac has no idea where to find that website—or rather, it wouldn’t without DNS (short for Domain Name System). Instead of crawling the web in the hopes of accidentally running into the server that hosts the site, it contacts a DNS server. The DNS server knows that “intego.com” is hosted on a server with the IP address “96.126.119.191.” Your Mac contacts that IP address and finds “intego.com.” This happens in a fraction of a second every time you type in a website address and hundreds of times more in the background without you even knowing.

You want your Mac to contact a fast and reliable DNS server, ideally one that can also filter out malicious websites like botnets, phishing, fraud and malicious websites that attempt to infect you with malware. Various services with similar functionality exist, with varying degrees of freely available versus paid filtering options. An old standard is OpenDNS (now owned by Cisco; here are setup instructions), and a couple more recent options worth looking into are 1.1.1.1 DNS by Cloudflare and 9.9.9.9 “Quad9” DNS (we discuss these on episode 26 of the Intego Mac Podcast).

Using a public network usually means you are not alone. So here are a few additional tips for added security.

• Make sure no-one is looking over your shoulder. Take a quick look around when you are about to type in a name or password or when writing an email containing sensitive information.
• Use a password manager to store your credit card details in so your wallet can stay in your pocket or purse.
• Secure your data storage with FileVault.
• Set a screensaver password and configure a hot corner so you can lock your Mac with a single swipe.
• Enable Find My Mac just in case your Mac decides to grow feet and disappear.

On campus, at a Starbucks, in an airport or at work, these tips should help you stay safe on any network that is not your own.

For more ways to keep your Mac safe at Universities and public networks, check out these 15-Mac hardening security tips from Intego to lock down your computer.

About Jay Vrijenhoek