Nicholas Raba, SecureMac: “if you’re on the Internet, you’re already a target — even if you don’t know it yet”

Despite the fact that there are millions of ransomware and malware strands out there, many individuals and enterprises still feel as if they are immune to such attacks.

While the recent data breaches and attacks have made certain organizations step up their cybersecurity measures, the fact that cybercriminals continue successfully carrying out their activities shows that there is still a long way to go. According to our guest today, the reason behind this problem is that many people, especially Mac users, falsely believe that their device already has all the necessary security features built-in.

To discuss the ins and outs of macOS security, we caught up with Nicholas Raba, Founder and CEO, SecureMac – a company not only providing security solutions but also educational content for Mac users.

How did the idea of SecureMac originate? What has the journey been like since your launch in 1999?

We founded SecureMac because we saw a need for it: In 1999, there was no centralized news and information portal dedicated to Mac security. And Apple, for better or worse, was still treating malware as something that wasn’t an issue on OS X (remember all those “Macs don’t get viruses ads?”). But we knew from our own experience as malware researchers that Macs could indeed be infected with malware — because we’d seen it happen! So in the beginning, we wanted to give people a way to learn more about Mac security, new types of Mac malware, and, above all, find out how to protect themselves.

After doing that for a couple of years, we started to hear from more and more everyday Mac users who wanted a level of security that, frankly, Apple wasn’t providing. They wanted to know if their computer was infected with a Trojan, adware, a keylogger, scareware, or stalkerware without having to take their Mac to the local repair shop.

So we put together a development team and began working on a complete Mac security solution, which is how our flagship app, MacScan, came to be. We released MacScan in 2006, and it was really a hit: I think mainly because it was an easy-to-use, comprehensive security solution.

Then in 2012, we released PrivacyScan, which was similar to MacScan in some ways, but as the name implies, was more focused on Mac privacy threats: things like helping people to remove tracking cookies and cache files from their browsers, and securely delete old files.

For the past 10 years, we’ve continued to develop both apps, improving their ability to detect novel Mac security and privacy threats, making performance and UX improvements, releasing new versions, and so on. We’ve also been heavily involved in Mac threat hunting and malware research. On that front, SecureMac has always been a big contributor to the Mac security community. Our security researchers have discovered major new Mac malware variants (for example, the BlackHole RAT Trojan and the Boonana Trojan). We’ve also sponsored Mac security research conferences as a way of giving back to the community and helping to support the next generation of Mac security pros.

But despite all these changes, we’ve stayed true to our roots: we try to be a go-to resource for Mac users who want to learn more about macOS security, and who want to know how to keep themselves safe online. In 2016, we launched The Checklist, a weekly security podcast aimed at everyday Apple users looking for practical ways to stay safe online. In addition, we have a regular security blog that offers Mac news and updates, security tips and how-tos, and interviews with cybersecurity experts.

Can you tell us a little bit about what you do? What are the main challenges you help navigate?

SecureMac is really focused on helping everyday Mac users stay safe — and also feel safe. We do that in a few ways:

First, there are the apps: MacScan and PrivacyScan, which detect and remove security and privacy threats.

But there’s also a related issue here that we help users with: namely, the fact that there’s a ton of anxiety about cybersecurity and digital privacy. It can start to feel a little scary to go online, or to think about, say, your kids going online, or perhaps your elderly relatives who may not be as tech-savvy as you are. So one of the things we do is help Mac users navigate our digital world with confidence: without having to worry that they’re going to be infected with malware or have their privacy compromised by some shady website.

In addition, there’s the informational and educational side of SecureMac. And here we have a somewhat different philosophy than a lot of people in the industry. It’s extremely common to hear people in cybersecurity refer to computer users as “the weakest link” in security. The idea is that you can do everything technologically possible to protect a system, but human beings are still going to be vulnerable to social engineering or just making bad decisions.

But we like to turn that conventional wisdom on its head. We try to do a great job of threat hunting, and of building a security app that will detect all of the malware variants out there. But you know what? At the end of the day, the very best cyber-defense, the one you can rely on, arguably even more than apps and engineering, is an educated and well-informed user: a user who has been empowered with the tools they need to make good cybersecurity decisions on their own. That’s why the educational aspect of SecureMac’s mission of “protecting and educating Mac users” is so important to us and has been for over 20 years now.

Are there any early signs that indicate that there is malware or viruses hiding in one’s computer?

The first sign of a malware infection has nothing to do with your computer — it has to do with your gut! A lot of people say (after the fact) that they had a feeling that something wasn't right after they clicked on something malicious or downloaded a Trojanized app. So if you find yourself saying, “Hmm. That seemed sketchy, I probably shouldn’t have done that…” then don’t just ignore the feeling — reach out to someone for help or use your malware detection tool!

In terms of whether there will be technical symptoms of a malware infection, the answer is yes and no. It all depends on the type of malware and on how well engineered it is.

There are some malware variants that will produce symptoms of infection on your Mac. For example, adware is often fairly easy to spot. This is because, in a sense, adware wants to be spotted: it’s going to throw up all sorts of weird ads or pop-ups on web pages or in search results for you to click on because that’s how adware creators make money. So, if your computer starts showing you all sorts of ads or pop-ups that you never used to get, it’s a pretty safe bet that you have an adware infection.

Or to offer another example, there’s macOS cryptojacking malware. This is a form of malware that “borrows'' your Mac’s processing power to mine cryptocurrency. It’s causing your computer to do a lot of extra work, and that may have observable effects. If you notice that your computer seems to be running hot, has unexplained high CPU usage, or that the battery is draining more quickly than usual, those can all be signs of a malware infection.

But you also have Mac malware variants that are specifically designed to remain hidden and run in the background as stealthily as possible. For example, keystroke logging apps. These apps record every keystroke that you press on your computer and can do other things as well, such as take screenshots of your desktop or your messaging apps and so on. Keyloggers are purpose-built to spy on people and they’re often installed by someone with physical access to a computer (e.g., a jealous romantic partner, an overprotective parent, a nosy roommate, etc.). They run very, very quietly. With this type of malware, unless you go looking for it, and unless you know exactly what you’re looking for in advance, you’re not going to find it. And that’s just one example, but in addition to keyloggers, you have things like remote access Trojans (RATs), spyware, and so on, that are built for stealth and can be quite sneaky about how they hide from users.

How did the recent global events affect your field of work?

If you mean COVID-19, I’d say that we saw what everyone else in cybersecurity did: a threat landscape that got far more dangerous virtually overnight. In 2020, everything went online in the space of a few months: remote work, online learning, online shopping, and so on. And at the same time, people were obviously scared, anxious, and exhausted: due to health concerns, due to trying to work from home with young children in the house, or simply due to the stress of everything that was going on in the world!

So basically, you had this perfect storm where all of the sudden everything was online and people were not in a frame of mind to make good cybersecurity decisions. And the bad guys pounced. There was an uptick in scams, phishing attacks, in social engineering threats. People got hurt. Companies got hurt. The cybersecurity community did the best it could to protect people, but I think what we saw over the past two years is how much we now rely on the digital world — and also how important it is, collectively, as a society, that we take steps to strengthen our cyber-defenses and to better educate the public on security and privacy issues.

Despite all the solutions and providers available today, some companies and individuals still refuse to update their cybersecurity. Why do you think that is the case?

The real reason? People don’t think it can happen to them. Hacks, data breaches, ransomware, spyware — for a lot of people, these are things that happen to “other people”.

There are lots of justifications that a company might use, internally, for not updating their security: the cost, not having enough internal IT staff to implement a cybersecurity solution, not having any legal requirement to do so, etc. But the root cause is that these companies believe, on some level, that they don’t really need to do it. Unfortunately, that’s not true at all. These days, if you’re on the Internet, you’re already a target — even if you don’t know it yet.

Usually, until there is an incident at a company and until they have that first breach, cybersecurity will remain in the realm of the hypothetical. Sometimes companies get lucky and just have a close call. In many cases, that can be enough to motivate them to act. Companies may begin investing in cybersecurity, or take out cybersecurity insurance — which is not only financial protection, but has security benefits as well, since many cyber-insurance providers advise companies on best practices and governance, conduct audits, or help with breach preparation, and so on.

You see a similar sentiment among some Mac users. If you go on any Internet forum, or on Twitter, you’ll see people (sometimes supposed “experts”) telling users not to worry about malware on macOS, not to install security apps, to simply avoid doing “dumb things”, whatever that means. This is sort of parroting Apple’s old marketing around Macs not getting malware — a position that Apple, incidentally, has long since abandoned. But people who work in Mac security have seen the danger with our own eyes. We’ve seen the keyloggers. We’ve seen the malware infections. We’ve seen the Trojanized apps.

You can tell people, you can warn people, you can show people the evidence… and unfortunately, with a certain subset of individual users, just like with some companies, they’re not going to listen until it happens to them or someone they know.

Can you share with us some maintenance tips that help Mac computers last for years to come?

Macs are great machines. They’re high-end, they’re expensive—but they’re also really well designed. So if you take care of your Mac, your Mac will take care of you!

In terms of basic preventive maintenance, we’d recommend a few standard best practices:

• Make sure you’re updating your OS and apps regularly
• If you have a MacBook, don’t leave it plugged in all the time, let it run on battery once it’s charged. It’s possible to “overcharge” a battery, which can degrade performance over time.
• Don’t install unnecessary apps on your Mac, and remove any apps that you don’t use regularly. These can clutter up your system and can also become a security risk if they have vulnerabilities down the line.
• Clean out old files and clear out your browsers from time to time. Today’s Macs come with a lot of storage space, but if you keep too much on your machine you may take a performance hit.
• Use the First Aid function in Disk Utility every few months to check for disk errors on your Mac.
• Follow Apple’s cleaning guidelines — here I’m talking about physically cleaning your computer, to make sure that you don’t inadvertently damage your Mac.
• Maybe a bit obvious, but take the same basic physical precautions you would with any piece of technology: don’t expose your Mac to extremes of heat or cold; don’t work on your Mac in a place where it might be damaged by the elements (for example, working on a laptop at the beach is fun, but moisture, salt, and sand aren’t really great for computers!).

Talking about cybersecurity, what measures do you think everyone should implement on their devices?

That’s a very big question! So rather than go for an exhaustive answer, I’m going to offer six tips that would present the most benefits for most users:

Set up automatic updates for your OS and apps. Apple and Apple developers are always on the lookout for vulnerabilities and roll out patches as quickly as they can. But if you don’t install the update, you’re still exposed. So make sure you’re getting your updates as soon as possible — and set your Mac up for automatic updates, so you don’t have to remember to do it!

Get a password manager. A lot of account breaches are the result of poor password practices like weak passwords or reused passwords. Password managers let you create strong, unique passwords for every single account you have — and they do all the hard work of remembering the passwords for you!

Use two-factor authentication. The mobile device is a powerful security tool because you can use it for two-factor authentication (2FA) – you’re sent a one-time code on your mobile device every time you try to log in to an account. In other words, you enter your password, and then the account prompts you to enter the code you just received on your phone. So, if a bad guy gets hold of your account password somehow, they still won’t be able to get into your account, because they don’t have the mobile device that’s getting the code.

Perform regular backups. If you have some issue with your Mac, whether it’s a malware infection or, you know, your cat knocks over your cup of coffee and destroys your computer, having a backup of all your files and settings can save you from losing weeks of work and all your important files.

Get a malware detection app. Naturally, we like to recommend our own app, MacScan 3, but there are other great anti-malware solutions for Mac out there as well. In terms of choosing one, our suggestion is always to research a few options that meet the standards for quality, try a few of them out, and pick the one that feels easiest to use.

Use a VPN. Most people don’t realize it, but even in supposedly “Incognito” or “Private Browsing” modes, your Internet Service Provider (ISP), network administrator, and other parties may be able to see what you’re doing online. VPNs create a secure, encrypted connection between you and the websites you visit. With a VPN, an external observer will only be able to see that your computer is reaching out to an IP address owned by a VPN company — but they won’t be able to see what you’re doing, or what website you’re visiting. VPNs are important at home, and essential when you’re on public Wi-Fi networks that can be compromised by threat actors who monitor and collect data. Bottom line: if you care about your digital privacy, get a VPN for your Mac!

What changes do you hope to see in the personal computer scene in the upcoming years?

From a security standpoint, we hope to see a larger number of users taking control of their personal cybersecurity — both through better knowledge of cybersecurity threats and through more widespread adoption of essential security tools like password managers and two-factor authentication apps.

In terms of digital privacy, we like a lot of what Apple is doing: requiring developers to disclose their data collection practices; giving users the option to turn off ad tracking (on iOS); building tools like Mail Privacy Protection and Private Relay right into their OSes. In general, people are waking up to the fact that tech companies and digital advertisers (not to mention their own governments!) have been collecting tons of data about them every time they go online. Tools like VPNs and even Tor are becoming mainstream. There seems to be a cultural shift toward a greater awareness of privacy issues, and even within the tech industry, toward giving users more control over who can collect and use their data. We hope that Apple continues to push forward with this — and that other companies follow suit.

What does the future hold for SecureMac?

Exciting things! Macs are growing in popularity all around the world, and are showing up in enterprise and organizational settings more and more. We want to be able to support all of these new users, so we’re taking steps to make sure we can serve them well. We’re going to be expanding into other markets, starting with Japan, South Korea, Singapore, Malaysia, and Germany, and then more countries in the coming years. We’ve also been working on the next version of our flagship app, which will be released as MacScan 4, and are looking at the possibilities for offering it in the Mac App Store.

We’re also expanding our development, security & malware research teams so that we can continue to stay ahead of the curve. The bad guys never sleep, and it’s a never-ending battle to keep one step ahead of them, so we want to make sure that we’re up to the challenge.

Longer-term, we want to continue to improve MacScan by enhancing the app’s malware detection capabilities and optimizing the user experience, and also by incorporating next-gen technologies like AI and machine learning into our software. As Macs become more prevalent in large organizations, we’re also going to begin offering security services to hospitals, governments, and enterprises — and we have plans to expand our suite of security products as well.

But no matter what, SecureMac will be SecureMac. Our mission will be what it always has been: to empower and inform end-users so they can protect themselves from Mac security threats and to help make the world just a little bit safer.