August 16th, 2010

10 steps to better secure protect Mac laptop from physical data theft

MAC Tips, by Albel.

Introduction

Sophos’s recent danger report1 showed that spell the Mackintosh program is now proper the place of the equal category of ordered transgression that affects Windows users, these attacks are soothe really restricted in range and in combat. Nonetheless, we Mac users cannot afford to be content. The success of many collection thieving attacks depends more on the reference system’s soul and the way in which they create with their machine, than on which operative method they hit korea to pose.
Laptops are author prone to material struggle than desktop systems by their nature beingness portable they are oftentimes condemned out of the role to make from lodging, on the educate or regularise in the localised Starbucks.
When you acquire your tool out on the moving, you also work the information it contains away from the area of the organized surroundings with its section controls and into new environments with new risks and threats.
Location users too staleness create that when winning their MacBook out of the beguiler entrance, writer of their operator is on showing than only their preferred laptop form.
In this article I exposit 10 steps that can improve the security of a Mac scheme, remunerative part attention to laptop considerations. I change on rising physical warrant that is, protecting the grouping from attackers who can get their keeping onto the computer.

1 Does it need to come with you?

The first step in securing your remote computing lifestyle and the increase of data protection is necessary to consider whether we need to take everything. All of the attacks that involved here to stop retrieving data from the computer – the easiest way that happens is sufficient to ensure that the data is not there in the first place. In some environments, the attacker does not even need a computer, I have been in many cafes sat on the trains where I could see online banking sites from other customers, and could (if I so inclined) read their account numbers, assets and the payments they made. Simply put, I could see all the information that works to gain an identity thief. While losing ministries such as the UK HMRC, information on millions of people, most of the data on your laptop very important to person: you. The decision as to whether all this information really needs to get with you is the first and most important step on the path to safer use.
In some cases this might not be so easy. John Gruber, author of Mac blog Daring Fireball2, says: “My main computer is a PowerBook that I is both at home and on the road. The only difference in how I am it’s on the road that at home, I am always connected to the Internet, but on the road, access depends on the availability of Wi-Fi. Otherwise no difference. “In such a situation, so that everything at home (perhaps on an external drive) will lose the convenience of the exercise of your work when you are away. But I would say it is worth a compromise.

2 Change your Keychain password and settings

I asked John Gruber, he had his Mac OS X configuration made with respect to security changes. His answer: “The only significant change I’ve made that I use a different password for my keyring as my user account is for.” This is a change that I make on all my systems. The key allows you to keep Internet passwords, notes, and SSL certificates in an encrypted and synchronize them with between machines. Mac. So far, so good – of course there is only one password to unlock all this information, but it means that you have a really good password, which you can choose to remember, use different passwords for all sites, e-mail accounts and so on that you use, you do not need to keep in your head (or on a Post-it note), because it always at it from the keyring. The problem with the default keyring is configured, the password is synchronized with your login password when you are logged on, the items in your keychain to be unlocked and available to any application that asks for them.

It is simple to fix this: firstly, open the Keychain Access application in /Applications/Utilities. In the Edit menu, choose “Change password for Keychain ‘login’…” and set a new password. Now when an application needs a password out of the Keychain, it has to prompt you for that password; a slight reduction in convenience but with a huge payoff in being able to control when your stored passwords are used. You can also control when the Keychain is automatically locked (so that you get re-prompted for the password) through the Keychain’s settings, accessed from the “Change Settings for Keychain ‘login’…” menu item.

3 Lock the screen when away from the computer

Imagine this scenario: You are logged in a website (perhaps checking your credit card balance, or see how many people have stopped by now) in the cafeteria when the barista tells you your drink is ready. You will not be far away, and you can still see the laptop, it will not get stolen … but as long as you do, the nice girl at the next table makes a few notes on a napkin, and by the time you get home your credit card a few hundred pounds lighter.

This situation can be easily avoided by using the password-protected screen saver built into Mac OS X. In the Security system preferences pane, make sure that “Require password to wake this computer from sleep or screensaver” is enabled. Now it is also useful to have a quick way to activate the screensaver, and two options are available.

The gear is to set up a hot construction in the screensaver preferences, so that when you relocation the steal pointer into that plight of the sort, the screensaver module alter. The wares can be constitute in the preferences of the Keychain Reach thought: take “Show position in schedule bar.” The padlock icon which appears shows whether the Keychain is currently locked; clicking on it provides a carte from which one choice is to hair the select.

4 Filevault

It is horny to envisage that you would e’er lose your laptop and pass it at the teach post, but it does materialize. You score belike got insurance to dress the expenditure of the computer, and piece it leave be a devil to better all those files from a duplicate (less so with Example Machine, of course) you can shortly get support to employed again. Anyway, that MacBook Air looks so dejected on the ridge all by itself… but what has happened to the assemblage on the iBook you mitt down? If it was picked up by a cracker, then they belike didn’t smooth
development the machine on, but retributive removed the conniving actuation and dropped it into a opposite computer. Then, without change needing to sustain your arcanum, all of the files – application history, downloaded collection, Pages documents and so on – on that traverse are ripened for the pick.

Filevault solves that problem in a simple way: it replaces your home directory, the area on the hard drive where all your personal files are stored, with an encrypted container. This container can only be unlocked by supplying one of two passwords – either your login password or the “master password”, a catch-all password in case the login password is forgotten. The encryption used by Filevault is of a standard deemed safe to use by US government agencies.3

To enable Filevault, go to the Security pane in System Preferences, and choose the Filevault tab. Click on the “Turn On Filevault…” option, and you will be asked both to enter a master password and your own account’s password. The Mac will convert your home directory into an encrypted container, and you cannot log in until this is complete.

It is important that this step isn’t interrupted, so if you are using a laptop plug it into the mains before enabling Filevault.

The master password can be used to remove the Filevault encryption from your home folder, so it’s best to use a very complex password here, although if you are going to write it down then of course you have to keep it somewhere it won’t be found.

Using Filevault or any remaining encryption (see beneath for two many options built-in to Mac OS X) raises a ask about backups: do you maintain your backups encrypted, or rearwards up the files exclusive the encrypted container in the yield? There is no correct fulfil, but I select to dungeon unencrypted backups because my support saucer stays at interior where I can be cocksure virtually who accesses it. Moment Organization, the built-in duplicate group on Mac OS X, gift only rearward up the Filevault volume when you log out, not on the
steady schedule.

5 Encrypted disk images

Hiding your object internal directory with encryption may seem same overkill, especially if you exclusive soul a few responsive files. You can use the synoptical coding execution that Filevault employs to create your own encrypted platter images, which can be old from the Viewfinder in exactly the same way as habitue images omit that you cannot see the table without entry your password.

Launch the Disk Utility application from /Applications/Utilities, and click on “New Image”.

From the drop-down which appears, choose the 128-bit option from Encryption, and configure the image as you like. (By the way, this is a great way to make an encrypted USB key drive – format the drive, then create an encrypted disk image on it using some – or all – of the free space.)

6 Keychain secure notes

For short notes, which are from the perspective of others are hidden, you can Secure Notes in Keychain Access application, which can then be accessed only by entering your Keychain password. This could be useful if you write yourself a reminder, with no one want to see it, to remind you about such a task in your online banking website.

7 Secure Empty Trash

When you delete a file from the hard drive in your Mac, it is not really deleted – the info telling the computer where to find the file is removed, but the data will remain on the disk until the space is needed to store something else. It is really easy to recover deleted files, you can buy off-the-shelf programs such as FileSalvage5which can do it. Therefore even your deleted files are not safe from the interested cracker.

By selecting “Secure Empty Trash” from the Finder menu to empty the Trash, you can make recovery of the deleted files much harder. It’s still not impossible, although it will require complex (and expensive) forensics equipment to do. Secure Empty Trash writes over the files a number of times before deleting them, which makes it difficult to discover the original contents. Securely deleting files can be a slow process.

8 Encrypted swap files

Many news sites have the story that security researchers have a way passwords6 from the RAM of computers with a variety of operating systems, including Mac OS X. The constraints that are particular attack reported found again very limited (the attacker needs physical access and must be able to restart the system, then you start from their own removable media in less than a minute), but the wider applicability to Mac OS X for one simple reason: It is possible for your login password to get into the swap file to simulate a file on the hard drive more memory. If that happens, who can access the files on the hard disk – you can locally or remotely – can read the password.

Luckily, a solution to this problem is incredibly simple. From the security pane in System Preferences tick “Use secure virtual memory”. Once you have done this, reboot and the swap file will be stored in an encrypted format.

9 Firmware Password

Referring back to the attack described above in “Encrypted swap files”, the attacker needed to be able to boot into their own operating system to recover the passwords from RAM. It is possible to stop that from happening by password-protecting the firmware.

This is slightly higher than the encryption of virtual memory involved, but it may make sense, on workstations and laptops, depending on the environment – even without the password, an attacker can not start from the OS X installation CD again to Administrator passwords or otherwise manipulate resets the contents of the disk. It also keeps your computer with full physical access, such as Internet cafes or university computer labs, from being in a different operating system to boot a local policy to avoid.

On the installation disk that came with your Mac, go to the Applications/Utilities folder (Apple has hidden this folder on my copy, which means that to get there I had to choose “Go To Folder…” (Command-Shift-G) in the Finder, and type “/Volumes/Mac OS X Install Disc 1/Applications/Utilities.” The good news is that you don’t have to type all of that, you can type the first few characters of each part then hit Tab to complete it). The application is called “Open Firmware Password.app” on PowerPC computers and “Firmware Password.app” on Intel Macs. You need to provide an administrator password before you set the firmware password, and it is very important not to forget that password as without it you cannot change what operating system the computer boots into, nor boot in Verbose, Safe or Single-User modes. Apple has a support article7 with a detailed description of the consequences of entering a firmware password. Setting a firmware password also gives protection against attackers using a FireWire connection to snoop the contents of your computer’s memory, which can include your login password. By connecting a FireWire cable to any Mac in its default configuration, a bad guy can see, or even change, what is in the Mac’s memory8 without having to install any software on the system and without any record of the intrusion. Setting the firmware password causes the FireWire drivers to operate in a secure mode, removing this direct memory access.

10 Automatic logout

Improve the final point in this discussion of Mac OS X features for physical security, is also the least because it offers little additional security at a cost of some comfort. In the Security preference pane, you can log off the Mac settings automatically for you if you do not actively for a period of time are. The problem with this is that inactivity is bad guys a chance to use the computer while locking the screen (or even shut down the computer) they would stop on the way to do that.
VN:F [1.9.10_1130]
Rating: 0.0/10 (0 votes cast)

People who read this also read:

  • Video – Password protect Mac files
    Well I was able to figure it out and then decided that maybe other people could benefit from the knowledge, so I made a tutorial which explains how, so anyone with a Mac can password protect their files....
  • Password Protect Macbook
    Do you protect your Mac from prying-eyes? If not, now is a good time to start. We'll show you two ways to password protect your Macbook....
  • Protecting Data to Secure Mac OS
    Mac's can not catch viruses, but they are definitely not of an attack by a hacker or maybe someone who secured the your Mac NABS at the airport. Here is a small series that keep your information only where you want to have. We start with the core of ...
  • Password Protect on Waking From Mac Sleep Mode
    Even if you have confidence in your IT environment enough, it is your job to secure it to your Mac from prying eyes and secure your data. An effective way to do this is to require that the password is entered for access to your computer after it wake...
  • How to password-protect In Mac OS X
    Since Mac OS X is Unix-based operating system provides native support for a multi-user is protected. By default, you must define a single user with a password. ...

Tags: , , , ,

Back Top

Responses to “10 steps to better secure protect Mac laptop from physical data theft”

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Back Top