Salvation Data 0800 075 0720

Our Address: Salvation Data 105 Upper Lisburn Road, Belfast BT10 0LG Email us 24x 7 at sales@salvationdata.co.uk

 

    10 steps to better secure your Mac laptop from physical data theftSummary: This paper describes changes Mac users can make to improve the physical security of their laptops, discussing the context and benefits of each change.

IntroductionSophos's recent threat report showed that while the Macintosh platform is nowbecoming the target of the same sort of organized crime that affects Windows users,these attacks are still very limited in scope and in impact. Nonetheless, we Mac userscannot afford to be complacent. The success of many data theft attacks depends more onthe target system's user and the way in which they work with their computer, than onwhich operating system they have chosen to install.Laptops are more prone to physical attack than desktop systems by their nature - beingportable they are often taken out of the office to work from home, on the train or even inthe local Starbucks. When you take your machine out on the road, you also take the datait contains away from the safety of the corporate environment with its security controlsand into new environments with new risks and threats. Home users too must realize thatwhen taking their MacBook out of the front door, more of their identity is on display thansimply their preferred laptop brand.In this paper I describe 10 steps that can improve the security of a Mac system, payingparticular attention to laptop considerations. I concentrate on improving physical security- that is, protecting the system from attackers who can get their hands onto thecomputer.

1 Does it need to come with you?

The first step in securing your remote computing lifestyle is considering whether you needto take everything out. All of the attacks discussed here involve getting data from thecomputer - the easiest way to stop that from happening is to ensure that the data isn'tthere in the first place. In some environments, the attacker doesn't even need a computer;I have been sat in numerous cafés and on trains where I could see the online bankingpages of other customers, and could (were I so inclined) read their account numbers,balances and the payments they were making. Simply put, I could see all of theinformation that an identity thief works to collate. While governmental departments suchas the UK's HMRC may lose information about millions of people, most of the data onyour laptop concerns one important person: you. Deciding whether all of this informationreally needs to come with you is the first, and most important, step to take on the road tosafer computing.In some cases this might not be so easy. John Gruber, author of Mac blog DaringFireball2, says: "My primary computer is a PowerBook that I use both at home and on theroad. The only difference in how I use it on the road is that at home, I'm alwaysconnected to the internet, but on the road, network access depends on the availability ofWi-Fi. Otherwise, no difference." In such a situation, leaving everything at home(perhaps on an external drive) loses the convenience of carrying on your work when you'reout. But I would say this is a compromise well worth making.

2 Change your Keychain password and settings

I asked John Gruber what changes he had made to his Mac OS X configuration withrespect to security. His answer: "The only significant change I've made is that I use adifferent password for my Keychain than for my user account." That's a change I alsomake on all of my systems. The Keychain allows you to keep internet passwords, notesand SSL certificates in an encrypted store, and synchronize them between differentmachines with .Mac. So far, so good - of course there is only a single password to unlockall of this information, but it means that you can choose one really good password thatyou can remember, then use different passwords for all of the websites, mail accountsand so on that you use, which you don't need to keep in your head (or on a Post-It note)because you can always get them out of the Keychain. The problem with the defaultKeychain configuration is that this password is synchronized with your login password;whenever you are logged in, the items in your Keychain are unlocked and available to anyapplication that asks for them.It is simple to fix this: firstly, open the Keychain Access application in/Applications/Utilities. In the Edit menu, choose "Change password for Keychain 'login'..."and set a new password. Now when an application needs a password out of theKeychain, it has to prompt you for that password; a slight reduction in convenience butwith a huge payoff in being able to control when your stored passwords are used. Youcan also control when the Keychain is automatically locked (so that you get re-promptedfor the password) through the Keychain's settings, accessed from the "Change Settings forKeychain 'login'..." menu item.

3 Lock the screen when away from the computer

Imagine the scene: you are logged into a website (perhaps checking your credit cardbalance, or seeing how many people have poked you today) in the coffee shop, when thebarista tells you your drink is ready. You won't be far away and you can still see thelaptop, so it is not going to get stolen... but while you're up, the nice girl on the next tablemakes a few notes on a napkin, and by the time you get home your credit card is a fewhundred pounds lighter.This situation can be easily avoided by using the password-protected screen saver builtinto Mac OS X. In the Security system preferences pane, make sure that "Requirepassword to wake this computer from sleep or screensaver" is enabled. Now it is alsouseful to have a quick way to activate the screensaver, and two options are available.The first is to set up a hot corner in the screensaver preferences, so that when you movethe mouse pointer into that corner of the screen, the screensaver will activate. The secondcan be found in the preferences of the Keychain Access program: choose "Show status inmenu bar." The padlock icon which appears shows whether the Keychain is currentlylocked; clicking on it provides a menu from which one option is to lock the screen.

4 Filevault

It is hard to imagine that you would ever forget your laptop and leave it at the trainstation, but it does happen. You have probably got insurance to cover the cost of thecomputer, and while it will be a hassle to recover all those files from a backup (less sowith Time Machine, of course) you can soon get back to working again. Anyway, thatMacBook Air looks so lonely on the shelf all by itself... but what has happened to the dataon the iBook you left behind? If it was picked up by a cracker, then they probably didn'teven turn the computer on, but just removed the hard drive and dropped it into a differentcomputer. Then, without even needing to crack your password, all of the files - browserhistory, downloaded mail, Pages documents and so on - on that drive are ripe for thepicking.Filevault solves that problem in a simple way: it replaces your home directory, the area onthe hard drive where all your personal files are stored, with an encrypted container. Thiscontainer can only be unlocked by supplying one of two passwords - either your loginpassword or the "master password", a catch-all password in case the login password isforgotten. The encryption used by Filevault is of a standard deemed safe to use by USgovernment agencies.3To enable Filevault, go to the Security pane in System Preferences, and choose theFilevault tab. Click on the "Turn On Filevault..." option, and you will be asked both toenter a master password and your own account's password. The Mac will convert yourhome directory into an encrypted container, and you cannot log in until this is complete.It is important that this step isn't interrupted, so if you are using a laptop plug it into themains before enabling Filevault. The master password can be used to remove the Filevault encryption from your home folder, so it's best to use a very complex password here, although if you are going to write it down then of course you have to keep it somewhere it won't be found.

Using Filevault or any other encryption (see below for two more options built-in to MacOS X) raises a question about backups: do you keep your backups encrypted, or back upthe files inside the encrypted container in the clear? There is no right answer, but I chooseto keep unencrypted backups because my backup disk stays at home where I can beconfident about who accesses it. Time Machine, the built-in backup system on Mac OS X,will only back up the Filevault volume when you log out, not on the regular schedule.

5 Encrypted disk images

Covering your whole home directory with encryption may seem like overkill, especially ifyou only have a few sensitive files. You can use the same encryption mechanism thatFilevault employs to create your own encrypted disk images, which can be used from theFinder in exactly the same way as regular images except that you cannot see the contentswithout entering your password.Launch the Disk Utility application from /Applications/Utilities, and click on "New Image".From the drop-down which appears, choose the 128-bit option from Encryption, andconfigure the image as you like. (By the way, this is a great way to make an encryptedUSB key drive - format the drive, then create an encrypted disk image on it using some -or all - of the free space.)

6 Keychain secure notes

For short notes which should be hidden from the view of others, you can create SecureNotes in the Keychain Access application which can then only be viewed by entering yourKeychain password. This could be useful if you want to write yourself a reminder withoutletting anyone else see it, for example to remind you about a task in your online bankingwebsite.

7 Secure Empty Trash

When you delete a file from the hard drive in your Mac, it is not really deleted - the infotelling the computer where to find the file is removed, but the data will remain on the diskuntil the space is needed to store something else. It is really easy to recover deleted files,you can buy off-the-shelf programs such as FileSalvage5which can do it. Therefore evenyour deleted files are not safe from the interested cracker.By selecting "Secure Empty Trash" from the Finder menu to empty the Trash, you can make recovery of the deleted files much harder. It's still not impossible, although it will require complex (and expensive) forensics equipment to do. Secure Empty Trash writes overthe files a number of times before deleting them, which makes it difficult to discover the originalcontents. Securely deleting files can be a slow process.

8 Encrypted swap files

Many news websites have reported the story that security researchers have found a wayto recover passwords6 from the RAM of computers running a variety of operating systemsincluding Mac OS X. The constraints on that particular attack are very limited (theattacker needs physical access, and must be able to reboot the system, then boot fromtheir own removable media within less than a minute), but the applicability is wider onMac OS X for a simple reason: it is possible for your login password to get into the swapfile, a file on the hard drive used to simulate more memory. When that happens anyonewho can get access to the files on the hard drive - locally or remotely - can read thepassword.

Luckily, a solution to this problem is incredibly simple. From the security pane in SystemPreferences tick "Use secure virtual memory". Once you have done this, reboot and theswap file will be stored in an encrypted format.

9 Firmware Password

Referring back to the attack described above in "Encrypted swap files", the attackerneeded to be able to boot into their own operating system to recover the passwords fromRAM. It is possible to stop that from happening by password-protecting the firmware.Doing so is slightly more involved than encrypting the virtual memory, but it may makesense on workstations as well as laptops, depending on the environment - without thepassword, an attacker can't reboot from the OS X installation disk to reset administratorpasswords or otherwise manipulate the contents of the hard drive. It also stops computerswith unrestricted physical access, such as those in internet cafés or university computinglabs, from being booted into another operating system to circumvent any local policy.On the installation disk that came with your Mac, go to the Applications/Utilities folder(Apple has hidden this folder on my copy, which means that to get there I had to choose"Go To Folder..." (Command-Shift-G) in the Finder, and type "/Volumes/Mac OS X InstallDisc 1/Applications/Utilities." The good news is that you don't have to type all of that, youcan type the first few characters of each part then hit Tab to complete it). The applicationis called "Open Firmware Password.app" on PowerPC computers and "Firmware

Password.app" on Intel Macs. You need to provide an administrator password before youset the firmware password, and it is very important not to forget that password as withoutit you cannot change what operating system the computer boots into, nor boot inVerbose, Safe or Single-User modes. Apple has a support article7 with a detaileddescription of the consequences of entering a firmware password.Setting a firmware password also gives protection against attackers using a FireWireconnection to snoop the contents of your computer's memory, which can include yourlogin password. By connecting a FireWire cable to any Mac in its default configuration, abad guy can see, or even change, what is in the Mac's memory8 without having to installany software on the system and without any record of the intrusion. Setting the firmwarepassword causes the FireWire drivers to operate in a secure mode, removing this directmemory access.

10 Automatic logout

The last item in this discussion of Mac OS X features to improve physical security is alsothe least, because it offers little additional security at a cost of some convenience. In theSecurity preference pane you can configure the Mac to log you out automatically if youare not active for a certain amount of time. The problem with that is that the inactivitytime gives bad guys a chance to use the computer, while locking the screen (or even shutting the computer down) would stop them from being able to do that.

About the Author

Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.