BACKGROUND

According to the 2008 Annual CSI/FBI Computer Crime and Security Survey, over 500,000 laptops were stolen in the US each year, of which 97% are never recovered. 42% of the responding organizations experienced laptop theft. This represents a tremendous financial loss in the form or hardware, but an even greater potential loss is the gold mine the thief has access to in the form of your data.

Keep in mind that unless you have taken steps to secure your data, anyone with physical access to your computer has full access to that information. All that is necessary to break into a Macintosh that is protected with only a password is a Mac OS X system installer DVD and 2 minutes.


LEVELS OF SECURITY

ANTI-VIRUS

Malware can take control of your Mac, giving the cracker access to all of your data from anywhere on the Internet. Though Mac OS X is less vulnerable than Windows to such attacks, it is not invincible. It is imperative to have an active, effective anti-malware installed and working on your Mac, and to maintain it with daily updates. I currently recommend using Intego VirusBarrier, or if there is no budget, the open source ClamXav. See my blog regarding anti-virus protection for more information.

PASSWORD

At the very least all user accounts should have a decent password. What’s decent? At a bare minimum the password should be 14 characters long. Don’t worry about the foolish upper case/lower case/bizarre characters passwords of past. Just make it a phrase you can easily remember, like “Maestro’s eyes are brown”. This will keep the novice crackers out of your computer should they gain physical access, and keep everyone out over the network. Keep in mind that if someone has physical access to your computer, any password can easily be broken in under 2 minutes.

To change your password:

1. Log in to your user account.
2. Select the Apple menu > System Preferences > Accounts.

   

3. Select your account from the left side bar.
4. Click the Change Password button.
5. Enter your Old Password, then your desired new password.

   

6. Click the Change Password button.
7. Quit System Preferences.

FIRMWARE PASSWORD

A minimally-knowledgeable cracker knows all user passwords can be erased or reset in a minute using a Mac OS X system installer DVD. To help prevent this route of entry you will need to set a firmware password. With a firmware password in place, it must be entered in order to boot from other than your default boot drive.

The Firmware Password.app - located on your Mac OS X system installer DVD - is used to set this password. It is critically important not to forget this password as without it, it is not possible to perform technical support on your computer.

Be aware that more knowledgeable crackers do know how to bypass even this security level.

To set a Firmware password (see the Apple Knowledge Base article for more information):

1. For Mac OS X 10.1 to 10.3.9, download and install the Open Firmware Password application, which you can get here.
2. For Mac OS X 10.4.x, you must use the updated version that can be copied from the software installation disc (located at /Applications/Utilities/ on the disc).
3. For Mac OS X 10.5.x and 10.6.x, start from the Install DVD and choose Firmware Password Utility from the Utilities menu, then skip to step 5.
4. Open the Open Firmware Password application.
5. Click the icon to authenticate. Enter an administrator username and password when prompted.
6. Click Change.
7. Click to select the checkbox for "Require password to change Open Firmware settings".
8. Type your password in the Password and Verify fields.
9. Click OK. A confirmation appears.
10. Click lock icon to prevent further changes.
11. Choose Quit from the application menu.

ADMINISTRATIVE-LEVEL USER ACCOUNTS

Do you login and use an administrative-level user account on a regular basis? If so, you are leaving another door or two open for trouble to enter.

While logged in as an administrator, it becomes easier for malware to take control of your computer as your user account has full access to the OS. Also, should you turn your back and someone else gains access to your computer, they now have administrator access.

Instead, create an administrator account for use when installing software or performing maintenance, but login under a non-administrator account for day-to-day work.

If you think that is simply too wimpy a way to operate a computer, keep in mind that the geniuses that created Mac OS X follow this guideline.

KEYCHAIN

Mac OS X includes an encrypted database to hold all of your usernames and passwords, named “Keychain”. Data is stored in Keychain using military-grade encryption, so unless the hacker knows your password, data in Keychain is safe from prying eyes. By default the password to unlock Keychain is the same as your login password. When you login to your Mac, the your login password is sent to Keychain, unlocking it.


This presents a security hole. With Keychain unlocked, if you turn your back and someone else has physical access to your computer, they have full access to your Keychain database and all of your usernames and passwords.

You can easily remedy this by assigning a different password to Keychain. When this is done, Keychain does not unlock during the login process. Instead, when a password is requested by a service (such as a network server, wireless network, email server, etc.), you will be prompted to enter the Keychain password, unlocking it temporarily to allow the service to retrieve your stored password.

To change your Keychain password:

1. Open Keychain Access.app, located in /Applications/Utilities/.
2. Select Edit menu > Change Password.
3. Enter your Current Password, then your desired password for Keychain.
4. Click the OK button.

Next add a time-out, so that once unlocked Keychain will auto-lock after a short period of time:

1. With Keychain Access.app open, select Edit menu > Change Settings for Keychain Login.
2. Enable Lock after XX minutes of inactivity. Though you can set this to any length of time, I recommend 5 minutes.
3. Enable Lock When Sleeping.
4. Click the Save button.

Storing Sensitive Data in Keychain

Though many applications will automatically store user name and password data in the Keychain, it is also useful for manually storing sensitive information.

For example, let’s say you want to store your bank account information securely. Keychain is a great place to do so. Here are the steps:

1. Open the Keychain Utility (located in /Applications/Utilities/).
2. Select the File menu > New Password Item:
3. This will display the New Password Item window:
4. Enter a recognizable name for this entry, along with your account or user name and the password, then click the Add button.
5. You will be returned to the main Keychain Utility window, where you will see your new entry:

When you need to have access to your account or user name and password:

1. Open the Keychain Utility.
2. Double-click on the name of the data you wish to access. The information window will appear:
3. To see your password, enable the “Show Password” check box, enter your computer user name and password, the the account password will appear.

FILEVAULT

FileVault is a technology built into Mac OS X that allows your entire home folder to be military-grade encrypted when you log out. This can thwart all attempts to gain access to your data. Great in theory, sometimes not so great in practice.

For users with 50GB or more of data, the login and logout process can be slow. Also, you will need to have as much free disk space as your home folder occupies. So if you have 100 GB of data in your home folder, you will need to have 100 GB of free disk space on your boot drive.

If your FileVault protected home directory becomes corrupted, there is very little hope of recovering the data. This mandates a very good backup strategy! (See my blog on creating good backup system).

Lastly, to prevent a determined attack, you must turn off your computer after logout. Simply logging out will leave your encryption keys in memory. A determined attack can access these keys, giving full access to your encrypted home folder.

Advantages:

• Automatic encryption/decryption
• Entire home directory is protected, never need to give thought to “will this file be protected”
• Military-grade encryption

Disadvantages:

• May become overly slow during login and logout with large home folders
• Must have as much free disk space as the size of the home folder

To enable FileVault:

1. Open Apple menu > System Preferences > Security.

   

2. Select the FileVault tab.
3. Set a master password for this computer. This should be a password not used for any other purpose.
4. Select the Turn On FileVault button. This step must be done while logged into the account to be protected. If multiple accounts are on this computer, the user must log in to their own account and repeat this step to protect that home folder.

ENCRYPTED DISK IMAGE

FileVault is a great security tool, but there is one potentially deal-breaking drawback - performance. The larger your home directory, the longer time it will take to log in and log out. At some point this will become too long. There is another option - Encrypted Disk Image. By using an EDI, you only need to encrypt your sensitive data, not your entire home directory.

An EDI is a folder that holds anything you wish, that is then encrypted to a file. Double-clicking on the encrypted file will prompt for a password. Once entered, the file is decrypted, mounting to the Desktop as a disk. When you are done working with the disk, eject it, which will again encrypt all data to a file.

Advantages:

• Encrypts only targeted data
• May be easily copied from one computer to another by file transfer or email
• Accessible only on Mac OS X computers
• Military-grade encryption

Disadvantages:

• Accessible only on Mac OS X computers

To create an Encrypted Disk Image:

1. Open Disk Utility (located in /Applications/Utilities/).
2. Click the New Image icon from the tool bar.
3. From the New Image window > Save As field, enter a name for the image.
4. In the Volume Name field, enter a name for the mounted disk image.
5. From the Volume Size pop-up, set the size for your image. Make sure to set the size to at least as large as you expect you will ever need.
6. From the Volume Format pop-up, select Mac OS Extended (Journaled).
7. From the Encryption pop-up, select 128-bit AES Encryption.
8. From the Partitions pop-up, select Single Partition - Apple Partition Map.
9. From the Image Format pop-up, select Sparse Disk Image.
10. Click the Create button.
11. In the Password window, enter your desired password.
12. Click the OK button.

To access your Encrypted Disk Image:

1. Double-click the Encrypted Disk Image.
2. At the Password window, enter the password.
3. Click the OK button.

To re-encrypt the Encrypted Disk Image:

1. When you are done using the EDI, unmount/eject the volume.

WHOLE DISK ENCRYPTION

Expanding on the concept of FileVault, Whole Disk Encryption encrypts not only your home, but the whole disk.
The advantages of WDE include:

• All home folders, and the entire drive are encrypted.
• No need to have free disk space to perform the encryption.
• Normal login and logout times.

The disadvantages of WDE include:

• Cost - all options are 3rd-party, and may require expense to purchase and labor to install and configure.
• In the event of disk or directory corruption, it is unlikely repair is possible, though the drive can be erased and reused. This mandates a very good backup strategy.
• Some degradation of system performance induced by real-time encryption/decryption.

Options for WDE include (for full details, see Wikipedia):

• PGP $119. Includes whole disk encryption, pre-boot authentication, external drive encryption, flash/thumb drive encryption.
• CheckPoint $129. Includes whole disk encryption, pre-boot authentication, integration with Active Directory and Open Directory networks. Fastest, least intrusive.
• TrueCrypt $0 (open source). Includes whole disk encryption, external drive encryption, flash/thumb drive encryption, plausible deniability with hidden volume.

RECOVERING YOUR STOLEN COMPUTER

According to the FBI statistics, only 3% of stolen laptops are recovered. According to Absolute Software, they have been able to recover 80% of stolen laptops that have their LoJack for Laptops installed.

LoJack is available in several editions, with increasing service offerings. With the $40 per year Standard Edition, you get geo location of your laptop with police notification. The $60 per year Premium Edition adds remote data deletion and a $1,000 service guarantee of recovery.

However, I personally take that $60 and use it to purchase computer insurance from Safeware. Wouldn’t you rather get an insurance settlement for a new computer than get the old (and probably beat up) computer back?


BACKUPS

In the event of catastrophe - be it theft, fire, flood, or even hardware failure or data corruption - it is imperative to have a current backup of your data. At the very least you must have both an on-site and off-site duplicate of your data. This is a topic I have discussed in depth in my blog.


DATA SECURITY AND INTEGRITY REVIEW

Are you certain your personal and company data are maintained and managed at the most appropriate level of security and integrity? If not, it may be time for a check up by The MacXperts.

Tags: anti-virus, password, open firmware, LoJack, Safeware, TrueCrypt, Security, encrypted disk image, backup, Check Point, user accounts, file vault, whole disk encryption, PGP