[HOM]

Recently I began doing more and more transactions online and I needed a way to securely store my receipts from credit card transactions, bank transfers, bill paying, ect so I created an encrypted disk image to store them on. I assumed that even if someone stole my PowerBook they wouldn't have access to my important personal information. I'm a little nervous about File Vault after the initial problems, but I wonder if the kinks have been worked out. But it got me thinking, how could I take more proactive steps to protect my information. Which leads me to my question.


What steps do you take to secure your computer and the personal information contained within?

[DMBand0026]

I have a 12" PB, so needless to say, security is a big thing for me. I don't worry about anyone breaking in and taking the thing, so I don't secure it to my desk, but when I go out I always keep it in a bag. When I go to class, if it's not on my desk my leg is through the strap of the bag so that if someone wanted to run by and grab the bag, they'd have to take me with them.

I have it setup to require my password each time the lid is opened, and to authenticate the screen saver too. I don't let this thing out of my sight when I'm in public, so I don't worry too much about data loss. I try to avoid leaving it in my car anywhere either, if I have to, it's in the trunk or tucked under a seat.

[Wickers]

Quote:

Originally Posted by DMBand0026 When I go to class, if it's not on my desk my leg is through the strap of the bag so that if someone wanted to run by and grab the bag, they'd have to take me with them.

Oh my, DMB you just painted a very funny picture in my head. . .

[PhenixReborn]

First of all, I have a Citibank card that I use for online purchases; their Virtual Account Numbers (VAN) are great because they are only good for that one purchase. The means I can store the reciepts and if anyone gets into my desktop or steals my laptop, the card numbers there won't do them any good. There is a little app that runs in background that you can pump your login and password into and it spits out a VAN right there (and you can't save your l/p, so no worries there).

I use a Dell laptop with XP, so I don't know if this applies to Macs, but requiring a Bios password on boot-up is one of the best things. The only way to defeat it is to drain the Bios battery to reset the password and that requires disassembling the laptop without breaking anything.

Also, if you're a developer, you can use an encryption library, write your own program and encrypt/decrypt files that way. Just use Crypto++, which has a plethora of algorithms to choose from and is free (plug to Brad for the linkie). I should mention that roll-your-own programs are harder to crack if you do them right because the person cracking on them hasn't dealt with yours before.

And just a side note: when using wireless, make sure there is some type of encryption being used for the login and password to a site !!! While most sites will encrypt the personal info, I've come across some (including NCSU's own Unity system) that do not encrypt the l/p.

[Wickers]

Quote:

Originally Posted by PhenixReborn I use a Dell laptop with XP, so I don't know if this applies to Macs, but requiring a Bios password on boot-up is one of the best things. The only way to defeat it is to drain the Bios battery to reset the password and that requires disassembling the laptop without breaking anything.

Sorry sir, but there are other ways of getting passed that.

There are programs that can replace the BIOS password. . . and others that can read the password from the BIOS.

And on top of that most CMOS batterys don't need to be drained, just reverse the battery for a sec then place it back in. . . They are also easy to get at, and you don't need to disassembl it fully or even partly for that matter. Most laptops have it neer a pop-off plate for easy access. . .

Face it, if a hacker want's your information, he/she will get it.
But if some punk just needs a quick buck, he will sell it as is, or just do a clean install.

[HOM]

Quote:

Originally Posted by PhenixReborn First of all, I have a Citibank card that I use for online purchases; their Virtual Account Numbers (VAN) are great because they are only good for that one purchase. The means I can store the reciepts and if anyone gets into my desktop or steals my laptop, the card numbers there won't do them any good. There is a little app that runs in background that you can pump your login and password into and it spits out a VAN right there (and you can't save your l/p, so no worries there).

That's really nifty. I'm going to have to look into that.

Quote:

I use a Dell laptop with XP, so I don't know if this applies to Macs, but requiring a Bios password on boot-up is one of the best things. The only way to defeat it is to drain the Bios battery to reset the password and that requires disassembling the laptop without breaking anything.

Mac have a similar feature. The password is embedded into the firmware so I'm not sure draining the battery would have any effect. However it doesn't restrict access to the info on the HDD if it is removed.

Quote:

And just a side note: when using wireless, make sure there is some type of encryption being used for the login and password to a site !!! While most sites will encrypt the personal info, I've come across some (including NCSU's own Unity system) that do not encrypt the l/p.

I'm not always sure that there is encryption for the L/P, but I have my base station to not broadcast the name and the signal has all the security that 802.11B can offer. Can a sniffer still grab the packets?

Anyone have experience with File Vault? It would seem that this would solve all the issues about protecting the info on the HDD if it ever got into the wrong hands.

[kretara]

HOM wrote:

Quote:

Mac have a similar feature. The password is embedded into the firmware so I'm not sure draining the battery would have any effect. However it doesn't restrict access to the info on the HDD if it is removed.

Yup, just remove the disk and put it into another Mac and you will have full access to the data.
It is fairly easy to get the users password off of the HD depending on how much RAM the computer had/has.

We may have talked about this before on this board, not sure.
Try this at the terminal:
sudo strings -8 /var/vm/swapfile0 |grep -A 4 -i longname

There is a decent chance that your system password will be listed for you (or anyone who has your disk).

I went to the 3 other Macs in our office (where I have sudo rights) and was able to get the passwords of the 3 people who use these computers in seconds. Kind of scary.

[Brad]

The key thing to keep in mind with the above post:

That command requires administrator access.

You can access any files anywhere belonging to anyone as the admin. That's why you don't give out admin accounts to everybody!

[kretara]

Quote:

Originally Posted by Brad The key thing to keep in mind with the above post: That command requires administrator access. You can access any files anywhere belonging to anyone as the admin. That's why you don't give out admin accounts to everybody!

Very close.
As a test (2-3 months ago) I removed the HD from an officemates Mac and installed it in my Mac and I was able to access the files on his HD that was in my Mac. I was able to find his password using the "command" that I posted.

Of course, you can pull a HD out of many computers (most OS's) and pull data off of them.
Imagine. If I had access to your business (say I'm a cleaning person) and I was able to sneak in a laptop and usb/firewire external HD case. I could pull out HD's from the desktops and get info from them as I wanted. I could eventually (with this OS X issue) find most peoples passwords.

[alcimedes]

I stopped using Windows.

[Brad]

Quote:

Originally Posted by kretara I removed the HD from an officemates Mac and installed it in my Mac

Well, you could have stopped right there.

Once you physically start removing comonents of any computer, Mac or otherwise, there's no way you can secure the data other than through encryption... and even encryption will only delay the most determined intruder.

My point earlier was that on Mac OS X in a typical setting, you can't just run that command as a regular user and expect to see passwords showing up. If a guy has enough access to be removing hard drives, you've got a lot more to worry about than just Joe Blow knowing your password.

I have seen a number of people trying to use your argument as a scare tactic that Mac OS X has some horrible gigantic security flaw. In reality, it is a very tiny one. For someone to exploit that flaw they need either a) administrator access or b) to physically remove the drive. In either case, letting out a password is really among the least of the problems.

But, yes, this is a real security threat and, yes, Apple really should prioritize to get it fixed. I will agree with you there.

[Wickers]

Quote:

Originally Posted by kretara Very close. As a test (2-3 months ago) I removed the HD from an officemates Mac and installed it in my Mac and I was able to access the files on his HD that was in my Mac. I was able to find his password using the "command" that I posted. Of course, you can pull a HD out of many computers (most OS's) and pull data off of them. Imagine. If I had access to your business (say I'm a cleaning person) and I was able to sneak in a laptop and usb/firewire external HD case. I could pull out HD's from the desktops and get info from them as I wanted. I could eventually (with this OS X issue) find most peoples passwords.

You see this is the main problem.

Once the computer is physically in the hands of someone who wants the data, he/she will have it.

You can only protect yourself from non-local attacks. . . unless you wish to get creative with 'booby' traps within your computer case, consider yourself helpless if someone swipes your drive.

IMO the best defense is a theft deterrent, like a security system around the office, locked doors, and plenty of visible cameras. . . this would be in an friendly office environment of course. And a lock kits for laptops and PCs.

In the end, you have to ask yourself, is my data worth that much? And would someone steal my computer for the computer itself, or the data on it?

[Crusader]

1024 bit encryption and big magnets.

[PhenixReborn]

Granted, if someone removed the HD and put it in another computer, then there is nothing to be done but to use encryption.

But one question: how can a program be used to hack the Bios password? I mean, since there is no OS or anything booted up until after you enter it? For my notebook, it does the RAM check and then asks for the password and won't even check the floppy or CD drive until you unlock it with the right password. So how do you use a program to crack it?

[alcimedes]

does the BIOS password kick in before target disk mode?

[Brad]

Quote:

Originally Posted by PhenixReborn But one question: how can a program be used to hack the Bios password? I mean, since there is no OS or anything booted up until after you enter it? For my notebook, it does the RAM check and then asks for the password and won't even check the floppy or CD drive until you unlock it with the right password. So how do you use a program to crack it?

I'm not sure how it works in the Windows world, but in the Mac world, the boot sequence is handled by Open Firmware. The various options for booting are stored in NV-RAM and PRAM. Like PCs, Macs can have a password required at boot by the Open Firmware. I don't know how the OF stores the password, though. OF can also disable booting from CDs, etc.

Apple does give a warning, however:

Quote:

The Open Firmware Password will be reset if a user changes the amount of the physical memory in the machine and reboots. Systems which require Open Firmware Password level security need to be protected from users gaining physical access to the internals of the computer.

So, again, it's worth noting that no matter how hard you try with these "solutions", once someone gets *inside* the machine, there's really no way to stop them.

Apple has a TN about "Creating Kiosks on Mac OS X" that mention some related features. Apple also has a section dedicated to Security on the developer site.

Back to your question about hacking the BIOS password: that all depends on how that password is stored. In the Mac world, you have to have administrator access to run any commands that access NV-RAM from within Mac OS X. Even then, though, I don't know if the password is stored in a human-readable format or if it's a hash. Documentation on this is very sparse.

[Brad]

Quote:

Originally Posted by alcimedes does the BIOS password kick in before target disk mode?

Yes.

[sunrain]

Quote:

Originally Posted by alcimedes I stopped using Windows.

Ditto.

[Wickers]

Quote:

Originally Posted by PhenixReborn But one question: how can a program be used to hack the Bios password? I mean, since there is no OS or anything booted up until after you enter it? For my notebook, it does the RAM check and then asks for the password and won't even check the floppy or CD drive until you unlock it with the right password. So how do you use a program to crack it?

In that case, if gaining access to your system is worth the trouble of running the hack in the first place. . . Then the 'hacker' would just reverse the contacts of the CMOS battery for a second (which is not hard to do) then place the battery back in and reboot. The BIOS will revert to the default settings and the 'hacker' gets in.

Now, if you just have a password to get into the BIOS setup, but the computer will boot off a CD if there. Then you could boot a Linux distro (Knoppix STD in this case, but others have the same program) and read the Password right off the chip, or just replace the password at will.

like I, and many others have said, once someone who wants information on your computer has physical access to it. . . it is only a matter of time till he/she gets the information.


Now, leaving that behind. This popped into my head.

One way of keeping vital information safe is ONLY saving it to a removable USB flash drive and keeping the flash drive hidden some where at home.

That way, before work you load the contents of the flash drive into a RAM disk. You can then play with the information all day, as long as you don't reboot. And at the end of the day you sync the changes back to the USB flash drive.

If someone steals your computer looking for that information. The person would have to reboot it to gain access via a Live CD, thus killing the RAM disk.

Just a little thought that came to mind.

[Koodari]

Quote:

Originally Posted by Brad Once you physically start removing comonents of any computer, Mac or otherwise, there's no way you can secure the data other than through encryption... and even encryption will only delay the most determined intruder.

Just how does this determined intruder get through encryption, delay or no delay, if the whole disk including swap and boot are encrypted?

I'd really like to see Apple add encryption for swap and hibernation data.

[alcimedes]

couldn't you just pull the drive out of said machine, attach it to another computer and start hammering away at the encryption then?

[Brad]

Quote:

Originally Posted by alcimedes couldn't you just pull the drive out of said machine, attach it to another computer and start hammering away at the encryption then?

Yup!

All you have to do is break the encryption password and, voila, there's all the data. Most people use simple words for their passwords (often names or nicknames of family members); so, if you know a little bit about the person and have a program that'll run tests from a dictionary, you greatly improve the chance of breaking that password. The most difficult case would be a hash of random letters and numbers, but most people aren't smart enough to use and remember passwords like that.

Of course, even with a random hash, it's only a matter of time before a brute force method succeeds. It may take a long time, but it'll happen.

[Koodari]

Quote:

Originally Posted by Brad All you have to do is break the encryption password and, voila, there's all the data. Most people use simple words for their passwords (often names or nicknames of family members); so, if you know a little bit about the person and have a program that'll run tests from a dictionary, you greatly improve the chance of breaking that password. The most difficult case would be a hash of random letters and numbers, but most people aren't smart enough to use and remember passwords like that. Of course, even with a random hash, it's only a matter of time before a brute force method succeeds. It may take a long time, but it'll happen.

What you're saying there is that there is no secure identification besides physical tokens. How fast is it really to brute force an 8 or 12 character random alphanumeric hash?

[Brad]

I've seen a program that can break a typical password in about a day of processing on a moderately fast PowerMac. I can't remember the name of it... I read a discussion of some members over at MSJ having success with it, but MSJ went kaput a few months ago.

[PhenixReborn]

Concerning the BIOS password, it is stored in SRAM on the main board. You have to go through the password screen before booting up or accessing the BIOS setup. Pretty much the only way to get around it is to reverse the battery and reset the password. What would be nice would be the ability to set a default password so that if you do flip the battery, it would reset to having a password. Really, the only way to protect your data from someone who has your computer is sometype of self-destruct (or apparent self-destruct) that just makes it impossible (or apparently impossible) to access the data.

Concerning encryption and cracking it, here's some basic stuff I picked up while doing my senior project (encrypting a database of fingerprints used for ID):

To decrypt something requires only two things: an "idea" of how it was encrypted and something to check it against. That means even if the entire hard drive was encrypted, including swap files and what have you, it could still be hacked as long as the hacker can compare some part (any part) of the encrypted hard drive with something he/she knows to be an unencrypted version.

So if there is a standard header somewhere in the boot files or something like that, it would only take time. Also, since it would only be a small part that needs to be compared to determine a successful crack, many different algortihms (AES, DES, M5, etc) could be tried in rapid succession without taking much more time.

The best way to use encryption is to use a passphrase of letters, numbers, and best of all, something misspelled. Most of my passwords are words I constantly misspell, so I can easily remember them. Since they aren't real words, a dictionary hacker like what Brad mentioned (where the program just tries common pass phrases) wouldn't work so well. Also, make it a long passphrase. Mine is 14 characters for the important stuff.

When you just have to "brute force" hack the encryption, it can take a long, LONG time. I think the best record so far for 128-bit AES (Federal Standard, aka Rjindahl) is 3-days on a Cray geared just for hacking the encryption.

And don't worry about your credit cards zipping around the net: they are encrypted with 128-bit RSA using disposable keys. Cracking it only gives them the number once. It's a lot more complex than you might think. Most stolen card numbers are intercepted from unencrypted channels or ripped from unsecured databases where they are (illegally) stored by companies for future use (note: illegal unless you agree to it in the EULA or TOS that you never read :smokey: )

[Koodari]

I did some calculating. 3 days on a tuned Cray sounds pretty good (if you only need to hide stuff from private persons, not the government), but you need about 26 alphanumeric characters for 128 bits of randomness. Obviously no one is going to *have* a key with 26 totally random alphanumerics, and the effect of the length is exponential, so it seems a 8- or 12-length key isn't so great even if totally random. I wonder - how long will it take a Powermac or a fast PC to crack a random, 10 character (~ 50 bit) password? That's about as much as I could handle just in memory.

Damn, this stuff gets me worked up, I really need to take some computer security courses.

[iLikeMyiMacG4]

Some of my passwords are in a language besides english(cryllic, german, latin...ect) so I guess a dictionary attack wouldn't work to well. I try not to have one password for everything that way if someone gets one they won't have access to everything.

[Spart]

Quote:

Originally Posted by Brad I've seen a program that can break a typical password in about a day of processing on a moderately fast PowerMac. I can't remember the name of it... I read a discussion of some members over at MSJ having success with it, but MSJ went kaput a few months ago.

You're probably referring to John the Ripper...

Were they breaking the MD5 hashes from 10.2, or the SMB hashes from 10.3?

An odd thing about 10.3, while Apple went to great lengths to make password hashes more unbreakable, for some stupid reason every account created in 10.3 also spawns an easily cracked hash for use with Windows file sharing, regardless of whether sharing is turned on.

[Spart]

Quote:

Originally Posted by Brad The key thing to keep in mind with the above post: That command requires administrator access. You can access any files anywhere belonging to anyone as the admin. That's why you don't give out admin accounts to everybody!

The thing to keep in mind with your post is that administrator accounts aren't hard to come by if single user mode isn't disabled on the machine in some way.