The Elder™
Join Date: May 2004
Location: The Rostra
|
Recently I began doing more and more transactions online and I needed a way to securely store my receipts from credit card transactions, bank transfers, bill paying, ect so I created an encrypted disk image to store them on. I assumed that even if someone stole my PowerBook they wouldn't have access to my important personal information. I'm a little nervous about File Vault after the initial problems, but I wonder if the kinks have been worked out. But it got me thinking, how could I take more proactive steps to protect my information. Which leads me to my question.
What steps do you take to secure your computer and the personal information contained within? |
quote |
Veteran Member
Join Date: May 2004
Location: Chicago
|
I have a 12" PB, so needless to say, security is a big thing for me. I don't worry about anyone breaking in and taking the thing, so I don't secure it to my desk, but when I go out I always keep it in a bag. When I go to class, if it's not on my desk my leg is through the strap of the bag so that if someone wanted to run by and grab the bag, they'd have to take me with them.
I have it setup to require my password each time the lid is opened, and to authenticate the screen saver too. I don't let this thing out of my sight when I'm in public, so I don't worry too much about data loss. I try to avoid leaving it in my car anywhere either, if I have to, it's in the trunk or tucked under a seat. Come waste your time with me |
quote |
is not a kind of basket
Join Date: May 2004
|
Quote:
|
|
quote |
Member
Join Date: Jul 2004
|
First of all, I have a Citibank card that I use for online purchases; their Virtual Account Numbers (VAN) are great because they are only good for that one purchase. The means I can store the reciepts and if anyone gets into my desktop or steals my laptop, the card numbers there won't do them any good. There is a little app that runs in background that you can pump your login and password into and it spits out a VAN right there (and you can't save your l/p, so no worries there).
I use a Dell laptop with XP, so I don't know if this applies to Macs, but requiring a Bios password on boot-up is one of the best things. The only way to defeat it is to drain the Bios battery to reset the password and that requires disassembling the laptop without breaking anything. Also, if you're a developer, you can use an encryption library, write your own program and encrypt/decrypt files that way. Just use Crypto++, which has a plethora of algorithms to choose from and is free (plug to Brad for the linkie). I should mention that roll-your-own programs are harder to crack if you do them right because the person cracking on them hasn't dealt with yours before. And just a side note: when using wireless, make sure there is some type of encryption being used for the login and password to a site !!! While most sites will encrypt the personal info, I've come across some (including NCSU's own Unity system) that do not encrypt the l/p. |
quote |
is not a kind of basket
Join Date: May 2004
|
Quote:
There are programs that can replace the BIOS password. . . and others that can read the password from the BIOS. And on top of that most CMOS batterys don't need to be drained, just reverse the battery for a sec then place it back in. . . They are also easy to get at, and you don't need to disassembl it fully or even partly for that matter. Most laptops have it neer a pop-off plate for easy access. . . Face it, if a hacker want's your information, he/she will get it. But if some punk just needs a quick buck, he will sell it as is, or just do a clean install. no sig, how's that for being a rebel! |
|
quote |
The Elder™
Join Date: May 2004
Location: The Rostra
|
Quote:
Quote:
Quote:
Anyone have experience with File Vault? It would seem that this would solve all the issues about protecting the info on the HDD if it ever got into the wrong hands. |
|||
quote |
Cynical Old Bastard
|
HOM wrote:
Quote:
It is fairly easy to get the users password off of the HD depending on how much RAM the computer had/has. We may have talked about this before on this board, not sure. Try this at the terminal: sudo strings -8 /var/vm/swapfile0 |grep -A 4 -i longname There is a decent chance that your system password will be listed for you (or anyone who has your disk). I went to the 3 other Macs in our office (where I have sudo rights) and was able to get the passwords of the 3 people who use these computers in seconds. Kind of scary. |
|
quote |
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
The key thing to keep in mind with the above post:
That command requires administrator access. You can access any files anywhere belonging to anyone as the admin. That's why you don't give out admin accounts to everybody! The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting. |
quote |
Cynical Old Bastard
|
Quote:
As a test (2-3 months ago) I removed the HD from an officemates Mac and installed it in my Mac and I was able to access the files on his HD that was in my Mac. I was able to find his password using the "command" that I posted. Of course, you can pull a HD out of many computers (most OS's) and pull data off of them. Imagine. If I had access to your business (say I'm a cleaning person) and I was able to sneak in a laptop and usb/firewire external HD case. I could pull out HD's from the desktops and get info from them as I wanted. I could eventually (with this OS X issue) find most peoples passwords. |
|
quote |
I shot the sherrif.
|
I stopped using Windows.
|
quote |
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
Quote:
Once you physically start removing comonents of any computer, Mac or otherwise, there's no way you can secure the data other than through encryption... and even encryption will only delay the most determined intruder. My point earlier was that on Mac OS X in a typical setting, you can't just run that command as a regular user and expect to see passwords showing up. If a guy has enough access to be removing hard drives, you've got a lot more to worry about than just Joe Blow knowing your password. I have seen a number of people trying to use your argument as a scare tactic that Mac OS X has some horrible gigantic security flaw. In reality, it is a very tiny one. For someone to exploit that flaw they need either a) administrator access or b) to physically remove the drive. In either case, letting out a password is really among the least of the problems. But, yes, this is a real security threat and, yes, Apple really should prioritize to get it fixed. I will agree with you there. The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting. |
|
quote |
is not a kind of basket
Join Date: May 2004
|
Quote:
You see this is the main problem. Once the computer is physically in the hands of someone who wants the data, he/she will have it. You can only protect yourself from non-local attacks. . . unless you wish to get creative with 'booby' traps within your computer case, consider yourself helpless if someone swipes your drive. IMO the best defense is a theft deterrent, like a security system around the office, locked doors, and plenty of visible cameras. . . this would be in an friendly office environment of course. And a lock kits for laptops and PCs. In the end, you have to ask yourself, is my data worth that much? And would someone steal my computer for the computer itself, or the data on it? no sig, how's that for being a rebel! |
|
quote |
Senior Member
|
1024 bit encryption and big magnets.
|
quote |
Member
Join Date: Jul 2004
|
Granted, if someone removed the HD and put it in another computer, then there is nothing to be done but to use encryption.
But one question: how can a program be used to hack the Bios password? I mean, since there is no OS or anything booted up until after you enter it? For my notebook, it does the RAM check and then asks for the password and won't even check the floppy or CD drive until you unlock it with the right password. So how do you use a program to crack it? |
quote |
I shot the sherrif.
|
does the BIOS password kick in before target disk mode?
|
quote |
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
Quote:
Apple does give a warning, however: Quote:
Apple has a TN about "Creating Kiosks on Mac OS X" that mention some related features. Apple also has a section dedicated to Security on the developer site. Back to your question about hacking the BIOS password: that all depends on how that password is stored. In the Mac world, you have to have administrator access to run any commands that access NV-RAM from within Mac OS X. Even then, though, I don't know if the password is stored in a human-readable format or if it's a hash. Documentation on this is very sparse. The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting. |
||
quote |
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
Quote:
|
|
quote |
Veteran Member
Join Date: Jun 2004
Location: Portlandia
|
Quote:
|
|
quote |
is not a kind of basket
Join Date: May 2004
|
Quote:
Now, if you just have a password to get into the BIOS setup, but the computer will boot off a CD if there. Then you could boot a Linux distro (Knoppix STD in this case, but others have the same program) and read the Password right off the chip, or just replace the password at will. like I, and many others have said, once someone who wants information on your computer has physical access to it. . . it is only a matter of time till he/she gets the information. Now, leaving that behind. This popped into my head. One way of keeping vital information safe is ONLY saving it to a removable USB flash drive and keeping the flash drive hidden some where at home. That way, before work you load the contents of the flash drive into a RAM disk. You can then play with the information all day, as long as you don't reboot. And at the end of the day you sync the changes back to the USB flash drive. If someone steals your computer looking for that information. The person would have to reboot it to gain access via a Live CD, thus killing the RAM disk. Just a little thought that came to mind. no sig, how's that for being a rebel! |
|
quote |
Veteran Member
Join Date: Jun 2004
|
Quote:
I'd really like to see Apple add encryption for swap and hibernation data. |
|
quote |
I shot the sherrif.
|
couldn't you just pull the drive out of said machine, attach it to another computer and start hammering away at the encryption then?
|
quote |
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
Quote:
All you have to do is break the encryption password and, voila, there's all the data. Most people use simple words for their passwords (often names or nicknames of family members); so, if you know a little bit about the person and have a program that'll run tests from a dictionary, you greatly improve the chance of breaking that password. The most difficult case would be a hash of random letters and numbers, but most people aren't smart enough to use and remember passwords like that. Of course, even with a random hash, it's only a matter of time before a brute force method succeeds. It may take a long time, but it'll happen. The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting. |
|
quote |
Veteran Member
Join Date: Jun 2004
|
Quote:
|
|
quote |
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
|
I've seen a program that can break a typical password in about a day of processing on a moderately fast PowerMac. I can't remember the name of it... I read a discussion of some members over at MSJ having success with it, but MSJ went kaput a few months ago.
The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting. |
quote |
Member
Join Date: Jul 2004
|
Concerning the BIOS password, it is stored in SRAM on the main board. You have to go through the password screen before booting up or accessing the BIOS setup. Pretty much the only way to get around it is to reverse the battery and reset the password. What would be nice would be the ability to set a default password so that if you do flip the battery, it would reset to having a password. Really, the only way to protect your data from someone who has your computer is sometype of self-destruct (or apparent self-destruct) that just makes it impossible (or apparently impossible) to access the data.
Concerning encryption and cracking it, here's some basic stuff I picked up while doing my senior project (encrypting a database of fingerprints used for ID): To decrypt something requires only two things: an "idea" of how it was encrypted and something to check it against. That means even if the entire hard drive was encrypted, including swap files and what have you, it could still be hacked as long as the hacker can compare some part (any part) of the encrypted hard drive with something he/she knows to be an unencrypted version. So if there is a standard header somewhere in the boot files or something like that, it would only take time. Also, since it would only be a small part that needs to be compared to determine a successful crack, many different algortihms (AES, DES, M5, etc) could be tried in rapid succession without taking much more time. The best way to use encryption is to use a passphrase of letters, numbers, and best of all, something misspelled. Most of my passwords are words I constantly misspell, so I can easily remember them. Since they aren't real words, a dictionary hacker like what Brad mentioned (where the program just tries common pass phrases) wouldn't work so well. Also, make it a long passphrase. Mine is 14 characters for the important stuff. When you just have to "brute force" hack the encryption, it can take a long, LONG time. I think the best record so far for 128-bit AES (Federal Standard, aka Rjindahl) is 3-days on a Cray geared just for hacking the encryption. And don't worry about your credit cards zipping around the net: they are encrypted with 128-bit RSA using disposable keys. Cracking it only gives them the number once. It's a lot more complex than you might think. Most stolen card numbers are intercepted from unencrypted channels or ripped from unsecured databases where they are (illegally) stored by companies for future use (note: illegal unless you agree to it in the EULA or TOS that you never read :smokey: ) |
quote |
Veteran Member
Join Date: Jun 2004
|
I did some calculating. 3 days on a tuned Cray sounds pretty good (if you only need to hide stuff from private persons, not the government), but you need about 26 alphanumeric characters for 128 bits of randomness. Obviously no one is going to *have* a key with 26 totally random alphanumerics, and the effect of the length is exponential, so it seems a 8- or 12-length key isn't so great even if totally random. I wonder - how long will it take a Powermac or a fast PC to crack a random, 10 character (~ 50 bit) password? That's about as much as I could handle just in memory.
Damn, this stuff gets me worked up, I really need to take some computer security courses. |
quote |
Member
|
Some of my passwords are in a language besides english(cryllic, german, latin...ect) so I guess a dictionary attack wouldn't work to well. I try not to have one password for everything that way if someone gets one they won't have access to everything.
|
quote |
Member
Join Date: Jun 2004
Location: Iowa
|
Quote:
Were they breaking the MD5 hashes from 10.2, or the SMB hashes from 10.3? An odd thing about 10.3, while Apple went to great lengths to make password hashes more unbreakable, for some stupid reason every account created in 10.3 also spawns an easily cracked hash for use with Windows file sharing, regardless of whether sharing is turned on. |
|
quote |
Member
Join Date: Jun 2004
Location: Iowa
|
Quote:
|
|
quote |
Posting Rules | Navigation |
|
Thread Tools | |
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Info about importing powerbook from US to UK? | feend | General Discussion | 13 | 2005-03-16 21:42 |
New iPod info from ThinkSecret! | psmith2.0 | Speculation and Rumors | 49 | 2004-07-15 22:58 |
Official Tiger Info from WWDC (and Apple.com) | Brad | Apple Products | 60 | 2004-07-08 14:07 |
Spotlight info | feend | Apple Products | 2 | 2004-07-05 09:25 |