Posted on 2010/07/30 10:41 AM by admin

In the past year both Dave Gallagher and myself have had a personal laptop stolen. The experience highlighted the issue of security and our findings were depressing indeed. Here are a few points highlighted for your attention and further research. Neither Dave nor I are security experts and this should not be considered legal or professional advice; just a caution against taking security for granted.

Foreword

Anytime an article on security is published it raises the question on whether the author should highlight weaknesses. My personal stance on this is absolutely firm: the people who want to bypass your security already know everything I’m writing below. Literally an intelligent 10-year old could find the information in under 10 minutes using google, and much of the information is posted publicly in Apple’s own help documents. This article is to help honest people understand what is needed to guard themselves against dishonest people.

OSX Password

All Mac user accounts must have a password associated with them. This password is required to make any low-level changes to the system like installing applications or changing important system preferences. If you’ve disabled “Auto-Login” in the system [System Preferences > Security] panel then the password is required to log into the computer. In addition [System Preferences > Security] can be set so that the computer automatically logs you out after X minutes of inactivity and requires a password to log back in. This is a pretty good level of security right?

Breaking the OSX Password

How long does it take to break past the OSX password? Using a good password makes it next to impossible for someone else to guess or “crack” your OSX Password. But they don’t have to. Anyone can change your OSX password by inserting an OSX install DVD and booting from the DVD. They even have a step-by-step guide to do this on Apple.com. Bottom line: if someone has physical access to your computer and more than 5 minutes then your OSX password is useless.

But I use a Firmware Password!

OSX allows you to set a “firmware password” which is required before a user can boot from a DVD. Since the procedure above requires the user to boot from the OSX DVD the idea is that the Firmware Password will prevent someone from subverting your OSX Password. Unfortunately it’s really easy to subvert the firmware password.

Breaking a Firmware Password

The Firmware Password can be reset by opening the computer and physically removing one of the sticks of ram, then booting the computer holding command-option-P-R (the shortcut to reset the PRAM). That’s it – the firmware password has been reset and you can boot from an OSX DVD to reset the OSX Password. If the bad-guy has physical access to the computer this entire process requires a OSX DVD, a screwdriver, and less than 10 minutes and your system is completely unlocked.

So what Can I Do?

So far as I can find, the only way to truly secure your system is FileVault. It may be possible for the NSA or CIA to crack a FileVault password, but as far as I can find, it’s impossible for any average bad guy. So unless you’re carrying state-secrets you’re probably more than safe using a FileVault with a good, hard to guess password. FileVault encrypts the entire contents of your home folder where the vast majority of programs store their data. Your Desktop, Documents, Pictures, Music, and Settings files are are located within your Home folder.

The Damage Possible

Nearly everyone I know stores sensitive information on their computer, even if they don’t know it. Here are some of the things a thief might do after unlocking your computer:

  • Open and view all the passwords you’ve stored on the computer by selecting “Remember this password” in any application
  • Read your email (if you use Mail)
  • Send email in your name to your contacts (“e.g. Hey Mom, I can’t remember my ATM PIN – do you remember it??”)
  • Check popular websites to see if you are auto-logged in (e.g. your gmail/hotmail/AOL email)
  • Go to banking websites and use the “forgot my password” to email your secure passwords to your email address or initiate a password reset

Overall Recommendations

  • Use a reasonably secure OSX password, set up a firmware password, and set up File Vault.
  • Only store confidential documents in your user folder where File Vault will protect it.
  • Turn your [System Preferences > Security] to disable automatic OSX login, and to require a password when coming back from a screen saver, set your screen saver to come on after only a few minutes of inactivity.
  • Tier your passwords. Anything really important like bank accounts, tax information, etc., should be very secure passwords which are not directly related to your less important passwords. When creating throw-away accounts (e.g.  you have to create a username/password for a stupid giveaway) use a dedicated low-security and unrelated password like “nothing123” so that anyone able to view such passwords cannot use them to access your important accounts.
  • Do not use “auto logins” on any website or program which should be secure.
  • Remember that many websites, even some financial websites, will email you your password with only a few (easy to guess/find) questions like date-of-birth. So whichever email address you use with secure accounts needs to be, itself, a high security password and should not be set to auto-login. For example a “hacker” (read: smart alec kid) gained access to one of Sarah Palin’s secure email address by using the “reset password” function which emailed the secure password to a much less secure email address.
  • NEVER write your password down or type it into any document (only password entry fields). If needed write yourself clues on what the password is that are obscure/personal enough that they won’t be decipherable by anyone else. For instance if your password is “John4Galt2 you might remind yourself “Rand Also Can’t Remember” which easily jogs the memory of the originator but would be impossible to reverse engineer.
  • If you ever suspect your computer or smart phone has been stolen immediately reset every password you have. If you have a smart phone which can be remotely wiped do so immediately as anyone who is stealing a phone in order to mine data off of it will know they only have a limited time to take advantage of it.
  • If you have so many passwords you can’t keep track then consider creating an encrypted disk image file where you can type your passwords and other ultra-confidential information. Doing so in OSX takes only a few minutes.
MENU