6

What setup do you recommend to protect data on a MacBook in the event of theft/loss of the device?

I'm specifically interested in Macs here, rather than laptops generally, and in concrete recommendations rather than what's theoretically possible. In particular the new MBAs, as these don't seem to have a way to physically lock the device to anything.

I'm interested in addressing attacks that a reasonably sophisticated attacker who was interested in obtaining the data on the device, rather than the device itself, might attempt (e.g. booting an alternate OS from a USB key, trying to put the Mac into target disk mode, physically removing the drive, etc.)

AviD
  • 72,138
  • 22
  • 136
  • 218
frankodwyer
  • 1,907
  • 12
  • 13
  • There is data one would need to protect on a Macbook? Didn't Apple reveal all of its iPad customers' emails? It appears that they also track you via your iPhone GPS data. I wouldn't trust them for anything! – atdre Apr 23 '11 at 23:51
  • @atdre, the iPhone tracking has been debunked (this data is only used locally, and for GPS-enabled apps, like maps). Besides, thats not the point of the question, please keep your rants on-topic. – AviD Apr 24 '11 at 07:55
  • @AviD: Smoking gun -- http://marcoramilli.blogspot.com/2011/04/iphone-tracker.html -- guess you were wrong about the iPhone tracking, right? – atdre Apr 26 '11 at 17:03
  • It's not just iPhones, btw. With the newer smartphones, from the OS to the applications you load will use your GPS location as well as your mic (listening to ambient noise to gather more information) to gather information. Obviously not all will, and if you pay attention to permissions you can protect yourself, but it still happens. Also, here's another article for you guys... http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=41040 – Ormis Apr 26 '11 at 18:20
  • @atdre, not exactly a smoking gun, but there is a lot of disclarity as of yet. Also, I asked a [question](http://security.stackexchange.com/q/3364/33) here, based on the points you raised... You've piqued my curiosity, I'd appreciate if you can jump in. – AviD Apr 26 '11 at 20:30
  • @AviD: Here is a smouldering bazooka -- http://gawker.com/?_escaped_fragment_=5795442/apple-patent-reveals-extensive-stalking-plans – atdre Apr 28 '11 at 07:43
  • 1
    @atdre, here is not the place for anti-mac rants, fud or otherwise. Please refrain from this here... 'course, you could always pop over to the chatroom to give us an earful ;) – AviD Apr 28 '11 at 14:51
  • @AviD: I want to be on the chat, but I hate idlers and everyone just seems to idle. As for the rants -- I have plenty, but they are security/privacy focused usually. I'll try to keep them less anti-mac-related. – atdre Apr 28 '11 at 15:14

4 Answers4

5

As everyone else has covered encryption:

  • don't put data on the MacBook in the first place if you don't need it. I use an iMac as my regular work machine, and synchronise the files I need on my MacBook when I take it out.
  • firmware password will make it harder for people to boot into other operating systems / recovery disks. Interestingly the FireWire drivers on OS X also deny DMA requests when the firmware password is enabled. This stops someone dumping the memory of your live laptop.
  • Kensington lock when you're settled into your working location.
  • automatic, and hot-corner-activated, screen locking requiring password to unlock. To reduce the chance that when they make off with your laptop, it's unlocked. For similar reasons, change your keychain password and set that to lock automatically too.

May as well say that I summarised a lot of this a couple of years ago in a paper for Sophos. I no longer work there.

  • Great point about not putting the data on there in the first place if you don't have to. – frankodwyer Apr 24 '11 at 09:25
  • Regarding "automatic, and hot-corner-activated, screen locking requiring password to unlock". Don't forget instead of hot-corner you can use the keybind too turn off screen. Ctrl + shift + power, and that combined with the same password to unlock screen is also helpful for those of us that do not like the hot corners. –  Jan 14 '16 at 19:13
4

The #1 most important defense: use full-disk encryption.

Apple's FileVault 2 makes it easy to encrypt your disk. It is built into the operating system and very easy to use. (Truecrypt, PGP full disk encryption, and Bitlocker also get good reviews, but they're more useful for Windows machines, which don't have built-in support for full disk encryption. On Macs, I recommend using the built-in FileVault 2.)

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • any suggestions for products? I have used PGP full disk encryption previously but have been leery of putting it on my new MBA and am holding out to see if the disk encryption in Lion is any good. – frankodwyer Apr 22 '11 at 08:00
  • @frankodwyer, I have heard positive reviews of Truecrypt and PGP full disk encryption from others I respect, but I don't have enough information to make a recommendation of my own, and I don't have any experience with how well they work on Macs. Sorry to be useless. – D.W. Apr 23 '11 at 05:41
  • I use Sophos's product. Works fine for me so far, no performance hit I've noticed. I wish it integrated with their central management tools (like the windows version does) but it's better than not having the disk encrypted. – Graham Hill Jul 13 '12 at 10:52
1

I have to first suggest a disk encryption. I believe that one of the most common tools, True Crypt, does not work pre boot on macs. It will still work post boot but it is not as secure.

Any type of encryption will protect from information leaks in most attack cases. But... if you don't use a full disk encryption there might still be the possibility of information leaking. Consider, as an example, a tool that displays the sys log file on the desktop and saves a lot of data like access filenames, errors etc. A lot of applications store data in their own data stores. So, to be on the safe side you would want to encrypt everything.

I would also suggest that you lock down the device while on the go. At the OS/user level, go to the Security section of System Preferences and check everything that wont make you go nuts :). You should also visit the Sharing section and uncheck anything you don't plan to use.

George
  • 2,813
  • 2
  • 23
  • 39
KilledKenny
  • 1,662
  • 4
  • 19
  • 28
  • I also sugest that you might take a look at [What are the good use cases for disk encryption?](http://security.stackexchange.com/q/3214/2023) – KilledKenny Apr 21 '11 at 21:44
  • And if you are interested in more mac specific questions then http://apple.stackexchange.com/ might be something to check out. – KilledKenny Apr 21 '11 at 22:11
  • yes it is was that question which reminded me of this one - as some people are suggesting full disk encryption is not all that useful for this scenario, I was interested to know what controls they do suggest. – frankodwyer Apr 22 '11 at 07:59
  • @frankdwyer please explain why it's not useful. There's no setting/ application that can protect you from someone taking out the hdd and opening it as a external drive. The only way to protect static data is by preventing access to it or encrypt it. – KilledKenny Apr 22 '11 at 08:30
  • I didn't say it wasn't useful - I said some people suggested that it isn't. I'm not one of them :-) – frankodwyer Apr 24 '11 at 09:23
1

A self-encrypting disk (SED) is generally preferred. It has all of the benefits of whole/full disk encryption (FDE), but it also is accelerated in hardware so that the OS or another program doesn't have to bother. Perhaps this also makes it more secure, although the general worry would be with cold boot attacks on the physical DRAM.

Linux is a better choice because you can utilize secure memory deletion/freeing utilities. However, I would suggest an Asus laptop/netbook/pad to run Linux -- or a similar machine, especially if it has switchable graphics (e.g. nVIDIA Optimus) support for Linux.

Macbooks are notoriously difficult to get a working SED. SEDs require a BIOS; Macbooks (and Apple computers in general) have EFI (not a BIOS).

For Mac, you can use a $120 program called SecureDoc from WinMagic. Note that the last MacBook to support pluggable drives that support SED technology (someone please correct me here if I'm wrong) is the 2012 MBP 13" model, which is still on sale -- http://www.apple.com/shop/buy-mac/macbook-pro?product=MD101LL/A&step=config

atdre
  • 18,885
  • 6
  • 58
  • 107