FileVault

Latest

  • Your Mac's connection to Harry Potter

    by Steve Sande
    05.17.2013

    The next time you wish to hack into a Mac, it may help to grab your wand and book of spells. At the NoSuchCon security conference this week, security architect Alex Ionescu presented a talk where he revealed that special undocumented code on a Mac's SMC (system management controller) can be invoked by entering a secret spell used in J.K. Rowling's Harry Potter series. That spell is "SpecialisRevelio," the words used by a wizard to "reveal charms and hexes that have been cast onto a target" or "reveal the ingredients of a potion." In an Ars Technica post about the secret spell, blogger Dan Goodin notes, "While most details are far too technical for this article, the gist of the research is that the SMC is a chip that very few people can read, but just about anyone with rudimentary technical skills can 'flash' update." One of the possible attacks that Ionescu pointed out is infecting the SMC with code to pull out the FileVault key used to encrypt a Mac drive, although to implement this, an attacker would have to know details of the Mac like the model, year and screen size in advance. Much more likely attacks provided by the spell backdoor include marking targets. The SMC could be programmed to emit audible or visual alerts through the fans or LED displays, which could point out a specific Mac to an attacker. A Mac could even be programmed to turn off at a certain time and refuse to boot again. There's good news in all of this scary talk: to reflash the firmware an attacker has to have physical access to the Mac. Ionescu also reported that many of the SMC security holes were plugged in OS X Mountain Lion. A full copy of the presentation can be downloaded here (PDF file).

  • New command line tools in Mountain Lion manage encryption, sleep and sharing

    by TJ Luoma
    07.30.2012

    For fans of the Terminal, Mountain Lion brought some new command-line utilities. Perhaps the most notable is fdesetup, which Apple explains briefly: "fdesetup allows third-party management tools to enable FileVault, determine encryption status, capture and manage recovery keys, and add users to a FileVault-encrypted system as well as synchronize directory-based user authentication credentials with the local credentials for FileVault access."

    Apple provides a 'man' page for fdesetup, but if you want more information about it, Rich Trouton at Der Flounder has a very thorough walk-through with a bunch of screenshots and excellent explanations. I'm definitely keeping this one in Pinboard for the inevitable day when I want or need to use fdesetup. I'm also glad to have a more low-level tool for working with FileVault. I had written previously about the "hoops" which were necessary to disable certain users from being able to unlock the computer with FileVault. That process is now a lot easier.

    But wait, there's more! Patrix over at the Ask Different blog discovered several other new command-line utilities. Some of them are generic Unix utilities (pgrep and pkill) but there are also some OS X specific ones, including:

    caffeinate – prevent the system from sleeping on behalf of a utility
    serverinfo – determine server status (is this OS X Server, and, if so, are these things enabled)
    sharing – create share points for AFP, FTP and SMB services
    tccutil – manage the privacy database

    See the original article for more details. Of these, caffeinate seems like the most interesting. I have used Caffeine, the free app from Lighthead Software, to keep my Mac awake at times, but being able to do it in shell scripts could definitely come in handy.

    Still missing your favorite Unix utility?

    If Mountain Lion still doesn't have your favorite utility, don't forget you have other options. I have used Rudix when I wanted precompiled binaries, and Homebrew when I want to make my own. Mostly these days I stick with Homebrew, which is regularly updated by a bunch of people, versus Rudix which has a smaller library and seems to be mostly the labor of love of one developer. Others may prefer Fink or MacPorts; I have used both in the past but haven't kept up with them recently. Both of them appear to have been updated for Mountain Lion.

  • Mountain Lion 101: Finder encryption via contextual menu (updated)

    by Mike Schramm
    07.27.2012

    [Post updated, see below.] Whole-drive encryption isn't one of the sexiest features in OS X, but it's nice to know it's there. FileVault 2 (introduced in Lion; the original FileVault began in 10.3 Panther) can be very useful, especially for Mac users with sensitive information on their hard drives. The ability to lock down either a boot disk or a removable drive means additional security for Mac users when they need it.

    In Mountain Lion, Apple has made the encryption process easier and faster by adding a contextual menu option to the Finder. Removable drives can be encrypted simply by choosing the Encrypt option when you right-click (or control-click, or two-finger click -- we need a better word for that task) the drive icon. Note that only drives with a GUID partitioning setting can be encrypted, and the resulting encrypted volumes can only be read on other Macs running Lion or Mountain Lion.

    Mountain Lion also adds encryption as an option for Time Machine backups, and there's a new command-line tool (fdesetup, well-described by Rich Trouton) that allows third-party tools and system administrators to monitor and adjust FileVault settings. ML's FileVault can sync credentials with a directory system in enterprise environments, and the overall encryption scheme is in the process of certification under the US government's FIPS 140-2 standard, appropriate for "sensitive but unclassified information."

    Encrypting removable drives is now three-clicks easy, but if you want to encrypt your startup disk completely the process has not changed markedly from Lion. Head into System Preferences under Security & Privacy and choose the FileVault menu. You will need to turn on FileVault there. You'll also need to make sure Recovery HD is installed on your hard drive. It should have been when you first installed your system, but it may not have if something went wrong. Then you'll need to have a password for all users using the encryption.

    Once you activate FileVault, you'll get a recovery key, which is a last-ditch effort to recover your files if your password is lost or forgotten. After that, your files are locked down. You can use the computer normally, but if you ever lose your password and that recovery key (or if someone tries to sneak in without those), your files won't be accessible. There is an option to save the key with Apple itself, but you'll have to answer some other security questions to retrieve it.

    FileVault also offers an "instant wipe" feature, which will wipe the encryption key and all of your files from your Mac. So if you do encrypt your files and ever need to pass it on to someone else, you can be sure none of your secrets will make the trip. FileVault is a powerful feature, and if you need to keep a secret, it can make an important task very simple.

    Update: Clarified that the new features in Mountain Lion are the Finder contextual menu, encrypted TM backups and the command-line fdesetup tool, not the underlying FileVault 2 encryption. Our apologies for the mixup.

  • More updates: Safari 5.1.7 will block out-of-date Flash plugins, tech note updated on FileVault bug

    by Michael Rose
    05.09.2012

    It's a busy Wednesday in the software mines of Cupertino, as Apple followed up the release of OS X 10.7.4 with a patch to the Safari browser and a tech note detailing how to back out from the password/plain text issue in legacy FileVault accounts and other circumstances. Safari 5.1.7 patches three Webkit security flaws, but the big change in user-observable behavior is that it will automatically disable any version of Flash Player older than 10.1.102.64. If the plugin is out of date, Safari will gracefully move it aside and offer to download the latest version. Of course, Safari no longer includes the Flash Player plugin by default. For FileVault or remote home folder users, Apple now recommends upgrading to 10.7.4 followed by a series of steps to change passwords and clear out the log files that may contain the user password in clear text. There are quite a few places where the passwords may have ended up, so be careful to go through all the steps in turn. Apple also provides a set of Terminal commands that will clear the offending logs if needed.

  • Passwords stored in plain text after Lion update

    by Kelly Hodgkins
    05.07.2012

    Legacy FileVault users (those who used FileVault before Lion) running a recently updated version of Mac OS X Lion should consider changing their login passwords. According to a report in ZDNet, an Apple programmer inadvertently left a debug flag in the latest 10.7.3 version of Mac OS X that turns on a system-wide debug log file. This log file stores the user's login passwords in plain text and is located in an unencrypted area. Any user with admin or root access can read this file, grab the login credentials and access your encrypted data. If you use Time Machine to back up your system, this log file is also available from your archive. This glitch affects users who enabled FileVault encryption, upgraded to Lion and kept folders encrypted using FileVault. FileVault 2 users are not affected by this bug. This glitch was first noticed by an Apple Support Community member who posted about the plain text passwords back in February.

  • OS X Lion update accidentally outs user passwords in plain text, stumbles over FileVault

    by Sean Buckley
    05.06.2012

    Are you an avid user of OS X's FileVault encryption and running a recently updated version of Lion? It may be time to consider changing your passwords. According to security researcher David Emery, users who used FileVault prior to upgrading to 10.7.3 may be able to find their password in a system-wide debug log file, stored in plain text outside of the encrypted area. This puts the password at risk of being read by other users or enterprising cyber criminals, Emery explains, and even opens the door for new flaw-specific malware. FileVault 2, on the other hand, seems to be unaffected by the bug. The community doesn't currently have a way to fight the flaw without disabling FileVault, so users rushing to change their password now may find it being logged as well. Obviously, we'll let you all know once we hear back from Apple regarding this matter.

  • Passware claims FileVault 2 can be cracked in under an hour, sells you the software to prove it

    by James Trew
    02.02.2012

    Lunch hours may never feel safe again. That is, if you have a Mac running Lion / FileVault 2, like leaving your computer around, or have unscrupulous colleagues. Data recovery firm Passware claims its "Forensic" edition software can decrypt files protected by FileVault 2 in just 40 minutes -- whether it's "letmein" or "H4x0rl8t0rK1tt3h" you chose to stand in its way. Using live-memory analysis over firewire, the encryption key can be accessed from FileVault's partition, gifting the pilferer privy access to keychain files and login data -- and therefore pretty much everything else. If you want to try this out for yourself, conveniently, Passware will sell you the software ($995 for a single user license) without so much as a flash of a badge.

  • Prevent certain accounts from unlocking FileVault 2

    by TJ Luoma
    12.12.2011

    FileVault 2 is a huge improvement over the original FileVault implementation, offering whole disk encryption with no noticeable performance penalty. The only downside is that every account on the computer (even "standard," non-administrator accounts) is given access to decrypt the drive. The good news is that you can control which accounts are allowed to decrypt the drive by removing the password from any account which should not be able to decrypt FileVault. (Don't worry, it's only temporary.)

    Temporary insecurity leads to increased security

    My MacBook Air has 4 user accounts on it: for me, my wife, my son, and my mother-in-law (long story). My wife and I both use secure passwords, but my mother-in-law and son do not. If a chain is only as strong as the weakest link, I had 4 links, and 2 of them were pretty weak. I could not find any way to control which accounts can decrypt FileVault, but I did learn that any account which does not have a password is automatically disqualified from decrypting FileVault. Even if you add a password back to that account, FileVault will be disabled for that account unless you specifically re-enable it. I'll walk you through the steps. (Note: I recommend reading through all of the instructions before starting any of this.)

    Step 1: Log in to the account that will not be able to unlock FileVault.

    Step 2: Open /Applications/Utilities/Terminal.app. Yes, I know. You hate Terminal. But you have to use it because you can't remove your password via the GUI. But you can delete it in Terminal. Just type passwd at the prompt. You will be asked for your "Old Password" (that is, your current password), and then you will be asked for a new password, twice. Enter your current password, then just press the Enter/Return key when asked for a "New Password" and "Retype New Password." Once you do that, you will have an account with no password. Now we are ready to go to FileVault.

    Open FileVault

    Go to System Preferences » Security & Privacy » FileVault and you will see a new warning "Some users are not able to unlock the disk." Click "Enable Users" (above) and then "Set Password..." (below) and then you will see this: Do not click "Enable User..." or this whole trip will have been for nothing. Once you leave this window, if you click on the "Enable Users..." button while logged into an account which is not set up to unlock FileVault (but which does have a password set), it may be automatically enabled. Moral? Don't open that window unless you want to enable the account, or be ready to repeat this process. You may want to set "Require an administrator password to access system preferences with lock icons" in the "General" tab under System Preferences » Security & Privacy.

    "So how do I use that account?"

    You may wonder how you can use that account. After all, when the computer reboots, there will be no option to choose that account, and any account you do choose will be automatically logged into after the computer starts up. Start by choosing one of the available accounts to decrypt/unlock FileVault. This will begin the booting process. From there, you have a choice: either let the automatic login process complete and then log out (which will let you log in to the other account), or hold down the Shift key when you see the grey Apple logo which will prevent auto-login and leave you at the main login window.

    FileVault 2 locks or unlocks the entire drive, so be careful who gets the 'keys'

    I consider FileVault 2 an essential feature for any portable Mac. I also recommend separate accounts for every member of your household old enough to press keys on the keyboard (or, at the very least, a separate account for your important data and one for other family members). But if you don't want to risk the possibility that someone in your household thinks that one two three four five is a great password, consider only letting some accounts decrypt FileVault. Finally, remember that whichever account you use after FileVault is decrypted, the drive will be encrypted again when you reboot or shutdown.
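    As an added example, not part of TJ Luoma's post or any other TUAW article: on OS X 10.8 and later the fdesetup tool described in the Mountain Lion post above prints which accounts are enabled to unlock FileVault 2 (`fdesetup list`, one `username,UUID` line per account), so the "who holds the keys" question from this post can be audited with a script instead of by inspecting the Security & Privacy pane. The script below parses that output format and flags any enabled account that is not on an administrator-supplied allow list. The sample output, account names and UUIDs are constructed for the example; the `audit_live` function runs the same check against a real Mac and needs root.

```shell
#!/bin/sh
# Added example (not from the TUAW posts): audit which local accounts can
# unlock a FileVault 2 volume, using the output format of `fdesetup list`
# (one "username,GeneratedUID" line per enabled account, OS X 10.8+).

# Constructed sample of `fdesetup list` output. The names and UUIDs are
# made up for this example.
SAMPLE_LIST='tj,C5B1A2F0-0000-4000-8000-000000000001
wife,C5B1A2F0-0000-4000-8000-000000000002
son,C5B1A2F0-0000-4000-8000-000000000003
motherinlaw,C5B1A2F0-0000-4000-8000-000000000004'

# enabled_users LIST
# Print the account names found in fdesetup list output, one per line.
# Lines without a "name,uuid" shape are ignored.
enabled_users() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# unexpected_users LIST ALLOWED
# Print enabled accounts that are not in the comma-separated ALLOWED list.
# These are the accounts an administrator would review and, if they should
# not be able to unlock the disk, remove with `fdesetup remove -user NAME`.
unexpected_users() {
    list="$1"
    allowed="$2"
    enabled_users "$list" | while IFS= read -r name; do
        case ",$allowed," in
            *",$name,"*) ;;               # on the allow list
            *) printf '%s\n' "$name" ;;   # flag for review
        esac
    done
}

# audit_live ALLOWED
# Same check against the running system; requires macOS and root.
audit_live() {
    unexpected_users "$(fdesetup list)" "$1"
}

# Demo against the constructed sample: only tj and wife should unlock.
# Run as `sh audit.sh demo` to see the two flagged accounts.
if [ "${1:-}" = "demo" ]; then
    unexpected_users "$SAMPLE_LIST" "tj,wife"
fi
```

    Because the allow list is compared as whole names wrapped in commas, a user called `tj` does not accidentally match an allow list containing `tjunior`. The script only reports; removal is left as a manual, reviewed step so that a typo in the allow list cannot lock anyone out of the disk.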

  • Will 10.7 add a "safe deposit box" to your Mac?

    by Josh Helfferich
    02.21.2011

    It seems as though Apple is hard at work on new features for OS X 10.7 Lion this summer, and the latest possible addition to the OS is something that would solve a huge problem plaguing the tech world today -- insecurity with remote file storage. According to this find by Patently Apple, we may see a new "Safe Deposit Box" in Lion that aims to protect your files using cloud architecture in the same way that a physical safe deposit box protects your assets at a bank or other location. The basic idea described in the patent revolves around a single icon that, when the user drops a file onto it, would instantly upload and protect the file using Apple-backed cloud servers (which could possibly be located at their new $1 billion North Carolina data center). All of one's secure files would then be available by logging into the Safe Deposit Box service with a user name and password. For enhanced security, the patent also mentions a small window of time before the login expires to prevent accidental viewing of files by other individuals. This storage center would presumably also store digital copies of iTunes purchases, therefore solving the age old problem of losing your precious collection of tunes in a hard drive failure. We've seen similar technology in OS X already with FileVault, which encrypts and stores secure files on the fly. However, we've never seen deep internet-based secure storage from Apple, and it would be a welcome addition for those of us who are working with sensitive documents on multiple Macs (I know I'd be more comfortable with this than, say, Dropbox). It certainly looks like a step in the right direction. Let's hope that this idea is under active development at the big fruit company.

  • Mac 101: 7 tips for Data Privacy Day 2009

    by Robert Palmer
    01.28.2009

    Today is Data Privacy Day, a global initiative to highlight information security rights and practices, especially among teens, professionals, corporations, and the government. As part of the celebration, TUAW (along with our sister blog Download Squad) has seven good ideas for you about how to keep your data safe and away from prying eyes with Mac OS X Leopard. Also, be sure to browse TUAW articles filed under Security for other tips and alerts about keeping your data safe.

    1: Turn on your firewall

    Leopard, as we all know, comes with a built in firewall to prevent other computers from connecting to internet-facing ports on your computer. But: Did you know it's turned off by default? To turn on your firewall, open System Preferences, and click the Security icon. Then, click the Firewall tab. Make sure either "Allow only essential services" is selected, or you can choose to "set access for specific services and applications" yourself. You can also use "Stealth Mode": when enabled, computers that send data to blocked ports won't even get acknowledgement that the data was received. To enable Stealth Mode, click the Advanced button on the Firewall tab of the Security preference pane, and click the check box next to "Enable Stealth Mode."

    2: Set a screen saver password

    A feature popular with Windows users, Mac OS X can also lock your screen when your computer sleeps or when the screen saver comes on. Simply open System Preferences, select Security, and choose the General tab. Click the check box next to "require password to wake this computer from sleep or screen saver," and you're all set. If you have automatic login enabled and click the "require password" check box, Mac OS X will recommend that you disable automatic login. This means you'll have to enter your password to turn your computer on, too; nefarious nogoodniks won't be able to restart your Mac while the screen saver is on to circumvent the need for a password. Good thinking.

  • Mac 101: Protect your data with FileVault

    by Cory Bohon
    08.04.2008

    If you use a notebook Mac, then the risks are higher for getting your computer stolen. However, Apple has included a tool to protect your entire home folder (documents, pictures, movies, etc.) right within OS X. FileVault protects your computer against stolen data by encrypting/decrypting your home folder each time you log in and log out.

    To use FileVault, you must first set a Master Password. This password is a fail-safe if you forget your user login info. However, if you lose both your user login info and the master password, you will not be able to decrypt your home folder and your data (if not backed up in unencrypted form) will be lost forever. To set the master password, navigate to System Preferences > Security > FileVault > Set Master Password.

    Once you have the master password set, you will be able to turn on FileVault and begin protecting your data. Click the "Turn on FileVault" button in the FileVault section of the Security preference pane. You will be asked for your master password, and a disclaimer will be displayed explaining the process. Please note that you will not be able to log in to your Mac via SMB (Windows file sharing) after turning on FileVault.

    FileVault provides a high level of data security, but some applications have a history of incompatibility with the feature; it's also very important that you have a secure and solid backup strategy if you choose to use FileVault. For best results with Time Machine, make sure that your FV home folder is upgraded to the Leopard image format (if you were using FV under Tiger, you may have to turn it off and back on to convert your home folder) and log out of your account periodically to allow backups to run.

  • Behind the scenes with FileVault

    by Scott McNulty
    12.29.2006

    FileVault is the Home directory encryption feature of OS X (introduced in Panther) which Apple bills as offering, 'Eternal Protection.' Apple hasn't produced much documentation on FileVault, I suppose in hopes that no one would find an easy way to hack it. A presentation at the 23rd Chaos Computing Congress focused on FileVault, how it works, and possible vulnerabilities. Luckily for us, the general conclusion is that FileVault is a good way to secure your drive, if used correctly. FileVault does not encrypt the contents of system memory by default in Tiger (It doesn't do it at all in Panther) and it does not, by design, encrypt anything outside of a user's home directory. There are a few possible attack vectors, but the easiest seems to be a good old brute force Dictionary attack on the 'Master Password' that you must set when enabling FileVault. Remember, if your password is weak all the encryption in the world won't help you. [via MacSlash]

  • Your data is safer on a Mac

    by Scott McNulty
    09.20.2006

    Ok, so I'm using a dash of hyperbole in the title of this post, but Simson Garfinkel (writing for Computerworld) does recommend Apple portables based on security functionality alone. He highlights FileVault, secure virtual memory, and secure empty trash as the features of OS X that make Apple portables so secure. Sure, as he points out, one can get Windows up to this level of security (Lenovo does include similar utilities with their ThinkPads) but not without tinkering with Windows. OS X has it all built right in. The one thing that Simson would like to see Apple do? Enable all of these features by default. How many folks out there are using a combo of these features on their Macs?

  • How do I reset my Keychain password?

    by Scott McNulty
    07.20.2006

    Yesterday I was singing the praises of Keychain, and I still stand by my assessment. Keychain is a key feature of OS X that makes it stand apart from Windows. But what happens if you forget your Keychain password? You know, the password that lets you access all your other, heavily encrypted data? That is exactly what happened to one poor soul who put the question to the MetaFilter community. It isn't as bad as forgetting your FileVault password; however, the sad truth of the matter is that you're going to have to generate yourself a new Keychain folder and start from scratch. I know it sucks, but that is the price we pay for security. If you are in the same situation check out the MetaFilter discussion for the steps you need to take.

  • Knox version 1.0.7 is available

    by Dave Caolo
    04.20.2006

    I'll admit it, I don't want people poking around my Mac. While I may want certain files encrypted, Apple's File Vault would be overkill for my needs. That's why I use Knox. With Knox, you can quickly create password-protected, encrypted volumes that you alone can gain access to. You can even schedule backups to occur whenever your iPod is docked. If that's not your cup of tea, you can use a remote server or even your .Mac storage space as a backup destination for Knox. Moving from volume to volume is easily accomplished via a menu bar item.

    How secure is secure? From the website: "Knox’s encryption—based on Apple’s FileVault technology—protects files with the U.S. Government’s new Advanced Encryption Standard (AES)." So there you go.

    Changes to version 1.0.7 include:

    Fixed a problem with opening the Preferences window after upgrading to 1.0.6.
    Fixed a crashing bug in Knox task handling.

    There is a free trial available, and a single license will cost you $29.95US (€29.95 w/ VAT). Knox requires Mac OS 10.3.9 or later.