or Connect
AppleInsider › Forums › Software › Mac OS X › Is there a "Back Door" in FileVault 2??
New Posts  All Forums:Forum Nav:

Is there a "Back Door" in FileVault 2??

post #1 of 21
Thread Starter 

First time poster here, so be nice!!  1smile.gif

 

I have been a Mac user since 2008, and am looking to upgrade and get a new 13" MacBook Pro with a regular HDD in it.

 

As part of this upgrade, I want to catch up with the times and start using Full-Disk Encryption of some sort to protect *all* of the data on my HDD.

 

The logical choice would be to use Mountain Lion's built in FDE, i.e. FileVault 2, however, I stumbled across this article that has me freaked out...

 

FileVault 2's Apple ID Backdoor

http://mjtsai.com/blog/2012/08/07/filevault-2s-apple-id-backdoor/

 

 

If that is true, I find it very disturbing that Apple would do that...

 

Anyone here have actual experience with FileVault 2 and this particular issue??

 

 

Also, are there any alternatives I could use if I still lack confidence in Apple's FDE?

 

I was originally going to use TrueCrypt, but after spending the day reading up on various FDE software, TrueCrypt seems to get low marks and people say it is easily hacked on a Mac.

 

I also started to check out companies like Sophos, CheckPoit, and Symantec.  Unfortunately the first two expect you to "register" and then wait for a Sales E-mail or Call.  WTF?!  1oyvey.gif  (Umm, I'm not some corporation looking to spend $1 million dollars and establish a life-long contract.  And I think CheckPoint only sold a "subscription" so you'd be tied in to them for life!!  Hey, I just want to spend $50-$100, get my software, and be done with things!!)

 

 

Anyways, I feel really bummed, because until I come up with and acceptable game-paln to protect my data using FDE, I won't be buying a new Mac...

 

Sincerely,

 

 

Debbie

post #2 of 21
Quote:
Originally Posted by DoubleDee View Post

As part of this upgrade, I want to catch up with the times and start using Full-Disk Encryption of some sort to protect *all* of the data on my HDD.

If that is true, I find it very disturbing that Apple would do that...

You have to remember that Apple has a lot of customers, the majority of whom are probably more likely to forget their passwords than have anything important enough to require encryption. They even give you the option to set a recovery key and then a further option to store that key with Apple behind 3 security questions, which makes the password as secure as those 3 questions.

If you turn off all the recovery options though, there's no reason to think it's an insecure system and it's way more convenient than any other disk encryption as well as faster because it uses Intel's hardware encryption (AES-NI), which I think got added in Sandy Bridge processors. This gives it a very minimal overhead when running your system from it. Other encryption systems will have more severe performance overheads.

If there's some files you really don't want someone to access, you can manually encrypt those in a disk image with a different password on top of Filevault 2.

Jon Callas who was one of the co-founders and chief scientist at PGP worked at Apple:

http://www.theregister.co.uk/2010/04/22/jon_callas_joins_apple/

It's unlikely that he would have put an insecure backdoor into the system on purpose. Just make sure to disable recovery options and use strong and varied passwords for every service you use.
post #3 of 21
Thread Starter 
Quote:
Originally Posted by Marvin View Post


You have to remember that Apple has a lot of customers, the majority of whom are probably more likely to forget their passwords than have anything important enough to require encryption. They even give you the option to set a recovery key and then a further option to store that key with Apple behind 3 security questions, which makes the password as secure as those 3 questions.

If you turn off all the recovery options though, there's no reason to think it's an insecure system and it's way more convenient than any other disk encryption as well as faster because it uses Intel's hardware encryption (AES-NI), which I think got added in Sandy Bridge processors. This gives it a very minimal overhead when running your system from it. Other encryption systems will have more severe performance overheads.

If there's some files you really don't want someone to access, you can manually encrypt those in a disk image with a different password on top of Filevault 2.

Jon Callas who was one of the co-founders and chief scientist at PGP worked at Apple:

http://www.theregister.co.uk/2010/04/22/jon_callas_joins_apple/

It's unlikely that he would have put an insecure backdoor into the system on purpose. Just make sure to disable recovery options and use strong and varied passwords for every service you use.

 

Well, what about the part of the article claiming that OS-X forced you to allow recovery using your AppleID?

 

And how the author could not uncheck that option?

 

In my mind, I want to install FDE, choose a secure Pass-Phrase, print out the Recovery Serial Thingy, and be done with it.

 

Only I should be able to get into my system using the Pass-Phrase, and that's it.

 

No other ways in, no "back doors", etc.

 

Sure I can trust Apple?

 

Also, on a "Conspiracy Theory" level, I read a fair amount online that implies that all manufacturers of FDE leave "back doors" in their software to allow Law Enforcement and the Feds access to your HDD if they really want it.

 

What do you think?!

 

 

As far as the AES-NI thing, are you really sure that the new Macs with Mountain Lion use *hardware* FDE??  (If so, that is awesome, since it is supposed to be more secure...)

 

Sincerely,

 

 

Debbie

post #4 of 21
Quote:
Originally Posted by DoubleDee View Post

Well, what about the part of the article claiming that OS-X forced you to allow recovery using your AppleID?

And how the author could not uncheck that option?

It's not forced, that checkbox is disabled on my system and I actually can't enable it until I enter an Apple ID to be linked with my user account. Either the guy migrated a system where this was the case or he actually did enable it. It's not possible for it to be enabled on a factory system because it doesn't know what your Apple ID is until you enter it.

The checkbox is hidden when you enable Filevault so you can't disable it once you encrypt the drive but you can unset the Apple ID from the user account. If you make sure it's unchecked before you encrypt the drive or don't associate an Apple ID, it's not a problem and you can decrypt and uncheck then encrypt again. That checkbox binds the Apple ID to your user account and when you encrypt the drive, the encryption key is also assigned to your user account. Leaving the checkbox on would allow people to enable it after encryption. Apple could disable it before encrypting but the person has to enable the option to reset the password via Apple ID in the first place so they likely wanted the feature on.
Quote:
Originally Posted by DoubleDee View Post

Also, on a "Conspiracy Theory" level, I read a fair amount online that implies that all manufacturers of FDE leave "back doors" in their software to allow Law Enforcement and the Feds access to your HDD if they really want it.

That's not true but they do have a variety of techniques to get round them. Direct memory access is one way they can use if passwords are stored in RAM. In some countries, authorities can imprison you just for refusing to decrypt your drive. It doesn't work in all cases:

http://www.engadget.com/2012/02/26/court-upholds-fifth-amendment-prevents-forced-decryption-of-dat/

That case was about someone suspected of having explicit images of children and law enforcement naturally wanted to be able to decrypt the drives and couldn't. If you don't have a long enough password, they'll be able to crack it:

http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
Quote:
Originally Posted by DoubleDee View Post

As far as the AES-NI thing, are you really sure that the new Macs with Mountain Lion use *hardware* FDE??  (If so, that is awesome, since it is supposed to be more secure...)

That's what the reviews suggest:

http://arstechnica.com/apple/2011/07/mac-os-x-10-7/13/
http://www.anandtech.com/show/4485/back-to-the-mac-os-x-107-lion-review/18

"Apple also leverages the special-purpose AES instructions and hardware on Intel's newest CPUs, further reducing the CPU overhead. The end result is that regular users will be hard-pressed to notice any reduction in performance with encryption enabled."

If it didn't use hardware encryption, the CPU load would be higher.
post #5 of 21
Thread Starter 

(I'm really struggling wit the Editor on this website!!!! How do you quote someone, but insert new comments and questions??)

 

 

> It's not forced, that checkbox is disabled on my system and I actually can't enable it until

> I enter an Apple ID to be linked with my user account. Either the guy migrated a system

> where this was the case or he actually did enable it. It's not possible for it to be enabled on

> a factory system because it doesn't know what your Apple ID is until you enter it.

 

So if I don't enter my AppleID, then I'm safe?

 

 

> The checkbox is hidden when you enable Filevault so you can't disable it once

> you encrypt the drive

 

Why is that?

 

 

> but you can unset the Apple ID from the user account. If you make sure it's unchecked

> before you encrypt the drive or don't associate an Apple ID, it's not a problem and

> you can decrypt and uncheck then encrypt again.

 

You lost me on the last part...

 

Why would I leave "Allow user to reset password using AppleID" unchecked - with no AppleID in the field - then encrypt the drive, and then decrypt the drive and uncheck it and then encrypt again??

 

Wouldn't you just leave the AppleID blank, not check the box, encrypt, and be done with it?

 

 

> That checkbox binds the Apple ID to your user account and when you encrypt the drive,

> the encryption key is also assigned to your user account. Leaving the checkbox on

> would allow people to enable it after encryption.

 

So checking the box creates 2 Encryption Keys?

 

 

> Apple could disable it before encrypting but the person has to enable the option to reset

> the password via Apple ID in the first place so they likely wanted the feature on.

 

I would expect that box to be checked *if* you entered an AppleID, otherwise I would expect it to remain unchecked...

 

 

Coming at this topic from a different angle, is this really a "Back Door"?

 

Is it really a security risk?

 

I guess I don't understand its purpose if you have a Pass-Phrase you set yourself, PLUS you get whatever that 20+ character "Recovery Key" as well before you encrypt?!

 

It seems silly to need a 3rd way to get back into your System...

 

 

BTW, do you know the exact sequence of steps you follow to turn an AppleID into successfully re-logging in to your Mac?

 

I guess I fail to see how providing someone's AppleID is a reasonable way to let someone in?!

 

To me, it would be like letting me in to your encrypted Mac because I know your Usename is "Marvin"...

 

Sincerely,

 

 

Debbie

post #6 of 21
Thread Starter 

Debbie

>> Also, on a "Conspiracy Theory" level, I read a fair amount online that implies that all

>> manufacturers of FDE leave "back doors" in their software to allow Law Enforcement

>> and the Feds access to your HDD if they really want it.

>

> That's not true but they do have a variety of techniques to get round them.

 

What is to stop Manufacturers and the Feds from having such an agreement?

 

And how would "we" - the Public - ever really know?!

 

I can see your Dick Cheney's of the world threatening the hell out of CEO's if they didn't comply...

 

 

> What is to s Direct memory access is one way they can use if passwords are stored in RAM.

>In some countries, authorities can imprison you just for refusing to decrypt your drive.

> It doesn't work in all cases:

> http://www.engadget.com/2012/02/26/court-upholds-fifth-amendment-prevents-forced-decryption-of-dat/

> That case was about someone suspected of having explicit images of children and

> law enforcement naturally wanted to be able to decrypt the drives and couldn't.

 

Scary...

 

 

> If you don't have a long enough password, they'll be able to crack it:

> http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

 

Equally scary!!!

 

So, what is a *reasonable* Pass-Phrase Length and Pass-Phrase Pattern to use?

 

In the past, I have read that using simeple sentences with maybe a few special characters sprinkled in is typically enough.

 

For example...

 

"I met my husband when I was playing softball at Roberts Park"

 

or

 

"The Chicago Cubs are my favorite team of all time!!!"

 

 

Oh, and another thing, I have recently read that using those "Password Key Chains" is a bad idea because they are stored in MEMORY and thus can easily be compromised in the RAM Attack you mentioned above.  (And if I understand things correctly, not only would they be able to crack your Encryption Pass-Phrase, but every other Password and Pass-Phrase in your Key-Chain, i.e. your life)!!!

 

 

Gee, the more I learn about security and prvacy, the more powerless I feel...  :(

 

Sincerely,

 

 

Debbie

post #7 of 21
Originally Posted by DoubleDee View Post
(I'm really struggling wit the Editor on this website!!!! How do you quote someone, but insert new comments and questions??)

 

Hit the quote button… 

post #8 of 21
Thread Starter 
Quote:
Originally Posted by Tallest Skil View Post

But if I want to insert comments in between lines there is no way to know who said what...

 

Hit the quote button… 

 

Who is typing this?

 

That and it takes 30-60 seconds before this editor loads and I see a formatted message that I can type in...  (Horrible website design)

 

It would so much easier to be able to do plain-text or us bbcode, but anyways...

 

 

Debbie

post #9 of 21
Originally Posted by DoubleDee View Post
[quote post]

 

Ah. Then you can trim, cut, and repaste using the editor's quote button:

 


It would so much easier to be able to do plain-text or us bbcode, but anyways...

 

Go here, you'll see a button in the top right that isn't in this screenshot:

 

 

At the bottom is a dropdown where you can switch between the two.

 

post #10 of 21
Thread Starter 
Tallest Skil,

Okay, thanks for the tips on my Account Settings!

Now back on topic...


Debbie
post #11 of 21
Quote:
Originally Posted by DoubleDee View Post

So if I don't enter my AppleID, then I'm safe?

You can still enter it into iTunes and the App Store, just don't link it with your user account.
Quote:
Originally Posted by DoubleDee View Post

Why is that?

I don't know why they chose to hide it but it might not actually work properly while Filevault is enabled. It's not another way to decrypt the volume, it's a way to reset your account password but the account password as you can see in the PDF below has intermediary keys associated with it, which would have to be regenerated on changing the password. Apple's support documents suggest that you can't reset the Filevault password with the Apple ID.
Quote:
Originally Posted by DoubleDee View Post

Why would I leave "Allow user to reset password using AppleID" unchecked - with no AppleID in the field - then encrypt the drive, and then decrypt the drive and uncheck it and then encrypt again??

Wouldn't you just leave the AppleID blank, not check the box, encrypt, and be done with it?

If you leave the box blank and don't check the checkbox, that's fine. The steps I described would be how to disable the Apple ID recovery if the encryption was setup.
Quote:
Originally Posted by DoubleDee View Post

So checking the box creates 2 Encryption Keys?

No, it just associates the ID with the user account. The actual key to decrypt the drive isn't the account password - if it was, creating/deleting a new user account would require encrypting the whole drive again, as would changing the account password. The following document details how the whole process works:

http://eprint.iacr.org/2012/374.pdf

The biggest concern really is that some parts of the intermediary keys are in plain text in memory so if you have direct memory access, it's possible to obtain the master key. If you have a laptop for example, you typically won't shut it down so while logged out or asleep, the part required to decrypt the master key is in RAM, which can sometimes be accessed via Firewire or Thunderbolt. This applies to all full disk encryption. You really have to shut down the machine to clear it all out. This is the case for disk images too while logged in.
Quote:
Originally Posted by DoubleDee View Post

It seems silly to need a 3rd way to get back into your System...

It depends, you might setup Filevault and not take a note of the recovery key. Some people might even save a note of the recovery key on the drive itself. You can't assume that people who use these features know how to use them properly. It makes Apple's tech support easier for people who don't know how to use it and it doesn't really cause any harm to people who do know how to use it.
Quote:
Originally Posted by DoubleDee View Post

I guess I fail to see how providing someone's AppleID is a reasonable way to let someone in?

It doesn't let people in directly, it let's you reset your account password, which then lets you in. Like I say though, it's not clear that the password reset process actually does work with Filevault. That wasn't demonstrated in the article.
Quote:
Originally Posted by DoubleDee 
What is to stop Manufacturers and the Feds from having such an agreement?
And how would "we" - the Public - ever really know?!

We would have found out by now if the government was working with security software providers. If you were a developer and they asked you to put a backdoor into your software and therefore compromise your entire security, it would be on a blog somewhere. People in government agencies have to use the software themselves. Hackers find security vulnerabilities in binary data in operating systems all the time. A backdoor in encryption software would be uncovered.
Quote:
Originally Posted by DoubleDee 
So, what is a *reasonable* Pass-Phrase Length and Pass-Phrase Pattern to use?

In the past, I have read that using simeple sentences with maybe a few special characters sprinkled in is typically enough.

Longer than 8 characters should be ok but phrases are better and easier to remember. Anything less than 8 should be fairly ineffective this year:

http://www.deloitte.com/view/en_GX/global/industries/technology-media-telecommunications/tmt-predictions-2013/tmt-predictions-2013-technology/9eb6f4efcbccb310VgnVCM1000003256f70aRCRD.htm#.UXcvzb9Er8s

I personally would rather that passwords were done away with in favour of file-based keys as long as they can be used conveniently. There are rumours that Apple will implement a fingerprint sensor into the next iOS devices to help with this - they bought a company that makes the sensors.
post #12 of 21
Thread Starter 
Marvin,
Quote:
Apple's support documents suggest that you can't reset the Filevault password with the Apple ID.

But you're unsure of the specifics, right? (I looked at the PDF's you attached, but honestly, the one on FileVault 2 was pretty deep to process...

Quote:
The biggest concern really is that some parts of the intermediary keys are in plain text in memory so if you have direct memory access, it's possible to obtain the master key. If you have a laptop for example, you typically won't shut it down so while logged out or asleep, the part required to decrypt the master key is in RAM, which can sometimes be accessed via Firewire or Thunderbolt. This applies to all full disk encryption. You really have to shut down the machine to clear it all out. This is the case for disk images too while logged in.

So since this would apply to all FDE, you can't single out FileVal=ult 2 as "weak", right?

Quote:
Quote:
Originally Posted by DoubleDee 
What is to stop Manufacturers and the Feds from having such an agreement?
And how would "we" - the Public - ever really know?!

We would have found out by now if the government was working with security software providers. If you were a developer and they asked you to put a backdoor into your software and therefore compromise your entire security, it would be on a blog somewhere. People in government agencies have to use the software themselves. Hackers find security vulnerabilities in binary data in operating systems all the time. A backdoor in encryption software would be uncovered.

You really stand behind that?

If so, then I guess I can put my "Conspiracy Theories" back in the closet, huh? (BTW, I almost never subscribe to such things, but I am growing increasingly PARANOID the more I learn about security...)

Quote:
Quote:
Originally Posted by DoubleDee 
So, what is a *reasonable* Pass-Phrase Length and Pass-Phrase Pattern to use?

In the past, I have read that using simple sentences with maybe a few special characters sprinkled in is typically enough.

Longer than 8 characters should be ok but phrases are better and easier to remember. Anything less than 8 should be fairly ineffective this year:

No opinions on the examples I provided?

Quote:
I personally would rather that passwords were done away with in favour of file-based keys as long as they can be used conveniently. There are rumours that Apple will implement a fingerprint sensor into the next iOS devices to help with this - they bought a company that makes the sensors.

I see that as a major PROBLEM.

No way in heck I want a copy of my fingerprint or iris in some database that will ultimately get hacked...

Do you know of any consumer FDE solutions that also allow you to use an RSA Key Fob, or some sort of Security Token? (The only ones I have seen are for Enterprise Solutions....)


So, in the final analysis, what do you think about FileVault 2's attempt at FDE?

Should entrust my life with it?

I have ruled out Sophos and CheckPoint since they clearly don't care about "the little guy".

And TrueCrypt seems to have too many issues...

I have heard a few good things about Symantec's PGP, although you could argue it will slow down my new MacBook Pro versus FileVault 2.

I think what is more important to me is have COMPLETE TRUST in the solution that I choose.

I don't want to have to worry about Back-Doors, or Weak Encryption, or some other Flaw that gives me a "false sense of security" but actually put me and my life at great risk...

Sincerely,


Debbie
post #13 of 21
Quote:
Originally Posted by DoubleDee View Post

But you're unsure of the specifics, right?

The only way to be sure if you can reset your password that way would be to test it out. You should really thoroughly test out encryption you rely on to make sure it's setup correctly and there isn't a weakness. There's a reset guide here that says Apple ID reset doesn't work:

https://kb.wisc.edu/helpdesk/page.php?id=22678

"In order to reset an account password in Mac OS X 10.7 or 10.8, you must have access to your Apple ID username and password. Please note that this method won't work for users with FileVault 2 protection enabled."

It's a weakness if it does work but you can disable it so it's not really a problem.
Quote:
Originally Posted by DoubleDee View Post

So since this would apply to all FDE, you can't single out FileVault 2 as "weak", right?

That's right.
Quote:
Originally Posted by DoubleDee View Post

You really stand behind that?

If so, then I guess I can put my "Conspiracy Theories" back in the closet, huh? (BTW, I almost never subscribe to such things, but I am growing increasingly PARANOID the more I learn about security...)

There's nothing wrong with being paranoid about security. Sometimes it's shocking to see how much information is out there. A quick trip to Facebook lets you see that.

Computer security can be compromised very easily. Take the vulnerabilities in Flash or Java. Just visiting a web page that exploits a severe flaw can get higher privileges and install a keylogger than can record everything you type for months before you'd even know about it. If it can happen to the military, it can happen to anyone:

http://www.pcmag.com/article2/0,2817,2394374,00.asp
Quote:
Originally Posted by DoubleDee View Post

No opinions on the examples I provided?

Your pass phrase examples would be fine. You mainly have to think about combinations. When it comes to characters, it's around 128-256 options per character so an 8 character password has over 128^8 combinations. With phrases, they can use dictionary attacks but it would be something like 100,000 options per word so a 4 word password would be 100,000^4 combinations. It helps to use random words and punctuation but phrases with a few words have loads of possibilities.
Quote:
Originally Posted by DoubleDee View Post

I see that as a major PROBLEM.

No way in heck I want a copy of my fingerprint or iris in some database that will ultimately get hacked...

The fingerprint data can stay on the phone like an account password would and be used to unlock other data that gets used elsewhere.
Quote:
Originally Posted by DoubleDee View Post

Do you know of any consumer FDE solutions that also allow you to use an RSA Key Fob, or some sort of Security Token? (The only ones I have seen are for Enterprise Solutions....)

The Yubikey supports FDE:

http://www.yubico.com/applications/disk-encryption/full-disk-encryption/

but I don't know what performance overheads their encryption will have.
Quote:
Originally Posted by DoubleDee View Post

So, in the final analysis, what do you think about FileVault 2's attempt at FDE?

Should entrust my life with it?

I think what is more important to me is have COMPLETE TRUST in the solution that I choose.

I don't want to have to worry about Back-Doors, or Weak Encryption, or some other Flaw that gives me a "false sense of security" but actually put me and my life at great risk...

Whatever you choose depends on what you're protecting and who you're protecting it from. You mentioned earlier that you'd print out the recovery key. That's not going to offer much protection if someone gets hold of the printout. If all you are protecting is personal files, Filevault 2 will be secure enough and it won't come with a significant performance hit. If you need to secure something further, you can use another encrypted container inside the Filevault drive so even if someone manages to access the drive, they have to access another virtual drive.
post #14 of 21
Thread Starter 
Quote:
Originally Posted by Marvin View Post

Quote:
Originally Posted by DoubleDee View Post

So since this would apply to all FDE, you can't single out FileVault 2 as "weak", right?

That's right.

Can you please give an overview of how these "RAM Attacks" occur? By that I mean, sure, if your laptop is on, and you are logged in, and the screen-saver isn't on, and you walk away, I can see how someone could compromise things.

But let's say my MacBook is on, I'm logged in, but my Password Screen-Saver came on immediately after I walked away.

How would someone hack into that and ultimately get my FDE Encryption Keys?

More so, isn't there a way to "purge" RAM of such things without having to shut down every time you have to go pee?! lol.gif

Quote:
Originally Posted by Marvin View Post

There's nothing wrong with being paranoid about security. Sometimes it's shocking to see how much information is out there. A quick trip to Facebook lets you see that.

Computer security can be compromised very easily. Take the vulnerabilities in Flash or Java. Just visiting a web page that exploits a severe flaw can get higher privileges and install a keylogger than can record everything you type for months before you'd even know about it. If it can happen to the military, it can happen to anyone:

http://www.pcmag.com/article2/0,2817,2394374,00.asp

Scary indeed!!

Quote:
Originally Posted by Marvin View Post

Quote:
Originally Posted by DoubleDee View Post

I see that as a major PROBLEM.

No way in heck I want a copy of my fingerprint or iris in some database that will ultimately get hacked...

The fingerprint data can stay on the phone like an account password would and be used to unlock other data that gets used elsewhere.

But if your phone was stolen or compromised, now some hacker has an image of your Fingerprint or Retina...

Quote:
Originally Posted by Marvin View Post

Quote:
Originally Posted by DoubleDee View Post

Do you know of any consumer FDE solutions that also allow you to use an RSA Key Fob, or some sort of Security Token? (The only ones I have seen are for Enterprise Solutions....)

The Yubikey supports FDE:

http://www.yubico.com/applications/disk-encryption/full-disk-encryption/

but I don't know what performance overheads their encryption will have.

Wow, that looks great. I will go read up on it.

But on second thought, would buying and using something like that really add much security to my laptop?

I mean if I am connecting to the Internet securely using my AT&T Hotspot and Witopia, and I have FDE set up, and I choose a l-o-n-g and fairly complex Pass-Phrase, and I don't leave my laptop on and unattended, then would owning something like Yubico add much more security?

Also, would it do anything to protect me if I did leave my laptop on but with the Screen-Saver Lock on while I wen to the bathroom?

Quote:
Originally Posted by Marvin View Post

Quote:
Originally Posted by DoubleDee View Post

So, in the final analysis, what do you think about FileVault 2's attempt at FDE?

Should entrust my life with it?

I think what is more important to me is have COMPLETE TRUST in the solution that I choose.

I don't want to have to worry about Back-Doors, or Weak Encryption, or some other Flaw that gives me a "false sense of security" but actually put me and my life at great risk...

Whatever you choose depends on what you're protecting and who you're protecting it from. You mentioned earlier that you'd print out the recovery key. That's not going to offer much protection if someone gets hold of the printout.

If I store that in a safe or Safe Deposit Box it would be secure.

And, to be sure, if I ever lost that paper or thought it was compromised, couldn't I just decrypt my HDD, and then recrypt it and get a new "Recovery Key"??

Quote:
Originally Posted by Marvin View Post

If all you are protecting is personal files, Filevault 2 will be secure enough and it won't come with a significant performance hit. If you need to secure something further, you can use another encrypted container inside the Filevault drive so even if someone manages to access the drive, they have to access another virtual drive.

Well, the reason behind all of my paranoia and questions is this...

I am trying to start a small business, and just finished building a website which holds customer data and also has an e-commerce portion (minus any financial info).

My day job keeps me thousands of miles from home, and so I have no choice but to develop and manage my website via my laptop and wireless connections.

As mentioned before, I broke down and got an AT&T mobile hotspot so I can securely connect to the Internet. +1

I am also planning on buying a subscription to WiTopia or HideMyAss this week, so I additional have greater anonymity on "the first hop". +1

I will be buying a new 13" MacBook Pro which will have the sole purpose of being what I use to manage my website and server. And since I will not be "surfing" on it or downloading or whatever, and since it will have FDE - and whatever else I can do to secure it - I am assuming that will add a great amount of security when I need to access my server?! +1

(BTW, I understand that FDE doesn't protect you from malware, but it does protect data at rest which is important still.)

I feel by having a Hotspot, Personal VPN, and dedicated laptop with FDE, I have taken a leap forward in protecting my server, myself, and ultimately my future customer's data.

I'm sure there is much more I need to do, but this seems like a good start.

Sincerely,


Debbie
post #15 of 21
Quote:
Originally Posted by DoubleDee View Post

Can you please give an overview of how these "RAM Attacks" occur? By that I mean, sure, if your laptop is on, and you are logged in, and the screen-saver isn't on, and you walk away, I can see how someone could compromise things.

But let's say my MacBook is on, I'm logged in, but my Password Screen-Saver came on immediately after I walked away.

How would someone hack into that and ultimately get my FDE Encryption Keys?

There's an example here:

http://www.breaknenter.org/2012/02/adventures-with-daisy-in-thunderbolt-dma-land-hacking-macs-through-the-thunderbolt-interface/

Apple did add restrictions to prevent direct memory access when the machine is locked so if you put it to sleep (shut lid), it would be ok. A screen lock isn't enough but it's really not likely someone would do this.
Quote:
Originally Posted by DoubleDee View Post

But if your phone was stolen or compromised, now some hacker has an image of your Fingerprint or Retina...

The sensors apparently sample portions of your fingerprint and just use that sample, not a complete scan.
Quote:
Originally Posted by DoubleDee View Post

I mean if I am connecting to the Internet securely using my AT&T Hotspot and Witopia, and I have FDE set up, and I choose a l-o-n-g and fairly complex Pass-Phrase, and I don't leave my laptop on and unattended, then would owning something like Yubico add much more security?

I think you'd be fine with the Filevault 2 setup.
Quote:
Originally Posted by DoubleDee View Post

And, to be sure, if I ever lost that paper or thought it was compromised, couldn't I just decrypt my HDD, and then recrypt it and get a new "Recovery Key"??

Yeah, if you found out someone had stolen it, you can just encrypt the drive again.
Quote:
Originally Posted by DoubleDee View Post

I am trying to start a small business, and just finished building a website which holds customer data and also has an e-commerce portion (minus any financial info).

I feel by having a Hotspot, Personal VPN, and dedicated laptop with FDE, I have taken a leap forward in protecting my server, myself, and ultimately my future customer's data.

If you aren't storing financial info, it's not likely that any attack would be useful but it's good that you are taking steps to protect the information. The server would be the most important thing to keep secure but for everything you keep offline, the setup you describe would be secure enough.
post #16 of 21
Thread Starter 
Quote:
Originally Posted by Marvin View Post

Quote:
Originally Posted by DoubleDee View Post

Can you please give an overview of how these "RAM Attacks" occur? By that I mean, sure, if your laptop is on, and you are logged in, and the screen-saver isn't on, and you walk away, I can see how someone could compromise things.

But let's say my MacBook is on, I'm logged in, but my Password Screen-Saver came on immediately after I walked away.

How would someone hack into that and ultimately get my FDE Encryption Keys?

There's an example here:

http://www.breaknenter.org/2012/02/adventures-with-daisy-in-thunderbolt-dma-land-hacking-macs-through-the-thunderbolt-interface/

Apple did add restrictions to prevent direct memory access when the machine is locked so if you put it to sleep (shut lid), it would be ok. A screen lock isn't enough but it's really not likely someone would do this.

Some follow up questions on this...

1.) Do you know of any articles/documentation that verifies this?

2.) Awesome link above!! In it the author mentions that some kind of PIN would prevent this type of attack. Did I understand that correctly?

If so, how would I set that PIN on my new MacBook Pro?

And would such a PIN also protect against other types of RAM attacks?

3.) I record a lot of radio shows on the weelends, and when I have to step away from my Mac, I don't want to miss the show. Is there a way to have it both ways, and leave my MacBook recording - using Audacity - in the background, but safe from RAM attackers?


Quote:
Originally Posted by Marvin View Post

Quote:
Originally Posted by DoubleDee View Post

I am trying to start a small business, and just finished building a website which holds customer data and also has an e-commerce portion (minus any financial info).

I feel by having a Hotspot, Personal VPN, and dedicated laptop with FDE, I have taken a leap forward in protecting my server, myself, and ultimately my future customer's data.

If you aren't storing financial info, it's not likely that any attack would be useful but it's good that you are taking steps to protect the information. The server would be the most important thing to keep secure but for everything you keep offline, the setup you describe would be secure enough.

Glad to hear!!

Thanks,


Debbie
post #17 of 21
Thread Starter 
Quote:
Originally Posted by Marvin View Post

Quote:
Originally Posted by DoubleDee View Post

I am trying to start a small business, and just finished building a website which holds customer data and also has an e-commerce portion (minus any financial info).

I feel by having a Hotspot, Personal VPN, and dedicated laptop with FDE, I have taken a leap forward in protecting my server, myself, and ultimately my future customer's data.

If you aren't storing financial info, it's not likely that any attack would be useful but it's good that you are taking steps to protect the information. The server would be the most important thing to keep secure but for everything you keep offline, the setup you describe would be secure enough.

I knew I forgot another question!

So WiTopia offers two different types of plans. Their "Basic" plan allows you to connect to their servers via: PPTP, IPSEC, and L2TP.

And their "Advanced" plan allows you to connect to their servers via: OpenVPN.


I was told by WiTopia that IPSEC would be the way to go for the "Basic" plan, but that it would require a Username and Password. (They said to just use my email, but I don't like that idea...)

(If I chose the "Advanced" plan - which costs more - you at least get a "certificate"?!)


My question is, "Now that I will need a Username/Password for my 1.) MacBook Pro, 2.) AT&T Mobile Hotspot, 3.) FileVault 2, and 4.) WiTopia what should I use??"

It will be hard enough for me to switch from my prior recycled *Password* to a new Pass-Phrase for just my MacBook, but having to manage the other account is insane?!


Others have told me to get one of those "Keychains", but my understanding is that they reside in memory, and so they would be susceptible to the attack we talked about earlier. (That would be really bad if someone performed a RAM attack and stole every Password/Pass-Phrase for every account I have?!)

Seems like a topic that could easily be a whole other thread... 1hmm.gif

Sincerely,


Debbie
post #18 of 21
Quote:
Originally Posted by DoubleDee View Post

Awesome link above!! In it the author mentions that some kind of PIN would prevent this type of attack. Did I understand that correctly?

If so, how would I set that PIN on my new MacBook Pro?

To setup the EFI password, you boot up from the recovery partition by holding command-r. Be careful not to forget that because it would need a hardware reset to get round it.
Quote:
Originally Posted by DoubleDee View Post

And would such a PIN also protect against other types of RAM attacks?

There isn't any other way to access the RAM except through the ports.
Quote:
Originally Posted by DoubleDee View Post

3.) I record a lot of radio shows on the weelends, and when I have to step away from my Mac, I don't want to miss the show. Is there a way to have it both ways, and leave my MacBook recording - using Audacity - in the background, but safe from RAM attackers?

The EFI password should let you do this but remember, this is a local attack. Someone would have to walk up to your laptop, plug a device in, dump the RAM, analyse the data and then unlock your machine on a separate occasion. It's not likely anyone will even know there's customer information on your laptop and if someone had physical access to your machine, they'd most likely take the laptop too.
Quote:
Originally Posted by DoubleDee View Post

My question is, "Now that I will need a Username/Password for my 1.) MacBook Pro, 2.) AT&T Mobile Hotspot, 3.) FileVault 2, and 4.) WiTopia what should I use??"

It will be hard enough for me to switch from my prior recycled *Password* to a new Pass-Phrase for just my MacBook, but having to manage the other account is insane?!

Your password for the Macbook Pro and Filevault 2 will be the same. It unlocks the disk and your account with the same password. That's actually another advantage over other full disk encryption software.

You will have a password for the hotspot but the Macbook Pro will remember it so you should only have to type that once. You'll only have two passwords to type in regularly at most.

Witopia is a good idea if you frequently use free unsecured wifi - if you were for example backing up a customer database in Starbucks, someone could capture the transfer or worse, server passwords - but it wouldn't be necessary for using with your hotspot. Their basic IPsec service would be fine if you do need it and if their software allows you to store your password in your account keychain, that would save you typing it. It doesn't matter if that password is in the keychain as it's just a password to use the service.
post #19 of 21
Thread Starter 
Quote:
Originally Posted by Marvin View Post

To setup the EFI password, you boot up from the recovery partition by holding command-r. Be careful not to forget that because it would need a hardware reset to get round it.

What is a "Hardware Reset"?

How would you do that?

Quote:
Originally Posted by Marvin View Post

Quote:
Originally Posted by DoubleDee View Post

And would such a PIN also protect against other types of RAM attacks?

There isn't any other way to access the RAM except through the ports.

So it sounds like this is another case where things get blown out of proportion?

I mean, if choosing an EFI Password is all you need to do to thwart RAM Attacks, that seems pretty straightforward, right?

Quote:
Originally Posted by Marvin View Post

The EFI password should let you do this but remember, this is a local attack. Someone would have to walk up to your laptop, plug a device in, dump the RAM, analyse the data and then unlock your machine on a separate occasion. It's not likely anyone will even know there's customer information on your laptop and if someone had physical access to your machine, they'd most likely take the laptop too.

So someone could walk up to mu unattended laptop, plug in some device to, say the FireWire Port, analyze things, and then when they tried to use the Encryption Keys that they got, the EFI Password would stop them cold?

No other ways around this for the hackers, right?

Quote:
Originally Posted by Marvin View Post

Your password for the Macbook Pro and Filevault 2 will be the same. It unlocks the disk and your account with the same password. That's actually another advantage over other full disk encryption software.

Great!

Quote:
Originally Posted by Marvin View Post

You will have a password for the hotspot but the Macbook Pro will remember it so you should only have to type that once.

I've been typing it in manually every time think that is more secure?

BTW, I love my new AT&T Hotspot, BUT am really disappointed about it from a device security standpoint...

It allows me to set an Admin Password, along with a Wi-Fi SSID and Password, however, there is no way to lock the device some someone couldn't just walk up and write everything down?! 1oyvey.gif

I'm not sure what to do other than make sure it never leaves my side. (And since I can't secure the Passwords, does it even do any good to use Pass-Phrases?! 1hmm.gif

Quote:
Originally Posted by Marvin View Post

Witopia is a good idea if you frequently use free unsecured wifi - if you were for example backing up a customer database in Starbucks, someone could capture the transfer or worse, server passwords - but it wouldn't be necessary for using with your hotspot.

Well, I was going to get it because the Hotspot provides security and WiTopia would provide privacy and prevent websites and AT&T from know where I surf to and tracing it back to my laptop's IP...

Quote:
Originally Posted by Marvin View Post

Their basic IPsec service would be fine if you do need it and if their software allows you to store your password in your account keychain, that would save you typing it. It doesn't matter if that password is in the keychain as it's just a password to use the service.

A few things...

1.) Does a personal need to choose both "strong" Username and "strong" Passwords for every Account and Device?

2.) Is it a major sin to re-use a Username (e.g. same between MacBook and WiTopia)?

3.) I had heard that using password management software was dangerous because it is stored in memory, and thus is susceptible to RAM attacks?

4.) If Keychains or whatever they are called are safe, then where are you supposed to store them?

If you save them on your computer, then it sorta defeats the purpose if you can't log in to your computer, right?

5.) How do you actually use a Keychain? Do you just open it up and look at or copy & paste the passwords, or what?


WiTopia recommends using my E-mail for the Username, but that seems like a bad idea for a couple of reasons (e.g. Privacy, Email Changes, Can't Change username Later)...

Thanks,


Debbie
post #20 of 21
Quote:
Originally Posted by DoubleDee View Post

What is a "Hardware Reset"? How would you do that?

You have to open up the machine:

http://www.youtube.com/watch?v=uKW84G2vQb8
Quote:
Originally Posted by DoubleDee View Post

So it sounds like this is another case where things get blown out of proportion?

I mean, if choosing an EFI Password is all you need to do to thwart RAM Attacks, that seems pretty straightforward, right?

Yes, it's pretty straightforward. I doubt many people do it though.
Quote:
Originally Posted by DoubleDee View Post

So someone could walk up to mu unattended laptop, plug in some device to, say the FireWire Port, analyze things, and then when they tried to use the Encryption Keys that they got, the EFI Password would stop them cold?

Disabling memory access means they don't get the keys.
Quote:
Originally Posted by DoubleDee View Post

I've been typing it in manually every time think that is more secure?

In a way it's less secure as someone could see you typing it in. It doesn't matter if the computer remembers the hotspot password.
Quote:
Originally Posted by DoubleDee View Post

It allows me to set an Admin Password, along with a Wi-Fi SSID and Password, however, there is no way to lock the device some someone couldn't just walk up and write everything down?!

They shouldn't be able to write anything down.
Quote:
Originally Posted by DoubleDee View Post

1.) Does a personal need to choose both "strong" Username and "strong" Passwords for every Account and Device?

Ideally but some things are more important than others and for trivial things, a long password is inconvenient.
Quote:
Originally Posted by DoubleDee View Post

2.) Is it a major sin to re-use a Username (e.g. same between MacBook and WiTopia)?

I wouldn't say so.
Quote:
Originally Posted by DoubleDee View Post

3.) I had heard that using password management software was dangerous because it is stored in memory, and thus is susceptible to RAM attacks?

It depends which passwords. Passwords that connect to your web server or database are more important to protect. Passwords that just connect to your hotspot are not that important. It comes down to what people can do with them if they got hold of them.
Quote:
Originally Posted by DoubleDee View Post

4.) If Keychains or whatever they are called are safe, then where are you supposed to store them?

The operating system stores them in files but you can see them if you open /Applications/Utilities/Keychain Access
Quote:
Originally Posted by DoubleDee View Post

5.) How do you actually use a Keychain? Do you just open it up and look at or copy & paste the passwords, or what?

When there's a password dialog, there are sometimes options to remember the password. If you select it, the details go into a keychain. Then, when it needs it again, it gets it automatically from the file without you typing it.
Quote:
Originally Posted by DoubleDee View Post

WiTopia recommends using my E-mail for the Username, but that seems like a bad idea for a couple of reasons (e.g. Privacy, Email Changes, Can't Change username Later)...

They probably said that as email addresses are already unique. If you pick a username, you have to guess one someone hasn't already taken and then you might end up with something harder to remember. It can be a privacy issue, some people do it on forums and that's not a good idea. I wouldn't do it for something where your email address would be published online but for services, it's not such a big problem.
post #21 of 21
Thread Starter 
Marvin,

Thanks for all of the help and insight!! 1smile.gif

(I'm going to kick all of this stuff around for a week or so, and then hopefully implement things!)

Sincerely,


Debbie
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Mac OS X
AppleInsider › Forums › Software › Mac OS X › Is there a "Back Door" in FileVault 2??