Take Control of Security for Mac Users (2015)
Prevent Data Loss and Theft
Most of the topics in this book address ways of protecting your data in one fashion or another. For example, you want to keep people from breaking into your accounts, from sniffing your Wi-Fi signals, and from using malware to collect private information. But I haven’t yet addressed two key pieces of data security—preventing loss and theft of your data while it’s stored on your Mac.
Perhaps I should explain what I mean by “loss” and “theft” here:
· Data loss is when you no longer have access to your own data. For example, a file you need (or a portion of a file) disappears from your disk, or is overwritten or damaged in such a way that you can no longer read it. The data is just gone—it doesn’t exist anymore.
· Data theft is when someone else gets access to your data illicitly. A curious thing about data theft is that—unlike with theft of physical objects—you usually still have your data after it’s been stolen! But the point is, it’s no longer under your exclusive control.
The way to prevent data loss is to have excellent backups. That way, no matter what catastrophe might wipe out data on your disk, it isn’t truly lost—you have a copy that you can restore easily. Backups are one of the most crucial security measures you can take—they’re a form of insurance. Just as you insure your home and your car so that, if they were to suffer theft or damage, you can put them right again, you insure your data with good backups.
Data theft can occur in many ways, as we’ve seen throughout this book, but what I’m thinking of here is data theft that results from losing physical control of your Mac. That is, someone steals your Mac, or uses it when you aren’t around, or picks it up from the train where you accidentally left it. Given access to your Mac, all your data is there for the taking. And the way to prevent that is with encryption.
Prevent Data Loss with Backups
You can back up your Mac’s data in numerous ways, using any of about 100 different backup apps. Each method and storage medium has its pros and cons, and everyone has different backup needs and preferences. Nevertheless, for most people, most of the time, I can summarize my backup recommendations in three steps: versioned backups, bootable duplicates, and offsite storage.
Note: I can only scratch the surface of backup options and strategies here. For the full treatment, read Take Control of Backing Up Your Mac.
Each of these elements solves a different type of problem, and only with all three together do I consider my data reasonably safe from loss. I recommend all three types of backup for anyone at Risk Level 2 or above. People at Risk Level 1 should still have backups, but if you have next to no personal files on your Mac, picking just one form of backup is a reasonable approach.
A versioned backup is one in which the backup app stores multiple versions of each file. When it runs the first time, it copies all the files you specify. Later, when the backup runs again, it copies only the files that are new or changed since the previous run, but it doesn’t delete the earlier files from your backup—even if they’ve been deleted from your Mac’s disk. Although Mac backup apps refer to this capability by a variety of names and implement it in many different ways, the key characteristic you’re looking for is the capability to recover your disk (or a particular file) to its state from a week or a month ago—even though your Mac has been backed up numerous times since then.
Here’s the basic problem versioned backups solve:
· You have a Very Important File.
· Something bad happens to that file. Maybe you delete it accidentally. Or you mistakenly delete a portion of the file before you save it. Or a buggy app deletes it. Or it becomes infected with malware. Or a random disk error damages it. Or a hacker breaks into your Mac and vandalizes your data.
· You don’t notice the problem with the file immediately.
· Then, your backup software runs (either automatically or at your explicit request), backing up your files so that your backup disk contains exactly what’s on your main disk. That means if the file was missing or damaged on your main disk, it’ll be missing or damaged in the backup, too.
· You discover that the file is gone or damaged. And you go to your backups, but…oops! Because of the last point, no help there.
This is a simplification. In fact, versioned backups can solve lots of problems, but the point is that if your only backup(s) merely duplicate the latest contents of your disk, your data is seriously at risk—from hackers, from random errors, and most importantly, from yourself!
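To make the difference between a plain mirror and a versioned backup concrete, here is an added example that is not code from the book or from any backup app it names: a toy versioned backup in Python that keeps one directory per run, hard-links unchanged files to the previous run, and replays the exact scenario above (file damaged, backup runs, good copy recovered from the older snapshot). The layout and the size-plus-mtime change test are assumptions, loosely modelled on how Time Machine stores its backups.

```python
"""A toy versioned backup: every run writes a new snapshot directory and
never removes the earlier ones, so a file that was damaged or deleted before
a run can still be recovered from an older snapshot. Added illustration, not
code from the book; the layout (one directory per run, unchanged files
hard-linked to the previous snapshot) is an assumption, loosely modelled on
how Time Machine stores its backups."""
import os
import shutil
import tempfile
from pathlib import Path


def _regular_files(root):
    """Yield every regular file below root, as a path relative to root."""
    for p in sorted(root.rglob("*")):
        if p.is_file():
            yield p.relative_to(root)


def run_backup(source, dest):
    """Write the next snapshot of source under dest and return its path.

    A file whose size and mtime match the copy in the previous snapshot is
    hard-linked to that copy instead of being copied again, so keeping old
    versions costs almost no extra space. Files deleted from source are
    simply absent from the new snapshot; nothing is ever removed from dest.
    (A real backup tool would also compare checksums.)
    """
    dest.mkdir(parents=True, exist_ok=True)
    snapshots = sorted(p for p in dest.iterdir() if p.is_dir())
    previous = snapshots[-1] if snapshots else None
    snapshot = dest / "snapshot-{:04d}".format(len(snapshots))
    snapshot.mkdir()
    for rel in _regular_files(source):
        src, out = source / rel, snapshot / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        old = previous / rel if previous is not None else None
        if old is not None and old.is_file():
            a, b = src.stat(), old.stat()
            if a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime):
                os.link(old, out)      # unchanged: share the stored copy
                continue
        shutil.copy2(src, out)         # new or changed: store a fresh copy
    return snapshot


def versions_of(dest, rel):
    """Every stored version of one file, oldest first."""
    return [s / rel for s in sorted(dest.iterdir()) if (s / rel).is_file()]


def restore(dest, rel, target, version=-1):
    """Copy one stored version of rel to target and return its bytes.
    version indexes versions_of(): -1 is the newest, 0 the oldest."""
    shutil.copy2(versions_of(dest, rel)[version], target)
    return Path(target).read_bytes()


def demo():
    """Replay the scenario from the text: back up, damage one file and delete
    another, back up again (the newest snapshot now holds the damaged file,
    exactly as a mirror-style backup would), then recover the good copy
    from the earlier snapshot. All data here is constructed."""
    work = Path(tempfile.mkdtemp())
    source, dest = work / "home", work / "backups"
    source.mkdir()
    good = b"quarterly report, final draft"
    (source / "important.txt").write_bytes(good)
    (source / "notes.txt").write_bytes(b"misc")
    run_backup(source, dest)
    (source / "important.txt").write_bytes(b"")   # buggy app truncates it
    (source / "notes.txt").unlink()                # accidental deletion
    run_backup(source, dest)                       # damage gets backed up too
    result = {
        "important_versions": len(versions_of(dest, "important.txt")),
        "newest_is_damaged": versions_of(dest, "important.txt")[-1].read_bytes() == b"",
        "notes_versions": len(versions_of(dest, "notes.txt")),
        "recovered": restore(dest, "important.txt", source / "important.txt", 0),
    }
    shutil.rmtree(work)
    return result
```

With only the newest snapshot (a mirror), `important.txt` would be an empty file and `notes.txt` would be gone for good; the older snapshot is what makes the recovery possible.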
Fortunately, there’s nothing exotic about versioned backups—nowadays this type of operation is standard in the vast majority of Mac backup apps, including Time Machine, Prosoft Data Backup, Retrospect, CrashPlan, and dozens more. For the most part, as long as you’re using an app that supports versioned backups, you set it up—often as simple as specifying what you want to back up (or, in some cases, what you want to skip) and where you want to store your backups (typically on an external hard drive). And then you let it run.
Note: To learn about the wide variety of Mac backup apps, including detailed feature comparison tables, see my online appendixes.
Some backup apps work continuously, backing up any new or modified files as soon as you save them. Others run automatically on a schedule—say, once an hour. And some make you specify an explicit schedule, like every 4 hours or every day at midnight. If your versioned backup software gives you a choice of how often to run, don’t skimp—if you use your Mac every day, backing up every few hours is not too often. I’d consider once a day a bare (and barely passable) minimum.
Since I don’t know which software you’ll use for versioned backups, I can’t tell you exactly how to use it. But if you’re unsure or find the selection process daunting, the path of least resistance is to use Time Machine, since it’s built into OS X. It’s not the fastest, most flexible, or most transparent backup app, but it’s a million times better than nothing. To get started with Time Machine:
1. Attach a new (or freshly erased) hard drive to your Mac.
2. If a prompt appears asking whether you’d like to use the new drive for Time Machine, click Use as Backup Disk, and you’re done. Otherwise, continue with…
3. Open System Preferences > Time Machine.
4. Click Select Backup Disk.
5. Select the newly attached external drive.
6. Click Use Backup Disk.
Time Machine then runs automatically every hour. You can restore files, if need be, by opening /Applications/Time Machine, navigating to the location and time you want, selecting one or more files, and clicking Restore.
Note: When you select a disk, you can optionally select Encrypt Backups (or Encrypt Backup Disks) and supply a password when prompted to encrypt your Time Machine backups. This is a good idea, especially if you also encrypt your disk with FileVault (see FileVault).
Versioned backups can solve a lot of problems, and if you happen to use software (such as Time Machine) that backs up your entire disk—not just selected folders—then you can restore your whole disk to an earlier state if something goes dreadfully wrong. I’m talking about problems that take out more than just a few files—things like disk crashes or malfunctions, the loss or theft of your Mac, or major errors that occur while upgrading to a new version of OS X.
Unfortunately, restoring an entire disk can take anywhere from several hours to a day or more (depending on the size of the disk, the speed of the computer, the type of backup drive you have, and so on). During that time, you won’t be able to use your Mac for anything else. So, if you happen to suffer a disk crash first thing in the morning, forget about getting any work done that day.
This problem—combined with the fact that many otherwise great versioned backup apps don’t back up every single file on your Mac in such a way that the entire disk could be restored later—leads me to recommend a second type of backup: the bootable duplicate.
A bootable duplicate (sometimes called a clone) is just what it sounds like: a complete, exact copy of everything on your Mac’s main startup volume, stored on an external drive in such a way that you can start your Mac from the backup if necessary. Once you’ve done that, you can continue working normally. You’ll lose a few minutes of work time rather than hours or more. And then you can restore your entire disk at your leisure—overnight, say.
I want to repeat here, because I know there’s some confusion about this fact, that Time Machine does not create bootable duplicates, even though it does, by default, back up every file on your disk. In some configurations, you can indeed boot a Mac from its Time Machine backup volume (using Recovery Mode), but that doesn’t mean you can use your Mac or access all your files; you have to wait out the restoration process before you can get back to work.
Numerous Mac backup apps can create bootable duplicates if you configure them just so, but two apps in particular specialize in bootable duplicates and do an outstanding job—Carbon Copy Cloner (my personal pick) and SuperDuper. (For further options, consult the online appendixes.)
Both apps are easy to use. You pick the source and destination drives, optionally customize a few settings, and click a button. You can (and should) also instruct the software to run on a schedule, updating your bootable duplicate at regular intervals.
Tip: If your external hard drive is large enough, you can use Disk Utility to create two partitions, and then store versioned backups on one and a bootable duplicate on the other.
Some backup apps attempt to give you the best of both worlds by combining bootable duplicates and versioned backups in a single operation. For example, Carbon Copy Cloner has an option to create a bootable duplicate while moving any old or deleted files from the destination into a special archive folder. That gets the job done, although the process of finding and restoring individual files from that sort of archive is far more cumbersome than using something like Time Machine. Still, if you’re looking for maximum simplicity and want to economize on backup hardware, something like that may be a viable option.
The third component your backup plan needs in order to provide essential security is offsite backups—an extra backup (or two!) stored somewhere far from your Mac.
Picture this: You scrupulously create versioned backups and bootable duplicates, updating them multiple times a day, and storing them on a nice, fast hard drive you keep connected to your Mac. And then… your home or office suffers a fire, flood, tornado, earthquake, burglary, or some other disaster. Your Mac is gone—and so are your backups! (And, if your backup disks were stolen and not encrypted, you have an additional problem: now all your data is in someone else’s hands. It’s always preferable to encrypt your backups.)
For this reason, I strongly suggest having a backup of your backup, and keeping it someplace where it won’t be jeopardized by any of the threats that your Mac itself may face.
One way to do this—the hard way—is to have an extra hard drive or two on which you store backups, rotate one of these every week or so to another physical location (a safe deposit box, a friend’s house, or whatever), and retrieve the earlier backup stored offsite so that you can update it the next time your backups run. There’s nothing wrong with this approach except that it’s time- and labor-intensive, and your offsite backup will always be farther out of date than your local backup.
A far easier way is to use a secure, cloud-based backup system such as Backblaze, CrashPlan, or DollyDrive. With one of these services (or any of dozens of competitors), you install a backup app that encrypts your data locally, sends it to a secure server somewhere else in the world, and automatically updates your backup as your files change. Prices for such services tend to run about $5 per month for unlimited data from a single computer, although multi-year and multi-computer plans can bring the cost down. You don’t have to worry about hardware, shuttling equipment around, or remembering to swap drives. And your data is still protected if something wipes out your local backups.
Note: As a bonus side-effect of storing your backups in the cloud, most online backup services offer remote access to your files using the Web or a mobile app. So you could, for example, grab an important file you left at home by fetching a backup from the cloud using the provider’s iOS app.
For all their advantages, cloud backups aren’t perfect, and aren’t ideal for everyone. For one thing, your initial backup could easily take weeks, even with a fast broadband connection. (Some companies let you bypass this lengthy process by sending them a hard drive containing your first full backup—this is called seeding.) Similarly, restoring large amounts of data over the Internet can take a long time (again, you can often get a copy sent overnight on a hard drive—for a price). And although online backup services use heavy-duty encryption, some of them hold the encryption key themselves, making it possible for them to access your data. (With CrashPlan, my personal pick, you can choose any of three types of security—one of which lets you use a private encryption key that isn’t available to the company.)
Cloud backups alone aren’t a very good idea, either. There’s the speed issue, of course, but also the fact that you can’t have a bootable online backup. Even if you weren’t concerned about speed and decided to use online backups in lieu of a local, versioned backup, you’d still want to have a bootable duplicate.
By the way, I mentioned earlier, in the sidebar About Ransomware, that a rare type of malware can encrypt everything on your disk, holding your data for ransom—the attacker won’t give you the key to decrypt it unless you pay big bucks. In theory, ransomware could also affect data on external disks connected to your Mac at the time it took effect. But it can’t affect backups already stored in the cloud and definitely can’t get to a disk you’ve physically moved offsite. That’s yet another argument for offsite backups—they let you recover from ransomware by wiping your disk (removing its encrypted contents plus the ransomware itself) and restoring everything from an uninfected source. Of course, if your offsite backup is stored in the cloud and thus isn’t a bootable duplicate, restoring an entire disk won’t be so simple. I say more about this in Recover from Malware.
Prevent Data Theft
If your Mac should fall into the hands of a thief or snoop, or if someone else has the opportunity to use your Mac when you’re not present, you run the risk of data theft in its most blatant form—someone reading all your files directly from your disk. That unauthorized person can see your email, bank statements, medical records, business secrets, browsing history, and any other information on your Mac that you may prefer to keep private.
Fortunately, the solution is simple—encrypt the data on your disk so that it’s completely useless to anyone who doesn’t have your password.
Note: Like every other security measure you might use, strong encryption can be foiled by a weak password. Make sure your passwords are up to snuff—see Improve Your Passwords.
Anyone at Risk Level 1 can ignore encryption—it’s not worth the extra effort if you truly have nothing to protect. On the other hand, those at levels 3 and 4 should encrypt everything without hesitation. If you’re at level 2, it’s more a matter of your personal comfort—you can decide for yourself whether the benefits outweigh the (minor) inconvenience.
In the pages ahead, I discuss several approaches to encryption (using FileVault or a third-party whole-disk encryption app, creating encrypted disk images, and using software that encrypts individual files and folders), as well as the related topic of secure deletion.
FileVault is a security feature built into OS X that can encrypt the entire contents of your Mac’s startup volume. That might sound like overkill—after all, there are lots of ways to encrypt individual files and folders instead (and I’ll mention a few later in this chapter). But FileVault is a better option for most people.
FileVault’s approach, which is sometimes called Full-Disk Encryption (FDE) or Whole-Disk Encryption (WDE), is simpler for you because a single password—your login password, by default—locks and unlocks everything, and most of the time you can interact with your disk exactly as you did when it wasn’t encrypted. (After its initial encryption pass, FileVault has virtually no effect on your Mac’s performance.) It’s also safer because there’s no chance you’ll forget to encrypt a particular file, or that you’ll leave behind an unencrypted copy afterward.
As soon as you turn off your Mac, everything is automatically locked securely. And a thief won’t be able to see anything on your disk—not even how many files you have or what their names are.
I want to emphasize that last point—FileVault gives your data excellent protection when your Mac is turned off, but zero protection after it’s turned on and you’ve logged in. (When your Mac is asleep, your data is reasonably safe, but attacks are at least theoretically possible—and you have more to worry about if you’re a Risk Level 4 person who might be targeted individually.) The assumption is that if someone has entered your password, that someone must be you, and you shouldn’t have to jump through any additional hoops to access your own data.
But there are some in-between states (besides your Mac being off, or on with you logged in)—for example:
· Logged out: If you log out of all accounts (Apple > Log Out Username) without shutting down or sleeping, you can’t access anything on your disk until someone logs in. That means there’s a nice, sturdy gate across the door, as it were—but technically, it’s not completely secure because the FileVault encryption key is still stored in RAM. In the past, situations have arisen in which FileVault was found to be vulnerable during this phase, and although I don’t know of any current vulnerabilities of this type, I wouldn’t rule out the possibility.
· Sleep: When you put your Mac to sleep (or it goes to sleep automatically) with FileVault enabled, you’ll need to enter a password to wake it up, just as when you’re logged out, but again, the encryption key is in RAM, so someone with physical access to your Mac could theoretically find a way to access it.
· Hibernation: Notebook Macs can enter a state called hibernation after they’ve been asleep for a while—the contents of RAM are copied to your disk or SSD, and power to the RAM is turned off. This is safer than sleep, but not entirely invulnerable.
In other words, FileVault is nearly bulletproof only when your Mac is off (even if someone removes your disk) and—in combination with OS X’s other security features—pretty darn good when you’re logged out or your Mac is asleep or hibernating. When you’re logged in, you (not FileVault) are in charge of securing your Mac.
Note: FileVault is easy to enable, but there are a number of options, special cases, and extra features you may want to know about. I cover all this, as well as supplying an extensive FAQ, in my book Take Control of FileVault.
Here are the basic steps to enable FileVault in Yosemite (Mavericks and earlier are a bit different):
1. If any other users are logged in using Fast User Switching, switch to those accounts (or have the other users do so) and log out—you should be the only user logged in when you complete these steps.
2. Go to System Preferences > Security & Privacy and click FileVault (Figure 14).
Figure 14: Click Turn On FileVault to begin the process of activating FileVault.
3. If the lock icon is locked, click it and enter your login password to unlock it.
4. Click Turn On FileVault.
5. You see a dialog (Figure 15) asking whether you want to use your iCloud account to unlock your disk or create a recovery key.
Figure 15: Choose a recovery method in this dialog.
Here’s what these options mean:
§ Allow my iCloud account to unlock my disk: If you forget your login/FileVault password, you can use your iCloud password to reset it. This is the simplest method, but it also means that someone who obtained both your Mac and your iCloud password could decrypt your disk. If you select this method, next click Continue. Then, if you have two or more user accounts on your Mac, follow the prompts to grant other users access (if you want to) and click Continue again.
§ Create a recovery key and do not use my iCloud account: If you forget your password, you can use a 29-character recovery key to unlock your Mac’s disk. This is more secure in the sense that your iCloud password won’t be doing double duty, but it’s also riskier in the sense that you must remember that recovery key, because if you lose both that and your password, you’re totally out of luck. If you select this method, click Continue, write down the key provided (and put it in a safe place), and then click Continue again.
6. Click Restart.
When your Mac reboots, the first thing you see is a login screen with icons for each of the users authorized to unlock FileVault. Click a username (if there’s more than one), enter the corresponding password, and press Return.
Once your Mac finishes booting (which may take longer than usual), the encryption process continues in the background until it’s done. You can use your Mac however you like—run apps, create documents, log out, or even restart—and FileVault will do its best to stay out of your way. You may notice slower performance, and extra fan noise and heat, during the encryption process. FileVault’s initial encryption run can take anywhere from an hour to a day, depending on the type, size, and speed of your storage. If you’re concerned, just let it run overnight.
Other Encryption Options
FileVault is great for what it does, but I wouldn’t pretend that it solves all encryption problems—or even all encrypted file-storage problems for Mac users. After all, FileVault doesn’t protect your data at all when you’re logged in to your Mac, and it doesn’t protect files you might want to share with other people. There are numerous other uses for encryption you may want to explore, too. For such situations, you can add or substitute other forms of encryption.
Third-Party Full-Disk Encryption
Third-party apps such as Check Point Full Disk Encryption and Symantec Endpoint Encryption offer features roughly similar to FileVault, but with more of an enterprise focus. Their main priority is convenient, cross-platform institutional management. There’s nothing wrong with that, but these tools aren’t the sort of things that individual users would typically buy and install on their own Macs.
Encrypted Disk Images
Most Mac users are familiar with disk images—files that, when you double-click them, mount as if they were removable storage. A great deal of Mac software is distributed on disk images, because they make packaging convenient and compact.
You can easily create your own disk images using Disk Utility, and you have the option to encrypt them. In so doing, you can make a container on your disk that securely holds any files or folders you like, and which can still be locked even when FileVault is unlocked.
To create an encrypted disk image:
1. Open Disk Utility (in /Applications/Utilities).
2. Choose File > New > Blank Disk Image (or click New Image on the toolbar). (Alternatively, to create a disk image from an existing folder, choose File > New > Disk Image from Folder and select the folder you want to use.)
3. Fill in the filename (the name of the disk image in the Finder), location to save the file, volume name (the name of the disk image’s mounted volume), and maximum size; leave the format as Mac OS Extended (Journaled).
4. Choose either 128-bit or 256-bit AES encryption from the Encryption pop-up menu. As the menu says, 256-bit AES is more secure, but slower (when creating, opening, and saving data). Leave Partitions set as it is.
5. From the Image Format pop-up menu, choose either Read/Write Disk Image (for a fixed-size disk image), Sparse Disk Image (for a variable-size disk image), or—my favorite option—Sparse Bundle Disk Image (which can vary in size and is friendlier to backup software such as Time Machine).
6. Click Create. Then enter and verify a password. Before you click OK, consider deselecting Remember Password in My Keychain. Storing the password in your keychain is more convenient (you won’t have to enter the password to mount the disk), but that convenience would extend to anyone else who had access to your computer while you’re logged in (which kind of defeats the purpose).
7. Now click OK.
Your new disk image appears in the designated location. It mounts automatically so you can begin storing files on it immediately.
To eject (and thereby lock) the disk image, click the eject icon next to it in the sidebar of any Finder window, or drag the mounted volume icon (not the disk image file itself!) to the Trash, which turns into an eject icon.
To reopen the disk image later, double-click it, enter the password, and click OK. Again, I suggest avoiding the temptation to select Remember Password in My Keychain.
File and Folder Encryption
Encrypted disk images are easy to make and highly secure. But you may prefer to encrypt individual files or folders without having to create and manage disk images manually. Fortunately, numerous third-party encryption tools can do this sort of thing. Here are a few examples (for more, search for “encryption” in the Mac App Store):
· 1Password: Although primarily a password manager, 1Password lets you attach files to any login or note item. They’re encrypted along with your other data and can sync across devices and platforms.
· Espionage: Espionage lets you encrypt individual folders by drag-and-drop; it also hides those encrypted folders so they’re not visible in Finder windows. You can even set it to automatically lock a folder after a period of inactivity.
· Hider 2: This app creates an encrypted database on your disk, adds to it whatever files and folders you want to protect, and then securely erases the originals.
· Knox: From the makers of 1Password, this app uses encrypted disk images (like the ones Disk Utility makes), but gives you an easier way to create, organize, and manage them.
Except for 1Password, the apps above are Mac-only. So they won’t help you sync encrypted files across platforms, and even 1Password doesn’t let you send an encrypted file to someone else. (If the other person is a Mac user, you can send an encrypted disk image, but those won’t work on a Windows or Linux PC, or even on an iOS device.)
Here are a few examples of cross-platform tools you can use for encrypting and decrypting files:
· Boxcryptor: This utility can run on a Mac or Windows PC, or on an iOS, Android, BlackBerry, or Windows Phone device. It lets you selectively encrypt items in your Dropbox (or other cloud storage). You can even share an encrypted folder, as long as the other users also have Boxcryptor installed.
· GNU Privacy Guard: This cross-platform implementation of the OpenPGP public-key encryption standard lets you encrypt files and email messages in such a way that others with compatible software can decrypt them. The Mac version is called GPGTools.
· WinZip: Despite its name, WinZip is available for both Mac OS X and Windows. It lets you compress and/or encrypt individual files and folders, which you can then send by email or share in other fashions. Anyone with a copy of WinZip and the item’s password can then decrypt it.
Deleting files may not mean what you think it means. Deleting a file (for example, by putting it in the Trash and then emptying the Trash) doesn’t erase the file from your disk or SSD. It simply makes a change to the disk’s catalog indicating that the space occupied by that file is available and can be overwritten with something else if and when necessary. As a result, even if you’ve deleted a file, someone using file-recovery software could potentially undelete it later, as long as no other file has been stored in exactly the same spot since then.
Moreover, with hard disks (as opposed to SSDs), even overwriting a file isn’t a guarantee that the previous file can’t be recovered. With specialized equipment, it’s sometimes possible to retrieve old versions of files that have been overwritten one or more times with new data. It’s painstaking, technically challenging, and expensive work—which means it would happen only when the stakes are quite high—but it can be done.
I bring all this up under the heading of data theft because it’s possible (although unlikely) that a sufficiently motivated thief could—with physical access to your Mac—dredge up old data that you thought was erased or encrypted long ago. This is somewhat less of a worry if you use FileVault, but if you encrypt individual files, folders, or disk images, the originals (which you likely deleted after encrypting them) could still be retrievable.
OS X includes three methods to deal with this problem:
· Secure Empty Trash: Instead of choosing Finder > Empty Trash, choose Finder > Secure Empty Trash. Doing so causes OS X to overwrite the files (once), not merely delete their catalog entries.
· Secure Erase: When erasing a disk or volume, you can overwrite everything that had been on it. Open Disk Utility (in /Applications/Utilities), select the volume, and go to Erase > Security Options. Move the slider to the desired level of security and click OK; then click Erase. The slider has four notches:
§ Fastest: Regular erase—doesn’t overwrite the data.
§ One-pass (second notch): Overwrite the data once with zeroes.
§ Three-pass (third notch): Overwrite the data three times—twice with random data, and once with non-random data.
§ Most Secure: Overwrite the data seven times.
The three-pass and Most Secure options can take a long time, and are necessary only in extreme cases, but if you want to make it all but impossible for someone to recover a file, you can.
· Erase Free Space: To securely overwrite all existing free space on your disk (including files you’ve previously deleted), open Disk Utility, select the volume, and go to Erase > Erase Free Space. Move the slider to the desired level of security (Fastest is one-pass, Most Secure is seven-pass, and the middle setting is three-pass) and click Erase Free Space. This does not erase any visible files, so it’s safe to use on an active volume.
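What Secure Empty Trash and the security slider actually do is overwrite the file’s blocks before releasing them. Here is an added example, not code from the book or from OS X, that performs the same overwrite-then-delete on a single file in Python, using the pass patterns described above (one pass of zeroes; three passes of random, random, then a fixed pattern); the fixed byte used for the non-random pass is an assumption. One caveat worth knowing: on an SSD the controller’s wear levelling may write the new data to different physical blocks, so an overwrite of this kind does not reliably destroy the old copy there, which is one more reason FileVault matters on flash storage.

```python
"""Overwrite-before-delete, the operation behind Secure Empty Trash and the
Disk Utility security slider. Added illustration, not code from the book or
from OS X. Pass patterns follow the text: one pass of zeroes, or three
passes (random, random, then a fixed pattern; the 0x55 byte is assumed).
Meaningful on a hard disk; on an SSD wear levelling can leave the original
blocks untouched, so whole-disk encryption is the real answer there."""
import os
import tempfile
from pathlib import Path

ONE_PASS = [b"\x00"]                        # second slider notch: zeroes once
THREE_PASS = ["random", "random", b"\x55"]  # third notch: 2x random, 1x fixed
CHUNK = 1 << 16                             # overwrite in 64 KiB pieces


def overwrite_file(path, passes):
    """Overwrite path in place once per entry in passes and return the number
    of bytes written per pass. Each pass is flushed and fsync'd so the data
    reaches the device before the next pass starts (otherwise the OS could
    merge the passes in its cache and only the last one would hit the disk)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                block = os.urandom(n) if pattern == "random" else pattern * n
                f.write(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path, passes=ONE_PASS):
    """Overwrite the contents, truncate (so the catalog no longer records the
    original length either), then remove the directory entry."""
    written = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return written


def demo():
    """Write a file with recognisable (constructed) contents, overwrite it once
    with zeroes, confirm the old bytes are gone, then securely delete it."""
    d = Path(tempfile.mkdtemp())
    target = d / "draft.txt"
    secret = b"account number 4242, do not share\n" * 3000   # 102000 bytes, > one chunk
    target.write_bytes(secret)
    per_pass = overwrite_file(target, ONE_PASS)
    after_pass = target.read_bytes()          # what a recovery tool would now see
    secure_delete(target, THREE_PASS)
    removed = not target.exists()
    os.rmdir(d)
    return {
        "bytes_per_pass": per_pass,
        "zeroed": after_pass == b"\x00" * len(secret),
        "secret_gone": secret[:20] not in after_pass,
        "file_removed": removed,
    }
```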