Mac 101: 7 tips for Data Privacy Day 2009

Today is Data Privacy Day, a global initiative to highlight information security rights and practices, especially among teens, professionals, corporations, and the government.

As part of the celebration, TUAW (along with our sister blog Download Squad) has seven good ideas for you about how to keep your data safe and away from prying eyes with Mac OS X Leopard. Also, be sure to browse TUAW articles filed under Security for other tips and alerts about keeping your data safe.

1: Turn on your firewall

Leopard, as we all know, comes with a built-in firewall to prevent other computers from connecting to internet-facing ports on your computer. But: Did you know it's turned off by default?

To turn on your firewall, open System Preferences, and click the Security icon. Then, click the Firewall tab. Select either "Allow only essential services" or, to choose for yourself, "Set access for specific services and applications."

You can also use "Stealth Mode": when enabled, computers that send data to blocked ports won't even get acknowledgement that the data was received. To enable Stealth Mode, click the Advanced button on the Firewall tab of the Security preference pane, and click the check box next to "Enable Stealth Mode."

2: Set a screen saver password

In a feature popular with Windows users, Mac OS X can also lock your screen when your computer sleeps or when the screen saver comes on. Simply open System Preferences, select Security, and choose the General tab. Click the check box next to "require password to wake this computer from sleep or screen saver," and you're all set.

If you have automatic login enabled and click the "require password" check box, Mac OS X will recommend that you disable automatic login. This means you'll have to enter your password to turn your computer on, too; nefarious nogoodniks won't be able to restart your Mac while the screen saver is on to circumvent the need for a password. Good thinking.

3: Use encrypted disk images

I use Quicken to manage what little finances I have. The version of Quicken I use (Quicken 2006 -- I know, I need to upgrade) stores its data in an unencrypted file on my hard disk. ¡No es bueno! What can we do to protect that information? We can keep it on an encrypted disk image.

To create an encrypted disk image, start Disk Utility (which lives in /Applications/Utilities). Click the New Image button in the toolbar, or from the menu bar, choose File > New > Blank Disk Image.

Once you choose a name and location to store the disk image, a size, and a format, make sure to select strong 256-bit encryption for your image (though for large disk images, 128-bit encryption can be faster). Make sure also that the image format allows you to both read and write to the disk image. Then, click Create.

You can copy whichever files you want to store securely onto the disk image. Once that's done and the disk image is unmounted, your data is safely stowed away on your hard disk. To use data on the disk image, simply double-click it to mount it first.

But what to do with the files you just copied that still live on your hard disk? Securely delete them, of course!

4: Delete your files securely

When you delete a file from your hard disk, the file still exists on the physical drive: it's just hidden from view, and the system can write over the file if it needs to. But if there's a file you need to delete and make sure it can't be recovered, Secure Empty Trash is for you.

It couldn't be easier to use: From the Finder menu, choose "Secure Empty Trash." It takes a little longer than emptying the Trash regularly, because the Finder writes data over the top of the files you just deleted. Think of it as not only erasing a pencil mark, but also obliterating it with White-Out.
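To make the difference concrete, here is an added example (not part of the original article) that models a disk as a flat byte array plus a catalog and then scans the raw bytes for file signatures, the way recovery tools do. `ToyVolume`, `carve` and the sample "statement" are constructed for illustration; this is not how HFS+ is laid out on disk.

```python
# Added illustration: a toy "volume", not a real filesystem.
BLOCK = 512

class ToyVolume:
    def __init__(self, blocks=64):
        self.raw = bytearray(BLOCK * blocks)  # what is physically on the disk
        self.catalog = {}                     # name -> (offset, length): what the Finder lists
        self.next_free = 0

    def write_file(self, name, data):
        offset = self.next_free
        if offset + len(data) > len(self.raw):
            raise ValueError("volume full")
        self.raw[offset:offset + len(data)] = data
        self.catalog[name] = (offset, len(data))
        # advance to the next block boundary
        self.next_free = offset + -(-len(data) // BLOCK) * BLOCK

    def delete(self, name):
        """Ordinary Empty Trash: drop the catalog entry, leave the bytes."""
        del self.catalog[name]

    def secure_delete(self, name):
        """Secure Empty Trash model: overwrite the extent, then drop the entry."""
        offset, length = self.catalog.pop(name)
        self.raw[offset:offset + length] = bytes(length)

def carve(raw, header=b"%PDF-", footer=b"%%EOF"):
    """Signature carving: recover header..footer runs with no catalog at all."""
    found, pos = [], 0
    while (start := raw.find(header, pos)) != -1:
        end = raw.find(footer, start)
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(footer)]))
        pos = end + len(footer)
    return found

# Constructed sample document; the account data is made up.
SAMPLE = b"%PDF-1.4\nacct=CONSTRUCTED-0001 balance=12.34\n%%EOF"

def demo():
    vol = ToyVolume()
    vol.write_file("statement.pdf", SAMPLE)
    vol.write_file("copy.pdf", SAMPLE)
    vol.delete("statement.pdf")      # hidden from view, bytes untouched
    after_delete = carve(vol.raw)    # both copies are still readable
    vol.secure_delete("copy.pdf")    # bytes overwritten with zeroes
    after_secure = carve(vol.raw)    # only the plainly deleted copy remains
    return list(vol.catalog), after_delete, after_secure

if __name__ == "__main__":
    names, after_delete, after_secure = demo()
    print(names, len(after_delete), len(after_secure))
```

The model covers only the bytes at the file's own location; copies in backups, swap, or application caches have to be dealt with separately.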

5: Erase old hard disks securely

If that old bondi-blue iMac is finally going to Goodwill, you'll want to make sure that its hard disk is well and truly erased before putting it on the truck. Similar to emptying the Trash, erasing a hard disk can sometimes leave traces of files on the drive, and possibly leave sensitive files recoverable. Make sure your data is completely wiped from that hard disk by securely erasing it with Disk Utility.

With Disk Utility, select the disk in the source list, and then choose the Erase tab. After choosing a format and a name for the erased disk, click the Security Options button.

There are three degrees of secure erasitude -- each more secure than the last. "Zero Out Data" works like "Secure Empty Trash" -- writing a single layer of zeroes over the top of whatever is on the disk. If a single pass still sounds risky, a "7-Pass Erase" repeats this process seven times: Good enough for the U.S. military. For the truly paranoid, "35-Pass Erase" zeroes out all the data on the disk 35 times.

Each pass takes a while to write (depending on the size of the disk), so setting this process up to run overnight (or over a weekend) isn't a bad idea. The time it takes, though, is a small price to pay to prevent someone from stealing your sensitive information.

6: Encrypt your home folder

Laptops and the forgetful (like me) are often a terrible mix. Leaving your laptop in a café or at an airport checkpoint can be the beginning of a terrible day. But with good backups and FileVault, things might not be so bad.

FileVault encrypts your entire home folder, much like an encrypted disk image. Without your master password, your home folder is gobbledegook to prying eyes after your important data. To turn on FileVault, open System Preferences and click the Security icon. Then, click the FileVault tab.

First, set a strong master password -- different from your login password -- that you can remember in case you forget your login password. You might even write it down and keep it in a safe deposit box at the bank. Do this first by clicking the "Set Master Password" button.

Then you can turn on FileVault. Enabling FileVault takes some time (depending on the size of your home folder). It might be a good task to run overnight. Once it's turned on, the contents of your home folder are available only to you with either your login password or the master password you just set.

Several commenters have noted that using FileVault can be a little troublesome in certain circumstances. Also, note that using encrypted disk images and FileVault is unnecessarily redundant, so feel free to choose which one is right for you. Thanks, all!

7: Browse the Web safely

There are lots of reasons to buy a Mac, and freedom from the popups and malware that Windows web browsers fall prey to is one of them. Since you're already using Safari or Firefox, you've taken a good first step in browsing safely. But there's more to do.

In Safari, you'll want to make sure files don't automatically open after you download them. From the Safari menu, choose Preferences. In the General section, make sure the "Open 'safe' files after downloading" check box is not checked. That way, you can rest assured Safari won't automatically unwrap any presents you don't want.

The best and easiest advice for browsing the web doesn't even require software: Slow down, and think about what you're downloading. If you have any doubts about the website you're on (whether it's trustworthy, honest or otherwise forthright), close the browser window straight away.

If you've clicked a link and something mysterious has begun to download, don't panic: If you followed my advice above (about Safari's "safe" files setting), you have nothing to fear. Simply find the file on your hard disk (usually in your Downloads folder or on your Desktop) and throw it in the Trash. Easy peasy.

There are plenty of internet tools to disguise your identity online, too, and erase any path you may have taken to where you are now. An excellent list by Alisa Miller is available here.

Be safe out there!

Many -- myself included -- are cynical about data privacy. With so much information about us online, privacy is not anonymity, and both are something of an illusion. If you're truly worried about someone getting their hands on something of yours, don't keep it on a computer at all. Write it down, and keep it locked away.

Even so, with these few simple steps, you can try and protect yourself at least. As Mad-Eye Moody says, constant vigilance! is your task when it comes to securing your data.



34 Comments

Dave

Due to the fact that over time, MACs will tend to have a much lower likelihood of getting a virus, people do not take proper precaution and always work behind a firewall.
This puts data at severe risk more often than a PC would.

February 10 2009 at 11:29 PM
Shahryar

I had a question on something I wanted to do. I have a bunch of files on a Western Digital External hard drive and I wanted to gradually pull them onto my laptop. It's annoying to plug in, connect, etc on my laptop so what I wanted to do was leave my Western Digital External Hard drive connected to my Mac Mini (which will always stay on - unless there's a way to do this with keeping the Mac Mini in sleep mode and waking it up somehow remotely when needed) and then just log into the machine and pull the files off the connected volume.

The thing is I would like to have the Mac Mini not have access to the this external firewire western digital hard drive that it's connected to because that's the family computer (I don't want anyone accidentally erasing anything). But by keeping this external hard drive always connected to the mac mini, I know that I have the freedom to pull the files I want whenever I feel like it.

any thoughts?

January 29 2009 at 3:23 PM
Alex

I like the part about encrypted images, as I use them quite often.
But beware: Especially inexperienced users may click on the "store password in keychain" command when first opening the encrypted image, because it seems so convenient. But of course, with that all the security is gone .. Have seen it done and just thought I'd share.

I always use encrypted disk images for my mobile data, i.e. iPod, USB sticks and so forth, because once they get stolen or lost (which happens often), one has no control as to what happens with the data.

Even though I have different feelings about some points in the article (I would never ever recommend File Vault to anyone who likes a fast, responding Mac. Especially, if they use encrypted images anyway. It's redundant), I really enjoyed it because it will start a few people actually thinking about what they are doing with their information and data.

January 29 2009 at 8:13 AM
1 reply to Alex's comment
k8jf6

File Vault does not affect speed except at login and logout, when it decrypts and encrypts the sparse image.

January 29 2009 at 8:05 PM
Ptang

@Le Big Mac: Time Machine does not work very well with Filevault. All Time machine will get from a FileVault home directory is just one big encrypted file for each backup snapshot. Although it would be possible to restore one of those with time machine and then mount it using your password, that's not the user-friendly way that Time Machine is supposed to work. Best just to backup files inside a FileVault some other way.

Here is a description of using "rsync" to do it:
http://fixlog.blogspot.com/2008/03/reasonable-backups-of-filevault.html

January 29 2009 at 2:02 AM
Chris Jones

Be careful with only using a screensaver to protect your machine while you are away. If you have a work machine where IT etc has an administrator account they can easily log in to your running session. This is one gripe I have with Leopard. On Windows, if an admin logs in while you are currently logged in, it will log you out then log in the other admin. On Leopard, when they enter their login it will simply unlock the screensaver allowing the user access to your session. Email, iChat etc are all now visible. With Quicksilver there is a command to "Fast Logout" which I believe works with fast user switching. When the admin logs in, they are logged into their own session, not yours.

When IT tried to take over our work machines a couple of coworkers and I decided to learn how to really harden our machines. We enabled the Firmware password so you couldn't boot to anything without a password. Next we set a master password on the machine then turned on file vault to encrypt our user folders. Turned on the firewall and used an extra app called Waterroof to shut down ARD and other remote services to only specific network IPs. Also put Little Snitch on there just for good measure. Then we found out they were trying to sniff the network traffic without telling anyone, so we got a cheap dreamhost account and piped all of our internet/chat etc traffic through an SSH tunnel with 128bit aes encryption.

All in all it was fun and we learned a lot.

January 29 2009 at 1:13 AM
Erik

File Vault? Don't you mean 'Vile Fault'? That thing causes a number of problems for a number of apps, and most developers hate it. Sorry, but I have nothing to point to. Don't trust me if you don't, but I am a tester for a well-established Mac software company and I have heard plenty of complaints about File Vault.

January 28 2009 at 8:03 PM
k8jf6

People who follow your advice may create an encrypted disk image inside a FileVault protected home folder. This redundant protection is unnecessary, inconvenient, and can create problems - especially for backups. FileVault is an encrypted sparse disk image that opens automatically at login.

January 28 2009 at 5:45 PM
Rylin

7-pass erase and 35-pass erase are just gimmicks.
One pass with dd is enough.

Don't believe me? See the Great Zero Challenge: http://16systems.com/zero/

January 28 2009 at 5:26 PM
2 replies to Rylin's comment
Nick

I don't trust the FBI to be unable to recover it (not that I have particular reason to worry). There's a proof-of-concept recovery that has been done from a 7-pass delete.

January 28 2009 at 6:13 PM
Rylin

@Nick: Link, please.
I strongly doubt they'd be able to recover from a zeroed out disk, especially if partitioned into two or more partitions (i.e., new FS on a "random" place on the disk).

Furthermore, the nature of various filesystems make it difficult to just undelete something.
With HFS+ (or any other journaled FS, for that matter), the actual meta data about a file gets zeroed out.
This means that the FS has *no* idea where the data chunks are located on the fragmented filesystem.

If you have an unfragmented filesystem, you can make educated guesses based on file format headers and the data coming after it, but still don't have filenames, creation/access times etc -- this is what undelete utilities do on HFS+ and ext3, for instance.. and they have very poor success.

Compare this to the FAT filesystems where a file is just marked as deleted in the MFT and you see that deleting a file on a journaled FS is a rather good (if not totally guaranteed) way of making sure a deleted file stays deleted.

Zeroing out the disk (as opposed to the partition table) means there's no way to know what partitions were on it, how fragmented the disk was, what any random chunk of data was etc.

While the cash prize for the Great Zero Challenge is negligible, the prestige in being able to prove that you can actually recover purposely cleaned data is huge.

The big labs (OnTrack etc) have better success where the MFT (or similar) is intact, which helps with data analysis. They also deal with *damaged* drives -- i.e., drives where the actual hardware is damaged.
They can still image the platters and read the ones and zeroes on it and hopefully recover enough metadata to recover some parts, but even that is not guaranteed.

If you're the FBI, the NSA or your favorite TLA agency with insane amounts of money and hardware to throw at the problem, the big problem is that you only have one original disk.

It's theoretically possible to read "stale" magnetic data (i.e., what was on the disk before it was zeroed), but it's far, far, far from consistent -- i.e., you might be able to find out what a particular bit was set to on the previous bit (hint: it's either a 0 or a 1... 50% chance!), but recovering 100 bits in a row? A kilobyte? A megabyte? On a fragmented filesystem? With today's storage densities?

If they image the drive to crunch it on a big farm, they lose the magnetic data from the disk (the image is X gigabytes of fresh zeroes).
On the other hand, recovering the original would -- even if possible -- take too long.

Like I said though, if you have a link I could check, that'd probably be a fun thing :)

January 28 2009 at 6:45 PM
JoeB

Are there any drawbacks to turning on your firewall? I used to really hate when windows would require permission from me to permit everything internet-related every 2 seconds. (New user)

January 28 2009 at 3:25 PM
1 reply to JoeB's comment
Nick

It pops up once for each program with odd (i.e. not POP/SMTP/HTTP) ports. Azureus pops up at each start, for some reason.

January 28 2009 at 6:11 PM
Jash Sayani

Great article!

Nice to share data privacy tips! Here's another post: http://jashsayani.com
It's more general and platform independent like TrueCrypt and Firefox add-ons.


January 28 2009 at 3:22 PM