Thursday, January 21, 2016

Substantially Increase the Security of your Mac

Privacy, or the lack thereof, and electronic data security have become an increasing concern for many computer users. The fact of the matter is that the majority of computer users store vast amounts of personal data on a computer that, in the wrong hands, could cause a great deal of trouble. In addition to the NSA's unrelenting mass-surveillance programs, which are a blatant invasion of privacy, anything that you search on the internet can be tracked, traced back to your computer's unique IP address, and thus directly to you. While the NSA seems to be content to sit on incredibly massive amounts of collected data for now, I am incredibly disturbed by the notion that any activity you have performed on your computer can potentially be used against you, no matter the original intent. You may feel that what I am writing is somewhat sensationalistic and "tin-foil hat" in nature; however, many cyber-security experts and internet rights advocates will agree that this is a serious and contentious privacy issue. Let's discuss ways to protect your locally stored data on your Mac, prevent a user with physical access from bypassing or replacing your password, and remain as anonymous as possible online.

The first rule of protecting sensitive data on your computer is to always know where it is and who has access to it at all times. No matter what security measures are put in place, an individual with enough technical knowledge and time can usually bypass most of these countermeasures. Our goal is to make this as difficult as possible. With a combination of security efforts, only an extremely advanced computer user with a very long period of unobstructed physical access to your machine will be able to access any of your data.

Let's start off with the basics. I am going to assume you are at least using a still-supported version of OS X on your Mac (10.9 Mavericks or higher). You, of course, want to set up a password to protect access to your administrator account. For maximum protection, create a password at least ten to twelve characters long, with at least one capital letter, number, and symbol. Create something truly unique that won't be guessable by anyone. During my time fixing computers and removing passwords as part of my job, I have come across countless bad passwords that are easily cracked. "Password," "P@ssw0rd," "123456," and "654321" don't make for good passwords. Neither do passwords that are based on personal information that someone could glean, such as your date of birth, husband's/wife's name, girlfriend's/boyfriend's name, last name, your pet, or where you were born. Also, while you are at it, delete the "Guest" account if it is enabled, by going into Users & Groups in System Preferences. In the Security & Privacy section of System Preferences, be sure to require a password immediately after sleep or screen saver begins, and set up a screen saver or have the computer lock after a specified amount of time while not in use.

FileVault in OS X 10.11
The next step is to encrypt your hard disk or SSD by enabling "FileVault." This is once again located in the Security & Privacy section of System Preferences, under the "FileVault" tab. Once enabled, the system encrypts the entirety of the disk with 256-bit AES encryption. This process can take a while to complete, depending on the speed of your computer and the amount of data stored on the drive. The data on the disk is decrypted by entering your login password while you use the machine, and re-encrypted every time the computer locks, logs out, goes to sleep, or shuts down. Be absolutely sure to have your login password committed to memory before enabling FileVault, as without the password your data will be left in an encrypted state and you won't have access. If you have a newer Mac, you have the benefit of added security, as most newer Mac laptops use either proprietary or not as widely used standards for connecting the SSD to the machine, such as custom PCI-E connections or M.2 connections. Someone with prolonged physical access to your machine could theoretically unscrew your laptop and remove the storage drive, but they would have to deal with the often proprietary nature of the storage drive, and still break the 256-bit encryption. Seems Apple's proprietary ways can be difficult on everyone.

The next step is to enable an "Open Firmware Password." This prevents an unauthorized person from booting to an external disk that can be used to crack your passwords and encryption, and from booting into Super User mode, which opens a super-user or admin-level terminal that can be exploited to remove your pre-existing password or remove your account entirely. The "Open Firmware Password" essentially requires the input of another password to do anything other than boot to your already password-protected and encrypted account. For added security, I recommend choosing an entirely different password or a variation of your login password when setting up the Open Firmware Password. While the methodology for setting this added layer of security is a bit more complex than the aforementioned procedures, it is still relatively straightforward. Either boot into your Mac's built-in recovery partition, or create a bootable OS X installer disk to boot off of. Once inside the recovery environment, choose "Open Firmware Password" from the "Utilities" drop-down menu. This is another case where you absolutely must NOT forget your password. If you have a newer Mac such as an Air, Retina Pro, or the new MacBook, there is no way to reset your Open Firmware Password if you forget it, aside from going to the Apple store (and you will have to provide evidence that you are the original computer user to get the password lifted).

Firewall settings in OS X 10.11
Now that we have prevented an unauthorized individual from booting to anything other than your Mac's startup disk, it's time to delve into your Mac's wireless and network security settings. In Security & Privacy, make sure that your firewall is enabled. Click on "Firewall Options" and enable "Stealth Mode" in order to hide your Mac's existence on a network. Back in the Firewall tab, click the "Advanced" button in the bottom right-hand corner and check "Require an administrator password to access system-wide preferences." Always click the lock in the bottom left-hand corner so that your login password is required to make any changes to settings in System Preferences.
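To confirm from Terminal that the settings above actually took effect, here is a small audit script. It is an added example, not part of the original post; the output strings it matches are assumptions about what `fdesetup`, `socketfilterfw`, `firmwarepasswd` and `defaults` print on OS X 10.10/10.11, and the sample report is constructed.

```shell
#!/bin/sh
# Audit of the settings configured above. The matched strings are assumptions
# about what each tool prints on OS X 10.10/10.11; adjust for other releases.

# classify LABEL OUTPUT PATTERN: PASS when OUTPUT matches the glob PATTERN.
classify() {
    case "$2" in
        $3) echo "PASS $1" ;;
        *)  echo "FAIL $1" ;;
    esac
}

check_filevault() { classify "FileVault" "$1" "FileVault is On*"; }
check_firewall()  { classify "Firewall" "$1" "Firewall is enabled*"; }
check_stealth()   { classify "Stealth mode" "$1" "Stealth mode enabled*"; }
check_firmware()  { classify "Firmware password" "$1" "Password Enabled: Yes*"; }
check_guest()     { classify "Guest account off" "$1" "0"; }

# Query the live system. An absent tool or missing key yields error text,
# which matches no pattern and is reported as FAIL rather than assumed safe.
audit() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    check_filevault "$(fdesetup status 2>&1)"
    check_firewall  "$("$fw" --getglobalstate 2>&1)"
    check_stealth   "$("$fw" --getstealthmode 2>&1)"
    check_firmware  "$(firmwarepasswd -check 2>&1)"
    check_guest     "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>&1)"
}

# Constructed sample output: a Mac with FileVault and the firewall on, but
# stealth mode off, no firmware password, and the Guest account still enabled.
sample_report() {
    check_filevault "FileVault is On."
    check_firewall  "Firewall is enabled. (State = 1)"
    check_stealth   "Stealth mode disabled"
    check_firmware  "Password Enabled: No"
    check_guest     "1"
}

# firmwarepasswd needs root, so only touch the live system on a Mac as root;
# anywhere else, show the report for the constructed sample.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    audit
else
    sample_report
fi
```

Run it with `sudo` on the Mac itself; any line starting with `FAIL` points back to the step above that still needs attention.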

Now for online anonymity. A paid VPN is the best way to remain as anonymous as possible when surfing the web. I have tried free VPNs, and they simply are not reliable and require a decent amount of fiddling in System Preferences. Private Internet Access offers extremely reasonable prices, and integrates perfectly with OS X. A VPN routes your web traffic through a protected tunnel and through several different servers. It also encrypts your traffic with selectable 128-bit or 256-bit AES encryption, and obfuscates your computer's original IP address with an anonymous one. This makes it much more difficult for ISPs and government surveillance agencies to ascertain the type of data being sent to and received from your computer, as well as the location of your machine geographically. All they see is indeterminable, encrypted data. Keep in mind, however, that the NSA essentially pioneered electronic data encryption, and they can certainly break it given enough of an inclination to do so. A VPN still adds a substantial privacy blanket to your online activity, however, and has the added benefit of encrypting all of your web traffic if enabled, which is handy when you are surfing on unprotected public Wi-Fi. In addition to a VPN, you can also opt to use the Tor browser for Mac, which routes all of your searches and web content viewed in the browser through the Tor network. The NSA has proven that it has the ability to de-anonymize Tor users, but combining Tor and a VPN would make de-anonymization relatively tricky. The only downside of Tor is that it significantly slows down your connection, and is not suitable for P2P situations or downloads, but rather for light browsing and reading.

Through a combination of these methods and software, you have created a very resilient and hard-to-crack system that protects your data and your online anonymity. Of course, no computer system or security measure is infallible, but your Mac will certainly be far more secure than the average computer. The good news is that OS X is a UNIX-based operating system and thus has far fewer virus and infection issues than a Windows machine. There is still antivirus software available for the Mac, my two favorites being Malwarebytes for Mac and Avast! Mac Security. I would recommend both if you are concerned about the rare possibility of getting a serious infection. Both are free. Avast will actively protect your system from infections and has added paid features such as security browser plug-ins to redirect you away from phishing and virus-infected websites. Malwarebytes is a removal tool for removing viruses, malware, and trojans that may have crept onto your system. Avast has virus removal tools as well. I personally keep both on my system, but in my twelve years of using a Mac, I have never once gotten a virus on my system.

The first line of defense is always to be careful about what you download and the sites you visit, as well as keeping people you don't trust from having physical access to your machine. Also, don't ignore those OS X security updates for too long. If you have a Mac laptop with all of the aforementioned security steps put in place, you can rest assured that it's highly unlikely that your personal data is in peril if it's lost or stolen. Furthermore, if your Mac is tied to an iCloud account, you can track its location via GPS, and assuming it's connected to the internet, remotely wipe the machine or lock it with a 6-pin passcode (creating a lock over a lock over a lock, at this point!). Using these methods, your Mac can become an extremely well-protected system that you can feel safe storing personal or customer data on. Through the combined use of these methods, you will have essentially "Fort-Knoxified" your Mac.

Private Internet Access Website
OS X Daily: Set Firmware Password

