May 10, 2020

Stolen Paperweight

I was in an all-hands meeting in IT where the CIO asked us to raise our hands if we had encrypted hard drives. I was the only one to raise a hand. I was utterly horrified. How can a room full of IT professionals be so careless as to risk our company secrets every day and not make an active change to fix it? This complex question has a simple answer: because it's hard. You can't just image a machine and hand it out anymore: the disk has to be encrypted, and the passphrase has to stay with the owner (IT should never know it; the most IT should ever hold is an escrowed recovery key). If the end user is left responsible for doing this, they probably won't. We're living in the modern information age where we want our data and we want it now. Too much security and it becomes cumbersome; not enough and we might as well pull down our pants and expose ourselves to the world. Because that's what you're doing, and it's time to pull those pants up and tighten that belt.

For the longest time, developers were issued large desktop workstations with password-protected accounts (and, if you were brave enough to attempt it, encrypted storage). Security was never really a priority, since anyone already inside the building could get at plenty of company secrets whenever someone walked away from an unlocked workstation. As time moved on, workstations became a thing of the past: everyone gets laptops now. Developers are mobile; they're not tied to their desks anymore and can often be found in coffee shops and conference rooms (or, as the industry likes to call them, war rooms), and hell, I still see people leaving their laptops on the sink in the restroom for anyone to grab. Ask yourself this simple question: how hard would it be to walk off with someone's laptop and sell it to their biggest competitor?

And what about the Wikileaks documents describing the EFI firmware and Ethernet hacks the CIA used to compromise Macs and iOS devices? Surely no one else can do the same, right? These threats are all addressed with options built into your base Mac, and if you add a couple of inexpensive utilities you can sleep at night knowing that the laptop being handed to developers is close to worthless to whoever walks off with it.

Password Protect Firmware

If you boot your Mac into recovery mode (hold Command + R at startup), you can set a firmware password from the Utilities menu (Startup Security Utility on newer Macs, Firmware Password Utility on older ones). Once it is set, anything other than a normal boot from your designated startup disk is challenged for the password: booting from an external drive, a network boot, Target Disk Mode, even Recovery itself. If your laptop is stolen, this prevents the thief from wiping it and reinstalling the base OS. Apple has this article describing the feature and how to enable it. Two caveats: a firmware password encrypts nothing, so on its own it protects the hardware rather than your data, and Apple can clear it for whoever shows up at an Apple Store with proof of purchase, so it raises the bar rather than removing the threat. But what about your data?

Enable FileVault

Your modern Mac has AES instructions in the CPU that handle disk encryption with negligible performance impact. Apple has this article describing how to enable FileVault; it can be as simple as clicking a button in System Preferences. If you're creating a fresh image for your machine, you can also choose an encrypted volume when you format the disk. The filesystem requirement is simpler than it looks: FileVault needs a journaled HFS+ volume (or, on 10.13 and later, APFS, which encrypts natively). Case sensitivity is optional, is not a security control at all, and breaks enough third-party apps that you should only turn it on if you know you need it. Apple's newer filesystem, APFS, is the long-term winner; older installs still live on HFS+ with Core Storage sitting underneath the encryption. With FileVault in combination with a firmware password, the hardware and the data on it are in good shape, with two assumptions: you pick a strong passphrase and you don't tell anyone. The laptop becomes close to worthless to a thief, who can't boot it from anything but your disk and can't get past the FileVault login. The only way at the data is to pull the drive (where it isn't soldered to the board) and brute-force the passphrase, and that is a decades-long job only if the passphrase is strong. But what about when the machine is running?

Extreme Paranoia

If you follow the above recommendations, turn off file sharing and the remote connection services (Screen Sharing, Remote Login, Remote Management), and enable the firewall, your Mac will be in very good shape. With modern Mac apps running in their own sandbox (yes, Mac App Store apps are required to run in the App Sandbox), there are few avenues left for someone to compromise you. If, however, you are extremely paranoid, the following two tools will take care of most of your concerns.
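To check that the controls from the sections above are actually in place on a given machine, here is an audit script added to this post (it is not Apple's tooling and was not part of the original article). It assumes a Mac with the stock command-line tools firmwarepasswd, fdesetup, diskutil, socketfilterfw and systemsetup, run with sudo; the SAMPLE_* strings inside it are constructed, not output captured from a real machine.

```shell
#!/bin/sh
# Audit of the controls recommended in this post.  Added example, not Apple's
# tooling and not the original post's code.  Assumes macOS with firmwarepasswd,
# fdesetup, diskutil, socketfilterfw and systemsetup, run with sudo (the first
# and last of those refuse to answer otherwise).
#
# Each parse_* function takes the raw text one tool printed and answers "pass"
# or "fail".  Keeping the decision separate from the command lets the logic be
# exercised on any host with canned output; the SAMPLE_* values below are
# constructed for that purpose, not captured from a Mac.

# `sudo firmwarepasswd -check` prints "Password Enabled: Yes" or "... No".
parse_firmware_password() {
  case "$1" in
    *"Password Enabled: Yes"*) echo pass ;;
    *) echo fail ;;
  esac
}

# `fdesetup status` prints "FileVault is On." or "FileVault is Off.",
# sometimes followed by a note about deferred enablement.
parse_filevault() {
  case "$1" in
    *"FileVault is On."*) echo pass ;;
    *) echo fail ;;
  esac
}

# `diskutil info /` reports "File System Personality: <name>".  FileVault needs
# APFS or Journaled HFS+; case sensitivity is irrelevant, so both variants of
# each are accepted.
parse_fs_personality() {
  personality=$(printf '%s\n' "$1" | sed -n 's/^ *File System Personality: *//p' | head -n 1)
  case "$personality" in
    *APFS*|*"Journaled HFS+"*) echo pass ;;
    *) echo fail ;;
  esac
}

# socketfilterfw --getglobalstate prints "Firewall is enabled. (State = 1)";
# state 2 means "block all incoming", which also counts as on.
parse_firewall() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) echo pass ;;
    *) echo fail ;;
  esac
}

# `sudo systemsetup -getremotelogin` prints "Remote Login: On" or "... Off".
parse_remote_login() {
  case "$1" in
    *"Remote Login: Off"*) echo pass ;;
    *) echo fail ;;
  esac
}

# Constructed sample output so the parsers can be tried without a Mac.
SAMPLE_DISKUTIL_APFS='   Device Identifier:         disk1s1
   Volume Name:               Macintosh HD
   File System Personality:   APFS
   Type (Bundle):             apfs'
SAMPLE_DISKUTIL_EXFAT='   Device Identifier:         disk2s1
   File System Personality:   ExFAT
   Type (Bundle):             exfat'

# Print one line per control, with the command that fixes a failing one.
report() {  # $1 control name, $2 pass/fail, $3 remediation
  if [ "$2" = pass ]; then
    printf 'PASS  %s\n' "$1"
  else
    printf 'FAIL  %s  (fix: %s)\n' "$1" "$3"
    failures=$((failures + 1))
  fi
}

# Live audit; exit status is the number of failing controls.
audit_mac() {
  failures=0
  report "firmware password" \
    "$(parse_firmware_password "$(firmwarepasswd -check 2>/dev/null)")" \
    "sudo firmwarepasswd -setpasswd"
  report "FileVault" \
    "$(parse_filevault "$(fdesetup status 2>/dev/null)")" \
    "sudo fdesetup enable"
  report "boot volume format" \
    "$(parse_fs_personality "$(diskutil info / 2>/dev/null)")" \
    "reformat as APFS or Journaled HFS+ before encrypting"
  report "application firewall" \
    "$(parse_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)")" \
    "sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on"
  report "remote login (ssh)" \
    "$(parse_remote_login "$(systemsetup -getremotelogin 2>/dev/null)")" \
    "sudo systemsetup -setremotelogin off"
  return "$failures"
}

# Only run the live audit on macOS; elsewhere only the parsers are usable.
if [ "$(uname)" = Darwin ] && [ "${1:-}" = "--run" ]; then
  audit_mac
fi
```

Run it as `sudo sh audit.sh --run` on the laptop; the exit status is the count of failing controls, so it drops straight into a fleet check. The volume format and FileVault are checked separately from the firmware password on purpose: a firmware password that reports Yes says nothing about whether the disk is encrypted.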

Are you one of those people so paranoid about technology that you're convinced people are watching and listening to you while you use your machine? Do you put tape over your webcam (please don't)? Check out Micro Snitch, which alerts you whenever the microphone or webcam is accessed (since macOS Mojave the system itself also asks before an app may use either, but Micro Snitch shows you who is using them right now). Want something more than the built-in firewall, which only filters incoming connections? Check out Little Snitch, which warns about outgoing connections and alerts you as much or as little as you want.

Posted in DevOps