
SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1

[Security] Hardening iOS 7, OS X Lion, and iCloud

Every once in a while, I look to harden up security on my current devices, and I've been digging pretty deep to find good Apple security hardening advice. Obviously, it's always a trade-off between functionality/convenience and security, and I'm experimenting with what increases security but still offers a level of protection I'm comfortable with (and each person's situation would dictate where that comfort zone is).

I've used primarily these as my guide:

iOS: »wikis.utexas.edu/display/ISO/App···hecklist

MacOS (has a list of multiple guides): »isc.sans.edu/diary/The+Ultimate+···on/12616

And also other sites here and there. And I looked at a number of options on location services: on, on with restricted apps, or off altogether (finally opting to allow it for only 2 apps: Weatherbug and Apple Maps). I don't have state secrets to protect, but I certainly don't want my life an open book either… (hence, no Twitter nor Facebook)

A tip I'd like to pass along: one site mentioned something I never knew existed… "My Support Profile", hosted by Apple: »supportprofile.apple.com/

The article is here (see page 3 for specifics): »arstechnica.com/apple/2012/05/ho···edition/

If you log into that apple support site, a list of hardware associated with that iCloud account is generated. When I logged in, not ONE of my current devices was listed… not ONE! All were older devices that I had sold or were no longer in service and discarded. I deleted all those items, and registered all my current devices. Not sure how that plays into overall security… but I had no idea Apple was keeping a digital running list with serial numbers. It also links an Apple Support Communities ID to that iCloud account. It's worth a look.

So I'd like to ask the following… anyone aware of any other Apple "login sites" beyond "iCloud" and "My Support Profile" that deserve a look (for security or otherwise)?

And any hardening strategies for iOS, MacOS, or iCloud that DSLR members have found particularly effective? Or any hardening guides anyone can point to that they have used with good success?



SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1

One other point... I didn't mention it specifically in the previous post, but obviously the Apple ID site should be checked as well. I didn't know Apple now allows for 2-step authentication. I enabled it before I played around with "Find My iPhone" and "Find My Mac". If an iCloud ID was hijacked with FMM enabled, it could lead to being tracked or someone remote wiping the Mac. Security should be much better with 2-Step enabled.

»appleid.apple.com/



SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1
reply to SwedishRider

*crickets*

Maybe a better question would be: does anyone here do anything to harden their Apple device security? Or do you just let factory settings stand as-is?



Count Zero
Obama-Biden 2012
Premium
join:2007-01-18
Winston Salem, NC

Turn on FileVault, use a good router firewall, enable System Preferences panel locks and a screen saver password, and use common sense.



SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1

said by Count Zero:

Turn on FileVault

You actually use FileVault? It seems cumbersome to use on a daily-use machine. Obviously you've chosen to use it.. so how does the benefit outweigh the nuisance factor?


spinJR
what exit?

join:2002-01-07
reply to SwedishRider

An Apple site that shows iCloud users and devices is a great idea, man.
I had one iTunes account for years; now my ex and I have our own. Aside from changing passwords and such, a site like this would be helpful.

check out this.

»it.toolbox.com/blogs/securitymon···62?rss=1

It's how Google secures OS X.
--
welcome to NJ, pay the 7% and go home!



Count Zero
Obama-Biden 2012
Premium
join:2007-01-18
Winston Salem, NC
reply to SwedishRider

With FileVault 2 it is seamless and painless. The entire hard disk is encrypted, and on newer machines it taps into the central processor's AES-NI cryptographic accelerator, so there isn't even a perceivable speed hit.



rjackson
Premium,VIP,MVM,Ex-Mod 2005-13
join:2002-04-02
Ringgold, GA
kudos:1
reply to SwedishRider

There's no nuisance. The whole hard drive is encrypted, and the machine boots off the recovery partition. Once you log in, your password decrypts the volume. It's completely seamless and fast.



SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1

I have a Core 2 Duo MacBook running Lion. How much of a performance hit are we talking in my case (if at all)?



Count Zero
Obama-Biden 2012
Premium
join:2007-01-18
Winston Salem, NC

Not sure if it is compatible or not. If it isn't one of the 2010 (I think) or newer models, probably a fairly significant hit.


Daemon
Premium
join:2003-06-29
Berkeley, CA
Reviews:
·Comcast
·webpass.net
reply to SwedishRider

said by SwedishRider:

I have a Core 2 Duo MacBook running Lion. How much of a performance hit are we talking in my case (if at all)?

I see a ~20% disk performance hit on Macs of that era. Core 2 doesn't have hardware accelerated decryption, which increases overhead significantly. On a newer Mac, especially those with an SSD, the performance difference is negligible.

I don't harden machines that aren't running world-accessible services, because the attack vectors are so much smaller. For servers I manage at work, I do, but none of those are Macs. The most likely attack vectors these days are password database breaches, which means one should use unique passwords at all websites that act as lynchpins of your online identity. (iCloud, in which a breach can let a 3rd party wipe your phone; Gmail, where a breach can result in a 3rd party getting password reset emails for all other accounts, etc). I recommend enabling 2-factor auth where available, as I do for iCloud and twitter, but not gmail since it's a PITA to set up with the number of devices I use.
--
-Ryan
I use Linux, OS X, iOS and Windows. Let the OS wars die.

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to SwedishRider

said by SwedishRider:

I have a Core 2 Duo MacBook running Lion. How much of a performance hit are we talking in my case (if at all)?

Likely there will be an impact, but how noticeable this will be depends on several factors.

I had used full disk encryption on my Thinkpad T41 with a 1.7 GHz Pentium Mobile and a 7200 RPM Hitachi spinning-rust drive. The impact was noticeable only on large copies, and even then it was not unacceptable. To be honest, I didn't notice it other than when doing a benchmark.

You don't mention if you've upgraded/changed your drive but if it is original it likely is a 5400 rpm drive. The encryption overhead may not be noticeable unless you run benchmarks.

The best option if you would be interested is to actually try it. Set up FileVault2 and leave the MB running to encrypt the drive overnight. Use it for a few weeks to see if your normal usage is noticeably impacted. If you are not happy you can just as easily turn off FileVault2 (again leave the MB running overnight to fully decrypt).

On my laptops I always encrypt the drive. If the laptop is ever stolen or lost the drive is still secure (being encrypted).
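
Shady Bimmer's advice above (turn FileVault 2 on, leave the MacBook running overnight, later turn it off and let it decrypt) raises the question of how you tell when the conversion is actually finished. As an added example, not code from anyone in this thread or from Apple, here is a POSIX shell script that reads the CoreStorage report FileVault 2 exposes through `diskutil cs list` and prints one summary line. `fv_progress` is a name chosen here, and the SAMPLE_* texts are constructed for the stand-alone run, not captured from a real Mac; the field names they use (Conversion Status, Conversion Direction, Size (Total), Size (Converted), Fully Secure) are the ones `diskutil cs list` prints on OS X 10.7 and later.

```shell
#!/bin/sh
# Added example for this thread; not code from any poster or from Apple.
# FileVault 2 converts the boot volume into an encrypted CoreStorage logical
# volume in the background, and `diskutil cs list` reports the state of that
# conversion. fv_progress (a name chosen here) turns that report into one
# line, so the overnight encryption (or a later decryption) can be checked
# from Terminal. The SAMPLE_* texts are constructed for the stand-alone run
# and were not captured from a real Mac; the field names they use are the
# ones `diskutil cs list` prints on OS X 10.7 and later.

# fv_progress: read `diskutil cs list` output on stdin, print a summary line.
# The percentage comes from "Size (Converted)" / "Size (Total)", so it works
# on 10.7, which has no separate "Conversion Progress" line.
fv_progress() {
    awk -F': *' '
        /Conversion Status:/    { status = $2 }
        /Conversion Direction:/ { dir = $2 }
        /Encryption Type:/      { enc = $2 }
        /Fully Secure:/         { secure = $2 }
        /Size \(Total\):/       { split($2, f, " "); total = f[1] }
        /Size \(Converted\):/   { split($2, f, " "); conv = f[1] }
        END {
            if (status == "") {
                print "no CoreStorage logical volume family found (FileVault 2 not enabled?)"
                exit 1
            }
            pct = (total > 0) ? int(conv * 100 / total) : 0
            if (status == "Complete") pct = 100
            printf "%s %s: %d%% converted, encryption %s, fully secure: %s\n",
                   status, dir, pct, enc, secure
        }'
}

# Constructed sample: a Lion MacBook about a quarter of the way through
# the initial encryption (UUIDs are placeholders).
SAMPLE_CONVERTING=$(cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    =========================================================
    Name:         Macintosh HD
    Size:         499418034176 B (499.4 GB)
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000003
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Has Encrypted Extents:   Yes
        Fully Secure:            No
        Passphrase Required:     Yes
        |
        +-> Logical Volume 00000000-0000-0000-0000-000000000004
            ---------------------------------------------------
            Disk:               disk1
            Status:             Online
            Size (Total):       499057877504 B (499.1 GB)
            Size (Converted):   120000000000 B (120.0 GB)
            Revertible:         Yes (unlock and decryption required)
            LV Name:            Macintosh HD
            Volume Name:        Macintosh HD
            Content Hint:       Apple_HFS
EOF
)

# Constructed sample: the same volume once conversion has finished.
SAMPLE_COMPLETE=$(cat <<'EOF'
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Fully Secure:            Yes
        |
        +-> Logical Volume 00000000-0000-0000-0000-000000000004
            Disk:               disk1
            Status:             Online
            Size (Total):       499057877504 B (499.1 GB)
EOF
)

if command -v diskutil >/dev/null 2>&1; then
    diskutil cs list | fv_progress                    # the real check, on a Mac
else
    printf '%s\n' "$SAMPLE_CONVERTING" | fv_progress  # constructed: Converting forward, 24%
    printf '%s\n' "$SAMPLE_COMPLETE"   | fv_progress  # constructed: Complete, 100%
fi
```

Run it as-is on the Mac; on any other OS (no `diskutil`) it exercises the two constructed samples. The thing to watch is "Fully Secure: No" while "Conversion Status: Converting": plaintext extents are still on the platter, so the laptop is not yet protected if it walks off before the conversion completes. The same command during a decrypt shows "Conversion Direction: backward", which is how you confirm the drive is fully back to plaintext before, say, selling the machine.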


Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11

Completely agree. I use FileVault 2 on a MacBook Pro (Core 2 Duo). I upgraded to a SSD and activated FV at the same time, so there was actually a performance boost for me.

Even if you don't want to upgrade to a SSD, the small performance penalty is far outweighed by the huge benefit of security without hassles.
--
University of Southern California - Fight On!



Elite

join:2002-10-03
Orange, CT
Reviews:
·Optimum Online

1 edit
reply to SwedishRider

For starters, get off of Lion. I would suggest Mavericks if you have enough RAM and a 64 bit CPU.

Secondly, last I checked, FileVault 2 could be bypassed pretty easily via connecting another computer to the Firewire/USB/Thunderbolt port. See »www.breaknenter.org/projects/inception/ for more details. If this is still the case, I wouldn't bother wasting time with FileVault.

Edit: Turns out Apple has worked around the DMA stuff by turning it off when the machine is locked or logged out, effectively thwarting this attack, minus a few exceptions.



SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1

said by Elite:

For starters, get off of Lion. I would suggest Mavericks if you have enough RAM and a 64 bit CPU.

This is a plastic white MacBook with a 2.4 GHz Core 2 Duo and 2 GB DDR2 RAM. OS 10.7.5 is as far as she'll go..

Does 10.7.5 have FileVault or FileVault 2? System prefs just calls it "FileVault". I wouldn't be against trying it, as it seems to be the way to go. I just don't want to have time to grab a coffee and a donut every time I want to open a file. I tried FileVault on a Core Duo MacBook years ago... and it was painful!

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to Elite

said by Elite:

Secondly, last I checked, FileVault 2 could be bypassed pretty easily via connecting another computer to the Firewire/USB/Thunderbolt port. See »www.breaknenter.org/projects/inception/ for more details. If this is still the case, I wouldn't bother wasting time with FileVault.

This was not unique to FV2 and was applicable to every full disk encryption scheme on every platform that supported FireWire. It was an attempt to find the decryption key stored in memory after the drive had already been unlocked, using a specific exploit device physically connected via FireWire.

While this was a risk, much more hype was made around it than anything else. Understanding the attack vector is important here to understand the actual risk.

To say full disk encryption should not be used due to this is poor advice. This had a very specific and very limited attack vector that was largely closed a long time ago on many platforms, including MacOS.


SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1
reply to Count Zero

What is your backup strategy with your Mac running FileVault2? I use SuperDuper every once-in-a-while to make a full backup to a portable external drive. I don't use Time Machine since it's a laptop that comes on and off my home network.



Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11

said by SwedishRider:

What is your backup strategy with your Mac running FileVault2? I use SuperDuper every once-in-a-while to make a full backup to a portable external drive. I don't use Time Machine since it's a laptop that comes on and off my home network.

SuperDuper will still work with FV2. Obviously, the data on the external won't be encrypted.

Alternatively, you could use Disk Utility to create an encrypted external HD and use that for backups.

And to answer your earlier question, 10.7 has FV2:
»support.apple.com/kb/ht4790

Sidenote: I know your laptop doesn't support 10.8, but there is a new function where a local TM backup is created on the laptop drive when away from the home network. When you're back on your network, it syncs the snapshots that were created while you were away to your TM disk.
--
University of Southern California - Fight On!

Daemon
Premium
join:2003-06-29
Berkeley, CA
Reviews:
·Comcast
·webpass.net
reply to SwedishRider

said by SwedishRider:

said by Elite:

For starters, get off of Lion. I would suggest Mavericks if you have enough RAM and a 64 bit CPU.

This is a plastic white MacBook with a 2.4 GHz Core 2 Duo and 2 GB DDR2 RAM. OS 10.7.5 is as far as she'll go..

Does 10.7.5 have FileVault or FileVault 2? System prefs just calls it "FileVault". I wouldn't be against trying it, as it seems to be the way to go. I just don't want to have time to grab a coffee and a donut every time I want to open a file. I tried FileVault on a Core Duo MacBook years ago... and it was painful!

It's FV2: »support.apple.com/kb/ht4790
--
-Ryan
I use Linux, OS X, iOS and Windows. Let the OS wars die.


SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1
reply to Thinkdiff

I think I'll give FV2 a try. I've just updated my SuperDuper external backup just in case, and keeping an unencrypted backup seems reasonable so long as I keep it physically secured. I'll see what kind of a performance hit I'll take (if any) and go from there. Interesting that you can entrust Apple to keep the recovery key protected by 3 challenge questions. Um, think I'll pass on that one.

And I'm glad to hear that Apple has improved Time Machine. Last I used it, it was a nightmare for wifi laptops (but made sense for desktops). I'd consider it again whenever I upgrade my Mac. Have to say though, SuperDuper does a fine job at making bootable backups. I have used it for years with zero issues.



rjackson
Premium,VIP,MVM,Ex-Mod 2005-13
join:2002-04-02
Ringgold, GA
kudos:1
reply to SwedishRider

said by SwedishRider:

What is your backup strategy with your Mac running FileVault2? I use SuperDuper every once-in-a-while to make a full backup to a portable external drive. I don't use Time Machine since it's a laptop that comes on and off my home network.

You can encrypt your Time Machine backups too. I have an external drive plugged into an AirPort Extreme so it backs up over wifi. Works fine.


SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1

That sounds good now... But when I used TM over wifi, once a backup started, I couldn't leave until it was done. And if I did forget and leave, it corrupted the backup (it happened a few times actually). I don't remember what version of OS X I was using at that time. Anyway, I ended up dropping TM and went to SD, and haven't looked back since. When I get a new Mac that can run Mavericks, I'll check Time Machine out again.



rjackson
Premium,VIP,MVM,Ex-Mod 2005-13
join:2002-04-02
Ringgold, GA
kudos:1

I can't say I've ever had that happen. In fact I never really even pay attention to whether a TM backup is running or not. If it gets interrupted when I leave, it seems to resume just fine.



Elite

join:2002-10-03
Orange, CT
Reviews:
·Optimum Online
reply to Shady Bimmer

said by Shady Bimmer:

This was not unique to FV2 and was applicable to every full disk encryption scheme on every platform that supported firewire. It was an attempt to try to find the decryption key stored in memory after the drive had already been unlocked by using another specific exploit device physically connected via firewire.

While this was a risk much more hype was made around this than anything else. Understanding the attack vector is important here to understand the actual risk.

To say full disk encryption should not be used due to this is poor advice. This had a very specific and very limited attack vector that was largely closed a long time ago on many platforms including MacOS

For starters, I understand that this is an issue beyond FileVault, but I think you missed the bottom part of my post where I said things look OK for Lion. I guess you also didn't bother reading the part of that site where they mention current OSes affected and ways to mitigate such attacks. It still works on lots of different OSes and configurations. OS X is probably more hardened against it than most right out of the box.


Count Zero
Obama-Biden 2012
Premium
join:2007-01-18
Winston Salem, NC
reply to SwedishRider

I have a Mac Mini server that has a RAID array attached, and all of my computers back up to that. All of the drives (except for the boot drive) are encrypted on the server. I previously had encrypted the boot drive, but since Mavericks broke fdesetup authrestart functionality I had to decrypt the drive for the time being.



Uncle Paul

join:2003-02-04
USA
kudos:1
reply to SwedishRider

I would suggest the CIS Baselines:

»benchmarks.cisecurity.org/downlo···ltiform/


Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to Elite

said by Elite:

For starters, I understand that this is an issue beyond FileVault, but I think you missed the bottom part of my post where I said things look ok for Lion.

I most certainly did read your full post but that doesn't change anything.

Even if the OS does not provide protections, this is still a very specific, very unlikely scenario. Understanding the details of the method of attack is important to realize that, while this was a risk, it was more hype, and it is something that is easy to protect against even if the OS does not do so.

It is also by far not a reason to consider not encrypting a disk (i.e., if the disk is not encrypted there are many more simple methods to gain access).
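
The DMA posts above (Elite's Inception pointer, Shady Bimmer's two replies) agree on the shape of the attack: it reads the volume key out of RAM after the disk has been unlocked, Apple blocks FireWire DMA while the screen is locked, and the rest is "easy to protect against even if the OS does not do so". The remaining window on a laptop is sleep, when RAM stays powered with the key in it. As an added example, not code from anyone in this thread or from Apple, here is a POSIX shell audit of the two pmset(1) settings that close that window; `fv_sleep_audit` is a name chosen here, and the SAMPLE_* texts are constructed to look like `pmset -g` output rather than captured from a real machine.

```shell
#!/bin/sh
# Added example for this thread; not code from any poster or from Apple.
# The FireWire/Thunderbolt DMA attack only works while the FileVault volume
# key is resident in RAM, i.e. after the disk has been unlocked. Apple closed
# the locked-screen case by switching DMA off there; the other window is a
# sleeping Mac whose RAM is still powered. Two settings documented in
# pmset(1) on OS X 10.7.2 and later close it:
#   hibernatemode 25          write RAM to the sleep image and power RAM off
#   destroyfvkeyonstandby 1   drop the volume key on standby and require the
#                             FileVault passphrase again at wake
# fv_sleep_audit (a name chosen here) checks `pmset -g` output for both.
# The SAMPLE_* texts are constructed, not captured from a real machine.

# fv_sleep_audit: read `pmset -g` on stdin, print one line per weak setting
# and a PASS/FAIL verdict; exit 0 only when both settings are hardened.
fv_sleep_audit() {
    awk '
        $1 == "hibernatemode"         { hib = $2 }
        $1 == "destroyfvkeyonstandby" { destroy = $2 }
        END {
            fail = 0
            # a missing destroyfvkeyonstandby line means the default, 0 (retain)
            if (destroy != "1") {
                printf "destroyfvkeyonstandby=%s: volume key kept in RAM across standby\n",
                       (destroy == "" ? "0 (default)" : destroy)
                fail = 1
            }
            if (hib != "25") {
                printf "hibernatemode=%s: RAM stays powered in sleep, key stays readable\n",
                       (hib == "" ? "unset" : hib)
                fail = 1
            }
            verdict = fail ? "FAIL" : "PASS"
            print verdict
            exit fail
        }'
}

# Constructed sample resembling a stock MacBook's battery profile.
SAMPLE_PORTABLE='Currently in use:
 standbydelay         4200
 standby              1
 hibernatemode        3
 hibernatefile        /var/vm/sleepimage
 disksleep            10
 sleep                10
 displaysleep         2'

# The same machine after: sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
SAMPLE_HARDENED='Currently in use:
 standbydelay         4200
 standby              1
 hibernatemode        25
 destroyfvkeyonstandby 1
 hibernatefile        /var/vm/sleepimage
 disksleep            10
 sleep                10
 displaysleep         2'

if command -v pmset >/dev/null 2>&1; then
    # On a Mac: audit the live settings and print the fix if needed.
    if pmset -g | fv_sleep_audit; then
        echo "FileVault key is not kept in RAM while asleep."
    else
        echo "Fix with: sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25"
    fi
else
    # Elsewhere: exercise the two constructed samples (first FAILs, second PASSes).
    printf '%s\n' "$SAMPLE_PORTABLE" | fv_sleep_audit || :
    printf '%s\n' "$SAMPLE_HARDENED" | fv_sleep_audit
fi
```

`pmset -a` needs sudo and applies the values to every power source. The trade-off is wake time: with hibernatemode 25 the machine restores memory from the sleep image on disk instead of from powered RAM, and destroyfvkeyonstandby means typing the FileVault passphrase again after standby. Pair it with the screen saver password from Count Zero's list, since Apple's locked-screen DMA block that Elite mentions only helps if the screen actually locks.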


SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1
reply to SwedishRider

I encrypted my drive and have been using it with FileVault 2 for about a day now, and so far I've noticed no performance difference whatsoever. I use my Mac for research and word processing mostly, but even loading and playing HD videos didn't seem to make a difference.

Granted, this is just my perception. I really don't care about squeezing every last bit of performance out of my machine… I just don't want it to bog down while doing everyday tasks.

So far, I'm impressed. MUCH better than the original FileVault!


Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to Uncle Paul

said by Uncle Paul:

I would suggest the CIS Baselines:

»benchmarks.cisecurity.org/downlo···ltiform/

There are also the DISA STIGs at »iase.disa.mil/stigs/

MacOS is listed under 'Operating Systems' only for 10.5 and 10.6, but the guidelines are still valid to review for later versions.


SwedishRider
Rider on the Storm
Premium
join:2006-01-11
not Sweden
kudos:1
reply to SwedishRider

I'll have to give FileVault 2 two thumbs up. I haven't noticed a performance difference at all, and that's probably the highest compliment I could give. I'll still keep an unencrypted backup under lock and key, just in case I need to access that data… but for use on the road, it seems to be a non-invasive way to physically secure data compared with an unencrypted drive.

Good stuff!