How secure?

Joined
Oct 6, 2016
Messages
184
Reaction score
6
Points
18
I have a 22 character password for logging-in to my Mac Mini.

Sensitive files are protected by a Disk Utility procedure (File/New image/Image from folder) which ends up with a .dmg file, also protected by a long (different) password.

Without going completely paranoid, is this 'reasonably' secure against a robber taking my Mac Mini - would it stop him getting access to my sensitive files?

Thanks for your opinion.


Allen.
 
Joined
Jan 1, 2009
Messages
15,494
Reaction score
3,853
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
IMHO, no. All the thief would need to do is remove your drive from the Mini and attach it to another Mac and all your files are available to him. The .dmg may not be available, given the password. The only way to protect sensitive files absolutely is to encrypt the drive.

But then again, unless you are an assassin, or are dealing in stolen weaponry, or a spy for (name your favorite agency here), why worry? Just have duplicates somewhere so you can contact various companies, banks, etc, to say your stuff was stolen and sign up for credit watching to protect yourself.
 
OP
A
Joined
Oct 6, 2016
Messages
184
Reaction score
6
Points
18
Thanks. I should have added that the entire drive is FileVault encrypted, as well. Does this help?
 
Joined
Jan 1, 2009
Messages
15,494
Reaction score
3,853
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Yes. That will protect it. A bit overkill with both that AND the passworded .dmg, but you spies can't be too careful...
 

pigoo3

Well-known member
Staff member
Admin
Joined
May 20, 2008
Messages
44,212
Reaction score
1,424
Points
113
Location
U.S.
Your Mac's Specs
2017 15" MBP, 16gig ram, 1TB SSD, OS 10.15
Thanks. I should have added that the entire drive is FileVault encrypted, as well.

Don't forget that FileVault password (we've had folks do that...just like any password...it can be forgotten). Don't want your next thread post to be..."How can I get access to my HD if I've forgotten my FileVault password?"

Basically in their pursuit of greater security...some users end up causing themselves MUCH more of a problem with a forgotten FileVault password. It's probably MUCH more likely that someone will forget their FileVault password...than incur a security issue that the FileVault password was used to protect against in the first place.

Basically what I'm saying is...think very hard before using (or continuing to use)...a FileVault password.:)

- Nick
 
OP
A
Joined
Oct 6, 2016
Messages
184
Reaction score
6
Points
18
Thanks Nick,

Good advice. I carry my passwords on a double-protected memory stick, which comes with me when I go out (and my partner carries a duplicate!)

No, neither spy nor assassin, just trying to keep the wolves from my door...

Allen
 
Joined
Oct 16, 2010
Messages
17,527
Reaction score
1,561
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
I carry my passwords on a double-protected memory stick, which comes with me when I go out (and my partner carries a duplicate!)


And do you both keep your cyanide or equivalent pills hidden, dry but handy??? Seriously… Must be some super special data…




- Patrick
======
 
OP
A
Joined
Oct 6, 2016
Messages
184
Reaction score
6
Points
18
Busted. Should have known better than to try and fool North Americans...

But maybe I am guilty of (a) complacency and (b) keeping all my eggs in one basket. If you got access to my memory stick, you could clean me out in hours, so maybe I should rethink my security.

Allen
 
Joined
Mar 15, 2006
Messages
1,237
Reaction score
27
Points
48
Your Mac's Specs
2015 Retina 4K iMac. Monterey. 8GB RAM. Crucial 500GB external SSD
For years I kept my passwords in a password protected Word file. Sounds great, until I realized if you drag and drop the file to the text edit app, it opens up... no password required.
 
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
For years I kept my passwords in a password protected Word file. Sounds great, until I realized if you drag and drop the file to the text edit app, it opens up... no password required.
Doing so would still protect you against around 80-90% of the people trying to access it...;D

On the other hand, the level of protection depends on the version of the Word app. MS Word 2010 and later actually uses the password as salt for AES encrypting the document. I can drop my MS Word 2013 document into a text editor and read the type of encryption used:

Code:
<keyEncryptors>
  <keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
    <p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256"
                    hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
                    hashAlgorithm="SHA512" saltValue="xNrx6wiDy+0CCSlLVA6XbQ=="
                    encryptedVerifierHashInput="9nSVkY2xIsKe5VDWQvqL2Q=="
                    encryptedVerifierHashValue="s3xxHgXFiMLslKe//oUGy3m3Odk+M6gU1MkvWGe0TZjOTFgivfsR6ZUDZ4YN3RQzYL5vnCa+Cl3Dlv7tEqW5vg=="
                    encryptedKeyValue="l8/MZDwH+CHQDaQq6fiKVD8tSckzT141hOzEtkce9wc="/>
  </keyEncryptor>
</keyEncryptors>

The actual content of the word document is the usual gibberish, that encrypted text looks like...

The length of the hash values depends on the length of the password, but in either case, knowing the hash value and cipher algorithm does make it possible to recover the password. Just good luck doing it on a home system, albeit spooks probably have no issues doing it with their super computers...
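
An added example, not part of the original thread: a small Python audit of the password key-encryptor descriptor quoted in the post above, checking its declared parameters against a policy floor and timing the `spinCount` hash chain that every password guess has to pay for. The `<encryption>` wrapper element, the policy thresholds and the function names `audit` and `spin_cost` are assumptions made for this illustration.

```python
import base64, hashlib, struct, time
import xml.etree.ElementTree as ET

P_NS = "http://schemas.microsoft.com/office/2006/keyEncryptor/password"
# Attribute values copied from the post above; the <encryption> wrapper that
# declares the p: prefix is constructed so the fragment parses on its own.
DESCRIPTOR = f"""<encryption xmlns:p="{P_NS}"><keyEncryptors>
<keyEncryptor uri="{P_NS}">
<p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256"
 hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
 hashAlgorithm="SHA512" saltValue="xNrx6wiDy+0CCSlLVA6XbQ=="
 encryptedVerifierHashInput="9nSVkY2xIsKe5VDWQvqL2Q=="
 encryptedVerifierHashValue="s3xxHgXFiMLslKe//oUGy3m3Odk+M6gU1MkvWGe0TZjOTFgivfsR6ZUDZ4YN3RQzYL5vnCa+Cl3Dlv7tEqW5vg=="
 encryptedKeyValue="l8/MZDwH+CHQDaQq6fiKVD8tSckzT141hOzEtkce9wc="/>
</keyEncryptor></keyEncryptors></encryption>"""

# Illustrative policy floor (assumed thresholds, not a vendor requirement).
MIN_SPIN, MIN_KEY_BITS, STRONG_HASHES = 100_000, 256, {"SHA256", "SHA384", "SHA512"}

def audit(xml_text):
    """Return (attributes, findings) for the password key encryptor."""
    key = ET.fromstring(xml_text).find(f".//{{{P_NS}}}encryptedKey")
    if key is None:
        raise ValueError("no password-based encryptedKey element found")
    a, findings = key.attrib, []
    if a["cipherAlgorithm"] != "AES" or int(a["keyBits"]) < MIN_KEY_BITS:
        findings.append("weak cipher or key size")
    if a["hashAlgorithm"] not in STRONG_HASHES:
        findings.append("weak hash algorithm")
    if int(a["spinCount"]) < MIN_SPIN:
        findings.append("low spinCount")
    # Stored blob sizes are fixed by the declared parameters.
    block = int(a["blockSize"])
    padded_hash = -(-int(a["hashSize"]) // block) * block  # round up to a block multiple
    expected = {"saltValue": int(a["saltSize"]), "encryptedKeyValue": int(a["keyBits"]) // 8,
                "encryptedVerifierHashValue": padded_hash}
    for name, size in expected.items():
        if len(base64.b64decode(a[name])) != size:
            findings.append(f"{name} length mismatch")
    return a, findings

def spin_cost(spin_count, hash_name):
    """Seconds for one spinCount-long hash chain, the per-guess work factor."""
    h = hashlib.new(hash_name.lower(), b"constructed seed").digest()
    start = time.perf_counter()
    for i in range(spin_count):
        h = hashlib.new(hash_name.lower(), struct.pack("<I", i) + h).digest()
    return time.perf_counter() - start
```

Calling `audit(DESCRIPTOR)` returns an empty findings list for the descriptor in the post, and `spin_cost(100000, "SHA512")` gives a rough lower bound on the time a single password guess takes on the machine running it.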
 
Joined
Jan 1, 2009
Messages
15,494
Reaction score
3,853
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Can I suggest a password holder for that critical data on the stick? I use 1Password, but there are others. It stores not only passwords, but just about anything you want to put in. I have software licenses, passport information, drivers license information, etc., all stored in 1Password. All of that then syncs across my MBP, iPad and iPhone through either iCloud or Dropbox (I use iCloud as the sync conduit). Access to 1Password requires both unlocking my iPhone/iPad or logging into my password on the MBP and then also providing the 1Password password (a strong password both long and complex).
 
OP
A
Joined
Oct 6, 2016
Messages
184
Reaction score
6
Points
18
Thanks MacInWin, I'll have a look at that 1Password. Seems to be what I do, but better!

But Cr00zng, you have bamboozled and worried me... Are you saying that even with my total FileVault encryption, someone could plug my MacMini SSD into a different machine and read it? If so, what's the use of FileVault? Also, even if they could somehow get past the encryption and its password, how could they read a .dmg file with its different password? Or are you just assuming they get lucky?

I thought I was doing reasonably okay, but your answer has given me the wobblies.

Allen.
 
Joined
Oct 16, 2010
Messages
17,527
Reaction score
1,561
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
@allen-uk
I thought I was doing reasonably okay, but your answer has given me the wobblies.

I'd suggest that you do some reading about Apple's OS X FileVault at some non-apple sites.
Lots of good valuable information out there.

The info may help calm your wobblies. :Smirk:




- Patrick
======
 
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
I thought I was doing reasonably okay, but your answer has given me the wobblies.

Allen.
From the physical security perspective, you are doing OK. With FileVault 2 enabled, most people will not be able to access your files, no matter where they plug in your SSD/HDD. Most people, since there are periodically ways that circumvent the encryption or rather access the password. Like this one from a little over a year ago:

https://thehackernews.com/2016/12/hack-macbook-password.html

The chances are that Apple already patched this vulnerability, but new ones come to light on occasion. That's just the nature of software security...

I was referring to the over the network access to your Mac Mini, when you are logged in and connected to the network. You could get some malware from the internet and it could upload the files in plain text to the command and control server. And as the link showed in my previous posting, the malware could actually activate the camera and record whoever is in front of it.

Yes, encrypting the drive is a good idea, if you need protection for the data at rest. On the other hand, FileVault does nothing for data in motion or remote access.
 
OP
A
Joined
Oct 6, 2016
Messages
184
Reaction score
6
Points
18
Thanks Patrick, interesting article.

Point taken, crooz. Our desktop is a fixed item, doesn’t travel, and we aren’t on any networks, but I’ll bear your points in mind.

Allen
 
Joined
Jan 1, 2009
Messages
15,494
Reaction score
3,853
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
From the article Cr00zing linked:
There's no indication it exploited vulnerabilities, which means it probably relied on tricking targets into clicking on malicious Web links or attachments in e-mails.
Clicking on links you don't know about is the weakness here. Just don't do that. If you get a link in email, don't click. Similarly, clicking from one URL to another is a sure way to end up in dangerous territory. Take the time to check where the link is taking you before you go there.

Allen, an encrypted drive is encrypted. Putting it in another machine won't change that encryption. Ditto with the .dmg. Stop wobbling.
 
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
From the article Cr00zing linked: Clicking on links you don't know about is the weakness here. Just don't do that. If you get a link in email, don't click. Similarly, clicking from one URL to another is a sure way to end up in dangerous territory. Take the time to check where the link is taking you before you go there.

That advice is not as useful as it used to be in yesteryears. That's mainly due to malvertising, where the actual ad at a legit site redirects the visitor, behind the dancing/climbing/driving or whatever ad, to the site where the malware is stored. Most websites, like this forum, connect to 15-20 other websites that are not known to most visitors.

Then there's the issue of short URLs, like this one:

https://tinyurl.com/y7tgkdvj

Go ahead, the link is for this site, including 10-15 other sites that analyze/track the visitor's activity...
 