Computer Security - Encryption, Antivirus, Passwords

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Post Reply
Topic Author
DocInColo
Posts: 98
Joined: Tue Aug 11, 2020 9:20 pm

Computer Security - Encryption, Antivirus, Passwords

Post by DocInColo »

All of the recent high-profile computer security hacks have me thinking about my own computer security.

Since most people store a LOT of confidential files on their computers (bank statements, passwords, tax returns, etc.) how do you keep them safe, especially on a laptop that is easily stolen? On a Mac you can turn on FileVault encryption, but is that enough? I read that FileVault only works when the computer is completely shut down. So if I have my laptop turned on, but the screen "locked" does that mean the disc is completely unencrypted?

The Mac also does not have a feature that automatically erases the laptop after a certain number of wrong passwords, so what would keep someone from "brute force" attacking the login password to compromise my account?

I also really like the Apple Keychain password manager because it can create strong passwords and sync them across all devices. But, on a Mac, if you are logged into an account it will autofill the password without asking for ANY sort of master password. At least the iPhone requires Face/Touch ID before a password is autofilled. This seems like a huge security issue on the Mac because if someone can gain access to your account, they have access to all of your passwords.

I'm curious what Bogleheads are doing about online/computer security, especially on Macs. I love Apple's integrated system (and all my tech is Apple), but it seems like there are some major security holes that I need to plug.
oldfort
Posts: 2657
Joined: Mon Mar 02, 2020 8:45 pm

Re: Computer Security - Encryption, Antivirus, Passwords

Post by oldfort »

DocInColo wrote: Sat Jan 16, 2021 7:00 pm All of the recent high-profile computer security hacks have me thinking about my own computer security.

Since most people store a LOT of confidential files on their computers (bank statements, passwords, tax returns, etc.) how do you keep them safe, especially on a laptop that is easily stolen?
You're worrying about the wrong risks. Most hacks don't involve anyone stealing your personal laptop. It's far more likely your computer gets infected with malware or ransomware, you fall for a phishing attempt, some password database gets compromised on the server side, or a SIM swap allows hackers to reset your account passwords.
Alchemist
Posts: 622
Joined: Sat Aug 30, 2014 6:35 am

Re: Computer Security - Encryption, Antivirus, Passwords

Post by Alchemist »

As a fellow Mac and Keychain user concerned about security, I will try to give some answers to your concerns.
DocInColo wrote: Sat Jan 16, 2021 7:00 pm Since most people store a LOT of confidential files on their computers (bank statements, passwords, tax returns, etc.) how do you keep them safe, especially on a laptop that is easily stolen? On a Mac you can turn on FileVault encryption, but is that enough? I read that FileVault only works when the computer is completely shut down. So if I have my laptop turned on, but the screen "locked" does that mean the disc is completely unencrypted?
The particulars of this answer can change a little based on which model of Mac you have and whether or not it has a T2 chip. Let's assume you have an older Mac like the one I am typing on right now, as a worst case scenario. Your files are encrypted when the Mac locks/sleeps but is still powered on. However, the decryption key is kept in RAM while the computer is running so it can quickly decrypt the drive when you unlock the device. This is a theoretical vulnerability if someone was able to physically remove the RAM and use some rather advanced techniques to retrieve the data. Considering that Mac laptops have RAM soldered to the motherboard this isn't really a concern. It is also a technique requiring the sophistication of state-level actors, not coffee shop bandits.

Or in other words, when the Mac is locked your data is safe.
DocInColo wrote:The Mac also does not have a feature that automatically erases the laptop after a certain number of wrong passwords, so what would keep someone from "brute force" attacking the login password to compromise my account?
Here there are only two possible defenses:

1) create a long, complex passphrase so that it would take many years to brute force even using a super computer. This is good advice for all passwords.

2) iCloud has the ability to enable remote wiping of your hard drive . Thus your computer can be commanded to wipe itself (including the decryption keys) assuming it is given internet access at some point (likely if the thieves want access to your online accounts).

DOcinColo wrote:I also really like the Apple Keychain password manager because it can create strong passwords and sync them across all devices. But, on a Mac, if you are logged into an account it will autofill the password without asking for ANY sort of master password. At least the iPhone requires Face/Touch ID before a password is autofilled. This seems like a huge security issue on the Mac because if someone can gain access to your account, they have access to all of your passwords.
Two things to consider with this. The first is that to access your passwords in plain text (like through Keychain Access), they still need the master password for the device. The second is that this is where two factor authentication comes in. Also to get to this point, they would have had to somehow gain physical access to your device AND defeat filevault encryption.

I use Keychain and all my devices are Apple (MacBook Pro, iPad pro, iPhone, Apple TV, etc). I also use Google services with my main email account being Gmail and I use Google One/Google Drive for cloud backups as I do not want everything in the Apple basket. Additionally, I have Google's Advanced Protection enabled on my Google Account to ensure that the repository of my data is under the strictest security possible to a retail customer.

Ultimately you need to build a threat model to know what you are trying to protect against. For me it is cyber criminals and foreign state actors. The NSA and FBI are not part of my threat model so I am unconcerned about their ability to get a lawful warrant for my Google or iCloud data (given my job as a military officer I would have to hand it over anyway to keep my clearance even if zero-knowledge encrypted). You may have a different threat model that drives you to different choices and that's ok.
User avatar
Tejfyy
Posts: 155
Joined: Mon Aug 26, 2019 9:18 pm

Re: Computer Security - Encryption, Antivirus, Passwords

Post by Tejfyy »

I agree with DocInColo, the laptop itself isn't your biggest threat particularly if it's in your house, one that's locked and perhaps with a security alarm to boot. I'm a laptop user, Mac, my machine never leaves my house. The most recent change in my security habits has been moving my password manager off the cloud. I used Lastpass for many years, now I have a local database with Strongbox. As to the real threats Doc mentioned, I minimize and pay attention to my internet goings on. For example, I use a separate email account for my financial institution which emails when there's activity on my account. I change up 2-factor authentication methods. If I'm not using a device, it's offline.
lazydavid
Posts: 3742
Joined: Wed Apr 06, 2016 1:37 pm

Re: Computer Security - Encryption, Antivirus, Passwords

Post by lazydavid »

Alchemist wrote: Sat Jan 16, 2021 9:44 pm The particulars of this answer can change a little based on which model of Mac you have and whether or not it has a T2 chip. Let's assume you have an older Mac like the one I am typing on right now, as a worst case scenario. Your files are encrypted when the Mac locks/sleeps but is still powered on. However, the decryption key is kept in RAM while the computer is running so it can quickly decrypt the drive when you unlock the device. This is a theoretical vulnerability if someone was able to physically remove the RAM and use some rather advanced techniques to retrieve the data. Considering that Mac laptops have RAM soldered to the motherboard this isn't really a concern. It is also a technique requiring the sophistication of state-level actors, not coffee shop bandits.
You actually don't have to take the RAM out. Thunderbolt ports, like the Firewire ports they replaced, fully support DMA (Direct Memory Access), so attacking those ports directly is a lot more straightforward than trying to move memory (even when it is removable) without losing its state.

But that doesn't change your conclusion. These are not attacks that are practiced by common thieves.
jayk238
Posts: 836
Joined: Tue Jan 31, 2017 1:02 pm

Re: Computer Security - Encryption, Antivirus, Passwords

Post by jayk238 »

DocInColo wrote: Sat Jan 16, 2021 7:00 pm All of the recent high-profile computer security hacks have me thinking about my own computer security.

Since most people store a LOT of confidential files on their computers (bank statements, passwords, tax returns, etc.) how do you keep them safe, especially on a laptop that is easily stolen? On a Mac you can turn on FileVault encryption, but is that enough? I read that FileVault only works when the computer is completely shut down. So if I have my laptop turned on, but the screen "locked" does that mean the disc is completely unencrypted?

The Mac also does not have a feature that automatically erases the laptop after a certain number of wrong passwords, so what would keep someone from "brute force" attacking the login password to compromise my account?

I also really like the Apple Keychain password manager because it can create strong passwords and sync them across all devices. But, on a Mac, if you are logged into an account it will autofill the password without asking for ANY sort of master password. At least the iPhone requires Face/Touch ID before a password is autofilled. This seems like a huge security issue on the Mac because if someone can gain access to your account, they have access to all of your passwords.

I'm curious what Bogleheads are doing about online/computer security, especially on Macs. I love Apple's integrated system (and all my tech is Apple), but it seems like there are some major security holes that I need to plug.
I have a mac.
My security concerns do not revolve around this

I currently use ubiquiti for my router. I thought it was safe until evidence came out that some level of entry took place within their networks. I recently changed passwords to my ubiquiti access.

I make sure to have a different password for every important website- all finance sites like chase, vanguard etc.

I also make sure to enable 2 factor authentication. I only use chip based authentication such as Yubikey. I do not trust cell phone text passcodes. I hate vanguard for this because there is no way around it but so be it.

I use protonmail for ONLY banking/finance accounts. This way I reduce my chances of being phished. It is highly secure and unlike google does not freely scour your emails to sell ads.

Once I the 2 comma mark, I plan to airgap a new laptop solely used for financial purpose and nothing else.

with the recent news of a massive breach that pretty much affected EVERYONE I make sure to have paper reports of everything banking wise. I no longer do paperless.
Topic Author
DocInColo
Posts: 98
Joined: Tue Aug 11, 2020 9:20 pm

Re: Computer Security - Encryption, Antivirus, Passwords

Post by DocInColo »

Great responses, thanks! I don't think my older Mac has the T2 chip. I guess it's a matter of how sophisticated the thief/hacker is. I would assume 99.9% of people who steal a laptop probably just want to turn around and make a quick buck off it. They wouldn't have the technology or knowledge to undertake some sophisticated attack on the laptop.

I do have two more questions that came up from reading these responses:

1) does anyone with a Mac use stand-alone internet security software like Kaspersky or Malware Bytes? Wondering if it is worth it or if they just give a false sense of security.

2) is there any benefit to using paid password management software like 1Password versus just using the free Apple Keychain? All my devices are Apple, which makes sync easy.

3) if you create a separate "limited" user account on a Mac (and its home folder is also encrypted) is that completely separated from the other user accounts? I was thinking that would be a good way to limit any exposure to malware; have a single limited user account just for accessing financial websites.
j9j
Posts: 98
Joined: Sat Oct 24, 2015 1:46 pm

Re: Computer Security - Encryption, Antivirus, Passwords

Post by j9j »

[/quote]

with the recent news of a massive breach that pretty much affected EVERYONE I make sure to have paper reports of everything banking wise. I no longer do paperless.
[/quote]

Having a certain history of account statements is a good point. I still do paperless communications but I do print and save yearly/quarterly statements.
notBobToo
Posts: 69
Joined: Wed Jan 02, 2019 10:07 pm

Re: Computer Security - Encryption, Antivirus, Passwords

Post by notBobToo »

DocInColo wrote: Sun Jan 17, 2021 10:15 am Great responses, thanks! I don't think my older Mac has the T2 chip. I guess it's a matter of how sophisticated the thief/hacker is. I would assume 99.9% of people who steal a laptop probably just want to turn around and make a quick buck off it. They wouldn't have the technology or knowledge to undertake some sophisticated attack on the laptop.

I do have two more questions that came up from reading these responses:

1) does anyone with a Mac use stand-alone internet security software like Kaspersky or Malware Bytes? Wondering if it is worth it or if they just give a false sense of security.

2) is there any benefit to using paid password management software like 1Password versus just using the free Apple Keychain? All my devices are Apple, which makes sync easy.

3) if you create a separate "limited" user account on a Mac (and its home folder is also encrypted) is that completely separated from the other user accounts? I was thinking that would be a good way to limit any exposure to malware; have a single limited user account just for accessing financial websites.
My experiences with a 2018 Mac mini (with T2 chip) ...

(1) I have a license for Malwarebytes Premium, which runs ONLY the (daily) scanner. (Does not run the real time protection.) Not sure if more than a warm, fuzzy.
(2) Keychain is the only password management software that I use.
(3) I have a non-admin account that I use to login for everyday use. Also, the Mac locks after a few minutes of inactivity and on reboot, requiring a password.
Alchemist
Posts: 622
Joined: Sat Aug 30, 2014 6:35 am

Re: Computer Security - Encryption, Antivirus, Passwords

Post by Alchemist »

lazydavid wrote: Sun Jan 17, 2021 9:24 am You actually don't have to take the RAM out. Thunderbolt ports, like the Firewire ports they replaced, fully support DMA (Direct Memory Access), so attacking those ports directly is a lot more straightforward than trying to move memory (even when it is removable) without losing its state.

But that doesn't change your conclusion. These are not attacks that are practiced by common thieves.
Thanks for the additional info. It spurred me to do some digging and allegedly Intel fixed this with a firmware update that was sent out in MacOS 10.12.4

With that said, we are of course in complete agreement that this is a sophisticated attack so even if you had an unpatched Mac, there is a such a small chance this would happen to you as to be not worth worrying about.
DocInColo wrote: Sun Jan 17, 2021 10:15 am 1) does anyone with a Mac use stand-alone internet security software like Kaspersky or Malware Bytes? Wondering if it is worth it or if they just give a false sense of security.
First I cannot say emphatically enough, DO NOT USE KASPERSKY. It is Russian Spyware.

Secondly to answer the question, I do not use any additional stand-alone security software. If you would feel better using Malware bytes it would not hurt anything but I do not think it is necessary. What is necessary is to keep your Mac (and all devices) updated to the latest software version. Additionally, set your security settings to only allow App Store software installs. You can override this setting on a case by case basis if you need to download non-app store software but enabling it as a normal day to day setting helps erect barriers for any drive by malware attacks by requiring additional user interaction necessary for the attack to succeed.
DocInColo wrote:2) is there any benefit to using paid password management software like 1Password versus just using the free Apple Keychain? All my devices are Apple, which makes sync easy.
The main benefit would be cross platform compatibility if sometime in the future you add a Windows or Android device to your line up or if you just prefer the 1Password interface. No real security difference.
DocInColo wrote:3) if you create a separate "limited" user account on a Mac (and its home folder is also encrypted) is that completely separated from the other user accounts? I was thinking that would be a good way to limit any exposure to malware; have a single limited user account just for accessing financial websites.
This would be a security benefit. If you did end up getting malware on the machine, being logged in as a limited user (non-admin) would help mitigate damage the malware could cause. It is a recommended practice to not daily drive your admin account for this reason. Though with that said, this is a lower priority than keeping all your software up to date, using 2FA/password manager, and not clicking links in emails.
Post Reply