This is not an insignificant question. Even simple security measures on computing devices require a level of discipline, training and understanding that some folks are just not willing to put up with. For instance, when we install a password manager like 1Password on client machines, it takes five minutes. Training and education for you and your employees might take hours or days depending on the size of deployment. But if people refuse to use the system and continue to choose “abc123″ as their password for every service they use, then we’ve failed.
Fortunately, the software solutions to enable secure and safe computing are getting so good that inconvenience is being minimized. Forward thinking companies are able to empower their employees with the tools to protect themselves online, as well as the data on their devices should they be lost or stolen.
However, ever one to complicate a good thing, and go the extra mile for my clients, when it comes to data on physical devices, I ask them to consider something else to trade off: Recoverability.
Now that our computing devices are connected to the Internet pretty much all the time, there are a variety of software solutions you can install on your computer to assist you and law enforcement to track down lost and stolen devices. For example, I detailed a recent case where the Apple Find my iPhone service was an absolute lifesaver in helping me recover my wife’s lost iPhone.
But what if your device is stolen? Software such as Prey works by using your hardware against the thief. So if a thief is using your laptop for example, Prey operates in the background and uses the webcam to snap a picture, take a screenshot of what the thief is looking at, and uses wifi data to report the laptop’s location. It uploads all of that data to Prey on a regular basis. There are some great stories they publish of happy users who have recovered their stuff.
“Great!” say the clients. “Let’s set that up!”
So here’s the catch: The thief needs to be able to use your computer for Prey to do its thing. So: Do you want a shot at recovering your computer, or would you rather have your computer completely inaccessible to thieves. Remember, there could be sensitive data on your computer that opens you up to identity theft. Depending on the client, we usually recommend data security over recoverability. Back up your data with discipline, kiss your computer goodbye, file an insurance claim and we’ll get you up and running as quickly as we can with a new device.
A client of mine put it succinctly. The instructions he gave about how his devices were to be secured in case of theft were music to my ears: “I want these things to be doorstops. Completely useless.”
However, we’ve recently implemented some options with Apple Macbooks that allow us to secure the devices, while still allowing for the possibility that we can help you recover the computer. This is a Mac specific solution, but the theory can be applied to other machines, and we’re investigating a method to implement on PCs as well. I won’t go into all the nitty gritty details about this here, but here are the basics of the method.
Back up your data:
This should go without saying, but hey, we’re saying it. Did you back up your data? Do it. Now.
Your Mac’s firmware is basically equivalent to your PCs BIOS. A tiny bit of software that governs how the computer boots and operates before the Operating System even loads from the hard drive. Apple provides a tool allowing you to set a password on the firmware. For every day use, this actually does nothing. Restart your computer and it will boot as usual. However, if a thief attempted to use a key combination during startup to do something like boot from a DVD or USB drive, he would need to enter your password. A thief might do this in preparation for reinstalling the operating system to prepare your computer for resale. In this case, he would not be able to do that.
Decoy Operating System:
We create a small partition on your existing hard drive, and here we install a clean copy of the Mac’s operating system. Using some configuration options, we make this version of the operating system boot and log a default user in automatically. This user is a “non-privileged” user who can’t change configuration options or access certain areas of the operating system. Put some non-sensitive files in this account to make it look like a real account.
This is where we install Prey. We can even set Prey up to automatically report the computer as stolen (Provided it is connected to the Internet) as soon as the computer starts.
There’s a pretty good how-to over at Spider Labs. This is where we got the idea in the first place :-).
Encrypt your “real” Operating System
Your Mac has a built in option for encrypting your entire disk. It’s called FileVault and what it means is that a thief is going to have lot of trouble reading the data on your hard drive without a password or a recovery key that Apple provides you in case you forget your password.
In this particular case, you are not encrypting the “entire” disk, as your “decoy” operating system remains on an unencrypted partition of your disk, but you are encrypting all the data on your “real” operating system, and that should be all that matters.
The final result:
While all of this takes a bit of time and some careful planning, this is how your Macbook works now:
When you boot your machine, hold down the “Option” key on your keyboard. A screen will come up with a password entry screen. This is the firmware password. Your computer is asking for this because you are using a key to choose which hard drive partition to boot from. Type in the password and choose your original hard drive partition; The one with your “real” or original operating system and information. You’ll then be asked for your user account and password. This should be one of the accounts you chose when encrypting your drive with FileVault. You’ll then have access to the encrypted drive and be able to use the computer normally.
If a thief starts your computer, it will boot into the decoy operating system and automatically log in under the “non-privileged” user you set up. Since your other hard drive partition is encrypted, the user can’t access it. And they cannot change options in the existing operating system very easily, as they don’t have privileges to do so.
Prey will start tracking the computer as soon as it boots, and as soon as it connects to the Internet, it will begin sending reports. Provide these reports to law enforcement and enlist their assistance in getting back your property.
This might all sound a bit complicated and time consuming, but isn’t your data and your gear worth it? All it takes is some planning and forethought. And of course, we’re happy to talk about rolling something like this out to track your gear, but keep your data secure.