10.5: Insure that Time Machine runs on FileVault accounts
I'm sorry to prolong this, but you want people to believe that a powered-on laptop with a locked screen is vulnerable, but you offer no evidence to support that claim. Just because one can conceive of a possibility does not make it a realistic threat. Regardless, it is only potentially vulnerable as long as the laptop is powered on.
10.5: Insure that Time Machine runs on FileVault accounts
While a "typical user" might be satisfied with using a screen lock for security, that is because they don't have any data of real value and there isn't much downside to having it disclosed. The users that really need FileVault have medical or financial data or trade secrets that would cause a huge problem if there was even a possibility it was disclosed after a computer theft. Several people have left comments on MacOSXhints and other forums who are clearly concerned about such a possibility. The difference between a FileVault user leaving themselves logged in with a screen saver and logging out is that, in the former case, the user's home directory is left mounted and unencrypted. For a hacker, that reduces the problem from a mathematically intractable one (cracking 128-bit AES encryption) to a practical one (obtaining admin or root access to the computer or physically connecting to and reading the RAM). These are not the same thing at all, given sufficient motivation. For example, if the data was known to be worth at least a few million dollars (e.g., if it had tens of thousands of bank card numbers and PINs), a good lab could get it off the machine within 48 hours.

For a more authoritative source, read the National Security Agency's security configuration guide, located at http://www.nsa.gov/snac/ On page 153, in the "Best Practices" section, they say "Log out of secure accounts when you aren't using them, or when you leave your computer." They don't say to just use a screen saver.

Your comment that the computer "is only potentially vulnerable as long as the laptop is powered on" is bizarre. How would a user remain logged on when the computer is powered off? The vulnerability only exists when the FileVault user is logged on, as discussed ad nauseam. Powering off a machine is even more inconvenient than logging off.
In any case, the argument that users need not log off ignores a key point of the above hint: their home folder won't be backed up unless they log off. Presumably, users with valuable data will want it backed up. So telling them not to log off for convenience is bad advice.
10.5: Insure that Time Machine runs on FileVault accounts
There is always the possibility that information may be disclosed. FileVault or not. All someone has to do is guess the login password.
10.5: Insure that Time Machine runs on FileVault accounts
The guidelines NSA publishes are for government and industry and they cover confidential but not Top Secret information, which is stored under much stricter rules. In other words, the guidelines are not for "NSA-level" security but rather recommendations for the configuration and use of computers containing sensitive data. Users concerned about the cost and embarrassment of data theft should consider the NSA guidelines. To provide protection against a sophisticated and well-funded hacker (but not one with unlimited government resources) users can:
If all of the above guidelines are followed, secure accounts on a stolen computer are probably safe, in that no exploits are generally known. Time Machine will not back up a secure account when the user is logged in or when no user at all is logged in, but will back it up when the user is in the process of logging out. If connecting a USB or FireWire disk is not practical when logging out of a secure account, creating a "backup" non-FileVault, non-admin account with limited privileges is a convenient way to allow backups later, with minimal risk to security. Logging in to such an account, with a USB or FireWire disk connected, will allow Time Machine to back up all secure and insecure accounts.
10.5: Insure that Time Machine runs on FileVault accounts
... and disable safe sleep, as mentioned above.