10.5: Insure that Time Machine runs on FileVault accounts
Authored by: Alrescha on Nov 30, '07 11:48:35AM

There is always the possibility that information may be disclosed. FileVault or not. All someone has to do is guess the login password.

That a good lab could gain admin access or break through the screen saver "within 48 hours" is speculation on your part. Moreover, in order to access the FileVault-protected files they have to do so without restarting the laptop.

You are right in saying that best practice for NSA-level security is to log out. But that's not the thread and not where we started. You made the claim that if users do not log out they might as well not use FileVault at all. This is fear-mongering and helps no one.

A.

(my last post in this thread, apologies to all for letting it go this long)



10.5: Insure that Time Machine runs on FileVault accounts
Authored by: noworryz on Nov 30, '07 04:20:56PM

The guidelines NSA publishes are for government and industry and they cover confidential but not Top Secret information, which is stored under much stricter rules. In other words, the guidelines are not for "NSA-level" security but rather recommendations for the configuration and use of computers containing sensitive data.

Users concerned about the cost and embarrassment of data theft should consider the NSA guidelines. To provide protection against a sophisticated and well-funded hacker (but not one with unlimited government resources), users can:

  1. Choose a strong password for their secure accounts with the aid of Apple's password assistant.
  2. Enable FileVault for secure accounts.
  3. Disable automatic login (in Security preferences).
  4. Enable secure virtual memory (in Security preferences).
  5. Enable the firewall (in Security preferences).
  6. Log out of secure accounts when not using them (and not assume that sleeping with the screen locked or switching accounts with Fast User Switching are equivalent to logging out).
  7. Avoid executing untrusted, especially downloaded, applications.

If all of the above guidelines are followed, secure accounts on a stolen computer are probably safe, in that no exploits are generally known.

Time Machine will not back up a secure account when the user is logged in or when no user at all is logged in, but will back it up when the user is in the process of logging out. If connecting a USB or FireWire disk is not practical when logging out of a secure account, creating a "backup" non-FileVault, non-admin account with limited privileges is a convenient way to allow backups later, with minimal risk to security. Logging in to such an account, with a USB or FireWire disk connected, will allow Time Machine to back up all secure and insecure accounts.


10.5: Insure that Time Machine runs on FileVault accounts
Authored by: noworryz on Dec 03, '07 10:00:52AM

... and disable safe sleep, as mentioned above.



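An audit of the machine-wide settings from the checklist in this thread (automatic login, secure virtual memory, firewall, safe sleep), as an added example that is not part of any post above. The preference paths and key names are assumptions based on Mac OS X of that era and do not come from the thread; FileVault status and password strength are not checked.

```shell
#!/bin/sh
# Added example: each verdict function takes the raw setting value,
# so the logic can be checked offline with constructed input.

# Automatic login is off when the autoLoginUser key is absent (empty read).
verdict_autologin() { [ -z "$1" ] && echo PASS || echo "FAIL (auto-login user: $1)"; }

# Secure virtual memory: UseEncryptedSwap must read 1.
verdict_secure_vm() { [ "$1" = "1" ] && echo PASS || echo FAIL; }

# Application firewall: globalstate 0 = off, 1 or 2 = on.
verdict_firewall() { case "$1" in 1|2) echo PASS ;; *) echo FAIL ;; esac; }

# Safe sleep writes RAM contents to disk; hibernatemode 0 means it is disabled.
verdict_safe_sleep() { [ "$1" = "0" ] && echo PASS || echo "FAIL (hibernatemode=${1:-unknown})"; }

# Pull the hibernatemode value out of `pmset -g` output.
parse_hibernatemode() { printf '%s\n' "$1" | awk '$1 == "hibernatemode" { print $2 }'; }

audit() {
    # Assumed preference domains (not taken from the thread).
    lw=/Library/Preferences/com.apple.loginwindow
    vm=/Library/Preferences/com.apple.virtualMemory
    fw=/Library/Preferences/com.apple.alf
    echo "automatic login off:   $(verdict_autologin "$(defaults read "$lw" autoLoginUser 2>/dev/null)")"
    echo "secure virtual memory: $(verdict_secure_vm "$(defaults read "$vm" UseEncryptedSwap 2>/dev/null)")"
    echo "firewall on:           $(verdict_firewall "$(defaults read "$fw" globalstate 2>/dev/null)")"
    echo "safe sleep off:        $(verdict_safe_sleep "$(parse_hibernatemode "$(pmset -g 2>/dev/null)")")"
}

# Only run the live audit where the macOS tools exist.
if command -v defaults >/dev/null 2>&1 && command -v pmset >/dev/null 2>&1; then
    audit
fi
```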