This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Dangerous Omission - Knox FAQ

binaryeric
binaryeric Senior Member
edited December 1969 in Knox
Roustem,



In your FAQ post for Knox, there is this question:



[QUOTE][B]Which settings should I set in the System Preferences to make my Mac secure?[/B]



We run our Macs with the following settings: In the Security preference pane, Require password to wake this computer from sleep or screen saver, Disable automatic login, Use secure virtual memory. In the Desktop & Screen Saver pane, we set up a short time to start the screensaver, and also specify a hot corner to launch it immediately when we leave the computer. In the Sharing preference pane, we disable all services we don’t use and turn on the firewall.

[/QUOTE]



This is a pretty dangerous thing to list because users without any security knowledge will think that this is all you need to do to "make my Mac secure". A few very significant things not listed are...



- Open Firmware Password - Critical for keeping someone from accessing your drives, resetting your user password with a boot disk, booting from another disk to attack yours, etc.



- Creating a separate keychain and not using the Login keychain. If I pull the battery and reset the firmware password, boot to an OS X disk, and reset your user password- I am then able to access your user account. If I then use System Preferences to change the password AGAIN, OS X will sync the new password (#2) with the login keychain password so now I have access to any data in that keychain. Using a separate keychain protects against this because only the login keychain is sync'd with your user account password.



- Using strong (long) passwords for your encrypted images. Even with AES256 encryption, a password like "dog" is not going to get you much of an advantage because your password can be attacked rather than the key. If you are storing your passwords in a separate keychain, use the maximum available length (32 chars in the case of AES256) so that your password & key are the same size.



These are just a few tips... and I'm sure that someone has some even better ones. I also understand that the above question is not intended as a "Secure Your Mac" guide... but the question and answer might lead (many) people to believe that if they have those settings as described...they are locked down!



Eric

Comments

  • MartyS
    MartyS AgileBits Customer Care (retired)
    edited December 1969
    Thank you for giving your "caution" to what we've got listed so far.
  • binaryeric
    binaryeric Senior Member
    edited December 1969
    Perhaps AWS could create a type of "Mac Security Recommendations" page on their site and link to it whenever this type of issue or question comes up...



    Eric
  • alanm101
    alanm101 Junior Member
    edited December 1969
    Creation of a vault has the option "Store this password in your keychain". Based on Eric's posting, that sounds like a very bad idea. Is it indeed a very bad idea or not? If Eric is correct, how on earth can this even be an option? I have seen on other forums that keychain is insecure. Isn't that exactly why 1Password moved away from keychain to use its own proprietary store? Or am I missing something? The point about login keychain vs. a separate keychain? That's new to me; I'm a relative newbie, so forgive my ignorance. What then is best practice? No, scratch that. What's the near-best practice - one that balances convenience with security?
  • binaryeric
    binaryeric Senior Member
    edited December 1969
    If you don't want to store all of your items in a separate keychain but still want your Knox vaults protected, you could create a "knox" keychain and store the passwords for your vaults in that keychain ONLY.



    You can then require that the keychain password be entered in order to access that item.



    Since only the login keychain password can be reset, this would ensure that your Knox vaults are protected without having to type 32 char passwords manually each time you want to open them! (assuming you are using the max length password)



    Eric
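
One way to set up the separate keychain described in the post above with the macOS `security` command-line tool, as an added example that is not part of the original thread. The keychain name `knox.keychain`, the 300-second idle timeout, and the item name passed to `check` are assumptions; the name Knox gives its stored items is not stated on this page.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): a dedicated keychain for Knox vault
# passwords. Keychain name, timeout and item name are assumptions.

KNOX_KEYCHAIN="${KNOX_KEYCHAIN:-knox.keychain}"
LOCK_TIMEOUT="${LOCK_TIMEOUT:-300}"   # idle seconds before the keychain locks

# Create the keychain and make it lock itself.
create_knox_keychain() {
    # No -p option: security prompts for the new keychain password, which
    # keeps it out of shell history and the process list. Choose one that
    # is different from your account password.
    security create-keychain "$KNOX_KEYCHAIN" || return 1
    # -l: lock when the Mac sleeps; -u -t N: lock after N idle seconds.
    security set-keychain-settings -l -u -t "$LOCK_TIMEOUT" "$KNOX_KEYCHAIN"
}

# Succeed only if the item with service name $1 is stored in the knox
# keychain and NOT in the login keychain. Without -g or -w,
# find-generic-password prints attributes only, never the secret.
vault_item_isolated() {
    security find-generic-password -s "$1" "$KNOX_KEYCHAIN" >/dev/null 2>&1 || {
        echo "missing from $KNOX_KEYCHAIN: $1" >&2
        return 1
    }
    if security find-generic-password -s "$1" login.keychain >/dev/null 2>&1; then
        echo "also present in the login keychain: $1" >&2
        return 2
    fi
    return 0
}

# Print the current lock settings, then lock the keychain right away.
report_and_lock() {
    security show-keychain-info "$KNOX_KEYCHAIN"
    security lock-keychain "$KNOX_KEYCHAIN"
}

# Nothing runs unless a subcommand is given.
case "${1:-}" in
    create) create_knox_keychain ;;
    check)  vault_item_isolated "${2:?item service name required}" ;;
    lock)   report_and_lock ;;
esac
```

Run it with `create` once, then use `check "<item name>"` after saving a vault password to confirm the item did not land in the login keychain.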
  • alanm101
    alanm101 Junior Member
    edited December 1969
    Thanks Eric. I'll have to Google for the method to create a new keychain. Did not know about this facility.
  • joojoo
    joojoo Junior Member
    edited December 1969
    I am confused a little bit. Is it not safe to store the Knox password in 1Password instead of a separate keychain?

    It would be VERY NICE to get some hints on how to make my Mac secure. And don't forget the aspect that such a strategy should be usable by a "normal" Mac user.

    Think about the case that you store all your important data on the Mac and your wife or your kids should get "easy" access to your data if you are "gone"!

    Up to today I believe it is a good idea to give them your password for access to your user account and the password of 1Password. Inside of 1Password everything is listed, including the access to your Knox vaults.

    Or does anyone have a better, but secure, strategy?
  • binaryeric
    binaryeric Senior Member
    edited December 1969
    [quote name='joojoo']I am confused a little bit. Is it not safe to store the Knox password in 1Password instead of a separate keychain?[/QUOTE]



    You can definitely store the Knox password in 1Password! Storing Knox passwords in the login keychain is not a good idea.
  • Schlaefer
    Schlaefer Junior Member
    edited December 1969
    [quote name='binaryeric']Roustem,

    … boot to an OS X disk, and reset your user password- I am then able to access your user account. If I then use System Preferences to change the password AGAIN, OS X will sync the new password (#2) with the login keychain password so now I have access to any data in that keychain. Using a separate keychain protects against this because only the login keychain is sync'd with your user account password.

    [/QUOTE]



    This would imo defeat one of the main purposes of the keychain. I highly doubt that. Afaik there's no way to regain/reset a lost keychain password and at least in 10.6 I can't reproduce it with the steps you laid out.
  • makip
    makip Junior Member
    edited May 2010
    @binaryeric (original thread poster)



    Your assumption is incorrect - you cannot access a user's login keychain contents by resetting that user's password. The login keychain password is not kept "in-sync", rather the user needs to manually update it after a change.



    I searched Apple support site for confirmation. Refer to the knowledge base article:

    [url]http://support.apple.com/kb/ht1631[/url]

    "If you change your account's password using your Mac OS X Install disc (or if your network-based account password is changed due to a network admin forcing a password change), your default keychain password (which uses the same initial password as your user account) does not change"



    Also, I agree that using strong passwords is important, however your suggestion for resetting the firmware password is not really that helpful. If someone has physical access to your machine then they can always gain access to data on the hard drive regardless of the firmware password, as they could just pull out the hard drive and access it from another machine which they have admin privileges on. So whether they use that "other machine" or just use a boot disc to reset the admin password on the stolen machine, it's the same thing essentially.



    This is why the way to protect access to sensitive data is to either:

    1- use full disk encryption, which is independent of a firmware password

    2- use the built-in encryption features of Mac OS X (keychains, and encrypted disk images) along with optional products like 1Password and Knox which makes their management and day-to-day use more convenient.



    Option 2 above is less risky (and better performing) than option 1. I use keychains to protect my passwords, and secure disk images (sparse bundles) to contain sensitive documents and data, and I assume that anything else on my hard disk can be accessed if someone stole my laptop. Oh, and I use Time Machine to keep back-ups!
  • vegaz
    vegaz Junior Member
    edited December 1969
    [quote name='makip']

    I searched Apple support site for confirmation. Refer to the knowledge base article:

    [url]http://support.apple.com/kb/ht1631[/url]

    "If you change your account's password using your Mac OS X Install disc (or if your network-based account password is changed due to a network admin forcing a password change), your default keychain password (which uses the same initial password as your user account) does not change"

    [/QUOTE]



    which, if I understand correctly, should mean that, while I'm waiting for 1Password integration, even remembering my vaults' passwords in the OS X keychain is secure enough to avoid the risk of a laptop thief looking at my files. That, of course, provided that I always lock my screen when I'm not in front of my Mac (which I'm already used to doing, in fact). Right?
  • jxpx777
    jxpx777 AWS Code Wrangler
    edited December 1969
    [quote name='vegaz']which, if I understand correctly, should mean that, while I'm waiting for 1Password integration, even remembering my vaults' passwords in the OS X keychain is secure enough to avoid the risk of a laptop thief looking at my files. That, of course, provided that I always lock my screen when I'm not in front of my Mac (which I'm already used to doing, in fact). Right?[/QUOTE]



    Welcome to the forums, vegaz. If your login keychain is locked, you're in good shape for protecting any information stored there including your Knox volume passwords. You can customize the autolock behavior and even dissociate the login keychain's password from your account password in Keychain Access.



    Generally, I recommend that you just take a reasonable approach to security. Don't have your computer automatically log into your account, especially if that is an administrator account. Use a screensaver and require the password to wake from screensaver or sleep. If you do those things, I feel it's a reasonable balance between safety and security.



    Personally, I use [URL="http://www.networklocationapp.com"]NetworkLocation[/URL] to manage my security settings so that my machine is "locked down" when I'm out and about, but doesn't bother me with all that jazz when I'm at home so I get the benefits of both. :)
  • DavidB
    DavidB Senior Member
    edited December 1969
    [quote name='binaryeric']

    - Open Firmware Password - Critical for keeping someone from accessing your drives, resetting your user password with a boot disk, booting from another disk to attack yours, etc.

    [/QUOTE]



    Does Open Firmware Password protection really protect much though? In a support document, <http://support.apple.com/kb/ht135>, Apple says:



    Warning: The Open Firmware Password can be reset and changed by any one of the following (except MacBook Air):



    1. By any administrator user, as designated in the Accounts preferences (or in Server Admin).

    2. Via physical access to the inside of the computer.

    3. When the computer is started up in Mac OS 9.



    Maybe I am not understanding the nuances here?



    David
  • MartyS
    MartyS AgileBits Customer Care (retired)
    edited December 1969
    [quote name='DavidB']Does Open Firmware Password protection really protect much though? In a support document, <http://support.apple.com/kb/ht135>, Apple says:



    Warning: The Open Firmware Password can be reset and changed by any one of the following (except MacBook Air):



    1. By any administrator user, as designated in the Accounts preferences (or in Server Admin).

    2. Via physical access to the inside of the computer.

    3. When the computer is started up in Mac OS 9.



    Maybe I am not understanding the nuances here?



    David[/QUOTE]



    Of course the Open Firmware password can be changed when needed. It would be a real problem if it couldn't. Can you imagine the problem if an employee set it for the first time to "BOZO" and when they left the company that had to remain the password? If the system is booted that's a "sign" that the Open Firmware password was used.



    Physical access is really the key: if you can touch/take it you can do a lot -- that applies to any computer, not just Macs. That's another reason why Knox vaults are a good additional layer: just having the file from a booted system does nothing to gain access to the contents inside without the encryption key.



    Starting up in Mac OS 9 isn't an issue anymore with Intel-based CPU systems.
  • binaryeric
    binaryeric Senior Member
    edited December 1969
    [quote name='DavidB']Does Open Firmware Password protection really protect much though? In a support document, <http://support.apple.com/kb/ht135>, Apple says:



    Warning: The Open Firmware Password can be reset and changed by any one of the following (except MacBook Air):



    1. By any administrator user, as designated in the Accounts preferences (or in Server Admin).

    2. Via physical access to the inside of the computer.

    3. When the computer is started up in Mac OS 9.



    Maybe I am not understanding the nuances here?



    David[/QUOTE]



    David, as Marty mentioned, physical access is critical to any security plan. #1 only applies if the machine is already booted up. #2 means that someone can remove the small battery that is on the motherboard that keeps this password info "alive". #3 (as Marty mentioned) doesn't apply to Intel Macs.



    Someone breaking into your laptop for #2 reason is a crazy hard tactic. If you have a Mac Pro (like me) you can put a lock on your case open mechanism... Apple added a very slick drop down lock holder that I'm sure many people don't even know about! :)
  • binaryeric
    binaryeric Senior Member
    edited December 1969
    [quote name='Schlaefer']This would imo defeat one of the main purposes of the keychain. I highly doubt that. Afaik there's no way to regain/reset a lost keychain password and at least in 10.6 I can't reproduce it with the steps you laid out.[/QUOTE]



    Try again I guess. If you forget your user password, this is how you would get back into your account- under legitimate circumstances. However, it can also be used to break into your data. Take a look at your keychain preferences and take note of the option under Preferences - First Aid - "Synchronize login keychain password with account"



    You CAN turn this off but this is the default setting and I prefer to maintain a 2nd keychain rather than worrying about this login keychain.
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    edited December 1969
    [quote name='binaryeric'] Apple added a very slick drop down lock holder that I'm sure many people don't even know about! :)[/QUOTE]



    I don't know about it........ you have tweaked my interest.. Do tell



    Of course nothing will work with my case probably..
  • binaryeric
    binaryeric Senior Member
    edited December 1969
    [quote name='thightower']I don't know about it........ you have tweaked my interest.. Do tell



    Of course nothing will work with my case probably..[/QUOTE]



    :) If you have a Mac Pro, lift up your case latch in the back... then (while it's up) put your finger under it and flip the piece of metal that is there down (towards the floor)... then lower the latch back to the locked position... and voila - You now have a metal loop to physically lock your Mac Pro case. :)
  • Schlaefer
    Schlaefer Junior Member
    edited June 2010
    [quote name='binaryeric']Try again I guess.[/QUOTE]



    No change. You can reset the password for your account. But that's not the problem. If you have physical access to the machine there're a dozen ways to get access to the files. But when I login the old login keychain is locked, can't be unlocked by the system and so there's no way to change the password. OS X even throws a dialog when changing the login password via account pref pane that you have to do it manually for the keychain (newly created test account, keep in sync pref is set).



    Again, I don't think it should work that way, I can't make it work that way and so I doubt that it works that way. ;)



    But I'm highly interested, so if someone else could maybe spare 5 min to test it …
  • binaryeric
    binaryeric Senior Member
    edited December 1969
    [quote name='Schlaefer']No change. You can reset the password for your account. But that's not the problem. If you have physical access to the machine there're a dozen ways to get access to the files. But when I login the old login keychain is locked, can't be unlocked by the system and so there's no way to change the password.[/QUOTE]



    Schlaefer, It looks like this issue has been addressed in Snow Leopard and I hadn't noticed. You are right that even when changing the user password via system prefs (after resetting the user passwd) that the linkage to the login keychain is not restored (which used to be the case).



    When I have an opportunity, I am going to look into this further but for now I am mistaken about being able to access the login keychain in 10.6 via the steps I have described above.