FileVault Volume Level Encryption

A little known feature of FileVault is the ability to create encrypted volumes. Volumes are essentially encrypted file containers that can store a file or set of files. Volumes can be copied, emailed, burned to a DVD, or just set up as an additional layer of encryption for especially sensitive files. FileVault volume level encryption allows you to do this without needing a third-party application like VeraCrypt – assuming you don’t need to share these volumes with other operating systems.


FileVault External Media Encryption

Encrypting external media is important. During the next part of this series on encryption I am going to discuss encrypting external media like USB flash drives or external hard drives. Because these drives are used as backups or to store sensitive data, and because they are easily lost, encrypting them is just as important as encrypting their hosts. We will begin again with FileVault external media encryption.

FileVault Full Volume Encryption

FileVault is one of my favorite out-of-the-box features of Mac computers. FileVault is Apple’s built-in disk encryption utility. Recently Apple has been publicly leading the way in encryption and privacy issues, and when digging into the features it becomes obvious that this focus is not a mere afterthought. While on the surface it seems simple, FileVault provides far more robust capabilities than you might imagine. Unfortunately, some of these options are not immediately apparent. I recently began exploring some of these options. Due to the amount of information, this will be another multi-part series. Today we will cover FileVault full volume encryption.

3DSC Day 2: Set Up a Standard User Account

Today’s security task is to set up a standard user account. Though it is a phrase that is normally applied to the corporate or government sectors, personal computers should also employ and adhere to the Principle of Least Privilege (PLP). The Principle of Least Privilege is a concept stating that any user should have only the permissions necessary to do his or her job. At the home-user level this means creating and using a Standard User account rather than performing day-to-day operations on an Administrator account. Using an Administrator account is perhaps one of the most common errors I see committed by home computer users. This mistake has caused me endless frustration in “fixing” friends’ computers that have become thoroughly infected with malware.

These computers become so thoroughly infected because they are always running with administrator-level privileges. The ability to make system-wide changes like executing programs or deleting other users’ files is not necessary for daily use. Running on a standard user account still allows you to do these things, but only after entering the administrator password to confirm that you actually want this action to occur. Though it may not seem like it, this step is so important that even Microsoft recommends it. To set up a standard user account refer to the following:

Windows 7/10: Windows has two different types of accounts: Standard User and Administrator.  A Standard User account has all of the necessary privileges for most of us to do the jobs we do on home PCs.  Even though I work at a computer daily, I only rarely log into an Administrator account.  User accounts have the privileges necessary to do most day-to-day tasks including creating, opening, editing, and saving documents, browsing the Internet, etc.  There are a very small handful of things a User account does not have the privileges for, the most important of which is installing programs.

Because Administrator accounts have the necessary privileges to install programs, executable files may be able to run on an Administrator account without having to ask permission.  If permission is required, malicious executables are sometimes capable of tricking the user into agreeing to install the program.  Standard User accounts have fewer permissions, and the most important permission a Standard User account lacks is the ability to install programs without permission from the administrator.  When a malicious program attempts to install itself on a Standard User account, a prompt will appear asking for permission from the Administrator (and the administrator’s password if the account is password protected).  Seeing a password prompt alone should be enough to make a user question whether he or she really wants to allow the executable to run.

When you purchase a new Windows computer, the only account that is enabled by default is an Administrator account.  Many home users will never create another account, choosing instead to work only inside this account.  This is problematic as it makes the computer more susceptible to malware and viruses.  To set up a user account, navigate to: Start >> Control Panel >> User Accounts and Family Safety >> Add or Remove User Accounts >> Create a New Account.


OS X: Setting up a user account in OS X is a relatively uncomplicated affair.  Open the System Preferences and click Users and Groups.  Click on the padlock icon at the bottom left of the interface and enter your password when prompted (assuming your administrator account is password protected).  Click the “+” icon just above the padlock to create a new user account.


A COUPLE MORE CONSIDERATIONS…

Account Naming: There is a tendency to give Standard User and Administrator accounts distinctive names. For instance, a family of four might name their accounts Justin, Sarah, David, and Ashley. Unfortunately, these unique account names associate themselves with many things. For example, Microsoft Office records the creator of a file by storing the User account name under which it was created in the metadata. If you send out files (of any type) this may leak information about you or your family. For this reason I strongly encourage using bland generic names such as Administrator, User 1, User 2, and so on.

Passwords:  The administrator accounts and user accounts should be password protected with different passwords. Though I recommend using long, complex passwords in most cases, I recommend (and use) easily memorable passwords that are quick and easy to type for the Administrator and User accounts.  This is because the password protection on these accounts offers very little actual security.  Having a password can hinder anyone attempting to install malicious software on your device.

Migrating Your Data:  The unfortunate part of setting up a new account is that you will have to migrate your data, programs, and desktop to a new account.  If you don’t have the time to migrate today, don’t worry about it.  However, you should perform all the future tasks in the 30-Day Security Challenge on your Standard User account.  To ease the process of migrating your data, I recommend taking the following steps:

  • While logged into your administrator account, set up a shared folder
  • Import your documents, photos, and other files into the shared folder
  • Log out of your administrator account, and log into the standard user account
  • Copy all files to a folder that is not shared
  • Finally, log back into the administrator account and delete the shared folder

Thanks for joining, and I’ll see you all tomorrow for the third day of the challenge!

3DSC Day 1: Install OS & App Updates

Welcome to the Thirty-Day Security Challenge! I am looking forward to the coming month and I appreciate all of you who have chosen to follow along! Today’s task is not flashy or even terribly interesting, but it is one of those tasks that is absolutely critical to security. Today’s task is to install OS and app updates. While we are in the update settings we will also make sure that future updates are downloaded and applied automatically so you don’t fall out of date.

Keeping your software up-to-date is an incredibly important step in securing a computer. As software ages, security holes are discovered in it. Attacks are written to take advantage of these holes. Though software updates are occasionally released to add features and to deal with bugs, they are very often written specifically to patch security holes. If your software is outdated it becomes vulnerable. These vulnerabilities are also well-publicized by virtue of the fact that patches exist to fix them.

Windows: To install OS and app updates in Windows, navigate to Start >> Control Panel >> System and Security >> Windows Update. Select Change Settings from the left sidebar. Open the dropdown menu. If you want to go fully automatic (Windows downloads and installs updates as soon as they are available) choose Install updates automatically (recommended). If you prefer to have your updates downloaded but choose the time and place to install them, choose Download updates but let me choose whether to install them. This also gives you the advantage of being able to research updates before you commit to them (at least in Windows 7), as some updates help Microsoft collect data about you.

To update your applications in Windows, you have a couple of options. You can do so manually for every application you have, or you can download an application that will check them for you. There are two such applications that I recommend. They are Patch My PC Updater and Secunia PSI. Both will scan your computer’s installed programs and let you know if updates are available. Both are also capable of downloading and installing updates for you.

Mac OS X:  To update your OS and applications in OS X, open the App Store.  If a badge is displayed on the App Store icon you have updates waiting.  If you think there may be updates for your machine go to the top of your screen and open the “Store” drop-down menu and select “Reload”.  This will manually check for updates.

To ensure that future updates are downloaded and installed automatically, open your Mac’s System Preferences and click the App Store icon.  Make sure the following boxes are checked:

  1. Automatically check for updates,
  2. Download newly available updates in the background,
  3. Install app updates,
  4. Install OS X updates†, and
  5. Install system data files and security updates.


†You may wish to leave this option un-checked. It will allow you to install OS X updates at your leisure. Because these updates can take time and require a restart this may be preferable depending on your situation. Realize that you will have to be alert for new updates and install them manually.

Tomorrow will be another foundational step and one that will require some thought and decision-making on your part.  Stay with me!

How to Verify File Integrity using Checksums

Verifying file integrity is an important step when downloading and installing applications, especially when these applications are relied upon to perform a security function.  An application that is not downloaded completely or correctly may be weakened and fail to provide the necessary security.  Worse, users may be the victims of a watering hole attack where the download site is infected with malware, or some targeted individuals are redirected to look-alike sites.  In this instance the software in question would be modified to suit the attacker’s aims and its security could be bypassed entirely.  The easiest way to have some assurance that your downloaded applications are intact and legitimate is to verify their integrity using checksums and a checksum calculator.

There are also some other reasons that a checksum calculator may be handy. For example, if you wish to transmit an attachment to another person through email, a cloud storage account, or other digital medium, a checksum could be used to verify the file had not been tampered with in transit. Checksums can also be used to ensure that two files are identical. For example, if you back up a large folder to a USB flash drive you can compare the checksums of the two folders to ensure they are the same.

I constantly push this technique in my live classes and never cease to be amazed at the minuscule number of participants who ever take any steps at all to verify the integrity of applications before executing them. It appears to me that this skill is applied only by the smallest handful of users. The other major problem I run into when teaching this (and when downloading software myself) is the lack of a single, independent checksum repository from which to pull known-good checksums for comparative purposes. This is perhaps at least part of the problem inherent in verifying file integrity.

As a result I have slowed down on the blog in the past couple of weeks to expand and update the checksums page. Though many do not, some security applications post checksums on their download pages.  Even so I still believe it is important to verify checksums from an alternate source; if you are redirected to a forged download page and download a corrupted file, it would be a simple matter for the forger to post his or her own checksum.  If you acquired both a corrupt file and its corresponding checksum from a forged site, the result would be worse than not verifying the file at all: you would receive a false positive, causing you to misplace trust in the application.

This is the primary motivating factor in my recent expansion of my checksums page.  There seems to be no comprehensive, third-party repository of checksums for security software.  The checksums posted there are SHA-256 and SHA-512. MD5 is insecure and there are credible reports of vulnerabilities in SHA-1 dating back several years.

Methodology: Before calculating checksums I download the application in question.  If a GPG signature is available I will use the signature to verify the integrity of the application, and then use a checksum utility to calculate a hash.  If a signature file is not available for a given application, I will compare it against a checksum found on a third-party site.

Windows:  The CHK Checksum Utility is the simplest and most user friendly checksum calculator I have found for Windows operating systems.  CHK runs in portable mode so there is no need to install it.  Simply download and open the executable.  Drag the file or files to be verified into the interface.  The checksums will automatically be calculated in SHA-1; to change this open the Options menu and select the desired algorithm.


Next, right click on the file to be verified and select Verify…

In the pop-up that appears, paste a known-good checksum and click Verify.


A green checkmark will appear next to the application if the checksums match; if not a red “X” will appear beside the application name.

Checksums for the CHK Checksum Utility itself are available on my checksums page.

OS X: Mac users have checksum verifying ability built into their operating systems, though it requires a trip to the Terminal. Open Launchpad and select Terminal. Enter the command “shasum” into the terminal. Next, drag the file itself into the terminal window and press Enter; by default this will calculate SHA-1 hashes. If you wish to verify the file using a SHA-256 or SHA-512 checksum use one of the following commands (replacing the example file path with the path to your own file):

  • SHA-1:         shasum /user/macbook/desktop/filename.dmg
  • SHA-256:    shasum -a 256 /user/macbook/desktop/filename.dmg
  • SHA-512:    shasum -a 512 /user/macbook/desktop/filename.dmg

This method merely displays the calculated hash for the selected file.  To verify its authenticity requires a visual check.  This is tedious and can be mistake-prone but is not impossible.  I recommend copying both versions of the checksum (the output of the terminal calculation and the checksum collected from the internet) and pasting them into a word processing document, one on top of the other, in the same pitch and font.  This makes differences much more easily identified visually.


There are also several GUI-driven checksum calculators available for OS X but I confess I have not yet tried one.  There are very few that have been either recommended by a reputable source or well-reviewed.

Linux: Given Linux’s proclivity for eschewing graphical user interfaces (GUIs) in favor of the terminal, it is somewhat surprising that an excellent GUI-driven checksum calculator exists for Linux. It is called GtkHash, and will not be covered here.