Alex Kaloostian

Apple Certified Master Trainer | Systems Integrator | Video Editor | Motion Graphics Artist


Leave a comment

Apple as overhauled two-factor authentication…

…And its kind of crazy confusing. But its worth it in the long run, because the new format is much better, and much faster. It looks like I’m not the only one who had trouble setting it up in the first place. But if you use AppleID for Education, VPP, ApplePay or you’re just concerned about better security, you should read this and be prepared to support your users.

Unlocking a Mac with an Apple Watch requires two-factor, not two-step, iCloud protection—what?


Leave a comment

DropBox is acting shady; and some security tips

DropBox recently added some new tricks that were… surprising. Ever see an app be able to do THIS in the Finder before?

screen-shot-2016-09-09-at-1-24-56-pm

Whats all this, then?

Yeah, me neither. interesting. but how did Apple allow this? Spoiler: they probably didn’t.

http://applehelpwriter.com/2016/07/28/revealing-dropboxs-dirty-little-security-hack/

And here’s some more info on how it was done, as well as a bunch of useful tips when you want to investigate anything on your mack with some command line tools:

http://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/


Leave a comment

iOS and security

Theres a lot of talk about security and iPhones lately. Well, there always is, but even more lately. Here are a couple articles that should be required reading.

Parallax primer: why is Android less secure than iOS?

Cops can force you to unlock your phone with a thumbprint but not your passcode: 5 things to know.

Tim Cook says Apple will fight FBI’s order to unlock Farook’s iPhone


Leave a comment

Managing FileVault 2 across your company

A lot of people have been asking me about managing FileVault2 on multiple Macs, maybe using the same recovery key for all of them, and even automating the process. Here’s a great document right form Apple that covers a few different methodologies:

http://training.apple.com/pdf/WP_FileVault2.pdf

And here’s a document from Jamf, on integrating FileVault 2 with the Casper Suite:

http://www.jamfsoftware.com/libraries/pdf/white_papers/Administering-FileVault-2-on-OS-X-Mountain-Lion-with-the-Casper-Suite.pdf

EDIT!

I’ve been pointed to another project, this one by Google, called Cauliflower Vest:

http://code.google.com/p/cauliflowervest/


Leave a comment

Three easy ways to safeguard your Mac

A lot of people are under the misconception that Macs are “safe”. It’s true, out of the box Macs are pretty safe from hackers over a network- guest access, remote management, remote login and file sharing are all OFF by default. But the exact opposite is true if someone has physical access to your Mac.

Apple tech is getting bigger and bigger in corporate America, and that’s great, but first and foremost, the Mac is still a personal computer. (See what I did there? PC? Heh). And first and foremost they are designed to be easy to use, NOT safe. Just off the top of my head< I can think of numerous ways I could break into your Mac without needing your password, your name, your pet’s name, or your lucky number:

  • Hold down T, boot in target disk mode, connect another Mac and steal your files or wipe your drive
  • Hold down command-S, boot in single user mode, steal your files or reset your password
  • Hold down command-R, boot in rescue mode, reset your password
  • Remove your hard drive, plug it into mine, steal your files or wipe your drive

And that’s without thinking hard. Or being an admin. Think about it, if your grandmother has a Mac, and you come over for Thanksgiving dinner, you shouldn’t have to be an NSA agent to help her out, right? Apple gives you security measures to protect you from all of the above, but you have to turn them on yourself.

Here are the three simple things you can do to protect your Mac:

  • Firmware Password
  • FileVault
  • Find My Mac

You don’t necessarily need all three, but they will help a lot.

Firmware Password

How do I set it?

Easy. On a Mac running Lion or Mountain Lion, hold down Command-R when you boot up, to boot to your rescue partition. Click the Utilities menu at the top of the screen and choose Firmware Password, and choose one. On Leopard or Snow Leopard, insert the DVD that came with your Mac and hold down C to boot to it. Then set it the same way. Done!

What does it protect against?

Setting a firmware password is kinda like setting a bios password… kinda. Setting a firmware password will prevent someone from booting your Mac in one of the diagnostic or non-standard modes. That means no single-user mode, no safe mode, no target disk mode, no rescue mode, and no dual-booting to another OS. Unless you have the password, of course.

What could still be done to me?

Without an admin password or the firmware password, I could still remove your drive with a screwdriver, plug it into another Mac, and steal your files or erase them. But that’s about all.

How do I bypass it?

If your Mac is more than a couple years old, the firmware password can be wiped by resetting the SMU, if your motherboard has a button to allow it, or another common method is removing the RAM, booting, waiting for it to crash obviously, then replacing the RAM and booting again. Voila, the firmware password is gone. So maybe put a lock on your Mac or hide your screwdrivers. On newer Macs, about 2 years old, there is no backdoor around the firmware password. You have to bring it to Apple if you forget it.

FileVault

How do I set it?

AS an admin, open the Security & Privacy system preference, click the FileVault tab and turn on FileVault. Enter a password for all the users you want to be allowed to boot your Mac. You’ll be given a recovery key in case you forget your password. Save this recovery key! Your Mac will reboot and begin to encrypt itself. This could take a long time; fortunately, you can still use your Mac while you wait.

What does it protect against?

FileVault will encrypt your whole disk with strong AES encryption. No matter how someone accesses your drive- target disk mode for example, or even removing the drive and connecting it to another Mac, they won’t be able to access your files in any way, without your password. In addition, FileVault makes it a lot harder for someone unauthorized to reset your password- only the recovery key can be used to reset your password now.

What could still be done to me?

I could still boot in rescue mode or single-user mode and erase your drive. But a firmware password will prevent that.

How do I bypass it?

If you forget your password, you can use the recovery key to reset it. But you can’t reset your keychain password, so all your stored passwords will be lost forever. If you are worried about losing the recovery key, you can elect to store it with Apple when you turn on FileVault. Apple will record three security questions on your behalf. You can call Apple, talk to an automated system and recover your recovery key, then reset your password. If you didn’t save the key with Apple and you forget it, its gone forever, and so are your files!

Find My Mac

How do I set it?

This feature used to be only for people who paid $100 a year for the mediocre MobileMe, but now iCloud is FREE so there’s no reason not to turn it on! First sign up for an AppleID if you are one of the few who doesn’t already have one. You can do that in the iTunes store, the App store, or at appleid.com. Then sign up for an iCloud account at icloud.com. You can sign up for an iCloud email address at this time if you want it, or just tie it to your existing account. I signed up with my Gmail account because who needs more email addresses to keep track of?

Now open the iCloud system preference on your Mac. Sign in, and turn on Find My Mac. You can also tap the General Settings on your iPhone or iPad and sign in as well. Its called Find My Mac but it’s really Find My Mac, iPhone, iPad and iPod Touch.

What does it do?

It tracks your Mac if you lose it. You can log into iCloud.com from any Mac, PC or Mobile device, or use the Find My iPhone app on any iOS device. I know, I know, it’s called Find My Mac on the Mac and Find My iPhone on the iPhone, but its all one thing. Log in with your iCloud name and password and Bing! All your devices will show up on a map. Now you can track down your device, or call the cops. You can make it beep, and display a message, like “reward if found, please contact”. You can also remotely lock or wipe the device from here. If your Mac isn’t online at the moment, you’ll get an email the instant it comes online.

Here’s a cool success story. And there are many more on the internet. Did I mention ITS FREE? Why haven’t you already turned it on?

How do I bypass it?

You can always log into the device as an admin and turn it off. But the only way for a thief to bypass it is to never go online, and wipe the machine immediately. Which they won’t be able to do if you get the jump on them and lock it. It’s a firmware lock, so to the best of my knowledge, even replacing the hard drive won’t unlock it. They will have to take it to an Apple store, and Apple will hopefully check with the cops to see if you reported it stolen. Which you did, right?

Good luck. Stay vigilant. And use protection out there!


3 Comments

Home netwokring & file management event

This Wednesday I’ll be hosting another open house at our Cambridge office. The topic: File Sharing and File Storage for Home & Small Businesses.

We will be talking about the best and easiest ways to protect your data in Snow Leopard AND new features in Lion, including:

  • FileVault
  • Disk images & archives
  • Backing up with Time Machine
  • The rsync tool in the terminal
  • Setting up a local private network
  • AirDrop
  • Choosing the right storage device
  • RAID
And a demo of a Drobo S system live & in the flesh. There will be networking and refreshments and plenty of parking at that time of day, so wont you come down? Please RSVP so we know how many to expect.
Future Media Concepts
1 Kendall Square, building 300, right above Friendly Toast
6 PM