Editor's note: This is the third part of a series discussing how to travel safely with your Mac OS X laptop. Today's focus is software encryption and those pesky networks you have to deal with on the road.
Now that we have seen various aspects of physical security, it is time to delve into the issue of software security. After all, the fact that your computer is safe in its case does not guarantee that it will still be once connected to a network.
The first thing to do is to make sure that your Mac is sufficiently secure, even in your usual location. Indeed, the fact that we are going to take extra measures should not prevent you from reviewing the basics. A good way to do it would be to have a look at our "Security Primer for Mac OS X" and make sure that you follow the various steps outlined.
Keep in mind that you may not be able to download updates while on the road, due to bandwidth constraints, for example. Should Apple release an important update right before you go, download it to your desktop and keep it in a cool, dry place (so to speak) until you can install it safely--i.e. you have backed up your data and are able to react in the unlikely even of an upgrade-related issue. This can be done by using the "Download only" menu item, available through the "Update" menu of the Software Update application.
Before going on a trip, you may also want to perform in-depth maintenance in order to make sure that your Mac will behave as smoothly as it should.
The rule is: never connect your computer to an untrusted network! Now that I've said that, I have to admit that it's perfectly impossible to avoid such connections. Indeed, while traveling, chances are that you'll need to connect to the Internet from your hotel room or use wireless hot spots along the way.
Since network services are off by default in Mac OS X, protecting you from the usual remote attacks, this shouldn't be too much of a concern. Nevertheless, you should always ask yourself whether or not the risk associated with the network outweighs the benefit of connecting. For example, wireless hot spots are often very insecure, especially if they are free or accessible from a great distance. You may want to avoid connecting to any network that is "too public," or whose policies you do not know.
About untrusted wireless networks: you may want to keep in mind that some of the hot spots you will encounter during your trip will be "fake" ones, set up by malicious users whose sole intention is to capture confidential information. Therefore, it is a good idea to check where a signal comes from before using it. For example, if the place you're at advertises Wi-Fi access, ask an employee for some network identifying information.
Most good hotel networks will provide you with a rough overview of their security policies before granting you access to the network. When in doubt, do not hesitate to call the front desk (or the networking company directly) to learn more--not an easy task, though, since many such companies do not want to reveal much about their security systems.
If you can do so, it may be a good idea to create a simple user account for you to use exclusively while you are on the road. That way, even if your user account is compromised, your more confidential files and your operating system will stay safe. For an extra layer of protection, you can even FileVault your administrator account (or the user account in which your confidential data is stored).
Packet sniffers are commonly used on public networks by malicious users, bored users looking for some fun, or network administrators that wish to eavesdrop on connections. They are also extremely easy to download and use, as well as legal in many cases.
Therefore, the best way to protect yourself against such threats is to encrypt any sensitive data that leaves your computer, such as passwords, logins, or emails. Here are ways to do so:
In Mail, make sure that both your inbound and outbound connections are protected by SSL encryption, as explained in our security primer. This will ensure that the contents of your messages, as well as your login and password information, are encrypted. Keep in mind, though, that this does not encrypt the message from the server to its final destination: you need to set up encrypted mail in order to do that. Otherwise, the mail will only be encrypted while it travels from your own computer to your mail provider's servers.
Do not establish any connections to remote servers or shared volumes unless you use a secure protocol. For example, SSH will protect your data, while
telnet won't. Likewise, instead of FTP, you can use SFTP, and instead of regular AFP, try the lesser-known AFP through SSH--although AFP will probably protect your login and password, depending on your configuration.
When browsing, make sure that you tunnel the data stream through a secure connection, even if the site you are connecting to isn't encrypted. Services like Anonymizer can help reach this goal--although they usually are designed for Internet Explorer 6 or higher and don't play nice with other browsers. Of course, this only moves the problem (since the stream won't be encrypted when it leaves the anonymizer service servers), but it will prevent eavesdropping from other users of the same hot spot.
Be aware that iChat, and most other chat clients, sends your login information and the contents of your chat in the clear. It is especially important that you keep this detail in mind if you use your .Mac email address as your chat login.
Considering the number of applications and services that rely on an Internet connection in one way or the other, it is difficult to describe every possible situation in which your Mac could send unencrypted data on the Internet. A good way to get to know what your own computer does is to install an application like Little Snitch a few days prior to your trip and to write down or keep in mind the connection alerts.
By looking at port numbers, you should also be able to determine with a certain degree of reliability if the connection that is established is secure or not. For example, connection to port 80 usually indicates an HTTP connection, which is not encrypted, while port 443 seems to indicate that the application you are using uses HTTPS, which is encrypted. This is far from foolproof, though! This page is a good refresher in case you need to have a look at port numbers.
Even with good encryption measures, keep in mind that it's easy to inadvertently send something that you didn't intend to send. Therefore, you should avoid transmitting crucial information over public networks as much as you can. For example, even if most online merchants use secure sites, I wouldn't recommend using your credit card number on a wireless hot spot--if only because it involves taking it out and punching numbers on your keyboard in front of everyone.
About punching numbers, keep in mind that the Keychain Access utility has a special button that allows you to extract passwords and to put them directly in your clipboard without having them displayed on the screen. It's at the bottom left of the window, so obvious that it is often overlooked!
As the credit card example shows, shoulder surfing is still a very common technique. It's as low-tech and as effective as you can get, considering that most users are unaware of this danger. Of course, you cannot encrypt the keys on your keyboard. (Well, you could re-map your keyboard to Dvorak or another language to throw off attackers, but this is a bit extreme.) You should pay attention and make sure that nobody is watching you while you enter a password or work on confidential documents.
Dimming your screen so that only you can see it can also be a good idea. Some companies sell screen protectors that mask the screen with side panels. These do provide a good level of protection by restricting the area from which the contents of your screen can be seen and can therefore make your life a lot easier. At the same time, however, they can draw attention to you and declare to the world that you are dealing with sensitive data (the modern-day equivalent of writing "Gold Bars Transfer Company" on the side of a truck). It is therefore up to you to decide whether they will be effective in the areas you are traveling through.
Firewalls are an essential part of every network-connected user's arsenal now, and chances are that you use a hardware firewall even on your home network to provide an additional layer of protection. Unfortunately, when it comes to connecting your computer to hotel or public networks, using a hardware firewall is not always an option.
If you are not sure of the hotel's connection, you can always try using a NAT device in order to provide an additional layer of protection. Just keep in mind that, since your hotel network probably already uses NAT to split the main network connection out to various rooms, you may experience issues with NAT-sensitive applications (especially streaming and video-conference software).
AirPort base stations will provide you with this feature, as well as the convenience of wireless access in your room. This is especially true now that the AirPort Express base station is shipping. Of course, wireless networks need to be very well-secured, too, so it's up to you to decide whether the risks outweigh the benefits. Consider using WPA with a complex password and access lists for better protection over simple WEP.
If you can't use a firewall, you may want to remove identifying words from your computer's host name so that it cannot be too easily identified from the network.
Even though we are going to see how to back up your data in greater detail in a few moments, now seems to be the ideal time to discuss encrypting your backups. That way, we won't have to come back to less-than-thrilling but essential security considerations.
If encrypting everything is easy for you, my advice would be to do so. Indeed, encrypting your data greatly diminishes the fear of losing a backup drive or even your computer. Sure, it's a problem, but you know that nobody will be breaking into your accounts while you are struggling at the local police station trying to explain the difference between a wallet and a 17" PowerBook. On some occasions, it may also help you get your machine back as some less-skilled thieves do not bother trying to understand a computer or a drive that doesn't behave as they expect. Don't count too much on that one, but it happens.
Thanks to FileVault, you can safely encrypt the entire contents of your home directory. Unfortunately if you copy a file from your FileVaulted home directory to removable media, another volume, or anywhere outside your home directory, the destination file will not be encrypted. For us Mac users, the easiest way to proceed is to first create an encrypted disk image through Disk Utility and to then copy files to it. Here is how I do it.
Open Disk Utility, located in your Utilities folder.
Use the "Images" menu in order to create a "New Blank Image."
In the dialog that appears, name the image and set the encryption setting to AES-128, which should provide us with a good level of protection. Then, pick the size of the image, keeping the restriction of your removable media in mind. Make sure that the format is set to "read/write," and confirm.
Next, you will be asked for a password. Pick a good one, keeping in mind that the little "i" button located at the bottom left of the dialog will help you to do so by testing the passwords you will write in the fields. You can uncheck "Remember Password" if you do not want endless backup passwords to clutter your Keychain--when asked to remember a password, Mac OS X will save it in the Keychain and allow you to access it manually (if needed) through the Keychain Access utility. Then, confirm the dialog and let Disk Utility perform its magic.
A new virtual drive will appear on your desktop. Drag the files you want to back up to it and, once you are done, unmount it, as you would unmount any other removable media prior to disconnecting it.
Finally, copy the disk image file onto removable media. Make sure that you give it a meaningful name (again, not too obvious, though). As a general rule, it is a good idea to include the date. For compatibility reasons with various filesystems, do not include special characters in the date--write "040404" for the 4th of April 2004, and not 04/04/04.
Once the file is safely burned or copied onto the removable media, try to open it at least once in order to make sure that the process went smoothly. Finally, delete the disk image from your hard drive and store your backup in a safe place.
If this sounds like a long, tedious process, it's because it is. Luckily, you only need to perform the steps once and will from then on be able to drag files into and out of the virtual volume you created. However, this depends greatly on the media you're using. Backing up to DVD-RWs, for example, is a slow process (but it does provide greater portability), while backing up to an external FireWire drive makes the whole process a snap.
In fact, should you be lucky enough to own a portable FireWire hard drive with a decent storage capacity, you can use an application like Carbon Copy Cloner to back up your FileVault-ed Home folder in one go (the vault will be seen as a mounted volume) as an encrypted disk image on the external drive. Just be careful about not damaging any permissions in the vault (or the vault itself). This tip makes daily backups possible, even on the go, but is potentially riskier since it acts on the vault itself.
If your only FireWire drive is an iPod, keep in mind that the mechanism of these small drives has not been designed for intense use. Your iPod is not a ultra-high-performance, industrial-strength, back-up-everything, portable-storage solution. It will work, yes, but it will be slower and will drain the iPod's battery faster than usual, since copying large files back and forth causes your iPod's drive to work in a more intense fashion than it does in "music player" mode.
When picking your portable hard drive, you may also want to make sure that it has good shielding and resists minor shocks. Some drives, for example, come wrapped in an unsightly but efficient rubber case--although modern designs put the rubber inside the case, making the drive shock-resistant and less of an eyesore at the same time. Drives that support USB2 connections can also be a good choice by providing you with a way to connect them to a PC in the event of a problem.
Of course, you can choose not to encrypt everything. Since encryption is a resource-intensive process, this will make backup time a lot shorter, which will allow you to perform backups more easily and therefore, be better prepared should something ever happen.
Just as you made a list of your hardware assets, you may want to see which files on your hard drive can be backed up without being encrypted. The speedier and the easier the process, the more backups you will make, which is especially important while you are on the go.
Note that these recommendations apply to your online backups, too. Indeed, even while you upload files to your iDisk, they are sent in the clear over the network (even though your login and password are encrypted). This is perfectly fine for files you want to publish on your home page or pictures of your cat, but may be a problem for your more confidential data. It is therefore important that you also encrypt data before uploading it on a remote server. Should you upload your data to a more public server or one you set up yourself, encrypting the data as you encrypted your backups to removable media will also avoid information leaks in case someone breaks into the server while you are away.
In this installment, we've seen a few security best practices that should allow you to avoid most issues while traveling with your Mac and peripherals. However, we have also seen how heavy these operations can be. Unfortunately, heavy operations can quickly become impossible to manage when traveling, which effectively negates our security efforts. Therefore, in the next installment, I'm going to focus on mobility and "keeping things light," which will make traveling with your computer not only productive, but fun too.
Until then, safe travels.
FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.
Return to MacDevCenter.com.
Copyright © 2009 O'Reilly Media, Inc.