Mac OS X for the Traveler, Part 3
by FJ de Kermadec
Editor's note: This is the third part of a series discussing how to travel safely with your Mac OS X laptop. Today's focus is software encryption and those pesky networks you have to deal with on the road.
Software Security Basics
Now that we have seen various aspects of physical security, it is time to delve into the issue of software security. After all, the fact that your computer is safe in its case does not guarantee that it will still be once connected to a network.
The first thing to do is to make sure that your Mac is sufficiently secure, even in your usual location. Indeed, the fact that we are going to take extra measures should not prevent you from reviewing the basics. A good way to do it would be to have a look at our "Security Primer for Mac OS X" and make sure that you follow the various steps outlined.
Keep in mind that you may not be able to download updates while on the road, due to bandwidth constraints, for example. Should Apple release an important update right before you go, download it to your desktop and keep it in a cool, dry place (so to speak) until you can install it safely--i.e. you have backed up your data and are able to react in the unlikely event of an upgrade-related issue. This can be done by using the "Download only" menu item, available through the "Update" menu of the Software Update application.
Before going on a trip, you may also want to perform in-depth maintenance in order to make sure that your Mac will behave as smoothly as it should.
The rule is: never connect your computer to an untrusted network! Now that I've said that, I have to admit that it's perfectly impossible to avoid such connections. Indeed, while traveling, chances are that you'll need to connect to the Internet from your hotel room or use wireless hot spots along the way.
Since network services are off by default in Mac OS X, protecting you from the usual remote attacks, this shouldn't be too much of a concern. Nevertheless, you should always ask yourself whether or not the risk associated with the network outweighs the benefit of connecting. For example, wireless hot spots are often very insecure, especially if they are free or accessible from a great distance. You may want to avoid connecting to any network that is "too public," or whose policies you do not know.
About untrusted wireless networks: you may want to keep in mind that some of the hot spots you will encounter during your trip will be "fake" ones, set up by malicious users whose sole intention is to capture confidential information. Therefore, it is a good idea to check where a signal comes from before using it. For example, if the place you're at advertises Wi-Fi access, ask an employee for some network identifying information.
Most good hotel networks will provide you with a rough overview of their security policies before granting you access to the network. When in doubt, do not hesitate to call the front desk (or the networking company directly) to learn more--not an easy task, though, since many such companies do not want to reveal much about their security systems.
If you can do so, it may be a good idea to create a simple user account for you to use exclusively while you are on the road. That way, even if your user account is compromised, your more confidential files and your operating system will stay safe. For an extra layer of protection, you can even FileVault your administrator account (or the user account in which your confidential data is stored).
The Importance of Encrypting Network Connections
Packet sniffers are commonly used on public networks by malicious users, bored users looking for some fun, or network administrators that wish to eavesdrop on connections. They are also extremely easy to download and use, as well as legal in many cases.
Therefore, the best way to protect yourself against such threats is to encrypt any sensitive data that leaves your computer, such as passwords, logins, or emails. Here are ways to do so:
In Mail, make sure that both your inbound and outbound connections are protected by SSL encryption, as explained in our security primer. This will ensure that the contents of your messages, as well as your login and password information, are encrypted. Keep in mind, though, that this does not encrypt the message from the server to its final destination: you need to set up encrypted mail in order to do that. Otherwise, the mail will only be encrypted while it travels from your own computer to your mail provider's servers.
Do not establish any connections to remote servers or shared volumes unless you use a secure protocol. For example, SSH will protect your data, while telnet won't. Likewise, instead of FTP, you can use SFTP, and instead of regular AFP, try the lesser-known AFP through SSH--although AFP will probably protect your login and password, depending on your configuration.
When browsing, make sure that you tunnel the data stream through a secure connection, even if the site you are connecting to isn't encrypted. Services like Anonymizer can help reach this goal--although they usually are designed for Internet Explorer 6 or higher and don't play nice with other browsers. Of course, this only moves the problem (since the stream won't be encrypted when it leaves the anonymizer service servers), but it will prevent eavesdropping from other users of the same hot spot.
Be aware that iChat, and most other chat clients, sends your login information and the contents of your chat in the clear. It is especially important that you keep this detail in mind if you use your .Mac email address as your chat login.
Considering the number of applications and services that rely on an Internet connection in one way or the other, it is difficult to describe every possible situation in which your Mac could send unencrypted data on the Internet. A good way to get to know what your own computer does is to install an application like Little Snitch a few days prior to your trip and to write down or keep in mind the connection alerts.
By looking at port numbers, you should also be able to determine with a certain degree of reliability if the connection that is established is secure or not. For example, connection to port 80 usually indicates an HTTP connection, which is not encrypted, while port 443 seems to indicate that the application you are using uses HTTPS, which is encrypted. This is far from foolproof, though! This page is a good refresher in case you need to have a look at port numbers.
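The port check described above can be automated. The following is an added example, not part of the original article: it parses a constructed sample of `lsof -i -n -P` output and flags each outbound connection by its remote port. The port table, the sample lines, and the function names are assumptions chosen here for illustration.

```python
import re

# Constructed sample of `lsof -i -n -P` output (TEST-NET addresses, not real hosts).
SAMPLE = """\
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
Safari   412 fj   12u  IPv4 0x0a1       0t0  TCP 192.168.1.23:49201->203.0.113.10:80 (ESTABLISHED)
Mail     388 fj   20u  IPv4 0x0a2       0t0  TCP 192.168.1.23:49188->203.0.113.25:993 (ESTABLISHED)
Mail     388 fj   21u  IPv4 0x0a3       0t0  TCP 192.168.1.23:49189->203.0.113.25:25 (ESTABLISHED)
iChat    450 fj    9u  IPv4 0x0a4       0t0  TCP 192.168.1.23:49190->198.51.100.7:5190 (ESTABLISHED)
ssh      501 fj    3u  IPv4 0x0a5       0t0  TCP 192.168.1.23:49210->198.51.100.9:22 (ESTABLISHED)
Sync     520 fj    5u  IPv4 0x0a6       0t0  TCP 192.168.1.23:49215->198.51.100.40:8443 (ESTABLISHED)
httpd     60 root  4u  IPv4 0x0a7       0t0  TCP *:80 (LISTEN)
"""

# Default ports of protocols that encrypt the whole session.
ENCRYPTED = {22: "SSH/SFTP", 443: "HTTPS", 465: "SMTP over SSL",
             993: "IMAP over SSL", 995: "POP3 over SSL"}
# Default ports of protocols that are cleartext unless upgraded in-band.
CLEARTEXT = {21: "FTP", 23: "telnet", 25: "SMTP", 80: "HTTP", 110: "POP3",
             143: "IMAP", 548: "AFP", 5190: "AIM (iChat)"}

# Outbound established TCP line: COMMAND ... TCP local->remote:port (ESTABLISHED)
LINE = re.compile(r"^(\S+)\s.*\sTCP\s+\S+->(\S+):(\d+)\s+\(ESTABLISHED\)")

def classify(port):
    """Guess from the remote port alone; the guess can be wrong either way."""
    if port in ENCRYPTED:
        return "likely encrypted", ENCRYPTED[port]
    if port in CLEARTEXT:
        return "likely cleartext", CLEARTEXT[port]
    return "unknown", "unrecognized port"

def audit(lsof_text):
    """Return (command, remote_host, port, verdict, protocol) per connection."""
    rows = []
    for line in lsof_text.splitlines():
        m = LINE.match(line)
        if m:  # skips the header, listeners and UDP sockets
            port = int(m.group(3))
            rows.append((m.group(1), m.group(2), port) + classify(port))
    return rows

def needs_attention(lsof_text):
    """Connections that deserve a closer look before trusting them on a hot spot."""
    return [r for r in audit(lsof_text) if r[3] != "likely encrypted"]

if __name__ == "__main__":
    for cmd, host, port, verdict, proto in audit(SAMPLE):
        print(f"{cmd:8} {host}:{port:<5} {verdict:17} {proto}")
```

The "unknown" verdict for the connection on port 8443 shows the limit of the heuristic: the port alone says nothing about whether that application encrypts its traffic.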
Even with good encryption measures, keep in mind that it's easy to inadvertently send something that you didn't intend to send. Therefore, you should avoid transmitting crucial information over public networks as much as you can. For example, even if most online merchants use secure sites, I wouldn't recommend using your credit card number on a wireless hot spot--if only because it involves taking it out and punching numbers on your keyboard in front of everyone.
About punching numbers, keep in mind that the Keychain Access utility has a special button that allows you to extract passwords and to put them directly in your clipboard without having them displayed on the screen. It's at the bottom left of the window, so obvious that it is often overlooked!
As the credit card example shows, shoulder surfing is still a very common technique. It's as low-tech and as effective as you can get, considering that most users are unaware of this danger. Of course, you cannot encrypt the keys on your keyboard. (Well, you could re-map your keyboard to Dvorak or another language to throw off attackers, but this is a bit extreme.) You should pay attention and make sure that nobody is watching you while you enter a password or work on confidential documents.
Dimming your screen so that only you can see it can also be a good idea. Some companies sell screen protectors that mask the screen with side panels. These do provide a good level of protection by restricting the area from which the contents of your screen can be seen and can therefore make your life a lot easier. At the same time, however, they can draw attention to you and declare to the world that you are dealing with sensitive data (the modern-day equivalent of writing "Gold Bars Transfer Company" on the side of a truck). It is therefore up to you to decide whether they will be effective in the areas you are traveling through.