Taking Care of All Your IT Needs.

MacLockPick: Will Your Mac & OSX Be Safe Ever Again?

MacLockPick is a USB flash key based application designed to take advantage of a Mac keychains default open status and other clear text data on a host computer to perform a quick and data collection for further analysis offsite. The primary aim of the device is to operate in as fast a time as possible with as minimal trace of activity as possible, gathering a suspect's critical information as it does so.

That being said, this finger-sized device, available direct from the developer, SubRosaSoft Inc. is not available to the general public and can only be purchased by so called "spooks" with proof of being a licensed law enforcement professional.

To go a little deeper into detail, MacLockPick will gather such information from the suspect's computer as: keychain held passwords, file and folders information and history, details from instant messaging and internet chat clients, email and address book information and history, web history and preferences, and hardware preferences. A whole range of information that tells quite a detailed picture of the what, why, when and whom the computer's owner is.

What Does This Mean To You and To Me?

It means that if you leave your computer on, without locking it down, then it is not safe, per se. And if it wasn't safe before, it definitely isn't now. Though you might say to yourself: "What are the chances anything is going to happen?" Well, probably just about the same chances as your Macintosh being stolen, which is as good enough a reason to secure the Mac OSX and the file system on the hard drive anyhow.

On another note, picture this if you will, a trip through US immigration, or a terrorist stop-and-search in London: You are stopped with your laptop in hand, they force you to sign a waiver about your rights and options to give up information, they see you have a Mac laptop and ask you to switch it on; and they then proceed to stick in this little USB flash key device that proceeds to suck out a variety of information regarding your identity that they can then keep on file! You might say that you have nothing to hide, but even in this scenario, it's shocking and highly plausible, and what's more, what does it achieve if you really do have nothing to hide, other than an gross invasion of privacy.

On the flipside, such a usb key might be used to search and gather passswords, chat history and email attachments in criminal cases such as for the capture of peadophiles, or in defense cases where the access of information for the benefit of a quick turn around in action is time sensitive, and that going in, collecting the information and then assessing it are time sensitive activities. I can imagine that Jack Bauer would kill for one of these in 24!

Stopping MacLockPick Dead in its Tracks

Is there any way to avoid being caught out? Yes, of course, but though some steps are simple, and can be easily configured as part of OSX, some steps border on the side of paranoia and hamper the ease of use of any computer system, but of course help to lock down your Mac.

The following is a summary outline of things that you can do as a Macintosh and Mac OSX user in order to lock down your computer and at least avoid attention from prying eyes:

• Setup a passworded screensaver, with a hot corner to activate it when you step away from the Mac. The former can be setup under "Security" in "System Preferences" whilst the latter can be set up in "Dashboard & Exposé" in the same place. Also, on the screensaver, setup quick activation time after short period inactivity.
• In "Security" also, set your user keychain to automatically close itself after a short time of inactivity. This will avoid the chance of it being open when someone comes to attempt to access it, though this also means you might frequently have to enter your password to open it.
• Consider switching off USB storage drive access on the system, a simple script could switch the necessary files and restart the Mac; something that could be run every time you need to switch USB access on and off for yourself, but lock out others. You can find tips on doing this over at the National Security Agency website: "Disabling USB Storage Drives in Mac OSX" (PDF). The side effect of this is that all external storage devices USB or FireWire will be disabled.
• Switch off automatic login, so that you have to supply a password every single time you startup, and at the same time, disable any users that do not require a password. The MacLockPick application can source passwords and other data across multiptle user accounts, so being able to login to any accoutn without a password would be a huge flaw.
• Don't set any application to auto-recall your password for you. Some applications may use the keychain, which might or might not be open, whilst others will not, and some passwords will be stored encrypted, whilst others of course won't be. Moreover, don't use the same password for every single thing you do, and whilst you are at it, don't make them too easy to guess.
• To play it safe, have a script to auto-clear your web history, recent app and documents, and mail attachment caches. Set this to run on shutdown, or even better for it to run periodically through the day as part of the regular Mac cycles. Also in deleting the various files and caches, the cleaner should secur erase the data, passing over it 2 or 3 times and overwritting it with further data before finally deleting it.
• Run IMAP rather than POP email settings. That is to say that you should leave emails hosted on the email server rather than pulling them down to your computer, this means that a minimal amount of info is stored on your Mac when it comes to be searched. That being said, this also makes the assumption that the server is a computer you have control over and ensure that the contents of the mail folders on it, are also secured to the same standard as your own system.
• Use a PGP Disk or FileVault to store sensitive information, and create aliases to the surrogate folder/file locations on the PGP Disk or FileVault back in the original system locations. This will avoid providing a carte blanche to everyone and anyone who decides thay want to go snooping.
• Make sure your backups stay secure. Know where they are and make sure that no one other than you has access to them. Storing them in an unecrypted disk image isn't necessarily a safer and sure fire way to guarantee their security.
• Be aware of the fact that OSX has a security flaw in as much that putting the system into single user mode allows a person full root access to the system. If you don't know what this means, just understand that it allows anyone to bypass the initial security steps to get into your computer by allowing them to change the password to something of their choosing. This can be done with a nice GUI by booting the system of an OSX install CD.

As with all these things there is a fine balance between practicality and annoyance. And in spite of even the most well layed out security plans and practices, even the best strategy can be penetrated sometimes.

Conclusion: Apple Gets Shirty!

Maybe this is part of why employees at the Apple Store get so shirty when you stick anything near the USB port on any of the in-store systems, who knows, but in any event Apple itself has also produced a security configuration document for learning how to lock down your Apple Macintosh OSX server in PDF, and has a page online about security tips and enhancements to its latest version of OSX - Tiger.

The USB flash memory device itself that runs MacLockPick is pretty cool and nifty, and wouldn't go amiss on any keychain. It is definitely handy for any digital investigator, the results of which can then be analyzed on any OSX, Windows or Linux based machine with the associated software Key Log Reader.

For the general joe public like you and me, there are always fears concerning the use and potential abuse of such security hardware and software. Even if you do have nothing to hide, there is no accounting for what others themselves are up to. But I think it is obvious from this article, that there are clear and distinct steps that can be taken to help lock down you Mac from some of even the most trying digital investigators.

To coin a phrase Nick Ross has been using on Crime Watch, UK since 1981: "Don't have nightmares, do sleep well!"

Find out more about the MacLockPick USB flash key over at SubRosaSoft, Inc.