Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Mac News > Pointers Special: Security best practices, part three

Pointers Special: Security best practices, part three
Thread Tools
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
Jun 10, 2016, 12:13 PM
You didn't buy your Mac or your iPhone in order to while away the hours avoiding phishing scams and malware. Unfortunately, other people did buy theirs in order to con money or data out of you, so we have to be vigilant. That's the purpose of our three-part Pointers Special. This is how to protect your Apple device, your work, and your money -- and in this concluding edition, how to keep people from seeing what you're doing.

Do be certain to read Monday's part one, where we covered why you shouldn't do banking on Starbuck's free Wi-Fi -- because for one thing you don't know for sure it's the coffee shop's network, or one belonging to that suspicious fella next to you with a hat -- and Wednesday's part two about passwords, downloading, and the unexpected threat from your own family.

Future protection

You've seen the warnings on websites that say you shouldn't save your password if you're using a public computer. You shouldn't. Yet even if you're in your own home's panic room, and nobody else knows the passcode -- or can get by the high-tech retina scan entry system you installed -- there are still times when you should act as if your machine is public.

That's because later on, when you come to upgrade to Panic Room 2.0 and install a newer, faster computer, the old one you chuck out or sell on Craigslist will still have immensely important information on it. You're thinking that you can erase the hard disk, and you're right -- but we've done this ourselves: we've taken an apparently-erased disk, and restored the contents as if by magic. That was a long time ago, it was on a Mac Classic, and the previous owner popped back to tell us something just as his files appeared on the screen.

Anyway. It's harder to do now, but not substantially so. What you can do to help prevent us embarrassing ourselves in front of you is to securely erase the drive. Before you do that, though, you have to make the single most important backup of your life, but you knew that. You also have to sign out of iCloud, which you may not have even thought of. Sign out of both iCloud and Messages, then within iTunes from the menubar, choose Store, and then Deauthorize This Computer.

Quick question: did you ever register your Mac with Apple Support? We'll take that as um, no, possibly, can't remember. Go to supportprofile.apple.com and sign in with your Apple ID. That'll show you a list of your registered devices: if you can see your soon-to-be-ex one listed there, click to remove it.

Now you get to erase the disk. Reboot your Mac, and hold down the Command and R keys: that restarts the machine into OS X Recovery. That includes Disk Utility: use that, select the name of your hard drive, and then click on Security Options. Pick to securely erase, and then back on the Disk Utility main screen, choose Mac OS Extended (Journaled) as the format. Click erase. This will take a little while (one pass), or a few days (35-pass). We're not kidding about that, by the way.


We can't remember what we got from that fella's old Mac Classic, apart from a broken nose, but today we could make a fair stab at what we'd get from yours. One key thing would be your internet browser history. Maybe we're just not criminally-minded enough to grasp all the problems a history can cause, or perhaps we're just searching for an example that doesn't involve your having visited sites of a, um, nervous disposition.

Try this. If someone can see your browser history, they can see when you go on your bank accounts. If you go to a lot of sites that require logging in, Safari and other browsers will not only remember that for you, they will remember the login details, and enter them automatically. That is brilliantly handy for you today, but an appallingly horrible prospect for the next time someone steals your Mac.

You can wipe your browser history. You've probably been able to do that since the start of internet browsing, but it's perhaps exactly that long since you ever bothered. For it used to be that you wiped everything or nothing: you couldn't remove one site from your list. The loss of your entire browser history, and the fact that you had to remember to do it, meant you never quite got around to doing so.

Things have changed. Now clearing your history in Safari is a matter of choosing Clear History…, the last option in the History menu and then picking what you want to lose. It's still not the same as being able to say you don't want anyone to know how long you spend on microsoft.com looking for support answers, but it's much better than it was. Now you can elect to clear the entire history of everything, but alternatively just where you've browsed in the last hour, all of today, all of today and yesterday too.

Eyes down

Do this instead, though: proactively decide that you're not going to leave any interesting breadcrumb trail in your browser history. Choose before you browse, rather than going back to erase later. Choose Private Mode.

This is now a feature on just about every browser -- Chrome calls it Incognito, Internet Explorer calls it InPrivate Browsing -- but it did start with Safari. While in the browser, hold down Command and Shift, and tap N. That gets you a new browser window, but it is in private mode. In a curiously un-Apple kind of way, the new window will clearly tell you this, but you can't always see the full explanation: it doesn't wrap around.

If you were to stretch out the new window long enough, what it says in full is: "Private Browsing Enabled: Safari will keep your browsing history private for all tabs in this window. After you close this window, Safari won't remember the pages you visited, your search history, or your AutoFill information."

You can also just choose New Private Window from Safari's File Menu. On iOS, tap the Safari button to show you all your current pages and there'll be a Private button at bottom left. Handy for when you just need to visit one site you don't want public, while your normal course of sites are fine (even useful) being in your browser history.

If you're thinking that you never do anything online that you wouldn't be happy your mother knowing, ask yourself that again -- and this time, for "mother" read "Facebook." You've already seen how Facebook seems to magically have adverts for exactly the products you've been searching for. Stop it knowing what you're searching for, and you won't get the ads. Or at least not so many, or at least not so specifically targeted.

Prying eyes

Private Browsing is most useful for you sitting there at your Mac. It stops people being able to look back at what you've done -- but it would be good to also stop them being able to see what you're doing while you're doing it. Enter VPN.

The Virtual Private Network is an idea, a technique, where everything that comes into or goes out of your computer or iOS device is encrypted, and so nobody else can see what you're doing. VPN companies often refer to this as your having a tunnel through to where you want to go online.

There are free services like Opera for iPhone that are just there to do VPN's other function of spoofing the internet into thinking you're in a different country. For anything more serious -- anything -- look at VPN providers like NordVPN, and expect to pay out some cash.

Once you've got through that pain, you can relax for a year or so, until you have to pay again. In the meantime, you can send sensitive information like passwords and account details over VPN to wherever you need. Make sure you really need it, though: no technology is "foolproof" secure. There is just too much going on when you connect to the internet: whatever your solution, there's a risk.


There really could be too much going on when you're connected to the internet. Some of it is down to you: you've written that email, you now expect the internet to carry it home. However, any app you have can send any information anywhere, and if that happens, it's not going to be trivial.

Go get Little Snitch or a similar app, like Radio Silence and run them on your Mac. They will spot everything that gets sent or received. Little Snitch has been around the longer, and is to this as Biro is to pens. Still, here's Radio Silence:

It's not the clearest or easiest-to-follow information, but you get used to it -- and what it tells you is when something is going on that you don't want. It'll show you, for instance, things you expect, like Adobe Creative Cloud, phoning home to see that you're a legitimate customer before it launches. You'll see apps like the Reeder RSS news app checking up on your favourite sites for you.

Whatever the app, whatever it's doing, you can stop it in Little Snitch or others. They're net monitoring tools, and they are specifically for seeing how much data is being sent or received by your apps. Get one of those, and update it regularly.

Speaking of upgrades

In Wednesday's edition of this series, MacNN editor Charles Martin spoke about how often we get prompted to upgrade apps -- and how sometimes, it's a con. The short answer is that if it's an upgrade you want, go to the app and look for a Check for Updates option. It'll be in the Application menu, the File or Edit one, wherever there are Preferences. Sometimes they're in the Window menu: you'd think this would be standardized by now, but it isn't.

What is effectively a standard is that if the app says yes, there is an update available, then it is correct and you should update. Always update.

Even if you happen to be a security expert, you're not a hundred security experts, or a thousand of them. We don't know how many people Apple has working on security, but it's more than one. Which means a hugely important thing you can do is follow their lead: when Apple or a developer updates something, take that update. Keep everything up to date, always.

That's a pain, and sometimes it's a real pain, as your Mac or your iPhone keep on nudging you to do it. Yet it's less of one than having to recover lost data later.

Also, it's something you can do to keep on top of problems and every time you are reminded like this, take a look at what Little Snitch is telling you is going on. Take a look at Private Browsing. We're not saying be vigilant, we're not saying you should give up your day job in order to nurse your Mac, but both you and we need to be more on our guards than we have ever had to be before.

-- William Gallagher (@WGallagher)
( Last edited by NewsPoster; Jun 13, 2016 at 10:25 AM. )
Dedicated MacNNer
Join Date: Aug 2001
Location: California
Status: Offline
Reply With Quote
Jun 10, 2016, 03:46 PM
"...we've taken an apparently-erased disk, and restored the contents as if by magic. That was a long time ago, it was on a Mac Classic, and the previous owner popped back to tell us something just as his files appeared on the screen.

Anyway. It's harder to do now, but not substantially so."

This is a pretty extreme claim, and I'd like to see some documentation of it rather than a 30-year-old anecdote from a hard drive with less storage than the firmware on a modern Mac.

If I tell Disk Utility, or an equivalent tool like SoftRAID or whatnot, to write an entire pass of garbage data to a 2TB hard drive, how, exactly, is it "not substantially harder" to retrieve a password from that drive? It's been demonstrated in experiments that with fancy magnetic microscopy you can retrieve some fraction of the "erased" data from a drive several generations back, but unless the CIA has pulled it off in a locked room full of millions of dollars of technology, no one has ever demonstrated retrieving useful specific data from a modern hard drive that's been overwritten, much less *all* of the useful data, as opposed to randomly distributed fragments that are far more likely to contain a chunk of video or standard system files than a password or financial information.

Heck, even with 50% of the blocks on a drive retrieved, randomly distributed, figuring on what's a financial document buried in the terabyte of video data, OS files, app data, and spam emails is not a trivial proposition.

I'm not saying someone incompetent might not select "Erase" without any security options, which is most definitely recoverable (with some effort), or just put files in the trash and select "empty trash" instead of "secure empty trash", but if the person erasing has any idea at all what they're doing I would like to know where the evidence is that I need to mechanically destroy my hard drive to be sure anyone outside the NSA can't get to files I overwrote.

I mean, the US DoD is okay selling hard drives that have been wiped (I've bought them--a lot of cheap refurb office computers I've bought have a DoD sticker on the drive certifying it's been erased). I'm sure they didn't contain top-secret data, but I'm also pretty sure the DoD wouldn't be okay with just handing out their office machines to random strangers who shop on Newegg.
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Status: Offline
Reply With Quote
Jun 10, 2016, 04:24 PM
I believe William was just referring to formatting the drive, as opposed to a specific secure erase. I'll inquire.
William Gallagher
Fresh-Faced Recruit
Join Date: Dec 2014
Status: Offline
Reply With Quote
Jun 10, 2016, 04:35 PM
I was. Not that I have statistics in it but but in my experience most people, most of the time, just chose erase. People don't know what the secure option is and they don't need it in order to wipe the disc, so they don't.
Grizzled Veteran
Join Date: Jun 2008
Status: Offline
Reply With Quote
Jun 10, 2016, 05:28 PM
Not only should people be aware of the difference between "Erase" and "Secure Erase" when talking about formatting a drive (not emptying the trash), but they should also be aware of the amount of time it takes to do both.

"Erase" takes moments. Sometimes a few long moments, but moments nonetheless.

"Secure Erase" takes FOREVER. Depending on the size and speed of the drive and driver interface, as well as the number of passes specified, it could take anywhere from hours to a day or more.
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status: Offline
Reply With Quote
Jun 10, 2016, 07:38 PM
Well, to be more accurate, 1-pass secure erase (zeroing out) doesn't take that long -- maybe an hour or less for most drives. 7-pass? Oh yeah, leave that over the weekend. 35-pass? You're insane, and your drive will be all clean by Christmas -- if you start now.
Charles Martin
MacNN Editor
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jun 11, 2016, 12:01 AM
Why no mention of enabling two-factor auth, where available?
Thread Tools
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Privacy Policy
All times are GMT -4. The time now is 12:10 PM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,