[mcsjgs]

From thorssell.com

Monday, November 24th 2003

Target disk mode - the biggest security hole of OS X, or another feature?

Wherever you look these days, security seems to be the new thing. Articles and "how-to's" are all over the place. If it's not about secure ways to ensure that your top secret e-mail will not fall into the prying eyes of everyone lurking just behind your firewall, you've might taken the advice about using secure passwords seriously (the harder to remember, the more difficult to crack).

Using the new FileVault built into OS X 10.3 might calm all those jumpy executives types when on the road. And the documented but still not particularly touted use of an Open Firmware password can also come in handy if you want to be on the safe side.

But for the rest of us? Are all the files on my computer safe when I've logged out and turned off my computer for the weekend?

A couple of days ago a colleague and I realised how vulnerable OS X really is. Going through all the hassle with setting up an account and coming up with a really safe password still doesn't mean a thing if you don't want to dabble with FileVault or Open Firmware of course.

We wanted to shuffle lots of gigabytes from one iBook to another, both running OS X. "Target disk mode might come in handy" we said. It's so easy - just connect the two with a firewire cable, restart the computer you want to use as an external firewire disk and hold down that "T" button.

And voila. Instant access to every file on that computer. If I want to have a closer look at what's in that very private looking folder in a particular user account, I can do that. Nothing will stop me from copying, deleting or rewriting the files I find interesting.

As long as a person with not so good intentions at the office still have access to the place outside office hours, there's nothing stopping that person from having a closer look at every hard drive.

Now, I don't know how many people out there think this is a feature and not a security hole. I just feel that some kind of password protected Home folders when used in this context wouldn't just be a great addition to this otherwise incredible operating system, it should already be included.

[cpac]

if somebody has physical access to your machine, there is no effective security.

And doesn't using File Vault prevent access, even over target disk mode?

[gorickey]

Originally posted by cpac:
And doesn't using File Vault prevent access, even over target disk mode?

Yep.

To me, nothing is more effective then FileVault with the Open-Firmware Password enabled...

[zigzag]

I learned about this last year - thought I had a secure user account, then found out that the password could be bypassed by anyone with a Firewire cable.

But I wouldn't want to be without Target Disc Mode, and Open Firmware passwords are easily bypassed by someone who knows what they're doing. The best solution IMO is to put anything you want to secure in an encrypted disc image (and don't put the password in your Keychain). FileVault is a nice idea but I'm not sure the bugs have been worked out yet.

[torifile]

F.

U.

D.

If Filevault is enabled and the password is not stored in the host computer's keychain (the one using the other computer as a firewire disk), there is no way to access the encrypted files (through ordinary means).

[-Q-]

The writer is an idiot. Give me physical access to most machines and I'll be able to browse all the files on there.

[zigzag]

Originally posted by torifile:
F.

U.

D.

If Filevault is enabled and the password is not stored in the host computer's keychain (the one using the other computer as a firewire disk), there is no way to access the encrypted files (through ordinary means).

If your comment is directed at me, my point was not that FileVault isn't secure, but that it's still causing other problems in some people's systems.

[torifile]

Originally posted by zigzag:
If your comment is directed at me, my point was not that FileVault isn't secure, but that it's still causing other problems in some people's systems.

Oh, no, it wasn't at you. It was at the original post. Sorry for the confusion.

[wadesworld]

This is totally stupid. Of course the files are accessible via Target Disk Mode. That's what it's there for.

Wade

[Millennium]

If someone can get physical access to the machine, You Are Screwed. This is a fundamental maxim of computer security; anyone who can get to the hardware will be able to bypass absolutely any security measures you take, given time, short of some kind of self-destruct mechanism.

Your best defense against physical breaches is to use good encryption software; if you do this correctly (i.e. you don't store your disk image passwords in Keychain) then it would take thousands of years to get into the encrypted data; while this is still theoretically possible, you are extrtemely unlikely to run into a hacker who will live that long. If you do, you're in bigger trouble than any security program can help with.

[The Ayatollah]

ditto to all the 'this is stupid' comments. Any joe with half a brain should realise this. If you want true data protection, enable File Vault.

[Boondoggle]

Here is what I suggest for the ultra-paranoid:


make an encrypted image using PGP

segment the file

encrypt the segments using a different key

store the segments separately. i.e. on different CD's in different locations.

Store your PGP keys on a USB keyfob drive and keep it secure.



Of course the more secure you get the less convienience you enjoy. The above is overkill for most of us. If you really want to get tricky then keep some dummy keys on your computer along with some dummy images encrypted with those keys with provocative filenames, like "mycrimes" or "secrets". That will keep any busybodies busy for a long time.

FWIW Filevault has been working very well here.

bd

[zigzag]

In defense of the ignorant, I wouldn't dismiss these questions as stupid too easily. It's surprising how many people don't know what Target Disk Mode is, let alone the fact that anyone can bypass their log-in password with a simple Firewire cable. It's not something that Apple touts - the average person is instructed to pick a log-in password and assumes that his user account is secure from casual snooping.

Fortunately, FileVault addresses this, but I think Apple should do a better job of explaining security issues to newbies. I found out about the TDM breach by accident, and I wouldn't have known about encrypted disc images or Open Firmware if I hadn't done time-consuming research.

[cpac]

I'd hardly call another person walking around with a Mac and a firewire cable who has physical access to your machine a "casual snooper"

This really isn't a big deal. Anybody who is justifiably concerned about security would (1) probably be using filevault and (2) would probably lock their office and/or not allow suspicious persons to have physical access to their machine.

[mitchell_pgh]

I get tired of this...

Physical access to the hardware is ALWAYS going to cause security problem.

P.S. They could always take the computer! They could always take the hard drive. etc. etc. etc.

[clf8]

I don't think anything about this is stupid. Notwithstanding all the "give me physical access and I'll crack it" comments, that doesn't mean it has to be easy. Ideally, OS X would follow user permissions for a mounted disk. At the basic level that means if you've got a different user ID, you can't read the files (and I mean user ID, as in the number, not the name). Even so, nothing can stop me from becomming root on my system and then having access to any files. It's a small protection, but one that should be there.

My question is, if you have an OpenFirmware password, does it prompt you for it before booting into Target Disk mode? This is the only method of really securing your data, outside of encrypting it all.

[mitchell_pgh]

I think there should be a way to lock it down, but out of the box, I think the way they currently do it is fine. It's all about ease of use. Most people will NEVER had to deal with this.

Remember, to most people "What is your password?" is a difficult question.

[zigzag]

Originally posted by cpac:
I'd hardly call another person walking around with a Mac and a firewire cable who has physical access to your machine a "casual snooper"

This really isn't a big deal. Anybody who is justifiably concerned about security would (1) probably be using filevault and (2) would probably lock their office and/or not allow suspicious persons to have physical access to their machine.

Not "casual" perhaps, but extremely easy. Most offices and dorm rooms are communal. I knew that physical access meant that a determined snooper could get into my hard drive with some time and effort, but I didn't know it was as easy as using Target Disk Mode until I found out by accident. It isn't something that the average user knows about or intuits. Apple could have simply pointed out during set-up "Uh, here are some password vulnerabilities and here are some alternative measures." Instead, the average user thinks their log-in password takes some time and expertise to bypass.

We all agree that FileVault is a good solution. I'm just saying that before now, it would have been helpful for Apple to simply inform people how easy it is to bypass a log-in password. Even now, I suspect that most users think their log-in passwords provide reasonably good protection, which isn't true. Thus this thread.

[zigzag]

Originally posted by clf8:
My question is, if you have an OpenFirmware password, does it prompt you for it before booting into Target Disk mode? This is the only method of really securing your data, outside of encrypting it all.

I could be mistaken but I think Open Firmware disables Target Disk Mode. In any case, Open Firmware is easy to bypass - as I understand it, you just remove a RAM module or something.

[romeosc]

If you leave computer on with multiple users logged in, the casual user can't shutdown to enter "Target Mode" unless you disconnect power.

[Arkham_c]

The old adage "There is no security without physical security" is very true.

If someone has physical access to your computer, no matter what electronic controls are in place, they can just pick up your computer and walk out with it, or take out the hard drive and walk out with that. Then they can steal its contents at their leisure.

Some relevant URLs on the subject:

http://www.bizjournals.com/louisvill...4/smallb2.html

http://www.cert.org/security-improve...ices/p074.html

http://www.cqu.edu.au/documents/comp...40.html#Access

http://vancouver-webpages.com/security/physical.html

http://security.itworld.com/4366/030813utpolicy/

[-Q-]

Again, physical access means security is pretty useless w/out some serious steps taken by the user. And really, if it were such an issue, why are we only hearing about this now?

[Eriamjh]

Target disk mode insecure? That's about as stupid as saying "letting someone see you type your password over your shoulder" is a HUGE security breach!

What if they take the HD out and put it in another machine! Gasp! They can access all your files!

Oh

[Cadaver]

Originally posted by zigzag:
I could be mistaken but I think Open Firmware disables Target Disk Mode. In any case, Open Firmware is easy to bypass - as I understand it, you just remove a RAM module or something.

The Open Firmware lock will prevent the machine from being boot from CD ("C" key), from being started in target disk mode ("T" key), from single-user mode (cmd-S), and a few other Open Firmware key presses.

While I do believe that this can be reset by hitting the CUDA switch on the motherboard (on machines that have one) or by yanking all the RAM (not 100% sure about that), there is an easy and cheap way to prevent this from happening: A padlock on the case.

A padlock on the case will effectively prevent someone from physically removing the hard drive, and will also prevent someone from being able to disable the Open Firmware lock. The Open Firmware lock will then adequately prevent someone from booting your machine off CD or in to target disk mode. This is about as good security-wise that you can get given physical access to a machine.

[Cadaver]

Originally posted by mcsjgs:
From thorssell.com

Going through all the hassle with setting up an account and coming up with a really safe password still doesn't mean a thing if you don't want to dabble with FileVault or Open Firmware of course.

This author really has a gift for stating the obvious, don't you think??

Give me access to your PC with an encrypted NTFS file system and a certain Linux boot disk, and I'll get to your files, too.

If you want a secure computer, you do have to actually take the steps to make it secure.

"Reporting" like this really bothers me, regardless of what platform the target is.

[JKT]

One thing I do find curious about this is that the Open Firmware password isn't active by default - anyone wish to speculate as to why?

Also, if someone has access to your machine and a MacOS X install disk, they too have full access as they can simply reset your password (unless OF password has been activated, etc).

[Cadaver]

Originally posted by JKT:
One thing I do find curious about this is that the Open Firmware password isn't active by default - anyone wish to speculate as to why?

It makes troubleshooting for the average user fairly difficult. The mechanism to lock/unlock the firmware is an application. Application means you need a bootable OS. Screw up your OS, and you wont be able to simply boot off CD by holding down "C".... Try explaining to the average user she has to open the machine and find little buttons, or batteries, or pull a RAM module just to restore her machine by booting off CD. Would not be pretty.

[Cadaver]

Listen, it's not like your average PC is any more secure. Its pretty easy to access the BIOS is most machines and change the boot drive, etc.

[chabig]

One thing I do find curious about this is that the Open Firmware password isn't active by default - anyone wish to speculate as to why?

If the Open Firmware Password were active by default, there would have to be a default password. So there would be no difference between that configuration and what we have now (which is just a default with no password).

Chris

[zigzag]

Good grief, people - it's only "obvious" to people who already have the information. It's not "obvious" to the average user. That's the point. Not everyone who buys a Mac is a friggin' geek.

[Cipher13]

Originally posted by JKT:
One thing I do find curious about this is that the Open Firmware password isn't active by default - anyone wish to speculate as to why?

Also, if someone has access to your machine and a MacOS X install disk, they too have full access as they can simply reset your password (unless OF password has been activated, etc).

Because people would be greeted with an ugly black on white DOS-eque screen.

Not pretty.

[Cipher13]

This is stupid.

As has been made abundantly clear... if I have physical access to your machine, I don't need a FireWire cable to access your data.

OF password? I pull your RAM.
Log-in password? I reset it via Single User mode.
SUM disabled? I pull your hard drive if I can't think of anything else.

[- - e r i k - -]

Originally posted by mcsjgs:
Going through all the hassle with setting up an account and coming up with a really safe password still doesn't mean a thing if you don't want to dabble with FileVault or Open Firmware of course.

The silliness of this comment summed up in one sentence.

[wadesworld]

Good grief, people - it's only "obvious" to people who already have the information. It's not "obvious" to the average user. That's the point. Not everyone who buys a Mac is a friggin' geek.

And it's useless to try to explain to those same users what Target Disk Mode is, what an Open Firmware password is, etc. They want to know how to connect to Yahoo, and have no desire to create encrypted disk images, set open firmware passwords, etc.

Wade

[JKT]

Re: Cadaver.

I was under the impression that the firmware was separate and distinct from the OS. You use an application to set a password, but that is the only time the OS is required wrt the Firmware password. Open Firmware is accessed before the OS has even begun to initialise.

FWIW, it would be no harder to teach a new user to hold option key at bootup so that they could then enter their admin password and select e.g. the image of the CD than it would be to teach them how to hold down the C key at bootup. Both have to be taught and both learnt.

Re: Chabig

The process of starting up a brand new Mac (or installing) for the first time could be used to ask for an OF password to be selected (e.g. by default it could be the same as that chosen by the first admin user to set-up an account and be the same as their log-in password). At this point, the need for OF password and, for utmost security, the desire for physical limits on access to your RAM etc could be clearly explained to the user.

Originally posted by Cipher13:
Because people would be greeted with an ugly black on white DOS-eque screen.

Not pretty.

No they wouldn't - holding down option at bootup presents you with a simple and attractive GUI for selecting the boot drive/partition. If you have OF password activated, the initial screen is a simple GUI log-in pane where you are asked to provide the password and then you get to choose the boot drive/partition. The only time you get the CLI-esque screen is if you boot in Single User mode, which OF password is partly designed to prevent.

[chabig]

he process of starting up a brand new Mac (or installing) for the first time could be used to ask for an OF password to be selected

Good point!

Cipher13:

I don't think you can reset user passwords in single user mode any more since the release of Panther. It was easy in Jaguar, but no more.

Chris

[proton]

Originally posted by chabig:
I don't think you can reset user passwords in single user mode any more since the release of Panther. It was easy in Jaguar, but no more.

While I haven't tested it in Panther, it should be the same as it always has been. The single user mode shell is a root shell, so to reset anybody on the system's password, just type passwd shortusername, substituting the short username of the user who's password you wish to reset. Note however, that this only changes their login password, not their keychain or filevault passwords.

- proton

[chabig]

I've tried <b>passwd shortusername</b>. It doesn't work now that Panther is using shadowed passwords. I don't know how to do it anymore.

Chris

[proton]

Originally posted by chabig:
I've tried <b>passwd shortusername</b>. It doesn't work now that Panther is using shadowed passwords. I don't know how to do it anymore.

I believe that in single user mode you need to start up the NetInfo daemon to be able to change passwords. I'm not sure how to do that with the new Panther startup item mechanisms, as NetInfo is no longer started using /System/Library/StartupItems/NetInfo/

- proton

[zigzag]

Originally posted by wadesworld:
And it's useless to try to explain to those same users what Target Disk Mode is, what an Open Firmware password is, etc. They want to know how to connect to Yahoo, and have no desire to create encrypted disk images, set open firmware passwords, etc.

True for some (who probably don't care about security anyway), not true for all. I would have liked to have that additional information when I started using OS X, so would a lot of people.

[zigzag]

Originally posted by JKT:
FWIW, it would be no harder to teach a new user to hold option key at bootup so that they could then enter their admin password and select e.g. the image of the CD than it would be to teach them how to hold down the C key at bootup. Both have to be taught and both learnt.

[snip]

No they wouldn't - holding down option at bootup presents you with a simple and attractive GUI for selecting the boot drive/partition. If you have OF password activated, the initial screen is a simple GUI log-in pane where you are asked to provide the password and then you get to choose the boot drive/partition. The only time you get the CLI-esque screen is if you boot in Single User mode, which OF password is partly designed to prevent.

Thank you, JKT, for your knowledge and good sense. I suppose I could rag on the geeks for not knowing these things intuitively, but I won't.

[Cipher13]

Originally posted by chabig:
Cipher13:

I don't think you can reset user passwords in single user mode any more since the release of Panther. It was easy in Jaguar, but no more.

Chris

Originally posted by proton:
While I haven't tested it in Panther, it should be the same as it always has been. The single user mode shell is a root shell, so to reset anybody on the system's password, just type passwd shortusername, substituting the short username of the user who's password you wish to reset. Note however, that this only changes their login password, not their keychain or filevault passwords.

- proton

Originally posted by chabig:
I've tried <b>passwd shortusername</b>. It doesn't work now that Panther is using shadowed passwords. I don't know how to do it anymore.

Chris

Originally posted by proton:
I believe that in single user mode you need to start up the NetInfo daemon to be able to change passwords. I'm not sure how to do that with the new Panther startup item mechanisms, as NetInfo is no longer started using /System/Library/StartupItems/NetInfo/

- proton

Let's find out, then... rebooting the Panther machine now.

Booted into single user mode.
Mount /.

> passwd shortname
>

I just get returned to the prompt when I do that.

So...

> SystemStarter

After getting the "Startup Complete" message, it just sits there. To get a prompt, I have to ^C.

> passwd shortname
>

Same deal. Interesting.

[chabig]

Same deal. Interesting

Yeah. That's what happens to me too.

Chris

[mikerally]

The reality of the situation is the majority of people who use computers out there do not care for that level of security.

Most of my friends who use Mac OS X, leave their passwords blank. They see the password protection as an extra chore, and do not really care.

The majority of security in this world, and I'm talking in physical terms here also, is based on ignorance.

I remember I once left the front door to my house for an entire day unlocked (the door was closed however) by accident. My house is in a very large city. Was it robbed? No. Because nobody knew the door was unlocked.

Another incident was when I picked up an old Power Macintosh 6100 that was dumped on the street. I took it home and booted it up, it worked fine. I also found all the financial records of the former owner left on the HD. The idiot didn't even bother to wipe the hard drive.

The same goes for computer security, only those who feel that they have an absolute need to secure their data are most likely reading this thread. The majority of people don't. They feel the most basic security is good enough for them.

Locking the door to your house does not prevent someone from breaking in, it just makes it a little harder to do the job. But the reality is, if someone wants to do it, they will find a way to do it.

I find the kind of security mentioned in here is only useful to those in business, or network administration (for securing workstations). It certainly doesn't apply to consumers.

Apple provides the Open Firmware Password Application on the Panther Installer Boot CD, you can boot from the CD and open the Open Firmware Password Application to set a password to prevent booting from CDs, Firewire Target Disk Mode, and Single User Mode - similar to a BIOS password on startup.

It doesn't take a minute to setup, it is vunerable just like the BIOS password to being reset (you can reset the BIOS password on a PC by changing the CMOS jumper on the motherboard).

Ultimately, if you're totally paranoid about your data, then you should really follow these rules, on any computer system:

1) Secure Physical Access to your computer! The bare minimum you can do, is put your laptop into a combination lock briefcase - this is how businessmen secured their work back in the days of good old fashioned pen and paper.

2) Encrypt all sensitive data, if you can't guarantee physical security, this is the only answer. And if possible don't even keep it on your laptop at all, encrypt it on some removable storage that you can keep secure (e.g. put in a safe).

The reality is the majority of standard computers users not only don't need this level of security, but more to the point don't care for it - or the hassle associated with it. You won't believe how many people I know who avoid using passwords because they know they will forget them.

Large corporations and IT departments should already have been trained to find out what security measures they need to take - they do not need Apple to tell them this or how to implement this (Open Firmware is well documented in the Apple Knowledge Base, which would be the first place any good Mac based IT technician would start reading).