Laptop Security

alex.costa's picture

For some reason I couldn't post a comment on Kevin's post about Backing UP, so I decided to start a new topic, which in a sense has its own right. This last week I was setting up an IMAP account on a Mac and got to the point of installing an SSL Certificate and it asked me for the Power User password, well the user didn't have any password set up. I still cannot believe what I saw. I still hope I'm wrong in my judgment but how come a Power User is not obliged to have a password? I mentioned to the owner that at any airport wireless connection his computer was running a great risk of being hacked.

Anyway, that was just a teaser for my brain as I started to think about an issue with laptops, and the post from Kevin just added to it. I fully agree with the issue of encrypting sensitive data but there's a lot more to it. For example, weak passwords or none at all on the laptop accounts, saved passwords in browsers, the famous Mac keychain. I'm not having a go at Macs or their users, but I hardly find a Mac user who remembers their passwords well, they are normally stored and automatically come up on sign-ups for everything, I get quite worried when I see that. I run Linux on my laptop and home PC, at home I use sudo without password for my user (although my user has its own secure password) but I've banned sudo from my laptop as it is another possible security flaw. There are so many security issues that we could start a discussion for each single one: passwords, backups, email, encryption, firewall, IM, phishing, blogs, etc.

What I'm trying to say is that we need to instruct our people about securing their data, their user accounts, and more important teach them to think and act secure with their laptops. A good example of not acting secure is the way that some of us in the organization behave while traveling. We expose our laptops, use them in public places, wear distinctive laptop bags, some people have even left their laptops charging at Internet cafes while they went for a coffee just because the owner seemed nice.

Someone also mentioned something really important in a comment on Kevin's post, "only store on your laptop the data that you really need". A laptop is a way in to many systems, I would get really worried if someone at my base had a laptop stolen. As I always tell people, the weakest link in the chain of security is the human element, machines do as they are told.

Comments

neo's picture

passwords on a mac

Hi.
I'm not a Mac power user by any means. But from what I understand when setting up a Mac it's asking for a password. I'm not sure whether it's possible to leave that empty or not. But on the other hand on Linux it's possible to leave the password empty for the root user. THE one user who can do anything....

Anyways, if you have a password on a Mac it's just like leaving it empty (well, almost) since with a Mac user account, when you do something that needs administrative rights, you just type in your password again and all is fine. Just like "sudo". I never tried it on a console though.
By default, if you only have one user set up, the computer always boots without asking for a password, whether you have one or not. So, watching someone (airport etc) who is not typing in a password doesn't say anything. You can change that though, as far as I know.
When you try to connect to a Mac via a network it's always asking for a user name and password, no matter if that's empty or not. Obviously if you try to hack into a Mac you can try leaving the password blank.

So, it's not that Macs are open to anyone by default. An open share on MS is more likely open to anyone and easy to find. And even if you have not set up a share on Windows, there are backdoors which I haven't yet figured out how to get rid of. You can access any drive on Windows with $[letter_of_the_drive], like $C. I know that I can get rid of the share but after reboot it's there again....

After all, I just can agree that we need to instruct ppl about security, using strong passwords, not carrying with them (files, backup devices, etc) what is not needed and it seems that encryption becomes more and more necessary for many ppl. Especially for those who have to carry around sensitive data. No matter if that is personal or office data since personal data can as well reveal a lot of names.

Greetings from the MatriX,
neo
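The two account weaknesses raised in the posts above (an account whose password is empty, and sudo that never asks for one) can be checked for on a Linux machine. The following is an added example, not part of any poster's message; the sample file contents are constructed, and on a real system the inputs would be `/etc/shadow` and `/etc/sudoers` read as root.

```python
import re

# Constructed sample data for illustration (not taken from any real machine).
SAMPLE_SHADOW = """\
root::19000:0:99999:7:::
alex:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest:!:19000:0:99999:7:::
"""

SAMPLE_SUDOERS = """\
# constructed sudoers fragment
Defaults env_reset
root ALL=(ALL:ALL) ALL
alex ALL=(ALL) \\
    NOPASSWD: ALL
%admin ALL=(ALL) ALL
"""

def empty_password_accounts(shadow_text):
    """Return accounts whose shadow password field is empty.
    '*' and '!' mean password login is disabled, which is not the same thing.
    Whether an empty field really allows login also depends on PAM (nullok)."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            found.append(fields[0])
    return found

def nopasswd_rules(sudoers_text):
    """Return (who, rule) for rules that let sudo run without a password.
    Files pulled in via #include / #includedir are not followed here."""
    text = sudoers_text.replace("\\\n", " ")  # join continued lines
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            if "!authenticate" in line:  # disables password prompts
                found.append(("Defaults", line))
            continue
        if re.search(r"\bNOPASSWD\s*:", line):
            found.append((line.split()[0], line))
    return found

if __name__ == "__main__":
    print("empty passwords:", empty_password_accounts(SAMPLE_SHADOW))
    print("passwordless sudo:", [who for who, _ in nopasswd_rules(SAMPLE_SUDOERS)])
```
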

alex.costa's picture

I agree

Thanks for your comment. I do agree that for the OS security, Windows is a bigger target and known to be less secure and users know that. Windows is always a concern, so that's part of life for me, but the not so secure behavior I've seen in some "new migrants" to Mac nation has worried me. I'm tempted to run some security tests on our network, AKA friendly hacking.

R.Blevins's picture

No password?

When you say "Power User" do you mean the Admin account? It's hard for me to believe that when running through the setup process that the user would have been allowed to leave the password field blank. Macs are usually pretty secure from outside attacks, but if there's no password set, then it's really a cinch to get in.

Since it's been a long time since I set up a new Mac, I just went through the motions of setting up a new (administrator) account. You can indeed leave the password field blank, but when you click OK, you will hear an error sound and get the following error message:

You did not enter a password for this user. Are you sure you want to do this?
Because you have not entered a password for this user account, anyone can log in to your computer. To enter a password, type it in the Password and Verify text boxes.

If you hit enter, the default is cancel, but if you click okay, it will let you create an admin account with no password. This seems like a bad oversight on Apple's part, but at least it reminds you to enter a password. Mind you, on a Mac you have to enable root before you can even use it and set a password for it so that's pretty secure and things like (Windows) file sharing, ssh, and web server are all disabled by default.

I just read through an article on Apple's website about Windows file sharing and I'm relieved to see that you are required to provide a password before you can even activate Windows file sharing for the first time.

Here is another good article about Choosing good passwords in Mac OS X, although I can't imagine why they wouldn't work for other OSes as well.

I recently saw another article about the dangers of using open wireless networks that I'll have to track down.

KevinColyer's picture

Just what is sensitive?

Nice to be quoted by you Alex!

I have been pondering just what we ought to consider as sensitive information...

If we take as a starting point that we have two categories:

1. Personal information (That is information that belongs to us only)
2. YWAM information (Information that belongs to YWAM only)

What sensitive information falls into the second category? What should we be concerned that our colleagues should keep secure?

OK. Here is a start.
1. Bank accounts and passwords
2. Passwords to YWAM websites
3. Confidential information about members of YWAM (Beliefs, Health etc)

Over to you!

neo's picture

sensitive data

I take over ;) In addition to Kevin's list....

1. Bank accounts and passwords
2. Passwords to YWAM websites [not only YWAM Websites, since many ppl are just using one password for everything like Personal / YWAM Website, MySpace, FaceBook, Blog, Forum, Second Life, etc. - even the same password as the login for the computer itself....]
3. Confidential information about members of YWAM (Beliefs, Health etc) [YWAM and other organisations and churches we partner with]
4. Reports about meetings (potential to reveal Names, Locations, Contact Details, Future Plans, etc.)
5. Projects / Outreach Plans (General Information)
6. Project Partner / Outreach Partner (Names, Locations, Contact Details, etc.)
7. Email communication (reveals Names, Email Addresses, Information, etc.) & user names / passwords for email accounts
8. Address Book(s) for obvious reasons
9. Email Attachments
10. Browser Bookmarks can reveal interesting information as well as the Browsers History. Remember, Google, MS and others claim that they can find out if a person is male or female, age, hobbies, approx wages and other information just by logging the browsing habits.
11. Pictures can reveal a great deal. We just had that at the UofN conferences. There was a person present whose image should not be published on websites or whatever other publications. It got specifically announced....

Some things are more sensitive than others and some are easier protected than others. But most of it fits in both categories Kevin mentioned and for many things it's even hard to put them 100% into only one category. Many of our co-workers are also our friends. Means we communicate with them on a personal as well as business basis. Then, of course, we have our family and supporters we communicate with. And how easy can slip a little piece of information in there that might reveal something that just helps for someone to get a bigger picture....
Maybe, besides the 2 categories (personal and YWAM), we also need to think about different levels of information / sensitivity / security and how this is best protected. Because in that case that a computer gets confiscated we obviously need to reveal some sort of information so that other stuff can be hidden and no one will suspect that there is more "interesting" stuff to find on that machine.

Over to the next person to add to the list.... ;)

Greetings from the MatriX,
neo

R.Blevins's picture

Hmmm....

Well, in reading your list, I can't help but wonder if this is a little too paranoid for most users.

Okay, if you're working in closed or half-closed countries, then no, it's not paranoid, but when I think about the base here, of all 90 staff members only about 3 or 4 people really need to worry about points 5, 6, 10 and 11. Let's keep in mind that we're all above-average computer users here, but the majority of people on our bases or locations are not. I can only picture the kind of mayhem I would create amongst some of the more "timid" computer users at my base (you know the kind who have just gotten over their fear of using a computer) and even amongst some of the less "timid" users if I brought them a list like this one above.

So, all I'm saying is this: it's good to discuss these things in detail here, but let's be careful how we communicate it with the average users on our base.

neo's picture

paranoid or realistic?

Hi.
So, what am I, paranoid or realistic? Probably something in between, a paranoid realist, haha ;)
But yes, you are right. We are above average computer users with probably above average knowledge. But that doesn't really help in any way to have someone like us on base if we don't act. It's more like that, we have more responsibility to teach and train those who might need to know because of their travelling destinations or whatever other reason. Because someone's computer skills are close to zero doesn't help when the computer got stolen or confiscated with a ton of "hot" information on it. At the end of the day the thief/investigator is not trying to hack the computer with the skill of the owner....
Well, besides the fact that there is no need to hack a computer anyway. HD in external case, connect to other computer, no password required, fire. If there is no encrypted drive or HD password then all the data is right there.

A few months ago we had an incident in a Muslim country, very unfortunate and very unexpected. But through this the police got a booklet with information about our base, pictures, names, phone numbers, locations, etc. Luckily this country is not totally anti Christian. At the end it had no consequences for our ongoing work but it could have very well happened in another country. The thing is that security is a pain. It's work, it requires learning, it probably takes a bit more time for certain tasks, it might even slow down a whole process, etc. But honestly I don't want to wait until something happens. We use this technology, we have to deal with it. With every aspect.
The more I think about it the more comes to my mind how much "interesting" information is on my laptop. I don't want to think about how much more is on the laptops of leaders around me. I don't want to be the moral apostle here but I think that a car needs brakes. And the faster the car can go and/or the heavier the car is the better the brakes need to be. And when I'm not able to maintain them then I need to give my car into the hands of someone who can do that for me. There are just some things we can't ignore. Whether we are in a half-/closed country or not. One day we might travel/teach there or we might send a (school) team there.

However, I agree with you that we need to be careful how to communicate with others. Also, it's good that we discuss it here in detail, not in staff meetings or around lunch tables. But sometimes I think we can not be paranoid enough. I heard once of a YWAM team that is operating in a closed country. They invited people on a website to come and visit them because there is a great outreach opportunity.
Another example, someone in Australia got a visa denied just because of what was written on this person's website. Just by describing, in christianese, the general everyday work. Nothing about "spiritual warfare" or anything else that could have been an obvious fret. The Christian terms simply didn't fit the non-Christian / government categories. It was obviously misinterpreted but still now 6 months later this person (from the US!!) has trouble getting a visa for Australia because of this.
So, where does security start? Where does it end? But again, I don't want to be the moral apostle and I want to quote myself here:

Some things are more sensitive than others and some are easier protected than others.
...
Maybe ... we also need to think about different levels of information / sensitivity / security and how this is best protected.

Not everything applies to everyone. But if we never discuss the things we never do something about it. So, don't look at me as an over-paranoid person. I just want to dig deeper before something happens. I want to know that the brakes are working before I go full speed on a race track.
Even if I still can count my years in YWAM with one hand I have seen and heard enough to fill a book with. It's not my intention to write up a list with 100 action points that everyone has to go through, no matter what. But I think we need to be careful not to be too sluggish or over-reacting towards one of the extremes. That is not protected at all and care- and clueless or wanna-be-250%-over-protected and totally paranoid. But in discussing this topic we will hit both ends. The worst-case-scenario and the 100% total locked down solution.

Greetings from the MatriX,
neo