Security: Plan in advance for loss of your computers

An article on computer security has been on my list for a long time. Now, though, I can write with feeling. Earlier this month I was the victim of crime when my computer bag containing a MacBook Air and iPad was stolen. In the two hours between theft and recovery by the police (in a remarkable tale involving Find My Mac), I had plenty of time to think about disaster recovery.

I was mentally ticking off all the precautions I had taken—backups, iCloud, Dropbox, File Vault 2, logon passwords—but worrying about any loopholes I’d left. I was convinced my computers were lost, but what about the data?

This is therefore the perfect time to review the preparations I had already made for such an eventuality and to look at what more I could have done. First, the weakest link.

Common sense: Take care of your belongings

Here I failed miserably. I put a bag containing a computer and tablet on a chair beside me in a restaurant. Ok, it’s a reasonable assumption that it is nearby, indeed within sight, and safe. But I was wrong. Modern sneak thieves can have your stuff away without your noticing it. As I discovered to my cost.

My first resolution, then, is never to leave my bag without attaching it to something solid or to myself. Slip the strap under a table or chair leg, or even put it round your own leg, so the thief’s task is that much more difficult.

My second precaution is to carry my Tom Bihn Ristretto more securely. I have the bad habit of slinging it over my right shoulder and letting it dangle down on the same side. This is an invitation to bag snatchers. Instead, I have to get used to the idea of slinging it over the left shoulder with the bag resting on my right hip. This way there would be an almighty tussle if anyone wants the bag. Of course, I could lose my head as well, but that’s another matter.

Preparing for the worst

I always knew that loss of one or other of my devices was a distinct possibility, although I did not anticipate losing two at the same time. This is beyond carelessness. However, with the possibility of loss in mind, I had taken a number of precautions, all of which I would recommend to you.

Log-on passwords

This is a no-brainer, but it’s surprising how many people leave their devices completely unprotected. Admittedly, if you are in a hurry it’s a pain to keep on entering numbers or passwords, but it is a small price to pay for peace of mind. Once you get accustomed to entering a password it becomes second nature and is no longer a chore. Remember, even your iPhone contains so much personal information that a thief could soon have everything he needs for identity theft. If you are particularly careless, he could have immediate access to your bank account, especially if you had a few debit and credit cards in the same bag.

So turn on Passcode Lock on both iPhone and iPad. By default this is a four-figure code, although such codes are relatively easily broken. This doesn’t really matter: It is a first-stage bolt on the door. If you are particularly paranoid (as I am) turn off Simple Password (four digits) and instead enter six digits. This makes hacking that much more difficult yet is hardly more onerous to enter than the standard, simple four-digit code.

An obvious point: Don’t use a passcode beginning with 19 or 20. Most people tend to use a date, possibly a date of birth or a friend’s birth date. If you were born in 1972 and the thief notes your approximate age, there’s a good chance the passcode could be cracked by trying 1968 through to 1978. It is therefore better to choose a number starting with 0 or 3-9.

Choose a time after which the phone or iPad will lock. As you see in the screenshot on the left, mine is set to lock after one minute of inactivity. Also, turn on the Erase Data button. This ensures that if more than ten attempts are made to break the passcode the device will simply erase all its data. 

For the moment I have Siri set to off. This doesn’t mean that Siri doesn’t work; it is simply a block to prevent Siri being used before the passcode has been entered. You may prefer to leave Siri enabled, but there is a slight danger that your protection could be compromised.

In practice, most sneak thieves are not really interested in your data. All they care about is turning the phone into cash as soon as possible. So, almost invariably, the phone will be reset and all data erased. Imagine, though, if you do not use a logon password. Then, even the least inquisitive robber will be tempted to see if there is anything useful on the phone. There will be, believe me.

On the Mac, a compulsory logon password is also essential (See System Preferences/Security & Privacy). It should be requested when starting the computer and on waking from sleep. By setting an acceptable interval for sleep, you can thus ensure that your computer secures itself automatically whenever you stop using it. I would recommend this for iMacs, Minis and Mac Pros, which can also be stolen in burglaries, as much as for the more vulnerable out-and-about laptops.

Encryption

Macs and OS X

For most users, encryption of data is considered to be a step too far. It used to be complicated and expensive and consequently was seldom entertained. This is a pity, because encryption is a very effective means of ensuring that the information on your disk is secure. Even if your Mac is protected by a log-on password, an unencrypted disk can be removed from the computer and viewed on another device.

Fortunately, Apple has made encryption childishly easy with File Vault 2 in Lion. There is absolutely no excuse not to use it despite certain scare stories. I have had it switched on for months and have not encountered a single problem; nor have I noticed any deterioration in performance. It simply works in the background and, after a time, you completely forget that the disk is encrypted. But if you switch off your Mac the hard disk or SSD is fully protected and will resist all but the most determined hackers. See this Macworld guide to using FileVault 2 in Lion. Don’t think of FileVault 2 as being merely for the more vulnerable laptop; use it also on your home-based computers to reduce the risk in the event of burglary.

While on this subject, there is a slim chance that an encrypted disk in a computer left in sleep mode could be compromised.  But if the computer is switched off your account is closed and any hibernation files deleted. The disk is thus completely unapproachable. I suggest, therefore, that you switch off your MacBook when travelling rather than simply closing the lid and putting it to sleep.

iOS

Attempting to encrypt the data on an iPhone or iPad is, apparently, possible but not straightforward, as explained in this article. Nonetheless, it is not something you need worry about. As I have already stressed, most thieves will take the easy option of resetting a device. Even a brute-force attack on the password will fail if you have set the phone to erase its data after ten attempts (see above). Furthermore, if you are using Find My iPhone you have a quick solution at your disposal: send a remote wipe command.

Backup

It is one thing to prevent a thief accessing your data, but how do you get yourself back in action in the minimum time and without any loss of data or functionality? It’s not just data, it’s all those passwords and settings that you need to remember. The answer is a backup, or as many backups as you can manage. Only the foolhardy individual ventures forth with a device that is not backed up at home or in the cloud.

iOS devices

Time was, before iOS 5, when regular synchronisation with iTunes was essential to ensure all your applications and data were backed up. Very few people stuck to a reliable schedule, though, and I have seen many instances of lost or crashed phones where there was no recent backup. Result, misery.

This is no longer a problem because iCloud does it for you. That is, if you have it enabled. I now see no point in using iTunes and I have my iPhone and iPad set to back up automatically to iCloud. Lose your device and you can clone a new one from iCloud within minutes. There is another good reason for using iCloud and that is the Find My Mac/iPhone/iPad application. Lose a phone or a 3G iPad (with working SIM) and you will be able to locate it immediately from another device or, even, from a public computer at an internet cafe. I am living proof that this really does work.

Macs

You do use Time Machine, don’t you? Apple’s built-in sequential backup system works automatically and reliably. It should be regarded as the bare minimum protection for your data. Time Machine is particularly useful for recovering individual files you have erased. You can fly back to see the contents of a folder at any time in the past.

In addition, though, I would recommend a second external hard disk for regular backups. This gives you a degree of belt-and-braces protection in the unfortunate event of failure (or loss) of your computer and simultaneous failure of one of the external drives.

Regular scheduled backups can be performed easily using either SuperDuper! or Carbon Copy Cloner. The latter, which is free (with a small donation if you wish) is probably the best choice if you want an instant, easy solution.

Your data is important and you never realise just how important until it is lost. But no matter how many backup disks you maintain, you will not have ultimate protection until one of them is kept in a separate location. You can hide disks around the house to help protect against burglary, but you cannot protect easily against a disaster such as fire. One simple solution for off-site backup is to keep an up-to-date disk in the car. With a bit of planning, it’s easy to collect it, update the contents and stick it back in the vehicle. You would be doubly unfortunate to lose your house and the car at the same time.

Ah, you will say, what happens if my car gets stolen and someone connects my backup disk to a computer? Will they have all my data? The simple answer is yes. But then I would never recommend putting all your data on any external drive without some protection.

It is very simple to use encryption with any disk. Just set up an encrypted sparsebundle which is then seen as a separate disk within a disk. The good thing, though, is that you can set it to require a password for access. Do this by using the Mac’s Disk Utility or, to make things easy, buy a little application such as Knox (now part of the 1Password empire) to do it for you.
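The same encrypted sparsebundle can be built from Terminal with hdiutil, the command-line counterpart to Disk Utility. This is an added example, not part of the original article; the function name, the disk name CarBackup, the size and the volume name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Creates an AES-256 encrypted
# sparsebundle with hdiutil and confirms the result is really encrypted.

# Overridable so the checks can be exercised on a machine without hdiutil.
HDIUTIL=${HDIUTIL:-hdiutil}

# Usage: make_encrypted_bundle <path ending .sparsebundle> <size> <volume name>
# Exit codes: 0 ok, 1 hdiutil failed, 2 bad argument, 3 image already exists,
#             4 image was created but is not encrypted.
make_encrypted_bundle() {
    if [ "$#" -ne 3 ]; then
        echo "usage: make_encrypted_bundle <image> <size> <volname>" >&2
        return 2
    fi
    image=$1 size=$2 volname=$3

    case $image in
        *.sparsebundle) ;;
        *) echo "image path must end in .sparsebundle" >&2; return 2 ;;
    esac

    # Size must be digits followed by m, g or t (for example 500m, 50g, 1t).
    num=${size%[mgt]}
    case $num in
        "$size"|''|*[!0-9]*)
            echo "size must look like 500m, 50g or 1t" >&2; return 2 ;;
    esac

    # Never overwrite an existing backup image.
    if [ -e "$image" ]; then
        echo "refusing to overwrite $image" >&2
        return 3
    fi

    # No passphrase option is passed, so hdiutil asks for the password
    # itself and it never appears in the argument list or shell history.
    "$HDIUTIL" create -type SPARSEBUNDLE -fs HFS+J -encryption AES-256 \
        -size "$size" -volname "$volname" "$image" || return 1

    # Do not trust the flags alone: ask hdiutil whether the image on disk
    # is encrypted before any data is copied into it.
    if "$HDIUTIL" isencrypted "$image" 2>&1 | grep -q '^encrypted: YES'; then
        echo "encrypted image ready: $image"
    else
        echo "image at $image is NOT encrypted; delete it and retry" >&2
        return 4
    fi
}

# Example call (path, size and name are assumptions for a disk named CarBackup):
#   make_encrypted_bundle /Volumes/CarBackup/Vault.sparsebundle 50g Vault
```

Opening the finished image, by double-click or with `hdiutil attach`, asks for the password before the volume mounts.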

Some external disks, including the ubiquitous Western Digital units found in most Apple Stores, include an in-built proprietary disk-encryption system. Nevertheless, I don’t use these systems and prefer to control my own destiny with Knox or Disk Utility.

Finally, just remember that you can never have enough backups.

Cloud backup services

Managing your own backups should be a part of daily computing life. Increasingly, though, we are relying on cloud backups, particularly for mission-critical data. Apple’s iCloud offers seamless behind-the-scenes synchronisation of your basic PIM (Personal Information Manager) data between Macs and iOS devices. This system has been working well for many years. Even under the much-maligned MobileMe I had few issues.

Your contacts and address book, your calendar data and your Safari bookmarks can be synced easily and, more to the point, can be restored to any device provided you have your Apple ID. Other data, such as photographs and iWork iOS datafiles, are also handled by iCloud. This repertoire will be extended with the introduction of the new Mountain Lion operating system in the summer. iCloud is an absolute essential if you are passionate about data portability and data protection.

There are many cloud systems to back up your entire disk and keep the data up to date (See this list). In effect, they take over from your physical external disks. However, I wouldn’t rely on them to the exclusion of local physical backup. They also have downsides. The services are relatively expensive and the initial upload can take several weeks (yes, weeks) unless you have a very fast broadband service.

Upload speeds are always a fraction of the download speeds you see advertised. In my case I currently enjoy 50 Mbs download but only 4.75 Mbs upload. If you are on a 10Mb package your upload speed could well be under 1 Mbs.

I did try several full backup systems two years ago and encountered reliability issues. More than once I had to completely erase the backup and suffer another weeks-long upload. As a result, I reluctantly decided not to use such services. Your experiences could be more positive, especially now that broadband speeds have soared, and it might be worth giving it a try.

If you want to cloud-protect your most sensitive data and have full control over the file structure, as with any external disk, then I would unreservedly recommend Dropbox. Everyone should have a Dropbox account, no matter which computing platform they favour. A free account gives you 2 GB of storage and it is amazing how much of your vital data you can squeeze into this. Obviously large media files are out, but then they are probably better backed up locally because of the speed issue and because they change less often.

Dropbox, unlike most other cloud backup solutions, sits on your hard drive as a folder, just like any other. You can drag and drop files, add more sub-folders and generally treat it as you would your Documents folder. In fact, I keep Dropbox on the desktop and it has completely replaced my Documents folder. I am never aware of any bandwidth issues, nor any apparent delays. Dropbox just gets on with its job in the background. 

I pay $19.99 a month for 100 GB of storage and I find this meets all my requirements except for archive photographs and media (which I keep on an external Drobo drive array). All my Mac applications are instructed to save to sub-folders within the Dropbox folder. Even those applications which insist on saving to specific locations (often in the Library) can be spoofed into using Dropbox by means of a symbolic link. See my earlier guide to doing this.

Apart from security, the advantage of this approach is that all my data, including my current Aperture photographic library, are available on both my iMac at home and on my MacBook Air when I am on the road. Dropbox applications for iOS ensure that you can also access your data from your iPhone or iPad.  Bear in mind, though, that not all your Mac-created data files can be opened under iOS.

Furthermore, if you are out and about and your MacBook or any other device is stolen, you can still open Dropbox on any computer (even in an internet cafe, subject to the usual security provisos) and get at your data. Gradually you come to a realisation that the laptop or iPad is just a tool, a window on your data, and not a sacred repository for information. Increasingly, the important stuff is up there in the cloud. 

Just a word of warning. With Dropbox, all connected computers are potentially saving to the same data files. You just need to understand the mechanics and take common-sense precautions. Dropbox will record the last file saved. If you are working on a Numbers spreadsheet and open it on two Macs at the same time there is potential for confusion. Just make sure you save and exit before moving to another computer. Fortunately, if you get a snafu you can visit your Dropbox web site and recover deleted files, much the same as you can with Time Machine.

Incidentally, I have read that iCloud overcomes such limitations in that the system will detect the latest version even if you have two copies of the file open on different platforms. This is all linked in with the new automatic save feature incorporated into Lion. I haven’t tried this for myself but will do so when iCloud document synchronisation is extended to the Mac in the summer.

Passwords

You can protect your devices from illegal entry, but what if someone does get in and is able to see all your data? Bad news, of course, but less so if you are scrupulous in not storing über-sensitive information in clear. How many people do you know who keep a simple text file of passwords, bank details and other reminders?

This is where 1Password comes in. The idea behind this brilliant application is that the fully-encrypted 1Password file contains all your sensitive information in one place. You need just one master password to unlock everything else.

This should be a medium to high security password, such as a passphrase using the initial letters of a favourite quotation (2bont2b,TitQ, according to Hamlet, but that is probably too obvious).

By the nature of this master password, it must be something you can memorise. But never use your master password anywhere else, least of all for registering your details on a web site. Any password you use on the web can be compromised and this could enable a hacker to break into your 1Password database by trial and error. So make it unique and guard it carefully.

1Password is the final bastion with its encrypted data file. Even if your Mac disk is encrypted using FileVault 2, even if some determined hacker breaks into FileVault, 1Password provides yet another level of security for the most sensitive information.

Since 1Password can automatically complete web log-on forms, even credit card information, from its stored data (released by your master password, of course), you can readily create complicated, non-rememberable passwords for all the sites you visit. 1Password will do this for you and will automatically keep a record of the resulting gibberish for future use.

1Password is available for iOS and Mac and the good news is that the data file, fully encrypted, can be stored on Dropbox so that the same information is available on all your devices. Change a password on your iPad and it is available within minutes on your Mac. There is also a useful facility to replace the standard OS X keychain with the 1Password keychain. Using Dropbox or another cloud service for such a vital information store is mandatory, in my view. This is definitely something I would recommend; I have been using it for years with absolutely no issues.

On the Mac, go to System Preferences/iCloud and ensure that Find My Mac is ticked. If you cannot enable it, see my suggestions in the article.

iCloud and Find My Mac/iPhone/iPad

We have mentioned iCloud in relation to its backup and synchronisation facilities. But the Find My Mac/iPhone/iPad location service is magic. I know, having been one of the few tech journalists to experience it firsthand when my MacBook Air and iPad were stolen this month. And I doubt anyone else has had experience in such dramatic circumstances, in the midst of a riot in Athens.

iCloud’s Find My Mac should be enabled on all your devices. Check on any device, or via the iCloud web page, and you should be able to see the location of all your Apple gear.

Note that some Macs report an error when trying to turn on Find My Mac. You might see a reference to “recovery partition required”. I wrote about a possible solution some months ago.

It is important to remember that iPhones and iPads equipped with a working 3G SIM card will be visible immediately when you open FMM on another device. A computer or non-3G iPad will be located if it is connected to the internet via wifi or ethernet cable, but the position on the map could be less accurate.

Go to your iCloud web page and you can check the status and location of all your devices. You can also perform the same trick from your iPad or iPhone.

When there is no SIM card present, a location can be determined only once the device is re-connected to the internet. So if you lose your MacBook Air it is dumb to the world until the thief connects to the internet. Phones and 3G iPads can be found immediately and tracked. As was the case in Athens, my 3G iPad, bless its little Smartcover, protected the dumb-for-the-moment MacBook Air and enabled recovery of both devices and the bag.

For this reason, I think it is always worth spending the extra $100 for a GPS-equipped 3G iPad and taking out a cheap monthly data plan. Regard it as a form of insurance and you will also appreciate the extra facilities and freedom from always having to find a wifi connection.

If the next revision of the MacBook Air were to include a SIM-card slot I would certainly take out a cheap contract simply because of the benefits of being able to determine location before it is too late. 

With all devices, including the Mac, you have the opportunity to wipe the data remotely via iCloud. As soon as you are sure your device is gone, and not just hidden under a sofa cushion, I would recommend wiping the device. This will happen immediately if an iPad or iPhone is connected to the internet via 3G. With a non-3G device or a Mac, the wiping will occur next time someone connects it to the internet.

Even if you are lucky enough to find the computer, nothing is lost by wiping the data as a precaution if there is any uncertainty. You can restore a Mac easily from one of your many backups. Your replacement iOS devices will simply resurrect themselves via iCloud. Even after three days.

It’s worth noting that, in my Athens drama, I delayed wiping the data until I was absolutely certain the police could not find the stuff. I was within five minutes or so of pressing the button when they recovered the bag. It was a calculated risk, but one I felt was worth taking.

You are so calm

When my bag was stolen I did have a quick panic. Who wouldn’t? But I soon recovered my inner calm because I knew I had done all I could to protect my data and prepare for recovery. The police told me I was super relaxed for someone who had just had $3,000-worth of stuff stolen. They must be used to dealing with gibbering wrecks.

No one wants this, but when it does happen you need to pause and make a mental checklist. The first thing I was sure about was that I had insurance. There is a $300 excess, the first amount of any claim that must be paid, and this was the extent of my potential financial loss.

I was also confident that my pre-theft preparations had reduced the risk of data theft to almost negligible proportions. My biggest annoyance, undoubtedly, was the fear that I would have to buy a new iPad and MacBook Air at a time when updated versions are rumoured to be in the offing. That would have been painful.

Overall, though, things could have been worse. I was just lucky to get everything back, but I know deep down that I will not be so lucky next time.

Ten-point security checklist

Here are the things you can do to reduce the possibility of theft and to mitigate the effects if you do lose a device.

  1. Physical security: Take better care of your belongings and don’t leave them unattended. Secure the strap.
  2. Insurance: Add your devices to your household insurance for “anywhere” risk; take out travel insurance.
  3. Serial Numbers: Keep a record of serial numbers and list them on a note system that is synchronised among all your devices (I keep mine in Address Book).
  4. Logon Passwords: Set a six-digit unlock code on iOS devices and a logon password on your Mac.
  5. Encryption: Use FileVault 2 on your portable Macs (or on any Mac, for that matter).
  6. Backups: Switch on iCloud on all your devices and ensure that you use Time Machine and at least one other external drive to back up your Mac. Try to keep one drive in another location.
  7. Cloud Backups: Use iCloud and take out (at least) a free 2GB Dropbox account.
  8. Passwords: Use 1Password to store all your passwords securely.
  9. iPad: Spend the extra $100 for a 3G model and take out a cheap monthly data plan. Think of it as insurance. That way you can track an iPad as soon as you notice it is missing.
  10. Save My Ass: Ensure you have enabled Find My Mac/iPad/iPhone on all your devices even if they never leave the house.