Secure your macOS and iOS


iOS

Prevent the brute force

Let’s start with iOS.

First, we need to understand what kind of backdoor the FBI is making Apple implement. They’re not asking for encryption keys (for now); they want to bypass some of the security functions that prevent brute force attacks on iPhones. When you type in the wrong passcode several times in a row, there is a cool down period during which you can’t unlock the phone, even with your fingerprint (1 minute, 5 minutes, etc.).

The FBI is asking Apple to build a version of iOS without this cool down period. They are also asking for a way to type the password programmatically by hooking up the iPhone to a machine running brute force software. After this, your 4 digit passcode (or even the 6 digit one used in recent versions of iOS) could be cracked on modern hardware in a matter of a few instants. Imagine the consequences if this version of iOS is somehow leaked into the wild: the FBI will not be the only one using it.

Watch this video to better understand the FBI’s demands: https://www.youtube.com/watch?v=YG0bUmuj4tg&feature=youtu.be&t=5356

But the solution to brute force attacks is pretty straightforward. The problem here is that only digits are used (from 0 to 9, 4 or 6 times), which makes it VERY easy to iterate through every combination without the cool down period and find the correct passcode. To counter brute force attacks we need to use alphanumeric passcodes.

To enable it go into Settings, then Touch ID and Passcode:

It’s still the same settings category if your device doesn’t have Touch ID

Then tap Change Passcode:

Require passcode option should always remain on “Immediately”

Tap on Passcode Options:

And choose Custom Alphanumeric Passcode:

A good recipe for a strong Alphanumeric Passcode in my opinion is 1 Capital letter, 2 digits (minimum), at least one special character, and the length should be minimum 8 characters, something like this for example: Crazyhorse!1991

I understand that typing this every time you want to unlock your phone could get annoying pretty fast, but if you have Touch ID on your device, this shouldn’t be an issue.
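To put numbers on the difference between digit-only and alphanumeric passcodes, and to check a candidate against the recipe above, here is an added example (not part of the original post). The guess rate, the 94-character printable ASCII alphabet and all function names are assumptions made for illustration.

```python
import string

# Assumption for illustration only: attempts per second once the cool-down
# is removed. The post gives no figure; change it to model other hardware.
GUESSES_PER_SECOND = 1000
SPECIALS = set(string.punctuation)             # 32 printable ASCII symbols
ALPHABET_SIZE = 26 + 26 + 10 + len(SPECIALS)   # 94 printable ASCII characters


def keyspace(alphabet_size, length):
    """Number of candidates that must be tried in the worst case."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Time to try every candidate at a fixed guess rate."""
    return keyspace(alphabet_size, length) / rate


def recipe_failures(passcode):
    """Rules from the post's recipe that the passcode does not meet.

    Composition only: this does not judge how guessable the words are."""
    failures = []
    if len(passcode) < 8:
        failures.append("length below 8")
    if not any(c.isupper() for c in passcode):
        failures.append("no capital letter")
    if sum(c.isdigit() for c in passcode) < 2:
        failures.append("fewer than 2 digits")
    if not any(c in SPECIALS for c in passcode):
        failures.append("no special character")
    return failures


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    rows = (("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
            ("8-char alphanumeric", ALPHABET_SIZE, 8))
    for label, size, length in rows:
        print(f"{label:20} {keyspace(size, length):>22,} candidates, "
              f"worst case {human(worst_case_seconds(size, length))}")
    for candidate in ("1234", "crazyhorse", "Crazyhorse!1991"):
        print(candidate, "->", recipe_failures(candidate) or "meets the recipe")
```
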

Another good security measure would be to enable the “Erase Data” option in the “Touch ID and Passcode” settings. After 10 failed attempts all data on the phone will be erased forever. A little radical, but better than letting someone else obtain your personal data.


OS X

Enable the FileVault

So the first reflex on OS X is to enable FileVault, of course. Some people claim that startup times go up after you enable it. Not true, especially not on modern hardware with hardware accelerated encryption on Intel CPUs and modern SSDs; on older hardware the difference is negligible (if any).

Go to System Preferences, Security and Privacy, FileVault tab. Unlock the settings by clicking on the little lock on the bottom-left side of the window and entering your admin password (which should also comply with the recipe of Good Alphanumeric Passwords, you know, the one I mentioned above):

OS X will ask you if you want the ability to reset the encryption password from iCloud. Do not enable it, because, well, the FBI could ask Apple to give access to your iCloud account, and Apple has to comply.

Instead you’ll be given a long encryption key which will be used to decrypt the hard drive if you ever want to move your data and/or clean reinstall OS X and restore from backup. I would recommend writing it down somewhere on a piece of paper, or saving it on a trusted system. Please do not lose it, I’m not responsible if you lose your data forever.

Enable the Firmware Password

Enabling the firmware password prevents others from installing, erasing or switching to another OS (if you have dual boot or Boot Camp enabled). It also prevents unauthorised access to recovery mode.

To enable it, restart your Mac and hold down the Command (⌘) and R keys at the same time during the boot sequence. The machine will boot into recovery mode.

From there, click on Utilities, then Firmware Password Utility, and set a password (again, follow the recipe of Good Alphanumeric Passwords™). Preferably make it different from the one you’re using on your OS X account, and do not forget it.

Don’t touch anything else here if you don’t know what you’re doing. Just reboot by clicking on the little Apple logo on the top-left side of the screen, then hit Restart.


These are some of the measures I’m using to add additional layers of security to my devices. If you have any suggestions, please let me know in the comment section (or whatever the hell it’s called on Medium.com).

Thank you for reading, and always remember to keep your personal data safe.

A. Vatsaev