Cybersecurity Ramifications of the 2021 Storming of the United States Capitol
Hidden amidst the physical cleanup and repairs necessary after a mob of rioters stormed and occupied the US Capitol are significant cybersecurity concerns. At Wired, Lily Hay Newman writes about the cybersecurity implications of the invasion, explaining some of the breaches that happened and discussing others that could have happened if foreign intelligence agents piggybacked on the takeover.
Jake Williams, founder of Rendition Infosec, wasn’t surprised, noting, “You have to step back and realize that foreign intelligence could have looked at this and said, ‘Yeah, this is going to be an opportunity.’” Other experts commented on the massive amount of work needed to assess the damage and remediate or monitor any potentially compromised accounts, devices, and networks.
We should all take to heart the words of Kelvin Coleman, executive director of the National Cyber Security Alliance, who said, “Any time there’s a physical breach of a space, I automatically assume it was a digital compromise as well.”
After all, if someone’s going to break into your house, exposed data and account credentials may be more valuable than your personal belongings. For data protection, Apple’s FileVault drive encryption system, particularly when running on a Mac with a T2 security chip, guarantees that data cannot be extracted (iPhones and iPads are similarly protected). Turn it on in System Preferences > Security & Privacy > FileVault. Also, be sure to use a password manager like 1Password or LastPass instead of recording passwords in a physical notebook that could be stolen.
Just to make it clear in advance, I’ll be accepting only comments surrounding the cybersecurity and IT ramifications of this event. If I have to keep removing posts, I’ll shut off comments on the article entirely.
My worry with FileVault is that I might not be able to access my computer if I mess up in some way.
In the light of what could have been accessed in the storming it seems to me the question of who might have accessed what and who might have put important data on a thumb drive is a concern. I might also add that I am the son of an FBI agent (deceased - worked during the end of WW II and through the Viet Nam war and riots era) who taught me early on that national security is a constant concern and of great importance. What is raised by the article is significant and thank you for posting it. I’ll be interested in what the folks online here who have far better understanding of all things cyber than me will have to say lol.
I have the same worry, but I think it’s a holdover from the old days. The solution to messing up in some major way is a solid backup strategy. All that having the data readable on disk at rest gets you is the ability to use utility software to scan the surface of the disk (or SSD equivalent) looking for bits that might be data. That sort of data recovery will sometimes get some things back, but it’s pretty hit or miss. If you’re resorting to that, you probably want to be calling DriveSavers anyway and paying them to recover the data with their specialized tools. They might be somewhat less capable of recovery if FileVault was enabled, but if you provide them the password, they can probably decrypt what they do recover. (It’s the same with the iPhone and iPad; the data isn’t accessible to just anyone, but if people with the right skills have your passcode, they can get the data off.)
And of course, once you have a Mac with a T2 chip, the data is encrypted at rest anyway, so FileVault is just ensuring that the data is protected after the Mac has booted and decrypted the disk (as I understand things—see Glenn’s article linked in our original article).
So I think it makes a lot more sense to enable FileVault and make sure you have a solid backup strategy, which includes offsite or Internet backup for reasons that this event makes obvious.
Thank you Adam. That is a very helpful explanation. I have multiple backups and use Carbon Copy Cloner but my frustration is that with dreaded consistency one of my two CCC backups will suddenly be declared unwritable - I can get stuff off but the disk will not be writeable and so I have to reformat it all over. This is odd because one disk is SSD and the other is a regular hard drive. Thus my concern over being locked out. I also back up key files to other disks (copies to 2 different disks always as backups), keep most of my stuff on Dropbox and use Backblaze. OCD is my middle name lol but I once lost important professional files to a disk failure so I am ever cautious.
I am going to go to FileVault and so appreciate your excellent explanation.
I have to admit I’ve never given this much thought so let me just ask very bluntly. On a modern Mac, is there any good reason not to use FileVault? Or perhaps better worded, what are the use cases where it would be advisable not to use FileVault on a modern Mac?
I would think it it not just “foreign intelligence agents” who are a concern. Some of the people involved are likely to be members of hacking groups who can do great harm over the internet. Gathering account passwords (likely written down in desk drawers etc) would be an easy task while rifling through offices.
Also I am not sure that encrypted drives would have been much help - it looked like most office workers had to flee for their lives and many computers would have been left “open”.
Sort of. The data is encrypted at rest, but it seems you don’t need a password to decrypt it if you have physical access to the Mac. According to this article on Kolide, using target disk mode (no password needed) will make the T2-encrypted disk available to another Mac or over the network. It’s great that T2 and M1 Macs have hardware encryption, but FileVault is still highly recommended.
I don’t know how much of a problem this will have been. I doubt there were many rioters sitting and trying to extract data from the computers during the incident, and to take the computers with them they will almost certainly have had to shut them/put them to sleep/turn them off.
The T2 chip’s encryption serves to tie the flash chips to the computer so you can’t extract the data by moving them into another device, but it does nothing if the chips are connected to the Mac they are paired with. Which is why target disk mode or booting a different OS (including the recovery partition) on that Mac (if secure boot is configured to permit it) will grant access.
File Vault provides protection against booting other systems, requiring a password, either by entering it directly or by logging in via an account authorized to unlock the volume.
One would be Macs that provide a server-like function and might reboot due to a power failure. For example, I have one machine that runs SpamSieve to filter my spam. When I’m traveling (the good old days!) it’s nice if that machine doesn’t stay down because that results in a lot more spam showing up on whatever device I’m using to read my mail on the road. (Unfortunately, I have to use FileVault on that machine for other reasons, but I’ve often thought it would be nice if it could reboot itself without human interaction.)
I would think a greater worry is that a nation-state took advantage of this and tried to execute malware on an unlocked computer (as it seems Nancy Pelosi’s was) to try to get access later. Though I have to say that if I were the IT staff at the Capitol I would assume that all computers were compromised and would be replaced or completely rebuilt, so it’s probably still not much of a worry.
Heard some reports of laptops and iPads being stolen, which also has implications.
Given the elderly nature of many representatives I wonder how secure these machines were. The office computers would have had some standards applied but personal devices would vary.
There were reports of email still being up on the screen.
Here’s another complication, the top security guy and other staff members are running off of Capitol Hill:
What really bothers me is that there doesn’t seem to have been a security protocol in place that would address what should happen before, during and after anything resembling a siege of the US Capitol building. And now we’ve got this internal US security mess on top of the SolarWinds/FireEye security mess.
The Email on screen problem is a reminder to set your computer to lock the screen after a modest period of inactivity. You can use your iPhone (or Apple Watch?) to lock your computer if you step away beyond Bluetooth range and unlock it when you return.
80% of cybersecurity breaches are due to passwords being stolen or compromised. The technology for passwordless two factor authentication is available now, but widespread adoption has been slow.
Just an aside re security breaches: when I was in high school I took a 3 year electronics course, one of the first programs where multiple school districts provided career programs in one place. The course was taught by a retired engineer (who was demanding but taught a college level program - proof: we started with 30 students and were down to 6 by the end of the 3 years). He had worked at a major corporation that had top level security contracts. One night the FBI came through their office (my dad never confirmed he was part of that lol). The next morning one of the engineers found a note on his desk from the FBI - DON’T use the calendar to keep your security code!!! - he had circled dates in months that would remind him of his code!!
I would also add that given the preplanning and some of the groups involved, it would not be a far reach to suspect some brought equipment to access computers on the expectation they would access offices. I’m not a conspiracy nut but recognize the planning that can go into efforts to get information. Also, having worked down in Ground Zero shortly after 911 I remember how stunned we all were at the planning and sheer audacity of what happened - who would have thought, we all said.
I think the caution you have all expressed is well said and should be acted upon. I’m going to do so.
Not to disagree in general, but I do want to clarify something that has changed with M1-based Macs.
With respect to an M1-based Mac anyway, the Kolide article is wrong. The only way to access the Share Disk command that invokes Target Disk Mode is to enter macOS Recovery, select an account for which you have a password, and then enter that password.
Plus, even after you do that, if you’re sharing an encrypted disk, it requires another authentication to unlock the disk for sharing.
I was watching 60 Minutes on Sunday (through tears - oh my poor Steelers forgot to show up for their game!) and they showed a picture of someone walking off with a laptop and indicated there were several computers stolen or messed with. That is scary. Per Adam’s excellent explanation I am going to FileVault - my grandkids may be able to come back into the house soon lol.
The flip side of having good backups is needing to secure additional devices. FileVault and on-device encryption work if my MacBook/iDevices is/are pilfered or lost, e.g. if I take them out of the house. But multiple, and frequent, backups could make data theft easier, e.g. if someone stole my Carbon Copy Cloner destination, or Time Machine drive. My backups are by-and-large not encrypted, especially if I want them to be bootable. My unencrypted external terabyte clone drive is just sitting in front of my FileVault-enabled computer.
From memory, backup to an encrypted Time Capsule was slow, and I switched encryption off there. When I tried to switch on encryption on my Synology, I had a warning about incompatibility: I think with longer file names. Add to that is the “off-site” backups, where a drive is periodically brought elsewhere just in case, also subject to theft.
Maybe my “safest” (in terms of physical ransacking) backup is the Backblaze one. Which also would be a PITA to recover from.
Wouldn’t the destination be encrypted, if it’s a clone of the source?
Only if you choose to encrypt the destination. CCC creates a per-file clone, not a binary image of the storage device.
All of my backup and clone drives are encrypted. Encrypting my machine’s drive isn’t worth all that much if the backup drive sitting right next to it is unencrypted (even my notebook computers rarely leave the house) - so mine are not.
You should encrypt your CCC backup! It’s a bit of a pain initially, as you have to boot using the backup to turn encryption on. But once you’ve done that, it all works seamlessly (and the initial boot at least proves that your backup is bootable). Procedure explained here:
Further information here:
And as you acknowledged, you can (and should) enable encryption for your Time Machine backups, too.
I tried the steps at:
Soon after that article was released (2017). But then had trouble accessing the drive when I needed to restore (computer died). Can’t remember the exact circumstances. I’ll have another go, when I upgrade the backup to SSD. Thanks.
Thanks for that education, @Shamino. I had assumed that a “carbon copy” of an encrypted file would be encrypted. Live and learn.
Thank you for those pointers. I’m surprised that the procedure (boot from clone, turn on FileVault, boot from internal and go about life) works, but that is pretty clearly the procedure.
The procedure (make non-encrypted backup, boot it, enable FileVault) is to allow easy booting. When you enable FileVault on the startup volume, you can select users whose login will automatically unlock the volume. See also Use FileVault to encrypt the startup disk on your Mac.
If you create an encrypted volume and then backup to that volume, this association doesn’t happen. As I understand it, trying to boot that volume (assuming it’s even possible) will result in you seeing a pre-boot screen where you need to enter the password you used when creating the volume. Then the system will boot normally.
It’s not nearly as convenient as seeing your normal login screen as the pre-boot interface, and there’s a greater possibility that you’ll forget the volume’s password when you really need it in the future.
On my Mini M1 I had to switch off FileVault if I wanted to use a wireless keyboard connected to an external Bluetooth dongle. The latter I require until Apple fix the Bluetooth problems with their M1 systems.
I have just moved to FileVault on my iMac 2019 and then took the steps and encrypted the Time Machine disk. Everything running smoothly and no difficulties so far. Appreciate all the excellent posts here. Thanks.
I understand that FileVault is a machine-wide setting. In other words, if user1 turns it on, then user2 will also use it, eventually. If I got that wrong, please correct me.
The Apple help file leaves me with a couple of questions about multi-user machines.
Would user1 enter user1’s password and user2 enter user2’s password? If so, then apparently there are multiple passwords, although I assume the normal policies that prevent user1 from seeing user2’s files would still apply. Does it matter if one or both of user1 and user2 do not have administrator privileges (but do have an administrator’s username and password, if needed)?
Yes…when you set up FileVault you tell it which accounts (admin or not) are authorized to unlock the drive. I recall some issue when I created some more user accounts after the fact 3 or 4 macOS versions back…but figured out how to solve them…I think it was a matter of disabling and re-enabling FileVault but can’t remember.
Thanks, @neil1. It sounds like I can authorize every account to unlock the drive and that would cause minimal operational change for each user.
My basic understanding of the situation is that when you turn on FileVault, you set a password that encrypts the drive. This password is then somehow encrypted with the passwords of the users you authorise to unlock the drive. So none of the authorised users need to know the drive’s password – their normal login password will unlock the password that will unlock the drive (if that makes any sense).
Correct. After a reboot, you’ll get to the login screen more quickly than normal, because it’s actually a pre-boot login screen. After providing a user ID and password that’s authorized to unlock the drive, the rest of the system will boot and you will log in to the account.
Subsequent logins (after logging out without rebooting) will be exactly as without FileVault.
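The screen-lock reminder earlier in the thread and the explanation above of which accounts are authorized to unlock the volume, turned into a check you can run on a Mac. This is an added example, not code from the TidBITS article or from anyone in the thread; it uses the real macOS commands fdesetup and defaults, while the allow-list of unlock accounts, the 15-minute lock maximum and the sample output are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the TidBITS article or thread: a defender's audit of
# the settings discussed above (FileVault on? which accounts can unlock the
# volume? screen-lock timeout?). It calls the real macOS tools fdesetup(8) and
# defaults(1); the parsers take that output as text, so constructed samples
# exercise them without a Mac.

# Classify `fdesetup status` output: prints on, off, in-progress or unknown.
fv_state() {
  case "$1" in
    *"Encryption in progress"*) echo in-progress ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# `fdesetup list` prints one "username,UUID" line per account allowed to unlock
# the volume. Given that output and a comma-separated allow-list, print each
# unlock-capable account that is not on the list (prints nothing if none).
fv_unexpected_unlockers() {
  _allowed=",$2,"
  printf '%s\n' "$1" | while IFS=, read -r _user _uuid; do
    [ -n "$_user" ] || continue
    case "$_allowed" in *",$_user,"*) ;; *) echo "$_user" ;; esac
  done
}

# `defaults -currentHost read com.apple.screensaver idleTime` is the idle
# timeout in seconds; 0 means the screen never locks on its own. Succeeds
# only when the timeout is between 1 and the maximum (assumed 900 s).
screenlock_ok() {
  [ "$1" -gt 0 ] 2>/dev/null && [ "$1" -le "${2:-900}" ]
}

# Live audit on a Mac; $1 is the expected allow-list (fdesetup list needs root).
audit_host() {
  _rc=0
  _s=$(fv_state "$(fdesetup status)")
  [ "$_s" = on ] || { echo "FINDING: FileVault is $_s"; _rc=1; }
  _x=$(fv_unexpected_unlockers "$(sudo fdesetup list)" "$1")
  [ -z "$_x" ] || { echo "FINDING: unexpected unlock accounts: $_x"; _rc=1; }
  _i=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
  screenlock_ok "$_i" || { echo "FINDING: screen-lock timeout '${_i:-unset}'"; _rc=1; }
  return $_rc
}

# Constructed sample output, shaped like fdesetup's on a two-account Mac.
SAMPLE_STATUS='FileVault is On.'
SAMPLE_LIST='user1,11111111-2222-3333-4444-555555555555
user2,66666666-7777-8888-9999-000000000000'

if [ "$(uname 2>/dev/null)" = Darwin ] && [ "${1:-}" = --live ]; then
  audit_host "${2:-}"   # usage: sh fvaudit.sh --live user1,user2
fi
```

Run with `--live` and the accounts you expect to have unlock rights; any account that appears in `fdesetup list` but not on that list is exactly the kind of leftover that disabling and re-enabling FileVault, as mentioned above, cleans up.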
Well, FileVault is working perfectly. Not so happy with encrypted Time Machine - it does a backup and then takes forever to encrypt again, I mean like over an hour! Got 1.85 TB on a 4 TB TM drive (my iMac has a 1 TB drive). This is after days of using the TimeMachine system. I just happened to look at the System Prefs screen and saw it was “encrypting” again and it said about 2 more hrs required - but it had already encrypted! Frustrating. Good way to burn out a drive?
I think it is relevant to ask:
How does an encrypted clone drive work, if attaching the drive to a new Mac computer?
Or a new Windows computer (with 3rd party apps to access the APFS drive).
Or… an old computer running an ancient macOS?
All of which are possible scenarios, if trying to get back to work after a computer dies.
If the drive was backed up with FileVault, it will ask for a password, and you can use the password for any account that was set up to unlock the encryption key. If it was just encrypted with a passphrase, you just need to enter the passphrase.
I didn’t realize there was such a thing as that.
For an HFS+ encrypted drive, it would be the same as above. FileVault 2 began with OS X Lion if I remember correctly, so Lion and later should be able to handle an HFS+ encrypted FileVault drive.
APFS requires High Sierra or later.
It was also available (in pre-release form, and only via command-line tools) in macOS Sierra (10.12), but I don’t think I would trust that implementation if there is any other possible alternative.
I need to correct myself. It turns out that when I was testing this, I did have FileVault on, and that was why I was getting the password prompts.
So yes, even on a T2 Mac, Target Disk Mode allows access to the internal drive unless FileVault is on.
The moral of the story is, turn on FileVault!
Sorry for the incorrect information.