Securely and completely cleaning your hard drive on your computer has risen in importance as a data integrity concern to the university as more and more breaches elsewhere of confidentiality and security have been published.
This concern has been heightened further now that Apple hardware repairs are leaving the U of Manitoba campuses.
[NOTE: one proven method of securing the storage local to your computer is to ensure all your data and information are stored externally to the device. Whether …
[View More]it is on to a network server and even just locally attached external drives, this makes it easier to isolate your data and information if the computer itself needs to be taken away for disposal or repair. Keep in mind that even using an external location for your files could still mean that email passwords and the like are still stored with the SYSTEM on the local hard drive so you may wish to delete email account setups, browser history, and such before sending the computer away to ensure they cannot be accessed.]
….from:
http://www.macworld.com/article/2906499/mac-911-how-to-erase-your-macs-hard…
Mac 911: How to erase your Mac's hard drive the right way
[disk utility hero]
When you sell or donate a Mac or give it to a family member, it’s best to make a clean break: wipe the puppy clean, reinstall the latest version of OS X, and hand off a system that you’re not worried has remnants of yourself on it.
But how can you be sure? Readers have written in with several related questions, so let’s talk this week about erasing a drive, how FileVault 2 encryption can play into it, and out-of-date Recovery Drive partitions.
Erase and leave no trace
Reader Jim Kay, who asked about migrating from one Mac to another a couple of weeks ago, had a second question as well that opens a delightful can of worms:
Since I’m looking to resell my current Mac, how do I reinstall OS X, so as to wipe my hard drive and resell knowing the new buyer has a cleaned-up computer, and my files are nowhere to be found on it?
Wiping or erasing a drive has a surprising number of definitions. In the olden days, in the long ago, we ran utility software that often came from third parties, which would simply delete the catalog and related records. Such an erase was, in practice, the best way to create a clean installation. But it doesn’t make all the files on the disk unrecoverable—it just makes them harder to retrieve.
To get rid of old data in a thorough fashion, you need use a multi-pass approach, in which every bit of storage in the disk is overwritten with new data (often zeroes). That’s been built into Apple’s Disk Utility for years. When you select a volume in Disk Utility and then the Erase tab, you can click Security Options to pick how many times the drive is overwritten: once, three times, or seven times. Once is considered enough for regular purposes, while three and seven correspond to different U.S. government security guidelines.
[mac 911 secure erase options 580]
Securely erase your hard drive with Disk Utility.
Before Lion, you had to boot from a CD or DVD system disk or a third-party utility, like Disk Warrior, or from an external drive with OS X installed. Then you’d run Disk Utility to erase your startup drive. But this has become easier since OS X Recovery<https://support.apple.com/en-us/HT201314> was added in Lion. Restart a Mac and hold down Command-R after the startup chime sounds, and the computer boots into the recovery mode. Select Disk Utility from the startup menu, and you can erase your startup drive securely.
[mac 911 erase tab disk utility]<https://cms-images.idgesg.net/images/article/2015/04/mac-911-erase-tab-disk…>
You'll save a little time if you do an erase without overwriting, then reinstall OS X, then Erase Free Space with an overwriting option.
There’s a slightly different way to accomplish the same goal. First, erase a drive without the overwriting part, and reinstall OS X. After you boot, launch Disk Utility, select the startup volume, and click the Erase tab. Now use the Erase Free Space option, which also offers 1, 3, and 7 passes of erase, and only empties out unused parts of the disk. The advantage is that your computer remains available (though often slow) while this operation is underway.
Along with both Secure Erase and the Erase Free Space options, which can take a very, very long time even for a single pass, you’ve got two other options, one of which you don’t need to enable.
Even better with SSD and FileVault 2
If your Mac has an Apple-installed or third-party SSD, you can’t use Secure Erase, nor do you necessarily need it, as Apple explains in a support document<https://support.apple.com/en-us/HT201949> (see the note at the end). SSD data can’t be trivially recovered because of how SSDs optimize storage to reduce wear and tear.
This is by no means foolproof, and one should assume that there are forensic tools available that can reconstruct erased SSDs—some are for sale, but I haven’t tested their claims. Apple doesn’t provide in-depth details on why it made its statement about SSDs as it does for some security claims, and thus it’s impossible to confirm.
However, there’s a simple way with both SSD and regular hard drives to perform a fantastically quick and reliable erasure: using FileVault 2. FileVault 2<http://www.macworld.com/article/2880039/how-to-encrypt-your-mac-with-fileva…>, the full-disk encryption (FDE) option that first appeared in OS X 10.7, keeps your startup drive encrypted at all times. Whenever you boot your Mac and log in to one of the accounts that’s authorized to boot with FileVault 2, OS X encrypts everything written to disk and decrypts everything read on the fly.
[filevault]<https://cms-images.idgesg.net/images/article/2015/02/screen-shot-2015-02-04…>
If you use FileVault, any data "left behind" on your erased hard drive will be totally unreadable by your Mac's next owner.
With a FileVault-encrypted startup disk, you can restart into OS X Recovery and launch Disk Utility to erase the volume. However, before erasing, you need to select the disk and then choose File > Unlock “volume name”. Enter the password for any FileVault-enabled user account, and the disk is unlocked and can be erased.
Erasing a FileVault-encrypted volume discards the key that’s associated with it, turning a disk into a nearly perfect cacophony of irrecoverable randomness. Without the key, which is uncrackable in any realistic period of time by any current technology, the erased data is as good as gone as if it had been written over millions of times.
You can then install OS X on that partition, either from the recovery system or via an external drive<http://www.macworld.com/article/2690806/how-to-install-mac-os-x-yosemite.ht…>.
A few other recovery and FileVault issues
Reader Peter wondered how FileVault figures in to cloning a disk. Because FileVault encrypts an entire drive and only decrypts files when you’re logged in, it has no effect on how or whether you make a clone, use Migration Assistant, or copy files.
However, if you’re planning on using FileVault on the new computer, I would heavily suggest enabling FileVault on the new machine before moving any files to it. This will speed up the operation by encrypting the new computer’s fewer files first. When FileVault has finished and your new Mac has rebooted and you’ve logged in, then start the migration process, and all new files are encrypted on the fly.
Andrew Robertson writes that when he upgraded to Yosemite, his recovery drive remained out of date with 10.9 Mavericks. Then, when trying to set up FileVault and enable iCloud-based recovery of his key, he doesn’t see an option to do so when booting into OS X Recovery.
Fortunately, there are answers for both:
* You can reinstall 10.10 on the startup disk without damaging the rest of your setup, though make a backup first. This should upgrade the recovery partition. (Carbon Copy Cloner<https://bombich.com/kb/ccc4/frequently-asked-questions-about-cloning-apples…> can clone a recovery partition from one drive to another, but it can’t create one from an installer or from scratch.)
* The reset password option isn’t available with FileVault 2, but you can store a copy of your recovery key with Apple. To recover a key<https://support.apple.com/en-us/HT202274>, first start up OS X normally, and enter the wrong password three times. (This is also how to use iCloud password recovery on non-FileVault systems.) You’re then presented with the option to contact Apple, which requires speaking to a representative, and answering multiple questions exactly as you entered them when setting up the recovery option. If correct, Apple’s customer service gains access to the stored key, which they provide to you.
Ask Mac 911
We’re always looking for problems to solve! Email us at mac911(a)macworld.com<mailto:mac911@macworld.com>, tweet them at me (if brief) @glennf<https://twitter.com/glennf>, or call 206-337-5833 and leave a voicemail message. (We’ll be experimenting with some audio in the future, and may put your question “on the air.”)
Mac 911 can’t provide direct email responses or answers for every question. For that, turn to AppleCare, an Apple Store Genius Bar, or the Apple Support Communities<https://discussions.apple.com/welcome>.
[View Less]
There seems to have been a rise in bad email specifically targeting AppleID accounts.
Usually the email is attempting to get you to enter your AppleID and password.
I've seen 3 of these in the past two weeks and others are reporting similar concerns.
Generally the email takes one of two formats:
- something is wrong with your AppleID account - just log in to fix it
- something "odd" has been purchased on your AppleID - just log in to verify the purchase
For example, one email indicated that …
[View More]"your AppleID has been used to purchase 'Game of Thrones' from an unusual location".
Whatever the format or claim, following the suggested links and entering your AppleID and password to verify or correct the information can lead to unintended exposure of your account information.
There are some things you can do to verify that the email is not a valid AppleInc. notification, to slightly reduce your overall exposure, and to report the problem to Apple.
1) reporting the problem to allow Apple Inc. so they can take some action is quite simple by forwarding the message to an appropriate Apple email address:
a) open the original email message in MAIL
b) select VIEW > MESSAGE > RAW SOURCE
c) select all and copy the entire RAW SOURCE of the message
d) FILE > NEW MESSAGE addressed to phishing(a)apple.com<mailto:phishing@apple.com>
e) Write a brief subject indicating a PHISHING attempt and describing how you received the original message
f) paste in the RAW SOURCE you'd copied earlier and hit SEND
- this RAW SOURCE allows Apple to examine all of the email server paths and "hidden" links that the original message may have contained
2) verifying original message is not legitimate: examine the RAW SOURCE you'd selected earlier. Within it you will probably find many legitimate Apple links such as "http://euro.apple.com" or "http://iforgot.apple.com". You will probably also see a few very odd links which have nothing to do with AppleInc. These could be any domains such as:
http://elmnitasdevigohttp://fsioterapiasantarita
....just odd (perhaps already compromised) web addresses which seem to have no connection to "apple.com<http://apple.com>". One sure indicator that something phishi is happening is the presence of non-Apple links in a message supposedly originating at Apple. Apple rarely if ever does that.
3) reducing potential of exposure: one simple step you can take to help reduce your exposure profile through email is to deselect "Load remote content in messages"
[cid:6346619A-5084-4345-98E3-2108DE5CE532]
a) MAIL > PREFERENCES > VIEWING
b) uncheck/deselect LOAD REMOTE CONTENT IN MESSAGES if it is checked
- if this option is checked and the sender includes a graphic in the email message, when you open the message in MAIL, this can be an automatic indication to the sender that your email address is "alive"/someone is actually using the address. Just the fact that your mail package requested the graphic can trigger a confirmation to the sender.
If you deselect this option, graphics are not loaded automatically but can be loaded manually within the email message as you read it. You'll see a "LOAD REMOTE CONTENT" button in the top-right of your email message.
Deselecting this option gives you an opportunity to scan your email message first before loading the graphics allowing you to screen out any suspect email messages.
This is not a guarantee that your email address will be 100% safe. It does, however, reduce the chances of an accidental confirmation/exposure relating to your email account via this "load a graphic" mechanism.
I hope you find this information to be useful.
Please feel free to email questions or concerns you may have.
Thanks,
Wayne Billing
Classroom Technology Support
Audio Visual and Classroom Technology Support
Computer and Network Support
130 Machray Hall Building
204-474-6649
204-807-3153 (cell)
204-474-7625 (fax)
Wayne_Billing(a)umanitoba.ca<mailto:Wayne_Billing@umanitoba.ca>
[View Less]
