0

I'm reviewing security on my hosting infrastructure, which is based on Google VMs, SQL and Cloud Storage. It seems to me that the following scenario is a risk:

  1. I use gcloud or gsutil on my macOS laptop, which stores my sign-in credentials so that it doesn't ask for them every time I use one of these utilities.
  2. Someone steals my laptop (very possible)
  3. By whatever means, the thief succeeds in signing in as me (less likely, but not impossible)
  4. The thief can now run gcloud or gsutil and do more or less whatever damage they want to my web hosting.

This possibility seems plausible to me, and could be catastrophic.

Can anyone think of a good way to reduce this risk? For example, a way of managing security so that I am challenged to provide credentials whenever my laptop reboots or exits from sleep, but not on every single command?

(I've also asked this question as a support case with Google)

1
  • 1
    Could you put the utilities, or their data, in a VeraCrypt-protected folder? You'd only need to enter a password at the start of a session, and can set VeraCrypt to dismount folder on lock screen, log-out, timeout, etc. You could also keep a keyfile on a USB, use it and immediately unplug it. Commented Aug 22, 2023 at 16:16

2 Answers

2

If someone knows your login password, they've got your entire keychain, bank details … everything.

FileVault & the security T2 chipset boot options are your main security for the entire Mac. Also, ensure FindMy is enabled. That will prevent any attempt to wipe it. Make sure they're enabled & your AFK timeout is short enough to not be a risk.
If you have TouchID, you can just press the button as you walk away & the machine will lock immediately, otherwise use Cmd ⌘ Ctrl ⌃ Q

It should already ask you for credentials every time it's been asleep or rebooted, unless you set auto-login.

Use a good password strategy for your login. Then you don't need to worry about the rest. You cannot brute-force a modern Mac.

Unless…

[Image: xkcd comic "Security"]

Under xkcd license - https://imgs.xkcd.com/comics/security.png

2

Having now spoken to Google support, the recommended way of protecting against this is the following command:

gcloud auth revoke --all

This revokes permissions on the gcloud and gsutil utilities. Before using them again, you need to do a

gcloud auth login

This opens a browser window for you to sign in to your Google account and enable the utilities to be used once more.

If you have more than one account in use, skip the --all and revoke just the account you need. You can find the list of active accounts using:

gcloud auth list
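
The revoke step from the answer above, written as an added example that is not part of the original answer or Google's own tooling: it revokes every stored account, then re-lists to confirm nothing is left. The names `lock_gcloud`, `credentialed_accounts` and the `GCLOUD` override are assumptions for illustration; the example also goes beyond the answer by clearing Application Default Credentials, which the SDK stores separately from the accounts that `gcloud auth revoke --all` removes.

```sh
#!/bin/sh
# Added example: revoke all stored gcloud credentials and verify none remain.
# GCLOUD may be overridden (e.g. for testing); it defaults to the CLI on PATH.
GCLOUD="${GCLOUD:-gcloud}"

# Print every credentialed account, one per line (empty output = none stored).
credentialed_accounts() {
  "$GCLOUD" auth list --format='value(account)' 2>/dev/null
}

# Revoke user credentials and Application Default Credentials (ADC), then
# check the result. Returns 0 only if no credential is left on this machine.
lock_gcloud() {
  # ADC live in a separate file inside the SDK config directory.
  lg_adc="${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}/application_default_credentials.json"

  # 'revoke --all' is only called when there is something to revoke.
  if [ -n "$(credentialed_accounts)" ]; then
    "$GCLOUD" auth revoke --all --quiet >/dev/null 2>&1
  fi
  if [ -f "$lg_adc" ]; then
    "$GCLOUD" auth application-default revoke --quiet >/dev/null 2>&1
  fi

  # Verify rather than trust the exit codes above.
  lg_left="$(credentialed_accounts)"
  if [ -n "$lg_left" ] || [ -f "$lg_adc" ]; then
    echo "gcloud credentials still present on this machine:" >&2
    [ -n "$lg_left" ] && echo "$lg_left" >&2
    [ -f "$lg_adc" ] && echo "$lg_adc" >&2
    return 1
  fi
  return 0
}

# Run only when asked to, so the file can also be sourced from a shell profile.
if [ "${1:-}" = "--run" ]; then
  lock_gcloud
fi
```

How the script is triggered (at the end of a work session, on lock, before sleep) is left to the reader; afterwards `gcloud auth login` is needed before the utilities work again.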
