It depends on exactly what you mean by:
"it was protected with a password"
If it means that they were using FileVault, then their data should be pretty much inaccessible.
If it just meant that they had a login password, though, all the thieves have to do is boot the laptop off another disk, and they'll have immediate access to everything on the internal drive.
Yes. Stealth mode enhances your system's security. Stateful packet inspection is another crucial component of a firewall's prowess. It's also of note that Apple's firewall is powered by the rugged ipfw.
What Apple says is a concise summary of how stealth mode works, and if you aren't versed in IT security, a full-fledged explanation won't offer up much more as it's a complex system (TCP, or Transmission Control Protocol, which is just one element of data transmission itself is rather complicated and deeply layered).
The fundamentals of networking (aka transferring data on the internet) rely on protocols that establish connections ("handshaking" starts it all) and then relay data (through things like TCP and UDP). ICMP messages (such as pings or echo requests) are typically used to "probe" a target host (most often for quite valid reasons), identifying it on the network. Hackers use them to find their prey.
Firewalls work by planting themselves between the kernel and the TCP/IP stack (so at a very deep level) and watching the packets that run between those layers. In the image above, a system's kernel would be located between the ethernet driver and hardware. The firewall would sit right on top of the kernel. Firewalls need this deep level of integration to remain rugged and durable. If a firewall were implanted at a high level, say at the level of your browser, it would make it highly susceptible to attack. The deeper a process is located (closer to the kernel), the harder it is to gain access to it.
When a system runs without a firewall, the packets are allowed free access (in and out). If an echo request is sent, an echo response is loosed by your computer (think of it as a greeting; someone on the street passes you and says "hello," you smile and greet them in return). But when a firewall is operational, it steps in, like a member of the secret service, following its protocol. If it is told to deny requests, it will send a message to the machine making the request that it does not reply to echo requests. The machine gets a notice that their echo request was denied (or blocked). Naturally this doesn't give that machine much information, but it does inform them that someone is there.
Stealth mode, on the other hand, doesn't. The firewall watches the echo request come in, and instead of denying it, it simply tells your computer to ignore the packet. The machine on the other end, not only doesn't get any data, but doesn't even get a notice of rejection. It's as if their packet was just lost in the space. And that's indicative of either a machine guarded by a secure firewall, or a machine that doesn't even exist.
In effect, it's the equivalent of putting someone through to voicemail (denying the echo request) or simply disabling voicemail and letting it ring, indefinitely (running under stealth mode).
As with anything, a clever hacker can bypass these safeguards, but it does make their life a lot harder. And that's the key to security: making the hacker's job just a little bit harder at every turn. That greatly weeds out the "script kiddie" from the die-hard, Lulzsec hacker.
Stealth mode cloaks you from those initiating traffic, but it doesn't make you invisible. Once a connection is established (either by you, or by something that was allowed to negotiate outbound traffic), you pop up on the grid just like any computer. So while sending ping requests may no longer work, there are still plenty of ways hackers could establish a connection and potentially exploit your computer through a running service.
Best Answer
I ended up using a second Mac to do a scan with the questionable machine booted into target disk mode.
My actual scanning procedure was:
0) (done before using target disk mode) update system and apps on both machines to current versions
1) compare files on both machines using this script:
1.1) I used a high-powered text editor (vim) to make sense of the output. My basic strategy was to just organize the lines of output by the first couple of levels of the directory structure using indent-based code folding. This technique does require some general and POSIX-ish-specific computing knowledge, in particular to differentiate "okay" differences from potentially dangerous differences.
2) I ran chkrootkit using the command
2.1) chkrootkit came up with the following output. These indications seem to be due to running the scan on a target disk and/or due to differences between the various operating systems that chkrootkit supports.
2.2) In order to get chkrootkit to compile, I had to uncomment a line in the Makefile. It's clearly indicated in the Makefile. See here for more info.
SUMMARY
I feel pretty confident that this was an effective scan (given the clean state of the scanning system). However, there are a few downsides to this method:
In case you don't have an extra Mac available, here are a couple of alternatives to this approach:
It's possible to put a clean install of OSX onto a USB drive. To do this, you boot the machine while holding down command-option-R to do an Internet Recovery. This bypasses the disk contents and uses firmware code to install OSX from Apple's servers. Apparently you can just plug a USB drive in and choose this as the installation target; afterwards you can boot the machine from the USB drive and run scans on the system drive. Downside here is that this is a >5GB download, so you'd better have a fast Internet connection (or some patience).
I could have also pulled the drive out of the machine and put it into a hard drive enclosure. The advantages here are that I wouldn't have had to use a Mac to scan it, and that I wouldn't have had to find a 9-pin-to-9-pin Firewire cable. Of course, if I didn't use a Mac to scan it, I wouldn't have been able to use my first scanning method (the diff).