Ransomware. You’ve probably heard it mentioned recently, as some pretty big targets fell victim to it, and though rare, the Mac has been targeted as well. A few months ago ransomware named KeRanger was found to encrypt user files; when it succeeded, the victim had to pay $400 to have their files unlocked or lose the data forever.

This wasn’t the first and definitely won’t be the last. So how do you protect yourself? Unfortunately antivirus is probably the least effective at detecting and stopping this type of malware. For an antivirus to detect it immediately it needs to use true heuristics, which no Mac AV does. By the time it gets a signature update that recognizes the sample, your files may already be encrypted and it’s too late.

Of course not opening suspicious files goes a long way, not visiting any shady websites generally helps too (though any website can hand out malware through compromised ad networks and other connections it makes) and of course having a solid backup in place in case things do go south is always a good idea. Then I came across RansomWhere? (question mark included in the name) and it sounded to be exactly what I was looking for:

“By continually monitoring the file-system for the creation of encrypted files by suspicious processes, RansomWhere? aims to protect your personal files, generically stopping ransomware in its tracks.”

The creator is Patrick Wardle from Objective-See and I have mentioned him before in regard to another great utility, KnockKnock. So I had to see what this was all about. Mind you, I have not pitted this utility against actual ransomware, so whether it truly works remains to be seen, but I did make a few observations.

The utility can be downloaded here; that page also explains how it works, how to install it, etc.

Once installed I noticed high CPU usage (normal behavior) and once it was done establishing itself, CPU usage dropped so low it used fewer resources than any other app or process. Then I just sat back and forgot about it after a few days. There is no menu bar or dock icon, no application that’s always on to remind you everything is ok, just a process that runs in the background. Then one morning I woke up to a notification from Carbon Copy Cloner: it had failed to perform a clone. I walked to my Mac and noticed RansomWhere? had blocked CCC as it attempted to encrypt some files. So it worked! I allowed CCC to encrypt the files it needed to encrypt and RansomWhere? has respected my choice ever since. Another warning I got was for Plex Media Server, which apparently does some light encryption on/in its own database.

These two examples, along with Patrick’s quality work in the past, have made me a believer in this utility. Again, until it thwarts some actual ransomware it’s hard to say if this will make a good line of defense. The website is also very clear on the software’s limitations.

Still I think it’s worth installing as it does not take any noticeable resources and well, it’s yet another layer of defense and one can never have enough of those.
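As an added illustration of the approach quoted above (not RansomWhere?’s own code; the tool’s internals are not described on this page), the Python below flags high-entropy file writes from processes the user has not approved, and shows why a legitimate tool such as Carbon Copy Cloner trips the check until you allow it once. The samples, process names and threshold are constructed for the example.

```python
import gzip
import math
import random
from collections import Counter

# Entropy above this (bits per byte) is treated as "looks encrypted".
# Encrypted or random data sits close to 8.0; English text is usually 4 to 5.
ENTROPY_THRESHOLD = 7.9
MIN_SIZE = 256  # tiny writes give noisy entropy estimates, so they are skipped

# Formats that are legitimately high-entropy, recognised by their magic bytes,
# so a backup tool writing a compressed archive is not mistaken for ransomware.
KNOWN_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes):
    """Return the format name if the data starts with a known magic header."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_encrypted(data: bytes) -> bool:
    return len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD


def evaluate_write(process: str, data: bytes, approved: frozenset) -> str:
    """Decide what to do with one file write observed from `process`.

    Returns "allow" (the user already approved this process), "ignore"
    (content is not suspicious) or "block" (high-entropy content from an
    unapproved process). A real monitor would also trust platform binaries;
    this toy keeps only the user-approval list.
    """
    if process in approved:
        return "allow"
    if known_format(data):
        return "ignore"
    return "block" if looks_encrypted(data) else "ignore"


# Constructed samples (not real files): English text, a seeded random blob
# standing in for ciphertext, and a gzip archive of that blob.
SAMPLE_TEXT = b"Quarterly report: revenue grew while costs were flat. " * 200
_rng = random.Random(20160401)
SAMPLE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(8192))
SAMPLE_GZIP = gzip.compress(SAMPLE_CIPHERTEXT, mtime=0)

if __name__ == "__main__":
    approved = frozenset()
    events = [
        ("Carbon Copy Cloner", SAMPLE_CIPHERTEXT),  # legitimate, first time seen
        ("TextEdit", SAMPLE_TEXT),
        ("Archive Utility", SAMPLE_GZIP),
        ("unknown-helper", SAMPLE_CIPHERTEXT),
    ]
    for proc, blob in events:
        verdict = evaluate_write(proc, blob, approved)
        print(f"{proc:20s} entropy={shannon_entropy(blob):.3f} -> {verdict}")
        if verdict == "block" and proc == "Carbon Copy Cloner":
            # the user clicks "allow" once and the choice is remembered
            approved = approved | {proc}
```

The gzip case is the caveat: compressed data is just as high-entropy as ciphertext, so a monitor that looks only at entropy will keep prompting for archivers, media encoders and backup tools unless it recognises the format or the process.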

Have a look at the above mentioned link and also check out his other products, which include KnockKnock, Lockdown and Dynamic Hijack Scanner. These tools are all free, so if you think they can help you (or have helped you in the past), consider making a donation so we can keep seeing these awesome utilities in the future as well.


We’re back!

Having a baby, running a business and working on several other projects, something had to give and securityspread.com was it. With the business running smoothly and the baby now 5 months old, I had some time to practice time-management in this new situation and I think I have it figured out to a point where old projects can be dusted off and restarted. Of course starting with this website.

So, imagine my office looked like the one in the picture after a year of not being used; it is now cleaned up, upgraded and ready to be used again 🙂

First, a big thank you to all those who have kept in touch during this period of inactivity, I do appreciate it.

The biggest request I received almost weekly was an update to the antivirus tests. As this takes up enormous amounts of time I will not be able to do that just yet. My malware sample sets are very out of date, virtual machines need to be upgraded, test licenses need to be obtained again for the AV products and of course the testing itself takes days. While I have some time to regularly update this site again, testing AV will have to wait.

Thanks for visiting and being patient. Now let’s get this party going again.


A few days with OS X 10.11 El Capitan [Updated]

I mentioned in a previous post I had high hopes for El Capitan. After installing it on September 30th, I am not disappointed. My system is fast, scrolling through large directories is smooth, Finder does not choke up when working with lots of folders open, Mail is no longer freaking out because my Mail folder is 22GB. I am very happy with this upgrade.

One issue I did have though is my Messages app refused to sign in. The account worked before the upgrade, it works on my iPhone but after the El Capitan install it no longer worked on my Mac. It became clear very soon that a lot of people are having this problem. For me it was not a dealbreaker as I can use iMessage on my phone or iPad but for some it might be a bigger deal. Luckily there is a fix.
– Shut down your Mac.
– Power on your Mac and immediately hold the Option (or Alt)+Command+P+R keys. Keep holding them until your Mac sounds the boot chime. Keep holding them, but when you hear the boot chime for the second time…
– Immediately let go of the above mentioned keys and hold down the shift key instead.
– Let go of the shift key when you see the Apple logo and progress bar.

This boots your Mac into safe mode. Boot time will be much longer than usual so be patient. You might also see slow display refresh rates or other glitches, just ignore those. Once your Mac is booted, open the Messages app and sign in. It will let you sign in without issues if all goes well. Do the same for FaceTime if that gave you problems before too. Quit the apps and restart your Mac.

Now your Messages should work.

Another issue that seems to be the hot topic after every new OS X release is Mail. The most common complaint after the El Capitan upgrade is mail disappearing and certain accounts being unable to send mail. I have not experienced this myself on my machines or any of the others I have upgraded but the message boards are full of reports about this. As of yet I have not seen a solution. Some people have had luck rebuilding the affected mailboxes, for others it did no good. To rebuild your mailbox, select it in the mailboxes list and select “Rebuild” from the Mailbox menu. Depending on the amount of mail this can take a while.

Something I did experience is that Apple Remote Desktop stopped working. On my end, the administrator, all of the client computers were grayed out even though I knew they were online. The fix was simple: in System Preferences > Sharing (on the client machines), turn off Remote Management, then turn it on again. This solved the issue for me with roughly 48 Macs. I think this problem is caused by the client computer, but I have also heard people say this is a problem on the admin side. Either way it’s a quick fix. If you do not have access to the remote machine, hold off on upgrading to El Capitan on both sides, just to be safe. In some cases the Screen Sharing app or Finder buttons still worked, but this was random.

Finally, an issue I hear a lot of people mention is that Outlook no longer works or works poorly. This has been a reported issue since El Capitan went into beta and seems to affect Outlook for Office 2011 only. If you rely on Outlook (any version), make sure others report it works well on El Capitan or contact Microsoft to ask if an update will be released soon to address these issues. No issues were reported with the other Office applications like Word and Excel. Microsoft was working on a fix and has since released an update that fixes the problem.

These are the highlights of El Capitan issues as far as I can tell. Message boards are flooded with people damning El Capitan to hell: “it broke my stuff”, “nothing works”, “Apple failed us all”, etc. This is the same stuff I read every year after a new OS X version is released and this will most likely never change. Despite the few glitches I have seen myself, those mentioned above, I am very happy with this upgrade.

If you are not sure if El Capitan is right for you or worth the risk, just back up your data and give it a try. If something goes wrong or if you experience bugs you cannot live with, your old system is just a restore away 🙂 You can also clone your system to an external drive, boot up from that and then run the upgrade. If it does not work out, just boot up from your internal drive again and you’ll be set.

I have mentioned a few backup options in my “Get ready for OS X 10.11 El Capitan” article.

You can also play it safe and wait for Apple to release the 10.11.1 update which usually follows soon after the initial release of a new system. Either way El Capitan is worth the upgrade as it offers many improvements to security, stability and usability. So upgrade now or wait for some of the bugs to be squashed and upgrade later but definitely consider upgrading.

As new bugs are discovered I will report them here. This will only cover the bugs that are widespread and/or I have been able to confirm myself.

Keychain Access
When running Keychain First Aid, the user is unable to enter a password.
Solution: Apple removed the ability to check or repair keychains completely in 10.11.2.

Disk Utility RAID configuration
As this is not a feature I use every day I had not discovered this in the beta builds. Apple has removed the ability to create or edit RAID configurations in Disk Utility.
Solution: Use the terminal diskutil command. Instructions can be found here.

Finder scroll position
When browsing a folder that has a scroll bar, open one of the folders and then go back. You will notice the previous window does not remember the scroll position like it did in previous OS X versions. When scrolling through large directories especially, this is very annoying.
Solution: Fixed with 10.11.2 update.


Get ready for OS X 10.11 El Capitan

While I am not crazy about the new name, I am very excited about the product. Some new features are introduced, but the majority of the work has been under the hood to improve responsiveness, stability and usability. My favorite versions of OS X to date have been 10.4.11 Tiger and 10.6.8 Snow Leopard, both releases that worked hard on under the hood improvements, and it showed. OS X versions since then have had some nice features added, but to me OS X has not felt like the smooth and intuitive operating system I used to love.

My hope is that will change with the latest release that hits the virtual shelves tomorrow. I would love to add OS X 10.11 to my list of favorite OS versions. Hopefully Apple will not let the system slide again after this, turning future OS X versions into the same mess 10.7 – 10.10 were before focusing on serious maintenance and cleanup again. Typically in the past, any new OS comes with some bugs and a .1 update follows quickly to resolve these issues. El Capitan will probably be no different so don’t expect perfection immediately after upgrading. With that said, I have been using the pre-release versions for a while and am very impressed so far.

Hardware requirements
Alright, let’s get started. First of course you have to make sure your machine can handle the new OS. While exact system requirements have not been published yet, everyone pretty much agrees the following Macs can run El Capitan:
• iMac – Mid 2007 or newer
• MacBook – Aluminum Late 2008 and Early 2009 or newer
• MacBook Air – Late 2008 or newer
• MacBook Pro
– 13-inch Mid 2009 or newer
– 15-inch Mid/Late 2007 or newer
– 17-inch Late 2007 or newer
• Mac mini – Early 2009 or newer
• Mac Pro – Early 2008 or newer
• Xserve – Early 2009

If your Mac is one that is listed above exactly, you might want to hold off on upgrading for now. If it’s newer than those listed above, you should be ok to upgrade as long as your Mac meets the following requirements:

• At the very least, 4GB of RAM
• At the very least, 20GB of free hard drive space
• Highly recommended, a graphics card with more than 512MB of memory

But wait, Apple says all I need is 2GB of RAM, 8GB of free drive space and they don’t even mention the graphics card! I know. And your Mac will run OS X alright with those specs. The problems start when you want to run any other applications. 2GB is the minimum requirement for OS X, meaning OS X needs those 2GB to run properly. It does not mean you can run OS X + Mail + iTunes + Safari with 10 tabs + Photoshop (which will require 4GB at minimum, 8GB preferred).

You want to take the minimum suggested requirements and double them for better results or triple them for smooth operation. So if you have a Late 2008 MacBook Air with 2GB of RAM and 10GB of free drive space… do yourself a favor and don’t upgrade. Or at least wait until you hear/read about how the system performs for others that also have Late 2008 MacBook Airs.

Software compatibility
Check the websites of the manufacturers to see if the software you use is compatible with El Capitan. You may need a software update or you may need to purchase a brand new version. Find out now so there are no surprises after you upgrade.

Skipping versions
If your Mac is running 10.9 or 10.10 you should be able to upgrade to 10.11 El Capitan without any issues. However if your Mac runs 10.7, the jump to 10.11 might cause issues. Apple typically states you can upgrade from any Mac running 10.6.8 to the latest OS X but speaking from experience, this rarely goes off without a hitch. If the upgrade is skipping a few versions you may want to consider starting fresh, meaning an erase and install. If your system is currently experiencing issues (regardless of the OS version you have installed) like slow performance, freezing, spinning beachball or applications unexpectedly quitting do not upgrade. An upgrade is not a magical fix, it will almost certainly make the issue worse. Instead resolve the problem first and then upgrade. Depending on the issue a clean install may be the best solution.

After a clean install you can migrate your user data back from a Time Machine or Clone backup. This will ensure you have a brand new and fresh OS rather than a patched one an upgrade would provide.

Backup and Clone
Upgrading to a whole new OS is a very invasive undertaking. In case something goes wrong (see prior point but even if your system is fine, stuff can still go wrong) you want a backup to restore from. You should already have some kind of backup strategy in place like Time Machine but in cases like these it’s a good idea to have a clone of your system as well. A clone is a 1:1 copy of your hard drive contents and will allow you to boot up from it or restore the entire system. If you upgrade to El Capitan and find out you hate it, have too many incompatible applications or it just doesn’t run well on your older machine, just start up from the clone drive and copy the whole thing back to your Mac. Once the clone is done and you restart it’ll be like nothing ever happened.

SuperDuper is my preferred cloning tool and I recommend using an external hard drive that supports FireWire 800, USB 3.0 and/or eSATA for best performance. USB 2.0 and FireWire 400 will work but both the cloning and booting from it, if needed, will be painfully slow. Keep running your Time Machine backups as usual too of course.

Remember your passwords
After installing the new system you will be asked for your Apple ID so that features like iCloud and Messages can be enabled so make sure you know the login details before you upgrade. You can set up your iCloud and Messages later on but entering these details during the installation will make for a smoother experience when it’s done.

Duplicate important documents
Once you upgrade and start working on a document in a new version of Numbers, just to name one, you cannot open that document in older versions anymore. This is the case for a lot of software. With a new OS usually come big application updates or upgrades as well. If you have important documents that you still need to be able to work on even if you decide to downgrade back to your previous system later on (with that clone I mentioned), make a copy and work on that instead. If you open/edit the original file you may not be able to use it anymore if you downgrade your system.

Having a backup (clone preferred) will ensure you can go back to the previous state of your system and is therefore the most important step when it comes to any upgrade.


Be sure you are prepared for iOS9

This exact article is recycled every year when a new iOS is about to be released. I have edited it where needed and republished it so you can be ready for tomorrow’s upgrade to iOS 9.

Tomorrow Apple’s iOS 9 will be available to the public. The next few days you’ll hear a lot of the following:
– I love it! It’s amazing!
– It’s great but….
– Where did all my *name data* go?!
– My *name app* doesn’t work anymore!
– My phone is messed up now!
– I hate it, I wish I could go back.

As always there will be people from all of the above camps out there. You won’t know what camp you’ll be in until you install iOS 9 so it’s important to prepare properly so you won’t lose data and/or can downgrade back to iOS 8. If you upgrade, love it and don’t experience a single issue, great. Then you’ll have done all of the following for nothing but hey, better safe than sorry 🙂 Let’s begin.


Adobe Flash Player, it’s time to say goodbye.

I can’t remember a time without you. You’ve caused sluggish performance, slow page loads and have put me at risk many times. Adobe Flash Player, it’s time to go.

It’s no secret that Flash Player is not the best web plug-in to have. It has a long history and list of security vulnerabilities. It is very demanding on your system, causing older machines to feel terribly slow when they really shouldn’t. And these days HTML5 has pretty much replaced Flash everywhere it matters.

I have removed Flash Player from my system before, but somehow it always found its way back on. Today however I decided to remove it once and for all.

Why? Security mostly. I don’t have any Macs that are too old to properly load and run a website that relies on Flash Player but the never ending security vulnerabilities basically just pissed me off. I keep Flash Player up to date. The second an update is available, I install it on all my systems thinking at least it’ll protect me from the latest vulnerabilities. Sure there are vulnerabilities out there that have yet to be discovered but as long as they are not known to the mainstream, I should be safe from them.

Today another Flash Player vulnerability was patched, a 0-day that was being used in the wild for quite some time. Hacking Team, a company that specializes in surveillance software and will sell to anyone that pays, was hacked a few days ago. The hackers cleaned out their poorly secured servers and dumped all the data online for anyone to see (over 400GB worth). In that data this Flash Player 0-day was discovered and Adobe pushed out a patch as soon as possible.

It’s not the first 0-day to be discovered and it most certainly won’t be the last. But this one may have been around for a while and could have been sold to government agencies and dictatorships alike and be in active use by them. That just irks me. When I tell friends and family to update their Flash Player the first thing I hear is “I just did that!” or “Again?!” and they’re right, it’s ridiculous. So, goodbye and good riddance Adobe Flash Player. It’s a headache I can do without.

If you want to uninstall Flash Player, go to your Applications > Utilities folder and in it you’ll see “Adobe Flash Player Install Manager.app”. Run that and Flash Player will be removed from your system. I doubt you’ll miss it, as all sites that matter have switched to HTML5 by now, which requires no plug-in to function. If you’re a laptop user and use a lot of websites that call on Flash Player, you should notice an increase in battery life, and every computer user, laptop or desktop, will lighten the load on their processor.

[UPDATE July 10] The Hacking Team leaked data has revealed a second 0-day exploit which is at the time of writing still unpatched. Now that it’s public, expect this exploit to be in the wild very soon, if not already.

[UPDATE July 12] Oops, make that TWO new 0-day exploits that are unpatched. Still have Flash Player installed after all this? Good luck.


Apple releases updates for OS X and iOS

While you’re reading this, have your Time Machine or other backup running.

Today Apple released software updates for OS X and iOS. The update for iOS is 8.4 and its main purpose is the introduction of iTunes Music, but as always some security related issues were addressed as well. A total of 35 security issues were fixed, making this more than just a music service update. Back up your iOS devices to iCloud or iTunes and install the update when you can. Read the installer for all the details on what the update has to offer.

For OS X users we got a new version of Safari. Available for users of OS X 10.8.5, 10.9.5 and 10.10.3. While only 4 WebKit issues were addressed, they are not insignificant:
• A maliciously crafted website can access the WebSQL databases of other websites.
• Visiting a maliciously crafted website may lead to account takeover.
• Clicking a maliciously crafted link in a PDF embedded in a webpage may lead to cookie theft or user information leakage.
• Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution.
By installing this update, Mountain Lion users will get Safari 6.2.7, Mavericks users will get Safari 7.1.7 and Yosemite users will get Safari 8.0.7. It is recommended to install this update soon, especially if Safari is your primary browser.

Also released today was OS X Yosemite 10.10.4. Fixing a whopping 79 security issues it is recommended you install this update as soon as you can. A few of the security fixes are:
• (Admin Framework) A process may gain admin privileges without proper authentication.
• (Admin Framework) A non-admin user may obtain admin rights.
• (Admin Framework) An attacker may abuse Directory Utility to gain root privileges.
• (ATS) Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution.
• (Bluetooth) A malicious application may be able to execute arbitrary code with system privileges.
• (Certificate Trust Policy) An attacker with a privileged network position may be able to intercept network traffic.
• (EFI) A malicious application with root privileges may be able to modify EFI flash memory.
• (EFI) A malicious application may induce memory corruption to escalate privileges.
The list goes on and on. While I have not confirmed this yet, some or all of the included security fixes address the recently discussed XARA vulnerabilities, which makes this (amongst many reasons) a great update. The included EFI fixes address a serious vulnerability that was recently found and could compromise a Mac. Another reason a lot of people are excited about the 10.10.4 update is the return of mDNSResponder. Starting with OS X 10.10 Apple replaced the process with Discoveryd, a move that was ill advised since the very beginning, but Apple did it anyway. A host of network related issues, high CPU usage, battery life problems, wake from sleep issues and more were attributed to this new process. It’s finally gone, making folks very excited to see all those issues (hopefully) disappear. If you experienced any of these issues, Wi-Fi issues and network issues in general, this update might solve your woes. I am hoping the removal of the dreaded Discoveryd process will return my OS X server to something worth having.

That brings us to the next update specifically for OS X 10.8 Mountain Lion and 10.9 Mavericks users. It’s called “Mac EFI Security Update 2015-001” and addresses the same EFI vulnerability mentioned above. While OS X 10.10 Yosemite users have this EFI fix included in the 10.10.4 update, users of older OS X versions must install this stand-alone update. Backing up your data before any update is a good idea but with EFI Firmware updates, make extra sure your backup is recent and in working order. A software update gone bad can be fixed with a reinstall. A firmware update gone bad can result in your Mac becoming a brick with no way to reinstall. I have updated over 65 machines this afternoon without a single issue but you never know. Better safe than sorry.

Update your backups and start installing updates!


XARA sets its sights on OS X and iOS

Researchers have discovered “a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps’ sensitive data.” Sounds ominous huh? It is.

The researchers built a malicious app, submitted it to Apple, beat all the tests and security screenings and got the app into the App Store. This app was able to snatch data from the keychain (where all your passwords live on a Mac) using a very simple trick. Your keychain allows the sharing of resources. Your stored Facebook password, for example, can be accessed by other applications if you allow it. This app created a false entry for Facebook stored login credentials. Next time the user actually logs in to Facebook, the login details are stored in the keychain entry created by the malicious app. Now the app has your Facebook login credentials. You can imagine a truly malicious app by malware creators will go after your entire keychain and harvest whatever it can. They routed their app through Apple to make a point, but of course malware can come from any source.

The above described method is just one of the cross-app resource access (XARA) attacks that were performed. WebSocket and Scheme were also tested and did not fare well. Even the implementation of sandboxing (making sure each app stays in its own confined space and can’t access data it shouldn’t) Apple uses was found to be flawed, “exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID.” The Bundle ID is a unique identifier for each app that comes from the App Store. Applications that use bundled helper apps like 1Password have a Bundle ID, but the helper app does not. In the case of 1Password that would be the browser extension. The researchers found that they were able to intercept traffic between 1Password and the browser extension, giving them access to the things you don’t want anyone to access.

1Password has been working on this issue for a while and has yet to find a fix. All they can do is recommend users always keep their 1Password Mini running and pay attention to what they install. The reason for their first suggestion is that the researchers launched the malware before 1Password Mini and were able to accomplish the intercept of sensitive data. If 1Password Mini launches right when you log in to your Mac, the malware should not be able to get between 1Password Mini and the browser extension. AgileBits’ full discussion on this topic can be found here.

To allow applications to communicate with their helpers they often set up a server. In the case of 1Password, the application runs a server and opens a few different ports waiting for requests from the browser extension. That inter-app communication is the weak link. It might even be the communication between the 1Password Mini and the 1Password app, I’m not sure. Either way, there is no fix as of yet. Disabling the browser extension won’t help, disabling 1Password Mini won’t help and clearing all names and passwords from your system and keeping them in a notepad is not only a very bad idea, it’s just impractical.
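The keychain trick described above comes down to an app writing its secret into an entry it did not create. As an added model (not Apple’s keychain API or the researchers’ code), the Python below contrasts the naive “add, and on duplicate just update” pattern with a check of the item’s access list before writing; the Keychain class, bundle IDs and credential values are stand-ins constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class KeychainItem:
    service: str
    account: str
    secret: str
    acl: Set[str] = field(default_factory=set)  # app IDs allowed to read/write


class Keychain:
    """Minimal stand-in for the OS keychain: items keyed by (service, account)."""

    def __init__(self) -> None:
        self._items: Dict[Tuple[str, str], KeychainItem] = {}

    def find(self, service: str, account: str) -> Optional[KeychainItem]:
        return self._items.get((service, account))

    def add(self, owner: str, service: str, account: str, secret: str,
            share_with: Tuple[str, ...] = ()) -> bool:
        """Create a new item; the creator decides who else is on the ACL.
        Returns False if an item already exists (a duplicate-item error)."""
        key = (service, account)
        if key in self._items:
            return False
        self._items[key] = KeychainItem(service, account, secret, {owner, *share_with})
        return True

    def read(self, app: str, service: str, account: str) -> Optional[str]:
        item = self.find(service, account)
        if item is None or app not in item.acl:
            return None
        return item.secret


def store_naive(kc: Keychain, app: str, service: str, account: str, secret: str) -> str:
    """The pattern XARA abuses: on "duplicate item", update in place without
    asking who created the entry or who else is allowed to read it."""
    if kc.add(app, service, account, secret):
        return "added"
    kc.find(service, account).secret = secret
    return "updated"


def store_checked(kc: Keychain, app: str, service: str, account: str, secret: str) -> str:
    """Hardened variant: only write into an existing item if the caller is
    the sole app on its ACL; otherwise refuse and report who else is there.
    Deleting and re-creating the item is another possible response."""
    if kc.add(app, service, account, secret):
        return "added"
    item = kc.find(service, account)
    foreign = item.acl - {app}
    if foreign:
        return "refused: item shared with " + ", ".join(sorted(foreign))
    item.secret = secret
    return "updated"


# Constructed scenario with placeholder bundle IDs, not real apps.
EVIL = "com.example.squatter"
VICTIM = "com.example.socialclient"
SERVICE, ACCOUNT = "www.facebook.com", "alice"


def scenario(store) -> Tuple[str, Optional[str], Optional[str]]:
    """Squatter plants an empty entry the victim can see; victim then saves."""
    kc = Keychain()
    kc.add(EVIL, SERVICE, ACCOUNT, "", share_with=(VICTIM,))
    status = store(kc, VICTIM, SERVICE, ACCOUNT, "correct horse battery")
    return status, kc.read(EVIL, SERVICE, ACCOUNT), kc.read(VICTIM, SERVICE, ACCOUNT)


if __name__ == "__main__":
    print("naive  :", scenario(store_naive))    # squatter now reads the password
    print("checked:", scenario(store_checked))  # write refused, nothing leaks
```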

“Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications,” the researchers pointed out. To see just how widespread these issues were, they developed a scanner that automatically analyzed OS X and iOS app binaries.

“In our study, we ran the analyzer on 1,612 most popular MAC apps and 200 iOS apps, and found that more than 88.6% of the apps using those mechanisms and channels are completely exposed to the XARA attacks, and every app’s container directory has been fully disclosed. The consequences are dire: for example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system’s keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome; from various IPC channels, we intercepted user passwords maintained by the popular 1Password app (ranked 3rd by the MAC App Store) and the secret token of Evernote (ranked 3rd in the free “Productivity” apps); also, through exploiting the BID vulnerability, our app collected all the private notes under Evernote and all the photos under WeChat. We reported our findings to Apple and other software vendors, who all acknowledged their importance.”

Affected apps and services include iCloud, Gmail, Google Drive, Facebook, Twitter, Chrome, 1Password, Evernote, Pushbullet, Dropbox, Instagram, WhatsApp, Pinterest, Dashlane, AnyDo, Pocket and several others.

I can go on and on sharing every step of the research, rag on Apple for not fixing these issues (they have known since October 2014) and get into the technicalities but for now all you need to know is this:
• These vulnerabilities are huge and there is no fix.
• Now that the news is out, bad guys will jump on this and implement it in their malware.
• Right now no known malware uses these techniques.
• Malicious apps can come from any source, including the App Store.

Until more is known and Apple provides a fix, continue using your best practices.
• Don’t install software unless you absolutely need it.
• Whatever you do install should come from a well known reputable developer and only from original sources (developer website or App Store).
• Use Little Snitch. Any malicious application that uses these techniques will have to send your stolen data somewhere. Little Snitch will show you that outgoing connection attempt and if it’s something you don’t recognize or find suspicious, block it. In theory, even if you were to be infected with this type of malware, the stolen data will remain on your system.

Unfortunately iOS does not have a Little Snitch and was found to be vulnerable as well, though not as much as OS X. So be extra careful with what you install on your iDevice.

[UPDATE] Friday June 19th.
Apple has commented stating: “Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store,” an Apple spokesperson told iMore. “We have additional fixes in progress and are working with the researchers to investigate the claims in their paper.”

The full report can be found here (PDF, links to Google Drive).
A YouTube video showing how one of the exploits works can be seen here.
A YouTube video showing how a WebSocket attack against 1Password is done can be seen here.
And how to steal iCloud tokens in a Keychain attack: here.


Knock Knock, me again!

Last October I wrote an article about Knock Knock, a tool that checks the common hiding places of malware (the persistence locations where it installs itself to survive a reboot). You can read that article here. Overall a good tool, but it was command-line only. Immediately after writing the article I was asked, both in the comments and via email, to do a follow-up piece with instructions on how to use it. I said I would but never got around to it. The article ended with me saying: “If the developer keeps working on this tool, possibly give it a GUI and make it run on a Mac all the time, this would be a great way to keep an eye on your system.”

Today I received an email from the Knock Knock creator, Patrick Wardle, to say that he had done just that. Knock Knock now has a neat user interface which makes it a lot easier and more fun (for nerds like me anyway) to use. On top of that he integrated VirusTotal, so you can see whether a particular file is flagged as malware by the antivirus engines VirusTotal aggregates. VirusTotal is not foolproof and will not show a detection for everything, but it can certainly give a good indication as to whether a file should be investigated further.

Let’s take it for a spin and see what we got!
If you prefer to explore for yourself, download Knock Knock here.

The application is a very light 1.5 MB and the UI is very clean. I tested the app on my main system first (OS X 10.10.3). Simply clicking the “Start Scan” button immediately resulted in a permission request dialog asking me whether Knock Knock could access confidential information from the Safari Extensions List. I allowed it once, then did another scan and denied the access. Allow or deny, the scan still shows results for browser extensions; the only difference is that Safari results are omitted if you deny the access. I believe you can safely allow it. Knock Knock only attempted to make one connection to a remote server during and after the scan: to Google, for the VirusTotal results. The connection to “ghs-svc-https-c46.ghs-ssl.googlehosted.com” was blocked by my Little Snitch, so initially I did not get any VirusTotal results. If you block any and all Google-related connections, Knock Knock still functions; you just miss out on the VirusTotal results, which could help you if you are new at this.

Knock Knock showed me a little over 30 results, all clean. This list may seem small, but that is because Knock Knock omits OS and known items by default. If you want the full list, every kernel extension and login item included, click the gear and check “show os/known items”, then run the scan again. If you do not want to confuse yourself, stick with the default settings. In the preferences you can also disable the VirusTotal integration and have the app save the results for you. If enabled, there will be a “kkFindings.txt” in your Downloads folder after a scan. Make sure you rename that text file if you want to keep the results, as Knock Knock overwrites the same file with the next scan's results. A little colored lock icon also shows whether a found file is signed or unsigned, which can be helpful.

Everything looks and works well on a clean system. No abnormal CPU or memory usage, no hangs or freezes. Let’s see how it handles an infected OS.

Thanks to the VirusTotal integration it is very obvious when something is detected. Knock Knock marks the category that has potentially infected items in bright red, and the individual suspect files show their VirusTotal score in red as well. As mentioned before, VirusTotal is not foolproof, so as expected a lot of files were not flagged as malware. To be clear, Knock Knock showed them all; VirusTotal just didn't flag them, so read through the full list rather than only the red entries. The files you want gone can easily be located with the “show” icon, which takes you to the file's location in the Finder.
I did notice that on the infected system (OS X 10.9.5) Knock Knock did not prompt me for access to Safari extensions, and no Safari extensions were listed in the scan results, even though Safari on that system is heavily infected with all kinds of malware. It did find Chrome and Firefox extensions. Even with this small issue, I still recommend at least trying Knock Knock 1.0.0. Keep it on your system if you like it or find it helpful and, just like AdwareMedic, run it periodically to see if anything shows up that raises red flags.
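To make concrete what a scan of the launch items (the launchd persistence locations Knock Knock lists as "launch items") involves, and why the VirusTotal and signed/unsigned columns matter, here is an added example in Python. It is my own code, not Knock Knock's: it walks the LaunchAgents/LaunchDaemons directories, pulls out the executable each plist points at, computes its SHA-256 (the hash VirusTotal keys its reports on) and, on macOS, asks codesign whether that executable is signed. The directory list, the com.apple.* name filter standing in for the "show os/known items" toggle, and the sample plists built by build_sample_dir() are all assumptions constructed for this example.

```python
import hashlib
import os
import plistlib
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# launchd persistence directories on macOS (an assumed subset of what Knock
# Knock scans). The per-user one is where most adware drops itself.
LAUNCH_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def program_from_plist(data: bytes):
    """Return the executable a launchd plist would run, or None.

    launchd accepts either a Program string or a ProgramArguments array whose
    first element is the executable. Corrupt input yields None instead of an
    exception so one broken plist cannot abort a whole scan.
    """
    try:
        plist = plistlib.loads(data)
    except Exception:
        return None
    if not isinstance(plist, dict):
        return None
    program = plist.get("Program")
    if isinstance(program, str):
        return program
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def sha256_file(path: str) -> str:
    """SHA-256 of a file; VirusTotal reports are looked up by this hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def signing_status(path: str) -> str:
    """'signed', 'unsigned', or 'unknown' where codesign is unavailable (non-macOS)."""
    if shutil.which("codesign") is None:
        return "unknown"
    result = subprocess.run(["codesign", "--verify", path], capture_output=True)
    return "signed" if result.returncode == 0 else "unsigned"


def scan_launch_dirs(dirs=LAUNCH_DIRS, show_known=False):
    """List launch items with the executable, its hash and its signing state.

    show_known=False skips plists named com.apple.* as a crude stand-in for the
    "show os/known items" toggle (an assumption of this example; the real tool
    does not go by file name). Never trust the name alone: adware routinely
    calls itself com.apple.something, so re-run with show_known=True when in doubt.
    """
    findings = []
    for directory in dirs:
        base = Path(directory)
        if not base.is_dir():
            continue
        for plist_path in sorted(base.glob("*.plist")):
            program = program_from_plist(plist_path.read_bytes())
            if program is None:
                continue
            if not show_known and plist_path.name.startswith("com.apple."):
                continue
            entry = {"plist": str(plist_path), "program": program,
                     "exists": os.path.isfile(program)}
            if entry["exists"]:  # a dangling reference is itself worth a look
                entry["sha256"] = sha256_file(program)
                entry["signing"] = signing_status(program)
            findings.append(entry)
    return findings


def build_sample_dir() -> str:
    """Constructed sample LaunchAgents folder for offline runs (not real data)."""
    root = tempfile.mkdtemp(prefix="kk-sample-")
    agents = Path(root, "LaunchAgents")
    agents.mkdir()
    fake_binary = Path(root, "agent")
    fake_binary.write_bytes(b"hello")  # stands in for an installed executable
    samples = {
        "com.example.agent.plist": {"Label": "com.example.agent",
                                    "Program": str(fake_binary)},
        "com.example.updater.plist": {"Label": "com.example.updater",
                                      "ProgramArguments": ["/nonexistent/updater", "--daemon"]},
        "com.apple.lookalike.plist": {"Label": "com.apple.lookalike",
                                      "Program": "/usr/bin/true"},
    }
    for name, content in samples.items():
        (agents / name).write_bytes(plistlib.dumps(content))
    (agents / "broken.plist").write_bytes(b"not a plist")
    return str(agents)


if __name__ == "__main__":
    dirs = LAUNCH_DIRS if sys.platform == "darwin" else [build_sample_dir()]
    for item in scan_launch_dirs(dirs):
        flag = "" if item.get("signing") == "signed" else "  <-- check this"
        print(f'{item["plist"]}\n    -> {item["program"]} '
              f'[{item.get("signing", "missing")}] {item.get("sha256", "")}{flag}')
```

Run on a Mac it prints the real launch items; elsewhere it falls back to the constructed sample folder. An unsigned executable or a plist that points at a file that no longer exists is exactly the kind of entry Knock Knock's lock icon and red marking are drawing your eye to, and the SHA-256 is what you would paste into VirusTotal to see whether any engine has an opinion about it.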

Knock Knock is not an all-in-one security solution; such solutions do not exist. As mentioned before, the best security comes in layers, and Knock Knock is certainly one of many layers worth having.

UPDATE: Patrick sent me an email today telling me the issue with Safari extensions on older systems has been resolved. Knock Knock 1.2.2 can be downloaded at the link below.

Previous writeup on Knock Knock.
Knock Knock download and basic instructions.
Also mentioned: AdwareMedic
Also mentioned: Little Snitch


Comments temporarily disabled – Updated

Due to a serious vulnerability discovered in the WordPress platform, comments have been disabled throughout the entire site. As soon as WordPress offers a patch, comments will be re-enabled.

Update: WordPress has not addressed this issue yet, but thanks to a workaround by Arnaud that limits the comment size, I was able to allow comments again.

Update 2:
WordPress has rolled out an update with a patch for the issue.
