Ok, thanks Ronni, will pass this information on to James.

Regards, Pete.

----- Original Message -----
From: wamug@wamug.org.au
To:
Cc:
Sent:Sun, 30 Apr 2017 13:14:07 +0800
Subject:Re: Macbook Pro Certificates

Hi again Peter,
I just noticed you mentioned that on James's MacBook Pro he has the
Firewall TURNED OFF? .... why is this setting turned OFF? I would never
recommend the Firewall be turned OFF!
He would be prompted to Deny or Allow access to specific apps when
they begin listening for outside connections, and OS X remembers your
choice (you can always change your mind later). You can customize your
Firewall settings in Security & Privacy > Firewall > Firewall Options.
Cheers,
Ronni
Sent from Ronni's iPad4

On 30 Apr 2017, at 12:37 pm, Ronni Brown  wrote:

Hi Brian & Peter,
I agree with Brian that this issue is at the school’s end. The
“Show Certificate” button that, when James clicked it, did not show the
certificate indicates to me that the certificate on the school’s
intranet/internet has been updated, changed or expired relative to the
certificate on James's MacBook Pro that he accessed with before the
holiday period. I would not suspect it to be a Sierra issue.
I expect the problem will only be corrected by the school’s IT
Department.
Are other students experiencing a similar issue to James?

Regards,
Ronni
13-INCH MACBOOK AIR (APRIL 2014)
1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
8GB 1600MHz LPDDR3 SDRAM
512GB PCIe-based Flash Storage
macOS Sierra 10.12.4
On 30 Apr 2017, at 11:12 am, Brian Risbey  wrote:
Hi Peter
Just as a thought, the Department of Ed is upgrading all school
wireless networks in preparation for online NAPLAN testing; they
missed the cutoff and 2017 is going to be paper. They are adding many
more wireless routers. Our school has had issues with iPads not
connecting to the wireless system all Term 1, ongoing. My MacBook Pro
has occasional issues too. So, it could be the school’s end with the
wireless network. The Department is also having major issues with
access to teacher email services via Safari and has suggested using a
different application.
Just a bit of ‘insider’ knowledge/experience.
Brian
On 30 Apr 2017, at 10:04, petercr...@westnet.com.au [3] wrote:

Ok, I can confirm there was no email opened at all - James does not
attend to his emails - so I am sure this malware (Dokument.zip) is
not the source of his problem. He also indicates there was no email
and no zip folder he has accessed, and he is still unaware of an email
if indeed it is in his Inbox.

He has been provided credentials from the school (in use for a
couple of years at least) and has had no problem auto-connecting
until now (the problem has arisen post these school holidays, where we did
the update to Sierra 10.12.4 from El Capitan). He is able to see and
connect to the school WIFI network (modems dotted all around the
school; whichever room he is in, he can connect) but is unable to access
the internet (as he puts it). The VMware he uses for school material
is an internal site to the school (like _Intranet_), but he also is
unable to get to the proper _internet_ (Google etc) from the school
access point as he was previously able to. He is however able to get
to the school intranet site AND to the internet (Google etc), all from
the home WIFI without issue.

His recollection of events is that upon getting back to school for the
first time after the recent holiday period, on opening up his MacBook, a
popup presented saying "Show certificate", which he pressed; no
certificate showed, he made no further entries, and ever since no
intranet or internet connectivity has been possible.

On his MacBook, his Security > Firewall setting is OFF.

WCE comfortably across the line, though the Dockers put up a bit of a
fight in the second half. I hope you Pies do the proper business :)

Regards

Peter.

----- Original Message -----
From: wamug@wamug.org.au [4]
To:
Cc:
Sent:Sat, 29 Apr 2017 19:30:22 +0800
Subject:Re: Macbook Pro Certificates

Hi Peter,
Need to know from James the exact details of what that "Certificate
Pop up screen message" was and what happened after he clicked
"accept". Also details about the school's network/WiFi
access environment.
Eagles 45 points lead at half time... just have to keep playing as
well in the second half, not fade away like they have been lately in the 3rd &
4th quarters. Pies need a big win tomorrow :(
Cheers,
Ronni
Sent from Ronni's iPad4

On 29 Apr 2017, at 6:35 pm, Peter Crisp  wrote:

Hi Ronni, thanks for the details, but I think it is safe to say James
has not gone down this path as he NEVER opens his emails. So for that
reason, it is highly unlikely. I will nonetheless get his confirmation
that he hasn't opened any emails, and specifically one with a Zip
folder in it.
So if I am correct and the dokument.zip scenario is a red herring,
what else could it be?
WCE have made a good start, though a long way to go.

Regards

Pete
On 29 Apr 2017, at 12:32 PM, Ronni Brown  wrote:

Hi Peter,
For James to have been infected by OSX.Dok, James would have needed to
install it! And he would have had to go through quite a number of steps &
windows to install it. You have indicated that James is pretty
competent in these things, so let's hope you are correct. As this is a
new, very nasty Malware, and the malware is able to retain
_root-level permission_ without continuing to request an admin
password.
---
“OSX.Dok comes in the form of a file named DOKUMENT.ZIP,
which is found being emailed to victims in phishing emails. Victims
primarily are located in Europe.
Apple has already revoked the certificate used to sign the app, so, at
this point, anyone who encounters this malware will be unable to open
the app and unable to be infected by it.
_IF THE USER CLICKS PAST THIS WARNING TO OPEN THE APP, IT WILL DISPLAY
A WARNING THAT THE FILE COULD NOT BE OPENED, WHICH IS SIMPLY A COVER
FOR THE FACT THAT NO DOCUMENT OPENED:_
Interestingly, this window cannot be dismissed, as the OK button does
not respond. Further, the app will remain stuck in this mode for quite
some time. If the user becomes suspicious at this point and attempts
to force quit the app, it will not show up in the Force Quit
Applications window, and in Activity Monitor it will appear as
“AppStore.”
If the user manages to force this “AppStore” app to quit, however,
all is not yet okay. The malware dropper will have copied itself into
the /Users/Shared/ folder and added itself to the user’s login items
so it will re-open at the next login to continue the process of
infecting the machine.
After several minutes, the app will obscure the entire screen with a
fake update notification: _“OS X UPDATES AVAILABLE - A SECURITY ISSUE
HAS BEEN IDENTIFIED IN A OS X SOFTWARE PRODUCT_ etc etc.”
_If James did continue to this stage, his Mac is probably infected with
this Malware._
_Malwarebytes Anti-Malware for Mac_ [8] _will detect the important
components of this malware as OSX.Dok, disabling the active infection.
However, when it comes to the other changes that are not easily
reversed, which introduce vulnerabilities and potential behavior
changes, additional measures will be needed. For people who don’t
know their way around in the Terminal and the arcane corners of the
system, it would be wise to seek the assistance of an expert, or
ERASE THE HARD DRIVE AND RESTORE THE SYSTEM FROM A BACKUP MADE PRIOR
TO INFECTION._
Please post back more information from James as to exactly what the
details of the below “certificate pop up screen” were, and what
happened after he clicked “Accept”.

"certificate pop up come up on screen" to which he pressed
Accept
I’m hoping it is not the malware and can be rectified without
an erase of the hard drive and restore of the system from a previous
backup made prior to infection.

Cheers,
Ronni
13-INCH MACBOOK AIR (APRIL 2014)
1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
8GB 1600MHz LPDDR3 SDRAM
512GB PCIe-based Flash Storage
macOS Sierra 10.12.4

On 29 Apr 2017, at 10:33 am, Pat  wrote:
There is a report in today’s online news about a new malware
targeting Macs called OSX/Dok. The first symptom is a pop-up message
about a new OSX update. Don’t update! It is a trojan that can bypass
Gatekeeper. Apparently it is signed with a valid developer certificate
and attacks all kinds of Mac.
Pat

On 29 Apr 2017, at 08:57, petercr...@westnet.com.au [10] wrote:

My son's (James) MacBook Pro (~2011) has been updated to Sierra
10.12.4 since he went on school holidays. He went back to school this
week and was unable to gain access into the school IT environment
using the school wifi. He had previously had no problem the last time
he was at school, running El Capitan. He called me this morning, as I am
FIFO at the moment in sunny Hedland, and using Facetime we proved a few
things. He was able to access the school IT environment by using the
home WIFI network without a hitch. This problem therefore arises when
he is at school in the school wifi environs.

He indicated to me that when first attempting to connect to the school
environment via the installed VMware he had a "certificate pop up
come up on screen", to which he pressed Accept. My suspicion is that
has something to do with his access problem, though it may potentially be a Sierra
related issue. He took it to his school IT team on Friday,
who said "you need to go to the App store and do an update". He told
them he is at the latest OSX 10.12.4; there is no further update - I
think they're fobbing him off and copping out because they don't
actually know the problem and solution. But neither do I, however I
admit to it. James is pretty competent in these things, but we're both
stumped right now.

Any clues by anyone on similar issues?

Regards

Pete.

Links:
------
[1] mailto:ro...@mac.com
[2] mailto:risb...@bigpond.com
[3] mailto:petercr...@westnet.com.au
[4] mailto:wamug@wamug.org.au
[5] mailto:wamug@wamug.org.au
[6] mailto:petercr...@westnet.com.au
[7] mailto:ro...@mac.com
[8] https://www.malwarebytes.com/mac/
[9] mailto:clamsh...@iinet.net.au
[10] mailto:petercr...@westnet.com.au

-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Settings & Unsubscribe - <http://lists.wamug.org.au/listinfo/wamug.org.au-wamug>