Thanks Brian, from what I understand the students access via the first method (servers + internet). Maybe the higher years get the second access method ability. Will enquire when I am back from the Pilbara.

Regards Pete.

----- Original Message -----
From: wamug@wamug.org.au
Sent: Sat, 6 May 2017 07:01:32 +0800
Subject: Re: Macbook Pro Certificates

Hi Ronni and Pete

When students and teachers log onto a school wireless network there are two methods. First, with an ID number and password: this gives network access to servers and internet. Second way: students are allowed to bypass this step and log into a student network with a minimum level of access, just internet; you are presented with a pop-up screen asking you to accept a department security certificate. It is to do with the Education Department security log-in protocol. So, the pop-up screen may be this in place, not anything malicious. Hope this info helps.

Brian

On 5 May 2017, at 21:30, Peter Crisp wrote:

Ok thanks Ronnie, will arrange that in the morning. Good luck for your Pies!

Regards Pete

On 5 May 2017, at 8:53 PM, Ronda Brown wrote:

Hi Peter,

I would like to see the results of the Malwarebytes scan please. If James didn't keep a copy of the scan, you can email me the photos off-list or transcribe what the 39 items were; I would appreciate it. I can then comment if any further action is required. But, it sounds like James has done everything as instructed, which is very pleasing to hear.

Kind regards,
Ronni

PS I've backed your Eagles to win tomorrow, I won money on you last week & hope to tomorrow ;-) I haven't backed my Pies to win :(

Sent from Ronni's iPad4

On 5 May 2017, at 8:28 pm, Peter Crisp wrote:

Hi Ronnie, sorry for slow reply - working remotely to my son has necessary lag. So yes he has now run the anti-malware program. 39 items identified. I have these in photographs so could transcribe. He has done the clean-up too and re-run - it is all clean now. Firewall is ON too. Given that this has all been done, is there any further action in this space do you feel?

Regards Pete.
On 1 May 2017, at 9:49 pm, Ronni Brown wrote:

Hi Peter,

I mentioned previously for James to download and run Malwarebytes Anti-Malware for Mac [5]; has this been done?

James had his Firewall turned OFF, so his Mac was open to incoming connections from the outside world. With the Firewall ON it blocks incoming connections, and if you have "stealth mode" on in the Firewall options it basically makes your Mac invisible on an untrusted network.

That "Certificate PopUp screen" still worries me... Someone, or some malicious software with administrator privileges, could have made changes to the Network Settings to redirect all outgoing connections through a proxy server, which lets the attacker eavesdrop on your communications.

First run a Malwarebytes Anti-Malware for Mac scan and let us know the results please.

Regards,
Ronni

On 1 May 2017, at 5:23 pm, Peter Crisp wrote:

Hi Ronnie et al, James' MBP school network intranet/internet issue is now resolved. The issue was relating to Proxies. James took his MBP to the IT guys and they asked him "did you download any proxies", to which he responded "not that I know of". He may have done this accidentally; he didn't even know where the Proxy settings are located within System Prefs when I quizzed him this afternoon, so it wasn't by direct entry. Not sure how the Proxies came to become misaligned, unlikely a result of the Sierra update, but does anyone know how this could have happened? The IT guys said "we reset your network settings" and now it is all good at school and still working fine at home too.

Regards Pete.

On 29 Apr 2017, at 6:35 pm, Peter Crisp wrote:

Hi Ronni, thanks for the details but I think it is safe to say James has not gone down this path as he NEVER opens his emails. So for that reason, it is highly unlikely. I will nonetheless get his confirmation that he hasn't opened any emails, and specifically one with a Zip folder in it. So if I am correct and the dokument.zip scenario is a red herring, what else could it be?

WCE have made a good start though a long way to go.

Regards Pete

On 29 Apr 2017, at 12:32 PM, Ronni Brown wrote:

Hi Peter,

For James to have been infected by OSX.Dok, James would have needed to install it! And he would have to go through quite a number of steps & windows to install it. You have indicated that James is pretty competent in these things, so let's hope you are correct. As this is a new, very nasty malware, and the malware is able to have continued root-level permission without continuing to request an admin password.

---

"OSX.Dok comes in the form of a file named DOKUMENT.ZIP, which is found being emailed to victims in phishing emails. Victims primarily are located in Europe. Apple has already revoked the certificate used to sign the app, so, at this point, anyone who encounters this malware will be unable to open the app and unable to be infected by it.

If the user clicks past this warning to open the app, it will display a warning that the file could not be opened, which is simply a cover for the fact that no document opened. Interestingly, this window cannot be dismissed, as the OK button does not respond. Further, the app will remain stuck in this mode for quite some time. If the user becomes suspicious at this point and attempts to force quit the app, it will not show up in the Force Quit Applications window and in Activity Monitor it will appear as "AppStore." If the user manages to force this "AppStore" app to quit, however, all is not yet okay. The malware dropper will have copied itself onto the /Users/Shared/ folder and added itself to the user's login items so it will re-open at the next login to continue the process of infecting the machine.

After several minutes, the app will obscure the entire screen with a fake update notification: "OS X Updates Available - A security issue has been identified in a OS X software product" etc etc.

If James did continue to this stage his Mac is probably infected with this Malware.

"Malwarebytes Anti-Malware for Mac [9] will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don't know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection."

Please post back more information from James as to exactly what were the details of the below "certificate pop up screen", and what happened after he clicked "Accept"?

"certificate pop up come up on screen" to which he pressed Accept

I'm hoping it is not the malware and can be rectified without an erase of the hard drive and restore of the system from a previous backup made prior to infection.

Cheers,
Ronni

13-inch MacBook Air (April 2014)
1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
8GB 1600MHz LPDDR3 SDRAM
512GB PCIe-based Flash Storage
macOS Sierra 10.12.4

On 29 Apr 2017, at 10:33 am, Pat wrote:

There is a report in today's online news about a new malware targeting Macs called OSX/Dok. The first symptom is a pop-up message about a new OSX update. Don't update! It is a trojan that can bypass Gatekeeper. Apparently it is signed with a valid developer certificate and attacks all kinds of Mac.

Pat

On 29 Apr 2017, at 08:57, petercr...@westnet.com.au [11] wrote:

My son's (James) MacBook Pro (~2011) has been updated to Sierra 10.12.4 since he went on school holidays. He went back to school this week and was unable to gain access into the school IT environment using the school wifi. He had previously had no problem the last time in school when running El Capitan. He called me this morning as I am FIFO at the moment in sunny Hedland and using FaceTime we proved a few things. He was able to access the school IT environment by using the home WiFi network without a hitch. This problem therefore arises when he is at school in the school wifi environs. He indicated to me that when first attempting to connect to the school environment via the installed VMware he had a "certificate pop up come up on screen" to which he pressed Accept. My suspicion is that has something to do with his access problem, though it may potentially be a Sierra-related issue. He took it to his school IT team on Friday who said "you need to go to the App store and do an update". He told them he is at the latest OSX 10.12.4, there is no further update - I think they're fobbing him off and copping out because they don't actually know the problem and solution. But neither do I, however I admit to it. James is pretty competent in these things but we're both stumped right now. Any clues by anyone on similar issues?

Regards Pete.
Peter Crisp
petercr...@westnet.com.au [12]

-- The WA Macintosh User Group Mailing List -- Archives - Guidelines - Settings & Unsubscribe -

Links:
------
[1] mailto:petercr...@westnet.com.au
[2] mailto:ro...@mac.com
[3] mailto:petercr...@westnet.com.au
[4] mailto:ro...@mac.com
[5] https://www.malwarebytes.com/mac/
[6] mailto:petercr...@westnet.com.au
[7] mailto:petercr...@westnet.com.au
[8] mailto:ro...@mac.com
[9] https://www.malwarebytes.com/mac/
[10] mailto:clamsh...@iinet.net.au
[11] mailto:petercr...@westnet.com.au
[12] mailto:petercr...@westnet.com.au
[13] http://www.wamug.org.au/mailinglist/archives.shtml
[14] http://www.wamug.org.au/mailinglist/guidelines.shtml
[15] http://lists.wamug.org.au/listinfo/wamug.org.au-wamug
[16] http://www.wamug.org.au/mailinglist/archives.shtml
[17] http://www.wamug.org.au/mailinglist/guidelines.shtml
[18] http://lists.wamug.org.au/listinfo/wamug.org.au-wamug
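The thread turns on two checks that Ronni asks for in her 1 May message (proxy settings that would redirect outgoing traffic, and whether the application firewall and stealth mode are on) plus the OSX.Dok persistence spots named in the Malwarebytes text she quoted on 29 April (/Users/Shared and the login items). The script below is an added example, written for this page; it is not code from any message in the thread, from WAMUG or from Malwarebytes. The functions `proxy_state`, `pac_state`, `firewall_state` and `audit_mac` are mine; the sample outputs are constructed, and the script assumes `networksetup` and `socketfilterfw` print in the formats those samples show.

```shell
#!/bin/sh
# Added example, not from the thread. Audits outgoing-proxy settings and the
# application firewall on a Mac, then looks at the OSX.Dok persistence spots.
# The parsers take command output as text so they can run on the constructed
# samples below; on macOS, audit_mac feeds them live output.

# proxy_state "<output of networksetup -getwebproxy|-getsecurewebproxy|-getsocksfirewallproxy>"
# Prints "enabled host:port" (status 0) or "disabled" (status 1).
proxy_state() {
    out=$1
    if printf '%s\n' "$out" | grep -q '^Enabled: Yes'; then
        host=$(printf '%s\n' "$out" | sed -n 's/^Server: //p')
        port=$(printf '%s\n' "$out" | sed -n 's/^Port: //p')
        printf 'enabled %s:%s\n' "$host" "$port"
        return 0
    fi
    echo disabled
    return 1
}

# pac_state "<output of networksetup -getautoproxyurl>"
# A PAC (auto proxy) URL is the quieter redirect: the manual proxy fields stay
# empty and the fetched script decides per request where traffic goes.
pac_state() {
    out=$1
    if printf '%s\n' "$out" | grep -q '^Enabled: Yes'; then
        url=$(printf '%s\n' "$out" | sed -n 's/^URL: //p')
        printf 'enabled %s\n' "$url"
        return 0
    fi
    echo disabled
    return 1
}

# firewall_state "<socketfilterfw --getglobalstate output>" "<--getstealthmode output>"
# Prints "<firewall on|off> <stealth on|off>". Wording is an assumption.
firewall_state() {
    fwstate=off
    stealth=off
    printf '%s\n' "$1" | grep -qE 'State = [12]' && fwstate=on
    printf '%s\n' "$2" | grep -qiE 'stealth mode (is )?(enabled|on)' && stealth=on
    printf '%s %s\n' "$fwstate" "$stealth"
}

# Live audit, macOS only; returns 2 elsewhere.
audit_mac() {
    command -v networksetup >/dev/null 2>&1 || return 2
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        for kind in getwebproxy getsecurewebproxy getsocksfirewallproxy; do
            st=$(proxy_state "$(networksetup -$kind "$svc")") && echo "$svc $kind: $st"
        done
        st=$(pac_state "$(networksetup -getautoproxyurl "$svc")") && echo "$svc PAC: $st"
    done
    sfw=/usr/libexec/ApplicationFirewall/socketfilterfw
    echo "firewall stealth: $(firewall_state "$($sfw --getglobalstate)" "$($sfw --getstealthmode)")"
    # OSX.Dok persistence named in the quoted Malwarebytes text: a dropper in
    # /Users/Shared, a login item that relaunches it, a process shown as AppStore.
    echo "--- /Users/Shared (unexpected app bundles are suspicious) ---"
    ls -la /Users/Shared
    echo "--- login items ---"
    osascript -e 'tell application "System Events" to get the name of every login item'
    pgrep -l AppStore || echo "no process named AppStore"
}

# Constructed sample output (not captured from any real machine).
SAMPLE_PROXY_ON='Enabled: Yes
Server: 192.0.2.10
Port: 8080
Authenticated Proxy Enabled: 0'
SAMPLE_PROXY_OFF='Enabled: No
Server:
Port: 0
Authenticated Proxy Enabled: 0'
SAMPLE_PAC_ON='URL: http://192.0.2.10/wpad.dat
Enabled: Yes'
SAMPLE_FW_ON='Firewall is enabled. (State = 1)'
SAMPLE_STEALTH_OFF='Stealth mode disabled'

if command -v networksetup >/dev/null 2>&1; then
    audit_mac
else
    echo "not macOS; running the parsers on the constructed samples:"
    echo "web proxy (on sample):  $(proxy_state "$SAMPLE_PROXY_ON")"
    echo "web proxy (off sample): $(proxy_state "$SAMPLE_PROXY_OFF")"
    echo "PAC:                    $(pac_state "$SAMPLE_PAC_ON")"
    echo "firewall stealth:       $(firewall_state "$SAMPLE_FW_ON" "$SAMPLE_STEALTH_OFF")"
fi
```

Run it in Terminal on the Mac in question; `socketfilterfw --getglobalstate` may need `sudo`. A proxy or PAC reported as enabled on a machine where nobody configured one is the situation Ronni describes, and the IT team's "reset your network settings" would have cleared exactly these fields.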