Thanks Brian, from what I understand the students access via the
first method (Servers + Internet). Maybe the higher years get the
second access method. Will enquire when I am back from the
Pilbara.

Regards

Pete.

----- Original Message -----
From: wamug@wamug.org.au
To:
Cc:
Sent: Sat, 6 May 2017 07:01:32 +0800
Subject: Re: Macbook Pro Certificates

Hi Ronni and Pete
When students and teachers log onto a school wireless network there
are two methods. First, with an ID number and password - this gives
network access to servers and the internet. Second, students are
allowed to bypass this step and log into a student network with a
minimum level of access - just internet; you are presented with a
pop-up screen asking you to accept a department security certificate.
It is to do with the Education Department security login protocol. So
the pop-up screen may be this in place, not anything malicious. Hope
this info helps.
Brian
On 5 May 2017, at 21:30, Peter Crisp  wrote:

Ok thanks Ronnie, will arrange that in the morning.
Good luck for your Pies!

Regards

Pete
On 5 May 2017, at 8:53 PM, Ronda Brown  wrote:

Hi Peter,
I would like to see the results of the Malwarebytes scan please. If
James didn't keep a copy of the scan, you can email me the photos
offlist or transcribe what the 39 items were; I would appreciate it.
I can then comment if any further action is required. But it sounds
like James has done everything as instructed, which is very pleasing
to hear.

Kind regards,
Ronni

PS I've backed your Eagles to win tomorrow, I won money on you last
week & hope to tomorrow ;-) I haven't backed my Pies to win :(
Sent from Ronni's iPad4

On 5 May 2017, at 8:28 pm, Peter Crisp  wrote:

Hi Ronnie, sorry for the slow reply - working remotely to my son has
a necessary lag. So yes, he has now run the anti-malware program. 39
items identified. I have these in photographs so could transcribe.
He has done the clean-up too and re-run it - it is all clean now.
Firewall is ON too.
Given that this has all been done, is there any further action in
this space, do you feel?
Regards
Pete.

On 1 May 2017, at 9:49 pm, Ronni Brown  wrote:
Hi Peter,
I mentioned previously for James to download and run Malwarebytes
Anti-Malware for Mac [5], has this been done?
James had his Firewall turned OFF, so his Mac was open to incoming
connections from the outside world. With the Firewall ON it blocks
incoming connections, and having “stealth mode” on in the
Firewall options basically makes your Mac invisible on an untrusted
network.
That “Certificate PopUp screen” still worries me… Someone, or
some malicious software with administrator privileges, could have
made changes to the Network Settings to redirect all outgoing
connections through a proxy server, which lets the attacker eavesdrop
on your communications.
First run a Malwarebytes Anti-Malware for Mac scan and let us know the
results please.
Regards,
Ronni
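A defender-side check for the kind of proxy redirection Ronni describes, added here as an example and not part of the thread: a POSIX shell script that parses the output format of the real macOS networksetup proxy getters and flags any network service with a web, secure web, or automatic (PAC) proxy enabled. The sample outputs embedded at the bottom are constructed so the parsers can be exercised off a Mac.

```shell
#!/bin/sh
# Added example, not from the thread: audit macOS proxy settings for
# silent redirection. Parses the text printed by
# `networksetup -getwebproxy`, `-getsecurewebproxy` and `-getautoproxyurl`.

# Print "server:port" and return 0 when a (secure) web proxy is enabled.
proxy_target() {
    printf '%s\n' "$1" | awk '
        /^Enabled:/ { enabled = ($2 == "Yes") }
        /^Server:/  { server = $2 }
        /^Port:/    { port = $2 }
        END { if (!enabled) exit 1; print server ":" port }'
}

# Print the PAC URL and return 0 when automatic proxy configuration is on.
autoproxy_url() {
    printf '%s\n' "$1" | awk '
        /^Enabled:/ { enabled = ($2 == "Yes") }
        /^URL:/     { url = $2 }
        END { if (!enabled) exit 1; print url }'
}

# Walk every network service on a real Mac; a no-op where networksetup
# is absent (e.g. Linux), so the parsers can still be tested offline.
audit_proxies() {
    command -v networksetup >/dev/null 2>&1 || { echo "networksetup not found; skipping live audit"; return 0; }
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        for kind in -getwebproxy -getsecurewebproxy; do
            out=$(networksetup "$kind" "$svc" 2>/dev/null) || continue
            t=$(proxy_target "$out") && echo "WARNING: $svc $kind -> $t"
        done
        out=$(networksetup -getautoproxyurl "$svc" 2>/dev/null) || continue
        u=$(autoproxy_url "$out") && echo "WARNING: $svc PAC -> $u"
    done
}

# Constructed samples in the format networksetup prints (not real output).
SAMPLE_PROXY_ON='Enabled: Yes
Server: 192.0.2.10
Port: 8080
Authenticated Proxy Enabled: 0'
SAMPLE_PROXY_OFF='Enabled: No
Server:
Port: 0
Authenticated Proxy Enabled: 0'
SAMPLE_PAC_ON='URL: http://pac.example.test/proxy.pac
Enabled: Yes'

audit_proxies
```

Any WARNING line names a service whose traffic is being steered somewhere; a school or corporate network may legitimately set one, so compare against what the IT team says is expected before resetting the network settings.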

On 1 May 2017, at 5:23 pm, Peter Crisp  wrote:
Hi Ronnie et al, James’ MBP school network intranet/internet issue
is now resolved. The issue was relating to Proxies. James took his MBP
to the IT guys and they asked him “did you download any proxies”,
to which he responded “not that I know of”. He may have done this
accidentally; he didn’t even know where the Proxy settings are
located within System Prefs when I quizzed him this afternoon, so it
wasn’t by direct entry. Not sure how the Proxies came to become
misaligned, unlikely a result of the Sierra update, but does anyone
know how this could have happened?
The IT guys said “we reset your network settings” and now it is
all good at school and still working fine at home too.
Regards
Pete.

On 29 Apr 2017, at 6:35 pm, Peter Crisp  wrote:
Hi Ronni, thanks for the details but I think it is safe to say James
has not gone down this path as he NEVER opens his emails. So for that
reason, it is highly unlikely. I will nonetheless get his confirmation
that he hasn't opened any emails, and specifically one with a Zip
folder in it.
So if I am correct and the dokument.zip scenario is a red herring,
what else could it be?
WCE have made a good start though a long way to go.

Regards

Pete
On 29 Apr 2017, at 12:32 PM, Ronni Brown  wrote:

Hi Peter,
For James to have been infected by OSX.Dok, James would have needed to
install it! And he would have had to go through quite a number of
steps & windows to install it. You have indicated that James is pretty
competent in these things, so let's hope you are correct, as this is a
new, very nasty malware and the malware is able to have continued
root-level permission without continuing to request an admin
password.

“OSX.Dok comes in the form of a file named DOKUMENT.ZIP, which is
found being emailed to victims in phishing emails. Victims primarily
are located in Europe.
Apple has already revoked the certificate used to sign the app, so, at
this point, anyone who encounters this malware will be unable to open
the app and unable to be infected by it.
If the user clicks past this warning to open the app, it will display
a warning that the file could not be opened, which is simply a cover
for the fact that no document opened:
Interestingly, this window cannot be dismissed, as the OK button does
not respond. Further, the app will remain stuck in this mode for quite
some time. If the user becomes suspicious at this point and attempts
to force quit the app, it will not show up in the Force Quit
Applications window and in Activity Monitor, it will appear as
“AppStore.”
If the user manages to force this “AppStore” app to quit, however,
all is not yet okay. The malware dropper will have copied itself onto
the /Users/Shared/ folder and added itself to the user’s login items
so it will re-open at the next login to continue the process of
infecting the machine.
After several minutes, the app will obscure the entire screen with a
fake update notification: “OS X Updates Available - A security issue
has been identified in a OS X software product” etc etc.”

If James did continue to this stage his Mac is probably infected with
this malware.
“Malwarebytes Anti-Malware for Mac [9] will detect the important
components of this malware as OSX.Dok, disabling the active infection.
However, when it comes to the other changes that are not easily
reversed, which introduce vulnerabilities and potential behavior
changes, additional measures will be needed. For people who don’t
know their way around in the Terminal and the arcane corners of the
system, it would be wise to seek the assistance of an expert, or
erase the hard drive and restore the system from a backup made prior
to infection.”
Please post back more information from James as to exactly what were
the details of the below “certificate pop up screen”? And what
happened after he clicked “Accept”?

        "certificate pop up come up on screen" to which he pressed
        Accept

I’m hoping it is not the malware and can be rectified without an
erase of the hard drive and restore of the system from a previous
backup made prior to infection.

Cheers,
Ronni
13-inch MacBook Air (April 2014)
1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
8GB 1600MHz LPDDR3 SDRAM
512GB PCIe-based Flash Storage
macOS Sierra 10.12.4

On 29 Apr 2017, at 10:33 am, Pat  wrote:
There is a report in today’s online news about a new malware
targeting Macs called OSX/Dok. The first symptom is a pop-up message
about a new OSX update. Don’t update! It is a trojan that can bypass
Gatekeeper. Apparently it is signed with a valid developer certificate
and attacks all kinds of Mac.
Pat

On 29 Apr 2017, at 08:57, petercr...@westnet.com.au [11] wrote:

My son's (James) MacBook Pro (~2011) has been updated to Sierra
10.12.4 since he went on school holidays. He went back to school this
week and was unable to gain access into the school IT environment
using the school wifi. He had previously had no problem the last time
he was at school, when running El Capitan. He called me this morning
as I am FIFO at the moment in sunny Hedland and using Facetime we
proved a few things. He was able to access the school IT environment
by using the home WIFI network without a hitch. This problem therefore
arises when he is at school in the school wifi environs.

He indicated to me that when first attempting to connect to the school
environment via the installed VMware he had a "certificate pop up
come up on screen" to which he pressed Accept. My suspicion is that
this has something to do with his access problem, though it may
potentially be a Sierra related issue. He took it to his school IT
team on Friday who said "you need to go to the App store and do an
update". He told them he is at the latest OSX 10.12.4, there is no
further update - I think they're fobbing him off and copping out
because they don't actually know the problem and solution. But neither
do I, however I admit to it. James is pretty competent in these things
but we're both stumped right now.

Any clues by anyone on similar issues?

Regards

Pete.

Peter Crisp petercr...@westnet.com.au [12]
-- The WA Macintosh User Group Mailing List --
Archives - http://www.wamug.org.au/mailinglist/archives.shtml [13]
Guidelines - http://www.wamug.org.au/mailinglist/guidelines.shtml [14]
Settings & Unsubscribe - http://lists.wamug.org.au/listinfo/wamug.org.au-wamug [15]

Links:
------
[1] mailto:petercr...@westnet.com.au
[2] mailto:ro...@mac.com
[3] mailto:petercr...@westnet.com.au
[4] mailto:ro...@mac.com
[5] https://www.malwarebytes.com/mac/
[6] mailto:petercr...@westnet.com.au
[7] mailto:petercr...@westnet.com.au
[8] mailto:ro...@mac.com
[9] https://www.malwarebytes.com/mac/
[10] mailto:clamsh...@iinet.net.au
[11] mailto:petercr...@westnet.com.au
[12] mailto:petercr...@westnet.com.au
[13] http://www.wamug.org.au/mailinglist/archives.shtml
[14] http://www.wamug.org.au/mailinglist/guidelines.shtml
[15] http://lists.wamug.org.au/listinfo/wamug.org.au-wamug
[16] http://www.wamug.org.au/mailinglist/archives.shtml
[17] http://www.wamug.org.au/mailinglist/guidelines.shtml
[18] http://lists.wamug.org.au/listinfo/wamug.org.au-wamug
