krypted.com

Tiny Deathstars of Foulness

Reporting on application usage is an interesting topic on the Mac. This is done automatically with a number of device management solutions. But there are things built into the OS that can help as well.

mdls "/Applications/Xcode.app" -name kMDItemLastUsedDate | awk '{print $3}'

Now, if you happen to also need the time, simply add ,$4 to the end of your awk print so you can see the next position, which is the time. Additionally, a simple one-liner to grab the foreground app via AppleScript is:

osascript -e 'tell application "System Events"' -e 'set frontApp to name of first application process whose frontmost is true' -e 'end tell'

That’s pretty much all I had to say about that.

September 27th, 2018

Posted In: Mac OS X, Mac Security

Tags: , , ,

I’ve been making guides to macOS Server since Server 2:
And along the way, I’ve also sold plenty of books on Mac Servers and gotten a lot of opportunities I might not have gotten otherwise. So thank you to everyone for joining me on that journey. After teaching so many how to use the services that Apple made available in their server operating system, when they announced they’d no longer be making many of the services my readers have grown dependent upon, I decided to start working on a guide on moving away from macOS Server. 
And then there are tons of all-in-one small business servers solutions, including Buffalo, Qnap, NetGear’s ReadyNAS, Thecus, LaCie, Seagate BlackArmor, and Synology. Because I happen to have a Synology, let’s look at setting up the same services we had in macOS Server, but on a cheaper Synology appliance:

September 25th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , , , , ,

September 25th, 2018

Posted In: JAMF, Mac OS X

Tags: , , , ,

macOS now comes with a vulnerability scanner called mrt. It’s installed within the MRT.app bundle in /System/Library/CoreServices/MRT.app/Contents/MacOS/ and while it doesn’t currently have a lot that it can do – it does protect against the various bad stuff that is actually available for the Mac. To use mrt, simply run the binary with a -a flag for agent and then a -r flag along with the path to run it against. For example, let’s say you run a launchctl command to list LaunchDaemons and LaunchAgents running:

launchctl list

And you see something that starts with com.abc. Let me assure you that nothing should ever start with that. So you can scan it using the following command: 

sudo /System/Library/CoreServices/MRT.app/Contents/MacOS/mrt -a -r ~/Library/LaunchAgents/com.abc.123.c1e71c3d22039f57527c52d467e06612af4fdc9A.plist

What happens next is that the bad thing you’re scanning for will be checked to see if it matches a known hash from MRT or from /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara and the file will be removed if so. 

A clean output will look like the following:

2018-09-24 21:19:32.036 mrt[48924:4256323] Running as agent

2018-09-24 21:19:32.136 mrt[48924:4256323] Agent finished.

2018-09-24 21:19:32.136 mrt[48924:4256323] Finished MRT run

Note: Yara rules are documented at https://yara.readthedocs.io/en/v3.7.0/. For a brief explanation of the json you see in those yara rules, see https://yara.readthedocs.io/en/v3.5.0/writingrules.html.

So you might be saying “but a user would have had to a username and password for it to run.” And you would be correct. But XProtect protects against 247 file hashes that include about 90 variants of threats. Those are threats that APPLE has acknowledged. And most malware is a numbers game. Get enough people to click on that phishing email about their iTunes account or install that Safari extension or whatever and you can start sending things from their computers to further the cause. But since users have to accept things as they come in through Gatekeeper, let’s look at what was allowed.

To see a list of hashes that have been allowed:

spctl --list

When you allow an app via spctl the act of doing so is stored in a table in 

sudo sqlite3 /var/db/SystemPolicy

Then run .schema to see the structure of tables, etc. These include feature, authority, sequence, and object which contains hashes.

On the flip side, you can search for the com.apple.quarantine attribute set to com.apple.quarantine:

xattr -d -r com.apple.quarantine ~/Downloads

And to view the signature used on an app, use codesign:

codesign -dv MyAwesome.app

To sign a package:

productbuild --distribution mycoolpackage.dist --sign MYSUPERSECRETIDENTITY mycoolpackage.pkg

To sign a dmg:

codesign -s MYSUPERSECRETIDENTITY mycooldmg.dmg

However, in my tests, codesign is used to manage signatures and sign, spctl only checks things with valid developer IDs and spctl checks items downloaded from the App Store. None of these allow for validating a file that has been brought into the computer otherwise (e.g. through a file share). 

Additionally, I see people disable Gatekeeper frequently, which is done by disabling LSQuarantine directly:

defaults write com.apple.LaunchServices LSQuarantine -bool NO

And/or via spctl:

spctl --master-disable

Likewise, mrt is running somewhat resource intensive at the moment and simply moving the binary out of the MRT.app directory will effectively disable it for now if you’re one of the people impacted.

September 24th, 2018

Posted In: Mac OS X, Mac Security

Tags: , , , , ,

Firefox describes their malware posture at https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work which heavily leverages Google SafeBrowsing, as do many a browser. Settings for SafeBrowsing are set in the browser.safebrowsing.downloads.remote.enabled pref. To lock this pref, you would need to create an autoconfig.js file in 

/Applications/Firefox.app/Contents/Resources/defaults/pref that points to a firefox.cfg file with a lock pref in it. To do so, create the autoconfig.js file and paste in these settings:

// Configure SafeBrowsing
pref("general.config.filename", "firefox.cfg");
pref("general.config.obscure_value", 0);

Then create the firefox.cfg file and paste in these settings:

// Configuring SafeBrowsing
lockPref("browser.safebrowsing.downloads.remote.enabled", TRUE)

Live Firefox preferences can be seen at /Users/charles.edge 1/Library/Application Support/Firefox/Profiles/*.default. Because SafeBrowsing is enabled by default, you shouldn’t see it listed unless it’s been disabled. But you can confirm it’s doing its thing by parsing the contents of these settings:

user_pref("browser.safebrowsing.provider.google4.lastupdatetime", "1537457871853");
user_pref("browser.safebrowsing.provider.google4.nextupdatetime", "1537459685853");
user_pref("browser.safebrowsing.provider.mozilla.lastupdatetime", "1537457872202");
user_pref("browser.safebrowsing.provider.mozilla.nextupdatetime", "1537461472202");

September 21st, 2018

Posted In: Mac OS X, Mac Security

Tags: , , ,

Most phishing sites follow a known pattern. And people like to flag bad sites. So Google and a few other organizations, such as stopbadware.org have a collection of feeds that can be leveraged by software vendors to provide a warning or flat-out block potentially fraudulent sites. If a piece of malware is found, even if buried deep in a site, the site will likely get picked up by a robot or reported by a user. Robots can pick up a lot, as people who exploit WordPress sites and stuff like that are often after playing a numbers game. Harvesting hundreds of thousands or email address and sending phishing emails. It only takes one person to give you banking information Given that they’re just dropping a file in an open web directory, the attacker might otherwise go months before enough people complained and the web host shut them down.

Google Safe Browsing came about similar to how realtime blacklisting has worked with email for a long time. Sites are listed and then blocked as needed. But privacy works differently with web browsing and so Google added a bunch of cool stuff that is described at https://safebrowsing.google.com. Basically though, there are some encrypted files on nearly every computer running Safari, Firefox, Chrome, etc that contains information about bad sites. This is updated fairly regularly, as well as some signatures of known nastiness and a little machine learning magic so that the systems are able to react to emerging threats.

In case you’re interested in writing your own tools, Google Safe Browsing has an API, which is documented at API Documentation.

So what is sent to Google? Only information from unsigned executables (or when the signature isn’t accepted) is sent to the Google SafeBrowsing service. The implementation and also how to turn that remote app reputation check are explained in https://wiki.mozilla.org/Security/Features/Application_Reputation_Design_Doc.

If you find that you’re managing a site that gets attacked, maybe you learn about it initially from having the site blocked. If this happens, you would need to remove the stuff that was put on your site that resulted in the site being blocked and then request removal from the list of reported phishing sites, use this form provided by Google.

Also request removal from stopbadware.org.

Safari uses Google Safe Browsing. There is a “Fraudulent sites” setting in the Security Preference pane for Safari. Here, you check a box and then you get prompted when you attempt to open a bad site. 

Safari SafeBrowsing involves having Safari pull a new version of the bad stuff from Google every now and then. You can see the date and timestamp that this occurred using the defaults command to read com.apple.Safari.SafeBrowsing.plist, as follows:

defaults read com.apple.Safari.SafeBrowsing.plist

The output contains the SafeBrowsingRemoteConfigurationLastUpdateDate key for /Users//Library/Preferences/com.apple.Safari.SafeBrowsing.plist:

defaults read com.apple.Safari.SafeBrowsing.plist
{
SafeBrowsingRemoteConfigurationLastUpdateDate = "2018-09-19 22:43:30 +0000";
}


Or to wrap this into a command that just displays the last date updated:

defaults read /Users/charles.edge\ 1/Library/Preferences/com.apple.Safari.SafeBrowsing.plist SafeBrowsingRemoteConfigurationLastUpdateDate | awk ‘{print$1}’


The actual bad stuff file is tricky. A number of temporary dynamic files are stored in /var/folders, and then inside a hierarchy generated by guids for a given system. Here, you’ll find a couple of files, including /var/folders/r1/05ns3cqs0cg5c42x38gk0c0w0000gn/C/com.apple.Safari.SafeBrowsing and /var/folders/8s/s9k75nys3rb399w4fwwtk04h0000gn/C/com.apple.Safari.SafeBrowsing. 

These files are binaries and cannot be viewed. They appear to be downloaded via the com.apple.Safari.SafeBrowsing.BrowsingDatabases.Update service routinely. Looking at their date and time stamp though, will give you a good idea of when the last update was run if you care to find that out.

Enable SafeBrowsing via the WarnAboutFraudulentWebsites key in ~/Library/Preferences/com.apple.Safari.plist as can be seen below:

defaults write /Users/charles.edge/Library/Preferences/com.apple.Safari.plist WarnAboutFraudulentWebsites 1

September 17th, 2018

Posted In: Mac Security

Tags: , , ,

September 16th, 2018

Posted In: MacAdmins Podcast

Tags: , , , ,

Just some little one-liners to grab the version of a few common Apple services/built-in apps you might need the version of for another project I’m working on kinda’:
  • cups: cups-config –version
  • Finder: mdls -name kMDItemVersion /System/Library/CoreServices/Finder.app | cut -d ‘”‘ -f2
  • Help Viewer: mdls -name kMDItemVersion /System/Library/CoreServices/HelpViewer.app | cut -d ‘”‘ -f2
  • iBooks Author: mdls -name kMDItemVersion /Application/iTunes\ Author.app | cut -d ‘”‘ -f2
  • ical/Calendar: mdls -name kMDItemVersion /Applications/Calendar.app/ | cut -d ‘”‘ -f2
  • ichat/Messages: mdls -name kMDItemVersion /Applications/Calendar.app/ | cut -d ‘”‘ -f2
  • iMovie: mdls -name kMDItemVersion /Applications/iMovie.app | cut -d ‘”‘ -f2
  • installer: /usr/sbin/installer -vers
  • Photos/iPhoto: mdls -name kMDItemVersion /Applications/Photos.app | cut -d ‘”‘ -f2 
  • iTunes: mdls -name kMDItemVersion /Applications/iTunes.app | cut -d ‘”‘ -f2 
  • Java: /usr/bin/java -version
  • Keynote: mdls -name kMDItemVersion /Applications/Keynote.app | cut -d ‘”‘ -f2
  • macOS: sw_vers -productVersion
  • macOS Server: mdls -name kMDItemVersion /Applications/Server.app | cut -d ‘”‘ -f2
  • Mail: mdls -name kMDItemVersion /Applications/Mail.app | cut -d ‘”‘ -f2
  • mdnsresponder
  • Motion: mdls -name kMDItemVersion /Applications/Motion.app | cut -d ‘”‘ -f2
  • Numbers: mdls -name kMDItemVersion /Applications/Numbers.app | cut -d ‘”‘ -f2
  • Pages Required mdls -name kMDItemVersion /Applications/Pages.app | cut -d ‘”‘ -f2
  • Preview: mdls -name kMDItemVersion /Applications/Preview.app | cut -d ‘”‘ -f2
  • Quicktime: mdls -name kMDItemVersion /Applications/Quicktime\ Player.app | cut -d ‘”‘ -f2 quicktime_broadcaster No (Darwin Stream Server deprecated) N/A quicktime_darwin_mp3_broadcaster No (deprecated service) N/A quicktime_pictureviewer No (for QuickTime for Windows) N/A quicktime_streaming_server No (deprecated service) N/A
  • Remote Desktop: defaults read /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/version.plist CFBundleShortVersionString
  • Safari: mdls -name kMDItemVersion /Applications/Safari.app | cut -d ‘”‘ -f2 server_manager No (deprecated in 2006ish) N/A software_update tcp_ip_configuration_utility No (Laserwriter vuln from 2002) N/A terminal Required mdls -name kMDItemVersion /Applications/Utilities/Terminal.app | cut -d ‘”‘ -f2
  • Textedit Required mdls -name kMDItemVersion /Applications/TextEdit.app | cut -d ‘”‘ -f2
  • Transporter: /Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/itms/bin/itsmtransporter
  • Xcode: mdls -name kMDItemVersion /Applications/Xcode.app | cut -d ‘”‘ -f2
  • Xsan: /usr/sbin/cvversions
  • openSSL: openssl -version
  • Apache: httpd -v
If you notice, a lot of the built-in apps can be scanned with the same mdls command. There are certainly better ways for some, but when it comes to runtime cost, spotlight can respond quicker than a lot of other tools (other than purpose-built open source tools of course, who already have a smaller amount of data specific to the task). 3rd party software can be checked the same way. Let’s take Microsoft Outlook as an example:

mdls -name kMDItemVersion /Applications/Microsoft\ Outlook.app | cut -d ‘”‘ -f2

Additionally, Frameworks work a little differently. If I wanted to get the WebKit Framework version programmatically, I will need the system_profiler command along with the SPFrameworksDataType option. This will show me the version of WebKit, but strictly piping the output into grep won’t find the WebKit version. Instead I actually need to use an option I don’t use often with grep. Note that -A will allow you to define a number of lines to output following the pattern in question, so here I’m saying constrain my output to what you find that’s WebKit + the next ten lines, then constrain further for just the version number. 

system_profiler SPFrameworksDataType | grep -A10 WebKit: | grep Version

Anyway, more on all this soon.

September 13th, 2018

Posted In: Mac OS X, Mac Security

Tags: , , , , , ,

My session from MacTech 2017.

September 10th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , ,

September 7th, 2018

Posted In: JAMF

Tags: , , , ,

Next Page »