Malware Archaeology: Mac Tips and Tricks v1.0 (transcript)
Securing your MAC and Safe Surfing, Tips and Tricks
Michael Gough – Founder
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
• Creator of:
– “Windows Logging Cheat Sheet”
– “Windows File Auditing Cheat Sheet”
– “Windows Registry Auditing Cheat Sheet”
– “Windows PowerShell Logging Cheat Sheet”
– “Windows Splunk Logging Cheat Sheet”
– “Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane, also my blog: MalwareArchaeology.com
MACs don’t get viruses
• Wrong !
• MAC use is growing
• More malware
– 815 in 2015
• AV-Test states 0.06%
– Windows is KING
Gatekeeper
• Designed to protect users by only allowing “approved” software
• Patrick Wardle with Synack found a vulnerability in 2015
• Apple issued a patch in January 2016
• Most MAC infections will come from users installing bad or malicious software
RansomWare
• The first MAC RansomWare was seen in 2016
– KeRanger
• Fake BitTorrent client
• User approves and installs
Little Snitch
• Firewall / Network Monitor App
• Watches any communication and alerts you to outbound traffic
• https://www.obdev.at/products/littlesnitch/index.html
Logging
System log
• The main system log is found simply by opening the Console application. It is found in the "Utilities" folder inside the computer's "Applications" folder.
Printing logs
• The CUPS printing subsystem in Mac OS X 10.2 and later keeps its logs in the following location:
– /var/log/cups/error_log
Crash logs
• When individual applications like Microsoft Word or Apple Mail crash, the operating system will create a crash log. These log files are organized by application and stored in:
– ~/Library/Logs/
• The crash logs can be opened in the Console utility, or displayed in the Apple System Profiler program.
• Crash logs may be useful to technical staff. They can be invaluable to vendors wishing to fix problems in programs, as well.
Kernel panic log
• A kernel panic is a very rare event in Mac OS X. In Mac OS X 10.2, you will see the following information on your screen if you have a kernel panic:
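A small check script, added here as an example and not part of the original slides, that works the two log locations the slide names: it counts crash reports per process and exception type under a ~/Library/Logs-style directory, and counts error-level lines in a CUPS error_log. The sample log tree it builds is constructed data, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the slides: summarise the crash logs and CUPS errors
# kept at the locations the "Logging" slide names (~/Library/Logs and
# /var/log/cups/error_log). Crash report headers look like
#   Process:         Safari [512]
#   Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
# A burst of EXC_BAD_ACCESS crashes in one process deserves a second look
# (usually a bug, occasionally a failed exploit attempt), so we count per process.

# crash_summary DIR: prints "<count> <process>|<exception type>", most frequent
# first, scanning *.crash and *.crash.log files under DIR recursively.
crash_summary() {
  find "$1" -type f \( -name '*.crash' -o -name '*.crash.log' \) -exec awk '
    /^Process:/ {
      line = $0
      sub(/^Process:[[:space:]]*/, "", line)   # drop the field label
      sub(/ \[[0-9]+\]$/, "", line)            # drop the trailing " [pid]"
      proc = line
    }
    /^Exception Type:/ { print proc "|" $3 }
  ' {} + | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# cups_errors FILE: count error-level ("E [...]") lines in a CUPS error_log.
cups_errors() {
  grep -c '^E \[' "$1" || true
}

# Constructed sample data (not real logs) so the functions can be exercised
# without a Mac; on a real machine point crash_summary at "$HOME/Library/Logs".
make_sample_logs() {
  dir=$(mktemp -d)
  mkdir -p "$dir/DiagnosticReports"
  for n in 1 2 3; do
    printf 'Process:         Safari [51%s]\nException Type:  EXC_BAD_ACCESS (SIGSEGV)\n' "$n" \
      > "$dir/DiagnosticReports/Safari_2016-03-0$n.crash"
  done
  printf 'Process:         Mail [77]\nException Type:  EXC_CRASH (SIGABRT)\n' \
    > "$dir/DiagnosticReports/Mail_2016-03-04.crash"
  printf 'I [04/Mar/2016:10:00:01 +0000] Listening to localhost:631\nE [04/Mar/2016:10:05:09 +0000] Unable to open listen socket\nE [04/Mar/2016:10:05:10 +0000] Print job failed\n' \
    > "$dir/cups_error_log"
  echo "$dir"
}
```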
Logging
• You may want additional debug information
• You have to enable it
• sudo launchctl log level debug
Logging
• Console – built-in app
– Applications – Utilities – Console
• 3rd-party log viewers
– LogrPro – https://lograpp.wordpress.com/
– Log File Navigator – http://lnav.org/
Logging
• LogTail App – can do over SSH
– http://www.logtailapp.com/
• LogMX – CSV
– http://www.logmx.com/download
• LogDiver
– http://www.logdiver.com/
Safe Browsing
• Aviator – Secure by design
– https://www.whitehatsec.com/terms-conditions/aviator/
Safari
• Incognito for Safari – Surf anonymously
• Web of Trust (WOT) – URL reputation
Safe Browsing
Plugins for Chrome and FireFox
• LastPass – Password manager
• Xmarks – bookmark sync
• HTTPS Everywhere – Force HTTPS
• uBlock Origin – Block offsite content
• Adblock Plus – Block ads
• Web of Trust (WOT) – URL reputation
Are you a Windows user?
• New tool to help you audit the logging settings
• Helps you enable the proper logging
• Harvests the logs only if properly set
• Performs full filesystem hash baseline
• Performs full registry baseline
• SRUM data from Win 8.1 and 10
• AutoRuns report
• 25+ reports
Resources
• Websites
– MalwareArchaeology.com
– Log-MD.com – The tool
• The “Windows Logging Cheat Sheet” – MalwareArchaeology.com
• Malware Analysis Report links too – To start your Malware Management program