Securing your MAC and Safe Surfing, Tips and Tricks (slide deck transcript, v1.0)

Uploaded by michael-gough, posted 25-Jan-2017

Securing your MAC and Safe Surfing, Tips and Tricks

Michael Gough – Founder

MalwareArchaeology.com


Who am I

• Blue Team Defender Ninja, Malware Archaeologist, Logoholic

• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How

• Creator of:

– “Windows Logging Cheat Sheet”

– “Windows File Auditing Cheat Sheet”

– “Windows Registry Auditing Cheat Sheet”

– “Windows PowerShell Logging Cheat Sheet”

– “Windows Splunk Logging Cheat Sheet”

– “Malware Management Framework”

• Co-Creator of “Log-MD” – Log Malicious Discovery Tool

– With @Boettcherpwned – Brakeing Down Security PodCast

• @HackerHurricane, also my blog: MalwareArchaeology.com


MAC’s don’t get viruses

• Wrong !

• MAC use is growing

• More malware

– 815 in 2015

• AV-Test states 0.06%

– Windows is KING


MAC Malware

• Most are unwanted applications, installed by the USER


AV for the Mac

• Stick with the BIG names

• Free is NOT better

• Sophos


Gatekeeper

• Designed to protect users by only allowing “approved” software

• Patrick Wardle with SynAck found a vulnerability in 2015

• Apple issued a patch in January 2016

• Most MAC infections will come from users installing bad or malicious software


RansomWare

• This first MAC RansomWare was seen in 2016

– KeRanger

• Fake BitTorrent client

• User approves and installs


Tools


Little Snitch

• Firewall / Network Monitor App

• Watches any communication and alerts you to outbound traffic

• https://www.obdev.at/products/littlesnitch/index.html


A MUST HAVE website

• https://objective-see.com/index.html


Logging


Logging

System log

• The main system log is found simply by opening the Console application. It is found in the "Utilities" folder inside the computer's "Applications" folder.

Printing logs

• The CUPS printing subsystem in Mac OS X 10.2 and later keeps its logs in the following location:

– /var/log/cups/error_log

Crash logs

• When individual applications like Microsoft Word or Apple Mail crash, the operating system will create a crash log. These log files are organized by application and stored in:

– ~/Library/Logs/

• The crash logs can be opened in the Console utility, or displayed in the Apple System Profiler program.

• Crash logs may be useful to technical staff. They can be invaluable to vendors wishing to fix problems in programs, as well.

Kernel panic log

• A kernel panic is a very rare event in Mac OS X. In Mac OS X 10.2, you will see the following information on your screen if you have a kernel panic:


Logging

• You may want additional debug information

• You have to enable it

• sudo launchctl log level debug


Logging

• Console – built-in app: Applications – Utilities – Console

3rd party log viewers

• LogrPro – https://lograpp.wordpress.com/

• Log File Navigator – http://lnav.org/


Logging

• LogTail App – can tail logs over SSH

– http://www.logtailapp.com/

• LogMX – CSV

– http://www.logmx.com/download

• LogDiver

– http://www.logdiver.com/


Cron files

• Scheduled jobs

Crontabs

• /etc/crontab

• /usr/lib/cron/tabs/*
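The two crontab locations above, as an added audit script that is not from the slides or from Log-MD: it lists every active job in /etc/crontab and the per-user tabs under /usr/lib/cron/tabs/, then flags jobs whose command runs from a temp directory or a dot-file. The sample crontab it writes is constructed so the script runs anywhere; the real paths are the ones the deck names.

```shell
# Added example (not from the slides): review cron jobs on a Mac for unexpected persistence.

# list_cron_jobs FILE... -> one tab-separated line per active job: <file> <schedule> <command>
# Comments, blank lines and VAR=value settings (SHELL=, PATH=, MAILTO=) are skipped.
# In /etc/crontab the command field starts with the user the job runs as;
# per-user tabs under /usr/lib/cron/tabs/ have no user field.
list_cron_jobs() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v src="$f" '
            NF == 0 || /^[[:space:]]*#/ { next }
            /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ { next }
            {
                n = ($1 ~ /^@/) ? 1 : 5          # @reboot/@daily vs. min hour dom mon dow
                sched = $1
                for (i = 2; i <= n; i++) sched = sched " " $i
                cmd = ""
                for (i = n + 1; i <= NF; i++) cmd = cmd (i > n + 1 ? " " : "") $i
                print src "\t" sched "\t" cmd
            }' "$f"
    done
}

# flag_cron_jobs FILE... -> only the jobs whose command references /tmp, /var/tmp,
# /private/tmp or a dot-file, the places dropped malware tends to live.
flag_cron_jobs() {
    list_cron_jobs "$@" |
        awk -F '\t' '$3 ~ /\/(private\/)?(var\/)?tmp\// || $3 ~ /\/\.[^ ]/'
}

# Constructed sample in /etc/crontab layout (min hour dom mon dow user command).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
SHELL=/bin/sh
PATH=/usr/bin:/bin
# nightly backup
0 2 * * * root /usr/local/bin/backup.sh --quiet
@reboot   root /tmp/.update
30 4 * * 0 root /usr/sbin/periodic weekly
EOF

echo "== all cron jobs =="
list_cron_jobs "$SAMPLE" /etc/crontab /usr/lib/cron/tabs/*
echo "== jobs worth a second look =="
flag_cron_jobs "$SAMPLE" /etc/crontab /usr/lib/cron/tabs/*
```

Run it with sudo on the Mac being checked, since the per-user tabs are root-readable only.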


The Web


Safe Browsing

• Aviator – Secure by design – https://www.whitehatsec.com/terms-conditions/aviator/

Safari

• Incognito for Safari – Surf anonymously

• Web of Trust (WOT) – URL reputation


Safe Browsing

Plugins for Chrome and Firefox

• LastPass – Password manager

• Xmarks – bookmark sync

• HTTPS Everywhere – Force HTTPS

• uBlock Origin – Block offsite content

• Ad Block+ – Block ads

• Web of Trust (WOT) – URL reputation


Windoz


You a Windows user?

• New tool to help you audit the logging settings

• Helps you enable the proper logging

• Harvests the logs only if properly set

• Performs full filesystem hash baseline

• Performs full registry baseline

• SRUM data from Win 8.1 and 10

• AutoRuns report

• 25+ reports


Resources

• Websites

– MalwareArchaeology.com

– Log-MD.com – the tool

• The “Windows Logging Cheat Sheet” – MalwareArchaeology.com

• Malware Analysis Report links too – to start your Malware Management program


Questions?

• You can find us at:

• @HackerHurricane

• Log-MD.com

• MalwareArchaeology.com

• HackerHurricane.com (blog)

• http://www.slideshare.net
