MacTech Conference 2011

Posted November 30th @ 2:54 pm by Justin Rummel

Wow… I’ve been slacking off on writing posts. I know I’m highly overdue on S/MIME on iOS; I’ll be working on that soon… just finding a few snags and using MDM deployments. For now here are several sets of pictures I’ve been taking over the past month.

MacTech Conference 2011

Compared to last year’s collection, these are weak except for the landscape pictures I was able to take out of the airplane window traveling to CA and returning home to DC. MacTech was an awesome conference and I hope to present again next year!


Apple’s Built-in Anti-Virus: XProtect

Posted November 1st @ 11:17 am by Justin Rummel

Today, Intego announced a new trojan designed for the Mac, dubbed “DevilRobber”.

You can read Intego’s site (or many other sites posting about this trojan), but I wanted to remind everyone that there is built-in anti-virus software, called XProtect, within updated versions of Snow Leopard (version 10.6.7 with Security Update 2011-003 or greater) and Lion.

XProtect is enabled by going to System Preferences => Security => General tab and checking “Automatically update safe downloads list”. If you ever want to force an update of your list, just uncheck and recheck the option.

XProtect
(Notice, my settings may look different from yours as I have FileVault enabled along with other MCX settings. The safe downloads list is what’s important for this article.)

However, let’s get a little more information from XProtect.

If we run the following command “today” (11/1/2011 @ 11am Eastern), we get the following result:

/usr/libexec/PlistBuddy -c "print LastModification" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
Tue, 11 Oct 2011 16:20:51 GMT

This tells us that our anti-virus dictionary file has not been updated since Oct 11th, 2011. To update your dictionary, you can use the uncheck / recheck method above, or run:

/usr/libexec/XProtectUpdater

You will notice that, as of right now, the XProtect meta file timestamp has not changed. I assume Apple will soon update this file to protect Mac users from DevilRobber, or any other future trojan/virus that gets created. We’re just dependent on Apple to update their dictionary, the same way Intego / Sophos / etc. users are dependent on their paid software to update its dictionary file. Once the file is updated, grepping for the new name should return a result like the one this grep returns for MacDefender:

cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist | grep MacDefender

### Update
XProtect.plist file has been updated as of Nov 1st, 2011, and if you grep for “Devil” you will get a response of “OSX.DevilRobber.A”. Pretty quick (and automatically done) as the announcement was on Nov 1st.
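The two checks in this post (how old XProtect.meta.plist is, and whether XProtect.plist contains a given signature name) can be done without PlistBuddy and grep, which is handy when you want to run them unattended across many Macs. The script below is an added example and is not code from the original post or from Apple: it reads both files with Python’s plistlib, computes the age of the definitions from the LastModification date, and searches every string in the definitions file for a name. The two embedded sample plists are constructed and simplified (only the LastModification value and the Description names mirror what the post shows), and the 14-day staleness threshold is my own assumption.

```python
"""Offline check of XProtect definition age and signature coverage.

Added example, not code from the original post or from Apple. The sample
plists below are constructed and simplified for illustration.
"""
import plistlib
import sys
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

RESOURCES = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/"
META_PATH = RESOURCES + "XProtect.meta.plist"
DEFS_PATH = RESOURCES + "XProtect.plist"

# Constructed sample of XProtect.meta.plist carrying the timestamp from the post.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastModification</key>
  <string>Tue, 11 Oct 2011 16:20:51 GMT</string>
</dict>
</plist>
"""

# Constructed, simplified sample of XProtect.plist (real entries also carry match patterns).
SAMPLE_DEFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>OSX.MacDefender.A</string>
  </dict>
  <dict>
    <key>Description</key>
    <string>OSX.DevilRobber.A</string>
  </dict>
</array>
</plist>
"""

# The moment the post ran its check: 11 am Eastern (EDT, UTC-4) on 1 Nov 2011.
POST_TIME = datetime(2011, 11, 1, 15, 0, tzinfo=timezone.utc)


def definitions_age(meta_bytes: bytes, now: datetime) -> timedelta:
    """Age of the definitions, parsed from the RFC 1123 date in LastModification."""
    meta = plistlib.loads(meta_bytes)
    last_mod = parsedate_to_datetime(meta["LastModification"])
    if last_mod.tzinfo is None:  # defensive: treat a naive value as UTC
        last_mod = last_mod.replace(tzinfo=timezone.utc)
    return now - last_mod


def is_stale(meta_bytes: bytes, now: datetime, max_age: timedelta = timedelta(days=14)) -> bool:
    """True when the definitions are older than max_age (the 14-day default is an assumption)."""
    return definitions_age(meta_bytes, now) > max_age


def _strings(node):
    """Yield every string value anywhere in a parsed plist, whatever its layout."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def matching_signatures(defs_bytes: bytes, needle: str) -> list:
    """Signature names containing needle, like the post's grep for 'Devil' but case-insensitive."""
    found = {s for s in _strings(plistlib.loads(defs_bytes)) if needle.lower() in s.lower()}
    return sorted(found)


def main(argv):
    """Run the checks against the live files on a Mac; names to look for come from argv."""
    needles = argv[1:] or ["MacDefender", "DevilRobber"]
    with open(META_PATH, "rb") as f:
        meta = f.read()
    with open(DEFS_PATH, "rb") as f:
        defs = f.read()
    now = datetime.now(timezone.utc)
    age = definitions_age(meta, now)
    flag = " (STALE)" if is_stale(meta, now) else ""
    print("XProtect definitions last modified %d days ago%s" % (age.days, flag))
    for needle in needles:
        hits = ", ".join(matching_signatures(defs, needle)) or "no match"
        print("%-12s -> %s" % (needle, hits))


if __name__ == "__main__":
    main(sys.argv)
```

Run it on a Mac with no arguments to report the age of the definitions and whether the MacDefender and DevilRobber names are present; pass other names as arguments to look for them instead. Against the constructed samples, the definitions are 20 days old at the post’s timestamp and the “Devil” search returns only OSX.DevilRobber.A.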

Niagara Falls

Posted October 5th @ 3:47 pm by Justin Rummel

Niagara Falls at night

For the past couple of weeks, I’ve been in Niagara Falls, NY for a client. I had never seen the falls or been to Canada, so it was fun to check both of those items off my life’s to-do list, and in the process I took some pictures.

For the pictures I knew I wanted to get the long exposure for the water coming down the falls, however, it was harder at night to get the right balance between getting enough light to even see the falls vs. washing out everything. In the end I used a high ISO of 1600 and half second shutter speed. I would have preferred to use ISO 200 (or 100 if possible) to reduce the noise in the pictures. For future note, these pictures are from the US side of the falls, the Canadian side is better for viewing the falls (just haven’t been there at night… not yet at least).

Check www.niagaraparks.com/attractions/falls-illumination.html for the lights’ schedule.

Remove Diginotar CA Certificate

Posted August 31st @ 7:32 am by Justin Rummel

First, I want to say thanks to Edward Marczak for his original post on how to remove the Diginotar CA Certificate, and his forward thinking about how to do this from a System Admin perspective. I wanted to add a few more bits of info to his post to better explain the security command.

In Ed’s post, he states to run this command:

sudo /usr/bin/security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain

So the “-Z” flag is telling the system to search based on the SHA-1 hash value of the certificate. How do you know this is the correct certificate? By using the find-certificate operation.

/usr/bin/security find-certificate -Z -e "info@diginotar.nl" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA | awk -F ": " '{print $2}'

In the command above, I’m asking the security command to find the certificate by email address with the “-e” flag. The “-Z” flag in this command says to print out the SHA-1 hash value. At the end I’m using “grep” to filter out all the other information that comes with displaying certificate information in Terminal, then “awk” to return only the hash value. This way you can have some logic to ensure that your system finds the correct certificate to delete, rather than taking information from a website and fully trusting the instructions (no offense to Ed, it is just good practice to perform sanity checks).

#!/bin/sh
# Find the DigiNotar root by its e-mail address and capture its SHA-1 hash
BADDIGI=$(/usr/bin/security find-certificate -Z -e "info@diginotar.nl" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA | awk -F ": " '{print $2}')
# Stop if nothing was found, rather than calling delete-certificate with an empty hash
[ -n "$BADDIGI" ] || { echo "No certificate found for info@diginotar.nl" >&2; exit 1; }
echo "Going to delete: $BADDIGI"
sudo /usr/bin/security delete-certificate -Z "$BADDIGI" /System/Library/Keychains/SystemRootCertificates.keychain

So the obvious question from the above command is “How do I know info@diginotar.nl was the correct email”? Simple, I checked Keychain Access.

If you open Keychain Access (located in /Applications/Utilities/), do a search for Diginotar (you will get one value in return as seen below). Right click the certificate and select “Get Info”.

Digi-Search

Digi-Info
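The sanity check this post argues for (derive the hash on your own system and compare it with the published one before deleting anything) can be made explicit rather than relying on grep and awk. The script below is an added example, not the post’s or Ed Marczak’s script: it parses the “SHA-1 hash:” line that security find-certificate -Z prints, computes the same fingerprint from a PEM file (the -Z value is the SHA-1 of the certificate’s DER encoding), and only reports a delete as safe when exactly one certificate was found and its hash equals the expected value quoted above. The find-certificate output and the PEM body are constructed samples; the PEM wraps placeholder bytes, not a real certificate.

```python
"""Check a certificate's SHA-1 fingerprint before removing it.

Added example, not the post's or Ed Marczak's script. The sample
find-certificate output and the sample PEM below are constructed.
"""
import base64
import hashlib
import re

# Fingerprint quoted in the post from Ed Marczak's delete-certificate command.
EXPECTED_DIGINOTAR = "C060ED44CBD881BD0EF86C0BA287DDCF8167478C"

# Constructed sample of `security find-certificate -Z -e info@diginotar.nl` output;
# attribute lines are abbreviated, only the shape of the hash line matters here.
SAMPLE_OUTPUT = """keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
version: 256
class: 0x80001000
attributes:
    "labl"<blob>="DigiNotar Root CA"
SHA-1 hash: C060ED44CBD881BD0EF86C0BA287DDCF8167478C
"""

# Constructed PEM wrapping placeholder bytes; stands in for a certificate file.
SAMPLE_DER = b"constructed placeholder, not a DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_HASH_LINE = re.compile(r"^SHA-1 hash:\s*([0-9A-Fa-f]{40})\s*$", re.MULTILINE)
_PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def sha1_hashes(find_output: str) -> list:
    """Every SHA-1 hash line in find-certificate output, one per certificate returned."""
    return [m.group(1).upper() for m in _HASH_LINE.finditer(find_output)]


def fingerprint_der(der: bytes) -> str:
    """SHA-1 fingerprint in the format security prints: uppercase hex, no colons."""
    return hashlib.sha1(der).hexdigest().upper()


def fingerprint_pem(pem: str) -> str:
    """Fingerprint of the first certificate block in a PEM string."""
    m = _PEM_BODY.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return fingerprint_der(base64.b64decode("".join(m.group(1).split())))


def safe_to_delete(hashes: list, expected: str) -> bool:
    """Only act when the lookup found exactly one certificate and it is the expected one."""
    return len(hashes) == 1 and hashes[0].upper() == expected.upper()


if __name__ == "__main__":
    found = sha1_hashes(SAMPLE_OUTPUT)
    print("found:", found)
    print("safe to delete:", safe_to_delete(found, EXPECTED_DIGINOTAR))
    print("sample PEM fingerprint:", fingerprint_pem(SAMPLE_PEM))
```

On a Mac you would feed the real output of security find-certificate -Z -a -e info@diginotar.nl (the -a flag returns every match instead of only the first) into sha1_hashes and run delete-certificate only when safe_to_delete is true. Matching the exact “SHA-1 hash:” label is deliberate: later macOS releases also print a SHA-256 line, so the post’s grep SHA would then yield two values and the script above would refuse to delete.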

Built-in Hidden Command Line Tools: Stroke and Airport

Posted August 3rd @ 10:22 am by Justin Rummel

These tools are nothing new, as they were available in Snow Leopard (and I believe Leopard, just can’t check), but they are fun little tools just in case you don’t have Apple’s Xcode [iTunes link] installed or MacPorts available on your computer.
