Post #438,399
2/17/21 10:17:18 PM
|
FFS Ashton
Ashton is persuaded that his new iMac, which he has never managed to get online via his internet connection, has somehow been infected with badness from his older, purportedly compromised machine via their two Bluetooth keyboards!
This strikes me as beyond preposterous, but he absolutely insists that it has happened. Can anyone provide me with ammunition to shoot down this delusion? I will read to him any persuasive responses.
exasperatedly,
|
Post #438,400
2/17/21 11:39:44 PM
|
Buy a $9 crap USB keyboard. Problem solved.
"Science is the belief in the ignorance of the experts" – Richard Feynman
|
Post #438,402
2/18/21 2:15:18 AM
|
There are insufficient brains on the keyboard to do it.
Specifically, they know about devices they're paired with, and that's it.
If it's been infected with badness, it's probably via good ol' wifi. Or it's actually been connected inadvertently to the internet, and has been pointed at the same infection vector as the first machine.
Occam's razor, and all that.
|
Post #438,413
2/18/21 7:19:01 PM
|
Process IDs
Ashton looked at the log files and seems to have interpreted certain things in there as individuals accessing the machine. I'm not familiar enough with Apple's log contents, but the description sounded like process IDs. Some of the background processes chatter continuously making it look as if the invaders are having a field day.
Other than that - Peter is right. The keyboard doesn't have the brains. Bluetooth is just a transport layer. Plus, it requires pairing. The keyboard of laptop 1 will be ignored by laptop 2 unless it has been explicitly registered on laptop 2.
|
Post #438,428
2/19/21 10:27:00 AM
|
I’ll pass this on to him
He’s been looking at the Mac OS “Console,” and yes, that will look like all sorts of things are going on. It’s difficult getting a clear idea of what’s going on from his, er, somewhat discursive telephone accounts, so I think I’m going to have to make a house call later this month. My personal belief, on the basis of admittedly incomplete and less than coherently organized information, is that A. is misinterpreting various kinds of system weirdness and, having concluded that bad actors are at work, is shoehorning all perceived irregularities into this scenario.
I don’t have anything approaching the technical chops of most of the regulars here (and I’m particularly weak on networking issues), but I have almost thirty-seven years of Mac experience under my belt, and I think I can probably fix at least some of his issues. Here’s hoping.
cordially,
|
Post #438,429
2/19/21 10:36:24 AM
|
This reminds me of
Many years ago I set up an internet monitoring console. Our main network guys could take a glance at a web screen and it would show with pretty pie graphs where all the internet traffic was coming from. Except for one day it started coming from a decidedly centralized place.
I forget where it was coming from. But it wasn't bad. It was a traffic aggregator / centralizer that front-ended various websites and it was just launching over the last couple of weeks. So our internet traffic came from a whole bunch of places and then kind of centralized to a mostly single place.
At that moment my network administrator flipped out and decided that the vast majority of machines on our network were hacked and they were redirecting traffic to this centralized location and it was all bad and he had to shut it off. I tried to explain to him that this was not the case. It didn't matter. He shut that s*** down.
It took about three or four hours before enough people screamed at him that he realized this was a bad idea and he really needed to turn everything back on.
At that point I realized you shouldn't hand tools to monkeys. They will misuse the tools.
|
Post #438,434
2/19/21 2:05:42 PM
|
Yes and no
If I'm paying someone to secure my network, and one day the traffic patterns change substantially and he wasn't expecting it, I'd want him to block that source until he understood the change. And I'd want that person to be more paranoid and dogmatic than I am.
In that couple hours before he opened things back up, was he researching the new aggregator to confirm what you told him? Or did he just give in to the screaming?
|
Post #438,436
2/19/21 4:49:31 PM
|
No idea. 20 plus years ago.
|
Post #438,439
2/20/21 10:12:42 AM
|
Similarly, ...
I was trying to figure out some networking issue at work and decided to look at the Windows traffic. I was flabbergasted by what I saw.
Very roughly:
Joe's PC - "I'm here. Anyone out there?"
Jack's PC - "I'm here. Anyone out there?"
Jane's PC - "I'm here. Anyone out there?"
Bob's PC - "I'm here. Anyone out there?"
Joe's PC - "I'm here. Anyone out there?"
Jack's PC - "I'm here. Anyone out there?"
Jane's PC - "I'm here. Anyone out there?"
Bob's PC - "I'm here. Anyone out there?"
Joe's PC - "I'm here. Anyone out there?"
Jack's PC - "I'm here. Anyone out there?"
Jane's PC - "I'm here. Anyone out there?"
Bob's PC - "I'm here. Anyone out there?"
It was amazing that there was any bandwidth left with all the chatter. :-/
Yeah, it's great that the pointy-clicky tools are out there, but if one doesn't know what normal looks like it can be overwhelming.
Cheers, Scott.
|
Post #438,445
2/20/21 4:53:12 PM
|
very normal
"Science is the belief in the ignorance of the experts" – Richard Feynman
|
Post #438,446
2/20/21 5:05:22 PM
|
Yeah.
I neglected to mention that this was way back when I was running OS/2.
:-)
Still, normal. But I was surprised.
Cheers, Scott.
|
Post #438,447
2/20/21 5:10:13 PM
|
Yeah we both reacted like that
Those were standard ARP announcements. When you see them on a tiny little network for the first time it's easy to absorb them and understand why it was reasonable in those days. But when you see them on a monster network and realize the amount of background chatter going on at all times, you are really happy that Wireshark has colored tracking to separate the conversations.
|
Post #438,448
2/21/21 5:23:18 AM
|
It's almost as if...
...the amount of network traffic on a corporate network is much larger than human brainmeats are able to comfortably conceptualise in real-time.
They're NetBIOS browser announcements. A few bytes, per machine, every few seconds. Basically non-existent, in the context of a 100 megabit or better network. Then there's ARP, and DHCP, and this and that and the other.
|
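Putting a number on the chatter the last few posts describe, as an added example that is not part of any post in the thread: the script below parses a constructed one-line-per-packet capture summary (addresses, machine names and frame sizes are all made up for the example), totals the ARP, NetBIOS browser and DHCP broadcasts per host, works out what fraction of a 100 Mbit/s link they occupy over the capture window, and then goes one step beyond the posts by flagging a host whose broadcast count stands far above the others. That last check is the "knowing what normal looks like" point made earlier: every PC announcing itself is the baseline, one PC asking after thirty addresses in a row is the thing worth looking at.

```python
"""Baseline the broadcast chatter on a LAN from one-line packet summaries.

Added example, not from the thread. The capture below is CONSTRUCTED to
look like a capture tool's per-packet summary:
    <time_s>  <src>  <dst>  <proto>  <frame_len_bytes>  <info>
"""
import statistics
from collections import Counter, defaultdict

# Constructed: four PCs doing ordinary ARP / NetBIOS browser / DHCP chatter,
# plus one unicast SMB frame that is not broadcast at all.
NORMAL_CHATTER = """\
0.5  10.0.0.11  ff:ff:ff:ff:ff:ff  ARP      60    Who has 10.0.0.1? Tell 10.0.0.11
1.2  10.0.0.11  10.0.0.255         BROWSER  243   Host Announcement JOE-PC
1.9  10.0.0.12  10.0.0.255         BROWSER  243   Host Announcement JACK-PC
2.4  10.0.0.13  10.0.0.255         BROWSER  243   Host Announcement JANE-PC
3.0  10.0.0.14  10.0.0.255         BROWSER  243   Host Announcement BOB-PC
4.1  10.0.0.12  ff:ff:ff:ff:ff:ff  ARP      60    Who has 10.0.0.1? Tell 10.0.0.12
5.5  10.0.0.13  255.255.255.255    DHCP     342   DHCP Request
6.0  10.0.0.11  10.0.0.13          TCP      1514  445 > 49152 [ACK]
"""

CHATTY_HOST = "10.0.0.14"  # constructed: one host asking for every address in turn
WINDOW_S = 60.0            # the constructed capture covers one minute


def build_sample():
    """Constructed capture: normal chatter plus 30 ARP requests from one host."""
    extra = [
        f"{10.0 + 0.2 * i:.1f}  {CHATTY_HOST}  ff:ff:ff:ff:ff:ff  ARP  60  "
        f"Who has 10.0.0.{20 + i}? Tell {CHATTY_HOST}"
        for i in range(30)
    ]
    return NORMAL_CHATTER + "\n".join(extra) + "\n"


def parse_capture(text):
    """Split each summary line into its six fields; info keeps its spaces."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, length, info = line.split(None, 5)
        packets.append({"time": float(t), "src": src, "dst": dst,
                        "proto": proto, "len": int(length), "info": info})
    return packets


def is_broadcast(dst):
    """Ethernet broadcast, limited broadcast, or a /24 directed broadcast."""
    return dst in ("ff:ff:ff:ff:ff:ff", "255.255.255.255") or dst.endswith(".255")


def broadcast_summary(packets):
    """Per (src, proto): [packet count, bytes], broadcast frames only."""
    summary = defaultdict(lambda: [0, 0])
    for p in packets:
        if is_broadcast(p["dst"]):
            entry = summary[(p["src"], p["proto"])]
            entry[0] += 1
            entry[1] += p["len"]
    return dict(summary)


def broadcast_bytes(packets):
    return sum(p["len"] for p in packets if is_broadcast(p["dst"]))


def link_share(packets, window_s=WINDOW_S, link_mbps=100):
    """Fraction of the link consumed by broadcast frames over the window."""
    bits_per_second = broadcast_bytes(packets) * 8 / window_s
    return bits_per_second / (link_mbps * 1_000_000)


def chatty_hosts(packets, factor=10):
    """Hosts sending > factor x the median broadcast count of the other hosts.

    The threshold separates 'every PC announces itself' from 'one PC is doing
    something the others are not'; what that something is still needs a look.
    """
    per_host = Counter(p["src"] for p in packets if is_broadcast(p["dst"]))
    flagged = []
    for host, count in per_host.items():
        others = [n for h, n in per_host.items() if h != host]
        if others and count > factor * statistics.median(others):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    pkts = parse_capture(build_sample())
    for (src, proto), (n, nbytes) in sorted(broadcast_summary(pkts).items()):
        print(f"{src:<10} {proto:<8} {n:>3} pkts {nbytes:>5} bytes")
    print(f"broadcast share of a 100 Mbit/s link: {link_share(pkts):.2e}")
    print("chatty hosts:", chatty_hosts(pkts))
```

With the constructed minute of traffic the broadcasts add up to a few thousand bytes, a few millionths of the link, which is the "basically non-existent" of the post above; the median-based threshold is deliberately crude, and a real baseline would be built from hours of capture rather than one minute.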
Post #438,450
2/21/21 11:36:31 AM
|
That goes under the heading of: holy s***
All those protocols that developed over all those years that aggregated into the pipes that we have to f****** figure out right now.
Yeah, you know, it simply doesn't work for human brains to be able to absorb all the crap at once. I'm almost happy I don't work in that environment.
|
Post #438,478
2/23/21 6:46:18 PM
|
Yah. NetBIOS has a reputation for being very chatty.
|
Post #438,431
2/19/21 12:03:27 PM
|
End users should never look at system log files
|
Post #438,460
2/22/21 7:15:26 AM
|
Most likely unrelated, but you did say "new".
A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, and security researchers are still trying to understand precisely what it does and what purpose its self-destruct capability serves.
Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
Also curious, the malware comes with a mechanism to completely remove itself, a capability that’s typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists.
Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so. The malicious binary is more mysterious still because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze installation package contents or the way that package uses the JavaScript commands.
The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder. Researchers from Red Canary, the security firm that discovered the malware, are calling the malware Silver Sparrow. https://arstechnica.com/information-technology/2021/02/new-malware-found-on-30000-macs-has-security-pros-stumped/
bcnu, Mikem
It's mourning in America again.
|
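The one concrete behaviour the quoted article gives is the hourly check-in with a control server. As an added example, not from the article, the thread or Red Canary, here is the defender's side of that: a script that groups a host's outbound connections by destination, measures how evenly spaced they are, and reports pairs whose gaps barely vary, because a near-constant interval over many samples is a timer rather than a person. The log lines and every hostname in it are constructed placeholders, not real indicators, and the allow-list exists because legitimate software update checks are timers too.

```python
"""Spot fixed-interval check-ins in an outbound connection log.

Added example, not from the article or the thread. Log lines are
CONSTRUCTED in the shape "<ISO-8601 time> <host> <destination-name>";
the destination names are placeholders, not real indicators.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_log():
    """Constructed: twelve hourly check-ins with a little jitter, mixed with
    ordinary browsing at irregular times from the same host."""
    lines = []
    t0 = datetime(2021, 2, 22, 0, 0, 0)
    for i in range(12):
        t = t0 + timedelta(hours=i, seconds=(i * 7) % 20)
        lines.append(f"{t.isoformat()} imac-1 control-server-placeholder.invalid")
    for minutes in (3, 17, 18, 95, 250, 251, 252, 400, 610, 700):
        t = t0 + timedelta(minutes=minutes)
        lines.append(f"{t.isoformat()} imac-1 www.example.com")
    return "\n".join(sorted(lines))


def parse_log(text):
    """Group connection times by (host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        events[(host, dst)].append(datetime.fromisoformat(ts))
    return dict(events)


def periodicity(times):
    """(mean gap in seconds, coefficient of variation) or None if too few."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(events, min_samples=6, max_cv=0.1, allowlist=()):
    """Return (host, dst, mean_gap_s) for pairs whose gaps barely vary.

    A low coefficient of variation means a timer, not a person. Legitimate
    update checks are timers too, hence the allowlist for known-good names.
    """
    hits = []
    for (host, dst), times in events.items():
        if dst in allowlist or len(times) < min_samples:
            continue
        stats = periodicity(times)
        if stats and stats[1] <= max_cv:
            hits.append((host, dst, round(stats[0])))
    return hits


if __name__ == "__main__":
    for host, dst, gap in find_beacons(parse_log(build_log())):
        print(f"{host} -> {dst}: every {gap} s ({gap / 3600:.2f} h)")
```

On the constructed log the placeholder control-server pair comes out at roughly 3600 s with a coefficient of variation under one percent, while the browsing pair, with gaps from a minute to several hours, is nowhere near the threshold. Real beacons are often jittered on purpose, so the `max_cv` knob is a tuning decision, not a constant.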
Post #438,474
2/23/21 1:44:03 PM
|
Saw that, but…
Ashton is actually convinced—on what does not appear to me compelling evidence—that the bad guys compromised his machine via a used iPhone beginning five years ago. I made a house call to A’s rustic cottage in the wine country over the weekend in hopes of resolving his real or fancied security issues. I came away persuaded, if not certain, that his concerns are largely misplaced; he in turn was genially unconvinced by my assurances. I was, I think, able to demonstrate that at least some of the symptoms he believed to be evidence of hacking were no such thing, and stemmed from misconceptions about the Mac UI, and particularly about the way the “Dock” works, in one instance invoking on my own unconnected MBP a piece of visual feedback he’d considered damning evidence of outside interference.
There were other issues. His password recording hygiene (my own is not flawless) could be better. It took us a few attempts, where successful, to go places we needed to go. In other instances, we came a cropper. His supposed iCloud password, revealed in Keychain Access, was a string of gibberish, and not the familiar characters he recalled. The string of gibberish, carefully entered (on the new machine, using my phone as a WiFi hot spot), was not recognized. Easy-peasy: enter the phone number associated with this account and Apple will help you reset the password via that device. Er, the phone was believed compromised, as mentioned above, and so the service was cancelled. Got a sort of Gordian knot thing going here.
Ashton believes that he is being hacked via AirDrop. Research suggests that AirDrop has an effective range of about ten meters, so unless the one neighbor within that distance is the author of his grief, this seems as implausible as his earlier Bluetooth model.
He also asserted that the new iMac had also been infected, and that a dodgy icon for “GoToAssist”* (which I was able to remove from the old unit) had appeared in its dock. It was not there when we turned on the machine; nor could I find any evidence that the software had ever been in residence.
I append here a snippet from the Terminal app that, saith A, appeared unbidden on his screen the other day, although it appears to be a record from a month ago. It alarmed him deeply, and he takes it to mean that the baddies have been changing his passwords (I saw no evidence of this in Keychain Access). I’ve screenshotted and redacted it:
I see another house call in my future, because we’d left some issues unresolved, including the cabling configuration for his television/internet setup, by the time Lina, her errands in nearby Sonoma discharged, arrived to retrieve me. I’m particularly keen to determine which of the two “xfinity” wireless networks detectable from the premises is his: my money is on the unsecured one.
cordially,
*My understanding of this tech is, to put it mildly, imperfect, but if some external bad actor were actually fucking with A, GoToAssist, which some techie apparently installed on a consultation years ago, would seem a likelier channel than some of his other candidates.
|
Post #438,475
2/23/21 6:28:06 PM
|
Bummer.
It's good of you to try to help. Here's hoping it gets resolved soon. Ashton must be quite stressed about it. :-(
(I'm not seeing your avatar picture nor the "terminal" image in your post - just broken link graphics. I don't think drook's avatar picture shows up either.)
Cheers, Scott.
|
Post #438,479
2/23/21 6:48:21 PM
|
Images
|
Post #438,480
2/23/21 6:49:22 PM
|
OT: broken images
That is happening because the forum pages are now https and most modern browsers now won't show embedded images that are http.
Wade.
|
Post #438,482
2/24/21 12:04:05 AM
|
Ah. Thanks.
|