MacBook Air Drive Cleanup

I came across this need because I currently manage several MacBook Air laptop carts in the school district I work for. As these labs get used by many different students, I eventually see quite a few kids show up at my door with a 100% full disk warning on the logon screen and a completely grey screen if they log on. Performance of these 64GB SSD drives is pretty nice, but after about 40 different users log on and save a few things (iMovie projects, etc.) storage becomes an issue. It has been a real pain to clean up since I could not log on to the machine either (just a grey screen). Apple Remote Desktop (ARD) still seems to work with these machines in this state, so my first reaction was to send out the little one-line UNIX ARD command that I use to clean the machines during the summer…

mkdir /Temp && mv /Users/admin/ /Temp && mv /Users/Shared/ /Temp && rm -rf /Users/* && mv /Temp/admin/ /Users && mv /Temp/Shared/ /Users && rm -rf /Temp && ls -la /Users
 

That works great for cleaning out the /Users directory in the off months, but during the school year these kids need their work. So at first I was tediously going through the /Users directory by date like this: ls -lat /Users/
to figure out what I could delete, and then outputting the same list without the details: ls -t /Users/
Then I’d make a list of users and put them into a spreadsheet with one column of names and the other column with: rm -r /Users/
Once I finally had that I would do a find/replace in a text editor for the Tab character and finally put the long list of commands into a Unix command in ARD like…

rm -r /Users/joe.shmoe
rm -r /Users/yougetthepoint
 

So after a little research and testing I came up with a solution that will dynamically delete home folders based on last folder activity.
To clean these up as root with an ARD unix command send this…

df -h                          # disk usage before the cleanup
touch /Users                   # refresh the mtime of the folders that must survive
touch /Users/AdminAccountName
touch /Users/Shared
find /Users -mindepth 1 -maxdepth 1 -type d -mtime +15 -exec rm -r {} \;
df -h                          # disk usage after the cleanup
 

That will show your current disk usage, update the modification time of the important folders in /Users (so they are not deleted!) and delete any home folder that has not been modified in more than 15 days. Modify the number of days as needed 🙂 One caveat: a folder’s modification time only changes when something directly inside it is created, renamed or removed, so a student who only edits files deeper in their home folder (say, inside Documents) can look idle to find. Run the find without the -exec first and compare the list against ls -lat before you commit to a cutoff.
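As an added example (not the post’s own ARD command), here is the same idea as a small POSIX sh script that names the protected accounts explicitly instead of relying on touch and defaults to a dry run; the account names and the scratch directory in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the post's own ARD command. Same job as the find/touch
# approach, but the protected accounts are named explicitly and nothing is
# deleted unless DRY_RUN=0. Assumes POSIX sh, find -mindepth/-maxdepth, touch -t.

# stale_homes BASE DAYS [account ...]
# Print top-level directories under BASE not modified for more than DAYS days,
# skipping Shared and every account name given as an extra argument.
stale_homes() {
  base=$1; days=$2; shift 2
  # Rebuild "$@" as find predicates: ! -name acct1 ! -name acct2 ...
  n=$#
  while [ "$n" -gt 0 ]; do
    set -- "$@" ! -name "$1"
    shift
    n=$((n - 1))
  done
  find "$base" -mindepth 1 -maxdepth 1 -type d -mtime +"$days" \
       ! -name Shared "$@"
}

# purge_stale_homes BASE DAYS [account ...]
# Remove what stale_homes lists. The default (DRY_RUN unset or 1) only prints.
purge_stale_homes() {
  stale_homes "$@" | while IFS= read -r dir; do
    if [ "${DRY_RUN:-1}" = 1 ]; then
      printf 'would remove %s\n' "$dir"
    else
      rm -r -- "$dir"
    fi
  done
}

# Demo on constructed data in a scratch directory (never touches /Users).
# Prints the space-separated folder names that would be removed.
demo_stale_homes() {
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/admin" "$tmp/Shared" "$tmp/joe.shmoe" "$tmp/new.user" "$tmp/old.user"
  # Constructed mtimes: three folders look untouched since 2015.
  touch -t 201501011200 "$tmp/admin" "$tmp/joe.shmoe" "$tmp/old.user"
  stale_homes "$tmp" 15 admin | sed "s|^$tmp/||" | sort | paste -s -d ' ' -
  rm -r "$tmp"
}

# On a lab machine (run as root via ARD) the calls would look like:
#   DRY_RUN=1 purge_stale_homes /Users 15 AdminAccountName   # list only
#   DRY_RUN=0 purge_stale_homes /Users 15 AdminAccountName   # delete
```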

This works fine if you put it into a new Unix command like this…
MacbookAirCleanup

Example Output:
HostName (127.0.0.1)
Filesystem Size Used Avail Capacity Mounted on
/dev/disk0s2 56Gi 56Gi 0Bi 100% /
devfs 181Ki 181Ki 0Bi 100% /dev
map -hosts 0Bi 0Bi 0Bi 100% /net
map auto_home 0Bi 0Bi 0Bi 100% /home
map -fstab 0Bi 0Bi 0Bi 100% /Network/Servers

Filesystem Size Used Avail Capacity Mounted on
/dev/disk0s2 56Gi 41Gi 14Gi 75% /
devfs 180Ki 180Ki 0Bi 100% /dev
map -hosts 0Bi 0Bi 0Bi 100% /net
map auto_home 0Bi 0Bi 0Bi 100% /home
map -fstab 0Bi 0Bi 0Bi 100% /Network/Servers

I have tested this on 10.5 through 10.8.2 systems. Your mileage may vary and I claim no responsibility for what you might do with this script (unless it is really cool 😉).

Happy Cleaning!
Craig

References:

Thanks to this little page for getting me started…
http://www.howtogeek.com/howto/ubuntu/delete-files-older-than-x-days-on-linux/

Posted in ARD, Macintosh, Network Administration

Using OSSEC to Detect MacDefender in Squid Logs

While doing forensics this week to determine where the MacDefender malware was coming from, I noticed one thing that was common to all the requests for this malicious package: when it was downloaded, the MIME type of the file request was “application/download”. While searching through the logs I realized that this is a MIME type I would want to know about anyway, and that generally there are not a lot of requests associated with it, so I would not be overwhelmed with notifications.

So how do I monitor this? I’ve been using the OSSEC IDS system (http://www.ossec.net/) for a few years now. It is an excellent tool and completely customizable. To get OSSEC to monitor my squid log, I first added /var/log/squid/access.log to the list of monitored files in the /var/ossec/etc/ossec.conf file and restarted the service.

  <localfile>
    <log_format>squid</log_format>
    <location>/var/log/squid/access.log</location>
  </localfile>

Now, the problem I found with adding this is that if you have a pretty busy network with a lot of different clients (Macs, Linux, PCs), you are going to get some odd traffic that triggers alerts based on the multiple errors found in the squid access log. To handle this it is a good idea to shut off active response for a while and gather some exceptions that you can put into the local_rules.xml file on the OSSEC server. Below is the rule I used to detect application/download.

<group name="squid-custom,">
  <rule id="100400" level="6">
    <if_sid>35000</if_sid>
    <match>application/download</match>
    <description>Application downloaded via squid proxy. Check URL to determine malware.</description>
  </rule>
</group>

I have email notifications set for level 6 and up and active response for level 7 or greater. This way internal hosts will not lose their internet connection when downloading a legitimate program. Below are some of the exceptions that I had to add to local_rules.xml to make sure that certain requests did not add internal hosts to the hosts.deny file.

<group name="squid-custom,">
  <!-- Each exception is a child (if_sid) of the built-in squid rule it silences.
       Custom rules need their own IDs in the 100000-119999 range; the id
       attribute must not reuse the parent's ID. -->
  <rule id="100401" level="0">
    <if_sid>35057</if_sid>
    <match>secars.dll</match>
    <description>False Positive. Symantec Endpoint client going through proxy.</description>
  </rule>
  <rule id="100402" level="0">
    <if_sid>35009</if_sid>
    <match>secars.dll</match>
    <description>False Positive. Symantec Endpoint client going through proxy.</description>
  </rule>
  <rule id="100403" level="0">
    <if_sid>35008</if_sid>
    <match>secars.dll</match>
    <description>False Positive. Symantec Endpoint client going through proxy.</description>
  </rule>
</group>

There will probably be a few more things to add. Just monitor your alerts carefully and you will have it smoothed out in short order.
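As an added example that is not part of the post or of OSSEC, the awk script below models the post’s rules over squid native-format log lines so a new rule or exception can be sanity-checked offline before it goes into local_rules.xml; the level-5 error rule stands in for OSSEC’s built-in squid rules (an assumption, their real levels are not on the page), and the log lines, hosts and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the post or OSSEC: an awk model of the post's squid
# rules, for checking a rule or exception offline before editing local_rules.xml.
# Assumption: the level-5 error rule stands in for the built-in squid rules that
# the post's secars.dll exceptions silence; their real levels are not on the page.

# squid_rule_levels < access.log
# Prints "level client url" for each line the modelled rules would alert on.
# Native squid layout: ts elapsed client status/code size method url [ident] peer mime
squid_rule_levels() {
  awk '
    NF >= 9 && index($4, "/") {
      split($4, sc, "/")
      code = sc[2] + 0
      level = 0
      if ($NF == "application/download") {
        level = 6                              # rule 100400 from the post
      } else if (code >= 400) {
        # assumed error rule; its child exception (level 0) matches the
        # Symantec Endpoint client the same way as <match>secars.dll</match>
        level = index($7, "secars.dll") ? 0 : 5
      }
      if (level >= 5) print level, $3, $7
    }'
}

# Constructed sample log (placeholder hosts and addresses, one malformed line).
# Returns the alerts joined with ";" so the result is easy to compare.
demo_squid_rules() {
  squid_rule_levels <<'EOF' | paste -s -d ';' -
1306522093.290 620 10.0.0.5 TCP_MISS/200 47939 GET http://bad.example/files/payload.zip - DIRECT/203.0.113.7 application/download
1306522100.101 12 10.0.0.8 TCP_MISS/200 2048 GET http://cdn.example/app.js - DIRECT/203.0.113.9 application/javascript
1306522105.500 30 10.0.0.9 TCP_MISS/404 512 GET http://sep.example/secars/secars.dll - DIRECT/203.0.113.10 text/html
1306522110.700 30 10.0.0.9 TCP_MISS/404 512 GET http://site.example/missing - DIRECT/203.0.113.10 text/html
garbage line that should be skipped
EOF
}
```

Only the application/download fetch and the plain 404 survive; the secars.dll 404 is silenced by the exception just as the level-0 child rules do in OSSEC.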

As I was about to leave work today I received an alert from OSSEC that looked like what you see below. I’ve edited out the internal information and the bad URL’s host.

OSSEC HIDS Notification.
2011 May 27 14:49:17

Received From: (MyProxy) IPaddress ->/var/log/squid/access.log
Rule: 100400 fired (level 8 ) -> "Application downloaded via squid proxy. Check URL to determine malware."
Portion of the log(s):

1306522093.290    620 <InternalHost> TCP_MISS/200 47939 GET http://VeryBadHost.com/files/a6930dd67bda35bd60e694db3a40ec58d3875a870e2210c7.zip DIRECT/<BadIPAddress> application/download

 --END OF NOTIFICATION

I blocked the IP on my network, checked the host that downloaded the package and then submitted the bad IP address to the Google Safe Browsing report form here: http://www.google.com/safebrowsing/report_badware/ and when I checked tonight I received the warning when going to the site in Firefox and Chrome.

Posted in Computer Security, Macintosh, Phishing

Macintosh Fake Anti-Malware: How to Protect Yourself and Your Network

Protection at Home: (For the regular home folks)
There is a new malware scam going around for Mac computers that exploits Safari’s “Open safe files automatically” feature. If you are just a home user and use Safari, please disable this risky feature. In Safari, go to the menu Safari->Preferences and under the General tab un-check the option near the bottom.

Protection at Work: (For Network Administrators and other Geeks)
So what if you are like me and in charge of a whole network full of Macintosh machines? Well, hopefully your settings are managed with Open Directory and you use Workgroup Manager to enforce certain settings. I have a variety of User and Computer groups that are managed in this manner. In order to manage Safari settings in Open Directory you need to add Safari.app to the preferences on the screen you see when you click on a group and then Preferences (Note: click on the Details tab).

Choose Safari in the /Applications folder. (Note that I have also previously chosen /System/Library/CoreServices/Managed Client.app which is why there are a lot more options on this screen.) Once Safari is added, highlight com.apple.Safari and click the Pencil

In the next dialog highlight the “Often” and then “New Key”. Choose the “Open Safe Downloads Automatically” and change the value to false. Apply it and click Done. This preference will now be set each time a managed client opens Safari. End-users can still un-check it if they like, but it should be reset after a quit and reopen.


I’m not sure why this option is not available under the “Always” section, which would lock the option. Feel free to explore the other options available under the “Always” key.

Posted in Computer Security, For-Facebook, For-My-Facebook, Macintosh

Online Accounts: Just a Bit of Common Sense

Millions, possibly billions, of people are conducting transactions online. Whether this is online banking, shopping, social networking or group discussions, there are a few important guidelines to follow in order to make sure that a compromise of your information and accounts is confined to the site you use them on. In other words, do NOT use the same username/password at multiple sites. In the last week alone there have been three large data breaches that involved either employee or customer information. For an example just Google: texas OR barracuda OR epsilon data breach.

Account Choices:

For my very important accounts I never use anything remotely close to a real name when choosing my username. The same applies when I am choosing a password: I will never use the same password that I used on another site. Why? Because when the site I am using is hacked or left wide open, I do not want my username and password to be valid elsewhere. For instance, say I have an account with Citibank or some other online banking firm and somehow that site’s information is extracted by a group of online criminals. I want this breach to stop within the scope of that institution and not have those credentials work on another popular website.

Choosing an account name and password: your usernames and passwords need to contain letters, numbers, upper case, lower case and special characters (these things: !@#$%^&*). When I am making a password I have a couple of approaches. One approach is to choose a fairly long phrase or lyric that I like and use the first letter of each word to create my password. I’ll alternate upper and lower case and put in a few 1’s for I’s or zeros for O’s. Sometimes I’ll phonetically alter the spelling and combine acronyms. For example: RUr34llyPhour2dazeOld? (English translation: Are you really four days old?) Another approach that I use I like to call Brain-Fart-on-my-Keyboard: just start pressing random keys on the keyboard while thinking random things. I usually end up with something like this…

User: Lhjglkj(*&y43tiy678e
Pass: z7834hKJGjkG78efuhff%Y

These are things I will never remember and if possible they will never be lifted from my mind. I save these passwords in an encrypted file that I do know the password to (that is another story) and then simply copy/paste them into the sites that I am logging into. An easy way to do this would be by using the highly rated free program LastPass: https://lastpass.com/

The point to all this: Do not use a real word or name!

Those Stupid Questions they ask:

One thing that is really annoying is those security questions they ask you to fill out, such as what is your Mother’s maiden name, etc. If they ask you to create your own question, I use the “Brain Fart” method above for both the question and the answer. If it is one of those choose-a-question drop-downs where they then make you type your answer, it’s another brain fart for me…

Posted in Computer Security, For-Facebook, For-My-Facebook

Specialized Email Phishing Attacks Highly Likely

This week many of you have received emails from companies (Best Buy, Chase, Citi, Disney, Walgreens, TiVo, etc., etc.) whose websites you’ve registered with, mentioning a data or security breach in which your name and email address were stolen from a company called Epsilon. Epsilon is a company that sends out gazillions of emails for a lot of companies (about 2,500). Simply put, they are a very busy email marketing delivery service with a lot of personal information.

The Problem: Since these criminals now have your name, email address and the actual company associated with that information, you can expect that they will be sending you email communications posing as a legitimate company. I’m not going to get in to the technical aspects of how they will do this, just know that they can and will.

The Solution: In a previous blog post I mentioned phishing attacks that appear to come from a legitimate source yet do not. In that post I summarized at the end a few things that you should do to be cautious and protect your information/identity from being stolen. What I really should have said is simply: Do not click on links in an email*.

If you get an email from your bank, read it; maybe it is real (do you always believe everything you read?) and something you need to take care of. Instead of clicking on that convenient link in the message, manually open your web browser (hopefully you use Firefox or Chrome), go to the company’s site that you should have bookmarked and take care of business.

For a fairly complete list of companies that were exposed check this website: http://www.databreaches.net/?p=17374

For more on Phishing attacks the FBI.gov site has a good example: http://www.fbi.gov/news/stories/2009/april/spearphishing_040109

If you want learn more about computer security I recommend this weekly podcast: http://twit.tv/sn . They have hundreds of shows online with notes: http://wiki.twit.tv/wiki/Category:Security_Now_Show_Notes

——————————————————-

* Unless of course you know what message headers or HTML source code are and how to decipher what they actually mean. I only look at them since it is part of my job and I am curious. In reality, it is easier and safer to just go to the company’s website manually.

Posted in Computer Security, For-Facebook, For-My-Facebook, Phishing

Hiking Bluff Head, Guilford, CT Via the Mattabesset Trail

Much to the chagrin of my family, I love to hike on the weekends and if possible it has to be somewhere that I haven’t been before. All I want is somewhere that is moderately challenging, gives you some good inclines and gets the heart rate going. The obvious bonus is that you usually will get a nice view, which my camera appreciates greatly.

The Mattabesset trail in the Bluff Head/Northwoods section was no exception. Jim over at hikethegiant.blogspot.com mentioned doing a 9.5 mile loop. I knew over nine miles was not going to go over well with the family, so I took a look at the map and decided I could probably cut this in half by taking the road back to the parking area. This wasn’t the best idea, since the traffic is pretty speedy along this road, but we made it safely. In retrospect, I would have just gone in 2.5 miles or so and cut back along the same trail. Click here to download the trail map from the Guilford Land Trust website.

The parking lot was easy to find. I was able to use Google Maps street view to determine that 4411 Durham Rd, Guilford, CT is approximately where you need to be to find the parking lot. Just put that address into your GPS and slow down as you approach.

To start we headed to the back of the parking lot and followed the Blue trail. The hike began with a great climb up a steep incline. The footholds were solid and secure as I used the roots and stones along the path to place my steps. This is not a walk for small kids, as you can see when looking at this sign…

[Photo: sign reading “Serious Injury or Death”]

After a little over .36 miles logged we had already worked up a good sweat and enjoyed a great view to the east…

[Photo: The Happy Family...]

[Photo: Myer Huber Pond (what you see when you look down)]

There were a few more overlooks as we moved onwards. The trail got a little too crazy at one point, where there was about a 10 foot rock to scale. This is not something all of us were willing to do, so we went around to the left and cut back to the blue trail on the other side.

The descent was fairly uneventful. The trail is well marked and easy to follow. The forest has taken a beating this winter and there are a ton of downed trees. I’ve noticed this a lot on the trails in the state, especially on the western side of any hill I happen to be walking over. We finally reached the base of the path that leads you past some horses and signs that are urging you to stay on the path.

[Photo: horses near the base of the trail]

[Photo: pond at Bluff Head]

Below is a snapshot of my GPS log with some annotations. Thanks for reading.

[Image: annotated GPS log of the Bluff Head hike]

References:

Trail Map Location (as of 4/3/2011): http://guilfordlandtrust.org/wordpress/maps/northwoodsmap.pdf

http://hikethegiant.blogspot.com/2010/09/mattabesset-trail-bluff-head.html

http://guilfordlandtrust.org/

http://www.speedwitch.com/conservation_commission/

Posted in Day-Hikes, For-My-Facebook, Hike-Moderate-Level, Hiking

Security Note: Fake SSL Certificates Issued for 9 Popular Websites

Apparently Comodo issued security certificates for these popular websites…
login.live.com, mail.google.com, http://www.google.com, login.yahoo.com (3 certificates), login.skype.com, addons.mozilla.org. This would allow attackers to create fake websites using these certificates, pose as the authentic site and at the very least steal your logon information.

So when Microsoft Update asks you to install an update, make sure you do (that little yellow shield near the clock). If you do not want to wait for the update to come to you then go get it here…
http://support.microsoft.com/kb/2524375

In addition, make sure you update your Firefox Browser as well. Mozilla Firefox released 3.6.16 today also to include a fix that “blacklists a few invalid HTTPS certificates”. The Firefox 3.6 update is available here: http://www.mozilla.com/en-US/firefox/all-older.html
Or just simply update to the latest version: http://www.mozilla.com/en-US/firefox/new/

References:
http://www.wired.com/threatlevel/2011/03/comodo-compromise/
http://support.microsoft.com/kb/2524375
http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/

Posted in Computer Security, For-Facebook, For-My-Facebook, Phishing, Security, Windows