Dear Reader,

Anyone who knows me knows my story: I have been through a great deal over the last 3 years - some sad and debilitating, others very empowering.

From the period of Oct ’09 through Jan ’10, I found that my computer had been hacked - the perpetrators turned out to be the very people I turned to for support. The eavesdropping was unsettling & inappropriate. I let the intrusion slide and began to question whether this behavior was brought on by my actions. I chose to simply take measures to secure my Mac and let it go.

By December, I was full swing into the holiday season and looking forward to ringing in the New Year. By pure fluke, I found several other forms of eavesdropping mechanics on my computers (both my Mac and PC). These devices allowed my perpetrators to access the data frames of my screen and wake my computer from sleep mode by a remote USB device. In fact, when they started up their computers & WiFi devices, they were able to see everything I see now via my monitor. They scanned my emails, monitored my internet activity, read the vulnerabilities as displayed in my diary, reviewed bank transactions, saw the things I have been most curious about and the list goes on. Some of the things I cherish most in life pertain to my privacy & individuality. I was exposed and felt naked in front of the crowd.

Through the guidance of online tutorials and very helpful Apple customer support professionals, I wiped out my hard drive and began the process of starting from scratch. The eavesdropping did not stop - no matter what I did, the software packages returned. Sadly, instead of progressing in life, I felt sucked back in. With every “starting from scratch”, I had to go through a sort of numbing process, rebuilding and overcoming the thought that no matter what I did, metaphorically speaking, I was making the same mistakes again.

I read once that a person can waste money and most things in life but time is fleeting - it can never be recouped. Eventually, my perpetrators injected a common form of Malware into my computer - engineered through common WiFi protocols. This added a whole separate layer of bizarre to the scenario. It seems, they became upset when I chose to gain back my privacy, while ironically, utilizing more technologically advanced tooling than I used for myself. They became more efficient than I was in syncing my various networks.

My perpetrators are very savvy, experienced and well into their 40‘s. The excuse of not knowing what they were doing, being immature, naive, 20-somethings could not be part of this equation. Unfortunately, once a network is penetrated, the worldwide web becomes privy to credit card information, usernames, passwords and again, the list goes on.

Prior to this whole debacle, I had begun the process of starting my own business and launching my website, even securing & pre-paying for hosting, legal fees, startup costs, etc.. My attackers injected a popular Windows-based Malware that systematically wiped-out my hard drive every morning at 3 a.m.. I wasted thousands of dollars and put my dreams on hold daily. Every morning I awoke to more fleeting time that could not be recouped.

My resume reads like a storybook of IT Outsourcing, Data Management, Business Process Outsourcing & CRM - I was recently involved in a life-changing project with the #1 IT Security Company in-the-world. Due to this experience, I now understand the implications & severity of personal security first hand and realize that anyone is vulnerable to hacking, whereas, I used to be on the other side of the paradigm.

Eventually, I was able to hone in on the attacks and increased my knowledge of ARP Spoofing, Security, Hacking and all the other frivolities that come with knowing that an invasion of privacy has taken place. My decision to write this tutorial is two-fold: 1). the idea of being “naked in front of the crowd” is debilitating - I do not want anyone else to feel this and 2). things get put on hold before you know it. My hope is that anyone who is victimized may have the opportunity to buy back some wasted time - yours, mine and everyone else.

This is Security for the Rest of Us.

Malina2

Madinah PresenceSecurity Series Publication

Legal Notice

Unless otherwise indicated, published content is the sole property of The Madinah Presence and it’s affiliates. The security Series Publications are protected without limitation, pursuant to the United States and foreign copyright and trademark laws. Authorized downloading of this publication is permitted for personal, non-commercial use only. Removing trademark, copyright, or other proprietary notices are prohibited by the governing laws. Unless authorized by The Madinah Presence, modifications, copies, distribution, republishing, commercial exploitation or uploading any of the material is prohibited. No intellectual property or other rights, other than the limited right to use as set forth above, are transferred to the user.

3

Table of ContentsARP Spoofing 101 6

ARP Spoofing 6

local areas network 7

Hacking Results 8

Methods of Hacking 8

Gathering Data 9

Your First Steps 9

Network Utility 10

Questionable Messages 10

Physical Intrusion 12

Validatin Folder Creation 12

Little Snitch 13

Reading Little Snitch 13

Mac Makes it Easy to Figure Out 14

Other Places to Monitor 16

Online Checks - Email Accounts 16

Securing Your Mac 18

Clean Install Checklist 19

WHAT’S IN THE BOX 19

Network Terms & Acronym 20

Other Network Terms 20

Here are additional terms when monitor unauthorized activity. The terms outlined with screenshots define most common hacking terms. These are ancillary terms during the actual “Know Your Mac” stage.! 20

Contact 21

4

IntroductionApple computers are as secure as a deadbolt, if configured properly. ARP Spoofing, however, is different - there are very few steps you can take if you are connected to a network that is being “spoofed”. This tutorial details the elements of ARP Spoofing, Network Security and Solution Securitization.

5

NEXT STEPSIf you believe your computer or network security is at risk, please perform a bear minimum of tasks: 1. Backup your data via an online resource or external hard

drive. Online services offer an array of secure & safe uploading and restoration of data. Mozy & Backblaze are great options at minimal cost (however, Backblaze is a bear if data encryption is involved via their Product Key. This is, seemingly, a marketing tool for them but lacks in ease-of-use, remember you password no matter what it takes to do so.).

2. Start the process of documenting everything*:a. Install Lil’ Snitch - this is a lightweight network utility that sits discreetly on your desktop and alerts based

on how it’s configured. Typically, alerts take place simultaneous to network activity. Lil’ Snitch has the capability of monitoring all network activity, including what takes place on a local network. Other network solutions (outside of commercial & corporate use), leave some ambiguity when addressing local area networks, which is the crux of ARP Spoofing. **

b. Get to know your Console messages based on your own software platform - only you know what is valid (please also see “Console Messages” of this tutorial).

c. Record data frames as alerts arise. This means keeping Grab open in your dock, timing screenshots and/or choosing a window. This solution is not for everyone but it worked the best for me at the time - I had a hard time with installing any more software and chose to use what is already available via my Utilities. Please use what is most effective for you.

d. Document your findings in a TextEdit or VooDoo Pad.e. On a daily basis, upload the grabs and documentation to your backup and send those exact files to one

consistent person of your choosing.f. Once data has been compiled for a minimum of 2 weeks, formalize a complaint to the C3 - Cybercrimes

Division of the Federal Bureau of Investigations. The IC3 division will be able to extract the necessary data, validate it’s authenticity and prosecute. If network security has been compromised and becomes prosecutable, the data forensics fees are built into the restitution of the attacker, not the victim.

The initial setup process should only take approximately 30 minutes. 15 minutes should be allotted for daily maintenance. The steps outlined above are 100% free to try. If you would like to extend your trial period or want to look into for pay options, please email me and I can supply a list of preferred providers. * Power-users may want to turn on a hidden window within the Screen Sharing by entering these

command lines in the Terminal prompt: LocalMac:~ localuser$ defaults write com.apple.ScreenSharing ShowBonjourBrowser_Debug 1 (no period at the end).

* * This tutorial is for Mac users, however, CAPSA is an effective resource for Windows based environments.

SECURITY PHILOSOPHYMY PHILOSOPHY ON SECURITY IS

DIFFERENT THAN MOST. I HAVE WORKED FOR CORPORATIONS WHO WITNESSED

SEVERE SECURITY BREACHES BY EMPLOYEES AND NOW AM A VICTIM.

ARP Spoofing 101ARP SpoofingBy default, your Mac, PC, mobile devices and printers possess IP and MAC Addresses (not to be confused with the address of your Mac computer). It is critical you know these addresses before you go any further.

6

ARP SPOOFINGARP Spoofing is gaining unauthorized access by infiltrating an Ethernet or wireless network. The attacker is able to “sniff” data frames on a local area network. The data frames are then reviewed, monitored, modified and even stopped.

How it Works

For the most part, ARP spoofing is catalyzed by a fake or “spoofed” message. It associates the attacker’s MAC address with the IP address of the default gateway. The traffic is mistakenly sent to the fake address instead.

Technology Impact

Unfortunately, today’s newest innovation of Remote Desktop and Screen Sharing take quite-a-few layers of security from most security platforms. While investigating the severity of ARP Spoofing, establish a hidden frame as a Power User. This is a workaround.

RISKSYour attacker can “sniff” the following data frames:

Screen Sharing - Snow Leopard readily comes equipped with this application.

Email - not only is your attacker able to monitor network traffic, they can see a live-view of your screen if remote desktop or screen sharing is present.

Internet Activity - the very minimal ARP attack exposes where you have been on the internet and web.

Financial Statements - coupled with other technological tools, your attacker can view user names and passwords.

MAN-IN-THE-MIDDLE ATTACKOTHER TECHNOLOGIES SUCH AS IMMOTION FOR WINDOWS, ALLOW YOUR ATTACKER TO VIEW SCREEN ACTIVITY IN REALTIME. THERE ARE ADDITIONAL KEYSTROKING APPLICATIONS “RECORD” KEYSTROKES IN REALTIME, AS WELL (KEY-LOGGING IS THE FIRST SUBCATEGORY WITHIN KEYSTROKE TECHNOLOGY). YOUR ATTACKER SEES YOUR KEYSTROKES IN REALTIME AND DOES NOT HAVE TO PURCHASE ADDITIONAL SOFTWARE APPLICATIONS THAT TRANSLATE WORD PROCESSING, INTERNET, EMAIL, ETC. APPLICATIONS FROM A MAC BASED TO A WINDOWS BASED P.C. BECAUSE KEYSTROKE RESOLUTION IS RECORDED, USER NAME AND PASSWORDS ARE VISIBLE EVEN WHEN ENCRYPTION TECHNOLOGY IS USED.IN A MAN-IN-THE-MIDDLE SCENARIO, YOUR ATTACKER IS ABLE TO SEE YOUR NETWORK ACTIVITY, ALTER IT OR STOP IT ALTOGETHER. UTILIZING ARP TECHNOLOGY IS NOT ILLEGAL BY NATURE AND WAS INVENTED TO ADD SECURITY. HOWEVER, SPOOFING IS ILLEGAL. SPOOFING IS ACTING AS YOU IN ALL AREAS OF YOUR COMPUTER AND NETWORK. MORE PROGRESSIVE STATES SEE ARP SPOOFING AS IDENTITY THEFT AND PROSECUTE AS SUCH.

LOCAL AREAS NETWORKLAN Explanation

The LAN is a small network that resides in a home or small office. The LAN provides a means to share files, printers and other services between computers on that particular network. These protocols need to be installed and are not arbitrarily part of the LAN - the assumption is that the Windows share user name and password is established. This is what is legally required by your network administrator:

1). Users permission to access the share, 2). A shared resource bucket which could contain but not limited to Files, packets, screen sharing, etc., 3). An announcement protocol that displays to the rest of the network that you are taking and/or receiving information in the “shared” bucket and 4). Simple method to connect to the “shared” network.1

Gained access of a Mac on a Windows Server, is simple to orchestrate just by pointing the utility to the device with the smb://x.x.x/ (IP address). In most cases, the hostname is too ambiguous. An IP address is basically the only way of isolating your Mac.

7

1 Please note that although these are common terms, the requirement is that they be permitted based the computer’s authorized access. Meaning, if packets, screen sharing or files are in transit, the User of the computer is the only user who should have granted it. Anything other than this protocol is deemed illegal by the Justice Department.

Legalities of ARP Spoofing

Several laws are broken when ARP Spoofing is present. The unauthorized access of a private network or computer is illegal. However, outside of commercial or corporate infrastructure, most users are not aware of the other breaches that take place. Inherently & by default, once a computer is invaded, a certificate is established in the Keychain Access controls.2 This keychain is technically signed by the attacker and not by you. Meaning, just by penetrating your computer walls, identity theft has taken place. Other crimes take place if financial data is stolen, username & passwords are pirated, etc.. These bylaws can be examined at the FBI’s - IC3 Cyber-crimes website or the Department of Justice Criminal Law website. Please see the Network Utilities and Little Snitch pages for specific laws and offenses.

COMPUTER ADDRESSES

KNOWN SECURITY ISSUES COME FROM VARIOUS ADDRESSES THAT ARE INHERENT TO NETWORKING AND COMPUTING: IP ADDRESS - IS A NUMERICAL LABEL THAT IS ASSIGNED TO DEVICES PARTICIPATING IN A COMPUTER NETWORK THAT USES INTERNET PROTOCOL FOR COMMUNICATION BETWEEN IT’S NODES. AN IP ADDRESS SERVES TWO PRINCIPAL FUNCTIONS: HOST OR NETWORK INTERFACE IDENTIFICATION AND LOCATION ADDRESSING. IT’S ROLE HAS BEEN CHARACTERIZED AS THE FOLLOWS: “A NAME INDICATES WHAT WE SEEK. AN ADDRESS INDICATES WHERE IT IS. A ROUTE INDICATES HOW TO GET THERE.”2

MAC ADDRESS - IS A UNIQUE IDENTIFIER ASSIGNED TO MOST NETWORK ADAPTERS OR NETWORK INTERFACES CARDS (NIC’S) BY THE MANUFACTURER FOR IDENTIFICATION AND USED IN THE MEDIA ACCESS CONTROLS PROTOCOL SUB-LAYER. IF ASSIGNED BY A MANUFACTURER, A MAC ADDRESS USUALLY ENCODES THE MANUFACTURER’S REGISTERED IDENTIFICATION NUMBER. IT MAY ALSO BE KNOWN AS AN ETHERNET HARDWARE ADDRESS (EHA), HARDWARE ADDRESS OR PHYSICAL ADDRESS. 3

Hacking ResultsMethods of HackingBefore gathering the data necessary to ascertain whether network security has been compromised, it is best to understand Cyber-crimes in general:

CYBER-CRIMESCyber-crimes are broad and the laws governing them are equally as ambiguous.

FBI’s Definition

Criminal activity involving information technology infrastructure, including illegal access), illegal interception (by technical means of non-public transmissions of computer data to, from or within a computer system), data interference, systems interference, misuse of devices, forgery (also know as, identity theft) and forms of electronic fraud.2

The less formal definition is accessing a computer or network by gaining administrative rights or access controls. For the most part, there are 3 types of hackers: 1). computer security, 2). programmer and 3). hobbyist. The latter two categories are typically comprised of professionals who program open source and innovative programming that can be incorporated into most networked environments. These are typically homegrown and can be incorporated into most Linux and UNIX based environments. The computer security hacker, on the other hand, is a criminal and security hacking is a crime.

The computer security hacker is then split out into several subcategories. The “cracker’ or “black hat”-like hacker and even a novice with a kiddie-script can do a great deal of damage. I have found the novice is (at times) more destructive because remnants of an attack are left for years to come. Both are criminals who gain unauthorized access in pursuit of committing a crime - basically having unlawful intentions, i.e. credit information, identity theft, injection of malware, spyware and the like.

Hacking Sub-culture

Criminal hacking is made easy by an abundance of websites that sell illegal routers, USB Broadband, ARP Spoofing kits, Kiddie Scripts, etc.. The most common type of criminal intrusion is established by the usage of equipment and/or scripting. My hackers used USB devices, router and software to render my Mac a zombie.

82 The Federal Bureau of Investigation, 2010

METHODSHere are some methods of hacking:“Man-in-the-middle” - not only did my attackers monitor my network activity but they also prevented incoming & outgoing network activity. This ultimately caused me to lose a prominent contract in order to build my business.USB Devices -access data frames by using a remote USB device that wakes a computer out of sleep mode.Rootkit - a Rootkit masquerades as the actual operating system whether it be a Mac or PC. If a user begins to see unidentifiable files, abnormal white screen activity, etc., the propensity may be to delete files. This is very dangerous because the Rootkit is able to send a message to the operating system sending it into kernel panic. This intentionally crashed the hard drive and although the affects are not present right away, the wear & tear is irreversible.Trojan Horse - this tricks the user to believe a system is doing one thing, when in fact, it is doing something entirely different. These are dangerous because an attack can go on without any detection.Keylogger - this is a tool that records all keys pushed on the keyboard in order to gain confidential information such as passwords, user name, etc., which then manipulates the data into a text document that is compatible with the attackers software capabilities. Keyloggers are typically brought in through other methods such as the Rootkit, trojan horse, malware or virus. Keylogging is not entirely illegal because there are some programs that use this method to enhance security to detect fraud. All of the above referenced technologies and methodologies are illegal based upon the fact that it is unauthorized access. The only exceptions are if the user is under eighteen years of age or the network is privatized. A privatized network, however, may not invade a computer that is not made public.

Gathering DataYour First Steps

How to Read Data

Once you have laid the groundwork, it is time to start evaluating messages and deciding what is part of your operating system and what is not.

Console Messages

Inherently, there will always be movement within the console of your computer. Anything that speaks to login, keychain access, security sharing, etc. should be examined carefully. Here are questionable alerts directly from the console of my Mac:

1). Wake reasons = usb1, USD (UHCI): Port 2 on bus 1x1d has remote wakeup from some device - this is remote access by a USB device. I do not sync my iPhone with my Mac, therefore, this message does not reflect my activity.

2).USConfigur.MacCert.log:System/Library/Framework/CoreServices.framework: User; [email protected] - normally, this message should not be a concern, however, I do not have a MobileMe account and do not plan to get one. While investigating this message with Apple support personnel, the account was registered on October 7, 2009 (the same date as the initial install of unauthorized software. The creation of this MobileMe account is stored in Keychain Access, as well. Keychain Access is basically “signed” agreements between the user and the vendor or trusted website source. The

Software Engineering Institute, Carnegie Mellon authorizes certificates based on whether a website is trusted or not. Because this is a “signed agreement”, it is identity theft and is viewed as the same protocol as if the attacker signed my name to loan documents.

3). Sync Services Log - 957 - Synserver/874/110f00/Server/Info/ Goodnight, Gracie, 555 - ISyncSession/Info/com.apple.mail: massage: prepare for slow sync, 554 - Rule Owner - Signature Owner

4). This is a warning from the console that was approved but did not fit any of my previous protocols. If gone undetected, my computer would have learned the behavior, adopted it as it’s own and my hard drive would have crashed when I chose to override it. The reason for

the crash would be due to t a kernel panic: /usr/sbin/kadmin.local-q add_principal -randkeycifs/LKDC:SHA1.E39081409F0F9EED17301F6C0BD0F701296A61B0@LKDC:SHA1.E39081409F0F9EED17301F6C0BD0F701296A61B0LKDC:SHA1.E39081409F0F9EED17301F6C0BD0F701296A61B0@LKDC:SHA1.E39081409F0F9EED17301F6C0BD0F701296A61B0 WARNING: no policy specified for cifsLKDC:SHA1.E39081409F0F9EED17301F6C0BD0F701296A61B0@LKDC:SHA1.E39081409F0F9EED17301F6C0BD0F701296A61B0; defaulting to no policy.

9

CONSOLE MESSAGES

The console is basically the messenger of your Mac, continuously sending messages of activity by the operating system. A surefire way to evaluate unauthorized access is

by performing an action and seeing what is your executable activity versus that of a hacker. Click “All Messages”, perform a random task and monitor foreign messages. .

FIREWALL MESSAGESMALINA-KINDTS-MACBOOK-PRO-17 FIREWALL[54]: STEALTH MODE CONNECTION ATTEMPT TO UDP 192.168.1.157:64759 FROM 192.168.1.254:53. THIS IS THE SERVER. MALINA-KINDTS-MACBOOK-PRO-17 FIREWALL[54]: STEALTH MODE CONNECTION ATTEMPT TO TCP 192.168.1.157:40080 FROM 192.168.1.116:56934 - THIS IS THE IP ADDRESS OF MY ATTACKER.

mailto:[email protected]


Network Uti l ityQuestionable MessagesInteractions between your computer’s network utilities.

Hacking & Non-hacking Network BehaviorsNetwork activity is the #1 way a hacker will gain access. Google or Akamai Technologies exploring a network to figure out the patterns and buying habits of the random internet user is actually helpful (to construct or detect setup arrangements). This is subject to opinion. However, my gentle opinion is that it has a place in modern culture. It affords less wasteful marketing - i.e. selling me Windows based applications on my Mac. When broken out, Netbios is exactly what it sounds like: Net is defined as a communication of or broadcast directly related to the Internet, while Bios is defined simply as computing. It’s acronym is Origin, which is basically input and output. In the hacking world, Netbios is the number one way of gaining access into a computer to insert malware or spyware. Netbios is typically engaged by port 139. .

10

SYN_SENTSYN_SENT IS A IBPROTOCOL SETUP BY

ATTACKERS - IT IS FOUND PRIMARILY IN THE ROUTING TABLE OF NETWORK UTILITIES. THE

SYNC ITSELF TAKES PLACE IN THE TRACEROUTE . MY ATTACKERS SET UP

SYNCHRONIZATION TO 2 MOBILE DEVICES AND THE DESKTOP WITHIN 30 FEET OF MY

MAC.

IP ADDRESSESTHE IP ADDRESS OF MY MAC WAS

192.168.1.157, WHILE THE NETWORK SERVER’S WAS 192.168.1.254 OR

192.168.1.65. MY PERPETRATOR’S IP ADDRESS WAS 192.168.116.

This is the man-in-the-middle-attack.

These are the network packets sent to my perpetrator’s PC.

11

FIREWALL Check the address of your iPhone or mobile device, Ethernet, Airport or any PCI cards. The device address should not change. if this is not your mobile device i.d., your network activity is being routed to another wireless device.An easy way to trace the ID of the mobile device is to turn the Bluetooth on your Mac and iPhone (if you have one). The networks that are “discoverable” automatically show up. The owner of the network device has to approve any interaction with your device.

Trick: within the IT space is to “tether” an undiscoverable device - this exposes any device that is within an 100 meter radius of your wireless device via an Authors-like device. From here, disable the passcode on your iPhone that is on an AT&T network by entering an incorrect password 5x’s. This will expose all devices within 50 feet. This is not recommended by Madinah Presence but is a failproof way to understand where packets are going and who owns remote USB & Bluetooth devices.

*This can only be done from an AT&T network. This is old technology for making emergency phone calls if your wireless account is shutdown.

Tethering to administrator’s iPhone.

MacBook Pro, nor iPhone utilize MobileMe Sync

Services.

IP ADDRESSESTHE PI ADDRESSES OF MY MAC WAS 192.168.1.157, WHILE THE NETWORK

SERVER’S WAS 192.168.1.192. MY PERPETRATOR’S PI ADDRESS IS

192.168.116

Physical IntrusionValidatin Folder CreationWithin the Mac framework, “tmp” and “var” files are common - simply by exploring the internet, various tmp and var files are downloaded regardless of whether firewalls are placed and anti-viral software is present. A Rootkit is basically a false infrastructure that acts and feels like your Mac.This is an example of inappropriate files placed on my Mac after unauthorized access on October 7, 2009.

12

SECURITY USING LITTLE SNITCH, MONITORING CONSOLE MESSAGES AND USING NETWORK UTILITIES, MY INTRUSION WAS TRACED BACK TO OCTOBER 7, 2009 AT 2:12 PM. SPECIFIC TRACED ACTIVITY WAS SEEN AS: WAKE REASONS = USB1, USD (UHCI): PORT 2 ON BUS 1X1D HAS REMOTE WAKEUP FROM SOME DEVICE - THIS IS REMOTE ACCESS BY A USB DEVICE. I DO NOT SYNC MY IPHONE WITH MY MAC, THEREFORE, THIS MESSAGE DOES NOT REFLECT MY ACTIVITY:USCONFIGUR.MACCERT.LOG:SYSTEM/LIBRARY/FRAMEWORK/CORESERVICES.FRAMEWORK: USER; [email protected]. HIGHLIGHT THE ACTIVITY, GO TO FILE AND “REVEAL IN FINDER”. IT ROUTED DIRECTLY BACK THE FIRMWARE TRIP THAT TOOK PLACE ON OCTOBER 7, 2009.



Little SnitchHere are samples of what Little Snitch was able to track on my computer. Please remember that it is normal for network traffic to pass through the router and/or server of the host gateway, however, connections to another Mac or PC (what is labeled below) is illegal if authorization is not provided.

Reading Little SnitchLittle Snitch is an incredibly valuable tool in understanding local area connections and drawing a definitive line between what is correct monitoring and what is intrusive & illegal.

13

LITTLE SNITCH LITTLE SNITCH IS ONE OF THOSE GEMS. IT MONITORS EVERY PART OF YOUR NETWORK AND SINGLE-HANDEDLY TAKES THE GUESSWORK OUT OF WHAT IS CONSIDERED INVASIVE AND WHAT IS NORMAL. IF CONFIGURED CORRECTLY, YOU WILL BE ABLE TO SET RULES, ENABLE AND/OR DISABLE NETWORK TRAFFIC.

The above referenced Little Snitch display also can be found questionable due the algorithms and manner in which I set up my Mac. The osu-nms is displayed in lower caps which is inconsistent.

OSU-NMS is an acronym for OSU Network Monitoring System. This monitoring only takes place in UDP Port 192.

Mac Makes it Easy to Figure OutIf you are wary of installing Little Snitch or do not want to engage any third party packages after a hack, Apple makes it easy to trace and verify data. Before anything else, you should get to know your Mac, how it is set-up, what packages came with the hardware, what has been configured via software, etc.. Please see “Mac OS X Configurations” at www.themadinahpresence.com for additional support in identifying your stock Apple product. Apple support is also great for trouble-shooting this for you. I have a few go-to individuals who are priceless. If technical expertise and a second opinion is needed, I can forward information. Simply, supply your serial number and they typically do the rest. If that does not work and this tutorial does not help, please email me.

Check these areas to see if you have been hacked:

14

Network Utilities Port Scan Turn on all networks, disable your firewall and turn off File Vault. Enter in your IP address assigned by your network administrator or WiFi router and start your scan.

This will tell you what ports are open that are somewhat out of the norm. In my case, the following ports were opened: 1). 5900 - VNC listener for Remote Desktop Observe/Control features, 2) 5679 - UDP port used to determine the external internet address of hosts so that connections may be monitored via iChat users. This is commonly not an issue, however, my ichat has never been configured, therefore, special implementation was accessed without my authority, 3). 5190 - my perpetrator used an AOL account that synchronized my emails between my Gmail account to the “listening” AOL account, 4). 3283 - TCP/UDP network assistant for Apple Remote Desktop 2.0 or later (it is the reporting feature within the application), 5). 993 - mail IMAP SSL to sync with the MobileMe account put in place by my perpetrator, 6). 331 - the remote Windows server attached to my Mac and finally, 7). 67 & 68 - this is the protocol that enabled a network boot and/or the startup wakening of my computer out of sleep via USB device. An easy way of identifying ports is by Googling “Well known TCP and UDP ports”. Apple has placed a comprehensive list of what should be open and commonly used by applications. From this, you can narrow down where the issues may lie. It is normal to have open ports to your server but not to another Mac or PC. My open ports went directly connected to a PC on the network and IMMotion (popular Windows monitoring software).

Network Utility Traceroute Go to Traceroute, type in your IP address or the one that was given to you by the network administrator and trace the routes your network packages take. It is important for you to get the IP address assigned to your computer in your Airport, not what you get online by typing, “what is my IP address?”. When ARP Spoofing takes place, you will need the number to gain an idea of where your computer lies with that “man-in-the-middle”. It is completely normal to have packages go to the network server. It is completely abnormal to have your packages or any type of communication with another Mac or PC on the network unless prior consent has been given. Please see page 9 for diagram information.

Network Utilities Lookup Go to Lookup, type in your IP and from here you should see “in-addr.arpa.number” going to several other devices. Your network server and default portal are both legitimate, another Mac or PC is not unless “sharing” is enabled in System Preferences. .

Network Utility Whois Type in the IP address of whomever is ‘listening”. Whois is a collaborative spot for ARIN, VeriSign, InternIC and other popular statistical and networking companies. The information that comes from Whois is basically who is watching you by PC name and IP address. In my case, there was an additional mobile device “listening”. Please see page 9 for examples of “hacked tethering’. if you have a mobile device number, you can do one of 2 things: type it into Whois - this will tell you the mobile/smartphone service provider or 2). do a simple Google search - this will give you the same information as Whois, however, you will need to wiggle through additional information.

This process within Network Utilities should onlytake 5 minutes. You can save the findings with a quick click and it is automatically pasted into a TextEdit document. Network Utility is the first step, very easy and will definitely tell you a great deal. Once you have figured that you are in fact being watched (versus letting your mind wonder about it or being paranoid), there are other areas to explore that will tell you the extent.

This process within Network Utilities should onlytake 5 minutes. You can save the findings with a quick click and it is automatically pasted into a TextEdit document. Network Utility is the first step, very easy and will definitely tell you a great deal. Once you have figured that you are in fact being watched (versus letting your mind wonder about it or being paranoid), there are other areas to explore that will tell you the extent.

http://www.themadinahpresence.com


15

Use this table to document changesUse this table to document changesUse this table to document changesUse this table to document changesUse this table to document changes

Network Utilities: Foreign AddressesNetwork Utilities: Foreign AddressesNetwork Utilities: Foreign AddressesNetwork Utilities: Foreign AddressesNetwork Utilities: Foreign Addresses

Current 48 hr Change 1 week Change 2 week Change

Port scanPort scanPort scanPort scanPort scan

TracerouteTracerouteTracerouteTracerouteTraceroute

LookupLookupLookupLookupLookup

WhoisWhoisWhoisWhoisWhois

Console MessagesConsole MessagesConsole MessagesConsole MessagesConsole Messages

Wake ReasonWake ReasonWake ReasonWake ReasonWake Reason

Apple FirewallApple FirewallApple FirewallApple FirewallApple Firewall

Stealth Mode Connection AttemptStealth Mode Connection AttemptStealth Mode Connection AttemptStealth Mode Connection AttemptStealth Mode Connection Attempt

WhoisWhoisWhoisWhoisWhois

CERT LogCERT LogCERT LogCERT LogCERT Log

Other Places to MonitorOnline Checks - Email Accounts

Google email displays the IP addresses of the last 4 sessions of account access. You must first know the IP addresses of your computer, wireless device, etc. before assessing whether you have been hacked. Here are examples of how Gmail should look at login.

16

EMAIL SECURITYTHE APPEARANCE OF YOUR GMAIL WINDOW SPEAKS VOLUMES. THIS IS

THE LOGIN SCREEN. IF YOU ARE ALREADY LOGGED IN, YOU

OBVIOUSLY HAVE A HACKER. THIS IS INTUITIVE BUT SOMETIMES THE

SIMPLEST CHECKS & BALANCES ARE OVERLOOKED.

Non-hacked Gmail has known IP Addresses and separate forms of communique. in this case, Gmail was accessed via Browser and Apple Mail:

17

INNOVATION WEAKENS SECURITY

SYNCHING YOUR EMAIL ACCOUNTS WITH MOBILE DEVICES WEAKENS

SECURITY. IT IS UNFORTUNATE. HACKERS CAN GAIN QUITE A BIT OF

INFORMATION FROM WIFI NETWORKS AND OTHER DEFAULT

TECHNOLOGY.

Securing Your MacUnderstand your Mac before you start a solution plan. The easiest way to document current protocols is to open your TextEdit file, copy all information from your Systems Profile and if needed, take screen shots of your System Preferences (bearing in mind that due to your hack, security provisions should be altered for optimal security).

Your safety measure: set a Firmware password in order to safeguard an unauthorized install.If you know your hacker, setting a Firmware is helpful because physical installs can not occur. Set your firmware password by inserting the install CD, let the CD register, powering down your Mac, press & hold the “C” key while pressing the power button until you hear the loud beep. Once the Install screen registers, press enter through the language screen and do not go any further. Go to “Utilities” to the right of the Apple in the menu bar, pick a password to set.

RECOMMENDEDThere are several solutions to getting your Mac back to a healthy and non-intruded upon space. For the ultimate peace-of-mind, a clean install is the best solution. Backup your data online, document what you need and simply start from scratch.

WARNING: Once you set a Firmware password, you must remember this password. The only way to gain access to your Mac once you have forgotten the Firmware password is by resetting the PRAM by removing a memory stick from the back panel. this process, unfortunately, comes with quite-a-few hazards to your hardware and any other data.

18

Know Your MacOne of the most effective ways of nabbing the attacks is to Know Your Mac. You should understand what came stock with your Mac:

Hardware - Apple at 1(800) MYA-PLLE holds a comprehensive list of stock hardware via your serial number. This does not take into consideration any after market additions of hardware platforms. If you bought your Mac second hand, you will need to dig a little deeper but it is doable. If you are the sole owner of the Mac;

Go to the Apple in your menu bar, “About this Mac” and “More Info”. Anything outside of the stock is a red flag, if you did not install it.

SOFTWARESoftware - Know what you get when purchasing your Mac. By default, Apple uses certain algorithms that are easily recognizable whether they be the visible or hidden files. See “What’s In The Box” on page 15 for Snow Leopard.

1. Go to the Apple in your menu bar, “About this Mac”, “More Info”, “Software” should be the last tab. Anything outside of the stock is a red flag, if you did not install it.

Go to Applications AND Extensions and cross reference.

Your safety measure: Set a Firmware password.

FIREWALLYOUR MAC FIREWALL IS ROBUST. USE

IT. GO TO “SECURITY’, “FIREWALL” AND CLICK “ADVANCED”. CUSTOM CONFIGURE YOUR APPLICATIONS. THIS IS THE #1 WAY TO SENSIBLY

CONFIGURE YOUR DAILY OPERATIONS AND BE BE SECURE TO BOOT. PLEASE NOTE: YOUR FIREWALL CAN NOT PREVENT ARP SPOOFING -

ARP SPOOFING CAN ONLY BE PREVENTED BY CHANGING

NETWORK CONFIGURATIONS.

Clean Instal l Checklist

WHAT’S IN THE BOXThe one and only way to safeguard your Mac from future ARP Spoofing is to erase your disk, perform a clean install, get on a separate network with a WPA password and re-install applications (please backup your data first).

Mac’s offer 3 levels of security when erasing your disk. Writing over the data deems most forms of data unrecoverable. There are 3 options when writing over your files: 1-pass erase, 7-pass (consistent with FBI protocol) and 35-pass. Choose whatever will give you the most peace-of-mind.

When re-installing your operating system and software platforms, install systematically: install one platform at-a-time, restart, perform software updates and restart again.

19

UTILITIES

*The Utilities area of the Mac OS X platform is the number one place a Trojan or Rootkit is able to evade detection. Detailed specifications of each software utility and updated utility is available at

www.apple.com.

Activity Monitor Java Preferences

Airport Utility Keychain Access

Audio MIDI Setup Migration

Bluetooth File Network Utility

Exchange Podcast Capture

Boot Camp RAID Utility

ColorSync Utility Script Editor

Console Setup Assistant

DigitColor Meter Spaces

Disk Utility System Profiler

Expose Terminal

Grab VoiceOver

Grapher Utility

X11

APPLICATIONSMac OS X - What’s in the Box?

Address Book iCal Photo Booth

Automator iChat Preview

Calculator Image QuickTime

Chess Capture Safari

Dashboard iSync Stickies

Dictionary iTunes System

DVD Player Mail Preferences

Font Book Photo Booth TextEdit

Time Machine

http://www.apple.com

http://www.apple.com

Network Terms & Acronym

Other Network TermsHere are additional terms when monitor unauthorized activity. The terms outlined with screenshots define most common hacking terms. These are ancillary terms during the actual “Know Your Mac” stage.

20

DNS Acronym for Domain Name Services used to resolve names to an address:

Multicast Pact that goes only to systems that subscribe to a specific multicast address. In a single segment local area network, this typically hits the same number of hosts as a broadcast

NetBIOS NetBIOS is a legacy windows protocol that allows for systems to share information about the presence on a network and the resources present (whether obvious or in the background.

NetStat Command-line tool that displays network connections, both incoming and outgoing. Routing tables and a number of network interface statistics are provisioned.

SMB/CIFS The standards for Server Message Block / Common Internet File System and is just a newer version way of doing generalized tasks.

WINS Wisi mattis leo suscipit nec amet, nisl fermentum tempor ac a, augue in eleifend in venenatis, cras sit id in vestibulum felis in, sed ligula.

Unicast Packet sent directly from one node on a network to another.

Contact

For questions regarding a security issue or to understand more about the Madinah Presence, please contact:

Madinah PresenceMalina Kindt

(415) 298-2560 phone

[email protected]

www.themadinahpresence.com

21





Network Security Series

Documents

Transcript of Network Security Series