Live Blog: How pwned am I?

Uhoh. My MacBook Pro may have been hacked. I’ve already done a bit of troubleshooting, but this looks like it’s going to be A Thing, so I’ve decided to liveblog it. And here’s the liveblog.

The brief version is that Apple Mail crashed when it tried to open a particular email message dated 4 November, one containing a PDF file. Consistently. So I thought I’d do a virus scan on it.

That’s when Norton Internet Security reported that LiveUpdate was missing pieces, and I saw that it hadn’t checked for updates since… 4 November. Eek.

Now all the action would have happened on my battered old MacBook Pro running OS X 10.6 Snow Leopard. That computer finally died of motherboard failure on 11 November and I replaced it with a fresh OS X 10.7 Lion machine on 12 November.

However I did just transfer everything across using Apple’s migration tool, rather than freshly installing all the software and just copying the data, so… well… who knows what the hell is going on?

Deep in my heart I suspect that it was just bugginess and a dying computer, copied badly to a new computer. I hope.

If you want to follow or even help, the liveblog is over the jump.

[Update 11.20pm: Things may not be as bad as I thought. It turns out that Norton Internet Security for Mac version 4.x is only compatible for OS X up to version 10.6 Snow Leopard. There’s NIS version 5.x for OS X 10.7 Lion. It looks like it’s a straightforward software compatibility problem, and the lack of updates could be because I was travelling that week and the computer was offline when updates were scheduled. If this is all the case, I’m a bit disappointed that the software itself couldn’t figure this out.]

The CoveritLive live blog tool should appear immediately below this paragraph — at least if you’re looking at this in a compatible web browser.

[This is where I’ll post links to any follow-up posts.]

2 Replies to “Live Blog: How pwned am I?”

  1. I don’t know a lot about macs, but if it was happening in Windows, i’d assume it’s a problem with adobe acrobat reader (program i use to read pdf’s) and i’d reinstall that software.

  2. @Andrew M: Well, whatever the operating system, there’s a problem with that being your initial approach. You’re only treating the symptoms that initially presented themselves: being unable to read a certain email containing a PDF file.

    The thing that should leap out here, with giant red flashing lights, is that the core security software hasn’t updated itself in more than a month. Why? If LiveUpdate is broken, then what else is broken security-wise?

    And if the machine has been exposed to incoming material from the internet for a month, we don’t know that it hasn’t been compromised. We need to make sure that hasn’t happened.

    The priorities should always be to secure the data (and that means ensuring we have a current backup, which is what I’m doing right now), and then ensuring that the machine has not been compromised (and a fresh installation of security software and a complete scan happens next).

    In any event, we need a 100% current backup so that once we start making changes — reinstalling software and the like — we’re able to roll back a step if something goes wrong.

    At every step, before we perform any operation, we have to be able to answer the question, “If what I’m about to do goes wrong, how will I undo it?”

    Once we’ve made sure our data is safe, and reassured ourselves that we’re not dealing with a security incident — and I don’t think we are, but I don’t know for sure — then we can start treating the symptoms.

    Now my choice of procedures is tempered by the specific facts of my situation: I have only this one computer with me; I’m a long way from anywhere; I do have to stay in touch; if I’ve been pwned for a month then the bad guys already have access to everything. That’s why I’m staying online as I deal with this. Otherwise I’d have pulled the machine offline and done a fresh OS X installation and so on.

Comments are closed.