1. 47

  2. 23

    In the Terminal application, you can run the following commands:

    I really wish guides like this would explain what the commands do, versus merely telling users to run them as root.

    This could be a teaching opportunity, but instead it’s yet another instance of training users to cede control of their machines to others (by running commands they don’t understand).

    1. 26

      I had a call with Apple support years ago because of a semi-bricked macbook (btw, the best hotline money can buy, I habitually called them with MacOS software problems). System was booting, but terribly broken, even after a reinstall.

      So, same thing, go to terminal, do a couple of things… 2 things happened: a) The engineer asked about my profession and apologised that he will go by script and that he understands that I know all he tells me b) Goes and does exactly what you are asking for: explaining every single component of the command in layman’s terms (“sudo is doing what would normally be admin access” and so on).

      Really, really awesome. If we had more such phone support, people would feel more empowered using their computers.

      1. 12

        TBH, I think it’s already an improvement to merely be a few commands which you can research yourself — a much better alternative than the common suggestion to pipe some random file from the internet directly into root shell, or, even better, download this binary removal tool that could so totally be trusted, wink wink.

      2. 33

        Ignoring completely conventions for how software should be updated on macOS (either via signed Sparkle updates, built-in updater a la Firefox, or via the Mac App Store), Google chose to implement a piece of malware known as GoogleSoftwareUpdate that resides in /Library/Google and ~/Library/Google. It is a specific kind of malware known as an APT (Advanced Persistent Threat), and several articles have been written on this subject (but I can’t find them at the moment via a cursory search).

        Sometimes people have “legitimate” reason to use Google Chrome (i.e. because it supports some piece of DRM you might need which better browsers like Brave choose to not ship with). If you’re one of these users, to prevent Google Chrome from infecting your computer with its malware, you need to perform the following actions:

        # create folders if they don't already exist
        $ sudo mkdir -p /Library/Google ~/Library/Google
        # if they do exist delete everything inside of them
        $ sudo rm -rf /Library/Google/* ~/Library/Google/*
        # prevent Google from writing to these folders
        $ sudo chown -R root:wheel /Library/Google ~/Library/Google
        $ sudo chmod -R go-rwx /Library/Google ~/Library/Google
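        An audit script for the lockdown above, added here as an example and not part of the original comment: it only reports whether the two directories exist, are root-owned, are locked against group/other and are empty, and whether any launchd plists named after the Keystone updater remain. The launchd directories and the `*keystone*.plist` name pattern are assumptions.

```shell
#!/bin/sh
# Added audit script (not from the thread): it reports on the lockdown the
# comment above describes, without creating, deleting or chmod-ing anything.
# Assumed paths: the two Google directories named above plus the standard
# launchd directories where an updater's launch agents/daemons would live.

# mode_locked MODESTR: succeed when the group and other bits of an ls -l
# mode string are all cleared, e.g. "drwx------" yes, "drwxr-xr-x" no.
mode_locked() {
    [ "$(printf '%s' "$1" | cut -c5-10)" = "------" ]
}

# check_dir DIR [OWNER]: verify DIR exists, is owned by OWNER (default root),
# is locked against group/other, and is empty. Prints one status line.
# Returns 0 ok, 1 missing, 2 wrong owner, 3 mode too open, 4 not empty.
check_dir() {
    dir=$1
    want_owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir (the updater would recreate it under its own ownership)"
        return 1
    fi
    # ls -ld works the same on BSD/macOS and GNU: field 1 mode, field 3 owner
    mode=$(ls -ld "$dir" | awk '{print $1}')
    owner=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER    $dir is owned by $owner, expected $want_owner"
        return 2
    fi
    if ! mode_locked "$mode"; then
        echo "MODE     $dir is $mode, expected no group/other access"
        return 3
    fi
    if [ -n "$(ls -A "$dir")" ]; then
        echo "NOTEMPTY $dir still contains files"
        return 4
    fi
    echo "OK       $dir"
    return 0
}

# find_keystone_plists DIR...: list launchd plists whose name mentions
# "keystone" (the updater name used later in the thread) in each DIR that
# exists; prints nothing when there are none.
find_keystone_plists() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -iname '*keystone*.plist' 2>/dev/null
    done
}

# audit_mac: run every check; returns 0 only when all of them pass.
audit_mac() {
    rc=0
    for d in /Library/Google "$HOME/Library/Google"; do
        check_dir "$d" root || rc=1
    done
    plists=$(find_keystone_plists /Library/LaunchAgents /Library/LaunchDaemons \
        "$HOME/Library/LaunchAgents")
    if [ -n "$plists" ]; then
        echo "PERSIST  updater launchd entries still present:"
        echo "$plists"
        rc=1
    fi
    return $rc
}

audit_mac
```

        Run it after the commands above and again after the next Chrome launch; any line other than OK means the updater got its directories or launchd entries back.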
        
        1. 10

          In what world is this an APT? I deal with threat hunting, APT attack simulation, and TTP recreation on a daily basis and this is not the first time that I’ve seen a few people who don’t like Google try and pin the term on GoogleSoftwareUpdate. It makes no sense and you make your argument way weaker by throwing around terms like that and spreading FUD. APTs are acting groups who create payloads for specific targeted purposes, not the payloads themselves. That’s like calling Stuxnet an APT.

          1. 11

            I consider it an APT. Even removing Chrome doesn’t remove it, and if you don’t excise it completely it will restore itself. It’s nasty. Really evil stuff on MacOS.

            1. 12

              That’s like calling Stuxnet an APT.

              The Wikipedia page calls Stuxnet an APT. Copied from there:

              The Stuxnet computer worm, which targeted the computer hardware of Iran’s nuclear program, is one example.

              GoogleSoftwareUpdate is an APT because, well, it fits the definition. It runs in the background, without your permission, it phones home to Google, and at any point in time it can modify your computer either directly or with a payload it downloads.

              1. 10

                An Advanced Persistent Threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period

                I don’t mean to be inflammatory, but I honestly don’t even think you read the first sentence of the Wikipedia article you linked. It refers to threat actors specifically. So this would generally be considered a tool used by an APT. Google is the actor, GoogleSoftwareUpdate is their payload/TTP (Tools, Techniques and Procedures). We assign APT names and numbers to groups, not malware families; your description doesn’t fit that definition at all.

                1. 6

                  It seems like the Wikipedia entry uses it in multiple ways as well, since it calls Stuxnet an APT, and later refers to its creators.

                  If you’re used to hearing the term APT refer to the people behind the code, I can see being confused at the way that I’m using it here. Wikipedia does not use the term consistently, and others have also used the term to refer to the software itself, so I’m not alone in this usage.

                  I think confining the term “APT” to the software’s creators can be unnecessarily limiting. In the case of GoogleSoftwareUpdate, it might not be accurate to call Google the APT, since their mechanism (GoogleSoftwareUpdate) can be hijacked by completely unknown entities to infect computers. In a sense, you could also say that GoogleSoftwareUpdate is the entity that’s doing the infecting, and I don’t think that’s an unreasonable expansion of the definition.

                  1. 6

                    I’m saying that the entire computer security field has seemingly agreed (whether or not the terms are somewhat confused in Wikipedia) that APT refers to specific threat actors not their tooling, which means when you use those terms in technical groups they are going to misconstrue them since no one calls TTPs APTs. Whether or not you are meaning to, you are accidentally leading people away from the in-field terms. I have never once heard a threat hunter call an artifact an APT in my entire career.

                    Generally in the malware and analysis world GoogleSoftwareUpdate wouldn’t even count as malware, it would be a PUP (Potentially Unwanted Program) that functions in a known way but might do something unwanted. That’s not the same as malware either. Also if you are referring to the fact that GoogleSoftwareUpdate is installed in a user-writable directory and can be replaced or DLL hijacked then you are further purposefully choosing to make that fit into your view. This is a common terrible practice, but can be mitigated by installing Google Chrome Enterprise, which installs system-wide and doesn’t leave GoogleSoftwareUpdate writable by users.

                    1. 5

                      I’m saying that the entire computer security field has seemingly agreed

                      I thought my presence on Hacker News and Lobsters bringing in all the high-assurance and CompSci folk showed that popular security != entire computer security field. The popular ones also built many fewer systems highly-resistant to penetration. They knew nothing of those that did or even denied they existed. When they failed, they doubled down on their ways instead of relenting or admitting the other groups had anything of value. If anything, I’m skeptical when the “computer security field” that most know about make a pronouncement. The skepticism usually pays off.

                      Back to this, I see why @itistoday is talking like this. Many security and news pieces I read at the time talked about APT in terms of their methods. They highlighted how different the methods were. Who cares who the source is if the methods are the same things you already blocked. The “APT’s” were different using stealthier techniques that involved getting a foot in, bringing in more, and doing a lot of exfiltration of data under users’ noses. That’s basically Google minus outright hacking. Hence, hyperbole.

                      1. 1

                        Skepticism is always fair and I appreciate being called out when I accidentally arbitrate or overly claim authority, that was not my goal and very much not my objective either. Appeal to authority was a failure on my part. I know based on our conversations that I very much have respect for the HA world and the world outside of “pop-security”, but in both of those I have never heard the term get used as a reference to persistence techniques and only referred (even in the research I read) to as the groups executing real world attacks. I agree that the term “persistence” is of importance, and isn’t represented properly in the original acronym, but I have always heard and read about them in the terms of “persistence” in general.

                        For the second portion, the corporate world and enterprise land is almost the opposite of what you stated in my experience. They care much more about who, how to block them, and how to detect them than necessarily root cause detection/prevention. I think this is fundamentally flawed (as I bet you do too), but just look at something like the MITRE ATT&CK and show me how the Google example fits in? I think that the “outright” hacking and purest of intent is important to separate out threats from potentially unwanted behavior. There is a fundamental difference between a risk and a threat no?

                        1. 2

                          “but in both of those I have never heard the term get used as a reference to persistence techniques and only referred (even in the research I read) to as the groups executing real world attacks”

                          Thanks for fairly evaluating what’s going on here. It could be the reporting media doing it. Being outside your group, what I was reading was a combination of actors and methods that were supposedly better than everything else. If anything, it looked like media and security companies were making excuses for bad security in general by making hackers look amazing. Hackers whose methods were sending loaded emails and such followed by gradual expansion of access. Not amazing.

                          “the corporate world and enterprise land is almost the opposite of what you stated in my experience. They care much more about who, how to block them, and how to detect them than necessarily root cause detection/prevention.”

                          I don’t have much experience there past what I read about what they do. I appreciate the insight. They’re often reactive based on whatever is getting a lot of attention. This could be an extension of their habit to want to create an easy characterization of something, point blame at it, and have some solution that eliminates it entirely. It doesn’t work with IT security in general. I definitely can see them doing it.

                          “I think that the “outright” hacking and purest of intent is important to separate out threats from potentially unwanted behavior. There is a fundamental difference between a risk and a threat no?”

                          I agree in general. I already said it was likely hyperbole. Thing is, Google is a threat actor of its own sort trying to get as much secret and public information about its users and non-users as possible to sell influence attempts by third parties. Also, getting close with D.C. in a police state with whatever comes with that. And they do their own thing in a sneaky way.

                          I agree that the APT term doesn’t fit them in definition of mainstream, security community or news headlines I saw for some reasons. I do see how the sneaky, bring-in-backdoors, exfiltrate-data behavior justifies a comparison with hyperbole, though.

                      2. 1

                        I didn’t realize the APT Language Police were here, sorry!

                        I have heard various people use APT to refer to software. Multiple definitions for the same words often exist. This is how language works. Since you keep banging on about this, I’ll remind you that I’ve linked to one paper that uses “APT” in this way, that sentence from Wikipedia, and here’s another person:

                        The Advanced Persistent Threat (APT) has become the watchword for today’s cyber espionage. It frequently involves a piece of malware or group of malware programs that can evade detection

                        Re some people not considering it “malware”. Great, we can agree to disagree. I’m with Stallman on this.

                        1. 4

                          Multiple definitions for the same words often exist.

                          Yeah, we have to stop this in computing. We have enough complexity, and enough trouble communicating ideas. We don’t need to overload terms and make this worse.

                          Precision is a foundational aspect of why math is a universal language.

                          1. 4

                            Yeah, we have to stop this in computing.

                            Great idea, now let’s nominate you to be in charge of the definitions of the words everyone in computing uses. 👍

                            Precision is a foundational aspect of why math is a universal language.

                            And math is definitely not known for overloading the definitions of symbols.

                            1. 2

                              Great idea, now let’s nominate you to be in charge of the definitions of the words everyone in computing uses.

                              Thank you for your kind nomination!

                              And math is definitely not known for overloading the definitions of symbols.

                              There are very few “symbols,” but you can generate new words for your definitions by using the generalized concept of addition (which has axiomatic properties) and basic set theory primitives like subset. Put another way, assuming a function newword(L, N), where L is a tuple, containing production rules for valid words, P, and a set, C, of valid symbols (e.g. characters), I can call newword, to generate valid words contained in L of length N. While I’ll leave the proof as an exercise to the reader, it follows that incrementing N is all that is needed to create additional words in L, provided, that production rules in L are unbounded.

                            2. 2

                              Mathematics is the art of giving the same name to different things. (Henri Poincaré)

                              Math is precise when it comes to the definitions and what a word means in a context, but the keyword here is context.

                            3. 3

                              There is a difference between being the language police and accepting the fact that the common use terms in the industry itself (in which I have taken part in IR engagements that discover named APTs) are not confused in their day-to-day use. I think when you do that you are doing it on purpose to try and craft the narrative in a way that you are the language police and can redefine terms that are not confused inside of a field. It is purposefully trying to confuse people who are not part of the field and I think that’s just as dangerous.

                              It frequently involves a piece of malware or group of malware programs that can evade detection

                              Again, even in your quote you are ignoring that entire sentence: APTs do use malware to evade detections. That just solidifies my statement.

                              APTs often embed programs in a penetrated system

                              From the first summary sentence in the paper, which btw is describing how GoogleSoftwareUpdate would be a good model for malware used by an APT (not crafting an APT again).

                              EDIT: I’m bailing out of this argument for the sake of the length of the thread. I’ll squat in IRC or messages if you want to have a further discussion after your response to this.

                              1. 4

                                From the first summary sentence in the paper, which btw is describing how GoogleSoftwareUpdate would be a good model for malware used by an APT

                                This is the first sentence:

                                Google’s software update system can serve as a model Advanced Persistent Threat (APT).

                                The thing being called an “APT” in that sentence is “Google’s software update system”.

                                I’m bailing out of this argument for the sake of the length of the thread.

                                Good call. It was fun and I also have work to get done.

                    2. 7

                      Oh come on, it’s just some hyperbole about Google doing things with similarities to stealthy attackers. It was a warning and joke mixed together to get more attention to the issue. That’s on top of entertaining the Lobsters.

                      Far as APTs, my favorite counter on the term back when it was hot was Luiz Firmino’s comment on Krebs’s blog. It just explained why the media was making a big deal about what was just hacking 101 for any careful party targeting enterprises. Heck, the whole post makes what they were doing look obvious. I threw in 2 cents worth of corroboration.

                      1. 2

                        I’ve read studies that only one out of four lobsters are born with a humerus bone in their body. The rest don the thick skin of an exoskeleton one should naturally expect.

                        1. 1

                          That’s great lol.

                      2. 3

                        APTs are acting groups who create payloads for specific targeted purposes, not the payloads themselves.

                        Huh, I thought those were “threat actors”. But I’m not very in touch with threat hunting.

                        ETA: OK, from the top of Wikipedia:

                        An Advanced Persistent Threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group

                      3. 3

                        Do you by any chance have the same directions for Windows, too? There were some official instructions that Google would post; I’ve followed all of those when they were still current, and yet sometime afterwards they’ve still broken out of their sandbox, and performed damage to my seldom-used copy of Google Chrome.

                        Also, you mention Brave, but Brave doesn’t quite have a way to disable autoupdate, either — unlike Firefox and SeaMonkey.

                        1. 2

                          I don’t have any direct directions, but Google provides Chrome Enterprise installers that have administrative templates that let you control the vast majority of these controls. They have Mac DMGs too.

                          1. 1

                            Do you by any chance have the same directions for Windows, too?

                            I do not, sorry. Maybe someone else knows.

                          2. 2

                            Or you can (in this case at least) keep your operating system up to date, and not disable System Integrity Protection.

                            I realize SIP disable is required for 3rd party graphics cards on Macs. And possibly the version of whatever graphics software was required for these machines only run on older versions of MacOS. This raises the question of why they were running (presumably) non-mission critical software (Chrome) on machines that absolutely have to be running…

                            1. 3

                              Maybe they just wanted to use a 3rd-party GPU? I don’t see why the users are suspect because of a completely arbitrary MacOS anti-feature

                              1. 0

                                What anti-feature are you referring to? SIP or that lack thereof, or Google’s Keystone updater software?

                            2. 2

                              Somewhat similarly, on Linux (at least on Ubuntu) Chrome installs itself into /etc/cron.daily: so that even if you notice its existence in your repos and remove it from there, it will re-add itself.

                              1. 2

                                you need to perform the following actions

                                Also recommended, KnockKnock, which can tell you what launch agents, etc. can be installed:

                                https://objective-see.com/products/knockknock.html

                                And BlockBlock (which I haven’t tried yet), which warns you if software tries to install anything persistent.

                                https://objective-see.com/products/blockblock.html

                                Ignoring completely conventions for how software should be updated on macOS (either via signed Sparkle updates, built-in updater ala Firefox, or via the Mac App Store)

                                Luckily, Microsoft now offers Office in the App Store. Another terrible installer/autoupdater that I hated.

                                1. 1

                                  Although I haven’t verified it, using a portable version of Chrome should be a solution, as nothing is installed.

                                  1. 1

                                    This is funny because I think you’ve heard the term APT and thought persistence meant persisting in memory or on disk, which is important in malware terms. But as far as I’ve known the term (in infosec for a few years) the persistent in APT means persistent in trying to get at you. Interesting that this whole time I never thought of confusing persistence of malware with the persistence in APT, but they are different meanings.

                                    APTs are groups, not code; a different approach would be crimeware groups that send out ransomware indiscriminately then take the profits where they can. Calling Google an APT seems hyperbolic since their primary goal is shareholder value not intel/influence/surveillance. A list of APTs and their inconsistent names (aka all infosec vendors come up with their own names) is here: https://medium.com/@cyb3rops/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263

                                  2. 5

                                    It’s impressive that they managed to brick systems with a userspace program. I mean, isn’t the whole idea of having the userspace/kernel distinction to ensure that userspace can’t break your system?

                                    1. 4

                                      It didn’t hurt the kernel, it hurt userspace

                                      1. 3

                                        Shouldn’t it be impossible for a userspace program to brick the system?

                                        Of course you can brick the system with a userspace program when you run it as root.

                                          1. 2

                                            Doesn’t change the fact that it slipped past QA and made a lot of systems unbootable. This is quite impressive(ly stupid).

                                            1. 2

                                              Yep, blame can be easily spread around. On Apple’s side, having to disable SIP to get a 3rd-party graphics card to work sounds suboptimal.

                                              Google has created a browser that’s the default target for web developers, so even if you’re on a dedicated workstation you might have to use Chrome to use your company’s intranet. This means that Google needs to be cognizant of all sorts of corner cases their installer might encounter.

                                              1. 2

                                                Google has created a browser that’s the default target for web developers, so even if you’re on a dedicated workstation you might have to use Chrome to use your company’s intranet. This means that Google needs to be cognizant of all sorts of corner cases their installer might encounter.

                                                However, this is a type of corner case they should’ve never encountered, nor should they have come within 10 kilometers of it. I don’t get why their installer can’t simply unpack a .zip or .dmg archive, like just about every other OSX application does. This is the real problem here.

                                    2. 1

                                      THANK YOU. Just recovered a Macbook with this.

                                      1. 1

                                        I’m running Chromium on MacOS for the times when I hit a site that only works with it, or want to use its dev tools. I don’t think this has that updater service, so this might be an option for some to avoid this issue.