Java in the web-browser: Disable Java if you haven’t yet

Please see

http://nakedsecurity.sophos.com/2013/02/16/facebook-admits-network-breached/

http://nakedsecurity.sophos.com/2013/02/04/another-java-update-oracle-brings-patch-tuesday-forward-to-close-in-the-wild-hole/
and
http://www.cnn.com/2013/02/15/tech/social-media/facebook-attack/

The moral of the story is: Disable Java for your browser, you probably (really) don’t need it.
For your computer at work – of course – please check with your admin(s) before attempting any changes.

If you’re running Mac OS X 10.7 or newer and keep up to date, disabling Java in your browser was probably taken care of for you.
Additionally, you can ensure Java is disabled in Safari by navigating (while in Safari) to the Preferences menu, Security tab.
In Chrome, type chrome://plugins in the address bar and check that Java is disabled.

In Firefox go to Tools > Addons > Plugins

If you’re running Windows, please be sure to follow these instructions:
http://www.java.com/en/download/help/disable_browser.xml

How to install WordPress on Mountain Lion server, and migrate your WordPress setup from your old OS X Server install

Getting WordPress working on your Mountain Lion Server, or “This one goes to eleven”  😉

The first thing I’d like to make clear is that I’m not trying to tell you every last detail you’ll need to know. The scope of the instructions I do provide covers the key parts of the process, circumscribed by:
1) A working install of WordPress (and associated MySQL database) on an existing OS X Server,
and
2) An existing working install of 10.8 server and (working) website hosted on it.

If you have some background with OS X Server, and a modicum of experience (and comfort) working via the Terminal (“the command-line”), this isn’t particularly difficult at all. Rather, the process requires a number of very specific, correctly executed steps. It’s actually quite straightforward if you proceed with patience and precision, and in an orderly fashion.

You should have already successfully installed WordPress on an existing instance of Mac OS X (client or Server) and configured your MySQL database appropriately for your WordPress install.
As such, you do need to already be at least somewhat comfortable working in the command-line (via the Terminal).

And now you want to hear about someone else’s success (mine) getting a WordPress site running on Mac OS X 10.8 server.
In my case, I was migrating from 10.6.8 server.

There are eleven main steps in this process. Why didn’t I make it ten? Actually, it worked out that way as I was writing this post. I’ll take the opportunity to reference the much-loved (and oft-quoted by me) line from the film This is Spinal Tap, “These go to eleven”:

1. Backup of the WordPress files
2. Exporting your existing MySQL database for WordPress
3. Transfer the above files from your old server to your new one
4. Decompress and migrate the WordPress backup to the appropriate location on your new server
5. Install MySQL on your 10.8 server
6. Set up a new (empty) WordPress database in MySQL and restore your prior database backup (sql dump)
7. Download and install the latest stable version of WordPress
8. Configure your webserver & restore your WordPress config and content to the new WordPress install within your (web)site directory
9. Additional MySQL items
10. In Server.app, under Websites, click to “Enable PHP web applications”
11. Test and ensure that everything is working.

Postscript: Additional miscellany
Success !

Step One:
On your existing server, backup your WordPress installation. This is typically
going to be within your (web)site directory, in 10.6 Server this is
/Library/WebServer/Documents/<yoursite>
where <yoursite> is the name of the folder where your existing website files are housed.

cd /Library/WebServer/Documents/yoursite
sudo tar -czvf ~/WP_Content_backup_$(date +%Y%m%d).tar.gz <yourWordpressDirectory>

for example:
cd  /Library/WebServer/Documents/yoursite
sudo tar -czvf ~/WP_Content_backup_$(date +%Y%m%d).tar.gz wordpress

The above will put the backup (eg, WP_Content_backup_20121208.tar.gz) in your home directory,
which will be the home directory of the user you logged in as, via the Terminal.

Step Two:
Export your existing MySQL database for WordPress.
mysqldump --user=root --password=<pass-here> your_Wordpress_databasename | gzip -c > ~/WP_DB_backup_$(date +%Y%m%d).sql.gz
So in the case of my example, the resulting filename would be WP_DB_backup_20121208.sql.gz
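
The mysqldump command above puts the MySQL root password on the command line, where it lands in shell history and is visible in the process list while the dump runs. The following is an added example, not part of the original post: it keeps the password in an owner-only option file and fails loudly if the dump itself fails. The function names and the ~/.wp_dump.cnf path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# make_mysql_optfile FILE USER
# Reads one line (the password) from stdin and writes a [client] option file
# readable only by its owner. Passwords containing a double quote or a
# backslash would need escaping in the file and are rejected here.
make_mysql_optfile() {
    optfile="$1"; dbuser="$2"
    IFS= read -r dbpass || :          # tolerate a missing trailing newline
    [ -n "$dbpass" ] || return 1      # refuse an empty password
    case "$dbpass" in
        *\"*|*\\*) echo "password needs escaping; write $optfile by hand" >&2
                   return 1 ;;
    esac
    rm -f "$optfile"                  # never reuse a file with loose permissions
    ( umask 077                       # new file is created as mode 600
      printf '[client]\nuser=%s\npassword="%s"\n' "$dbuser" "$dbpass" > "$optfile" )
}

# dump_wordpress_db OPTFILE DBNAME OUTFILE.sql.gz
# Dumps to a plain .sql file first so that a failed mysqldump (wrong password,
# wrong database name) is reported instead of leaving a tiny, useless .gz.
dump_wordpress_db() {
    optfile="$1"; dbname="$2"; out="$3"
    sql="${out%.gz}"
    # --defaults-extra-file has to be the first option on the command line.
    if mysqldump --defaults-extra-file="$optfile" "$dbname" > "$sql"; then
        gzip -f "$sql"
    else
        rm -f "$sql"
        return 1
    fi
}

# Usage on the old server (stty hides the typed password):
#   stty -echo; make_mysql_optfile ~/.wp_dump.cnf root; stty echo
#   dump_wordpress_db ~/.wp_dump.cnf your_Wordpress_databasename \
#       ~/WP_DB_backup_$(date +%Y%m%d).sql.gz
#   rm -f ~/.wp_dump.cnf
```
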

Step Three:
Next you’ll want to migrate both of those backup items to your new server.
I used ssh to work with either server, and scp to copy the files.
You can read up on that if you need to, but as an example,
once you’ve connected to the Mountain Lion server via ssh, run the following:

scp username@oldhost:WP_Content_backup_20121208.tar.gz .
and
scp username@oldhost:WP_DB_backup_20121208.sql.gz .

“oldhost” could be the old server’s IP address or hostname.

Leave the WordPress DB backup for now.

Step Four
Decompress the wordpress content from your former server:

sudo tar -xzvf WP_Content_backup_20121208.tar.gz

Leave the resulting “wordpress” directory where it is for now.

Step 5
Install MySQL from mysql.org:

Download MySQL from http://www.mysql.com/downloads/mysql/

It should be the fourth listing there, “Mac OS X ver. 10.6 (x86, 64-bit), DMG Archive”
I do recommend that you also download the signature and verify your download with gpg.
That’s another topic entirely, but see http://support.gpgtools.org/kb/how-to/first-steps-where-do-i-start-where-do-i-begin
and https://www.gpgtools.org/installer/index.html

Always secure your mysql installation, which you can do with the command below,
which will also ask you to create a (MySQL) root password.
Make sure you record this securely, and please don’t confuse the MySQL root user with your/the
system “root” user.

cd /usr/local/mysql
bin/mysql_secure_installation

Step 6
Set up the MySQL DB for your WordPress installation:

Create an empty database for your WordPress database (db):

/usr/local/mysql/bin/mysql -u root -p

(Presuming that your database name is wordpress_db – when you’re at the mysql prompt):
create database wordpress_db;
grant all on wordpress_db.* to your_wordpress_username@localhost identified by 'password for your wordpress user here';

Do note that your wordpress username and password will need to be the same as they were originally,
in order to line up with your wordpress config (see the next item).

Decompress and restore your backed up WordPress MySQL database via:
gunzip WP_DB_backup_<DATE>.sql.gz
mysql -u root -p -h localhost DATA-BASE-NAME < WP_DB_backup_<DATE>.sql
eg.
gunzip WP_DB_backup_20121208.sql.gz
mysql -u root -p -h localhost DATA-BASE-NAME < WP_DB_backup_20121208.sql

Step 7
Download and install the current version of WordPress:

Download from http://wordpress.org/download/
and see
http://codex.Wordpress.org/Installing_Wordpress#Famous_5-Minute_Install

Step 8
Configure your webserver & restore your WordPress config and content-directory within your (web)site directory:

After installing WordPress, restore wp-config.php from your decompressed directory of your old WordPress install, or edit the stock config at
/Library/Server/Web/Data/Sites/yoursitename/wordpress/wp-config.php
to match your database name and db username and password that you set up above. See http://codex.Wordpress.org/Installing_Wordpress#Famous_5-Minute_Install
Then restore your former WordPress content to the new WordPress installation:

cd ~
mv wordpress/wp-content /Library/Server/Web/Data/Sites/yoursitename/wordpress/

Step 9
Additional MySQL setup steps:

Ensure that your mysql socket config lines up with what PHP is expecting.
Namely, /var/mysql/mysql.sock
http://support.apple.com/kb/HT4844?viewlocale=en_US&locale=en_US

From the MySQL install, copy my-medium.cnf to /etc:
sudo cp <path to MySQL files>/support-files/my-medium.cnf /etc/my.cnf

If you’re not sure where the support-files are (or don’t seem to have them), you can download the tar.gz version of MySQL from http://dev.mysql.com/downloads/mysql/

Look for the first item listed there, “Mac OS X ver. 10.6 (x86, 64-bit), Compressed TAR Archive”

Edit /etc/my.cnf to change the socket location (I strongly suggest you use vim or even nano and not a GUI editor):

Look for
socket          = /tmp/mysql.sock

and change it to:

socket          = /var/mysql/mysql.sock

Change the permissions for the directory in question:

sudo chown -R _mysql /var/mysql

Restart MySQL:

sudo SystemStarter restart MySQL

Ensure that you can connect to MySQL as your wordpress database user:
/usr/local/mysql/bin/mysql -u <wordpress_db_user> -p

This is the user you configured originally for your MySQL wordpress database; when prompted, give the associated password for that user.
You should be presented with the mysql prompt:
mysql>

rather than any error message(s).

Exit mysql with:
quit
(and press return).
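
A quick way to confirm the socket edit in Step 9 took effect everywhere it needs to, as an added example that is not part of the original post: it lists every socket setting in a my.cnf-style file by section and flags any that differ from the path PHP expects. The function name is hypothetical, and it assumes the file sets socket in both [client] and [mysqld], as the stock my-medium.cnf does.

```shell
#!/bin/sh
# Added example, not from the original post. check_mysql_socket is a
# hypothetical helper; EXPECTED_SOCK is the path given in Step 9.
EXPECTED_SOCK="/var/mysql/mysql.sock"

# check_mysql_socket FILE
# Prints "OK <section> <path>" or "MISMATCH <section> <path>" for every
# socket setting found. Return codes:
#   0  [client] and [mysqld] both set the expected socket, nothing else differs
#   1  a socket setting differs, or one of the two sections has none
#   2  the file cannot be read
check_mysql_socket() {
    cnf="$1"
    [ -r "$cnf" ] || { echo "UNREADABLE $cnf"; return 2; }
    awk -v want="$EXPECTED_SOCK" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header, e.g. [mysqld]
            s = $0
            gsub(/^[ \t]*\[|\].*$/, "", s)
            section = s
            next
        }
        /^[ \t]*socket[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)         # drop the key and the equals sign
            sub(/[ \t]*(#.*)?$/, "", v)         # drop trailing blanks or comment
            if (v == want) { print "OK", section, v; good[section] = 1 }
            else           { print "MISMATCH", section, v; bad = 1 }
        }
        END { exit ((bad || !good["client"] || !good["mysqld"]) ? 1 : 0) }
    ' "$cnf"
}

# Usage:
#   check_mysql_socket /etc/my.cnf || echo "fix the socket lines, then restart MySQL"
```

A MISMATCH on only one section is the usual result of changing the first socket line in the file and missing the second.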

Step 10
Enabling PHP –
Simple enough: In Server.app, under Websites, click to “Enable PHP web applications”

Step 11
Test that everything is working.

That’s it !  🙂

Postscript – Additional miscellany:
If something isn’t working, check your logs. This is easy enough to do via the Console.app utility.
The most common cause of problems will be missing a step above, or incorrect permissions.
Both are easy to correct. Don’t panic, and get this working on a non-critical server first to ensure you’re
able to get it working.

If you run into an issue where your wordpress site appears to load but nothing actually appears,
verify the permissions for the wordpress directory in question,
and remove any extraneous ACLs if there are any.

I also recommend that you install some WordPress extensions to help protect your WordPress installation & server. Look into Login LockDown, Secure WordPress, and WordPress Firewall.

Internet Explorer Zero-Day: Don’t use IE as your browser

There’s a really VERY serious exploit for Internet Explorer. IE versions 7 to 9 in Windows XP through Win 7 are vulnerable. If you haven’t updated in a while, you really need to. Please have/make a backup, and update.

See http://nakedsecurity.sophos.com/2012/09/17/new-ie-zero-day-exploit-poison-ivy/
and
https://krebsonsecurity.com/2012/09/exploit-released-for-zero-day-in-internet-explorer/ for more info.

The only time you should really use IE is for Windows Update(s).

Sophos Anti-Virus for Mac showing two (double) menu-bar icons

For those of you using a Mac but not yet running Anti-Virus software, at this stage in the game it’s a good idea. And Sophos offers a free (for home-use) version of their product for the Mac: http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

We recommend Sophos for Mac as it’s effective and light-weight. We implemented (the paid version) of Sophos for a client & it successfully identified and disinfected some Word files infected with a (PC) Macro-virus, while leaving the files themselves intact and fully usable.

I’ve been using Sophos for Mac at home without a hitch – until recently, that is. After an update to 10.7.4 and required reboot, the Sophos menu-bar icon was showing up double – ie, listed twice.

I navigated to my account’s Library folder and within that, the Preferences folder,
removed com.sophos.ui.plist
In my haste, I also set aside (moved to the Trash) com.sophos.sav.plist but this was probably not necessary.
Try it if removing only the com.sophos.ui.plist pref file doesn’t solve this for you.

and then used the Terminal to issue:
sudo killall -HUP SophosUIServer

when asked, you will need to be logged in as an administrator (or know how to “su” to one in the Terminal)
and the password asked for will be your existing, usual login password (for the Admin account you’re logged in with).

And the problem was solved without needing a reboot.

Symantec AntiVirus LiveUpdate – “There was an error performing the update”

Symantec Antivirus (for the Mac) LiveUpdate fails with an alert stating, “There was an error performing the update”

This occurred on a Mac OS X client workstation running Symantec AntiVirus for Mac – the Enterprise product version, not the consumer-oriented Norton AntiVirus for Mac – when attempting to run LiveUpdate.

In order to see a more helpful error message, you’d need to know to look at
/Library/Application Support/Symantec/LiveUpdate/liveupdt.log
where you’ll find the more descriptive:
"verifyCertPath():  objCertJ.buildCertPath failed to get cert path."

When I saw the above error message, it occurred to me right away that communication between the Symantec client and their servers was failing. Perhaps I might need to update a certificate by manually installing it? The fix is easier, in fact. Update the Symantec LiveUpdate itself, which is a 4.6 MB .dmg file.

See Symantec’s article here: http://www.symantec.com/business/support/index?page=content&id=TECH154634

If you are managing your Macs centrally with Apple Remote Desktop (aka “ARD”), you can use “Send Unix command…”
to verify the LiveUpdate version on the client workstations using the following:

defaults read /Applications/Symantec\ Solutions/LiveUpdate.app/Contents/Info CFBundleGetInfoString

Using ARD, you can centrally push/distribute the updated LiveUpdate by mounting the .dmg download from Symantec, and using the package installer within.
After that, use the following command to get the client workstations to update. I suggest updating everything, rather than just (virus) definitions:

/Applications/Symantec\ Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate -liveupdatequiet YES -liveupdateautoquit YES -update LUal

The command to update definitions only is:

/Applications/Symantec\ Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate -liveupdatequiet YES -liveupdateautoquit YES -update LUdf

You can monitor some information about the update process by watching the log file (via ssh access, for example):

tail -f "/Library/Application Support/Symantec/LiveUpdate/liveupdt.log"

Please note that after repairing the problem (applying the LiveUpdate package/updating LiveUpdate itself), the update process can take a very long time! Just let it do its thing.

Note that this problem can also occur on a Windows client where – for example – you might be trying to run LiveUpdate from a batch file or other script. See:

http://www.symantec.com/business/support/index?page=content&id=TECH167145

Note that the specific error message is the same (“verifyCertPath():  objCertJ.buildCertPath failed to get cert path”)

The most likely cause of this problem on either platform (Mac or Windows) is that the software was installed without then updating all components right away, and/or that only virus definitions were updated over a long period of time without updating the program components, to the extent that the client falls too far out of date to communicate with the update server(s) correctly.

Some tips for troubleshooting Apple’s Mail.app

PLEASE NOTE: The following is being provided for informational purposes ONLY and should not be attempted unless you are already familiar and comfortable with working in the Terminal. In no way is this meant to be a comprehensive method (not at all) for troubleshooting Mail.app.

When you get a spinning cursor (also known as the “spinning cursor of death”, the “spinning pinwheel of death” (SPOD) or the “spinning beach-ball of death” (SBOD)), this typically indicates that some task or event internal to the application is not completing – and the application (Mail) is waiting and so are you. Apple states the following about the spinning cursor: “The spinning wait cursor… is displayed automatically by the window server when an application can’t handle all of the events it receives. In general, if an app does not respond for about 2 to 4 seconds, the spinning wait cursor appears.” See http://developer.apple.com

In 10.4 and 10.5 you can use the Terminal to get the process id of Mail and then watch what files it’s accessing. As of OS X 10.5, fs_usage probably won’t give the expected result(s), and so for 10.5 and later, it’s better to use dtrace tools such as rwsnoop and opensnoop.

To look for a specific mail message that might be causing the problem, try the following, using the Terminal (Applications/Utilities):

(The initial “sudo” is just to escalate privileges early, so as to avoid a delay between launching Mail and authenticating afterward and missing the output. This assumes the user (account) in question has administrative privileges).

sudo echo ''; open -a /Applications/Mail.app; sudo opensnoop | grep mbox

To see more of what Mail is accessing, try (all on one line):

sudo echo ''; open -a /Applications/Mail.app; sudo opensnoop | grep -v mds | grep -v grep | grep $(ps aux | grep '[M]ail' | grep -v bundle | awk '{ print $2 }')

In both cases, press control (ctrl) and c simultaneously in the Terminal to cancel the operation. Mail will continue to run; quit it normally as desired.

Please *DO NOT DELETE ANYTHING* at all, especially while Mail is running. If necessary, force-quit Mail (see “Force Quit” in the Apple menu). However it’s best not to force-quit an application until you’re quite certain that it’s hung.

Please do not touch anything outside of the user’s Library/Mail directory, unless the problem turns out to be a 3rd-party bundle, which you should see listed as being in /Users/<username>/Library/Mail/Bundles/

Whatever you do, please make sure you have a full, known-good backup (of your Home folder at the very least in this case).

Rather than attempting to state what you might do with what you find, if you’re not sure then please contact us at the Core Solution Group to arrange to bring your Apple computer to us, or if that’s not an option we can arrange a remote support session (it’s easy to set up).

Tools and information for managing Mac OS X client

Infoworld published an article today that is a good overview, but it should be emphasized that the article is only a start, seemingly geared towards those with a beginner’s knowledge of what’s available and possible for managing Mac OS X in a centralized manner, be it with available directory services (Microsoft’s Active Directory, Apple’s Open Directory, and others) or where no centralized services are available or an option.
See http://www.infoworld.com/t/mac-os-x/its-guide-managing-macs-in-the-os-x-lion-era-177361

Workgroup Manager is a free download from Apple, and can be used in conjunction with Mac OS X clients bound to Active Directory (beyond the scope of this post) or via dslocal (see links below). For Mac OS X 10.7 you should install the 10.7.2 version of the Server Admin tools and use the version of Workgroup Manager included with it.
http://support.apple.com/kb/DL1457

For 10.6 clients, see
http://support.apple.com/kb/DL1403

Note that you should use a version of Server Admin tools (namely, Workgroup Manager) that matches your client OS as closely as possible. For example, see
http://support.apple.com/downloads/#10.6%20server%20admin%20tools

Some additional key tools you should know about are (one is mentioned in the comments for the Infoworld article):

Munki
http://code.google.com/p/munki/
For managing software installation(s) on Mac clients
– Server: “A Munki server is simply a web server. It is nothing else. You do not need the munki tools installed on the server. It is possible to use a NAS appliance as a Munki server. You are simply setting up a filesystem on a web server for clients to access. Common choices: Mac OS X Server, a Linux Server, in other words a webserver product (i.e. Apache) running on a box with some way to get files on and off it. Good choices for transferring files to and from the munki server include file sharing via AFP, SMB or NFS”
– client: Mac OS X (client) workstation

Reposado – for hosting Apple software updates.
https://github.com/wdas/reposado
“you may use any existing web server you wish (but) Reposado… currently relies on the command-line “curl” binary to download updates from Apple’s servers. curl is available on OS X, RedHat Linux, and many other OSes, including Win32 and Win64 versions. See http://curl.haxx.se for more information.”

Apple Remote Desktop – for easy adjustment of client settings, client support (screen sharing), pushing out (Apple) package-installer compliant software installs, and more.
http://www.apple.com/remotedesktop/

dslocal mcx (client-local mcx for “Managed Client for Mac OS X”)
See http://www.afp548.com/article.php?story=using-mcx-in-the-dslocal-domain
and http://managingosx.wordpress.com/2008/02/07/mcx-dslocal-and-leopard/

Please contact the Core Solution Group if you would like to begin planning and implementation of one or more of these tools.

Farewell, Steve Jobs. RIP.

http://www.apple.com/stevejobs/

After much reading and thinking about the passing of Steve Jobs, the following are two of the favorite shared tidbits I came across about the man:

http://blog.pluckytree.org/2011/10/last-time-i-saw-steve-jobs.html

“…the problem with children is that they carry your heart with them. The exact phrase was, ‘It’s your heart running around outside your body.’ That’s a Steve Jobs quote.”
http://www.businessweek.com/printer/magazine/eric-schmidt-on-steve-jobs-10062011.html

Malware for Mac OS X and security concerns for any PC user


Please note: If you use a PC (Personal Computer) – be it an Apple running Mac OS X or a Windows-based computer, and you live in the Pioneer Valley or Western MA and have reason to believe your computer is compromised (be it Mac OS X malware or a Windows virus or malware), please contact us to make an appointment to have your computer checked by our techs.

 Update, 9/27/2011, 1:30 PM: Apple has updated their XProtect mechanism to cover the PDF exploit. See http://www.h-online.com/security/news/item/Apple-updates-malware-definition-list-to-defend-against-PDF-trojan-1350430.html

There are two new security concerns worthy of note for Apple’s Mac OS X, which may come as a surprise to some, but really shouldn’t.

First, it’s important to understand that no operating system is invulnerable, including Mac OS X.
There are in fact a growing number of pieces of malware targeting Mac OS X: Malicious software in the form of “Trojans”, ie: items that appear to be harmless while posing as something they’re not, and if installed, can put in place software that you don’t want that can take up resources and cause unapproved (and undesirable) changes to your computer’s operating system. This has been seen previously in the form of malware for Mac OS X posing as a installer for various kinds of software, some of which frankly would have to have been obtained illegally and that may still be floating about P2P (peer-to-peer) networks and dark corners of the Internet (websites that one should know full well are not trustworthy sources of software).

Two more recent items of concern are (very) recent malware (“Trojans”) that you should know about,
if you don’t already: A fake Flash installer, and a malicious PDF file. More information about them
is given a little further below.

You may be wondering what you can and should do to help keep your computer safe from malware.
Whether you’re using a Mac or a PC, one very good step you can take is to create a non-administrator account and log in to that account for your everyday use. In OS X it’s easy enough to authenticate as a non-admin with the credentials of your admin account (username and password), and by running under a limited account, you can help to limit the damage that malware can accomplish.

However, migrating your data properly from an existing admin account to a non-admin account is beyond the scope of this post. Also, be advised that some software is written with the assumption that you are running as/under an administrator account, and – if not – either won’t install, or won’t run properly in part or in whole.

Another important security practice you should take – and I wish Apple would set as the default – is to disable
Safari’s ‘Open “safe” files after downloading’: Launch Safari and open Safari’s Preferences settings from the Safari menu, and in the first section, un-check the option at the bottom to Open “Safe” files after downloading.

[Image: Disable Safe downloads in the Safari preferences settings]

If you want to feel fancy about it (or you’re already comfortable using the Terminal), another way to do this is to quit Safari and simply enter the following in a Terminal window (you can copy-paste if you like):

defaults write com.apple.Safari AutoOpenSafeDownloads -bool FALSE

(executed by pressing the Enter or Return key on your keyboard).

However, even prior to the above steps, the most important thing you can do is be careful and actively think about your online activities. Consider the site(s) you’re going to, whether you should even waste any time on software installers that you might find there, or any claims that a questionable site makes that you “need” something that they want you to download and install. Stop, and think about it. And where commercial software is concerned, if you didn’t obtain it legally, then you don’t know what else you might be getting when you unquestioningly supply your username and password to the installer you just got from obviouslyshadysite.sketch. At that point all bets are off, and this is where social-engineering will get you, if you’re not applying intelligence to how you use the Internet: Web, email, and especially P2P which can be used for legal purposes, but is very often used to distribute – or attempt to acquire – content illegally.

Adobe installers should only be obtained directly from Adobe (or purchased from reputable vendors – be it a store or online vendor), Apple software from Apple, and Microsoft (eg, Office) from Microsoft or from an established and trustworthy vendor.

Also know that Apple is taking steps to help counteract malware, with a brief explanation given at their support site, http://support.apple.com/kb/HT3662 (and the same mechanism exists in 10.7 as well)

More information about the fake-Flash installer/trojan can be found at arstechnica:
http://arstechnica.com/apple/news/2011/09/mac-trojan-pretends-to-be-flash-player-installer-to-get-in-the-door.ars

And there is more info about the malicious PDF file at f-secure.com. Note that while this
and the above fake installer might not yet have been seen extensively “in the wild” (meaning
it’s not wide-spread – yet) as always, be cautious.
http://www.f-secure.com/weblog/archives/00002241.html

Manual removal instructions are available at F-Secure’s site, http://www.f-secure.com/v-descs/backdoor_osx_imuler_a.shtml BUT they miss a key detail where Lion/10.7 is concerned (see below):

Quoting and slightly modifying from the f-secure article:

Open Activity Monitor
Select checkvir then click Quit Process
Delete the following files:

/Users/<your_user_homefolder>/Library/LaunchAgents/checkvir
/Users/<your_user_homefolder>/Library/LaunchAgents/checkvir.plist

Additional info you might need: Bear in mind that in Lion, your Library folder
is hidden by default, if you don’t see the Library folder within your home folder (In the Finder use the Go menu > Home)
you can get to it by instead choosing “Go to Folder…” (the second last item) in the Finder’s Go menu,
and typing in: ~/Library and then pressing the (highlighted in blue) Go button.
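
Because the Library folder is hidden in the Finder on Lion, a Terminal check is the quicker way to see whether either of the two files named in the removal steps above is present. The following is an added example, not part of the original post or of F-Secure's instructions: it only reports and deletes nothing, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or from F-Secure.
# The two file names are the ones listed in the removal steps above;
# scan_checkvir and checkvir_running are hypothetical helper names.

# scan_checkvir [USERS_DIR]
# Looks in every home folder under USERS_DIR (default /Users) for
# Library/LaunchAgents/checkvir and Library/LaunchAgents/checkvir.plist.
# Prints "FOUND <path>" per hit; returns 0 if nothing was found, 1 otherwise.
# Run it with sudo to be able to look inside other users' home folders.
scan_checkvir() {
    base="${1:-/Users}"
    hits=0
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        for name in checkvir checkvir.plist; do
            f="${home}Library/LaunchAgents/$name"
            # -L also catches a dangling symlink, which -e would miss
            if [ -e "$f" ] || [ -L "$f" ]; then
                echo "FOUND $f"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -eq 0 ]
}

# checkvir_running
# Succeeds if any running process has an executable named exactly "checkvir"
# (the same thing the Activity Monitor step looks for).
checkvir_running() {
    ps -A -o comm= | awk '
        { n = split($0, p, "/"); if (p[n] == "checkvir") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Usage:
#   sudo sh -c '. ./checkvir_check.sh; scan_checkvir /Users'
#   checkvir_running && echo "checkvir process is running"
```
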

 

Printing from Lion to a Windows server print queue with a client NOT bound to Active Directory

The following describes working with 10.7.1 (“Lion”) client and adding a setup for a printer that’s hosted by a Windows server, in an environment where Mac workstations are not bound to Active Directory (ie, no single-sign-on via Kerberos, no Kerberos auth for printing).

In the Add Printer dialog, choose Windows, select the domain in question,
locate the print server desired, and when asked to authenticate,
use: domain\username and the associated password.
Save to your keychain if desired (This may well be unacceptable in some settings due to security policies).
Choose the printer queue desired, and configure appropriately (printer name, options).

When first printing to the printer, if asked to authenticate, do so again using the same
credentials as above (domain\username – and associated password).

If you skip the 2nd authentication request, the job will get spooled but fail to print (check the list for the printer in question and you’ll see a message relating to authentication failed/needed).