Back in mid July I noticed something odd with my Mac Mini. It turned out that at some point in the past few months my Chrome browser on my Mac Mini at home was compromised. I’m not sure if it was malware or a configuration hack on the browser.
The problem may have existed for some time. I do not normally use Chrome on my home Mac. What I noticed was odd behavior after I launched Chrome to log into my Google account. Whenever I use my Google account I always log in via Chrome. Call me paranoid, but I do not want Google possibly tracking activities via my login on Safari, which I use as my daily browser. When I attempted to log in I noticed that after clicking on login from Google.com I got some fake message about my Google account being compromised. The funny thing was I never actually gave it my login credentials, and the screen that was displayed didn’t look at all like a standard page on any Google site I have been on.
My first reaction was to clear all the settings on the browser as if it were a brand-new setup. I then tried again; however, the problem persisted. That was concerning to me.
My next step was to completely delete the Chrome browser from my Mac and download a fresh copy from Google.com using a different browser. That worked, and once I installed the new version everything seemed okay. The lingering question I had was how contained was the problem? I had some confidence, but not enough, that the issue was purely within Chrome. I had no definitive evidence to back myself up.
To be safe, in the immortal words of Ripley from the movie Aliens, I “nuked the site from orbit”. I created a Carbon Copy Cloner image of my OS drive, then deregistered any application I needed to that was associated with this computer, and wiped it. That was the only way to be sure that there was no ongoing compromise to my system.
The rebuild process was slightly challenging and took more time than I’d hoped. As I was trying to reformat the drive in recovery mode the computer kept crashing. I am not sure why. That forced me to do a network boot and download the original operating system that came with this Mac, bypassing the step on my local hard drive that was crashing. The machine is from 2012, so that meant at least three OS upgrades to get me to the latest. By the time I completed the original OS install I was able to download El Capitan on my MacBook Pro and create a boot USB key. The USB key worked, so I was able to save a significant amount of time and jump right to El Capitan. I was thankful I did not need to complete several more upgrades. The parallel effort of creating the USB boot disk from my laptop paid off.
Once I had my base install done I was able to patch the system and install the standard applications that I typically use. Because I use BitTorrent Sync for replicating my data, restoring most of the system was as simple as reseeding my data on this machine. It took several days for the data to replicate; however, when it was done everything was fine.
Weeks later there are still some applications I haven’t finished setting up yet. Of course that means I don’t use them that often, so it’s a minor inconvenience. The main applications I use are already set up and working perfectly fine.
For me the moral of this story is that my data replication setup works. I also confirmed what I already knew: no matter how diligent I am, I can still be compromised. I think the problem had existed for a while; however, I have no way to prove it. Recently I have started compartmentalizing some of my web browsing to prevent such exploits. That, I hope, will mitigate risk for the future; however, nothing is 100% safe. That compartmentalizing effort in and of itself is a blog entry I’m working on.