Thursday, November 5, 2015

Mac OS X Malware Soars in 2015

Mac malware is set to accelerate over the coming months after having its most prolific year ever so far in 2015, according to new research from endpoint security firm Bit9 + Carbon Black.
After an analysis of the year so far, the vendor concluded that five times more Mac malware appeared in 2015 than the previous five years combined.   
It collected 1,400 unique samples over the period using custom-built sandboxes and tools such as fs_usage, dtrace and opensnoop.
It found that Mac malware as a whole does not borrow very heavily from Unix or Linux malware, which was unexpected given OS X's BSD roots.
Another interesting finding was that more than 90% of the Mac malware it examined still uses the older load commands (LC_THREAD or LC_UNIXTHREAD) rather than LC_MAIN to define the entry point of a Mach-O executable.
That is a useful triage signal: LC_MAIN has been the linker's default for binaries targeting OS X 10.8 or later, so a recently built executable that still carries LC_UNIXTHREAD was either produced with an old toolchain or a deliberately old deployment target, or assembled by hand, and deserves a closer look. It is a heuristic rather than a verdict; binaries that legitimately target pre-10.8 systems carry the old command too.
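The check described above is easy to automate. The following Python script is an added example, not Bit9 + Carbon Black's tooling: it parses the Mach-O header and load command table of a thin (single-architecture) binary and reports which load command defines the entry point, treating LC_THREAD/LC_UNIXTHREAD in an executable as the "legacy entry" signal. The two sample images it builds are constructed stand-ins with a valid header and one load command, not real binaries; universal (fat) files must be split into slices first, and non-executables (dylibs, bundles) are ignored because they have no entry point to begin with.

```python
import struct

# Mach-O magic values for thin binaries. A universal/fat file starts with 0xcafebabe
# and wraps one thin Mach-O per architecture; this checker expects a thin slice.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA
MH_EXECUTE = 0x2

# Load commands that can carry the entry point.
LC_THREAD = 0x4
LC_UNIXTHREAD = 0x5
LC_MAIN = 0x80000028          # LC_REQ_DYLD | 0x28, introduced with OS X 10.8
ENTRY_COMMANDS = {LC_THREAD: "LC_THREAD", LC_UNIXTHREAD: "LC_UNIXTHREAD", LC_MAIN: "LC_MAIN"}


def parse_mach_header(data):
    """Return (endianness, is64, filetype, ncmds, header_size) for a thin Mach-O."""
    if len(data) < 28:
        raise ValueError("file too short to hold a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (FAT_MAGIC, FAT_CIGAM):
        raise ValueError("fat binary: split it into thin slices first (e.g. lipo -thin)")
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"            # magic read back-to-front means the file is big-endian
    else:
        raise ValueError("not a Mach-O file (magic 0x%08x)" % magic)
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    # Fields after magic: cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags (+reserved on 64-bit)
    _cputype, _cpusubtype, filetype, ncmds, _sizeofcmds, _flags = struct.unpack_from(endian + "iiIIII", data, 4)
    return endian, is64, filetype, ncmds, 32 if is64 else 28


def load_commands(data):
    """Yield (cmd, cmdsize, offset) for every load command, refusing malformed sizes."""
    endian, _is64, _filetype, ncmds, off = parse_mach_header(data)
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("load command table runs past end of file")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        yield cmd, cmdsize, off
        off += cmdsize


def entry_point_command(data):
    """Name of the load command that defines the entry point, or None.

    Returns None for non-executables: dylibs, bundles and object files have no
    entry point, so the absence of LC_MAIN there is not suspicious."""
    _endian, _is64, filetype, _ncmds, _hdr = parse_mach_header(data)
    if filetype != MH_EXECUTE:
        return None
    for cmd, _size, _off in load_commands(data):
        if cmd in ENTRY_COMMANDS:
            return ENTRY_COMMANDS[cmd]
    return None


def uses_legacy_entry(data):
    """True when an executable still uses LC_THREAD/LC_UNIXTHREAD instead of LC_MAIN."""
    return entry_point_command(data) in ("LC_THREAD", "LC_UNIXTHREAD")


def build_sample(entry_cmd, filetype=MH_EXECUTE):
    """Constructed minimal x86_64 image with a single entry-point load command
    (not a real binary; just enough header to exercise the parser)."""
    if entry_cmd == LC_MAIN:
        lc = struct.pack("<IIQQ", LC_MAIN, 24, 0x1000, 0)          # entryoff, stacksize
    else:
        state = b"\0" * (42 * 4)                                     # x86_THREAD_STATE64: 42 words
        lc = struct.pack("<IIII", entry_cmd, 16 + len(state), 4, 42) + state
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, filetype, 1, len(lc), 0, 0)
    return hdr + lc


if __name__ == "__main__":
    for cmd in (LC_MAIN, LC_UNIXTHREAD):
        sample = build_sample(cmd)
        print(entry_point_command(sample), "legacy" if uses_legacy_entry(sample) else "modern")
```

To run it over a real file, read the bytes of a thin slice (`lipo -thin x86_64` on a universal binary) and pass them to `uses_legacy_entry`; `otool -l` will show the same LC_MAIN or LC_UNIXTHREAD entry for cross-checking.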
In addition, the Bit9 + Carbon Black researchers concluded that the vast majority of Mac malware uses one of just seven persistence techniques to remain on an infected system.
These are LaunchAgents, LaunchDaemons, login items, browser plugins, StartupItems, binary infection and cron jobs.
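LaunchAgents and LaunchDaemons are the first two on that list and the easiest to audit, since each job is a property list that states exactly what launchd will run. The following Python script is an added example (not Bit9 + Carbon Black's tooling) of the triage a responder does on such a plist: it resolves the program that actually runs, inspects every absolute path the job references, and flags the patterns that distinguish a dropped agent from a vendor's updater. The two plists it parses are constructed samples, and the "suspicious" prefixes and interpreter list are assumptions a team would tune for its own fleet.

```python
import plistlib
import posixpath

# Directories launchd scans; the per-user one is writable without root, which is
# why user-level malware favours it.
LAUNCH_DIRS = {
    "/Library/LaunchDaemons": "system daemon (runs as root)",
    "/Library/LaunchAgents": "system-wide agent",
    "~/Library/LaunchAgents": "per-user agent (user-writable)",
}
# Places a legitimately installed job rarely runs from (assumption; tune per fleet).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/private/var/folders/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "perl", "curl"}


def triage_launch_plist(plist_bytes, plist_path="~/Library/LaunchAgents/unknown.plist"):
    """Summarise a launchd job and collect the findings a responder should check."""
    job = plistlib.loads(plist_bytes)
    findings = []
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    if program is None:
        findings.append("no Program or ProgramArguments; launchd would reject this job")

    label = job.get("Label", "")
    if not label:
        findings.append("missing Label")
    elif label.count(".") < 2:
        findings.append("Label %r is not reverse-DNS style (com.vendor.product)" % label)

    # Look at every absolute path the job references, not just the executable:
    # '/bin/sh -c /Users/Shared/.cache/agent' hides the real payload in the arguments.
    paths = list(dict.fromkeys(p for p in [program] + args if isinstance(p, str) and p.startswith("/")))
    for p in paths:
        if p.startswith(SUSPICIOUS_PREFIXES):
            findings.append("runs from a temporary or shared directory: %s" % p)
        if any(part.startswith(".") for part in p.split("/")[1:]):
            findings.append("path contains a hidden component: %s" % p)
    if program and posixpath.basename(program) in INTERPRETERS:
        findings.append("program is an interpreter or downloader, inspect the arguments: %s" % " ".join(args))

    run_at_load = bool(job.get("RunAtLoad", False))
    keep_alive = job.get("KeepAlive", False)
    keep_alive = True if isinstance(keep_alive, dict) else bool(keep_alive)
    if run_at_load and keep_alive and findings:
        findings.append("job starts at login and is restarted whenever it exits (RunAtLoad + KeepAlive)")

    return {
        "path": plist_path,
        "scope": LAUNCH_DIRS.get(posixpath.dirname(plist_path), "non-standard location"),
        "label": label, "program": program, "arguments": args,
        "run_at_load": run_at_load, "keep_alive": keep_alive, "findings": findings,
    }


# Constructed sample: the shape of a user LaunchAgent a dropper might write.
SAMPLE_MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>update</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/Shared/.cache/agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: a benign-looking vendor agent for comparison.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        report = triage_launch_plist(sample)
        print(report["label"], report["program"], report["findings"])
```

On a live system the same function would be fed the files under the three LAUNCH_DIRS entries (and `launchctl list` output for jobs loaded from elsewhere); a finding is a reason to pull the referenced binary for the entry-point and code-signing checks, not proof of infection on its own.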
The growing prevalence of Mac malware is, unsurprisingly, linked to Apple's rising market share among consumers and enterprises.
“For years, Mac users have watched their PC-using counterparts struggle with cyber-attacks, while enjoying the relative immunity that their hardware provides from malware. This view is becoming increasingly outdated; our research shows that Mac users should be just as worried,” argued Bit9 + Carbon Black EMEA MD, David Flower.
“With 45 per cent of businesses now offering Macs as an option to staff, our research should be seen as a timely reminder that every device on the network is a potential target—businesses can’t just rely on a clearly outdated perception of invulnerability.”

Thursday, September 10, 2015

Apple's Core Problem Is That It Can No Longer Innovate

Oh, how we laughed when Microsoft unveiled a tablet device with an expensive snap-on keyboard. And, when Steve Jobs declared in 2007 that the stylus was complete folly and a thing of the past, we cheered. The tech industry has a very short memory, it seems.

Roll forward to 2015 and Tim Cook showed an expectant audience much of the same that we’ve seen before, and like previous years we have grown to accept that the polish and style of delivery masks a growing problem at Cupertino: Apple has run out of juice.

iPhone 6S and 6S Plus

There was nothing here we didn’t already know or even expect, given the many leaks beforehand. Another mid-life iPhone facelift ahead of next year’s iPhone 7, with camera and processor spec bumps. The new iPhone was the last to be announced at the Apple Event because there was nothing to announce. The only attraction this time was Force Touch, something which will definitely kill off the Home Button on the next iteration when Apple figures out how to do fingerprint recognition from the screen for Apple Pay and Touch ID. Tim Cook struggled to make the ubiquitous device seem anything but more of the same. Live Photos? Sounds like a cross between Vine and what Google Photos has been doing for a while now. The 6S Plus is more of a curious beast though, because it almost heralds the death of the iPad Mini, but Apple won’t admit this yet.

iPad Mini 4

Here’s a device which received some treatment before it disappears from the iPad family-photo album entirely. Apple knows exactly how to capitalize on the runt of the litter, and a little extra gloss will sell a few more units, but with a 6S Plus in the Apple Store there is no real reason to own a Mini anymore. And it gets worse now Big Brother has arrived.

iPad Pro

This is where things get interesting. Apple unveiled a device clearly aimed at the business and prosumer market. With a price point at the higher end to make laptop buyers weep, coupled with an expensive $169 snap-on keyboard and a ludicrous $99 Apple Pencil (i.e. a stylus), it was the clearest indication that Cupertino couldn’t innovate but only imitate competitor strategy. This was almost an admission that Microsoft got it right with the Surface, but just couldn’t market it like Apple hardware. The Pro is aimed at the enterprise market, a smart move by Apple (which has cut deals with IBM and Cisco for distribution of hardware and apps) in a time of slowing consumer tablet sales. But what could the Pro do to consumer laptop sales at Apple? Much like the 6S Plus will eat away at the iPad Mini, the iPad Pro will cut into sales of the MacBook Air. The Pro’s speed and screen resolution (it beats a Retina display on a MacBook Pro) will make many think twice about getting an Air, which until now has been Apple’s least expensive way to balance portability and performance.

Apple TV

The bedroom hobby project has been trying to become a serious hobby for years. It has still failed to be anything else, and yesterday’s announcement seemed very odd indeed. Apps are not the future of TV; in fact, making consumers sit and watch more TV is not the future of the human race. And certainly owning a separate box to appify television is not the answer. Apple wants us to believe that their black beauty is what we need to make the living room come alive again, but every last-gen and current console has been doing what an Apple TV can do for a few years now, and more. If Apple really wanted to make this a serious concern, it would have baked tvOS into a television unit itself, or licensed it to one major OEM. But it won’t. Given that smart TVs already have apps that cater for the same content as Apple TV, and that consoles, Chromecast, Amazon Fire Stick and voice interaction already exist, there is no killer reason to own an Apple TV on top. And as a casual games proposition? Please. Even the wording on the website makes it sound like Apple has singlehandedly reinvented the games industry.

Wednesday, May 20, 2015

Vulnerability in Safari Allows Attackers to Spoof Websites

A security firm has discovered a vulnerability in Apple’s Safari Browser that allows attackers to spoof legitimate websites and phish for user credentials.

Security firm Deusen reveals that the flaw works by using a short script to force Safari into loading one page while still displaying the URL of another page. The opening of that script is reproduced below:

function f()

Deusen has published a demonstration of the vulnerability here.

“The code is very simple: the webpage reloads every 10 milliseconds using the setInterval() function, just before the browser can get the real page and so the user sees the ‘real’ web address instead of the fake one,” comments Manuel Humberto Santander Peláez, a handler at the SANS Internet Storm Center.
The bug works on fully patched versions of iOS and OS X. Even so, the demo code is not perfect.

Staff members at Ars Technica tested the vulnerability, and while the demo code worked flawlessly on a MacBook Pro, the address bar on an iPad Mini periodically refreshed as the page appeared to reload.

Similarly, Help Net Security experienced some problems when testing the bug. The demo code appeared to work only until a user switched tabs, and even while it worked, it reasoned, savvy users would notice the loading progress bar flickering in the address bar.

Despite the demo code’s flaws, less experienced users might not notice this behavior. An attacker could therefore lure unaware users to a site that shows a trusted address while actually serving a page that attempts to install malware or capture login credentials.

This vulnerability was discovered by the same group of researchers who discovered a Universal Cross Site Scripting (XSS) vulnerability in the latest versions of Microsoft’s Internet Explorer back in February of this year. That flaw also put web users’ login credentials and sensitive information at risk.

Users are encouraged to watch for the signs described above: an address bar that keeps flickering or reloading, and page content that does not match the site the address bar claims to show.

Wednesday, April 22, 2015

Apple 'Rootpipe' security vulnerability still prevalent following patch

Apple issued an OS X Yosemite update earlier this month which was meant to remedy a flaw known as Rootpipe. First disclosed last October by security researcher Emil Kvarnhammar (though it had existed since at least 2011), the flaw allows a local attacker to gain root access to a system through what amounts to a backdoor in the System Preferences app.
A second security researcher, Patrick Wardle, attempted to exploit the vulnerability on a patched machine and was apparently able to pull it off.
In a post on Objective-See, Wardle said he was on a return flight from a conference when he stumbled upon what he describes as a novel, yet trivial way for any local user to re-abuse Rootpipe. Wardle didn’t provide the technical details of the attack in the spirit of responsible disclosure (except to Apple, of course) but wanted other OS X users to be aware of the risk.
In an e-mailed statement to Forbes, Wardle said he was tempted to walk into an Apple store and try the exploit on a display model but stuck to testing it on his personal laptop.
Wardle, currently the director of research and development at security firm Synack, has made a name for himself in the security community by presenting at conferences including DEF CON, Virus Bulletin, ShmooCon and CanSecWest.
Apple could have its hands full with Rootpipe. Another security researcher, Pedro Vilaça, told Forbes that the original fix was doomed from the day it shipped because there are so many ways to bypass it “due to the wrong fix design.”
Apple has also been criticized for issuing a patch only for OS X Yosemite, leaving the large number of Mac users on earlier releases exposed.

Monday, February 23, 2015

Most vulnerable operating systems and applications in 2014

An average of 19 vulnerabilities per day were reported in 2014, according to the data from the National Vulnerability Database (NVD). The NVD provides a comprehensive list of software security vulnerabilities. In this article, I look at some of the trends and key findings for 2014 based on the NVD’s database.

Some of the questions asked are:

-       What are the latest vulnerability trends? Are we seeing an increase or a decrease in the number of vulnerabilities?

-       What percentage of these vulnerabilities are rated as critical? (i.e. high severity, such as flaws that allow remote code execution)

-       In which areas do we see the most vulnerabilities? Are operating systems, third-party applications or network devices such as routers, switches, access points or printers most at risk?

-       Which operating systems and applications are listed with the most vulnerabilities? This data is important because the products at the top receive the most frequent security updates. To keep an IT infrastructure secure, sysadmins need to continually monitor these operating systems and applications for the latest updates and ensure they are always fully patched.

7,038 new security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years.

24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high-severity vulnerabilities has increased compared to last year.
Third-party applications are the most important source of vulnerabilities, accounting for over 80% of those reported. Operating systems account for only 13% and hardware devices for 4%.

It is interesting that although Microsoft operating systems still have a considerable number of vulnerabilities, they are no longer in the top 3. Apple, with OS X and iOS, is at the top, followed by the Linux kernel. Bear in mind that these are counts of reported CVEs per product, which reflect how much scrutiny and reporting a product attracts as much as how secure it is; they are a guide to patching workload, not a ranking of risk.

2014 was a tough year for Linux users from a security point of view, all the more so because some of the most important security issues of the year were reported in applications that usually run on Linux systems. Heartbleed, for example, is a critical vulnerability in OpenSSL, while Shellshock is a vulnerability in GNU Bash.

The applications listed here are pretty much the same as in 2013. Not surprisingly, web browsers continue to have the most security vulnerabilities, because they are the most common path onto a client machine and a popular vector for spreading malware. Adobe's free products and Java are the main challengers, but web browsers have continuously topped the table for the last six years. Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012; Google Chrome in 2010 and 2011; Internet Explorer was at the top for the last two years.

To keep systems secure, it is critical that they are fully patched. IT admins should focus on (patch them first):

Wednesday, January 7, 2015

World’s first (known) bootkit for OS X can permanently backdoor Macs

Securing Macs against stealthy malware infections could get more complicated thanks to a new proof-of-concept exploit that allows attackers with brief physical access to covertly replace the firmware of most machines built since 2011.

Once installed, the bootkit—that is, malware that replaces the firmware that is normally used to boot Macs—can control the system from the very first instruction. That allows the malware to bypass firmware passwords and the passwords users enter to decrypt their disks, and to preinstall backdoors in the operating system before it starts running. Because it's independent of the operating system and hard drive, it will survive both reformatting and OS reinstallation. And since it replaces the RSA public key Apple's firmware uses to verify that only Apple-signed firmware is installed, there are few viable ways to disinfect an infected boot ROM. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no way to detect them, either.

The malware has been dubbed Thunderstrike, because it spreads through maliciously modified peripheral devices that connect to a Mac's Thunderbolt interface. When plugged into a Mac that's in the process of booting up, the device injects what's known as an Option ROM into the extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before loading the OS. The Option ROM replaces the RSA public key Macs use to ensure only authorized firmware is installed. From there, the Thunderbolt device can install malicious firmware that can't easily be removed by anyone who doesn't have the new key.

Enter evil maid

While the hack requires an attacker to have brief physical access to a targeted machine, that prerequisite isn't prohibitively steep in many situations. For example, so-called "evil maid" scenarios—in which a rogue hotel housekeeper tampers with a computer—or an agent at an international border crossing both routinely have access to computers, often while unsupervised. Documents leaked by former National Security Agency subcontractor Edward Snowden also exposed how agents intercept hardware being shipped to organizations targeted for surveillance and covertly install modified firmware onto them before they’re delivered.

All any of these attackers would need to do to carry out a Thunderstrike-style attack is to reboot a Mac with a previously weaponized Thunderbolt device attached. If the machine is turned on but locked, the attacker need only press the power button for a few seconds to hard-reboot the machine. Firmware passwords, disk encryption passwords, and user passwords won't thwart the attack since the Option ROMs are loaded before any of those protections are checked.

Thunderstrike made its debut in late December, at the Chaos Communication Congress. The vulnerability was discovered by Trammell Hudson, an employee of a high-tech hedge fund in New York City called Two Sigma Investments, while trying to secure the firm's MacBooks. A self-described reverse engineering hobbyist, Hudson was previously known for creating Magic Lantern, an open source programming environment for Canon digital SLR cameras.

Thunderstrike builds on a similar attack, demonstrated at the 2012 Black Hat conference, that bypasses OS X FileVault protections to install a rootkit. Like Thunderstrike, the 2012 exploit used Thunderbolt ports to inject the malicious payload into the boot process, but the earlier attack wasn't able to modify the boot ROM itself. To work around that limitation, the researcher—who works under the hacking moniker snare—wrote the bootkit to the EFI system partition.


One of the breakthroughs of Thunderstrike is its ability to get the boot ROM firmware volumes validated. Hudson figured out how to do this after discovering an undocumented CRC32 cyclic redundancy check routine carried out during the normal validation process. A second breakthrough involved the discovery that Option ROMs are loaded during a recovery mode boot. That allowed Hudson to figure out how to replace Apple's existing EFI code.
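The CRC32 routine mentioned above was one step in Hudson's chain; the general lesson is worth making concrete. The following Python block is an added illustration of that lesson, not Hudson's code and not Apple's validation routine: because CRC-32 is linear and involves no secret, anyone who modifies a firmware volume can steer its checksum to whatever value the checker expects by spending four bytes of padding, so a CRC guards against accidental corruption but not against a deliberate change. A keyed MAC (or a signature) is shown alongside for contrast. The "firmware volume", the driver path inside it and the vendor key are constructed stand-ins.

```python
import hashlib
import hmac
import zlib

# Reflected CRC-32 (the one zlib.crc32 computes): the lookup table, plus the inverse
# map from an entry's top byte back to its index, which is what makes forcing easy.
POLY = 0xEDB88320
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}   # bijection on 256 values


def crc32_force(data, target):
    """Return 4 bytes such that zlib.crc32(data + patch) == target.

    The last four update steps are walked backwards from the register value that
    produces `target`, which fixes the table index used at each step; replaying
    forwards from the real register state then yields the bytes."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF          # internal register before the final inversion
    want = target ^ 0xFFFFFFFF                    # register value that yields `target`
    indices, r = [], want
    for _ in range(4):
        k = TOP_BYTE_TO_INDEX[r >> 24]            # only the top byte is known at each back-step
        indices.append(k)
        r = ((r ^ TABLE[k]) << 8) & 0xFFFFFFFF
    patch, r = bytearray(), reg
    for k in reversed(indices):
        patch.append(k ^ (r & 0xFF))
        r = TABLE[k] ^ (r >> 8)
    return bytes(patch)


def validate_crc(image, expected_crc):
    """Non-cryptographic check: the kind an attacker can satisfy after editing."""
    return zlib.crc32(image) == expected_crc


def validate_mac(image, tag, key):
    """Keyed check: cannot be satisfied without the key."""
    return hmac.compare_digest(hmac.new(key, image, hashlib.sha256).digest(), tag)


# Constructed stand-in for a firmware volume: header, a driver path and padding.
ORIGINAL = b"_FVH" + b"driver=/EFI/APPLE/BOOT.EFI;" + b"\xff" * 32
VENDOR_KEY = b"vendor key that never leaves the signing host"   # assumption for the demo
EXPECTED_CRC = zlib.crc32(ORIGINAL)                               # what a CRC-based checker stores
EXPECTED_TAG = hmac.new(VENDOR_KEY, ORIGINAL, hashlib.sha256).digest()


def attacker_image():
    """Swap the driver path, then spend 4 bytes of padding to restore the stored CRC."""
    evil = ORIGINAL.replace(b"BOOT.EFI", b"EVIL.EFI", 1)[:len(ORIGINAL) - 4]
    return evil + crc32_force(evil, EXPECTED_CRC)


def report():
    evil = attacker_image()
    return {
        "crc_accepts_original": validate_crc(ORIGINAL, EXPECTED_CRC),
        "crc_accepts_tampered": validate_crc(evil, EXPECTED_CRC),
        "mac_accepts_original": validate_mac(ORIGINAL, EXPECTED_TAG, VENDOR_KEY),
        "mac_accepts_tampered": validate_mac(evil, EXPECTED_TAG, VENDOR_KEY),
    }


if __name__ == "__main__":
    for check, accepted in report().items():
        print("%-22s %s" % (check, accepted))
```

The tampered image is the same length as the original and passes the CRC comparison exactly, which is why a checksum found in a firmware validation path should be read as a corruption detector and nothing more; only a check rooted in a key the attacker cannot obtain turns "validated" into "trusted".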

Thunderstrike was just one of at least two EFI-based attacks that were demonstrated at December's Chaos Communication Congress. A separate talk delved into the Unified Extensible Firmware Interface, the similar mechanism used to boot many Windows and Linux machines. Hudson said an attack technique known as Dark Jedi that was outlined during the talk could possibly be adapted to make his exploit work remotely, so the attacker wouldn't require physical access. Earlier this week, US-CERT issued three advisories warning of vulnerabilities in widely used UEFI implementations. A researcher from security firm Bromium also has a brief writeup on the UEFI talk.

Hudson said Apple is in the process of partially patching the vulnerabilities that make Thunderstrike possible. The remedy involves not allowing Option ROMs to load during firmware updates, a measure that Hudson said is effective against his current proof of concept. Apple already has begun rolling out the upgrade to the Mac mini and the Retina 5K iMac and plans to make it more widely available soon.

"However... it is not a complete fix," he warned in a blog post detailing Thunderstrike. "Option ROMs are still loaded on normal boots, allowing snare's 2012 attack to continue working. Older Macs are subject to downgrade attacks by 'updating' to a vulnerable firmware version."

Until there's a complete fix from Apple, there aren't a lot of viable options for preventing Thunderstrike-type attacks. Pouring a liberal amount of epoxy glue in a Thunderbolt port will certainly make the exploit harder, since it would force an attacker to take apart the casing to access the underlying flash ROM chip, but it would come at the cost of disabling key functionality. The other obvious solution is for people to keep their machines on their person at all times, but that isn't always practical, either. Hotel safes and locked and sealed storage boxes are also only partially effective, since both measures are vulnerable to cracking and picking.

Thursday, November 6, 2014

Malware Discovered In China Could Herald ‘New Era’ Of iOS And Mac Threats

Conventional wisdom suggests that the vast majority of mobile malware cases impact Android devices, or at least that those who do not jailbreak their iPhones are safe from most threats; even Apple CEO Tim Cook has bashed Android for “dominating” the mobile malware market. Yet new malware found in China by U.S.-based researchers could herald the first serious security threat to Apple devices.

A report from Palo Alto Networks (hat tip The Verge) claims that a new family of malware is getting past Apple’s protections to potentially infect secure (i.e. not jailbroken) iOS devices by way of trojanized software for Macs. Dubbed “WireLurker,” it was found in the wild in the Maiyadi App Store, a third-party Mac store in China, where it is said to have infected 467 apps. Infected versions of these programs have been downloaded more than 350,000 times and are likely to have affected “hundreds of thousands” of users, according to Palo Alto Networks. [Update: Apple tells us that it has blocked infected apps from working -- the company's full statement is at the bottom of this post.]

The malware works by repacking legitimate Mac applications. Once downloaded to a Mac, that software will then install malicious and third-party applications on any iOS device that is connected to the infected machine using a USB cable. What’s most interesting — or, indeed, worrying for Apple customers — is that once on an iOS device, WireLurker reportedly uses a range of sophisticated techniques to modify existing apps for malicious purposes.

While the aim of its creators is not clear yet, Palo Alto Networks reports, WireLurker has been found to steal “a variety of information” from inside rewritten apps. Having surfaced in China, it targets Alibaba’s hugely popular Taobao shopping and AliPay payment apps, which hold a phone owner’s credit card and bank details, but the security firm says the way it operates could usher in a “new era” of malware for Apple devices.

In particular, Palo Alto Networks says it is “the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning.”
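Enterprise provisioning is the mechanism that lets an app signed by a company's in-house distribution certificate run on any device that trusts that company, which is what makes it useful for getting code onto a non-jailbroken phone. An app installed that way carries an embedded.mobileprovision file describing the profile it was signed under, and that file is the quickest place to look when deciding whether an installed app came through the App Store. The following Python block is an added example, not Palo Alto Networks' code: it pulls the property list out of the CMS-wrapped profile, classifies the distribution channel from the ProvisionsAllDevices / ProvisionedDevices / get-task-allow keys, and raises an alert for enterprise-provisioned apps from a team the organisation has not approved. The profile bytes, the team identifiers and the trusted-team list are constructed for the demo, and the slice-between-markers extraction is a triage shortcut that does not verify the CMS signature.

```python
import datetime
import plistlib

# Team IDs whose enterprise profiles the organisation has deliberately trusted
# (constructed placeholder values for the demo).
TRUSTED_TEAMS = {"ZZZZZ99999"}


def extract_profile_plist(blob):
    """Return the plist dict from a CMS-wrapped .mobileprovision blob.

    Assumption: the signed content is the XML plist embedded verbatim inside the
    DER structure, so slicing between '<?xml' and '</plist>' recovers it without
    checking the CMS signature (use `security cms -D -i` on a Mac when the
    signature matters)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile, now=datetime.datetime(2015, 11, 6)):
    """Work out which distribution channel a provisioning profile belongs to."""
    ent = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"      # in-house distribution: any device that trusts the team can run it
    elif ent.get("get-task-allow"):
        kind = "development"     # debuggable build tied to the listed devices
    elif profile.get("ProvisionedDevices"):
        kind = "ad-hoc"          # release build tied to the listed devices
    else:
        kind = "unknown"         # App Store installs normally carry no embedded profile at all
    expires = profile.get("ExpirationDate")   # plistlib yields a naive UTC datetime
    return {
        "kind": kind,
        "teams": list(profile.get("TeamIdentifier", [])),
        "app_id": ent.get("application-identifier"),
        "devices": len(profile.get("ProvisionedDevices", [])),
        "expired": expires is not None and expires < now,
    }


def sideload_alert(blob, trusted_teams=TRUSTED_TEAMS):
    """Return a short alert when the embedded profile shows an install that bypassed
    the App Store by a team the organisation has not approved; None otherwise."""
    info = classify_profile(extract_profile_plist(blob))
    if info["kind"] == "enterprise" and not set(info["teams"]) & trusted_teams:
        return "enterprise-provisioned app %s from untrusted team %s" % (info["app_id"], ",".join(info["teams"]))
    if info["kind"] in ("development", "ad-hoc"):
        return "%s build %s installed outside the App Store" % (info["kind"], info["app_id"])
    return None


# Constructed sample: a few DER-looking bytes around an enterprise profile plist.
SAMPLE_PROFILE = (
    b"\x30\x82\x0b\x3a\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>In House Distribution</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2016-05-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.sideload</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>"""
    + b"\xa0\x82\x08\x00"
)

if __name__ == "__main__":
    print(classify_profile(extract_profile_plist(SAMPLE_PROFILE)))
    print(sideload_alert(SAMPLE_PROFILE))
```

In a fleet inventory the function would be run over the embedded.mobileprovision of every installed app bundle; an enterprise profile from an unfamiliar team on a device that was never enrolled with that company is the footprint the report above describes.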

The security firm recommends its own product to help prevent WireLurker, but, as ever, the best advice is to avoid downloading apps from third-party sources, to avoid connecting an iOS device to a computer you do not trust, and to use officially approved USB cables. The first is more difficult in China, where third-party app stores are well established and hugely popular, though that is more the case for Android than for Mac or iOS.

The full report from Palo Alto Networks has additional advice for Apple customers in the enterprise space who could be most at risk given WireLurker’s characteristics.