back to article Ex-NSA security bod fanboi: Apple Macs are wide open to malware

A former NSA staffer turned security researcher is warning that bypassing typical OS X security tools is trivial. Patrick Wardle, a former NSA staffer and NASA intern who now heads up research at crowd-sourced security intelligence firm Synack, found that Apple's defensive Gatekeeper technology can be bypassed allowing …

  1. dogged

    Bug bounties?

    Surely Apple are working on a way that you can pay them for the privilege of finding their security holes for them.

    1. PrivateCitizen

      Re: Bug bounties?

      @dogged - I wish I could upvote you more than once.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bug bounties?

        No, I've done quite a few bug discoveries for the Fruit, nada cash in either direction ;-) (my work provided the h/w)

        I did get a marginal iPad repair for free once at an physical Apple store, once they checked up on my online 'history'

        bottom-line is I suppose if they don't fix as many of the bug-doors as physically possible within the shortest time possible then I'll switch away - the 'KGB' enhanced Yotaphone looks interesting for example, and would allow me to move away from the 'NSA' enhanced Fruit ecosystem (taking 'hundreds' of tech-followers with me I guess)

        1. Anonymous Coward
          Anonymous Coward

          Re: Bug bounties?

          Yeah you try and sell them on a KGB phone in Silicon Valley - good luck.

    2. ZSn

      Re: Bug bounties?

      Yes it's called buying one of their overpriced products.

      1. Nick Pettefar

        Re: Bug bounties?

        As opposed to other peoples' overpriced products?

  2. Anonymous Coward
    Anonymous Coward

    Sits back, grabs popcorn, waits for fanbois.

    It's not a surprise. Truly.

  3. Anonymous Coward
    Anonymous Coward

    "AV [anti-virus] developers seem to be resting on their laurels," Wardle explained. "For example, Windows anti-virus offers heuristics and runtime behavioral analysis, but Mac may not.”

    Well, duh. I have this one annoying question I keep asking when someone tells me that an OS is secure: can you prove it?

    With an IT background you tend to be reasonably OK safe with a platform, but social engineering works on any platform, and that includes OSX, *BSD and Linux. If I can convince a user that installing dodgy code is a good idea, I will get those admin privileges. It's less of an issue in the locked down corporate world, but that assumes there IS indeed a lock down, and that assumes that software actually works without admin rights. My own experience with OSX shows that that is not always the case.

    So, good to hear that someone is stirring that pot again.

    1. Anonymous Coward
      Anonymous Coward

      an OS is secure: can you prove it?

      Yes, if you model the threats, then test to Common Criteria - some good examples here from CESG on IC's, Smart Card OS'es etc

      I seem to remember meeting just a single OS that was secure - resistant to EAL7+ (infinite computing power attack for infinite time) but that was a very short kernel and almost mathematically provable to be OK, almost. . .

      . . . as the very secure OS license was infinitely expensive, we used to 'hack' the OS by constantly resetting the $date$time

      1. Anonymous Coward
        Anonymous Coward

        I must admit I've never quite found the need to go beyond EAL4+ level because you then hit a curve where you the increased security comes at far faster increasing costs.

        In my experience you're usually better off spending that on screening your staff and enforcing process, but I have been deemed *way* too practical in my approach (read: suppliers don't make enough money when I'm around)..

      2. Anonymous Coward
        Anonymous Coward

        CC/SEAL Certs

        Having been through CC and SEAL-5 certification, I would disagree. The OS is fairly safe, but they cannot and do not test every possible attack vector thoroughly. They do their best and they find all the obvious stuff, but there are still bugs in code that come to light, even after CC and SEAL-5 that cause problems and open backdoors or allow attacks.

        Security is a moving target and you can only guarantee that a product is secure with today's knowledge. What a security researcher comes up with tomorrow cannot be incorporated in today's testing.

        It is a good start, so long as you don't rest on your laurels.

      3. PrivateCitizen


        Out of curiousity, what EAL 7 operating systems are there? I cant find any on the common criteria


  4. MojyWojy

    Serious question

    If Apple has these security issues, why aren't more people exploiting the issues? Between the increased popularity of osX and more businesses using, it seems like people would be more likely to want to exploit both platforms and I can't recall hearing of anybody actually doing this (at least recently)

    1. Nunyabiznes

      Re: Serious question

      Give it about a month. Now that the black hat antenna are twitching and they have a direction to look at it will not be long.

      It could be there are multiple vulns being accessed but if none of the current crop of antimalware products for OSx are catching them - how would you know until they get turned up by white hats?

    2. johnnymotel

      Re: Serious question

      Exactly, I've been a Mac user since 1998 and I'd describe myself as a power user. I also use torrents. So far I haven't come across any issues within the OS. I monitor all Internet traffic and have never seen anything constantly making access. I don't experience any slow downs. Perhaps some of the more techie guys here can show me where to look?

      1. Sir Runcible Spoon

        Re: Serious question

        "Perhaps some of the more techie guys here can show me where to look?"

        Are you just looking at inbound stuff? You really need to be looking for outbound stuff.

        Pick some times when you know you won't need your net connection and lock the firewall/router down during that period and log all the traffic attempts (whilst your machine is connected of course and not running anything that you initiated).

        Then sift through the stuff you find with a packet analyser for anything dodgy looking and investigate what it is.

        Alternate exercises include the use of a conical bath made of ebony and some white sand - but that's really only for experienced network analysts :)

        1. Anonymous Coward
          Anonymous Coward

          Re: Serious question

          a quick and dirty way is to look at the opened connections

          in Terminal, type netstat -W | grep ESTA

          you'll certainly see a summary of vast amount of connected traffic if you have the otherwise excellent Chrome open,(lots of probably),

          Apple themselves hang out iCloudily around the 17.x.x.x's, then there are often a few CDN's where your internet feeds really come from

          if there's traffic to China/UKIP/Unknown IPv4 IPv6 then you could/should(*) put an open source Suricata Intrusion Detection System (twin ethernet Linux gateway PC) to block the miscreants, or as the eminent Sir above suggests, download Wireshark & get scarfing packets

          (*)"if you don't know the origin and destination of every packet in your system, you're screwed" - said someone famous, I think? Suricata is suggested because I met one of the developers in a bar once, hence now I suggest it should be ubiquitous - it even defeats some GCHQ/NSA/KGB race-condition attacks, allegedly

        2. Gritzwally Philbin

          Re: Serious question

          Not the one you were replying to, but he and I could be the same person.

          I too do everything he does, and also hit some of the really dodgy porn sites as well - and as I have a budget speed internet connection I will go offline most nights if I am working on my graphics (this also allows husband to watch youtube with no lagging) and I run little snitch and one app called Private Eye that sees all traffic.. Mostly it's the things like Adobe and the Apple programs trying to get out for updates. Then again, I have specific uses for the different browsers - I use Chrome for the pornsites, (the videos play better for some reason) and Safari for Facebook - both are set to delete all data on close. Opera for ebay/Amazon or any shopping I'll do and a fork of Firefox called SeaMonkey for the general El Reg/Google/BBC news/Reddit surfing.

          So far, I've managed, by keeping everything segregated by use, to not have issues. This on Snow Leopard no less. Perhaps I'm just lucky? Don't know, but I DO pay mind to where on the net I am and also what browser I am using.

      2. ElsmarMarc

        Re: Serious question

        "Perhaps some of the more techie guys here can show me where to look?"

        Little Snitch does a great job at monitoring inbound AND outbound connections on Macs. I have a couple of Macs, one of which my girl friend uses, and I have LS installed on each. I have even taught her to watch for connections Little Snitch "asks" about. It has a very good GUI monitor so at any time I can see every inbound and outbound connection which is happening (and has happened), how many times each is connecting and when. It also shows network traffic (including the amount of data) and when each connection was made. And - You don't really need to be a total "techie" to use it. I have LS set up pretty well on each Mac. Every now and again my GF will get an "Allow/Don't allow" alert box and ask me, but if I'm not around the default is for her to take a quick screen shot and then click on "Do Not Allow". I will say it does take a while to set up its "Rules", but once that is done if Little Snitch "asks" about a connection which there is no rule for, you can decline it "temporarily" so you can look (such as Google) as to what the connection is, or block it permanently.

        When the Flashback malware made its presence known on the Mac platform, one of the ways people discovered its activity was through warnings of outgoing connections from Little Snitch. Following these detections, future variants of Flashback and other malware that used similar modes of attack began searching target systems for the presence of Little Snitch among other security software and cancel their installations to avoid early detection. As a result, in some cases simply having the security software installed is enough to ward off potential attacks.

        I also recommend browser plugins such as Ghostery, NoScript and AdBlock Plus for added protection. And, of course, NEVER open an email attachment or click on an email link unless you are expecting the email.

    3. Anonymous Coward
      Anonymous Coward

      Re: Serious question

      If Apple has these security issues, why aren't more people exploiting the issues?

      Because quite a lot of what has been demonstrated starts with getting a foothold, and the only entry vector seems to be social engineering - drive-by infections, for instance, don't exist for OSX as there are no real attack vectors to abuse. The only external vector I saw was stream code injection via an MITM approach, and that only happens with people who do not use the app store - which typically means they are competent enough to make the right choices of where to go anyway.

      It appears that Mac users are not the derided idiots they are alleged to be, because that social engineering doesn't seem to work that well either. However, as I said before, that is no argument to make the mistake of becoming become complacent.

    4. Wade Burchette

      Re: Serious question

      1 percent of 1,000,000,000 is greater than 50 percent of 1,000,000. Black hats go where the users are.

  5. Mike Moyle

    "Apple might like to lock down Macs and 'impose more control of third party code'..."

    Cue exploding heads from the reflexive "Jobsian control-freakery" and "Apple walled garden SUX" posters here.

  6. VinceH

    I'm tempted to bookmark this article, so next time at a particular office, talking to a particular fanboi, I can present it to him when he next boasts about how secure his Apple computers are.

    The problem is, if I did he wouldn't read it because "words" - and having not read it, he'll continue to boast about how secure his Apple computers are, having not seen anything to suggest otherwise.

    I know other fanbois who could also do with some cluebat education, but this one in particular just annoys me.

    1. Anonymous Coward
      Anonymous Coward

      Well, this article talks about a lot of ways that you could exploit OS X, not that it is actually happening. And some of it is retrospective, i.e. "until recently all Mac security software packages downloaded over unencrypted http connections" so he's listing stuff that's already been fixed.

      Granted, not checking that signed applications stay signed to prevent local modification is a hole that should be closed, but Windows doesn't do this either and while Linux supports signed updates I'm not aware of any distro that signs the binaries and enforces the check. Apple is still well ahead of those because OS X and especially iOS utilize signed code far more broadly. Assuming they fix this issue it'll also fix the shared library issue he brings up.

      It is good to point out issues, but calling out that anti-malware software on OS X isn't capable of detecting or defending against the sort of stuff nation-states create is irrelevant. The same is true for Windows, that's why when stuff like Stuxnet and its descendants is discovered, it is years after it was initially deployed. No one can detect that stuff - that's the whole point of it, with nearly unlimited budgets you can always stay several steps ahead of the AV world's and operating system's ability to detect it.

      It costs much less to find a hole to exploit than close all exploitable holes, so when you put a nearly unlimited budget on the search for holes you always win because you only need to find a few to win while Apple/Microsoft/etc. would need to find them all to win. You basically have to accept that you can't defend against the likes of Stuxnet no matter what OS you run. The fools who think using that KGB phone or OpenBSD will protect from spooks at that level will find that out in short order if a large government has a reason to target them enough to deploy that level of resources.

  7. Anonymous Coward
    Anonymous Coward

    Apple? Bug bounties? HAHAHAHAHA.

    Offering bug bounties will mean they have to admit that their special snowflakes are subject to nasties as much as everything else. Can't have that damaging their cult brand image.

  8. JLV

    what one hand giveth, the other taketh

    On one side, Apple has the benefit and cleverness of working from the BSD OS family. That means it should be pretty secure in its foundations.

    On the other hand, the company seems to be somewhat relaxed about security considerations. There have generally been more holes found than massive exploitation of said holes, but that seems more related to general insistence of the bad guys to be going after poor ol' Windows users, rather than any innate security attention lavished by Apple.

    As Windows keeps on losing market share and as Apple users indicate that they have spare $ to spend, how long will Apple's neglect work out in its favor? It took MS a long time to accumulate a strong reputation as a malware cesspit, but it's taken them even longer to shrug it off and that has cost them plenty.

    Not to mention that MS can pretty much point at expectations that users should run an AV and then blame them if something slips through. Apple has left itself no such recourse by hinting at built-in immunity.

    1. Anonymous Coward
      Anonymous Coward

      Re: what one hand giveth, the other taketh

      Apple can't ignore a national security letter;

      We've heard of one version of Xtools that was subverted, and there are relatively few documents around where national security guys complain about the difficulties of accessing, say iMessages.

      MS & eBay bothered to 'spend' billions of $ to access Skype... presumably 'terrorists' also use Mac OSX, for a given definition of terrorist (might include all users!)

      1. JLV

        Re: what one hand giveth, the other taketh

        What Apple does or does not do with regards to nation-state/unlimited resource bad guys and snoopy laws is best handled by changing laws to allow for a judicious de-fanging of the NSA, CSIS and equivalents.

        I don't expect Apple to fix or make me immune to government-level abuse.

        I think this is the point of the author of the article as well - harden it to a satisfactory level, not expecting miracles.

        When Apple says it won't fix rootpipe on < Yosemite, "cuz it's hard", that's less than acceptable to me as an Apple customer (even if my 2011 Mac happens to support Yosemite, which is not true of everyone's).

        When Apple initially blows off customers complaining of Mac Defender issues because, I dunno, it would clash with their squeaky clean hipster Starbucks image, then that sucks too.

        When Mac Lion doesn't handle LDAP passwords securely...

        You get the idea. Very smart people, lots of good technology to rely on to fix security, but the attitude is lacking.

        But hey, if being an Apple customer means that you give them a free pass on security, then be my guest. I suppose that's the difference between a fanboi and a regular customer.

  9. Slap

    Let's face it

    Let's face it, it doesn't matter if you run OS X, Linux, another flavour of UNIX, Windows, iOS, Android, we're all fucked at the end of the day.

    1. Anonymous Coward

      Re: Let's face it

      only if you can afford it

  10. Dan 10

    Hey, thanks other commenters for the tips. (Netstat shows a connection to Twitter, when I don't even use Twitter?!)

    I know I prefer OSX to Windows or Ubuntu, but I'm the first to concede that I don't know all the ins and outs of the OS.

    Little Snitch looks useful. Seems there is also a rudimentary IDS called 4shadow - appears to just be a front end for a bunch of scripts/commands etc, but at only £4 I might give it a whirl.

    1. dogged

      > Netstat shows a connection to Twitter, when I don't even use Twitter?!

      Third-party authentication code. Even if you don't use it, it's still there.

  11. Anakin

    Time for a beer and popcorn

    And waiting for the war.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like