
Mac malware signed with Apple ID infects activist’s laptop - shawndumas
http://arstechnica.com/security/2013/05/mac-malware-signed-with-apple-id-infects-activists-laptop/
======
eridius
Headline says "signed with Apple ID" as if that's a bad thing, but it's
actually a good thing, as it means Apple has already revoked the Apple ID (and
presumably the associated certificate), so as soon as your computer updates
its certificate revocation list, it will refuse to run the application (even
if you try to bypass Gatekeeper).

~~~
smackfu
Good and bad. Actually, bad right up until Apple revokes the cert.

~~~
pflats
Gatekeeper really can't do much against a spear phishing attack. If someone's
running a scam specifically to target a single person or a small group of
people, and has spent the time and energy figuring out how to get them to open
a malicious file, having an Apple ID is a $100 speed bump.

Gatekeeper is meant to prevent a wide-ranging attack. If you've got someone
custom crafting an attack vector for you specifically, you've got some serious
problems. I don't think Gatekeeper adds any more false security than an
antivirus app would, and I don't know of _any_ software that'd prevent an
attack like this.

At best, it adds a small amount of information for authorities to try to track
the attack. I doubt it'll be fruitful, but it's better than nothing.

~~~
pi18n
What I don't like about Gatekeeper is that there is no way to revoke Apple's
cert and replace it with another. Not that that would protect the activist in
question, but it would certainly make a company machine secure against this
kind of attack.

~~~
eridius
If I understand you correctly, it would also prevent you from launching _any_
codesigned application, including the OS-provided ones, since they would all
be considered to have an invalid code signature.

So yeah, I guess in a certain light, a machine that can't launch apps is
definitely secure.

~~~
pi18n
Good point. I think you half misunderstood; their certificate should be
replaceable so that you disallow third-party software from developers in their
developer program and allow it from your company only or vendor A only.
Obviously one would need to implicitly allow certain OS processes and Finder
for the system to work, but my point is basically that we should not be
beholden to Apple beyond that, the CA should be something we can choose.

------
salimmadjd
I posted numerous things on Facebook, critical of both our government (US) and
Israel. Then I noticed a lot of spear phishing emails ostensibly sent from my
Facebook friends. I use an alias on Facebook and they addressed me by my alias
name (something friends wouldn't do), so I knew what the nature of the email
was. Seems like governments are investing a lot in electronically targeting
outspoken individuals.

~~~
brown9-2
Or perhaps your Facebook friends had their own accounts randomly hacked and
phishing messages were sent to every one of the account's Facebook friends.

At any given point in time, half of America is posting some sort of critical
message about the government online.

~~~
salimmadjd
So that was my first thought. I accused them of carelessly falling for
phishing and other stuff. But they had not seen any emails from their Facebook
friends or any other phishing attempts. And it seemed like I was being targeted
by various different Facebook friends, which increased the odds of me being
the target.

~~~
jonknee
Facebook plays fast and loose with data, perhaps one of your friends used a FB
integrated service at some time which captured their friend list (e.g. you).

~~~
salimmadjd
>perhaps one of your friends used a FB integrated service

Again that's what I thought too. But it was coming from different friends.
Which means all of them must have done the same thing.

I also sent the email to my friend who works at facebook for investigation in
case it was some service that wasn't playing by the rules.

------
Groxx
In a way, I prefer malware to be signed. If nothing is signed, essentially
everything has full permissions, so we'll ignore that part for now, and just
look at the differences once malware is signed.

First and foremost, it cost $100 to get the signature. It was paid somehow.
Hello money trail, this is way more information on malware authors / pushers
than we tend to get. If they somehow obfuscated every bit of data in that
account to the point that it's worthless, then it's merely identical to it
lacking a signature, no worse.

Second, it can be revoked. This _severely_ limits the spread, reducing the
total damage. Sure, the people prior to this are impacted, but they would be
if it didn't have a signature, so again, no worse, no matter what.

Third, people click 'yeah, let this program do whatever the hell it wants' all
the time, so the _lack_ of a signature really doesn't prevent its spread /
limit the damage. Maybe for the techy-elite, but they're less likely to get
this anyway. Probably more likely to run unnoticed because it's signed, but
I'd argue not by much. Slightly worse.

------
deeqkah
There was a relevant update to iTunes last night (or earlier this week) for
both OS X and Windows. It is usually these types of updates I keep an eye out
for, as it is most importantly an update to certificate validation.

CVE-2013-1014 as it impacts iTunes for Mac OS X v10.6.8 or later, Windows 7,
Vista, XP SP2 or later (<http://support.apple.com/kb/HT5766>) -

"Impact: An attacker in a privileged network position may manipulate HTTPS
server certificates, leading to the disclosure of sensitive information

Description: A certificate validation issue existed in iTunes. In certain
contexts, an active network attacker could present untrusted certificates to
iTunes and they would be accepted without warning. This issue was resolved by
improved certificate validation."

There were almost forty other CVEs for iTunes on Windows. And just a last bit
- the discussion and quality of submissions here at Hacker News has taken a
substantial fucking nose dive in the last year. I change my name every so
often, but I can tell you that I've been here long enough to say that.

------
ancarda
>the servers used to receive pilfered data from infected machines has been
"sinkholed," Intego said. Sinkholing is the term for taking control of the
Internet address used in malware attacks so white hats can ensure that
compromised computers don't continue to report to servers operated by
attackers.

I'd be interested to know how this works? How can you just "take control" over
a server/IP address like that? Is there some law that allows botnet control
servers to be seized?

~~~
kalleboo
mailto:abuse@isp.com?subject=ToS%20Violation

------
bmohlenhoff
I was confused why the submission title specifically mentioned that the laptop
belonged to an activist, but the end of the article indicates the person's life
might be endangered as a result. I can't decide if this is sensationalized or
not.

~~~
pyre
It seems to be quoting a tweet by Jacob Appelbaum. I think that the idea could
be that they don't know who put the malware there. As this person was an
activist, it's possible that it was put there by the government this person was
opposing. How does the Angolan government treat activists?

I imagine that if a similar thing happened to an Egyptian activist during
Mubarak's time in power that it would not be such a stretch to say such a
thing.

------
nicheuser
I first read that as Apple's ID and thought it was like the Microsoft
certificate attack.

Looks like Mac's market share is growing. Was this distributed in the store?

~~~
pyre
Probably not. The article said it was from a link in an email. As this was a
spearphishing attack, the attacker probably doesn't care that the developer
account doesn't work anymore.

~~~
acqq
Exactly. Everybody with 100 USD can get such an ID and then let it be revoked
once discovered.

~~~
takluyver
I thought the point of requiring a payment was that the ID could be traced
back to a real person or company, so law enforcement could follow things like
this up?

~~~
ajross
The point of requiring a payment is to make money. There is no meaningful
mechanism to require a true "real human being" identity. It's no different
than the presence of a TLS cert on an arbitrary domain, all it tells you is
that the attacker cared enough to expend resources on the attack.

~~~
demlulz
If Apple wanted to actually 'make money' from its developer program fees, it'd
cost a lot more than $99 - even more than it cost before the Mac App Store. I
realize that $99 may be a lot of money for people like you, so I appreciate
that this might be difficult to grasp at first. Keep trying, I've got faith in
you!

~~~
oxide
this isn't reddit.

------
sinnerswing
Not as bad as this

"Android malware attack spreads via e-mail"

http://www.usatoday.com/story/tech/2013/03/28/android-malware-attack-irs-email/2028845/

http://securitywatch.pcmag.com/mobile-security/311417-windows-malware-techniques-spread-to-android

~~~
nicheuser
People were saying for years that the superior UNIX design and the bad Windows
code were the reason that Windows had a huge malware problem but Linux and Mac
did not.

~~~
pyre
People were mostly talking about drive-by infections and the fact that an
unpatched Windows machine idling on the Internet could be infected in an hour
or so.

There's nothing anyone can do if a user installs software. UNIX design or not,
if the user runs a program, it can access everything that the user can.
Nothing that this malware did needed special access (e.g. root exploit).

~~~
claudius
If you put in a lot of effort, you could try mounting /home and other user-
writeable areas as noexec, use SELinux/AppArmor to do funny things to confine
administrator-installed programs etc. etc.

However, this will break nearly everything – and I am rather positive that
Windows offers similar security measures, if required.

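As an added example (not code from the thread or from any commenter), here is a check for the noexec mitigation claudius describes: given the Linux /proc/self/mountinfo format, it finds the mount that holds a path and reports whether that mount carries the noexec option. The mount table embedded below is constructed sample data, not from a real machine.

```python
# Check whether the filesystem holding a path is mounted with "noexec".
# SAMPLE_MOUNTINFO is constructed sample data in /proc/self/mountinfo format.
import os
from typing import Dict, Iterable, Set

SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
36 22 8:2 / /home rw,nosuid,nodev,noexec,relatime shared:20 - ext4 /dev/sda2 rw
41 22 0:30 / /tmp rw,nosuid,nodev,noexec,relatime shared:25 - tmpfs tmpfs rw
"""


def parse_mountinfo(text: str) -> Dict[str, Set[str]]:
    """Map each mount point to its per-mount options (field 5 -> field 6).

    mountinfo escapes spaces in mount points as the octal sequence \\040,
    so that sequence is decoded back to a space before the path is stored.
    """
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or empty line; skip rather than guess
        mount_point = fields[4].replace("\\040", " ")
        mounts[mount_point] = set(fields[5].split(","))
    return mounts


def mount_for(path: str, mounts: Dict[str, Set[str]]) -> str:
    """Return the mount point that is the longest path-prefix of `path`.

    Prefix matching is done on whole path components, so "/homer/x" is not
    treated as living under "/home".
    """
    path = os.path.normpath(path)
    best = "/"
    for mp in mounts:
        if mp != "/" and (path == mp or path.startswith(mp.rstrip("/") + "/")):
            if len(mp) > len(best):
                best = mp
    return best


def is_noexec(path: str, mounts: Dict[str, Set[str]]) -> bool:
    """True if the mount holding `path` has the noexec option set."""
    return "noexec" in mounts.get(mount_for(path, mounts), set())


def audit(paths: Iterable[str], text: str = SAMPLE_MOUNTINFO) -> Dict[str, bool]:
    """Report, per path, whether executables there would be blocked by noexec."""
    mounts = parse_mountinfo(text)
    return {p: is_noexec(p, mounts) for p in paths}
```

To audit a live system, pass the contents of /proc/self/mountinfo as `text`.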
~~~
glhaynes
This is basically sandboxing by hand.

------
nutate
Derp, my girlfriend was at that conference with her macbook air. I feel like I
should put a condom on mine now.

