Objective by the Sea 2.0
Mention the name Monaco and most people think roulette, racecars, and royalty.
But this weekend the glamourous Mediterranean enclave was all about Mac security, as it played host to the Objective by the Sea 2.0 conference. Billed as the world’s only conference dedicated to macOS and iOS security, OBTS is a two-day gathering of researchers and developers from around the globe.
SecureMac was proud to sponsor the conference, both because of the quality of work done there as well as its wider relevance to the millions of Mac users concerned about security and privacy.
The talks at OBTS 2.0 covered a lot of ground, and dove deep into the technical details of Mac security, but they also contained a host of insights that should interest the Apple community at large.
Read on for some highlights from this weekend’s talks and Q&A’s!
Keychain (and a good reason to update!)
The conference kicked off with a talk by security researcher and CS student Linus Henze, who discovered a vulnerability in one of Apple’s APIs that could allow a malicious actor to gain access to Keychain, the macOS password management system, without a password prompt!
Considering the host of extremely sensitive data stored in Keychain, this is a potentially huge security issue. Thankfully, Apple has already addressed it, but since Linus is publishing his findings to GitHub after the talk, this is probably a good time to update if you haven’t done so in a while.
Malware creators run the gamut
Josh Long gave an informative (and humorous) talk about the process of Mac malware attribution: figuring out just who is behind a given piece of malware.
Some of what he touched on will already be familiar to listeners of our Checklist podcast, including the Coldroot RAT and Fruitfly.
But one of the big surprises of his talk was just how inept many malware authors are when it comes to covering their tracks! Josh touched on some of the “advanced” forensic techniques he used to unmask the bad guys, including DuckDuckGo searches and Wayback Machine archives.
All joking aside, though, he also pointed out that macOS is now in the crosshairs of much more sophisticated actors, noting that the North Korea linked Lazarus Group was likely behind Operation AppleJeus, an attack on crytpocurrency exchanges that used malware specifically targeting macOS.
The upshot is that while much of the threat landscape is still made up of bush league actors, there is a growing danger to macOS users from the Advanced Persistent Threat (APT) world.
A warning for enterprise
Josh also made a very important point during his Q&A session: For enterprise security teams, protecting endpoints against macOS malware is likely to be more and more important in the coming years.
This is due in part to the fact that an increasing number of high-value targets (read: executives) are using Macs at work.
But it also has to do with Apple itself. Josh argues that macOS just hasn’t been tested the way Windows has—and so while Microsoft has responded to its many public failures by hardening its security, Apple may still have a lot of work to do in this department.
Add to this the widespread belief among everyday users that “Macs are just safe”, and you have a dangerous situation in which these high-value targets may have their guard down at the worst possible time.
Richie Cyrus echoed Josh’s concerns about APTs as well as enterprise security in the introduction to his Python-based detection tool called Venator.
He noted that Mac malware is on the rise as macOS systems are becoming more prevalent in enterprise environments. While Apple can be expected to take steps to counter malware aimed at macOS, this will only lead to more sophisticated attacks from bad actors in the future.
And unfortunately, while the people working with Macs in enterprise settings are usually those with the most to lose, they’re rarely the most technically savvy users in the building.
All of this means that paying more attention to Mac endpoint protection, as well as reviewing security basics with potential targets, is a must for enterprise security teams going forward.
The story of your life
Sarah Edwards presented on forensics research and data logging using various Mac security apps. While the meat of her talk was geared to a more technical crowd, one takeaway that everyone should be concerned about is the sheer volume and diversity of personal information available for collection on macOS. Everything from location data and app usage to when your MacBook lid is open or closed is recorded by your OS.
Third-party security apps query and store this data with your best interests in mind, but considering the amount of unwanted apps afflicting Mac users, the fact that so much personal data is logged by the system gives one pause. It also underscores the importance taking privacy seriously and being very careful about which apps to allow on your system.
One of the most interesting aspects of their presentation, in terms of what matters to the average Mac user, was the fiendishly clever ways in which the malware authors served up their downloads.
In one sample, a download page employed some pretty sophisticated social engineering techniques in an attempt to fool unsuspecting visitors into thinking the malware was legitimate.
The page automatically detected the version of macOS being used by the visitor and displayed it in a message, lending an air of authenticity to the site. And the general appearance of the webpage was, with the exception of the illegitimate download itself, a perfect mirror of the Apple site, even down to live links that would let you navigate to the real “Buy AppleCare” page.
Erika and Josh’s talk serves as a useful reminder that a little healthy skepticism can go a long way to keeping us safe online.
Sergei Shevchenko showed us a Potentially Unwanted Application, or PUA, from a real (unnamed) company. PUAs are apps that often come bundled with other software and sneak under the radar and onto a user’s system during installation, usually adding little real functionality while at the same time compromising security and privacy. This particular PUA was both powerful and sophisticated, using over a thousand different functions to perform string decryption at install and loaded with a few other advanced features to boot.
While the technical details of how the PUA accomplished all of this were pretty fascinating, it’s also interesting to note that we’re seeing more and more of these “Windows malware” features aimed at macOS.
Sergei’s talk reiterates a running theme of OBTS this year: The old, clear distinctions between the threats faced by Windows systems and those affecting macOS are becoming far less relevant.
Safe at last?
Conference organizer Patrick Wardle closed out OBTS 2.0 by giving an overview of a longstanding macOS security issue that’s still with us in Mojave: synthetic clicks.
After dealing with synthetic click security issues since 2011, Apple finally decided to tighten things up in the latest version of macOS and block any and all synthetic events from non-system or unapproved apps.
The idea was that this would prevent someone who’d gained code execution on a machine from bypassing Mojave’s Transparency, Consent, and Control (TCC) functionality and faking a click to gain access to protected data. TCC, broadly speaking, restricts the ability of many apps to make requests for sensitive data or access (think things like access to contacts and camera permissions), creating a prompt for consent that requires a user click to give the app permission to do what it’s trying to do. Great in theory, but if a bad actor can synthetically generate a “click”, then all bets are off!
You can probably guess what’s coming next: Patrick found an error in the way the TCC daemon was validating (or rather, failing to validate) the executables and resources of certain approved apps. He demonstrated how it’s possible to load a malicious plugin into an otherwise valid and signed application in order to perform disallowed actions like synthetic events and bypass TCC.
In his closing remarks, Patrick pointed out that while Apple still markets and sells their products on security, the reality on the ground is often quite a different story. Just one more reason we’ll all be watching this week’s WWDC for significant security improvements!
All the talks and 3.0
OBTS 2.0 was filled with more info (and more speakers) than we’re able to cover in a short post, so if you want to dive into all the technical details and hear all of the talks for yourself, be sure to stop by the conference’s Twitter feed, as they’ve promised to post the recorded talks in the very near future. And stay tuned for Objective by the Sea 3.0, which will be held in Maui sometime in early 2020!