Researchers last week discovered the first ransomware in the wild aimed at Apple’s hardware platform. While the threat was subdued quickly, it exposed the weakness of digital certificates in authenticating software to devices.
The ransomware appeared as a legitimate application because it contained a digital certificate stolen from a bona fide Mac developer in Turkey.
The certificate was used to sign an application of another developer and post a malicious update at the developer’s website.
“Apple doesn’t control what Mac software can be signed with what certificate,” noted Ryan Olson, threat intelligence director of Unit 42 at Palo Alto Networks, which discovered the ransomware.
“Apple just wants to confirm that the software has been signed with a certificate,” he told TechNewsWorld. “That limitation is in place in the iOS App Store.”
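The gap Olson describes, between “signed with a valid certificate” and “signed by the developer you expect,” is one a defender can close for software they deploy by pinning the expected Team ID rather than accepting any valid Developer ID signature. The following is an added example, not code from the article or from any of the vendors quoted; it parses the verbose output of Apple’s `codesign` tool (a constructed sample is embedded, with a placeholder team ID) and accepts a bundle only when its Developer ID leaf and `TeamIdentifier` match the pinned value.

```python
import shutil
import subprocess

# Constructed sample of `codesign -dv --verbose=4` output (codesign prints this
# on stderr). The team ID and names are placeholders, not a real developer's.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Some Other Developer (ZZZZZ99999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999
"""


def parse_signer(codesign_output: str) -> dict:
    """Pull the signing chain, bundle identifier and team ID out of codesign's output."""
    info = {"authorities": [], "team_id": None, "identifier": None}
    for line in codesign_output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)  # leaf first, root last
        elif key == "TeamIdentifier":
            info["team_id"] = value
        elif key == "Identifier":
            info["identifier"] = value
    return info


def signer_matches(codesign_output: str, expected_team_id: str) -> bool:
    """True only if the leaf is a Developer ID cert AND the team ID is the pinned one.

    A valid signature from a different (e.g. stolen) Developer ID cert fails here,
    which is exactly the check a plain 'is it signed?' policy does not make.
    """
    info = parse_signer(codesign_output)
    leaf = info["authorities"][0] if info["authorities"] else ""
    return (leaf.startswith("Developer ID Application:")
            and info["team_id"] == expected_team_id)


def check_bundle(path: str, expected_team_id: str) -> bool:
    """Run codesign on a real bundle (macOS only) and apply the pinned-signer check."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not available; this check needs macOS")
    # --verify fails on a missing or tampered signature; -dv prints signer details to stderr.
    subprocess.run(["codesign", "--verify", "--strict", path], check=True)
    result = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                            capture_output=True, text=True, check=True)
    return signer_matches(result.stderr, expected_team_id)
```

On a Mac, `check_bundle("/Applications/Example.app", "YOURTEAMID")` rejects an update that is validly signed but by someone else’s certificate; the parsing functions run anywhere.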
Kind of Useless
“Certificates are kind of useless,” said Chet Wisniewski, a security adviser at Sophos.
“It’s a nice idea, but the problem with managing the back-end certificate database and making sure the bad guys don’t get them is pretty much impossible,” he told TechNewsWorld.
“We’re seeing people stealing legitimate certificates from legitimate developers who are insecure,” Wisniewski added.
Theft, though, may be the hard way to obtain a certificate for malicious purposes.
“If I want to start selling and developing Mac software tomorrow, it takes all of five minutes to ask Apple for a certificate,” Wisniewski said. “How does Apple know if I’m a good guy or a bad guy?”
Big Deal
Stolen certificates have played a role in some high-profile cyberattacks.
“Some of the most important cases in malware history have dealt with stolen certificates,” said Liviu Arsene, a senior threat analyst at Bitdefender.
“Stuxnet and most advanced persistent threats rely on some form of valid certificate to get installed on machines,” he told TechNewsWorld.
Certificates tell the machine that an application that wants to run on it is legitimate and need not be scrutinized by any defenses running on the machine.
“That’s a big deal,” Arsene noted. “That’s why developers are encouraged to make sure they don’t lose them and make sure they keep them safe in containers.”
Nevertheless, certificates remain a choice target for criminals and spies.
“The certificate thing is a very low barrier, and we’ve seen it defeated at every level,” Wisniewski said.
“It’s super easy for criminals to bypass,” he added.
Multifactor Authentication
One of the largest contributors to data breaches is compromised credentials. There’s no easier way for a hacker to crack a network than masquerading as a legitimate user of that network.
However, even if a person’s credentials have been compromised, multifactor authentication can foil a bandit attempting to use those credentials to compromise a network.
That form of authentication combines something you know (a username and password, for example) with something you have (a token, magnetic card or phone) or something you are (a fingerprint, iris or voice).
As effective as multifactor authentication is, though, it can create friction for users, which has proved to be a challenge for enterprises.
Cloud Solution
“Implementing multifactor authentication in the enterprise has been an uphill battle,” said Chris Webber, a senior product marketing manager at Centrify.
Multifactor authentication can create a burden for IT. An organization needs back-end infrastructure to support it: IT has to issue tokens to users and run a process for replacing tokens that have been lost or are unavailable when needed.
In addition, there’s been user resistance. “Users are sometimes not ready for it,” Webber told TechNewsWorld.
“They find it too cumbersome. The CISOs I’ve talked to say their users just staged a revolt when they tried to implement multifactor authentication for security,” he said.
“There’s always a trade-off between convenience and security, and it can be too inconvenient for rank-and-file users,” Webber added.
One way to make multifactor authentication more palatable to both IT and users is to move it to the cloud. With a cloud setup, there’s no back-end hassle for IT to deal with, and people can use their cellphones as a token.
“Cloud availability means you don’t need any dedicated infrastructure or servers on your premises, but it also means it works for things that are in the cloud, behind the firewall, on servers and in Infrastructure as a Service,” Webber noted. “It’s an everywhere solution.”
Breach Diary
- March 6. Krebs on Security reports Seagate Technology sent W-2 forms for all present and former employees to an unauthorized third party as the result of a phishing scam.
- March 7. U.S. Justice Department appeals a decision by a federal magistrate judge rejecting its request that Apple unlock an iPhone linked to a drug dealer in New York.
- March 7. Premier Healthcare of Indiana announces it’s notifying more than 200,000 patients that their personal information is at risk after a laptop was stolen from its Bloomington office.
- March 7. Ezaki Glico, a Japanese confectionary maker, announces it’s investigating a report from a credit card company that as many as 83,194 data sets of personal information may have been stolen from its online shopping site.
- March 8. Home Depot agrees to pay US$13 million to compensate consumers affected by a 2014 data breach in which more than 50 million payment card numbers were stolen. The company also agreed to pay $6.5 million for 1.5 years of identity theft services for victims of the breach.
- March 8. 21st Century Oncology Holdings in Florida warns some 2.2 million patients that their personal information was stolen as a result of a data breach of its computer systems in October.
- March 8. Rosen Hotels & Resorts posts a warning to its website for customers who visited its facilities between Sept. 2, 2014, and Feb. 18, 2016, to be on the alert for fraudulent charges on their payment cards because of a compromise of its payment card network.
- March 8. Ozaukee County in Wisconsin announces as many as 200 employees may have had personal information used to file federal tax returns stolen from the county’s online portal.
- March 8. SevOne, a technology company in Delaware, notifies an undisclosed number of employees that their W-2 forms were sent to an unauthorized recipient outside the company. It did not release details about the breach.
- March 8. Sony begins sending out codes for free games to users of its PlayStation Network as part of settlement of a class-action lawsuit resulting from a 2011 data breach in which personal information on 77 million people was stolen.
- March 10. UK media regulator Ofcom alerts dozens of TV companies that information they filed is at risk after a former employee downloaded as much as six years of data from the agency and offered it to his new employer, a major broadcaster.
- March 10. Sky News reports it has obtained tens of thousands of documents containing personal information of Islamic State jihadis leaked to the news outlet by a disgruntled insider.
- March 10. The Federal Trade Commission requests nine companies performing PCI audits to respond within 45 days to a set of detailed questions about how they measure compliance with PCI Security Standards.
- March 10. Staminus, a company specializing in DDoS protection systems, is attacked by hackers who broke its network backbone and posted a database for the company to the Internet.
- March 11. The Barbara Ann Karmanos Cancer Institute in Detroit alerts 2,808 patients and family members that their personal information is at risk by the loss of an unencrypted flash drive.
Upcoming Security Events
- March 22. Reconceptualizing the Right to Be Forgotten to Enable Transatlantic Data. Noon ET. Harvard Law School campus, Wasserstein Hall, Milstein East C, Room 2036 (second floor). RSVP required.
- March 24. Massachusetts Attorney General’s Office Forum on Data Privacy. Ray and Maria Stata Center, Kirsch Auditorium, Room 32-123, 32 Vassar St., Cambridge, Massachusetts. RSVP required.
- March 29. Microsoft Virtual Security Summit. Noon-3 p.m. ET. Online event. Free with registration.
- March 29-30. SecureWorld Boston. Hynes Convention Center, Exhibit Hall D. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- March 30. Get a Grip! Taking Control of Today’s Identity and Access Management Realities. 2 p.m. ET. Webinar by BrightTalk. Free with registration.
- March 31. Decoding the Encryption Dilemma: A Conversation on Backdoors, Going Dark, and Cybersecurity. 9-10:30 a.m. ET. Information Technology and Innovation Foundation, 1101 K St. NW, Suite 610, Washington, D.C. Free with registration.
- March 31-April 1. B-Sides Austin. Wingate Round Rock, 1209 N. IH 35 North (Exit 253 at Highway 79), Round Rock, Texas. Free.
- April 8-10. inNOVAtion! Hackathon. Northern Virginia Community College, 2645 College Drive, Woodbridge, Virginia. Free with registration.
- April 9. B-Sides Oklahoma. Hard Rock Cafe Casino, 777 West Cherokee St., Catoosa, Oklahoma. Free.
- April 12. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. BrightTalk webinar. Free with registration.
- April 13. A Better Way to Securely Share Enterprise Apps Without Losing Performance. 11 a.m. ET. BrightTalk webinar. Free with registration.
- April 15-16. B-Sides Canberra. ANU Union Conference Centre, Canberra, Australia. Fee: AU$50.
- April 16. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
- April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Road, King of Prussia, Pennsylvania. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- April 26. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. Webinar sponsored by BrightTalk. Free with registration.
- May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
- May 11. SecureWorld Houston. Norris Conference Centre, 816 Town and Country Blvd., Houston, Texas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
- May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
- June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
- June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.
I agree, certificates are useless and don’t help if someone gains access to a legitimate one. I thought this when Apple touted how great developer certificates were, especially when you’re issuing them to so many all over the world. It still takes time to pull those certificates and then issue new ones to the developer who may have legitimate apps. One has to figure Apple is not much better than Google in monitoring their app stores. In my view the only good way to prevent a lot of this is to not stray too far away from reliable and trustworthy app developers.