antdude
Matrix Ant
Premium Member
join:2001-03-25
US

2 recommendations

ExNSA Researcher Finds Sneaky Way Past Apple Mac's Gatekeeper

»www.forbes.com/sites/tho ··· wnloads/

"Want to know something odd? It’s 2015 and all the top anti-virus products for Mac OS X use insecure lines to transmit their software to Apple machines. Download files, known as .dmg files, for products including Kaspersky, Symantec, Avast, Avira, Intego, BitDefender, Trend Micro, ESET and F-Secure are all sent over unencrypted HTTP lines, rather than the more secure HTTPS. There is method in their madness, as they trust Apple’s Gatekeeper security technology to recognise the digital signatures they sign their software with that should guarantee the authenticity of the download.

But a former NSA and NASA staffer Patrick Wardle, who now heads up research at security start-up Synack, believes he has found a new way to abuse such insecure downloads and bypass protections in Apple Macs without getting caught. Normally, anyone who intercepts a download to turn it nasty won’t get away with it, as Mac Gatekeeper will see that the vendors’ original signature has been altered or taken away entirely, and the software tampered with, meaning it’s no longer trusted..."

That's not good.

StuartMW
Premium Member
join:2000-08-06

1 recommendation

Certificates for creating digital signatures have been stolen/"obtained" in the recent past and used to sign malware, so this just seems like another "hole in the wall".

»Crypto certificates impersonating Google & Y! pose threat to Windows users

»Attackers sign malware using crypto certificate stolen...

»Adobe's code signing certificate has been stolen

»Final Report: DigiNotar hack was Total Compromise

»Mozilla: Revoking Trust in Two TurkTrust Certificates

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

2 recommendations

Snowy to antdude

said by antdude:

But a former NSA and NASA staffer Patrick Wardle, who now heads up research at security start-up Synack, ...

Hmm, SYNACK See Profile just coincidence or...???

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

1 recommendation

I wondered the same thing. I suppose the name could be a coincidence, but it sure is suspicious.

StuartMW
Premium Member
join:2000-08-06

1 recommendation

Synack is based in Maui, HI according to a web search and Patrick Wardle is its Director of Research.

SYNACK See Profile claims to be in Venice, CA and is still active on this site.

Perhaps he telecommutes (is a VPN expert)

. o O (Wasn't Edward Snowden based in HI? Hmmm...)

Synacc
@dtra.mil

Synacc to antdude

Anon

*Users look at the "From IP" of this post*
*Users take out Tin Foil hats since OMG a .mil address*

Now that I got that out of the way. I see this article as nothing more than a free advertising grab for customers by a smart investor that decided to employ his CV name drop.

A former CIA, NSA, NASA, FBI, FSB, KGB senior janitorial staffer has invested in a new company that helps you do X. Now sell that headline to Forbes.

In other news, the system needs to be infected in order to be infected further.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

1 recommendation

said by Synacc :

Now sell that headline to Forbes.

That's backwards - Forbes doesn't buy advertising, they sell advertising.
Probably purposeful misdirection to draw attention away from the topic:
What is the depth/status of SYNACK See Profile's involvement with the NSA?

Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

1 recommendation

Kearnstd to antdude

Even if they cannot send the .dmg over HTTPS shouldn't an md5sum be sent over HTTPS?

Also the blind trust of Gatekeeper in some ways reminds me of how PSN got hacked its first time. A group of hackers jailbroke a PS3, told the console it was a dev unit and then got high level access to the PSN without even needing a password... Sony figured only devs could get in... never figured anybody would alter the console.
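Kearnstd's suggestion above, carried through as an added example (not code from the thread, from Forbes, or from any vendor mentioned): the installer still arrives over plain HTTP, but a checksum manifest is fetched over HTTPS and the download is refused unless it matches. SHA-256 stands in for the md5sum the post mentions, and `AntiVirus.dmg`, the manifest text and the payload bytes are constructed stand-ins.

```python
"""Pin a download fetched over an untrusted channel (HTTP) to a checksum
manifest fetched over an authenticated one (HTTPS)."""
import hashlib
import hmac

HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}.

    Lines that are empty or start with '#' are skipped; anything else that is
    not a 64-character hex digest followed by a name is rejected outright,
    because a manifest we cannot parse is a manifest we cannot trust."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in GNU output
    return entries


def verify_download(filename, payload, manifest_text):
    """True only if payload's SHA-256 equals the manifest entry for filename.

    A missing entry is a failure, not a fallback: the whole point is that the
    HTTP-served bytes are never trusted on their own."""
    expected = parse_manifest(manifest_text).get(filename)
    if expected is None:
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time comparison


# Constructed sample data standing in for the HTTPS-served manifest and the
# HTTP-served installer; a real client would fetch both over the network.
GENUINE_DMG = b"constructed stand-in for the vendor's real installer bytes"
MANIFEST = ("# published by the vendor over HTTPS (constructed)\n"
            + hashlib.sha256(GENUINE_DMG).hexdigest() + "  AntiVirus.dmg\n")
TAMPERED_DMG = GENUINE_DMG + b"\x00injected-on-the-wire"

if __name__ == "__main__":
    print(verify_download("AntiVirus.dmg", GENUINE_DMG, MANIFEST))   # True
    print(verify_download("AntiVirus.dmg", TAMPERED_DMG, MANIFEST))  # False
```

The check only helps if the manifest itself cannot be rewritten by the same on-path attacker, which is why it must come over HTTPS (or be signed) even when the .dmg does not.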

Synacc
@dtra.mil

Synacc to Snowy

Anon


Re: ExNSA Researcher Finds Sneaky Way Past Apple Mac's Gatekeeper

said by Snowy:

said by Synacc :

Now sell that headline to Forbes.

That's backwards - Forbes doesn't buy advertising, they sell advertising.
Probably purposeful misdirection to draw attention away from the topic:
What is the depth/status of SYNACK See Profile's involvement with the NSA?

Forbes is a news/story/magazine, they pay the people they interview for a story.
Even if they don't, the story sounds exactly like low-brow advertising by a guy who decided to quit government work and start his own company. I mean all the power to him, thumbs up.
Just saying, don't place blind trust in something; look at things from all perspectives. The article has an agenda, it's not to inform the reader, but rather to introduce this new company and its capabilities to the reading masses... mostly CEOs of a company that read Forbes.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

said by Synacc :

The article has an agenda, it's not to inform the reader, but rather to introduce this new company and its capabilities to the reading masses... mostly CEOs of a company that read Forbes.

You've underestimated the collective intelligence of the forum by stating the obvious.
Advertising/marketing dressed as 'news' is not lost on the forum.

StuartMW
Premium Member
join:2000-08-06

"Collective Intelligence"?

We are The Borg and anonymous posters will be assimilated

. o O (And issued a tinfoil hat)

SYNACK
Just Firewall It
Mod
join:2001-03-05
Venice, CA

3 recommendations

SYNACK to Snowy

said by Snowy:

What is the depth/status of SYNACK See Profile's involvement with the NSA?

I plead the 5th.

StuartMW
Premium Member
join:2000-08-06

said by SYNACK:

I plead the 5th.

Well that clears that up

ExNSAFSBCIA
@dtra.mil

ExNSAFSBCIA to Snowy

Anon

Oh I fully appreciate the collective intelligence of the forum. It's the intelligence of one person that sometimes one must question (not picking on anyone, just stating that assumptions are deadly).

Besides, not everyone who reads the forum is a registered member, nor posts a reply. Sometimes folks find topics on Google. I am just making sure that any decision maker (CEO) who decides to quickly Google this article is fully informed regarding the tactics employed in the article. It would be ill advised for any CEO to dictate their IT department's purchasing decisions based just on some flashy Forbes article.

oooh before I forget
quote:
Oh! Come and see the violence inherent in the system! Help, help, I'm being repressed!

StuartMW
Premium Member
join:2000-08-06

Help Help I'm Being Repressed ...
quote:
Now I've dropped my mud.


shrubbery
@dtra.mil

Anon

Old crone! Is there anywhere in this thread where we could buy a shrubbery!

StuartMW
Premium Member
join:2000-08-06

Ni!

SYNACK
Just Firewall It
Mod
join:2001-03-05
Venice, CA

Mentioning shrubbery and Ni? Some of you apparently know more about me than you might admit. (... whatever that means)

StuartMW
Premium Member
join:2000-08-06

I plead the 5th