Archive for March 7, 2016

Monday, March 7, 2016

KeRanger Transmission Ransomware

Jim Finkle (via Arnold Kim, Hacker News, Slashdot):

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corp’s Windows operating system.


Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.

Claud Xiao and Jin Chen:

Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection.


Apple has since revoked the abused certificate and updated the XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website.


The two KeRanger infected Transmission installers were signed with a legitimate certificate issued by Apple. The developer listed on this certificate is a Turkish company with the ID Z7276PX673, which was different from the developer ID used to sign previous versions of the Transmission installer.

Jeff Johnson:

Surprise, surprise. What I’ve said all along. Gatekeeper is only security theater, because attackers can easily acquire a Developer ID cert.

It’s not full protection, but it’s not useless: once a signed piece of malware is spotted, Apple can revoke the certificate and add it to XProtect before it spreads too far.

Kuba Suder:

I guess technically Gatekeeper can’t detect changed developer when you replace the .app, but I think Sparkle does that
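That missing check is easy to do yourself: record the Team Identifier from a known-good copy of the app and refuse any copy whose signature belongs to a different team. The script below is an added example, not code from the original post or from the Transmission project. The codesign listings it parses are constructed to mirror the fields the real tool prints with codesign -dv --verbose=4; the pinned value EXPECTEDTEAM is a placeholder, since the page does not give Transmission’s legitimate Team ID, and Z7276PX673 is the team Palo Alto Networks reported on the KeRanger installers.

```shell
#!/bin/sh
# Added example, not from the original post or the Transmission project.
# Gatekeeper asks only "is this signed by *some* valid Developer ID?", so a
# build signed by a different team passes exactly like the real one. This
# script pins the TeamIdentifier field of `codesign -dv --verbose=4` output
# to the value recorded from a known-good copy of the app.

# codesign_team_id: read `codesign -dv --verbose=4 App.app 2>&1` from stdin
# and print the TeamIdentifier value (empty if unsigned or field absent).
codesign_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# check_team_id EXPECTED: read codesign output from stdin; return 0 only if
# the signing team equals EXPECTED. "not set", an empty value and an unsigned
# bundle all fail, because a valid Developer ID alone proves nothing here.
check_team_id() {
    expected="$1"
    actual=$(codesign_team_id)
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "OK: TeamIdentifier $actual matches pinned value"
        return 0
    fi
    echo "MISMATCH: expected TeamIdentifier $expected, got '${actual:-<none>}'" >&2
    return 1
}

# Placeholder (assumption): substitute the Team ID you recorded from a copy
# of the app you trust. The page does not give Transmission's real Team ID.
PINNED_TEAM="EXPECTEDTEAM"

# Constructed sample shaped like codesign's --verbose=4 listing for a copy
# signed by the pinned team.
GOOD_SAMPLE="Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Developer (EXPECTEDTEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXPECTEDTEAM"

# Constructed sample for the trojanized build: a perfectly valid Developer ID
# signature, just not the team that signed earlier releases.
BAD_SAMPLE="Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: ... (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Z7276PX673"

# Demo on the constructed samples: the first prints OK, the second MISMATCH.
printf '%s\n' "$GOOD_SAMPLE" | check_team_id "$PINNED_TEAM" || true
printf '%s\n' "$BAD_SAMPLE"  | check_team_id "$PINNED_TEAM" || true

# On a Mac, against the installed app:
#   codesign --verify --deep --strict /Applications/Transmission.app &&
#   codesign -dv --verbose=4 /Applications/Transmission.app 2>&1 | check_team_id "$PINNED_TEAM"
```

Run the --verify step first, as in the comment at the end: codesign -d only displays what the signature claims and does not validate it, so pinning the team is only meaningful on a bundle whose signature has already been checked.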

Paul McGrane:

Transmission and VLC really ought to be on the Mac App store except Apple has some puritanical fear of them

Ben Sandofsky:

The Transmission malware wouldn’t exist if it were distributed via the Mac App Store.

But the Mac App Store prohibits BitTorrent clients.


Over the past years dozens of apps have been rejected from the App Store because they mention the word BitTorrent.

Apple defended this policy and told developers that their apps were not allowed “because this category of applications is often used for the purpose of infringing third-party rights.”

This is an interesting hypothetical. Would breaking into Transmission’s iTunes Connect account be harder than breaking into its Web site? At least the odds seem better that the developers would notice that this had happened. Would sandboxing help, or would the malicious app be able to trick the user into granting it access to non-BitTorrent data? Could such an app get through App Review?

Dino A. Dai Zovi:

Why couldn’t the ransomware encrypt files in TimeMachine backups? Mac OS X uses TMSafetyNet kext to make the files immutable after creation.

Federighi and Cryptographers on FBI vs. Apple

Craig Federighi (via Tim Hardwick):

Your phone is more than a personal device. In today’s mobile, networked world, it’s part of the security perimeter that protects your family and co-workers. Our nation’s vital infrastructure — such as power grids and transportation hubs — becomes more vulnerable when individual devices get hacked. Criminals and terrorists who want to infiltrate systems and disrupt sensitive networks may start their attacks through access to just one person’s smartphone.


That’s why it’s so disappointing that the FBI, Justice Department and others in law enforcement are pressing us to turn back the clock to a less-secure time and less-secure technologies. They have suggested that the safeguards of iOS 7 were good enough and that we should simply go back to the security standards of 2013. But the security of iOS 7, while cutting-edge at the time, has since been breached by hackers. What’s worse, some of their methods have been productized and are now available for sale to attackers who are less skilled but often more malicious.

I don’t understand what this second part is referring to. It doesn’t sound like what we were talking about before.

Paul Wagenseil (via Hacker News):

“I don’t think this case is about backdoors,” said Adi Shamir, who with his MIT colleagues Leonard Adleman and Ron Rivest developed the RSA encryption algorithm in 1977. “The FBI is asking Apple to do something very specific. It’s got nothing to do with placing backdoors in millions of phones around the world.”

Martin Hellman, who developed the Diffie-Hellman encryption-key exchange with Whitfield Diffie at Stanford in 1976, disagreed, as did Rivest and Diffie.


“[Apple] put themselves in a position where they could state they could no longer help,” [Shamir] added. “But they failed because they didn’t close this particular loophole in which Apple can help the FBI. Apple should close this loophole, and then they can really make the argument.”

Indeed, the backdoor is already there in that current phones will accept software updates signed by Apple, without wiping the user data. So, in theory, the FBI could simply compel Apple to hand over its signing key and then build itself the tool that it wants. The line of argument about government conscripting Apple engineers to do custom software development is a red herring.

Likewise, it makes sense to worry about creating a special OS build—because what if it got out? But we face the same situation today if Apple’s key somehow got out. No one seems to be talking about that happening, even though the difference is just a matter of some engineering.

This will all get a lot more interesting when Apple makes a phone that’s secure from Apple itself.

Blake Ross:

Governments decided that allowing crew members to fully override the flying pilot using a key code would be insecure, since it would be too easy for that code to leak. Thus, there is nothing the outside pilot can do — whether electronically or violently — to open the door if the flying pilot is both conscious and malicious.


What’s striking is that this incident did not prompt any change in cockpit protocol in the United States. The FAA is improving mental health checks, but at 30,000 feet, we still have a security system where the parameters are widely known to criminals; where the method of abuse is clear; where we see no way for people outside the cockpit to stop it; and we’ve still decided the public is best served by keeping the people in the cockpit in charge of the lock.


Unbreakable phones are coming. We’ll have to decide who controls the cockpit: The captain? Or the cabin?

Update (2016-03-11): Christopher Soghoian (via John Gruber):

DOJ: We tried to be nice. We could just force Apple to turn over the iOS source code and code signing keys.

Ray Tomlinson, RIP

Dante D’Orazio (comments):

The inventor of email, Ray Tomlinson, suffered an apparent heart attack on Saturday, according to reports. He was 74 years old.

The Internet Hall of Fame (via Jason Kottke):

In 1967, he joined the legendary research and development company Bolt Beranek and Newman (now Raytheon BBN Technologies). At BBN, he helped develop the TENEX operating system, including implementations of the ARPANET and TELNET protocols. In 1971, he developed ARPANET’s first application for network email by combining the SNDMSG and CPYNET programs, allowing messages to be sent to users on other computers.


Tomlinson’s email program brought about a complete revolution, fundamentally changing the way people communicate, including the way businesses, from huge corporations to tiny mom-and-pop shops, operate and the way millions of people shop, bank, and keep in touch with friends and family, whether they are across town or across oceans. Today, tens of millions of email-enabled devices are in use every day. Email remains the most popular application, with over a billion and a half users spanning the globe and communicating across the traditional barriers of time and space.

John Ribeiro:

“I chose to append an at sign and the host name to the user’s (login) name. I am frequently asked why I chose the at sign, but the at sign just makes sense,” he wrote in a post about the first network email. “The purpose of the at sign (in English) was to indicate a unit price (for example, 10 items @ $1.95). I used the at sign to indicate that the user was ‘at’ some other host rather than being local.”


Where I first saw email becoming central to a culture is when I got to IBM. PROFS notes, or email, had a massive impact on the entire culture. The combination of calendar and email and the internal culture that had a terminal in every conference room would be familiar to most readers of Hacker News. You could have survived with what they offered in today’s modern world.


I saw an article on the founder of IBM PROFS email, and so I hunted him down on email while I was at IBM. I regret I cannot remember his name, but I wanted to say he was in research at Almaden, but this may be a human ECC error. However, I do remember that I wanted to know how obvious the creation of email was for everybody, and how much it was embraced. He stated at the time that most people thought that it would not be central to business life.

The Force Quit Fallacy

Kyle Richter:

The only time you need to force-quit an app is if it is frozen, or otherwise misbehaving — beyond that the best battery life can be attained by not force-quitting any apps.

Update (2016-03-10): Mitchel Broussard:

Asked specifically whether Cook quits apps to save battery and if it’s truly “necessary for battery life,” Federighi jumped in with a concise “no and no.” Although far from an official condemnation of the force quit belief by Apple, it is the most the company has directly said about the myth in the six years since multitasking became available in iOS 4.