This Week In Security: Baltimore, MacOS Zipfile Security, And App Store Monopolies

Baltimore. The city was breached, crippled and held for ransom. The ransomware attack was discovered on May 7th, shutting down a major portion of the city’s infrastructure. The latest news is that an NSA-written tool, EternalBlue, is responsible for the attack. Except maybe it isn’t? First off, digging back through the history of an attack is challenging. It’s often hard to determine the initial attack vector with certainty.

The “initial attack vector” is the patient zero of the attack: how the first machine was compromised. An organization generally has a firewall separating the outside internet from the internal network, but once an attacker has a foothold on a machine inside that network, the controls between internal machines are rarely as strict. The initial vector takes many forms, but the most common is phishing. Close contenders are exposed RDP and SMB services (Remote Desktop and Windows File Sharing). A report at Ars Technica indicates that the initial vector into the Baltimore network was a phishing email.

The second step to consider is what’s called “lateral movement”, which describes an attacker using the compromised machine to target other machines in the organization. Often an attacker will have an entire toolkit of exploits to attempt to compromise other machines. One of the exploits reportedly used in this case was the one contained in the NSA tool, EternalBlue, which targets a bug in SMBv1 that Microsoft patched as MS17-010 in March 2017, two years before this attack. PsExec, the Sysinternals remote-execution utility, is usually part of any lateral movement campaign as well: given valid credentials it runs a command on a remote machine over SMB with no exploit at all. While the exploit associated with EternalBlue was probably used to compromise a few of the machines on the Baltimore network, placing all the blame on the shoulders of the NSA is missing the point. The tool is only a small part of this attack.
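Lateral movement of the PsExec kind leaves a trail in Windows event logs even when no exploit is involved: a service-install event (System log ID 7045) on each target, and a burst of network logons (Security log ID 4624, logon type 3) from one source to many hosts. The following is an added example written for this column, not code from the Baltimore investigation or from any vendor; the hostnames, addresses and event records are constructed, the field names are a flattened approximation of the real log schema, and it assumes an operator has already exported events into that shape. It does not detect EternalBlue itself, which needs no credentials and produces no 4624.

```python
import re
from collections import defaultdict

# Constructed sample records (not telemetry from Baltimore or any real
# network). Each dict is a flattened view of one Windows event log entry:
#   4624 = Security log, "An account was successfully logged on"
#   7045 = System log, "A new service was installed in the system"
SAMPLE_EVENTS = [
    {"host": "WS-101", "id": 4624, "logon_type": 3, "src_ip": "10.0.0.15", "user": "CORP\\svc-backup"},
    {"host": "WS-102", "id": 4624, "logon_type": 3, "src_ip": "10.0.0.15", "user": "CORP\\svc-backup"},
    {"host": "FS-01",  "id": 4624, "logon_type": 3, "src_ip": "10.0.0.15", "user": "CORP\\svc-backup"},
    {"host": "FS-02",  "id": 4624, "logon_type": 3, "src_ip": "10.0.0.15", "user": "CORP\\svc-backup"},
    {"host": "FS-01",  "id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS-102", "id": 7045, "service_name": "zjxkq",    "image_path": "C:\\Windows\\zjxkq.exe"},
    {"host": "WS-103", "id": 7045, "service_name": "Spooler",  "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"host": "WS-104", "id": 4624, "logon_type": 3, "src_ip": "10.0.0.40", "user": "CORP\\alice"},
    {"host": "WS-104", "id": 4624, "logon_type": 2, "src_ip": "-",         "user": "CORP\\bob"},
]

PSEXEC = re.compile(r"psexesvc", re.IGNORECASE)


def find_psexec_services(events):
    """PsExec works by copying a service binary to the target over SMB and
    starting it; the stock service name is PSEXESVC, which shows up in 7045."""
    return [(e["host"], e["service_name"]) for e in events
            if e.get("id") == 7045
            and (PSEXEC.search(e.get("service_name", ""))
                 or PSEXEC.search(e.get("image_path", "")))]


def find_logon_fanout(events, threshold=3):
    """Logon type 3 is a network logon (SMB, RPC, WinRM). One source address
    authenticating to many different hosts is the footprint of an operator or
    worm sweeping the subnet with a single stolen credential."""
    targets = defaultdict(set)
    for e in events:
        if e.get("id") == 4624 and e.get("logon_type") == 3 and e.get("src_ip", "-") != "-":
            targets[e["src_ip"]].add(e["host"])
    return {ip: sorted(hosts) for ip, hosts in targets.items() if len(hosts) >= threshold}


def corroborated_hosts(events, threshold=3):
    """Hosts that were both swept by a fan-out source and then had a new
    service installed: the strongest sign that the sweep succeeded there,
    even when the tool was renamed to dodge the PSEXESVC string match."""
    swept = {h for hosts in find_logon_fanout(events, threshold).values() for h in hosts}
    installed = {e["host"] for e in events if e.get("id") == 7045}
    return sorted(swept & installed)


def lateral_movement_report(events, threshold=3):
    return {
        "psexec_services": find_psexec_services(events),
        "fanout_sources": find_logon_fanout(events, threshold),
        "corroborated_hosts": corroborated_hosts(events, threshold),
    }


if __name__ == "__main__":
    for key, value in lateral_movement_report(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the sample, 10.0.0.15 is flagged for fanning out to four hosts, FS-01 for a textbook PSEXESVC install, and WS-102 is corroborated even though its service had a random name. A production version would bound the fan-out to a time window and tune the threshold per source type, since backup servers and vulnerability scanners legitimately log on everywhere.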

MacOS and NFS Shares Inside Zipfiles

MacOS has a sometimes irritating feature, Gatekeeper, that by default only allows running downloaded binaries signed by Apple or an identified developer. The point of Gatekeeper is to prevent a user from running a malicious binary that has been downloaded from the internet. While it is sometimes an annoyance, it is helpful for some users. [Filippo Cavallarin] announced an exploit that completely bypasses Gatekeeper on the 24th. This exploit takes advantage of the fact that Gatekeeper considers network shares to be trustworthy, and doesn’t run the normal check before executing a binary located there. While interesting, this isn’t useful unless there is a way for an attacker to get a malicious location mounted as a network share. Enter the Mac’s ability to automatically mount network locations through the /net path: accessing /net/<host>/<export> makes the autofs automounter mount that NFS export on demand, with no prompt. The last piece of this puzzle is the fact that zip files can contain symbolic links. A zip file can be built with a link into /net, so that simply following the extracted link automounts an arbitrary, attacker-controlled NFS location. If binary files are located there, the OS will happily allow the user to execute them whether signed or not.
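The practical defence on the receiving side is to inspect archives for symlink entries before extracting them, since the link target is sitting in plain view in the zip. Below is an added example written for this column, not [Filippo]'s proof of concept or any Apple code; the hostname evil.example.com is hypothetical, the archive is constructed in memory, and it assumes the extractor honours Unix mode bits stored in the zip entry's external attributes, which is how `unzip` decides an entry is a symlink.

```python
import io
import posixpath
import stat
import zipfile

# Hypothetical attacker host, used only to build a constructed sample archive.
AUTOMOUNT_LINK = "/net/evil.example.com/share/Update.app"


def build_zip(files, links):
    """Build an archive in memory. files: {name: bytes}; links: {name: target}.
    Python's zipfile keeps Unix mode bits in the high 16 bits of external_attr,
    which is where unzip looks to decide that an entry is a symbolic link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        for name, target in links.items():
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3                        # 3 = Unix host, so mode bits are honoured
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(zi, target)                     # a symlink entry's "content" is its target
    return buf.getvalue()


def zip_symlinks(data):
    """Yield (entry name, link target) for every symlink entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if stat.S_ISLNK(zi.external_attr >> 16):
                yield zi.filename, zf.read(zi).decode("utf-8", "replace")


def classify_target(target):
    """Return why a link target is unsafe to materialise, or None if it is benign."""
    norm = posixpath.normpath(target)
    if norm == "/net" or norm.startswith("/net/"):
        return "automount trigger"              # following it mounts an attacker-chosen NFS export
    if posixpath.isabs(norm):
        return "absolute path outside archive"
    if norm == ".." or norm.startswith("../"):
        return "escapes extraction directory"   # also catches a relative hop into /net
    return None


def audit_zip(data):
    """List (entry, target, reason) for every link that should block extraction."""
    findings = []
    for name, target in zip_symlinks(data):
        reason = classify_target(target)
        if reason is not None:
            findings.append((name, target, reason))
    return findings


if __name__ == "__main__":
    sample = build_zip({"README.txt": b"open Update.app"}, {"Update.app": AUTOMOUNT_LINK})
    print(audit_zip(sample))
```

Run the audit before anything touches the archive; once the link exists on disk, a Finder double-click is enough to trigger the mount. On a Mac you administer, commenting out the /net map in /etc/auto_master removes the automount trigger entirely, and a relative link that climbs out of the extraction directory is flagged as well, since it can reach /net just as easily as an absolute one.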

This exploit may not be the most serious of the year, but it’s still a problem that needs fixing. [Filippo] contacted Apple back in February and disclosed the problem, even getting an assurance that they would fix it within 90 days. 90 days have passed, and Apple has begun ignoring his emails, so he has made the announcement and published steps to reproduce on his website.

There has been discussion in the comments of this column about vulnerability disclosure and publishing proof of concept code. This is a perfect example of why researchers publish their work. As far as [Filippo] knows, Apple has no intention of fixing the issue he discovered. He also has no reason to believe that no one else has stumbled on this discovery before he did. We mentioned EternalBlue above. The NSA discovered the SMB vulnerability that exploit targeted and used it silently for up to five years before it was stolen and finally disclosed to Microsoft and fixed. Make no mistake, public disclosures and proof of concepts get vulnerabilities fixed. For any given vulnerability, there is no guarantee that someone else hasn’t already found it.

Just a Little Document Leak

OK, maybe not so little. A Fortune 500 company, First American, managed to host millions of private documents in an accessible format. Imagine you upload a document to a company, and get back a confirmation link that ends in a sequential document number. If you’re like me, you’re very curious what is at id=0252233. [Ben Shoval] is a real estate developer who apparently also wanted to know the answer to that question. To his surprise, millions of uploaded documents were available for anyone to view, no login required: the number in the link was the only thing between a visitor and someone else’s paperwork, the textbook insecure direct object reference. He tried reaching out to First American, and when there was no response to his emails, he forwarded his findings on to Krebs on Security. After what was likely years of exposure, the database was finally taken offline Friday the 24th.
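The fix for this class of bug is an authorization check on every object lookup, with unguessable link tokens as a second layer so a leaked link cannot be turned into an enumeration. Here is an added example written for this column, not First American’s code or anything from the Krebs write-up; the document store, owners and titles are constructed, and the ID values are only borrowed from the numbering style described above.

```python
import secrets

# Constructed sample store standing in for the document host. Sequential IDs
# mirror the confirmation links described above; owners and titles are made up.
DOCUMENTS = {
    252231: {"owner": "alice@example.com", "title": "Closing statement, 12 Oak St"},
    252232: {"owner": "bob@example.com",   "title": "Wire transfer instructions"},
    252233: {"owner": "carol@example.com", "title": "Title insurance application"},
}


class Forbidden(Exception):
    """Raised for missing and foreign documents alike, so a probe of the ID
    space cannot tell 'does not exist' from 'belongs to someone else'."""


def get_document_vulnerable(doc_id):
    """The ID in the link is the only thing consulted: no session, no ownership
    check. Anyone who can count can read everybody's documents."""
    return DOCUMENTS[doc_id]


def get_document_checked(doc_id, session_user):
    """The ID only selects the record; the authenticated session decides access."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        raise Forbidden(doc_id)
    return doc


# Defence in depth: hand out unguessable capability tokens instead of sequential
# IDs, so links cannot be walked even if the ownership check is broken later.
_LINK_TOKENS = {}


def issue_link(doc_id):
    token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    _LINK_TOKENS[token] = doc_id
    return token


def get_document_by_link(token, session_user):
    doc_id = _LINK_TOKENS.get(token)
    if doc_id is None:
        raise Forbidden(token)
    return get_document_checked(doc_id, session_user)   # token never replaces the check


def enumerate_ids(fetch, start, count):
    """What a curious visitor does with a sequential ID: walk the neighbourhood."""
    found = []
    for doc_id in range(start, start + count):
        try:
            found.append((doc_id, fetch(doc_id)["title"]))
        except (KeyError, Forbidden):
            pass
    return found


if __name__ == "__main__":
    print("unauthenticated:", enumerate_ids(get_document_vulnerable, 252230, 6))
    print("as bob:", enumerate_ids(lambda i: get_document_checked(i, "bob@example.com"), 252230, 6))
```

Walking the same six IDs returns every document through the vulnerable lookup and only the caller's own document through the checked one. The token layer is deliberately not a replacement for the check: a forwarded link still only opens for the account that owns the document.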

Walled Garden Monopolies

Staying on the Apple train, the App Store is pretty obviously a monopoly on iOS software distribution. Someone has finally asked whether it’s an illegal one. As most of these questions go, it’ll take a drawn out court battle to decide. How is this security news? If the court finds that Apple has been violating antitrust laws, one possible remediation is to allow alternative app stores. While there is always the potential for a high quality alternative store like F-Droid, sketchy app stores and sideloaded downloads are a real possibility. On the other hand, it would be nice to have an iOS app store that is compatible with the GPL.

VCF East: The Mail Order App Store

Today we take the concept of a centralized software repository for granted. Whether it’s apt or the App Store, pretty much every device we use today has a way to pull applications in without the user manually having to search for them on the wilds of the Internet. Not only is this more convenient for the end user, but at least in theory it is more secure, since the repository vets and signs what it serves instead of you pulling binaries off of some random website.

But centralized software distribution doesn’t just benefit the user, it can help developers as well. As platforms like Steam have shown, once you lower the bar to the point that all you need to get your software on the marketplace is a good idea, smaller developers get a chance to shine. You don’t need to find a publisher or pay out of pocket to have a bunch of discs pressed, just put your game or program out there and see what happens. Markus “Notch” Persson saw his hobby project Minecraft turn into one of the biggest entertainment franchises in decades, but one has to wonder if it would have ever gotten released commercially if he first had to convince a publisher that somebody would want to play a game about digging holes.

In the days before digital distribution was practical, things were even worse. If you wanted to sell your game or program, it needed to be advertised somewhere, needed to be put on physical media, and it needed to get shipped out to the customer. All this took capital that would easily be beyond many independent developers, to say nothing of single individuals.

But at the recent Vintage Computer Festival East, [Allan Bushman] showed off relics from a little known chapter of early home computing: the Atari Program Exchange (APX). In a wholly unique approach to software distribution at the time, individuals were given a platform by which their software would be advertised and sold to owners of 8-bit machines such as the Atari 400/800 and later XL series computers. In the early days, when the line between computer user and computer programmer was especially blurry, the APX let anyone with the skill turn their ideas into profit.

Software Defined Radio App Store

Software defined radios (SDRs) can–in theory–do almost anything you need a radio to do. Voice? Data? Frequency hopping? Trunking? No problem, you just write the correct software, and you are in.

That’s the problem, though. You need to know how to write the software. LimeSDR is an open source SDR with a crowdfunding campaign. By itself, that’s not anything special. There are plenty of SDR devices available. What makes LimeSDR interesting is that it is using Snappy Ubuntu Core as a sort of app store. Developers can make code available, and end-users can easily download and install that code.


Apple Gives C64 Emulator The Boot


After making it to the top 20 in most regions, Apple has removed the C64 emulator for the iPhone from the App Store. Apparently the thorough app review process didn’t discover that the BASIC interpreter had not been removed from the app, but was merely hidden.

Another revision of the emulator has been submitted for review, but how long will that take? What is the review process for if the reviewers aren’t looking deep enough to find specific functions they don’t want an app to have? Approving apps and pulling them a few days later is another Hot Coffee waiting to happen.

[POCKET GAMER via Slashdot]

C64 Emulator For IPhone Approved — Minus BASIC


After a lengthy process that had previously met with rejection, Manomio’s Commodore 64 emulator for the iPhone and iPod touch has finally been accepted by Apple. This marks the first time a multi-purpose emulation title has been approved by the App Store. The $4.99 C64 app comes bundled with five fully-licensed classic games, and additional titles can be purchased and downloaded directly within the application.

App Store policies prohibit software that could run downloadable code, which barred most emulation attempts in the past. A couple of Sega titles worked around this by nature of being single-purpose emulators. The condition by which the C64 title was finally approved was the removal of the BASIC programming language (though ironically it’s still shown in screen shots, even on the App Store). Since only sanctioned programs can be installed and run from within the application, no user-alterable code is present.

The C64 emulator is neat enough in itself, but the really encouraging news here is that a precedent has been set; the business model may open the floodgates for developers to bring more classic gaming titles to the iPhone platform. So download that SDK and get hacking!

[via TouchArcade]

Update: The iPhone Blog has a simple work-around for accessing BASIC!

Update 2: App pulled, no surprise. If you jumped on the opportunity while it was available, [George’s] comment might be of interest.

Reversing Google’s IPhone Voice Search

Google recently updated their Google Mobile App with a couple new features. Voice Search automatically starts listening when you raise the phone to your ear. Just say what you’re looking for, and it will poll Google and return the results. The app leverages Google’s voice recognition engine, which they’ve been training with Goog-411. [Andy Baio] has been experimenting with audio transcription and was curious what the new app was doing behind the scenes. He started by sniffing the packets as they traversed his network. Unfortunately, the size of the data packets transmitted is so small that he’s almost certain he’s missing something. He’d appreciate any help in this endeavor. Part of the problem might be Google getting special treatment and using undocumented iPhone SDK features.