ShmooCon: Apple’s broken Gatekeeper; Tax agency warns users of breach (Day 1)

Day one of ShmooCon started with a fire drill. At about 0200 a.m. on Friday, the hotel fire alarms started to go off, creating a chaotic symphony of lights and sound.

Oddly, none of the hackers in the hotel lobby moved while this was taking place. However, several guests in the hotel did use the elevators to come to the lobby (a serious no-no in the event of a real fire). After about 20 minutes, the fire department showed up and fixed the problem – whatever it was.

More security flaws in Apple’s Gatekeeper:

Patrick Wardle, director of research at Synack and Apple security expert, will detail a Gatekeeper vulnerability on Sunday during ShmooCon.

On OS X, Gatekeeper is an anti-Malware defense. Before Gatekeeper existed, most of the malware infections on a Mac were due to users acting on their own, granting access to malicious applications or downloading untrusted software.

So Gatekeeper was primarily developed to prevent Mac users from infecting themselves. Another way to look at Gatekeeper is that its whitelisting technology that was bolted onto Apple’s blacklisting technology.

There are three settings on Gatekeeper; users can opt to allow applications to be installed if they are taken from the Mac App Store, the Mac App Store and Identified Developers, or anywhere on the Web.

However, if an application is signed and verified by Gatekeeper, but uses external libraries, it’s possible to bypass Gatekeeper by linking malicious code to the external libraries, or by delivering Malware in place of the library.

This injection method works if the attacker has network-level access, or if they can locate a Cross-Site Scripting flaw in a given domain.

Last October Wardle gave a presentation at VirusBulletin outlining unpatched vulnerabilities found in Gatekeeper that allowed attackers to spread unsigned binaries containing malware to unsuspecting machines. Apple has since issued patches, but Wardle found a way to reverse those patches, once again leaving Gatekeeper vulnerable.

Wardle plans to release an open source kernel extension that monitors process creation in response to Gatekeeper’s mixed bag of coverage.  When enabled, the tool doesn’t concern itself with how the application came to be, if it’s from the Internet and unsigned, it’s blocked.

TaxAct warns customers about account compromise

TaxAct, a tax preparation and filing program, recently sent customers a notification surrounding suspicious activities on their accounts.

The notice, dated for January 11, 2016, warns the customers that an “unauthorized third party” accessed their account sometime between November 10 and December 4, 2015.

“We have no evidence that any TaxAct system has been compromised and believe the third party used username and password combinations obtained from sources outside of our own system. In order to stop this unauthorized access, we have temporarily disabled your account,” the notification states.

“In addition to your username and password, we have reviewed our website logs for account activity after this attempted access, and found that the tax return(s) stored in your account may have been opened or printed. These documents may contain your name and Social Security number, and may also contain your address, driver’s license number, and bank account information.”

The key takeaway here is that TaxAct wasn’t directly attacked, its customers were. It’s likely the accounts accessed were sharing passwords and fell victim to a Phishing scheme, or they were part of any one of the massive data breaches in 2015, which again makes password recycling an issue.

TaxAct will offer 12 months of credit monitoring to those impacted by the incident.