
Episode 006

Mac Malware: The Cat & Mouse Game with Patrick Wardle

macOS security expert Patrick Wardle joins Arek Dreyer to explore Apple’s defenses, malware evolution, and why layered protection is essential.

Show Notes

In this episode of Patch Me If You Can™, Arek Dreyer welcomes Patrick Wardle, a leading figure in macOS security. Patrick, who founded the Objective-See Foundation and the Objective by the Sea security conference, brings years of frontline experience from organizations like NASA and the NSA. He’s also the author of the Art of Mac Malware book series and has created several widely used open-source macOS security tools, giving him a unique perspective on both defending and attacking modern Mac systems.

The discussion centers around the evolving cat-and-mouse dynamic between macOS security and malware authors. Patrick illustrates how Apple’s built-in defenses, such as Gatekeeper and notarization, prompt cybercriminals to constantly adapt their techniques, while Apple in turn tightens protections to keep pace. He highlights the tension between bolstering security and maintaining usability, pointing out how excessive system prompts often lead to “click fatigue,” which can blunt the effectiveness of even the best-designed safeguards. Patrick stresses that while Apple continues to raise the security bar, true protection also depends on user awareness, vigilance, and regular system updates.

Rounding out the conversation, Patrick and Arek touch on the role of user education, the limitations of relying solely on Apple’s built-in defenses, and the need for enterprises to deploy third-party security tools. Patrick shares a compelling example involving Shazam’s persistent microphone access to show why behavior-based detection is critical—not just static malware signatures. He urges listeners to leave behind outdated beliefs that Macs are immune to threats or that native protections are always sufficient, advocating for a layered approach to security. If given the power to instantly patch one thing, Patrick says he’d love to see only notarized software allowed to run on Macs, a change he believes would significantly improve the platform’s safety.

Transcript

Patrick Wardle [00:00:00]:

I think people really, for a long time, had a mindset that Macs are impenetrable, where we all know the reality is macOS, even iOS, are built on a lot of really great things. But it's an operating system, it's going to have bugs. Users are going to do things that they shouldn't do.

 

Arek Dreyer [00:00:23]:

Today's guest is someone whose work is shaping the way we think about macOS security from the inside out. Patrick Wardle is founder of the Objective-See Foundation and the Objective by the Sea macOS security conference. He's the author of the Art of Mac Malware book series and has built some of the most widely used open source macOS security tools in the world. Having worked at NASA and the NSA, Patrick's been on both sides of the security chessboard and he's on a mission to empower the next generation of defenders. He's also intimately familiar with aliens, spies, and talking nerdy. Patrick, welcome to Patch Me If You Can™.

 

Patrick Wardle [00:01:07]:

Thank you. I'm laughing. That was a great and very comprehensive introduction. I am, I am very flattered and super stoked to be here to talk nerdy about Mac security topics. So mahalo again for having me on the podcast.

 

Arek Dreyer [00:01:21]:

Great. For those of you joining us at home, make sure you're following us so that you don't miss out on future episodes. So let's get started. When we discussed having you on the show, you described it as a cat and mouse game between macOS malware, native OS defenses and third party tools. Where do you see that game heading right now?

 

Patrick Wardle [00:01:48]:

Yeah, that's a great question. And I guess a little bit of backstory first. So I started looking at Macs all the way back in, well, now I'd say about 2008, so slightly dating myself here, but it's a relevant data point because, you know, it's given me 15 plus years of really seeing how those baked-in native security mechanisms have evolved, but also how malware, in lockstep, has equally evolved as well. And back in 2008 Mac malware was (a) not as prevalent, not as prolific, and (b) really not as sophisticated, not near as sophisticated as it is today. And that was based on the simple fact that it really didn't have to be. macOS, or I guess it was OS X at that time, didn't have a lot of the baked-in security mechanisms, e.g. XProtect, Gatekeeper, notarization, the list goes on and on and on, that now luckily have been integrated natively into macOS. And so malware at the time was super basic. And so when I talk about this cat and mouse game, you know, it's something I think we see specifically in terms of Mac security, but also in the broader landscape of any operating system, any security posture: as it evolves, the adversaries equally have to evolve.

 

Patrick Wardle [00:03:09]:

And so there's, you know, countless examples of this. You know, I mentioned Gatekeeper. When Gatekeeper first came out, we saw malware authors fraudulently obtaining code signing certificates, stealing them or getting fake ones, and then simply signing their code, essentially bypassing or sidestepping, I should say, Gatekeeper. Now we have notarization. Apple really, in response to that, kind of upped the ante and, you know, added that additional layer of security, which basically means Apple now is going to scan and essentially only approve software after they've scanned it and found no malware. And so what we do is we see adversaries either evolving again to find ways around that. I think many of us are familiar with malware that instructs its users to right-click and Open. That was something that worked on versions of macOS 14 and below. Or even submitting their malware to Apple in the hopes of getting it notarized.

 

Patrick Wardle [00:04:07]:

And we have seen, not a ton, but there are a handful of samples that unfortunately were inadvertently notarized by Apple. But again, cat and mouse game. Apple has responded by improving their notarization checks and also making it more difficult to run non-notarized software on macOS. So in macOS 15, you can now no longer right-click, Open that. And so the attackers responded to that as well. Now they have instructions for the users to open the Terminal and then run a script via the Terminal. I'm sure we'll see Apple shut down that loophole as well. And so this is expected.

 

Patrick Wardle [00:04:48]:

It is good to see attackers evolving. And I say that because that means that Apple is doing their job and making it more difficult. So at the end of the day, Apple is certainly raising the bar, making it more difficult to infect Macs. And I think that's good for everyone. Well, not for attackers, but for users, you know, us who are on the, let's just say, the right side of the law.

 

Arek Dreyer [00:05:17]:

Where do you ideally want to see this game go in the future?

 

Patrick Wardle [00:05:20]:

Another excellent question, because if Apple did everything right, we would all be out of jobs. So, you know, I joke. The reality is that it's always going to be a cat and mouse game. You know, Apple can continue to raise the bar, but invariably what Apple runs into is an issue with usability. And I forget what the exact quote is and who said it, but essentially they said the only secure device is one that has been unplugged from the Internet, powered down and buried 10 ft underground in a cement bunker. That's true, that's very difficult to hack. But that device is also completely unusable. And so ideally the defenders, whether that's Apple or us as third party security tool developers, researchers, et cetera, would get to a point where we have won. But because systems have to be usable and users have to run software, which is all well and good, a lot of times Apple has to make tough decisions that balance usability and security. Ideally security and usability are aligned, but in reality they often diverge greatly, and Apple has sometimes erred on the side of usability, and sometimes there's security implications for that. I think going back to notarized software, there's still a lot of legitimate software that is not notarized.

 

Patrick Wardle [00:06:43]:

You know, Apple would probably love to just say everything should be notarized, but that would impact a lot of legitimate software, which would impact usability. So there's kind of this balance. So, you know, ideally we get to the, you know, the end state where the cat and mouse game is over and the defenders have won. But again, that's really an ideal and I don't think we will ever get there. So lighting as well. Thanks for the timeline. But then I also think that it's important for users to learn about threats. You know, listen to, you know, Patch Me If You Can, for example, to learn about threats, because they need to understand that, you know, whatever Apple does, that's not a panacea, and Macs are never going to be fully secure.

 

Patrick Wardle [00:07:31]:

And so there is always a lot of user responsibility now in ensuring that, for example, you don't run random things, you shouldn't download and install pirated software, you should make sure you're running the latest version of macOS, you do have multi-factor authentication, best practices. So I think there's an important education component, because we are never going to get to that ideal of the defenders wholly winning.

 

Arek Dreyer [00:07:56]:

Well, in your latest book, I liked how you had an example of software that wasn't necessarily nefarious malware, it was malware, it kept the microphone on.

 

Patrick Wardle [00:08:05]:

Yeah, that's a really great example, because I think what it does is really aligns well with how I think about detection, which is focusing on malicious behaviors. And I know that's something that Kandji does as well, which I think is very smart, because not only can that then detect brand new malware that's never been seen before, but it also can uncover the fact that an application is, let's just say, misbehaving. So the example you gave, I'd love to dig into a little bit more, involved Shazam. A lot of us back in the day remember, you know, when a song was playing, you could hold up your phone, you would have, at that time, launched an application called Shazam, and it would tell you what was playing. And at the time, they were like, this is the greatest thing since sliced bread. I'm not sure kids these days would still be as impressed. But like, for us, this was like, wow, technology.

 

Patrick Wardle [00:08:56]:

This is magic. And so there was a Mac version as well. And one of the users of a tool I wrote, it's called OverSight. And OverSight basically tells you when anything activates the microphone or webcam. It was designed to detect malware that was spying on you, because at the time when I released this software, there weren't TCC privileges or permissions to access the mic or webcam. So any software running on your device could. For the webcam, there would be an indicator light, but for the mic, there was no indicator. So we saw a lot of very sophisticated, stealthy malware infecting Macs, turning on the microphone, essentially turning them into room audio capture devices, and spying on users in that way.

 

Patrick Wardle [00:09:40]:

So OverSight was really written for that, but because it didn't discriminate, it would just tell you anytime something turned on the mic. I had a user who said, hey, Patrick, OverSight is great. Love the free open source tools. But there might be a bug, because when I activate Shazam to identify a song, OverSight correctly says, hey, the microphone is activated. No surprises there. It's what Shazam does. But when I turn off and disable Shazam, there's not a subsequent notification from OverSight telling us that the microphone has been turned off. And I was like, yeah, okay, there's probably a bug there. Like, I try to, you know, put out great software.

 

Patrick Wardle [00:10:19]:

But, you know, first and foremost, I'm a researcher, you know, security engineering professional, as my colleagues like to remind me. But anyways, I dug into this and, long story short, it turned out that Shazam was actually still listening even when you disabled the app or told it to turn off. And the interesting thing was I reported that to Shazam and they admitted that, yes, this is the case. And then they said, yeah, we do this so that the next time you ask us what song is playing, since we've already been listening, we could tell you right away. And I guess this kind of goes back to the usability I was talking about at the beginning of the podcast, where from purely a usability point of view, that actually makes a lot of sense, but from a privacy and security point of view, that is insane. And Shazam was like, yeah, we're not going to fix this. And so, for better or worse, I've learned that when you are a passionate individual security researcher, sometimes the best way to enact change is to get the media involved. And so I reached out to some of my media colleagues and I said, hey, these are the facts of the situation.

 

Patrick Wardle [00:11:26]:

Personally, I believe this is a gross miscarriage of privacy. They tentatively agreed and wrote some articles. They kind of, I won't say added any polish, but they were like, former NSA hacker finds that Shazam is always spying on you. I was like, I don't know if I would have quite written that, but that's a great headline, right? And the crazy thing was, literally the next day Shazam pushed out an update, rolling that back. And so when you turned off Shazam, it would actually stop listening. So, happy ending. But to your point, a great example of tools that focus on behaviors versus, say, static signatures turning out to be very powerful, both for detecting malware, but even legitimate applications misbehaving.

 

Arek Dreyer [00:12:16]:

And to be clear, you didn't find any evidence that Shazam was taking that information and storing it and, like, doing anything nefarious with it, but for their purposes of being able to identify a song immediately, that's what they were doing.

 

Patrick Wardle [00:12:32]:

Yeah, and that is a really excellent point. I don't think there was any malice involved. And I think that's why they were somewhat shocked when I was like, hey, this is a problem. And, you know, we kind of touched on the topic of usability, but also education, a few times already. And yeah, from their point of view, like, not thinking about privacy, this was like a no-brainer. Like, this is a great feature, right? It's not a. So I think it's important to have these broader conversations as we are now, because, myself included, something that I might have an opinion on or be very confident about, well, that might be wrong.

 

Patrick Wardle [00:13:07]:

And so it's good to involve diverse opinions, other people's opinions. And see, the interesting thing is, you know, shortly thereafter, Apple acquired them, I think for like $400 million. And so, you know, maybe usability won out and they kind of laughed all the way to the bank. So.

 

Arek Dreyer [00:13:27]:

Well, I want to dig into those blockers, like, you know, we hear a lot about prompt fatigue and, yeah, just click okay, I just want to do my thing. So how do you overcome that challenge in the fight against malware?

 

Patrick Wardle [00:13:45]:

Yeah, that is an excellent question. And I am humble enough to admit that I really don't have an answer for that. Because to your point, we really see, especially in recent versions of macOS, that now the operating system alerts you basically all the time. And it was interesting because I gave a talk a year ago at Black Hat about installing a network extension that would allow you to add additional security to the device. And from downloading the software to installing it, there were six or seven different prompts that the user had to agree to, which is kind of insane. There should be a few prompts, but I don't think there should be that many. And I remember chatting with Apple about this and they basically said, hey, the core issue is that at Apple, teams are very autonomous and segregated. And so, for example, the prompt for downloading files from Safari is totally unrelated to the Gatekeeper prompt, totally unrelated from, you know, approving a system extension, et cetera, et cetera.

 

Patrick Wardle [00:14:48]:

And, you know, while I think largely many of those prompts could be combined, because, hey, the user is wanting to launch something that's notarized, entitled, been scanned by Apple, all the good things, it doesn't need seven prompts. It's just the way Apple designs things; these groups, you know, there's some discontinuation, so there's a lot of alerts. And, you know, I think it's good that these things are alerts. A lot of them are in direct response to malware attacks. For example, the prompt that you now see when a new device is plugged in via USB, from a security point of view, that is amazing. You know, way back in the day I was developing offensive Mac capabilities and I had a really nice one where you would plug a USB into a locked OS X machine and boom, game over. And now you couldn't do that. I mean, those bugs and vulnerabilities are long patched.

 

Patrick Wardle [00:15:43]:

But there now is this really high obstacle, which is that the device would not even get approved or processed or parsed by the operating system unless the user manually approved that. And I think for locked Macs, like, the user first has to authenticate. So from a security point of view, awesome idea that really, I think, makes sophisticated physical access attacks that nation states might be using a lot more difficult. But yeah, then for your average user, I literally was setting up a new MacBook today and plugging in a bunch of external devices. And I'm clicking Allow, Allow, Allow, Allow, Allow, and, you know, then I wanted to install a network extension, so I'm clicking Allow, Allow. So I don't know what the solution is, because there's gotta be some middle ground where we are alerting the users about what is going on. And I do like Apple pushing some of those decisions to the user, because Apple shouldn't be the sole arbiter and gatekeeper of what is being run on our systems. But I think currently they've gone a little too far, where, you know, it's like we're almost back in Vista days, where with Microsoft Windows Vista, everyone, including Apple, ragged on Vista for having so many prompts.

 

Patrick Wardle [00:16:56]:

You know, I think macOS has now eclipsed what Vista was, and so, you know, life is a pendulum. I'm hoping Apple starts maybe reducing some, because to your point, click fatigue is real and really nothing is gained when there's so many prompts, and we're seeing malware abuse that, where they just keep showing the user, for example, you know, malware wants to access the keychain, it will just request access over and over and over, because they know the user will eventually acquiesce, and if that wasn't working the malware wouldn't use that approach. And so, you know, this does confirm that user fatigue is real. And, you know, with too many alerts and pop-ups you're basically taking a large step back, and malware is basically exploiting that. So again, I don't know what the solution is. There is some middle ground balancing that usability and security. And currently I think Apple's a little too far on the security side, and users, myself included, are overwhelmed with these alerts.

 

Patrick Wardle [00:17:55]:

So yeah, it'll be interesting to see where we go from here.

 

Arek Dreyer [00:17:58]:

It sounds like, based on your description of how Apple teams are compartmentalized, that applying pressure on Apple, letting them know that, hey, the overall experience, here's what we're seeing, what can you do about it, might be one approach to that.

 

Patrick Wardle [00:18:15]:

Yeah, that is a great idea, and I think Apple is becoming a little bit more friendly. I don't know if that's the right term, because that implies maybe in the past they weren't, but I think it's more willing, more engaging with the external security research community. You know, see examples, for example, releasing the Endpoint Security framework. That is a huge paradigm shift. Apple literally saying, here's a framework for developing third party security tools. I don't think people often realize, like, how insane that was, that Apple basically provided something just for us. And so I think they are really realizing that, hey, we're all on the same side here, that we're all looking out for what's best for the end users, and we're all end users ourselves.

 

Patrick Wardle [00:18:58]:

And so if we're struggling with things or have ideas, then, okay, maybe we can provide valuable feedback, because perhaps we are more engaged with users, especially in the security space, than Apple. Right. Apple may be doing a gazillion things on a daily basis. You might be talking to customers really concerned about security, and they might bring up, for example, the click fatigue, et cetera, et cetera, et cetera. So, yeah, to your point, I think any feedback from Apple would be great. I think Apple's current mindset is also that MDM is the way, especially in the context of the enterprise. I think it's pretty good to point out that a lot of these prompts can be suppressed via MDM policies. There's, I'd still say, a lot of improvement there, but I'm super jealous of y'all at Kandji, because the tools I release are for, like, end users, you know, who aren't on managed and enrolled devices.

 

Patrick Wardle [00:19:52]:

So I have to patiently explain how to click through all the prompts, and if they click Deny, I have to gracefully handle that in the tool and then answer the emails about why it didn't work. And I know in the MDM space there's some challenges there as well, but, you know, that does seem to be what Apple's current mindset is, that, at least in the context of the enterprise, MDM is the way to go. So I think what you're doing at Kandji aligns with that really well. And that's great.

 

Arek Dreyer [00:20:20]:

Thanks. Yeah, I was going to suggest that as an alternative to the manual setup that it sounds like you were doing today. So I want to look ahead a little bit and ask, what's one outdated mindset that you think people should leave behind and why?

 

Patrick Wardle [00:20:41]:

Yeah, I actually have a few. So, like, you know, the good thing is I think the mindsets are evolving, which is refreshing. For many, many years, it was literally like convincing people that Macs do indeed get malware. And I remember in 2012, on Apple's website, apple.com, they basically had this quote. And I remember, like, getting a screenshot of this because I'm like, I'm going to hold on to this. And it basically said that Macs are not vulnerable to the countless number of Windows threats, malware and viruses that are plaguing Microsoft operating systems. That was kind of true at that point. Like, you plugged in a Windows XP box, owned in like 15 seconds. So, like, glad we're not there anymore.

 

Patrick Wardle [00:21:26]:

But I think what Apple was saying was largely true, because they, you know, had that key phrase that, yeah, the Windows malware was not compatible with Mac. So almost by definition, kind of a moot point. Like, yeah, you can't take a, you know, Windows virus .exe, like, that's just not going to run on Mac. It's a totally different architecture, et cetera, et cetera, et cetera, or operating system. But a lot of people took that like, Macs don't get malware. And to Apple's credit, you could plug in an OS X box at that point and it wouldn't be, you know, infected with adware in five minutes with no user interaction. So I think people really, for a long time, had a mindset that Macs are impenetrable. Where we all know the reality is macOS, even iOS, are built on a lot of really great things.

 

Patrick Wardle [00:22:18]:

But it's an operating system, it's going to have bugs. Users are going to do things that they shouldn't do. So it's going to be Apple. So that's one mindset that for a long time I think all of us had to work on. And I'm sure at Kandji you see this too, where, hopefully not now, but maybe when you were starting out, enterprises were like, I'm actually good, you don't need to manage them. Like, there's no malware, like, we don't need to install third party security tools. So that was definitely a mindset that was difficult. I think where we're at now is people have moved off from that, which is great.

 

Patrick Wardle [00:22:52]:

But the other mindset I see is people think that Apple's built-in security mechanisms are sufficient, and they largely are. But as we talked about earlier, Apple often chooses usability over security. And I don't blame them, right. We all love this great Mac experience. Apple does many things incredibly. And the whole experience, you know, using the Mac, it's like incredible, right? If you're stuck using Windows, I'm sorry. Like, and so, you know, I understand that it's part of their ethos.

 

Patrick Wardle [00:23:26]:

Beautiful design, beautiful systems, not interrupting the user experience too much. They maybe show too many pop-ups, but again, a lot of times maybe they could be more secure, but they err on the side of usability. And I think that's fine, maybe, for the average user, but especially in the context of the enterprise, where the stakes are a lot higher, it's imperative that enterprises deploy third party security tools. I think it's really important for them to realize that that's necessary. You know, I remember talking to customers and they're like, Apple has AV, it has XProtect. And it's like, you know, those are static signatures for known malware. By design, they're not going to protect you from new threats.

 

Patrick Wardle [00:24:11]:

They're very reactive. And it's good that Apple has that. And I don't think Apple should be in the position of adding additional security. I think Apple has made the conscious decision to delegate that out to companies such as Kandji, both to provide management solutions, but also additional security. But I'm sure this resonates with you that you might still run into customers that, yeah, now understand Macs get threats, but think, hey, Apple's taking care of this. I'm good as long as I update macOS. And again, for the average user, that's probably fine. But I still think that for enterprises and users that might be more targeted or maybe more at risk, installing third party security tools is super important.

 

Patrick Wardle [00:24:55]:

And I will just end this by saying choose wisely about third party security tools.

 

Arek Dreyer [00:24:59]:

So my last question is, if you could instantly patch something in your world, what would that be?

 

Patrick Wardle [00:25:06]:

Ooh, that's a great question. I'm going to stick to technology because I think that aligns well. If we weren't, I would choose something about, like, sharks being more friendly to humans and humans being more friendly to sharks. The reality is we kill way more sharks than sharks kill humans. But in reality, I think I would start simple and practical and just say, hey, Apple, like, maybe only allow notarized software to run on macOS. Because the reality is the vast, vast, vast majority of malware to this day is still not notarized. And I actually added this capability to one of my tools, where you can block non-notarized software. And with that on, 99% of malware is toast.

 

Patrick Wardle [00:25:52]:

Obviously, as we talked about at the very beginning, we would see attackers evolve. They would try to figure out how to bypass notarization. And I think Apple wants to get there. I think if they blocked, as I mentioned earlier, all non-notarized software, there'd be a lot of pushback from users that want to run legacy software, indie developers who don't want to pay Apple the $99 for notarization, so Apple could make this free. So, you know, it's not as simple as just saying block all non-notarized software. But if I could patch that, or choose a patch, I would love a way to figure that out, where that becomes the reality. And it's kind of like what iOS has done, saying, hey, you can only run software that's, you know, signed from the App Store in a sandbox.

 

Patrick Wardle [00:26:37]:

And I will end by saying that introduces a bunch of complexities. You can't run, for example, security tools on iOS, and so adversaries who can hack in basically can use the security of the device in a way that benefits them. Right. We just don't have visibility. But I think starting with blocking software would be great and would instantly raise the bar, the security of macOS, immediately, overnight.

 

Arek Dreyer [00:27:04]:

Love it. Well, huge thanks to Patrick for joining us on this episode of Patch Me If You Can™ and sharing what it looks like to stop reacting and start architecting. If you liked this episode, hit follow and share it with someone who's ready to lead IT and security from the front. We'll see you next time.

 

Patrick Wardle [00:27:23]:

Thank you, Arek. Amazing. Thank you for hosting me. Also, big shout out to Kandji, who's a longtime supporter of the Objective-See Foundation. It's always great to chat nerdy with you, and I can't wait to hopefully do it again in the near future.