
Wes Widner - A worm in the Apple examining OSX malware

BSides Augusta · 2016 · 49:56 · 18 views · Published 2016-09
Category: Technical
Style: Talk
About this talk
Video from BSidesAugusta 2016.
Transcript (en)

All right, all right, we should be good to go. But the closer you can stand to the podium, the easier it is for

everybody. Is this their first time? Everybody else? Last time was my first, so last

year... connection, and we were pulling down... and since then things have changed with that company. I still wanted to research something that most people don't care about, which is Mac malware. It's interesting that that choice was made, because in the last several months Mac malware has actually kind of exploded, especially in the news. Have any of you paid attention to the news for Mac malware? Yeah. Some of the higher-profile ones I wanted to highlight here: of course the one that came out very recently was the NSO Group selling iPhone zero days. Now I'll go ahead and give a caveat: iPhone

security is closely tied to OS X security, and we'll see why in just a second, but I just wanted to whet your appetite a little bit for what's there. So we have the NSO Group zero day for iPhones. We also have KeRanger and a few other well-known... here we go, an uptick in malware and vulnerabilities. Basically this talk is kind of a what-you-need-to-know, as far as not just what's out there but also the vulnerabilities that exist within OS X itself. Now I'm not going to release any zero days right now, but if you're seeking to secure anything, even from

your home all the way through a business, if there are Macs on the network, this is the information that you're probably going to need to know. To go back to my slides, though: security engineer by day, security researcher at night. I particularly work on large-scale systems, so it's not entirely security related, although we have security stuff that flows through the system, but the really exciting part, the research part, is what I'm going to share with you today. This all really began because a few events happened kind of simultaneously. I got my mother to change to OS X, and my

daughter at the same time was really involved in Minecraft and downloading these mods for games, and both of those made me really nervous. Then I started thinking about it: well, I can recognize a malware installation or malware infestation on a Windows system, and I would know relatively where to go look, you know, the startup folder and registry, stuff like that. But where would I go look when it comes to a Mac system? That's pretty much where this whole talk was born, and lots of research went into all that. So one thing that kind of jumps out at us, well, most of you probably even saw

the title of the talk and were wondering why, you know, the title of the talk was exciting or kind of piqued your interest, because Macs don't get viruses, right? Yeah, we laugh, and obviously I'm going to disprove that, but the reason why that's important is because up until 2012 Apple themselves actually sold Macs, and on their website one of the features was "Macs don't get PC viruses." That was still back in the Mac versus PC days, and that was part of their advertising. But now they've changed it since 2012 to say "Macs are secure by design." They don't have the grandiose claim of "Macs don't get PC viruses." The

reason for that is Flashback came out in 2012 and took control of 600,000 systems as soon as it came out. Social engineering was used as far as getting people to install a Flash plugin; this was still back when Macs didn't have Flash plugins pre-installed. So one of the major avenues for attack for Mac right now is apps that people are going to need, that they're going to go hunting for, so Flash plugins or Java updates, stuff like that. Now these things get unfairly blamed a lot of times. I think in Flash's case they really were insecure, but anyway, in this case it

was social engineering to get the Flash plugin installed, and then it generated revenue through ads. So one thing to take away as far as Mac malware right now: it's rather immature, and most of it ends up being just adware. So this one generated revenue through just displaying ads. A key thing, there are two points to it. One, it contained advanced features that weren't used. There were actually stubs in the code that researchers looked at, and they could have added a lot more features to it: they could have added command and control, they could have added rootkits, backdoors, all this stuff. It was a modular application, but it

didn't have those. And then the second thing is it was weirdly sophisticated just for adware. Now I'm going to make the case throughout this talk that the iOS platform, well, the phone and the laptop: the laptop is the staging ground for what goes on, or what's targeting, the phone, and there are several reasons for that. So anyway, then we have Flashback part two in 2014. A company called Intego bought the sinkholes that were from the first Flashback, and what they were looking for is how many people remain infected as time goes on. The good news is it was only about 20,000 or so people that remained

infected up until they lost access to the sinkholes. The bad news is there are still 20,000 people that were infected. So Apple does a good job of pushing people to update as soon as it comes out, and they really have a nice interface for that, but they still suffer the same problem that Windows suffers, which is not everybody updates their systems as fast as they should. In fact, how many of you have updated your iOS devices to the latest, 9.3.5? No? Why not? Especially after I go through what that means as far as the updates, but we'll get to that in just a second.

So Flashback part two: most researchers considered it no big deal because it's covered in an update, and so if you just update your device you're fine. But I would submit that it's still a big deal, because it shows activity, and Flashback part two was not just residual of the first Flashback; they were actually iterating on that design going forward. So there are lots of different Flashbacks; Flashback part two is really just a catch-all for the different variants that came out after the first one, and some of the variants were Java, so you saw a lot of Apple blaming Java and a lot of people hating

on Java. And Java, there were some vulnerabilities there, I'm not going to give them a clean pass on it; however, some of it was just that they were taken off guard. Apple was taken off guard, because people are updating their software and there's this vulnerable space. So, drive-by downloads, blaming Java on that. And then the last event that I'll talk about in the setup to this is KeRanger, released in February 2016. I believe it was the first OS X ransomware, and it was delivered through a signed application. I'll get into that in a second too, so that was worth noting: it's a signed

application. So were the fake versions of Flash and the fake version of Java signed? Not necessarily. Actually, the unpatched Java VM, that really was, yeah, that was signed. So KeRanger, the first OS X ransomware, delivered this year. I just saw a couple of days ago there's another variant of KeRanger that's just come out. So all that to say, before we get into the unique attack vectors, all I have to say is that Mac malware is on the rise. It was a slow trickle a couple of years ago, maybe 200 a year; now we're seeing about 10 a day, and that's nowhere near the volume of

Windows malware that you see, but if you think that Macs are completely in the clear, they're not. Now that said, I'm going to kind of temper that: I don't want to say that Macs are completely insecure. I still have all my iOS devices and OS X devices. But let's go through the unique attack vectors. If you are securing a system, if you just want to make sure that your family is secure or you're secure, first you're going to have to know what it is about Apple that makes it fundamentally different from a Windows system, and there are basically four different areas that I've come up with: there's the boot-up process, the kernel,

the way that software is installed, and something called Mach-O, which is the binary format that Mac uses natively. Does anybody know the native format for Windows off the top of your head? Portable Executable 32. And that's interesting because, as we go into the boot process in the beginning, Apple security rises and falls on the boot process, especially on the iOS device. So an abbreviated boot sequence would be: you power the device on, and in ages past it was the BIOS that was the first thing that was given command. Now it is something called the EFI, the extended... I forget what EFI stands for, but anyway, that's the equivalent of the

BIOS in most other PCs; that's what handles running. So EFI was developed by Intel, and oddly enough it runs PE32 executables. So all of your iOS devices actually run, effectively, a Windows executable in order to boot the whole device up. Now it's just a PE32, it's a small file; however, if you can take control of that file, then you can take control of everything beneath it. Because of that, Apple is really, really concerned about making sure that their boot-up sequence is as secure as possible. For instance, EFI sits on a FAT32 partition you usually don't see. This is where your firmware protections

are. So on your iOS device, if you've got a passcode, before you can get into your device this boot sequence is what throws up the password screen first. You log into that and then it persists the password back through to the kernel. So the EFI system is really important; it's what handles unlocking the disk if you have whole-disk encryption installed, all of that. I'm really stressing that this is the most important part of the boot process, especially on iOS. The boot process is also what handles, when your battery is dead and you plug your power cord in, EFI is what handles flipping the

pictures back and forth that say it's booting or it's charging, and then it also runs another application once it's gotten to a certain charge and flips over to actually booting your entire system up. So if you're wondering why it is that you type in your password but you still have a delay before you can get into your system, that's because the system hasn't actually booted; it just went to the EFI part, you put in your credentials, and it still has to go through the rest of the boot process. We haven't even touched the kernel yet. After the boot process, after EFI, then we go down to loading the kernel. That's

where kernel extensions are loaded, and that's also where dynamic libraries are loaded. For those of you who aren't programmers, pretty much all software is modular these days. These dynamic libraries include things like the Cocoa framework that's used on both OS X and iOS, but in the boot process, especially on iOS because of the limited memory and all that, they will preload a whole bunch of libraries. That's important because if you control one of these libraries that's preloaded, then you can take control of the whole system. One of the preloaded libraries is the image processing library; that's actually what the 9.3.4 update

supposedly addressed. So this is where this becomes important when it comes to taking control of the system. Now before I go too far in the EFI section, here I list Psystar and Rebel EFI. Back when Jobs was still alive, one of the things that he hated the most was the idea that somebody would take one of his iPhones and install Android on it. That actually happened; it's called the iDroid, you can still look it up, there are still pictures of it, there are still some people that keep one around. Of course they're super old by now, but that kicked off an entire row of... that's where the jailbreaking, the anti-jailbreaking, and everything

else comes out. Now, Psystar versus Rebel EFI: Rebel EFI, that was a company that came... Psystar was a company that started up, and this was around the same time that Apple also went to selling their devices on regular x86 Intel chips. So Psystar had this bright idea: all it is that boots the system up is the EFI; all it has to do is get control to the kernel, and once the kernel takes over it does all it needs to do. So they decided to write a boot loader, an EFI, just to get that to work on any hardware that Apple, or

any x86-compatible hardware. So, Hackintosh. These were the guys that started up an entire company just for selling Hackintoshes, and it went all the way up to the Supreme Court, and the Supreme Court ruled that the bootloader is copyrighted. This is why your iOS device is able to resist jailbreaking attempts now, because of this ruling. So as long as this ruling stays in place, they control the entire stack of the iOS device, not the OS, not the laptop. So that's where the difference as far as boot loading begins and ends, and this is important because if Apple can guarantee everything from boot through

the kernel for the iOS device, then a lot of these other security practices that they have in place, you can be sure that they're giving you good information, not false positives. We'll get into that in a second. The boot process also handles launchd, which we'll get into in a second. launchd is the mecca: everything that auto-starts on a Mac starts through launchd. launchd is the init of the Linux world, so everything runs as a subservice of launchd. launchd loads what are called plist files, and that's either XML or they could be compiled. On iOS they usually are compiled, but on your OS X

device, on your laptop, they're usually just plain text, which means you can just scan through them and see what they're doing. This is what handles regularly scheduled jobs; it also handles pretty much any loading of kexts, kernel extensions, also drivers, so any of that stuff goes through launchd, usually specified in plists. So another aspect of this in the boot is the FireWire DMA. How many of you have heard of the FireWire DMA attack? It came out several years ago, yeah. So it's interesting how many of these vulnerabilities exist and then they're quietly patched. Anyway, Mac security usually gets swept under the rug, so for whatever it's worth.
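Since launchd plists are where auto-start persistence lives, here is an added example (not from the talk) of scanning them the way the speaker suggests: parse the plist, pull out what runs and when, and flag the things a responder would look at first. The two sample plists, the paths and the heuristics are constructed for the demo; plistlib reads both the XML form found on OS X and the compiled binary form used on iOS.

```python
"""Audit launchd property lists (LaunchAgents/LaunchDaemons) for persistence.

launchd starts everything that auto-starts on a Mac from plist files. On OS X
they are usually XML text; on iOS they are compiled (binary). plistlib reads
both encodings, so the same triage works on either.
"""
import plistlib
from pathlib import Path

# Constructed sample plists for the demo; not taken from any real system.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/.cache/helper</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Assumed heuristic: a persisted executable living somewhere an ordinary user
# can write to deserves a look, especially when the label claims to be Apple's.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")


def parse_launchd_plist(data: bytes) -> dict:
    """Reduce a launchd plist (XML or binary) to the fields that matter for triage."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    return {
        "label": plist.get("Label"),
        "program": program,
        "args": args,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),
        "start_interval": plist.get("StartInterval"),
        "start_calendar": plist.get("StartCalendarInterval"),
    }


def suspicious_reasons(info: dict, plist_path: str = "") -> list:
    """Heuristic flags; an empty list means nothing stood out, not that it is clean."""
    reasons = []
    program = info["program"] or ""
    if not program:
        return ["no Program/ProgramArguments: nothing to run (malformed)"]
    if program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"executable in user-writable location: {program}")
    if any(part.startswith(".") for part in Path(program).parts[1:]):
        reasons.append(f"executable under a hidden (dot) directory: {program}")
    label = info["label"] or ""
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        reasons.append(f"Apple-style label '{label}' outside /System")
    if info["run_at_load"] and info["keep_alive"]:
        reasons.append("RunAtLoad + KeepAlive: relaunches if killed, typical of persistence")
    return reasons


def audit_directory(directory: Path) -> dict:
    """Map each *.plist in a LaunchAgents/LaunchDaemons directory to its reasons."""
    results = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            info = parse_launchd_plist(path.read_bytes())
        except Exception as exc:  # unreadable or not a plist at all
            results[str(path)] = [f"unparseable plist: {exc}"]
            continue
        results[str(path)] = suspicious_reasons(info, str(path))
    return results


def demo() -> dict:
    """Run the heuristics over the two constructed samples, in XML and binary form."""
    # Re-encode the suspect plist as a compiled (binary) plist, the form iOS
    # uses, to show that parsing and triage are identical for both encodings.
    binary_form = plistlib.dumps(plistlib.loads(SUSPECT_PLIST), fmt=plistlib.FMT_BINARY)
    agent_dir = "/Users/alice/Library/LaunchAgents/"
    return {
        "benign": suspicious_reasons(parse_launchd_plist(BENIGN_PLIST),
                                     "/Library/LaunchAgents/com.example.updater.plist"),
        "suspect_xml": suspicious_reasons(parse_launchd_plist(SUSPECT_PLIST),
                                          agent_dir + "com.apple.softwareupdate.helper.plist"),
        "suspect_binary": suspicious_reasons(parse_launchd_plist(binary_form),
                                             agent_dir + "com.apple.softwareupdate.helper.plist"),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or ["nothing flagged"])
```

On a real machine, point audit_directory at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; the /System directories are Apple's own and are the baseline to compare against.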

So the FireWire DMA, DMA for direct memory access: the FireWire standard says that anything connected by FireWire can just read and write the memory on whatever device it's connected to, which is an obvious problem. This could also be considered an evil maid attack, but Mac's solution to that was, when the device boots up, if it has a password set, then direct memory access is not... If the device has already booted up and then you connect something like a FireWire device to it, then you can do whatever you want to with it. Now if the device is already booted up and you're

... they usually have other controls in place, so it's not as bad as you may be thinking. But another aspect of this is when you're charging your device or you're connected through iTunes and you're syncing your device and all that, the boot process plays a role there. So to move on, I kind of want to get through the kernel real quick. It's kind of dense, but I want to get to the package and application stuff. So the kernel is another attack surface. An interesting note about the OS X kernel: this is the logo for the OS X kernel, XNU, but most people don't know this, it's

not distinctly Mac. It's actually a hybrid of, well, BSD, which could be considered like the new interface, it's the POSIX interface, and then there's Mach, a Mach kernel. The Mach kernel was developed at NeXT. If you remember your Apple history, Jobs goes over to NeXT; NeXT has some really awesome technology including Mach. They also had the precursor to what we use now for Xcode and a bunch of other cool stuff, Interface Builder. So Mach was a microkernel. Has anyone ever heard of a microkernel? So there are basically two: you either have a monolithic kernel that handles all the device access, or a microkernel that's split up into multiple

pieces. The problem with a microkernel is that if you have a bunch of pieces that are all sitting there in memory and they're not tightly integrated, they're not all in the same address space. The promise of a microkernel is we pass messages to all these other places, and so the whole system doesn't fail if one piece fails. So if your device does something crazy and it writes memory the wrong way, the entire computer's not dragged down. However, the problem that you run into with microkernels is that they end up being really slow, so Apple has spent a lot of engineering fixing that problem. It's a

really good... the idea is academically sound; the problem is in the real world we're not willing to wait for our devices just on the promise that it makes it more secure. So it's because of these compromises that some security flaws have come up, and there are really good presentations on a lot of these security flaws, and I have links to them towards the end, so I'll run over this stuff while I'm talking, but hold on, there are handouts later. The last aspect is the Mach-O format. It's similar to ELF, ELF being the binary format that Linux uses natively, but the biggest difference is native

code signing support. This means that... some other random trivial details: the magic bytes are cafebabe, which is the same as the Java class file, which I think kind of fueled the feud between Apple and Java to some degree, just because it's aggravating that the binaries contain the same magic bytes; you had to read a little bit more of it to figure out what it was. So the fact that Mach-O supports code signing natively is a fundamental piece of OS X security. So have any of you ever tried developing applications for OS X or iOS? Anybody? You have to pay. So, a simple cultural change: I've developed

applications for both Android and iOS, and I released the one for Android to the Play Store. So releasing something to Android's Play Store costs about, well, it's actually free; you can release it all for free and you don't have to pay anything. Apple though, last time I checked, was about $100, and I used to get really, you know, why is it $100? The reason is because in order to run anything on an iOS device it has to be signed by Apple themselves, so they can restrict it. That's why you can't do sideloading or anything else on an iOS device, and remember, since they control the boot, they control everything below it. They could do the

same thing for OS X, but most of us use our Macs for, you know, most of us install third-party applications for Mac, although they're moving in that direction for OS X. The next version of OS X, macOS, is going to have not only... so in macOS now, or OS X now, code signing is required, or is turned on by default; you have to explicitly disable that. No, that's in macOS. So the Mach-O format was designed to work with that Mach kernel, and inside of it, it has some pretty solid engineering principles, but of course the performance problems plagued it for a while. One of the things that they came

up with to bypass some of that performance problem was the concept of ports, and they're not networking ports, and it's not even really a port in the sense that you're communicating, well, you're communicating, but it's not over a wire. This is intra-kernel communication, and the idea is that with a Mach-O binary you can request a service be performed by somebody. So I need Maps to do something, and you send it through the kernel, and then Maps in the kernel says, I have the ability to handle that, here is a hook into my memory space, go do something. A recent vulnerability that was actually released at Black Hat this year, last

year, was basically DoSing the kernel and capturing one of those hooks, and then of course if you provide the running program with a hook into your code, then you own the entire program. So these are like native vulnerabilities. Now I have not seen malware in the wild take control of that, but like you know, it's what you don't know that's going to bite you. Other interesting things about the Mach-O format are that it natively supports a universal binary format, and up until two versions back of OS X there were some traces of PowerPC code that were still bundled in the binaries, which is kind of weird because they

haven't sold those in a really long time. Another aspect of Mach-O is the notion of resource forks. The best way to describe resource forks is like how in a Windows environment an EXE could provide certain resources that the OS could look at; an icon was the most popular example. A similar thing exists for OS X, with the exception that on OS X everything can have resource forks. This is actually a native thing that's supported by the file system, or it's supported by the OS itself. Which brings me to software installation. So when I first transitioned over to Mac, the installation process, I found it to be aggravating because I

was used to there being a formal install program; it puts things on the disk and you know where it needs to go, and then usually Windows programs came with a formal uninstall program which actually took it all back out, and there's that nice Add/Remove Programs. Well, the difference in Mac is applications are just binaries, or the most common thing that you'll see in your Applications folder are application bundles, which is really just a folder with a .app extension. Natively, Mac loves working with archives; that's actually supported transparently in the kernel, a bunch of different compression formats. DMG is one of the native ones; it's basically an ISO file that you can

mount, and you're mounting it from the system. That's why all these mounts show up when you go to install stuff, and then you drag that over into the Applications folder, and all you're doing is overriding whatever was there. So some of the problems with DMG: there are really no magic bytes to determine whether a file is a DMG. For those of you who are doing network security and you really want to find out fast what type of file is being downloaded, the bad news is, for the DMG, the only spec is the last 512 bytes of the file will have, I think it's 'koly' or something, in the last 512

bytes of the file, so you would have to go through the entire file just to get to the very end and see if it's a DMG. Now the way I've gotten around it is most DMGs are packed as bzip files, and so we'll get to... yeah, most of them are packed bzip files. So DMG is natively compressed, and because it's natively compressed it also supports native encryption. In fact, when you go to update your iOS device, what you're doing is downloading a DMG, and the system is basically pointing to that DMG as the mount point the next time the device boots up. So when you see the "updating macOS" whatever, it's coming from a DMG file. Now
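The two identification problems the speaker raises, the shared cafebabe magic of Mach-O fat binaries and Java class files, and the DMG that can only be recognised by its trailer, are worked through in this added example (mine, not the speaker's). The Mach-O and xar magic values are the real ones; the cafebabe disambiguation threshold is an assumption stated in a comment, and every sample file is a constructed byte string rather than a real binary.

```python
"""Identify Mac-native file types without streaming the whole file.

Mach-O, fat (universal) binaries and xar archives carry leading magic; a DMG
has none and is recognised only by a 512-byte 'koly' trailer at the very end,
so we seek to the end instead of reading everything in between.
"""
import io
import struct

# Leading magic values for Mach-O (<mach-o/loader.h> and <mach-o/fat.h>).
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit, either byte order on disk
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit, either byte order on disk
FAT_MAGIC = 0xCAFEBABE                             # universal binary; also Java .class
XAR_MAGIC = b"xar!"                                # xar archive, the usual PKG container
BZIP2_MAGIC = b"BZh"                               # bzip2 stream
KOLY = b"koly"                                     # DMG (UDIF) trailer signature
DMG_TRAILER_LEN = 512

# Assumed heuristic for the cafebabe clash: a Java class file stores minor and
# major version in the 4 bytes after the magic and major is at least 45, while
# a fat header stores a tiny architecture count there, so a big-endian value
# above 30 is treated as Java (the same threshold libmagic applies).
JAVA_VERSION_THRESHOLD = 30


def identify_header(head: bytes) -> str:
    """Classify from the first 8 bytes; 'unknown' when no leading magic matches."""
    if len(head) < 8:
        return "unknown"
    magic, following = struct.unpack(">II", head[:8])
    if magic == FAT_MAGIC:
        if following > JAVA_VERSION_THRESHOLD:
            return f"java-class (major version {following & 0xFFFF})"
        return f"mach-o-fat ({following} architectures)"
    if magic in (MH_MAGIC, MH_CIGAM):
        return "mach-o-32"
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        return "mach-o-64"
    if head.startswith(XAR_MAGIC):
        return "xar (pkg payload)"
    if head.startswith(BZIP2_MAGIC):
        return "bzip2 (check the trailer: may be a compressed dmg)"
    return "unknown"


def has_dmg_trailer(fileobj) -> bool:
    """Seek to the last 512 bytes and look for the UDIF 'koly' trailer."""
    fileobj.seek(0, io.SEEK_END)
    size = fileobj.tell()
    if size < DMG_TRAILER_LEN:
        return False
    fileobj.seek(size - DMG_TRAILER_LEN)
    return fileobj.read(len(KOLY)) == KOLY


def identify(fileobj) -> str:
    """Two reads, head and tail, are enough: the trailer decides DMG, the head the rest."""
    fileobj.seek(0)
    kind = identify_header(fileobj.read(8))
    if has_dmg_trailer(fileobj):
        return "dmg"
    return kind


def constructed_samples() -> dict:
    """Synthetic byte strings shaped like each format; none is a real file."""
    fat = struct.pack(">II", FAT_MAGIC, 2) + bytes(40)        # fat_header with 2 arches
    java = struct.pack(">IHH", FAT_MAGIC, 0, 52) + bytes(16)  # minor 0, major 52 (Java 8)
    macho64 = struct.pack("<I", MH_MAGIC_64) + bytes(28)      # little-endian x86_64 header
    dmg = BZIP2_MAGIC + b"91AY&SY" + bytes(1000) + KOLY + bytes(DMG_TRAILER_LEN - len(KOLY))
    xar = XAR_MAGIC + struct.pack(">H", 28) + bytes(26)
    return {"fat": fat, "java": java, "macho64": macho64, "dmg": dmg,
            "xar": xar, "text": b"hello world\n" * 100}


def classify_all(samples=None) -> dict:
    """Run identify() over each sample and return name -> classification."""
    samples = constructed_samples() if samples is None else samples
    return {name: identify(io.BytesIO(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, kind in classify_all().items():
        print(f"{name:8} -> {kind}")
```

For files on disk, pass an open binary file object to identify(); the same head-plus-trailer logic applies and nothing between the two is read.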

the closest we get to an installation program in the Apple world is a PKG. PKGs are DMGs wrapped with, basically, scripts, so there's a bill of materials that's involved there. I'll give you an idea, well, no, we'll get to that in a second. So PKGs are usually natively compressed in the xar format; by spec it doesn't have to be xar. So xar is, most people use tar and gzip together; well, xar just combined both of them. It's actually kind of cool. And then the last common way to install applications is through the App Store, which is doing the same thing the others are, except they're signed and it enforces code signing down

the line. So now that I've sufficiently pointed out how many things can go wrong with Apple, I wanted to dial this back, because this doesn't need to be a code red. Most of us went into this thinking that our iOS devices and OS X devices were generally secure, and they are, and here are the things that Apple has tried to do. So on the bootloader, which enforces Apple's walled garden, there is the FileVault system; that is what protects the whole-disk encryption. This is also, if you have a password set on your device, and I encourage you to go in, boot your device into maintenance mode, and at least put a password on it,

because that blocks a whole lot of threats like direct memory access. It also thwarts some other physical access issues for your iOS device; it blocks plugging in, you know, the evil plug attacks, and somebody already tweeted today about the charging station out there and the possibility of that being an evil plug attack. Having a password on your device would actually mitigate some of that, especially your iOS device. Of course, Apple was one of the first ones to provide ASLR, address space layout randomization, everywhere, on every part of their system, whereas with others it was kind of slowly rolled out over time; theirs was almost a sea

change overnight, everything is ASLR. Gatekeeper: Mach-O binaries also have what are called file attributes; this is part of the file system itself. Each file can have any number of attributes; most of them only have a handful or so. So Gatekeeper is, when you download an application or binary from the Internet, it's tagged as "this came from the Internet," and then Gatekeeper is what throws up the dialog to say you downloaded this from the Internet, are you really sure you want to run it? And you've probably seen where you can't just double-click on it, especially in Safari; you have to go find it and right-click on it, Open,

and it's a behavioral thing, but these are the types of protections that are going on in the background. Another one is File Quarantine, which works along with Gatekeeper. XProtect: there's actually a hash lookup service in OS X. So a lot of these viruses, the reason why... so there was the 600,000, and after that is what spurred Apple on to quickly put out all of these pieces, so a lot of the viruses I'll show you towards the end here, that you should still keep an eye out for, they don't have the penetration of the first one, because Apple themselves can remotely convict hashes. So, XProtect, and

then what's coming up next is sandboxing. Sandboxing is already baked into the kernel; they're still working out some bugs with it. Basically, containerization in the Apple environment: applications that are installed via the App Store are run in sandboxes, so it's not just that it's signed. And that's another part of it; another built-in protection is application signing. It's really hard to get somebody's code signing certificates, although that is something that has happened as well. So, last part, the application firewall: any code that is installed that is not signed is subject to the application firewall, and if it thinks that your application is doing something

particularly bad, for example if you're running IntelliJ, or you know, if you're writing an application and you're trying to run it and you run it on one of the privileged ports below 5,000 I think, or no, below 6,500, yeah, then it complains about that. However, if it's signed, a lot of those restrictions fall away, and that's why Mac malware now seeks, the most attractive target is signed applications where the developers are kind of careless with the keys. So with that, I wanted to go over just a survey of Mac malware, and this is the popular Mac malware. This is the type of stuff that you'll run into when, you know,

like my daughter comes to me, these are the types of things that I'm worried about actually being on her system. MacKeeper is the number one, because the number one attack vector is developers who don't have tight control over their security, their code signing practices. Companies that are kind of shady in the first place, like MacKeeper, are going to be the number one targets for malware. So they've come out with a lot of press releases; MacKeeper is an actual company, but they've come out with press releases saying that people have just been tarnishing their name and releasing malware under their name and it's not them. Well, the reason why they're being picked on is because

they're careless with their keys and their code signing. So because of that, MacKeeper is usually the source of a lot of adware. It's not necessarily malicious; most places that you'll see on VirusTotal will classify it as PUA, potentially unwanted application, and like I said, most of the stuff is kind of in a shady realm. OpinionSpy is another one in that same category. Well, this one really does cross the line into malware; it'll stream information back, not necessarily information, but it's getting there, and that's important because we'll get to a later stage that is actual full malware. Eleanor came out about four or

five months ago, and that was a true backdoor, capturing, command and control. Its reach, though, was pretty limited, maybe 10 to 20,000 for it, because Apple has done a good job so far of locking down these threats. Remember my theory from the beginning that Mac is the staging ground; OS X is the staging ground for what goes on in iOS. The real difference between iOS and, well, there are very few differences between iOS and OS X. So moving along, you've got WireLurker, which actually targeted both iOS and Mac, installs malicious applications, and actually steals personally

identifiable information. And it also tried, many of these viruses seek out other things that are installed on the system, and this one was no different: it looked for a program, I just blanked on the name, it's a Mac firewall client, we'll get to that in a second. Little Snitch, yeah, Little Snitch is a number one target for a lot of these applications. So just a plug for those guys, because if the malware is targeting it, it's a good indication that it's pretty good and pretty capable of blocking a lot of this bad stuff. Mac Defender is another one, phishing. KeRanger, like I

mentioned before, is ransomware, and then you've got several others. So like I said, the

... oh, there we go. There's also the Pegasus exploit, which also affected iOS, and Adwind RAT. Keydnap, that was the one that I was thinking about; Keydnap is the next evolution, and that came out in August, sorry, it was a little bit after I put these slides together. Keydnap came out and it actually dumps credentials from, or tries to dump credentials from, the keychain. There are actually proofs of concept for attacking the keychain as well, scripts that you can use, and we'll get to that in just a little bit. But before I go on, there are actually a few other slides, or a few other, not slides, but I mentioned

earlier that applications that were poorly developed end up being the attack Vector so going forward what you should really look for is so the sparkle updator back in February a researcher noticed that um anything using the sparkle updator which there's a lot of open- source utilities you know people use the same sort of Transport media and other commonalities so VC is a good example of this it uses something called Sparkle update so you can um as in most things in security if you you can secure everything that you know about but if the application itself is doing bad things then it makes it a lot harder for Apple to come along and say you know this is

bad so several applications have gotten into the habit of updating themselves not waiting for the user to go to the app store or anything else so so VC is one of those it'll say you know an update's available would you like to go do that and what it did what it did was it would download the the DMG package and then um shut itself off transfer that in the background and BR and boot it back up so uh there was not an active malware that took advantage of this and what I'd like to really convey too is that a lot of Mac malware is pretty immature based on what we've seen from Windows malware so

Mac malware uh this was this was a vulnerability in the um Sparkle update a lot of other um utilities use this as an auto update feature um it it was a vulnerability because it used HTTP instead of htps so it could be hijacked to go to any other place and download an update from there one that just came out recently like just came out recently was Dropbox um Dropbox actually with without letting you know installs into the accessibility tab a hook that they've put there and the reason why that's bad is because they effectively have root privileges on the box and a lot of their stuff when they when they're installing and it's not really clear to the user you're not just

giving it the ability to install you're also giving it the ability to control your system this is a vulnerability not an act of exploit but if it does become an exploit then of course Dropbox would be a a source of Mal now they did respond today and I was just reading it um 15 hours ago and I was just reading a little bit of it earlier but I'm pretty sure they'll have a good explanation on why they need those why they need that access my point is applications themselves um and the Developers for those applications are are the targets today for Mac malware another um Source I mentioned the fir um direct memory access So Physical

vulnerabilities also include USB so um this was another proof concept issued recently um and the basic idea is a USB device that presents itself as so it presents itself as a network device and because of the way that the kernel extensions are loaded it um it the first thing Mac does it has the bonjour service and asks the device you know do you have any you have any network services so it'll run DHCP discovery on a new what it sees as a network device and so you can have a USB device that presents itself as a network device and then also runs a DHCP server and that can bypass security consideration or security controls back up to back up

through the kernel so and it's interesting that this ends up being a um a crossplatform attack both Mac and windows
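The two application-side weaknesses the speaker describes above, Sparkle update feeds fetched over plain HTTP and an application holding the Accessibility privilege, can both be checked on a host. The script below is an added example, not code from the talk or from any project it mentions. It assumes the standard `/Applications` location for app bundles, the usual location of the system TCC database, and the `allowed` / `auth_value` column names of its `access` table; all sample plists and database rows are constructed so the script runs offline.

```python
"""Two host checks for the update and accessibility weaknesses discussed above.

1. Sparkle feeds: a Sparkle-based app declares its appcast under the SUFeedURL
   key in Contents/Info.plist. A plain http:// feed can be rewritten by anyone
   on the network path, so it is flagged as insecure.
2. Accessibility grants: applications holding the Accessibility privilege are
   recorded in the TCC database. Listing the holders lets unexpected ones be
   reviewed.

Paths and the TCC column names are assumptions (not from the talk); the sample
data at the bottom is constructed.
"""
import plistlib
import sqlite3
from pathlib import Path

APPLICATIONS_DIR = Path("/Applications")  # assumed default bundle location
TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")  # assumed; reading it needs admin rights
ACCESSIBILITY = "kTCCServiceAccessibility"


def audit_sparkle_plist(plist_bytes: bytes, app_name: str) -> dict:
    """Classify one Info.plist as 'no-sparkle', 'ok' (https feed) or 'insecure'."""
    info = plistlib.loads(plist_bytes)
    feed = info.get("SUFeedURL")
    if not feed:
        return {"app": app_name, "feed": None, "status": "no-sparkle", "signing_key": False}
    scheme = feed.split(":", 1)[0].strip().lower()
    return {
        "app": app_name,
        "feed": feed,
        "status": "ok" if scheme == "https" else "insecure",
        # SUPublicDSAKey is Sparkle's update-signing key; recorded for information only.
        "signing_key": "SUPublicDSAKey" in info,
    }


def audit_installed_apps(apps_dir: Path = APPLICATIONS_DIR) -> list:
    """Live use: walk *.app bundles under apps_dir and audit each Info.plist."""
    results = []
    for app in sorted(apps_dir.glob("*.app")):
        plist = app / "Contents" / "Info.plist"
        if plist.is_file():
            results.append(audit_sparkle_plist(plist.read_bytes(), app.name))
    return results


def accessibility_grants(conn: sqlite3.Connection) -> list:
    """Return client identifiers granted Accessibility in a TCC database.

    Older databases record the decision in an 'allowed' column (1 = granted);
    newer ones use 'auth_value' (2 = allowed). Both layouts are handled; the
    column names are an assumption about the schema.
    """
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    if "auth_value" in cols:
        cond = "auth_value = 2"
    elif "allowed" in cols:
        cond = "allowed = 1"
    else:
        raise ValueError("unrecognised layout of the TCC 'access' table")
    rows = conn.execute(
        f"SELECT client FROM access WHERE service = ? AND {cond} ORDER BY client",
        (ACCESSIBILITY,),
    )
    return [r[0] for r in rows]


def open_tcc_db(path: Path = TCC_DB) -> sqlite3.Connection:
    """Live use: open the real database read-only."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


# --- constructed sample data so the checks can be exercised offline ---
SAMPLE_PLISTS = {
    "Player.app": plistlib.dumps({"CFBundleIdentifier": "org.example.player",
                                  "SUFeedURL": "http://updates.example.org/appcast.xml"}),
    "Editor.app": plistlib.dumps({"CFBundleIdentifier": "com.example.editor",
                                  "SUFeedURL": "https://updates.example.com/appcast.xml",
                                  "SUPublicDSAKey": "(constructed placeholder key)"}),
    "Notes.app": plistlib.dumps({"CFBundleIdentifier": "com.example.notes"}),
}


def sample_tcc_db() -> sqlite3.Connection:
    """In-memory TCC look-alike using the older 'allowed' column (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, allowed INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (ACCESSIBILITY, "com.example.syncclient", 0, 1),
        (ACCESSIBILITY, "com.example.windowmanager", 0, 1),
        (ACCESSIBILITY, "com.example.denied", 0, 0),
        ("kTCCServiceOther", "com.example.syncclient", 0, 1),
    ])
    return conn


def run_sample_audit() -> dict:
    """Run both checks over the constructed data and collect the findings."""
    insecure = []
    for name, plist_bytes in SAMPLE_PLISTS.items():
        if audit_sparkle_plist(plist_bytes, name)["status"] == "insecure":
            insecure.append(name)
    return {"insecure_feeds": insecure, "accessibility": accessibility_grants(sample_tcc_db())}


if __name__ == "__main__":
    print(run_sample_audit())
```

On a real machine, `audit_installed_apps()` and `accessibility_grants(open_tcc_db())` replace the sample calls; the point of the second check is that every entry it returns can drive the user's keyboard and windows, so each one should be recognised and wanted.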

So, thanks for attending. There are three things I wanted to point out. The handouts are available at this address, and I'm going to leave this up there; I'll also tweet it out later. There was an enormous amount of material for this talk, and if nothing else I want to leave you with the notion that Mac malware is a rich field. The technology that Macs are based on is 30 years old in some cases; it's old, it is battle-tested, but there's still a lot of security research that is yet to be done on it. We're just scratching the surface on this. This year we had security researchers turn their eye to the Mac more so than in other years, and they found three, you know, several vulnerabilities in rapid succession, and I think that we're just starting to see people take the Mac seriously as a target. In fact, to kind of bolster that argument, Apple a couple of months ago announced a bug bounty program, which they had been adamantly opposed to before. Now they will pay $200,000 if anybody finds a vulnerability in the kernel, which again, you own the kernel, you own the entire system. However, a security company came out right after that and said that they would pay 500,000 for a kernel vulnerability. Now that all sounds well and good, but if you go back, and I encourage you to read this, actually I'll leave this slide up, but I encourage you to read it: the NSO group licensed their stuff for 600,000. So it's the law of supply and demand; Mac vulnerabilities are highly valued now. Because they're highly valued, the good news for the average person is they're probably not going to target you with a highly valued piece of malware; you're probably just going to get adware instead. However, pay attention to what's running on your Mac.

Utilities: I didn't have time to get to these utilities, but two that I wanted to point out, well, no, just pay attention to what goes on in the OS X Security Awesome list and the Homebrew tap. Anybody who's using a Mac probably uses Homebrew anyway, so I set up this Homebrew tap for a bunch of utilities. They're not necessarily security, but they could be used for forensics. One of them is a launchd command that you can go through and dump out what's been running. For example, this is the launchd command, Lian X, and here's everything that starts on my system at startup. But to give you an idea of the attack surface that's on a Mac, if I look at all the system stuff that started up, then all of a sudden we'll have to start scrolling for a while. Every one of these could have something going on with it, just to give you an idea. Now, not all of them are, I mean they're pretty well put together anyway, but you still probably want to know what's on your Mac. The good news, versus Windows, so the Windows versus Mac malware environment, is that it's really kind of transparent on the Mac what's running: if it's not in launchd, it doesn't run.

So with that I'll open the floor up for questions, and let me switch back to the slide. So you have time for about one question. Okay, any burning question? Okay, so I've got to figure out a question to ask. Does anybody know, can anybody name the debugging utilities in OS X, or in Xcode? Do I have any Xcode developers in here at all? No? Yeah, good luck with that. Yeah, let me try to scale that back down a little bit, sorry. So it's not GDB, is it? No, well, GDB is one of them, but it's not... Yeah, there was a whole other kernel stuff, because, like GDB, Apple actually ships their own version of GDB so that you don't interrupt with their other stuff. They also ship their own version of malloc, weirdly enough. So, you know, other stuff. Yes, sorry, Valgrind? No, no, there's actually Instruments, is what I was thinking about, Instruments and all that stuff. How about you? Need help with a question? Yeah.

What was the... there was a web-based storage product that installs a little app that effectively gives that app privileges? There we go. I heard three people, but I heard hers was the loudest. I think, one, one, one: the loudest, and one, you get the first choice. You want iOS Application Security? All right, over here gets iOS Application Security, which I told Phil earlier that that's on my ship to you now.

Yeah, we still have time for one more question, if anybody hasn't... otherwise get out of the way for the next. Yes? You said there was a mitigation, put a password on something for when people plug in; that password was for what service? So if you go into the BIOS on the OS and set a password there, plugging in, you know, evil maid attacks, where you plug in devices, that gets blocked. Otherwise I can't block it because it's just, it's a password basically where you can set a password. Thank you, Wes, very much, appreciate your time.
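The launchd inventory the speaker demonstrates near the end of the talk ("if it's not in launchd, it doesn't run") can be reproduced with a short parser over `launchctl list`, which prints tab-separated PID, Status and Label columns, plus a reader for the LaunchAgents/LaunchDaemons plists that define each job. This is an added example, not code from the talk or from the speaker's Homebrew tap; the sample `launchctl list` output and the sample job plist are constructed, and the split between Apple and third-party jobs is based only on the `com.apple.` label prefix.

```python
"""Inventory launchd jobs and separate Apple's own from everything else.

Reads the tab-separated output of `launchctl list` (PID, Status, Label) and the
plist that defines a job. Sample data below is constructed, not captured from a
real machine; treating every non-com.apple label as third party is a heuristic.
"""
import plistlib
import subprocess

# Constructed sample of `launchctl list` output ("-" means the job is not running;
# Status is the last exit status, negative when the job died from a signal).
SAMPLE_LAUNCHCTL_LIST = (
    "PID\tStatus\tLabel\n"
    "-\t0\tcom.apple.SafariHistoryServiceAgent\n"
    "312\t0\tcom.apple.Finder\n"
    "-\t78\tcom.apple.quicklook\n"
    "451\t0\tcom.example.firewallagent\n"
    "-\t-9\tcom.example.updater\n"
    "523\t0\thomebrew.mxcl.redis\n"
)


def parse_launchctl_list(text: str) -> list:
    """Turn `launchctl list` output into a list of job dicts."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("PID\t"):
            continue  # blank line or header
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # defensive: ignore rows that do not have the three columns
        pid, status, label = parts
        jobs.append({
            "label": label,
            "pid": None if pid == "-" else int(pid),
            "last_exit_status": int(status),
            "apple": label.startswith("com.apple."),
        })
    return jobs


def third_party_labels(jobs: list) -> list:
    """Labels that do not carry Apple's prefix: the part of the list worth reading first."""
    return [j["label"] for j in jobs if not j["apple"]]


def failing_labels(jobs: list) -> list:
    """Jobs whose last run ended abnormally; a crashing job is worth a second look."""
    return [j["label"] for j in jobs if j["last_exit_status"] != 0]


def describe_job_plist(plist_bytes: bytes) -> dict:
    """Summarise a LaunchAgents/LaunchDaemons plist: what it runs and when."""
    job = plistlib.loads(plist_bytes)
    program = job.get("Program")
    args = job.get("ProgramArguments") or ([] if program is None else [program])
    return {
        "label": job.get("Label"),
        "command": args,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),
    }


def live_jobs() -> list:
    """Live use on a Mac: run launchctl and parse its output."""
    out = subprocess.run(["launchctl", "list"], capture_output=True, text=True, check=True).stdout
    return parse_launchctl_list(out)


# Constructed sample job definition, the kind of file found under ~/Library/LaunchAgents.
SAMPLE_JOB_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--background"],
    "RunAtLoad": True,
    "KeepAlive": True,
})


if __name__ == "__main__":
    jobs = parse_launchctl_list(SAMPLE_LAUNCHCTL_LIST)
    print("third party:", third_party_labels(jobs))
    print("failing:", failing_labels(jobs))
    print(describe_job_plist(SAMPLE_JOB_PLIST))
```

The two lists the script produces are the ones a reviewer actually reads on a machine with hundreds of launchd entries: what is not Apple's, and what keeps crashing. For each third-party label, `describe_job_plist` on the matching plist shows the exact command it runs and whether it starts at login, which is the information needed to decide whether it belongs there.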