The recent breach of Apple’s App Store by malware from China is another in an ongoing series of grim reminders about the porous state of today’s security measures. While this marks the first successful major attack on this key Apple marketplace, it was really only a matter of when – not if – such a breach would occur. Just to be clear, Apple’s App Store infrastructure itself wasn’t breached. The Xcode developer toolchain was trojanized and made available through alternate sources to app developers.
According to a story in the Washington Post, “It's unprecedented for the company to have allowed so many apps with malicious code to get through its security processes.” Perhaps even more disturbing is the Post’s observation that “because the attack happened at the development stage, average consumers have no meaningful way to parse the good apps from the bad.”
Let’s quickly look at the specifics of the attack. According to security vendor Palo Alto Networks, 39 apps were affected in total, potentially exposing "hundreds of millions" of users. The culprit of the attack is a malicious program called Xcode Ghost, a forged version of Apple’s official software development program Xcode. The counterfeit “Ghost” version hides malware in legitimate apps. This is a classic example of Compiler Malware, aka The Ken Thompson Hack (pdf). Instead of trying to create a malicious app, the Xcode Ghost authors trojanized a development tool so that it inserts malware into legitimate apps at build time. To be fair, “developers who made the bad apps strayed from the approved, official Apple protocols for developing applications” according to the Washington Post article.
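As an added illustration (not code from the original post, Apple or Palo Alto Networks), here is one defender-side check aimed at the toolchain-level trust problem described above: baseline a known-good toolchain install and diff any other copy against it, flagging modified, added and missing files before anything is built with it. File names and contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large toolchain binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Baseline: every regular file under root, keyed by relative POSIX path -> SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_toolchain(root: Path, manifest: dict) -> dict:
    """Diff an installed toolchain against the trusted baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical names): baseline a clean install, then check a
    copy obtained elsewhere that has one framework altered and an extra object dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        (clean / "Frameworks").mkdir(parents=True)
        (clean / "usr" / "bin").mkdir(parents=True)
        (clean / "usr" / "bin" / "clang").write_bytes(b"constructed compiler bytes")
        (clean / "Frameworks" / "ExampleKit").write_bytes(b"constructed framework bytes")
        manifest = build_manifest(clean)

        suspect = Path(tmp) / "suspect"
        (suspect / "Frameworks").mkdir(parents=True)
        (suspect / "usr" / "bin").mkdir(parents=True)
        (suspect / "usr" / "bin" / "clang").write_bytes(b"constructed compiler bytes")
        (suspect / "Frameworks" / "ExampleKit").write_bytes(b"tampered framework bytes")
        (suspect / "Frameworks" / "extra.o").write_bytes(b"unexpected object file")
        return verify_toolchain(suspect, manifest)
```

In practice the manifest would be generated once from a toolchain obtained through the vendor's official channel and stored outside the machine being checked.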
Yet again, this raises a fundamental security question that continues to plague our industry: Despite all of the layers of security measures currently in place, why does malware continue to evade detection and inflict damage on even the most sophisticated and security-minded organizations over and over again?
We’ve been preaching for some time now that malware is a fact of life and it’s not going away. No matter how many firewalls, IDS, IPS, AV systems, and the like you throw at the problem, malware workarounds will continue to pop up like mushrooms after a downpour. As long as it remains possible for malware to maneuver around, behind or through security defenses, hackers will remain motivated to keep churning out new exploitations. Clearly, they subscribe to the notion “If it ain’t fixed, keep breaking it.”
It’s a stinging reminder that the security industry needs to move well beyond failed attempts to distinguish between “good” and “bad” content. Crazy? Indeed. For it was Einstein who pointed out that insanity is trying the same thing over and over again expecting a different outcome.