or Connect
AppleInsider › Forums › Software › Mac OS X › Rumor: Undisclosed security breach cause of Apple's new Gatekeeper app signing policy
New Posts  All Forums:Forum Nav:

Rumor: Undisclosed security breach cause of Apple's new Gatekeeper app signing policy

post #1 of 7
Thread Starter 
A report on Monday suggests Apple's recently modified OS X app signing policy is the result of an undisclosed Developer Portal security breach that leaked keys for multiple services, including Gatekeeper.




Noting tweets by user @SomeoneSW and one corroborating source, TUAW claims Apple's newly instituted policy forcing developers to re-sign app credentials is the result of a security breach that not only released Gatekeeper keys, but also "many other keys for many other things."

As seen in the tweets embedded below, @SomeoneSW, whose account was seemingly created today, claims inside knowledge of a data breach that released "virtually every key Apple used for anything." The Twitter user said they were approached with a proposal to buy said keys shortly after the undisclosed theft.

Apple could not be reached for comment on the issue.

August 18, 2014

August 18, 2014


According to the publication, also pilfered was Apple's Enterprise Signing Key, an asset used to sign activation tickets for bypassing iCloud locks. This particular key was used in a previously reported iCloud exploit that supposedly allowed hackers to defeat Activation Lock, the anonymous Twitter user said.

Gatekeeper is a security tool first offered in OS X 10.8 Mountain Lion that protects users from malicious software by placing restrictions on app installation. At its default setting, for example, Gatekeeper allows installation of apps from the Mac App Store and titles signed by developers who have registered through company's Developer ID Program.

The supposed Developer Portal breach would technically let nefarious users sign malicious apps as kosher, prompting Apple to change the way apps are recognized by Gatekeeper in OS X 10.9.5 Mavericks and the upcoming OS X 10.10 Yosemite.
post #2 of 7

Sorry I have to say that but : duh!

 

I don't see any other reason that could explain the change.

 

Edit: Just to be clear, I'm not complaining about the article as it does bring some interesting new information. But obviously, a security issue was the reason behind the code signing change.

post #3 of 7
If true I am a little disappointed in Apple! If you remember that breach Apple took the dev portal down and then the iCloud in Australia incidents happened so its all lining up together. At the time Apple recommended every one change your password and don't use the same password on all websites. Did Apple lie or is it just a coincidence that all these these things happened in an order and this is now leaked to confirm it?

Thing that is odd it was only random people in Australia, it wasn't everyone all over the place. So it doesn't sound legit there.

Not sure what to think!
post #4 of 7

one question though. as I understand it this need to resign apps is tied to the whole 10.10 release. As in if you don't do it then your app even if in the MAS won't pass through gatekeeper. 

 

but if this was tied to some security breach 'a while ago' wouldn't they have demanded the resigning of apps and now. Why have folks potentially in danger cause of the swiped keys for weeks

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply
post #5 of 7
For the past several years now, the Public Key Infrastructure (PKI) of every certificate authority in the world has been under attack by hackers (known and unknown) attempting to steal the private signing keys used to sign the client digital certificates used for SSL site identification and also the certs used for code signing. I guess this is just the latest PKI breach coming to light.

Of interest, Google's Certificate Transparency project (http://www.certificate-transparency.org/) is an attempt to detect (in near real time) SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. Google claims this also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.

I don't believe I have heard of any similar project to identify rogue certs that are being used for code signing.

A good article reviewing all the recent certificate authority misadventures is at: http://resources.infosecinstitute.com/cybercrime-exploits-digital-certificates/

A current list of 'bad' SSL certificates (issued in error or through manipulated PKI issuance) identified by abuse.ch associated with malware or botnet activities is at (https://sslbl.abuse.ch/).
post #6 of 7
Quote:
Originally Posted by cashxx View Post

If true I am a little disappointed in Apple! If you remember that breach Apple took the dev portal down and then the iCloud in Australia incidents happened so its all lining up together. At the time Apple recommended every one change your password and don't use the same password on all websites. Did Apple lie or is it just a coincidence that all these these things happened in an order and this is now leaked to confirm it?

Thing that is odd it was only random people in Australia, it wasn't everyone all over the place. So it doesn't sound legit there.

Not sure what to think!

I don't see a link to the icloud incidents to be honest - that did go a little wider than Australia but it was all traced to one individual who was caught and charged - nobody else has been able to do anything similar and the vast, vast majority of users were never affected - to me it sounds much more like he had a list of shared passwords (perhaps from some Australian based service) rather than something like this which would give him random access to the whole userbase.
post #7 of 7
Quote:
Originally Posted by OcelotWreak View Post

I don't believe I have heard of any similar project to identify rogue certs that are being used for code signing.

1) I don't know if they are using Google's service or some other method to determine if sites may have been compromised but after Heartbleed but 1Password implemented Watchtower to let you know if you should change your password.

2) Google has one user-level security option I wish Apple (and Dropbox et al.) would adopt. Besides the two-step verification they have unique codes used for eachl app on each device that will access Gmail outside of a web browser.

Quote:
Originally Posted by petri View Post

I don't see a link to the icloud incidents to be honest - that did go a little wider than Australia but it was all traced to one individual who was caught and charged - nobody else has been able to do anything similar and the vast, vast majority of users were never affected - to me it sounds much more like he had a list of shared passwords (perhaps from some Australian based service) rather than something like this which would give him random access to the whole userbase.

There isn't. These are completely separate issues.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Mac OS X
AppleInsider › Forums › Software › Mac OS X › Rumor: Undisclosed security breach cause of Apple's new Gatekeeper app signing policy