Which web site was compromised? Several reports point to "a website for mobile software developers" as "the waterhole". Is it the apple ios dev center? The android sdk site? HN?
I'd be very interested in knowing if myself or coworkers may have been exposed (or in the best case, which waterhole website I've been missing out on)
I'm very curious too, I wonder why this "waterhole" has not been publicly revealed yet? It would make it easier for others to identify whether they were exposed, and take the necessary actions to secure their workstations.
If you are running Java, Flash, most PDF readers, using any browser which doesn't update automatically, you are exposed. Not "were".
Even browser updating automatically aren't a panacea: the update itself may be corrupted by an exploit (now that would be a fiasco).
That is precisely the reason people should surf from a separate user account, using very strict firewalling rules.
"iptables -I OUTPUT -p tcp --dport 80 (and 443) -m state --state NEW -m user --user-id 501 -j ACCEPT"
Now it's too bad per-user firewalling cannot be done easily on neither Windows nor OS X.
It's also too bad one user (say the one allowed to surf the Web) cannot display its browser window(s) in another user (say your main account)'s graphical display (neither on Windows nor on OS X).
Or too bad OS X doesn't allow to run two graphical sessions simultaneously (on some version of Windows, if you pay enough, at least you can do that).
All this is trivial to do under Linux.
I'm feeling better and better using Linux as my desktop.
Now it's too bad per-user firewalling cannot be
done easily on neither Windows nor OS X.
I haven't tried this, but pf seems to have the support there, so I'm not sure why you couldn't.
It's also too bad one user (say the one allowed
to surf the Web) cannot display its browser window(s)
in another user (say your main account)'s graphical
display (neither on Windows nor on OS X).
$ su testuser
$ /Applications/Safari.app/Contents/MacOS/Safari
Seems to work for me.
Or too bad OS X doesn't allow to run two graphical
sessions simultaneously
I don’t mean to take away from your feeling good, but why is iptables ok on Linux and ipfw is too hard on OS X?
uid user
Match all TCP or UDP packets sent by or received for a
user. A user may be matched by name or identification
number.
also, since I agree that neither iptables nor ipfw are good enough as UIs, there are a number of graphical firewall apps that allow people to do very very easily filtering per user, per process, per domain, per ip, timed, with different profiles http://www.obdev.at/products/littlesnitch/
You have in one single post perfectly captured why Linux is both amazing and terrible.
(Amazing, because look what you've done! Terrible, because almost every other human on this planet could not accomplish your outcome even with guides and training...)
I see a lot of people bagging on Java but I think the real problem are the browsers. Java is the one being used in this attack but next time it could be Flash or Acrobat or any other plugin or even 3rd party Javascript scripts. The default behavior of browsers should be similar to flash-block, Ghosterly and other similar plugins: the plugin only runs when the user requests it by acknowledging the source and hitting a "play" button inside the page. No auto-loaded code should ever run.
Chrome's "click to play" plugin setting chrome://settings/content has a nice user experience, because on YouTube you click the video that you want to play instead of clicking some off menu to enable Flash on the whole domain. I think that setting should be default, but likely the AdSense team would have a throwdown with the Chromium team if that happened.
A minor point - Facebook wasn't targeted last week, they were targeted in January and it was reported last week. The timeline is important if we're going to be linking these together. I didn't see hack date info in the Reuters piece, did I miss it or was it not included?
In other news, "Windows laptop gets compromised, media responds 'And your point is?...'"
It would be nice if the attack vector were the main focus of the article, but how much publicity would "Java plugin allows Facebook and Apple to be hacked." get.
Which browser is infected? Perhaps your browser is infected.
Which browsers are affected? Any browser configured to pass along Java class files or jar archives to Oracle's Java plugin. Chrome, Safari, and Firefox are all potentially affected.
The more advanced kits detect your OS/Browser/Plugin stack and deliver exactly the exploit that will own you. It was iphonedevsdk.com that was used as the watering hole.
Shared infrastructure, use of same non-public backdoor, same tactics taken once on the box, same watering hole used, hop point includes connections from both Facebook and Apple...
Come on man. Read the Mandiant report on APT1 if you want to get schooled on how to tie groups of hackers together over different campaigns.
The authors of this piece try to make it out like it's Apple that's now become a security risk, when this hack is really Java's fault. It makes you wonder if Oracle is entirely up to the responsibility that comes along with inheriting the entire Java-sphere.
No they don't. They make it very clear that this was done by exploiting a flaw in Java.
> The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday.
That being said, even if it is Oracle's "fault", most malware works by exploiting third-party software such as Java or Flash or Acrobat - including most Windows malware. OS X may be "becoming less secure", even though OS X itself hasn't changed, due to the fact that some Java and other exploits are now being used to target OS X machines. This is all covered very fairly in the article.
Looks like the "Write Once, Run Anywhere" Java mantra is true for malware too. Pretty much any run-of-the-mill Windows PC, Mac or Linux machine is vulnerable to this.
Incorrect. Even malware targeting write-once-run-anywhere systems is rarely write-once-run-anywhere itself. The actual shellcode of the exploit is almost always native code, or a native binary dropped on the filesystem via a directory traversal bug. The attacker typically has to determine the system being attacked and use system-specific shellcode, even for system-independent vulnerabilities. The JIT or bytecode interpreter is rarely directly leveraged by the exploit code itself. In other words, the shellcode is almost never bytecode.
Write once run anywhere isn't the problem. Write once run anywhere is just a feature that greatly increases the number of machines with a given piece of vulnerable software installed. VMs also tend to be big complicated pieces of software with a huge attack surface, and tend to be written in unsafe languages (C/C++).
If 99% of all browsers used very similar versions of libpng, all with the same vulnerability, we'd see this same problem.
Software monoculture combined with poor incentives to write secure software is the problem.
Edit: since write-once-run-anywhere languages tend to be more safe, it's a shame that more VMs aren't written in (subsets of) their hosted languages. Jikes RVM, PyPy, and Squeak Smalltalk are some notable exceptions.
It's not the language so much the isolation in the VM. Normally, there would be safegards against privilege escalation (since remote code execution is a feature, not a bug).
This is just a factor of Oracle not paying attention to a product they bought. When Cisco let Linksys (in the consumer market) stagnate, we ended up with lackluster hardware. Not a big deal. When Oracle ignored Java in the consumer market, the damage is quite a bit more extensive due to its sheer ubiquity.
You're talking about something different than nivia was. That comment was in reference to "write once, run anywhere" meaning that malware became cross-platform. A malicious Python app can do malicious things on any platform with Python just like a malicious Java app can do bad things anywhere you have Java.
The fact that this is exploitable through a browser plugin makes the risk of infection worse, but doesn't actually make it more cross-platform, per se.
Yes but Python also isn't generally distributed the same way. You could argue the same about the C++ redistributable across Windows and even .Net (I think 4.0 runs on XP), but malware for these are still executables. Silverlight may be the only common ground, but then that's the same as Flash, Acrobat or similar plugin.
And as you say it certainly doesn't run in the browser on so many disparate systems making watering hole attacks not nearly as damaging if there were to be Python malware in the wild (and I'm sure there are).
Look at the exploits over the last few years. JS, JS in Acrobat, Flash, Java. Any sort of VM with sandboxing is fair game. So long for the really low hanging fruit of straight up VB attacks.
Further still, there are attacks through even the most apparently harmless types like maliciously formatted images. If the web was my everyday world, I'd be concerned walking down the street that lines on the street would strangle me.
I find this a bit concerning not because Apple was hit, but because getting hit by some Java-malware necessitates a public statement. Anyone here in an organization of more than about 10 users likely has one or more of them with malware of some sort on their device right now, and it is treated as just the cost of the platform. In my organization I'm sort of the paranoid in that I treat every exposure as a serious event, but I am very much alone on that.
Unless they can prove (to themselves) that no customer data could have been obtained, they have to disclose this due to laws in several states, including California.
Aside from that, I believe it is ambiguous as to whether or not publicly traded companies have to disclose incidents that may have adverse effects for investors. In some cases, ambiguous errs on the side of not getting sued or sanctioned.
It's good that companies are coming out. I work in infosec, and it's constantly a battle with clients who take a "it can't happen to a big company like us, we have a professional IT department" mindset. It is happening, constantly, and things only improve when there is awareness.
I also like the forced disclosure to deal with the "they probably won't hack us, and if they do, we will just fix it later and quietly cover it up" companies. There are a fair number of those as well. Doing things right costs money that they think they can get away with not spending. Usually, that translates to externalizing the cost to the customers who get hacked for using their products, or get their data raided.
Every large ( >1000 employees ) organization has DAILY infections on employee computers. That is the reason for IT departments. If any big corp did a press release every time they found malware on a computer, it would just be a never ending stream.
Not everyone who works for apple is a programmer. There are janitors, cooks, secretary's, etc.. Those people use IE and click links in emails.
I cant say as to why apple chose to release this statement. I can just say I am fairly confident they did not have to.
Almost certainly: I'd be shocked if they didn't have HR or accounting people dealing with incredibly hairy enterprise accounting, payroll, purchasing, etc. apps. If they're lucky, they support IE > 6.
At a previous job, I called Oracle support for one of their enterprise apps (we paid at least 6 figures a year for “support”) asking about IE8 compatibility and was eventually told that they don't test Microsoft's software for them and would wait until it was released to start. This was after IE8 was released and our users had already discovered that Oracle's thicket of JavaScript had an ancient bindows.net library which relied on IE not throwing an exception for a completely erroneous misuse of elem.style; a week or so later, a support manager called me to ask for a copy of the monkey-patch I'd mentioned so they could distribute it to other customers.
It doesn't sound like the law is quite that strict:
"California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. "
Right, it depends who was compromised. My statement accounted for the fact that Apple has access to so much personal information (icloud, siri, app store, all customer service functions, applecare, etc). But it's true that they have many employees who have no such access and would not trigger the California law.
Generally the attacks are fuzzy. The attackers are quick to pivot off of the first infected system, because defenses tend to be extremely weak inside the firewall. They look for test systems, code repos, privileged interfaces, etc. For this reason, if they can't reasonably say that the compromise didn't lead anywhere else, they could get in a lot of trouble for failing to disclose.
Remember Sony? They kept quiet and attributed billions in losses to that incident, and had regulators down their backs. Nobody wants to deal with that. If the details of the compromise are not thoroughly understood internally, it could be better to say what happened and note that you don't believe user data was compromised.
>only a small number of its employees' Macintosh computers were breached, but "there was no evidence that any data left Apple."
Looks like Apple is worried more about leaks of their unreleased products. I would be more worried about data entering Apple, whether any websites were injected with malware or, in a much more unlikely scenario, malicious code being in injected into OS code or apps.
It's pretty scary to imagine what a bad guy could do with backdoor access to the iCloud or iMessage services, too. Remote control and wipe any iOS or mac device, steal device backups, intercept txts...
I'd be very interested in knowing if myself or coworkers may have been exposed (or in the best case, which waterhole website I've been missing out on)