
Apple hit by hackers who targeted Facebook last week - derpenxyne
http://www.reuters.com/article/2013/02/19/us-apple-hackers-idUSBRE91I10920130219
======
0x0
Which web site was compromised? Several reports point to "a website for mobile
software developers" as "the waterhole". Is it the apple ios dev center? The
android sdk site? HN?

I'd be very interested in knowing if I or my coworkers may have been exposed
(or in the best case, which waterhole website I've been missing out on)

~~~
cooldeal
Warning: The below site is reported to be still infected, do not visit, even
if you have Java disabled since it may be host to other exploits.

According to the NYTimes, the site is iPhoneDevSDK (not including a clickable
link for obvious reasons).

[http://bits.blogs.nytimes.com/2013/02/19/apple-computers-hit...](http://bits.blogs.nytimes.com/2013/02/19/apple-computers-hit-by-sophisticated-cyberattack/)

~~~
Blahah
Chrome has been warning about iPhoneDevSDK each time I tried to go there for
about 6 months.

------
guelo
I see a lot of people bagging on Java but I think the real problem is the
browsers. Java is the one being used in this attack but next time it could be
Flash or Acrobat or any other plugin or even 3rd party JavaScript scripts. The
default behavior of browsers should be similar to Flashblock, Ghostery and
other similar plugins: the plugin only runs when the user requests it by
acknowledging the source and hitting a "play" button inside the page. No auto-
loaded code should ever run.

~~~
robert-wallis
Chrome's "click to play" plugin setting (chrome://settings/content) has a nice
user experience, because on YouTube you click the video that you want to play
instead of clicking some off-menu to enable Flash on the whole domain. I think
that setting should be default, but likely the AdSense team would have a
throwdown with the Chromium team if that happened.

------
devindotcom
A minor point - Facebook wasn't targeted last week, they were targeted in
January and it was reported last week. The timeline is important if we're
going to be linking these together. I didn't see hack date info in the Reuters
piece, did I miss it or was it not included?

------
robert-wallis
In other news, "Windows laptop gets compromised, media responds 'And your
point is?...'"

It would be nice if the attack vector were the main focus of the article, but
how much publicity would "Java plugin allows Facebook and Apple to be hacked."
get?

Here's some perspective: <http://www.qualys.com/research/top10/>

Also here's their site where you can check your current config:
<https://browsercheck.qualys.com/>

------
suyash
Which websites are they talking about? Also, which browsers are infected
(Chrome only or Safari, Chrome, Firefox etc)?

~~~
dsl
The more advanced kits detect your OS/Browser/Plugin stack and deliver exactly
the exploit that will own you. It was iphonedevsdk.com that was used as the
watering hole.

~~~
suyash
thanks dsl..
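
Added example, not from the thread or from any of its participants: dsl describes kits that fingerprint the visitor and serve a matching exploit. From the defender's side, the artifact that survives in web proxy logs is a Java plug-in fetch (the plug-in requests applet code with its own User-Agent carrying a "Java/<version>" token) shortly after the same client visited the compromised site. The script below runs that correlation over a constructed log sample. The log format, the client addresses, the timings and every host other than iphonedevsdk.com are assumptions made up for this example.

```python
"""Flag clients that fetched Java applet code right after visiting a watering hole.

Added example. The log format, client IPs and all hosts except iphonedevsdk.com
are constructed for illustration and do not come from the incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WATERING_HOLE = "iphonedevsdk.com"   # the compromised site named in the thread
WINDOW = timedelta(seconds=120)      # how long after a visit a Java fetch is suspect

# The Java plug-in fetches applet code with a UA containing "Java/<maj.min.patch_update>".
JAVA_UA = re.compile(r"\bJava/(\d+\.\d+\.\d+_\d+)")

# Constructed log format (assumption, not a real proxy's format):
#   <ISO-8601 time> <client_ip> <method> <url> <status> "<user-agent>"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

SAMPLE_LOG = '''\
2013-02-19T10:00:01 10.1.1.5 GET http://iphonedevsdk.com/forum/ 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) Safari/536.26"
2013-02-19T10:00:02 10.1.1.5 GET http://iphonedevsdk.com/forum/style.css 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) Safari/536.26"
2013-02-19T10:00:03 10.1.1.5 GET http://stage.example.net/a/p.jar 200 "Mozilla/4.0 (Macintosh; Intel Mac OS X 10_8_2) Java/1.6.0_37"
2013-02-19T10:00:09 10.1.1.5 POST http://c2.example.net/checkin 200 "Mozilla/4.0 (compatible)"
2013-02-19T10:05:00 10.1.1.9 GET http://iphonedevsdk.com/forum/ 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/24.0 Safari/537.17"
2013-02-19T10:30:00 10.1.1.12 GET http://cdn.example.org/lib/widget.jar 200 "Mozilla/4.0 (Windows NT 6.1) Java/1.7.0_13"
'''


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "host": urlsplit(url).hostname or "",
        "status": int(status),
        "ua": ua,
    }


def is_watering_hole(host):
    """True for the watering-hole domain and its subdomains only."""
    return host == WATERING_HOLE or host.endswith("." + WATERING_HOLE)


def find_victims(log_text):
    """Map client IP -> suspect Java fetches made within WINDOW of a watering-hole visit.

    The exploit kit may serve the applet from the compromised site itself or from a
    separate staging host, so the fetch host is deliberately not filtered. Clients that
    only visited the site, and clients that fetched applets with no preceding visit
    (ordinary intranet applets), are not flagged.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])
    last_visit = {}             # client -> time of most recent browser request to the site
    victims = defaultdict(list)
    for e in events:
        java = JAVA_UA.search(e["ua"])
        seen = last_visit.get(e["client"])
        if java and seen is not None and e["time"] - seen <= WINDOW:
            victims[e["client"]].append(
                {"time": e["time"].isoformat(), "url": e["url"], "java": java.group(1)}
            )
        # Only browser (non-Java) requests count as "visiting" the watering hole.
        if is_watering_hole(e["host"]) and not java:
            last_visit[e["client"]] = e["time"]
    return dict(victims)


if __name__ == "__main__":
    for client, hits in find_victims(SAMPLE_LOG).items():
        for h in hits:
            print(f"{client} fetched {h['url']} with Java {h['java']} at {h['time']}")
```

The Java version captured from the User-Agent is worth keeping in the output: it tells you immediately whether the flagged host was running a plug-in release old enough to be exposed to the exploit in question, and gives the inventory of unpatched machines to chase regardless of whether that particular visit was exploited.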

------
mtgx
How do they _know_ it's the same hackers? If they are only assuming they
should state so.

~~~
dguido
Shared infrastructure, use of same non-public backdoor, same tactics taken
once on the box, same watering hole used, hop point includes connections from
both Facebook and Apple...

Come on man. Read the Mandiant report on APT1 if you want to get schooled on
how to tie groups of hackers together over different campaigns.

------
gph
The authors of this piece try to make it out like it's Apple that's now become
a security risk, when this hack is really Java's fault. It makes you wonder if
Oracle is entirely up to the responsibility that comes along with inheriting
the entire Java-sphere.

~~~
rednukleus
No they don't. They make it very clear that this was done by exploiting a flaw
in Java.

> The same software, which infected Macs by exploiting a flaw in a version of
> Oracle Corp's Java software used as a plug-in on Web browsers, was used to
> launch attacks against Facebook, which the social network disclosed on
> Friday.

That being said, even if it is Oracle's "fault", most malware works by
exploiting third-party software such as Java or Flash or Acrobat - including
most Windows malware. OS X may be "becoming less secure", even though OS X
itself hasn't changed, due to the fact that some Java and other exploits are
now being used to target OS X machines. This is all covered very fairly in the
article.

------
recoiledsnake
Looks like the "Write Once, Run Anywhere" Java mantra is true for malware too.
Pretty much any run-of-the-mill Windows PC, Mac or Linux machine is vulnerable
to this.

<http://en.wikipedia.org/wiki/Write_once,_run_anywhere>

~~~
nivla
This is true of any cross-platform language: the job of making the exploit
work across different OSes gets efficiently transferred to the compiler.

One of the main reasons I am worried about WebKit becoming monolithic is zero-day
exploits: there will be no running away from them.

~~~
eksith
It's not the language so much as the isolation in the VM. Normally, there would
be safeguards against privilege escalation (since remote code execution is a
feature, not a bug).

This is just a factor of Oracle not paying attention to a product they bought.
When Cisco let Linksys (in the consumer market) stagnate, we ended up with
lackluster hardware. Not a big deal. When Oracle ignored Java in the consumer
market, the damage is quite a bit more extensive due to its sheer ubiquity.

~~~
chc
You're talking about something different than nivla was. That comment was in
reference to "write once, run anywhere" meaning that malware became cross-
platform. A malicious Python app can do malicious things on any platform with
Python just like a malicious Java app can do bad things anywhere you have
Java.

The fact that this is exploitable through a browser plugin makes the risk of
infection worse, but doesn't actually make it more cross-platform, per se.

~~~
eksith
Yes but Python also isn't generally distributed the same way. You could argue
the same about the C++ redistributable across Windows and even .Net (I think
4.0 runs on XP), but malware for these is still executables. Silverlight may
be the only common ground, but then that's the same as Flash, Acrobat or
similar plugin.

And as you say, it certainly doesn't run in the browser on so many disparate
systems, making watering hole attacks not nearly as damaging if there were to
be Python malware in the wild (and I'm sure there is).

------
corresation
I find this a bit concerning not because Apple was hit, but because getting
hit by some Java-malware necessitates a public statement. Anyone here in an
organization of more than about 10 users likely has one or more of them with
malware of some sort on their device right now, and it is treated as just the
cost of the platform. In my organization I'm sort of the paranoid one in that I
treat every exposure as a serious event, but I am very much alone on that.

~~~
lawnchair_larry
Unless they can prove (to themselves) that no customer data could have been
obtained, they have to disclose this due to laws in several states, including
California.

Aside from that, I believe it is ambiguous as to whether or not publicly
traded companies have to disclose incidents that may have adverse effects for
investors. In some cases, ambiguous errs on the side of not getting sued or
sanctioned.

It's good that companies are coming out. I work in infosec, and it's
constantly a battle with clients who take a "it can't happen to a big company
like us, we have a professional IT department" mindset. It _is_ happening,
constantly, and things only improve when there is awareness.

I also like the forced disclosure to deal with the "they probably won't hack
us, and if they do, we will just fix it later and quietly cover it up"
companies. There are a fair number of those as well. Doing things right costs
money that they think they can get away with not spending. Usually, that
translates to externalizing the cost to the customers who get hacked for using
their products, or get their data raided.

~~~
DanBlake
This is untrue, there is no law saying as such.

Every large (>1000 employees) organization has DAILY infections on employee
computers. That is the reason for IT departments. If any big corp did a press
release every time they found malware on a computer, it would just be a never
ending stream.

Not everyone who works for Apple is a programmer. There are janitors, cooks,
secretaries, etc. Those people use IE and click links in emails.

I can't say as to why Apple chose to release this statement. I can just say I
am fairly confident they did not have to.

~~~
whatusername
Are there really non-programmers (i.e. not those working on iTunes/Safari on
Windows) at Apple using IE/Windows?

~~~
acdha
Almost certainly: I'd be _shocked_ if they didn't have HR or accounting people
dealing with incredibly hairy enterprise accounting, payroll, purchasing, etc.
apps. If they're lucky, they support IE > 6.

At a previous job, I called Oracle support for one of their enterprise apps
(we paid at least 6 figures a year for “support”) asking about IE8
compatibility and was eventually told that they don't test Microsoft's
software for them and would wait until it was released to start. This was
_after_ IE8 was released and our users had already discovered that Oracle's
thicket of JavaScript had an ancient bindows.net library which relied on IE
not throwing an exception for a completely erroneous misuse of elem.style; a
week or so later, a support manager _called_ me to ask for a copy of the
monkey-patch I'd mentioned so they could distribute it to other customers.

------
cooldeal
> only a small number of its employees' Macintosh computers were breached, but
> "there was no evidence that any data left Apple."

Looks like Apple is worried more about leaks of their unreleased products. I
would be more worried about data entering Apple, whether any websites were
injected with malware or, in a much more unlikely scenario, malicious code
being injected into OS code or apps.

~~~
0x0
It's pretty scary to imagine what a bad guy could do with backdoor access to
the iCloud or iMessage services, too. Remote control and wipe any iOS or mac
device, steal device backups, intercept txts...

------
drivebyacct2
The sooner Google and Mozilla make Click-to-Run the default, the sooner more
clueless people will be safer.

