'Sophisticated' Hack Trapped Apple, Facebook, Says Dev Forum
Apple employees didn't practice what their company preached; it may have stopped supporting Java in OSX due to security issues, but it was a Java hack that caught the employees when they visited a developer's forum. The forum's owner has spoken out about the attack and his website's subsequent actions, while Apple and Oracle have issued fixes to all customers.
02/21/13 11:35 AM PT
The owner of the iPhoneDevSDK website involved in a major Java hacking incident has given his side of the story, saying a single compromised administrator account was the cause of internal computers at Apple and Facebook being infected after their users visited the site.
A media report on the Facebook hack was the first indication that something was amiss with the popular iPhone developers' forum, said website owner Ian Sefferman.
"We didn't know about it because it never actually infected any of our systems," Sefferman told MacNewsWorld. "We were never able to see anything on it."
Once he learned about the news, Sefferman and iPhoneDevSDK started making calls. "We immediately reached out to Facebook's security officer, and we've been working with them to learn more about what the effects were on their end," he said. "Now we're continuing to try to work with as many folks as we can to find out the root causes. It's still very much an ongoing investigation."
In a Wednesday post on his website, Sefferman said there is no evidence that any user information was stolen. The site has since changed all user passwords.
It was a very sophisticated attack, Sefferman added. "We're going to try to do our best to nail down exactly how it happened, and we'll go from there as far as any lessons learned."
Companies Moved Fast With Fixes
Apple and Oracle acted swiftly this week to address the Java exploit. Apple pushed out a security update to its older systems that use Java, and Oracle released one for computers using the latest version of its programming language.
Apple's update for OS X 10.6 Snow Leopard -- the last version of its personal computer operating system that shipped with Java -- includes an update for Java 6 released by Oracle on Feb. 1 that addressed 30 vulnerabilities, as well as some additional security fixes.
Packaged with the Snow Leopard update: A detection and removal tool to clean up any Macs infected with malware that exploit the Java vulnerabilities addressed in the update.
Mac users running the most current versions of OS X -- Lion and Mountain Lion -- will have to install the Oracle update to the latest version of Java, version 7, manually. That's because Apple stopped shipping Java with OS X with the release of Lion.
Apple cut the cord with Java after a virus exploiting a vulnerability in Oracle's programming language infected hundreds of thousands of Macs around the globe. Apple also includes code in its operating systems that will automatically shut-off Java if it isn't used for 35 days.
Do as I Say, Not as I Do
While Apple has acted to protect Mac users by discouraging Java use, the company admitted that some of its employees were trapped using the same exploit.
Apple revealed this week that "a limited number of Mac systems" within the company were infected with malware in the iPhoneDevSDK "drive-by" attack.
The systems were isolated from the company's internal network, Apple said, and there is no evidence that any data was removed from the company. Apple never mentioned the name of the developers forum involved in the attack.
Apple did not respond to a request for comment for this story. However, the fact that a developers' website was infected says something about the nature of the assault.
"They were probably trying to compromise code on developers machines, rather than exfiltrating data," Lysa Myers, a senior security analyst with Intego told MacNewsWorld.
"They may be trying to introduce bugs or holes or somehow compromise the programs," she added.
The scenario has all the elements of a classic "watering hole" attack, as it is called, said Sophos Security Advisor Chet Wisniewski.
Just as predators stake out watering holes for their next meal, hackers infect websites that attract people from organizations they want to infiltrate.
Is Steve Jobs' Legacy to Blame?
"If you want to break into a defense contractor, it's really hard to break through the hard shell of its security," Wisniewski told MacNewsWorld, "so you look for a place on the Internet where the contractor's employees frequently hangout. Those sites have a softer shell so it's easier to get your malware on it."
Breaking into Facebook's computer infrastructure is hard, he said. "It's a lot easier to find a little developer forum that has nowhere near the skills or resources available to it to defend itself, and plant the malware there."
Apple's culture may also have contributed to the recent infection of its systems, Wisniewski added.
During Steve Jobs' tenure at Apple, it was the company's policy to exercise as little control as possible over their internal systems. "Every user is given a MacBook when they enter the company, and they could put whatever they want on it," he said. "They're not required to run antivirus. They're not required to be centrally managed by the IT department."
The IT department, in fact, was not allowed to dictate any rules to employees, Wisniewski added. "Jobs was adamant that IT wasn't to get in the way of the creativity of the business in producing great products."