Apple hacked by same group that attacked Facebook
Summary: The iPhone and iPad maker said today that it is working with law enforcement to identify the hackers that breached its internal network. The same Java exploit that was used to attack Facebook was also to blame for allowing the hackers into Apple's network.

The same group of hackers that attacked Facebook last month also successfully attacked Apple, the company revealed today.
The Cupertino, Calif.-based technology giant told the Reuters news agency that while its networks were successfully breached, there was "no evidence that any data left Apple."
It's almost exactly the same wording used by Facebook last week when it disclosed it had also been hacked.
A small number of the company's employees' Mac computers were hit by the hack, which exploited a vulnerability in the Java Web plug-in.
A Java malware removal tool will be issued to OS X users later today that will prevent other Mac owners from being attacked in the same way.
Facebook suffered a breach of its internal network last month by hackers, but no data was taken, the company said. The hackers used the same active Java zero-day exploit to attack the company's network. Facebook's dedicated security team noted a suspicious domain in its corporate domain name system (DNS) logs, which was traced to an employee's laptop. Numerous other laptops were compromised, cleaned and disinfected from malware.
Oracle, the developer of Java software, subsequently patched the exploit in a February 1 security fix.
The past few weeks have seen a spate of semi-successful hacking attempts on Western companies, from The New York Times to The Wall Street Journal, by Chinese hacking groups (state sponsored or otherwise, it remains unclear).
Apple did not comment further on the hack, but the firm said in a statement sent to our sister site CNET:
Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.
Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days. To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found.

Talkback
Now comes the difficult decision
1. apple uses Windows
2. if you use os x and safari, you will be hit by 0 user interaction web drive by malware
Results at 11.
who cares?
I Know That The Current 'High Score' Is 6.1; But,
Nothing More Secure Than Apple! LOL!
Scary to be an os x user
It's a Java issue..
So?
I repeat: if apple can't even use os x securely, you have no chance.
you know this because...
I know this because I read
http://thenextweb.com/apple/2013/02/19/facebook-apple-employees-visited-iphonedevsdk-where-their-computers-were-compromised-by-java-exploit/
"Absolutely, positively do not visit this site, at all. If you do, you run the risk of being infected"
If this were social engineering, the warning wouldn't be so strong.
I could be wrong but I'm quite confident I'm right. How confident are you that this is pure social engineering?
social engineering
In particular, no normal computer user who switched to Mac for better security ever visits a site like this. Not that they might not be infected by visiting other malicious sites, but let's stick to facts, not speculation.
Ah, you weren't clear
It would appear you were disputing this:
"I repeat: if apple can't even use os x securely, you have no chance."
Well, you heard it here folks. Only os x developers can ever get infected using os x because they are the only ones with Java who visit sites on the internet.
And Windows people get accused of relying on security by obscurity?
os x is swiss cheese. It is so bad that not even apple can plug the holes for their own employees. If apple can't keep their employees safe, there is no way you can keep yourself safe. You aren't smarter than apple.
I don't know the term
But even if someone (wasn't me) promised you OS X can be infected with a virus, I bet that same person did not promise you java can't be infected. So given this fact, I just don't understand your persistence to prove things that are just not here.
But, it seems you can't stop. So, go toddy, go!
The score so far
We have Apple's corporate network breached by multiple computers infected with worms, systems compromised and under the control of attackers. In addition to Macs infecting the networks of Twitter and Facebook.
What a joke Linux and OS X security has turned out to be.
Windows is battle-hardened, has sandboxing that actually works and prevents infections, has anti-exploit mitigations such as ASLR+DEP that are actually effective (and not pseudo-ASLR vulnerable to ROP like on Linux and OS X).
Windows experiences fewer vulnerabilities than both Linux and OS X, and Windows is patched faster than both.
we also have
What else? :)
If you don't have a clue you don't connect general purpose computers to networks. This is by the way, one of the reasons the so called 'desktop' is dead. The users expect too much 'convenience' that always comes at the cost of security. You either learn or get infected.
We also have os x completely destroyed by a drive by
os x security epic fail.
Don't forget it, this one is about os x security utterly failing. Even worse, os x security failed even when apple themselves were the ones who set it up. If apple can't secure their own os x machines, you have no chance.
You seem to have it in for Apple
False
Nope. False on both claims.
1) No certificate was stolen. A vulnerability combined with a rather sophisticated crypto attack (involving considerable computing power) allowed an attacker to create a fake certificate.
2) The certificate did not allow an attacker to run any code. He first had to get in. The certificates required for drivers in Windows offer a security level *not* *available* on competing OSes.
The vulnerability allowed an attacker for a limited time (until the vulnerability was patched) to bypass an *additional* security level which would have been there on OS X or Linux.
In no way is this comparable to a network breach of the vendor's own corporate network.
Nice try, though.
kernel.org, linuxfoundation.org and more compromised and running a rootkit for the better part of a month. kernel.org is where all source code for Linux is being coordinated. Compromise only discovered by accident. Attack was unsophisticated and the attacker apparently didn't know he had pwned the crown jewels of Linux. The best Linux brains in the world were pwned by a script kiddie!
OSX computers at Apple(!!!), Twitter, Facebook and many others *compromised* and under the control of attackers who managed to set up DNS zones inside the networks! Smug Apple types eating crow and trying to dump their embarrassment on Oracle. The "most advanced OS in the World" should have protected the system. Where was the sandbox? where was the AV software which should have prevented this? (A: sandbox MIA, AV woefully ineffective).
I'm a (Windows) PC!
not my case
The certificates were stolen from Microsoft's internal network and yes, code has been run on many computers.
By the way, plenty of non-Microsoft platforms employ code signing. Just FYI.
You can worship your tech company. I worship none.
Don't ask danbi to back up his claim
Back up your claim, please
danbi, You cannot be this stupid. If you knew *anything* about digital security certificates you would know that the private key of a central certificate is *always* stored in a HSM.
That's HSM == Hardware Security Module. It is a FIPS certified hardware appliance which *guarantees* (!!) that the private key cannot ever leave the module (except when transmitted in encrypted form to peer HSMs).
Even the most privileged administrator of such a box cannot extract the private key. If the CEO brings in the lawyers or if a prosecutor brings in the feds they can *still* not extract the key. The HSM is tamper proof. The chips are welded in epoxy. If you try to drill into the unit, vibration sensors and/or light sensors will fire and cause the unit to self-wipe. If you move the unit, G sensors and GPS location will fire and cause the unit to wipe itself. If you pull the power the battery backup will kick in. If you pull the batteries the unit will lock up hard.
In short: You are lying. There has never been a single incident where a root key or central key was compromised. Not from Microsoft nor anyone else.
Sure, some of the SSL digital cert providers have been compromised. Even RSA had a break-in (Unix systems). But a master key has never been stolen.
oh my
Yes, you can store the private key of a certificate in a HSM, but in no way you are forced to.. So what is your point?
But, even if you store the private key of your root certificate in an HSM, if I know your access credentials, I will ask your HSM to sign an intermediate certificate for me. It will happily do so (because if it cannot do it, it's pretty much useless piece of junk) and I will have certificate that your end system will ultimately trust. Because it is signed by you. The private key of that certificate can sit anywhere, nobody cares.
The security incident I talk about, when Microsoft's internal network (where these certs are processed) happened exactly that way. Nobody ever cared to steal any private keys.
Of course, you can revoke root certificates. But for the purpose of which they are used in Windows (to let Microsoft anti-theft code to run undetected), the only way is to re-install the OS. And, lots and lots of Windows users don't update their systems for one reason or another. Yet more absurd, those certificate updates are marked non-critical in Windows Update.
Unfortunately, the whole PKI concept is utterly flawed, but most people don't realize it and some who do... just cannot refuse the money.
Like I said, I know about digital certificates more than I deserve. Ignorance is bliss. Unfortunately, not everyone has the chance.