Facebook, Apple hacks could affect anyone: Here's what you can do

Summary: Reports suggest that both Facebook and Apple employees — and likely others, including Twitter — visited an infected website laden with malware, which exploited a vulnerability in Java. Now that the cause has been identified, here's what you can do.


If you or someone connected to your network — a family member or an employee, for instance — visited one particular malware-ridden website in the last few months, you may be in a lot of trouble.

Facebook and Apple have both been breached in recent weeks: a zero-day vulnerability in the Java browser plugin let attackers into both companies' internal networks. Both said in separate statements that there was "no evidence" that company or user data had been stolen, but the news sent a shiver down the spine of many who trust those companies to keep their data safe.

The root cause is reportedly a single iPhone development website that was compromised to serve malware, which dropped its payload onto any visiting machine running a vulnerable Java plugin. An infected laptop that was later connected to a corporate network then gave the attackers a foothold on that network.

AllThingsD and The New York Times have both reported and confirmed that the mobile development forum "iPhoneDevSDK" was the source of both the Apple and the Facebook breaches.

It's absolutely vital that you do not visit this site in any way, shape, or form, as it may still contain active malware that could lead to infection.

[Image: screenshot of iphonedevsdk.com. Caption: Seriously. Do not visit this site. (Image: ZDNet)]

According to AllThingsD, which spoke to Facebook sources on condition of anonymity, a number of the company's employees visited the site more than a month ago. Malicious code injected into the site's pages used an exploit for the Java browser plugin to compromise the employees' laptops.

This "watering hole" technique compromises a legitimate, well-visited site that the intended victims are known to frequent, then silently infects vulnerable visitors by exploiting an unpatched vulnerability. It differs from spear phishing, where a malware-laden attachment is emailed to a specific person, in that the victims come to the attacker; it is still targeted, because the site is chosen for its audience.

While Apple's laptops were clearly MacBooks running the latest (if not a pre-release) version of OS X, the attack is by no means limited to Macs. Windows PCs are equally at risk if they run a vulnerable version of the Java plugin, since the exploit targets Java rather than the operating system.

Facebook confirmed that the breach of its internal network was the result of a zero-day exploit against the Java plugin, as did Apple in a statement on Tuesday. Law-enforcement agencies were informed in both cases.

Oracle, which develops Java, patched the vulnerability in a February 1 security update.

Twitter suffered a similar breach earlier this month, but did not identify its root cause. At the time it was believed to be the work of Chinese hackers, possibly associated with the country's government or military. It now looks more likely that a Twitter employee also visited the infected site, and that this is how the company's network was compromised.

Exactly who is behind this campaign is unknown. Many point to China, which has been linked to cyberattacks on networks and infrastructure before; in 2010, Google pulled out of China altogether after its networks were compromised in an attack it traced to that country.

However, sources speaking to Bloomberg point in an entirely different direction. The publication reported that "at least 40 companies", including Apple, Facebook, and Twitter, were targeted by Eastern European hackers who were "trying to steal company secrets".

So, now what?

Here's the troubling thing: you may not have visited the allegedly infected website yourself, but have your employees? Do you run iPhone application or service development onsite? And can you be absolutely sure that your company, your network, or your own computer has not been compromised in some way?

Of course not. Here's what you can do. (This list is far from exhaustive, but it's a start.)

1. Remove Java immediately

The chances are that you are running Java on your machine or, at the very least, that someone on your network is.

Read this: How to disable Java in your browser on Windows, Mac

Amid a serious security flaw in the latest version of Java 7, where even the U.S. Department of Homeland Security has warned users to disable the plug-in, here's how you do it.

You can either disable the browser plugin or remove Java completely, which shrinks your attack surface considerably. Java has been found to contain flaw after flaw, even after numerous updates, and is a favourite route for attackers into computers, devices, and networks.

Oracle released yet another update to its Java plugin on Tuesday. Apple has also released a Java patch for OS X (check Software Update if it hasn't already appeared there) that should close the vulnerabilities currently being exploited in the wild.

Run updates through the Java Control Panel on Windows, or through Software Update under System Preferences on OS X. If you need the Java runtime for desktop applications but not in the browser, the Security tab of the Java Control Panel (Java 7 Update 10 and later) has an "Enable Java content in the browser" checkbox; clearing it turns the plugin off in every browser, which is where the exposure lies, while leaving the runtime available to local applications.

2. Check your logs, history, browsing records

While it may not be the easiest thing to do, you may need to trawl through your DNS logs, proxy logs, and other browsing records to determine whether anyone on your network, be it a single family member or a thousand employees, has visited the infected website in the past two months.

If the site appears anywhere in those records (again, do not visit it: "iPhoneDevSDK"), there is a significant chance that the machines concerned, and possibly others on the same network, have been infected with malware. Treat a host that fetched a .jar or .class file from the site as a likely exploit attempt rather than a mere page view, since that is how the Java plugin receives an applet.
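As an added example of that log search (this is not code from the article), here is a small Python script that walks DNS query logs and web-proxy access logs, reports every client that resolved or fetched the watering-hole domain, and separately counts applet (.jar/.class) fetches. The log lines are constructed samples in BIND query-log and Squid access-log layout; the two regular expressions are written for those formats and will need adjusting for other resolvers and proxies.

```python
"""Find hosts that resolved or fetched the watering-hole domain.

Added example, not code from the article. Log formats and sample lines are
constructed; the patterns target BIND query logs and Squid access logs.
"""
import re
from collections import defaultdict

# Domain named in the article. Matched as an exact name or as a subdomain,
# so that "notiphonedevsdk.com" (a plain substring match) is not a false positive.
WATERING_HOLE = "iphonedevsdk.com"

# BIND query log: "... client 10.0.1.25#51234: query: www.example.com IN A + ..."
BIND_QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+.*?query: (?P<qname>\S+) IN\b"
)
# Squid native access log:
# "<epoch> <elapsed> <client> <action/code> <bytes> <method> <url> ..."
SQUID_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)
HOST_IN_URL_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://(?P<host>[^/:?#]+)")

# Applets are delivered as .jar or .class files; fetching one from the
# compromised site is stronger evidence of an exploit attempt than a page view.
APPLET_SUFFIXES = (".jar", ".class")


def host_matches(name, domain=WATERING_HOLE):
    """True if name equals domain or is a subdomain of it (case-insensitive, trailing dot ignored)."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def scan_lines(lines):
    """Return {client_ip: {"names": set, "applet_fetches": list}} for clients that touched the domain."""
    hits = defaultdict(lambda: {"names": set(), "applet_fetches": []})
    for line in lines:
        m = BIND_QUERY_RE.search(line)
        if m:
            if host_matches(m.group("qname")):
                hits[m.group("client")]["names"].add(m.group("qname").lower().rstrip("."))
            continue
        m = SQUID_RE.match(line)
        if m:
            h = HOST_IN_URL_RE.match(m.group("url"))
            if h and host_matches(h.group("host")):
                rec = hits[m.group("client")]
                rec["names"].add(h.group("host").lower())
                path = m.group("url").split("?", 1)[0].lower()
                if path.endswith(APPLET_SUFFIXES):
                    rec["applet_fetches"].append(m.group("url"))
    return dict(hits)


def report(log_text):
    """Sorted list of (client, sorted names, number of applet fetches)."""
    hits = scan_lines(log_text.splitlines())
    return [(c, sorted(r["names"]), len(r["applet_fetches"])) for c, r in sorted(hits.items())]


# Constructed sample: three BIND query-log lines followed by three Squid lines.
SAMPLE_LOG = """\
17-Feb-2013 09:12:01.123 client 10.0.1.25#51234: query: www.iphonedevsdk.com IN A + (10.0.0.2)
17-Feb-2013 09:12:03.456 client 10.0.1.30#40211: query: notiphonedevsdk.com IN A + (10.0.0.2)
17-Feb-2013 09:13:10.000 client 10.0.1.25#51240: query: cdn.example.net IN A + (10.0.0.2)
1361091620.001    452 10.0.1.44 TCP_MISS/200 2048 GET http://iphonedevsdk.com/forum/ - DIRECT/203.0.113.9 text/html
1361091622.555    120 10.0.1.44 TCP_MISS/200 9216 GET http://IPHONEDEVSDK.com/forum/x.jar - DIRECT/203.0.113.9 application/java-archive
1361091630.000     80 10.0.1.50 TCP_MISS/200 1024 GET http://www.example.org/ - DIRECT/198.51.100.7 text/html
"""

if __name__ == "__main__":
    for client, names, applets in report(SAMPLE_LOG):
        note = f"  ({applets} applet fetch(es): likely exploit attempt)" if applets else ""
        print(f"{client}: {', '.join(names)}{note}")
```

Run it against your own exported logs by swapping `SAMPLE_LOG` for the file contents. A DNS hit alone tells you a machine looked the name up, not that it ran the applet; proxy evidence of a .jar fetch is what moves a host from "visited" to "probably exploited", and a machine with neither can still have been infected if it resolved the name through another resolver.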

3. Run a full, network-wide malware sweep

Even if nothing has shown up in the logs, run a full, network-wide malware sweep using an up-to-date antivirus or network malware solution. If you can enforce server-side policies that require machines to pass an antivirus check before they join the network (Network Access Protection on Windows, for instance), that will help contain the spread of such malware. Bear in mind that the payload of a zero-day campaign may not yet be recognised by signatures, so a clean scan is reassurance, not proof.

Vulnerable machines are those running unpatched versions of Java, meaning anything older than the current releases, Java 7 Update 15 and Java 6 Update 41, and the malware can infect both Mac and Windows machines.
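To turn those version thresholds into an inventory check, here is an added Python example (not code from the article) that parses the banner line of `java -version` as collected from each host and flags anything below Java 7 Update 15 or Java 6 Update 41. The host names and banner strings are constructed samples; the banner layout assumed is the `1.<major>.0_<update>` form that Oracle and Apple builds reported at the time.

```python
"""Triage collected `java -version` banners against the patched releases the
article names (Java 7 Update 15, Java 6 Update 41).

Added example, not code from the article. Hostnames and banner strings are
constructed; the assumed banner layout is 'java version "1.<major>.0_<update>"'.
"""
import re

# Lowest patched update level per major version, per the article.
PATCHED_UPDATE = {7: 15, 6: 41}

BANNER_RE = re.compile(r'java version "1\.(?P<major>\d+)\.\d+(?:_(?P<update>\d+))?')


def parse_banner(banner):
    """Return (major, update) from a java -version banner, or None if it is not a Java banner.
    A banner with no _NN suffix (an early GA build) is treated as update 0."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update") or 0)


def classify(version):
    """'patched', 'vulnerable' or 'unknown' for a (major, update) pair."""
    major, update = version
    if major in PATCHED_UPDATE:
        return "patched" if update >= PATCHED_UPDATE[major] else "vulnerable"
    if major < min(PATCHED_UPDATE):
        return "vulnerable"  # Java 5 and older: end-of-life, never received the fix
    return "unknown"         # a newer major than the article covers; check the vendor advisory


def triage(inventory):
    """inventory: {hostname: first line of `java -version 2>&1`}.
    Returns {hostname: status}, with 'no-java' for hosts where the command failed."""
    result = {}
    for host, banner in inventory.items():
        version = parse_banner(banner)
        result[host] = "no-java" if version is None else classify(version)
    return result


# Constructed sample inventory, as a fleet-wide `java -version 2>&1 | head -1` might return it.
SAMPLE_INVENTORY = {
    "dev-mac-01": 'java version "1.6.0_37"',
    "dev-mac-02": 'java version "1.7.0_15"',
    "build-win-07": 'java version "1.7.0_11"',
    "qa-win-03": 'java version "1.6.0_41"',
    "legacy-win-09": 'java version "1.5.0_22"',
    "print-srv": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {status}")
```

One caveat: the banner reports the JRE first on the PATH, which on a machine with several JREs is not necessarily the one the browser plugin uses (on OS X, Apple's Java 6 and Oracle's Java 7 plugin can coexist). Use the result to prioritise hosts, then confirm the plugin version in the Java Control Panel or the browser's plugin list.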

4. Take future precautions: Virtualize and isolate risky software

Many companies rely on Java, even though few websites still use the plugin, so removing it may not be an option. Patching to the latest version is the best you're going to get, at least for now, but adding an extra layer between the Java plugin and the host machine can limit the damage when the next exploit lands.

Java is the zero-day king, and more flaws will surely be found. By running Java-based web applications and Java-enabled websites in a virtual machine that is cut off from the host and the host's network (but still connected to the internet), you keep them in an isolated, sandboxed environment away from company files and other machines. Note that a NAT-only guest still routes through the host, so if isolation from the LAN matters, block your internal address ranges on the host firewall as well, and leave shared folders and clipboard sharing switched off.

Updating the software may not have prevented the attack on Facebook, Apple, and others, since the flaw was a zero-day when it was used, but keeping Java sandboxed may have lessened the risk of any data being stolen.

Talkback (64 comments)
  • This does not affect Windows PCs

    Just make sure you have the latest Java runtime patch. Sorry iUsers, you can't get the latest patch until crapple decides to release it.
    Smigelhoffen
    • Windows also affected

      From a source speaking to Reuters: "The malware was distributed at least in part through a site aimed at iPhone developers, which might still be infecting visitors who haven't disabled Java in their browser, the person close to the case said. There is a version that infects computers running Microsoft Windows as well."
      zwhittaker
      • Not exactly Zack

        If I am not mistaken, and I could be, Apple is responsible for their own Java and, seeing that I cannot do iPhone Development on a PC, I seriously doubt many PC users were targeted from that site.
        slickjim
        • iPhoneDev isn't for apple only

          The new jailbreak method for iOS 6.1 was released recently. Malware was injected into that site because if it contains a long-awaited jailbreak, everyone is going to flock to the site.

          It isn't a site just for "iDevelopers" but a site that discusses and shares iPhone and iOS related software and discussions. I went there recently to download the newest redsn0w so that I could put a friend's iPod touch into Pwned DFU mode and force a recovery on it when iTunes wasn't able to restore it properly (multiple error 9's).

          My machine (PC laptop) wasn't compromised, but it may have been had I fumbled around the site long enough. As with all security matters... have the proper protection! Firewalls, virus protection and staying away from shady websites will prevent 95% of these problems....
          John Giallanza
      • FYI

        It appears Microsoft was also "done like a dog's dinner" with this little bit of bubble and squeak as well. I believe it affected some PCs and some in the Mac unit. Fun times indeed!
        ego.sum.stig
    • Not accurate

      Oracle released a patch for OS X at the same time as the other platforms they support. Older versions of OS X may need to be patched by Apple. iDevices DO NOT RUN JAVA and are not vulnerable.
      Randy Burgess
    • @ Does not affect Windows PC's

      Only an IDIOT would assume that a site " rife with malware " does not include at least a FEW toys for Windows users.
      materva
  • And what OS was the website infecting all those Macs running?

    No prize for guessing ..... Linux!!

    http://toolbar.netcraft.com/site_report?url=http://iphonedevsdk.com/

    When even the developers and promoters of Linux themselves cannot keep their sites from being compromised, it is no surprise that iphonedevsdk.com was pwned.

    Boggles your mind that anyone dares run Linux on their servers or OS X on the desktop.
    honeymonster
    • All I know

      is that Microsoft is a multi-billion dollar company that has been forced to take security seriously for over a decade now, and they are not only proactive about it, but have also become the aggressors against the source of the threats. No other company/OS is even proactive, let alone the aggressors.
      Smigelhoffen
      • How about...

        Let's focus on peer-suggested help to those who *might* be affected by this, instead of focusing on "which operating system/platform/company is better" -- because after five years of reading comments on my posts, it's pretty boring now. :)
        zwhittaker
        • You must be new around here...

          You should know by now your readers THINK they know everything about computers, but they are actually pinheads. These pinheads generally fall into one of three groups:

          A) Microsoft fans. They hate Apple and Linux, for no rational reason.

          B) Apple fans. They hate Microsoft and Linux, for no rational reason.

          C) Linux fans. They hate everything not Linux. They think they're saving the world by not using Microsoft or Apple products (for some unknown reason).

          There are also subgroups. For example, some Microsoft fans think Win 8 is the end of the universe because the start button is gone. This is the same logic that people used to say the start button was the end of the universe in Win 95. They just don't like change, and for the most part are computer illiterate. They don't know this, however; they think they're computer ninjas. They're not.

          You should know all this by now, Zack. If you've spent any time at all on the interwebs (and I think you have), you should know that, by and large, people are idiots.

          And these idiots are your readers. Don't expect much from them.
          pishaw
          • It does seem you chose not to read the comments before yours

            It does not matter what OS someone uses; all can be exploited.
            Secure your OS as much as you can; all others will do the same.

            Have questions either ask or search...
            RickLively
          • Zack's not new...

            Why, it's like we watched him grow up! (JK) IMHO this is one of the better articles he has produced, and the typical OS p*ssing contest is not what we need. I'm stuck supporting a third party app that requires JRE, and the more information we get the better! Thanks Zack!
            randysmith@...
          • Stuck ? NOT !

            Stuck is when your billion $ corp. goes ass deep in service or platform dependent software and pays cash for it. ( otherwise known as F_ _ ked ! )

            If THAT accurately describes your situation, take your medicine and deal with the problem as best you can, patches etc. and good luck TO YA' !

            In any other case, DUMP the dependent software NOW ( before it REALLY costs you a bundle ) and CAREFULLY replace it with FREE STANDING software, that is to say, software which operates independently from your operating system and its registry and is otherwise self-sufficient. Software of this type is not cheap and may require some custom development but will certainly prove itself worthwhile in the long run. Some standard issue software thoughtfully allows for this type of installation, usually referred to as " portable ".
            materva
          • Supporting a "third party app"...

            means that our clients are using an app from some other company, which in my case integrates certain data from our product. So, "DUMPing" the JRE piece is not always so simple. I'm not talking about a simple display widget or something, but rather a combination of software and services that someone else provides, and requires the JRE on a server. Yes, maybe some other "third party" may offer an equivalent solution, but maybe not. And, maybe our clients like the current solution, so having information such as presented in this article is helpful, which was my original comment (and certainly not defending Java nor recommending Oracle's crap as a good solution!). That's the reality of real businesses!
            randysmith@...
          • you just described JAVA

            The description you gave is what Java was marketing years ago: portable, not associated with the OS.
            Your quote "DUMP the dependent software NOW" is absurd, as this whole article is about Java, which is non-OS-dependent software.
            mark@...
          • What he said!

            pishaw nailed it! The web is a breeding ground for know-it-all wannabes who don't take the time or effort to educate themselves but somehow still consider themselves experts. Worse yet, they are experts about EVERYTHING!
            Qnerd
          • I plead guilty.

            Having been an idiot myself a couple of times I totally agree with you.
            I use both Linux and Microsoft and am learning more about both all the time, and I find no reason to hate one or the other, but getting p*ssed off at both of them from time to time is another story. lol.

            Sites like this are a good learning tool to filter out the BS from the good stuff.
            Rick Sos
          • That's quite a statement from your obviously small mind...

            pishaw. It's not often that you see someone complaining about idiots who then uses their own blog to prove their point like you did.
            AkBadBoy
        • Its all propaganda...

          Business, religion, countries etc. use propaganda to support their ideology and will try to throw mud on their nemesis, and bitching is part of that. It’s not going to end, and don’t expect readers to be quiet about it in forums. If you try to police what comments people write about your articles, then what is the point of a debate?

          I don’t think Zdnet falls under the category where one could look for the so called ‘peer-suggested’ help.
          Owlll1net