Apple Hit By Hackers Who Targeted Facebook
snydeq writes "Apple was recently attacked by hackers who infected the Macintosh computers of some employees, the company said on Tuesday in an unprecedented disclosure that described the widest known cyber attacks against Apple-made computers to date, Reuters reports. 'The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday. ... A person briefed on the investigation into the attacks said that hundreds of companies, including defense contractors, had been infected with the same malicious software, or malware. The attacks mark the highest-profile cyber attacks to date on businesses running Mac computers.'"
Thank you folks, I'll be here all week.
What political party do you join when you don't like Bible-thumpers *or* hippies?
Apple's advanced 1969-era OS is "secure by design". It is immune from viruses, and there's no need to run a virus scanner.
Among my computers is a windows machine. I have no fear of being compromised because it has no exposed ports, a safe browser, and all 3rd party plugins disabled until I activate them.
I also have an android phone, and I'm near certain it'll get malware from an advertisement someday, because I have no means of blocking anything. It has nothing to do with the underlying safety of the system, but always the weakest link in the chain.
Seems Macs can be hacked just like everything else...
compromising your privacy and security since 2004...
I suspect this is an elaborate hoax perpetrated by Microsoft or possibly Google.
Wait... What. "...defense contractors... running Mac computers." ?????????????
Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
Security starts and ends with the user. If someone gets a virus, it is most likely that they do not care, are not paying attention, or are clicking on stupid links that go to stupid things that are not related to their work duties.
Corporations have yet to learn that training is required (less than 30 minutes to show someone the tricks to look out for), and an actual damage assessment and punishment system in relationship to breaches.
Sure IT may get an increase in calls at the start, but it is worth it in the long run.
And I've only owned and used PCs for the past 15-20 years. Yes, Macs do just *work* but never did I ever consider it 100% or foolproof. I like their design and simplicity. But I'm also learning Bash shell in Red Hat which throws me back to the DOS days and I like it even better. I can't stand people who put Macs on a pedestal and glamorize its terminal and *nix roots. True, it's there and functional but the people who preach that to me have never used it.
At the end of the day, computers are just tools, and the perceived danger is proportional to what kind of data is in the computer and the particular role the computer is playing in the workplace/ home. If I'm just storing movies or working as an occasional render machine, then it's disposable as far as I'm concerned. But if it's mission-critical, then I treat it like Fort Knox with several layers of security and backup plans.
Anyways, computers are just tools and I believe the attack vector will always be the operator. Seems like Spear Phishing is the best balanced attack for the amount of effort these days.
'The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers'
I thought Apple disabled Java in the browser months ago?
This is such a delicious day for the tech "press" because despite their constant barrage of warnings to the contrary, Apple viruses have been pretty much non-existent. Sure, OS X has had some vulnerabilities, but they were generally in various Unix packages and daemons, and those same problems generally affected Linux and BSDs and Solaris and so forth.
Anyway, my question: who the hell uses Java as a browser plugin anyway? On my rigs, it is disabled and has been for years. It's still installed (unlike Flash) because some desktop software needs it, but in the browser? Fuck that.
I'm surprised random douche bags like yourself haven't been beaten to death yet.
Only if they used windows then the users would have noticed something was wrong. Oh wait...
It *was* related to their work duties, jerk.
Among my computers is a windows machine. I have no fear of being compromised because it has no exposed ports, a safe browser, and all 3rd party plugins disabled until I activate them.
I also have an android phone, and I'm near certain it'll get malware from an advertisement someday, because I have no means of blocking anything. It has nothing to do with the underlying safety of the system, but always the weakest link in the chain.
I don't understand - explain each and every line.
I'm not in security. Please help in my ignorance ....
What is new in this post compared to the last one?
So it sounds like the newer, Oracle Java 7 SE was the vulnerable hole? Also hasn't that been the case for the last several months' worth of "Java Exploit" headlines? .... who need dat Java 7 anyway? What is it's be for?
I am's be wonderin'
I never installed it, just running the good ole' Java 6 SE which lets me run all the crap the interwebs brangs forth towards me.
TFA doesn't say which version of Java was responsible, only "a version". Was it Apple's modified Java 6, Oracle's latest and greatest Java 7, something in between, or something earlier?
Yes.
Join the Slashcott! Feb 10 thru Feb 17!
But...they were using Apples. Everyone knows that the Apple OSs can't be hacked. So it is perfectly OK to click on any link that strikes one's fancy. Isn't it?
burying their heads in the sand since 1984...
Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
That was a bit quick to jump to conclusions:
Rather than using typical targeted approaches like "spear phishing" with e-mails to individuals, the attackers used a "watering hole" attack—compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors.
"The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."
Source: http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/
"compromising the server of a popular mobile developer Web forum"
So far, all of the press reports and statements from those compromised have left off the most important bit of information: WHAT "popular mobile developer Web forum" was used?
One would imagine this would be important information to disseminate to developers...
Just say NO to Java.
If you can compromise computers across so many companies, including defense contractors which obviously would have access to classified/sensitive information, why would you waste it by attacking Facebook?
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
But...they were using Apples. Everyone knows that the Apple OSs can't be hacked. So it is perfectly OK to click on any link that strikes one's fancy. Isn't it?
You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.
And it was so light and thin.
Being cross platform still means it affected Macs. So the GP's tirade against the idea that Macs are immune to malware is valid. The GP was not claiming that other systems were immune to it.
any engineer who visited the site and had Java enabled in their browser would have been affected
It seems like not many Mac developers would have been affected - because (1) you have to specifically install Java, and (2) as the response from Apple states Java (in the browser) is disabled if you do not use it for 35 days...
But it would be great to know the sites involved so we would know if we were at risk.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I can't find any reference to what the attack actually does. Does it crash the machine? Erase the hard drive? Cause ugly pop-ups? Spam email?
The only thing worse than a Democrat is a Republican.
Correct me if I'm wrong but isn't Java included with the OS?
No, you have to download and install it.
And even if you do that, if Java is not used for 35 days the system disables it.
Now THAT's how to handle Java so most people will not get burned...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.
That's because the attacks are usually around IE or open ports. So of course people would blame the OS for the security failure.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Perhaps in this case it was a targeted site that was compromised, but the point still stands.
By making it harder to "phish" people, they must use other means which potentially expose them much easier than an email spam campaign.
It also points out the problem with complex coding platforms like Java.
As I never liked Java because of many other factors, this is just icing on the cake to my issues with it. Java is terrible.
Sounds like their aim needs some practice.
/* No Comment */
any hints on how to remove the malware?
by the way: it was: iphonedevsdk.com
(http://arstechnica.com/security/2013/02/web-forum-for-iphone-developers-hosted-malware-that-hacked-facebook/)
Being cross platform still means it affected Macs. So the GP's tirade against the idea that Macs are immune to malware is valid. The GP was not claiming that other systems were immune to it.
No Apple user I know and who has even basic knowledge of what malware is claims Macs are immune to malware. Even totally clueless 'drone' type users don't assume that. I know because a friend of mine has a small Apple shop and people regularly show up at his dealership and ask about infection risks on OS X and half the time they walk out with a free info booklet on malware and having bought a basic anti malware suite (he installs and configures it for free). This guy is just another nerdy zealot venting his irrational hatred of all things Apple. That "OS X is immune to malware and h4x0rs" mantra is so old it has whiskers on it and regurgitating it makes him just as lame as those sad plonkers who still spell Microsoft with a $ sign.
You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.
A few years ago, when Apple shipped iPods with Windows Virus they said "As you might imagine, we are upset at Windows for not being more hardy against such viruses...". So now they should be upset with themselves.
You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.
A few years ago, when Apple shipped iPods with Windows Virus they said "As you might imagine, we are upset at Windows for not being more hardy against such viruses...". So now they should be upset with themselves.
Actually, before you ripped it out of context, the full quote was: "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it." So even at the time they admitted they were upset with themselves even though they couldn't help but take a shot at Microsoft for reasons that have to do with events that took place while you were probably still in diapers. Come to think of it I could fill a book with snide comments by Linux Fanbois about Windows security made on this forum, comments that ignore the fact that there is way more malware targeted at Windows than there is malware targeted at Linux. If you take that into account Microsoft is doing a pretty good job on security, snide comments by Apple Marketing drones and Slashdot Linux fanbois notwithstanding.
The main problem many people fail to realize is this: there is no such thing as 100% security....ever! I don't care if you build a bunker 1000 miles into earth's core and cover the bunker in cement and re-bar, there is still a threat to security if someone is willing to spend the time and resources (money?) to infiltrate said device and drill down to the computer (even if it takes 100 years to do so). So when people say it's Java's fault, or it's Oracle's fault, or whoever, there is always something or someone that can infiltrate/hack something else. Whether or not the action of an attacker appears plausible, threats always exist and will continue to exist no matter what. The better term would be, "Some devices can be built more secure than others. OR Some settings/configurations can be more secure than others, never 100% secure." All of this depending on infinite amounts of factors, so no, there is no such device or code that can ever be written that is 100% secure and "un-crackable" by someone else (given enough time and resources).
But...they were using Apples. Everyone knows that the Apple OSs can't be hacked. So it is perfectly OK to click on any link that strikes one's fancy. Isn't it?
You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.
The Java vulnerability is only a doorway, what you send through it is totally different.
Hi theVarangian, I own a Mac, I use Avast for Mac, and I'm very careful what websites I visit. I realize no OS is virus immune. Does that qualify for a first? A decade of windows usage taught me. Now please stop spewing crap about what mac users know and don't know. Thanks.
No Apple user I know and who has even basic knowledge of what malware is claims Macs are immune to malware. Even totally clueless 'drone' type users don't assume that. I know because a friend of mine has a small Apple shop and people regularly show up at his dealership and ask about infection risks on OS X and half the time they walk out with a free info booklet on malware and having bought a basic anti malware suite (he installs and configures it for free). This guy is just another nerdy zealot venting his irrational hatred of all things Apple. That "OS X is immune to malware and h4x0rs" mantra is so old it has whiskers on it and regurgitating it makes him just as lame as those sad plonkers who still spell Microsoft with a $ sign.
Come to my company. We have many users with Apples at home that swear to me that their Apples cannot get viruses, malware, hacked, etc... They all want to use them on the company network.
"A plan fiendishly clever in its intricacies"- Homer Simpson
This wouldn't have happened if Steve was alive!
Call me ignorant, but the recent wave of Java bugs, are they Oracle implementation bugs, or problems with the Java specification? Are OpenJDK/IcedTea affected?
Perhaps in this case it was a targeted site that was compromised, but the point still stands. By making it harder to "phish" people, they must use other means which potentially expose them much easier than an email spam campaign.
No, your point does not stand. You were blaming the stupid users with too much time browsing porn sites or whatnot as well as the corporation that did not train them properly.
There isn't much you can do against a browser plugin silently executing malicious code planted into a normally harmless popular website. No matter how knowledgeable were the respective FB developers, if the cited information is correct and complete, there was no way they could have avoided the problem except by having Java blocked/disabled.
But...they were using Apples. Everyone knows that the Apple OSs can't be hacked. So it is perfectly OK to click on any link that strikes one's fancy. Isn't it?
You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.
1. If it counts as a vulnerability on Windows, then it counts as one on Mac and any other OS, too.
2. Apple runs marketing and fanboys spread the idea that there is some quality to Macs which make them immune to attack, regardless of the vector.
Wait, the people who are smart enough *NOT* to have their overly expensive laptops serviced in APL stores (they probably bought it for the name or how pretty it looks) because they'd charge retarded prices are also smart enough to ask about malware.
You also realize that on APL's main website *AND* promotional materials -- for the longest time -- said it was "virus free".
I wonder where people's misconceptions come from...
Work without fear.
Decrease your downtime and forget about needing an IT person stationed in the kitchen. PCs were plagued with 114,000 viruses by the end of 2005 and that number skyrocketed to 257,000 in 2007. On a Mac, you don’t have to waste your valuable time keeping up with all those viruses and trying to protect your system from them. Instead, you’re free to amaze yourself with everything you can accomplish.
How interesting.
Uhm, you're taking that out of context too. They're upset at themselves for having unauthorized software on their music players.
Here, let me replace "it" with what "it" represents:
"... we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching having a Windows-only virus preinstalled on our devices."
They're not upset at themselves for "not being hardy against viruses".
Actually, before you ripped it out of context, the full quote was: "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it."
It wasn't out of context. The statement is damning Windows for having the vulnerability, and apologizing for not protecting the "lesser" OS. The parent's point still stands- why are they not upset with themselves now for having an OS which is, to use your exact quote "not more hardy against such viruses"?
The answer is simple- Apple has spent a shitload of marketing money promoting the idea that Macs are somehow more secure and less vulnerable to attacks, of any kind. Don't get all lawyer on me about their language and the fine print, that's the image they wanted the average user to see and it's worked well for them over the years. So they don't want to admit that as predicted by many, as their market share increased they became a more viable target, and today there is nothing fundamentally "better" about their OS than the one they constantly bash as being "vulnerable".
You could fill a book but back then when those comments were stated, YES MICROSOFT DID HAVE A PROBLEM. We know damn well that Microsoft has stepped up since then. Even though you fucking Windows morons told us that it was impossible for MS to do anything because of their dominating market position. Yeah, that same position they maintain today. You Windows boobs were wrong about it. Microsoft proved it when they finally stepped up. They're still number one in the market and yet they're no longer the number one exploit vector. Market share alone doesn't dictate what hackers go after. You have to have both the market share and bad software.
Those comments you'd use in your book were accurate within their historical context. So, before you go griping about someone taking things out of context, you'd better make sure you're not doing the same.
No Apple user I know and who has even basic knowledge of what malware is claims Macs are immune to malware.
Actually, Macs claim that they are immune to PC Viruses.
Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
Security starts and ends with the user. If someone gets a virus, it is most likely that they do not care, are not paying attention, or are clicking on stupid links that go to stupid things that are not related to their work duties.
Corporations have yet to learn that training is required (less than 30 minutes to show someone the tricks to look out for), and an actual damage assessment and punishment system in relationship to breaches.
Sure IT may get an increase in calls at the start, but it is worth it in the long run.
Riiiight.
Write once, run anywhere.
"'This is a new campaign. It's not like the other ones you read about where everyone can tell it's China,' the first person said." I'm a bit lost with all attacks, Java security alerts, Java patches, Java this, Java that. Could we give each Java alert a feminine first name like we do with tornadoes?
Why does everywhere seem to be keeping the identity of the site in question top secret?
That's rather unacceptable, as many other developers using said site could also have been impacted.
This helps no one other than the admins of a site who failed to properly secure it and they shouldn't have right to anonymity of their site when others may well be at risk.
Apologies, my hand grazed the touchpad and my laptop took that as an indication I wanted to moderate you as flamebait. Posting to undo.
Change is certain; progress is not obligatory.
Hi theVarangian, I own a Mac, I use Avast for Mac, and I'm very careful what websites I visit. I realize no OS is virus immune. Does that qualify for a first? A decade of windows usage taught me. Now please stop spewing crap about what mac users know and don't know. Thanks.
WOOOSH!!!
Oh shit.
Oh shit.
No Apple user I know ... claims Macs are immune to malware
It happens....
To be clear, she makes her connections on the internet. She makes her money on her knees. At least that's what I heard from kutahuja's mom.
Reply to undo Mod.
Of course news about a fake are Fake News.