Remember a few weeks ago there was a big stink about Twitter, Facebook, Apple, and then Microsoft being “hacked,” which was not actually a hack? As there were very few concrete details being shared by the affected parties, there was a huge amount of misinformation and partial explanations floating around. For my money, the most off-the-mark explanation was from early reports stating it was the result of a targeted attack by Chinese hackers. No, it was nothing that skillful or obvious.
I suspect the proximity of this event to the release of the Mandiant report (also referenced in the article above) that detailed the activities of Chinese malware gangs caused everyone to jump to that conclusion. Everyone was running around with China on the brain. But China is not the locus of all things nasty and cyber. There are plenty of countries spewing out malware and generating attacks. It’s good not to forget that, as it could blind us to details that might better help identify and prosecute criminals.
Likewise, it’s good not to stop investigating just because one possible explanation has been found. Details are still emerging about what happened in this event that affected so many major vendors. As many surmised, it was not just those four vendors that were affected. And it was not just software developers but car companies, U.S. government agencies, and even a candy company that got hit. (Software companies aren’t the only businesses that employ developers!) Nor was it just Macs – Windows machines were hit with a similar version of the threat, which also used a Java vulnerability to sneak silently onto machines. Oh, and it wasn’t just that one iPhone developers’ site, it was several other developer sites as well.
There’s one quote from Joe Sullivan, Facebook’s Chief of Security, in the Security Ledger article that really drives me nuts:
Even with that list, it is possible that the public will never know the full extent of the attack, given its sophistication, he said. ”Nobody knows the whole picture,” he said. “And, in the absence of an environment where all the companies implicated are able to share all their internal details, there is little chance of the whole picture being directly assembled.”
He’s right, no one knows the whole picture. But he is shockingly wrong about there being an environment where all the companies can share information. All four companies that were hit can and do share information about malware and other security incidents. They all have active security researcher representatives on private security industry mailing lists. Had any of the four shared the details of their own attack the way they have shared detail in the past, we could have had more eyes on this puzzle and we all could have worked together to figure out what was going on. As it stands, there are several separate investigations going on that create redundancy and slows all of our progress significantly.