Security & Privacy

More Details Surface About Recent Apple “Hack”

Posted on March 11th, 2013 by

Remember a few weeks ago there was a big stink about Twitter, Facebook, Apple, and then Microsoft being "hacked," which was not actually a hack? As there were very few concrete details being shared by the affected parties, there was a huge amount of misinformation and partial explanations floating around. For my money, the most off-the-mark explanation was from early reports stating it was the result of a targeted attack by Chinese hackers. No, it was nothing that skillful or obvious.

I suspect the proximity of this event to the release of the Mandiant report (also referenced in the article above) that detailed the activities of Chinese malware gangs caused everyone to jump to that conclusion. Everyone was running around with China on the brain. But China is not the locus of all things nasty and cyber. There are plenty of countries spewing out malware and generating attacks. It's good not to forget that, as it could blind us to details that might better help identify and prosecute criminals.

Likewise, it's good not to stop investigating just because one possible explanation has been found. Details are still emerging about what happened in this event that affected so many major vendors. As many surmised, it was not just those four vendors that were affected. And it was not just software developers but car companies, U.S. government agencies, and even a candy company that got hit. (Software companies aren't the only businesses that employ developers!) Nor was it just Macs - Windows machines were hit with a similar version of the threat, which also used a Java vulnerability to sneak silently onto machines. Oh, and it wasn't just that one iPhone developers' site, it was several other developer sites as well.

There's one quote from Joe Sullivan, Facebook’s Chief of Security, in the Security Ledger article that really drives me nuts:

"Even with that list, it is possible that the public will never know the full extent of the attack, given its sophistication," he said. "Nobody knows the whole picture," he said. "And, in the absence of an environment where all the companies implicated are able to share all their internal details, there is little chance of the whole picture being directly assembled."

He's right that no one knows the whole picture. But he is shockingly wrong in suggesting that no environment exists where all the companies can share information. All four companies that were hit can and do share information about malware and other security incidents. They all have active security researcher representatives on private security industry mailing lists. Had any of the four shared the details of their own attack the way they have shared details in the past, we could have had more eyes on this puzzle and we all could have worked together to figure out what was going on. As it stands, there are several separate investigations going on, which creates redundancy and slows all of our progress significantly.

  • Kelly Martin

    I would like to know if Intego’s A/V engine was able to block the malware before a signature update was provided? I suspect not, or else you would have mentioned it. If you can block attacks like these from previously unknown malware that’s a big selling point… and if not, it helps me justify why I don’t use A/V on my Mac…

    • LysaMyers

      As we haven’t seen all the components of this threat, we can’t say whether or not it would have been detected with existing virus definitions. But what you describe is not what AV products are designed for. The idea behind AV is that there is always some time between “patient zero” and others being infected – most malware hangs around affecting people for years after it’s first discovered. Previously unknown threats may be detected if they’re similar to previous, known threats in terms of code or behavior, thanks to what are either called Generic or Heuristic detections. But if you want to prevent something totally unique and unknown, you need to employ another layer like a firewall. In this case, depending on your settings, NetBarrier could have detected this even if the virus definitions did not.