Apple, Facebook and Twitter have all fallen victim to the same attack by hackers over the past few weeks.
The good news is that very few users have been affected by these security breaches. Still, the way these companies were attacked–through malicious websites that exploited a security flaw in Java–could happen to anyone. Here’s what you need to know about the recent attacks, and how to stay safe:
How did this happen?
At least one website related to iPhone app development, called iPhoneDevSDK, fell victim to an attack, which in turn seems to have caused this whole mess. Hackers compromised the account of a site administrator, and used it to inject malicious code into the site. This code allowed malware to infect the computers of people who visited the site, including employees at Apple, Facebook and possibly Twitter. A post on iPhoneDevSDK says the attack likely ended on January 30, but many of the details are still unknown.
Who, exactly, was affected?
Twitter was the only company that said its users were affected. In a February 1 blog post, Twitter said attackers compromised 250,000 accounts, gaining access to user names, e-mails, session tokens and encrypted versions of passwords. Twitter has reset those users’ passwords and sent e-mails notifying affected users, so they’ll have to create new passwords next time they log in.
Facebook says a handful of employee laptops were compromised, but found no evidence of stolen user data. The attack on Apple affected some employees’ Macintosh computers, but the company says there’s “no evidence that any data left Apple.”
We may not yet know the full extent of the damage, as anyone who visited iPhoneDevSDK was susceptible to the attack.
What was the point of the attack?
Bloomberg claims that the hackers “appear to be seeking company secrets, research and intellectual property they can sell underground,” citing “people familiar with the matter.”
However, security firm F-Secure speculates that the actual goal was to compromise the accounts of mobile application developers, allowing the attackers to inject malicious code into smartphone apps. If true, developers will need to be vigilant and check their accounts and source code for signs of trouble.
Is this related to the supposed hacking efforts from China, or the compromise of high-profile Twitter accounts?
No, this seems to be a separate case. Bloomberg claims that the iPhoneDevSDK attack originated in Eastern Europe, not China. The hacking of Burger King and Jeep Twitter accounts is more of a prank, and may have originated in the United States, Gizmodo claims.
Aren’t Macs invulnerable to malware?
Nope. In the past Apple has done a good job of locking down Mac OS X, but malware such as Mac Defender and Mac Guard have proven that OS X isn’t impervious to security threats. As The Next Web notes, Apple didn’t yet have a patch to protect against this particular Java vulnerability, though the company has since issued one.
How can users protect themselves from similar attacks?
Vulnerabilities in Java are common, which is why the U.S. Department of Homeland Security now recommends disabling Java in your browser. Chances are, you’ll never even notice that it’s gone. Here’s a quick guide to disabling Java in most popular browsers:
- Chrome: Enter “chrome://plugins” (without quotes) in the location bar, scroll down to “Java,” and click “Disable.”
- Firefox: Click the Firefox button in the top-left corner, and click “Add-ons,” then click the Plugins tab, then click “Disable” for any Java-related plugins, such as Java Deployment Toolkit and Java Platform.
- Safari: Click Safari > Preferences, or press Command-comma, then click the “Security” tab. Uncheck the box that reads “Enable Java.” (Make sure to keep the “Enable JavaScript” button checked.)
- Internet Explorer: Disabling Java in IE is a lot more complicated than other browsers. I recommend following the instructions on Sophos’ blog, or uninstalling Java altogether. You can uninstall Java by going to Control Panel > Programs (or Add/Remove Programs), clicking on Java in the program list, then clicking “Yes” when prompted.
To make sure you’ve disabled Java in your browser, visit this Java website and make sure nothing but a jigsaw piece comes up in the gray box on the page. It’s possible that your computer may not have Java installed in the first place.
If you absolutely need Java for certain websites (such as Minecraft), TrendMicro has a good tip: Leave Java enabled in a secondary browser for accessing trusted sites. So for instance, if you mainly use Chrome, you can still use Firefox for the occasional Java site. Just keep in mind that even well-known sites can be susceptible to an attack, as this latest hacking episode has demonstrated.