Apple, Facebook and Twitter have all fallen victim to the same attack by hackers over the past few weeks.
The good news is that very few users
have been affected by these security breaches. Still, the way these companies
were attacked–through malicious websites that exploited a security flaw in
Java–could happen to anyone. Here’s what you need to know about the recent
attacks, and how to stay safe:
How did this happen?
At least one website related to
iPhone app development, called iPhoneDevSDK, fell victim to an attack, which in
turn seems to have caused this whole mess. Hackers compromised the account of a
site administrator, and used it to inject malicious code into the site. This
code allowed malware to infect the computers of people who visited the site,
including employees at Apple, Facebook and possibly Twitter. A post on
iPhoneDevSDK says the attack likely ended on January 30, but many of the
details are still unknown.
Who, exactly, was affected?
Twitter was the only company that
said its users were affected. In a February 1
blog post, Twitter said attackers compromised 250,000 accounts,
gaining access to user names, e-mails, session tokens and encrypted versions of
passwords. Twitter has reset those users’ passwords and sent e-mails notifying
affected users, so they’ll have to create new passwords next time they log in.
Facebook says a handful of employee
laptops were compromised,
but found no evidence of stolen user data. The attack on Apple affected some
employees’ Macintosh computers, but the company says there’s “no evidence that
any data left Apple.”
We may not yet know the full extent
of the damage, as anyone who visited iPhoneDevSDK was susceptible to the
attack.
What was the point of the attack?
Bloomberg claims that the hackers
“appear to be seeking company secrets, research and intellectual property they
can sell underground,” citing “people familiar with the matter.”
However, security firm F-Secure speculates
that the actual goal was to compromise the accounts of mobile application
developers, allowing the attackers to inject malicious code into smartphone
apps. If true, developers will need to be vigilant and check their accounts and
source code for signs of trouble.
Is this related to the supposed
hacking efforts from China, or the compromise of high-profile Twitter accounts?
No, this seems to be a separate
case. Bloomberg claims that the iPhoneDevSDK attack originated in Eastern
Europe, not China.
The hacking of
Burger King and Jeep
Twitter accounts is more of a prank, and may have originated in the United
States, Gizmodo
claims.
Aren’t Macs invulnerable to malware?
Nope. In the past Apple has done a
good job of locking down Mac OS X, but malware such as Mac Defender
and Mac Guard have proven that OS X isn’t impervious to security
threats. As The Next Web
notes, Apple didn’t yet have a patch to protect against this
particular Java vulnerability, though the company has since issued one.
How can users protect themselves
from similar attacks?
Vulnerabilities in Java are common,
which is why the U.S. Department of Homeland Security now recommends disabling
Java in your browser. Chances are, you’ll never even notice
that it’s gone. Here’s a quick guide to disabling Java in most popular
browsers:
- Chrome: Enter “chrome://plugins” (without quotes) in the location bar, scroll down to “Java,” and click “Disable.”
- Firefox: Click the Firefox button in the top-left corner, and click “Add-ons,” then click the Plugins tab, then click “Disable” for any Java-related plugins, such as Java Deployment Toolkit and Java Platform.
- Safari: Click Safari > Preferences, or press Command-comma, then click the “Security” tab. Uncheck the box that reads “Enable Java.” (Make sure to keep the “Enable JavaScript” button checked.)
- Internet Explorer: Disabling Java in IE is a lot more complicated than other browsers. I recommend following the instructions on Sophos’ blog, or uninstalling Java altogether. You can uninstall Java by going to Control Panel > Programs (or Add/Remove Programs), clicking on Java in the program list, then clicking “Yes” when prompted.
To make sure you’ve disabled Java in
your browser, visit this
Java website and make sure nothing but a jigsaw piece comes up in
the gray box on the page. It’s possible that your computer may not have Java
installed in the first place.
If you absolutely need Java for
certain websites (such as Minecraft), TrendMicro has a good tip:
Leave Java enabled in a secondary browser for accessing trusted sites. So for
instance, if you mainly use Chrome, you can still use Firefox for the
occasional Java site. Just keep in mind that even well-known sites can be
susceptible to an attack, as this latest hacking episode has demonstrated.
No comments:
Post a Comment