Microsoft Admits To Being Hacked Too 92
Posted
by
samzenpus
from the join-the-crowd dept.
from the join-the-crowd dept.
colinneagle writes "Once upon a time, Microsoft claimed that falling prey to social engineering tactics and then being hacked was a 'rookie mistake.' But now is the time for companies to jump on the bandwagon, to admit they were targeted by cyberattacks and successfully infiltrated. The stage is so crowded with 'giants' at this point, that there are fewer 'bad press' repercussions than if only one major company had admitted to being breached. Microsoft now admitted, hey we were hacked too. 'As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion,' wrote Matt Thomlinson, General Manager of Microsoft's Trustworthy Computing Security. Unlike the New York Times and the Wall Street Journal there was no mention of Chinese hackers."
Re: (Score:3, Informative)
The Macs at the Mac Business Unit were affected.
FTFA:
It wasn't just the Macs. This was an attack on the Oracle java browser plugin, not an attack on a specific platform.
Troll less, recoiledsnake.kthxbai.
Re: (Score:3, Interesting)
The Macs at the Mac Business Unit were affected.
FTFA:
It wasn't just the Macs. This was an attack on the Oracle java browser plugin, not an attack on a specific platform.
Troll less, recoiledsnake.kthxbai.
That can imply that Macs are being used elsewhere in Microsoft apart from the Mac Business Unit. The malware was hosted on an iPhone dev site, and Microsoft has a lot of iPhone app development going on with Bing, Photosynth, Xbox etc. which are not part of the Mac Business Unit.
The computers hacked at Facebook were Macs. (Facebook devs pretty much use Macs exclusively). The ones at Apple were pretty obviously Macs. So the implied assumption in the absence of concrete information is that it was pretty much a
Re: (Score:3)
Why are the computers at Apple "obviously" Macs?
iTunes, QuickTime, Safari, and other Apple software is all available for Windows. Do you think Apple does all that Windows development without any Windows machines?
Someone else stated that if it was only Macs infected, Microsoft would have made sure to state that. They didn't state that *any* of the computers were Macs, despite the implication with the "Mac Business Unit" bit, so it's safe to say that at least some of them were runnimg Windows.
Re: (Score:1)
Re: (Score:3)
Yes none of their Linux PC got hacked.
Re:It was Macs at Microsoft (Score:5, Informative)
It wasn't just the Macs. This was an attack on the Oracle java browser plugin, not an attack on a specific platform.
Troll less, recoiledsnake.kthxbai.
Yes, it was just the macs. The attack vector was a Java vulnerability, but the payload is always OS specific. Some attacks have been known to serve different payload after sensing the OS. But not this one. This payload was Mac specific, and Mac computers were the only one affected.
Coincidentally, the Java vulnerability exploited in the attack had been patched by Oracle several weeks before. But the vulnerability was still in the Apple maintained Java 6 (Apple still maintains their own Java 6 until EOLed - Oracle has only committed to maintain Java 7 on OS X).
This is all Macs and all Apple.
Re: (Score:2)
Apple still maintains their own Java 6 until EOLed
FYI, Java 6 EOLed now, Feb. 2013, no longer supported by Apple
For your information: http://support.apple.com/kb/HT5666 [apple.com] :"Multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_41. For Mac OS X v10.6 systems, these issues were addressed in Java for Ma
Re: (Score:2)
The claim is that Macs don't get virus'
Which is obviously BS, because that's what just happened to Facebook, Twitter, Microsoft, and Apple. Macs got infected via Java. The payload was targeted for OSX.
Re: (Score:2)
It also depends on how the "don't get viruses" comment is made.
A few years back my (then) girlfriend was in need of a new laptop, so we opted to cast a wide net which included a local Apple store and during the sales pitch the 'genius' had said "and these can't get PC viruses".
While technically true (when not running Windows)... I found it a rather deceitful way to try to brag about their security as I could have listed a few recent cases were Macs were in fact hacked... such as them being the first thing t
Re: (Score:2)
There are no known virus on Macs.
Since that statement is easily disprovable with a single example, here's the word from Sophos from 2006 [sophos.com], for OS X specifically. There's even a nice section labeled "Is Leap-A a virus or a Trojan?" to counter your next rebuttal. If you disagree with their assessment, argue with them, not me.
If you look at the Mac virus timeline on that page, you can see the first one in 1982, which predates the first IBM PC virus by 4 years. There have been several viruses written to target various Mac operating systems,
Re: (Score:2)
Sadly, another false interpretation of the state of affairs.
Windows historically was a victim of both their poor security practices and their own success. They've actually done a lot in the Vista and up days to mitigate the need for users to 'run as administrator' to essenitally get anything done and acheive a fundamental security model roughly on par with modern Unix and Unix-like systems.
They are left with being a victim of their own success, malware authors target platforms of high popularity. Frankly,
Re: (Score:2)
I don't know about you, but the rest of us realized that was all sarcasm and that saying anything was immune was stupid.
Re:It was Macs at Microsoft (Score:5, Interesting)
I got into a bit of a flame war back and forth with a guy when the Java vulnerability first appeared. He said it would only affect PCs since viruses don't work on Mac or Linux. I called bs he responded with "they use different filesystems, learn something before spewing off at the mouth." To which I replied: 1) this is a browser based attack and 2) do you think a hacker can't figure out /home/bob rather than \Users\bob? My God the things people come up with. All three platforms now have a request for elevation kind of mechanism that is supposed to protect you. The problem is for 90% of users a UNC prompt or its mac/linux equivalent pops up and they click ok. To most users the fingers go in the ears as soon as you try to explain the risks and what is happening and they just ask "So what do I need to click to continue?" This is more a mental problem then a technological one and I don't see any likely solution. Sandboxing like Win 8 Modern can help where you at least in theory make no app able to see each other directly or even the whole of the filesystem but there are just too many use cases where being able to browse all the filesystem, one app needs to get something from anothers space etc that are needed.
Re: (Score:2)
The problem is for 90% of users a UNC prompt or its mac/linux equivalent pops up and they click ok. To most users the fingers go in the ears as soon as you try to explain the risks and what is happening and they just ask "So what do I need to click to continue?"
If common tasks didn't require the user to answer these pop-ups, then they would see them as "unusual" and wouldn't be as likely to just "click to continue".
There are quite a few control panel settings in Windows 7 that require answering a UAC prompt just to see the settings. Any software that tries to make a network connection and isn't on the Windows firewall "approved" list generates a UAC prompt. Then there are some settings (like "Adjust Visual Effects" in the "Perfomance Information and Tools" contr
Re: (Score:2)
Good points on a lot of it. I can get the UAC for network connection though. If you download a office suite say and it tries to connect to the internet you might be suspicious. I think it is a good idea for users to know what applications use the network especially since a lot/most people have metered internet connections so you are paying for that traffic.
Visual settings: agreed and should be per login based (not sure if they are or not). Apple has a better solution here for preferences: show the preferenc
Re: (Score:2)
I can get the UAC for network connection though. If you download a office suite say and it tries to connect to the internet you might be suspicious.
Since there is now a lot of legitimate software that requires a network connection to "phone home", it just gets to the point that a user will blindly click the "make this dialog go away" button without reading. In addition, all the dialog gives you is the program name, and malware can have names that seem legitimate, while I sometimes have to google an EXE or DLL to see if it is OK or not.
Also, Internet Explorer is whitelisted, so if the malware creates an IE instance (which doesn't require a visible wind
Re: (Score:2)
Okay so malware might be more appropriate. See for example: http://www.kernelthread.com/publications/security/vunix.html [kernelthread.com] though (albeit a bit old). Vulnerabilities exist in UNIX and a large set of things can be expected to be on a lot of other systems (eg. Apache, Perl, bash etc), so find an open interface to something and a corresponding vulnerability and away you go. Malware doesn't have to rely on peer to peer replication: they effect a server and the visitors "do it to themselves" afterwards.
Also: the d
Re: (Score:3)
Re: (Score:3)
Oh sure. Everything that has been said about Macs and Linux still stands.
Now we all knew Java was riddled with holes. That too still stands.
Macs and Linux just happen to be able to run Java.
Re: (Score:2)
Something tells me that had these "some" actually been Macs, they (Microsoft) would have mentioned it. But then I have a suspicious nature when it comes to press releases.
Re:It was Macs at Microsoft (Score:5, Interesting)
Let's disect this, shall we?
"A small number of computers" of OS type undisclosed, therefore it included Windows machines or else MS would have specifically called out the faults of others to safe face and made it clear that none were running it's flagship operating system.
"including some in our Mac business unit" of OS type undisclosed, therefore it included Windows machines or else they would have called out OSX by name.
For all we know there were 78 machines compromised (a small number compared to the number of machines at all of Microsoft, and of those only 2 were in the Mac business unit. the statement reads as true but deflects the maximum amount of blame away by implying that it's a Mac issue. .
Re: (Score:2)
Or a less evil way of thinking about it is that MS didn't want to say "yeah we have the problem too" without pointing out that it isn't just them having the problem but it is Apple products too. Keep in mind every time a company discloses things they lose control over how it will be presented. If their statement doesn't include that it is Apple hardware/software too (or at least implies that it might have been) what might end up as the head line is "MS hacked" with no mention of Apple at all leaving MS look
Re: (Score:2)
The problem with Chinese hackers... (Score:5, Funny)
...an hour later and you're losing data again!
Re: (Score:2)
You fool! You've invoked APK! Woe! Woe unto all of us!
Let's be honest (Score:1, Flamebait)
Microsoft wants to join in because OSX is in the spotlight. Other companies have already admitted infiltration with the hack, so this gives them an opportunity to shine a bright light on OSX' security issues away from their own for a brief minute.
Re:Let's be honest (Score:5, Informative)
Except that it has NOTHING to do with OS X security. This is all Oracle software that has the issue, software that Apple no longer distributes nor supports. If you don't run Oracle software, you won't be affected. Interestingly, even if you do have the software installed, and it isn't used after 31 days, OS X automatically disables it.
Again, this has zero to do with OS X security. This is all about end user installed software, provided and supported by Oracle.
Re: (Score:3, Insightful)
Re: (Score:2)
Except that it has NOTHING to do with OS X security.
No; bullshit. There is a whole load of security stuff that could have protected against that. The SELinux stuff that came from the NSA, that RedHat has been working on for years; that is present in Fedora; is exactly what could protect against this kind of user level stuff. There was a choice made by a number of computer manufacturers to put in ease of use without thinking through how to do that securely. Apple and Microsoft both, together, chose to push out alternative more secure solutions by trying
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
The core truth doesn't matter, it's all about appearances.
Put yourself in the shoes of a PHB (I know, i know... it's only temporary) - what would your take be?
Re:Let's be honest (Score:5, Insightful)
By the same token, a huge section of "Windows Malware" also has nothing to do with Windows Security. Yet we see hundreds of modded up posts on Slashdot bashing Microsoft over it regularly, yet Apple seems to be getting a free pass just like Android.
Re:Let's be honest (Score:4, Insightful)
Again, this has zero to do with OS X security. This is all about end user installed software, provided and supported by Oracle.
Just so we're all on the same page, when computers get infected with malware it is not the fault of the OS, it is the fault of the third-party software, right? It seems like I heard a different tune when people were talking about Windows machines getting infected through third-party software.
Re:Let's be honest (Score:4, Insightful)
Well something like 80% of BSOD issues were driver based (talk from a while back in XP days) but that didn't stop MS from getting the blame. A company can encourage other vendors to make good stuff but they can't force customers to apply the blame correctly when 3rd parties fail. It is fair game for MS to say "we've been hacked and yeah our Macs got hacked too" if it is true. It is also in their best interest to make sure that their competitors get included in the sound bits about the problem (and the source of the problem too of course) so that they don't get stuck with all the blame.
Re: (Score:3)
Ironic isn't it? (Score:2)
Re: (Score:1)
As expected (Score:4, Interesting)
The U.S. government has recently been saber-rattling about the NSA/DOD/whoever taking on the role of protecting vital national computer interests, particularly against the hacking efforts of China. And now, very atypically and with very little rationale for publicly admitting as much, a number of major technology/web companies have started admitting they've been hacked, allegedly from China.
So, was the U.S. government recognizing a real trend ahead of time, or maybe they had non-public information regarding these activities? Or are the companies being pressured to help create a story that will justify a government takeover of the network security infrastructure?
I distrust coincidences and the timing of these initiatives and disclosures smells a bit odd to me. Expect congressional inquiries into the "growing cybersecurity threat" to be covered on C-SPAN within the next few weeks.
Re:As expected (Score:4, Insightful)
Anyone with a Linux server had information regarding these activities.
Look at your SSH logs, and you'll find 99.99999% of brute force attempts these days are coming from China.
Who the heck still has SSH open to the Internet? I haven't been set up this way for years, so I have no brute force attempts in my logs, on any of the dozens of Linux servers I maintain. Everything requires an OpenVPN connection first, then SSH over that.
As far as I'm concerned, an open SSH port is barely better than an open telnet port. The only improvement is that it prevents cleartext traffic sniffing.
Re: (Score:2)
Re: (Score:1)
Both
There is something real going on; there are always hackers from all Nations and there are probably more from China right now and also there is a conspiracy to take advantage of that.
Re: (Score:3)
The real problem here is all those technology trying to sell the lie of being able to secure the internet completely. The reality is, if you want it secure then don't bloody connect it to the internet. It only takes one mistake, in set up, in maintenance, in updating and of course in end user use and you security will fail.
So these companies in seeking billions of taxpayer dollars to fill their coffers and trying to sell something they know will fail and of course they will be able to sell upgrades for.
hope the hackers (Score:2)
You are already hacked. (Score:3)
I think the point of this story is.
You are already hacked. Doubly so if you use Java in the browser or anything else that's had any number of security flaws in the past year.
Make sure your IDS is up and running and stick it between your developers and your servers.
Oh, and make your developers run their updates. They have to be the worst at ignoring the java, adobe, and microsoft warnings from the task bar.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
>can be completed against some third party proprietary application that the busness cannot fix....
Live by the black box, die by the black box.
Re: (Score:1)
If the update causes the business to shutdown, then the business may go out of business before the "some extra work to fix bugs" can be completed against some third party proprietary application that the busness cannot fix....
So no. bosses that don't want push updates because "it can break our systems" are correct. Pushing the update could put the company out of business.
Hey, I'm all for this as long as when the inevitable occurs, I'm not held responsible. We all know how that will go though, don't we?
Re: (Score:2)
and stop allowing access to production databases from developer workstations. If you have a bug that requires a developer to read the production database, it must be done from an isolated machine with access to it, developers should not have direct network connectivity to it
Re: (Score:2)
Depends how big the company is. If there are not enough code checks, hacking the developer box is eventually hacking the production database no matter how isolated the two are.
Better to admit to being hacked (Score:4, Insightful)
Than to admit to certificate management incompetence.
it's like a self help group (Score:1)
It's like a self help group for non-recovering corporate assholes.
"Hi, I'm Microsoft, and I was hacked"
everyone: "Hello, Microsoft"