Microsoft joins Apple and Facebook
“You are the weakest link, goodbye.”
This morning Microsoft confirmed it had become the latest victim of the recent hacking attacks, that
have also affected both Apple, and Facebook in recent weeks.
There is plenty of information about the attacks on the BBC news website for those who are interested in reading more. However, what most people seen to have missed is that there are actually two successful hacking attacks in this story, not one.
The attack that has been so widely reported against these companies involved an undiscovered vulnerability, a so called “zero day exploit”, in the Java programming language. That vulnerability has since been closed by Oracle in the latest Java release. However, that problem is actually the second attack.
The First Attack
The first attack was actually against a small company’s website. The iPhoneDev.com website was compromised and used to host and distribute the malware used in the attack. It was this malware that once downloaded onto the computers at Microsoft, Apple and Facebook that allowed the second much more serious attack to occur. You can read about their involvement in their blog post in full here.
I want to pick up on one key point in their statement:
The hackers used this account to modify our theme and inject JavaScript into our site. That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain user’s computers.
Here is the real issue. A direct attack against the computers used by Microsoft, Apple and Facebook would have been very unlikely to succeed. So the attackers had to find another way. They had to find the weakest point in the chain. iPhoneDevSDK.com appears to have been that weak point. Critically, however, neither iPhoneDevSDK, or their hosting provider appear to have known nothing about this attack for two weeks! No doubt, infecting other computers both corporate and private in the intervening period.
We are confident that had iPhoneDevSDK been using our new Website Monitoring service we would have detected this malicious Javascript injection within 24 hours in the worst case. Most probably we would have spotted this within a few hours. This potentially could have stopped Microsoft, Apple and Facebook from being compromised.
Fixing it one Website at a Time
Websites are hard to secure against attacks and no one website will ever be 100% secure. In the world of information security there is no such thing as a 100% guarantee. But, you can help yourself and work to reduce the risks by asking for advice from security professionals, and using services such as ours to monitor and help protect your websites from attack.
Remember, it is not necessarily your site, or your data that the hackers want. They are just using your site as the weakest point in the chain, to attack their real targets.
Your task is to ensure you website should not the weakest link in the chain. The web is not a safe place. But everyone has their part to play in making it a safer place for everyone to use. That can only be done one website at a time. Why not start with your website?