Hackers access Apple server with small amount of survey data

Posted:
in General Discussion edited January 2014
A group of hackers this weekend posted a list of 27 usernames and passwords culled from surveys hosted on an Apple Business Intelligence website.



The group of hackers known as "AntiSec" were responsible for the alleged security breach and posting of usernames and passwords, according to The Wall Street Journal. The data was posted over the weekend on the official Twitter account of the group, which is comprised of members of the vigilante group "Anonymous" as well as hackers from the defunct "Lulz Security."



The data released by the group includes 27 usernames and encrypted passwords taken from an SQL database from an online survey hosted by Apple. The security breach does not involve Apple's popular iTunes Store or the 225 million accounts and credit cards associated with it.



"#Apple could be target, too," the group wrote on its Twitter account on Sunday, along with a link to the short list of usernames and passwords. "But don't worry, we are busy elsewhere."



A number of high-profile companies have recently been the target of groups like "AntiSec" and "LulzSec." Most prominently, Sony was forced to take its PlayStation Network offline for a lengthy period of time after hackers breached its servers and obtained data including usernames, passwords, names, addresses, and potentially even credit card data.







Other victims of "LulzSec" include the FBI, the CIA, AT&T, and the Arizona Department of Public Safety. The group of loosely associated hackers claimed to have disbanded last month, though other operations like "AntiSec" have picked up where they left off.



Apple bolstered the security of its "Apple ID" accounts associated with iTunes and App Store purchases last year after its online forums were hacked. iTunes accounts have also been targeted for fraud, though a large-scale breach of usernames and passwords similar to Sony's PSN woes has never occurred.

Comments

  • Reply 1 of 73
    irnchrizirnchriz Posts: 1,616member
    Were these details actually stored by Apple? Normally Apple employ the services of a 3rd party to carry out online surveys etc.
  • Reply 2 of 73
    lkrupplkrupp Posts: 10,557member
    Until Apple confirms the hack I will consider this merely bragging by the script kiddie group. If the report turns out to be true, including the number of reported usernames and passwords, then is this really news worthy? Unfortunately, because it is Apple, this will be plastered all over the internet. We will see dozens of hit pieces raking Apple over the coals, advising people to dump Apple products, analyzing Apple's failure to protect its customers, predicting that iCloud will fail because of this incident. Of course the usual suspects who troll Apple centric forums will have a field day.



    Have I missed anything in my predicted responses?
  • Reply 3 of 73
    charlitunacharlituna Posts: 7,217member
    Quote:
    Originally Posted by irnchriz View Post


    Were these details actually stored by Apple? Normally Apple emily the services of a 3rd party to carry out online surveys etc.





    That's what I was wondering. Was this really an Apple breach or that of a company that was doing something for Apple?





    Quote:
    Originally Posted by lkrupp View Post


    Until Apple confirms the hack I will consider this merely bragging by the script kiddie group. If the report turns out to be true, including the number of reported usernames and passwords, then is this really news worthy? Unfortunately, because it is Apple, this will be plastered all over the internet. We will see dozens of hit pieces raking Apple over the coals, advising people to dump Apple products, analyzing Apple's failure to protect its customers, predicting that iCloud will fail because of this incident. Of course the usual suspects who troll Apple centric forums will have a field day.



    Have I missed anything in my predicted responses?



    Other than the detail that it is just as likely to happen without any details just like with the whole location fuss, the iPhone 4 antenna flaw, the FCPX is utter crap and 'everyone' says so etc.
  • Reply 4 of 73
    asciiascii Posts: 5,936member
    Quote:
    Originally Posted by lkrupp View Post


    Have I missed anything in my predicted responses?



    People who hear the shrillness could start taking their credit card details out of iTunes, which would be a disaster for Apple. Obviously this was a separate system, but you can't expect a layman to make such distinctions.
  • Reply 5 of 73
    nobodyynobodyy Posts: 377member
    Quote:
    Originally Posted by irnchriz View Post


    Were these details actually stored by Apple? Normally Apple emily the services of a 3rd party to carry out online surveys etc.



    This was also my first thought.



    Quote:

    The data released by the group includes 27 usernames and encrypted passwords



    This caught my eye; the fact that they pulled encrypted passwords means nothing. Passwords stored in databases SHOULD be encrypted so if they are stolen (like in this case) they are useless. Trying to log in with an encrypted password would cause re-encryption of the user-entered password, thus breaking it rendering the stolen information useless. If other sensitive data is stolen (CCs, addresses, phone numbers), however, that would be a big deal.
  • Reply 6 of 73
    radjinradjin Posts: 165member
    Quote:
    Originally Posted by Nobodyy View Post


    This was also my first thought.







    This caught my eye; the fact that they pulled encrypted passwords means nothing. Passwords stored in databases SHOULD be encrypted so if they are stolen (like in this case) they are useless. Trying to log in with an encrypted password would cause re-encryption of the user-entered password, thus breaking it rendering the stolen information useless. If other sensitive data is stolen (CCs, addresses, phone numbers), however, that would be a big deal.



    Looks to all be the system user names, not usually encrypted, but everything else is. So not much of a story.
  • Reply 7 of 73
    drdoppiodrdoppio Posts: 1,132member
    Quote:
    Originally Posted by irnchriz View Post


    ...Normally Apple emily the services ...



    uhh... what?
  • Reply 8 of 73
    jacobo007jacobo007 Posts: 33member
    Quote:
    Originally Posted by DrDoppio View Post


    uhh... what?



    He said Apple emily the services....
  • Reply 9 of 73
    drdoppiodrdoppio Posts: 1,132member
    Quote:
    Originally Posted by jacobo007 View Post


    He said Apple emily the services....



    Thanks, that makes sense.









    NOT!
  • Reply 10 of 73
    richlrichl Posts: 2,213member
    Quote:
    Originally Posted by DrDoppio View Post


    Thanks, that makes sense.



    I believe that irnchriz meant to say that Apple elizabeth the services. An easy mistake to make.
  • Reply 11 of 73
    asciiascii Posts: 5,936member
    Quote:
    Originally Posted by DrDoppio View Post


    NOT!



    employ?
  • Reply 12 of 73
    lkrupplkrupp Posts: 10,557member
    Quote:
    Originally Posted by lkrupp View Post


    Until Apple confirms the hack I will consider this merely bragging by the script kiddie group. If the report turns out to be true, including the number of reported usernames and passwords, then is this really news worthy? Unfortunately, because it is Apple, this will be plastered all over the internet. We will see dozens of hit pieces raking Apple over the coals, advising people to dump Apple products, analyzing Apple's failure to protect its customers, predicting that iCloud will fail because of this incident. Of course the usual suspects who troll Apple centric forums will have a field day.



    Have I missed anything in my predicted responses?



    Sorry to quote myself but it's already happening. This title from MacSurfer a few minutes ago...



    "Move Over, Sony. Now Hackers Are Attacking Apple. iCloud Beware?"



    All so very predictable in the age of Apple dominance. The hate never lets up for a second.
  • Reply 13 of 73
    jragostajragosta Posts: 10,473member
    Quote:
    Originally Posted by lkrupp View Post


    Until Apple confirms the hack I will consider this merely bragging by the script kiddie group. If the report turns out to be true........



    If it DOES turn out to be true, I recommend the death penalty. Or at least life imprisonment.



    We need to get serious about security in this country. While strengthening servers is important, it's equally important to go after the criminals who are stealing information and hacking others' servers. There's really no major consequence to this type of criminal activity, so people continue to do it.



    And, yes, I'm well aware that much of the hacker activity is done overseas. We have treaties in place with most countries to cover that - if we'd have the guts to push them to enforce the rules.
  • Reply 14 of 73
    macrulezmacrulez Posts: 2,455member
    deleted
  • Reply 15 of 73
    macrulezmacrulez Posts: 2,455member
    deleted
  • Reply 16 of 73
    drdoppiodrdoppio Posts: 1,132member
    Quote:
    Originally Posted by RichL View Post


    I believe that irnchriz meant to say that Apple elizabeth the services. An easy mistake to make.



    Riiight. I got confused for a monica there.





    Quote:
    Originally Posted by ascii View Post


    employ?



    Whom, irnchriz? Not before (s)he learns to spell correctly...
  • Reply 17 of 73
    drdoppiodrdoppio Posts: 1,132member
    Quote:
    Originally Posted by jragosta View Post


    ... if we'd have the guts to push them to enforce the rules.



    Well, we don't. But thanks for reminding us of this today
  • Reply 18 of 73
    cowhidecowhide Posts: 49member
    If the group could have gotten more data, they would have.



    I dare them to do more.
  • Reply 19 of 73
    These usernames are those users authorised to connect to the MySQL database on the relevant server.



    Whilst information like this being public is NEVER a good idea, there are several factors that lower the "defcon" level here:
    • The passwords are indeed encrypted and would require a bruteforce attack to decode.

    • The database server may (and should) be behind a firewall limiting access to trusted IP addresses (or better yet over a VPN or local subnet). If so, knowing the usernames is useless without first gaining access to a trusted machine.

    • MySQL usernames are associated with a host (IP address). If the DBA has been smart then these will be very restrictive which leaves the attacker with the same problem as the firewall does - they first need to compromise a trusted IP.

    • The database in question is apparently on a box used for carrying out surveys. Hopefully such a database will only have anonymous statistical data and nothing juicy like e-mail addresses, credit card details, etc.

    So we don't know how significant this leak actually is. The information may well be useless.



    It does however demonstrate that the attacker probably had free rein to download from and *possibly* modify whatever information they liked on the database. If further security details could be gleaned then they might have been able to penetrate the system further.



    What would most concern me would be if the attacker were able to modify the mysql.user table from which these usernames were lifted. If that were the case then they could create their own user account and if there isn't restriction on which IP addresses can connect to the MySQL server then they could connect to it using a proper database program and have very convenient access to the whole database. Again however, if the database didn't contain any specific information relating to individual people (which is possible - the only survey I ever filled out for Apple didn't ask me anything personal) then it's probably no big deal.



    On the flip side, the DBA and/or programmers who maintain the system probably need to have a serious look at their security precautions. It looks like:
    • The interface used by the attacker to access the database (probably a website) wasn't equipped to handle "SQL injection" attacks. All programmers should "program defensively" but many don't.

    • The user account restrictions in MySQL were way too lax. The user account used by the compromised program (again, probably the survey website) should never have been granted enough rights that it could list the contents of tables in the "mysql" database. Any system that public should have only the minimum rights that it needs to perform its function, nothing more.

    Anyway, I suspect that Apple will probably be doing some wrist slapping. I note that the server in question appears to be offline.



    Incidentally, the IP address of the compromised server is on one of Apple's subnets. It's either one of their own servers, or if it belongs to a third party supplier it would appear that Apple are hosting the server on their own network.
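
The account restrictions discussed in Reply 19, as an added MySQL example that is not part of the original post or taken from the server in the article. The schema `survey`, its tables, the account `survey_web`, the address `10.0.5.20` and the password placeholder are all assumptions made for illustration.

```sql
-- Constructed schema standing in for a survey application (assumption).
CREATE DATABASE survey;
CREATE TABLE survey.questions (id INT PRIMARY KEY, body TEXT);
CREATE TABLE survey.responses (
  id INT AUTO_INCREMENT PRIMARY KEY,
  question_id INT NOT NULL,
  answer TEXT
);

-- Weak setup: the web account connects from any host and holds global
-- rights, so any query running as it can also read mysql.user.
CREATE USER 'survey_web'@'%' IDENTIFIED BY 'REPLACE_ME';
GRANT ALL PRIVILEGES ON *.* TO 'survey_web'@'%';

-- Corrected setup: bind the account to the web server's address and
-- grant only what the survey pages need. As this account,
-- SELECT ... FROM mysql.user is refused.
DROP USER 'survey_web'@'%';
CREATE USER 'survey_web'@'10.0.5.20' IDENTIFIED BY 'REPLACE_ME';
GRANT SELECT ON survey.questions TO 'survey_web'@'10.0.5.20';
GRANT INSERT ON survey.responses TO 'survey_web'@'10.0.5.20';
SHOW GRANTS FOR 'survey_web'@'10.0.5.20';

-- Audit, run as an administrator.
-- 1. Accounts that accept connections from any host.
SELECT User, Host FROM mysql.user WHERE Host IN ('%', '');

-- 2. Accounts with global read or administrative rights.
SELECT User, Host FROM mysql.user
WHERE Select_priv = 'Y' OR Grant_priv = 'Y'
   OR Super_priv = 'Y' OR File_priv = 'Y';

-- 3. Accounts holding database-level rights on the mysql system schema.
SELECT User, Host FROM mysql.db WHERE Db = 'mysql';

-- Defensive programming on the application side: user input is bound as
-- a parameter, so a quote in the answer stays data and never becomes SQL.
PREPARE save_answer FROM
  'INSERT INTO survey.responses (question_id, answer) VALUES (?, ?)';
SET @qid = 1, @answer = 'it''s fine';
EXECUTE save_answer USING @qid, @answer;
DEALLOCATE PREPARE save_answer;
```

Rows returned by audit queries 1 to 3 for an application account are the ones to review first.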
  • Reply 20 of 73
    solipsismsolipsism Posts: 25,726member
    If not for this being a holiday in the US I bet this would have gotten more coverage than the Sony hacking. The week's still young.