
Hackers access Apple server with small amount of survey data

post #1 of 74
Thread Starter 
A group of hackers this weekend posted a list of 27 usernames and passwords culled from surveys hosted on an Apple Business Intelligence website.

The group of hackers known as "AntiSec" were responsible for the alleged security breach and posting of usernames and passwords, according to The Wall Street Journal. The data was posted over the weekend on the official Twitter account of the group, which is comprised of members of the vigilante group "Anonymous" as well as hackers from the defunct "Lulz Security."

The data released by the group includes 27 usernames and encrypted passwords taken from an SQL database from an online survey hosted by Apple. The security breach does not involve Apple's popular iTunes Store or the 225 million accounts and credit cards associated with it.

"#Apple could be target, too," the group wrote on its Twitter account on Sunday, along with a link to the short list of usernames and passwords. "But don't worry, we are busy elsewhere."

A number of high-profile companies have recently been the target of groups like "AntiSec" and "LulzSec." Most prominently, Sony was forced to take its PlayStation Network offline for a lengthy period of time after hackers breached its servers and obtained data including usernames, passwords, names, addresses, and potentially even credit card data.



Other victims of "LulzSec" include the FBI, the CIA, AT&T, and the Arizona Department of Public Safety. The group of loosely associated hackers claimed to have disbanded last month, though other operations like "AntiSec" have picked up where they left off.

Apple bolstered the security of its "Apple ID" accounts associated with iTunes and App Store purchases last year after its online forums were hacked. iTunes accounts have also been targeted for fraud, though a large-scale breach of usernames and passwords similar to Sony's PSN woes has never occurred.
post #2 of 74
Quote:
Originally Posted by AppleInsider View Post

A group of hackers this weekend posted a list of 27 usernames and passwords culled from surveys hosted on an Apple Business Intelligence website.

The group of hackers known as "AntiSec" were responsible for the alleged security breach and posting of usernames and passwords, according to The Wall Street Journal. The data was posted over the weekend on the official Twitter account of the group, which is comprised of members of the vigilante group "Anonymous" as well as hackers from the defunct "Lulz Security."

The data released by the group includes 27 usernames and encrypted passwords taken from an SQL database from an online survey hosted by Apple. The security breach does not involve Apple's popular iTunes Store or the 225 million accounts and credit cards associated with it.

"#Apple could be target, too," the group wrote on its Twitter account on Sunday, along with a link to the short list of usernames and passwords. "But don't worry, we are busy elsewhere."

A number of high-profile companies have recently been the target of groups like "AntiSec" and "LulzSec." Most prominently, Sony was forced to take its PlayStation Network offline for a lengthy period of time after hackers breached its servers and obtained data including usernames, passwords, names, addresses, and potentially even credit card data.



Other victims of "LulzSec" include the FBI, the CIA, AT&T, and the Arizona Department of Public Safety. The group of loosely associated hackers claimed to have disbanded last month, though other operations like "AntiSec" have picked up where they left off.

Apple bolstered the security of its "Apple ID" accounts associated with iTunes and App Store purchases last year after its online forums were hacked. iTunes accounts have also been targeted for fraud, though a large-scale breach of usernames and passwords similar to Sony's PSN woes has never occurred.

Were these details actually stored by Apple? Normally Apple employ the services of a 3rd party to carry out online surveys etc.
post #3 of 74
Until Apple confirms the hack I will consider this merely bragging by the script kiddie group. If the report turns out to be true, including the number of reported usernames and passwords, then is this really newsworthy? Unfortunately, because it is Apple, this will be plastered all over the internet. We will see dozens of hit pieces raking Apple over the coals, advising people to dump Apple products, analyzing Apple's failure to protect its customers, predicting that iCloud will fail because of this incident. Of course the usual suspects who troll Apple-centric forums will have a field day.

Have I missed anything in my predicted responses?
post #4 of 74
Quote:
Originally Posted by irnchriz View Post

Were these details actually stored by Apple? Normally Apple emily the services of a 3rd party to carry out online surveys etc.


That's what I was wondering. Was this really an Apple breach or that of a company that was doing something for Apple


Quote:
Originally Posted by lkrupp View Post

Until Apple confirms the hack I will consider this merely bragging by the script kiddie group. If the report turns out to be true, including the number of reported usernames and passwords, then is this really newsworthy? Unfortunately, because it is Apple, this will be plastered all over the internet. We will see dozens of hit pieces raking Apple over the coals, advising people to dump Apple products, analyzing Apple's failure to protect its customers, predicting that iCloud will fail because of this incident. Of course the usual suspects who troll Apple-centric forums will have a field day.

Have I missed anything in my predicted responses?

Other than the detail that it is just as likely to happen without any details, just like with the whole location fuss, the iPhone 4 antenna flaw, the "FCPX is utter crap and 'everyone' says so" etc.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #5 of 74
Quote:
Originally Posted by lkrupp View Post

Have I missed anything in my predicted responses?

People who hear the shrillness could start taking their credit card details out of iTunes, which would be a disaster for Apple. Obviously this was a separate system, but you can't expect a layman to make such distinctions.
post #6 of 74
Quote:
Originally Posted by irnchriz View Post

Were these details actually stored by Apple? Normally Apple emily the services of a 3rd party to carry out online surveys etc.

This was also my first thought.

Quote:
The data released by the group includes 27 usernames and encrypted passwords

This caught my eye; the fact that they pulled encrypted passwords means nothing. Passwords stored in databases SHOULD be encrypted so if they are stolen (like in this case) they are useless. Trying to log in with an encrypted password would cause re-encryption of the user-entered password, thus breaking it rendering the stolen information useless. If other sensitive data is stolen (CCs, addresses, phone numbers), however, that would be a big deal.
post #7 of 74
Quote:
Originally Posted by Nobodyy View Post

This was also my first thought.



This caught my eye; the fact that they pulled encrypted passwords means nothing. Passwords stored in databases SHOULD be encrypted so if they are stolen (like in this case) they are useless. Trying to log in with an encrypted password would cause re-encryption of the user-entered password, thus breaking it rendering the stolen information useless. If other sensitive data is stolen (CCs, addresses, phone numbers), however, that would be a big deal.

Looks to all be the system user names, not usually encrypted, but everything else is. So not much of a story.
post #8 of 74
Quote:
Originally Posted by irnchriz View Post

...Normally Apple emily the services ...

uhh... what?
post #9 of 74
Quote:
Originally Posted by DrDoppio View Post

uhh... what?

He said Apple emily the services....
post #10 of 74
Quote:
Originally Posted by jacobo007 View Post

He said Apple emily the services....

Thanks, that makes sense.




NOT!
post #11 of 74
Quote:
Originally Posted by DrDoppio View Post

Thanks, that makes sense.

I believe that irnchriz meant to say that Apple elizabeth the services. An easy mistake to make.
post #12 of 74
Quote:
Originally Posted by DrDoppio View Post

NOT!

employ?
post #13 of 74
Quote:
Originally Posted by lkrupp View Post

Until Apple confirms the hack I will consider this merely bragging by the script kiddie group. If the report turns out to be true, including the number of reported usernames and passwords, then is this really newsworthy? Unfortunately, because it is Apple, this will be plastered all over the internet. We will see dozens of hit pieces raking Apple over the coals, advising people to dump Apple products, analyzing Apple's failure to protect its customers, predicting that iCloud will fail because of this incident. Of course the usual suspects who troll Apple-centric forums will have a field day.

Have I missed anything in my predicted responses?

Sorry to quote myself but it's already happening. This title from MacSurfer a few minutes ago...

"Move Over, Sony. Now Hackers Are Attacking Apple. iCloud Beware?"

All so very predictable in the age of Apple dominance. The hate never lets up for a second.
post #14 of 74
Quote:
Originally Posted by lkrupp View Post

Until Apple confirms the hack I will consider this merely bragging by the script kiddie group. If the report turns out to be true........

If it DOES turn out to be true, I recommend the death penalty. Or at least life imprisonment.

We need to get serious about security in this country. While strengthening servers is important, it's equally important to go after the criminals who are stealing information and hacking others' servers. There's really no major consequence to this type of criminal activity, so people continue to do it.

And, yes, I'm well aware that much of the hacker activity is done overseas. We have treaties in place with most countries to cover that - if we'd have the guts to push them to enforce the rules.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #15 of 74
deleted
post #16 of 74
deleted
post #17 of 74
Quote:
Originally Posted by RichL View Post

I believe that irnchriz meant to say that Apple elizabeth the services. An easy mistake to make.

Riiight. I got confused for a monica there.


Quote:
Originally Posted by ascii View Post

employ?

Whom, irnchriz? Not before (s)he learns to spell correctly...
post #18 of 74
Quote:
Originally Posted by jragosta View Post

... if we'd have the guts to push them to enforce the rules.

Well, we don't. But thanks for reminding us of this today
post #19 of 74
If the group could have gotten more data, they would have.

I dare them to do more.
post #20 of 74
These usernames are those users authorised to connect to the MySQL database on the relevant server.

Whilst information like this being public is NEVER a good idea, there are several factors that lower the "defcon" level here:
  • The passwords are indeed encrypted and would require a brute-force attack to decode.
  • The database server may (and should) be behind a firewall limiting access to trusted IP addresses (or better yet over a VPN or local subnet). If so, knowing the usernames is useless without first gaining access to a trusted machine.
  • MySQL usernames are associated with a host (IP address). If the DBA has been smart then these will be very restrictive, which leaves the attacker with the same problem as the firewall does: they need to first compromise a trusted IP.
  • The database in question is apparently on a box used for carrying out surveys. Hopefully such a database will only have anonymous statistical data and nothing juicy like e-mail addresses, credit card details, etc.

So we don't know how significant this leak actually is. The information may well be useless.

It does however demonstrate that the attacker probably had free rein to download from and *possibly* modify whatever information they liked on the database. If further security details could be gleaned then they might have been able to penetrate the system further.

What would most concern me would be if the attacker were able to modify the mysql.user table from which these usernames were lifted. If that were the case then they could create their own user account, and if there isn't a restriction on which IP addresses can connect to the MySQL server then they could connect to it using a proper database program and have very convenient access to the whole database. Again however, if the database didn't contain any specific information relating to individual people (which is possible; the only survey I ever filled out for Apple didn't ask me anything personal) then it's probably no big deal.

On the flip side, the DBA and/or programmers who maintain the system probably need to have a serious look at their security precautions. It looks like:
  • The interface used by the attacker to access the database (probably a website) wasn't equipped to handle "SQL injection" attacks. All programmers should "program defensively" but many don't.
  • The user account restrictions in MySQL were way too lax. The user account used by the compromised program (again, probably the survey website) should never have been granted enough rights that it could list the contents of tables in the "mysql" database. Any system that public should have only the minimum rights that it needs to perform its function, nothing more.

Anyway, I suspect that Apple will probably be doing some wrist slapping. I note that the server in question appears to be offline.

Incidentally, the IP address of the compromised server is on one of Apple's subnets. It's either one of their own servers, or if it belongs to a third party supplier it would appear that Apple are hosting the server on their own network.
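The two shortcomings the post above lists (an application account holding far more rights than a survey form needs, and accounts reachable from any host) can be audited and corrected from the MySQL console. The following is an added illustration, not anything from the thread or from the server it discusses; the database name `survey`, the accounts `survey_app` and `survey_dba`, and the addresses 10.0.1.20 (web front end) and 10.0.1.5 (DBA workstation) are assumed.

```sql
-- Added example, not from the thread. Assumed names: database `survey`,
-- accounts `survey_app` / `survey_dba`, web front end at 10.0.1.20,
-- DBA workstation at 10.0.1.5.

-- 1. Audit: which accounts may connect from any host?  A '%' (or empty)
--    host column means the firewall is the only thing between the
--    Internet and this account.
SELECT user, host FROM mysql.user WHERE host IN ('%', '');

-- 2. Audit: which accounts hold global privileges?  Global SELECT is
--    enough to read mysql.user, which is how a list of usernames and
--    password hashes ends up in a dump.
SELECT user, host
  FROM mysql.user
 WHERE Select_priv = 'Y' OR Super_priv = 'Y' OR Grant_priv = 'Y';

-- 3. The weak configuration the post describes (shown commented out):
--    the survey site's account can connect from anywhere and do
--    anything, so one injectable query on the form exposes the server.
-- CREATE USER 'survey_app'@'%' IDENTIFIED BY 'change-me';
-- GRANT ALL PRIVILEGES ON *.* TO 'survey_app'@'%';

-- 4. The corrected configuration.  Remove the wildcard-host account
--    entirely rather than just trimming its grants...
DROP USER IF EXISTS 'survey_app'@'%';

--    ...then recreate it bound to the front end's address, with only
--    the statement types a survey form issues and only on the tables
--    it touches.  It cannot see mysql.* at all.
CREATE USER 'survey_app'@'10.0.1.20' IDENTIFIED BY 'change-me';
GRANT SELECT ON survey.questions TO 'survey_app'@'10.0.1.20';
GRANT INSERT ON survey.responses TO 'survey_app'@'10.0.1.20';

--    Administration stays on a separate, equally host-restricted
--    account, so a cracked survey_app hash is useless from anywhere
--    but 10.0.1.20.
CREATE USER 'survey_dba'@'10.0.1.5' IDENTIFIED BY 'change-me-too';
GRANT ALL PRIVILEGES ON survey.* TO 'survey_dba'@'10.0.1.5';

-- 5. Verify: the application account should show exactly the two
--    grants above and nothing ON *.*
SHOW GRANTS FOR 'survey_app'@'10.0.1.20';

-- 6. The "program defensively" half: the form should bind its values
--    instead of splicing them into SQL text.  Server-side prepared
--    statements make the same point; a quote in @answer is data, not
--    syntax.
PREPARE ins FROM
  'INSERT INTO survey.responses (question_id, answer) VALUES (?, ?)';
SET @qid = 3;
SET @answer = 'yes'' OR 1=1 -- ';   -- constructed hostile input
EXECUTE ins USING @qid, @answer;   -- stored verbatim as one answer
DEALLOCATE PREPARE ins;
```

Run the two audit queries as an administrative account; anything they return that is not a deliberately privileged DBA login is a candidate for the same treatment as `survey_app` above.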
post #21 of 74
If not for this being a holiday in the US I bet this would have gotten more coverage than the Sony hacking. The week's still young.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #22 of 74
""es and passwords similar to Sony's PSN woes has never occurred."

has should be that no?
post #23 of 74
Quote:
Originally Posted by MacRulez View Post

Are you being serious on that?

If he's not, I am.
post #24 of 74
Quote:
Originally Posted by AppleInsider View Post

"#Apple could be target, too," the group wrote on its Twitter account on Sunday, along with a link to the short list of usernames and passwords. "But don't worry, we are busy elsewhere."

Translation: We don't have jack squat, and we know it.
post #25 of 74
Quote:
Originally Posted by Wiggin View Post

Translation: We don't have jack squat, and we know it.

Probably, although where there's one sloppy security hole there are bound to be others, waiting to be discovered.
post #26 of 74
Quote:
Originally Posted by DrDoppio View Post

Whom, irnchriz? Not before (s)he learns to spell correctly...

ha ha have you ever tried typing with an iOS device with spelling corruption turned on?

Life is too short to drink bad coffee.

post #27 of 74
Quote:
Originally Posted by ascii View Post

P...... you can't expect a layman to make such distinctions.

Yeah, layman must be an idiot.
post #28 of 74
Quote:
Originally Posted by mstone View Post

ha ha have you ever tried typing with an iOS device with spelling corruption turned on?



Nice.
post #29 of 74
deleted
post #30 of 74
Quote:
Originally Posted by lkrupp View Post

Sorry to quote myself but it's already happening. This title from MacSurfer a few minutes ago...

"Move Over, Sony. Now Hackers Are Attacking Apple. iCloud Beware?"

All so very predictable in the age of Apple dominance. The hate never lets up for a second.

It was to be expected, even for Apple enthusiast sites such as this. It's not hate, simply a way to get eyes on the articles.

With that said, I suspect this particular hacking attempt was more of an attention-getter. If they truly wanted to grab more than they did, I personally have no doubt they could have. I fully expect that if Apple were to piss them off in some way, as Sony did, that Apple would not be able to withstand a first strike either.
melior diabolus quem scies
post #31 of 74
Nah, you're reading into MacSurfer's motives too deeply.

There were no editorial shenanigans on MacSurfer's part. They were simply reblogging another site's headline verbatim, a commonplace occurrence on the Internet. PaidContent.org wrote the headline "Move Over, Sony. Now Hackers Are Attacking Apple. iCloud Beware?", not MacSurfer.

MacSurfer reblogged a number of articles about the same topic, with varied headlines, so it's not like they were taking a particular stance when they reblogged the PaidContent.org item. Many of these sites come up with sensationalist headlines for the pageviews.

Not a big deal.
post #32 of 74
Quote:
Originally Posted by Gatorguy View Post

It was to be expected, even for Apple enthusiast sites such as this. It's not hate, simply a way to get eyes on the articles.

With that said, I suspect this particular hacking attempt was more of an attention-getter. If they truly wanted to grab more than they did, I personally have no doubt they could have. I fully expect that if Apple were to piss them off in some way, as Sony did, that Apple would not be able to withstand a first strike either.

Attention-seeking hackers would grab all the data they could, and that's likely what happened here. They got 27 encrypted passwords. Unless they were polite attention-seeking hackers.
post #33 of 74
When are the FBI and CIA going to take these criminals seriously? These arrogant clowns are doing serious damage to a community built on trust. It's not funny or cute anymore. They hijack merchantmen on the high seas of internet commerce. They are pirates and should be dealt with as such. In the old days pirates were hung. Today they should be hunted down, dragged into court, and given long prison sentences.
A.k.a. AppleHead on other forums.
post #34 of 74
For a good description of what happened, and to see the actual file, see

http://tech.fortune.cnn.com/2011/07/...get-apple-not/
Notice the "NOT!"

BTW anyone know how much compute power is required to crack a unix password encryption code?
post #35 of 74
Oh well, time for Apple to change some passwords.

If AntiSec really were l33t haX0rz they would have gotten Steve Job's password. (Everyone knows his email address already.)

Sent from my iPhone Simulator

post #36 of 74
Quote:
Originally Posted by irnchriz View Post

Normally Apple emily the services...

I think he meant Apple will have Emily conduct the services. She is a 17 year old intern that knows excel pretty well.

TechnoMinds

We are a Montreal based technology company that offers a variety of tech services such as tech support for Apple products, Drupal based website development, computer training and iCloud...

post #37 of 74
Quote:
Originally Posted by jmmx View Post

BTW anyone know how much compute power is required to crack a unix password encryption code?

Well, they're 40-digit hexadecimal strings, so that's 16^40 = 1.46×10^48 possible combinations. If I've worked it out right, that's 14,600,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000. I don't even know the words to describe a number with that many zeros after it.

With a brute force attack even with a shed load of distributed computing power they're gonna be at it for ever.

A better method would be a dictionary attack, which wouldn't take too long if they get lucky.
post #38 of 74
AntiSec isn't a group, it's a movement. Also, LulzSec has been disbanded; it was a mixture of anon and ex-lulz skiddies who use pre-made DDoS and SQLi tools, not real hackers. It's more like: try, and if you are lucky and get something, tweet about it. At least that's what people have been tweeting recently and what proper hacker groups say.
Water cooled QuadCore 16GB 2 x 240GB SSD HackBox | 13" MacBook Air 1.8 GHz Core i5, 8GB RAM, 256GB SSD | 32GB iPhone 4 | PS3 Slim 250GB
post #39 of 74
Quote:
Originally Posted by MacRulez View Post

Are you being serious on that?

Obviously, it was hyperbole.

The point is that we need to start getting serious about enforcing the laws.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #40 of 74
@ "proper hacker groups."

Truly, if the good name of quality hacker groups is going to be tarnished by these ruffians it might be time the government stepped in. We need to protect the rights of proper hackers at all costs! The death penalty for everyone! Burn them alive for the sake of civility! In the name of progress! Rabble rabble!

And inversely...

Kids these days. They buy an iPod and next day are arguing for the merits of a pogrom. It would make more sense to pass a law against resistance than to try to restrict it in all of its forms. Just call it terrorism, that always sells with the "string 'em up" set. I bet if you shackled yourselves it'd save the interests you cater to a moment or two of trouble. My dog expresses a greater independence in his ideologies; he'd rather run off a leash. Too bad you can't say the same.