Apple Employees Hacked By Visiting iPhoneDevSDK

[Fatalbert]

Quote:

Originally Posted by macsrcool1234

Couldn't agree more. After banning all ips originating from that area, our hacking attempts were reduced by more than 50%.

As far as the internet is concerned, nothing good comes out of China.

China as well as other countries are blocked by the htaccess file for my web server, but I haven't bothered trying to figure out how to block the China IP range from all ports since it's a semi-personal computer.

----------

Quote:

Originally Posted by coolfactor

This is an example of the prevalence of cheap hosting and open web frameworks. Overconfidence by do-it-yourself website creators that think that they've got it good, but fail to take all of the proper measures to secure their sites.

Hmm, I wonder how secure my site is. It's basically set up by the Mac OS X Server wizard.

[Peace]

Quote:

Originally Posted by coolfactor

This is an example of the prevalence of cheap hosting and open web frameworks. Overconfidence by do-it-yourself website creators that think that they've got it good, but fail to take all of the proper measures to secure their sites.

It's also an example of Apple's need to reign in both employees and access to beta builds.

[Fatalbert]

Quote:

Originally Posted by Renzatic

If that's true, how is this any worse than all the other millions of hacks, keyloggers, virii, and malware exploits we've been facing down for the past 20 odd years?

The plural form of "virus" when using Latin declension is "viri", but since you're comparing it to "this", it should be the ablative plural "viribus". Or just say viruses

On topic, you are totally right. In fact, the only connections I have ever gotten from China have been malicious. But I'm sure conspiracy theorists will jump on this now. It should be a feature in all American routers that you can enable: ban all of eastern Asia except Japan.

[Rudy69]

Quote:

Originally Posted by Tankmaze

Iphonedevsdk always had trouble in the past. From the malware warning, hacked site (down) and now this.

Maybe all the members can migrate here. The discussion on that site is gold.

I think what brings developers to the site is:
1. Community of mostly developers or people involved in selling apps
2. Away from the general public (mostly, the site is not private or anything but very few ventures there)

[Renzatic]

Quote:

Originally Posted by Fatalbert

The plural form of "virus" when using Latin declension is "viri", but since you're comparing it to "this", it should be the ablative plural "viribus". Or just say viruses

...viriur..variiur...vuhrus...bugs.

Quote:

On topic, you are totally right. In fact, the only connections I have ever gotten from China have been malicious. But I'm sure conspiracy theorists will jump on this now. It should be a feature in all American routers that you can enable: ban all of eastern Asia except Japan.

The problem with that is it's only a temporary solution. If we all started blocking every unknown Chinese IP address, there'd be about a week or two respite before all the big hackers start using proxies to do the exact same thing.

Really, there's no way around it except constant vigilance. Sucks, but that's the only surefire method you've got.

[Robert.Walter]

I removed java from my Macs some time ago.

I checked for updates via the Mac App Store button, and the system said that no updates were available.

Question: Does this latest update require Java to be installed to run the associated anti-malware patch? And if Java is not installed, will the update fail to be required such that the patch will also not be run?

Question 2: Is it possible that I have enabled some setting that allowed the anti-malware patch to be run but without notification?

Thanks to the community for any answers.

[haruhiko]

Of course there have been a lot of hacking from Chinese IPs but I think the media exaggerated a bit. I don't think they have military origin. If it's military grade, first it may not have left a trace, and also they can route through infected computers in other countries to achieve the same effect. So banning Chinese IPs doesn't really help if you think your computer has sensitive data that's valuable to the Chinese military.

Anyway, the culprit here is Java. Disabling it (and Flash) from your browser helps reduce most potential malware problems.

[GoldenJoe]

The malware warning has always kept me away from that site. Stackoverflow works just fine.

[Renzatic]

Quote:

Originally Posted by haruhiko

Of course there have been a lot of hacking from Chinese IPs but I think the media exaggerated a bit. I don't think they have military origin. If it's military grade, first it may not have left a trace, and also they can route through infected computers in other countries to achieve the same effect. So banning Chinese IPs doesn't really help if you think your computer has sensitive data that's valuable to the Chinese military.

In this situation, no. The People's Army probably has a decent enough porn...er poetry stash of their own, so I doubt they'll have any reason to go rooting through yours. It's likely a bunch of East Asian kids having fun at your expense.

But considering the story that broke earlier today, the Chinese military has been involved with some fairly heavy hacking and espionage recently. It's hardly overblown.

[ilmman]

Oh man I visit that site regularly, Don't know if I should be concerned at all, or whether I should be concerned about my developer accounts being at risk (as these accounts are responsible for making me never to work at a 9-5 job again).

So it seems apple employees visited that site as well..

[Four oF NINE]

And yet again, Java appears to be the weak point, security wise.

What is WRONG with these people? Does anyone there know how to play this game?

[Fatalbert]

Quote:

Originally Posted by Renzatic

The problem with that is it's only a temporary solution. If we all started blocking every unknown Chinese IP address, there'd be about a week or two respite before all the big hackers start using proxies to do the exact same thing.

Really, there's no way around it except constant vigilance. Sucks, but that's the only surefire method you've got.

Sure they can use proxies, but at least it would be more difficult for them to get away with it. Of course, this would be much better if only a few of us had it.

[york2600]

The site runs on Vanilla Forums so it was probably this last vulnerability here unless they managed to get someones credentials by other means

http://www.cvedetails.com/vulnerabil...la-Forums.html

[Tech198]

i dare anyone on this forum to go there ,, and don't cheat with a Windows PC.

Quote:

Originally Posted by Four oF NINE

And yet again, Java appears to be the weak point, security wise.

What is WRONG with these people? Does anyone there know how to play this game?

I guess not.. Maybe a new game should be in order.. One they CAN play

[nagromme]

Quote:

Originally Posted by fins831

Call me crazy, but this along with the chinese 'supposed' hackings, all while the government is getting ready to make another cyber legislation push....this is all TOO PERFECT.

the timing of everything is so suspect. Maybe I am trying to read between the lines but if they want to take away our rights on the internet, the first thing they have to do is scare us enough to allow us to waive them, raise the white flag.

If the Chinese hacks are "supposed" and not real, and the US government is behind a massive hoax, then they got Facebook, Apple, the New York Times and many others to cooperate in the hoax. All for an effect that has nothing to do with taking away privacy, and affects very few users. How would all those parties get together to create such AMAZING technical detail, and why would the bother and then have the threat be so trivial it goes right over most peoples' heads? How would this Chinese hack news derail all the opposition to bad Internet legislation? It wouldn't.

Rule of thumb for conspiracies: if it requires HUGE numbers of people to keep a secret, it's probably just your paranoia.

[Kashsystems]

Quote:

Originally Posted by Peace

Oh. I agree. I was commenting on the state of relationships between Apple and developers.

It's sad that developers have to go to a 3rd party website for collaboration instead of Apple's official Dev portal.

[edit]

I might add this is going to cause some bad blood between Apple and the devs that go to the other website. Perhaps it will shake things up a bit.

[/edit]

It is not even about that. I do not know about now, but starting out, iphonedev website was one of the biggest resources of learning iPhone programming. Especially before they even started calling it IOS.

There are a few forums including this one that has a developer discussion center. To tell you the truth I like the approach of this one better because a lot of developers push away from hand holding.

Also personally I think the Apple discussion board is just one hot sick mess of ugliness.

[WestonHarvey1]

Something sinister is going on at iPhoneDevSDK. That or total incompetence. The last time they shut it down for malware and came back with the new system, the sysop claimed it was vBulletin's fault and that vBulletin is impossible to secure. Then why doesn't MacRumors have these problems? Well we know that's a load of BS now anyway.

[Peace]

Quote:

Originally Posted by Kashsystems

It is not even about that. I do not know about now, but starting out, iphonedev website was one of the biggest resources of learning iPhone programming. Especially before they even started calling it IOS.

There are a few forums including this one that has a developer discussion center. To tell you the truth I like the approach of this one better because a lot of developers push away from hand holding.

Also personally I think the Apple discussion board is just one hot sick mess of ugliness.

Your statement proves my point. Not that I disagree or anything.

Developers should be able to go to a discussion forum and interact with Apple engineers. Unfortunately it's obviously not any forum run by Apple.

This is Apples fault. Hopefully they will get a clue soon.

[charlituna]

Quote:

Originally Posted by sparkso

What were the impact of the hackings though? What did the hackers do to those employees computers?

Little to nothing it seems. According to Apple no sensitive info got out. The machines could have been personal machines that happens to be owned by employees. Who knows. Other than it requires Java so its not really all that of a Mac hack and its already been fixed

[Amazing Iceman]

Quote:

Originally Posted by charlituna

Little to nothing it seems. According to Apple no sensitive info got out. The machines could have been personal machines that happens to be owned by employees. Who knows. Other than it requires Java so its not really all that of a Mac hack and its already been fixed

Yeah, but lately, the weak point has been either Java or Flash, being the first one the most common nowadays. It may be time to ditch JAVA, and get over with this nonsense. It has had too many security flaws, and nothing can assure us there are no more to be discovered.

[TouchMint.com]

Quote:

Originally Posted by Tech198

i dare anyone on this forum to go there ,, and don't cheat with a Windows PC.



I guess not.. Maybe a new game should be in order.. One they CAN play

I go to that site everyday im surprised one of my topics wasn't on the screenshots lol.

I take it this malware does not effect windows? a win for 7 and ie 9? lol

[SockRolid]

Quote:

Originally Posted by MacRumors

The compromised site, iPhoneDevSDK, is an online forum designed for software developers. The site is still infected, and visiting it is not recommended.

Oops. I've visited that site more than once in the past year or so.
So I launched Utilities -> Java Preferences, and saw an alert saying "To open Java Preferences, you need a Java Runtime. Would you like to install one now?"

Um, no. Done. With. Java.

[whooleytoo]

Quote:

Originally Posted by maxosx

The amount of breaches no matter the platform is truly getting out of control. It's time for increased focus by all in the tech sector to improve security.

The problem is complexity. As complexity grows, the difficulty in securing a system grows. Then you have to factor every app/plugin/extension you install could introduce a security flaw, or even an individual version of an app could introduce a flaw and you can't possibly test every single one.

Fixing security is a colossal task.

----------

Quote:

Originally Posted by SockRolid

Oops. I've visited that site more than once in the past year or so.
So I launched Utilities -> Java Preferences, and saw an alert saying "To open Java Preferences, you need a Java Runtime. Would you like to install one now?"

Um, no. Done. With. Java.

Safari has had 'drive by' vulnerabilities too which have been fixed; do you still occasionally use Safari?

My point is - people are more willing to forgive security vulnerabilities in software they use/like than in software they don't. People who have forgotten about Safari's flaws will slam Java, not because it's insecure but because they didn't use/like it in the first place.

[Reason077]

Quote:

Originally Posted by coolfactor

This is an example of the prevalence of cheap hosting and open web frameworks. Overconfidence by do-it-yourself website creators that think that they've got it good, but fail to take all of the proper measures to secure their sites.

Actually, iphonedevsdk.com is hosted by Vanilla forums, a "cloud" provider of community forums which ought to be pretty secure and well-maintained.

Apparantely the hackers somehow obtained an admin password to iphonedevsdk's account on Vanilla, and used that to add malicious code to the site.

[Mr.damien]

Java: Implement once, bug everywhere.

----------

Quote:

Originally Posted by whooleytoo

My point is - people are more willing to forgive security vulnerabilities in software they use/like than in software they don't. People who have forgotten about Safari's flaws will slam Java, not because it's insecure but because they didn't use/like it in the first place.

And your point is wrong. Java is a world record security hole ****.

No one can beat them lately as it's so full of it. Even Oracle said it would took 2 years to secure it.

The only worst thing in computer history was Microsoft ActiveX. Flash, is just behind them.