Free Republic


Hackers claim Apple security breach
Fort Worth Times ^ | July 4, 2011 | By Joseph Menn in San Francisco and Maija Palmer in London

Posted on 07/04/2011 2:36:05 PM PDT by Swordmaker


A hacking group has claimed it breached corporate security at Apple and has published what it said were two dozen administrator names and apparently encrypted passwords for a server at the US technology group.

The data was not linked to the more than 200m customer credit cards stored on the iTunes online store. The server collected survey information and therefore might have only limited use for criminals. (At least this story got it right. The breach was actually an easy thing to do in SQL and the user names and passwords applied only to the SQL database of answers to a survey involving non-secure data. See the first comment for a clarification story.—Swordmaker)

Nonetheless, the breach showed that a recent wave of cyberattacks designed in part to embarrass big companies would continue, even without Lulz Security, the pioneering group that drew wide attention for a similar, 50-day spree.

A potential Apple breach was publicised through a Twitter message from AnonymousIRC, one of many accounts associated with the cyberactivist collective Anonymous.

“Apple could be targeted, too. But don’t worry, we are busy elsewhere”, the Anonymous account wrote on Twitter.

(Excerpt) Read more at ft.com ...


TOPICS: Business/Economy; Computers/Internet; Conspiracy

Hackers target Apple -- not!

By July 4, 2011: 8:29 AM ET

The vulnerability of 225 million iTunes credit card accounts has been grossly exaggerated

Source: Engadget

The headlines over the July 4th weekend were pretty scary.

Coming less than a month after Steve Jobs unveiled Apple's (AAPL) iCloud project, the reports had a predictably unsettling effect.

"WOW," wrote The Ravenette on the Huffington Post's comment stream. "I guess we cant trust the Apple Cloud to securely contain all of our most important data. ... Hey if you all give me your credit card numbers and pin numbers I will keep them safe by painting them on a wall in Time Square."

In fact, the security of Apple's iTunes database is the envy of many an organization (e.g. Sony, the CIA, the U.S. Senate and the Arizona Department of Public Safety) that has felt the sting of Anonymous, Lulz Security and AntiSec (the splinter group that claimed responsibility for Sunday's prank). In eight years of operation, there has yet to be a credible claim of data hacking into iTunes or the Apple Store.

What happened over the weekend was certainly not that, as the Twitter message that announced it made clear:

Source: 9to5Mac

"Not being so serious, but well," the message posted by @AnonymousIRC read. "Apple could be target, too. But don't worry, we are busy elsewhere."

The Tweet pointed readers to a page on PasteBin where the fruits of such exploits are often posted. It contains what appears to be a list of 27 user names and encrypted passwords from an SQL database for an online survey -- since taken offline -- at the Apple Business Intelligence website.

Unless adequately protected, SQL databases are famously vulnerable to SQL injection attacks -- one of the top 10 known vulnerabilities of Web applications, according to the Open Web Application Security Project. Presumably, Apple knows better than to leave the databases holding those 225 million iTunes one-click credit cards open to SQL injections.

Below: The file that got posted on PasteBin.

SITE: http://abs.apple.com:8080/ssurvey/survey?id=

db: mysql table: users

[27 entries]
+---------------+
| User |
+---------------+
| admin |
| backup |
| bnewcomb |
| bulkmail |
| leung |
| masuo |
| myapp |
| process_super |
| rlinton |
| sharp |
| survey |
| web_csat |
| spbidb05 |
| status_check |
| survey_slave |
| NULL |
| root |
| NULL |
| admin |
| backup |
| backup_user |
| bnewcomb |
| bulkmail |
| masuo |
| myapp |
| root |
| survey |
+---------------+

+-------------------------------------------+
| Password |
+-------------------------------------------+
| *7AB8AAB1CB14C7997CE400CEA87B443A15FE72E6 |
| NULL |
| NULL |
| NULL |
| *5DDF97914AE903CD933CFA428E6582A214E66339 |
| *5DDF97914AE903CD933CFA428E6582A214E66339 |
| *2447D497B9A6A15F2776055CB2D1E9F86758182F |
| *2447D497B9A6A15F2776055CB2D1E9F86758182F |
| *2447D497B9A6A15F2776055CB2D1E9F86758182F |
| *2447D497B9A6A15F2776055CB2D1E9F86758182F |
| *758A94318E1CCA45D996610F8A97E6BAA48C02FE |
| *758A94318E1CCA45D996610F8A97E6BAA48C02FE |
| 2bbe9f0c59e89c66 |
| *97757F6F08362A7CBA6F30E72EB90A73C79168EE |
| *5B3643923A375B56250D11532289B2675C69AE62 |
| *45930B494440B7335C3F98DB0FD14441166B57BB |
| *FF642075DCA52A257F8DB745546F1E643D0B07DA |
| *FF642075DCA52A257F8DB745546F1E643D0B07DA |
| *35D14C41D95FA9DC79DF22641B7F9F98ECFDA55B |
| *BAFD507E802E9B17D99E22A1360CECD386149822 |
| *7AB8AAB1CB14C7997CE400CEA87B443A15FE72E6 |
| *7AB8AAB1CB14C7997CE400CEA87B443A15FE72E6 |
| *5B202DF112417035DF7A62DDC250A9ADB0F22BDD |
| *8C69224DCDC9A8FB2122952DF5B57A4AB7FE456A |
| *AEEE48760B9DCE2800776CE1FF6915FE91D8C894 |
| *406E480B04BF741F3FB65E0C8976FC856BDBF418 |
| *3D845C052A1D31F3D8D3E864735E84DF3E07C9D0 |
+-------------------------------------------+


1 posted on 07/04/2011 2:36:10 PM PDT by Swordmaker

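The article above names the mechanism (an `?id=` query parameter handed to an SQL database) without showing it. The following Python is an added example, not code from the thread or from the survey application it describes: it builds a constructed in-memory SQLite table standing in for a survey database (the posted server ran MySQL; the parameter-binding principle is identical, only the placeholder syntax differs), shows a string-concatenated lookup beside its parameterized and allow-listed form, and runs a small detector over constructed access-log lines that flags requests whose `id` value is not a plain integer. Table name, rows, client addresses and log lines are all made up.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


# Constructed stand-in for a survey table (made-up rows, not the real schema or data).
def make_survey_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE surveys (id INTEGER PRIMARY KEY, title TEXT, notes TEXT)")
    conn.executemany(
        "INSERT INTO surveys VALUES (?, ?, ?)",
        [
            (1, "Customer satisfaction Q2", "draft"),
            (2, "Store experience", "published"),
            (3, "Product feedback", "internal only"),
        ],
    )
    return conn


def lookup_vulnerable(conn, survey_id):
    """Builds the statement by string concatenation, so the request parameter
    is interpreted as SQL text rather than as a value."""
    sql = "SELECT id, title FROM surveys WHERE id = " + survey_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, survey_id):
    """Binds the value as a parameter: the driver keeps statement and data
    apart, so the input can only ever be compared against the id column."""
    return conn.execute(
        "SELECT id, title FROM surveys WHERE id = ?", (survey_id,)
    ).fetchall()


# Allow-list for the id parameter: a short decimal integer and nothing else.
ID_PATTERN = re.compile(r"^[0-9]{1,9}$")


def lookup_hardened(conn, survey_id):
    """Validates the parameter against the allow-list before it reaches the
    database, then uses the parameterized query. Rejected input never becomes SQL."""
    if not ID_PATTERN.match(survey_id):
        raise ValueError("survey id must be a decimal integer")
    return lookup_parameterized(conn, int(survey_id))


# Constructed web-server access log (Common Log Format); the second request
# carries a URL-encoded non-numeric id value.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jul/2011:10:01:02 +0000] "GET /ssurvey/survey?id=2 HTTP/1.1" 200 512
203.0.113.9 - - [04/Jul/2011:10:01:07 +0000] "GET /ssurvey/survey?id=2%20OR%201%3D1 HTTP/1.1" 200 4096
203.0.113.5 - - [04/Jul/2011:10:02:11 +0000] "GET /ssurvey/survey?id=3 HTTP/1.1" 200 498
"""

LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP')


def suspicious_requests(log_text):
    """Return (client, decoded id value) for every request whose id parameter
    fails the same allow-list the application enforces; useful as a detection
    rule even where the application has already been fixed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, path = m.group(1), m.group(2)
        params = parse_qs(urlsplit(path).query)  # parse_qs also percent-decodes
        for value in params.get("id", []):
            if not ID_PATTERN.match(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    db = make_survey_db()
    print("concatenated, crafted input :", lookup_vulnerable(db, "2 OR 1=1"))
    print("parameterized, crafted input:", lookup_parameterized(db, "2 OR 1=1"))
    print("flagged requests            :", suspicious_requests(SAMPLE_LOG))
```

Run stand-alone it prints all three rows for the concatenated query, an empty result for the parameterized one (SQLite compares the whole string against the integer column and nothing matches), and the single flagged client. The allow-list in front of the bound parameter is the part worth copying: a survey id has a known shape, so anything else can be refused before the database sees it.
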
To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
Hackers claim to have compromised Apple Server... but it is not what the news media is making it out to be... Security of the iTunes database has not been breached! —PING!

Apple iTunes Credit Card security is still safe Ping!

Don't attack people!

Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 07/04/2011 2:44:53 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone. See swordmaker....macbots really do post ga)

To: Swordmaker
Source of "Hackers target Apple -- Not!"—CNN Money
3 posted on 07/04/2011 2:55:22 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone. See swordmaker....macbots really do post ga)

To: Swordmaker

If those are encrypted passwords, there’s another security failure. Three passwords are repeated, two of them repeated twice and one of them is repeated four times. That would mean that the users kept the default password that was assigned to them.

Default passwords are just too easy to guess.


4 posted on 07/04/2011 3:59:28 PM PDT by PastorBooks

To: PastorBooks

No, make that 4 passwords were repeated twice, and one four times.


5 posted on 07/04/2011 4:02:08 PM PDT by PastorBooks

To: Swordmaker
The vulnerability of 225 million iTunes credit card accounts has been grossly exaggerated.

That being said, I had someone in Asia hijack my iTunes account a while back and buy a bunch of virtual poker chips. I no longer tie a credit card to that account. The max I ever keep there at one time is a $25 gift card credit.

6 posted on 07/04/2011 4:02:16 PM PDT by Leroy S. Mort

To: PastorBooks

There’s another way the press usually gets it wrong. Passwords aren’t encrypted, they’re hashed.


7 posted on 07/04/2011 4:27:14 PM PDT by antiRepublicrat

To: antiRepublicrat
> Passwords aren’t encrypted, they’re hashed.

Generally true. But strictly speaking, it depends on whether the cleartext password can be obtained from the other. If so, it was encrypted. If not, it was hashed. Hashing is forward-only, and often adds or discards selected information, while true encryption maintains all original information intact and therefore can be reversed (decrypted).

There's generally no good reason to encrypt passwords; hashing is sufficient since the auth test is usually just a match of the hashed forms.

But hey, Unix crypt(3) is really just a hash, using the supplied password as a 56-bit key to the DES Data Encryption Standard working on a block of all-zeroes. So the naming confusion has a long-standing basis... :)

8 posted on 07/04/2011 4:59:39 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

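Comments 4 and 5 spotted reused passwords by eye, and comments 7 and 8 argue about "hashed" versus "encrypted". Both observations follow from the format of the posted values: the 41-character strings beginning with `*` are MySQL's 4.1-and-later password scheme, `*` followed by the uppercase hex of SHA1(SHA1(password)), with no salt (the lone 16-hex-digit entry is the older pre-4.1 format). The Python below is an added example, not code from the thread or from MySQL: it reproduces that unsalted scheme, runs the duplicate-hash check over a constructed user table (names and passwords made up; one account deliberately has no hash stored, mirroring the NULL rows in the dump), and contrasts it with a salted, iterated PBKDF2 record where equal passwords no longer produce equal stored values and verification is a one-way match rather than a decryption.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def mysql_native_hash(password):
    """MySQL 4.1+ PASSWORD() scheme: '*' followed by the uppercase hex of
    SHA1(SHA1(password)). There is no salt and no per-user input, so the
    same password always yields the same 41-character string."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed user table in the shape of the posted dump (all names and
# passwords made up; three accounts share a password, one has no hash at all).
CONSTRUCTED_USERS = [
    ("alice", mysql_native_hash("changeme")),
    ("bob", mysql_native_hash("changeme")),
    ("carol", mysql_native_hash("s3cr3t-unique")),
    ("dave", mysql_native_hash("changeme")),
    ("erin", None),
]


def find_shared_passwords(user_hashes):
    """Group user names by identical stored hash. Under an unsalted scheme a
    duplicate hash means a duplicate password, which is exactly what can be
    read off a leaked table without recovering a single password."""
    groups = defaultdict(list)
    for user, stored in user_hashes:
        if stored is not None:
            groups[stored].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def make_salted_record(password, iterations=100_000):
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 over a random 16-byte salt.
    Two users with the same password get different records, so a dump no
    longer shows who shares a password, and every guess has to be recomputed
    per user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_record(password, record):
    """Recompute with the stored salt and iteration count and compare in
    constant time. The password is never recovered from the record, only
    matched against it: that is the hashed-not-encrypted distinction."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("unsalted duplicates:", find_shared_passwords(CONSTRUCTED_USERS))
    salted = [(u, make_salted_record("changeme")) for u in ("alice", "bob", "dave")]
    print("salted duplicates  :", find_shared_passwords(salted))
    print("verify alice       :", verify_salted_record("changeme", salted[0][1]))
```

Run stand-alone, the first line lists alice, bob and dave under one hash, the second finds nothing even though the three salted records were made from the same password, and the third shows the match still succeeds. The salt is what removes the information leak the thread noticed; the iteration count is what slows down guessing against each record.
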
To: Swordmaker
> The vulnerability of 225 million iTunes credit card accounts has been grossly exaggerated

Sure, but the purpose has been served:

Get "Apple" and "Security Breach" into the same headline! Page hits! Page hits!
Tech news writers are whores. Even the ones I like, that I agree with, are whores.

ANYTHING to get that headline with "Apple" in it. ANYTHING.

9 posted on 07/04/2011 5:03:19 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: Swordmaker

What does this rag have to do with Fort Worth?


10 posted on 07/04/2011 7:46:14 PM PDT by Deaf Smith (I spent all my money on women & booze, the other rest I just plain blew.)

To: Deaf Smith

It isn’t. The site where I found it linked it as that, but it’s the Financial Times.


11 posted on 07/05/2011 7:51:03 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone. See swordmaker....macbots really do post ga)

