Kevin Haley says he has no intentions of ever becoming a hacker, but if he did, there’s no question in his mind who would make the best possible target.
“I’d love going after Mac users because they have this sense they can’t possibly get attacked,” the director of Symantec Security Response says. “If you’re looking for a group that has its guard down, that’s the one.”
Maybe not anymore. On Tuesday Apple reported a security breach of employee laptops that may have spread to other Mac-based systems far beyond the tech giant’s headquarters. Though no data was reported lost, experts like Haley suspect the same culprit might be behind the hacker attack on Facebook last week. Worse still, the technique that may have been used in the attack suggests far greater sophistication on the part of the bad guys, and increased difficulty for those who want to avoid being hacked.
It’s possible that both Facebook and Apple employees had visited a website related to mobile application development which contained a piece of dangerous software or “malware” that infected their computers. If that’s true, it’s an example of what Haley and others call a “watering hole” attack. Rather than targeting individual users with an email that links to the malware, which has been the more common approach by cybercriminals, the watering hole method simply looks for places where the intended victims are likely to congregate.
“This is a specific website that caters to a specific type of person,” he says. “It’s possible they weren’t going after all the users, but going after particular ones. That they got some additional people may not have been the point.”
This is scary because it suggests the hackers are doing some background research on the demographics of their target first. It also suggests that the Mac machines used by both Apple and Facebook employees may not represent the digital Fort Knox many in the IT industry long believed them to be.
Scott Crawford, managing research director of security and risk management at Enterprise Management Associates in Boulder, Colo., says that until recently, the confidence among Mac users wasn’t necessarily misplaced.
“A Mac tends to be more holistic (from a security perspective) because the software on it was written specifically for that piece of hardware,” he says, whereas Windows was designed to run on all kinds of computers. “There is conceptually a greater barrier to malware.”
In this case, however, the hackers used a venue that is open to any computing platform: the browser. The malware also focused on a potential security hole in a piece of software called Java, which is common not only to Apple but to all kinds of systems, Crawford pointed out. “When something like Java is so ubiquitous and so widely adopted, keeping up with the security vulnerabilities is more demanding,” he says.
While watering hole attacks aren’t as easy to avoid as e-mail-based ones, Haley suggests keeping a level head. There’s a difference between going after an Apple or a Facebook and going after the average user.
“Most people aren’t even being targeted for this. If you’re not doing development on a mobile phone, if you don’t visit that website, you’re not at risk,” he says. And besides, “If we’ve forced these guys to come up with a new way, then I think all the talking we’ve been doing about avoiding suspicious e-mails and the like has had some success.”