This month has been a crazy one in online security. There have been attacks on media companies like The New York Times and The Wall Street Journal, originating from China, as well as on Apple and Facebook, originating from Eastern Europe.
Yet it’s really the latter group that shows just how much computer security is becoming an issue that affects absolutely everyone, no matter how tech-savvy you are.
Don’t get me wrong: there will always be criminals hitting large groups of ignorant users to make a quick buck. Pushing malware to huge numbers of people and building botnets to send spam, stealing credit card information, identity theft, and so on is a very profitable business.
At the same time, there will also continue to be specialized attacks against targeted organizations to steal intellectual property, industry secrets, and whatever else can be resold on the black market. This is done by directly hacking computers or more often by sending emails to employees and hoping one of them will open an attachment with a threat that exploits an unpatched flaw. More often than not, curiosity gets the better of one or more employees.
Yet the attack that hit Apple and Facebook was different. A few things had to line up just right, but the way it was pulled off in the end was simply classic.
Introducing the Watering Hole attack
The watering hole attack is not a new concept, but it is definitely one that is being used more and more often. Here’s how it works.
Instead of the attackers hunting their victims, they wait until the victims come to them. First, they identify a website frequented by employees of a targeted organization. They then hack that legitimate site and plant one or more carefully selected exploits on some of its pages. Lastly, they wait in the hopes that one or more employees visit and their computers are compromised.
That may sound a bit haphazard, but if it’s successful, it’s a huge win for the attackers. Without leaving much trace, they suddenly have malware on an employee computer. In the case of Apple and Facebook, there were a few non-essential parts of this attack that fell into place to make it a particular doozy.
First off, the attackers used a Java flaw. Malware writers love exploiting Java because it’s simply more efficient: it allows them to target more than one operating system, more than one browser, and thus more than one type of user. Oh, you’re not using Windows? Doesn’t matter, if you have Java, we’ll get you anyway.
Next, a 0-day Java vulnerability was used. “0-day” or “zero-day” refers to a security hole that has not been publicly disclosed yet, and so doesn’t have a patch available. That means even though Apple and Facebook were running the latest version of Java, they were still vulnerable. Oracle ended up releasing a patch, but by then it was too late.
Last but not least, the “watering hole” in this case was iPhone Dev SDK, a site that didn’t realize it had been hacked. This means the administrators couldn’t fix the problem and warn their users, and so more companies had their computers compromised until one of them raised a red flag.
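The attack described above only works while the planted content goes unnoticed, and the site in this case didn’t know it had been modified. As an added example that is not part of the original post, here is a minimal page-integrity check a site operator could run against their own pages: it records a baseline of the active content on a page (script, iframe, applet, object and embed elements and the hosts they load from) and reports anything new that appears later. The HTML samples, hostnames and file names below are constructed for the example and are not taken from the iPhone Dev SDK site or the real attack.

```python
"""
Added example (not from the original post): a small integrity monitor that
flags newly inserted active content on a web page, the kind of change a
watering hole attacker makes. All sample HTML and hostnames are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that cause the browser to execute or load something.
ACTIVE_TAGS = {"script", "iframe", "applet", "object", "embed"}


class ActiveContentParser(HTMLParser):
    """Collects active-content elements and the location each one loads from."""

    def __init__(self):
        super().__init__()
        self.elements = []  # list of (tag, source_or_None)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        a = dict(attrs)
        # applet/object carry their payload in archive/data rather than src.
        src = a.get("src") or a.get("data") or a.get("archive") or a.get("code")
        self.elements.append((tag, src))


def active_content(html):
    p = ActiveContentParser()
    p.feed(html)
    return p.elements


def external_hosts(elements, site_host):
    """Hosts other than the site itself that active content is loaded from."""
    hosts = set()
    for _tag, src in elements:
        host = urlparse(src).hostname if src else None
        if host and host != site_host:
            hosts.add(host)
    return hosts


def snapshot(html, site_host):
    """Baseline record: content hash plus a summary of the page's active content."""
    elements = active_content(html)
    return {
        "sha256": hashlib.sha256(html.encode()).hexdigest(),
        "elements": sorted((t, s or "") for t, s in elements),
        "external_hosts": external_hosts(elements, site_host),
    }


def diff_snapshots(baseline, current):
    """Return findings an operator should review; an empty list means nothing new."""
    findings = []
    if baseline["sha256"] == current["sha256"]:
        return findings
    for tag, src in current["elements"]:
        if (tag, src) not in baseline["elements"]:
            where = f" loading {src}" if src else " (inline)"
            findings.append(f"new <{tag}> element{where}")
    for host in sorted(current["external_hosts"] - baseline["external_hosts"]):
        findings.append(f"new external host referenced: {host}")
    return findings


# Constructed sample pages. The tampered page carries an injected applet tag and
# an extra script from a host the baseline never referenced.
SITE_HOST = "forum.example.invalid"

BASELINE_HTML = """<html><head><title>Forum</title>
<script src="/static/forum.js"></script></head>
<body><h1>Welcome</h1><p>Latest threads</p></body></html>"""

TAMPERED_HTML = """<html><head><title>Forum</title>
<script src="/static/forum.js"></script>
<script src="http://stats.example-cdn.invalid/a.js"></script></head>
<body><h1>Welcome</h1><p>Latest threads</p>
<applet code="Loader.class" archive="http://stats.example-cdn.invalid/l.jar" width="1" height="1"></applet>
</body></html>"""


def check_site():
    """Compare the constructed tampered page against its baseline."""
    base = snapshot(BASELINE_HTML, SITE_HOST)
    cur = snapshot(TAMPERED_HTML, SITE_HOST)
    return diff_snapshots(base, cur)


if __name__ == "__main__":
    for finding in check_site():
        print("ALERT:", finding)
```

In practice the baseline would be stored when a page is published and the comparison run on a schedule against the live page; a hash alone tells you the page changed, while the element summary tells you whether the change is the kind that executes code in a visitor’s browser.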
Anyone can be a victim
Again, we’re talking about Apple and Facebook here. These companies employ some of the world’s smartest people. While they eventually figured out their computers had been breached, this was naturally after the fact.
That’s the “beauty” of the watering hole attack. Because users are visiting a site they have visited before, their guard isn’t up. This isn’t someone clicking on a random popup or downloading a questionable installer, and then later realizing that maybe they shouldn’t have done so.
We’re talking about computers being silently compromised in the background, while employees perform their day-to-day tasks. No amount of security software or computer knowledge can prevent such an attack.
The good news is that once the malware threat is dropped on the computer in question, it can always be detected and removed via the usual methods. Of course there are always techniques to track down and figure out what has happened, but the initial entry in cases like this comes down to whether or not the user was browsing sites he or she had visited before.
Where do we go from here?
Education and teamwork. These types of attacks are not something that you can just thwart with the usual advice (use security software, keep your computer updated, and don’t click on random links).
Facebook did the right thing by publicly disclosing the attack and looping in other companies that could have been targeted. Apple, which has a very poor track record of talking to the security community, also showed it is starting to take such issues more seriously by announcing its systems were compromised.
It’s critical that companies that discover they were hacked, or had their systems compromised in some way, publicly disclose everything they can. If that is not possible, they need to privately contact other companies that may have also been targeted.
If there’s a trail of easily accessible warning signs, not all the animals will end up drinking the poisoned water.
Image credit: Adam Masters