Monday, July 4, 2011

Apple server cracked

The New York Times' Bits blog noted that an Apple system was cracked and "27 internal Apple usernames and passwords" were released to the world.

Everybody's vulnerable. That's beyond doubt.

However, let's look at the information the crackers released.

The crackers did indeed list 27 usernames. Among them:
  • admin (twice)
  • backup (twice)
  • bulkmail (twice)
  • myapp (twice)
  • survey (twice)
  • process_super
  • status_check
  • survey_slave
  • NULL (twice)
  • root (twice)
  • backup_user
That accounts for eighteen of the 27 users right there. (Of the remainder, two more were also duplicated.)

Why were so many of these included twice? Good question. However, it looks like what the crackers broke into was a MySQL database, and the user list looks like the output of a query against something other than a table of distinct user records, which would explain the repeats.

The usernames I picked out appear to belong to role accounts. Role accounts are special-purpose users created to carry out system administration jobs. (NULL most likely indicates that the "username" field of the database record was empty.) That means that substantially fewer than "27 internal users" were compromised. And while a user list that spans multiple systems can include role accounts, one of them is almost certainly not root. Ergo, my guess is that what the crackers got was a local system's user database, not a database of cross-system usernames (which would be a lot more valuable).

As for the passwords, what the crackers actually appear to have gotten are the cryptographic hashes of the passwords. Wikipedia has an article about cryptographic hash functions that saves me the trouble of explaining what they are. Suffice it to say that while it's bad that crackers got any password material at all, it's not nearly as bad as it could have been.

So how serious is this? As always, it depends. My guess is that the greatest risk is that one of the actual human beings who has an account on this system is using the same password on other systems, or even for a distributed account (one available on multiple systems). It's not likely the password can be cracked from the cryptographic hashes, but it's not impossible. It's also not out of the question that a cracker could get a hint (or more) through social engineering.
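To make concrete why a table of password hashes is less damaging than a table of passwords, here is an added example (not code from the original post, and not Apple's or MySQL's code) of how a system should store and check passwords. It assumes a modern scheme, PBKDF2-HMAC-SHA256 with a random per-user salt, as a stand-in for whatever the compromised database actually used; the account names in the sample are taken from the post, the password is constructed. It shows three things: a correct password verifies, the leaked hash itself does not work as a password, and because each record has its own salt, the dump does not even reveal that two accounts share a password, which is the reuse risk the post is worried about.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example: 16-byte random salt, 200,000 PBKDF2 iterations.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'.

    A fresh random salt is drawn unless one is supplied (supplying one is only
    useful for tests; production code should always let os.urandom pick it).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Recompute the hash with the salt stored in the record; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def hashes_match(record_a: str, record_b: str) -> bool:
    """True only if the stored hash values are identical.

    With per-user salts this is False even when both users chose the same
    password, so someone holding the dump cannot spot shared passwords.
    """
    return record_a.split("$")[3] == record_b.split("$")[3]


def demo() -> Dict[str, bool]:
    # Constructed sample: two role accounts named in the post, given the same password.
    shared_password = "correct horse battery staple"
    users = {
        "backup": hash_password(shared_password),
        "bulkmail": hash_password(shared_password),
    }
    return {
        # A real login with the real password succeeds.
        "login_with_real_password": verify_password(shared_password, users["backup"]),
        # Replaying the leaked record as if it were the password fails.
        "login_with_leaked_hash": verify_password(users["backup"], users["backup"]),
        # The dump does not show that backup and bulkmail share a password.
        "shared_password_visible_in_dump": hashes_match(users["backup"], users["bulkmail"]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The salt is what makes the third result False: an unsalted fast hash (as older database password functions used) would give identical hashes for identical passwords and let the holder of the dump precompute guesses once for every user at a time, whereas a salted, iterated hash has to be attacked one user at a time and slowly. Either way, the remedy on the defender's side is the same one the post implies: identify the human accounts in the list and have their passwords changed everywhere they were reused.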

If I were Apple IT, I'd jump all over this before it leads to something worse. That said, the Times article overstates the severity of the breach.
