Apple: Developer Site Targeted In Security Attack, Still Down
An anonymous reader writes "Apple has informed developers that an intruder gained access to its developer site database. Quoted email from Apple: 'Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then. In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.'"
So is sensitive information only your credit card data?
Interesting timing. Wonder if it was related/coordinated to the Ubuntu forums attacks.
http://it.slashdot.org/story/13/07/21/0318243/ubuntuforumsorg-hacked
I'm thinking of the purpose of this attack:
* Software stealing
* Account hijacking: use the certificate to publish fake apps and get money
* New software: tomorrow may be the day that Apple will release iOS 7 Beta 4 and OS X Mavericks
http://www.michel.eti.br
This wouldn't have happened if Steve was still alive
Great info for future spear phishing (or just phishing)
- People must look before you click (hover over link, make sure it gels with URL)
- Never use the same password on sites, especially if the site has info you consider sensitive (and make it a good password)
Spirit of transparency or because there is an entire site down without any other reason?
One Million Dollars! *strokes fluffy cat*
The only source of information about this is what Apple says when you try to go to the iOS or Mac developer centre, which was correctly quoted by the article. Note that there is no mention that any intruder did actually get any access to anything, as the summary suggests. It says that someone _tried_ to access developers' information, that all this information is encrypted, but they can't rule out someone's information was accessed. Quite a difference.
Either these guys at CNet can't read, or they make it up as they go. CNet writes in its article "Apple says its developer site was targeted in an attack, and that any information that was taken was encrypted."
No, that's not what Apple says. Apple didn't say any data was taken, encrypted or not. Apple said the data that was targeted (not the same as "taken") was "securely encrypted".
Data was encrypted? What a joke. This is a web site, it has to have unencrypted data in memory to serve any purpose. If Apple can access the data, so did the intruder.
Always trying to show how smart they are and expose weaknesses in the system so they can be fixed. It's purely for the good of Apple ya know.
If the attacker didn't successfully get in why is Apple completely revamping the site? When I ran a small website it got attacked every day, I can't even imagine how many people try to get into Apple's systems. So what's so different about this one? Something doesn't add up.
I have my own domain name, and suffice it to say it is unique. It is 8 characters and unless the attackers brute-forced my name and the domain name, data was definitely taken unencrypted. I have not published anything to the app store yet; my website doesn't talk about any apps. As far as anyone who develops for iPhones knows, my personal development account doesn't exist.
Throughout the day Thursday I had 4 password reset attempts on this Apple ID. I immediately changed my password the legit way to something much stronger than I had it, but that's beside the point - there's really only two vectors for someone to have gotten my developer account info: through the Apple breach, through email harvesters, or through past business contacts (I have developed for other people, but not published under myself).
Considering the timing, I think we can assume it was obtained through the Apple breach. I consider the data compromised. I'm going to go so far as re-generate ALL of my provisioning, etc. certificates and I advise anyone else to do so when the site comes back up.
Was just my email exposed to some more spam? Not so bad.
Was my password exposed? That would suck as I hate remembering new ones but I use a different one for every site.
The worst from a password exposure would be if they then log in and developer reject all my apps.
Was my credit card exposed along with bits like the code on the back? That would suck but again I use a crap card for online stuff.
Were my private app keys exposed which then probably opens my app to piracy? That would suck too.
Was my banking information exposed? That could mega suck. Either if they manage to redirect payments or just do something nasty to my account.
Was all my contact info exposed? Along with my CC this would be the worst, as a scam artist could send an email/phone me, saying that my apps were pulled from the store because of porn or something and that I could click HERE to contact Apple to protest. Even though I would be sure it is a scam and I would log in normally to check, my blood pressure would be up for a while.
So I would say of the various exposures banking info would be the worst.
Data was encrypted? What a joke. This is a web site, it has to have unencrypted data in memory to serve any purpose.
All the website has in memory when I visit is my name - not my email, or my physical address which are the two other items possibly accessed in this attack.
There's no reason why it would have anything other than my name for any page besides my account information, which I pretty much never access. Even on a page that indicates I'm paying with an existing credit card only has a few digits of the card, there's no reason to think anywhere it has the whole card number - and there's pretty much no Apple Developer page where you use your credit card anyway (payment for dev accounts is handled through the Apple Store transaction system).
Also getting to data in memory is significantly harder. The data is far more transient by nature than the main database, and you'd have to figure out what data you could access per page.
Basically the database itself is such a richer source of data it makes little sense to target the web pages themselves as served to customers.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So how much was the payoff from NSA (proceeds from the U.S.A. Department of Treasury and 'look the other way' from the IRS) to Cook for his 'sellout' of the Developers he loves so well?
Inquiring minds are digging for the 'dirt' and the bodies.
In this case, you have to assume that data was taken. No "If ands or Buts about it". Data was taken.
I'd agree you have to assume that...
They just don't know what data.
A small point of phrasing, they do seem to know "what" was potentially taken at a meta level - names, addresses (physical and email), phone numbers. They just don't know what subset of user data (if any) was taken.
So each Apple developer has to assume that someone may have that data now... but as a developer I'm not really that concerned. It's pretty much data someone could have found via other means who looked at applications I am selling. Most developer accounts belong to companies that would have public email/physical addresses anyway.
Was just my email exposed to some more spam? Not so bad.
That was one of the items possibly leaked.
Was my password exposed? That would suck as I hate remembering new ones but I use a different one for every site.
That was not one of the items leaked, at least Apple claims not.
Was my credit card exposed along with bits like the code on the back? That would suck but again I use a crap card for online stuff.
That was definitely not one of the items leaked as any developer purchases go through the App Store framework, which was not breached.
Were my private app keys exposed which then probably opens my app to piracy? That would suck too.
There's really not anything anyone could do with these though. Apps can be pirated already without any of that information if you use a jailbroken phone, because it can be made not to check the application signing.
You also can't build new enterprise apps locally to phish companies, because that requires a private key that is only held client side, Apple does not have it.
Also Apple is not saying that was one of the items potentially leaked.
Was my banking information exposed?
Apple is not saying that's any of the data exposed, and the system that holds that (iTunes Connect) is not offline.
Was all my contact info exposed?
Again, possibly your email address and phone in encrypted form were taken... but anyone could find those out in other ways anyway.
Although the outage has been inconvenient, the upside of this is that the users of the system can be pretty sure Apple figured out the extent of possible damage, and also we can be pretty sure nothing else was hacked into in the meantime.
The timeframe seems pretty long but to me it seems like any site that has been hacked should, as a rule, probably go down until the site developers can be sure nothing else will be taken and holes are closed. Yet very few other sites do this, I'm sure to avoid irking customers...
Perhaps it's only really possible for a site like the Apple Developer website where the users can understand the technical reasons for closing a site until it is safe, but it seems like it's a better approach when possible.
It does make you wonder though just what they are fixing that takes this many days to get back on track.
I've got to dash to work, but here goes the link to the video where he shows what he did.
http://www.youtube.com/watch?v=q000_EOWy80
ac
"an intruder attempted to secure personal information"
let me get this straight - the intruder tried to secure information that Apple left insecure - so it was a white hat attack?
"In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database."
"We knew about the vulnerability, and didn't do anything about it for months. Hopefully looking like we're doing all this to protect you means you won't sue us and find out."
Finally had enough. Come see us over at https://soylentnews.org/
two vectors
through the Apple breach
through email harvesters
through past business contacts
Please tell me you write accounting software.
“Researcher” posts video of Apple intrusion, with user data in the video [2:50]: http://youtube.com/watch?v=q000_EOWy80
Correlation != causation.
Otherwise, since throughout the day Thursday I had ZERO password reset attempts on my Apple ID we must assume that the data was not taken or was taken and not partially encrypted.
Obviously both arguments are silly.
(PS, like you I have written apps for other companies but have not published any under my own name).
Since corporations can simply write off "damage" (funny how they tally "potential business lost" time at peak sales rate) from their taxes, there's an incentive to fluff out expenses, isn't there? And what easier way to do that than to feign "computer attack" by "evil hackers11!!!11!!!"??
There is a TechCrunch article on the breach, and someone by the name of Ibrahim Balic is taking credit for the breach.
What he wrote is below, and the link provided goes directly to the comment.
http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center-has-potentially-been-breached-by-hackers/?hubRefSrc=permalink#lf_comment=87472293
Short URL: http://fyre.it/tjlVmC.4
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Are the password reset emails forgeries?
Stupidest "researcher" in the world?
"I broke in and took 100,000 users' data. But I maintain I stole nothing, broke in nowhere, and I have kept all of the copies of the data from my hack so I can prove I didn't hack anything."
He won't have to wait much longer for them to contact him, I'm sure. Unfortunately, that contact will come in the form of the UK police slapping cuffs on him so he can be brought in for an extradition hearing.
I bet the encryption password was “guest”.
You realize you are automatically taken as a complete idiot on Slashdot when you have some social network profile attached to your account, right? You fucking loser?
we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database.
how a security breach where no sensitive data was compromised requires a total database rebuild?
how do you "completely overhaul" a developer system just hours after being compromised?
how long do you plan to work "around the clock" on that? half a year? because that's about the minimum such a system update would require, wild guess.
and how do you want to keep customer confidence with such blatant and unnecessary lies? ...
duh, apple
I noticed the article is dated Sunday.. well I only just now got notified on Monday evening.. it says "in the spirit of transparency, we're notifying you".. LONG after it's been all over the web, here, and other tech publications. A little late, maybe?
My developer info as an iOS developer includes my Apple ID and my password.
Mine too.
But that was not the system accessed, authentication is handled by a different system.
Luckily Apple seems to compartmentalize some important systems, and that is one of them...
I noticed that this morning and later today there are 2 separate attempts to reset my Apple ID password so I am fairly certain my ID/email was stolen from there as I once registered as an iOS developer.