Apple takes Dev Center down for days, finally admits, "We got owned!"

Filed Under: Apple, Data loss, Featured, Vulnerability

What a weekend!

First Ubuntu and now Apple have admitted to large-scale breaches of their user databases.

The Ubuntu Forums hackers called attention to themselves by changing the main screen to a cartoon of an AK-47-wielding penguin, and Canonical owned up as soon as it could.

But Apple's breach was less obvious at first, with the Developer Center simply going offline with the most generic sort of explanation:

We apologize that maintenance is taking longer than expected.

Apple told developers whose membership would expire during the outage not to worry, giving them a free extension and reassuring them that their apps wouldn't be ejected from the App Store:

If your program membership was set to expire during this period, it has been extended and your app will remain on the App Store.

But as the outage dragged on from last Thursday into the weekend, some observers began to ask if there were more sinister reasons than merely a maintenance window gone wrong.

After all, Apple is one of the massive success stories of the modern cloud economy (iTunes, QED), which makes maintenance alone a decreasingly likely explanation the longer it takes.

It turns out the cynics were right.

Apple's Developer Centre was penetrated, with Cupertino admitting that the attackers seemed to be after personally identifiable information (PII).

The main developer page looks OK at first sight:

But if you try to click through to any of the developer-specific locations, such as the iOS Dev Center or the Mac Dev Center, you don't get very far:

The notice, which was also sent by email to registered developers, now admits the reason for the extended maintenance:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

Investigating a breach of this sort requires considerable circumspection, not least because you need to make sure that such evidence as you have available for law enforcement is safe and sound before you say too much.

That might explain Apple's delay in telling it like it is, but I'm still not quite sure how many friends in the developer community Apple will win by invoking "the spirit of transparency" some two-and-a-half days late.

The next part of Apple's admission, which seems to be intended to explain why actually fixing things is taking longer than might have been expected, says:

In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database.

It sounds slightly worrying to hear that Apple is updating its server software after the incident, since that rather implies it wasn't fully up to date before.

With all of this in mind, here's what we recommend:

  • Patch early, patch often.
  • Proactive security isn't just for Windows users.
  • If you suffer a breach, remember that honesty is the best policy, and time is of the essence.

What now?

Well, let's hope that operating system data breach notifications aren't like buses, where you wait a while and then three come at once.

Ubuntu/Linux, then Apple/OS X...who/what, do you think, would be next?


11 Responses to Apple takes Dev Center down for days, finally admits, "We got owned!"

  1. "who/what, do you think, would be next?" .....hummm...Windows/Microsoft ? well after Linux, OS X, only thing left is Windows I guess

    • Paul Ducklin · 368 days ago

      Well...there are the various BSDs, of course. There's Google/Android, except they got punctured twice in a row recently, and technically perhaps the platform counts as Linux, so perhaps that pairing is already off the list.

      Oh. There's also Oracle/Solaris. It's still going, folks - in fact, it got a bunch of security patches the other day!

      And don't by any means forget Wind River/VxWorks.

      (Just to clarify: I am not implying that any of these are, will, might get breaches. I was just making a "three buses come at once" joke, remember?)

  2. Antonio · 368 days ago

    Microsoft?

  3. Anonymous · 368 days ago

    Sophos keeps its customer information well protected, right? :-)

    • Paul Ducklin · 368 days ago

      Right :-)

      I don't mean the smiley to imply that I'm just saying "right" but I really mean "wrong", in case anyone is wondering.

      But no serious company intends to get hacked, and all of those who have been pwned lately would likely, entirely honestly, have said "right".

      So, for all that we might look askance at Apple for the time it took to clarify the situation in this event, the company has almost certainly been the victim of a crime, since user data that a hacker would surely have known wasn't for public consumption appears to have been "got at."

      (As chance would have it, I'm writing this reply in the midst of publishing a followup article about a bloke who is now claiming to be the "Apple hacker", and amidst his protestations of innocence, he's saying he did get at 100,000 or more user database entries. Just for research purposes, you understand. Watch this space for more info :-)

  4. Marc · 368 days ago

    Should people change their apple id/dev account password ?

    • Paul Ducklin · 368 days ago

      When the site comes back up?

      I'd have to say, "Why not?"

      Shouldn't cost you much effort and effectively gives you closure over the login aspects of this hack.

      (How you change any of the other details stolen is an open question. But since it's under your control to update your password, you might as well do so. My 2c.)

      • No need to wait for the site to come back up -- Apple ID is the same for iCloud, iTunes, Developer centre, Apple Support, and Apple Store. I tried to keep mine separate for years, but Apple eventually consolidated them.

        So changing your info for one of those services will change it for all. The Dev centre adds a bit more metadata than you'd have without being signed up, but it all boils down to your Apple ID (which is probably why they're saying that stuff is secure, as the attacker probably got a list of tokens associated with the Dev Centre metadata only -- no usernames/passwords).

  5. Steven Grossman · 367 days ago

    My employer is client of many AV and security companies and we are worried that many companies and their talking heads are not stating that this was a criminal act.

    1. The Criminal performed a security assessment and pen test on computers and systems he was not authorized to perform. It seems he wrote a custom Python script to do this.

    2. The criminal did not use fair disclosure, it is impossible for a larger enterprise to update a system with customer visibility quickly. This can take weeks especially during roll outs and beta programs. The cost to individual developers and Apple is enormous.

    3. The Criminal published emails from developers from companies in the telecommunications industry, education and government. Over 1000000 records which are not his property and contain private information as defined in several jurisdictions are in his possession.

    All of these actions are 100% breaking the law. Why would a company; example Sophos or Immunity (My CIO saw Dave's interview on Bloomberg and is pissed that he does not see this as 100% criminal...) or its representatives, defend and cover for illegal behavior? How can we trust the companies we pay huge amounts of money to protect us if they do not call this what it is. A criminal act against a company and individuals that breaks a host of laws and does enormous damage.

    Would Sophos or Immunity help in the prosecution of individuals that attack their clients assets, of course they would and should. It seems that arrest and prosecution is proven tool to stop criminal behavior such as this especially if there is an enormous cost to our industries and society.

    Security companies and AV companies have to come clean and call it what it is, an illegal action by a criminal.

    So Paul, do Sophos and you think this is a criminal act? After all he published information of developers from the Vic, AU Government? Can you explain if his actions are illegal?

    • Paul Ducklin · 367 days ago

      You might want to start by considering my reply to @Anonymous above, written more than 24 hours before your comment, in which I said, "For all that we might look askance at Apple for the time it took to clarify the situation in this event, the company has almost certainly been the victim of a crime, since user data that a hacker would surely have known wasn't for public consumption appears to have been 'got at'."

      Don't forget, at the time I wrote this article (and made the abovementioned comment), the information in the three numbered points you make *was not yet known*. So the clarity and detail you trot out about "the criminal", and how much he'd stolen, and what he did with it once he'd got it, is entirely a matter of hindsight.

      And if you read the article carefully, you will notice that I actually make an excuse for Apple's delay in coming clean by pointing out that the company needed to get evidence together for law enforcement first.

      I think that a reasonable person would form the opinion, from what I said in the article, that I *did* think that a crime had been committed, and furthermore that it should be investigated in order to deal with it properly. (I should hardly have mentioned law enforcement otherwise.)

      Indeed, if there is anyone who should be offended here, it is surely I! You're accusing me of "defending and covering for illegal behaviour"...have a care, Sir!

      As for "the criminal", we dealt with him somewhere else:
      http://nakedsecurity.sophos.com/2013/07/22/ibrahi...

      You might want to comment over there, by the way.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog