All this, and yet people are still foolishly attacking the NSA, who are being constantly vigilant in trying to find out where this stuff comes from.

No, this isn't what the NSA uses PRISM for (or at least they absolutely should not).

Hacking Apple's developer site is bad, and it's a crime, but it isn't a terrorist threat. If we start being OK with PRISM as a substitute for policing, we really are going down a slippery slope.
 
Obviously they're different teams (although there's more than likely overlaps), but it'd be stupid for them to release the 4th beta. Sure the OTA would work, but actual developers need access to the 4th beta of Xcode for it to be of any worth. You need the developer website for this.

Obviously that, but there's also the chance of the beta not being ready right now anyways. I don't actually know.
 
They are going to upgrade their server software? What are they running? Mac OS server or Windows?

It's probably a mix of different servers, some public facing, and others not, running a wide mix of software and OS, but Apple has been known to use Windows servers for the Apple.com domain.
 
This is why I'm not a fan of the keychain syncing with iCloud in OS X Mavs. That's a lot of information that Apple now has (and am I to completely trust them with it?), and that's a lot of information that could be hacked.
 
This is why I'm not a fan of the keychain syncing with iCloud in OS X Mavs. That's a lot of information that Apple now has (and am I to completely trust them with it?), and that's a lot of information that could be hacked.

Then don't.
 
This is why I'm not a fan of the keychain syncing with iCloud in OS X Mavs. That's a lot of information that Apple now has (and am I to completely trust them with it?), and that's a lot of information that could be hacked.

Apparently all they got was a list of usernames. No passwords (or even password hashes, as in the Evernote hack for example). No app data.

While it isn't the best news for Apple from a security perspective, it's good that they've been tested and found to be extremely resilient.
 
Apparently all they got was a list of usernames. No passwords (or even password hashes, as in the Evernote hack for example). No app data.

While it isn't the best news for Apple from a security perspective, it's good that they've been tested and found to be extremely resilient.

Well, that is good for Apple but not for anyone that has their email hacked.

It would be wise to change passwords for the emails attached to the developer accounts.
 
No, this isn't what the NSA uses PRISM for (or at least they absolutely should not).

Hacking Apple's developer site is bad, and it's a crime, but it isn't a terrorist threat. If we start being OK with PRISM as a substitute for policing, we really are going down a slippery slope.

Actually, the NSA's activities are not confined solely to PRISM, and are not confined only to anti-terrorism. They also carry out many other activities, including gathering signals intelligence to find the source of hacking attacks against American targets, precisely like this one, should it turn out to be the work of state actors. Another reason to support the good work they are doing.
 
Apparently all they got was a list of usernames. No passwords (or even password hashes, as in the Evernote hack for example). No app data.

While it isn't the best news for Apple from a security perspective, it's good that they've been tested and found to be extremely resilient.

Nice spin, you're good!
 
News reporting would go something like this...

Of the Apple hacking, which didn't really affect much, and is actively being resolved:


Of the Android master key exploit which exposes 900 million phones to malware/viruses and more, and has no chance of ever being resolved:

You do realise this hit the mainstream press?

http://m.bbc.co.uk/news/technology-23179522

http://www.dailymail.co.uk/sciencet...-allows-hackers-hijack-phones-steal-data.html

ETC.

I'm sure even the turd that is AppleInsider had a field day with it.
 
This is why I'm not a fan of the keychain syncing with iCloud in OS X Mavs. That's a lot of information that Apple now has (and am I to completely trust them with it?), and that's a lot of information that could be hacked.

iCloud Keychain uses 256-bit AES encryption.

This is the same exact encryption that 1Password uses, and almost everyone I know who uses 1Password uses Dropbox to sync 1Password as well.

256-bit AES encryption is what the banks, military, and NSA use to encrypt their information. It is safe.
 
Someone says that they are required to inform us within a timely manner about this?

It was like four days ago. The first day or two they were likely trying to block the attempts from getting into anything.

Sounds rather timely to me.

----------

I highly doubt they'll offer to change Apple IDs. I don't think they have the mechanism to do that.

Why not? The public can change their Apple IDs. To any email that isn't already in the system. You just can't merge IDs.

My beef with their system is that you can't use one ID for all selling systems. Yes there might be some indie soul who films a movie, releases a soundtrack, creates an app and writes an official novelization. All selling in Apple stores. But that can end up needing 4 unique IDs.
 
An interesting comment from the TechCrunch article: :confused:

ibrahimBalic 1 hour ago
Hi there,


My name is Ibrahim Balic, I am a security researcher. You can also search my name from Facebook's Whitehat List. I do private consulting for particular firms. Recently I have started doing research on Apple Inc.

In total I have found 13 bugs and have reported through http://bugreport.apple.com. The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I've also added screenshots.

One of those bugs has provided me access to users' details etc. I immediately reported this to Apple. I have taken 73 users' details (all Apple Inc. workers only) and prove them as an example.

4 hours later from my final report Apple developer portal was closed down and you know it still is. I have emailed and asked if I am putting them in any difficulty so that I can give a break to my research. I have not gotten any response to this... I have been waiting since then for them to contact me, and today I'm reading news saying that they have been attacked and hacked. In some of the media news I watch/read that whether legal authorities were involved in its investigation of the hack. I'm not feeling very happy with what I read and a bit irritated, as I did not do this research to harm or damage. I didn't attempt to publish or have not shared this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100.000+ users' details and Apple is informed about this. I didn't attempt to get the data first and report then, instead I have reported first.

I do not want my name to be in blacklist, please search on this situation. I'm keeping all the evidence, emails and images also I have the records of bugs that I made through Apple bug-report.

Watch this video
http://www.youtube.com/watch?v=q000_EOWy80&feature=youtu.be

http://techcrunch.com/2013/07/21/ap...kers/?hubRefSrc=permalink#lf_comment=87472293
 
Microsoft would never let this happen.


BSOD.gif
 
I'm not normally one to step up and defend Apple, but in this case, sadly this is how things are now.

Facebook has been hacked, Twitter has been hacked, Sony has been hacked, Zendesk has been hacked, Microsoft has been hacked, Ubuntu has been hacked, numerous government websites have been hacked etc. etc.

It's simply next to impossible these days to guarantee security in the millions of lines of code that constitute modern Operating Systems and the dozens of processes that run on them. Someone will find a vulnerability sooner or later and exploit it. The only thing you can do is make it as hard as possible for them, and store your data in as safe a manner as possible with strong encryption (and hashing for passwords).

This was going to happen sooner or later, and while it looks bad for Apple, it's a fact of life that there are people out there for whom hacking is their job and how they earn their money. The only way to secure your data from hacking, is not to put it on the internet. End of story.

It's not impossible to completely lock down a website. Having worked on a "secure" software solution for a while... You just have to accept that some bits are going to have a sh** user experience.

1. Username and passwords: If a password is entered incorrectly, the account locked or the username doesn't exist, you give them the same message (thus potentially confusing the user).

2. Lock down the servers, so that the only way in is via VPN tunnel through a special isolated machine at the datacentre.

3. Regular pen-tests

4. Rotating password policy

5. Time limited passwords

6. Enforce complex passwords

7. 3 strike rule
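
Added example, not part of the post above: a Python sketch of items 1 and 7 from that list, where a wrong password, a locked account and an unknown username all get the same message, and three failures lock the account. The `LoginService` class, the in-memory user store and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password."  # one message for every failure
MAX_STRIKES = 3                                   # the "3 strike rule"
ITERATIONS = 100_000                              # assumed value for this sketch

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class LoginService:
    """Hypothetical in-memory login service (illustration only)."""

    def __init__(self):
        self._users = {}  # username -> {"salt", "hash", "strikes"}
        # Dummy record so an unknown username costs the same hashing work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("placeholder", self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _hash(password, salt),
                                 "strikes": 0}

    def is_locked(self, username: str) -> bool:
        user = self._users.get(username)
        return bool(user) and user["strikes"] >= MAX_STRIKES

    def login(self, username: str, password: str):
        user = self._users.get(username)
        salt = user["salt"] if user else self._dummy_salt
        expected = user["hash"] if user else self._dummy_hash
        # Always hash and compare, even for unknown or locked accounts.
        matches = hmac.compare_digest(_hash(password, salt), expected)
        if user is None or user["strikes"] >= MAX_STRIKES:
            return False, GENERIC_ERROR   # unknown or locked: same answer
        if not matches:
            user["strikes"] += 1          # count the strike, same answer
            return False, GENERIC_ERROR
        user["strikes"] = 0               # success resets the counter
        return True, "Welcome."
```

The lock state is visible only through `is_locked`, which would be an administrative check; the caller of `login` cannot tell a locked account from a mistyped password or a nonexistent user.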
 