Apple was hacked via its "outdated, crappy technologies"

Old 22-07-2013, 13:46
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956

http://thenextweb.com/apple/2013/07/...ly-steal-data/
As there was access to 100,000 users data I'd assume 100,000 passwords have now been reset.

"In total I have found 13 bugs and have reported through http://bugreport.apple.com. The bugs are all reported one by one and Apple was informed. I gave details to Apple as much as I can and I've also added screenshots.

One of those bugs has provided me access to users' details etc. I immediately reported this to Apple. I have taken 73 users' details (all Apple Inc workers only) and prove them as an example.
4 hours later from my final report Apple developer portal has closed down and you know it still is."

I guess with a bit of wider publicity and 'we prefer not to know' Apple might just let him back in.
I do wonder how many first trespassed without telling.
Old 22-07-2013, 15:20
barky99
Forum Member
 
Join Date: Jul 2011
Location: Scotland - near a whirly thing
Posts: 2,924
a familiar pattern from Apple ... they had a similar reaction to a Russian company that found vulnerabilities didn't they?
Old 22-07-2013, 17:05
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
It is quite interesting.
It looks like he reported 13 bugs and as they were still not actioned he went and confirmed the seriousness of the security hole.

Only after supplying proof did action take place, and rather than bothering to speak to him direct, they instead closed down that server impacting on the 100,000 developer accounts there.

The next security developer would be far wiser selling their exposé to the Telegraph or Panorama. You are less likely to get life in a US prison that way.
I'm not sure if Apple actually reported him to US law enforcement agencies, but it is almost implied that he is now a wanted criminal.
Old 22-07-2013, 17:44
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
http://www.guardian.co.uk/technology...er-site-hacked
"as company 'rebuilds and strengthens' security around databases".

"Theft".

"My intention was not attacking. In total I found 13 bugs and reported [them] directly one by one to Apple straight away. Just after my reporting [the] dev center got closed. I have not heard anything from them, and they announced that they got attacked. My aim was to report bugs and collect the datas [sic] for the purpose of seeing how deep I can go with it."

I'm not sure if he is running scared or if the video (screen recording log?) came first.

"The breach is the first known against any of Apple's web services."

Obviously 'No proof of concept' is ever allowed then.
I would hazard a bet that more than a few reading here would be in prison if so.
Old 22-07-2013, 19:36
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
The guy is based in London so maybe Assange at the Ecuador embassy would like some company.
http://www.theregister.co.uk/2013/07...s_apple_bloke/
"Security market expert Graham Cluley has predicted that Apple may be tempted to take tough action to dissuade any other researchers from probing too hard."

That Register report reminds me that Kaspersky was banned from iOS.
It does get rather strange when the only legitimate non-Apple-employee security researcher appears to be the career criminal.
Old 22-07-2013, 19:46
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
https://twitter.com/ibrahimbalic

"If the black helicopters take you away, can I have your laptop?"

The guy's English is maybe not great, but it makes it easier to see why he has now panicked.
Old 22-07-2013, 23:48
bspace
Forum Member
 
Join Date: Jul 2004
Posts: 8,590
This strange anti-Apple fetish is getting beyond tiresome.

All companies have problems, no one is perfect, we know.
Old 23-07-2013, 00:10
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
Just because I find them more often than not bizarre does not make it hate.

A missing Howard Hughes seems more forthcoming.
You can't ever 'join all the dots' with Apple which always makes for great fascination. And Apple defending us all against the bad little good guy is a bit more surreal than usual.

Contrast that to Microsoft who read far more like an open book.

If it was hate I'd probably have been reading and posting in the fairly preposterous iPhone electrocution topic.
Old 23-07-2013, 10:03
paulj48
Forum Member
 
Join Date: Jul 2007
Posts: 1,034
I'm registered with the Apple Developer website and I only received an email from them advising me that my details may be at risk this morning. The following is the content; notice the bit that says 'In the spirit of transparency, we want to inform you'. Yes, 4 days later.

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.
Old 24-07-2013, 13:11
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
6 days now and the solution could still be up there in the clouds.
Well, that made for interesting reading. Just maybe Balic actually had nothing to do with it.
And the fact that they never acknowledge anyone, at least without a visit from the police, could be his saving.

That array of 13 security holes, on different servers, reported over several days was wide ranging left enough to think that Apple is always swarming with intruders. The one he demonstrated looked on a different server in iAds where he could return names and addresses, not just developers but he thought them as standard regular Apple gadget users. So maybe just a coincidence and Balic understandable panicking?

A connection from there to this developer server would obviously be for iAd payments IDs.
Whatever, it looks like they are certainly trying to clean up some major disaster.

The 'intruder' detection is quite probably true on any particular day, so maybe it was just a wrong-sized spanner from Amazon, Microsoft or whoever runs/owns the Apple developer server.

BTW they have since removed the iAd adduser function that might have simply returned regular iTunes users' names and addresses, so again, likely a separate issue there.
Old 24-07-2013, 13:34
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
I'm not quite sure if my headline quote was never linked but here it is.

"It's no secret that Apple's developer portals are a mix of outdated, crappy technologies, and it seems that this security researcher did good work by making that fact very, very clear for everyone."
http://www.osnews.com/story/27206/Re..._vulnerability

They do use a whole hotchpotch of stuff including Google software.
Old 25-07-2013, 12:50
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
Well, I was certain that when a historic milestone of '7 days downtime' was reached something would have to blow. And it did.

https://developer.apple.com/support/system-status/
https://developer.apple.com/
A wicked accidental sense of humour there.

Now we get a 'this dial goes up to 15'. Bug reporting was seemingly working anyway.
The developer forum will certainly let off a certain amount of NDA steam when it opens and they get beyond what really looks like a data loss catastrophe.

There is also a fair chance they bulldozed badly through, not realising they had a bug report in front of their nose that could have called back that slightly misbehaving bulldozer.
Old 25-07-2013, 21:30
Harumph
Inactive Member
 
Join Date: Jul 2013
Posts: 570
Even at the best of times Alanwarwic, your use of language does not lend itself to basic comprehension, so it is with no surprise that your posts here are again a convoluted word mess.

So let's lay this story out.

Some time last week a chap that identifies himself as a "security researcher" found a vulnerability in Apple's developer-facing technologies and filed bug reports and a detailed analysis of how he used that vulnerability to extract the details of up to 100k developers and/or users from Apple's systems. By way of proof he analysed the data and extracted and submitted back to Apple the details of 73 accounts claimed to be those of Apple employees.

So far, so good.

He, you and me have absolutely no idea how Apple responded to, or used that data.

After the "security researcher" published his technique on YouTube (video since withdrawn) Apple takes action, by shutting down the entire Apple Developer areas of their website.

The "security researcher" stole data, there is absolutely no way at all to ensure that he did not leak, sell or exploit that data, and because he did not get his taint tickled by Apple he published his methodology.

Apple have absolutely no choice but to shut down their systems at this point. Anyone, and there are a few that post here, who look after similar systems would have done exactly the same; shut the system down until sure that the "security researcher" has not compromised further systems or sold, or leaked or exploited data.

Alanwarwic, we understand you hate Apple, but if you had the first clue about data security you would understand exactly what happened.
Old 25-07-2013, 21:40
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
So let's lay this story out.
Apple have had a catastrophic server/system failure, possibly due to some quite unknown hacker. After 7 days it is not yet back up.

There is little else to 'comprehend' unless we spin more, apart from that at 7 days Apple gave us that status picture to say "hey, give us a break, we are trying our best".
Old 25-07-2013, 21:46
Harumph
Inactive Member
 
Join Date: Jul 2013
Posts: 570
They have not had a "catastrophic server failure".

That would suggest hardware failures for a start.

What they have is a software exploit that could expose corporate and / or personal data, and so took the decision to shut their systems down to ensure no more data was stolen or exploited.
Old 25-07-2013, 21:49
Harumph
Inactive Member
 
Join Date: Jul 2013
Posts: 570
Had the "security researcher" not put his methodology on YouTube over the weekend when Apple refused to tickle his taint, it is quite likely Apple would have only shut down the less sensitive areas of their developer center.
Old 25-07-2013, 22:04
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
What they have is a software exploit that could expose corporate and / or personal data
It should have been fairly easy to isolate a lot of things and get stuff like the forum back up.

It simply does not compute. What is also fascinating is that a short while before this problem, a brand new interfacing came up, but it got pulled fairly quickly.

That is what normally happens in 'down for maintenance'. Up pops something new, so just maybe they got stuck halfway through. Obviously in reporting an intruder they would then have been telling us about that security report Balic sent.

Again, my last statement is as much as we really know. Systems are down. BTW your timeframe in the last comment works out all wrong. And at 7 days I do feel the use of the word 'catastrophic' quite justified.
Old 25-07-2013, 22:08
Harumph
Inactive Member
 
Join Date: Jul 2013
Posts: 570
Alanwarwic, in general terms, outline your server security experience.

Now tell me how you separate private discussion areas from accounts tied to developer accounts?

Now convince me the "security researcher" did not pass details to third parties?
Old 25-07-2013, 22:17
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
Alanwarwic, in general terms, outline your server security experience.
Now tell me how you separate private discussion areas from accounts tied to developer accounts?
Now convince me the "security researcher" did not pass details to third parties?
Nice politics.
Old 25-07-2013, 22:23
Harumph
Inactive Member
 
Join Date: Jul 2013
Posts: 570
Or, you could answer the question.
Old 25-07-2013, 22:25
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
Or, you could answer the question.
Outline Apple's 8 days of security experience.

Of course I could answer the question. I could even tell you I get my code fixes in 5 times faster than my competitors.
But it means zilch if it is not relative.
Old 25-07-2013, 22:28
Harumph
Inactive Member
 
Join Date: Jul 2013
Posts: 570
Or you could explain how, after an exploit is found, and published on YouTube, thus inviting even more exploitation, the company keeps everything open and running while working out how to fix the exploit you have just publicized to the world?

Is it any wonder no one responds to your ramblings?
Old 25-07-2013, 22:31
Harumph
Inactive Member
 
Join Date: Jul 2013
Posts: 570
Outline Apple's 8 days of security experience.

Of course I could answer the question. I could even tell you I get my code fixes in 5 times faster than my competitors.
But it means zilch if it is not relative.
I need to ask this, but just to be sure, is English your first language?
Old 25-07-2013, 22:46
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,956
I need to ask this, but just to be sure, is English your first language?
I just reread your #13 post. You just read up on this tonight didn't you.

The timeline ain't just wrong, you are all jumbled to hell.
Seriously, all we can see is that the Balic guy is a convenient fall guy!
Now go and read up properly.
Old 25-07-2013, 22:58
Harumph
Inactive Member
 
Join Date: Jul 2013
Posts: 570
So English is your first language, good to know.

Balic is now a fall guy?

Have you ever, ever, worked in the industry?

You do not expose or admit to fault UNTIL such time as you have managed to plug the hole.