Apple Admits to Breach in Developers' Portal


Today (Sunday, July 21, 2013) Apple officially admitted that someone had hacked its developer site. The notification came out as a warning that some information, including names, addresses and email addresses, might have been accessed. What we find interesting is that this announcement comes on the heels of a multi-day outage of the same site. It looks like Apple might have known about the breach earlier and not told anyone until it confirmed that user data was compromised (in which case it might have been compelled to). This is not exactly what you want to hear from a company that prides itself on the security and safety of its operating system AND its ecosystem.


Apple’s notification read as follows:

“Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.”

The Thursday in question is the 18th of July, which means there was a three-day gap between the discovery of the breach and the disclosure to members of the developer program. This almost makes it look like Apple might not have revealed the breach if it could not have confirmed that user data was accessed. Of course, if no data was accessed, no company is under any compulsion to reveal that an outside person or company penetrated its security. It is only when there is loss of data that this becomes necessary.

The other lines about encryption of the data are just talk. There is almost no level of encryption that is not breakable. You might hear someone tell you otherwise, but in almost every case someone will find a way. It does not help that there are multiple encryption-cracking applications that leverage the power of GPUs to make the task that much quicker. So the fact that the data was encrypted does not instill confidence. LinkedIn had its data encrypted with an old and outdated encryption algorithm (MD5). Which leads us into the next part of the announcement, where Apple says it is completely overhauling the system. If this is really the case, then the existing one must have been complete crap. Sorry, but you do not go to the lengths that Apple is going to if you had a decent system to begin with. It brings us back to the claim of encryption: just what was used to encrypt user information? If you are rebuilding the database and also upgrading/updating all servers (which should be a regular thing anyway), there is a chance of a greater compromise than Apple is letting on.

We may never know the full extent of the breach or what the hackers were after, but we do know this: Apple did not need to have another item go wrong for it. This single bit of news can cast doubt on other areas of its infrastructure. What other systems inside Apple’s networks are not as secure as they should be? User data, user chat data, iTunes accounts, the iTunes system? Sadly, we will never know if these systems also need looking at, or if Apple intends to do anything to make sure they are as secure as they could be.
