Five Days In, Security Firms Start to Wonder What's Going on at Apple
The recent security breach of the Apple Developer website has left many security firms wondering what’s going on over in Cupertino. Apple’s Developer Center has been down since Thursday evening, leaving many developers unable to gain access to resources and downloads provided by Apple. What’s really interesting is that someone has already claimed to be responsible for the breach; however, that person says he is a security researcher and had warned Apple about the vulnerabilities via bug reports before the site was taken down.
Although Ibrahim Balic, the security researcher, claims to have warned Apple, he admits he took user details for 73 accounts, all of which he says were owned by Apple employees, as a way to prove it was possible to exploit the system. While it seems that Mr. Balic took only Apple employees’ user details as a way to limit the fallout, according to Derek Tumulak, VP Product Management at Vormetric, a data security firm, “He [Ibrahim Balic] forced Apple to make a public disclosure by taking any user information.” In other words, it wouldn’t have mattered whose accounts were compromised; either way, Apple is forced to release a statement.
If you believe Mr. Balic’s story, one of the issues likely to be discussed in the security community (if it isn’t already) is whether or not he gave Apple a reasonable amount of time to fix the vulnerabilities, and whether he acted responsibly. Based on the email he wrote, it doesn’t seem (to me) that this was something he had been trying to get Apple to acknowledge for a while, but rather something he found and notified them about without giving much (if any) time before exploiting the defect. “If you are a professional security researcher and you find a defect, you are going to go to the vendor and give them responsible disclosure, you are also going to give them a reasonable amount of time to fix the defects,” said Alan Kessler, CEO of Vormetric.
You also have to wonder what Apple may have found when they started looking into the situation. We are now going on five days without access to the Developer Center, so it must either have been pretty bad or be a huge job (or both). According to Vincent Berk, CEO of FlowTraq, a network monitoring and analysis software company, Apple may be using its proprietary software system called WebObjects in parts of its Developer Center, which may be where the vulnerability was found. “The benefit of this is that it’s [WebObjects] harder to hack, but it’s also not as actively supported by people at Apple,” said Mr. Berk. This means that if and when a vulnerability is found in the WebObjects software, it may not be patched as quickly or easily, which may explain the extended downtime we’ve been experiencing.
No matter how you look at it, the consensus amongst the security community seems to be that taking down the developer site was the right move — now we just have to wait for Apple to overhaul its setup to ensure it’s secure before putting it back online. The last thing any company would want to experience after a security breach is a second one shortly thereafter.