Apple’s developer site overhaul continues following breach

Discussion in 'Off-Topic Discussion' started by sparkyscott21, Jul 25, 2013.

  1. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.




    Apple is incrementally restoring its developer systems following an intrusion last week the company said may have divulged personal information about registered users.
    The company created a new status page listing the various functions of its developer site, which is used to aid programmers in creating applications.

    “We’ve been working around the clock to overhaul our developer systems, update our server software and rebuild our entire database,” said an Apple notice.

    iTunes Connect, a tool for distributing content, and Bug Reporter, for reporting software errors, are back online. But many other services, such as pre-release documentation, technical support and software downloads, remain down.

    The systems scheduled to come online again next will be Certificates, Identifiers and Profiles, Apple Developer Forums, Bug Reporter, pre-release developer libraries and videos, according to Apple’s notice.







    Software downloads, including the latest beta versions of iOS 7, Xcode 5 and OS X Mavericks, will come back online next followed by the remaining site components, Apple said.

    Apple acknowledged on Sunday that an attacker tried to access personal information of the site’s registered users. Although personal information was encrypted, Apple said the names of some developers plus their mailing or email addresses may have been accessed.

    No credit card information or iTunes accounts were compromised, the company said.


    7-25-13


    Source


     
  2. sparkyscott21

    There's always some scumbag who is willing to try to take advantage of a bad situation. Take Apple's prolonged outage of the Apple Developer Center, for example. It's a bad situation for everyone - Apple and developers alike - which is why, of course, someone's now launched a phishing attack to try to trick people into thinking the Developer Center is back up.

    According to a report by ZDNet, a flood of phishers are trying to trick developers into thinking that the only way they can get back into the Developer Center is by changing their password... which, of course, is only a method of catching their existing password.

    Users have taken to Twitter to warn others of the phishing attacks, and security firm Kaspersky Lab has found that Apple-related phishing scams have skyrocketed in the last six months, with scammers focused on stealing login credentials and financial data.

    Like most phishing attacks, these emails are written with the grammar and syntax of brain-damaged four-year-olds, so they are easy to spot. Just delete them if they pop up in your inbox, okay?
    7-25-13

    Source
     
  3. sparkyscott21

    An independent security researcher has claimed responsibility for the security breach that forced Apple to close down its Developer Center website last week.

    Ibrahim Balic claims that he reported the vulnerability to Apple and didn’t act with any malicious intentions, but he confirmed extracting user IDs, names and email addresses from the website.

    On Sunday, Apple announced that an intruder broke into its developer website and attempted to download the personal information of users registered on the site. The site had been offline since Thursday.

    “Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed,” the company said in a message posted on the site’s home page.

    Balic, a security researcher who is based in London, tried to clarify his involvement in the incident via Twitter and in a video posted on YouTube.

    “This is definitely not a hack attack; I have reported all the bugs,” Balic said on Twitter. “I am not an hacker, I do security research,” he said in a separate message.

    Balic’s name is listed on Facebook’s acknowledgement page for security researchers who responsibly reported security issues to the company.

    “I reported security bugs to Facebook and Opera before over numerous times,” Balic said via email.

    He posted a video on YouTube in order to demonstrate how the exploit works, but he has since removed it because it exposed the information of some users. The title of the video suggested that he had gained access to the details of over 100,000 Apple Developer Center accounts.

    “The video is now removed from YouTube,” Balic said on Twitter. “I apologise for sharing some of the confidential information.”

    He confirmed via email that he obtained the names, email addresses and user IDs associated with over 100,000 Apple Developer Center users.

    The vulnerability exploited to extract the information was reported to Apple via the company’s “Bug Reporter” system along with other issues, Balic said. Apple shut down the Developer Center website four hours after the last report was sent, he said.

    Balic claims that the company did not respond to his reports until yesterday, when he received an email saying that the issues are being investigated.

    Apple did not respond to a request for comment.

    Some people on Twitter and in comments on other websites criticised Balic’s decision to download over 100,000 user details and the subsequent exposure of the now-removed YouTube video.

    “I continued taking [information] to see how deep I could go,” the researcher said via email. “I wanted to be heard. I’m not hacking and I didn’t do it for bad purposes.”

    “There has been a lot of debate about the ethical aspects in bug hunting,” Bogdan Botezatu, a senior e-threat analyst at security firm Bitdefender told us. “While penetration testing proves often to be extremely profitable in the long run for both customers and companies, they also have a downside: whenever pen testing is done on production servers, you run the risk of breaking things and taking the respective infrastructure out of business causing more harm than good.”

    In addition, downloading 100,000 records is overkill for a proof-of-concept attack and exposes many more users than necessary, Botezatu said.

    Apple says that it is completely overhauling its developer systems.


    7-24-13




     
  4. sparkyscott21



    Following the attempted breach into Apple’s iOS and Mac Developer Center, and its subsequent closing, Apple has posted an iCloud-like Status Page so developers can track Apple’s work for re-implementing Developer Portal Features. Additionally, Apple has outlined its approach to restoring these features.

    We apologize for the significant inconvenience caused by our developer website downtime. We’ve been working around the clock to overhaul our developer systems, update our server software, and rebuild our entire database. While we complete the work to bring our systems back online, we want to share the latest with you.

    We plan to roll out our updated systems, starting with Certificates, Identifiers & Profiles, Apple Developer Forums, Bug Reporter, pre-release developer libraries, and videos first. Next, we will restore software downloads, so that the latest betas of iOS 7, Xcode 5, and OS X Mavericks will once again be available to program members. We’ll then bring the remaining systems online. To keep you up to date on our progress, we’ve created a status page to display the availability of our systems.

    Apple will first restore Certificates and Provisioning, Forums, bug reporting, documentation, and videos so that developers can continue developing apps at their old pace. Later, the iOS, Mac, and Xcode seeds will become available for download online.

    Apple has also included this information in an email directed to developers (image of the email below – thanks, Doug). While the Developer Portal has been offline, it has been somewhat business as usual thus far for new OS X seeds. Apple seeded a new OS X Mavericks Developer Preview on Monday and a new 10.8.5 seed earlier today.

    Notably absent have been new iOS seeds, though many developers have speculated that this is due to the current inability to download the corresponding Xcode files.





    7-24-13

    9to5mac.com

     
  5. sparkyscott21





    After being offline since last Thursday, Apple’s Developer Center is back and operational. Certain parts of the portal are still coming back online, but Apple’s system status page reveals that several services are accessible again, including the centers where developers can download iOS and OS X betas.


    “We appreciate your patience as we work to bring our developer services back online,” said Apple in an email to developers. “Certificates, Identifiers & Profiles, software downloads, and other developer services are now available.”


    Last Sunday, Apple said that an intruder had breached the Dev Center’s security, causing the company to rewrite the system’s databases. Apple has been working “around the clock” to get everything up and running since the breach, which was allegedly committed by a Turkish security researcher.


    Apple has said that developers with memberships that expired during the outage will have their memberships extended at no extra cost. To access the Dev Center, developers must pay a $100 annual fee.


    On the surface, much of the Dev Center still looks the same, but Apple has presumably done a complete rewrite under the hood. The source of the scare has not yet been confirmed by Apple, but the company is expected to reveal more about what caused the breach in the near future.



    7-26-13


    Source
     
  6. sparkyscott21





    Apple has sent out an email to registered developers to outline its restoration plans for a number of services that are still down following its Developer Center outage. Those include Xcode automatic configuration and access to license agreements, program enrollments, and renewals — all of which are to be reinstated this week.

    The Dev Center went down on Thursday, July 18, after “an intruder attempted to secure personal information” from Apple’s website. The Cupertino company immediately took the service down to plug the security holes, and it remained down until July 26.

    But not all services were restored on that date. Apple made the Dev Center available to registered developers, but a number of things are still out of reach. Apple has now outlined its plans to bring those back. In its email today, the company writes:

    We sincerely appreciate your patience as we work to bring our developer program services back online, and we want to give you an update on our progress. The majority of our developer services are currently online, including Certificates, Identifiers & Profiles, Dev Centers, software downloads, Videos, Apple Developer Forums, iTunes Connect, Bug Reporter, App Store Resource Center, and access to pre-release documentation.

    We plan to reinstate most of the remaining services this week: Xcode automatic configuration as well as access to license agreements, TSIs, program enrollments, and renewals in Member Center. You can check the availability of these systems on our status page.

    Apple also notes that if your Dev Center membership is due to expire during this time, it will automatically be extended, and your Mac and iOS apps will remain in the App Store.




    8-5-13

    Source
     
  7. sparkyscott21




    Apple brought its Developer Center back online over a week ago, following the hack that took it down for eight days. But the site still isn’t fully restored. Though the company says it plans to have most of the remaining services back in action by the end of this week, at the moment, several components are still down or inaccessible.

    These include Xcode automatic configuration and access to licence agreements, technical support incidents, program enrolments and renewals in the Member Center.

    In an Apple update, the company said, “We sincerely appreciate your patience as we work to bring our developer program services back online, and we want to give you an update on our progress. The majority of our developer services are currently online, including Certificates, Identifiers and Profiles, Dev Centers, software downloads, Videos, Apple Developer Forums, iTunes Connect, Bug Reporter, App Store Resource Center and access to pre-release documentation.”

    Apple was quick to reassure members that if their memberships should expire or have expired at any time during this period, they would be automatically extended.



    8-6-13

    www.macworld.com



     
  8. sparkyscott21





    Apple just sent developers an email stating all developer program services are finally back online.


    The developer center went down on July 18th, which prevented developers from accessing documentation needed to code apps for iOS and OS X, as well as beta builds for Apple’s platforms.


    A Turkish security researcher by the name of Ibrahim Balic came forward shortly after the outage and claimed responsibility as the intruder that breached the Dev Center’s database. No personal data was stolen from users, but Apple decided the breach warranted a complete rebuild of the backend.


    8-10-13

    Source
     
  9. sparkyscott21


    Reported Dev Center downtime credit highlighted in red




    A post to Apple's Web Server Notifications webpage shows a research team reported a security threat that coincides with the Developer Center's takedown, suggesting the vulnerability is to blame for the portal's weeks-long outage.

    The website, through which Apple gives credit to those who have reported potential threats to its servers, notes that a remote code execution issue was addressed on June 18, the same day Apple's Dev Center was taken offline. As pointed out by TechCrunch, the report notates the problem as being associated with "developer.apple.com," the address of Apple's Developer Center.

    Apple offers no further information regarding the remote code execution threat, but does credit "7dscan.com" and "SCANV" of www.knownsec.com for discovering and reporting the issue. 7Dscan.com is also cited as finding another remote code execution issue with Apple's Express Lane tech support service.

    The new information runs counter to statements made by researcher Ibrahim Balic, who claimed responsibility for Apple's self-imposed downtime days after the dev portal was pulled. At the time, Balic said he discovered and reported 13 bugs to Apple, along with user details of 73 Apple employees.

    Balic is, however, credited as finding an iAd Workbench bug related to an information disclosure issue. The problem was addressed on the day Balic came forward with his claims.

    The specifics of Apple's Dev Center downtime have yet to be explained. Apple has revealed little in its subsequent updates to developers, though the company did announce that an "intruder" attempted to glean personal information from a database of registered developer accounts. Sensitive data was encrypted, though Apple could not rule out the possibility that at least some information was accessed.

    About one week later, portions of the Dev Center were reactivated as Apple worked to bring the website back online with newly installed safeguards.

    The Dev Center was finally brought back online earlier this month after what amounted to a three week downtime.






    8-21-13


    Source
