A Developer Holds Many Keys

We knew that bad news was on the horizon more than two weeks ago. That was when the social networking giant Twitter revealed that it had been the target of a sophisticated hack that spilled account credentials for 250,000 users (including this author). At the time, Twitter warned that the hack “wasn’t an isolated incident” and that “other companies and organizations” had been “similarly attacked.” The only questions then were “what other companies?” and “how were they hacked?”

In recent days, more victims have come forward – notably Facebook and Apple Corp. – and more details have started to emerge about the technique the attackers used to get a toehold on the networks of some of the world’s most technically sophisticated firms. As it turns out, application developers played a key role in almost all of the attacks.

The systems that were compromised belonged, by and large, to developers within those organizations. The common characteristic of all of them: they had visited a mobile application development website, iPhoneDevSDK.com. In a post on Wednesday, Ian Sefferman, the 20-something CEO and founder of the firm MobileDevHQ acknowledged the breach. The attackers, he explained, compromised an administrator account and used it to modify the iPhoneDevSDK.com theme, adding JavaScript to it that launched attacks on a previously unknown vulnerability in Oracle’s Java technology.

Few of the details of this attack are new or unique. Facebook, Twitter and Apple are all known to be targets of cyber criminals and even nation-state actors who want confidential information on users, or simply access to credit cards and other valuable data. Furthermore, the use of iPhoneDevSDK.com as a “watering hole” is consistent with similar attacks against high-value targets, including the so-called “VOHO” attacks and the attack on the Council on Foreign Relations late last year.

What is new is the decision to target developers at these organizations, rather than C-level executives or less technically sophisticated users (often those terms are synonymous).

Going after developers is high risk: they’re more technically sophisticated and – these days – often prefer to use Macs over Windows devices. Their technical know-how, in theory, makes them more apt to smell a rat when they receive a strange Facebook wall post or e-mail message. What the attacks on Apple, Facebook and Twitter suggest, however, is that developers are just as likely to fall into the trap of thinking that cybercriminals and other sophisticated attackers aren’t interested in them.

It makes perfect sense that cybercriminals are interested in penetrating developer systems. These are the people, after all, who are often given direct access to source code repositories and other sensitive material. They’re also considered more technical users and, thus, are given more latitude once on the corporate network – a boon to malicious hackers and cyber criminals.

Online forums like iPhoneDevSDK.com are important online resources for mobile developers. They provide support and opportunities to network and share information. But, in the end, developer forums are just web sites and no more or less likely to be securely deployed than any other site. And developers, themselves, are just people with the same blind spots and biases as other users. Apple Corp. has made clear that it considers Java a dangerously insecure technology. The company has taken steps to make it harder to use Java on Apple Mac and iOS systems. For all that effort, however, a small number of its developers had Java enabled in their web browsers when they visited iPhoneDevSDK, anyway.

This blog has written frequently about the security downside of our freewheeling application development culture, whether we’re talking about the dangers of trusting third-party SOUP (Software of Unknown Pedigree) or the lack of rigor in application design, coding and testing. The news this week of watering hole attacks aimed at developers adds a new wrinkle to this. Application development professionals need to be cognizant of how their online behavior, at and away from work, may constitute a security risk for their employer. Sporting a Mac and knowing enough not to click on suspicious links and attachments isn’t enough. Developers need to think like a potential adversary would and use due diligence to isolate critical data and activities from activities – whether personal or professional – that could expose that data to compromise.

Posted by Paul Roberts in ALL THINGS SECURITY, February 21, 2013
