We knew that bad news was on the horizon more than two weeks ago. That was when the social networking giant Twitter revealed that it had been the target of a sophisticated hack that spilled account credentials for 250,000 users (including this author). At the time, Twitter warned that the hack “wasn’t an isolated incident” and that “other companies and organizations” had been “similarly attacked.” The only questions then were “what other companies?” and “how were they hacked?”
In recent days, more victims have come forward - notably Facebook and Apple Corp. - and more details have started to emerge about the technique the attackers used to get a toehold on the networks of some of the world’s most technically sophisticated firms. As it turns out, application developers played a key role in almost all of the attacks.
Few of the details of this attack are new or unique. Facebook, Twitter and Apple are all known to be targets of cyber criminals and even nation-state actors who want confidential information on users, or just access to credit cards and other valuable data. Furthermore, the use of iPhoneDevSDK.com as a “watering hole” is consistent with similar attacks against high value targets, including the so-called “VOHO” attacks and the attack on the Council on Foreign Relations late last year.
What is new is the decision to target developers at these organizations, rather than C-level executives or less technically sophisticated users (often those terms are synonymous).
Going after developers is high risk: they’re more technically sophisticated and - these days - often prefer to use Macs over Windows devices. Their technical know-how, in theory, makes them more apt to smell a rat when they receive a strange Facebook wall post or e-mail message. What the attacks on Apple, Facebook and Twitter suggest, however, is that developers are just as likely to fall into the trap of thinking that cybercriminals and other sophisticated attackers aren’t interested in them.
It makes perfect sense that cybercriminals are interested in penetrating developer systems. These are the people, after all, who are often given direct access to source code repositories and other sensitive material. They’re also considered more technical users and, thus, are given more latitude once on the corporate network - a boon to malicious hackers and cyber criminals.
Online forums like iPhoneDevSDK.com are important online resources for mobile developers. They provide support and opportunities to network and share information. But, in the end, developer forums are just web sites, no more or less likely to be securely deployed than any other site. And developers, themselves, are just people with the same blind spots and biases as other users. Apple Corp. has made clear that it considers Java a dangerously insecure technology, and the company has taken steps to make it harder to use Java on Apple Mac and iOS systems. For all that effort, however, a small number of its developers had Java enabled in their web browsers when they visited iPhoneDevSDK anyway.
This blog has written frequently about the security downside of our freewheeling application development culture, whether the subject is the danger of trusting third party SOUP (Software of Unknown Pedigree) or the lack of rigor in application design, coding and testing. The news this week of watering hole attacks aimed at developers adds a new wrinkle to this. Application development professionals need to be cognizant of how their online behavior, at and away from work, may constitute a security risk for their employer. Sporting a Mac and knowing enough not to click on suspicious links and attachments isn’t enough. Developers need to think like a potential adversary and use due diligence to isolate critical data and activities from activities - whether personal or professional - that could expose that data to compromise.