A Developer Holds Many Keys

We knew that bad news was on the horizon more than two weeks ago. That was when the social networking giant Twitter revealed that it had been the target of a sophisticated hack that spilled account credentials for 250,000 users (including this author). At the time, Twitter warned that the hack “wasn’t an isolated incident” and that “other companies and organizations” had been “similarly attacked.” The only questions then were “what other companies?” and “how were they hacked?”

In recent days, more victims have come forward - notably Facebook and Apple Corp. - and more details have started to emerge about the technique the attackers used to get a toehold on the networks of some of the world’s most technically sophisticated firms. As it turns out, application developers played a key role in almost all of the attacks.

The systems that were compromised belonged, by and large, to developers within those organizations. The common characteristic of all of them: they had visited a mobile application development website, iPhoneDevSDK.com. In a post on Wednesday, Ian Sefferman, the 20-something CEO and founder of the firm MobileDevHQ acknowledged the breach. The attackers, he explained, compromised an administrator account and used it to modify the iPhoneDevSDK.com theme, adding JavaScript to it that launched attacks on a previously unknown vulnerability in Oracle’s Java technology.
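The injection described above is a change to the site's own theme, so one defensive check is a baseline comparison of the scripts a page serves. The following is an added example, not code from the post or from iPhoneDevSDK.com: it extracts every external script URL and a hash of every inline script body from a known-good copy of the theme and from a freshly served copy, and reports any script that is not in the baseline. The HTML and the injected script URL are constructed placeholders.

```python
"""Detect script injected into a site's theme (added example, not the page's code)."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.scripts = set()      # entries are ("src", url) or ("inline", sha256hex)
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add(("src", src.strip()))
        else:
            self._in_script = True   # inline body follows; hash it at </script>
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.scripts.add(("inline", hashlib.sha256(body).hexdigest()))
            self._in_script = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def unexpected_scripts(baseline_html, served_html):
    """Return scripts present in the served page but absent from the known-good baseline."""
    return collect_scripts(served_html) - collect_scripts(baseline_html)


# Constructed sample: a known-good theme, and the same theme with one injected script tag.
BASELINE = """<html><head><script src="/js/forum.js"></script>
<script>var theme = 'default';</script></head><body>...</body></html>"""
TAMPERED = BASELINE.replace(
    "</head>", '<script src="//injected.example.invalid/loader.js"></script></head>')

if __name__ == "__main__":
    for kind, value in sorted(unexpected_scripts(BASELINE, TAMPERED)):
        print(f"unexpected {kind} script: {value}")
```

In practice the baseline would be taken from the theme files in version control and the served copy fetched on a schedule, so an administrator-level edit to the theme shows up as a diff rather than waiting for a visitor to be exploited.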

Few of the details of this attack are new or unique. Facebook, Twitter and Apple are all known to be targets of cyber criminals and even nation-state actors who want confidential information on users, or just access to credit cards and other valuable data. Furthermore, the use of iPhoneDevSDK.com as a “watering hole” is consistent with similar attacks against high value targets. Those attacks include the so-called “VOHO” attacks and the attack on the Council on Foreign Relations late last year.

What is new is the decision to target developers at these organizations, rather than C-level executives or less technically sophisticated users (often those terms are synonymous).

Going after developers is high risk: they’re more technically sophisticated and - these days - often prefer to use Macs over Windows devices. Their technical know-how, in theory, makes them more apt to smell a rat when they receive a strange Facebook wall post or e-mail message. What the attacks on Apple, Facebook and Twitter suggest, however, is that developers are just as likely to fall into the trap of thinking that cybercriminals and other sophisticated attackers aren’t interested in them.

It makes perfect sense that cybercriminals are interested in penetrating developer systems. These are the people, after all, who are often given direct access to source code repositories and other sensitive material. They’re also considered more technical users and, thus, are given more latitude once on the corporate network - a boon to malicious hackers and cyber criminals.

Online forums like iPhoneDevSDK.com are important online resources for mobile developers. They provide support and opportunities to network and share information. But, in the end, developer forums are just web sites and no more or less likely to be securely deployed than any other site. And developers, themselves, are just people with the same blind spots and biases as other users. Apple Corp. has made clear that it considers Java a dangerously insecure technology. The company has taken steps to make it harder to use Java on Apple Mac and iOS systems. For all that effort, however, a small number of its developers had Java enabled in their web browsers when they visited iPhoneDevSDK, anyway.

This blog has written frequently about the security downside of our freewheeling application development culture, whether we’re talking about the dangers of trusting third party SOUP (Software of Unknown Pedigree) or the lack of rigor in application design, coding and testing. The news this week of watering hole attacks aimed at developers adds a new wrinkle to this. Application development professionals need to be cognizant of how their online behavior at and away from work may constitute a security risk for their employer. Sporting a Mac and knowing enough not to click on suspicious links and attachments isn’t enough. Developers need to think like a potential adversary will think and use due diligence to isolate critical data and activities from activities - whether personal or professional - that could expose that data to compromise.

About Paul Roberts

Paul Roberts is an experienced technology writer and editor who has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe, Salon.com, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.
