London-based "researcher" takes issue with commentary calling him a "hacker"

A self-styled "security researcher" named ibrahim BALIÇ (Ibrahim Balic) has claimed responsibility for finding 13 bugs in Apple, Inc.'s (AAPL) iOS and online developer interfaces, which allowed him to access developer records without authorization. Mr. Balic -- who moved to London, UK from Turkey in 2010 -- has performed penetration testing for Facebook, Inc. (FB) in the past, according to his commentary.

I. Dev. Center Gets Hacked

The somewhat confusing tale of the intrusion began on Thursday when Apple's Developer Center -- its online portal for app developers -- went down, leaving devs unable to snag beta copies of iOS 7.

Apple posted the following message:

This site is undergoing maintenance for an extended period today. Thanks for your patience.

Apple Dev Center down
[Image Source: The Next Web]

Then on Sunday, Apple revealed that "an intruder" had accessed the servers it uses to host the Developer Center. The fallout was minimal; Apple encrypts its developer records, and there was no evidence that sensitive information like credit card records was accessed. But Apple did warn developers that the intruder had gained access to servers where encrypted user names, email addresses, and real names were stored.

The company wrote in an email to The Next Web:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

That provoked a response from Ibrahim Balic who posted to Twitter:

Ibrahim Balic
ibrahim BALIÇ [Image Source: Tapscape]

On TechCrunch a user who appears to be Mr. Balic posted:

I have been waiting since then for them to contact me, and today I'm reading news saying that they have been attacked and hacked. In some of the media news I watch/read that whether legal authorities were involved in its investigation of the hack. I'm not feeling very happy with what I read and a bit irritated, as I did not do this research to harm or damage. I didn't attempt to publish or have not shared this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100.000+ users' details and Apple is informed about this. I didn't attempt to get the data first and report then, instead I have reported first.
I do not want my name to be in blacklist, please search on this situation.

He claimed that he contacted Apple immediately after testing his exploit and did not release any records to the public. In his bug report to Apple, he says he referenced 73 compromised account records belonging to Apple employees. Whether these were merely encrypted files or whether he somehow managed to undo the encryption is unclear.

II. "Researcher" First Claims Twice to Have Grabbed Records, Then Backpedals

In a video, he showed disguised, partially garbled record text files that appear to belong to the employee accounts in question. He also repeated his claim to have grabbed "100,000+" records in the video title.

But in his TechCrunch comments he began to backpedal, claiming he did not take any user records:

[Image Source: Sophos Naked Security]

At this point it's unclear what exactly Mr. Balic did or didn't take and what level of access he gained. Given that he's contradicted himself at least once, any claims he makes going forward should be taken with a grain of salt.

It's easy to see why he might be nervous. Even towards relatively responsible security researchers, Apple has practiced a policy of marked belligerence.

The last hacker to access "100k+" Apple records -- Andrew "weev" Auernheimer -- was sentenced to nearly four years in prison for federal computer crimes in the U.S. Mr. Auernheimer merely gained access to customer email addresses via a script that used auto-generated ICC-IDs (integrated circuit card identifiers) to spam an overly permissive interface on AT&T, Inc.'s (T) iPad web portal ("doing arithmetic" as he put it).

By contrast, Mr. Balic's intrusion and records grab sounds potentially much more serious. It should be interesting to see how this one plays out, and whether this "researcher" faces charges as Mr. Auernheimer did.

For Apple, the hack represents the latest setback for a company that at one point was estimated to be 10 years behind Microsoft Corp. (MSFT) in terms of security. Last year was a watershed year for attacks on Apple operating systems, particularly OS X. OS X 10.7.2 Lion was caught dumping passwords in plaintext, thanks to some sloppy programming by an Apple engineer. Before that, Apple suffered a Trojan infection of Conficker proportions (between 1 and 2 percent of Macs, or roughly 600,000 machines, were estimated to be infected) and was caught telling its technicians to lie about another widespread piece of malware, a fake antivirus program dubbed "MacDefender".

Sources: ibrahim BALIÇ on Twitter, The Next Web, TechCrunch
