
London-based "researcher" takes issue with commentary calling him a "hacker"

A self-styled "security researcher" named ibrahim BALIÇ (Ibrahim Balic) has claimed responsibility for finding 13 bugs in Apple, Inc.'s (AAPL) iOS and online developer interfaces, which allowed him to access developer records without authorization.  Mr. Balic -- who moved to London, UK from Turkey in 2010 -- has performed penetration testing for Facebook.com, Inc. (FB) in the past, according to his commentary.

I. Dev. Center Gets Hacked

The somewhat confusing tale of the intrusion began on Thursday when Apple's Developer Center -- its online portal for app developers -- went down, leaving devs unable to snag beta copies of iOS 7.

Apple posted the following message:

This site is undergoing maintenance for an extended period today. Thanks for your patience.

Apple Dev Center down
[Image Source: The Next Web]

Then on Sunday Apple revealed "an intruder" had accessed the servers it uses to host the Developer Center.  The fallout was minimal; Apple encrypts its developer records and there was no evidence that sensitive information like credit card records was accessed.  But Apple did warn developers that the intruder had gained access to servers storing encrypted user names, email addresses, and real names.

The company wrote in an email to The Next Web:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

That provoked a response from Ibrahim Balic who posted to Twitter:

Ibrahim Balic
ibrahim BALIÇ [Image Source: Tapscape]

On TechCrunch a user who appears to be Mr. Balic posted:

I have been waiting since then for them to contact me, and today I'm reading news saying that they have been attacked and hacked. In some of the media news I watch/read whether legal authorities were involved in its investigation of the hack. I'm not feeling very happy with what I read and a bit irritated, as I did not do this research to harm or damage. I didn't attempt to publish or share this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100,000+ users' details and Apple is informed about this. I didn't attempt to get the data first and report then; instead I have reported first.
I do not want my name to be in a blacklist, please search on this situation.

He claimed that he contacted Apple immediately after testing his exploit and did not release any records to the public.  In his bug report to Apple he says he referenced 73 compromised account records belonging to Apple employees.  Whether these were merely encrypted files or whether he somehow managed to undo the encryption is unclear.

II. "Researcher" First Claims Twice to Have Grabbed Records, Then Backpedals

In a video he showed redacted, partially garbled record text files that appear to belong to the employee accounts in question.  He also repeated his claim to have grabbed "100,000+" records in the video title.

But in his TechCrunch comments he began to backpedal, claiming he did not take any user records:

TechCrunch
[Image Source: Sophos Naked Security]

At this point it's unclear what exactly Mr. Balic did or didn't take and what level of access he gained.  Given that he's contradicted himself at least once, any claims he makes going forward should be taken with a grain of salt.

It's easy to see why he might be nervous.  Even towards relatively responsible security researchers, Apple has practiced a policy of marked belligerence.

The last hacker to access "100k+" Apple records -- Andrew "weev" Auernheimer -- was sentenced to nearly four years in prison for federal computer crimes in the U.S.  Mr. Auernheimer merely gained access to customer email addresses via a script that fed auto-generated ICC-IDs (integrated circuit card identifiers) to an overly permissive interface on AT&T, Inc.'s (T) iPad web portal ("doing arithmetic" as he put it).

By contrast, Mr. Balic's intrusion and records grab sounds potentially much more serious.  It should be interesting to see how this one plays out, and whether this "researcher" faces charges as Mr. Auernheimer did.

For Apple the hack represents the latest setback for a company that at one point was estimated to be 10 years behind Microsoft Corp. (MSFT) in terms of security.  Last year was a watershed year for attacks on Apple operating systems, particularly OS X.  OS X 10.7.2 Lion was caught dumping passwords in plaintext, thanks to some sloppy programming by an Apple engineer.  Before that, Apple suffered a Trojan infection of Conficker proportions (between 1 and 2 percent of Macs -- or roughly 600,000 machines -- were estimated to be infected) and was caught telling its technicians to lie about another widespread piece of malware, a fake antivirus program dubbed "MacDefender".

Sources: ibrahim BALIÇ on Twitter, The Next Web, TechCrunch



Comments

For all those years...
By littlebitstrouds on 7/22/2013 6:53:36 PM , Rating: 3
For years PC users had to listen about "how secure Mac's are" when they had 2% of the market. Finally they gain market share, and it's a surprise people are writing malware/viruses for them?




RE: For all those years...
By Motoman on 7/22/2013 7:24:51 PM , Rating: 4
Well, "gain" is a pretty relative term. I think they're still around ~5% of total OS marketshare.

Still basically statistically insignificant.

I think probably it's more a function of them gaining prominence in phones and stuff. Perhaps now hackers are going after them because they're high-profile, not necessarily because they have OS marketshare.


RE: For all those years...
By Apone on 7/23/2013 1:29:01 AM , Rating: 2
5% marketshare or not, more and more "average joe" computer users, businesses, schools, etc. are opting for Macs so I wouldn't be surprised if we see a dramatic increase in malware attacks targeted specifically towards OS X.


RE: For all those years...
By Tony Swash on 7/23/2013 2:37:04 PM , Rating: 1
quote:
I wouldn't be surprised if we see a dramatic increase in malware attacks targeted specifically towards OS X.


I hope you have a lot of patience.


RE: For all those years...
By Tony Swash on 7/23/2013 2:32:14 PM , Rating: 2
quote:
For years PC users had to listen about "how secure Mac's are" when they had 2% of the market. Finally they gain market share, and it's a surprise people are writing malware/viruses for them?


Can you actually read? This hack of a web site involved neither malware nor viruses. I for one don't know what hardware or software Apple uses to run its developer web site, although at a guess I think iMacs are unlikely.


RE: For all those years...
By Schrag4 on 7/23/2013 5:27:53 PM , Rating: 2
Perhaps he wasn't talking about the hack of a web site. From the article:

quote:
For Apple the hack represents the latest setback for a company who at one point was estimated to be 10 years behind Microsoft Corp. (MSFT) in terms of security. Last year was a watershed year for attacks on Apple operating systems, particularly OS X. OS X 10.7.2 Lion was caught dumping passwords in plaintext, thanks to some sloppy programming by an Apple engineer. Before that, Apple suffered a Trojan infection of Conficker proportions (between 1 and 2 percent of Macs -- or roughly 600,000 machines were estimated to be infected) and was caught telling its technicians to lie about another wide-spread piece of malware, a fake antivirus program dubbed "MacDefender".


RE: For all those years...
By Tony Swash on 7/24/2013 7:31:16 AM , Rating: 1
quote:
Perhaps he wasn't talking about the hack of a web site. From the article:

quote:
For Apple the hack represents the latest setback for a company who at one point was estimated to be 10 years behind Microsoft Corp. (MSFT) in terms of security. Last year was a watershed year for attacks on Apple operating systems, particularly OS X. OS X 10.7.2 Lion was caught dumping passwords in plaintext, thanks to some sloppy programming by an Apple engineer. Before that, Apple suffered a Trojan infection of Conficker proportions (between 1 and 2 percent of Macs -- or roughly 600,000 machines were estimated to be infected) and was caught telling its technicians to lie about another wide-spread piece of malware, a fake antivirus program dubbed "MacDefender".


So why make that comment in relation to this story about a web site hack?

The relative security positions of Windows and MacOSX remains the same - 95% of malware and security problems occurs on the Windows platform. Hardly surprising given MacOSX is built using rock solid UNIX foundations.

Uncannily the relative security performance of Windows and MacOSX, and Android and iOS, are almost identical in that 95% of all mobile malware occurs on the Android platform. What an odd coincidence :)


He's ok
By Visual on 7/23/2013 7:34:12 AM , Rating: 2
My personal view on this matter is he is OK. If he didn't sell out the information, he didn't cause any damages. You may argue that the money Apple needs to spend now while it is scrambling to fix the issue can be considered damages caused by him, but really, they do have to fix the vulnerability and so spend a similar amount of money either way.

But then again, US laws were never aligned much with common sense, so I fully expect him to rot away in a prison somewhere.




RE: He's ok
By Gurthang on 7/23/2013 8:41:15 AM , Rating: 2
Gimme a break.. doing "intrusion testing" without the expressed understanding of the operator ahead of time is akin to breaking into a bank, taking money and then coming back in to the bank manager to tell him and everyone there how bad his bank's security is and "give the money back". Unauthorized is still unauthorized even if you had no intention to do harm. Chances are if Apple's panties are in a bind over this (I mean their lawyers, and knowing their past history they aren't exactly the most forgiving folks) they will claim whatever it cost them to revamp their systems and the loss of business for the downtime as damages, easily hitting the "major felony level". That won't be pretty for him.

It is one thing to do testing on your own systems and software and to report back to the vendor issues you find with their products; it is quite another to use someone else's public servers as a target for your "testing".

In the old days this was sometimes an interesting way to get a job with a company that is a tad more understanding; these days I would not hold my breath. I expect that boy to be getting a knock on his door and all of his computers taken in 3... 2... 1....


RE: He's ok
By Visual on 7/23/2013 10:56:20 AM , Rating: 2
If I could rob a bank without damaging any part of it physically, and I did it as a demo, and returned the money, yes, I'd consider myself innocent. I am not saying the law agrees, but it is how I personally view the subject.


Facker
By half_duplex on 7/23/2013 9:53:26 AM , Rating: 1
Real hackers don't have twitters attached to their names. This guy is a wannabe.




RE: Facker
By JasonMick (blog) on 7/23/2013 9:59:35 AM , Rating: 2
RE: Facker
By Ramtech on 7/23/2013 6:02:10 PM , Rating: 2
These guys are inactive "hackers" = black hats


Brilliant....
By NicodemusMM on 7/22/2013 6:14:35 PM , Rating: 4
For a "researcher" this guy doesn't sound very bright. If he was authorized to do pen testing he would have known the proper channels with which to contact Apple if hired directly or his employer if they were hired as an outside auditing firm... i.e. - he had no authorization. He's boned.

If he had claimed that it was art he could get away with it...




Not an American citizen
By piomaj on 7/23/2013 9:01:37 AM , Rating: 2
You guys are forgetting one thing, he's not an American citizen nor does he reside in the US. Unless they extradite him, he might not rot in prison for 20 years. He was being reckless, not malicious, and that should be taken into account when judging him. He didn't try to take any monetary gains out of this situation.




RE: Not an American citizen
By Gurthang on 7/23/2013 10:14:32 AM , Rating: 2
According to the article he resides in the UK, so not exactly safe from the US. Privacy laws require Apple to report the intrusion and some investigation will likely automatically occur, which could mean fines for Apple and/or law enforcement involvement. Those people, and likely Apple, are not exactly known for their sense of humor or leniency. He does not appear to be a minor so that protection is moot, and last I checked the US and most EU nations cooperate on tracking and punishing cybercrime, so while his intentions were not criminal his actions have caused harm, which these days is all they need to make his life miserable.

