
Why taking down Apple's Developer site was a good idea...

26 Jul 13

Over the weekend, we learned that Apple’s Developer Center was taken down due to a security vulnerability or breach on the site last Thursday July 18.

In its notice, Apple indicated that the security breach could have led to developers' names, mailing addresses and e-mail addresses being accessed, although the company states clearly that sensitive personal information was encrypted and not accessed.

Apple is notorious for not talking about its security issues, and followed that example for the first three days of this issue by talking about the site outage as “a maintenance issue.”

But by Sunday, Apple posted an explanation of the outage and the scope of the data breach. Another thing the posting stated, which isn’t getting a lot of focus right now, is what they’re doing about it:

"In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database."

In other words, Apple has decided to accept the risks of a prolonged outage so it can mitigate the security risks, threats and breaches through a complete rebuild. In the immortal words of Ripley from Aliens, Apple decided to nuke the site from orbit because “it’s the only way to be sure.”

This is a nearly unprecedented, comprehensive response, especially since it’s not clear that there was an actual breach.

A security researcher in the United Kingdom, Ibrahim Balic, has come forward claiming that he found the vulnerability on the site, notified Apple, and that Apple then took the site down. He further claims that he didn’t breach the systems or access data.

Regardless of whether a breach occurred, the scope of the data lost (or potentially lost) here is circumscribed. And that’s what makes Apple’s response remarkable.

The only other example we have of a company accepting an extended outage to do the right thing and rebuild is Sony’s response to the PlayStation Network hack in 2011. Sony accepted twenty-five days of downtime in that event.

But in that case, there was a demonstrated breach and a loss of 12,000 credit cards.

Sony said that their breach cost them at least $171 million (USD). A large part of that loss was due to the downtime it took for the company to rebuild its system.

Nonetheless, Sony did the right thing by accepting that downtime and there has not been a security breach since then. Sadly, Sony doesn’t get credit for that, though they should.

And so Apple’s security team should get credit for doing as Sony did: committing not just to patching a hole in a troubled architecture, but to taking the time to rebuild from the ground up to make the system more secure.

If more companies responded to breaches in this way, we in the technology, privacy and security industry would be much better off.

Christopher Budd - Threat Communications Manager, Trend Micro
