The recent Apple iTunes hack is clear evidence of why supply chain management and rigorous vendor qualification are so critical to cyber security. Failure to manage these elements can lead to far worse consequences than those suffered by iTunes users who saw their accounts used without authorization.
In essence, these customers downloaded and installed programs developed by a vendor with no verified credibility or pedigree. Apple’s failure to safeguard its customers defies the conventional wisdom that its environments are secure and virus-free. As experts in the field have stated, the Apple environment is fundamentally no more secure than any Windows or Linux environment, since hostile content can be loaded and executed by remote control on virtually any platform. The iTunes hack demonstrates the basic fallacy of the superior security promulgated by Apple marketing.
Worth Their Weight in Pixie Dust
If Apple products were built on pixie dust instead of conventional computer technology, they would not have to conform to the laws of computer science or be exposed to cyber security threats. Unfortunately, pixie dust does not exist in processor technology as it does in Apple marketing.
In our field of privileged identity security, we warn private-sector customers that sourcing security software from low-cost, offshore vendors funded by VC dollars from unverified sources creates the potential for backdoors that could lead to a total loss of security. That is why US government purchasing teams vet software vendors and others in the supply chain for foreign interests and for the potential of hostile content being introduced onto government networks.
Apple customers might have assumed that their machines were invulnerable to compromise, protected from hostile content by the benevolent and all-knowing Apple staff running the iTunes store. Today we know better: Apple computer platforms can be easily compromised if a developer wants to do so, and iTunes store management has little capability to scan applications for hostile sideband functionality.
Perhaps, instead of placing total trust in Apple’s application vetting processes, consumers will wake up and think about what they download from the iTunes store.