I was perplexed by the wording of many initial reports on the recent attacks ‘against’ Apple, Facebook, Twitter, and Microsoft. Sure, maybe they were targeted, but it seems just as likely that the attackers just picked popular developer sites and harvested some big fish.

That is the essence of a good piece at securityledger:

Rather, the wide net of watering hole web sites pulled in employees from organizations across a broad swath of the U.S. economy, say those with knowledge of the incident. That has made the operation look more like a fishing expedition than a narrowly focused operation.


Developers are typically soft targets, with extensive access to internal resources. In this case I would bet that most Mac-based developers have Java enabled in their browsers. As a former dev myself, I know they spend a lot of time in various fora with crappy security, which are thus prone to compromise. I still spend a lot of time on those sites, but I am probably more careful than most devs or admins.

Developers and administrators are in jobs that require deep access to sensitive resources, more control over their own systems, and a larger software attack surface (Java is essential for managing certain systems and platforms); but they aren’t necessarily more secure than average users, beyond basic attacks.

Targeting job roles rather than organizations seems like a good strategy. Hit something popular enough within the development or admin communities, and the odds are very good that you will gain access to a variety of prime targets. No one works in a vacuum.

Image: a real watering hole, with a croc you can’t see. Took this one myself in Africa. He/she wasn’t hungry that day.