Unofficially Fixing Apple's 'Gotofail' Mess And How To Stay Safe

Feb 24 2014, 6:02pm CST | by

Many of you will by now have read about the Apple security issue affecting both iOS and Mac OS X. Whilst we all wait patiently for Apple to comment on the issue, or better yet to fix it everywhere, users are left exposed to a bug that could allow attackers to read, and tamper with, sensitive information in transit. I thought therefore that it was worth spending a few moments talking about the ways to mitigate this problem and an innovative unofficial patch from a colleague, Paul Ducklin, who writes for Naked Security at Sophos. If you want to skip right to the tips, scroll down a little further in the article.

For those of you who are technically inclined, Paul has put together an excellent technical analysis of the fault here, but for the rest of us, here is a quick summary of how an attacker could use this flaw:

  1. An attacker must get a client to send its traffic through a network they control – this could be trivially achieved by creating a wireless hotspot and letting victims connect.
  2. The attacker must steer the client into a TLS handshake that hits the broken code path: a protocol version below TLS 1.2 and a cipher suite with an ephemeral (DHE or ECDHE) key exchange. This is easy, because the attacker, acting as the server in this instance, is the one who picks the version and cipher suite from whatever the client offers.
  3. The attacker intercepts the client's connection to the site it requested and answers with a certificate chain for that site and a ServerKeyExchange message signed with any key at all. The duplicated 'goto fail' skips the one check that would prove the server holds the private key matching that certificate, so the attacker can even present the genuine certificate of the real site and, as if by magic, the handshake is accepted.
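
To make that last step concrete, here is an added example that is not from the article and is not Apple's source code: a small, runnable C model of the control-flow mistake, known as 'goto fail', that causes it. In SecureTransport's SSLVerifySignedServerKeyExchange() the client hashes the handshake randoms and the signed ServerKeyExchange parameters, then checks the server's signature over that hash; a duplicated `goto fail;` jumps to the cleanup label before the signature check while err still holds the 0 returned by the previous, successful call. The hash and signature check below are stand-ins (an XOR fold and a one-byte compare, assumed purely for illustration), the function names are mine rather than Apple's, and the handshake bytes are constructed, not captured from a real session; only the control flow is faithful to the original.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int OSStatus;
enum { errSecSuccess = 0, errSSLCrypto = -9809 };   /* SecureTransport's real codes */

/* Stand-in hash update (assumed for illustration): XOR every byte into acc.
 * Like the real SSLHashSHA1.update(), it reports failure through its return value. */
static OSStatus hash_update(uint8_t *acc, const uint8_t *p, size_t n)
{
    if (p == NULL)
        return errSSLCrypto;
    for (size_t i = 0; i < n; i++)
        *acc ^= p[i];
    return errSecSuccess;
}

/* Stand-in hash finalisation: hand the accumulator out. */
static OSStatus hash_final(uint8_t acc, uint8_t *out)
{
    *out = acc;
    return errSecSuccess;
}

/* Stand-in signature check: the only valid "signature" is the one hash byte. */
static OSStatus raw_verify(uint8_t hash, const uint8_t *sig, size_t sig_len)
{
    return (sig_len == 1 && sig[0] == hash) ? errSecSuccess : errSSLCrypto;
}

/* The vulnerable shape. The indented second `goto fail;` is unconditional,
 * so hash_final() and raw_verify() are dead code and err is still 0. */
OSStatus verify_signed_params_vulnerable(const uint8_t *cr, size_t cr_len,
                                         const uint8_t *sr, size_t sr_len,
                                         const uint8_t *sp, size_t sp_len,
                                         const uint8_t *sig, size_t sig_len)
{
    OSStatus err;
    uint8_t acc = 0, hash_out;

    if ((err = hash_update(&acc, cr, cr_len)) != 0)
        goto fail;
    if ((err = hash_update(&acc, sr, sr_len)) != 0)
        goto fail;
    if ((err = hash_update(&acc, sp, sp_len)) != 0)
        goto fail;
        goto fail;                              /* the extra line: always taken */
    if ((err = hash_final(acc, &hash_out)) != 0)
        goto fail;
    err = raw_verify(hash_out, sig, sig_len);   /* never reached */
fail:
    return err;                                 /* 0 means "signature OK" */
}

/* The fixed shape: stray statement gone, and braces so indentation cannot lie. */
OSStatus verify_signed_params_fixed(const uint8_t *cr, size_t cr_len,
                                    const uint8_t *sr, size_t sr_len,
                                    const uint8_t *sp, size_t sp_len,
                                    const uint8_t *sig, size_t sig_len)
{
    OSStatus err;
    uint8_t acc = 0, hash_out;

    if ((err = hash_update(&acc, cr, cr_len)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&acc, sr, sr_len)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&acc, sp, sp_len)) != 0) {
        goto fail;
    }
    if ((err = hash_final(acc, &hash_out)) != 0) {
        goto fail;
    }
    err = raw_verify(hash_out, sig, sig_len);   /* the check that actually matters */
fail:
    return err;
}

/* Constructed handshake values, not captured from a real session. The honest
 * signature is 0x01^0x02^0x04^0x10^0x20 = 0x37; the bogus one is anything else. */
static const uint8_t kClientRandom[] = {0x01, 0x02};
static const uint8_t kServerRandom[] = {0x04};
static const uint8_t kSignedParams[] = {0x10, 0x20};   /* attacker-chosen DH parameters */
static const uint8_t kHonestSig[]    = {0x37};
static const uint8_t kBogusSig[]     = {0xFF};         /* never produced by the cert's key */

int main(void)
{
    OSStatus v = verify_signed_params_vulnerable(kClientRandom, 2, kServerRandom, 1,
                                                 kSignedParams, 2, kBogusSig, 1);
    OSStatus f = verify_signed_params_fixed(kClientRandom, 2, kServerRandom, 1,
                                            kSignedParams, 2, kBogusSig, 1);
    OSStatus ok = verify_signed_params_fixed(kClientRandom, 2, kServerRandom, 1,
                                             kSignedParams, 2, kHonestSig, 1);
    printf("forged ServerKeyExchange, vulnerable client: %d (0 = accepted)\n", v);
    printf("forged ServerKeyExchange, fixed client:      %d\n", f);
    printf("honest ServerKeyExchange, fixed client:      %d\n", ok);
    return 0;
}
```

Run it and the vulnerable version reports 0 ('signature OK') for a signature that no key ever produced, while the fixed version rejects it and still accepts the honest one. Note that the early error paths in the vulnerable version work perfectly: hand it a NULL buffer and it returns errSSLCrypto exactly as it should, which is why a test suite built only around 'bad input is rejected' would have passed. The missing test was the positive one, 'a handshake whose ServerKeyExchange is signed with the wrong key must fail', and clang's -Wunreachable-code warning would also have pointed straight at the dead hash_final line.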

To paint the picture of how easy this would be, in a recent test in San Francisco we set up our own wireless hotspot offering free Internet (named FreePublicWifi and FreeInternet) and within a short space of time 1512 users connected voluntarily. Any one of these users who wanted our free Internet connection could potentially have been targeted. As an aside, we were able to detect from these systems that 484 of them were using iOS and 181 Mac OS X (I would have argued that is a little high, but I suppose this is expected in San Francisco). This shows how realistic this attack vector actually is and how easy it would have been for us to execute this attack. Note that we offered a warning and did not modify traffic or do anything malicious – but it would have been easy not to play nice.

What should you do about it?

  1. Naturally, when Apple releases a fix you should apply it. Unfortunately, whilst the patch is already available for iOS (Mac OS X users are still waiting for theirs), users tend to be very tardy in actually applying patches to their systems. Friends don't let friends use unpatched devices with nasty bugs.
  2. Don't join untrustworthy wireless networks. How do you know that networks like 'Starbucks', 'Free Internet' or 'attwifi' aren't just nasty copies set up by an attacker? Stick to networks you know and trust to reduce the risk, and forget (or disable auto-join for) open hotspots you no longer use, so your device doesn't silently reconnect to an attacker's copy broadcasting the same name.
  3. Use a VPN to encrypt your traffic. A VPN carries all of your exchanges through a tunnel to a server you trust, so an attacker sitting on the local hotspot cannot interpose themselves in your TLS connections. It has the added benefit that it covers every application that relies on Apple's TLS stack, not just Safari. Two caveats: pick a VPN whose own authentication of its server does not depend on the same broken TLS code, and remember that the tunnel only protects you as far as the VPN server; beyond that point the bug is as exploitable as before, so this reduces the exposure to untrusted local networks rather than removing it.
  4. Use web filtering, general endpoint security and follow broader security best practice. Naturally, if an attacker does pull off this attack they may go on to deploy malicious code, and other layers of security will help detect that if it does occur. You may also want to take a look at my article on password security here and make sure your passwords are not reused across multiple sites, to limit the damage if one of them is captured.

One more option (warning, technical gore included)

Paul has done some very interesting research on the failure, and for those of you who are interested in the technical flaw and how it could be mitigated, take a look here. I wouldn't recommend production deployment of this fix, but it does show in depth where the flaw occurs and how it can be mitigated. It is very much worth the read from a research perspective for those of you who want a little more detail about what mistake was actually made.

We will all wait on Apple providing further updates, but in the meantime make sure you apply these best practices and think a little more carefully about what you connect to.

Follow me on Twitter @jameslyne

Source: Forbes Apple
