Unofficially Fixing Apple's 'Gotofail' Mess And How To Stay Safe

Feb 24 2014, 6:02pm CST | by

Many of you by now will have read about the Apple security issues in iOS and Mac OS X. Whilst we all wait patiently for Apple to comment on the issue, or better yet to fix it, users are left exposed to a bug that could allow attackers to gain access to sensitive information. I thought therefore that it was worth spending a few moments talking about the ways to mitigate this problem and about an innovative unofficial patch from a colleague, Paul Ducklin, who writes for Naked Security at Sophos. If you want to skip right to the tips, scroll down a little further in the article.

For those of you who are technically inclined, Paul has put together an excellent technical analysis of the fault here, but for the rest of us, here is a quick summary of how an attacker could use this flaw:

  1. An attacker must cause a client to connect to them – this could be trivially achieved by creating a wireless hotspot and letting victims connect.
  2. The attacker must force the client to negotiate a specific protocol version and feature. This is easy, as the attacker (the server in this instance) is the one that specifies this.
  3. The attacker redirects the client from their requested site and provides a somewhat legitimate-looking certificate. As if by magic, the certificate is accepted.

To paint the picture of how easy this would be, in a recent test in San Francisco we set up our own wireless hotspot offering free Internet (named FreePublicWifi and FreeInternet) and within a short space of time 1512 users connected voluntarily. Any one of these users who wanted our free Internet connection could potentially have been targeted. As an aside, we were able to detect that 484 of these systems were using iOS and 181 Mac OS X (I would have argued that was a little high, but I suppose this is expected in San Francisco). This shows how realistic this attack vector actually is and how easy it would have been for us to execute this attack. Note, we offered a warning and did not modify traffic or do anything malicious – but it would have been easy not to play nice.

What should you do about it?

  1. Naturally, when Apple releases a fix you should apply it. Unfortunately, whilst the patch is available for iOS, users tend to be very tardy in actually applying patches to their systems. Friends don’t let friends use unpatched devices with nasty bugs.
  2. Don’t join untrustworthy wireless networks. How do you know that networks like ‘Starbucks’, ‘Free Internet’ or ‘attwifi’ aren’t just nasty copies set up by an attacker? Try to stick to networks you know and trust to reduce the risk.
  3. Use a VPN to encrypt your traffic. A VPN will forward all of your exchanges through it in a tunnel, preventing the attacker from exploiting the bug. It also has the benefit that it will cover all of the additional applications beyond Safari that are waiting to be fixed.
  4. Use web filtering, general endpoint security and follow broader security best practice. Naturally, if an attacker does pull off this attack they may want to deploy malicious code and other layers of security will help detect this if it does occur. You may also want to take a look at my article on password security here and make sure your passwords are not common across multiple sites to restrict exposure.

One more option (warning, technical gore included)

Paul has done some very interesting research on the failure; for those of you who are interested in the technical flaw and how it could be mitigated, take a look here. I wouldn’t recommend production deployment of this fix, but it does show in depth where the flaw occurs and how it can be mitigated. It is very much worth the read from a research perspective for those of you that want a little more detail about what mistake was actually made.
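The mistake behind the bug was a duplicated, unconditional `goto fail;` in Apple's server key exchange signature check, which returned success before the signature was ever verified. The block below is a simplified model added here to illustrate that shape and its fix; it is not Apple's code and not Paul's patch, and `hash_update`, `raw_verify` and the error values are constructed stand-ins for the real hashing and signature routines.

```c
#include <stdbool.h>

/* Constructed model of the gotofail defect: err 0 means success, as in the
   real OSStatus convention; the hash and verify steps are toy stand-ins. */
typedef int OSStatus;
enum { errOK = 0, errHash = -1, errBadSig = -2 };  /* constructed values */

/* Toy hash step: accumulates the chunk, fails on a negative chunk. */
static OSStatus hash_update(int *acc, int chunk) {
    if (chunk < 0) return errHash;
    *acc += chunk;
    return errOK;
}

/* Toy signature check: the "signature" is valid iff it equals the hash. */
static OSStatus raw_verify(int hash, int signature) {
    return hash == signature ? errOK : errBadSig;
}

/* Vulnerable shape: the second goto is not guarded by any if, so it is always
   taken while err is still 0, and raw_verify never runs. */
OSStatus verify_server_key_exchange_vulnerable(int server_random, int params, int signature) {
    OSStatus err;
    int hash = 0;
    if ((err = hash_update(&hash, server_random)) != 0)
        goto fail;
    if ((err = hash_update(&hash, params)) != 0)
        goto fail;
        goto fail;          /* duplicated line: unconditional, err == 0 here */
    err = raw_verify(hash, signature);
fail:
    return err;
}

/* Fixed shape: every conditional goto is braced, so no jump can be reached
   unconditionally and the signature check cannot be skipped. */
OSStatus verify_server_key_exchange_fixed(int server_random, int params, int signature) {
    OSStatus err;
    int hash = 0;
    if ((err = hash_update(&hash, server_random)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&hash, params)) != 0) {
        goto fail;
    }
    err = raw_verify(hash, signature);
fail:
    return err;
}
```

Compiling with unreachable-code warnings enabled (for example clang's `-Wunreachable-code`) flags the line after the stray goto, which is the cheap check that would have caught this class of defect.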

We will all wait on Apple providing further updates, but in the meantime make sure you apply these best practices and think a little more carefully about what you connect to.

Follow me on Twitter @jameslyne

Source: Forbes Apple
