Unofficially Fixing Apple's 'Gotofail' Mess And How To Stay Safe

Feb 24 2014, 6:02pm CST | by

Many of you by now will have read about the Apple security issues in iOS and Mac OS X. Whilst we all wait patiently for Apple to comment on the issue, or better yet to fix it, users are left exposed to a bug that could allow attackers to gain access to sensitive information. I thought therefore that it was worth spending a few moments talking about the ways to mitigate this problem and an innovative unofficial patch from a colleague, Paul Ducklin, who writes for Naked Security at Sophos.  If you want to skip right to the tips scroll down a little further in the article.

For those of you who are technically inclined, Paul has put together an excellent technical analysis of the fault here, but for the rest of us, here is a quick summary of how an attacker could use this flaw:

  1. An attacker must cause a client to connect to them – this could be trivially achieved by creating a wireless hotspot and letting them connect.
  2. The attacker must force the client to negotiate a specific protocol version and feature. This is easy as the attacker, or the server in this instance is the one that specifies this.
  3. The attacker redirects the client from the site it requested and presents a somewhat legitimate-looking certificate. As if by magic, the certificate is accepted.

To paint the picture of how easy this would be, in a recent test in San Francisco we set up our own wireless hotspot offering free Internet (named FreePublicWifi and FreeInternet) and within a short space of time 1512 users connected voluntarily. Any one of these users who wanted our free Internet connection could potentially have been targeted. As an aside, we were able to detect from these systems that 484 of them were using iOS and 181 Mac OS X (I would have argued that is a little high, but I suppose it is expected in San Francisco). This shows how realistic this attack vector actually is and how easy it would have been for us to execute this attack. Note, we offered a warning and did not modify traffic or do anything malicious – but it would have been easy not to play nice.

What should you do about it?

  1. Naturally, when Apple releases a fix you should apply it. Unfortunately, whilst the patch is already available for iOS, users tend to be very tardy in actually applying patches to their systems. Friends don’t let friends use unpatched devices with nasty bugs.
  2. Don’t join untrustworthy wireless networks. How do you know that networks like ‘Starbucks’, ‘Free Internet’ or ‘attwifi’ aren’t just nasty copies set up by an attacker? Try to stick to networks you know and trust to reduce the risk.
  3. Use a VPN to encrypt your traffic. A VPN carries all of your exchanges through its own tunnel, so an attacker on the local network cannot exploit the bug against the connections inside it. It also has the benefit of covering all of the additional applications beyond Safari that are still waiting to be fixed.
  4. Use web filtering, general endpoint security and follow broader security best practice. Naturally, if an attacker does pull off this attack they may want to deploy malicious code and other layers of security will help detect this if it does occur. You may also want to take a look at my article on password security here and make sure your passwords are not common across multiple sites to restrict exposure.

One more option (warning, technical gore included)

Paul has done some very interesting research on the failure; for those of you who are interested in the technical flaw and how it could be mitigated, take a look here. I wouldn’t recommend production deployment of this fix, but it does show in depth where the flaw occurs and how it can be mitigated. It is very much worth the read from a research perspective for those of you who want a little more detail about what mistake was actually made.
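To make the mistake concrete without reproducing Apple's code, here is an added illustration (not part of the original article, and not the SecureTransport source or Paul's patch) of the control-flow shape behind the nickname 'gotofail': a duplicated, unconditional `goto fail;` that skips the remaining hash step and the signature check while the `err` variable still holds the success value from the previous check. The hashing and signature routines below are constructed toy stand-ins (`toy_hash`, `hash_update`, `raw_verify`, `toy_sign`) so that only the control-flow defect is on display; the sample inputs are likewise constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration of the 'gotofail' control-flow defect. Everything
 * here is a constructed stand-in; none of it is Apple's code. */

typedef int OSStatus;
enum { errSSLOK = 0, errSSLHashError = -1, errSSLCrypto = -9809 };

/* Toy hash (FNV-1a) standing in for the real SHA-1 of the signed parameters. */
static uint32_t toy_hash(const uint8_t *buf, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* Stand-in for the incremental hash update; fails only on a NULL buffer. */
static OSStatus hash_update(uint32_t *ctx, const uint8_t *buf, size_t len) {
    if (buf == NULL) return errSSLHashError;
    *ctx ^= toy_hash(buf, len);
    return errSSLOK;
}

/* Stand-in for the raw RSA/ECDSA signature check over the hash. */
static OSStatus raw_verify(uint32_t sig, uint32_t hash) {
    return sig == hash ? errSSLOK : errSSLCrypto;
}

/* What a legitimate server's "signature" over (random, params) would be
 * under the toy scheme, so callers can build good and bad test inputs. */
uint32_t toy_sign(const uint8_t *random, size_t rlen,
                  const uint8_t *params, size_t plen) {
    uint32_t ctx = 0;
    hash_update(&ctx, random, rlen);
    hash_update(&ctx, params, plen);
    return ctx;
}

/* Vulnerable shape: the second "goto fail;" is not under the if, so it is
 * always taken. The params are never hashed, raw_verify() never runs, and
 * err is still errSSLOK from the successful hash_update() above it. */
OSStatus verify_vulnerable(const uint8_t *random, size_t rlen,
                           const uint8_t *params, size_t plen, uint32_t sig) {
    OSStatus err;
    uint32_t ctx = 0;
    if ((err = hash_update(&ctx, random, rlen)) != 0)
        goto fail;
        goto fail;                      /* the duplicated line */
    if ((err = hash_update(&ctx, params, plen)) != 0)
        goto fail;
    err = raw_verify(sig, ctx);
fail:
    return err;
}

/* Corrected shape: identical logic with the stray jump removed, so the
 * signature is actually compared against the full hash. */
OSStatus verify_fixed(const uint8_t *random, size_t rlen,
                      const uint8_t *params, size_t plen, uint32_t sig) {
    OSStatus err;
    uint32_t ctx = 0;
    if ((err = hash_update(&ctx, random, rlen)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, plen)) != 0)
        goto fail;
    err = raw_verify(sig, ctx);
fail:
    return err;
}

/* Constructed sample inputs, standing in for the handshake randoms and the
 * server's ephemeral key-exchange parameters. */
const uint8_t demo_random[] = "client-random|server-random";
const uint8_t demo_params[] = "ecdhe-params-from-server";

int main(void) {
    uint32_t good = toy_sign(demo_random, sizeof demo_random,
                             demo_params, sizeof demo_params);
    uint32_t bogus = good ^ 1u;         /* guaranteed wrong signature */
    printf("vulnerable, bogus sig: %d (0 means accepted)\n",
           verify_vulnerable(demo_random, sizeof demo_random,
                             demo_params, sizeof demo_params, bogus));
    printf("fixed, bogus sig:      %d\n",
           verify_fixed(demo_random, sizeof demo_random,
                        demo_params, sizeof demo_params, bogus));
    printf("fixed, good sig:       %d\n",
           verify_fixed(demo_random, sizeof demo_random,
                        demo_params, sizeof demo_params, good));
    return 0;
}
```

The vulnerable function returns success for any signature at all, which is exactly why step 3 of the attack summary works: the client has no way to tell a forged key exchange from a genuine one. Two defensive habits catch this class of bug before it ships: always brace the body of an `if`, even for a single statement, and build with unreachable-code warnings enabled (for example `-Wunreachable-code` in clang) and treated as errors, since the skipped lines in the vulnerable version are dead code the compiler can see.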

We will all wait on Apple providing further updates, but in the meantime make sure you apply these best practices and think a little more carefully about what you connect to.

Follow me on Twitter @jameslyne

Source: Forbes Apple
