Unofficially Fixing Apple's 'Gotofail' Mess And How To Stay Safe

Feb 24 2014, 6:02pm CST | by

Many of you by now will have read about the Apple security issues in iOS and Mac OS X. Whilst we all wait patiently for Apple to comment on the issue, or better yet to fix it, users are left exposed to a bug that could allow attackers to gain access to sensitive information. I thought therefore that it was worth spending a few moments talking about the ways to mitigate this problem and an innovative unofficial patch from a colleague, Paul Ducklin, who writes for Naked Security at Sophos. If you want to skip right to the tips, scroll down a little further in the article.

For those of you who are technically inclined, Paul has put together an excellent technical analysis of the fault here; for the rest of us, here is a quick summary of how an attacker could use this flaw:

  1. An attacker must cause a client to connect to them – this could be trivially achieved by creating a wireless hotspot and letting them connect.
  2. The attacker must force the client to negotiate a specific protocol version and feature. This is easy, as the attacker (acting as the server in this instance) is the one that specifies it.
  3. The attacker redirects the client from their requested site and provides a somewhat legitimate-looking certificate. As if by magic, the certificate is accepted.

To paint the picture of how easy this would be, in a recent test in San Francisco we set up our own wireless hotspot offering free Internet (named FreePublicWifi and FreeInternet) and within a short space of time 1512 users connected voluntarily. Any one of these users who wanted our free Internet connection could potentially have been targeted. As an aside, we were able to detect that 484 of these systems were running iOS and 181 Mac OS X (I would have argued that is a little high, but I suppose it is expected in San Francisco). This shows how realistic this attack vector actually is and how easy it would have been for us to execute this attack. Note that we displayed a warning and did not modify traffic or do anything malicious, but it would have been easy not to play nice.

What should you do about it?

  1. Naturally, when Apple releases a fix you should apply it. Unfortunately, whilst the patch is already available for iOS, users tend to be very tardy in actually applying patches to their systems. Friends don’t let friends use unpatched devices with nasty bugs.
  2. Don’t join untrustworthy wireless networks. How do you know that networks like ‘Starbucks’, ‘Free Internet’ or ‘attwifi’ aren’t just nasty copies set up by an attacker? Try to stick to networks you know and trust to reduce the risk.
  3. Use a VPN to encrypt your traffic. A VPN forwards all of your exchanges through an encrypted tunnel, preventing the attacker on the network from exploiting the bug. It also has the benefit of covering all of the additional applications beyond Safari that are still waiting to be fixed.
  4. Use web filtering, general endpoint security and follow broader security best practice. Naturally, if an attacker does pull off this attack they may want to deploy malicious code and other layers of security will help detect this if it does occur. You may also want to take a look at my article on password security here and make sure your passwords are not common across multiple sites to restrict exposure.

One more option (warning, technical gore included)

Paul has done some very interesting research on the failure; for those of you who are interested in the technical flaw and how it could be mitigated, take a look here. I wouldn’t recommend production deployment of this fix, but it does show in depth where the flaw occurs and how it can be mitigated. It is very much worth the read from a research perspective for those of you that want a little more detail about what mistake was actually made.
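As an added illustration (not code from the article or from Paul's analysis), here is a simplified C model of the control-flow mistake behind "gotofail": a duplicated, unconditional `goto fail;` jumps past the signature check while the error variable is still zero, so the function reports success for any signature. The helper names `hash_update`, `verify_signature` and the error value are constructed stand-ins for the real SecureTransport routines; only the shape of the bug is the point.

```c
#include <string.h>
#include <stdint.h>

typedef int OSStatus;
/* Constructed error value; not Apple's real error code. */
enum { errOK = 0, errBadSignature = -1 };

/* Stand-ins for the hash-update steps that precede the signature check. */
static OSStatus hash_update(int step) { (void)step; return errOK; }

/* Stand-in for the raw signature verify. Constructed rule: only the
 * 4-byte signature "GOOD" is accepted. */
static OSStatus verify_signature(const uint8_t *sig, size_t len) {
    return (len == 4 && memcmp(sig, "GOOD", 4) == 0) ? errOK : errBadSignature;
}

/* Vulnerable shape: the second "goto fail;" is not inside the if, so it
 * is always executed, err is still errOK, and verify_signature() is
 * never reached. */
OSStatus verify_vulnerable(const uint8_t *sig, size_t len) {
    OSStatus err;
    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(2)) != 0)
        goto fail;
        goto fail;   /* duplicated line: unconditional jump with err == 0 */
    if ((err = verify_signature(sig, len)) != 0)
        goto fail;
fail:
    return err;      /* returns errOK even for a bogus signature */
}

/* Fixed shape: exactly one goto per check, so the verify step runs and
 * a bad signature propagates as an error. */
OSStatus verify_fixed(const uint8_t *sig, size_t len) {
    OSStatus err;
    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(2)) != 0)
        goto fail;
    if ((err = verify_signature(sig, len)) != 0)
        goto fail;
fail:
    return err;
}
```

Compiling with warnings for unreachable code or misleading indentation is one cheap way to catch this class of mistake before it ships.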

We will all wait for Apple to provide further updates, but in the meantime make sure you apply these best practices and think a little more carefully about what you connect to.

Follow me on Twitter @jameslyne

Source: Forbes Apple
