Unofficially Fixing Apple's 'Gotofail' Mess And How To Stay Safe

Feb 24 2014, 6:02pm CST

Many of you by now will have read about the Apple security issues in iOS and Mac OS X. Whilst we all wait patiently for Apple to comment on the issue, or better yet to fix it, users are left exposed to a bug that could allow attackers to gain access to sensitive information. I thought, therefore, that it was worth spending a few moments talking about the ways to mitigate this problem and an innovative unofficial patch from a colleague, Paul Ducklin, who writes for Naked Security at Sophos. If you want to skip right to the tips, scroll down a little further in the article.

For those of you who are technically inclined, Paul has put together an excellent technical analysis of the fault here, but for the rest of us, here is a quick summary of how an attacker could use this flaw:

  1. An attacker must cause a client to connect to them. This could be trivially achieved by creating a wireless hotspot and letting them connect.
  2. The attacker must force the client to negotiate a specific protocol version and feature. This is easy, as the attacker, acting as the server in this instance, is the one that specifies this.
  3. The attacker redirects the client from their requested site and provides a somewhat legitimate-looking certificate. As if by magic, the certificate is accepted.

To paint the picture of how easy this would be, in a recent test in San Francisco we set up our own wireless hotspot offering free Internet (named FreePublicWifi and FreeInternet) and within a short space of time 1512 users connected voluntarily. Any one of these users who wanted our free Internet connection could potentially have been targeted. As an aside, we were able to detect that 484 of these systems were using iOS and 181 were using Mac OS X (I would have argued that is a little high, but I suppose this is expected in San Francisco). This shows how realistic this attack vector actually is and how easy it would have been for us to execute this attack. Note, we offered a warning and did not modify traffic or do anything malicious, but it would have been easy to not play nice.

What should you do about it?

  1. Naturally, when Apple releases a fix you should apply it. Unfortunately, whilst the patch is already available for iOS, users tend to be very tardy in actually applying patches to their systems. Friends don’t let friends use unpatched devices with nasty bugs.
  2. Don’t join untrustworthy wireless networks. How do you know that networks like ‘Starbucks’, ‘Free Internet’ or ‘attwifi’ aren’t just nasty copies set up by an attacker? Try to stick to networks you know and trust to reduce the risk.
  3. Use a VPN to encrypt your traffic. A VPN forwards all of your exchanges through an encrypted tunnel, preventing an attacker on the local network from exploiting the bug. It also has the benefit that it covers all of the additional applications beyond Safari that are still waiting to be fixed.
  4. Use web filtering, general endpoint security and follow broader security best practice. Naturally, if an attacker does pull off this attack they may want to deploy malicious code, and other layers of security will help detect this if it does occur. You may also want to take a look at my article on password security here and make sure your passwords are not common across multiple sites to restrict exposure.

One more option (warning, technical gore included)

Paul has done some very interesting research on the failure; for those of you who are interested in the technical flaw and how it could be mitigated, take a look here. I wouldn’t recommend production deployment of this fix, but it does show in depth where the flaw occurs and how it can be mitigated. It is very much worth the read from a research perspective for those of you who want a little more detail about what mistake was actually made.
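To show the shape of the mistake without the surrounding SecureTransport plumbing, here is an added example (not Apple's code and not taken from Paul's analysis): a simplified C model of the duplicated `goto fail;` that made the signature check unreachable, beside the one-line fix. The hash and signature steps are constructed stand-ins, and `ERR_HASH`, `ERR_SIG` and the input strings are assumed values for illustration.

```c
/* Simplified model of the 'goto fail' defect (added example, not Apple's code).
 * verify_buggy() keeps the duplicated 'goto fail;'; verify_fixed() removes it. */
#include <stdio.h>
#include <string.h>

/* Constructed status codes; 0 means success, as in the real code. */
enum { OK = 0, ERR_HASH = -1, ERR_SIG = -2 };

/* Stand-in for a hash-update step: fails only on the constructed "bad-input". */
static int hash_update(const char *data) {
    return strcmp(data, "bad-input") == 0 ? ERR_HASH : OK;
}

/* Stand-in for the final signature check: only "valid-signature" is accepted. */
static int check_signature(const char *sig) {
    return strcmp(sig, "valid-signature") == 0 ? OK : ERR_SIG;
}

/* Buggy shape: the second 'goto fail;' is not guarded by any 'if', so it always
 * jumps to the label. check_signature() is never called, and err still holds
 * the OK (0) from the last successful hash step, so a forged signature passes. */
int verify_buggy(const char *params, const char *sig) {
    int err;
    if ((err = hash_update("client-random")) != 0)
        goto fail;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;          /* the duplicated line */
    if ((err = check_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: every 'goto fail;' is guarded, so the signature check runs. */
int verify_fixed(const char *params, const char *sig) {
    int err;
    if ((err = hash_update("client-random")) != 0)
        goto fail;
    if ((err = hash_update(params)) != 0)
        goto fail;
    if ((err = check_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    printf("buggy, forged signature: %d\n", verify_buggy("server-params", "forged"));
    printf("fixed, forged signature: %d\n", verify_fixed("server-params", "forged"));
    return 0;
}
```

Compiling with unreachable-code warnings enabled (for example `-Wunreachable-code` on clang) flags the dead `if` in `verify_buggy`, which is one cheap check that would have caught this class of defect.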

We will all wait on Apple providing further updates, but in the meantime make sure you apply these best practices and think a little more carefully about what you connect to.

Follow me on Twitter @jameslyne

Source: Forbes Apple
