Unofficially Fixing Apple's 'Gotofail' Mess And How To Stay Safe

Feb 24 2014, 6:02pm CST | by

Many of you by now will have read about the Apple security issues in iOS and Mac OS X. Whilst we all wait patiently for Apple to comment on the issue, or better yet to fix it, users are left exposed to a bug that could allow attackers to gain access to sensitive information. I thought therefore that it was worth spending a few moments talking about the ways to mitigate this problem and an innovative unofficial patch from a colleague, Paul Ducklin, who writes for Naked Security at Sophos.  If you want to skip right to the tips scroll down a little further in the article.

For those of you who are technically inclined, Paul has put together an excellent technical analysis of the fault here, but for the rest of us, here is a quick summary of how an attacker could use this flaw to attack:

  1. An attacker must cause a client to connect to them – this could be trivially achieved by creating a wireless hotspot and letting them connect.
  2. The attacker must force the client to negotiate a specific protocol version and feature. This is easy, as the attacker (the server in this instance) is the one that specifies this.
  3. The attacker redirects the client from their requested site and provides a somewhat legitimate-looking certificate. As if by magic, the certificate is accepted.

To paint the picture of how easy this would be, in a recent test in San Francisco we set up our own wireless hotspot offering free Internet (named FreePublicWifi and FreeInternet) and within a short space of time 1512 users connected voluntarily. Any one of these users who wanted our free Internet connection could potentially have been targeted. As an aside, we were able to detect from these systems that 484 of these systems were using iOS and 181 using Mac OS X (I would have argued a little high, but I suppose this is expected in San Francisco). This shows how realistic this attack vector actually is and how easy it would have been for us to execute this attack. Note, we offered a warning and did not modify traffic or do anything malicious – but it would have been easy to not play nice.

What should you do about it?

  1. Naturally, when Apple releases a fix you should apply it. Unfortunately, whilst the patch is available for iOS, users tend to be very tardy in actually applying patches to their systems. Friends don’t let friends use unpatched devices with nasty bugs.
  2. Don’t join untrustworthy wireless networks. How do you know that networks like ‘Starbucks’, ‘Free Internet’ or ‘attwifi’ aren’t just nasty copies set up by an attacker? Try to stick to networks you know and trust to reduce the risk.
  3. Use a VPN to encrypt your traffic. A VPN will forward all of your exchanges through it in a tunnel preventing the attacker from exploiting the bug. It also has the benefit that it will cover all of the additional applications beyond Safari waiting to be fixed.
  4. Use web filtering, general endpoint security and follow broader security best practice. Naturally, if an attacker does pull off this attack they may want to deploy malicious code and other layers of security will help detect this if it does occur. You may also want to take a look at my article on password security here and make sure your passwords are not common across multiple sites to restrict exposure.

One more option (warning, technical gore included)

Paul has done some very interesting research on the failure; for those of you who are interested in the technical flaw and how it could be mitigated, take a look here. I wouldn’t recommend production deployment of this fix, but it does show in depth where the flaw occurs and how it can be mitigated. It is very much worth the read from a research perspective for those of you that want a little more detail about what mistake was actually made.
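To show the shape of the mistake without reproducing Apple's source, here is an added C illustration; it is not part of this article, not Paul's patch and not Apple's code. It models a certificate check as a chain of three stages (well-formed message, matching handshake hash, valid signature), first in the unbraced if/goto style with one stray duplicated `goto fail;`, then in a braced form where the signature check's own result is the function's result. The `key_exchange_t` struct, the `stage_*` functions, the XOR-based toy "signature" and the sample inputs are all constructed stand-ins for the real hash and signature verification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (not Apple's data structures): the handshake hash a
 * client computes from ServerKeyExchange and the signature the server sends
 * over it. Real code hashes the transcript and verifies with the certificate's
 * public key; here both are toy checks so the control flow runs stand-alone. */
typedef struct {
    uint8_t hash[4];
    uint8_t sig[4];
} key_exchange_t;

static const uint8_t EXPECTED_HASH[4] = {0xAA, 0xBB, 0xCC, 0xDD};

/* Stage 1: message present and well-formed. 0 on success. */
static int stage_update(const key_exchange_t *kx) {
    return kx == NULL ? -1 : 0;
}

/* Stage 2: the hash matches what we computed ourselves. 0 on success. */
static int stage_hash(const key_exchange_t *kx) {
    return memcmp(kx->hash, EXPECTED_HASH, sizeof EXPECTED_HASH) == 0 ? 0 : -1;
}

/* Stage 3 (toy signature check): a valid "signature" is hash XOR 0x42 per byte. */
static int stage_verify(const key_exchange_t *kx) {
    for (size_t i = 0; i < sizeof kx->sig; i++) {
        if (kx->sig[i] != (uint8_t)(kx->hash[i] ^ 0x42)) {
            return -1;
        }
    }
    return 0;
}

/* BEFORE: unbraced if/goto chain with a duplicated "goto fail;". The second
 * goto is unconditional, so stage_verify() never runs and err is still 0
 * from stage_hash(): an unverified signature is reported as good. */
int verify_vulnerable(const key_exchange_t *kx) {
    int err;
    if ((err = stage_update(kx)) != 0)
        goto fail;
    if ((err = stage_hash(kx)) != 0)
        goto fail;
        goto fail;   /* the stray line: indented, but always executed */
    if ((err = stage_verify(kx)) != 0)
        goto fail;
fail:
    return err;
}

/* AFTER: every conditional body braced, and the signature check's own result
 * is the function's result, so no stray line can turn "not checked" into
 * "checked and passed". */
int verify_fixed(const key_exchange_t *kx) {
    int err;
    if ((err = stage_update(kx)) != 0) {
        return err;
    }
    if ((err = stage_hash(kx)) != 0) {
        return err;
    }
    return stage_verify(kx);
}

/* Sample input (constructed): a genuine exchange, or a forged one whose hash
 * is right but whose signature is garbage, as a spoofing server would send. */
static key_exchange_t sample(int forged) {
    key_exchange_t kx;
    memcpy(kx.hash, EXPECTED_HASH, sizeof EXPECTED_HASH);
    for (size_t i = 0; i < sizeof kx.sig; i++) {
        kx.sig[i] = forged ? 0x00 : (uint8_t)(EXPECTED_HASH[i] ^ 0x42);
    }
    return kx;
}

/* 0 = accepted, nonzero = rejected, for each implementation. */
int check_vulnerable(int forged) {
    key_exchange_t kx = sample(forged);
    return verify_vulnerable(&kx);
}

int check_fixed(int forged) {
    key_exchange_t kx = sample(forged);
    return verify_fixed(&kx);
}

int main(void) {
    printf("genuine: vulnerable=%d fixed=%d\n", check_vulnerable(0), check_fixed(0));
    printf("forged : vulnerable=%d fixed=%d\n", check_vulnerable(1), check_fixed(1));
    return 0;
}
```

Run it and the vulnerable chain accepts the forged exchange (returns 0) while the braced version rejects it. Two cheap defences follow from this: always brace conditional bodies, and build with warnings that catch this pattern (GCC's `-Wmisleading-indentation` flags the indented stray line, and clang's `-Wunreachable-code` flags the skipped check); and a client's test suite should include a negative case, a key exchange with a deliberately bad signature, so that a bypassed verification fails a test rather than shipping.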

We will all wait on Apple providing further updates, but in the meantime make sure you apply these best practices and think a little more carefully about what you connect to.

Follow me on Twitter @jameslyne

Source: Forbes Apple
