Unofficially Fixing Apple's 'Gotofail' Mess And How To Stay Safe

Feb 24 2014, 6:02pm CST | by

Many of you will by now have read about the Apple security issue in iOS and Mac OS X: the SSL/TLS flaw now widely known as 'gotofail' (CVE-2014-1266). Whilst we all wait patiently for Apple to comment on the issue, or better yet to fix it, users are left exposed to a bug that lets an attacker on the same network impersonate any SSL/TLS-protected site and read or modify the traffic, passwords and session cookies included. I thought therefore that it was worth spending a few moments talking about the ways to mitigate this problem and an innovative unofficial patch from a colleague, Paul Ducklin, who writes for Naked Security at Sophos. If you want to skip right to the tips, scroll down a little further in the article.

For those of you who are technically inclined, Paul has put together an excellent technical analysis of the fault here, but for the rest of us, here is a quick summary of how an attacker could use this flaw:

  1. An attacker must get the client to route its connections through them. This is trivially achieved by running a wireless hotspot and letting victims join it.
  2. The attacker must get the client to negotiate the affected protocol version and feature. This is easy because the server, which in this instance is the attacker, is the side that chooses: the broken check sits in the handling of the ServerKeyExchange message for SSL 3.0, TLS 1.0 and TLS 1.1 when a forward-secrecy (ephemeral DH or ECDH) cipher suite is in use, so the attacker simply selects those.
  3. The attacker intercepts the client's connection to the requested site and presents a certificate for it. This can even be the site's genuine certificate chain copied from the real server, because what is skipped is not the check of the certificate but the check of the server's signature over the ephemeral key-exchange parameters, which is what proves possession of the certificate's private key. With that check skipped, the attacker's own ephemeral key is accepted and, as if by magic, the handshake completes.
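To make step 3 concrete, here is an added example that reproduces the shape of the bug. It is not code from this article, from Paul's analysis or from Apple's source: it is a hash-then-verify routine in which a duplicated `goto fail;` skips the signature check, placed beside the same routine with the one stray line removed. The hash (32-bit FNV-1a), the signature scheme (hash XOR key), the keys, the handshake randoms and the ephemeral parameters are all constructed toy stand-ins for SHA-1, RSA/ECDSA and real TLS data; the function and constant names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OSStatus convention as in SecureTransport: 0 is success. ERR_BAD_SIG is an
 * illustrative value, not Apple's real error code. */
typedef int OSStatus;
#define ERR_OK       0
#define ERR_BAD_SIG (-1)

/* Constructed handshake data (real randoms are 32 bytes; shortened here). */
static const uint8_t CLIENT_RANDOM[4]    = {0x01, 0x02, 0x03, 0x04};
static const uint8_t SERVER_RANDOM[4]    = {0xaa, 0xbb, 0xcc, 0xdd};
static const uint8_t EPHEMERAL_PARAMS[4] = {0xde, 0xad, 0xbe, 0xef};

/* Toy keys. The attacker has the site's certificate (it is public) but not the
 * private key that matches it, so they can only sign with their own key. */
#define SERVER_KEY   0x5ec4e700u
#define ATTACKER_KEY 0xa77ac4e4u

/* Toy hash (32-bit FNV-1a) standing in for the SHA-1 used in the real code. */
typedef struct { uint32_t state; } HashCtx;
static OSStatus hash_init(HashCtx *c) { c->state = 2166136261u; return ERR_OK; }
static OSStatus hash_update(HashCtx *c, const uint8_t *d, size_t n)
{
    for (size_t i = 0; i < n; i++) { c->state ^= d[i]; c->state *= 16777619u; }
    return ERR_OK;
}
static OSStatus hash_final(HashCtx *c, uint32_t *out) { *out = c->state; return ERR_OK; }

/* Toy "signature" (hash XOR key) standing in for the RSA/ECDSA signature that
 * proves the sender holds the private key behind the presented certificate. */
uint32_t sign_params(const uint8_t *params, size_t len, uint32_t key)
{
    HashCtx c; uint32_t h;
    hash_init(&c);
    hash_update(&c, CLIENT_RANDOM, sizeof CLIENT_RANDOM);
    hash_update(&c, SERVER_RANDOM, sizeof SERVER_RANDOM);
    hash_update(&c, params, len);
    hash_final(&c, &h);
    return h ^ key;
}

static OSStatus check_sig(uint32_t hash, uint32_t sig, uint32_t key)
{
    return (hash ^ key) == sig ? ERR_OK : ERR_BAD_SIG;
}

/* Shape of the vulnerable SSLVerifySignedServerKeyExchange. In Apple's source
 * the second "goto fail;" was indented to look like part of the if above it;
 * C has no such scoping, so it always runs, err is still ERR_OK from the
 * successful hash_update, and the signature is never checked. */
OSStatus verify_skx_vulnerable(const uint8_t *params, size_t len,
                               uint32_t sig, uint32_t key)
{
    OSStatus err;
    uint32_t hash_out = 0;
    HashCtx c;
    if ((err = hash_init(&c)) != 0)
        goto fail;
    if ((err = hash_update(&c, CLIENT_RANDOM, sizeof CLIENT_RANDOM)) != 0)
        goto fail;
    if ((err = hash_update(&c, SERVER_RANDOM, sizeof SERVER_RANDOM)) != 0)
        goto fail;
    if ((err = hash_update(&c, params, len)) != 0)
        goto fail;
    goto fail;                           /* the duplicated line: unconditional */
    if ((err = hash_final(&c, &hash_out)) != 0)
        goto fail;
    err = check_sig(hash_out, sig, key); /* never reached */
fail:
    return err;
}

/* The same function with the stray line removed: the actual fix. */
OSStatus verify_skx_fixed(const uint8_t *params, size_t len,
                          uint32_t sig, uint32_t key)
{
    OSStatus err;
    uint32_t hash_out = 0;
    HashCtx c;
    if ((err = hash_init(&c)) != 0)
        goto fail;
    if ((err = hash_update(&c, CLIENT_RANDOM, sizeof CLIENT_RANDOM)) != 0)
        goto fail;
    if ((err = hash_update(&c, SERVER_RANDOM, sizeof SERVER_RANDOM)) != 0)
        goto fail;
    if ((err = hash_update(&c, params, len)) != 0)
        goto fail;
    if ((err = hash_final(&c, &hash_out)) != 0)
        goto fail;
    err = check_sig(hash_out, sig, key);
fail:
    return err;
}

int main(void)
{
    size_t n = sizeof EPHEMERAL_PARAMS;
    uint32_t forged  = sign_params(EPHEMERAL_PARAMS, n, ATTACKER_KEY);
    uint32_t genuine = sign_params(EPHEMERAL_PARAMS, n, SERVER_KEY);
    /* The client always checks against the key in the (genuine) certificate. */
    printf("vulnerable, attacker-signed: %d\n", verify_skx_vulnerable(EPHEMERAL_PARAMS, n, forged, SERVER_KEY));
    printf("fixed, attacker-signed:      %d\n", verify_skx_fixed(EPHEMERAL_PARAMS, n, forged, SERVER_KEY));
    printf("fixed, genuine:              %d\n", verify_skx_fixed(EPHEMERAL_PARAMS, n, genuine, SERVER_KEY));
    return 0;
}
```

The point to take from running it: the vulnerable routine reports success for parameters signed with the attacker's key, which is exactly the situation in the attack above, where the attacker presents the real site's certificate and their own ephemeral key. Note also that a compiler's unreachable-code warning is the cheapest detection for this class of slip; the real line was indented so that a human reviewer skimmed past it.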

To paint a picture of how easy this would be, in a recent test in San Francisco we set up our own wireless hotspot offering free Internet (named FreePublicWifi and FreeInternet) and within a short space of time 1512 users connected voluntarily. Any one of these users who wanted our free Internet connection could potentially have been targeted. As an aside, we were able to detect that 484 of these systems were using iOS and 181 were using Mac OS X (I would have argued that was a little high, but I suppose it is expected in San Francisco). This shows how realistic this attack vector actually is and how easy it would have been for us to execute this attack. Note that we offered a warning and did not modify traffic or do anything malicious, but it would have been easy not to play nice.

What should you do about it?

  1. Naturally, when Apple releases a fix you should apply it. Unfortunately, whilst the patch is already available for iOS (7.0.6, or 6.1.6 for older devices), users tend to be very tardy in actually applying patches to their systems. Friends don't let friends use unpatched devices with nasty bugs.
  2. Don't join untrustworthy wireless networks. How do you know that networks named 'Starbucks', 'Free Internet' or 'attwifi' aren't just nasty copies set up by an attacker? You don't: a network name is not authenticated, and anyone can broadcast it. Stick to networks you know and trust to reduce the risk.
  3. Use a VPN to encrypt your traffic. A VPN forwards all of your exchanges through a tunnel to a trusted endpoint, so an attacker on the local network cannot sit between you and the sites you visit and exploit the bug. It also has the benefit of covering every other application beyond Safari that is waiting to be fixed. Two caveats: the tunnel must be up before you do anything sensitive, and it only helps if the VPN client authenticates its own server properly rather than relying on the same broken library.
  4. Use web filtering and general endpoint security, and follow broader security best practice. If an attacker does pull off this attack they may well use it to deliver malicious code, and other layers of security will help detect that if it does occur. You may also want to take a look at my article on password security here and make sure you do not reuse passwords across multiple sites, so that a password captured on one site cannot be used on the others.

One more option (warning, technical gore included)

Paul has done some very interesting research on the failure; for those of you who are interested in the technical flaw and how it could be mitigated, take a look here. I wouldn't recommend deploying this fix in production, but it does show in depth where the flaw occurs and how it can be mitigated. It is very much worth the read from a research perspective for those of you who want a little more detail about what mistake was actually made.

We will all wait on Apple to provide further updates, but in the meantime make sure you apply these best practices and think a little more carefully about what you connect to.

Follow me on Twitter @jameslyne

Source: Forbes Apple