Author: mr471
Subject: Serious OS hack issue Date: 2/23/2014 8:41 PM
Recommendations: 2
Read about the implications on gizmodo here.
Also, avoid using Safari, Mail, Calendar, etc. on public networks until the patch is in. This has been ongoing but only a recent iOS patch has been issued.

http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary...

Author: platykurtic | Number: 199642 of 203144
Subject: Re: Serious OS hack issue Date: 2/24/2014 5:48 AM
Recommendations: 1
It's not referenced in the article you quoted, but if you absolutely have to work online before the (pretty trivial) fix is issued for OS X 10.9, neither Chrome nor Firefox appears to be affected by this issue, as both use their own open source SSL / TLS code (and do not fail the test cases as a result).

Now there's no real guarantee that either Chrome or Firefox don't have some measure of vulnerability in, say (for example), their auto-update code on OS X, but all active exploits in the wild appear to be very simple thus far, and I'd expect the OS X fix to be out before the exploits get sophisticated enough to compromise those sorts of systems.

Author: 0gre | Number: 199645 of 203144
Subject: Re: Serious OS hack issue Date: 2/24/2014 2:09 PM
Recommendations: 3
Some perspective here: it's a man-in-the-middle attack; the attacker must be able to inject itself between you and the target server.

If you are using a private (for example your home) or trusted network you have little to worry about. If you are using public wifi, seriously consider temporarily switching to manually setting your DNS servers on your machine. Google has public DNS servers along with some simple instructions on how to configure them.

https://developers.google.com/speed/public-dns/docs/using

Just changing your browser will help, but there are other services on the Mac which use SSL which are also potentially vulnerable so I wouldn't recommend just a browser change (though doing both isn't a terrible idea).

It's all about a bad server getting between you and your destination, and that isn't very easy to do, so I'm not too worried about this. Most likely the places where it's the biggest concern are crowded public networks where an attacker would have lots of potential victims.

Author: WHOVPLLC | Number: 199646 of 203144
Subject: Re: Serious OS hack issue Date: 2/24/2014 3:48 PM
Recommendations: 1
> Read about the implications on gizmodo here.
> Also, avoid using Safari, Mail, Calendar, etc. on public networks until the patch is in. This has been ongoing but only a recent iOS patch has been issued.
>
> http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary......
> - mr471 | Date: 2/23/2014 8:41:42 PM | Number: 199645

Virtually every software system ever developed can be hacked. That is one reason why it is called "software" = soft target.

WHOVPLLC

Author: DutchMark | Number: 199648 of 203144
Subject: Re: Serious OS hack issue Date: 2/24/2014 4:50 PM
Recommendations: 3
> If you are using a private (for example your home) or trusted network you have little to worry about. If you are using public wifi, seriously consider temporarily switching to manually setting your DNS servers on your machine. Google has public DNS servers along with some simple instructions on how to configure them.

From the little I have gleaned so far, I understand any computer between yours and the end-point can initiate the attack. Since a connection regularly makes a dozen hops or more, that's a big security hole. Still not easy to take advantage of, but quite damaging if successful.

Mark

Author: stevenjklein | Number: 199652 of 203144
Subject: Re: Serious OS hack issue Date: 2/24/2014 6:47 PM
Recommendations: 0
> From the little I have gleaned so far, I understand any computer between yours and the end-point can initiate the attack.

Nope.

Author: stevenjklein | Number: 199653 of 203144
Subject: Re: Serious OS hack issue Date: 2/24/2014 6:51 PM
Recommendations: 1
To clarify my "nope":

Your data doesn't usually pass through any computers between yours and the final destination. Just routers.

Only computers that share bandwidth on your LAN can pose a threat. Nowadays, that means an unsecured Wi-Fi network.

If you use a Wi-Fi network that requires a password to connect, you're safe. If you connect to your LAN via ethernet, you're safe.

(Well, unless your computer is plugged into an ethernet hub, but nobody uses those anymore. I don't even think they're made anymore.)

Author: 0gre | Number: 199656 of 203144
Subject: Re: Serious OS hack issue Date: 2/24/2014 7:09 PM
Recommendations: 1
> Your data doesn't usually pass through any computers between yours and the final destination. Just routers.
>
> Only computers that share bandwidth on your LAN can pose a threat. Nowadays, that means an unsecured Wi-Fi network.

Yep.

And just sharing your network isn't enough; they need to create a fake server and fool your computer into going to that server, which then captures your data. Manually setting DNS as I suggested above will eliminate the easiest way someone can fool your machine into going to a bogus server. Another obvious way to take advantage would be to create a typo-based domain that attacks specific sites.

Author: platykurtic | Number: 199667 of 203144
Subject: Re: Serious OS hack issue Date: 2/25/2014 3:58 AM
Recommendations: 0
> If you use a Wi-Fi network that requires a password to connect, you're safe. If you connect to your LAN via ethernet, you're safe.

Isn't it more like 'if you can guarantee that the router is using a valid DNS server you are safe'? Otherwise the exploit is trivial. This is why Ogre's fix or using Firefox or Chrome are all better solutions (Firefox and Chrome would ensure that the end-point is using a valid certificate; Ogre's fix is more about ensuring the computer uses the correct DNS address).

I don't see how having a password-protected Wi-Fi network or using ethernet helps (as the exploit is around not serving the correct certificate at the server end). Your own network, sure (most likely using a valid DNS server depending on the router that's being used, for example this http://arstechnica.com/security/2014/02/dear-asus-router-use...), but the other advice appears pretty poor (if not completely wrong) on the face of it.

Author: stevenjklein | Number: 199670 of 203144
Subject: Re: Serious OS hack issue Date: 2/25/2014 9:46 AM
Recommendations: 0
FWIW, this bug seems exclusive to Mavericks. I've visited the test site using Macs running Snow Leopard, Lion, and Mountain Lion, and none of them were susceptible.

Macintouch reports similar findings.

Also, I've read that even in Mavericks it only affects sites using SSL, not TLS. But I've no easy way to test that.
