Security Holes! Oh my!
Paul Whitlock
The recent security issues that affected Apple and the broader tech community are as good a place as any to start a blog. Our promise is to always provide information that will make your technology life better. There have been two primary security breaches in recent days that we will cover here. First, the "Goto Fail" hole that affects only Apple, and second, the broader Heartbleed hole that Apple technology is safe from, but anyone who uses one of the vulnerable services--Facebook, for example--could be compromised.
What is "goto fail?"
The first security breach is called “goto fail” because that is the single line of code that causes the problem. Apple announced this security exposure at the end of February and provided security updates for iOS and then OS X Mavericks (10.9.x) and Mountain Lion (10.8.x).
What is the exposure of "goto fail?"
Unpatched client devices (iPhones, iPads and Macintoshes) are unable to detect a faked digital certificate that a server presents. You can’t trust that the little padlock you see on the screen means that you are really talking to the service you think you are connected to. So someone can create a server that looks just like your bank and then when you log in, they capture your credentials and pass them along to the real site. This is called, generically, a man in the middle attack.
The small padlock says this session is secure but if your computer has the "goto fail" defect, you can't trust this padlock.
It’s important to realize that this has nothing to do with the server, but is a defect in the Apple web clients.
To Find out if you have this vulnerability use the Safari Browser and go to this web site:
How do you fix "Goto Fail?"
Apple has provided fixes for all of it’s exposed products. If you apply the updates to your iPhones, iPads, iPod touches and Macintoshes, you will be able to trust padlock on your secure transactions again. After you updates, use the above website to check that the fix is in place.
What is the Heartbleed Virus?
This is a security hole that allows a client to gain access to the memory of a web server. Since accounts, passwords and cryptographic keys are all in the memory of a server, your confidential information can be exposed. Here is a great info-graphic that makes it clear how the bad guys exploit this hole.
What is the exposure of Heartbleed?
The insidious part about Heartbleed is that you are exposed simply by having an account on a service that has been compromised, like Google or Yahoo, both of which were affected. Most services have been busily patching this hole, which includes the major services. Apple and Microsoft did not have this exposure, but because this exploit attacks the server, your personal information can still be compromised even if you are using Windows or OS X, neither of which have the vulnerability.
Oh, and there is absolutely no way to know if the vulnerability has been exploited or not.
As Bruce Schneier, an immanent authority on security, put it, "'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11."
How do you fix the Heartbleed security vulnerability?
Basically, you need to update your passwords on exposed servers and follow best security practices by using unique passwords for each service. Reusing passwords is something that we commonly see in every day practice, and heartbleed is the type of vulnerability that can exploit it. If you use the same password for Google and your bank account, then the bad guys can gain access to your bank account.
Here is a list of some of the major sites and if they are impacted by Heartbleed from Mashable.com
Using unique passwords on all of the services you use is the key thing that anyone can do to improve their overall security profile. The trick is that no one wants to manage and remember all of those passwords. The answer is to use a tool that will help you manage all of those passwords. There is an answer, but that is another post ...