Saturday, February 22, 2014

Apple drops iOS update to plug security hole, but OS X may be affected too


Apple has released iOS 7.0.6 to fix a previously undisclosed security issue that left iPhones and iPads open to attackers sitting on the same network, such as an untrusted wireless hotspot.

The flaw, in the way iOS devices handle Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication, could allow data to be intercepted by third parties, the company said.

In its release notes, Apple said it had restored "missing validation steps" to fix the bug, but, as is its usual policy, it did not divulge the full nature of the security issue until an investigation had taken place.

It wrote: "Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

"Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps."

OS X affected too?

It is not known whether the flaw had been exploited, but one expert, Johns Hopkins University cryptography professor Matthew Green, called the oversight "as bad as you could imagine."

Security firm CrowdStrike examined the iOS 7.0.6 fix and concluded that Mac OS X is at risk from the same flaw, and said it expects Apple to issue an update for its desktop software as well.

Explaining the nature of the flaw in layman's terms, CrowdStrike wrote: "To pull off the attack an adversary has to be able to Man-in-the-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.

"This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favourite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system)."
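To make the "missing validation steps" concrete, here is a constructed illustration (added here; it is not Apple's code or CrowdStrike's) of the class of bug the advisory describes: a signature check over the server's key-exchange parameters, written in the err/goto-fail cleanup idiom common in C crypto code, where one stray unconditional jump sends control to the exit with err still 0 before the signature is ever compared. Apple's published Secure Transport source, released shortly after this article, showed exactly that shape of defect, a duplicated `goto fail;`, in its ServerKeyExchange verification. The "hash" and "signature" below are a toy FNV-1a checksum standing in for the real SHA-1 and RSA/ECDSA, and all handshake inputs are made-up byte strings; only the control flow is the point.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration (not Apple's code). The transcript "hash" and
 * "signature" are a toy FNV-1a checksum, not the SHA-1 and RSA/ECDSA used by
 * Secure Transport; only the control flow of the verifier matters here. */

typedef struct { const uint8_t *data; size_t len; } blob_t;

#define FNV_INIT 2166136261u

static uint32_t fnv1a_update(uint32_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* The value an honest server (the one holding the key) would send. */
uint32_t expected_sig(blob_t client_rand, blob_t server_rand, blob_t params)
{
    uint32_t h = FNV_INIT;
    h = fnv1a_update(h, client_rand.data, client_rand.len);
    h = fnv1a_update(h, server_rand.data, server_rand.len);
    h = fnv1a_update(h, params.data, params.len);
    return h;
}

/* BROKEN verifier: returns 0 on success, nonzero on error. The second,
 * unconditional `goto fail;` jumps to the exit while err is still 0, so the
 * signature comparison never runs and any parameters are accepted. */
int verify_broken(blob_t client_rand, blob_t server_rand, blob_t params, uint32_t sig)
{
    int err;
    uint32_t h = FNV_INIT;

    if ((err = (client_rand.len == 0)) != 0)
        goto fail;
    h = fnv1a_update(h, client_rand.data, client_rand.len);
    if ((err = (server_rand.len == 0)) != 0)
        goto fail;
    h = fnv1a_update(h, server_rand.data, server_rand.len);
    if ((err = (params.len == 0)) != 0)
        goto fail;
        goto fail;                        /* unconditional: skips the check */
    h = fnv1a_update(h, params.data, params.len);
    err = (h != sig);                     /* the "missing validation step" */
fail:
    return err;
}

/* FIXED verifier: one goto per check, so the comparison always executes. */
int verify_fixed(blob_t client_rand, blob_t server_rand, blob_t params, uint32_t sig)
{
    int err;
    uint32_t h = FNV_INIT;

    if ((err = (client_rand.len == 0)) != 0)
        goto fail;
    h = fnv1a_update(h, client_rand.data, client_rand.len);
    if ((err = (server_rand.len == 0)) != 0)
        goto fail;
    h = fnv1a_update(h, server_rand.data, server_rand.len);
    if ((err = (params.len == 0)) != 0)
        goto fail;
    h = fnv1a_update(h, params.data, params.len);
    err = (h != sig);
fail:
    return err;
}

/* Constructed handshake: a MitM substitutes its own key-exchange parameters
 * but cannot produce the real server's signature over them. forge=1 sends a
 * bogus signature; use_fixed selects the verifier. Returns its err code. */
int run_scenario(int use_fixed, int forge)
{
    static const uint8_t cr[] = "client-random";             /* made up */
    static const uint8_t sr[] = "server-random";             /* made up */
    static const uint8_t kx[] = "dh-params-chosen-by-mitm";  /* made up */
    blob_t client = { cr, sizeof cr - 1 };
    blob_t server = { sr, sizeof sr - 1 };
    blob_t params = { kx, sizeof kx - 1 };
    uint32_t sig = expected_sig(client, server, params);
    if (forge)
        sig ^= 0xdeadbeefu;
    return use_fixed ? verify_fixed(client, server, params, sig)
                     : verify_broken(client, server, params, sig);
}

int main(void)
{
    printf("broken verifier, forged signature:  err=%d (0 means accepted)\n", run_scenario(0, 1));
    printf("fixed verifier,  forged signature:  err=%d\n", run_scenario(1, 1));
    printf("fixed verifier,  genuine signature: err=%d\n", run_scenario(1, 0));
    return 0;
}
```

Two practical notes. The broken verifier never reads the code after the stray jump, so compiling with unreachable-code and misleading-indentation warnings enabled (clang's `-Wunreachable-code`, gcc's `-Wmisleading-indentation`, which is part of `-Wall`) flags this pattern; treating those warnings as errors in crypto code is cheap insurance. And the only trustworthy check that a device is patched is behavioural: point it at a test server whose ServerKeyExchange carries a deliberately invalid signature and confirm the connection is refused rather than completed.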

So there you have it. We have no idea how long these "missing steps" were missing, or whether they have always been absent. Needless to say, it is advisable to install the iOS 7.0.6 update right away.

In Depth: Will we ever be able to rid the world of computer viruses?


In the beginning, when most of the internet was still rolling green fields, there was no need for antivirus software. Early internet users could swap files with anyone without risk of infection - and they did, en masse, on message boards and servers across the early network. Those were carefree days.

But in the early 80s, just like in the real world, everything changed. A program called 'Elk Cloner' was the first computer virus to appear in the wild. It was more of a practical joke than anything else: it spread between Apple II machines on floppy disks and merely displayed a short poem on every fiftieth boot from an infected disk, but it gave others more malicious ideas.

Evil elks

Early viruses spread over physical vectors like floppies and Zip disks, but as the internet hooked up more and more computers, it quickly took over as the primary means of infection. Today, viruses cause billions of dollars' worth of economic damage every year through data loss, system failures, wasted resources and maintenance costs.

Virus creators and security researchers are fighting a brutal arms race over each new vulnerability discovered, while consumers suffer under the weight of bloated antivirus software that often does more harm than good. To date, no antivirus software can catch all malware.

But can we turn back the clock? Can we return to those halcyon days when you could let your parents play for hours unsupervised with an unpatched version of Internet Explorer?

Breaking the stalemate

An Israeli startup called CyActive believes it has a secret weapon that could finally wipe computer viruses off the face of the planet forever. "We've developed an unprecedented ability to automatically forecast the future of malware evolution, based on bio-inspired algorithms and a deep understanding of the black-hats' attack-launching process," explains Danny Lev, chief marketing officer at the company.

CEO Liran Tancman, who spent a decade in Israel's intelligence corps and was head of its cyber strategy unit before founding CyActive in 2013, details the problems with our modern approach to fighting viruses. "If and when a threat is exposed, it is analysed and a counter-solution is designed," he says. "Response times vary from weeks to years. Even if a solution is made available, attackers can easily modify the original code, evade the updated security measures, and once again a new threat is born."


This is a problem primarily because it's so inefficient, he says. "Attackers keep adapting to the evolving defences, despite the significant efforts exerted by cyber defenders in both enterprise and the cyber security solution vendor community. The unnerving ability of cyber-criminals, cyber terrorists and rogue nations to circumvent defensive mechanisms time and time again must be addressed to fundamentally change this battle ground."

Lev added: "The reactive paradigm creates an asymmetric relationship, whereby hackers have the unfair advantage: 'recycling' malware for re-use is quick and cost effective, while fighting malware is time-consuming and expensive. The mind-boggling fact is that for every dollar spent by black-hat hackers, hundreds of dollars are spent by the IT security industry. This economic imbalance is the springboard from which cyber-crime, cyber-terrorism and cyber-warfare are launched."

Predictive analysis

CyActive's approach to solving this problem involves predicting in advance how virus creators might vary their malware, blocking potential attacks before they're even created. "CyActive's algorithms predict hundreds of thousands of ways in which hackers could evade existing security measures," says Lev.

"Based on this foreknowledge, CyActive is the first to offer proactive detection of future malware before it has ever seen the light of day." That technique has won it funding from an Israeli cyber-security incubator.

However, despite the startup's grand claims of "unparalleled protection" for its customers, Lev declined to detail exactly what aspects of biology inspired the "bio-inspired" algorithms. When asked what's stopping virus creators adapting their software to outwit CyActive's algorithm, Lev said: "We constantly adapt the detectors, making sure we stay one step ahead." To us, that sounds suspiciously like we're back to square one of measures and countermeasures.

Come at me, Bromium

Another startup working on the same problem is Bromium, which has raised $75 million since it was founded in 2010. Its approach is completely different - it uses hundreds of miniature virtual machines that capture every web page, email and instant message that arrive and isolate them from each other. If something that looks infectious arrives, it's kept quarantined until an administrator can review it and dispose of it.


It works on Intel-based hardware, Windows 7 64-bit and 32-bit, Android, and Apple's OS X, protecting against web, email, USB, and instant messaging attacks. It doesn't yet operate on iOS devices, due to Apple's fondness for total control over its software. It relies on the hardware virtualisation extensions of Intel processors to isolate each task, and operates invisibly to the user.

Security researcher Simon Wardley wrote in May 2013 that he was a big fan of Bromium's approach. "I used to work in the security industry and I can happily say that a chunk of it is based upon snake oil and fear. The general principle of creating a secure but functionally useful system is based upon solving an impossible problem and with good commercial reasons," he said.

"What Bromium has neatly done is not try to solve the impossible (preventing you from being attacked) but instead limited any damage to as small and as temporary a space as possible. The fear is gone. Just because one email has been compromised, doesn't impact all the other emails or the other applications and environments on my machine. It's all isolated and to get rid of the problem I just close that email."

Sandboxing the future

So while it's likely that we'll never be able to rid the world of malware and computer viruses, it may not matter. By putting everything we do on our computers into a little box that can't interact with anything important, we can make viruses essentially pointless by preventing them from doing any damage.

On the other hand, this approach means every web page, email and instant message you receive can be viewed and analysed by your network administrator - a deep packet inspection nightmare for anyone who cares about their privacy.

On that, perhaps Benjamin Franklin said it best. "They who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety."
