[TheScionicMan]

While using an unsecured wifi hotspot while the malicious snooper is also on the same unsecured wifi hotspot is what I remember reading. Is it other than that?

Just on the same network. The unsecured wifi was an example. That combined with the mention of the USAF decision has warped the perception of the dangers here. SSL is the backbone of the secure HTTPS sites that people thought they could trust. Online banking, shopping, billpay, etc. All things people did with trust because they assumed that Apple was secure.

And just because a patch was released doesn't mean that the problem has passed. How many people don't upgrade their OS or can't because of IT restrictions, etc? This "Nothing to see here, move along" attitude that many are giving in defense of Apple is not helpful to the people that are potentially at risk from this flaw.

[kbz1960]

It would be very difficult to set this up for a properly configured SSL connection. With this Apple flaw in the coding, it's a pretty simple matter to spoof a site. When you go to an HTTPS site, it will offer its cert and your browser checks that against the site's key. With this flaw in Apple browsers, a site can say "I'm Google.com" and their browsers say "Ok, continue..." without checking to see if it is valid.

So this flaw can be exploited over any connection then, why did they focus on unsecured wifi?

[TheScionicMan]

So this flaw can be exploited over any connection then, why did they focus on unsecured wifi?

It was an example of the easiest attack vector and the one which most people would be vulnerable to. It could also be accomplished on a secured wifi network. For example, we use a WPA2 secured wifi network. It is not connected to our internal network, just goes out to the internet. As such, we are pretty lenient with giving those credentials out to guests. Because of our assumption that Apple had web security standards implemented properly, we also allowed users to connect their smartphones to this network. Now, we're going to need to take another look at this configuration.

[Richard Buckley]

While using an unsecured wifi hotspot while the malicious snooper is also on the same unsecured wifi hotspot is what I remember reading. Is it other than that?

It is indeed. the bug in question (which is also on Mac OS X) is that the system SSL/TLS security layer does not verify the received certificate is signed by a trusted CA. So a malicious actor anywhere on the network between an affected system and a website could launch a man in the middle attack using nothing more than a self signed certificate that claims to be for the destination site.

this is a system level bug so it does not just affect browser security, but any application that depends on the OS SSL/TLS library to correctly check the server certificate.

[kbz1960]

It was an example of the easiest attack vector and the one which most people would be vulnerable to. It could also be accomplished on a secured wifi network. For example, we use a WPA2 secured wifi network. It is not connected to our internal network, just goes out to the internet. As such, we are pretty lenient with giving those credentials out to guests. Because of our assumption that Apple had web security standards implemented properly, we also allowed users to connect their smartphones to this network. Now, we're going to need to take another look at this configuration.

It is indeed. the bug in question (which is also on Mac OS X) is that the system SSL/TLS security layer does not verify the received certificate is signed by a trusted CA. So a malicious actor anywhere on the network between an affected system and a website could launch a man in the middle attack using nothing more than a self signed certificate that claims to be for the destination site.

this is a system level bug so it does not just affect browser security, but any application that depends on the OS SSL/TLS library to correctly check the server certificate.

Thanks. I guess I misread or misunderstood. Always nice to learn something.

[NotGoodIMO]

It's trying to be one of those threads where blackberry haz expert pros security while everyone else doesn't.

Blackberry security is the best, there is no doubt about that. This is what was said about Apple security in the article. "It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.
Considering that people are using their phones for doing everything, including banking and buying stuff, it's very scary. I know Apple fanboys will deny everything and will keep justifying using that garbage but the fact of the matter is that iPhone has fallen behind, including security which is a shame considering their closed architecture and insane obsession with controlling everything.

[NotGoodIMO]

The article doesn't mention BBRY, so I'm not sure how it proves anything about BBRY. It's certainly evidence that Apple releases software with significant security risks, but that's not the same thing as proving another vendor is the "gold standard" of anything.

That's already known about Blackberry. Nothing to say their. The point here is that some folks have been saying that IOS and Android are as safe as Blackberry and there is no compromise in using those OSs but that fact is that there is a huge risk in using both IOS and Android. I would be worried if I was doing financial transaction on an iPhone.

[NotGoodIMO]

But they only revealed the issue once they fixed it, right? Or am I mistaken? Because if the issue was indeed a major one, and they kept it quiet for their own good, I would - as a company or government - be very sceptical towards Apple products going forward. It's not like hackers wouldn't find out anyway..

Posted via CB10

But hackers can study the patch and come up with a work around. The main thing here is that there is a fundamental flaw in how Apple has implemented SSL in iOS. I guess, it needs more ground up changes than a mere patch. Seems like another
Windows in the making.

[app_Developer]

But hackers can study the patch and come up with a work around. The main thing here is that there is a fundamental flaw in how Apple has implemented SSL in iOS. I guess, it needs more ground up changes than a mere patch. Seems like another
Windows in the making.

Looking at the flaw, which is open source, I don't see how you've come to that conclusion. It's an embarrassing bug, but quite a simple one. Why do you guess that it needs "ground up changes"?

Sent from my Nexus 7 using Tapatalk

[sickyute]

http://techland.time.com/2014/02/24/...able-to-hacks/

Posted via CB10 running on Z10STL100-1/10.2.1.2141

[mikeo007]

But hackers can study the patch and come up with a work around. The main thing here is that there is a fundamental flaw in how Apple has implemented SSL in iOS. I guess, it needs more ground up changes than a mere patch. Seems like another
Windows in the making.

Really? Study the patch? The patch was to delete a single offending (and admittedly very lazy) line of code. What exactly is there to study? There is no fundamental flaw, there was a slopping programming error that was fixed by a simple press of the backspace key and deployed to iOS users through software update.

Seems like a lot of posts with zero understanding of what the actual issue was.

[mikeo007]

Looking at the flaw, which open source, I don't see how you've come to that conclusion. It's an embarrassing bug, but quite a simple one. Why do you guess that it needs "ground up changes"?

Sent from my Nexus 7 using Tapatalk

Exactly. The only thing that will need ground up changes is the resume of the programmer who made the error in the first place.

[Djlatino]

Exactly. The only thing that will need ground up changes is the resume of the programmer who made the error in the first place.

A few of the iPhone Dev Team guys were poking fun at the irony of "goto fail;" heh, the else statement really speaks for itself :P

[sling]

Some interesting reading:
Apple’s reputation for software security a ‘myth’
Apple’s reputation for software security a ‘myth’ - Technology & Science - CBC News

[deptech]

There is a fix out for this issue, IOS 7.0.6, but now my iPad is rendered useless, WTF, and I'm not alone.

http://www.techienews.co.uk/976861/a...e-5s-ipad-air/

They rushed to fix one issue and create a bigger issue.

Z30 on 10.2.1.537 in Canada

[crazy elf]

It matters in the bigger picture when you cover up a mistake, when people have no idea there is a mistake and are vulnerable. It doesn't matter if they fixed it quietly or not, they didn't tell anyone. That's the issue, it's like your doctor treating you for syphilis and not telling you. How many people have it because your doctor didn't tell you. Samsung did the same with bad batteries, didn't tell a soul, in fact made the consumer sign a confidentiality statement not to repeat the issue to anyone.

Posted via CB10

[FunktasticLucky]

That's exactly the point- these are not individual citizens using a phone for personal reasons, these are members of the military. The Department of Defense stated the #1 reason for switching was budgetary. It's cheaper for them to use Apple phones and iPads than to use Q10 on a BES. It's a shame that an organization with a budget the size of the US Military and charged with defending our country decides to save ~$16M by putting our security at risk. It's all about money.... if you read the DoD articles they also claim they don't have the proper controls in place to ensure iOS security, but they are working on it.

I would like to point out something. The DOD as a whole has a budget. And right now the army is getting most of that money. It's why the air force has downsized so much to afford it's precious planes and trying to retire their older ones. But as everything goes, they can't get rid of the old ones because they can't train new people on all the new stuff, or budget cuts have left them without the needed number of aircraft to fully replace them. Also, look at the B-52. It still has the highest mission capable and success rates out of all the bombers. They will still be in service for decades. Like the KC-135.

Posted via CB10

[nigoinsnow]

I just hope that there would be no hacker can take over the air force control system and set the bombs to kill the innocent

[sickyute]

Second Apple iOS security flaw exposed

http://www.telegraph.co.uk/technolog...w-exposed.html

Posted via CB10 running on Z10STL100-1/10.2.1.2141

[nigoinsnow]

Second Apple iOS security flaw exposed

http://www.telegraph.co.uk/technolog...w-exposed.html

Posted via CB10 running on Z10STL100-1/10.2.1.2141

Isn't it the 3rd one in thus month?

Posted via CB10

[BCITMike]

This appears to be newly discovered, not newly introduced.

But it also sounds like you need to install such an app yourself, so it's really a test on app store check for malware allowing such an app.

Less risk than ssl bug.

Posted via CB10

[kbz1960]

Second Apple iOS security flaw exposed

Second Apple iOS security flaw exposed - Telegraph

Posted via CB10 running on Z10STL100-1/10.2.1.2141

Apple refused to comment.