It may sound like a child's game, but a Man-in-the-Middle (MITM) attack is where a hacker intercepts secure encrypted data by pretending to be a trusted end point, such as one's email service, then copies or modifies the data before passing it on.
These attacks are typically very difficult to pull off -- unless the hacker is targeting an iPad, iPhone, iMac, MacBook, or any other Mac OS X or iOS device.
Between Friday and Saturday, the Internet exploded with fear and rage. Why? Nearly every single Apple device out there contains a minor code bug with major repercussions: MITM attacks.
According to Adam Langley, the bug, referred to as "Goto fail," is the result of some extraneous code that makes it possible for a hacker to send the wrong security certificate (or no security certificate at all) to a client computer that is attempting to initiate a secure connection.
Basically, when the security certificate fails, the recipient says, "Meh," and lets the connection proceed anyway.
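The control-flow mistake behind the name "Goto fail", as a simplified C illustration added here: it is not Apple's source code and not part of the original article, and the struct and helper names are hypothetical. A duplicated `goto fail;` runs unconditionally, so the signature check is skipped while the error code still reads "success".

```c
#include <stdio.h>

/* Constructed stand-in for what a TLS client checks; not Apple's types. */
struct handshake {
    int hash_ok;       /* 1 if hashing the signed parameters succeeds */
    int signature_ok;  /* 1 if the server's signature verifies */
};

/* Hypothetical helpers: return 0 on success, nonzero on error. */
static int hash_params(const struct handshake *h) { return h->hash_ok ? 0 : -1; }
static int check_signature(const struct handshake *h) { return h->signature_ok ? 0 : -2; }

/* Flawed pattern: the second "goto fail" is not guarded by the if. */
int verify_buggy(const struct handshake *h)
{
    int err;

    if ((err = hash_params(h)) != 0)
        goto fail;
        goto fail;                          /* always taken, with err == 0 */
    if ((err = check_signature(h)) != 0)    /* never reached */
        goto fail;
fail:
    return err;                             /* 0 means "handshake verified" */
}

/* Corrected form: braces on every branch, no stray jump. */
int verify_fixed(const struct handshake *h)
{
    int err;

    if ((err = hash_params(h)) != 0) {
        goto fail;
    }
    if ((err = check_signature(h)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    struct handshake forged = { 1, 0 };  /* constructed: signature does not verify */
    printf("buggy: %d  fixed: %d\n", verify_buggy(&forged), verify_fixed(&forged));
    return 0;
}
```

Compiler checks such as GCC's `-Wmisleading-indentation` and Clang's `-Wunreachable-code` are aimed at this pattern.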
iOS Patches Available
If you have an iPhone, iPod Touch, or iPad, you're in luck. Go to Settings>General>Software Update. Do it now.
How big is this security update? Apple has released a patch for its current iOS 7 devices, as well as obsolete iOS 6 devices (iPhone 3GS and iPod Touch devices not capable of running iOS 7).
In fact, the update, released on Friday, is how the public learned about the major security screw-up.
Macs Not Yet Fixed
While Apple was quick to fix their mobile devices and tablets, the company has not yet released a patch for its desktop and laptop operating system. That leaves one solution: avoid all public Wi-Fi networks. No Starbucks, no airport Wi-Fi, nada. Imagine the hell that would break loose if a hacker intercepts your clients' data while you're sipping on a latte. Yeah. That'd be bad.
Private trusted networks, at home or at work, should be fine, unless you're handing out your network's security keys to strangers.
The truth is out there!
Here's an interesting timing coincidence, pointed out by John Gruber (h/t Gizmodo): the bug was released in iOS 6 in September 2012. Apple was added to the NSA PRISM program in October 2012. Theories range from the NSA being ignorant of the flaw (unlikely), to the NSA quietly exploiting it, to Apple putting it in place at the NSA's request.
We're not buying it. Would the NSA undermine one of the nation's biggest tech companies, and open up millions of consumers to cyber attacks, just to siphon data by implanting a very easy to exploit bug? And would Apple be complicit in such a scheme, risking their reputation and customers' sensitive data?
Seriously folks, the NSA snoops and the Apple engineers are some of the best in the world (code glitches notwithstanding). Surely they'd come up with something better than the cyber-equivalent of leaving the bank vault unlocked and guarded by a butter knife-wielding Betty White.