{"id":4886,"date":"2014-02-25T10:00:27","date_gmt":"2014-02-25T15:00:27","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=4886"},"modified":"2014-02-25T10:00:27","modified_gmt":"2014-02-25T15:00:27","slug":"apple-encryption-mistake-puts-many-desktop-applications-at-risk","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/02\/25\/apple-encryption-mistake-puts-many-desktop-applications-at-risk\/","title":{"rendered":"Apple encryption mistake puts many desktop applications at risk"},"content":{"rendered":"<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"https:\/\/i0.wp.com\/core2.staticworld.net\/images\/article\/2013\/04\/cybersecurity_cybercrime_danger-100034560-large.jpg?resize=580%2C387\" width=\"580\" height=\"387\" \/><\/p>\n<p>A subtle mistake in how Apple implemented a basic encryption feature that shields data from snooping also affects many desktop applications that rely on the code, according to a noted security researcher.<\/p>\n<p>Apple released a patch on Friday for its iOS mobile platform but has yet to fix the problem for desktop computers, which often have several applications that rely on the faulty code library, called Secure Transport.<\/p>\n<p>Ashkan Soltani, an independent privacy and security researcher, said many other Apple and non-Apple applications are affected.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2100680\/apple-encryption-mistake-puts-many-desktop-applications-at-risk.html\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/02\/apple_encryption-100247364-large.png\" \/><\/a><\/p>\n<p>Security researcher Ashkan Soltani said several other desktop applications, including Apple\u2019s Mail, FaceTime and Calendar, use a code library that could allow an attacker to steal data.
<\/p>\n<p>Those include Apple\u2019s Mail, FaceTime, Calendar, Keynote, the Safari browser, iBooks and its Software Update applications. It would also appear to affect third-party applications, such as the desktop Twitter application and possibly VPN (virtual private network) connections, depending on their configurations, Soltani said.<\/p>\n<p>The Secure Transport library, which handles setting up an encrypted connection for many applications, was contained in iOS 6 and up and OS X versions 10.9 and up, Soltani said via email.<\/p>\n<p>Most websites handling sensitive personal data use SSL (Secure Sockets Layer) or TLS (Transport Layer Security), which establishes an encrypted connection between a server and a person\u2019s computer. If an attacker intercepts the data, it is unreadable.<\/p>\n<p>Apple\u2019s mistake in Secure Transport allows an attacker to perform a man-in-the-middle attack and supply fake data that makes it appear an authentic web service has been cryptographically verified.<\/p>\n<p>\u201cThis enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server,\u201d wrote Alex Radocea, senior engineer with the computer security firm CrowdStrike, on Friday. CrowdStrike analyzed Apple\u2019s patch for iOS after it was released.<\/p>\n<p>The flaw is deeply buried in a line of code, wrote Adam Langley, a software engineer at Google, on his personal blog.<\/p>\n<p>\u201cThis sort of subtle bug deep in the code is a nightmare,\u201d Langley wrote.
\u201cI believe that it\u2019s just a mistake and I feel very bad for whomever might have slipped in an editor and created it.\u201d<\/p>\n<p>Until Apple fixes it, any data transmitted by those applications is at risk, although the danger is mitigated somewhat since an attacker must be on the same network as the victim.<\/p>\n<p>Third-party application developers could tweak their code to use other SSL\/TLS libraries, such as OpenSSL, but Apple is likely to fix the issue quickly.<\/p>\n<p>\u201cI suspect Apple should be pushing out a patch any day now,\u201d Soltani said.<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2100680\/apple-encryption-mistake-puts-many-desktop-applications-at-risk.html\" target=\"_blank\">Apple encryption mistake puts many desktop applications at risk | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A subtle mistake in how Apple implemented a basic encryption feature that shields data from snooping also affects many desktop [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","backgr
ound-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[2,7,9],"tags":[325,785],"class_list":["post-4886","post","type-post","status-publish","format-standard","hentry","category-apple","category-security","category-software","tag-encryption","tag-os-x"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1gO","jetpack-related-posts":[{"id":8157,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/04\/29\/researcher-claims-that-attackers-can-easily-bypass-current-osx-security-tools\/","url_meta":{"origin":4886,"position":0},"title":"Researcher claims that attackers can easily bypass current OSX security tools","author":"NCCT","date":"April 29, 2015","format":false,"excerpt":"Most Mac users feel as though they are impenetrable to viruses and malicious software, but according to one researcher that is not the case. While Apple has its fair share if security measures in place, recent data has surfaced suggesting those tools are \u201ctrivial\u201d for any attacker to bypass. 
For\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8892,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/04\/18\/spotty-android-encryption-is-the-story-behind-the-story-of-apples-battle-with-the-fbi\/","url_meta":{"origin":4886,"position":1},"title":"Spotty Android encryption is the story behind the story of Apple\u2019s battle with the FBI","author":"NCCT","date":"April 18, 2016","format":false,"excerpt":"By Jonathan Keane | PCWorld Savvy Android users know that Apple\u2019s face-to-face with the FBI is only the beginning of the phone-encryption furor. Google CEO Sundar Pichai voiced his support for Apple and for strong and safe encryption, but he didn\u2019t give specifics on how Google would deal with this\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3213,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/20\/researchers-manage-to-get-malware-published-in-apples-ios-app-store\/","url_meta":{"origin":4886,"position":2},"title":"Researchers manage to get malware published in Apple&#039;s iOS App Store","author":"NCCT","date":"August 20, 2013","format":false,"excerpt":"While the posting of malware remains a rare occurrence on Apple's iOS App Store, a team of security researchers figured out a way to get a malicious piece of software past Apple's certification team. 
The team from Georgia Tech said that the app was approved and published by Apple in\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8859,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/03\/07\/following-a-public-outcry-amazon-will-reinstate-encryption-on-its-fire-devices-this-spring\/","url_meta":{"origin":4886,"position":3},"title":"Following a public outcry, Amazon will reinstate encryption on its Fire devices this spring","author":"NCCT","date":"March 7, 2016","format":false,"excerpt":"By Rob Thubron | TechSpot There are rare occasions when a consumer outcry can cause a company to reverse an unpopular decision it has made, and it seems Amazon is the latest firm to bow to public pressure. Only one day after an update removed local encryption in its Fire\u2026","rel":"","context":"In &quot;Hardware&quot;","block_context":{"text":"Hardware","link":"https:\/\/nccomputertech.com\/techtalk\/category\/hardware\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8004,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/04\/10\/latest-version-of-os-x-closes-backdoor-like-bug-that-gives-attackers-root\/","url_meta":{"origin":4886,"position":4},"title":"Latest version of OS X closes Backdoor-like bug that gives attackers root","author":"NCCT","date":"April 10, 2015","format":false,"excerpt":"For at least four years, a bug in Apple's OS X gave untrusted users\u2014and possibly remote hackers with only limited control of their target\u2014unfettered \"root\" privileges over Macs. 
The vulnerability is being called a \"hidden backdoor\" by Emil Kvarnhammar, the security researcher who discovered the bug and privately reported it\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/04\/backdoor-640x425.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/04\/backdoor-640x425.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/04\/backdoor-640x425.png?resize=525%2C300 1.5x"},"classes":[]},{"id":5902,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/09\/so-long-truecrypt-5-alternative-encryption-tools-that-can-lock-down-your-data\/","url_meta":{"origin":4886,"position":5},"title":"So long, TrueCrypt: 5 alternative encryption tools that can lock down your data","author":"NCCT","date":"July 9, 2014","format":false,"excerpt":"Open-source legend TrueCrypt may be gone, but the usefulness of full disk encryption carries on. So what's a crypto fan to do now for their encryption needs? Well, you could continue to use older versions of TrueCrypt if you already have it installed. 
While the security community was shocked earlier\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/4886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=4886"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/4886\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=4886"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=4886"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=4886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}