Posted

Are you being targeted?

I think it's fair to say everyone's being targeted if you get on a network that's been hacked.  As to what you have to lose, well, it depends on what you use your computer for.  This one isn't minor.

Posted

yes

 

more specifically:

 

Immediately upgrade your iPhone, and stop using Safari on your Mac.

 

I wonder if I have to worry using iOS 5.1.1.  Seems unlikely to target something a couple of years out of date...

Posted

I disagree, Jacob.  Basically, SSL is broken.  That's pretty major.  Your fanboyism can only go so far.  You can't try to brainwash a security flaw away.
 

I don't know how far back the fault goes, but found this:

 

So goto fail was added before October 2013. It is in 10.9 but not 10.8.5; and it is in iOS 6.1 and iOS7...Ouch

...sounds like the fault itself doesn't go back that far, Al.

Posted

I don't get on networks that have been hacked, AFAIK.  It's not minor, but it's not the doomsday scenario that so many are puking, either.

It's the "afaik" that's important.  You don't know.  You have no way of knowing.  I personally won't use a Mac except on my home network at this point.  Tho in all likelihood, the damage has been done, if it's going to be.  

That said, I'm not particularly worried about personal consequences so much as potential work consequences.  

 

I stopped using my work computer on non-work/home/mifi networks 2 years ago tho, and all traffic is vpn on it. 

Posted

Me too.  Can't trust fucking anyone any more.  A week ago Sunday an automatic backup that I forgot I installed started up right in the middle of something.  My performance dropped by 50%, and my first thought was that I'd been hacked.

 

Also, capitalone.com home page has a fault in the embedded css pages, where they try to run scripts on 127.0.0.1 and the gateway.  :rolleyes:

Posted

It's probably never a bad idea to change important passwords, and enable 2 factor authentication whenever you can.

 

Do it from home or work tho... :)

 

Also, 15 character passwords, mixed for anything that matters.  There are lookup tables for almost anything less than that readily available in the black hat world. 

Posted

In general, is it safer to use Rice's VPN when at home (assuming that I have a router set up with WPA2 and a very difficult pw) or not to use it?  I am always slightly worried that the university's network isn't so safe with all the students on it but I know very little about network security (and I am paranoid).  

Posted (edited)

:)

 

I guess you are probably serious about this.  How difficult would this be to set up and make sure it is secure?  How would I be able to tell how secure it is to be on the network on campus?

Edited by shellylh
Posted (edited)

I use wifi at the local coffee shop a lot, as well as whenever I'm visiting my daughter for a weekend at CU Boulder or at my mother-in-law's house, to name a few.  I just worry about random people with wifi sniffers or packet sniffers (whatever) and them being able to steal my logins and such.

 

The thing is, I thought that anyone who can insert themselves into the pipe between you and the encrypted site you visit can get you, without targeting you by trying to get into your local network.  Do they have to be on the same network as you and target just you, or can they be out in the ether like the NSA and scoop up everything?

 

EDIT - link http://appleinsider.com/articles/14/02/24/apple-nearing-release-of-os-x-1092-with-support-for-facetime-audio-fixes-for-mail-safari

Edited by HeadphoneAddict
Posted

this exploit puts "the adversary" in the middle of your encrypted connections (and anyone else's) if they've taken control of the network.  Network sniffing is a different problem.  Both are solved with a mifi.

Posted

this exploit puts "the adversary" in the middle of your encrypted connections (and anyone else's) if they've taken control of the network.  Network sniffing is a different problem.  Both are solved with a mifi.

 

I'm not sure I understand - do you mean mifi as in MiFi hotspot on a cell provider?  The cell providers are safe in this case?  Why is that any different from connecting via ethernet or secured wifi at home?

Posted

What's really alarming about this bug is how bad Apple's security engineering is.

A code review would have caught this bug.
A sensible C style guide would have prevented this bug.
Lint would have caught this bug.
A static analyzer would have caught this bug.
A unit test would have caught this bug.
An integration test would have caught this bug.

Apparently Apple is following none of these established engineering practices. That's bad in general, but for a critical security library it's outright negligence.

gotofail.png

 

Not doing this to cause Jacob an aneurysm, just sharing with anyone who cares about the finer details of the flaw.  It's really pretty horrendous.  Any Freshman level programmer would immediately be able to see the flaw.
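A simplified, constructed model of the duplicated `goto fail` pattern discussed in the post above, added here as an example (it is not Apple's source and not code from the thread). The function names and the stand-in helpers are assumptions; the point is the negative test, which the flawed shape fails and the braced shape passes.

```c
#include <stdio.h>

/* Constructed stand-ins for the real steps; each returns 0 on success. */
static int hash_step(void) { return 0; }
static int check_signature(int sig_valid) { return sig_valid ? 0 : -1; }

/* Flawed shape: the second "goto fail" belongs to no if, so it always
 * runs while err is still 0 from the hash step. Indented one level
 * deeper, as a pasted duplicate would be, it reads as guarded. */
int verify_flawed(int sig_valid)
{
    int err;

    if ((err = hash_step()) != 0)
        goto fail;
    goto fail;                      /* duplicated line, unconditional */
    if ((err = check_signature(sig_valid)) != 0)    /* never reached */
        goto fail;
fail:
    return err;                     /* 0 is reported as "verified" */
}

/* Same checks under an "always brace" style rule. */
int verify_braced(int sig_valid)
{
    int err;

    if ((err = hash_step()) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* Negative test: a bad signature must come back non-zero. */
    printf("flawed, bad signature -> %d\n", verify_flawed(0));
    printf("braced, bad signature -> %d\n", verify_braced(0));
    printf("braced, good signature -> %d\n", verify_braced(1));
    return 0;
}
```

A test suite that only feeds valid signatures passes against both functions; only the rejected-input case separates them.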

Posted

Ugh, I hope Apple isn't going to turn into the security nightmare that Windows seems to be.  I don't really want to switch to Linux... of course, I am only assuming that Linux is more secure than Mac OS X. 

Posted

Also, capitalone.com home page has a fault in the embedded css pages, where they try to run scripts on 127.0.0.1 and the gateway.  ::)

 

Should we avoid this page for now?  Not sure if this is a real problem or not.  

Posted

I refuse to use capitalone.com on my computer until they fix it.  I mean, that's the login page.

 

I noticed this because I use noscript, and the only domain I should have to open up for that page is capitalone.com, yet for some reason (that I have been too lazy to track down), it also wants 127.0.0.1 and...whatever your router is.  Feel free to double-check for yourselves, I would love to have outside corroboration.  And if it is just me, I'd like to know that, too, for obvious reasons.

Posted

This is a privacy/security problem (that may be more widespread than is currently being reported).  There is a separate ball of wax that is the windows malware situation. 

Posted

Ugh, I hope Apple isn't going to turn into the security nightmare that Windows seems to be.  I don't really want to switch to Linux... of course, I am only assuming that Linux is more secure than Mac OS X. 

Yeah, not a safe assumption.  There's no such thing as no risk, there's only manageable risk.

Posted

The insidious thing about the OpenSSL problem is that the man in the middle attack could be coming from ANYWHERE in the middle.  The more I think about it the more I want to go back to face to face banking.  The scope of this could end up being bigger than the backdoor that was in the OpenSSL libraries for over 10 years.
