02-23-14 | Blog Post
A hat tip to Tatiana Melnik – an attorney concentrating her practice on IT, data privacy and security, and regulatory compliance – for passing on this security alert, which could impact HIPAA and other privacy security compliance obligations for those using iPhones, iPads and Mac computers, and any company with a Bring Your Own Device (BYOD) policy in the workplace:
ArsTechnica has reported today an extremely critical cryptography flaw discovered in iOS versions 6.1.5, 7.0.4, and 7.0.5, and OS X 10.9.0 and 10.9.1 that has exposed sensitive communications.
A critical iOS vulnerability that Apple patched on Friday gives attackers an easy way to surreptitiously circumvent the most widely used technology for preventing eavesdropping on the Internet. That made the security bug about as dire as one can be. Now, there’s strong evidence that the same flaw also exposes sensitive e-mail and Web communications on fully patched versions of OS X, with no indication that there is a patch currently available for the millions of people who use the Mac operating system.
The flaw, “according to researchers, causes most iOS and Mac applications to skip a crucial verification check that’s supposed to happen when many transport layer security (TLS) and secure sockets layer (SSL) connections are being negotiated. … independent security researcher Ashkan Soltani … and other researchers say virtually all applications that rely on the SecureTransport TLS layer are susceptible to the attack, regardless of whether they use a technique known as certificate pinning designed to block counterfeit encryption certificates.”
ArsTechnica suggests these next steps:
If you are operating in a BYOD environment, you may want to disable network access to iPhones and iPads until staff members update the operating system on their devices and disable network access to Macs until Apple announces that a patch is available.
ArsTechnia: Extremely critical crypto flaw in iOS may also affect fully patched Macs
For more BYOD security information, check out a replay of a past Online Tech webinar co-hosted by Melnik, “To be BYOD or not to be BYOD: Is a Bring Your Own Device Policy Right for Your Organization?”