Mac iOS Security Guide

The new Mac iOS Security Guide was released in April of 2015. As the introduction of the guide states: “Apple designed the iOS platform with security at its core. When we set out to create the best possible mobile platform, we drew from decades of experience to build an entirely new architecture.”

Many of the security features are built in by default.

“iOS and iOS devices provide advanced security features, and yet they’re also easy to use. Many of these features are enabled by default, so IT departments don’t need to perform extensive configurations. And key security features like device encryption are not configurable, so users can’t disable them by mistake. Other features, such as Touch ID, enhance the user experience by making it simpler and more intuitive to secure the device.”

Topics covered in the guide are: system security, encryption and data protection, app security, network security, Apple Pay, internet services, device controls and privacy controls.

Download or view the guide (.pdf)

Apple Updates for iOS and OS X

Apple has released security updates for iOS and OS X. Both include fixes for the FREAK vulnerability in SSL/TLS. Apple’s Security Update 2015-002 addresses five vulnerabilities; Apple’s iOS 8.2 addresses six vulnerabilities and includes Apple Watch capabilities. Be sure to accept the updates as they occur, or on your computer go to the App Store and click on Updates.

Read the full story in the news.

Apple Addresses “Triple Handshake” Bug

Last Tuesday, April 22, Apple released iOS 7.1.1 to address 19 flaws in the mobile operating system, including a critical flaw in the secure transport mechanism that could be exploited with “triple handshake” attacks to expose user data.

Apple also released Security Update 2014-002 with updates for OS X Lion (10.7.x), Mountain Lion (10.8.x), and Mavericks (10.9.x) to address a number of flaws, including the triple handshake bug.

Users should update as soon as possible.

Read more about the Apple updates here.

What is the Triple Handshake Bug?

Apple Releases Critical Security Update

Late last week, Apple released a security update for its iOS mobile operating system to address a flaw in its SSL/TLS implementation.

SSL (Secure Sockets Layer) is part of the TLS (Transport Layer Security) protocol and is used to encrypt sensitive information, often in a browser, as it traverses the Internet. The flaw, as described by Apple, can provide “an attacker with a privileged network position [to] capture or modify data in sessions protected by SSL/TLS.”

In other words, the flaw makes it easy for bad actors to create fake websites that look like sites users trust, such as banking sites, and to grab information that the users send to those sites.

Apple has not yet fixed this flaw on laptops or desktops, although an update is expected to be released very soon.

It is recommended that all iOS users update their devices to iOS 7.0.6 and iOS 6.1.6 as soon as possible. This is not one you want to wait on. Information on how to update your iPhone, iPod touch, and iPad can be found on Apple’s website [http://support.apple.com/kb/ht4623].

Note: iOS 6.1.6 is only available for devices that cannot run iOS 7. If you have the original iPad and iPhone 3GS or earlier versions of the iPod touch, you will install iOS 6.1.6. All other models of the iPhone, iPad, and iPod that have the ability to run iOS 7 must upgrade to iOS 7.0.6 to get the fix.

Those who need assistance updating their iOS device should contact their local IT support liaison or the IS&T Help Desk [http://ist.mit.edu/help].

Read the story in the news.

Apple Releases New OS

Earlier this month, Apple released the newest version of their operating system for both the iOS platform (7.0.3) and desktop (OS X 10.9, aka Mavericks). Many security vulnerabilities are fixed in these releases. Both releases are free.

Information Services & Technology recommends users at MIT wait to upgrade to Mavericks on their desktops because of compatibility concerns with crucial applications in the MIT environment. Limited support is being provided to early adopters and users whose computer comes installed with Mavericks.

Support documentation for OS X Mavericks.

Apple Releases iOS 6.1

Last week’s Apple iOS update 6.1 addresses more than 20 vulnerabilities, including a serious flaw in the kernel and a number of bugs in the WebKit framework. The company also revoked trust in the bad TurkTrust certificates discovered late last year.

Read the story in the news.

iPhone Has Passed Key Security Threshold

According to an article published by MIT in Technology Review, Apple's iOS makes the device more secure. In particular, iOS increased the use of encryption, which is beginning to cause problems for law enforcement agencies when they encounter systems with encrypted drives that make it impossible to recover any data.

Apple’s security architecture on the iPhone is apparently so sturdy, and so tightly woven into its hardware and software, that it is both easy for consumers to use encryption on their phones and very difficult for someone else to steal the encrypted information.

The key to decode the encryption is protected by the user’s PIN lock. If brute force is used to try to guess the PIN, the device will wipe itself after ten wrong tries. Even if special software is used, the guessing speed is limited to 80 milliseconds per PIN attempted. At that rate, trying every possible 4-digit PIN takes about 13 minutes, a 6-digit PIN takes 22 hours, a 9-digit PIN takes 2.5 years, and a 10-digit PIN about 25 years.

Read the full article here.