Monday, February 24, 2014

Apple's Gotofail bug sucks and ways to be safe online

Apple's "Gotofail" bug is a big deal because customers were exposed to risk for a long time. The only positive of this appalling oversight is that it illustrates why users of any platform should embrace the following security tips.
The background
Apple released security updates for iOS 7 and iOS 6 last Friday following its discovery that: "An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS."
What this means is that if you have been sending emails, checking your bank account or using almost any online service on a shared network, an attacker on that network can monitor what you do and find ways to steal or subvert your data.
The problem doesn't affect iOS 5 devices, but OS X is affected, with Apple promising a fix "very soon".
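The kind of defect behind the bug, shown as an added illustration that is not code from this article or from Apple: a stand-in C routine whose control flow mirrors the widely reported duplicated `goto fail;` line in Apple's SSL/TLS signature check. The hashing, the toy signature scheme (`hash_update`, `hash_final`, `sign_params`, `raw_verify` and the key constant) and the error code are assumptions of this example only. The vulnerable version jumps to `fail` while `err` is still zero, so it reports success before the signature is ever checked; the corrected version simply has the duplicate line removed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed error code for this example (not a real SecureTransport value). */
enum { kErrBadSignature = -1 };

/* Toy hash context: a simple multiplicative digest, NOT a real hash. */
typedef struct { uint32_t h; } hash_ctx_t;

static int hash_update(hash_ctx_t *ctx, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++)
        ctx->h = ctx->h * 31u + data[i];
    return 0;                       /* success */
}

static int hash_final(hash_ctx_t *ctx, uint32_t *out) {
    *out = ctx->h;
    return 0;                       /* success */
}

/* Toy "signature": digest XOR a fixed key. Stands in for the server's RSA signature. */
static const uint32_t kToyKey = 0xA5A5A5A5u;

static uint32_t sign_params(const uint8_t *params, size_t len) {
    hash_ctx_t ctx = {0};
    uint32_t digest = 0;
    hash_update(&ctx, params, len);
    hash_final(&ctx, &digest);
    return digest ^ kToyKey;
}

static int raw_verify(uint32_t digest, uint32_t sig) {
    return (sig == (digest ^ kToyKey)) ? 0 : kErrBadSignature;
}

/* Vulnerable shape: the second "goto fail;" is unconditional. Because err is
 * still 0 when it runs, the function returns "success" without verifying. */
int verify_params_vulnerable(const uint8_t *params, size_t len, uint32_t sig) {
    int err;
    uint32_t digest = 0;
    hash_ctx_t ctx = {0};

    if ((err = hash_update(&ctx, params, len)) != 0)
        goto fail;
        goto fail;                  /* BUG: always taken, err == 0 here */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig);  /* never reached */
fail:
    return err;
}

/* Corrected shape: the duplicate line is gone, so the signature is checked. */
int verify_params_fixed(const uint8_t *params, size_t len, uint32_t sig) {
    int err;
    uint32_t digest = 0;
    hash_ctx_t ctx = {0};

    if ((err = hash_update(&ctx, params, len)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig);
fail:
    return err;
}

int main(void) {
    /* Constructed sample: some "server key exchange" bytes and a bogus signature. */
    const uint8_t params[] = "constructed-server-params";
    size_t len = sizeof(params) - 1;
    uint32_t bogus_sig = 0;

    printf("vulnerable, bogus signature: %d (0 = accepted)\n",
           verify_params_vulnerable(params, len, bogus_sig));
    printf("fixed,      bogus signature: %d (0 = accepted)\n",
           verify_params_fixed(params, len, bogus_sig));
    printf("fixed,      valid signature: %d (0 = accepted)\n",
           verify_params_fixed(params, len, sign_params(params, len)));
    return 0;
}
```

Compiling the vulnerable function with warnings enabled is worth trying: the unreachable `raw_verify` call is exactly the kind of line that `-Wunreachable-code` or a static analyser flags, which is why such checks belong in the build of any code that decides whether a connection is trusted.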
It's an appalling oversight (is it an oversight?), but even a big threat like this need not be a huge problem to Mac or iOS device users who follow these simple security tips:
1: Trust nothing
It doesn't matter how much you enjoy using free wireless in Starbucks, hackers can -- and do -- monitor unrestricted networks. In the case of Apple's recent security blunder, all they had to do was sit in the same shop sharing the same network. Whatever platform you happen to be on, don't use public networks to transmit payment or banking information. You have been warned.
2: You'll be the last to know
Unless you're a hacker or security researcher you'll be the last to know about any existing exploit. It's likely the first you'll hear of the existence of one will be when your OS vendor ships a patch. Can you be completely certain the OS you are using is secure? Of course you can't. Stay aware of the risks you take.
3: Don't click
If you've been sent an unexpected link or attachment by a familiar-seeming Website or service, don't click it: check the email to ensure it is real before manually accessing the relevant site using your browser, rather than the link provided. There's a huge industry of groups using genuine-seeming emails and Websites to trap confidential data from unwary users ("phishing"). Don’t bite the phishing line.
4: Passwords
Don't use the same password for everything you do. There have been a bunch of recent hacks of large online sites (MacRumors, for example). When these take place, miscreants attempt to get hold of email addresses and passwords. Once they have these they will attempt to use the same combinations on multiple sites and services. So use a different password for everything. Apple's iCloud Keychain (which looks less secure thanks to the SSL exploit) or 1Password will help you manage them all.
5: Stay up-to-date
Make sure you install system security updates immediately.
6: Safety starts at home
Use the encryption features on your wireless router. If you use an AirPort at home make sure to launch AirPort Utility and select WPA/WPA2 Personal from the dropdown menu, and enter a complex password.
7: Anti-virus?
Apple products remain relatively free of malware, so I don't leave virus protection on permanently; instead, I run a check every week or so. That's fine for Apple platforms, but others (Android in particular) require always-on protection.
8: Brief iOS tips
  • Enable Auto-Lock
  • Disable AutoFill to prevent caching of important data
  • Ensure Block Pop-ups is enabled in Settings>Safari
  • In Settings>Safari ensure Do Not Track and Fraudulent Website Warning are enabled.
  • Disable Bluetooth and/or Wi-Fi when not in use (also good for battery life).
  • Enable Find My iPhone.