Java Patch May Be Just a Finger in the Dam
Oracle scrambled last week to patch up a dangerous hole in Java -- a notorious root kit that was in the process of being upgraded by its makers. However, Java flaws are surfacing regularly enough that some security experts recommend users dump the technology entirely if they don't use it frequently.
Sep 4, 2012 5:00 AM PT
Oracle acted swiftly last week to close a zero-day vulnerability in its Java technology, but given Java's track record, that patch is just one hit in a long game of wackamole played with hackers.
A number of security companies discovered the vulnerability over the weekend of Aug. 25. They noticed that a popular and notorious root kit, Blackhole, was being upgraded by its malevolent authors to exploit the Java flaw that hadn't appeared on the radar of malware fighters before.
The vulnerability was so severe that many security firms recommended turning off Java entirely.
Oracle quickly released an out-of-cycle patch for the problem, a rarity by the company. "We've tested the patch and it works," Chris Astacio, manager of security research at Websense told TechNewsWorld. "It doesn't allow exploitation."
Attacks on Java are nothing new, he noted. "Java has been the No. 1 vector of attack for exploit kits," he said. "Your mass attacks are most of the time going to use Java vulnerabilities to try and drop malware on client machines."
For that reason, some security experts recommend turning off Java if you don't use it. "If you have no purpose for Java, then absolutely remove it from your computer because there have been multiple instances with Java where there have been zero days in the past," Astacio explained.
New BIOS Security Guides Proposed
New guidelines for securing the firmware that provides basic instructions to computer servers -- the Basic Input/Output System (BIOS) -- are being proposed by the National Institute of Standards and Technology (NIST), the nation's oldest physical science laboratory.
NIST adopted similar guidelines for PCs last year, but based on the comments submitted by interested parties then, it was clear servers needed their own guides, according to the author of the server proposal, Andrew Regenscheid, a math researcher and project leader at NIST's Computer Security Division.
"Servers have different architectures than laptop and desktop computers," he told TechNewsWorld.
"Servers, to facilitate management, often have other mechanisms for updating the BIOS than what laptop and desktop computers have," he added.
Processes by which a BIOS is updated are juicy targets for hackers.
Although BIOS attacks have been relatively rare in the past, they have been a source of concern in recent times, Regenscheid noted. "We're seeing more people in the security community looking at this and more attacks in the real world," he said.
NIST is collecting comments on the guidelines from the public until Sept. 14. Final guides are expected three to six months after the close of the comment period.
Are Silent Updates Secure?
From now on, the Mozilla Foundation's Firefox browser will update itself silently in the background on its users' computers. While the feature may be considered a convenience to individual users, it may present some problems for organizations.
Critics contend that many enterprise systems will have to be reconfigured to accommodate background updating, which creates a danger that hackers could subvert the update system and gain backdoor access to the computers on the system.
Mozilla Partner Channel Manager Kev Needham discounted those concerns to TechNewsWorld. "Additionally, Enterprise IT groups that need to control updates usually distribute a custom build of Firefox," he said.
Silent updates after initial user approval are becoming more common, according to Philip Lieberman, CEO of Lieberman Software. "This trend does make sense since most users are not in a great position to make these decisions, and turning off updates can be pretty terrible for them," he told TechNewsWorld.
- Aug. 28: The University of Rhode Island shut down a College of Business Administration server after personal information of more than 1,000 faculty and students was compromised. Information included names, birth dates, Social Security numbers and some compensation information of faculty members.
- Aug. 29: A federal court rejected BancorpSouth's argument that a customer, Choice Escrow and Title, was at fault for a data breach that resulted from $440,000 being siphoned from company's account because it allowed hackers to obtain legitimate login credentials.
- Aug. 29: Raynaldo Rivera, 20, an alleged hacker involved in the 2011 Sony Pictures data breach, was arrested by the FBI. Rivera faces a maximum sentence of 15 years in prison for the Lulzsec attack that Sony says cost the company $600,000.
- Aug. 30: Cancer Care Group reported sensitive information on 55,000 patients may have been compromised when backup media in a laptop bag was stolen from an employee's car in July. Information included patient names, addresses and some details of treatment.
- Aug. 31: Data breaches among public sector organizations in the United Kingdom increased to 188 in 2012 from 11 in 2007, according Freedom of Information data obtained by Imation. Total breaches for all sectors for 2012 is currently 821, the company reported.
- Sept. 12-14: UNITED (Using New Ideas to Empower Defenders) Security Summit. Grand Hyatt, San Francisco. Registration: $1,395.
- Sept. 27: Foundational Cyberwarfare (Plan X) Proposer's Day Workshop. 9 am -- 4 pm ET. DARPA Conference Center, 675 N. Randolph Street, Arlington, Va. Closed to media and public. Unclassified session in the morning. U.S. DoD Secret clearance needed to attend afternoon session.
- Oct. 1: Launch of S&TI Flash Traffic, a monthly summary of R&D activities for 14 high risk nation states -- states with high levels of hacker activity or acts of cyber espionage -- published by Taia Global. Annual subscription: $250 until Oct. 1; $500 thereafter.
- Oct. 9-11: Crypto Commons. Hilton London Metropole, UK. Early bird price (by Aug. 10): Pounds 800, plus VAT. Discount registration (by Sept. 12): Pounds 900. Standard registration: Pounds 1,025.
- Oct. 16-18: ACM Conference on Computer and Communications Security. Sheraton Raleigh Hotel, Raleigh, N.C.
- Oct. 18: Suits and Spooks Conference: Offensive Tactics Against Critical Infrastructure. Larz Anderson Auto Museum, Brookline, Mass. Attendance Cap: 130. Registration: Super Early Bird, $195 (by Aug. 18); Early Bird, $295 (by Sept. 18); Standard, $395 (by Oct. 17).
- Oct. 25-31 Hacker Halted Conference 2012. Miami, Fla. Sponsored by EC-Council. Registration: $2,799-$3,599.