100 Million Systems Vulnerable to Java Flaw
As many as 100 million computers may be vulnerable to unauthorized access via a flaw in Oracle's Java software. "The time of Java in the Browser has ended," said AlienVault Labs Manager Jaime Blasco. "The best defense we have right now for these kinds of attacks is to disable Java in the browser forever."
01/14/13 6:00 AM PT
A zero-day flaw in Oracle's Java programming language could make as many as 100 million computers connected to the Internet vulnerable to attack by cybercriminals.
The threat posed by the Java vulnerability was considered so serious that the U.S. Department of Homeland Security urged computer users to turn off Java on their machines.
The vulnerability discovered last week by security researchers exploits a flaw in version 7 rev. 10 and has already begun appearing in major kits used to create malware packages. It can be exploited to plant malware on PCs.
Of the 3 billion devices running Java, about 13 percent are running the flawed version of the software, said Bogdan Botezatu, senior e-threat analyst with Bitdefender. Of those systems, he estimates some 100 million are running Microsoft Windows and are connected to the Internet.
"Given the next patch cycle for Java is scheduled for February 15th, there's a large window for end users to be unprotected," Botezatu told TechNewsworld.
Oracle has a big problem with Java, especially when it comes to using it in a browser, AlienVault Labs Manager Jaime Blasco told TechNewsWorld. "The time of Java in the Browser has ended. The best defense we have right now for these kinds of attacks is to disable Java in the browser forever."
With the continued discovery of flaws in Java, Oracle is risking the technology's place in the enterprise, said HD Moore, chief security officer at Rapid7.
"The latest set of Java sandbox escape vulnerabilities demonstrate how far behind the platform is relative to other client-side technologies, such as Flash and SilverLight," Moore told TechNewsWorld. "Oracle must overhaul the Java security model or risk banishment from the corporate desktop."
Oracle declined to comment for this story.
Sharks, Vending Machines And Enterprise Security
What do sharks and vending machines have in common with enterprise security? More than you might think, if you listen to Rafal Los, senior security strategist at HP.
Los is a fan of Steven D. Levitt and Stephen J. Dubner, the University of Chicago economist and New York Times journalist whotogether in 2005 penned "Freakonomics," a series of essays on topics like cheating as applied to teachers and sumo wrestlers, information control as applied to the Ku Klux Klan, and real estate agents and the socioeconomic patterns of naming children.
Levitt's and Dubner's approach to critical thinking inspired Los to apply that approach to the world of enterprise security. "It made me think about what people are afraid of versus what they should really fear," he told TechNewsWorld.
It's then that Los came across a charming statistic for a Freakonomics fan. The odds of being killed by a shark are one in 250 million. By contrast, the chances of being killed by vending machine is roughly one in 112 million.
"We feel we've got to chase the next big hairy monster because that's what's got the CEO's attention at the moment," he observed. "When that scariness wears off, we're off to chase the next big scary thing. We have ADD in a horrible way."
He argued that instead of paying attention to the vending machine -- identity management, software security, good network management -- we're paying attention to the shark -- hacktivists, chaotic actors and nation-state advanced persistent threats.
RT Jailbreaking Ratcheted Up
Early in the week, a security researcher posted instructions on the Internet for altering Windows RT so it could run Windows desktop apps. Microsoft's reaction may have been more surprising than the hack itself.
"We applaud the ingenuity of the folks who worked this out and the hard work they did to document it," it declared.
Neither Microsoft nor the researcher, C.L. Roker, felt the revelation about the hack dangerous. Microsoft's relaxed attitude about the jailbreak, though, may be encouraging other hackers to follow in Roker's footsteps.
By the end of the week, a hacker with the handle netham45 had posted a tool on the Net to automate Roker's hack. One reason for Microsoft's laissez-faire attitude toward the jailbreak was the amount of tech savvy needed to implement it. Now much of that grunt work is performed by the tool.
After completing his tool, netham45 went wild and installed Windows 95 on his Surface tablet. He wasn't the only one to install a foreign operating system on Surface. Dublin hacker Steve Troughton-Smith got an old version of Apple's OS X server operating system to run on his Microsoft tablet, too.
It appears Roker has opened the flood gates for homebrew apps to start appearing on Surface. How long those gates will remain open remains to be seen.
Microsoft is laying back, for now. "We are actively investigating this and will take appropriate action as necessary," it said.
Data Breach Diary
- Jan. 7: A medical billing practice, Goldthwait Associates, and four pathology groups in Massachusetts settle for US$140,000 a lawsuit filed against them by the state attorney general for improperly disposing medical records for more than 67,000 people at a town dump. Records included names, social security numbers and medical diagnoses.
- Jan. 8: In a filing with U.S. Security and Exchange Commission, Global Payments revised costs associated with a data breach in March 2012 to $93.9 million from $84 million. Fraud costs associated with the event were also revised, to $35.9 million from $67.4 million. An estimated 1.5 million credit cards in North America were affected by the breach.
- Jan. 8: Europol reports that unreported data breaches are at the root of some of the largest credit card not present fraud cases in Europe. Such cases amounted to $1.1 billion in fraud on the continent in 2011. "A major problem in the EU is the lack of proper regulations for reporting data breaches to police authorities," the report said.
- Jan. 8: IDentity Theft 911 announces an insurance product to cover expenses associated with data breaches. Expenses covered include notifications, forensic investigations and attorney consultation costs.
- Jan. 8: State Sen. Vincent Sheheen introduces legislation apologizing to the people of South Carolina for data breach at the state's Revenue Department that resulted in 74.7GB of taxpayer and business data being stolen.
- Jan. 9: Bibb County, Ga., police report forensic experts are examining some 40 hard drives in surplus computers purchased online by BC Computer Repair in Macon after the shop discovered information on the drives that appeared to be social security numbers, pensions and other personal information of Macon police officers.
Upcoming Security Events
- Jan. 17 Hack.me: There's A Vulnerable Web App for That. Black Hat Webcast sponsored by IBM. 1 p.m. ET. Free with registration.
- Feb. 8-9: Suits and Spooks Conference: Should Private Companies Take Measured Offensive Actions against Attackers? Waterview Conference Center, Washington, D.C. Registration: $595.
- Feb. 24-25: BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco.
- Feb. 25-Mar. 1: RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: Jan. 25 and before, $1,895. After Jan. 25, $2,295.
- Mar. 12-15: Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Jan. 10, Euro 1,095 (US$1,447); through Feb. 28, Euro 1,295 (US$1,711); Mar. 1-15, Euro 1,495 ($US1,975).
- Apr. 23-25: Infosecurity Europe. Earls Court, London, UK.