Oracle tries to be proactive about its Java security updates
It would appear that Oracle is trying hard to be more proactive about Java security across its IT solutions and appliances.
The software company has brought forward the timetable of an upcoming Java security update by two weeks in order to block off a new security hole recently discovered.
The security update, originally scheduled for February 19, was released on February 1 because of active exploitation ‘in the wild’ of one of the security vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.
The update covers no less than fifty-one security holes, forty-nine of which are remotely exploitable. To be sure, twenty-seven of the security flaws carry the maximum Common Vulnerability Scoring System (CVSS) risk score of 10.
The latest official versions are Java 7 Update 13 and Java 6 Update 39. This month also marks the end of life of Java 6.
Despite the update, many security experts continue to advise against installing the Java plug-in in browsers. If users do need Java applets for certain sites, or for internal applications, then these should be accessed using a second browser that is not used for day-to-day surfing.
The overall security implications of Oracle’s new Java security update can be found in a blog post by Paul Ducklin of Sophos on their site.
In other internet security news
Twitter was very busy last night resetting passwords and revoking cookies, following a serious security breach that may have leaked the account data of about 250,000 users.
“Last night, we detected some very unusual access patterns that led us to identify unauthorized access attempts to Twitter user data,” said Bob Lord, Twitter’s director of information security.
According to Lord, Twitter was able to fully shut down the attack within moments of discovering it, but not before the attackers were able to make off with what he calls “limited user information,” including usernames, email addresses, session tokens, and encrypted passwords.
The encryption on such passwords is generally difficult to crack – but it’s not impossible, particularly if the attacker is familiar with the algorithm used to encrypt them, suggesting that it may have been an inside job.
As a precaution, Lord says Twitter has reset the passwords of all 250,000 affected accounts – which, he observes, is just “a small percentage” of the more than 140 million Twitter users worldwide.
If yours is one of the accounts involved, you’ll need to enter a new password the next time you log in. Lord reminds all Twitter users to choose strong passwords – he recommends 10 or more characters, with a mix of letters, numbers, and symbols – because simpler passwords are easier to guess using brute-force methods.
In addition, he recommends against using the same password on multiple sites. Lord says Twitter’s investigation is ongoing, and that it’s taking the matter extremely seriously, particularly in light of recent attacks experienced by The New York Times and The Wall Street Journal.
“This attack wasn’t the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the internet safer for all users,” Lord added.
Although the attack took place last night, it seems to have no relationship to the outage that took Twitter offline for several hours on Thursday.
However, Lord’s revelations do make rather cryptic mention of the U.S. Department of Homeland Security’s recent recommendation that users disable the Java plug-in in their browsers.
He mentions Java twice, in fact. While it’s true that the Java plug-in contains multiple known vulnerabilities and that numerous security experts have warned that it should be considered unsafe, the connection between Java and the attack Twitter experienced isn’t clear, and Twitter reps didn’t respond to our request for clarification.
In other internet news
About 71.2 percent of all exploit kits that attempt to inject malware into internet surfers’ computers were developed in Russia, and about 51.8 percent exploit rather older operating system vulnerabilities.
To be sure, Blackhole 2.0 is the most often used hacking rootkit, installed on thousands of websites to attack and takeover visitors’ computers.
However, it targets fewer software security holes than rival cybercrime kits. That’s according to a fresh report by managed security firm Solutionary.
Contrary to the widespread hype that exploit kits target freshly disclosed, unpatched flaws in products, Solutionary found that the large majority (59 percent) of exploited security vulnerabilities were more than two years old.
The company reviewed 26 commonly used malware kits and discovered code abusing security bugs dating as far back as 2004, evidence that older vulnerabilities continue to be mined for profit by cybercrooks.
Typically, criminal hackers compromise otherwise perfectly legitimate websites to plant hacking toolkits and distribute fake antivirus software, banking Trojans and other bad code.
Researchers at the security firm concluded that antivirus products cannot detect more than about 64 percent of the malware being distributed, a finding that’s likely to be controversial in more ways than one.
The practical upshot of all this is that system admins would be wise to regularly update their servers, especially Windows Server 2003, 2008 and 2012, as well as Adobe Flash, web browsers and Java, rather than rely on security scanners to block any attacks that come their way.
“Exploit root kits largely focus on targeting end-user applications,” said Rob Kraus, a director of security research at Solutionary. “As a result, it’s absolutely critical that organizations pay close attention to security patch management and endpoint security controls in order to significantly lower the likelihood of a server compromise.”
In other internet security news
A large group of activists, privacy organizations, journalists and others have called upon Microsoft to be more forthright about when, why, and to whom it discloses its data about Skype users and their communications.
In an open letter published yesterday, the activist coalition argues that Microsoft’s statements about the confidentiality of Skype conversations have been “persistently unclear and confusing,” casting doubt on the security and privacy of the Skype platform.
“Many users of the platform rely on Skype for so-called ‘secure communications’ – whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends,” the letter explains.
Among the group’s numerous concerns is that although Skype was founded in Europe, its acquisition by a U.S.-based company may mean it is now subject to different eavesdropping and data-disclosure requirements than it was before.
The coalition group claims that both Microsoft and Skype have refused to answer several questions about what kinds of user data the service retains, whether it discloses such data to governments, and whether Skype conversations can be intercepted in any manner.
The letter calls upon Microsoft to publish a regular transparency report outlining what kind of data Skype collects, what third parties might be able to intercept or retain, and how Skype interprets its responsibilities under the laws that pertain to it.
Additionally, it asks for quantitative data about when, why, and how Skype shares data with third parties, including governments.
As the letter points out, several other companies already provide such reports, including Google, Twitter, and Sonic.net. Google’s most recent report showed that government requests for user data from online companies have increased 70 percent since mid-2010.
Microsoft acquired Skype in 2011 for $8.5 billion and has since been working to make the service a key pillar of its communications strategy. Most recently, Microsoft announced that it would shut down its Windows Live Messenger service in March and urged all current Messenger users to switch to Skype.
As could be expected, Microsoft’s strong-arm tactics haven’t pleased Messenger fans, but they’ve impressed privacy advocates even less, given the ambiguity about what information Skype discloses.
“On the eve of Microsoft’s integration of Skype into many of its key software and services, the time has come for the company to publicly document Skype’s security and privacy practices,” the open letter reads.
The letter is co-signed by a total of 61 individuals and 45 organizations, including such groups as the AIDS Policy Project, Cyber Arabs, DotConnectAfrica, the Egyptian Initiative for Personal Rights, the Electronic Frontier Foundation (EFF), Reporters Without Borders, the Thai Netizen Network, and the Tibet Action Institute.
“Microsoft has an ongoing commitment to collaborate with advocates, industry partners and governments worldwide to develop solutions and promote effective public policies that help protect people’s online safety and privacy,” the company said in an emailed statement.
In other internet security news
Kaspersky Labs said today that it has discovered yet another global spying campaign that targets numerous governmental agencies, political groups, universities and research institutions.
Kaspersky and a number of Cyber Emergency Response Teams (CERTs) discovered the malware, known as ‘Rocra’ or ‘Red October’, which is on the same level as the memorable ‘Flame’ malware and mostly targets institutions based in Eastern Europe, former USSR members and countries in Central Asia.
Kaspersky Labs says that Red October has been gathering a lot of data and intelligence from “mobile devices, computer systems and network equipment” and is currently still active. Data is gathered and sent to multiple command-and-control servers which the security firm says rivals the complex nature of Flame.
The malware is sent via a spear-phishing email which, according to Kaspersky, targets carefully selected victims within an organization such as a government agency. The infected attachments contain at least three different exploits for Microsoft Excel and Word; once opened, they drop a trojan on the affected computer, which then scans the local network or the PC’s hard drive to detect whether any other devices are vulnerable to the same security hole.
By simply dropping modules that can complete a number of tasks, usually as .dll libraries, an infected computer obeys various commands sent by the command center and then immediately discards the evidence.
Separated into “persistent” and “one-time” tasks, the malware is able to spy and steal in a number of ways, including:
Waiting for an MS Office or PDF document and executing a malicious payload embedded in that document
Creating one-way covert channels of communication
Recording keystrokes and taking screenshots
Retrieving e-mail messages and attachments
Collecting general software and hardware environment information
Extracting browsing history from Chrome, Firefox, IE and Opera
Saving passwords
Extracting Windows account hashes
Extracting Outlook account information
Performing network scans, then dumping configuration data from Cisco devices when available
Some .exe tasks remain on the system while waiting for the correct environment, for example waiting for a phone to connect. Microsoft’s Windows Phone 8, Nokia smartphones and even the iPhone are all said to be vulnerable.
Engineered specifically to steal encrypted files and even those that have been deleted from a victim’s computer, the malware — named after the novel and film “The Hunt for Red October” — has several key features which suggest it may be state-sponsored, although there is no official word on this yet.
And it gets worse. A lot worse… Among some of the features of Red October, there is a resurrection module within the malware which keeps the infection hidden and disguised as a plugin for a program such as Microsoft Office, which can then reincarnate the infection after its removal.
Additionally, Red October doesn’t simply focus on standard computers, but is also able to infect and steal information from mobile devices, hijacking information from external storage drives, accessing FTP servers and stealing information from a number of email databases.
In order to control the network of infection, Kaspersky says that over sixty domain names and several different servers, hosted in various countries, are employed. In order to keep the main command center secret, the C&C infrastructure works as a huge network of proxies.
Kaspersky believes that the cyberattackers have been active for at least five years, based on domain name registration dates and various timestamps, and the firm “strongly believes” that the origins of the malware are Russian.
This high-profile network may suggest that state sponsorship could be involved. As Kaspersky Labs notes: “The data stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states.”
“Such data could be traded in the underground and sold to the highest bidder, which can be of course, anywhere. Any information harvested, including stolen credentials or confidential data, is stored for later use. For example, if an attacker needs to guess a password in another location, it is possible that harvested data could provide clues, creating an espionage network full of intelligence that hackers can refer to in need,” says Kaspersky.
After at least five years of activity, Kaspersky believes that at least 5 terabytes of confidential information could easily have been stolen.
“Since 2008, the attackers collected information from hundreds of high profile victims although it’s unknown how the data was used so far. However, it’s possible that the information was sold on the black market, or used directly,” Kaspersky warns.
The large majority of infections are based in Russia, although Kazakhstan, Azerbaijan, the U.S. and even Italy have all reported a few cases already. The exploits also appear to have Chinese origins, whereas the malware modules may have a Russian background.
Red October was first brought to Kaspersky’s attention in October 2012 after a tip from an anonymous source. A full report on the spying campaign is due to be published this week. We will keep you posted.
In other internet security news
The political and hacktivist collective Anonymous managed to hack into some of MIT’s websites earlier this morning in protest against the role computer crime laws and U.S. prosecutors may have played in the suicide of Aaron Swartz on Friday.
Twenty-six-year-old Internet activist Aaron Swartz was found hanged in his apartment in New York on Friday, having taken his own life at such a young age. He was under indictment for computer and wire fraud, facing fines and over thirty years in federal prison, and some are now blaming strict computer laws and the U.S. justice system for his untimely death.
Anonymous posted its message in red on a black background, claiming that Swartz’s prosecution was unjust and his actions were political activism, not criminal activities.
“Whether or not the government contributed to his suicide, the government’s prosecution of Swartz was a grotesque miscarriage of justice, a distorted and perverse shadow of the justice that Aaron died fighting for,” the message read.
“The situation Aaron found himself in highlights the injustice of U.S. computer crime laws, particularly their punishment regimes and the highly-questionable justice of pre-trial bargaining. Aaron’s act was undoubtedly political activism, and it had some very tragic consequences: his own death.”