Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
Well, yes .... but.
"Once the hacker gained access to Honan's iCloud account, he or she
was able to reset his password, before sending the confirmation email
to the trash. Since Honan's Gmail is linked to his .mac email address,
the hacker was also able to reset his Gmail password by sending a
password recovery email to his .mac address.
Minutes later, the hacker used iCloud to wipe Honan's iPhone, iPad
and Macbook Air remotely. Since the hacker had access to his email
accounts, it was effortless to access Honan's other online accounts
such as Twitter."
Every new technology has people, the pioneers, who buy into the vendors' hype ... and pay a price for that.
We should learn from them.
- Hard-Learned Lessons from the Honan Hack (lumension.com)
- 60-minute Security Makeover: Prevent Your Own 'Epic Hack' (pcworld.com)
- Former Gizmodo writer Mat Honan's hacked iCloud password leads to nightmare (nextlevelofnews.com)
- Apple Flooded with iCloud Password Reset Requests Amid Tightened Account Security Controls (macrumors.com)
- How Secure Is the Cloud, Really? (technewsworld.com)
From the "left hand doesn't know what the right hand is doing" department:
Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be "hard-pressed" to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.
Well, let's leave the vested interests of security sales aside for a moment.
I recently read an article about the "IT Doesn't Matter" thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don't fully utilise their resources, don't fully understand the capabilities of the technology they have, and don't follow good practices (never mind good security practices), this is all a moot point.
At one level there's the old argument about disclosure of security holes, but this is also an example of 'driving' security improvement.
- How a trio of hackers brought Google's reCAPTCHA to its knees (arstechnica.com)
- Google's reCAPTCHA briefly cracked (h-online.com)
- How Hackers Nearly Took Down Google's ReCaptcha System (gizmodo.com.au)
- How Hackers Listened Their Way Around Google's Recaptcha (tech.slashdot.org)
- How Hackers Nearly Took Down Google's reCaptcha System (gizmodo.co.uk)
I often get hit on by wannabes who want to - as they put it - "break into security" and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. The most frequent question is which certification they should get first in order to get a job. Some people seem to view certification as a job ticket because so many job postings have various certifications as a requirement.
What these people are forgetting is that a certification is there to certify you have the experience; you need the experience to get the certification.
But this goes one step beyond that. This person got a job in security through faking a complete ID, with all the supporting documentation:
Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.
Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.
He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.
That really inspires confidence in the system, doesn't it?
So what careful vetting and thorough investigation by the FBI and others uncovered this threat, a threat that could have been practised by a 'sleeper' for a terrorist organization?
Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey’s inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.
Might we suspect a disgruntled ex-lover?
Oh, right, there are so many of them, that level of investigation is impractical.
- 'Dead Man Walking' Tricks Airport into Giving Him Top Security Job (wired.com)
- Airport worker allegedly had man's ID before death (heraldonline.com)
- Illegal immigrant used stolen ID to work as airport security supervisor for 20 years (EndtheLie.com)
- Congress considers threats from airport employees (cbsnews.com)
- Nigerian Bimbo Olumuyiwa Oyewole was known by his co-workers as Jerry Thomas (luckmeister.typepad.com)
Last month, this question came up in a discussion forum I'm involved with:
Another challenge to which I want to get an answer is: do developers
always need Admin rights to perform their testing? Is there not a way to
give them privileged access and yet have them get their work done? I am
afraid that if Admin rights are given, they would download software at
their own free will and introduce malicious code into the organization.
The short answer is "no".
The long answer leads to "no" in a roundabout manner.
Unless your developers are developing admin software they should not need admin rights to test it.
This isn't news. Signature-based (and hence subscription-based, and hence that whole business model) AV is a wrong-headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update cycle model and its business premise is very like that of drug pushers.
What's that you say? Other types of AV? Like what?
Well, you could have a front-end engine that checks all downloads and all email and all email attachments and all URL responses by emulating what would happen when they run on any PC or in any browser or any other piece of software such as any of the PDF readers you use, or any of the graphical display software you use, or any of the word processors you use, or any of the spreadsheet programs you use, or any music players you use ... and so on.
Many people in the industry - myself included - have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.
Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor, which can be a good thing, and used PKI, which can also be a good thing. But both can be a problem as well: go google for the details. A local signature has advantages and its own problems.
The local signature makes things unique to each machine so there is no "master key" out there. If your private key is compromised then do what you'd do with PGP - cancel the old one, generate a new one and sign all your software with the new one.
No technical measure can overcome human frailty in this regard.
- Avira antivirus upgrade wreaks 'catastrophic' havoc on Windows PCs (techworld.com.au)
- How can We Detect Viruses Without Antivirus Software? Built In Antivirus in your Browser (shanicomputers.wordpress.com)
- Intel and McAfee unveil plans for unified security future (go.theregister.com)
- John McAfee, antivirus pioneer, arrested by Belize police (networkworld.com)
- GlobalSign Develops Free Tool to Simplify Code Signing Process (prweb.com)
- A Modest Proposal: Please Don't Learn to Code Because It Will Damage Your Tiny Brain (inventwithpython.com)
- Why Authenticity Is Not Security (leviathansecurity.com)
- Certs 4 Less Announces Support For Individual Code Signing Certificates (prweb.com)
- 'Catastrophic' Avira antivirus update bricks Windows PCs (go.theregister.com)
- Avira fixes antivirus update that crippled many PCs (neowin.net)
- Free Anti-Virus Software Fails To Charm Enterprises (informationweek.com)
- Backpack Algorithms And Public-Key Cryptography Made Easy (coding.smashingmagazine.com)
- Cryptography pioneer: We need good code (infoworld.com)
- Contrary to Popular Opinion, Encryption IS the Hard Part (blogs.gartner.com)
- Public Key Cryptography Explained (q-ontech.blogspot.com)
So do my cats. But so what?
Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apple and every tablet and smartphone? Perhaps eyeball recognition like in "Minority Report".
And I'm sure there are _other_ ways to hack that than the one mentioned in the movie.
- SSL governance and implementation across the Internet (net-security.org)
- Why change VMware default self-signed SSL certs? (longwhiteclouds.com)
- Biometric apps for Kinect: Microsoft wants to avoid creeping everybody out (geekwire.com)
So to have great (subjective) protection your layered protection and controls have to be "bubbled" as opposed to linear (to slow down or impede a direct attack).
I have doubts about "defence in depth" analogies with the military that many people in InfoSec use.
Read what they are really talking about in those military examples: it's "ablation", that is, burning up resources, like land (the traditional defence the Russian Empire used), manpower (the northern states in the US Civil War) or resources (the USA in WW2). They try to slow down a direct and linear attack, hopefully to a standstill.
As the Blitzkrieg showed in dealing with the Maginot Line, if you "go around it" the defence isn't a lot of use.
Through the ages of war and politics and empire-hood and nation-hood and tribalism we've seen many threats and attacks and subversions used.
The reality is that many InfoSec defences are more like umbrellas: they assume that the attack is coming from a particular direction in a particular form. What's needed is more like an all-enclosing "bubble" rather than something linear like the 'defence in depth' model. But that gets back to the problem of the perimeter.
Many wifi enabled devices are really "spies inside the defensive perimeter".
There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors, and as such might have subversive code hidden in it. No doubt this will come around again when journalists have nothing better to write about or the State Department needs to wave a big stick and scare the public -- its form of showing that "it's doing something".
But how can we tell? The reality is that "security specialists" are finding errors - never mind deliberately malicious code - in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find "errors" that allow subversion in mainstream IT devices like home wifi routers (aka the next generation of spambots) or home PC software (that's a no-brainer, isn't it!), never mind commercial databases?
I dedicate this to the memory of Ken Thompson
Like many forms of presenting facts, not least of all about risk, reducing complex and multifaceted information to a single figure does a disservice to those affected. The classical risk equation is another example of this: summing many hundreds of fluctuating variables into one figure.
Perhaps the saddest expression of this kind of approach to numerology is the stock market. We accept that the bulk of the economy is based on small companies, but the stock exchanges have their "Top 100" or "Top 50", which are all large companies. Perhaps they do have an effect on the economy the same way that a herd of elephants might, but the biomass of this planet is mostly made up, like our economy, of small things.
The financial loss of internet fraud is non-trivial but not exactly bleeding us to death. Life goes on anyway and we work around it. But it adds up. Extrapolated over a couple of hundred years it would have the same financial value as a World Killer Asteroid Impact that wiped out all of human civilization. (And most of human life.)
A ridiculously dramatic example, yes, but this kind of reduction to a one-dimensional scale such as "dollar value" leads to such absurdities. Judges in court cases often put dollar values on human life. What value would you put on your child's?
We know, based on past statistics, the probability that a US president will be assassinated. (Four in 200+ years; more if you allow for failed attempts). With that probability we can calculate the ALE and hence what the presidential guard cost should be capped at.
Sometimes I wonder why we bother ...
"If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone," the Sony executive said.
"By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all," he said.
It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.
- Sony backs U.S. cybersecurity legislation (canada.com)
- DOD Website Sells Public On Cybersecurity Strategy (informationweek.com)
- Companies To Spend $130 Billion On Cybersecurity In 2011 (teamshatter.com)
- Obama to Introduce Cybersecurity Proposal (circleid.com)
- White House to unveil cybersecurity proposal (theglobeandmail.com)
- What do we need to do to reach "cybersecurity awareness"? (nakedsecurity.sophos.com)
- White House Cybersecurity Plan: What You Need To Know (huffingtonpost.com)
- Microsoft Endorses White House Cybersecurity Plan (blogs.wsj.com)
Does LulzSec's nonstop hacking campaign, and apparent success at taking
down everyone from Sony to the U.S. Senate, point to fundamental flaws
in website security? "One of the assertions made by the recent run of
high profile attacks was that all networks are vulnerable, and the
groups behind these attacks either had or could have access to many more
systems if they wish," said the SANS Technology Institute's Johannes B.
Ullrich in a blog post. "I would like to question the conclusion that
recent attacks prove that all networks are vulnerable, as well as the
successful attacks [prove] a large scale failure of information security."
I think this so misses the point.
Everybody, every site, every business, every government *is* vulnerable to something, somewhere, sometime.
I'm reminded of the IRA's statement to Margaret Thatcher:
We only need to be lucky once.
You need to be lucky every time.
Times change. New exploits are uncovered. Every patch and upgrade may - will? - introduce a new vulnerability. Changes in staff; changes in configuration and facilities. Changes, changes, changes.
If you think you can secure your system once and be done then you are, at best, fooling yourself, and more realistically acting in a socially irresponsible manner. We are forever lagging behind, and the evidence is that we are lagging further and further behind.
The fact that so many sites are vulnerable, that even PCI:DSS "certified" sites get hacked, and more, *DOES* at least _demonstrate_ "a large scale failure of information security".
Some people are under the mistaken impression that a Pen Test simulates a hacker's actions. We get ridiculous statements in RFPs such as:
The tests shall be conducted in a broader way like a hacker will do.
LOL! If a real hacker is doing it then it's not a test.
Seriously: what a hacker does might involve a lot more, a lot more background research, some social engineering and other things. It might involve "borrowing" the laptop or smartphone from one of your salesmen or executives.
Further, a real hacker is not going to be polite, is not going to care about what collateral damage he does while penetrating your system, what lives he may harm in any number of ways.
And a real hacker is not going to record the results and present them in a nicely formatted Powerpoint presentation to management along with recommendations for remediation.
On one of the lists I subscribe to I saw someone make this alarming comment:
There may be better and cheaper ways, but I suspect that an outsider
walking in and gaining root on your core database is much more
convincing than an auditor pointing out the same vulns.
That is a very sad situation to be in, since it
- shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
- has no guarantees about what collateral damage the outsider had to do to gain root.
- says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
- indicates that your management doesn't understand or make use of a proper development-test-deployment life-cycle
Yes, it is more dramatic, in the same way that Hollywood movies are more dramatic.