Category Archives: Security

aka infosec

Reminder: latest Java still vulnerable

The most up to date version of Java (7 Update 25) is vulnerable to an exploit reported to Oracle on 2013Jul18 by Adam Gowdiak of Security Explorations.

This is just the latest version-specific vulnerability in a long series of related vulnerabilities that are all based on a fundamental weakness of Java that has existed for over ten years and has yet to be properly addressed.

Oracle has assured Mr. Gowdiak that this vulnerability will be eliminated in Java 7 Update 40, to be released in September 2013. The good news is that no active exploits for this vulnerability have yet been discovered.

As always, we recommend that you use Java with caution. Disabling Java in your web browser can decrease your exposure to Java-based attacks.

Update 2013Sep11: Java 7 update 40 was released yesterday, but there do not appear to be any specific fixes for this or any other security vulnerability. Some security-related changes were made in 7u40, and those changes may mitigate the vulnerability reported by Mr. Gowdiak. We will await an update from Mr. Gowdiak for confirmation either way.

Update 2013Oct16: Mr. Gowdiak has confirmed that this issue was resolved in Java 7 Update 40.

More malicious email and web site warnings

As if you needed more reasons to be cautious when using email or browsing the web, here are two new warnings, from CERT and Malwarebytes.

According to CERT and the FBI, a new, active spear-phishing campaign is sending email to targeted recipients. This particular email purports to be from “National Center for Missing and Exploited Children” and its subject line is “Search for Missing Children”. Do not open this email or any of its attachments, which contain malware.

Malwarebytes, a respected anti-malware software vendor, recently posted a warning about fake Flash player updates that appear on some (mostly pornographic) web sites. Users are tricked into clicking a link that supposedly updates the Flash player, but actually installs malware. Once the malware is installed, legitimate web-based advertisements will be replaced by ads served by the perpetrators. The new ads are often pornographic in nature, and can appear over ads on any web site.

When Windows XP support ends…

After April 2014, it will no longer be possible to obtain security updates for Windows XP – unless you’re paying Microsoft a ton of money. This has some interesting ramifications.

Clearly, there will be renewed interest in the aging O/S as an attack target. New vulnerabilities will continue to appear, but will remain unpatched on most Windows XP computers. Tools that exploit these vulnerabilities will increase in value, resulting in a boom for anyone developing them.

Depending on how many XP systems remain after April 2014, and the number and seriousness of vulnerabilities discovered after that date, there may be some backlash against Microsoft. There may be calls to extend support for XP even further. It’s possible that as many as one third of all computers and devices will still be running XP after support expires.

If Microsoft declines to extent support, you can bet that any new patches they develop for XP will find their way into the hands of regular users through unauthorized torrents and underground web sites.

On the other hand, while keeping Windows XP patched is obviously an important part of an overall security plan, there are other ways to protect yourself. Most users these days connect to the Internet through a router/firewall, which – if configured correctly – makes it almost impossible for an attacker outside the router to identify or even detect a computer inside the router. So, while I’m not recommending that you ignore this problem (you should really upgrade to Windows 7), there may not be a reason to panic if you’re still running Windows XP next year.

Update 2013Aug21: Another ComputerWorld post on this subject, and a post from ZDNet.

Today is Patch Tueday for August 2013

It’s that time again. This month Microsoft has issued eight bulletins, with three of them flagged as Critical. The associated patches affect Windows and Internet Explorer. The August 2013 security bulletin has all the technical details. A post on the Microsoft Security Response Center has a somewhat friendlier summary. For a slightly different view of this month’s updates, check out this post on the SANS Internet Storm Center.

SANS Ouch! newsletter: Two Step Verification

This month’s Ouch! newsletter (warning: PDF) is a helpful primer on two step verification. If you have a Google account of any kind, you’ve encountered two step verification. It may seem like extra work, but it’s definitely worthwhile.

Update: Duo Security has been posting about two step verification (aka two factor authentication) a lot recently. For example: Why 2 Factor Authentication Hinges on the User Experience.

The perils of saving passwords in your web browser

Web browsers want to make your life easier, which is why they all offer to store web site userids and passwords. But if you thought this was a safe way to store passwords, you’d be wrong. Still, some browsers handle this better than others.

Lock Your Computer

First of all, regardless of which web browser you use, if a person has access to your computer while you are logged in, and you allow your browser to store passwords, you should assume that the person now knows all your web site passwords. Simple techniques can be used to trick any web browser into displaying otherwise obfuscated (e.g. ‘*****’) passwords as plain text. This is yet another reason – as if you needed one – to always lock your computer when you walk away from it. Most operating systems have a setting that locks your computer for you after a period of inactivity. This is the only way to be at all secure; access to your logged-in computer potentially gives intruders access not only to your passwords, but also to all of your documents.

Password saving features in web browsers

Given the above, does it even make sense to worry about how your web browser handles saved passwords? There are arguments for both points of view. From my perspective, security should be layered: getting past one security hurdle shouldn’t open up everything. So if you allow your browser to save passwords, you should consider using the browser’s settings to secure those passwords. The four browsers I use handle passwords with varying degrees of security:

  • Firefox: Prompts to store passwords. By default, shows your saved passwords to anyone who looks in the settings. You can set up a master password to control access to the stored passwords; you will be prompted for the master password once per session, and when you try to show your passwords.
  • Opera: Prompts to store passwords. Doesn’t show passwords anywhere. You can set up a master password to control access to the stored passwords, which you will be prompted for once per session and at set intervals.
  • Internet Explorer: Prompts to store passwords. Doesn’t show passwords anywhere. No master password.
  • Google Chrome: Prompts to store passwords. Shows passwords to anyone who looks in the settings. No master password.

Google Chrome stands out in this list, since it both shows your passwords, and has no master password feature. Elliot Kember recently wrote about this, describing Chrome’s password handling as ‘insane’. I’m not sure I would go that far, but Chrome clearly needs a master password feature.

I’d like to see all web browsers show a prominent warning to any user who uses a password saving feature: “WARNING: saved passwords can be retrieved extremely/relatively easily. Always lock your computer when you leave it unattended.”

Update 2013Aug11: Here’s Google’s response.

Update 2013Aug25: Tim Berners-Lee (the person who invented the World Wide Web) weighs in. tl;dr – he agrees that Chrome should at least have a master password.

Web advertising networks: the next malware attack vector?

Researchers speaking recently at the Black Hat Briefings in Las Vegas showed that the Javascript used by most advertising networks could be compromised by a malicious third party. The malicious code could then run in any web browser configured to allow advertising.

Hold on. Wouldn’t the people responsible for the advertising networks and the associated Javascript notice the problem and fix it? Possibly. But not always. If you’re like me, you’ve seen more than a few messed up web ads. A seriously broken web ad can prevent a web page from displaying properly or cause it to load very slowly. It’s one of the many reasons why people use script blocking technology like NoScript.

It’s difficult to predict whether malware purveyors will start using the ad networks like this. But if they do, you can bet we’ll see a surge in script and ad-blocking software installations. Since advertising is the primary source of revenue on the web, this will get the attention of the advertisers, who would hopefully then institute better quality control.