To Java or Not to Java

This week, discussions of Java and its latest security flaw have dominated information security circles. It’s not often that the U.S. Department of Homeland Security tells users point blank to temporarily disable Java in their web browsers. As one would expect, every blogger seems to have an opinion, and they range from “the sky is falling” to “DHS is over-reacting.” Standing out from the crowd, Brian Krebs deserves kudos for his solid, well-researched article on the issue.

So what’s my take on it?

First of all, there are three reasons that DHS may have made such a strong recommendation:

  1. Their intelligence may indicate that the vulnerability is (or has the potential to be) exploited so frequently that it is a legitimate national security concern;
  2. They may be over-reacting; or,
  3. They may be frustrated with Oracle and applying pressure to fix Java.

While I don’t know what intelligence they have, I’d bet on a combination of 1 and 3.

For exploitation to occur, a user has to visit a web site containing the malware. Those at highest risk are those who visit marginal web sites looking for porn, music, movies, and other material to download. However, malware may also be left on compromised legitimate web sites, and users may be directed to malware-laden sites through phishing-like emails. To some degree, we are all at risk.

So the question users face: To Java or not to Java?

At the risk of stating the obvious, if you don’t really need Java, uninstall it completely from your computer. Java has a poor security record. There is simply no point in having it installed if you don’t need it. If you’re unsure whether you need Java on your personal computer, uninstall it anyway. It’s easy to re-install the latest version if it turns out you really need it.

If you have a genuine need for Java applications installed on your PC, disable the Java plug-in in your browser. Instructions to disable it in all browsers or selectively are here.

If you must use a web site that uses Java, the two-browser approach is likely your best bet. Note that there is no way to selectively disable Java in Microsoft Internet Explorer (one of many reasons that IE should not be your routine web browser), so your best bet is to install Google Chrome and disable the Java plug-in there. (For a shortcut, type “chrome://plugins/” into the URL box.)

On the topic of Chrome, if you prefer a more secure browser environment in general, try turning on Chrome’s “click to play” option for plug-ins. Instead of plug-ins running automatically, you’ll have to click on them to load. Some users might find it annoying, but it will stop web sites from automatically launching plug-ins, including Java. You can find the option at “chrome://chrome/settings/content”:

[Screenshot: Chrome “click to play” setting under Content settings]

*** UPDATED 2013-01-14 ***

Oracle has released an out-of-cycle update to Java to address this issue. Windows users who want the patch as soon as possible should go to Control Panel -> Java, select the Update tab, and click on “Update Now”.

Stage collapse season begins?

Last year it was a stage collapse at Ottawa Bluesfest and the Indiana State Fair.  Today the stage at Downsview Park in Toronto collapsed before the Radiohead concert.

In most Canadian cities, home owners require permits to put up fences and some types of sun decks. For example, here in Ottawa, if I want to build a deck behind my house that is more than 24 inches high, I need a permit and the deck must be inspected at three different points during construction.

We subject homeowners to these stringent requirements, even though if their deck collapses few people are likely to be affected.  Yet we apparently allow those hosting thousands at concerts to build unsafe structures.

Isn’t it about time we start taking this seriously?

Guest Post: Six Risks from Not Using Internet Monitoring Software

When you start talking about Internet monitoring software, most times you see folks divide up into two camps. The first is all for it, convinced that the company must watch what users are doing at all times to catch those who violate policy. The second considers monitoring as an infringement on their privacy, and that any Internet monitoring software can only serve to make employees feel even less trusted.

The fact is that both of these camps are extreme, if opposite, and both are wrong. Internet monitoring software is an effective and invaluable solution for protecting users from many of the dangers associated with accessing the Internet. The protections that Internet monitoring software offers can all be deployed without having to log a single user’s web access. Sure, Internet monitoring software can be used to maintain logs and provide reports of a user’s surfing if you wish, but that is something a company would choose to do for a specific issue, not a part of the protections that it so desperately needs. With all the threats present on the Internet today, let’s look at the top six risks to your company that come about from not using Internet monitoring software:

1. Malware

Malware can cause all kinds of problems if it infects a machine, from lost productivity and downtime, to larger compromises that back door programs can provide to attackers. Malware can spread from machine to machine, and once it gains a foothold within a company, it can take down an entire site whether by infecting all the other machines, or simply because the network team takes a location down to prevent the infection from spreading to other sites. Users can be exposed to malware by downloads of files, or by accessing compromised sites. Internet monitoring software can block access to sites known to be hosting malware, and can also scan all file downloads to be sure they are safe.

2. Time wasted

I will never advocate that you cut users off from personal access to the Internet. As long as the office can interrupt their evenings or weekends, some personal use should be tolerated in the interests of fairness and morale. But the Internet can also be a huge time sink, and many users can hit a site with the intention of no more than a quick check-in, to find 45 minutes later that they are late for a meeting. Internet monitoring software can help control access to non-business sites, and limit the time spent surfing for fun.

3. Bandwidth consumption

Internet monitoring software can help to control access to high-bandwidth services, ensuring that there is enough bandwidth available for customers to reach your website and for email to flow. You don’t want your ecommerce site to be slow to respond because too many users are streaming movies.

4. Data leakage

Whether it’s Wikileaks, peer-to-peer networking, personal web mail services, or your competitor’s portal, you don’t want users forwarding or posting confidential information from your business to outside sites. Internet monitoring software can block access to these services, helping to enforce policy and keeping sensitive information inside.

5. Legal action

A user on your network downloads a pirated movie from one of those sites. The MPAA tracks the download to your network. Who do you think is going to be the target of a settlement offer, or worse, a lawsuit? What users do on their own time and with their own equipment is their business; what they do with the company’s computer on the company’s network is yours. Internet monitoring software can prevent users from stepping on the wrong side of copyright while on the clock, which protects the business from any consequences.

6. HR issues

Again, what a user does at home is their own concern, but there are plenty of things on the web that have no reason for a user to access while at the office. Some users are more sensitive to questionable content than others, and the last thing anyone wants is for one employee to feel threatened or offended by the actions of another. Internet monitoring software can protect users from accidentally clicking the wrong link, which protects everyone from having a sit down with HR.

Remember, using Internet monitoring software doesn’t mean you have to be big brother or play the role of the Internet police officer to protect your users. Internet monitoring software can provide protections while maintaining the anonymity of your users and keeping their individual web browsing habits private. Adding these protections makes good business sense, and can be done without making users think that they are untrusted, or being spied upon. Look at Internet monitoring software as the next layer of your defense in depth strategy.

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about why you need Internet monitoring software.

All product and company names herein may be trademarks of their respective owners.
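The guest post’s central technical claim is that a web filter can block malware hosts, non-business categories and bad downloads without recording who browsed where. The following is an added example written for this page (it is not code from the guest post, from GFI Software or from any product) showing one way to structure such a policy engine: verdicts are decided per request, but only aggregate counts per verdict and category are retained. All host names, categories and the “known bad” download hash are constructed sample data, and the function names are this example’s own.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# --- Constructed sample policy data (hypothetical, not real threat intel) ---
MALWARE_HOSTS = {"malware.example", "evil-downloads.test"}
CATEGORY_OF_HOST = {
    "video.example": "streaming",
    "share.example": "file-sharing",
    "webmail.example": "personal-webmail",
    "intranet.corp.example": "business",
}
BLOCKED_CATEGORIES = {"streaming", "file-sharing", "personal-webmail"}
# Hash of a constructed "known bad" download sample; a real deployment would
# feed this set from an AV engine or threat feed rather than hard-coding it.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZ constructed-malicious-sample").hexdigest(),
}


@dataclass
class Verdict:
    allow: bool
    reason: str
    category: str


@dataclass
class FilterStats:
    """Aggregate counters only: no user, client address or URL is retained,
    which is what lets the filter protect users without logging their surfing."""
    by_reason: Counter = field(default_factory=Counter)
    by_category: Counter = field(default_factory=Counter)

    def record(self, verdict: Verdict) -> None:
        self.by_reason[verdict.reason] += 1
        self.by_category[verdict.category] += 1


def normalize_host(url: str) -> str:
    """Return the lower-cased host without port or trailing dot, or "" when the
    URL has no usable host (malformed input is treated as a parse failure)."""
    try:
        host = urlsplit(url).hostname
    except ValueError:          # e.g. an unbalanced IPv6 bracket
        return ""
    return (host or "").rstrip(".").lower()


def _suffixes(host: str):
    """Yield the host, then each parent domain, so that a rule for
    'malware.example' also covers 'cdn.malware.example'."""
    parts = host.split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def category_for(host: str) -> str:
    """Most specific category match wins; unknown hosts are 'uncategorized'."""
    for suffix in _suffixes(host):
        category = CATEGORY_OF_HOST.get(suffix)
        if category:
            return category
    return "uncategorized"


def check_url(url: str, stats: FilterStats) -> Verdict:
    """Decide whether a request to `url` is allowed under the sample policy."""
    host = normalize_host(url)
    if not host:
        verdict = Verdict(False, "malformed-url", "unknown")
    elif any(suffix in MALWARE_HOSTS for suffix in _suffixes(host)):
        verdict = Verdict(False, "malware-host", "malware")
    else:
        category = category_for(host)
        allowed = category not in BLOCKED_CATEGORIES
        verdict = Verdict(allowed, "allowed" if allowed else "blocked-category", category)
    stats.record(verdict)
    return verdict


def check_download(data: bytes, stats: FilterStats) -> Verdict:
    """Hash a completed download and block it if the hash is on the bad list."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        verdict = Verdict(False, "malware-download", "download")
    else:
        verdict = Verdict(True, "allowed", "download")
    stats.record(verdict)
    return verdict


if __name__ == "__main__":
    stats = FilterStats()
    for sample in ("http://cdn.MALWARE.example/payload.exe",
                   "https://video.example.:443/watch",
                   "https://intranet.corp.example/",
                   "https://www.example.org/"):
        v = check_url(sample, stats)
        print(f"{'ALLOW' if v.allow else 'BLOCK'} {v.reason:17} {sample}")
    check_download(b"MZ constructed-malicious-sample", stats)
    # Only aggregates are reported; nothing ties a verdict back to a user.
    print(dict(stats.by_reason))
```

The host normalisation matters in practice: mixed case, a trailing dot or an explicit port would otherwise slip past a naive string comparison, and matching on parent-domain suffixes means a single rule covers the subdomains a malicious host is usually served from. Per-user reporting, if a company ever chooses to enable it for a specific issue, would be a separate, deliberately switched-on sink rather than a side effect of the protection itself.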

Blame it on Amazon?

With Sony’s PlayStation Network offline since April 20 following what is being called the second largest breach in history, there has been plenty of time for rumours, speculation, and red herrings. The latest is Bloomberg’s report:

“Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from there, said the person, who requested anonymity because the information is confidential. The account has been shut down, the person said.”

While it’s mildly interesting that criminals chose to use Amazon servers, it’s not really surprising. Amazon Web Services offers great services at good prices and attracts a wide range of customers – individuals, small businesses, and large enterprises all leverage its services. Given the alleged sophistication of the attack, EC2 is simply an obvious choice.

While a shift in attention to Amazon might be good for Sony, we should expect criminals to use EC2 like everyone else. Criminals also use rental vehicles, disposable mobile phones, and WiFi hotspots. They probably even purchase their computers at the same places we do.

The Sony PlayStation Network data exposure has two causes:

  • Security deficiencies at Sony. While we don’t know what the specific weaknesses were, the fact that information on PlayStation Network customers – including credit card information – was stolen across the Internet would make it pretty difficult for Sony to convince us that they had appropriate security controls in place.
  • The criminals. Let us not forget that Sony was the victim of a crime.

Like the TJ Maxx breach, the Sony security breach should be a wake-up call. Consumers often feel safer dealing with larger, more established companies. But it appears that some of them don’t have security right yet.

We also need to understand that tracking down cyber criminals is becoming increasingly difficult. Cloud-based services aren’t anonymous – while false identities can be used, criminals still need to connect to the cloud-based service from somewhere. However, with the widespread proliferation of free WiFi hotspots, disposable mobile phones and data devices, we need to accept that tracing an attack back to its source may not be possible, that more traditional investigation methods – like following the money trail – remain important, and that investigative techniques must be constantly updated.

I’m sick of HBGary

I’ll admit it. I spoke about the HBGary hacks during a guest lecture I gave at Carleton University last week. But in all honesty, I’m getting sick and tired of hearing about them. Journalists keep focusing on the wrong issues, and people need to understand that many decisions – even in so-called security companies – are often not made by security professionals. Just because a company employs “security experts” doesn’t mean it consults them on internal matters. In my experience the opposite is often the case, and the shoemaker’s children proverb applies.

From a technical perspective, the root cause of the initial security breach was poor software design, poor implementation, and inadequate testing. It’s an industry-wide problem that won’t change until customers demand better software and are willing to pay for it. Things got worse because the folks at HBGary appear to have ignored basic and well-understood best practices with regard to passwords.

However, let’s not ignore the other root cause.  While it doesn’t justify criminal behaviour, let us not forget that HBGary, in an apparent attempt to obtain publicity for themselves, allegedly did the cyber equivalent of visiting the nearest biker hangout to announce, “Just want to let you know we’re going to screw with you in the media tomorrow, but don’t worry, we’re only going to screw with you a bit.” Or, if you prefer a different analogy, they kicked the hornet’s nest without wearing the customary protective equipment.

As security pros dealing with people allegedly responsible for hacking and denial of service attacks on major companies, HBGary must have expected probes of their systems and, at minimum, a distributed denial of service attack. They reportedly kicked the hornet’s nest deliberately and intentionally. It leaves me wondering if becoming a victim was part of their publicity strategy. Getting yourself hacked would certainly be a bold publicity stunt for a security company, but it wouldn’t be the stupidest thing I’ve seen either.
