The number one focus now with Java is “to get Java fixed up”. Well I guess that is reassuring, I would hope so with the start they have had this year.
I have seen a lot of commentary on this, personally I think the best thing that could be done is to put a freeze on dev. No more new features until things get worked out. I don’t know if that will be simple, it might even need the whole dev and qa process taken apart and rebuilt. I would not expect this to be done anytime soon, I think a few months is hopeful. Realistically I think it will be more then six.
I was offline for a bit but while I was away Kim Dotcom’s replacement of Megaupload has launched.
I never had an account on the previous version, but I did use it multiple times to receive files. I was a little upset when it was taken down, admittedly there was content on it that was illegal but there was far more that was not.
There is also much discussion around the encryption scheme that is being used.
If you have the ability to go through historical web logs this will be fairly easy for you and should give a limited number of false positives in your firewall.
What you are looking for is the Java user agent. We can get two things with this, by examining the useragent string we can identify machines with outdated installations that require updating. We can also identify the sites that our Java installations have been talking to, this is the primary thing that I am looking for right now.
Depending on what you are working with you can create a firewall policy that will inspect your HTTP traffic looking for something like a “Java/1.X.X_0X” User-Agent. When it matches the User-Agent we next want it to check if that is going to one of our known addresses, if it is we want it to allow. If not it should be blocked and logged so it can be reviewed to see if it is a false positive or if the workstation requires further investigation.
If you are not logging all of your web traffic try using access your needed applications from a machine running Wireshark, you can start building a list of IP’s that you need to allow access for.
In part 3 I will cover disabling the Java web browser link.
So what do you do with Java in your environment?
I would think that if you have it installed it is there for a very good reason. There is an application that is needed by the business that requires it.
Uninstalling Java will eliminate the risk from your environment but it will also stop people from working. Keeping it up to date is a good start but that is not going to protect you from from what happen this past weekend.
I have had a couple of ideas of this;
- In most cases while some of the users require access to Java, not everyone does. With the newer versions it is possible to remove the browsers access to Java. This should help to reduce your attack surface, using registry snap shot tools I was able to create a set of reg files that will either enable to disable this like to all of the applicable browsers. The main issue with this is that it will not take effect until the browser has been restarted. Attaching these processes to the login of the users that need it by GroupPolicy will allow their Java to be ready for those who need it, and for those that don’t it will appear that they don’t have it installed. I am going to cover this in a more detail in another post, and I might share what I have created but at minimum I will show you how to make your own.
- The users that need Java will only need to use it on specific sites, there may only be a few sites so what if we can limit where Java can go? This is where having your historical logs really can show value. I am going to cover this here in part 2.
Right now the best course of action is to remove it completely.
There is reports that it is in active use and already integrated with multiple exploit packs.
If you absolutely need to have java installed there is several methods to have it detach from your internet browser. Check the bottom of the previous link, here is IE specifically.
This is an older case and I heard that they do not just just produce this information when just a subpoena is given anymore.
Here is just the facebook related material, there is a tons of stuff in there.
The rest of the case material is here, and contains everything from what I can tell.
It’s amazing that they would had this kind of information over with just a subpoena, I wonder how that got to be a good idea?
This is the most advanced backdoor that I have seen published in a while.
This is why it is important to have multiple layers of defense and not just rely on host based detection.
This is also one of my personal interests with malware, command and control;
- In tor.
- IRC ( Which you don’t really see anymore.
- HTTP, I can’t find an example. But I know I have seen this before piggy backing out during legitimate web surfing.
This almost makes sense?!
I have to admit that I had to read it twice to make sure I was reading it correctly. While I don’t think it is the best idea for someone to joke about blowing up an airport, I think it is worse to waste the resources working on a non-threat. It’s hard to really sit on a side of the fence with this, if someone was to make an inappropriate comment about violence to me it make sense to do further investigation and not use that as the only point of prosecution.
In some cases making the threat just as you would in person can make you have a bad day or five years of bad days. In the case of Mr.Chambers, what if he had made those comments in the airport? Would that have changed the reaction to them?
Follow up from the growth of smart phone devices I mentioned in Africa, I thought this was too good not to mention.
From a company called VMK.
I like where this is going from a technology point. I think for a device like this to really take off, it needs to be cheaper and simpler. The specs on these are good, and I think the price point is reasonable too. I would be cheering if they could have manufactured this in Africa, but currently I don’t think that is practical.
I just would like to see a device with the price 50% less then this currently is, especially for the smart phone. But I think if someone could make a mobile smart phone that can retail for less then fifty or seventy-five dollars with some basic smart phone functionality, that is a device the would could really latch on to. Not necessarily a cheap smart phone, but a small portable computing device that can be used a phone if needed.
There has been increased targeted attacks against SCADA system in the last few years. It may have been due to the amount of publicity they received but until the attacks against the control systems in Iran these were not reported very often. In some cases like Stuxnet there was intense planning and multiple layers of security that needed to be defeated to get at the control system. In other cases there was not.
Control systems like this is where cyber attacks cross from the digital realm in to the kinetic space. Attacks against these systems can easily cause death and even in large scales. What would happen if the power grid was attacked in the middle of a cold snap, and that’s not even being creative. SCADA attacks are also no harder to find then regular systems.
SANS has recently launched CyberCity. A place to practice this and provide real examples of what can happen.