Tag: security

Oracle pushes out huge security update

Sisyphus-Image-01CDatabase outfit Oracle has pushed out a record number of patches in a security update.

Included in the patch are critical fixes for Java SE and the Oracle Sun Systems Products Suite.

All up this means that the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.

The worst of the bugs are in Java SE, Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities.

Writing in the company blog, Oracle said that out of these 19 Java vulnerabilities, 15 affect client-only installations, two affect client and server installations, and two affect JSSE installations.

The blog says that the lower number of Oracle Java SE fixes reflect the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.

While that might be true, the ton of patches in the rest of the software suggests that while Java is being closely watched, other bits are not.

In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.

The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes.

There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualisation.

UK open to security abuse

ciscologoA report from networking giant Cisco revealed that only 41 percent of UK companies have good security processes in place.
That places it well below India at 54 percent, and below the US at 44 percent and Germany at 43 percent.
But the situation is worse in Asia.  Only 36 percent of Chinese enterprises have adequate security while Japan has only 24 percent.
Cisco’s annual security review reveals that hackers are moving from compromising servers and operating systems to target individual users’ browsers and emails.
Some of the favoured techniques are Snowshoe spam, which generates many spam emails from a large range of IP addresses to avoid detection.
Attackers are also taking advantage of the relatively weak security of JavaScript and Flash by attacking both at the same time.
According to the survey, less than 50 percent of firms patch and configure systems to ensure security.
The survey canvassed executives at 1,700 companies and it appears there is a gap in perception with 75 percent thinking their security tools are very effective, while the reality is quite different.


Skeleton Key exposes password flaws

skeletonsSecureWorks, the security arm of Dell, has found malware which it has dubbed “Skeleton Key” which shows up weaknesses in the password system.

The attack consists of installing rogue software within Active Directory, and the malware then allows attackers to login as any user on the domain without the need for further authentication.

It has weaknesses as an attack vector — installation requires administrator access or a flaw on the server that grants such access.

But Skeleton Key has some interesting coding which could point to something even nastier in the future. It does not actually install itself on the filesystem. Instead, it’s an in-memory patch of Active Directory which makes detection even more difficult.

Access is not logged and the malware is completely silent and, as a result, extremely undetectable. Identifying the malware using traditional network monitoring also does not work due to the fact that Skeleton Key does not generate any network traffic.

In its current form, the malware does not survive a system reboot, which means that it has to be a continuous hack, but such things are possible, particularly if you have a disgruntled sysadmin.
Companies can also make the malware useless by having a two-factor authentication to connect to servers, VPN, email and the like. So in otherwords leaning on passwords is pretty much suicide.

Google chucks rocks in glass house

obj058aIt seems that there is a large amount of pot calling kettle black when it comes to security.

Last month, Google angered Microsoft by releasing the details of a security vulnerability ahead of Microsoft’s Patch Tuesday. Microsoft said that the patch was set to be released two days after Google went live with the details and that they refused to wait an extra 48 hours so that the patch would have been released along with the details of the exploit.

That would all be fine but Google does not have the same standards for itself. An exploit has been uncovered in Android 4.3 (Jelly Bean) – which covers roughly 60 per cent of Android’s install base, according to the Android Developer dashboard – and Google is saying that they will not patch the flaw.

The flaw, which exists in WebView impacts nearly 1 billion users, when using Google’s own numbers as a base along with Gartner figures.

To make matters worse Jelly Bean was first announced in June of 2012, which means that Google is dropping support for its mobile OS less than three years after it was released.

Google is clearly stating that legacy support for the OS is not on their agenda even while phones are still being flogged with Jelly Bean under the bonnet.

The question is why if Google is being such a bastard about its own operating system is it so keen to throw Microsoft under the bus?

Crooks stole 61 million customer records

IBM logoResearch from IBM said that in 2014 cyber attackers stole 61 million records from retailers.
But that’s just in the USA.
IBM’s survey said that there had been a 50 percent decline in attacks on retail web sites in 2014.
The report said that even though the number of cyber attacks had fallen, the attacks have become much more sophisticated.
IBM’s security services analyse over 20 billion security incidents every day – presumably worldwide.
The attackers are developing sophisticated techniques to grab “massive amounts” of data with each attack.
“The threat from organised cyber crime rings remains the largest security challenge for retailers,” said Kris Lovejoy, general manager of IBM Security Services.
IBM suggested that not all cyber breaches are disclosed.
Big Blue said the primary way cyber gangs gained access was through a method called Secure Shell Brute Force, which now outweighs malicious code.
There has been a rise in attacks however in point of sale systems using malware, but most were through command injection or SQL injection.
IBM said lack of data validation in SQL databases by system administrators made retail databases a favourite spot to attack.


Quantum theory may help net security

National-Security-Agency--008Scientists at the Griffith University in Queensland claim quantum physics will help protect data on the internet.
The researchers said that so-called “quantum steering” can be used to improve data security over long distances.
Project leader Professor Geoff Pryde boasts that the method his team are engineering promises “absolutely secure information transfer”.
He said: “Your credit card details or other personal data sent over the internet could be completely isolated from hackers.”
The scientists used special photon quantum states to program a measurement device at each step of sending code.
He said that quantum systems would secure long distance comms by generating random and uncrackable code.
But that would rely on both parties sharing systems.  But his team has invented something called quantum steering, which is used to maintain communication security and removing trust in third party devices.


Microsoft sues Windows scammers

Microsoft campusSoftware giant Microsoft has taken legal action against a company it claims is scamming people by representing itself as a Windows support outfit.

The Indian company, C-Cubed Solutions, is alleged to call people up saying people have had problems with their computers and conning them out of money.

The case claims that representatives from the company claim they represent Microsoft and then attempt to inveigle people into visiting web sites which are infected with malware, according to the Times of India. The caller may also attempt to get remote access to a computer and ask for payment using a credit card under the pretext of providing technical support.

Microsoft says it never cals people cold and advises people who get such calls never to give any information to people who claim to represent it.

The scam doesn’t only affect people in the USA – cold calls have been made to other countries including the UK, Ireland, Australia, Canada and New Zealand.

Worm found at nuclear control system

Shin Kori nuclear power plant, South Korea: Wikimedia CommonsA South Korean company was hit by what authorities described as a low risk computer worm.

The Korea Hydro & Nuclear Power Co was hit by a hack earlier this month and data stolen from its system.

But the South Korea energy ministry said today that the control systems for three nuclear reactors were unaffected by the hack, according to a Reuters report.

The energy minister told the South Korean parliament that the worm was most likely transmitted to the computer systems by an infected USB device – a claim that some have their doubts about.

The CEO of Korea Hydro and Nuclear Power told the parliament that all of the country’s reactors were invulnerable to viruses and worms.  But nevertheless he said that the firm was hiring more IT security staff to be on the safe side.

Some people believe that North Korea is behind attacks on South Korea computer installations.  The two countries are still technically at war with each other.

A British telco hacked my browser

wargames-hackerTop British telcos are hijacking their customers’ browsers to make sure that David Cameron’s anti-porn filter rules are enforced.

BT, Sky, and Virgin Media are struggling to get customers to say yes or no to the controversial adult content blocks, because unlike David Cameron, the majority of customers are happy with being able to see what they like.

When a user tries to access any website. BT, Sky,TalkTalk and Virgin Media are required to ask all their customers if they want web filters turned on or off and never see anything that would offend Cameron and his blue rinse friends ever again.

According to Wired the measures being taken by ISPs have been described as “completely unnecessary” and “heavy handed” by Internet rights groups.

The hijacking works by intercepting requests for unencrypted websites and rerouting a user to a different page. ISPs are using the technique to communicate with all undecided customers.

If you click on an interesting Channeleye story you could be redirected to a page asking about web filtering.  The only way you would be safe is if you only look at encrypted websites.

BT is blocking people’s browsers until they make a decision, making it impossible for customers to visit any websites once the in-browser notification has appeared.

A spokesperson for the UK’s biggest ISP said: “If customers do not make a decision, they are unable to continue browsing. The message will remain until the customer makes a decision.”

BT said that it is not forcing people to activate BT Parental Controls and if a user selects “No” they will be taken to a confirmation page and be able to continue browsing without the message reappearing.

The digital rights organization Open Rights Group (ORG) said that ISPs risked encouraging customers to trust hijacked sessions by displaying messages in this way.

“How can a customer tell the difference between an ISP hijack and a phishing site made to look the same? There are better ways for ISPs to contact their customers—particularly given that they have our phone numbers, email and actual addresses,” an ORG spokesperson said.

Sky is also hijacking browser sessions to ask customers if they want to turn on its Sky Broadband Shield web filter. Unlike BT, Sky said it would not disconnect or block customers if they refused to make a decision.

Virgin said it had no plans to disconnect or block customers who did not make a decision, adding that its in-browser message about its Web Filters system could be ignored. The ISP did not say how it planned to get any remaining undecided customers to make a decision if they continued to ignore prompts.

However, all this is playing directly into the Government’s hands by setting a precident. ISPs for years have said that they are not responsible for what their customers see online. By forcing customers to say “yes” or “no” for the web filters they are placing themselves in a role which the government can use.

The next thing could be looking at emails at the request of whatever daft arse idea that the government has about terrorism, or childcare

MIT invents new web programming language

nand-chipsComputer scientists at the Massachusetts Institute of Technology (MIT) think their invention might make life a lot easier if you’re developing web pages.

They’ve just gone and invented a programming language called Ur/Web that they claim will let developers write web apps as self contained program.

The compiler part of the equation auto generates XML code and style sheet specs, and then just goes right ahead and throws Javascript and database code where it should be.

Adam Chlipala, a professor of software tech at MIT claimed Ur/Web makes web pages more secure.

But there’s still some pain for web developers said Chiplala because the compiler doesn’t auto generate style sheets.

Once you’ve typed in your code the compiler takes a long hard look at it and gives a list of CSS classes.

He said that the last thing developers want is for apps to have the ability to read and overwrite passwords.  Web frameworks generally speaking assume every little line of a program has complete access to a database. Ur/Web doesn’t, he claims.

MIT didn’t say how you’ll get your paws on the programming language.

Apple auto-updates machines

Apple's CEO Tim Cook - shot from WikimediaA potential security threat has forced Apple to send an automatic update to machines without people saying yeah or nay to its installation.

Apple developed auto updates some time ago but this is the first time it’s taken advantage of the technique.

Microsoft has been auto updating its operating systems for quite some while, as security threats come to light.

The update patches problems highlighted by Carnegie Mellon University and the US Department of Homeland Security, relating to a part of Apple’s OSX operating system dubbed the network time protocol.

Apple is often perceived as having secure machines not subject to the type of threat Windows machines face.

Apple said the update doesn’t even need people to restart their machines, meaning that most people will have been unaware of the action taken.

Steel furnace hit by hackers

wargames-hackerFears that computer hackers could compromise industrial as well as military and commercial systems have been confrmed.

A report by the German Federal Office for Information Security (BSI) said that a large German steel mill was shut down after hackers stole logins allowing them to compromise the industrial infrastructure.

The BSI did not name the company but said the hackers were sophisticated technically and hacked into software that administered the plant.

They forced the plant to shut down and also compromised a blast furnace.

The news underlines concerns of the extent to which key parts of a country’s infrastructure is open to compromise by hackers.

Over the weekend, hackers compromised some South Korean nuclear installations and published diagrams  showing the layout of some installations.  The hackers have threatened to damage the nuclear installations themselves if the reactors are not shut down before December 25th.

It’s not known if control systems are vulnerable to such attacks.

Chips with built in security go postal

smartphones-genericABI Research believes that by the end of this year processors including embedded security technology will reach the billion mark.

Vendors are building in the Trusted Execution Environment (TEE) will reach 366 million as part of that figure.

The shipments are driven by governments, financial service companies and other enterprises largely to ensure secure ID and payments.

The market for TEE devices is still in its early stages, said ABI.  But shipments are bound to increase for them and for Host Card Emulation (HCE).

ARM is integrating TruZeone architecture into every Cortex-A family processor it licenses to vendors.

Unlike TEE devices, HCE depends on the cloud and lets banks introduce mobile NFC products without relying on smartphone SIMs.  ABI said that HCE support in smartphones is growing exponentially, and will account for shipments of 252 million by the end of the year.

Players in the game include ARM, Nok Nok Labs, NXP Semi, Infineon, Trustonic and Obertur Technologies.

Human error causes most data breaches

Detail showing fleeing Persians (King Darius centre) from an AncA request to the Information Commissioner’s Office (ICO) under the Freedom of Information Act has revealed that most data breaches are caused by human error.

Egress Software made the FOI request and the ICO revealed that only seven percent of breaches in the first three months of this year were because of technical glitches.

That means the fast majority were down to human error and carelessness by people.  And fines levied because of technical errors amounted to zero, while the ICO levied £5.1 million for companies that made the mistakes.

The data breaches are across many different sectors. The public sector showed healthcare organisations are top of the disgrace league, followed by local government and educational organisations.

The private sector also showed a rise in data breaches with the financial industry, the housing sector, telecoms and recruitment all showing big rises.

Tony Pepper, CEO of encryption company Egress Software, said: “It is concerning that such a high number of data breaches occur as a result of human error and poor processes. Confusion can often put confidential data at risk, with users unsure of when and how to encrypt.”

Intel buys password company

Intel-logoChip giant Intel has bought a Canadian company that attempts to take the pain out of passwords.

Intel Security – which includes the McAfee unit – didn’t say how much it paid for PasswordBox, which only started business in June 2013.

It’s unclear how many of the company’s 44 employees will be employed by Intel.

Intel will give new and existing customers a premium subscription at no cost until it gets round to releasing products under its own branding.

PasswordBox has around 14 million users worldwide.  The software lets you coordinate different logins and passwords in a sort of digital wallet so you don’t have to remember – or write down – all those different passwords that are easy to forget.