Pub. 8 2013-2014 Issue 1

www.nebankers.org 18 Extraordinary Service for Extraordinary Members. Don’t Be a Java Drive-by Victim Mark Faske , Security & Compliance Consultant, CoNetrix M ANY OF US HAVE SEEN THIS message: “3 Billion De- vices Run Java: Comput- ers, Printers, Routers, Cell Phones, Blackberry, Kindle, Parking Meters, Public Transportation Passes, ATMs, Credit Cards, Home Security Systems, Cable Boxes, TVs . . .” Having trouble remembering where you’ve seen this message? Well, it flashes before you when you install the Java application. Here, Oracle is celebrating the broad use of its Java software. The danger in this statement is that widespread distribution makes Java a lucrative target for cybercrimi- nals. If you have doubts on this point, just ask Microsoft. Widely distributed software provides fertile grounds for cybercriminal exploitation. Unfortunately, a number of security problems are associated with Java. Ac- cording to antivirus software manu- facturer Kaspersky Lab, Java security holes were responsible for 50 percent of attacks in 2012, taking the 2011 vulner- TECH TALK ability leaders crown previously held by Adobe Reader. Java vulnerabilities have gotten so serious that the Department of Homeland Security issued a Security Alert (TA13-010A) on Feb. 6, 2013, ad- vising users to disable usage of Java in their web browsers. The prolific use of Java on both cor- porate and consumer systems regard- less of operating system (Windows, OS X, Linux) makes most workstations and servers a potential target, providing an avenue to internal networks, straight through corporate firewalls. The attack scenario works like this: an unsuspect- ing user with a vulnerable version of Java visits a malicious website that is hosting a malicious Java applet, and voilà, you have a successful attack that just bypassed your firewall and installed malware on the user’s system. The cybercriminal now has a foothold on your network. This process is known as a drive-by download, because the user doesn’t need to do anything particularly wrong to invoke the compromise. There was no link to click, no pop-up window, no video to play, or any other required action by the user. The entire process happens without the user’s interaction and knowledge. Enough about the problem. What can we do to combat Java weaknesses? Implementing one or more of the fol- lowing recommendations will help keep your systems and sensitive data safe: • Uninstall Java completely if you don’t need it. Granted, many of us may not be able to take this advice because Java is highly integrated into many applications, both Internet-based and internal. But for those of you who can, it’s the easiest and safest way to fix the problem. • Remove all versions of Java prior to version 7. Updating to version 7 will remove the latest version of Java 6; however, other versions of Java 6 will remain. This leaves old, vulner- able Java versions on your machines, which can be invoked by malicious websites, even though an updated version is available. Old versions need