Tom Olzak

Archive for the ‘Java’ Category

Facebook employees should know better

In Business Continuity, Cloud Computing, Computers and Internet, Data Security, Insider risk, Java on February 15, 2013 at 20:27

While I believe that posting any private information to a social networking site is… well… nuts, I also believe we should have a reasonable expectation of privacy.  This means companies like Facebook must do a good job of protecting themselves from potential attacks.  So why were laptops used by Facebook employees targets of a recent zero-day attack?

Yes, it was zero-day.  We can’t foresee all possible attack vectors.  The threat agent used a hole in Java to infect the laptops.  Further, the Java exploit was sitting on a developer site.  Doh!  Didn’t see that coming, Facebook?  You should have.

Java is full of holes.  It is an exploit waiting to happen, and it is not the first time attackers circumvented the Java sandbox to get at the underlying platform.  Some, like Andrew Storms at nCircle Security, believe Java needs a complete overhaul (via Gregg Keizer, Computerworld).

 “Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it…”

Apparently, Facebook didn’t get the memo.  Why would a social network company allow its employees to visit risky sites and then connect back to a network where customer and other sensitive data reside?  Why would any organization?

For more information on end-user device security, see Chapter 6 – End-user Device Security.

Ease of use equals risk? Thanks, Yahoo.

In Application Security, Computers and Internet, Java on February 13, 2013 at 20:31

In Yahoo 5 Years Behind on Java Security – Yahoo! News, Ben Weitzenkorn summarizes a Brian Krebs article about Yahoo’s apparent disregard for the unwitting users of the do-it-yourself website tool it provides to those on a budget who are less proficient in HTML.  The vulnerable website development tool is SiteBuilder, and the vulnerability is its use of Java 6.7 (old and full of security holes) for implementation.

I used SiteBuilder long ago for my website.  It is a kludge that gets the unskilled designer to a simple design.  It is limited and should be trashed.  However, many small businesses have insufficient budget to hire a real developer; they rely on tools and promises supplied by companies like Yahoo.  Apparently, Yahoo didn’t get the message about living up to the trust put into them by users who don’t know better.

It appears that Yahoo responded to Krebs’s original article.  Brian writes,

Update, Feb. 13, 4:47 p.m. ET: Yahoo! finally got back to me, issuing the following spin-tastic statement: “Yahoo! Web Hosting websites can be built and maintained using a variety of tools that give businesses the flexibility to develop sites according to their needs and technical comfort. We will continue to work on delivering the best experiences for our customers.” When asked what readers should take from the above statement, a spokesperson for the company said Yahoo! had tweaked SiteBuilder so that it is now bundled with Java 6 Update 39, and that it will be updated to Java 7 by the end of the month. Hopefully, it won’t be Java 7 Update 1.

sigh…

 

 
