java: threat or menace?

Too much Java can make you cranky…

It has been a pretty bad few weeks for Oracle’s Java language – zero day vulns, followed by an out of band patch, with another serving of zero days to top things off. “Uninstall Java – it is dangerous at any speed!” was the message from some security experts.

The things that make Java attractive to web app developers (its cross-platform compatibility and pretty ubiquitous distribution) are the same things that make it such an attractive target for malware authors. Add to that a seemingly endless supply of critical security vulnerabilities, and you have a recipe for big trouble.

I have pretty much had it up to here (my hand is at neck level) with Java as a web plugin and would love to just uninstall the whole bug-infested mess from my users’ computers at the office. (Of course I could say the same thing about Flash.) However, some pretty critical parts of our business rely on Java web apps to bring in revenue (some of which goes to pay my salary – nuff said). So, I had to get a bit clever in coming up with a defensive strategy.

After looking at my web proxy logs, I determined that Java usage at my firm pretty much fell into two buckets: a small number of business-related apps from trusted business partners and a whole bunch of totally non-business-related apps accessed during recreational surfing. This made my job pretty easy… I figured out where the business apps came from and created a whitelist. Then I set the web filter to block all .jar and .class file downloads from other locations. In the two or so weeks that this policy has been in place, I have gotten exactly one request to whitelist a new jar file. The result? A much reduced attack surface for the company. My users seem to be OK with the new policies, which I explained in an email blast.
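As an added illustration (not from the original post), here is how the two steps described above, triaging the proxy logs to find which hosts actually serve Java code and then applying a whitelist-or-block rule to .jar/.class fetches, could be scripted. The log lines, host names and whitelist are constructed for the example; the log layout assumed is Squid's native access.log format, so adjust the field parsing for your own proxy.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log lines in Squid native access.log layout (assumption).
# Fields: timestamp elapsed client_ip result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1357000001.123 45 10.1.2.3 TCP_MISS/200 20480 GET http://apps.partner-bank.example/portal/client.jar - DIRECT/203.0.113.5 application/java-archive
1357000002.456 12 10.1.2.4 TCP_MISS/200 1024 GET http://www.example.com/index.html - DIRECT/203.0.113.6 text/html
1357000003.789 33 10.1.2.5 TCP_MISS/200 51200 GET http://games.funsite.example/play/engine.jar - DIRECT/198.51.100.7 application/java-archive
1357000004.012 9 10.1.2.3 TCP_MISS/200 2048 GET http://games.funsite.example/play/Loader.class - DIRECT/198.51.100.7 application/octet-stream
1357000005.345 40 10.1.2.6 TCP_MISS/200 30720 GET http://apps.partner-bank.example/portal/lib/util.jar - DIRECT/203.0.113.5 application/java-archive
"""

# Hosts the business genuinely needs Java applets from (hypothetical whitelist).
WHITELIST = {"apps.partner-bank.example"}

# Only the URL path is tested, so a query string cannot hide the extension.
JAVA_EXT = re.compile(r"\.(jar|class)$", re.IGNORECASE)

def java_downloads(log_text):
    """Yield (client_ip, host, path) for every .jar/.class fetch in the log."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip it
        client_ip, url = fields[2], fields[6]
        parts = urlsplit(url)
        if JAVA_EXT.search(parts.path):
            yield client_ip, (parts.hostname or "").lower(), parts.path

def java_hosts_by_count(log_text):
    """Triage step: which hosts serve Java code to our users, and how often."""
    return Counter(host for _, host, _ in java_downloads(log_text))

def policy_decision(url, whitelist=WHITELIST):
    """Filter rule: block .jar/.class unless the host is whitelisted; allow all else."""
    parts = urlsplit(url)
    if not JAVA_EXT.search(parts.path):
        return "allow"
    return "allow" if (parts.hostname or "").lower() in whitelist else "block"

if __name__ == "__main__":
    # Review the triage output before committing the whitelist to the web filter.
    for host, n in java_hosts_by_count(SAMPLE_LOG).most_common():
        status = "whitelisted" if host in WHITELIST else "BLOCK"
        print(f"{n:3d}  {host}  -> {status}")
```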

Yes, we will continue to update our Java Runtime Environments – after all, there could be some locally installed software which needs the JRE and using the latest and greatest versions is just good practice. And we’ll continue to implement other good practices (getting rid of unused software, keeping an eye on our log files and network traffic, keeping patches and fixes up to date and the like).

While I can’t say that we are totally protected from Java based attacks, I do feel that we have struck a pretty good balance between security and the need to let the business do business on this one.


vulnerable voip phones can let attackers listen in on your office

Who’s listening in on YOU?

We don’t give too much thought to our VOIP phones – they look like regular old landline phones and seem pretty innocuous sitting on our desks. However, a presentation from the recent 29th Chaos Communications Congress held last week in Berlin should be a wake-up call for security professionals. Two Columbia University researchers demonstrated how they used vulnerabilities in the operating system for Cisco’s VOIP phones in order to take control of the devices and turn them into eavesdropping devices capable of picking up conversations in their vicinity and relaying them to a remote attacker. As a bonus, they showed how to make their hack a permanent part of the phone, preventing patches and upgrades. Definitely worth viewing for security professionals.

What to do about it? Well, when Cisco releases a working patch for this problem, I would definitely suggest upgrading all affected phones’ firmware. I would also give some thought to how your VOIP VLAN is protected and whether having unattended feature phones in public parts of your site is a good idea.
