The security of Oracle’s Java software framework, installed on some three billion devices worldwide, is taking a turn for the worse, thanks to an uptick in attacks targeting vulnerabilities that will never be patched and increasingly sophisticated exploits, security researchers said.
The most visible sign of deterioration are in-the-wild attacks exploiting unpatched vulnerabilities in Java version 6, Christopher Budd, threat communications manager at antivirus provider Trend Micro, wrote in a blog post published Tuesday. The version, which Oracle stopped supporting in February, is still used by about half of the Java user base, he said. Malware developers have responded by reverse engineering security patches issued for Java 7, and using the insights to craft exploits for the older version. Because Java 6 is no longer supported, the security those same flaws will never be fixed.
Interestingly, there are some useful lessons to be learned here – and they’re more about how to deal will technical issues well than they are about surveillance or digital snooping.
So, at the risk of receiving a Royal Rant from Torvalds himself (me for writing this, and you for reading it), let me explain.
Linux has a special file called /dev/random that doesn’t exist as a real file.
If you open it in a program, and read from it, you get a stream of pseudorandom numbers, generated right inside in the kernel.
The idea of doing the work in the kernel is to end up with randomess of a very high quality.
Fascinating read. If you know more about how Linux does random numbers I’d love additional information.
I’ll leave opinions about Mr. Torvalds to the readers.
Encryption remains a key security tool despite newly leaked documents revealing the National Security Agency’s efforts to bend crypto and software to its will in order to ease its intelligence-gathering capabilities, expert say. But these latest NSA revelations serve as a chilling wake-up call for enterprises to rethink how they lock down their data.
“The bottom line is what Bruce Schneier said: for all of these [NSA] revelations, users are better off using encryption than not using encryption,” says Robin Wilton, technical outreach director of the Internet Society. “But if you’re a bank [or other financial institution] and you rely on the integrity of your transactions, what are you supposed to be doing now? Are you compromised?”
via Keep Calm, Keep Encrypting — With A Few Caveats — Dark Reading.
One easy improvement: Make it “real two factor” by allowing users to require a PIN/Password in addition to the fingerprint. Could they have done better then a fingerprint? There are a few different common biometric sensors: Facial recognition, Fingerprint, Weight/Height, retina scans and iris scans. Fingerprints are probably best considering the price of the sensor and the difficulty to acquire the data.
Finally: There is probably one real big vulnerability here. A stolen iPhone is likely covered in the user’s fingerprints. It shouldn’t be too hard for an attacker to lift a finger print off the phone itself to bypass the sensor.
I hope that Apple offers more details about how the fingerprint reader works. The technology exists to deal with the latent fingerprint issue. Many corporations will want true two-factor before relying on the iPhone’s biometrics in the enterprise.
If this is strong & robust authentication I hope Apple makes it available to other manufacturers as an open standard.