Showing posts sorted by date for query SET. Sort by relevance Show all posts
Showing posts sorted by date for query SET. Sort by relevance Show all posts

Implementing Intrusion (Cyber) Kill Chain -A Plenary Overview

Posted by Avik Sarkar On 2/10/2014 01:49:00 am

Implementing an Intrusion (Cyber) Kill Chain 

The Intrusion (Cyber) Kill Chain is a phrase popularized by infosec industry professionals and introduced in a Lockheed Martin Corporation paper titled; “ Intelligence Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”. 
The intrusion kill chain model is derived from a military model describing the phases of an attack. The phases of the military model are: find, fix, track, target, engage, and assess. The analyses of these phases are used to pinpoint gaps in capability and prioritize the development of needed systems. The first phase in this military model is to decide on a target (find). Second, once the target is decided you set about to locate it (fix). Next, you would surveill to gather intelligence (track). Once you have enough information, you decide the best way to realize your objective (target) and then implement your strategy (engage). And finally, you analyze what went wrong and what went right (assess) so that adjustments can be made in future attacks.
Lockheed Martin analysts began by mapping the phases of cyber attacks. The mapping focused on specific types of attacks, Advanced Persistent Threats (APTs) - The adversary/intruder gets into your network and stays for years– sending information, usually encrypted – to collection sites without being detected. Since the intruder spent so much time in the network, analysts were able to gather data about what was happening. Analysts could then sift through the data and begin grouping it into the military attack model phases. Analysts soon realized that while there were predictable phases in cyber attacks, the phases were slightly different from the military model.  The intrusion (cyber) kill chain shown below, describe the phases of a cyber attack.
The chain of events or activities are as follows:
  

Link in the Chain
Description
1.  Reconnaissance
Research, identification and selection of targets- scraping websites for information on companies and their employees in order to select targets.
2.  Weaponization
Most often, a Trojan with an exploit embedded in documents, photos, etc.
3.  Delivery
Transmission of the weapon (document with an embedded exploit) to the targeted environment.  According to Lockheed Martin's Computer Incident Response Team (LM-CIRT), the most prevalent delivery methods are email attachments,websites, and USB removable media.
4.  Exploitation
After the weapon is delivered, the intruder's code is triggered to exploit an operating system or application vulnerability, to make use of an operating system's auto execute feature or exploit the users themselves.
5.  Installation
Along with the exploit the weapon installs a remote access Trojan and/or a backdoor that allows the intruder to maintain presence in the environment
6.  Command and Control
Intruders establish a connection to an outside collection server from compromised systems and gain 'hands on the keyboard' control of the target's compromised network/systems/applications.
7.  Actions on Objective
After progressing through the previous 6 phases, the intruder takes action to achieve their objective.  The most common objectives are:  data extraction, disruption of the network, and/or use of the target's network as a hop point.
Lockheed Martin's analysts also discovered while mapping the intruder's activities, that a break (kill) in any one link in the chain would cause the intrusion to fail in its objective. This is one of the major benefits of the intrusion kill chain framework as security professionals have traditionally taken a defensive approach when it comes to incident response. This means that intrusions can be dealt with offensively too.
Lockheed Martin's case studies reveal that knowledge about previous intrusions and how they were accomplished allow analysts to recognize those previously used tactics and exploits in current attacks.  For example, mapping of three intrusions revealed that all three were delivered via email, all three used  very similar encryption, all three used the same installation program and connected to the same outside collection site. All of the intrusions were stopped before they accomplished their objective.
How did they do this? How can my company utilize this approach?
Monitoring and mapping is the key.
The following list contains some of the necessary components (not in any particular order) needed to do intrusion mapping and setting up the kill.
·         Network Intrusion Detection (NIDS)
·         Network Intrusion Prevention (NIPS)
·         Host Intrusion Detection (HIDS)
·         Firewall access control lists (ACL)
·         Full packet inspection
·         A mature IT asset management system
·         A mature and comprehensive Configuration Management Database (CMDB)
·         Device and system hardening
·         Secure configurations baselines
·         Website inspection
·         Honeypots
·         Anti-virus and anti-malware
·         Verbose logging – network devices, servers, databases, and applications
·         Log correlation
·         Alerting
·         Patching
·         Email and FTP inspection and filtering
·         Network tracing tools
·         Information Security staff trained in tracking and mapping events end-to-end
·         Coordination and partnering with IT, Application Owners, Database Administrators, Business Units and Management both in investigation and communicating the mapped intrusions.

In short, in order to implement intrusion kill chain activity a company needs to have a mature inter-operating and information security program. Additionally, they need trained staff that can investigate, map and advise 'kill' activities, keep a compendium of mapped intrusions, analyze and compare old and new intruder activity, code use, and delivery methods to thwart current and future intrusions.
The intrusion (cyber) kill chain is not an endeavor that can be successfully implemented in place of a comprehensive Information Security Program, it’s another tool to be used to protect the company's data assets.
The good news is if your company doesn't have a mature information security program there is a lot you can do while making plans to introduce an intrusion kill chains in your department's arsenal.
·         Educate your employees to watch for suspicious emails. For instance, emails that seem to be off – such as, someone in accounting receiving an invitation to attend a marketing conference. Let them know that they shouldn't open attachments included in email like this.
·         Make sure you have anti-virus and anti-malware software installed and up to date.
·         Start an inventory of your computing devices, laptops, desktops, tablets, smartphones, network devices and security devices.
·         You have an advantage over intruders. You know your network and what is normal and usual, they don't.  Notice user behavior that is not usual and look into it.  For example, a login at 2am for someone who works 9 to 5. Or an application process that normally runs overnight that is kicking off during the day.
·         Keep your security patches up to date.
·         Create and monitor baseline configurations.
·         Write, publish and communicate information security policies and company standards.
·         Turn on logging and start collecting and keeping logs. Start with network devices and firewalls and then add servers and databases.  Set up alerts for things such as repeated attempts at access.
·         Spend some time using search engines from outside your network to see how much information can be learned about your company from the Internet.  You'd be surprised how much you can find including sensitive documents.

All of these practices and activities give you more information about your computing environment and what is normal and usual. The more you know about your environment, the more likely it is that you will spot the intruder before any damage is done.

Disclaimer:- Before conclusion, on behalf of Team VOGH, I would like to personally thank Mr. Adrian Stolarski for sharing this remarkable article with our readers. I would also like to thank Ryan Fahey  of Infosec Institute for his spontaneous effort. 


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Apple Brings iOS 7.0.4 [Includes New Features, FaceTime Bug & App Store Purchase Flaw Fixed]

Posted by Avik Sarkar On 11/17/2013 06:32:00 pm

Apple Brings iOS 7.0.4 & iOS 6.1.5 Includes New FeaturesFaceTime Bug  & App Store Purchase Flaw Fixed


California based tech giant Apple Inc has released a new update on their popular iOS software running on iPhone, iPad, and iPod touch devices. This release of of iOS 7.0.4  includes bug fixes and improvements, including a fix for an issue that causes FaceTime calls to fail for some users. iPods that are not able to upgrade to iOS 7 have their own version to upgrade to, iOS 6.1.5. The release of iOS 7.04 marks the third update of the iPhone operating system in the short time since Apple pushed out iOS 7 in September. The new OS represented a major change from the older operating systems, both in the look and feel of the software and in its functionality.  There’s much zooming in and out and all about in iOS 7, as well as a blurry background that has drawn quite a bit of criticism. iOS 7 also was a major security release, fixing issues with the iPhone’s certificate trust policy as well as remote code-execution vulnerabilities in the CoreGraphics and CoreMedia components. 

The new update improves iCloud Keychain, which was introduced in iOS 7.0.3, and the latest version of the desktop software, OS X Mavericks. The cloud-based technology keeps the Safari browser's passwords and credit card data in sync across all your Apple devices. Secondly, in Spotlight, the device's internal search engine, Apple has brought back the ability to search Google and Wikipedia from the results. The two services were removed when iOS 7 was first released in mid-September. 
Also on Thursday, Apple released a corresponding update to its Apple TV, updating the set-top box to version 6.0.2.  Users can update to the latest version by accessing the device's Settings, selecting General, then Software Update. In spite of the relatively small size of the update, it's recommended that users use Wi-Fi when updating. To avoid security vulnerabilities every Apple users are highly recommended to update their software. 



-Source (Apple, ZDNet & Threat Post





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Jeremy Hammond -Key Member of Anonymous Affiliated LulzSec Pleads Guilty To Stratfor Hack

Posted by Avik Sarkar On 6/03/2013 09:07:00 pm

Jeremy Hammond -Key Member of Anonymous Affiliated LulzSec Pleads Guilty To Stratfor Hack, Could Face 10 Years In Prison

Lulz Security widely known as LulzSec, the most dangerous hacker collective group who set their devastating hacking rampage for fifty days in which they have successfully penetrated almost all the so called top secure fields; has suddenly stopped their sail. But stopping crime never means that the criminal will be overlooked, the pending punishment will surely take place. And this applied from LulzSec also. Lat year we have seen leader of LulzSec and also also leader of infamous hacker collective group Anonymous code-named "Sabu," whose real name is Hector Xavier Monsegur, turned traitor to his community and became FBI informer and provided all the information on fellow hackers. The arrest of Sabu subsequently helped law-enforcement officials to infiltrate Lulzsec, an offshoot of Anonymous, the loose hacking collective that has supported an ever-shifting variety of causes. The information provided by Sabu lead FBI to arrest all the key members of LulzSec including Ryan ClearyJake Davis, Raynaldo RiveraCody Kretsinger and so on. Among them there was Jeremy Hammond widely known as "Anarchaos" who was arrested by the federal authorities and been charged for the  breach of the security analysis company Stratfor. In December last year the bail application of Hammond was also been rejected by the the Court. So after several hearings finally the accused of security breach against global intelligence firm Stratfor,  Jeremy Hammond pleaded guilty in a Manhattan court to one count of computer fraud and abuse in response to charges that he hacked into the network of the privacy intelligence firm Stratfor, stealing millions of emails that eventually were given to WikiLeaks and published over the course of 2012. The plea agreement could carry a sentence of as much as 10 years in prison, as well as millions of dollars in restitution payments, though Hammond’s official sentence won’t be handed down until September. Hammond also told Judge Loretta A. Preska of Federal District Court in Manhattan that in 2011 and 2012 he had gained unauthorized access to Stratfor’s computer systems and several other groups, including the Federal Bureau of Investigation’s Virtual Academy, the public safety department in Arizona, and Vanguard Defense Industries, which makes drones. 
"Now that I have pleaded guilty, it is a relief to be able to say that I did work with Anonymous to hack Stratfor, among other websites," Hammond said in a statement on last Tuesday. 
A petition posted to Change.org by Hammond’s brother Jason Hammond asks the judge in Hammond’s case, Loretta Preska, to sentence him to time served, given that he’s already spent 15 months in lockup. “Jeremy did nothing for personal gain and everything in hopes of making the world a better place,” reads Hammond’s brother’s petition. “Jeremy is facing a maximum sentence of ten years, but the minimum is zero. He has been in jail since March 2012 awaiting trial and now sentencing. It’s time for him to come home.”


-Source (Forbes & Huffington Post)





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Debian Linux 7.0 Code Named 'Wheezy' Released & Available For Download

Posted by Avik Sarkar On 5/09/2013 04:30:00 pm

Debian Linux 7.0 Code Named 'Wheezy' Released & Added  Multiarch Support, Several Specific Tools

Once it was one of the most popular Linux distribution which have drawn the maximum attention, yes you are right I am talking about none other than Debian Linux. Now a days the craze of this flavor has became little fade but as the foundation for other, more popular Linux distributions, such as Mint, Ubuntu and few Pen Testing Distro, still the value of Debian exist. So the up-gradation and new release of this Linux flavor is  still very much important. And today I will talk about the new release of Debian Linux version 7.0 code named 'Wheezy'. After many months of constant development, the developers at Debian project proudly announced the general availability of the next version of this major Linux which is Debian 7.0 aka 'Wheezy'. According to the release note This new version of Debian includes various interesting features such as multiarch support, several specific tools to deploy private clouds, an improved installer, and a complete set of multimedia codecs and front-ends which remove the need for third-party repositories. Multiarch support, one of the main release goals for Wheezy, will allow Debian users to install packages from multiple architectures on the same machine. This means that you can now, for the first time, install both 32- and 64-bit software on the same machine and have all the relevant dependencies correctly resolved, automatically. The installation process has been greatly improved: Debian can now be installed using software speech, above all by visually impaired people who do not use a Braille device. Thanks to the combined efforts of a huge number of translators, the installation system is available in 73 languages, and more than a dozen of them are available for speech synthesis too. In addition, for the first time, Debian supports installation and booting using UEFI for new 64-bit PCs (amd64), although there is no support for Secure Boot yet. 

This Release Includes Numerous Updated Software Packages, Such as:-
  • Apache 2.2.22
  • Asterisk 1.8.13.1
  • GIMP 2.8.2
  • An updated version of the GNOME desktop environment 3.4
  • GNU Compiler Collection 4.7.2
  • Icedove 10 (an unbranded version of Mozilla Thunderbird)
  • Iceweasel 10 (an unbranded version of Mozilla Firefox)
  • KDE Plasma Workspaces and KDE Applications 4.8.4
  • kFreeBSD kernel 8.3 and 9.0
  • LibreOffice 3.5.4
  • Linux 3.2
  • MySQL 5.5.30
  • Nagios 3.4.1
  • OpenJDK 6b27 and 7u3
  • Perl 5.14.2
  • PHP 5.4.4
  • PostgreSQL 9.1
  • Python 2.7.3 and 3.2.3
  • Samba 3.6.6
  • Tomcat 6.0.35 and 7.0.28
  • Xen Hypervisor 4.1.4
  • The Xfce 4.8 desktop environment
  • X.Org 7.7

Along with these more than other 36,000 ready-to-use software packages, built from nearly 17,500 source packages also included in Debian Linux 7.0. So after reading all those cool features, what you are waiting for lets download the installation image via bittorrent (the recommended method), jigdo, or HTTP




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

NATO Prepared Tallinn Manual -International Law Applicable to Cyber Warfare

Posted by Avik Sarkar On 3/20/2013 04:09:00 am

NATO Prepared Tallinn Manual -International Law Applicable to Cyber Warfare

NATO finally published the final version of a document expected to shape cyber warfare policies among Western nations was published last week, clarifying when and how countries can legally conduct online aggression against one another. The International law of Cyber Warfare have been  published by the Cooperative Cyber Defence Centre of Excellence (CCDCOE) set up in Estonia, in 2008, the Tallinn Manual on the International Law Applicable to Cyber Warfare. Spanning 215 pages, the Tallinn Manual makes it clear that a full-scale war can be triggered by network-borne attacks on computer systems and that civilian activists that participate in those are considered legitimate targets. However, the manual specifically rules out state-sponsored attacks on critical civilian infrastructure. Nuclear power plants, hospitals, dams and similar are all out of bounds for cyber war, the manual states.

The Tallinn Manual:-
The Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the invitation of the Centre by an independent ‘International Group of Experts’, is the result of a three-year effort to examine how extant international law norms apply to this ‘new’ form of warfare. The Tallinn Manual pays particular attention to the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law).  Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt within the context of these topics.
The Tallinn Manual is not an official document, but instead an expression of opinions of a group of independent experts acting solely in their personal capacity.  It does not represent the views of the Centre, our Sponsoring Nations, or NATO.  It is also not meant to reflect NATO doctrine.  Nor does it reflect the position of any organization or State represented by observers. 

The Tallinn Manual is available in both paper and electronic copies from Cambridge University Press



-Source (IT News & CCDCOE)










SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

'Data Theft' A Serious Issue! Be Watch Full, Be Safe

Posted by Avik Sarkar On 2/20/2013 06:52:00 pm

Hidden Costs of 'Data Theft' A Serious Issue! What You Need to Know to Be Safe 

Sitting at the edge of technology, we the people of this century are blessed with all the required equipment  which makes our work so easy that one could have even imagined three hundred years ago. Along with these positive sides, we must have to keep in mind that, these technologies not only elaborating our effort  making life easier, but also posing  high level of threat. As the main concern of VOGH is cyber domain, so here w would like to share a fact which will make you think and even make your cyber life and your personal life too uncanny. Yes, I am talking about the rising cyber threats; the more we are shedding with technologies, the more we are involving our lives with some dangerous threats and challenges. Now a days cyber criminals are every where, you don't even know, what trap has already been set for you, that can ruin your happy life. One of the big example is "Data Theft" which becoming boomerang for us. In an age of fully digitized data, consumers and businesses can lose thousands of dollars in the blink of a hacker’s eye. The costs of data theft are well known to anyone who has ever found themselves victim to financial identity or medical record fraud. What few of us realize is that the procedures required to right a financial wrong are often costlier than the crimes themselves. Lets share some interesting statistic, which will surely put terror in your mind - the economy loses an average of $22,346 for every time an identity is stolen. And to fully recuperate losses, repair credit and prosecute fraudsters, consumers, accountants, lawyers and IRS officials can spend up to 5,000 hours, the equivalent of two years of full-time work on a single case. Even so, 60% of medical record fraud victims admit that they don’t monitor their medical statements for inconsistencies. 

Shocking!! Why not?

For one, most consumers don’t have time every month to file through complex medical or financial statements and check for accuracy. And secondly, the image of thousands of evil savants working around the clock to hack BOA databases sure makes a consumer feel helpless. Identity theft seems random and unpreventable–a stroke of bad luck like getting struck by lightning. If we are struck, we tell ourselves, banks, credit agencies and insurance companies are legally bound to recover our funds and correct our records. 

Now lets check out a fascinating video in our Hidden Costs Series to get a deeper look at how our high-cost, high-risk data management systems really work.



Hidden Costs of Data Theft (Statistic At a Glance):-


Data theft includes financial identity theft, identity cloning, and medical identity theft. The average cost per victim was $22,346 in 2012. And the total national cost of just medical identity fraud was $41 billion in 2012. The worst part – nearly 60% of reported victims say they don’t ever check their medical records for fraud. Depending on the severity of the case, it can take over 5,000 hours (the equivalent of working a full-time job for two years) to correct the damage.
Since 1935, over 435 million social security cards have been issued. That’s over 2,175 tons of paper issued as cards, or 52,200 trees and 5 million new cards are issued every year. 
Worldwide, digital warehouses storing private information, like banking and personal history, use about 30 billion watts of electricity, which equals roughly the output of 30 nuclear power plants. Data centers in the US make up almost a third of that usage, and waste 90% of the electricity they pull off the grid.
On average, 47% of victims encounter problems qualifying for a new loan and 70% have difficulty removing the negative information from their credit reports.
Over the next five years, the IRS stands to lose as much as $21 billion in revenue due to identity theft, and worldwide, businesses lose close to $221 billion a year with the US, UK, Canada and Australia ranking the highest in reported fraudulent activity.


After reading the above story carefully, many of you will feel insecure and panic. But I would like to inform you that the main purpose of sharing such important information, is to enhance carefulness, to rise cyber awareness. Many people became victim, not because of less knowledge, but of less information, less awareness. So from now onward before connecting your self into the digital world make sure that the significant & the emergent knowledge and information you have gathered from the article, should remain intact inside your brain. Trust me, if you became a bit cautious, you can easily get rid of all those cyber threats, and can enjoy the bless of technologies to make your life prosperous and happy. 

So stay tuned with VOGH and also be canny, be attentive and be safe inside the digital world. 

We the Team VOGH heartily thanks one of our invaluable reader and friend Emily Stewart of Insurance Quotes for the statistic and the awesome video. We love you Emily :) 




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

President Obama & Congress Will Issue Long Awaited Executive Cyber Security Order

Posted by Avik Sarkar On 2/12/2013 07:05:00 pm

President ObamaCongress Will Issue Long Awaited Executive Cyber Security Order 

Last week we reported that Pentagon has declared that they are moving toward a major expansion of its cyber security force to counter increasing attacks on the nation’s computer networks, as well as to expand offensive computer operations on foreign adversaries. Just one week after this declaration another crucial movement came from the U.S. government.  A secret legal review on the use of America’s growing arsenal of cyber weapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad. According to sources President Barack Obama will issue a long-awaited cyber security executive order this week. Two former White House officials told the publication that the order is expected to be released after Tuesday night's State of the Union address. 
Given his status as commander-in-chief, Obama seems to be the clear choice, but since cyber warfare is such a new and unknown thing, the government hasn't actually figured out the rules of engagement yet. In the past couple of decades, the power to use America's cyber weapons has been shared between the Pentagon and the various intelligence agencies. With the exception of a series of strikes on the computer systems that run Iran's nuclear enrichment facilities an attack that Obama ordered himself the U.S. hasn't launched any major cyber attacks in recent memory, however. This probably won't be the case in the future. So the government is working on new rules of engagement, as it realizes that the capabilities of cyber weapons are evolving at a startling rate. The rules will be not unlike the set that governs how drone attacks are ordered and who orders them. Cyber warfare certainly stands to affect the average American more, though.  On Capitol Hill this week, Rep. Dutch Ruppersberger (D-Md.) and Rep. Mike Rodgers (R-Mich.) are set to reintroduce the Cyber Intelligence Sharing and Protection Act (CISPA) during a speech at the Center for Strategic and International Studies.
According to an exclusive report the bill would allow the government to share classified cyber threats with the private sector so that those companies can then protect their systems from cyber attacks. The bill was killed last year due to privacy concerns. Civil-liberty groups argued that the bill allows companies to exchange too much personal information back and forth without regulation. 







SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

'Mickey Virus' The Upcoming Bollywood Movie Based on Hacking

Posted by Avik Sarkar On 1/01/2013 03:47:00 pm

'Mickey Virus' The Upcoming Bollywood Movie Based on Hacking 

'Mickey Virus' many of you may think it may be the name of another cyber threat, but let me assure you that; its not a virus or cyber threat. Mickey Virus is the name of an upcoming Bollywood movie based of hacking and cyber world. Sounds interesting, yes it is as this is the first Indian movie which have been subjected to such fields. Before Mickey Virus, we have seen several Indian movies where the matter hacking have been shown, among them we can take the name of  16 DECEMBER, Players & so on. But the main difference between those movies and Mickey Virus will be, here the main story is based on cyber world and specially hacking. According to sources popular television anchor Manish Paul is set to make his Bollywood debut with "Mickey Virus", where he plays a computer hacker. The film hits the screens May 17. Directed by debutant Saurabh Verma, the film also features actor Manish Chaudhary of "Rocket Singh: Salesman Of The Year" fame. "The film is called 'Mickey Virus' and Manish Paul has acted in it. Other than this, we have Manish Chaudhary, who was also there in 'Rocket Singh...'," Verma told IANS.
With Delhi as its backdrop, the story of the film revolves around computer hackers. Asked if Verma harboured any apprehensions since the cast and the crew of the film are relatively new, he said: "I have no apprehensions. The film is such, it has been made for people like us. It is extremely interesting." Verma has been in showbiz for the past 15 years, but was involved in the distribution and production aspects of the film industry. "I always had this movie in mind. I have been in this business for many years now. This film was not made overnight. The pre-production itself took about six months," he said.



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Oracle Released Java 7 update 10 With Security Enhancements & Bug Fixes

Posted by Avik Sarkar On 12/21/2012 07:18:00 pm

Oracle Released Java 7 update 10 With Security Enhancements & Bug Fixes 

This is the third time in a year when Oracle has updated the standard edition of Java platform. This release includes new security controls in addition to a bug fix and updated timezone data. This latest update also contains a number of security enhancements and is now certified for Mac OS X 10.8 and Windows 8. The security enhancements include the ability to disable any Java application from running in the browser and the ability to set a desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications. While keeping in mind the last security issues with Java, in the press release of this Java update Oracle said "if the JRE is deemed expired or insecure, additional security warnings are displayed. In most of these dialogs, the user has the option to block running the app, to continue running the app, or to go to java.com to download the latest release."

Security Feature Enhancements

The JDK 7u10 release includes the following enhancements:
  • The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
  • The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
  • New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.

Bug Fixes

Notable Bug Fixes in JDK 7u10

The following are some of the notable bug fixes included in JDK 7u10.
Area: java command

Description: Wildcard expansion for single entry classpath does not work on Windows platforms.

The Java command and Setting the classpath documents describe how the wildcard character (*) can be used in a classpath element to expand into a list of the .jar files in the associated directory, separated by the classpath separator (;).
This wildcard expansion does not work in a Windows command shell for a single element classpath due to the Microsoft bug described in Wildcard Handling is Broken.
See 7146424.
For a list of other bug fixes included in this release, see JDK 7u10 Bug Fixes page. 

The updated Java Development Kit and Java Runtime Environment are available to download from the Oracle site. 



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Internet Explorer Vulnerability Allowing Hackers to Track Your Mouse Cursor

Posted by Avik Sarkar On 12/19/2012 12:51:00 pm

Internet Explorer Vulnerability Allowing Hackers to Track Your Mouse Cursor, Still Microsoft is Apathetic 

Yet again Microsoft Internet Explorer have fallen victim in front of hackers. Spider.io a website analytics firm has discovered a security vulnerability in all current versions of Internet Explorer that allows attackers to trace mouse cursors anywhere on users' screens even if the Internet Explorer window is minimized  The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads. Spider.io said -The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.
As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer—your mouse cursor can be tracked across your entire display.


Vulnerability Disclosure
Package: Microsoft Internet Explorer
Affected: Tested on versions 6–10
BugTraq Link: seclists.org/bugtraq/2012/Dec/81


Spider.io has set a demo page to demonstrate how the vulnerability is working. According to sources, Microsoft Security Research Center has acknowledged the vulnerability, but unfortunate that Microsoft are not in a hurry to patch this vulnerability in existing versions of its popular browser. "There are no immediate plans to patch this vulnerability in existing versions of the browser."  said MSRC



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search