Oracle Takes Action on Java Security
Java has spent considerable time in the headlines recently because of a string of significant security issues, many of them affecting web servers and other Internet-based web applications. Oracle, which has owned and maintained Java since purchasing Sun Microsystems in 2009, publicly addressed those issues in a blog post announcing several policy changes regarding future Java development and updates. In a post at the Oracle Security Assurance blog, lead Java developer Nandini Ramani outlined the changes.
The first change described in the post is an effort to speed up security fixes and updates. Recent patch updates have included a record number of fixes, and Oracle pledges to continue operating at this accelerated rate. In a move that might be controversial with Java's user and developer base, the team is integrating the Java security update schedule with the Oracle Critical Patch Update system used for other Oracle products. In other words, Java security updates will no longer be handled as a separate process but will fall under the overall Oracle security update system. This move will undoubtedly reduce Java's independence, but it might lead to the inclusion of more systematic security testing.
The company is also planning to work on "addressing the limitations of the existing Java in browser trust/privileges model." Changes will give the end user and system administrator more control over the security environment. Additional changes include modifications to signed applet policies and default plugin security.
Nasty New Apache Attack Discovered
A sophisticated Apache attack has appeared in the wild, according to reports, and has already infected hundreds of machines. The attack, known as Linux/Cdorked.A, redirects users to malicious sites, including sites that expose the user to the infamous Black Hole exploit pack. The attack does not leave any traces on the disk but, instead, saves its state and configuration in shared memory, making it very difficult to identify. The target for the attack appears to be Apache servers with the cPanel hosting control tool installed. Analysis by security experts at Sucuri and ESET reveals that the attack disguises suspicious strings in the backdoor with an XOR operation. The backdoor is opened through a special HTTP GET request that has been modified so that it does not appear in the Apache logs.
As of now, the recommended method for uncovering evidence of the attack is a search of shared memory. ESET's We Live Security blog describes the attack and provides a tool called dump_cdorked_config that checks the shared memory segment in which the backdoor stores its data. (See http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/)
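Because the backdoor keeps its state only in shared memory, the first defensive step is to see which System V shared memory segments the web server processes actually have mapped. The following is an added example written for this article, not ESET's dump_cdorked_config: it parses /proc/<pid>/maps, where such segments appear as "/SYSV<key> (deleted)", and reports them for every httpd or apache2 process. The process names and the 1 MiB size threshold are assumptions, not properties of the backdoor.

```c
/* Added example, not ESET's dump_cdorked_config: list the System V shared
 * memory segments mapped by Apache processes (they show up in
 * /proc/<pid>/maps as "/SYSV<key> (deleted)"), since Linux/Cdorked.A keeps
 * its state only in shared memory. Process names and size threshold are assumptions. */
#include <dirent.h>
#include <stdio.h>
#include <string.h>

#define BIG_SEGMENT (1ul << 20)  /* assumed: writable segments >= 1 MiB get flagged */

/* Parse one maps line: returns 1 with key/size/writable filled for a SysV segment, else 0. */
int parse_sysv_line(const char *line, unsigned *key, unsigned long *size, int *writable) {
    unsigned long start, end;
    char perms[8];
    if (sscanf(line, "%lx-%lx %7s %*s %*s %*s /SYSV%8x", &start, &end, perms, key) != 4)
        return 0;
    *size = end - start;
    *writable = perms[1] == 'w';
    return 1;
}

/* Walk /proc, print every SysV segment of an httpd/apache2 process; returns the count. */
int scan_apache_shm(void) {
    DIR *proc = opendir("/proc"); struct dirent *de;
    char path[64], buf[512]; int found = 0;
    if (!proc) return -1;
    while ((de = readdir(proc)) != NULL) {
        FILE *f;
        if (de->d_name[0] < '0' || de->d_name[0] > '9') continue;  /* PIDs only */
        snprintf(path, sizeof path, "/proc/%s/comm", de->d_name);
        if (!(f = fopen(path, "r"))) continue;
        if (fgets(buf, sizeof buf, f)) buf[strcspn(buf, "\n")] = '\0'; else buf[0] = '\0';
        fclose(f);
        if (strcmp(buf, "httpd") != 0 && strcmp(buf, "apache2") != 0) continue;
        snprintf(path, sizeof path, "/proc/%s/maps", de->d_name);
        if (!(f = fopen(path, "r"))) continue;
        while (fgets(buf, sizeof buf, f)) {
            unsigned key; unsigned long size; int w;
            if (!parse_sysv_line(buf, &key, &size, &w)) continue;
            found++;
            printf("pid %s: SysV key 0x%08x size %lu%s\n", de->d_name, key, size,
                   (w && size >= BIG_SEGMENT) ? "  <-- dump and inspect" : "");
        }
        fclose(f);
    }
    closedir(proc); return found;
}
```

Any segment it flags can then be dumped (for example with the ESET tool) and examined for the XOR-obscured strings the analysis describes; a legitimate Apache module that uses SysV shared memory will account for its own segments.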
New C-TIP Service Helps Hunt Botnets
Microsoft launched a new service for monitoring and tracking botnet behavior in near-real time. The new Cyber Threat Intelligence Program (C-TIP) is an Azure-based cloud service intended to provide data on infected PCs. The data is updated every 30 seconds. C-TIP is part of the Microsoft Active Response for Security (MARS) program. Security specialists will use the C-TIP service to look for active botnets. The MARS project has already played a role in discovering several high-profile botnets, and the new C-TIP service adds a powerful tool to the arsenal. Computer Emergency Response Teams (CERTs) will access C-TIP to download botnet data to their own private clouds for fast and efficient analysis when an attack is taking place.
X.org Vulnerabilities Discovered
Security expert Ilja van Sprundel has identified a number of security-critical bugs in the code of the X11 client libraries from X.org. X.org is the graphic display system used on most Linux and Unix-based systems. According to a note on the X.org developers list, the main reason for the large number of vulnerabilities is that the client libraries trust that the data sent by the X server satisfies the X11 protocol and is correct; because that trust is never verified, the code is susceptible to integer and buffer overflow attacks.
In the general case, the danger is minimized if the X server and X client programs run with the same user ID. However, in special cases, such as set-user-ID (setuid) programs, an intruder could use this attack technique to obtain root privileges on a vulnerable system. All previous versions of X.org are affected. Patches to the source code are available at the X.org site.
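The bug class described above is easy to see in a small piece of C. The following is an added illustration, not code from X.org or libX11: a hypothetical reply header carries an item count chosen by the server, the vulnerable arithmetic trusts it, and the hardened version bounds both the multiplication and the number of bytes actually received before copying.

```c
/* Added illustration, not X.org's code: an X11-style reply header carries a
 * length chosen by the server. Trusting it when sizing a buffer is the
 * integer/buffer overflow pattern described above; the checked version
 * bounds the arithmetic and the bytes actually received before copying. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ITEM_SIZE 4u   /* hypothetical: each reply item is 4 bytes */

/* Hypothetical reply as a client library would see it. */
struct reply {
    uint32_t nitems;       /* from the header: a hostile server picks any value */
    const uint8_t *data;   /* payload bytes actually read from the socket */
    size_t received;       /* how many of them there really are */
};

/* Vulnerable arithmetic: the 32-bit product wraps, so a huge nitems yields a
 * tiny allocation that a later copy of nitems * ITEM_SIZE bytes would overrun. */
uint32_t unchecked_bytes(uint32_t nitems) {
    return nitems * ITEM_SIZE;       /* e.g. 0x40000001 * 4 == 4 */
}

/* Hardened: reject before multiplying, then never copy more than was
 * received. Returns a malloc'd copy and sets *out_len, or NULL on rejection. */
uint8_t *unpack_checked(const struct reply *r, size_t *out_len) {
    size_t need;
    uint8_t *buf;
    if (r->nitems > SIZE_MAX / ITEM_SIZE)   /* product would not fit in size_t */
        return NULL;
    need = (size_t)r->nitems * ITEM_SIZE;
    if (need > r->received)                 /* header claims more than the wire delivered */
        return NULL;
    buf = malloc(need ? need : 1);
    if (!buf)
        return NULL;
    memcpy(buf, r->data, need);
    *out_len = need;
    return buf;
}
```

The received-length check matters even on 64-bit builds, where the first test never fires: a reply that promises more items than it delivers must still be rejected rather than read past the end of the socket buffer.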
IBM's Watson Computer Gets a Day Job
When IBM's Watson computer project stole headlines two years ago by beating the best available human at Jeopardy, experts wondered if IBM had a long-term plan in mind, or if putting the computer on a television quiz show was a marketing gambit designed to show off the company's technological prowess. The answer came recently with the announcement of the IBM Watson Engagement Advisor, a system designed to provide customer service responses through near-instantaneous big data analysis.
According to IBM, "270 billion customer service calls are handled annually, with roughly 50 percent unresolved, which means an increase in cost-per-escalated-call by three times. 61 percent of those calls could have been resolved with better access to information."
Descriptions of the new service are fairly vague, but maybe that is the point – Watson is much more adept than most computers at finding specific answers to vague questions. According to IBM, Watson will "help companies make their interactions count by knowing, delivering, and learning what each customer wants – in the context of their preferences and actions – sometimes before even the customer knows it themselves." The service appears to fall into the general category of "Big Data"; however, rather than analyzing the data in advance for a finished report, Watson will organize the information into an intermediate, indexed state, then analyze on the fly based on its interpretation of the customer's question. Watson's formidable natural language capabilities will contribute to what IBM hopes will be a seamless and efficient customer interaction.
Since winning at Jeopardy, Watson has gotten smaller and faster, with a 240 percent improvement in system performance and a 75 percent reduction in physical size. IBM says the system can now run on a single Linux-based Power 750 server.
At least for now, the Watson Engagement Advisor seems intended for clients whose customers need to draw highly specific information from very large data sets, such as information services for the banking and consumer marketing industries. The service will be delivered in a variety of formats, including via HTML, online chat, and mobile devices.
Drupal.org Reports Security Breach
The Drupal project has announced a security breach that has compromised usernames, contact information, and hashed passwords for possibly millions of users. Drupal is a popular open source Content Management System (CMS) used for building and managing websites. The Drupal project also hosts user websites at drupal.org and groups.drupal.org. The breach affected the sites hosted by Drupal but did not affect other sites running the Drupal CMS.
According to a statement by the Drupal security team, "This access was accomplished via third-party software installed on the Drupal.org server infrastructure and was not the result of a vulnerability within Drupal itself." Accounts at the affected websites are set to prompt users to reset their passwords at the next login. Users are encouraged to log in as soon as possible to reset their passwords.