Tuesday, January 22, 2013

Capacity focus, 71: Java under hacker attack, what should we do? (And, is Java still a suitable first programming language?)

[Image: the Java SDK icon]
In recent days, it has been in the international news that the Java programming language was under attack by hackers, and the United States Homeland Security Department had issued an alert advising us to turn it off in our browsers.

As a UK Daily Mail article of Jan 12th 2013 puts it:

The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software, amplifying security experts' prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web.

Hackers have figured out how to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.

'We are currently unaware of a practical solution to this problem,' the Department of Homeland Security's Computer Emergency Readiness Team said in a posting on its website late on Thursday.

'This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,' the agency said. 'To defend against this and future Java vulnerabilities, disable Java in Web browsers.'
Oracle declined on Friday to comment on the warning.

Java is a computer language that enables programmers to write software utilizing just one set of code that will run on virtually any type of computer, including ones that use Microsoft Corp's Windows, Apple Inc's OS X and Linux, an operating system widely employed by corporations. 

Computer users access Java programs through modules, or plug-ins, that run Java software on top of browsers such as Internet Explorer and Firefox . . . .  It is relatively rare for government agencies to advise computer users to completely disable software due to a security bug, particularly in the case of widely used programs such as Java.

Sounds quite dire, and unique.

Apparently (cf. technical FAQ here and onward links as needed, and if you need the gory details, cf. here), in updating Java to what is called Java 7 or 1.7 (the naming conventions for Java are quite confusing to the uninitiated), Oracle -- which bought out Sun Microsystems and so now owns Java -- had added new standard packages to the Application Programming Interface [API]. This is a library of standard packages that Java programs use to carry out their activities, which is now beyond some 4,000 pre-packaged items. (BTW, this powerful feature is one of Java's big attractions, and works with the Java Virtual Machine to give Java the Write Once, Run Anywhere feature that is such a big part of Java.)

However, one or more of these new API classes for Java 1.7 inadvertently opens the door for hackers to exploit, seizing control of your computer.

That exploitation can begin with sneakily breaking into and inserting just one line of code into an otherwise innocent web page. 

(Yes, this is not just a case of saying avoid those weird looking email messages or web pages and porn sites -- which you should be avoiding anyway for any number of other excellent reasons -- or social networking sites that may pass along links that lead you into trouble, and to avoid downloading games from sites that you do not have 100% confidence in etc.) 

Worse, while this is specifically a problem with Java 7, the tactic can obviously be used to create a moving target, attacking earlier versions of Java.


Should we simply walk away from Java?  

Shouldn't we be rushing off to lock off Java on our browsers and remove it from our PCs? 

Should we be suggesting that Java be used as a first programming language? 

What about cell phones, smart cards, and any number of devices otherwise that use Java?

Now, of course, I have held off commenting for a few days until I could track down some contextual info that would lay a basis for sound advice. I have now got some in hand, so I will proceed.

Let's start with the warning and sensationalism game. 

First, are you aware that, after recently discovered and exploited security gaps in Java [50%], the number two source of recent infections [28%] is Adobe Reader, the popular free software that allows you to read documents in the pdf format?

Similarly, did you know that the same Computer Emergency Readiness Team (CERT) of the Homeland Security Department warned consumers about Internet Explorer some time ago -- in an alert issued in 2004 and last updated in July 2012?

That should give some balancing context -- a major challenge with news headlines and news reporting. There is a problem, but this is not the only source of the problem, and a reasonable response must be aware of the general pattern, not just one particular point that is being headlined.

Within a couple of days, Oracle has come up with a first stage patch (apparently not a 100% fix . . . . ), but informed speculation is that it is going to take maybe a couple of years to work its way through all the twists and turns that the devious hacker can come up with to find a way to sneak in. That is, the very power of Java is being turned against it.

(NB: When I did look at my main browser to see what I should do, I saw that the Java plug-in had apparently long since been automatically turned off with a fairly fierce warning being inserted, in my plug-ins section. I am also wondering if that turn-off has something to do with some recent email troubles I have been having with a web based email address I have.)

As a further balance, the same Daily Mail article continues -- fairly deep in the details of the report:

It is relatively rare for government agencies to advise computer users to completely disable software due to a security bug, particularly in the case of widely used programs such as Java.

They typically recommend taking steps to mitigate the risk of attack while manufacturers prepare an update, or hold off on publicizing the problem until an update is prepared.

In September, the German government advised the public to temporarily stop using Microsoft's Internet Explorer browser to give it time to patch a security vulnerability that opened it to attacks.

Java is so widely used that the software has become a prime target for hackers. Last year Oracle's Java surpassed Adobe Systems Inc's Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.

We can notice a journalistic tendency to pick on one big thing to headline, and a related tendency to bury relevant context deep in a report, if the report even gets around to such.

This is regrettable, and we should be careful.

Obviously, we need to take action on Java -- wait a minute for me to get to that -- but also obviously we need to take action by updating Adobe Reader. Similarly, do you have a good, up to date antivirus package, and do you have anti malware as well as a firewall on your computer? Do you do regular scans and is the daily update feature for such antivirus enabled?

I can recommend Avast and AVG free versions, if you are sick and tired of always needing to go out and buy the latest-greatest version of the usual commercial packages. Malwarebytes is good malware protection, and running a scan every month or so will not hurt. If ZoneAlarm will work well with your PC, I can suggest it, but the Windows Firewall is good enough.

If you are using a Mac or a Linux machine or something more exotic, or a tablet or even a smart cell phone [these are really small computers similar to tablets], you need to look up the advice for these machines.

In short, we live in a world of not only hobbyist hackers, but hackers for pay, who are part of organised crime or -- worse -- spy agencies.

Those folks are not going to stop their nasty penetration tactics, so we need to be playing at safer computing.

But, what should I do about my Browser and Java?

Let's clip the Oracle advisory:

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 'in the wild', Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Java 7u11 Download: Java.com/download

Starting with Java Version 7 Update 10, a new security feature has been added to Java. Some web pages may include content or apps that use the Java plug-in, and these can now be disabled using a single option in the Java Control Panel.

Find the Java Control Panel
Windows XP
  • Click on the Start button and then click on the Control Panel option.
  • Double click on the Java icon to open the Java Control Panel.
Windows 7, Vista
  • Click on the Start button and then click on the Control Panel option.
  • In the Control Panel Search enter Java Control Panel.
  • Click on the Java icon to open the Java Control Panel.
Windows 8
Use search to find the Control Panel
  • Press Windows logo key + W to open the Search charm to search settings
    Drag the Mouse pointer to the bottom-right corner of the screen, then click on the Search icon.
  • In the search box enter Java Control Panel
  • Click on Java icon to open the Java Control Panel.
[ . . . . ]

[Windows 7 version appears below:]

Note: The example shows Java Control Panel for Java 7 Update 11

  1. In the Java Control Panel, click on the Security tab.
  2. Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
  3. Click Apply. When the Windows User Account Control (UAC) dialog appears, allow permissions to make the changes.
  4. Click OK in the Java Plug-in confirmation window.
  5. Restart the browser for changes to take effect.
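The Control Panel steps above flip a per-user setting, and a practitioner will want to confirm it was actually saved rather than trust the dialog. The following is an added example, not code from the original post and not Oracle's: it parses the Java deployment configuration file that the Control Panel writes and reports whether browser Java is off. It assumes the typical Windows per-user path for that file (DEFAULT_PATH) and the two keys Oracle introduced with 7u10, deployment.webjava.enabled (the "Enable Java content in the browser" box) and deployment.security.level; the two sample files are constructed, one showing the weak state and one the state the steps should leave behind.

```python
# Added example: check that "Enable Java content in the browser" was really
# persisted by parsing deployment.properties. Not from the post or Oracle.
import re
from pathlib import Path

# Typical per-user location on Windows for a Java 7 install
# (assumption; adjust to your own system).
DEFAULT_PATH = (Path.home() / "AppData" / "LocalLow" / "Sun" / "Java"
                / "Deployment" / "deployment.properties")

# Constructed sample: browser Java still on, security level left at MEDIUM.
WEAK_SAMPLE = """\
#deployment.properties
#Tue Jan 22 10:00:00 GMT 2013
deployment.version=7.11
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
deployment.javaws.jre.0.path=C\\:\\\\Program Files\\\\Java\\\\jre7\\\\bin\\\\javaw.exe
"""

# Constructed sample: what the Control Panel steps should leave behind.
HARDENED_SAMPLE = """\
#deployment.properties
#Tue Jan 22 10:05:00 GMT 2013
deployment.version=7.11
deployment.webjava.enabled=false
deployment.security.level=VERY_HIGH
"""

# key = run of escaped chars or anything but '=', ':' and whitespace;
# then an optional separator; the rest of the line is the value.
_LINE = re.compile(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$")


def _unescape(s):
    """Drop the backslash escapes Java writes into keys and values."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_java_properties(text):
    """Minimal reader for the Java .properties format ('#'/'!' comments,
    key=value or key:value, backslash escapes). Returns a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props


# Levels Oracle added in 7u10 that still allow most applets to run.
WEAK_LEVELS = {"LOW", "MEDIUM"}


def assess(props):
    """Return (browser_java_disabled, findings). A missing key is treated
    as Java's default, i.e. browser Java enabled (assumption)."""
    findings = []
    enabled = props.get("deployment.webjava.enabled", "true").strip().lower() != "false"
    if enabled:
        findings.append("browser Java still enabled: "
                        "deployment.webjava.enabled is not 'false'")
    level = props.get("deployment.security.level", "").strip().upper()
    if not level or level in WEAK_LEVELS:
        findings.append(f"security level is {level or 'unset'}; "
                        "VERY_HIGH (or at least HIGH) is preferable")
    return (not enabled, findings)


def check_file(path=DEFAULT_PATH):
    """Assess the real file; if it does not exist, nothing was ever saved."""
    path = Path(path)
    if not path.exists():
        return (False, [f"{path} not found: settings were never persisted"])
    text = path.read_text(encoding="utf-8", errors="replace")
    return assess(parse_java_properties(text))


if __name__ == "__main__":
    ok, notes = check_file()
    print("browser Java disabled" if ok else "browser Java NOT disabled")
    for note in notes:
        print(" -", note)
```

Run it after step 5 on each user account of the machine, since the file is per-user: a clean result for one account says nothing about the others. The parser is deliberately small; it handles the escaped colons and backslashes that appear in the file's path entries but not line continuations, which this file does not use.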
Obviously, locking off Java from the browser will do a first step of the job. I also looked in my main browser plug-in list and made sure Java was disabled from that end too.

The advice I have seen is that if there is a need for software from a trusted source that requires Java -- e.g. for a work task, and some online banking tasks also use Java -- then use a separate browser for this, and for this only. In that case, I assume that there will be a need to enable Java from the control panel and in the specially designated browser. The main browser should lock off its Java plug-in access. And, obviously, the icon that launches that special browser should not be accessible from the desktop or any obvious place that someone not knowing the situation may use!

For smart phones, smart cards, etc., it looks to me, on common sense, that we should put in the usual anti-malware stuff, and should look at plug-ins for Java in browsers. Maybe it would be a good idea to ask the source of the card or the phone or the browser on the phone. But smart cards are seldom going on the Internet and would be used by banks etc. that have very serious security staff, so I would not worry. When it comes to phones, use common sense and use one of the newly emerging anti-spyware, antivirus, etc. suites. I see that Avast is advertising their Android phone version. Apple's iPhone is a walled garden -- and I advise against Apple products, as Apple indulges some monopolistic and censorship tactics that I do not like.

Tablets are going to be basically the same as smart phones, indeed they tend to run the same operating systems.

Finally this all brings us back to something else, why bother with Java and why bother with it as a first programming language (as I have been promoting)?

Strangely enough, for the very same reasons why Java has been under such heavy hacker attack over the past year or more. 

Java is a popular, widely used, write once run anywhere, object oriented web and multimedia ready programming language of realistic capability that I am convinced can and should be better taught to beginning programmers. Learning to program in Java is thus a gateway capability to the world of digital productivity.

That has not changed, never mind how attacks on Java have been headlined.

So, I do not recommend abandoning Java, any more than I recommend abandoning the pdf document format!

Indeed, I actually doubt that we can abandon Java; it is all around us, from smart cards to smart phones and more.

In the meanwhile, let us be cautious about how we use it, until Oracle is able to patch the main vulnerabilities. Just as how we should be cautious with any information technology, especially if it accesses the Internet.

And, DV, I will try to keep an eye out and an ear cocked for key developments on the Java security challenge.

So, having doused a bit of a media sensation and hacker attack fire, it is back to business, and to the task of seeing how we can develop an effective approach to learning computer programming, using Java. END