Disabling Java Plug-ins

In recent years, the Java development platform has become a favored target for hackers, leading to a growing list of Java-specific vulnerabilities being discovered and exploited by various malware.

As such, many security researchers and national computer security organizations caution users to limit their usage of Java, unless required for business reasons, or to remove it entirely, including disabling Java plug-ins in web browsers.

Listed below are instructions for disabling Java plug-ins or add-ons in common web browsers ( based on the advice given by the US-CERT Vulnerability Note VU#636312).

  • Mozilla Firefox
  • Google Chrome
  • Apple Safari
  • Microsoft Internet Explorer

Included below are links to resources that provide additional removal information.


Disable Java NOW, users told, as Java 0-day exploit hits web

A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle’s Java patch schedule, it may be some time before a fix becomes widely available.

The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.

The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself.

In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

All browsers running on these systems were found to be vulnerable if they had the Java plugin installed, including Chrome, Firefox, Internet Explorer, Opera, and Safari.

Although the actual source of the exploit is not known, it was originally discovered on a server with a domain name that resolved to an IP address located in China. The malware it installed on compromised systems attempted to connect to a command-and-control server believed to be located in Singapore.

Oracle has yet to comment on the vulnerability or when users should expect a fix, but it might be a while. The database giant ordinarily observes a strict thrice-annual patch schedule for Java, and the next batch of fixes isn’t due until October 16.


Professional Social Networking – Is it risking your organisations assets?

In today’s employment environment everyone is fighting to be the best and stand out from the crowd when it comes to getting that next career break no matter how big or small. Maybe it’s a voluntary move with no pressure from where you are currently and you’re able to browse the market to find the shoe that fits and make it work best for you when it comes to flexibility, location and ‘perks of the job’. Or you mite be one of the many folk who are in the unfortunate position of having to jump from a sinking ship either voluntarily or with a little nudge.

In this environment it seems to becoming an ever popular choice to not only apply for new jobs, contact recruiters in the chosen fields and to keep in touch with old friends elsewhere within industry but to also keep the CV equivalent of Facebook up to date. LinkedIn.

LinkedIn is a great tool to offer the professional ‘you’ to business acquaintances and enable you to keep that professional distance with clients, colleagues as well as past, present and hopefully future employers.

In the cut throat world of job hunting and recruitment are we becoming too at ease with the information we divulge when it comes to our skills and  experience on our online ‘CV’s’?


WordPress admin privilege auto-handover – Does such a thing exist?

We were wondering if there is such a function or plug-in available for WordPress which automatically provides a designated existing registered user of a WordPress site with full administration privileges after a predetermined period of time of no login activity from an existing designated admin account.

For example if the core ‘Admin’ account doesn’t login to a site for say 30 days privileges are increased for a designated trusted user automatically by the plug-in or feature allowing the site to then be continually maintained in the event of for example, a lone admins death or even the password being forgotten to the main admin account and the admin no-longer having access to the password recovery feature, such as an email account originally set up to retrieve the password reset notification.

Thankfully we at ForHacSec have multiple admins and it would be very unlucky for us all to kick the bucket at the same time.

If this feature or plugin does exist what and where is it and if not, is anyone interested in a challenge of creating it?

MasterCard, VISA Warn of Processor Breach – 10,000,000 credit cards potentially compromised

VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

Update, 4:32 p.m. ET: Atlanta-based processor Global Payments just confirmed that they discovered a breach in early March 2012. See their full statement and several other updates at the end of this story.

Original post:

In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.

Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area.

It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.


2012 Data Breach Investigation’s Report Released

It’s hard to believe, but it’s time again for another installment of Verizon’s annual Data Breach Investigations Report. This year’s report represents our largest dataset ever, with 855 confirmed security breaches accounting for a combined 174 million compromised records. As always, we analyze the data and attempt to explain what happened, who did it and who was affected. We are very pleased to announce that the 2012 DBIR  again includes data provided by our valued collaborators, the U.S. Secret Service and the Dutch High Tech Crime Unit. We are even more pleased to announce that these agencies are joined this year by the Irish Reporting and Information Security Service, the Australian Federal Police, and the Police Central e-Crime Unit of the London Metropolitan Police.. The inclusion of data provided by these agencies allows for the most geographically diverse DBIR to date.


Work Experience

As someone who has worked with many trainees, work placements and apprenticeships over the years it still surprises’ me the lack of enthusiasm some within the IT community have when it comes to taking someone trying to enter the industry under their wing. Whether it be for a day a week or upto two years when it comes to level 3 apprenticeships.

Everyone of us across the IT field had to start somewhere. Either through self study and getting that initial break in the industry to build upwards and onwards or through the many academic university and college pathways to get that all important ‘piece of paper’ after which they can then learn how it’s actually done for real in everyday industry life with the pressure of time, budget and political constraints which cannot be rein-acted in the classroom.

Speaking from my own observations and conversations with others within the community it seems there is a lack of motivation to firstly attract fresh blood to a point where they are interested in even a one week placement during high school and should that decision to take on a work placement be out of their control and is pushed through by management there seems to be a bigger feeling of it being some kind of punishment. Trying all possible options to avoid having a side-kick for a few days and then once the newly acquired side kick has arrived and management have finished the introductions quickly pointing said ‘side-kick’ in the direction of a task which will keep them quite and out of the way of  ‘mentor’ for the day mindlessly imaging PC after PC with no real input from said ‘mentor’ about what and why they are actually doing.


The Magic of Doing One Thing at a Time – Burnt out?

Can anyone else relate to this?

Why is it that between 25% and 50% of people report feeling overwhelmed or burned out at work?

It’s not just the number of hours we’re working, but also the fact that we spend too many continuous hours juggling too many things at the same time.

What we’ve lost, above all, are stopping points, finish lines and boundaries. Technology has blurred them beyond recognition. Wherever we go, our work follows us, on our digital devices, ever insistent and intrusive. It’s like an itch we can’t resist scratching, even though scratching invariably makes it worse.

Tell the truth: Do you answer email during conference calls (and sometimes even during calls with one other person)? Do you bring your laptop to meetings and then pretend you’re taking notes while you surf the net? Do you eat lunch at your desk? Do you make calls while you’re driving, and even send the occasional text, even though you know you shouldn’t?

The biggest cost — assuming you don’t crash — is to your productivity. In part, that’s a simple consequence of splitting your attention, so that you’re partially engaged in multiple activities but rarely fully engaged in any one. In part, it’s because when you switch away from a primary task to do something else, you’re increasing the time it takes to finish that task by an average of 25 per cent.


Want the job? Hand over your Facebook password

Picture it: you are at a job interview, and the interviewer requests that you log into your Facebook account so they can shoulder surf as you lay bare your profile in its entirety.

Worse, what if they ask you to hand over your Facebook username and password?

You might laugh and say I would never do that, but what if you really, really need a job? Many of us are desperate for work at the moment, so it is no surprise that some feel they must comply to avoid being stricken from the candidates’ list.

In the US, this tactic has been used with people applying for police officer or 911 dispatcher roles, according to an AP article. But the report says that it is happening elsewhere too.

The reason that an increasing number of employers want full access to a Facebook account is perhaps due to more of us hiding information from people we aren’t connected with.


Posted in: Industry, Privacy by Zac No Comments , , ,

Open Tabs – 19th February 2012

BOFH: Moon landings, Pong and the case of the smoking server – Embrace, extend, exterminate …

Two UK airports scrap IRIS eye-scanners – I’m glad I didn’t pay in to be part of this.

The ICO has been busy…

Metadata: A Pentester’s Best Friend –  FOCA is the Pentester’s best friend

Responsibility vs Capability in the CISO Role – CISO’ shouldn’t be alone. Support from management is a must.