And just like money, they have different values.  For example, a euro bill has a different value than a one hundred euro bill.  You also treat them differently according to their value.  This is the same as information.  Information like this blog information is treated differently compared to information containing your personal information or employee information (Hint: Personal and Employee Information are more valuable).

You would not leave valuables unprotected for just anyone to take, and when you are not using valuable information (just like money), you should put it in a safe place equivalent to its value (e.g. a locked cabinet or by encrypting it).  Yet a number of people leave sensitive information out in the open just for anyone to take.

So please remember the next time your company entrusts you with information, understand its value and treat it like money.

1. Presenting additional security information (https://www.java.com/en/download/help/appsecuritydialogs.xml); and
2. Requiring confirmation before being allowed to run.

An example of the confirmation is shown below:

In the above example, it specifies the location (i.e., URL) as well as potential risks (like the application being unsigned).

Oracle is now recommended that applications be signed by a legitimate Certificate Authority.  This increase in visibility will hopefully help bring better awareness on the risks of running 3rd party applications.  Though I wonder how long will it take before users will similarly treat this like the SSL warnings we get and folks will just click on ‘Run’ regardless.

Reference:

https://www.java.com/en/download/faq/signed_code.xml

It is good for Evernote to send notifications about the breach as well as enforcing a password change when you log in.  You are also notified through email if your password was changed.

One of their tips is “Never click on ‘reset password’ requests in emails – instead go directly to the service’.  This is critical as the email addresses and usernames were compromised so attackers can send you unsolicited email attempting to get information from you.

When you are changing your password on the site, it does not give any indication of how strong your password is (this can be subjective as well depending on your perspective) but they did advise not to use simple passwords based on dictionary words.  I would advise as well NOT to use passwords based on just numbers, commonly used info (e.g., your username or name), and easily guessed passwords (e.g,. password123, qwerty, etc.)

Keep safe everyone.

Reference:

http://evernote.com/corp/news/password_reset.php

Please note as well that the recent Java updates will uninstall Java 6 so if your application requires Java 6 then please watch out for this.

Reference:

http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

NOTE: The vulnerability is exploited on the client-side (e.g., if Java is run through the user’s web browsers) and not on the server-side (i.e., if your server application is running on Java).

One of the vulnerabilities (Reflection API vulnerability) has been patched with Java Version 7 Update 11 (released January 13). However, the JMX MBean vulnerability was not patched so Java is still vulnerable to exploitation.

Whether disabling Java is practical or not depends if the user needs to run Java for certain web applications. But for most cases, it is recommended for Java to be disabled.

Alternatively, you may want to run one browser with Java enabled for those mission-critical applications and another browser with Java disabled for day-to-day browsing.

Since Java Version 7 Update 10 (7u10), one can disable Java on browsers system-wide (if one has multiple browsers) through the Control Panel.

Otherwise, you need to configure each browser to disable Java.

Oracle has instructions on how to disable Java on the web browser through the link below:
http://www.java.com/en/download/help/disable_browser.xml

References:
http://www.kb.cert.org/vuls/id/625617
http://news.softpedia.com/news/Java-7-Update-11-Addresses-the-Flaw-Partly-Fixed-in-October-2012-Experts-Say-320792.shtml

So I’m running a set of articles based on what I believe are critical for securing your organisation’s information.  The target is normally those organisations that do not have a dedicated security team.

Normally, I would start with identifying what your business goals are as that will always frame/drive an  information security programme.  But as I cannot customise the articles for an organisation, I will be making some general objective.

• To protect the confidentiality, integrity and availability of mission-critical information the organisation collects and processes in a cost-effective manner.

#1 Identify Your Mission-Critical Information

The number one step is to actually identify what and where your mission-critical information are.  These are information that are used by the business on a day-to-day basis, without which you have no business.  Or if these were compromised or stolen have the impact of making you go out of business.  These are also information that have regulatory/legal requirements (e.g., personally identifiable information).

I believe in the maxim: “You cannot protect what you do not know.”

Some examples include:

• Customer Information
• Employee Information
• Financial Account Information
• Health Information
• Personally Identifiable Information
• Intellectual Property (e.g., if you develop or create intellectual property).

Identify where they are located (e.g., cabinets, with a vendor, on one of your systems) and who is responsible for them (e.g., employee records are normally the responsibility of Human Resources or if your organisation is small, the Office Manager).

Using a spreadsheet, put the information list and their location and responsible owner.

That is it for step 1.  We will be using this list moving forward.

The US Department of Homeland Security has a page on the effort: http://www.dhs.gov/national-cyber-security-awareness-month

Europe has also a Cyber Security Month: http://www.enisa.europa.eu/activities/cert/security-month

Updates are available for Oracle Java 7 Update 6 (and earlier) and Java 6 Update 34 (and earlier).  These can be found through the Reference link below or if you use Microsoft Windows, go to Control Panel >> Java.  And then choose the Update folder tab and click on Update Now.

To verify if you have the latest version of Java, use your browser to go to http://www.java.com/en/download/installed.jsp (it is recommended to copy and paste the URL to your browser instead of just clicking on the link).

The fixed version would be Oracle Java 7 Update 7 and Java 6 Update 35.

Be safe everyone!

Reference:

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

I do not expect Oracle to release an emergency patch anytime soon and the next patch cycle is in October.  So the current recommendation is to disable Java where possible.  This will be difficult for those who use applications that run on Java.  For this case, I would probably use 2 browsers.  One with Java disabled to use for normal browsing.  The other with Java enabled used only for trusted applications.

In any case, I’ll be explaining on how to disable Java on several browsers to help you on your way.

Google Chrome

In Google Chrome, click on the wrench icon (similar to the one below) and go to ‘Options’.

Choose ‘Settings’  and at the bottom of the screen, choose ‘Show advanced settings…’.

Your settings screen will expand further.

Under the Privacy section, choose ‘Content settings…’.

A dialogue box will appear and scroll down until you reach the ‘Plug-ins’ section and choose ‘Disable individual plug-ins…’

You will be shown a list of plug-ins in another tab.  Look for the Java entry and choose Disable.

When you click on Disable, the text will become faded similar to the one below.  Do not click anything further in the Plug-ins section.

You can then proceed to close the ‘Plug-ins’ and the ‘Settings – Content settings’ tabs.

And you’re done.

References:

http://www.kb.cert.org/vuls/id/636312

You can hold your card from a certain distance (around 10cm or 4 inches if using ISO 14443) from a card reader and it will allow you to pay up to a certain amount (€15 in Ireland) without signatures or a PIN.  There is a security control that if you transact a certain number of times, you will be prompted to type in your PIN to complete the transaction.  It is very convenient but not without its risks.

The technology used is called Near Field Communications (NFC) which builds (improves?) upon radio frequency identification (RFID) technologies.

If you go to the Smart Card alliance website, it specifies a number of security features of these contactless cards.  But if you read closely, they tend to use the word ‘can’ a lot.  For example:

Strong information security. For applications requiring complete data protection, information stored on cards or documents using contactless smart card technology can be encrypted and communication between the contactless smart card-based device and the reader can be encrypted to prevent eavesdropping. Hashes and/or digital signatures can be used to ensure data integrity and to authenticate the card and the credentials it contains. Cryptographically strong random number generators can be used to enable dynamic cryptographic keys, preventing replay attacks. [Smart Cards FAQ]

It makes you think if they don’t seem to be a requirement but rather an option.

viaForensics developed a proof of concept app that allows the app on an Android device to read data from contactless bank cards by placing the device within the transmission zone of the card.  And it appears that the device could read the following:

• Name on Card
• Full Card Number (i.e., credit or debit card number)
• Expiration Date

Given that they didn’t access your CVV/CVV2 number (i.e., the last 3 digits on the other side of the card), the information gained can still be used to do some purchases on sites like Amazon which doesn’t require CVV/CVV2 to complete a transaction.

It is also possible that a device could be made that could read the information from longer distances – a standard only gives guidelines on a card’s transmission zone but one can always create devices that go beyond the standards.  For example, an NFC device with a directed antennae may be able to read for longer distances.

So what can you do?  If you are not comfortable with a contactless card, you can:

Be safe everyone.

References:

http://www.siliconrepublic.com/business/item/22529-bank-of-ireland-launches-co

http://www.channel4.com/news/millions-of-barclays-card-users-exposed-to-fraud

http://www.smartcardalliance.org/pages/smart-cards-faq

https://viaforensics.com/security/security-update-contactless-nfc-credit-cards.html