Monday, September 17, 2012

Is Java now too dangerous to use?

Java is under fire once again. So why is everyone worried this time?

Java, the great enabler of useful applications or a waste of space that is doing more harm than good? After the last few weeks this has become a question worthy of a philosophy lecture.
First in late August came news of two serious zero day Java vulnerabilities (CVE-2012-4681), with plenty of evidence that criminals were exploiting them in a big enough way to pose serious questions over Java's continued use.

Oracle patched the flaw in an out-of-band release but according to Polish security firm Security
Adding a note of the absurd, not long after the fix had appeared, the Poles said they’d found a vulnerability in the patch for the zero day: a way for code to escape the software’s security blanket, its sandbox.
So, a serious flaw allegedly known about for months, only patched once exploits had started appearing. And then this patch immediately turns out to have a sandbox-busting security flaw of its own.
Should consumers and businesses keep Java on their desktops? In both cases the answer is a 'yes' but only if it is actually required.
Java myth number 1 – I need Java on my computer just in case
For businesses, working out whether the Java runtime environment (JRE) is needed is fairly straightforward and the answer is usually ‘yes’. Presumably admins wouldn’t allow Java on desktops if it wasn’t there for a reason, and that reason will often be tied to a specific version. In the case of consumers, many probably won’t need Java but will have it on their computers whether they know it or not. Many retail PCs simply include it by default.
The JRE is still necessary for a clutch of games that work as applets not to mention Google’s heavy and contentious use of the software inside Android but otherwise its popularity is waning. Bear in mind that Java installs on the PC but can be enabled or disabled inside browsers too.
You can test whether Java is enabled and which version is being used by visiting this site.
Myth number 2 – JavaScript is Java
Wrong. Beyond the shared word ‘Java’ the two are unconnected. JavaScript was invented by Brendan Eich in 1995 while he was working for Netscape; he carried his belief in the usefulness of a scripting interface that makes browsers and websites more interactive with him when he became Mozilla’s CTO at the time of its founding in 2003. As they say, the rest is Wikipedia.
Microsoft’s adoption of its own non-standard version, JScript, caused serious unhappiness that it was hijacking a good open source idea for its own ends, but that's an aside.
Myth number 3 – old versions are harmless
That’s another thing about Java. Even when security updates are available and users take the time to download them, many forget to de-install old versions.
As Oracle itself said in May, "Keeping old and unsupported versions of Java on your system presents a serious security risk." The company helpfully tells people how to do this and it’s incredibly simple as long as you remember to do it and know that it’s necessary in the first place.
You’d wager most computer users don’t know that this is important and have better things to do with their time in any case.
So why doesn’t Oracle delete old versions when installing newer ones? Because old versions might conceivably be used by some applications, and so it can’t. If such apps are encountered on a machine cleansed of old versions, Oracle keeps an archive of old releases should they be required.
A good tip is to make sure that new versions of Java are downloading automatically (they should be by default) and that the system checks for new versions often enough (the default is once a month, probably not frequent enough). In Windows, run the Java app from Control Panel, open the Update tab, click Advanced and set the frequency to ‘once a week’.
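The point about forgotten old versions is easy to check mechanically. As an added example (not code from the original article), the Python script below parses an inventory of installed Java runtimes and flags every copy older than the newest one. The input lines are constructed here to resemble the Windows Add/Remove Programs display names Oracle’s installers use and the first line of `java -version` output; the function names and the sample inventory are assumptions for illustration.

```python
"""Inventory installed Java runtimes and flag stale copies (added example).

Two input shapes are recognised:
  * Windows Add/Remove Programs display names, e.g. "Java 7 Update 7"
    or "Java(TM) 6 Update 33"
  * the first line printed by `java -version`, e.g. java version "1.7.0_07"
Anything else is reported as unrecognised and ignored.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int]  # (major, update), e.g. (7, 7) for Java 7 Update 7

# Display names used by Oracle's Windows installers for the JRE and the JDK.
_DISPLAY_RE = re.compile(
    r"^Java(?:\(TM\))?(?:\s+SE\s+Development\s+Kit)?\s+(\d+)\s+Update\s+(\d+)",
    re.IGNORECASE,
)
# Version token printed by `java -version`, e.g. "1.7.0_07" -> major 7, update 7.
_VERSION_RE = re.compile(r'"1\.(\d+)\.\d+_(\d+)"')


def parse_java_version(text: str) -> Optional[Version]:
    """Return (major, update) for either input shape, or None if unrecognised."""
    m = _DISPLAY_RE.match(text.strip()) or _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def stale_runtimes(entries: List[str]) -> Tuple[Optional[Version], List[str]]:
    """Return the newest runtime found and every recognised entry older than it.

    Entries that are not Java runtimes are skipped; order of the stale list
    follows the input so the report can be matched back to the inventory.
    """
    known = [(v, e) for e in entries if (v := parse_java_version(e)) is not None]
    if not known:
        return None, []
    newest = max(v for v, _ in known)
    return newest, [e for v, e in known if v < newest]


# Constructed sample inventory: what a scan of a desktop might list in 2012.
SAMPLE_INVENTORY = [
    "Java(TM) 6 Update 33",
    "Java 7 Update 7",
    "Java 7 Update 5",
    'java version "1.6.0_31"',
    "Adobe Reader X (10.1.4)",  # not Java; should be ignored
]


if __name__ == "__main__":
    newest, stale = stale_runtimes(SAMPLE_INVENTORY)
    print("newest runtime:", newest)
    for entry in stale:
        print("remove:", entry)
```

The comparison is a plain tuple comparison, so a Java 6 update with a high update number still ranks below any Java 7 release; that matches the article’s advice that the old major version should go once the newer one is installed and known to work with the applications that need it.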
Myth 4 - Java vulnerabilities are a Windows problem
Java flaws can affect all platforms on which the runtime is present, including Apple and Linux. This doesn’t mean that every Java flaw affects these platforms equally. The overwhelming bulk of malware exploiting Java flaws targets Windows users; that is, it attempts to open a back door through which a Windows-specific payload is then delivered.

Sunday, September 9, 2012

Argentina Begins Tracking All Credit Cards

Jon Matonis, Contributor
I cover payments, cryptography, and digital currency.


In an eerie glimpse of what a cashless society enables, the government of Argentina has taken the drastic step of mandating banks to report every credit card purchase to the tax authorities, AFIP. Also introduced on Friday, another measure adds a 15 percent tax surcharge every time a purchase is made outside the country using a credit card issued by an Argentine bank.
This action targets those people who have been using credit cards as a way to purchase at the official rate rather than the black market rate, in effect creating a dual credit card exchange regime. Capital flight is high in Argentina due to the depreciating peso, and currency controls are becoming more and more aggressive.
The black market peso price has spiked as the government has tried to close off any and all avenues for people to legally convert out of pesos and into US dollars. A 15 percent tax surcharge will close some of the gap between the regulated official rate and the black market rate, currently at 4.63 pesos per dollar and 6.39 pesos per dollar respectively. In theory, this new surcharge is deductible against future taxes owed so it’s really an advance payment. But in practice, its real value as a deduction will have been eaten up through inflation and it’s meaningless for those that don’t earn enough income to owe taxes.
On Monday, this new rule was broadened to include debit cards and purchases at any online site outside the country, which targets Amazon and eBay purchases.
But the measures go much farther, according to Michael Warren of Associated Press, “giving the government powerful new tools to combat widespread tax evasion.” He writes:
Tax and customs agents now will be able to compare better what Argentines declare to the customs and tax agencies with what their credit card bills say. Before, the reporting requirements applied only to expensive charges of more than 3,000 pesos (about $645). Now, every single purchase by every co-signer must be reported. And if the totals show people are living large while claiming to be paupers, they could get into big trouble.
Even the socialist President Jose Mujica of Uruguay called the new measures “crudely protectionist” in a radio interview from Montevideo. Tourism and investment to the area have already been suffering.
This article is the third in an ongoing series of country focus pieces where the cashless society utopia has actually advanced the cause of financial repression. The SWIFT monetary blockade of Iranian banks was the first report and MintChip digital currency in Canada was the second report.
These are brutal, important lessons in why a cashless society should not strip everyone of their transactional and financial privacy. For those people in Argentina who want to bypass currency controls and also shelter their money from government-induced inflation, this Buenos Aires exchange community claims to buy and sell bitcoin for Argentine pesos. And the exchange sells bitcoin for Ukash vouchers, which are available in Argentina.

Thursday, September 6, 2012

Hackers could be running company computers, GCHQ chief warns

Hackers may already be secretly running company computer systems because firms are too complacent and falsely believe they are protected, the head of GCHQ warned yesterday.

The cyber war is at an unprecedented level
Thousands of cyber attacks are launched around the world every day. Photo: GETTY IMAGES

Iain Lobban, director of the intelligence agency, said too many businesses have “misplaced” confidence over their security against cyber attacks and need to take the threat more seriously.
He said some may not realise their systems have already been compromised, sensitive information stolen, or even their entire network placed under the control of criminals.
The agency revealed that one unnamed security firm that ran large Government contracts went bankrupt after hackers released sensitive emails and data.
Another, a world leading pharmaceutical company, had a five-year, £1 billion product research programme compromised after the data was stolen in a cyber attack and allowed a cheaper rival product to hit the market before it was launched.
Mr Lobban told business leaders last night that the size and pace of cyber attacks was now at an unprecedented level and threatened the UK’s economic security.