Earlier this year, I wrote a piece about how it was only a matter of time until Java became a popular vector for attacks. The response to that particular article was a lot of fun for me. Let’s just say a number of high-profile, open source Java folks jumped up and down and shouted FUD. My conclusion: just talking about security to developers earns an almost immediate negative reaction. They don’t want to think about it.
I guess this makes sense, developers generally don’t want to have to deal with security, and me bringing up the fact that many of the systems you are working on may be vulnerable to attack isn’t something you want to think about. I understand, you have enough to worry about: looming deadlines, that junior programmer you just hired who isn’t pulling his weight, a continuing fight with operations over who “owns” the deployment process. Work is hard, there are certainly not enough hours in the day, and if you can ignore security, why not? I mean, it’s Java. Who’s going to attack Java?
AntiSec, that’s who. They aren’t just going to compromise your machines because you failed to update Java, they are going to grab your data, parade it around the world for all to see, and then make a few political statements at your expense. And, I’ll bet the FBI wishes that they had installed this February 2012 security patch from Oracle. If they had done so, they’d probably be having a much better day today.
“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.”
This is from the AntiSEC statement regarding this breach (inappropriate language).
So what do you think is happening to the person responsible for security right now? Do you think he’s able to say, “you didn’t tell me that security was a priority?” or “It wasn’t my responsibility to check for JVM updates from Oracle?”. No, he’s likely being replaced, if not immediately then his management team is leading him on until they can identify someone who isn’t going to generate front page security failure.
What’s next? Well, the JVM is now front-and-center as far as security vulnerabilities go these days. Just last week you were all asked to turn off Java 7 until a suitable patch was issued (which is a ridiculous request BTW, that’s like asking us to stop working for a few days). I predict that as Java continues to develop as an attack vector – libraries are the next fun vulnerability. I know many of you don’t want to hear this, but it’s true. Your web frameworks are next, prepare yourself with Sonatype Insight, or start coming up with excuses when your systems are the reason for front page security fail.