Stay safe devs, update your Java…

If you’re an Android developer, you’ll have the JDK installed somewhere. You need to keep this up-to-date. Java, along with the even more vulnerable Flash Player and Acrobat Reader, makes up the lion’s share of all current serious security vulnerabilities on your computer.

Today, Oracle released JDK 7 update 7, and it specifically fixes a vulnerability disclosed last week. You can always download the latest JDK from this page: http://www.oracle.com/technetwork/java/javase/downloads/index.html. Click on the button ‘JDK 7u7’ (though, of course, over time that u7 will become u8 and so on).

Do it. Do it now!

If you’re not a developer and you have Java installed you still need to stay up-to-date. You should be prompted to update your Java — let it run and it’ll help you stay safe. Same goes for Flash, Acrobat Reader and Windows/OS X updates.

Edit: if you’re running OS X, you’ll notice that java -version still shows the version you had before. Annoyingly, you have to open ‘Java Preferences’ in your Applications/Utilities folder, and in the ‘Version’ column for Java 7, change the drop down to the version you just installed:

Set the latest Java version in Java Preferences

Defeating Key Loggers with Snake Oil

This comes via John Gruber, who quotes a New York Times story about the odd security precautions a guy called Kenneth G. Lieberthal takes when he visits China. He calls out the fact that clipboard loggers are just as easy to install as key loggers. Here’s the relevant bit from the NYT article:

[He] copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”

This is a moronic policy designed purely to make Kenneth ‘feel’ more secure because, at the front of his mind, he is worried about key loggers. Gruber is right — a clipboard logger is just as easy to implement as a key logger, but this overlooks one important fact — a program to steal files from a USB stick is vastly easier to implement than either a key logger or a clipboard logger, because it doesn’t need any special system privilege.

Don’t write your passwords down and don’t store them in a file. I presume there’s some missing detail here — maybe he’s using a programme that encrypts the file with the password, the article doesn’t say, but even if that’s so, he still needs to decrypt it some way or another, and that means the key logger would be just as effective.

If you want true security and it is important (and justified), use one-time passwords.

Do You Need To Know About Hashing and Encryption?

There has been a bit of a hullabaloo over the past few days that started because of an app called Path. It even hit the mainstream news. This app was sending address book data back to its servers where it got stored in clear text. Not the smartest move, and Path certainly weren’t the only ones guilty of this.

If you’re a developer working on a system that handles sensitive data — and any email address or personally identifiable information is sensitive — you must educate yourself about hashing, salts and general encryption techniques (and the various gotchas). You owe it to your users. You’ve got to understand when to use encryption, when to use hashes and how they work and how they can be compromised.

Matt Gemmell (who writes a bit about Mac development) has posted a pretty long post on the topic of hashes that could serve as a good introduction. I’ll admit I haven’t read it all the way through yet (currently I am very tired — my brain isn’t functioning properly so far as I can tell), but I scanned it and it looks like it should set the scene well.

Path also did this without the user’s consent. Needless to say, that is a pretty awful sin. If you are designing an app that accesses sensitive information on a device, you’ve got to ask permission. It’s only polite.

Is Full Disk Encryption Secure Enough?

I just came across this article about cracking full-disk encryption (http://reviews.cnet.com/8301-13727_7-57369983-263/filevault-2-easily-decrypted-warns-passware) with the headline “FileVault 2 easily decrypted, warns Passware”. It looks like the article is pretty much a re-hash of a press release, but it got me wondering how serious this actually is, and whether there are steps you can take to mitigate the risks, if you need the security of full-disk encryption.

The actual threat

The vulnerability comes from ports with direct memory access. From what I understand, that’s mostly high-performance ports like FireWire, PC-Card (and Express Card), eSATA and Thunderbolt. The article mentions FireWire in particular, but that’s probably because they’re focusing on Mac and lots of Macs have FireWire. The problem is certainly not just a Mac-only issue, and affects any computer with those ports.

The reason these ports can be used is all down to the way they achieve their high-performance — they give devices direct access to memory. That’s definitely a double-edged sword. While it allows data to move between devices at blazingly fast speeds, it also enables malicious access to anything that’s in your computer’s memory. If you’re using full disk encryption, that includes your decryption key. That key has to be in memory, because without it you can’t get your data. I’m surprised that there isn’t a way to ring-fence this super-sensitive data, but the world of technology is all about trade-offs, and up to now that clearly isn’t a trade-off anyone has felt was worth the effort.

Is there anything you can do to stay secure? Yes. This issue only affects your computer while it is up and running (and after you’ve entered your password). Therefore, if your computer is powered off, your data should be safe. It doesn’t sound so bad now — you can just turn your computer off when you’re not using it — but it still leaves one huge gaping hole: most of us don’t turn our computers off, we put them to sleep. When we put computers to sleep, everything that’s in memory is kept in memory, so the vulnerability is still there as soon as you open the lid or hit a key. If you need to be as safe as you can be, shut down your computer when you aren’t using it, and never leave it unattended when it’s locked/sleeping.

I hope this post gives you a little extra insight into how full-disk encryption might not be totally secure. I do feel that this vulnerability is an edge case — using such specialised software on a running laptop means that somebody is serious about getting your data — if somebody found a laptop on a train, say, and tried accessing your files using regular methods, full disk encryption should save you from embarrassment and getting your name in the newspapers — but if you are worried that you might be specifically targeted, this problem could be very real and you should definitely give it some thought.