September 4, 2012
Hackers Stole and Leaked Over 1 Million Apple iOS Device IDs From FBI
The 20-byte ID codes were, we're told, copied from a file extracted from the Dell notebook of a senior federal agent, who was tracking the activities of hacktivists in LulzSec, Anonymous and related groups. Supervisor Special Agent Christopher Stangl's machine was compromised via an AtomicReferenceArray vulnerability in Java in March, the black hats claim.
Once his computer was infiltrated by the hackers, a file was allegedly seized containing 12 million device records that included Unique Device Identifiers (UDIDs), usernames and push notification tokens as well as a smaller number of names, mobile phone numbers, addresses and zip codes. Members of the AntiSec crew leaked edited extracts of this data, having mostly stripped it of fanbois' personal information, on Monday.
The listed UDIDs, which include gadget serial numbers and other data so apps can distinguish between individual devices, appear to be genuine. However, by themselves they may pose only a minimal privacy risk once leaked online, so the effect of the dump is largely confined to embarrassing the Feds - and raising questions as to why agents have the information in the first place.
The most likely source of the data was either an iOS app developer or multiple developers, Mac Rumours speculates.
The Java exploit used in the attack is unrelated to the mega-bugs finally patched by Oracle last week.
It's a matter of record that Stangl was among the agents invited to an FBI-Scotland Yard conference call about the progress of investigations into members of Anonymous back in January. Members of LulzSec infamously eavesdropped on this call and leaked a recording after intercepting an email arranging the chat.
Email addresses exposed by this breach may have been used in a follow-up targeted attack that tricked investigators into visiting a booby-trapped website exploiting an at-the-time Java 0-day vulnerability. Rob Graham of Errata Security expands on this plausible theory in his blog post "How the FBI might've been owned".
The AntiSec activists behind this week's leak suggest the device info data was used as part of some FBI tracking project involving iOS devices, such as iPhones. Even they are a bit vague on what that might be. However, the group goes into some detail in explaining how it apparently swiped the data:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
The AntiSec group says it decided to publish a portion of the leaked data in response to a keynote speech by the NSA's General Keith Alexander at the DefCon hacker convention in July. In part, Alexander sought to persuade hackers at the convention to consider a career at the NSA, a suggestion that predictably galled the black hats.
Author: dfgdfg,
April 3, 2012
Unpatched Java Vulnerability Exploited – Macs Infected With Flashback Malware
Flashback is a computer Trojan horse for Mac OS that first appeared in September 2011. The first variant was distributed as a fake Flash Player installer, but the malware has been changed significantly since then, both in terms of functionality and distribution methods.
Back in February, several antivirus companies reported that a new Flashback version was being distributed through Java exploits, which meant that the infection process no longer required user interaction.
The Java vulnerabilities targeted by the February exploits dated back to 2009 and 2011, so users with up-to-date Java installations were protected.
However, that's no longer the case with the latest variant of the malware, Flashback.K, which is being distributed by exploiting an unpatched Java vulnerability, security researchers from F-Secure said in a blog post Monday.
Oracle released a fix for the targeted vulnerability, which is identified as CVE-2012-0507, back in February and it was included in an update for the Windows version of Java.
However, since Apple distributes a self-compiled version of Java for Macs, it ports Oracle's patches to it according to its own schedule, which can be months behind the one for Java on Windows.
Security experts have long warned that this delay in delivering Java patches on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms that they were right.
After being dropped and executed on the system via the CVE-2012-0507 exploit, the new Trojan horse prompts a dialog window that asks the user for their administrative password.
Regardless of whether the user inputs the password or not, the malware still infects the system, F-Secure said in its description of the malware. The Trojan's purpose is to inject itself into the Safari process and modify the contents of certain Web pages.
There are rumors that a new exploit for a different unpatched Java vulnerability is currently being sold on the underground market and could be used to target Mac users in a similar way in the future, the F-Secure researchers said.
"If you haven't already disabled your Java client, please do so before this thing really become an outbreak," they said. The antivirus company provides instructions on how to do this.
Apple stopped including Java by default in Mac OS X starting with version 10.7 (Lion). However, if Lion users encounter a Web page that requires Java, they are prompted to download and install the runtime and might later forget that they have it on their computers.
Author: dfgdfg,
August 11, 2011
21 reasons to uninstall Java by Oracle
The company recommends users install Java 6 Update 24 as soon as possible, but before readers follow through, allow us to offer this modest proposal: Try uninstalling Java altogether. This will dramatically shrink the attack surface of your machine, and unless you use a handful of specific applications, you'll never notice the difference.
Once upon a time, Java, with its mantra of write once, run anywhere, was the white knight that was going to save mankind from the predatory clutches of Microsoft Windows. It never quite worked out that way – at least on the desktop – but the prospect was enough to "scare the hell" out of Bill Gates (your reporter's byline used to accompany that CNET exclusive but it was removed years ago for reasons that are unknown).
Despite the hype about Java's superior security model, the framework by some accounts has surpassed Adobe applications as the most exploited software package, with millions of attacks logged each quarter. While the vast majority of the affected platforms are Windows, attacks, albeit lame ones for now, are beginning to target Mac OS X and . And given Steve Jobs' insistence on thinking differently, Apple doesn't typically release Java security updates until months after they come out of Oracle.
Even Java attacks against Linux are now being seen.
We won't spend much time complaining about Oracle's legal broadside on the Android operating system, but that's another reason you may want to avoid Java.
So go ahead, give it a try and uninstall Java completely. You can always reinstall it if you need to, although as we've already said, if you're like most people, there's little chance you'll need to.
Bootnote
No, OpenOffice does not require Java. Per the official OpenOffice Wiki, Java is required merely to complete OpenOffice. Most OpenOffice functions work just fine on machines that don't have Java installed.
Author: dfgdfg,
April 3, 2011
Java: A Comprehensive Beginners Guide.
I recommend you download and install Eclipse, available at:
http://www.eclipse.org/downloads/
Eclipse is an IDE (Integrated Development Environment) and contains, amongst other things, an editor, a compiler and the JVM (Java Virtual Machine). Eclipse will save, compile, and run your code when you click Run.
Java is made up of classes. These classes simply contain Java code to carry out tasks. The different tasks are called methods. The idea of Java is to piece together these classes and use their different methods to solve problems like the programming missions here at HTS.
Java is made up of hundreds of classes organized into packages. These packages of classes are stored in the Java Class Library. The following link shows the classes and methods of the JCL. These are known as the Java Docs.
http://download.oracle.com/javase/6/docs/api/
Let's Start
Install Eclipse.
Open Eclipse.
Select File | New | Java Project.
Type HTS as the project name and select Finish.
Using the File menu, create a new Class within that project. Name your Class MyFirstProgram and select Finish. Note that Java is case sensitive: Classes begin with an upper-case letter, variables with a lower-case letter.
Type the following into your Eclipse class and run it! No point moving forward until you see the displayed message in the console. Eclipse might have already typed the class name and inserted the braces.
CODE :
public class MyFirstProgram
{
    public static void main(String[] args)
    {
        System.out.println("IT WORKS");
    }
}
Everything inside the first set of braces belongs to your MyFirstProgram class. The next line is the main method. Every Java program must have a main method, we will not discuss the syntax of this line in this article, but you will always use it.
Everything inside the main method braces will be the main code we will focus on in this article to get us started.
System is a class in the JCL. The method println prints "IT WORKS" to the console.
If it works, create a new class or delete the contents of the one you're using and type or copy the following:
CODE :
public class MyFirstProgram
{
    public static void main(String[] args)
    {
        int myAge = 23;
        double myMoney = 234.23343;
        String name = "fj";
        System.out.println("My Name is " + name);
        System.out.print("and my age is " + myAge + " and I have ");
        System.out.println(myMoney + " pounds");
    }
}
Explanation: myAge is a variable, its type is int. int is a Java primitive type, it is an integer. The variable is assigned to 23. The semicolon is the end of that line of code.
The next section of code will take user input from the console. This will give an introduction into Objects. Try the following code:
CODE :
import java.util.Scanner;
public class MyFirstProgram
{
    public static void main(String[] args)
    {
        String name;
        int myAge;
        System.out.println("Type your name and age: "); // try HTS 10
        // Try other inputs, can you get an error? Why?
        Scanner myScan = new Scanner(System.in);
        name = myScan.next();
        myAge = myScan.nextInt();
        System.out.println("My Name is " + name);
        System.out.print("and my age is " + myAge);
    }
}
Scanner is a class in the JCL. We create a new object of the Scanner class. The object myScan is an object/instance of the Scanner class. We can call or invoke the different methods of the Scanner class upon our newly created object. We find the methods that we can use by checking the Java docs (the link above).
We use the new operator to create an object. We use the import statement to import the Scanner class, located in the java.util package (but Eclipse will do the imports for us).
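The comment in the code above asks which inputs cause an error. As an added example (not part of the original tutorial), the class below checks the input with hasNext() and hasNextInt() before reading it, so bad input is rejected instead of throwing. The class name ValidatedInput, the 0 to 150 age range and the sample lines are assumptions made for illustration.

```java
import java.util.Scanner;

public class ValidatedInput
{
    // Assumed bounds for this example; the tutorial does not define any.
    static final int MIN_AGE = 0;
    static final int MAX_AGE = 150;

    // Parses "<name> <age>" from one line and returns a message describing the result.
    static String parse(String line)
    {
        // A Scanner can read from a String as well as from System.in.
        try (Scanner scan = new Scanner(line))
        {
            if (!scan.hasNext())
            {
                return "rejected: no name given";
            }
            String name = scan.next();
            // hasNextInt() is false for "ten", "10.5" and numbers too large for an int
            // (nextInt() would throw InputMismatchException), and also when no token
            // is left at all (nextInt() would throw NoSuchElementException).
            if (!scan.hasNextInt())
            {
                return "rejected: age is missing or not a whole number";
            }
            int age = scan.nextInt();
            if (age < MIN_AGE || age > MAX_AGE)
            {
                return "rejected: age out of range";
            }
            return "accepted: name=" + name + " age=" + age;
        }
    }

    public static void main(String[] args)
    {
        // Constructed sample inputs, not taken from a real session.
        String[] samples = { "HTS 10", "HTS ten", "HTS 10.5", "HTS 99999999999", "HTS -4", "HTS", "" };
        for (String s : samples)
        {
            System.out.println("\"" + s + "\" -> " + parse(s));
        }
    }
}
```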
The Scanner object myScan can be created in different ways using the parameters associated with the Scanner Class. In this case we are telling our new object that its input will be coming from System.in (the console). We could change System.in to take the input from other sources such as the internet. We could use our scanner object to read the source code of an internet site.
Try the following code:
CODE :
import java.net.URL;
import java.util.Scanner;
public class MyFirstProgram
{
    public static void main(String[] args)
    {
        try
        {
            URL myURL = new URL("http://www.google.com/");
            System.out.println(myURL.getDefaultPort());
            Scanner myScan = new Scanner(myURL.openStream());
            System.out.println(myScan.nextLine());
        }
        catch (Exception e)
        {
            System.out.println("There is no URL found, this is why we have the try, catch");
            // We catch the error, so we do not crash!
            e.printStackTrace();
        }
    }
}
Here we have an object/instance of the URL class. The URL class has different parameters, our myURL object/instance of the class sets the parameter as http://www.google.com/.
What methods can we invoke upon our newly created URL object? What are the methods of the URL class? The code above invokes the getDefaultPort method and the openStream method. We create a new Scanner object; notice that we are using the openStream method instead of System.in as before.
Our code outputs the first line of source code from our website. Let's add a loop to capture all of the source code and then we are done for this article.
CODE :
import java.net.URL;
import java.util.Scanner;
public class MyFirstProgram
{
    public static void main(String[] args)
    {
        try
        {
            URL myURL = new URL("http://www.hackthissite.org/");
            Scanner myScan = new Scanner(myURL.openStream());
            for (int i = 0; myScan.hasNext(); i++)
            {
                System.out.println(i + ": " + myScan.nextLine());
            }
        }
        catch (Exception e)
        {
            System.out.println("There is no URL found, this is why we have the try, catch");
            // We catch the error, so we do not crash!
            e.printStackTrace();
        }
    }
}
As long as our myScan object/instance of the Scanner class can read a line, then it prints it to the console with the index value. We do this by using the hasNext() method of our myScan instance/object of Scanner.
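The loop above reads whatever the remote server sends, for as long as it sends it. As an added example (not part of the original tutorial), the class below sets connection timeouts, accepts only https URLs, caps the number of lines read and closes the Scanner when done. The class name BoundedPageReader, the limits and the https-only rule are assumptions chosen for illustration, and it uses hasNextLine() rather than hasNext() so blank lines are counted too.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;

public class BoundedPageReader
{
    // Limits chosen for this example; they are assumptions, not values from the tutorial.
    static final int MAX_LINES = 200;
    static final int TIMEOUT_MS = 5000;
    // Opens the URL with timeouts; the default timeout of 0 means "wait forever".
    static InputStream open(String address) throws Exception
    {
        URL url = new URL(address);
        if (!"https".equals(url.getProtocol()))
        {
            throw new IllegalArgumentException("only https URLs are accepted");
        }
        URLConnection conn = url.openConnection();
        conn.setConnectTimeout(TIMEOUT_MS);
        conn.setReadTimeout(TIMEOUT_MS);
        return conn.getInputStream();
    }

    // Reads at most MAX_LINES lines, then closes the Scanner and the stream under it.
    static List<String> readBounded(InputStream in)
    {
        List<String> lines = new ArrayList<>();
        try (Scanner scan = new Scanner(in, "UTF-8"))
        {
            // hasNextLine() pairs with nextLine(); hasNext() looks for tokens instead.
            while (lines.size() < MAX_LINES && scan.hasNextLine())
            {
                lines.add(scan.nextLine());
            }
        }
        return lines;
    }

    public static void main(String[] args) throws Exception
    {
        // Constructed sample page so the example runs offline; pass an https URL to fetch one.
        String sample = "<html>\n\n<body>hello</body>\n</html>\n";
        InputStream in = args.length > 0 ? open(args[0])
                : new ByteArrayInputStream(sample.getBytes("UTF-8"));
        List<String> lines = readBounded(in);
        for (int i = 0; i < lines.size(); i++)
            System.out.println(i + ": " + lines.get(i));
    }
}
```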
I hope this gives you a start with Java.
Author: dfgdfg,
August 13, 2010
Oracle sues Google over Java in Android
Oracle has mounted a no-holds-barred legal attack on Google's Android operating system in a lawsuit that accuses the internet giant of deliberately infringing patents and copyrights Oracle holds for the Java platform.
In a complaint filed late Thursday, Oracle asked a federal court in Northern California to seize all Android products and advertising, block the further infringement of its intellectual property, and force Google to pay hefty damages, including trebled patent damages because the alleged misappropriation was willful. The action was filed on behalf of Oracle subsidiary Oracle America, which obtained the Java rights with the acquisition of Sun Microsystems in January.
"Without consent, authorization, approval, or license, Google knowingly, willingly, and unlawfully copied, prepared, published, and distributed Oracle America's copyrighted work, portions thereof, or derivative works and continues to do so," Oracle attorneys, which include renowned litigator David Boies, wrote. "Google's Android infringes Oracle America's copyrights in Java and Google is not licensed to do so."
The unexpected move comes as sales of Android-based smartphones are surging, inching past iPhone buyers in the second quarter of this year and garnering a 27 per cent market share to the iPhone's 23 per cent. It follows a series of patent suits and countersuits filed by and against Apple over intellectual property for its handset.
The complaint asserts seven patents to various technologies associated with Java, in addition to copyrighted code, documentation, specifications, libraries, and other materials that comprise the platform. Attorneys said the intellectual property is infringed by various Java applications that make up the Android stack and run on a Java-based object-oriented application framework. They also cited core Android libraries that run on the Dalvik virtual machine, which features just-in-time compilation.
"On information and belief, Google has purposefully, actively, and voluntarily distributed Android and related applications, devices, platforms, and services with the expectation that they will be purchased, used or licensed by consumers in the Northern District of California," the complaint stated. "By purposefully and voluntarily distributing one or more of its infringing products and services, Google has injured Oracle America and is thus liable to Oracle America for infringement of the patents at issue in this litigation."
The legal broadside is in some ways reminiscent of the legal offensive Sun launched against Microsoft in 1997 over the same technology. The two companies spent the better part of a decade hashing out their disagreements, and many of the most explosive allegations — that Microsoft intentionally misappropriated Java to blunt its write-once-run-anywhere promise — were later incorporated into an antitrust lawsuit filed by the Justice Department and more than a dozen states.
Microsoft ultimately agreed to pay Sun $1bln to settle their disagreements after the judge hearing the antitrust case ruled that Microsoft was a monopolist that had acted illegally to preserve its dominant position.
The patents in the case are 6,125,447, "Protection domains to provide security in a computer system"; 6,192,476, "Controlling access to a resource"; 5,966,702, "Method and apparatus for pre-processing and packaging class files"; 7,426,720, "System and method for dynamic preloading of classes through memory space cloning of a master runtime system process"; RE38,104, "Method and apparatus for resolving data references in generated code"; 6,910,205, "Interpreting functions utilizing a hybrid of virtual and native machine instructions"; and 6,061,520, "Method and system for performing static initialization."
Google declined to comment. The complaint is here.
Author: dfgdfg,